## Interview with IE Lead Program Manager

crackman writes "Matasano Security is running an excellent interview with Christopher Vaughan, a lead PM on the IE team. Christopher has worked on every release of Internet Explorer since version 2. He discusses IE7, security lessons learned from IE6, the future of .NET managed code in IE, and more."

• #### Christopher Vaughan ... (Score:5, Funny)

on Wednesday June 21, 2006 @08:32AM (#15575040)
a relative of Prostetnic Vaughan Jeltz?
• #### Need a /. interview with this guy (Score:5, Insightful)

on Wednesday June 21, 2006 @08:32AM (#15575042) Journal
Forget Opera Man, I'd love a chance for the collective to ask this guy some tough questions about past and present design decisions in IE.
• #### Re:Need a /. interview with this guy (Score:5, Insightful)

on Wednesday June 21, 2006 @08:50AM (#15575118)
What 'tough questions' would you ask him that haven't already been asked? Wimpy questions about the 'integration' between IE and Windows? Turn it into a political/philosophical debate about the Open Source model? Bashings about long patch response time?

Do tell, I personally thought the interview wasn't too bad, although it could have pressed on a few issues rather than swiftly moving onto a new question.
• #### Re:Need a /. interview with this guy (Score:5, Interesting)

on Wednesday June 21, 2006 @09:00AM (#15575161) Journal
Oh, I'm not saying it's a bad interview; it's quite good. It just goes in a different direction than I think a slashdot interview would. I'm saying I'd be interested in seeing what questions the slashdotters ask, specifically those with significant experience in web development. I think it would also focus more on things like the UI and how things got to be where they are today.
• #### Re:Need a /. interview with this guy (Score:2, Insightful)

You mean like the Neal Stephenson [slashdot.org] interview where Neal tells us about his great battles with William Gibson.

4) Who would win? (Score:5, Funny) - by Call Me Black Cloud
In a fight between you and William Gibson, who would win?
...

• #### Re:Need a /. interview with this guy (Score:3, Funny)

> Oh, I'm not saying it's a bad interview; it's quite good. It just goes in a different direction than I think a slashdot interview would.

Well, yeah, but that's because a Slashdot interview would focus primarily on a software engineering decision made a decade ago and whether or not IE7 will support PNG transparency...

• #### Re:Need a /. interview with this guy (Score:4, Interesting)

<david@uberconcep[ ]om ['t.c' in gap]> on Wednesday June 21, 2006 @08:55PM (#15579714) Homepage
How about asking him about standards support in the current browser?

How about asking him what they are going to do about standards support in the future? Will they use open standards (if they exist) rather than defining their own? Will they open up any new standards they define?

They should also ask him about extensibility for the browser and what they are doing to encourage developers to write extensions for the browser. The single best feature of Firefox is that there are so many good extensions.
• #### Strangely enough.. (Score:5, Funny)

on Wednesday June 21, 2006 @08:34AM (#15575050) Homepage Journal
..that page looks a lot better in Firefox.
• #### You forgot one question... (Score:5, Insightful)

on Wednesday June 21, 2006 @08:35AM (#15575058) Homepage

Why was there no development on IE for several years? If you were on every release of IE, you must have noticed this... your workload would have been really small ;)

http://psychicfreaks.com/ [psychicfreaks.com]
• #### Re:You forgot one question... (Score:5, Funny)

on Wednesday June 21, 2006 @08:39AM (#15575072) Journal
After versions 2, 3, 4, 5, and 6, the man needed a vacation. Cut him some slack.
• #### Not using .net? (Score:5, Interesting)

on Wednesday June 21, 2006 @09:29AM (#15575291)
Tsk, I thought .net was the future and Microsoft always ate their own dog food. Yet strangely, IE7 is yet another MS product that is written native. Is there a message here perhaps?
• #### Re:Not using .net? (Score:5, Insightful)

on Wednesday June 21, 2006 @11:47AM (#15576202) Homepage
> Is there a message here perhaps?

Yes. That the time and effort required to rewrite a large, complex codebase in a new language/platform for arguably little benefit is better spent elsewhere
• #### Re:You forgot one question... (Score:2, Insightful)

> Why was there no development on IE for several years?

Lack of motivation. They waited for some competition.
• #### If only I could take Ballmer's job... (Score:5, Interesting)

on Wednesday June 21, 2006 @11:30AM (#15576057)

I would...

• Get the IE team to implement privilege separation for the IE rendering engine and all plugins - these would run as the GUEST user. Granted, if NT is installed on FAT this isn't going to help much.
• Seriously consider replacing the rendering engine with Gecko or KHTML. Vista is demonstrating an obvious manpower shortage, and those IE developers could be better tasked. The stock price would also probably jump if such an overt move was made to embrace open source.
• OpenBSD has implemented W^X on i386 regardless of the presence of an NX-capable CPU. I would move heaven and earth to do the same on Windows 2000, XP, and Vista (and unify the kernels of these releases to minimize support complexity).
• OpenBSD code is distributed by Microsoft in the SFU package. Microsoft should aggressively back OpenBSD (funding hackathons, etc.) for the following reasons:
  • OpenBSD actively removes GPL-code from the base whenever possible. The enemy of my enemy is my friend - endorsing BSD is better than campaigning against GPL.
  • OpenBSD is slower on any given platform than most other free kernels (because of extensive security and no fine-grain SMP locking), allowing the NT kernel to be promoted for performance.
  • The OpenBSD installer is concise yet complex, as is much of the OS. It is unlikely that it would ever be repackaged in a form that will compete with NT.
  • If Microsoft goodwill and contributions obtain some influence over OpenSSH, an opportunity is presented to obtain some control over AIX, RedHat, and others. Subtle manipulations of these platforms might benefit NT.
  • OpenBSD, if expanded properly, will produce more secure coders which might be of use within Microsoft.
• #### Better question for the interview... (Score:5, Insightful)

on Wednesday June 21, 2006 @08:36AM (#15575060)
why isn't IE7 doing a better job with supporting CSS standards?
• #### Re:Better question for the interview... (Score:5, Insightful)

on Wednesday June 21, 2006 @08:53AM (#15575132) Journal
The fanboy answer: Because MS didn't invent it.

Apparently they think they have a better way of doing CSS than the people who set the CSS standards. That's unfortunate, because it seems like a simple thing to comply to some web standards and then, if you think you can do better, create your own standard to compete with it and get all the other browsers to support it, too.

Better yet, get involved in the development of the standard and put your ideas on the table along with everyone else's.
• #### The business argument (Score:5, Insightful)

on Wednesday June 21, 2006 @09:18AM (#15575240)
> That's unfortunate, because it seems like a simple thing to comply to some web standards and then, if you think you can do better, create your own standard to compete with it and get all the other browsers to support it, too.

As I always have to point out in these discussions, when you have around 90% of the market share, you define the standard. Anything with less than 10% support in the market isn't a standard, it's just a formal specification, no matter who writes it. This may not be ideal, but it is the way this sort of market works.

If you think you can do better than CSS, and you're in business, and you have 90% market share, then you probably just go ahead and do your own thing. It doesn't matter if other browsers don't support it, because 90% of users will be fine, and of the other 10%, the vast majority will just think those other browsers are broken and load up yours instead. This is why the stubborn insistence of certain other browser development groups that they will only support W3C specs is the biggest own goal since the last World Cup.

Yes, I know, this sucks for the consumer. Yes, I know, most of us here in a geeky community would agree that the W3C specs are far more useful than IE. I'm not disputing any of this. I'm simply giving a straightforward business case, from MS' perspective, for doing their own thing regardless of what the W3C say. This is why unregulated monopolies, or near-monopolies, suck.

• #### Re:The business argument (Score:5, Insightful)

on Wednesday June 21, 2006 @09:41AM (#15575359) Journal
You are pretty far off.

It doesn't matter what the browser market share is in terms of installed base. That's entirely irrelevant to this discussion.

The real market share is the number of pages on the net that are coded to some IE standard rather than the open standard. That's the real market share here.

Developers have adopted the open standards and valid code at a fast rate lately. It's extremely rare to find a page that only works in IE these days. Most of those pages are holdovers from 1997 or something.

And more and more pages are W3C valid. Even slashdot is valid now!

So really IE can hang themselves if they want, it's not up to their idiot users, it's up to the web developers. And the web developers are telling MS to fuck off.
• #### Re:The business argument (Score:3, Insightful)

> It doesn't matter what the browser market share is in terms of installed base. That's entirely irrelevant to this discussion.
>
> The real market share is the number of pages on the net that are coded to some IE standard rather than the open standard. That's the real market share here.

Do you honestly believe that there is no connection between those two ideas?

> So really IE can hang themselves if they want, it's not up to their idiot users, it's up to the web developers.

Actually, for the most part on

• #### Re:The business argument (Score:3, Informative)

Why are developers still writing to support IE? If they just wrote the way web pages should be and then let people know with an alternative link that IE was not going to show them the page correctly (possibly even only letting them into a splash page explaining why they don't support IE) wouldn't more people start to use these alternatives? In reality web developers are the ones in control, not Microsoft.

It's a shame that web developers have LET IE define the standard.

• #### Re:The business argument (Score:4, Insightful)

on Wednesday June 21, 2006 @11:40AM (#15576140)
> As I always have to point out in these discussions, when you have around 90% of the market share, you define the standard. Anything with less than 10% support in the market isn't a standard, it's just a formal specification, no matter who writes it. This may not be ideal, but it is the way this sort of market works.

They're both standards. Internet Explorer is a de facto standard. The W3C is the de jure standard. The former got established by ruthless arm-twisting, anti-competitive behavior and the illegal exploitation of a monopolistic position.

> If you think you can do better than CSS, and you're in business, and you have 90% market share, then you probably just go ahead and do your own thing. It doesn't matter if other browsers don't support it, because 90% of users will be fine, and of the other 10%, the vast majority will just think those other browsers are broken and load up yours instead. This is why the stubborn insistence of certain other browser development groups that they will only support W3C specs is the biggest own goal since the last World Cup.

How are they supposed to support anything other than W3C specs? The W3C publishes their specs; Microsoft does not. If they did, I'm sure the Mozilla folks would be more than happy to implement it. As it stands, they're forced to try and emulate some of IE's bugs and quirks in order to render poorly-written, IE-only pages correctly.

> Yes, I know, this sucks for the consumer. Yes, I know, most of us here in a geeky community would agree that the W3C specs are far more useful than IE. I'm not disputing any of this. I'm simply giving a straightforward business case, from MS' perspective, for doing their own thing regardless of what the W3C say. This is why unregulated monopolies, or near-monopolies, suck.

It doesn't just suck for the consumer. It sucks for web developers. The whole point of a published standard is that you can be assured of certain behaviors. So if I code my HTML to comply to the standard, any browser that follows the standard will display it correctly. This makes the testing process far, far easier. For something like IE, you have to reverse-engineer and guess what's going on.

It's all well and good to be smug and practical about this kind of thing. "Well Microsoft dominates so just live with it." But some of us are, you know, interested in making things better than how they are, not waiting for our Benevolent Microsoft Gods to give us their blessings.
• #### Re:Better question for the interview... (Score:5, Interesting)

on Wednesday June 21, 2006 @09:46AM (#15575385)

> Apparently they think they have a better way of doing CSS than the people who set the CSS standards.

Try again. Microsoft had employees on the CSS working group at the W3C, while at the same time they were busy coding the proprietary stuff instead. All the finished CSS specifications, right from the first one published in 1996, have an acknowledgements section listing, among others, Microsoft employees.

The fact is, if they thought they had a better way of doing things, they could easily have brought it up when CSS was being designed, because they are some of the people who made CSS in the first place.

• #### responsible for handling...security requests. (Score:5, Funny)

on Wednesday June 21, 2006 @08:41AM (#15575079)
> At Microsoft, I'm one of several Lead Program Managers on the IE team. My team and I are
> responsible for handling all of the incoming customer & security requests.

Q: Can you make it secure please?
A: Sadly, no - as I've been asleep for the last 5 years! Why else do you think nothing's happened on the IE project since 2001?
• #### Twice Daily Status Meetings? (Score:5, Funny)

on Wednesday June 21, 2006 @08:42AM (#15575082)
I couldn't get through the second sentence without a wtf moment:

"We met while working on Windows Server 2003 at the twice daily status meeting."

Morning meeting: "I'm planning on writing some code today"

Afternoon meeting: "I had planned on writing some code, but I was busy preparing my presentation for this meeting"

This explains a lot...
• #### Re:Twice Daily Status Meetings? (Score:5, Interesting)

on Wednesday June 21, 2006 @08:48AM (#15575107) Journal
I had a job something like that once upon a time. I was the sole IT person. I'd been shoved into the Accounting department for organizational purposes and so answered to that manager. I also answered to the production manager and the site manager. Between my three bosses, I spent more time explaining to people what I was doing, why I was doing it, and what problems I was encountering than I spent actually working. I wonder if Microsoft has similar problems. You're right, that would explain much...
• #### Re:Twice Daily Status Meetings? (Score:3, Funny)

Did you have TPS forms? :)
• #### Re:Twice Daily Status Meetings? (Score:4, Interesting)

on Wednesday June 21, 2006 @09:28AM (#15575279)
You can always tell the people who are just FAKING work by looking for the people who attend every meeting and are on every committee in your organization.

Sadly, though, the guy who is on every committee and is constantly in meetings is probably most likely to get a promotion (since he's doing such a great job of making it LOOK like he's working hard). He's also the guy on every committee who is mysteriously absent when any actual committee WORK assignments are being handed out.

-Eric

• #### That long eh? (Score:5, Funny)

on Wednesday June 21, 2006 @08:42AM (#15575084) Homepage
> Christopher has worked on every release of Internet Explorer since version 2

And he's kept his job?!?
• #### Re:That long eh? (Score:3, Insightful)

> And he's kept his job?!?

If the product you were responsible for had a 97% market share (apparently "only" in the high 90's now though) your job would probably be somewhat safe too.
• #### Re:That long eh? (Score:4, Informative)

on Wednesday June 21, 2006 @08:51AM (#15575120) Homepage
I am happy (and proud) to say that only 58% of the visitors to my various websites use IE. That is, in the last 60 days. The various Gecko-based browsers share 32%.

I don't believe 97 percent was ever achieved by IE, but I could be wrong.
• #### Re:That long eh? (Score:3, Informative)

> I don't believe 97 percent was ever achieved by IE, but I could be wrong.

It's pretty close, from what I've read.

http://en.wikipedia.org/wiki/Usage_share_of_web_browsers [wikipedia.org]

it's in that ball park (frequently around 90-95%).

My point remains - it could only be 50% and it's doing well (on paper!)
• #### Re:That long eh? (Score:3, Insightful)

When your website is linked on /. you should expect a disproportionate amount of users from non-IE browsers. That being said, you still have more IE users than non-IE users. And if you were able/tried to parse out which browsers people were using (not versions but types) you would see IE with a 58% chunk and then a bunch of tiny, segmented slices representing all the different factions of the various Gecko-based browsers, Mozilla, etc ... Microsoft still owns the pie.
• #### Re:That long eh? (Score:3, Informative)

At my non-technology-related weblog (about learning Japanese), my stats are roughly 60%-30%-15% for Firefox, IE, and Safari. I've heard similar stats from other blog writers. Maybe the AOL crowd was 97% IE at one point, but the web-savvy blog-surfing crowd is not.
• #### Re:That long eh? (Score:2)

Depends on your site. I know of a couple major online banks that sit at 95+% IE, only down from 98 a few years ago.
• #### Re:That long eh? (Score:5, Insightful)

on Wednesday June 21, 2006 @01:22PM (#15576963) Homepage Journal
Having to spoof MSIE's user agent because they sniff your agent and display "This site is designed for Microsoft Internet Explorer" if you're using anything but would not have anything to do with that now, would it?

I can imagine the IT discussions there:

CFO: "Hey, let's get online banking done. What do your guys need from us?"
CIO: "Okay, we have internet explorer, frontpage, and dev studio here. Check. We'll get right on it."

(weeks/months later)

CFO: "Hey it doesn't work in Netscape 4.0"
IT: "Nothing works in Netscape 4.0. It's a steaming cowpie."
CFO: "OK, good show then, let's just display a message for folks running other browsers, and recommend that people use MSIE instead. Can you do that?"
CIO: "Yeah, all we need to do is check for something called the user agent."

(a couple of years later, conduct online banking using Safari, Konqueror, Mozilla, Firefox, Opera, etc. by spoofing user agent)

CFO: "Hey Chuck, I just got a call from the chairman of the board. He said the directors think our website is outdated and also we need to get all of our services online. What will it take?"
CIO: "Oh we have MSIE, Frontpage, Visual Studio.Net, and IIS, I don't think it will be any problem."
CFO: "By the way one board member remarked his mac doesn't work with our site. In fact he said that he had to buy a PC just to do online banking. Do you think we should fix this?"
CIO: "Let's check the web logs, shall we? OK, it looks like 99.999% of visitors use MSIE. I don't think we have to worry about it."
CFO: "Great, so we can reallocate the budget we had slated and send executives to Hawaii for er, team building instead."
CIO: "Sounds great to me."
• #### Re:That long eh? (Score:3, Funny)

> I am happy (and proud) to say that only 58% of the visitors to my various websites use IE.

Hmmm, since your url is: http://nerds.palmdrive.net/ [palmdrive.net], I'm not surprised you have fewer IE users.
• #### Re:That long eh? (Score:5, Insightful)

on Wednesday June 21, 2006 @08:56AM (#15575145) Homepage
True. If only his product wasn't riding Windows' coattails. Similarly, WordPad is essentially the world's most popular word processor!
• #### Re:That long eh? (Score:2, Insightful)

> True. If only his product wasn't riding Windows' coattails. Similarly, WordPad is essentially the world's most popular word processor!

That wouldn't be correct, as most people DON'T use WordPad for their word processing. So actually your example proves that just because something is included in Windows doesn't automatically make it popular.
• #### 'Trending'? (Score:5, Funny)

by Anonymous Coward on Wednesday June 21, 2006 @08:47AM (#15575105)
> we're trending in the right direction as a company

Did he mean 'tending', or is this some horrible fusion of trend and tend that I was previously unaware of?

A brief search [google.co.uk] reveals that I am out of touch. But everyone else is wrong, I should add.
• #### Re:'Trending'? (Score:4, Insightful)

on Wednesday June 21, 2006 @08:51AM (#15575119) Journal
In corporate newspeak, all nouns are considered fair game for conversion to verbs.
• #### Re:'Trending'? (Score:5, Funny)

on Wednesday June 21, 2006 @09:12AM (#15575210) Journal
Surely you mean: "all nouns are fair game for verbing."
• #### Re:'Trending'? (Score:2)

Of course. Right you are, mistaken I was.
• #### Two quotes: (Score:4, Insightful)

<ten.egaekim' ta' `todhsals'> on Wednesday June 21, 2006 @08:49AM (#15575112) Homepage
> every IE release since IE 2 or 3

Glad he's paying attention

> The first lesson was that the Internet isn't an innocent place any more. When IE6 was under development 6 years ago, viruses were inconveniences and true Internet crime wasn't a concern.

Oh, really? Let's hear it for forward thinking...
• #### Re:Two quotes: (Score:5, Insightful)

on Wednesday June 21, 2006 @08:58AM (#15575155) Homepage
I don't know what rock he's been sleeping under, but internet security has been a concern since long before 2000.

Oh, but not for Microsoft. That's hardly the users' fault.

• #### Why not start a "marklar project?" (Score:5, Interesting)

on Wednesday June 21, 2006 @08:50AM (#15575116)
Microsoft shouldn't have any problems starting a second Internet Explorer project to rewrite the entire codebase in C#. They have more than enough money to maintain an internal second version that is pure managed code. The advantage is that if the SHTF, they will have a fall-back app that they can immediately distribute. Not only that, but it would allow them more leeway in coercing developers into deprecating code that relies on the current native code which has hooks deep into the OS.
• #### Re:Why not start a "marklar project?" (Score:5, Informative)

on Wednesday June 21, 2006 @09:19AM (#15575248)
Because they don't want to suddenly have a broken codebase and have to re-write the entire app when the next version of .NET and its development tools come out?
• #### Re:Why not start a "marklar project?" (Score:3, Informative)

> Microsoft shouldn't have any problems starting a second Internet Explorer project to rewrite the entire codebase in C#.

The "Javagator" project - a parallel project at Netscape to completely rewrite Netscape Navigator in Java - is one commonly cited reason why Netscape failed.

Rich.

• #### Re:Why not start a "marklar project?" (Score:4, Informative)

on Wednesday June 21, 2006 @10:25AM (#15575606)
> current native code which has hooks deep into the OS.

Ok, a lot of people keep saying this, and I think there is some big misconception here.

IE taps into the HTML rendering DLLs of Windows. However EVERY application that runs on Windows taps into the FONT rendering DLLs or the BITMAP rendering DLLs, but no one makes this claim about them. Nor other applications that use features from the HTML rendering functions of Windows.

So to keep asserting that IE is somehow 'hooked' into Windows on a level above a NORMAL application is not entirely correct. It would be like saying FireFox also has deep hooks into Windows because it uses the Windows DLLs for FONTS and IMAGES...

• #### What is this... (Score:2, Interesting)

...MS Propaganda Week on /. ?

• #### Active code (Score:5, Insightful)

<thinkinginbinary@nosPaM.gmail.com> on Wednesday June 21, 2006 @08:58AM (#15575156) Homepage

> Do you think the browsing model where active content is executed in the user's browser broken? How is it different from active content in office documents? Can these models be fixed?
>
> Well of course you do have to be careful. It's our responsibility to help users be safe, but users also want a pleasant user experience. Imagine an extensibility model so severely limited that you can't save files you download from the Internet, run any application, or save settings. It's our job to draw a line between those two extremes, and that's what we've been doing for the last few years - refining that line.
>
> I want to point out that every browser has an extensibility model of some sort, and they all have security & usability challenges to overcome.

I think IE could do better in this area. There's a very simple definition of what active code in a browser should be able to do. Simply put, it should not be able to touch any other part of the system without user permission. When it is allowed to access other parts of the system (to open or save files, or to print a web page) the user should be asked if it's okay, and the question should be asked unambiguously. (For example, the dialog box could pop up like a balloon message, pointing to the web page's tab and saying "This web page at www.domain.com wants to load the file C:\path\to\file.txt. This will give www.domain.com access to the contents of the file. Is this okay?" or something like that.)

I also wish they would stop with the EXE-blocking stuff. Frankly, a browser shouldn't offer crackers or spyware peddlers any vulnerabilities to exploit, but it shouldn't make the assumption that all content is bad. If a user opens, or is redirected to, an executable file, it is their responsibility to make sure it is valid. Use code signing or something, if you want. But don't just block all programs.

• #### Re:Active code (Score:4, Funny)

on Wednesday June 21, 2006 @09:31AM (#15575298)
Yeah, I can see that dialog box now:

"This website wants to take advantage of an unpatched buffer overflow in the browser itself, an Active-X component, or an underlying DLL. Is that OK?"
• #### About CSS2... (Score:5, Interesting)

on Wednesday June 21, 2006 @08:58AM (#15575157)

In light of yesterday's request for interview questions for the creator of CSS [slashdot.org], I was disappointed that interviewers aren't grilling Microsoft for standards compatibility. For that matter, why aren't we (as a community) grilling Firefox for their lack of standards compatibility? What would it take for them to 'get the picture' [webstandards.org]

How about a Firefox plugin that e-mails the Firefox foundation every time you start Firefox? Or an ActiveX control in IE that does the same? I think it would send a clear message that these things are important to consumers and ought to be a priority for updates.

• #### Re:About CSS2... (Score:5, Interesting)

on Wednesday June 21, 2006 @09:16AM (#15575230) Homepage Journal

> For that matter, why aren't we (as a community) grilling Firefox for their lack of standards compatibility? What would it take for them to 'get the picture'

I think this answers your question: http://flickr.com/photos/dbaron/126886608/ [flickr.com]

• #### Re:About CSS2... (Score:2)

> How about a Firefox plugin that e-mails the Firefox foundation every time you start Firefox? Or an ActiveX control in IE that does the same? I think it would send a clear message that these things are important to consumers and ought to be a priority for updates.

And *I* think it would very quickly get filtered to /dev/null, probably at the email server.

Seriously, there are ways to get your point across; email bombing people isn't one of them.
• #### Re:About CSS2... (Score:3, Insightful)

> How about a Firefox plugin that e-mails the Firefox foundation every time you start Firefox?

Or how about being grateful for the free use of the software they are giving you? Or how about getting involved in the solution rather than coming up with newer ways to spam the programmers who volunteer their time to make you a better browser?

I get your frustration. I'm a web developer, and deviation from standards causes me a great deal of pain and trouble, but when it's all said and done, I haven't contributed o

• #### Spyware (Score:3, Interesting)

on Wednesday June 21, 2006 @09:15AM (#15575226)

From TFA

> Well in one respect, I don't really care where spyware & malware is going - I just want it eliminated. Whether it's key loggers or rootkits or adware, our job is simple: keep unauthorized software off of the users' machines. We've attacked this problem at multiple levels

And this from the company that won't let you install security fixes unless you install their spyware, sorry WMA. Or is it that their spyware is OK, others is not because 'they're the good guys'

• #### Re:Spyware (Score:3, Insightful)

> ...our job is simple: keep unauthorized software off of the users' machines.

This epitomizes MS culture and why they constantly fail. By making themselves the gatekeepers of "authorized" software, MS realizes a new way to take money away from developers. It completely ignores what users want. Users don't want to be restricted to a subset of software that is "authorized." They want to run any damn thing they please, but they want the OS to stop it from doing anything malicious.

I've said it before... new s

• #### Re:Spyware (Score:4, Interesting)

<drsmithy@[ ]il.com ['gma' in gap]> on Wednesday June 21, 2006 @11:48AM (#15576204)
> They want to run any damn thing they please, but they want the OS to stop it from doing anything malicious.

These two goals are fundamentally in conflict, since "malicious" cannot be objectively and programmatically defined.

> I've said it before... new software on Windows should be running in a jail or sandbox or VM or something and by default should not be allowed to touch anything without the user being informed in real English and given the option to granularly deny the software, without stopping that software from running in most cases. This would solve the vast majority of Windows' and IE's security problems.

No, it wouldn't. You have proposed the standard "dialog box storm" solution to security, and it doesn't work. Primarily because users are lazy, but also because they're ignorant and simply uninterested in acquiring sufficient knowledge to make educated decisions.

Asking the user "are you sure" three times is not more secure than asking them "are you sure" twice.

As long as lazy, ignorant and downright stupid end users are able to execute arbitrary code on their computers, the malware problem will not - and can not - be solved.

• #### Re:Spyware (Score:3, Insightful)

Indeed.

Microsoft are just being ..... well ..... being Microsoft.

If Windows was perfect, they would never be able to sell a new version. But Microsoft have to sell new versions of Windows; it's the basis of their business. Therefore, Windows has to be defective in order for there to be something to put into a "better" version in future.

There's a similar line of reasoning which explains why governments haven't solved the major social problems of the day. There's good work for a government in a fuc
• #### It's sad - but... (Score:3, Insightful)

on Wednesday June 21, 2006 @09:19AM (#15575250)
Sadly - I think someone previously hit the nail right on the head, and the guy is partially right about drawing the line between outrageous functionality and security. I know for a proven fact that users, when given the option of a 'secure' browser or one that lets them send web pages to buddies on their Yahoo! messenger... well you know which one they'll pick. The problem is maintaining functionality that allows the user experience to be rich and meaningful without being able to hook into the operating system... this still leaves the browser exposed! BHOs are an atrocity which we in the security world have had to live with for some time - I cringe every time my wife says "my browser is so slow" and I look into her "Manage Add-Ons" menu - there's always crap in there! See... browser security is a constant battle between user experience and what security features we want. I don't see IE7 being any better at it... and I think Firefox had the right approach... build a base browser and force the users to add-in plugins they want to use. Microsoft's bloated IE comes with everything they think you'll ever want, toaster included, so there's just so much to exploit. Anyway - I could rant but I'll stick to the hard truth... when presented with an option, users always choose the more functional, easier to use, more colorful version - and they don't care if it's more 'secure' ... all the education in the world isn't going to change human nature folks.
• #### .NET not good enough for MS? (Score:3, Insightful)

on Wednesday June 21, 2006 @09:20AM (#15575251)
If MS themselves refuse to use .NET for their own programs, what does that say about the viability of it for the rest of us? It doesn't inspire confidence.
• #### Credit where credit's due (Score:5, Funny)

on Wednesday June 21, 2006 @09:28AM (#15575282)

Microsoft gets a bad rap here on Slashdot, but for the record I'd like to publicly thank them for one of the best, most altruistic decisions in tech history.

I'm talking about the decision to discontinue Internet Explorer for Mac. As a web developer this has made my life far easier. God knows how many man-decades of work this has saved the world's html coders.

The cloud to this silver lining is that I still spend a good proportion of my working life abusing my code so that it'll work on IE without breaking on real browsers. Multiply that up by the number of web designers / developers in the world and that's got to cost a few lives.

So, Microsoft dude, when, oh when, can the world's developers expect a joyous, fully IE-free existence?

• #### Re:Credit where credit's due (Score:3, Insightful)

That's a bit of an odd thing to say. Microsoft essentially pulled the rug out from under the Mac Internet Explorer developers. What would have been the rendering engine for v6.0 was instead used for Mac MSN, and it turned out to be a great engine with great standards support. Killing Mac Internet Explorer just meant that the people who stayed with Mac Internet Explorer stayed with the old and buggy version you despise instead of having up to date support for the standards.

• #### IE Free Existence? (Score:3, Interesting)

"So, Microsoft dude, when, oh when, can the world's developers expect a joyous, fully IE-free existence?"

I'll answer for him. Somewhere around, oh, 2020. Unless Firefox stops being an annoying, memory-leaking POS that hangs on me every half hour, or Opera actually gains some momentum, or Linux captures more than 50% of the market.... none of which I'm anticipating.

I say 2020 only because I think the browser concept will probably last about that long.
• #### Managed Code (Score:2, Interesting)

I don't understand why they are not pushing managed code internally. It sure doesn't look good from the outside if they won't start using something they recommend for customers. They don't seem to want to eat their own dog food.
• #### Not a good sign (Score:3, Interesting)

on Wednesday June 21, 2006 @09:49AM (#15575400)
Search TFA for "CSS" and it's not there. Hmm...
• #### Spyglass (Score:2, Informative)

by Anonymous Coward
Why cannot MS write anything themselves? IE is only a newer version of the Spyglass browser. They ditched the in-house version 1.x and made Spyglass IE 2.0. Not even the name is a MS invention, they bought the name "Internet Explorer" for a lot of cash some years ago.
• #### IE7 = Vista, therefore IE7=good? (Score:3, Interesting)

<Spinlock_1977 AT yahoo DOT com> on Wednesday June 21, 2006 @10:15AM (#15575543) Journal
From the article: "Remember too that IE7 is built from the same code base as Windows Vista which has received a huge amount of scrutiny, so this is going to be the most solid code base of IE we've ever produced."

So that's a good thing, right?

Some folks may think otherwise [theinquirer.net]
• #### Microsoft Has Improved (Score:3, Interesting)

on Wednesday June 21, 2006 @12:54PM (#15576737)
I accidentally posted this for the wrong article so I'll probably get flamed and modded down for it, but here it is again.

At one time, IIS 5 looked hopeless. It was completely riddled with security holes and was basically the joke of the industry. People who used it did so with either ignorance or extreme caution.

Microsoft realized they needed to fix this but it took Code Red and various other major worms that took advantage of IIS to really kick the company into gear.

What was the result of this? IIS 6. IIS 6 is an excellent web server and is one of the most secure web servers you can use. It's certainly the most secure application server you can use. It's had a total of 2 vulnerabilities since its release about 4 years ago. (See: http://secunia.com/product/1438/ [secunia.com]) Add to that the fact that IIS 6 is extremely performant, easily configurable and maintainable, and is very robust, you have to conclude that Microsoft improved. A great deal in fact.

I see the work on Windows Vista and IE 7 being very similar in nature to the work done on IIS. They've completely revamped their development methodologies to focus on security.

IE 7+ (the one that comes with Vista) has a feature that essentially runs the browser as a very low privs user. Any operations that need high privs (such as writing to the user's desktop or other directories) are done by a broker. This broker has only a few thousand lines of code (and is therefore FAR easier to audit for security issues) and runs with the privs of the current user. This is actually fairly innovative and will undoubtedly make it far more difficult to exploit any holes in IE.

Obviously we'll have to wait and see if Microsoft has done with Vista and IE what they did with IIS, but it's hard to deny that Microsoft has proven they can take a product people view as a hopeless security mess and turn it into one of the most secure products on the market.
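
The broker arrangement described in the comment above, as an added example that is not part of the original comment and is not Microsoft's code: a small, auditable broker validates every request from an untrusted low-privilege process before acting with the user's rights. The operation name `save_file`, the size limit and the request format are assumptions made for this sketch; the requests in `demo()` are constructed.

```python
import os
import tempfile

ALLOWED_OPS = {"save_file"}   # assumed policy: the only brokered operation
MAX_BYTES = 1 << 20           # assumed size limit for one request

class Broker:
    """Runs with the user's privileges; the renderer can only send requests."""

    def __init__(self, root):
        self.root = os.path.realpath(root)  # every write must land under here

    def _resolve(self, relative_name):
        # Resolve symlinks and ".." first, then require containment in root.
        target = os.path.realpath(os.path.join(self.root, relative_name))
        if os.path.commonpath([self.root, target]) != self.root:
            raise PermissionError("path escapes the allowed directory")
        return target

    def handle(self, request):
        """Validate one untrusted request and return a status dict."""
        try:
            if request.get("op") not in ALLOWED_OPS:
                raise PermissionError("operation not brokered")
            data = request.get("data", b"")
            if not isinstance(data, bytes) or len(data) > MAX_BYTES:
                raise ValueError("bad or oversized payload")
            name = request.get("name")
            if not isinstance(name, str) or not name:
                raise ValueError("missing file name")
            target = self._resolve(name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "xb") as fh:   # "x": never overwrite a file
                fh.write(data)
            return {"ok": True, "path": target}
        except (PermissionError, ValueError, FileExistsError) as exc:
            return {"ok": False, "error": str(exc)}

def demo():
    """Constructed requests, as a compromised renderer might send them."""
    with tempfile.TemporaryDirectory() as root:
        broker = Broker(root)
        requests = [
            {"op": "save_file", "name": "downloads/report.txt", "data": b"hi"},
            {"op": "save_file", "name": "../escape.txt", "data": b"x"},
            {"op": "run_program", "name": "calc.exe"},
        ]
        return [broker.handle(r)["ok"] for r in requests]
```

Only the first request is honoured; the traversal attempt and the operation outside the allow-list are refused, which is the property an auditor of the broker needs to confirm.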
