≡ Menu

Cannibalism

A interesting post by Bob Sutor. What is OOXML’s real competition, and how does that help ODF? The dynamics get interesting when you are hindered by your own install base. The main selling point of OOXML is its claimed 100% compatibility with the legacy binary formats. But if you are using Office 2000, and happy with it, what is the reason to move to OOXML? Why not remain using the binary formats? What justifies the migration?

The downside is clear. The minute you move to OOXML you have less choice with whom you can successfully exchange documents with. Office for the Mac, Windows Mobile, WordPerfect Office, Google Docs and Spreadsheets, SmartSuite, ThinkFree Office, users of these products, and the numerous 3rd party applications that can read and write the binary formats, these are now outside of the universe of people and applications that you can exchange documents with. Despite some early attempts from Sun and Novell, Linux users are left out as well.

So why move to OOXML? From the CTO’s perspective, if your greatest concern is legacy compatibility, what is the ROI argument for changing file formats? Wouldn’t the tendency be to remain where you are?

So the breakdown may happen like this:

  • N% of companies put compatibility with legacy documents foremost. A% of these stay on Office/Windows and upgrade to Office 2007/OOXML. B% stay where they are and use the binary formats, and C% move to some combination of ODF and PDF.
  • 100-N% make a decision primarily on factors other than 100% fidelity with legacy documents, such as ease of programmability, greater choice and diversity in applications and vendors, etc. X% stay on Office/Windows and upgrade to Office 2007/OOXML. Y% stay where they are and use the binary formats, and Z% move to some combination of ODF and PDF.

I think that B & Z may be the dominating factors. N is large now because it includes the inertial effects of Microsoft’s market dominance. Even companies that don’t make an explicit choice will end up with that path by default. But even the most passive company will not fall into choice A without some thought.

It is interesting to speculate on the initial percentages. But note that this is a network effect game, so the percentages will vary over time based on expectations.

Creative Commons License
This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.

{ 16 comments… add one }

  • PolR 2007/03/20, 19:53

    Rob asks: “But if you are using Office 2000, and happy with it, what is the reason to move to OOXML?”

    First this knife cut both ways. One can equally ask what is the reason to move to ODF if you are happy with Office 2000. Let’s face it, if we want people to adopt ODF, we must provide a reason for making the transition. Inertia helps Microsoft more than ODF.

    But since we are asked for a reason to change file formats, I provide a pretty compelling one. Office 2000 support terminates in July 2009. After that date, it is a security liability for lack of security patches. Office has been a vector for targeted attacks performed for corporate espionage purposes. For example, the investigator in the famous HP “pretexting” scandal used infected Powerpoint documents in attempts to uncover journalistic sources.

    This kind of attack is pretty nasty because it is performed on low scale and is unlikely to be trapped by the anti-virus organizations honeypots and won’t be present in signature files. Behavior based engine may have a chance but if the attacker is informed enough to test his malware against the victim anti-virus software before he sends it, he will make sure the attack gets trough unnoticed. Any organization that is concerned with confidentiality of information must upgrade unsupported office suites.

    Considering the time it takes to make an upgrade of this magnitude, this project must occur in the second half of 2008 or first half of 2009 at the latest. Considering the time it takes to secure the funds, large organizations using Office 2000 must be planning the upgrade right now. Telling CIOs that they don’t need to upgrade their Office 2000 isn’t likely to fall into receptive ears.

    This shouldn’t be a good reason to buy more Microsoft licenses because Microsoft stands to profit from its own lack of quality. But this is how the security world works. CIOs can wait on their existing office suite only for so long. When Microsoft pulls the security plug, the upgrade must happen.

    Another reason to change file format is when you want to use XML to implement automatic process that extract portions of the document. For instance when you want to automatically populate the indexes and the retention attributes in a document management system. Sharepoint and its competitors stand to be good reasons to upgrade if they take advantage of XML. The quality of the format counts, but the quality of available applications counts even more.

    Reading again the article making a case for a single document standard, I came to realize that the transition issues are the key factor that will drive ODF adoption. Understanding the motivation that will lead CIOs to prefer a format over another will make a lot of difference.

    Currently OOXML benefit from the weight of inertia. Office 2007 is full of little annoyance that makes it easier for the user to use OOXML instead of using the compatibility mode. Organizations that perform forced upgrades to Office 2007 because they take Microsoft for granted and don’t look at alternatives will use OOXML.

    ODF proponents must give Microsoft users a reason to look at alternatives. Otherwise, OOXML will be chosen by default as soon as CIOs are confronted with a forced upgrade. This is bound to eventually happen for Microsoft will always end up pulling the security plug when the support period is exhausted.

  • Rob 2007/03/21, 00:20

    When you read things like Internet Explorer having unpatched vulnerabilities for 284 days in 2006, compared to only 9 days for the open source Firefox, then I think that the upgrade shakedown scheme for security fixes has not much of a future.

    In any case, when the end of support period for Office 2000 comes, the CTO may evaluate other options available at the time, which will include a variety of commercial and open source ODF suites.

    For public sector use, where budgets can be slim, or held up for political reasons, the use of an open source solution has certain unique benefits. What do you do if you are stuck on Office 2000 at end of support, and a new virus hits but your budget is pending an appropriation bill that is tied up in committee? On the other hand, if you are using OpenOffice and a new virus hits, the fixes are always free. And your IT department is able to make their own fixes if needed. If you are serious about security, then having the source and the right to make fixes beats paying for the privilege of “Patch Tuesday”.

  • PolR 2007/03/21, 07:41

    Upgrade shakedowns are not a security solution. But when the support expires, CIOs must decide what to do. Do they continue with the old software without support? Or do they upgrade to a supported version? In the case of Microsoft products, security is an important factor in this decision.

    When CIO decide to upgrade, it is primarily to preserve a service they already had, namely support. Sometimes it is also to get the new features of the new version. But they rarely consider completely changing products because they don’t want a disruptive transition. Switching to an alternative product is a major decision that requires a positive business case that offset the disadvantages of having to make a transition.

    Current contracts are also a factor against switching products. In the case of Microsoft, Software Assurance customers may have already paid for Office 2007. They are unlikely to stop using Microsoft because this would be throwing an existing asset to the winds.

    This is to say we can’t rely on a slow OOXML uptake as a positive thing for ODF. If the CIOs don’t have a business case for OOXML, they are even less likely to have a business case for ODF. At the very least, avoiding the cost and disruption of a forced upgrade to Office 2007 is a tangible financial benefits favoring ODF alternatives. But if the CIO doesn’t want this upgrade anyway, this benefit isn’t applicable anymore.

    There was an interesting article in Computerworld on this topic. A non scientific survey revealed 88% of respondents have not considered alternatives to Microsoft Office or have only done so casually.

  • The Wraith 2007/03/21, 09:16

    I think Microsoft is likely to put out their existing compatibility pack for Office Open XML in the next servicepack for Microsoft Office XP, Office 2003 and Office 2004.

    I asume they will not roll out any service pack Office 2000 anymore.

    This would be a likely scenario for early 2008.

    Such a roll out might make OOXML available in 60%-80% of all Office suite implementations.
    Companies still using Office 2000 will then most likely install the compatibility packs themselfs.

  • Rob 2007/03/21, 09:16

    I’m sure the same arguments were made when the first company tried to ditch electric typewriters. Who needs the hassle? “No one was ever fired for buying IBM”, as the saying once was.

    But no one has repealed the tech adoption cycle. Not everyone has the same utility curve or the same level of risk aversion. That is what gives us a tech adoption cycle rather than a stampede. That is why we have early adopters, the visionary types who see unique value is transformations of this type, and if they succeed in this transformation they becomes the references that others can point to.

    If you look at the early adoption of ODF, it seems to center around three main themes: 1) Radical cost savings from moving to an open source stack, and including ODF as part of this, 2) Breaking out of a vendor-lockin situation and trying to preserve choice in vendors, and 3)choosing based in the openness of the format as a primary value, aside from any economic arguments.

    Those seem to be the main themes. You need to ask yourself, if your competitor moves to ODF and by that move sees radical cost savings and increased profit margins, then what do you, as CIO do? What do you tell the Big Man? It seems that the only way Microsoft could preserve their market share in that situation is by discounting.

  • PolR 2007/03/21, 10:34

    I think there are two discrete decisions here. One that is whether to upgrade from the binary format to an XML format. The other is which XML format.

    The first decision is driven by two factors 1) support and security considerations and 2) the advantages of XML when using document in networked and/or workflow applications.

    The second decision is driven by the three factors Rob mentions in his comment.

    One challenge for ODF is many upgrade decisions are driven by the support and security considerations without enough understanding or enough value given to the implications of XML. Then the upgrade is viewed as a routine operation without much thought given to the consequence of vendor control on networked applications and availability of third party applications.

  • Anonymous 2007/03/21, 12:37

    One reason people would not want to upgrade to non-binary file formats is because all those business spreadsheets using secret techniques to hide formulas, spreadsheets and a ton of business logic to the eyes of recipients. With OOXML, all this stuff is exposed whether editors want it or not.

    For instance, the “protect and hide worksheet” feature in Excel is now useless.

    Microsoft knows it. They have rebuilt those features on the sharepoint/Excel server store as a Plan B. Probably part of the plan is to sell server licenses for IT people willing to use that feature. Of course the price is an order of magnitude more. And sharing spreadsheets by hand (email) is still a problem.

    -Stephane Rodriguez

  • Queen Elizabeth 2007/03/21, 18:31

    From a business perspective, it seems like the two main reasons for upgrading to OOXML are:
    1. security (no malicious payloads are possible, as files are not binary and exclude macros)
    2. much easier integration with custom solutions (as XML files are text)
    3. familiarity with Microsoft’s products and services

    Of course you can achieve the first two ODF products, but ditching Office for them will also mean breaking:
    1. MS Office-dependent in-house solutions (and such custom work is expensive to develop)
    2. legacy documents (since no other program since MS Office can render DOC, XLS, and PPT files perfectly, documents will need to be re-created at high cost)

    Though Office 2007 is new, very different, and not free, most IT departments probably will end up switching to it because it is the path of least resistance.

  • Anonymous 2007/03/22, 00:24

    “From a business perspective, it seems like the two main reasons for upgrading to OOXML are:
    1. security (no malicious payloads are possible, as files are not binary and exclude macros)”

    It seems to me you have fallen into Microsoft trap.

    Microsoft wants you to think that you instantiate OOXML documents, but you don’t. You instantiate files which are extensions of OOXML (let’s call that Office 2007 documents) which contain macros in the general case.

    Even without specifying macros, you can still embed arbitrary OLE objects/ActiveX, and they will instantiate themselves when you open the document in Word/Excel/Powerpoint. Those objects contain arbitrary binary code getting run.

    Therefore the security shield is an illusion. And the trap is exactly that, the “backwards compatibility”.

    -Stephane Rodriguez

  • Rob 2007/03/22, 08:54

    That’s the key point. The security flaw is not in the file format, it is in the application. Think of it this way: Has Microsoft ever fixed a security flaw by changing the file format before? No, they changed Office or Windows code.

    OOXML contains enough binary blobs to get hurt, whether we’re talking about Windows Metafiles, persisted DEVMODE print driver data structures or whatever.

  • PolR 2007/03/22, 14:33

    Sigh…

    I think I need to explain myself more clearly. :(

    The point that hurts is that IT organisations must patch their Microsoft software every second Tuesday of the month when Microsoft makes its monthly relase of security fixes. If they don’t patch, they are exposed to the wave of infections that bank on the laziness of people that don’t patch on a timely basis. This is how crackers proceed nowadays. They target the vulnerabilities that have just been published and for which fixes have been released betting that many people don’t patch.

    I am not saying this is a good way of doing things. I am saying this is how security actually works nowadays.

    When support expires, there no longer is a stream of patches every second Tuesday of the month. When a vulnerability is published, the application is a sitting duck to any infection targeting this vulnerability. The cure is to replace the application with a version for which the provider will provide security fixes. The new version need not be a Microsoft product, no question about that. But the upgrade must occur and security conscious organisations will upgrade regardless whether they are happy with their current software or not.

    I am saying that too many IT organisations will upgrade without considering alternatives seriously enough. These organisation will pick Office 2007 because this is the natural upgrade path offered by Microsoft. The result is a de facto adoption of OOXML for reasons having nothing to do with the merits (or lack of merits) of the file format. This is not because these organisations want OOXML or because OOXML solve any security issue. This is not saying that OOXML will be an acceptable standard that works as a standard should. This is a side-effect of how IT organisations will address the security issues resulting from discontinued support.

    I am not sayning this is a good thing or a good way to address the security problem. I am saying this is what organisations that don’t think things thoroughly will do.

  • Queen Elizabeth 2007/03/22, 16:10

    Oops, totally forgot about the WMFs and binary blobs! But then again, ODF also permits them, so neither of the standards is totally secure.

    However, Microsoft HAS addressed security flaws by changing the file formats before (as well as changing Office/Windows code.) They have modified the PE (portable executable) format to allow for, among others, digital signing and no execute sections.

  • Anonymous 2007/03/22, 17:11

    PolR said “This is a side-effect of how IT organisations will address the security issues resulting from discontinued support.”

    Sure. But virtualization is making its way and it disrupts this. (If I were cynical, I would say that’s exactly why Microsoft is trying to kill VMWare and other competitors).

    Besides this, I think most of security issues on Windows are moot if users are running as non-admins. Just a habit to take.

  • PolR 2007/03/22, 18:47

    Anonymous said “But virtualization is making its way and it disrupts this.”

    Would you care to explain? Perhaps I am dense but I don’t quite understand how virtualization will stop IT organizations from wanting to apply their monthly dose of Microsoft patches and upgrade software that don’t get them because of discontinued support.

  • Anonymous 2007/03/22, 22:21

    Because virtualization allows to insulate the physical machine and native OS.

    -Stephane Rodriguez

  • PolR 2007/03/23, 02:16

    Stephane Rodriguez a dit “Because virtualization allows to insulate the physical machine and native OS.”

    Did you consider Blue Pill?

    In any event the purpose of corporate espionage attacks on Microsoft Office is not to hack the physical environment. It is to steal confidential data. Virtual machines can be infected and data can be stolen from there just fine.

Leave a Comment