IE EOLA & Issues of trust in software


I posted the stuff below to Susan Bradley's blog but it quickly turned into yet another look at the way we expect less and less from the software we use in business. I recently posted a warning about beta software and why consumers should not try it. As usual, I get 5-10x as many emails and IMs as I do comments on this blog and Rob Murphy from Palm Beach IT UG asked "what is your opinion of setting clients up with MS antispyware/Windows Defender Beta at a desktop level?".

It's quite simple: If the software was ready, it would not be in beta. Software vendors are putting IT Professionals like Rob Murphy into a situation where they have to make a compromising decision on whether or not to recommend clearly unstable and unsupported code to their customers. Why? Because software vendors advertise the hell out of it, on the front page no less! Get Boot Camp Beta, Vista Beta, Defender Beta, VMware Beta, the list goes on. Rob is an ITPRO and he knows what a beta is. The customer does not. So here is how I try to explain this to a customer who just saw an awesome Flash movie and presentation on why he needs to install this beta product.

Customer: Vlad, I need **** Beta, NOW!

Vlad: Please sign the liability waiver.

Customer: Why? It's on their web site! And they shipped me a CD!

Vlad: Because it's broken.

Customer: But, but, but, er.. I want it! It's shiny!

Vlad: Ok, let's try this in simpler terms. Let's say you and I meet down at the gas station. We'll drain your tank till there is only a gallon left. That's about 20 miles, right? Your house is 25 miles away. Now, I hope most of your trip is downhill, that you will not be running A/C in Florida, that you will not hit many red lights on your way and that you are not going to go over 25 mph on I-95. There is about an 80% chance you'll make it home without walking a mile or two or abandoning your Lexus on the side of the road. People drive with low fuel all the time, I'm pretty sure you'll make it. Besides, what's a little time spent walking along a highway? So, meet you at the gas station?

Customer: Uhh. No.

Vlad: I see. You must have plans tonight. How about tomorrow morning on your way to work? But let's say this time we only put half a gallon in there. You might have to walk 8 miles, have your car impounded, possessions inside of it stolen and you miss half to a full day's worth of work, does that sound ok?

Customer: Absolutely NOT!

Vlad: Welcome to the wonderful world of beta testing. Still want to install that trash?

Now back to Susan and the holy ActiveX jihad:

Welcome to the Microsoft Security Response Center Blog! : April 2006 Advance Notification

Everyone testing that EOLA patch that changes the way ActiveX is done and know if you are good to go?

Welcome to the Microsoft Security Response Center Blog! : An update on the IE ActiveX change from Mike Nash

Internet Explorer ActiveX update

I have completely eliminated external use of Internet Explorer. Check out Amy Babinchak's excellent blog to find out how to use ISA to restrict access to certain web sites only. So the post, without further ado:

Ok, I will stick my foot in the lion's mouth and ask. Is it irresponsible to run Internet Explorer outside of the few company-approved web sites or further restricting it to internal-use-only? In my opinion: yes. I'll take it a step further: Anybody purchasing ActiveX-driven software should be fired, on the spot. IE and its associated technologies have, at least in my heart, long lost the thumbs up and purchasing decisions should go towards web services that require no client components to be running. This is where the customer loses, when he/she is required to download and "trust" the code. I am tired of trusting, tired of patching, tired of constantly having to compromise, evaluate, alpha, beta, CTP, GTM and otherwise personally waste my time on software that should be delivered with some defined standard of quality. I'm tired of people ready already. How about maintenance free for a change?

First, it's one thing to pick on System Administrators, ITPRO and developers and people that should be capable of evaluating the risk in a lab or even in production. It's quite another to pick on a consumer that doesn't understand the difference and is easily impressed by fluorescent colors. Believe me, I've heard the excuses: "Vlad, we can't just test it all, we need help to sell you more software". Fair enough, do not open up the beta to the consumers. You are not approaching her to get her to test your software, you are pitching her the benefits and hiding the beta logo and disclaimers in as small of a font as possible. So it blows up her entire mailbox, disables her access for a day, eliminates any chance of support or person to contact when there may be an issue – those details are omitted or subdued. But the benefits? Well, www.gmail.com – judge for yourself if this is an invitation to a beta test or almost a teaser worthy of a porn site.

Second, ActiveX is an easy pick given the topic but it is by no means behavior limited to Microsoft. Nearly all software vendors have jumped on the beta bandwagon and are only releasing software and new features as beta. Part of a testing process, part of a marketing push, part of a sales potential evaluation, part of raising awareness, part of eliminating full "trial" versions… but not a part of my production network and not a part of a responsible ITPRO recommendation for a production environment.

Have a nice weekend!
