IE EOLA & Issues of trust in software

IT Business, IT Culture

I posted the stuff below to Susan Bradley's blog but it quickly turned into yet another look at the way we expect less and less from the software we use in business. I recently posted a warning about beta software and why consumers should not try it. As usual, I get 5-10x as many emails and IM's as I do comments on this blog and Rob Murphy from Palm Beach IT UG asked "what is your opinion of setting clients up with MS antispyware/ Windows Defender Beta at a desktop level?". It's quite simple: If the software was ready, it would not be in beta. Software vendors are putting IT Professionals like Rob Murphy into a situation where they have to make a compromising decision on whether or not to recommend clearly unstable and unsupported code to their customers. Why? Because software vendors advertise the hell out of it, on the front page nonetheless! Get Boot Camp Beta, Vista Beta, Defender Beta, Vmware Beta, the list goes on. Rob is an ITPRO and he knows what a beta is. Customer does not. So here is how I try to explain this to my customers that just saw an awesome flash movie and persentation on why he needs to install this beta product. Customer: Vlad, I need **** Beta, NOW! Vlad: Please sign the liability waiver. Customer: Why? It's on their web site! And they shipped me a CD! Vlad: Because its broken. Customer: But, but, but, er.. I want it! It's shiny! Vlad: Ok, lets try this in simpler terms. Let's say you and I meet down at the gas station. We'll drain your tank till there is only a gallon left. Thats about 20 miles right? Your house is 25 miles away. Now, I hope most of your trip is downhill, that you will not be running A/C in Florida, that you will not hit many red lights on your way and that you are not going to go over 25 mph on I-95. There is about 80% chance you'll make it home without walking a mile or two or abandoning your Lexus on the side of the road. People drive with low fuel all the time, I'm pretty sure you'll make it. Besides, whats a little time spent walking along a highway? So, meet you at the gas station? Customer: Uhh. No. Vlad: I see. You must have plans tonight. How about tomorrow morning on your way to work? But lets say this time we only put half a gallon in there. You might have to walk 8 miles, have your car impounded, posessions inside of it stolen and you miss half to a full days worth of work, does that sound ok? Customer: Absolutely NOT! Vlad: Welcome to the wonderful world of beta testing. Still want to install that trash? Now back to Susan and the holy ActiveX jihad:

Welcome to the Microsoft Security Response Center Blog! : April 2006 Advance Notification Everyone testing that EOLA patch that changes the way ActiveX is done and know if you are good to go? Welcome to the Microsoft Security Response Center Blog! : An update on the IE ActiveX change from Mike Nash Internet Explorer ActiveX update

I have completely eliminated external use of Internet Explorer. Check out Amy Babinchak's excellent blog to find out how to use ISA to restrict access to certain web sites only. So the post, without further ado:

Ok, I will stick my foot in the lions mouth and ask. Is it irresponsible to run Internet Explorer outside of the few company-approved web sites or further restricting it to internal-use-only? In my opinion: yes. I'll take it a step further: Anybody purchasing ActiveX driven software should be fired, on the spot. IE and its associated technologies have at least in my heart long lost the thumbs up and purchasing decisions should go towards web services that require no client components to be running. This is where the customer loses, when he/she is required to download and "trust" the code. I am tired of trusting, tired of patching, tired of constantly having to compromise, evaluate, alpha, beta, CTP, GTM and otherwise personally waste my time on software that should be delivered with some defined standard of quality. I'm tired of people ready already. How about maintenance free for a change?

First, its one thing to pick on System Administrators, ITPRO and developers and people that should be capable of evaluating the risk in a lab or even in production. It's quite another to pick on a consumer that doesn't understand the difference and is easilly impressed by flourescent colors. Believe me, I've heard the excuses: "Vlad, we can't just test it all we need help to sell you more software". Fair enough, do not open up the beta to the consumers. You are not approaching her to get her to test your software, you are pitching her the benefits and hiding the beta logo and disclaimers in as small of a font as possible. So it blows up her entire mailbox, disables her access for a day, eliminates any chance of support or person to contact when there may be an issue – those details are ommitted or subdued. But the benefits? Well, – judge for yourself if this is an invitation to a beta test or almost a teaser worthy of a porn site. Second, ActiveX is an easy pick given the topic but it is by no means behavior limited to Microsoft. Nearly all software vendors have jumped on the beta bandwagon and are only releasing software and new features as beta. Part of a testing process, part of a marketing push, part of a sales potential evaluation, part of raising awareness, part of eliminating full "trial" versions…. but not a part of my production network and not a part of responsible ITPRO recommendation for a production environment. Have a nice weekend!

8 Responses to IE EOLA & Issues of trust in software

  1. Anonymous says:

    Fair enough but without public beta testing how do you expect to get your software as cheap as you do and at the quality that it finaly arrives at?

  2. Vlad says:

    What quality is that? The one that requires an army of support software and staff to constantly patch, evaluate, test and re-test every subsequent point release that should be done by the vendor to begin with.

    This is something I expect from F/OSS – you get what you pay for. From commercial entities I expect far more.

    Microsoft for example has a very responsible testing process for server software. They have internal test teams, they have TAP programs under which you are hand-held through the deployment and work with an engineer every step of the way. Microsoft does not want to get a black eye from a big customer but they do want to see real world use, experience and performance. Good for them.

    Now look at the workstation side and you’ll see the problem. All the actual software issues aside, I accept that software will not be perfect and bug free. But I do not accept the blatant ploys to encourage customers to abandon the quality of their software, abandon the support, abandon the reliability of their system just so they can help someone make a better anti-spyware tool. I do not believe the risk is adequately advertised to the customer at all.


  3. blake jones says:

    Right on. Our SLA prohibits use of beta/trialware and repair fees are 30% higher on systems purpousefully damaged by the client by installing unapproved things they find on the net.

  4. ccWare says:

    No joke lately every company is pushing their latest beta on the front page. I see this as less of a plea to help and more as a detterent to stop someone from going elsewhere. Vmware is a great example, they have dominated the virtualization space for a long time and now that they have their back against the wall they stoop to beta. Very low and dishonest imho.

  5. Anonymous says:

    People still use IE? Sorry to post as anonymous but this is worthy. We estimated that 60% of our IT staffs time was spent on IE-borne issues.

    We decided to switch to a Gecko (Mozilla’s browser engine that Firefox is built on) and customize the interface to only display our portal / sites. IE has a hardcoded proxy which only allows traffic to specific URL’s.

    Both proxies report violations and throw alerts when browsing outside approved sites is requested. Managers have the ability to add needed sites on their own through a web based GUI.

    Through this we were able to reduce the time needed to manage our network and a lot of budget we would have used on security software went towards much needed hardware upgrades.

    I know most can’t just dump IE today but it has been the best decision we have made.

    Anonymous “monkey” from a Fortune 500 company.

  6. jmccollan says:

    I’ve been burned by beta / preview enough thank you very much. I’ve since gone all virtual for my testing but lately I find I have less and less time to test. My hat is off to folks that go and actually beta this stuff for me.

  7. Anonymous says:

    Problem with dumping IE is in SBS and using Microsoft Partner Program sites. I as a consultant cannot get rid of it in my own practice because of dependance on Microsoft sites and I can’t recommend to my clients to do the opposite. Hopefully Microsoft will just dump all of their ActiveX components as a result of this patent dispute and we can work in a stripped down or very powerful browser.. IE or Firefox, I really don’t care. Security and functionality, that I care about a lot.

  8. mikeboi says:

    Amen. Beta is software that is not suitable for prime time and is not allowed to run on a network used by others. Plain and simple.

Comments are closed.