Microsoft Stops New Work To Fix Bugs

An Anonymous Coward writes: "According to this article at Government Computer News, Microsoft has announced a month-long moratorium on new coding, as part of its Trustworthy Computing Initiative. Richard Purcell, director of the company's corporate computing office, said, 'We are not coding new code as of today' [Feb 1, 2002] 'for the next month.' The idea seems to be that Redmond will spend the 28 days of February patching bugs in existing code. Is this a hoax, or maybe just marketing hype? The web site looks to be legitimate."
This discussion has been archived. No new comments can be posted.

  • by October_30th ( 531777 ) on Saturday February 02, 2002 @04:21PM (#2942970) Homepage Journal
    Oh, you mean Linux 2.4 kernel?

    Yeah, introduce a new VM in the middle of code freeze. That's a way to go!

  • Re:February? (Score:2, Interesting)

    by gmhowell ( 26755 ) <gmhowell@gmail.com> on Saturday February 02, 2002 @04:29PM (#2943031) Homepage Journal
    Now you sound like the people who complain that Black History Month is the shortest in the year.

    Well, lookie here [slashdot.org].
  • Impossible!! (Score:2, Interesting)

    by sinserve ( 455889 ) on Saturday February 02, 2002 @04:30PM (#2943036)
    Debugging is part of testing, and is an iterative
    process.
    Tester feedback is the best way to debug a system,
    when QA is an issue. But for a ship-and-let-lusers-pay-for-beta
    company like microsoft, they need to *listen* to
    user feedback.

    Here is the catch: Even if microsoft devotes all its
    time, throughout the month for debugging, users will
    not be doing that!

    So, if they are not soliciting user feedback, how
    are they doing it? Heuristics?

    My first guess is, they have heaps of bug reports
    that they need to go over and fix.
    But halting all development is not the way to do it,
    they childishly jumped the gun this time, simply
    because ALL developers do not debug.

    Similarly, there is no "wipe your ass day",
    wiping your ass should happen every time you take
    a shit.

    So, it is either a stupid decision, or a YAPR move.
  • by Catiline ( 186878 ) <akrumbach@gmail.com> on Saturday February 02, 2002 @04:35PM (#2943068) Homepage Journal
    Gee, a whole month of no new code to find bugs.
    Hmm, how much code was that they had to go over again?

    Assume a programmer can read and perfectly debug 100 lines of code an hour. For every 2 million lines of code, it will take 125 programmers to finish within the one month period (4 40-hour work weeks). Hmm. They might do it, given overtime and plenty of workers, but it assumes the debugging process is perfect.

    Of course there's another way this might work- if they have a huge backlog of known bugs. On second thought, that can't be- this is Microsoft, surprised with each new Outlook-enabled virus! </sarcasm>
  • Re:todo list (Score:2, Interesting)

    by dzym ( 544085 ) on Saturday February 02, 2002 @04:36PM (#2943075) Homepage Journal
    • Good, let's move to using a separate config file per program. That'll do wonders for system integrity and coherence.
    • NTFS [microsoft.com]
    • Um. Auto-update is different from sticking "apt-get update && apt-get upgrade" into a cron job how? The default setup for installations is to ASK you in what manner you want your updates delivered, and the FIRST and DEFAULT choice is to hold the updates for your approval.
    • Office Product Updates [microsoft.com]. Use those security patches to your advantage, roll them out in administrative installs over the network. Go hog wild.
    • Tried this recently? [microsoft.com] Default settings are based on IE's "restricted sites" permissions... which is pretty damned secure.
  • by LordZardoz ( 155141 ) on Saturday February 02, 2002 @04:42PM (#2943105)
    While I do not underestimate the amount of bug fixing that can be accomplished by Microsoft's large employee base, I wonder seriously if this is enough? While it is certainly enough time to seek and destroy the more obvious bugs, I am sure that many of the bugs are 'emergent' in nature. Given the size of their code base, it is entirely possible that some of the bugs are due to unforeseen interactions.

    Still, even if the bug hunting is purely greed based, it is something that can only benefit the consumer. I have no grudge against Microsoft, and do not even mind their de-facto monopoly that much. And like it or not, Microsoft is best positioned to enact major and good changes to online consumerism. A fully realized .NET system would expand the market for other consumer software, and make such software much cheaper.

    Case in point: Game developers have to rely on publishers to distribute their games, and as a result, the publishers get the bulk of the money. If enough people trusted online purchasing, and had the bandwidth needed, it would make it more viable for a game developer to distribute a game entirely online. Which means more money for those who actually create the content.

    In removing the middlemen, Microsoft will be taking for themselves a lot of the money that the middlemen currently get. But they won't get all of it.

    END COMMUNICATION
  • Re:MS Annoyed Pain? (Score:2, Interesting)

    by Maddog_Delphi97 ( 173780 ) on Saturday February 02, 2002 @04:49PM (#2943152)
    Well, I'm wondering if the default installation of Windows 2000 is too lax as far as security goes... I'd imagine that disabling all scripting languages and setting up accounts that can't modify/append the registry or modify/append/write any new files except in certain directories (yes, it can be set up that way) would go a LONG way in making Windows 2000 less prone to viruses...

    I also predict that some slashdot user will state that a better solution is to use a non-Microsoft operating system (such as OpenBSD or Linux).. well, that may be a good solution for you, but there's still some Windows software that doesn't run under OpenBSD or Linux (even with Wine Emulation)... such as the Goldmine licensing software that's designed to prevent more than X number of people using their software.
  • Re:Ironic.. (Score:1, Interesting)

    by Anonymous Coward on Saturday February 02, 2002 @04:51PM (#2943158)
    Depends on who you talk to. Some political scientists define minorities as the group oppressed, while the majority is the oppressive group. In comparison with marxist terms, it would be proletariat = minority, bourgeoisie = majority.
  • Re:Ironic.. (Score:1, Interesting)

    by Anonymous Coward on Saturday February 02, 2002 @05:06PM (#2943236)
    Sorry. I forgot we were oppressing women. I'll get right back to binding my 13 wives' feet and forcing them to wear head-to-toe veils. I better pull them out of the job market while I'm at it. Thank goodness for this "glass ceiling" thing. They haven't made it too far; I can still catch them. Unfortunately, they won't be giving me much of the money they earned, since they only earn 75 cents on the dollar we men make.

    In America, women are not oppressed and have not been for 20 years. The feminists of the 70s and the suffragettes of earlier accomplished their goals and have managed to achieve equality. The only "feminists" left today are those who think it's trendy and those who think equality means superiority. The wage disparity is merely a statistical anomaly that is a result of inequality in consistency of work. That is, while most men work to support themselves, or to contribute to their family, not as many women work because they either become traditional mothers, supported by their husband, or they take time off from work to have children. While it is obvious that the former will depress the mean income of the gender, the latter also has a similar effect. When one takes off repeatedly or for excessive durations of time, job advancement is going to be hindered. It's a choice that must be made. To argue that such is an injustice is wrong. It is equality.
  • Re:Is This Possible? (Score:3, Interesting)

    by coyote-san ( 38515 ) on Saturday February 02, 2002 @05:11PM (#2943258)
    I've never been in the Beast, but I've always been struck by a weird dichotomy as an outsider.

    On the one hand you have Steve Maguire and his experiences described in _Writing Solid Code_. Microsoft has known how to write reliable code for years, it's known it knows this (this book was published by Microsoft Press), yet some managers still resisted. Ditto many other excellent books published by Microsoft Press.

    On the other hand I attended a MS job faire as a non-traditional CS grad student at the University of Colorado. I heard the recruiter tell the potential employees that Microsoft understands coders just want to code, not find and fix bugs. So they have other people do that stuff for them. I'm not the only one who heard it - Evi Nemeth et al mentioned it in the Red Book as well.

    So I just don't get it. The public execution of an Outlook or IIS manager for inadequate supervision of the bug issue would do wonders for the motivation of the survivors to pay attention. (Not the literal execution, of course, but in the corporate world being escorted off campus after a meeting with the boss may be worse.)
  • by Meowharishi ( 550240 ) on Saturday February 02, 2002 @05:22PM (#2943315) Homepage
    Now it's time to iron out the wrinkles and build customer confidence.

    MS may be greedy but they know how to run themselves as a business.
  • Re:Ironic.. (Score:3, Interesting)

    by BlueUnderwear ( 73957 ) on Saturday February 02, 2002 @05:35PM (#2943361)
    Yeah, but Microsoft security fixes may well be a minority. Especially if we restrict ourselves to only count those fixes that work as expected...
  • by Carnage4Life ( 106069 ) on Saturday February 02, 2002 @05:50PM (#2943438) Homepage Journal
    If the underlying security model is flawed then no amount of patches will change this fact. For instance, UNIX has a superuser account in an environment where the programs are written in an unsafe language like C. Almost every UNIX security exploit is based on this fundamental flaw in the security model.

    Sadly alternatives and improvements to the UNIX security model [google.com] have been proposed for years but it seems in this case Worse Is Better [mit.edu].
  • by Dog and Pony ( 521538 ) on Saturday February 02, 2002 @06:00PM (#2943484)
    "Is this a hoax, or maybe just marketing hype? The web site looks to be legitimate."

    If it is a hoax, what would be the point if it looked suspicious? :)

    Personally, I kind of like it, even if it is just to earn cheap points. If they actually concentrate hard on swatting bugs, it will benefit not only MS users, but everyone out there that some way or the other relies on something Microsoft to work. No matter what you run yourself. I bet that is most of you...

    Now, if they only would do this on a regular basis. How about officially declare February "bug swatting month" every year? I think that would be good for others than MS too.

  • by Netlink ( 514225 ) on Saturday February 02, 2002 @06:06PM (#2943509)
    For Microsoft to turn Windows/Office/Outlook/IE into a secure environment they need much more than one month, especially if they want to make WindowsME secure as well.

    They need to address the following points at the email client
    1. Make it more difficult for users to execute file attachments by default
    2. Perform checking of file attachments to ensure that .lnk, .pif etc. files are links or PIFs, not executables etc. (the unix file command can do this)
    3. Where executable attachments must be run, execute them in a sandbox so they can't modify the registry, create files, send emails etc.
    4. disable or cripple Windows Scripting.

    For the Desktop OS
    1. Separate the Update process from the web browser, so that the web browser does need full access to all O/S files on the system.
    2. Run the web browser in a restricted shell to limit the damage from breaches.
    3. Split the registry into more files and make it text so that a text editor can be used to fix it.
    4. Make it more difficult for users to run as administrator, e.g. limit what apps can run
    5. Start moving as much as possible out of kernel mode and into user mode, so a program crash or dodgy video driver is less likely to bring down the O/S

    For the server OS
    1. Stop running all services as administrator and introduce separate users for separate functions like Unix now does for Apache, Sendmail, BIND, etc. That way when IIS gets compromised the hacker does not get an Administrator shell
    2. Default off (i.e not installed) all but the most essential services, so that users must install new features and then enable them. That way a bug in the index server (CodeRed) only affects a few servers.
    3. Default off any automatic services, such as network plug and play.

    Office.
    1. Default off macros in Office, it's only virus writers that use the advanced features.
    2. disable the ability of macros to rewrite other macros, run in a sandbox.

    All products.
    1. Stop trying to get a new O/S out every year and fix the ones people have already (over)paid for.
    2. Stop talking about security and actually get on and do it.

    If Microsoft do all of these things then we in the Linux community have got real problems.
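
An added example, not part of the comment above and not Microsoft's code: a minimal content-versus-extension check of the kind item 2 of the e-mail client list asks for, in the spirit of the unix `file` command. The status names, the extension tables and the sample attachments are assumptions constructed for illustration.

```python
import os

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")

# Leading bytes that identify natively executable content.
EXECUTABLE_MAGICS = ((b"MZ", "pe"), (b"\x7fELF", "elf"))

# Extensions that openly declare a program (assumed policy table).
DECLARED_EXECUTABLE = {".exe", ".com", ".dll"}

# Content each checked extension must carry. PIF has no simple leading
# signature, so .pif is only tested for executable content below.
EXPECTED_KIND = {".lnk": "lnk", ".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    for magic, kind in EXECUTABLE_MAGICS:
        if data.startswith(magic):
            return kind
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return "unknown"


def check_attachment(filename: str, data: bytes):
    """Return (status, reason) for one attachment.

    block               executable content behind a non-executable extension
    mismatch            content is not what the extension claims
    declared-executable a program that says it is one (handle per policy)
    ok                  nothing suspicious found by this check
    """
    # Windows drops trailing dots and spaces, so "a.lnk. " opens as "a.lnk".
    ext = os.path.splitext(filename.rstrip(" .").lower())[1]
    kind = sniff(data)
    if kind in ("pe", "elf"):
        if ext in DECLARED_EXECUTABLE:
            return "declared-executable", f"{ext} attachment is a program"
        return "block", f"{ext or 'extensionless'} attachment holds {kind} code"
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        return "mismatch", f"{ext} attachment has {kind} content"
    return "ok", f"{ext} attachment passed"


# Constructed sample attachments (name, first bytes of content).
SAMPLES = [
    ("report.lnk", LNK_MAGIC + b"\x00" * 56),
    ("report.lnk", b"MZ\x90\x00\x03\x00"),
    ("PHOTO.PIF", b"MZ\x90\x00\x03\x00"),
    ("notes.lnk. ", b"MZ\x90\x00"),
    ("logo.gif", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("setup.exe", b"MZ\x90\x00"),
]


def scan(samples=SAMPLES):
    """Return the status for every sample, in order."""
    return [check_attachment(name, data)[0] for name, data in samples]


if __name__ == "__main__":
    for (name, _), status in zip(SAMPLES, scan()):
        print(f"{name!r:16} {status}")
```
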
  • by Lally Singh ( 3427 ) on Saturday February 02, 2002 @06:10PM (#2943524) Journal
    Truth be known, they're running out of features to add to their software (hence the new rental-style licensing), so they've gotta find some other way to entice upgrades. Anyone else notice how morally repulsive it is to sell an upgrade to a product where the biggest feature is "it does what we promised the old version would do."
  • New PR Direction? (Score:1, Interesting)

    by ags ( 145597 ) on Saturday February 02, 2002 @07:33PM (#2943825)
    The last line is very interesting:

    Describing the state of computing today as unstable and unreliable, he [Purcell] said Microsoft chairman Bill Gates "is really annoyed by the incredible pain we put everyone through in computing."

    So, Bill Gates himself is concerned about what 'we' [Microsoft] put 'everyone' [consumers] through. I would doubt that Bill would have any press comment attributed to him by a Microsoft staffer, unless it had been thoroughly vetted by the spin doctors. This is of course to make sure that it fits the official PR line that Microsoft wants to put out.

    My pick is that this is either a hoax, or Microsoft are signalling a major new PR direction. Linux is a major threat, and it's seen by the consumers as more reliable and stable than Microsoft offerings.

    New PR direction - make Windows look more robust in the public eye. Start by apologising (from the very top man) for the past, move onto promises of fixes etc. Microsoft knows it's got a poor reputation for stability; it wants the business server market; it has to improve its image.
  • Re:Ironic.. (Score:3, Interesting)

    by be-fan ( 61476 ) on Saturday February 02, 2002 @07:48PM (#2943878)
    Funny. White males have been dominant for about 500 years now. Meanwhile, it's been the Egyptians, Mediterraneans, and Chinese that have been the major players in the previous several thousand years of human history. So far, white male history month IS the shortest month.
  • Re:Past History (Score:4, Interesting)

    by walt-sjc ( 145127 ) on Saturday February 02, 2002 @08:01PM (#2943928)
    Um, OK. They STILL crash for no apparent reason. They STILL have security holes from hell. You must firmly be living in dreamland if you believe that win2k is rock solid. Either that or you have slept through all the news reports about MS viruses, articles on MS stability, haven't subscribed to bugtraq, etc. which makes you unqualified to comment at best.

    Having run windows, linux, and solaris servers and desktops in large enterprise environments over many years has proven Solaris to be the most stable, and Windows the least. Crashes on Solaris are the most recoverable and windows are the least. Amount of administration required is the most on windows and the least on solaris. Linux always seems to be in the middle in all things but cost where it is the lowest and Windows is the highest. I don't expect any of this to change much in the upcoming years, except Linux may replace Solaris in some of those categories as it is advancing quickly while solaris remains fairly static. (Note that ANY unix like system beats windows in these areas, such as BSD, AIX, HPUX, QNX, etc.)

    So comparing win2k with win95, sure - ms products have gotten better, but they are a LONG way from being rock solid. It will DEFINITELY take MUCH longer than a month to make a dent in overall product quality.

    So while I applaud the effort, I have serious doubts about how much this will affect overall product quality.

    Bottom line: Quality is not something you add later - it's an integral part of the entire product development process.

    "But boss, it can't crash! I installed the optional Quality module!"
  • Re:Uh... Hoax? (Score:2, Interesting)

    by ckotchey ( 184135 ) on Saturday February 02, 2002 @09:11PM (#2944207)
    I can say it's not a hoax based on a product we are currently working on in conjunction with Microsoft involving the new tech Infiniband. Everything *is* being put on hold from Microsoft for the next month.

    The real question is - will this make much of a difference? Maybe in clearing any backlogs of reported bugs, but I can't believe that by changing their focus for a month they can uncover AND fix all possible security flaws in their products. It will help, but I'm sure it won't be the end-all for security breaches.
  • Re:Linux Arrogance (Score:2, Interesting)

    by jthill ( 303417 ) on Saturday February 02, 2002 @10:29PM (#2944474)
    "Microsoft has real history of coming from behind. They came late [...] they now own it. They came late [...] and they now own that as well."

    And you're asserting they did this how? Last I read [uscourts.gov], they did it with criminal behavior.

    "Nothing, and I mean nothing, approaches the stability and conformance to standards of IE on Windows"

    Riiight. Taking whose definition of "standard", please?
  • by raoulortega ( 306691 ) on Sunday February 03, 2002 @12:53AM (#2944914)
    "I think you underestimate the kind of work that goes on at Microsoft. Do you really think that the people who work there are stupid enough to ignore compiler warnings? That they don't use prototypes? That misuse of printf is a major problem in their graphical applications?"

    Having done cross-platform conversions of some Evil Software Empire code, I can say that the answer is a definite YES. Why? You inherit code which generates a huge number of warnings, mostly for things like missing prototypes and pointer conversion, and you turn those warnings off because you just don't have the time to fix them because of time pressure.

    I for one would welcome such pauses-- It's sometimes embarrassing to go back to look at my own code and realize that my error checking only worked correctly because it never got called.
  • A new microsoft? (Score:3, Interesting)

    by q-soe ( 466472 ) on Sunday February 03, 2002 @01:14AM (#2944965) Homepage
    Perhaps this is an unpopular opinion but just for a minute stop thinking the party line and have a look at the events of the last 12 months (leaving aside the anti trust crap)

    Gates quit as every day head of MS to devote himself to special projects and areas of interest.

    MS manages to release a stable and fully functional os in XP (look past the crap on activation which i can assure you is a non issue)

    They start talking for the first time about fixing security flaws and exploits in software instead of simply denying it.

    Now this announcement - fix the major issues.

    It's smart and shows a company becoming increasingly smarter.

    Now posit this - MS does not make major money off OS products, never has - the money is in applications - larger unit cost and better profit, longer lifecycle etc. MS are fixing bugs and issues and the question has to be asked why ?

    It's not the open source movement pressuring them - the general man in the street uses MS products and so does their employers.

    The bad press from code red, i love you etc has meant little more to MS than some more public relations work.

    but look at it in another light - if MS decided to release their OS software for minimal cost or free to non corporates and the home user (Public Domain not GPL) then this would be a smart move ahead of such a move and i would point out would fuck up the anti trust case in a huge way - the clamour to split the company into OS and APPS divisions would be muted as the OS one would not make any money.

    Say for a minute they set up (already have it actually) separate business units for consumer and corporate/business. They public domain windows 95, 98 and millennium and maybe XP home thus giving them away free (they can afford it trust me)

    Where does that leave linux ? how many home users chose SUSE and MANDRAKE because of the price?

    Even better - give away the Desktop OS for free and licence the server os, and GPL IIS.

    It's worth a long hard thought, and don't forget that MR Gates started out as a programmer and hacker himself (do some history reading) and is well aware of the lessons of freely available OSes and their ability to grow a market (it can be argued that the piracy of DOS led to the first boom in PC software and development - and it was his MS dos that was the most pirated)

    Perhaps instead of rubbishing MS for this we should start thinking why ?
  • One whole month? (Score:2, Interesting)

    by CovertSquirrels ( 456836 ) on Sunday February 03, 2002 @02:15AM (#2945093) Homepage
    It took years to build all those bugs -er "features" into Micro$oft products. I'm surprised they can fix them all in one month.
  • by edp ( 171151 ) on Sunday February 03, 2002 @09:19AM (#2945826) Homepage

    "I think you underestimate the kind of work that goes on at Microsoft. Do you really think that the people who work there are stupid enough to ignore compiler warnings? That they don't use prototypes? That misuse of printf is a major problem in their graphical applications? Or that they make sophomoric mistakes like using bubble sort?"

    Yes, absolutely. Comparing to another large company, I worked in several operating systems groups at Digital Equipment Corporation for many years, and I saw all of those things and more. Furthermore, I know Microsoft is not using data typing correctly because their Windows software interface requires not using typing in places. E.g., many arguments to Windows routines must be cast to integers even though they are pointers and vice-versa. And as I use their code, I often run across behaviors that strongly suggest to me how the engineering was done (and why it is wrong), and often it is a simple mistake.

    Many engineers are incompetent. You would think an engineer writing device drivers in an important operating system for a large company would know what they are doing. But I've seen code that initiated a DMA and then sat in an interrupt-priority loop (blocking all other system activity) polling for DMA completion for over three seconds! The whole point of Direct Memory Access is for the device to access the memory directly, bypassing the processor so it is free to do other work. The proper way is to set up data needed to handle DMA completion, initiate the DMA, and then leave interrupt mode and return to other work until the completion signal arrives. Stopping all work in a real-time operating system for three seconds is malpractice.

    Aside from incompetence, many engineers don't care. When you are driven by learning or pleasure or a project you are interested in, you write good code. You think about it and take pride in it. When you are writing code you don't like year after year for money, it becomes mindless. You don't have the energy to review compiler warnings. Your boss wants the program done so it can ship and doesn't give you time to review compiler warnings. Your boss gets reviewed based on how late the product shipped, not how few compiler warnings there are, so that's what gets attention.
