AutoCAD 2018 – why did the DWG format change?

In my review of AutoCAD 2018, I had this to say about AutoCAD 2018’s changed DWG format:

Why does AutoCAD 2018 need a new DWG format? It probably doesn’t. The 2013 DWG format is capable of holding pretty much anything you want… Although Autodesk cites performance reasons with certain drawings, I strongly suspect the new DWG format was introduced purely to make life difficult for competitors, and to encourage wavering customers to stay with Autodesk for fear of losing compatibility. In other words, it seems likely this is an anti-competitive change rather than a technical one.

In a recent blog post, highly respected Swiss-based Autodesk development and research person Kean Walmsley had this to say on that subject:

The main reason for the break in compatibility is some longer-term work that’s going on inside the AutoCAD codebase. For now this is really only surfacing in small ways – I expect it’s contributing some performance benefits, for instance – but the work is absolutely critical to the long-term viability of the product.

Kean’s a straight-shooter and I’m always ready to be corrected if it can be shown that I’m wrong. So I would be interested to learn more detail about this long-term work that’s critical to the long-term viability of the product. It might be good news for customers or really terrible news. If the groundwork is being laid for a file format that’s more heavily cloud-reliant or subject to continuous change, say, that would be an absolute tragedy for customers.

Autodesk is clearly manoeuvring customers into a position of maximum tie-in using various nefarious means, and if the DWG format change is part of that then it’s to be condemned. Maybe further information would help alleviate such concerns. Kean can’t provide that information, and neither can the selected bloggers who were given some insight under NDA last week, but I’m sure someone at Autodesk could. That is, if there really is nothing to worry about.

Kean also had this to say:

AutoCAD continues to be a core part of Autodesk’s business – and it continues to receive significant investment in terms of development resources – but don’t expect that to translate to buckets of shiny new features: AutoCAD’s feature maturity means the investment is rightly being focused in other areas (at least for now).

This had me wondering if Kean mistyped “immaturity”, because almost every AutoCAD feature from the last decade was released immature and only the lucky few eventually got finished. There’s a huge mass of outstanding work left to do in AutoCAD just to bring its existing half-baked features up to scratch, practically all of which could be done without disrupting customers with a new DWG format.

As for the feature set itself being mature, I can’t agree with that, either. Maybe it’s considered mature within Autodesk because of defeatist thinking about what’s possible with DWG-based CAD software? Kean’s comments seem to reinforce that impression. From where I’m standing, the lack of progress in recent AutoCAD releases demonstrates a severe lack of imagination and hunger to improve the product, not any inherent natural plateau in CAD development.

I believe this because Autodesk’s keener competitors have shown that no such plateau exists. Bricsys has proven that it’s very possible to improve an AutoCAD-like DWG-based product out of sight with genuinely useful and productive new features, and they can do it without changing the DWG format. Incidentally, my preliminary tests indicate BricsCAD V17 opens and saves DWG significantly faster than AutoCAD 2018, again without the need for a new format. More on that in a later post.

Back to Kean:

This is a tricky balance – and could easily be interpreted as a big company not caring about (some of) its users and only being interested in milking its cash-cow – but the work happening behind the scenes is significant and I believe will ultimately prove to be of real value to our customers.

Real value? History has taught me to be dubious about that. Many things that Autodesk promotes as being of value to customers turn out to be of net negative value. Time will tell with this one.

Sorry, but I really don’t believe that Autodesk cares about AutoCAD and its users as anything but an income source. I know there are still honest, hardworking, enthusiastic people within Autodesk (like Kean) who want to improve the product on behalf of customers. Good luck to those people, because their efforts are being stymied by management. The results we’re seeing out here in customer land are dismal, and no matter what spin is put on that, it must be disheartening.

Autodesk people, caring about users? Sure. Autodesk, the public listed company, as directed from the top? Nope. Autodesk’s actions and inactions tell me otherwise. Zero cares are given. No words can fix that, no matter who they come from.

AutoCAD really is being treated as a cash cow; hang one of those bells around its neck and be done with it.


(Original image: Daniel Schwen)

95 Comments:

  1. When the going gets tough, the tough throw wrenches into the file format to stymie competition and create FUD for the customer base.

    Twenty years after intelliCAD’s consent decree and they continue with the same tactics.

  2. Dieter Schlaepfer

    As anyone can verify in the AutoCAD Saveas dialog box, the DWG format changed in R14 (1997), R2000, R2004, R2007, R2010, R2013, and R2018. So you can see that it’s been about every three years between versions, except for the latest version, which has been five years. As anyone can see, the latest format change is less frequent than before.

    Here’s what I wrote in Help:

    “The DWG format has been updated to provide improvements in the efficiency of open and save operations, especially for drawings that contain many annotative objects and viewports. Additionally, 3D solid and surface creation now uses the newest geometric modeler (ASM), which provides improved security and stability.”

    The word security refers specifically to emerging problems in many formats where criminal, mercenary, and state-sponsored hackers doctor data files in targeted software that execute code when opened (using buffer overflow and other techniques). Many of these vulnerabilities have now been closed.

    Finally, I couldn’t help but notice that in the image you chose of an adorable and highly intelligent Swiss cow, you accused her of . . . Adultery! As a Swiss immigrant, I can only encourage you to avoid making accusations until you have credible evidence! 😉

    Dieter

  3. I just wonder why Adesk did not change the format in 2016 release. This thing of feature maturity is funny. If the adesk developers worked in a real company that shares xrefs between teams, they would think their tools were in pre-school, taking naps every day. If they just asked the question “how would a user know where a file is xreffed?” they could start a whole new set of features that could really addict a company to their product. But then they would have to actually work with real companies to get the tools right enough, and that might reveal their big secrets like when they developed the CUI system that continues to be broken in really bad ways. As Trump would say…”It’s broken really bad, it’s terribly broken.”

  4. That thing about security continues to annoy me. AutoCAD looks to several files on startup that can be modified to do bad things, but really only one has ever happened, the bad acad.lsp that someone started. So Autodesk seriously allowed us to sign lisps! Of course they did not distinguish between startup lisps, and others, so got that feature wrong. They did some bandaid fixes to try to address startup stuff but why can’t they just ask long time cad managers like me and others how to do things as we are always the ones telling them how they should have been done after. Dang, if I can’t mine gold and someone keeps telling me I’m doing it wrong, and they mine gold successfully all day, maybe they should listen.

  5. Dieter Schlaepfer

    Yes, exactly.

    And so can previous versions of DWG. And so can PDF (as you probably know, Adobe hardened this format considerably as a result of widespread and well-known abuse), Microsoft DOCx, and most other software formats!

    Some months ago, I was horrified to see a video of someone opening a DWG file in AutoCAD, which resulted in MS Paint executing.

    The key here is (1) the level of criminal or terrorist motivation to execute code in your organization, (2) the level of popularity of the format, (3) the value or sensitivity of the content in the format, and (4) the level of difficulty of doctoring the format.

    US government agencies are now beginning to prohibit the purchase of software that doesn’t meet their security standards. No exceptions.

    Dieter

    • OK, let’s tie this down.

      1. Prior to the 2018 format change, the DWG data format could not be reliably read by any software without the risk of that software being triggered into executing malicious code. Correct?

      2. The 2018 DWG format does not have that vulnerability. Correct?

  6. Dieter Schlaepfer

    Hi James,

    It’s hard to answer your question of why there was no format change in AutoCAD 2016 (or 2017). All I would say is that it’s not done unless there are a good number of really compelling reasons to do so.

    Regarding DMCS and workflow, I agree with you. Getting the level of control and complexity right is very difficult. Remember Autodesk WorkCenter many years ago? Every change to a document spawns a cascade of workflow items/notifications/approvals, which in turn spawns a set of document changes. The tools available for documentation management range from file systems to configuration management systems. Workflow tools range from email to process management. The big thing now is access control. These tools are often not employed well, resulting in a stifling amount of administrative overhead.

    Please don’t underestimate the experience of our software engineers. For example, one of them has a degree in Aeronautical engineering. Their director has a PhD in Civil Engineering.

    If you prepare a wishlist of improvements to the CUIx editor, I’ll be happy to deliver it for planning consideration. You can post it to the AutoCAD Customer Council, post it here, or email me (dieters@some_software_company.com).

    Thanks,
    Dieter

    • Software engineering ain’t rocket science. If it was, maybe your highly qualified people would be able to compete with their Bricsys counterparts in terms of code efficiency, instead of needing literally ten times as much program to do less, slower.

      I’ve been providing specific, actionable feedback about the CUI editor since it rolled out poorly designed, ridiculously slow, buggy, and horribly unfinished with AutoCAD 2006. 12 years later, I’m still working around some of the original bugs and design failings. I literally did that just yesterday. Maybe James’ suggestions could be put into the same planning consideration black hole as mine for convenience?

  7. Dieter, it’s quite reasonable to expect that Autodesk have hardened AutoCAD 2018 _code_, but how did changing data _format_ improve security?

  8. “Please don’t underestimate the experience of our software engineers. For example, one of them has a degree in Aeronautical engineering, Their director has a PhD in Civil Engineering.”

    @ Dieter
    Experience does not mean a degree or a PhD.
    This is why you don’t understand any more how to make a software.
    I can give you a tip. Start by making it smaller (reduce 3-4 times the number of code lines) and the rest will come around.

  9. @jmaeding
    This is exactly the problem that 3ds Max development has as well. The developers don’t use the software and the outsourced beta seems to only focus on the “new” features. There are two things you can count on in every Max release: Backburner net rendering will be broken and random default keyboard shortcuts and menu items will be changed, moved or renamed. As a bonus for 2018 Mental Ray has been removed.

    @Steve
    It isn’t easy to haul 25+ years of legacy code and horrible hacks around. The developers are doing the best they can before the next round of layoffs.

    There were a bunch of security updates to the DCC programs (and Revit) back in December which had to do with the FBX SDK. If there is an issue with ASM and associated dlls this could also affect 3ds Max and anything else that can load DWG. I guess if it is as serious as Autodesk says, “save as previous” in Max is going to be a problem if there aren’t additional security updates to legacy releases.

  10. More BS. If software allows execution of arbitrary code (the MS paint example) when opening native file, the software should be patched, not the file format. And previous versions (down to a reasonable 4-5 years) which exhibit the problem should be patched too, or else the vulnerability will still exist in the wild. If they really “care”…

  11. I just noticed the “hi DPI awareness” new feature of acad 2018 missed the VLIDE: https://forums.autodesk.com/t5/visual-lisp-autolisp-and-general/2018-vlide-not-high-dpi-aware/td-p/6973336
    @ Dieter, don’t get me wrong, the programmers and people at Autodesk are top notch. They make my coding skills look juvenile, no question. They are too disconnected from revision iterations though. It’s fine to try something one way, but you fix when it flops. The whole thing of a main and enterprise menu, with partials daisy-chained on was a horrible idea. We went from an all adult party in 2005, to a two adult and their kids party in 2006. Enterprise read only menu idea is fine, but not the “main menu loads kids” thing when it used to be “profile loads everyone”. Autodesk forgot we run bare acad and verticals and several other things I could go into. It will never get fixed now and I can say 95% of the customization my users used to do easy is indeed rocket science now.

  12. Dieter Schlaepfer

    Wow, so many comments! Apparently, I’m easily mistaken for a piñata. 😉

    Steve,
    Software will always be vulnerable just as banks can always be robbed or scammed. We want to make it a lot harder though. It’s like home security. You add security measures as warranted. The bars over the windows, barbed wire, and guard dogs aren’t needed in my neighborhood yet. I did add a deadbolt though.

    >> Maybe James’ suggestions could be put into the same planning consideration black hole as mine for convenience?

    Or you could send them to me, and I’ll see what I can do.

    Owen,
    There are actually several basic points of vulnerability in software including doctored data, insecure components, customization vulnerabilities, binary planting, “man-in-the-middle” attacks, buffer and stack overflows, malware included in cracked software, and so on. Generally speaking, countermeasures in data files can include encrypted segments, parity checking, sentinels, and other techniques that are far beyond my knowledge. Many software companies are now taking significant measures to make cyber attacks more difficult, including collecting and sharing emerging threats. So I have a question for you.

    Do you think Google is wasting their time with this: https://www.virustotal.com/ ?

    w64bit,
    >> Experience does not mean a degree or a PhD. This is why you don’t understand any more how to make a software. I can give you a tip. Start by making it smaller (reduce 3-4 times the number of code lines) and the rest will come around.

    Thanks for the tip. 😉

    Griffin,
    Disparaging comments aside, you’re right in that a lot of code never had cyber security threats in mind when originally written. That the threat has mushroomed in the last few years is well known by security professionals and has resulted in the requirement for significant investment by most software vendors. For example, in a joint presentation at AU last year, I included

    “Cyber espionage accounts for 60% of the breaches in the Manufacturing sector and 52% of the breaches in the Professional sector.”
    – Data from the 2015 Verizon Data Breach Report

    “Globally, the GDP cost of cybercrime is now nearly equal to the GDP cost of illegal narcotics.”
    – Statistics from the Center for Strategic and International Studies, 2014

    We were shocked at the response rate when we took a quick poll of people who suffered breaches last year. This is why most software vendors strongly urge their customers to keep up-to-date.

    blueginkgo,
    Yes, we’ve heard from customers who want us to patch previous releases. Maybe you disagree, but I think it makes better economic sense to encourage customers to use the current release even if there were zero feature enhancements. Go ahead and pose the same question to Adobe, Microsoft, and other major software companies. I bet they’ll tell you the same thing.

    James,
    Thanks for the kind words for our software engineers. Please understand that they don’t act alone, but are part of feature teams that include a variety of professionals including UX designers, test engineers, technical writers, and so on. In my experience, software development is indeed an iterative and collaborative process that also involves the AutoCAD Customer Council, Gold Sites, site visits, and customer interviews at AU or by phone. Customers also identify issues as you mentioned.

    Hi Eric,
    Support for 4K monitors is included in AutoCAD 2018, but there’s definitely more work to be done. You might want to post to an AutoCAD forum regarding speed or hatch issues to see whether what you’re encountering is out of the ordinary. If you’re having a problem specifically with hatches in a drawing, go ahead and email part of it to me (dieters@wellknownsoftwarecompany.com) and I’ll ask a test engineer to look at it. Ok?

    Dieter

    • Dieter, thanks for your extensive response. Not to appear ungrateful, here’s one you missed:

      OK, let’s tie this down.

      1. Prior to the 2018 format change, the DWG data format could not be reliably read by any software without the risk of that software being triggered into executing malicious code. Correct?

      2. The 2018 DWG format does not have that vulnerability. Correct?

    • Microsoft actually patches previous versions of Windows (to a reasonable extent), when security is in line, in case you didn’t notice. And, as far as “better economic sense” is an excuse, changing format without a technical need is also “better economic sense”.

    • Hello again Dieter, the brave one. I’d subscribe to MDT 2018…

      “Cyber espionage accounts for 60% of the breaches in the Manufacturing sector and 52% of the breaches in the Professional sector.”

      Isn’t the requirement for continuous Internet connectivity responsible for 100% of those breaches? Way back in the dark days before pre-cloud lies, when we received all-in-the box deliveries, once in a while updates downloaded onto an isolated Internet machine… ten releases ago – those breaches required burglary. I don’t have no pHd, but I do know that unplugging the ethernet cable offers unbreachable electronic security.

      Written on a throwaway tablet while my CAD gently weeps. – Bill

  13. @Dieter
    If you walk into a room of unhappy cad users wearing the Autodesk pinata costume they will beat on something until the candy comes out.

    Not really disparaging but more like a plain, slightly pointed, truth. Sometimes you do what you have to do to get it out the door. Maybe it is cleaned up later maybe it isn’t. That’s life. I wonder if there are any colorful dev comments in ACAD, Max, Maya etc. for regressions.

    @blueginkgo
    It certainly makes better cost benefit sense to the vendor to get a customer to pay to fix vendor defects than to fix them for free. It is unlikely the customer will see any value in that and even less value in paying for zero feature enhancements.

    “Nice project you got there, would be a shame if something happened to it”

  14. Hi Dieter,

    > Do you think Google is wasting their time with this: https://www.virustotal.com/ ?

    No.

    I think the best defense against cyber threats is the free and open exchange of information about vulnerabilities. It’s possible that the AutoCAD 2018 format was changed in order to make it more secure. Unlikely, but possible. I think it’s more likely that it was changed in the misguided belief that a new format would force users onto a newer “more secure” platform.

    However, if it’s true that data saved in pre-2018 formats is inherently vulnerable, then I think Autodesk have an obligation to share details so potential victims can properly evaluate their risk exposure and take action on equal footing with the bad guys, who presumably already know all about it.

  15. @Dieter,
    But aren’t our questions and comments based on constructive criticism your organization desperately needs? I write software too and tell my users to be “picky and greedy” to get the best results in terms of productivity. I take it as a compliment when they say some feature needs minor or major changes, as that is a healthy relationship.
    Anyway, I did want to mention that I have done several focused study groups with various products, and it has been a disaster. Many of them literally ask me if a button should be on the left or right, or they show me some interface and I am supposed to offer a reaction. It’s as if I am being presented art work with no info and am supposed to talk out loud. My reactions are always “what was the team trying to do?”, but you know I am way too late on the scene at that point. I have talked to certain product developers early on, but they have not maintained the conversation and ended up with good ideas implemented just poorly enough that I can’t use them. So my opinion at this point is Autodesk does not maintain client relationships how normal software makers would to get features “correct”. We wish they did, as you would find we have years of history and usage testing but can never seem to find the person who can do anything with it. Maybe you can, would love to hear how adesk wants us to truly be part of its development efforts.

  16. On the security issue, I have yet to see any virus or malicious code get executed or even detected from a dwg as long as I recall. Honestly, I would think dwg is a ripe target too as it’s a data file type people sling around. However, the time I spend dealing with corrupted AEC objects, excess reg apps, layer filters, materials, and anno scales is 100x more than it should be. So if Autodesk claims it wants to make dwg secure, it should first patch up the holes in the hull before looking at potential, much less real, leaks. This comes up fast when sharing files with Bricscad users. I routinely have to delete the civil3d dictionary portion of a dwg to get xrefs to resolve in bcad. It’s starting to get where the acad verticals are regarded as contaminating dwg’s. I know that is not easy to just change, but there is a distinct lack of file cleaning tools from adesk, which is the easier answer to the trouble than fixing the architecture involved.

  17. Dieter Schlaepfer

    Steve,
    What you’re missing is that cyber security is not a yes or no proposition, but a matter of degree. So yes, the 2013 DWG format and previous ones did not have any specific cyber security defenses. But, it would be incorrect to say that the 2018 DWG format does not have “that vulnerability.” There’s no magic bullet that will ensure a file cannot be doctored.

    To put things into perspective, I’d also like to add that the easiest, cheapest, and most prevalent method for breaking into a company network is through social engineering, which includes phishing attacks. This method constitutes about 77% of all attacks. It’s sobering to learn that 11% of recipients click on email attachments. You can do the math for your company. As IT departments clamp down on the easier methods, more expensive methods are employed such as the infamous acad.fas file used in the Medre virus, malware in AutoLISP routines, and the potential for doctored DWG files.

    And I’ve not even mentioned network attacks. Have you ever watched this for awhile?

    http://map.norsecorp.com/#/

    blueginkgo
    Actually, I was referring to Microsoft application programs such as Excel and Word. But the economics boils down to the allocation of resources. Software releases are supposed to supersede each other, and not be developed and maintained in parallel. Imagine the responses to the following letters:

    Dear Microsoft, I’m quite happy with my copy of Word 95, but I noticed that it has some software defects and I’m concerned about vulnerability to malware. When can you send out a patch to fix these issues? Sincerely yours, Dieter Schlaepfer

    Dear Adobe, I’m using Acrobat Version 6 and I’m not happy with its speed. When can you send me a patch to fix this problem? Sincerely yours, Dieter Schlaepfer

    Hi Bill,
    >> Hello again Dieter, the brave one.

    Brave or foolish. Yeah, I know that MDT is a sore point, but that’s another discussion.

    >> Isn’t the requirement for continuous Internet connectivity responsible for 100% of those breaches?

    You’re partly right. A friend of mine who is developing an interesting new engine has air-gapped his development computers based on the required practices when he worked for a secure military organization. They never touch the internet or his company’s network.

    Is he secure?

    To a large degree, yes. But how does he transfer his design off his development computers? A USB stick? These can include virtually undetectable malware that are designed to spread between devices, and are a favorite tool for Foreign Intelligence Services to the extent that some organizations epoxy their USB ports. A Google employee once told me how they caught a visitor sneaking into an office plugging in a USB drive into the PC there. Encryption of sensitive data is an excellent idea, but even the metadata associated with a project is enormously valuable.

    Griffin
    >> If you walk into a room of unhappy cad users wearing the Autodesk pinata costume they will beat on something until the candy comes out.

    Has any candy come out yet? 😉

    >> Not really disparaging but more like a plain, slightly pointed, truth. Sometimes you do what you have to do to get it out the door. Maybe it is cleaned up later maybe it isn’t. That’s life. I wonder if there are any colorful dev comments in ACAD, Max, Maya etc. for regressions.

    Yes, regressions do happen and they typically get a high priority.

    Owen,
    > Do you think Google is wasting their time with this: https://www.virustotal.com/ ?

    >>No.

    Why not?

    >> I think the best defense against cyber threats is the free and open exchange of information about vulnerabilities.

    So even the “script kiddies” can also plaster everyone with more sophisticated malware?

    >> It’s possible that the AutoCAD 2018 format was changed in order to make it more secure. Unlikely, but possible. I think it’s more likely that it was changed in the misguided belief that a new format would force users onto a newer “more secure” platform.

    No and no. Here’s why the format was changed:

    “The DWG format has been updated to provide improvements in the efficiency of open and save operations, especially for drawings that contain many annotative objects and viewports. Additionally, 3D solid and surface creation now uses the newest geometric modeler (ASM), which provides improved security and stability.”

    >> However, if it’s true that data saved in pre-2018 formats is inherently vulnerable, then I think Autodesk have an obligation to share details so potential victims can properly evaluate their risk exposure and take action on equal footing with the bad guys, who presumably already know all about it.

    Now THAT would make customers more vulnerable, wouldn’t it? It would likely cause a tidal wave of new attacks and the accusation would be that this was a deliberate attempt to force customers to upgrade. No thanks.

    James,
    >> On the security issue, I have yet to see any virus or malicious code get executed or even detected from a dwg as long as I recall.

    Yep, same here. But unfortunately it’s coming.

    >> Honestly, I would think dwg is a ripe target too as it’s a data file type people sling around.

    Exactly.

    >> However, the time I spend dealing with corrupted AEC objects, excess reg apps, layer filters, materials, and anno scales is 100x more than it should be.

    Some of these issues have been addressed as far as I remember. In any case, defects and security both need to be addressed, and priority should be linked to severity. But you raise a good point about interoperability. I don’t know much about other products, but it seems like it would be a better solution to translate data between formats than remove it, right?

    >> But aren’t our questions and comments based on constructive criticism your organization desperately needs? I write software too and tell my users to be “picky and greedy” to get the best results in terms of productivity. I take it as a compliment when they say some feature needs minor or major changes, as that is a healthy relationship.

    Yes, I completely agree. What you’re describing sounds like a very healthy “productivity partnership” between you and the customers you serve. Good job!

    >> Anyway, I did want to mention that I have done several focused study groups with various products, and it has been a disaster. Many of them literally ask me if a button should be on the left or right, or they show me some interface and I am supposed to offer a reaction.

    It sounds like you were being asked these questions by visual designers concerned about ergonomics. Hopefully, you provided them with your perspective.

    My best suggestion would be to participate on the AutoCAD Customer Council. AutoCAD designers, test engineers, and others regularly participate. The strongest leverage is in the surveys, feature requests, and defect reports that customers provide. For example, in this last release, one of the features was pulled out due to low customer ratings.

    Hope this sheds some light.

    Dieter

    • Dieter, I’m not missing anything, just asking questions. You raised security as a reason for the new DWG format, and I’m trying to find out if that represents a genuine justification or not. I’m still struggling to see a genuine justification for the DWG change, am highly suspicious, but am offering you the opportunity to provide that justification. So far, the pickings are slim.

      But let’s accept for the sake of argument that the 2013 DWG format does contain a vulnerability that allows malware writers to do nasty stuff that can’t be anticipated and resolved by the writers of any software that reads that format. Let’s also accept that the 2018 format closes that vulnerability, while not excluding the possibility of other vulnerabilities still remaining.

      OK, assuming all that’s true, let’s say I’m a bad guy who wants to spread my evil via DWG files. Have you spotted the gaping hole in your scheme yet? I simply put my stuff into a 2013 DWG file. Right now, 99.9% of the world’s DWG files are 2013 or earlier. AutoCAD 2018 and its successors are going to have to read 2013 DWG files for many years to come, possibly decades (if Autodesk’s still around). So AutoCAD 2018 and its successors are every bit as vulnerable as they were before the DWG format change.

      There’s your security justification for the DWG change blown out of the water. Got anything else?

    • Dieter, I’m sure you’re aware that not only is Owen one of the world’s top CAD programming gurus in general, he has two decades of experience in the specific area of DWG security and encryption. Given a choice between his assessment on such matters and anybody else’s, inside or outside Autodesk, my money would be on Owen.

      In this case, I don’t even need to appeal to Owen’s towering authority to know that you’re dead wrong about free exchange of knowledge being a risk rather than a benefit. Anybody with even beginner-level knowledge in the field of security and encryption (e.g. me) knows that if you’re relying on security through obscurity, you’ve already lost. I can understand Autodesk wanting to obfuscate DWG for commercial reasons, but let’s not pretend it’s being done for our protection.

  18. Dieter, you asked for it, so let’s continue this:

    >> Generally speaking, countermeasures in data files can include encrypted segments, parity checking, sentinels, and other techniques that are far beyond my knowledge. <<

    I fully agree. But all this could have been added to 2013 DWG without any need whatsoever to change the file format.

    You are correct in saying that a misplaced pointer in a DWG might have allowed malicious code to be executed in AutoCAD. But it's always AutoCAD which executes the code.

    I remember doing a conference presentation in 199x when Autodesk had started to allow embedding VBA executable code in DWG (e.g. an Excel sheet with macros). I showed a proof-of-concept infecting a foreign computer opening my DWG.

    But as Owen says, it's the CODE that has to be secure, not the file format. The mis-placed pointer might have been included by some terrorist – or by a failing USB drive.

    So the task is to create the code to safely open a data file (broken or not). And for DWG this involves all the software trying to open a DWG – from Autodesk, from ODA, from whatever.

    I still don't see a technical reason for changing the file format. Educate us, please.

    Dietmar

    • Good to hear from you, Dietmar. For those of you who might not be familiar with Dietmar, he’s the writer and translator of a whole swathe of AutoCAD books including an excellent one for developers about the AutoCAD object model (the basis for what gets stored in a DWG file). He also has long experience in DWG security matters. In other words, he knows what he’s talking about.

      That is, we now have multiple independent experts (no, I didn’t contact them, they just turned up here) who fail to see a valid security justification for the file format change.

  19. Dieter Schlaepfer

    Steve,
    The best that I can offer you is that incremental improvements in security are what all software companies are doing. Yes, I would recommend that everyone keep current with software upgrades, but even more than that, I’d recommend encryption of sensitive files.

    I’m sure my knowledge as a technical writer is minuscule compared to Owen’s towering authority as you put it. Still, he didn’t fault Google’s efforts regarding file format hacking. No, I’m not advocating “security through obscurity.” It doesn’t deter well-funded foreign intelligence services, but it does reduce the potential volume of attacks by less skilled criminals.

    Dietmar!
    It’s been well over 25 years since we had lunch together in Sausalito. I hope you’ve been doing well.

    While I wasn’t present at the conference you mentioned, I do remember that few people were anticipating the kind of world where cyber warfare over information has such a prominent role. But you did.

    I asked the question of Owen, but maybe you can share your perspective of why Google has gone to the trouble with this: https://www.virustotal.com/ . I also ran across this with regards to “weaponized” file formats: http://www.decalage.info/en/book/export/html/55 that you might find interesting.

    But this is only a relatively small facet of the upgrade to the latest version of ASM.
    Also, I want to make sure to maintain an accurate perspective. Here’s what I wrote regarding the DWG format update:

    “The DWG format has been updated to provide improvements in the efficiency of open and save operations, especially for drawings that contain many annotative objects and viewports. Additionally, 3D solid and surface creation now uses the newest geometric modeler (ASM), which provides improved security and stability.”

    I have no doubt that Steve will now perform some timings on DWGs that use many annotative objects and viewports.

    Folks,
    Once again, I appreciate Steve’s willingness to publish my views and to give me the opportunity to provide some perspective on the factors that led to the DWG format update. Whether you agree with them or not, the fact remains that this upgrade came 5 years, not 3 years after the last one.

    Finally, while performance rather than security was the primary reason for the update, I do want everyone to be adequately prepared for the rapidly evolving cyber security environment that we’re encountering regardless of what software you’re using.

    Thanks and regards,

    Dieter

    • Maintaining that accurate perspective, you followed that up with this:

      “The word security refers specifically to emerging problems in many formats where criminal, mercenary, and state-sponsored hackers doctor data files in targeted software that execute code when opened (using buffer overflow and other techniques). Many of these vulnerabilities have now been closed.”

      Your emphasis was on the security aspect of the DWG change. We’ve not only challenged that aspect on multiple fronts without any response of substance, we’ve pretty much blown it to shreds. You’ve got nothing, or if you do have something, it’s not evident yet.

      Will any of the other alleged reasons behind the DWG change stand up to scrutiny? You’re right that I will indeed do some timings to find out.

  20. How long before some Autodesk yes-man tells us “A2018 security was improved by having no new feature : new features means new lines of code, thus risks of new security holes; no features, no holes, that’s a win-win !”…

  21. Dieter,

    thanks for asking, I’m doing fine 😉 And I am sure, you’re not taking this discussion personally. As Bill said, you’re brave to defend your company’s decisions here. You deserve highest respect for that.

    We’re beating a dead horse here as the change is already made. But just for the sake of argument, let me answer your post.

    Talking about “weaponized” file formats, there are only two ways to weaponize a file format: either the format allows it to contain auto-executable code or the main software reading the file contains security holes which can be triggered by certain file contents. In the latter case it’s the software maker’s duty to fix the bug. And in the case of code inclusion it’s the software maker’s duty to disable this feature by default and to create high borders to enable it.

    Next you’re saying that “3D solid and surface creation now uses the newest geometric modeler”. OK, but does a new modeler need to have a new data structure? With a well-defined data structure it shouldn’t matter which software reads or writes it. And if the modeler needs additional data objects, you could easily add them to the existing format. DWG is full of objects most software (including AutoCAD) has no idea about.

    Finally you talk about “improvements in the efficiency of open and save operations”. I agree that a bad data structure (or file format) may result in a huge lot of unnecessary operations. Optimizing for speed is not always good, though. But I guess your company has had lots of discussions with their clients on the question of speed versus dataflow continuity. So you decided for speed. Fine. Your choice!

    Kind regards
    Dietmar

  22. “A note from Autodesk:
    The DWG format has been updated to provide improvements in the efficiency of open and save operations, especially for drawings that contain many annotative objects and viewports. Additionally, 3D solid and surface creation now uses the newest geometric modeler (ASM) which provides improved security and stability.”

    Maybe I am reading this all wrong but it looks like there is definitely a problem with 3D Solids and Surface creation IN THE PRE -2018 Autocad SOFTWARE . Then What is it users SHOULD BE AWARE of? Just a concerned user.

    Hans. (By the way.. I like the 3d improvements, especially large models with small parts)

  23. Dieter Schlaepfer

    Hi Dietmar,

    What I’ve heard security experts recommend is not to rely only on a “perimeter” defense, but to have some overlapping security. People are very clever when they want to steal something. For example, one would assume that a 100 kilo gold coin would be completely secure in the Bode museum (from the details provided, I’m beginning to wonder whether it was a prank).

    In the case of the doctored DWG file that I used as an example, the person only *thought* they were opening the DWG file in AutoCAD. What actually happened was that simply double-clicking the file started the Paint.exe program (or any other arbitrary code).

    I suppose that people opening the DWG from the Start tab, Open button, etc. would be safe from this exploit. No, I don’t think this exploit has been closed yet–I’m not sure how it could be closed.

    Dieter

    • Hang on, are you saying the DWG executing something else example was just a Windows program association redirection? Doesn’t that apply to every single file on the entire system independent of its format? In which case, what does that have to do with changing the DWG format?

  24. Dieter Schlaepfer

    Yes, indeed. Or the “DWG” file can execute its own code. Or the DWG can contain shellcode that launches another executable. The point isn’t how cheesy or ubiquitous that the data file exploit is, the point is that it works.

    In AutoCAD 2018, addressing a potential security vulnerability was only a minor factor as I stated. In the future, I can easily imagine another format change that could include encrypted sections within a DWG that checks for parity, location, and other factors that can detect something unnatural or doctored in the file. As you probably know, a form of this concept is already present with digital signatures. Encrypted sections might include support for access control software, so that even if an unauthorized bad actor does obtain a DWG file, it will be useless to them.

    So, why do you think Google went to the trouble of creating this data file and URL checking service : https://www.virustotal.com/ ? Do you think they were stupid in doing so?

    Dieter

    • No, the DWG file can’t execute its own code. It relies on AutoCAD or another executable to do that.

      I can easily imagine Autodesk putting lots of stuff into the DWG format to make life difficult for both bad actors and competitors.

      No, Google isn’t stupid (not about this, anyway – it’s currently being really stupid about something else completely unrelated). Because of vulnerabilities in executables and some terrible design decisions by the makers of those executables (e.g. allowing macros into data files), data files can be used to trigger those vulnerabilities. The makers of executables need to fix the vulnerabilities, but as that is an ongoing and imperfect process, Google’s service can help.

      None of this gives any credence to the idea that security can be used to justify the DWG change, even as a minor factor.

  25. Dieter Schlaepfer

    Hans,

    >> Maybe I am reading this all wrong but it looks like there is definitely a problem with 3D Solids and Surface creation IN THE PRE -2018 Autocad SOFTWARE . Then What is it users SHOULD BE AWARE of? Just a concerned user.

    First off, I’ve done a lot of 3D solid modeling in AutoCAD and I haven’t run into problems (I also use techniques that reduce error buildup). The new ASM modeler likely includes fixed defects, is definitely pickier about the data, closes some security vulnerabilities, and is now the *same version* as that being used by Autodesk Inventor and Fusion 360, which assures better interaction between the products.

    Hope this addresses your concerns.

    Dieter

  26. Dieter Schlaepfer

    Steve,

    >>No, the DWG file can’t execute its own code. It relies on AutoCAD or another executable to do that.

    Wanna bet? 😉

    Dieter

  27. Dieter Schlaepfer

    And what makes you so sure that it’s really a data file?

  28. Hi, Dieter,

    an “executable” file in OS context has a clear header (called “PE” header in Windows, “ELF” on Linux etc.) – without such header, a file is a data file always & only …
    exceptions are only batch files / scripts for the OS (plain text files).

    (have a look into any .exe file, with a hex editor, or with notepad)

    No doubts, no OS at all will ever take a DWG file as an executable, but always as a data file only.

    many greetings to all !

    • “No doubts, no OS at all will ever take a DWG file as an executable, but always as a data file only.”

      Hi Torsten,

      this depends on how you define “OS”. You are a developer (or “integrator”) of a Lisp engine in BricsCAD, and in Lisp there is no difference between data and program code. Perhaps you remember the Symbolics computer, which was nothing but a Lisp engine.

      Since AutoCAD to some extent is an OS (it can execute LISP code), and since a DWG file can hold any kind of data including Lisp Code, you can’t tell apodictically that a DWG file is always a data file only.

      About in 1990 I developed a VitalLISP application for AutoCAD, which generated Lisp code from user data, stored that code together with entity data in a dwg file, and made drawing entities “executable”.

      It’s as simple as this: As long as Autodesk allows users and developers to store data in a dwg, a dwg is a potential security risk. No change of the dwg format can ever reduce this risk.

      Best regards
      Tom

  29. Dieter Schlaepfer

    Yes. But unless you’re paranoid, what two things would make you assume that an object in an email attachment, a folder, or your desktop is a DWG or a PDF file?

    • Dig, dig, deeper, dig. Go to the PhD software engineers you mentioned earlier, and try to explain to them your conception of an executable file, that’ll give them a good time. If they don’t laugh, it’s worse than we think.

  30. Dieter Schlaepfer

    Hi Torsten,

    Thanks for pointing this out. I only wish we were talking about an April fool’s joke, which this unfortunately isn’t. I can point you in the right direction or you can send me an email (dieters@somesoftwarecompany.com) for the details. I know that obscurity is no substitute for security, but it doesn’t hurt.

    Dieter

  31. Dear Dieter,

    also that “email attachment” security problem is not related to “execute a data file as executable” – in all such cases, data files are opened by an extra application (PDF viewer etc) which *assume* the provided command-line argument file would be valid file for this application.

    If that application does not correctly check the validity of the data file, and/or the file is corrupted by intention, then a memory/stack corruption can happen, which as result might be used to execute “foreign code” (the usual approach by hackers).

    But, to make the story short :
    a data file can never be made safe by itself – hence, Autodesk can not at all make DWG file format “safer”, that is 100% sure, no need to discuss this.
    And all security issue is then related to an application, loading/opening/processing such data files.

    I can understand that i.e. modeler data (ACIS/SPA data) are made more efficient inside DWG, for performance, and/or to unify with Inventor and similar.
    But “security” was & is definitely no reason for dwg format change.

    “But unless you’re paranoid, what two things would make you assume that an object in an email attachment, a folder, or your desktop is a DWG or a PDF file”
    just simple – I never click or doubleclick on it – I always store on disk, and will have a look into it with notepad.exe 🙂

    many greetings 🙂

  32. Dieter Schlaepfer

    So Torsten, regarding your comments . . .

    >> a data file can never be made safe by itself – hence, Autodesk can not at all make DWG file format “safer”, that is 100% sure, no need to discuss this.

    So, your point seems to be that if something cannot be made 100% safe, its security need not be improved.

    >>just simple – I never click or doubleclick on it – I always store on disk, and will have a look into it with notepad.exe

    Wow, you are far more cautious than anyone I know! But does this make you 100% safe? 😉

    So, back to my question: What two things would you assume would make someone who is obviously less careful than yourself believe that they are double clicking on a DWG or PDF file?

    Kind regards,
    Dieter

    • Hi, Dieter,

      “So, your point seems to be that if something cannot be made 100% safe, its security need not be improved.”

      I did not say this at all – so the wrong question 🙂

      I said, that security can not be improved “at the level of the *data* file” – it must be improved at the level of the *executable* file.

      Everything must be done & should be done at the place where it belongs to … not mixing apples with peas 🙂

      And I wanted to point out, that security can not be improved by Autodesk at the level of the dwg data structure (unless they completely expose the structure to the public !), as you mentioned that the new file format is (amongst others) caused by security reasons – which definitely it is not, regardless of what marketing people say.

      ” But does this make you 100% safe? 😉”

      Safer than anything else, at least – as I do not rely on mechanisms from external side … and no, not 100%;
      but why do you ask about 100% – is that the topic here ?

      But do Autodesk’s approaches provide 100% ?
      No, as well not … so another question which I feel is a kind of provocation 🙂 in positive sense 🙂

      “What two things would you assume would make someone who is obviously less careful than yourself believe that they are double clicking on a DWG or PDF file?”

      I don’t know – that simply depends on too many details :
      – are they using Windows Explorer or another tool
      – for Windows Explorer and similar tools, how it is configured (showing file extensions or not)
      – does it show file properties somewhere or not
      – most important : the origin of the file

      At least, neither the file extension nor the nice little icon in Explorer means anything at all … someone who relies on those details for his/her safety is never safe at all (regardless of what Autodesk is implementing, btw.).

      many greetings !
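
Added example (not part of any comment in this thread, and not code from Autodesk or any commenter): the points made above about PE/ELF headers, and about the file extension and icon proving nothing, written as a content check in Python. The DWG version tags are the publicly documented six-byte signatures at the start of a DWG file; the function names and sample bytes are constructed for illustration.

```python
import os
import struct

# Six-byte ASCII version tags found at offset 0 of a DWG file.
DWG_VERSIONS = {
    b"AC1015": "AutoCAD 2000",
    b"AC1018": "AutoCAD 2004",
    b"AC1021": "AutoCAD 2007",
    b"AC1024": "AutoCAD 2010",
    b"AC1027": "AutoCAD 2013",
    b"AC1032": "AutoCAD 2018",
}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, which simply fails the compare.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data: bytes):
    """Classify a file by its leading bytes only, ignoring its name."""
    if is_pe(data):
        return "executable", "Windows PE"
    if data[:4] == b"\x7fELF":
        return "executable", "ELF"
    tag = data[:6]
    if tag in DWG_VERSIONS:
        return "dwg", DWG_VERSIONS[tag]
    return "unknown", ""


def check(name: str, data: bytes):
    """Compare what the name claims with what the content is."""
    ext = os.path.splitext(name)[1].lower()  # the real, last extension
    kind, detail = sniff(data)
    if kind == "executable":
        return "BLOCK", f"{name}: content is a {detail} executable"
    if ext == ".dwg" and kind == "dwg":
        return "OK", f"{name}: DWG header, {detail} format"
    if ext == ".dwg":
        return "SUSPECT", f"{name}: named .dwg but has no DWG version tag"
    return "SKIP", f"{name}: not presented as a DWG"


def fake_pe_header() -> bytes:
    """Constructed sample: header bytes only, enough to be recognised as PE."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(stub)


# Constructed samples: (file name as received, leading bytes of the file).
SAMPLES = [
    ("site-plan.dwg", b"AC1032" + bytes(32)),      # 2018-format drawing
    ("legacy-plan.dwg", b"AC1027" + bytes(32)),    # 2013-format drawing
    ("invoice.dwg", fake_pe_header()),             # executable wearing a .dwg name
    ("site-plan.dwg.exe", fake_pe_header()),       # real extension is .exe
    ("broken.dwg", b"\x00\x00garbage"),            # damaged or not a DWG at all
]


def run_samples():
    return [check(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for verdict, message in run_samples():
        print(f"{verdict:8} {message}")
```

An OK verdict only says the first six bytes look like a DWG of a given version; everything after the header still has to be validated by the application that parses it, and a 2013-format file passes exactly as a 2018-format one does.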

  33. Well, this is fun, people. “AutoCAD 2018 – why did the DWG format change?” has shot up the charts into the top ten most-commented posts of all time (this is comment 50). Still nowhere near “AutoCAD 2013 – An Autodesk Help writer responds” with 164 comments, though.

    Dieter, I’m quite willing to bet. If you can email me a DWG file that spontaneously executes code without being read by an executable (e.g. AutoCAD), you can have a blog post here all to yourself to say whatever you like. If you can also show that the 2018 DWG change makes that situation any safer, you can have ten such posts.

    If you can’t do either, I get a blog post all to myself to say whatever I like on Autodesk’s AutoCAD blog. In each case, the “foreign” blog post gets treated just the same as the others on that blog and stays there, and visible, permanently. Deal?

    • “If you can email me a DWG file that spontaneously executes code without being read by an executable (e.g. AutoCAD)”

      Hi Steve,

      this would not be a big problem, if I get the chance to modify your OS so that a dwg file can be used as an executable. You even may provide a dwg file of your choice, and I need not even modify that to use that file as an executable.

      “Executable” is not a big word. Everything can be made executable, since everything can be interpreted as a symbol, and it only depends on the engine, which executes a symbol, HOW this symbol is interpreted. It is a simple principle of informatics that any data can be used to execute anything you like.

      Greetings, Tom

  34. Dieter Schlaepfer

    Steve,

    You know very well that I’m just an AutoCAD technical writer and cannot make “deals” concerning Autodesk.

    I did briefly consider emailing you a doctored data file that appears to be legitimate, but upon double clicking it, turns out to be an executable in disguise, executing some arbitrary code. But before I do anything like this, I always ask myself, “What would it look like if it were published on a front page by an ungenerous person.”

    “Autodesk Employee Sends Malware to Customer”

    Plus, there’s liability if it gets into the wild and is further modified. No, won’t do that either.

    But as I said previously, if you, Dietmar, and Torsten send me an email requesting proof of how this would work, I will respond to it. So far, none of you has, but I’m still willing. (dieters@youknowwho.com).

    Regards,
    Dieter

    • Dieter, every challenge you get on this 2018 DWG “security” claim has you backing off, dissembling and making excuses. It’s unlike you, and not a good look. But I’ve sent the email so I guess we’ll see if there’s any substance to it.

      The malware thing is a bit rich considering Autodesk already inflicts Akamai Download Manager on thousands of its customers every day.

    • For interested readers, Dieter’s response to my email gave links to publicly available information that described how a malicious party could make an executable that looks like a DWG file, or any other file for that matter. It won’t execute itself, of course, which is what I requested. You need to persuade the OS to run it by double-clicking on it, and then bypass any warnings the OS might throw up. If you do that, you’re then relying on your anti-virus software to save you (assuming it didn’t catch the file earlier).

      It’s an interesting diversion, but of course is an OS-wide issue completely unrelated to any security issues to do with the DWG format. To be fair, Dieter didn’t claim it was.

      I’m still waiting for any security justification for the DWG format change.

  35. Dear Dieter,

    for me there is a simple rule, since decades :
    never double-click on data file, relying on (potentially corrupted) Windows’ mechanisms – mainly, which executable to load/process that data file (but there are more mechanisms involved)
    => that all can be manipulated, in several ways.

    Personally, I always open the intended software myself, and then drag & drop the data file into that software ….
    not fool-proof, not 100% safe, but at least prevents a large range of such hacks, with virtually 0 efforts.

    Therefore, your intention to verify : a corrupted, manipulated file (which is an executable in fact), and/or a manipulated Registry to use a hacked executable to open the file can clearly show a security defect, no doubts …
    but all that is not at all related to “made dwg file format safer”, as dwg file format is not involved in your sample at all 🙂

    In general, if users become more “lazy” by using doubleclick on data/dwg file, instead of the “hard” way to open the CAD system (or any other) and drop the data/dwg file into … yes, as long those users will pay for their laziness, by reduced security …
    and Autodesk’s efforts can not help here at all – as it is a Windows matter.

    So I appreciate your offer, but personally no need for me – I know that such scenarios can work as you described.

    many greetings & a sunny weekend !

  36. Dieter Schlaepfer

    Steve,

    The 2018 DWG data format is more secure than earlier versions–I know this for a fact. I’m sure you’re aware that all security improvements are incremental, and this is such an increment that covers a subset of the data in a DWG file.

    In representing the improvements to AutoCAD 2018, I was careful to follow two principles when I wrote the description that I previously quoted: to be specific, and to accurately reflect the relative significance between each of the improvements listed.

    I know you’ve strongly disliked the Akamai Download Manager for years now, but download managers seem to be a fact of internet life. According to the Wikipedia article on Akamai, “Akamai’s content delivery network is one of the world’s largest distributed computing platforms, responsible for serving between 15 and 30 percent of all web traffic.”

    Torsten,

    >> So I appreciate your offer, but personally no need for me – I know that such scenarios can work as you described.

    Unfortunately, yes. And you’re also correct that spoofing a data file is a Windows vulnerability, not one that can be addressed by the DWG or any data format.

    What I was responding to was the incorrect assertion that “DWG files” could not possibly execute code. And they can also execute code within AutoCAD using buffer overflows (among other things), something that the AutoCAD security team continues to work on. And, of course, the bogus executable can launch AutoCAD along with a legitimate DWG file as a cover for itself.

    The most significant protections include digitally signing your data files using a Digital Signature Certification Authority, and also knowing where a data file came from.

    Thanks and best wishes as well,

    Dieter

    • >> The 2018 DWG data format is more secure than earlier versions–I know this for a fact.

      I invite you, again, to provide something to back this assertion. It had better be good; given the minimal substance behind what you’ve produced so far, I’m dubious in the extreme.

  37. Dear Dieter,

    all modern browsers can perfectly download gigabytes, even continue disrupted download sessions (as long as the server supports continuation).

    There is simply no need to enforce Akamai’s download manager at all !
    Stating that such download managers are “… a fact of internet life” is simply a wild guess, accepting bad logic & bad strategies 🙂
    And finally wondering about “corrupted security” ?
    It is the same story … “keep it simple” is the easiest + best approach for security, as a first & easy step.

    And also if Akamai has the widest reach (from Wikipedia) – that not at all means that it is
    a) a good download manager
    b) needed at all

    such download managers are in turn known to co-install tons of rubbish, being a security trap as well (the download manager & the co-installed rubbish).

    So why Autodesk does not offer a plain download parallel as well, so that users have a choice ?

    And, if Autodesk is interested in “security”, it should first of all get rid of any such additional & unneeded stuff – simply reducing the chance for hackers and corrupted binaries …

    So far, my cents on that part 🙂
    many greetings & a nice day !

    • Dieter Schlaepfer

      Torsten,

      Has anyone tested the relative speed between using a download manager such as Akamai and simply relying on a browser download?

      An internet search on “Akamai vulnerabilities” seems to indicate that Akamai at least claims to improve security–but I admit I’m not knowledgeable in the issues.

      >> Stating that such download managers are “… a fact of internet life” is simply a wild guess, accepting bad logic & bad strategies

      It’s not a wild guess, but yes, you’re right that I’m relying on its popularity rather than a technical rationale for using it. I’m assuming its popularity is primarily due to improved speed. If Akamai or other download managers do indeed “co-install tons of rubbish” or introduce security holes, I’d wonder why anyone continues to use them.

      >> So why Autodesk does not offer a plain download parallel as well, so that users have a choice ?

      I don’t know. Generally, I’m in favor of well-informed choice, whether it’s providing additional system variables to control behaviors in AutoCAD, a choice for using a download manager, a choice to purchase or rent software, support options, and so on.

      However, I also realize that there are significant factors that need to be taken into consideration. For example, Akamai might be a lot faster or more secure (again, I don’t personally know whether this is true).

      There are also human factors involved–speaking as a person who’s stubbornly clinging to Windows 7 and my thin and simple Motorola Razor flip phone. Go figure. 😉

      Dieter

      • Dear Dieter,

        >> If Akamai or other download managers do indeed “co-install tons of rubbish” or introduce security holes, I’d wonder why anyone continues to use them.

        Because many websites only offer downloads with such “enhanced downloaders” – they are “popular” for providers to transport commercial advertisement, but not necessarily popular by users … and especially not as those provide more functionality;
        but if you have only 1 choice, then what to do ? 🙂

        Exactly as Autodesk does – no choice …
        hence, what you state is a kind of “self-fulfilling prophecy” 🙂

        And such bad strategies will not end, if big providers like Autodesk do not change here to provide a choice – like for the subscription strategy 🙂

        many greetings & a nice evening !

        • Dieter Schlaepfer

          Torsten,

          >> Exactly as Autodesk does – no choice … hence, what you state is a kind of “self-fulfilling prophecy”

          Ok, fair enough. But what about speed and security–how much faster is Akamai if at all, and I wonder whether infosec organizations have made a security assessment of using Download Managers such as Akamai.

          I know that Steve’s IT folks are strongly against using Akamai because they report that it takes significant advantage of his company’s resources (how much impact, I don’t know). We’re getting a bit off-topic, but I can’t help wondering whether anyone here has some solid information (which I’ll be happy to convey).

          Kind regards,
          Dieter

          • Dear Dieter,

            indeed, a bit going off-topic … nevertheless interesting enough 🙂

            >> But what about speed and security–how much faster is Akamai if at all, and I wonder whether infosec organizations have made a security assessment of using Download Managers such as Akamai.

            I think, there are many aspects :

            a) if you have a good connection, then download manager *might* be a bit faster (using parallel streams) … if the server allows this;
            if you have a poor connection, then it doesn’t matter at all; even “continue download” depends on the server, not on download manager, and even browsers support this

            b) for security : as less external, and “unknown” foreign software (like Akamai) is involved, as better for security and user … “less is more” & “keep it simple”

            c) what, if such enforced download manager like Akamai does not properly install on a given machine, if the AV software incorrectly flags Akamai as virus, and whatever reason there might be that Akamai does not run ?
            Then, user has no chance to download …
            => here, Autodesk should offer a classic download link for their own & user’s comfort – but they don’t, and *this* makes me wonder …
            but it perfectly fits in the large range of similar faults / intentions by Autodesk … so I do not wonder anymore 🙂

            d) additionally, the Akamai is not only permanently on disk – but permanently running in background !!
            Have you seen how many software installations install such permanent background stuff ?
            Strictly spoken, such behaviour is close to be illegal
            (and I have my experience here, believe me);
            usually none such installations ask for permission to install such permanent background task – and this is “changing user’s machine without their willingness” …

            e) any more involved (and permanent software) is also a security trap as well … so far for Autodesk’s concerns about security …
            if they really want, then they should get rid of any such extra, unwanted, unnecessary stuff …
            good old rule “keep it as simple as possible, as complex as necessary”

            >> We’re getting a bit off-topic, but I can’t help wondering whether anyone here has some solid information

            No, and I even don’t want to have such details 🙂
            As I personally follow my rules : no unneeded extra stuff at all … all that stuff I really need is complex enough, and any extra (background) software can only provide damages, not advantages …
            and I decide what is allowed to run permanently or not; and not a software provider / download manager …

            >> because they report that it takes significant advantage of his company’s resources (how much impact, I don’t know).

            And that is the key point – it does *not* matter whether it effectively uses small, many, many many, or many many many resources – it does take resources, but does not provide any useful functionality to user – so why a user should keep it ???

            What would you say if I install tons of nonsense on your machine and tell you “it does not harm, usually” … strange logic, right ?
            Same for Akamai …
            funny question : why does Akamai not uninstall itself, after downloading ? Would be a safe + clean approach …

            many greetings & a nice evening !

          • My experience with Akamai is that if you allow it onto your system and it actually runs, it takes days to do what takes minutes without it. A non-Akamai download manager application (e.g. Free Download Manager) will reduce the number of minutes further. However, some people use the Akamai DLM successfully and achieve good download speeds: YMMV.

            The Akamai NetSession Interface DLM has a history of doing sneaky malware-like things, including setting itself up as a peer-to-peer server, i.e. your bandwidth is being used in the background to save Akamai money, without your explicit permission. Akamai has defended this as a legitimate way of doing business. Previous DLMs have also resisted attempts to uninstall it by providing misleading scare screens and even leaving behind stubs that reinstall it, and other unconscionable things. As it stays installed and active, it provides a backdoor vulnerability that simply doesn’t need to be there. This is not the sort of thing that anyone should allow near their computers.

            An Autodesk person I discussed this with a few years ago claimed that Autodesk’s Akamai DLM-based downloads at that time have the peer-to-peer thing turned off. Based only on the apparent honesty of that person in our private discussions, I believe this was true at the time. Others may be less trusting. As for the situation now and in the future, there are no guarantees that the peer-to-peer switch won’t be flipped back on to save Autodesk a few cents in hosting costs.

            With or without the peer-to-peer stuff, Autodesk is doing its reputation no good by inflicting these executables on its customers. Just because other companies (e.g. Adobe) are equally culpable doesn’t make Autodesk’s actions right. No excuses; this is downright nasty.

  38. Dieter Schlaepfer

    Torsten,

    Admittedly, I know little about CDNs, but in such situations, I like to look at both sides of the question. Here’s what I found:

    Akamai claims greater security
    https://www.quora.com/What-does-Akamai-do-exactly

    Amazon.com uses Akamai
    https://www.quora.com/Why-does-Amazon-use-Akamai-CDN-instead-of-its-CloudFront

    Cisco partners with Akamai
    http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/intelligent-wan-akamai/solution-overview-c22-733534.html

    IBM partners with Akamai
    https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.dsm.doc/c_dsm_guide_akamai_kona_overview.html

    Microsoft partners with Akamai
    https://azure.microsoft.com/en-us/blog/microsoft-and-akamai-bring-cdn-to-azure-customers/

    Presumably these companies also have many customers and know what they’re doing, right?

    Regards,
    Dieter

  39. Dear Dieter,

    why do you rely on statements of such companies ? They all might have their very special reasons to use Akamai (indirect income from commercial advertisement etc., and all the stuff mentioned by Steve).

    Again : only because something is widespread does not at all mean that the stuff in question is good or positive – it only means that all participating parties have their own reasons
    (“don’t ask the wolf about the sheep …”)

    And as we all know, even big companies make big mistakes …
    so imho, it does not matter at all, whether those big companies use Akamai or whatever …

    Did you ever expect that Akamai will tell you the real truth (if ever they do know about ?) like “maybe we are unsafe, reside permanently on your system …” (btw., for what reasons at all ?).

    Personally I better rely on my own thinking about it, and rely on some more logical reasons to do something or not …

    And again – there are many good download managers available from Open/Freeware community – every user can use it, if a plain download does not work well.

    And again – if Autodesk intends to provide security, they should provide alternatives … “mono-culture” is never good …
    assume, Akamai download manager would get infected ? Then Autodesk would spread it …
    all this is not theoretical, but happened many times … and I remember the “excuses” from those big players, afterwards, when it was too late …

    many greetings 🙂

  40. Dieter Schlaepfer

    Torsten,

    I’m sure the customers of Amazon, Cisco, IBM, Microsoft and others asked similar questions and for similar assurances. I’m also sure their executives have had to justify their decision to continue with Akamai. In any case, I wouldn’t characterize these companies as “wolves” and their customers as “sheep.”

    As I said, I know very little about download managers, and I don’t have much of an opinion about them. If download managers are faster and more secure, then I’m for them. Maybe you could find out if Amazon, Cisco, IBM, Microsoft, and others have encountered criticism (or praise) for going with Akamai. It would be interesting to know whether there are widespread complaints.

    Kind regards,
    Dieter

    • It’s important here to avoid conflating companies “going with Akamai”, for example using their services as a CDN, with “inflicting Akamai’s notorious NetSession software on their customers”.

      Yes, various companies have indeed encountered criticism for inflicting Akamai’s notorious NetSession software on their customers. Even if they hadn’t, that would not invalidate the criticism Autodesk has received for its Akamai download mechanism from me, various commenters here and many other customers, including various Autodesk Expert Elites and other highly knowledgeable users on your own forums.

      It’s common knowledge among your smartest customers that Autodesk’s primary download mechanism sucks donkey balls and should be avoided like the plague. Valid criticism is valid criticism. Cop it on the chin.

      • “It’s important here to avoid conflating companies “going with Akamai”, for example using their services as a CDN, with “inflicting Akamai’s notorious NetSession software on their customers”.”

        I think this is the core of the matter. To Autodesk it’s probably not about blessing customers with another breathtaking download manager, it’s about using Akamai’s CDN infrastructure to get their stuff shipped.
        I could arrange with that, but seeing Akamai’s processes being active all the time and probably adding my computer and bandwidth to its CDN is nothing I have been asked for. And I would definitely refuse that.

  41. Dear Dieter,

    just a small correction :
    “In any case, I wouldn’t characterize these companies as “wolves” and their customers as “sheep.”

    Sorry if I got misunderstood 🙁
    What I mean is this :
    if you ask the wolf on his opinion about sheep, you will get the answer of a wolf 🙂
    Hence, I do not ask a wolf about sheep – I know that answer upfront 🙂

    many greetings !

  42. Dieter Schlaepfer

    Thanks for clarifying, Torsten. I understand.

    Because I don’t know much about Akamai, I asked one of our software development managers about Akamai and peer-to-peer resources. Here’s what he wrote me:

    “I appreciate the specific question – few people understand that Akamai NetSession peer sharing is configurable. The direct answer is yes, our implementation excludes peer-to-peer operations.”

    “A slightly longer answer: Akamai NetSession offers the means to opt-out of peer-to-peer file sharing, and we do opt-out. There are two Autodesk utilities that use Akamai NetSession: Install Now and the Autodesk Download Manager. This answer applies to both: Neither version ever implemented file sharing. Please note carefully that many other applications install Akamai NetSession, so there exists a chance that it may be enabled by a non-Autodesk product.”

    The last point that he made is significant. Also, when I met with him this morning he drew a simple diagram that represented how Akamai works on a high level. One question that I had was about peer-to-peer downloading. I wanted to know whether it was possible to configure Akamai to restrict the domain of users, and the answer was no. This is another reason why customers such as Steve expressed concern and as a result we continue to exclude peer-to-peer operations.

    As a result of our conversation, he’s considering posting a more technical Autodesk blog article to dispel some of the more common misconceptions about Akamai and other download managers.

    Hope this helps.

    Kind regards,
    Dieter

    • Dieter, thanks for looking into this and confirming that the peer-to-peer switch is currently turned off in Autodesk downloads. There is, of course, no guarantee that it won’t be deliberately or accidentally turned on silently at some point in the future. Even with such a guarantee, I would still consider Autodesk’s Akamai downloads as way too high a security risk to even contemplate using.

      • Dieter, you might also like to have a word with your legal people to see why they find it necessary to include this in the AutoCAD EULA:

        “Autodesk download technology may use the Akamai NetSession Interface, which may utilize a limited amount of your upload bandwidth and PC resources to connect you to a peered network and improve speed and reliability of Web content. The Akamai NetSession Interface is secure client-side networking technology that harnesses the power of your computer to deliver software and media available on the Akamai network. Your Akamai NetSession Interface works collectively with other Akamai NetSession Interfaces, along with thousands of Akamai edge servers, and runs as a networking service utilizing a limited amount of your computer’s available resources. More information about the Akamai NetSession Interface is available here: http://www.akamai.com/client. By clicking “Accept” and using the Autodesk download technology, you accept the Akamai License Agreement (http://www.akamai.com/eula) in addition to the Autodesk License and Service Agreement.”

        This is a pretty clear statement. If I use an Autodesk/Akamai DLM, according to the EULA I am giving permission to Akamai to do pretty much whatever it likes, specifically including setting up my PC as part of a peer-to-peer network and auto-updating its own software without further permission. Anything at all Akamai feels like allowing itself at any time in the future is also specifically granted by the Akamai EULA. By using an Autodesk download, it’s total open slather, both technically and legally. Literally anything goes.

        Why does Autodesk include the above clause if it has no intention of taking advantage of it? And no, “we just copied and pasted it, other companies do it too” is not an acceptable answer.

        • Dear All,

          reminds me about BOT networks … exactly same technology 🙂
          And if the bad guys hijack Akamai, then they have a perfect infrastructure …
          So far about security by Autodesk … trust the facts, not the words ….

    • You might also want to ask your software development manager to have a look in the Autodesk desktop app section of “the place I don’t post any more” and comment on what’s being said there.

  43. Dieter Schlaepfer

    Steve,
    >>Dieter, thanks for looking into this and confirming that the peer-to-peer switch is currently turned off in Autodesk downloads.

    Certainly. And for the foreseeable future it will remain off due to strong customer aversion. The only thing that I could see that might change this would be if Akamai provided the ability for customers to *voluntarily* designate a limited domain of internal computers. But even so, I’d worry about security as you would probably predict.

    >> Dieter, you might also like to have a word with your legal people to see why they find it necessary to include this in the AutoCAD EULA

    Based on a similar discussion that I had with them regarding the cloud service agreement, which I’m sure you remember, I know what the answer will be. Legal teams will write into service agreements Every Possible Advantage often using legal terms that have specific technical meanings in court. In my research on those agreements, I checked those used by several well-known companies including IBM and found similar language. The bottom line is that companies don’t want to lose cases in court, but also realize if they actually perform/abuse some of the actions granted to them, they will find themselves dead.

    While you or your IT folks might find this unacceptable, it’s a fact of life in our litigious environment, and it’s likely you will find similar language in the [redacted]’s legal agreements and disclaimers.

    Yes, I did forward the CC comments by BB, which are very well researched and explained.

    Torsten,
    Yes, we’re acutely aware of security risks and we’re continuously working to stay on top of the latest vulnerabilities as well as *incrementally* hardening our products, as I’m sure Akamai needs to do if they want to stay in business. That’s not to say a breach can’t occur, as has occurred with many companies and virtually all government agencies. That’s why I strongly advocate access control, digital signatures, and encryption.

    >> So far about security by Autodesk … trust the facts, not the words ….

    What do you have in mind specifically?

    Kind regards,

    Dieter

    • Paraphrased discussion:

      Steve: Autodesk was not being an asshole with Akamai’s peer-to-peer malware a few years ago but could be now or in the future.
      Dieter: I’ve checked, and Autodesk is not currently being an asshole in that way.
      Steve: Thanks for checking, but there’s nothing to stop Autodesk being an asshole in that way in future.
      EULA: Autodesk can be an asshole whenever it likes, and so can Akamai! Up yours!
      Steve: Your EULA is being an asshole.
      Dieter: That’s its job.

  44. Dear Dieter,

    >> Yes, we’re acutely aware of security risks and we’re continuously working to stay on top of the latest vulnerabilities as well as *incrementally* hardening our products, as I’m sure Akamai needs to do if they want to stay in business. That’s not to say a breach can’t occur …

    I can give you a tip how to perfectly improve security here :
    don’t use Akamai at all … use plain download, that’s all (like majority in this world does – enforcing a DLM is the absolute minority on the planet [mainly by big players – why ??]);
    as long as Autodesk does not return to engineer’s good old rule “keep it simple”, then we put resources into problems, triggered by such wrong strategy …

    >> we’re continuously working to stay on top of the latest vulnerabilities as well …

    and that is a key point – such Akamai defects (or hijacked Akamai defects) are out of your reach – it does not matter what Autodesk does here, if the defect is outside their reach & control … so these are only well-sounding words !

    >> That’s why I strongly advocate access control, digital signatures, and encryption

    yes, to fight against problems, triggered by using inappropriate technology like Akamai … I would prefer : prevent such technology which has no advantage to users (only to Autodesk & Co) !

    >> trust the facts, not the words

    🙂 See the 2,3 discussion points above – fact is : Akamai is used, including the rights to misuse client’s machine, without any chance to be rejected by user – regardless whether it is actually used or not (“don’t ask the wolf …”);
    and to put legal statements as explanations only shows, how weird the entire topic here is ! Don’t you think that something is wrong then ?

    Only to be on legally safe side … aha
    But what if Akamai does misuse the user’s machine ? Then Autodesk is safe – not the user !! A court could still claim “user is responsible to take care that the software on *HIS* machine does nothing bad …”
    great deal for the users … would Autodesk then help those users in court ?
    I really doubt …

    Always making things more complicated to struggle against problems introduced by previous step of technology ?
    Imho, clearly the wrong way …

    >> While you or your IT folks might find this unacceptable, it’s a fact of life in our litigious environment, and it’s likely you will find similar language in the [redacted]’s legal agreements and disclaimers

    Yes, the bad old logic, as always … do we accept murderers, only because they are there ?
    So why do we accept (and why do such big players) such bad logic here ?
    I guess you would get angry if your daily bakery would give you such an answer “we do it because the other bakery does it as well …” – if the bread does not taste ?
    Why is it allowed to use such a strange, weird logic here ?
    It is only a fact of life, because such big players drive it into such direction – not because users want it, but because the big players want it (for whatever strange reasons) !

    I’m not stupid, I know how the world goes … but it does not mean that it is valid, and we should do our best to stop bad strategies, not to accept them only because they are in reality …

    Of course, there are always reasons to explain why Autodesk did this & that … (“don’t ask the wolf …”) and we will always get whatever reasons to explain it – like in this debate …
    but the only point that matters is – what is behind !
    a) does it help the users (those paying Autodesk) or not
    b) does Autodesk focus on users’ interests or on own interests – what is the priority ?

    following this, you can perfectly see “the words & the facts”, and build your own opinion …

    many greetings & a sunny evening !

    P.S: sorry for philosophy … but sometimes, looking at detail only prevents the overall view … and both sides are necessary.

  45. Dieter Schlaepfer

    Steve,
    I’m sure you’ll find this amusing. Last night about this time, I was having a hard time with my internet connection speed at home. My DSL is pathetic to begin with, but this was really bad. Then I noticed that my router still stayed busy when I wasn’t doing anything, so I fired up Net Limiter to see what was going on.

    Imagine my surprise when I saw Akamai NetSession running under Autodesk Application Manager! Naturally, I thought, WTF (Where’s This From)?

    Remembering what I learned a few days ago about NetSession, I scanned my other processes and saw that NetSession was being called from my Garmin app that downloads map updates (yes, I’m geographically challenged).

    Next, I verified that Garmin does indeed use Akamai’s NetSession option so I killed it in Net Limiter (several times), and then my connection speed improved by a factor of four!

    This confirms that while Autodesk does NOT enable Akamai’s NetSession nor has any intent to ever do so, it cannot exclude Akamai NetSession if it’s been enabled by another app. That’s the catch. You have to remove ALL apps that have NetSession enabled or the others will use it.

    Torsten,
    Maybe you can answer your own question why many companies such as IBM, Amazon, HP, ESPN, Adobe, NBC Sports, NASA, etc. use Akamai. Do a little research and please let us know what you find out. No more “philosophy,” ok? Just facts.

    Simplicity does not automatically assure safety or reliability. In general, would you be safer flying in a modern passenger plane or one from the 1930s? Is a model T Ford more reliable than a modern car?

    Kind regards,
    Dieter

    • Thanks for the story, Dieter! I think your experience shows why people distrust Akamai NetSession. Your bandwidth was being used without your explicit permission. You had to go to some effort to stop it happening. Both of these are malware-like, and either is enough to put the software on my brownlist.

      What’s Autodesk Application Manager doing on your PC? Hasn’t it updated itself to Autodesk desktop app? Either way, the Autodesk software should have an off switch that prevents its use of the NetSession software. Just because another app is running it should not be assumed to be permission for the Autodesk app to use it.

      But yes, the solution is to completely eliminate Akamai NetSession, no matter what the source. If only Autodesk would do so…

      Again, be careful to avoid confusing “using Akamai” with “installing Akamai NetSession with every download”. How many of those companies do the latter? As for why they do it, I’m sure the reason is financial. The only reason I can see for Autodesk doing it is to get its hosting costs from Akamai reduced. That happens, right?

      I’m not sure how big the saving is, but I am sure it’s not worth it. For Autodesk to spend a billion dollars a year on marketing and then make it impossible, difficult or inadvisable for people to download demo versions of its software is idiotic.

  46. Dieter,

    >> Maybe you can answer your own question why many companies such as IBM, Amazon, HP, ESPN, Adobe, NBC Sports, NASA, etc. use Akamai. Do a little research and please let us know what you find out.

    this is EXACTLY what I will NOT do !
    why shall I spend my time, finding out what big players *SAY* about why they use Akamai (and having no chance to verify whether it is the truth what they *SAY*, or just marketing rubbish !) – I mentioned already, they will tell you tons of (whatever) reasons;
    as I said, don’t ask the wolf …
    what I will DO is to see the results – and the result is that such big players use Akamai, which clearly is not in users’ interest, but only in companies’ – (mis)using clients’ machines for *their* purpose – unacceptable, period.

    And that is a fact ! Philosophy is only to explain the logic behind !
    And it is also a fact, that no user really needs or wants Akamai – why do those big players not follow their users’ interests, but prefer their own ?
    That is the only point which matters, imho.

    And to correct you – it is not necessary to uninstall all those applications; uninstalling Akamai should be enough, together with a search on local disks (and services), to find potentially surviving parts of Akamai and to delete it.

    Why do you repeat to say “see what the others do …” – that is neither an argument by itself, nor a valid approach at all … that is the point where I counterstrike, it is invalid logic, which perfectly allows to explain everything.

    >> Simplicity does not automatically assure safety or reliability …

    right, I agree … but this does not mean the opposite would be true 🙂
    I said, that it would be better to use a more simplified approach (involving less technology), when it is proven that this particular piece of software is (potentially) bad ….
    I said “as simple as POSSIBLE, as complex as NECESSARY”, an old engineers rule;
    but it seems, such delicate, but important details are too often overlooked 🙁

    >> This confirms that while Autodesk does NOT enable Akamai’s NetSession nor has any intent to ever do so

    No – neither of both !
    It only confirms that Autodesk (potentially !!) does not enable that stuff in Akamai at this moment ! But what the future will bring, nobody knows …
    and have you verified *any* Autodesk software about ? Likely not …
    so why do you claim such assumptions as facts ?

    See the “never enforce subscription only …” stated some years ago ?
    The same truth & look into future ?

    About philosophy … as this discussion shows, looking *ONLY* at deeper & deeper technical details (and 50% marketing statements !!) does not really help to explain the whole picture … hence, stay a bit away to see it from a wider view …

    many greetings & a nice weekend
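
Added example, not part of the thread or any commenter's code: a read-only PowerShell audit for the check discussed in the comments above (running NetSession processes, the sockets they hold open, services, autostart entries and leftover folders). It assumes the components carry "Akamai" or "NetSession" somewhere in a name or path; that pattern and the function name `Find-NetSessionTrace` are illustrative.

```powershell
# Added example: read-only audit, nothing is stopped, changed or deleted.
# Assumption: NetSession components carry "Akamai" or "NetSession" in a name or path.
function Find-NetSessionTrace {
    param([string]$Pattern = 'akamai|netsession')

    # 1. Running processes whose name or executable path matches
    $procs = @(Get-Process | Where-Object { $_.Name -match $Pattern -or $_.Path -match $Pattern })
    foreach ($p in $procs) {
        [pscustomobject]@{ Kind = 'Process'; Name = $p.Name; Detail = "PID $($p.Id) $($p.Path)" }
    }

    # 2. Sockets those processes hold open; a listener is what serving peers requires
    $procIds = @($procs | ForEach-Object { $_.Id })
    if ($procIds.Count -gt 0) {
        Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $procIds -contains $_.OwningProcess } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'TcpListener'; Name = "$($_.LocalAddress):$($_.LocalPort)"; Detail = "PID $($_.OwningProcess)" }
            }
        Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
            Where-Object { $procIds -contains $_.OwningProcess } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'UdpEndpoint'; Name = "$($_.LocalAddress):$($_.LocalPort)"; Detail = "PID $($_.OwningProcess)" }
            }
    }

    # 3. Installed services (survive reboots even when no process is running now)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = "$($_.State)/$($_.StartMode) $($_.PathName)" }
        }

    # 4. Autostart entries in the per-user and machine-wide Run keys
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            if ("$($prop.Name) $($prop.Value)" -match $Pattern) {
                [pscustomobject]@{ Kind = 'RunKey'; Name = $prop.Name; Detail = "$key -> $($prop.Value)" }
            }
        }
    }

    # 5. Scheduled tasks, one place a reinstalling stub could be registered
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object {
            $exe = ($_.Actions | ForEach-Object { $_.Execute }) -join ' '
            "$($_.TaskName) $exe" -match $Pattern
        } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'ScheduledTask'; Name = $_.TaskName; Detail = $_.TaskPath }
        }

    # 6. Leftover top-level folders in the usual per-user and machine-wide install roots
    $roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData,
               $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ -and (Test-Path -Path $_) }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'Folder'; Name = $_.Name; Detail = $_.FullName }
            }
    }
}

# An empty result means no matching trace was found for the current user and machine scope.
Find-NetSessionTrace | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Run it once per user profile, since the Run key and the per-user folders are checked only for the account that runs it.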

  47. Dieter Schlaepfer

    Steve,
    Yes, I agree. For example, Google apps must each obtain explicit permissions. They are not assumed, and I don’t automatically grant them to every hopeful app when they clearly don’t need them. Apparently, Akamai doesn’t do this. It uses NetSession for all your applications that use their download manager if just one of your applications has enabled it. That’s why, even though Autodesk excluded NetSession, my internet connection speed was brought to its knees last week until I killed the process. In my case, Garmin was the culprit, and I plan to complain to them.

    >> What’s Autodesk Application Manager doing on your PC?

    Heh. That’s exactly what one of our software managers asked me when I shared my experience with him. A few years ago, I purchased a perpetual license of AutoCAD on my home PC for my personal projects, one of which is a commercial product related to your favorite sport, incidentally.

    Kind regards,
    Dieter

    • Actually, Autodesk is also the culprit because its software is using your bandwidth without permission. It shouldn’t do that, period. Akamai’s technical SNAFUs and unconscionable business practices are no excuse; Autodesk chooses to use the software and needs to wear the criticism. So I hope you plan on complaining to Autodesk too.

      Perpetual licenses are wonderful things, aren’t they?

  48. Dieter Schlaepfer

    Already done, Steve.

    Obviously, Autodesk uses Akamai’s servers for download speed while trying to opt out of Akamai’s peer-to-peer mechanism. That the P2P operations are nevertheless still happening for the reason that I provided is disturbing. This is why I provided the tip. Also, note that I can’t make any promises, but I can assure you that I’ve passed along my experiences.

    As for software subscriptions, they are actually a *much* better arrangement for the majority of businesses when you consider ALL factors. But I see that you have another article on that subject.

    Kind regards,
    Dieter

    • Glad you’ve complained. I hope your feedback has a better chance of success than mine.

      You’re entirely wrong about software subscriptions, at least in Autodesk’s case. The market has proven you wrong. Twice. That’s why Autodesk had to get heavy handed the third time and remove the perpetual license alternative. Despite the strongarm tactics and a huge marketing effort, Autodesk is still really struggling to sell the idea. Why would that be? Are we too dumb to see the benefits? Or are we too smart to be conned?

      If you think you can come up with some factors that haven’t yet been considered, feel free to add your thoughts to one of the many posts here on this subject. I would suggest Autodesk license costs options – summary 2. Take your bullet-proof vest. 🙂

  49. Dieter Schlaepfer

    Steve,
    >>Glad you’ve complained. I hope your feedback has a better chance of success than mine.

    Yes, we’ll see what Garmin says. Interestingly, NetSession seems to be leaving me alone. I’m hoping it’s because its analytics determined that using my pathetic bandwidth at home results in too many errors and slowdowns. Maybe I can get one of my sons to program something like NS Epoxy™, which will erratically slow down, slightly alter, or encrypt outbound NetSession data. 😀

    At Autodesk, customer feedback has a greater weight than my opinion, as it should. As a result, I have to validate my proposals, as you will see over the next few days should you visit the AutoCAD Customer Council.

    >> Are we too dumb to see the benefits? Or are we too smart to be conned?

    No, it’s because you’re not aware of “the big picture” (as they used to say at General Electric when I worked there). If you had a background in accounting or finance, you would recognize the dynamics of opportunity cost. Try this. Ask a finance person or accountant at [redacted] why they prefer leasing office space long term rather than owning it. Or office furniture. Or computers. However, accept what they say–if you press them too hard on why these rules exist, they tend to get depressed and suicidal. 😉

    Ok, gotta get to work. I’ll see about adding something enlightening on your License Costs post.

    Kind regards,
    Dieter

    • Actually, at [redacted], the office space and furniture are owned. Because it works out cheaper that way in the long term, looking at the big picture. I think it’s the same with the computers, but there’s some kind of corporate supply & support deal going on so I can’t be certain.

    • Chris Schildmeier

      I don’t expect many accountants or finance people would suggest that you sell office space and or furniture that you already own back to who you bought them from, assuming you plan to stay in business anyway.

      Especially with the knowledge that the plan is that those people are just going to turn around and rent said office space and equipment back to you, at a higher cost.

  50. Dieter Schlaepfer

    Ok, fair enough. Here’s a couple of random articles that address the issue of owning versus renting business equipment:

    Computers
    https://www.entrepreneur.com/article/80230

    Furniture
    http://www.ltdofficesolutions.com/blog/lease-v-buy/lease-v-buy-whats-your-best-option/

    They cover some of the same considerations, but not all. Software is not the same as furniture, of course. There are some additional important points to consider, at least from my perspective. I’ll post these soon.

    Kind regards,
    Dieter

    • Link 1: “Ultimately, leasing is almost always more expensive than purchasing.”

      Link 2: “The downside is that leasing is almost always more expensive than buying furniture.”

      Well, yes. Got any other convincing arguments? 😉

    • Yes, leasing can make business sense under some circumstances, depending mainly on the cashflow and local taxation situations. But leasing isn’t necessarily just rent-to-use. Depending on the contract, you can end up owning the item at the end of the contract period in exchange for a final fee. This is common with vehicle leasing, for example. Autodesk isn’t offering that option.

      Link 1: None of the pros apply to the Autodesk maintenance v subscription comparison because the situation with those factors is identical under both schemes. So you’re left with all cons and no pros.

      Link 2: Again, none of that applies. The initial cashflow argument once would have, but even that is now irrelevant. Because Autodesk no longer sells software, decision-making between maintenance and subscription applies only to those who have already purchased perpetual licenses (possibly many years ago) and overcome any cashflow issues back then. Again, all cons and no pros.

      You’re making my argument for me here. Thanks!

      Still struggling to see what part of the big picture I’m missing. It all seems pretty straightforward from here. Renting something you already own is a bad deal.

  51. Dieter Schlaepfer

    >> Yes, leasing can make business sense under some circumstances, depending mainly on the cashflow and local taxation situations.

    Exactly. But there’s much more to it.

    So this is probably a good place to segue to the topic you suggested:

    http://www.blog.cadnauseam.com/2017/03/16/autodesk-license-costs-options-summary-2/

    See you there! 😉

    Dieter
