Slashdot Mirror
Interview with IE Lead Program Manager
crackman writes "Matasano Security is running an excellent interview with Christopher Vaughan, a lead PM on the IE team. Christopher has worked on every release of Internet Explorer since version 2. He discusses IE7, security lessons learned from IE6, the future of .NET managed code in IE, and more."
a relative of Protestnic Vaughan Jeltz?
Forget Opera Man, I'd love a chance for the collective to ask this guy some tough questions about past and present design decisions in IE.
120 characters for a sig? That's bloody useless.
..that page looks a lot better in Firefox.
Slashdot Burying Stories About Slashdot Media Owned
Why was there no development on IE for several years? If you were on every release of IE, you must have noticed this... you're workload would have been really small ;)
http://psychicfreaks.com/
why isn't IE7 doing a better job with supporting CSS standards?
I doubt IE7 will be any less of a virus/spyware propogation tool as its predecessors.
> At Microsoft, I'm one of several Lead Program Managers on the IE team. My team and I are
> responsible for handling all of the incoming customer & security requests.
Q: Can you make it secure please?
A: Sadly, no - as I've been asleep for the last 5 years! Why else do you think nothings happened on the IE project since 2001?
I couldn't get through the second sentence without a wtf moment:
"We met while working on Windows Server 2003 at the twice daily status meeting."
Morning meeting: "I'm planning on writing some code today"
Afternoon meeting: "I had planned on writing some code, but I was busy preparing my presentation for this meeting"
This explains a lot...
Christopher has worked on every release of Internet Explorer since version 2
And he's kept his job?!?
we're trending in the right direction as a company
Did he mean 'tending', or is this some horrible fusion of trend and tend that I was previously unaware of?
A brief search reveals that I am out of touch. But everyone else is wrong, I should add.
every IE release since IE 2 or 3
Glad he's paying attention
The first lesson was that the Internet isn't an innocent place any more. When IE6 was under development 6 years ago, viruses were inconveniences and true Internet crime wasn't a concern.
Oh, really? Let's hear it for forward thinking...
-- Is "Sig" copyrighted by www.sig.com?
Microsoft shouldn't have any problems starting a second Internet Explorer project to rewrite the entire codebase in C#. They have more than enough money to maintain an internal second version that is pure managed code. The advantage is that if the SHTF, they will have a fall-back app that they can immediately distribute. Not only that, but it would allow them more leeway in coercing developers into deprecating code that relies on the current native code which has hooks deep into the OS.
So Doctor Matasano now has a blog.
I wonder if the microsoft guy survived the interview.
The best test environment is production. - Me
chrome://browser/content/browser.xul
Any questions about the past are, in truth, irrelevant.
...... questions but in the end the only ones that are important to today and to the future of IE are the ones that involve current technology and what is being done to secure IE7 from the threats of today and the future.
There could be a million of those why didn't you
IE was a poor product, that is known and accepted but the IT industry, most Windows users and even Microsoft personnel. What good does rubbing it in do? Isn't it more important to address the potential concerns of the future rather then the problems of the past?
This interview was meant to be an interview, not a public lynching. I think the right questions were asked, as for the canned text answers, well what do you expect.
...MS Propaganda Week on /. ?
sig has been sent away for a few small repairs...
"Get a bicycle. You will not regret it, if you live." - Mark Twain, "Taming the Bicycle"
I think IE could do better in this area. There's a very simple definition of what active code in a browser should be able to do. Simply put, it should not be able to touch any other part of the system without user permission. When it is allowed to access other parts of the system (to open or save files, or to print a web page) the user should be asked if it's okay, and the question should be asked unambiguously. (For example, the dialog box could pop up like a balloon message, pointing to the web page's tab and saying "This web page at www.domain.com wants to load the file C:\path\to\file.txt. This will give www.domain.com access to the contents of the file. Is this okay?" or something like that.)
I also wish they would stop with the EXE-blocking stuff. Frankly, a browser shouldn't offer crackers or spyware peddlers any vulnerabilities to exploit, but it shouldn't make the assumption that all content is bad. If a user opens, or is redirected to, an executable file, it is their responsibility to make sure it is valid. Use code signing or something, if you want. But don't just block all programs.
ttuttle is a rankmaniac
In light of yesterday's request for interview questions for the creator of CSS, I was dissapointed that interviewers aren't grilling Microsoft for standards compatibility. For that matter, why aren't we (as a community) grilling Firefox for their lack of standards compatibility? What would it take for them to 'get the picture'
How about a Firefox plugin that e-mails the Firefox foundation everytime you start Firefox? Or an ActiveX control in IE that does the same? I think it would send a clear message that these things are important to consumers and ought to be a priority for updates.
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
IE6's security woes have more to do with hooks into the OS, being based on code to support the incredibly badly architected ActiveX, and just plain bad coding than market share.
Heck someone wrote a virus or two for OS X, which supposedly holds somewhere between 2% and 4% of the market. Firefox has almost 10%, yet I don't recall it having the kind of security exploits that seem to plague every version of IE, including IE7. Recall the EI7 zero day exploit? What's funny was, that was a zero day exploit for the beta, which probably had all of 0.0001% of the market - yes, that's pulled out of the air, but it certainly wasn't large.
And to discount your "IE6 has just been around too long" argument, there's fewer and fewer holes in products like OpenBSD, which have been around far longer than all versions of IE combined. Oh, and OpenBSD and its *nix kindred tend to run the things hackers are truly interested in. But because it's "hard", many just grab a few tens of thousands of windows boxes (easy!) and then try to take down those *nix sites via DDOS attacks.
The cesspool just got a check and balance.
They _are_ worth it. You are right, it cannot all be as before, it's lost, better end it. Go on, just jump, be strong, we support you.
From TFA
Well in one respect, I don't really care where spyware & malware is going - I just want it eliminated. Whether it's key loggers or rootkits or adware, our job is simple: keep unauthorized software off of the users' machines. We've attacked this problem at multiple levels
And this from the company that won't let you install security fixes unless you install their spyware, sorry WMA. Or is it that their spyware is OK, others is not because 'they're the good guys'
init 11 - for when you need that edge.
As I always have to point out in these discussions, when you have around 90% of the market share, you define the standard. Anything with less than 10% support in the market isn't a standard, it's just a formal specification, no matter who writes it. This may not be ideal, but it is the way this sort of market works.
If you think you can do better than CSS, and you're in business, and you have 90% market share, then you probably just go ahead and do your own thing. It doesn't matter if other browsers don't support it, because 90% of users will be fine, and of the other 10%, the vast majority will just think those other browsers are broken and load up yours instead. This is why the stubborn insistence of certain other browser development groups that they will only support W3C specs is the biggest own goal since the last World Cup.
Yes, I know, this sucks for the consumer. Yes, I know, most of us here in a geeky community would agree that the W3C specs are far more useful than IE. I'm not disputing any of this. I'm simply giving a straightforward business case, from MS' perspective, for doing their own thing regardless of what the W3C say. This is why unregulated monopolies, or near-monopolies, suck.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Sadly - I think someone previously hit the nail right on the head, and the guy is partially right about drawing the line between outrageous functionality and security. I know for a proven fact that users, when given the option of a 'secure' browser or one that lets them send web pages to buddies on their Yahoo! messenger... well you know which one they'll pick. The problem is maintaining functionality that allows the user experience to be rich and meaningful without being able to hook into the operating system... this still leaves the browser exposed! BHOs are an atrocity which we in the security world have had to live with for some time - I cringe every time my wife says "my browser is so slow" and I look into her "Manage Add-Ons" menu - there's always crap in there! See... browser security is a constant battle between user experience and what security features we want. I don't see IE7 being any better at it... and I think FireFox had the right approach... build a base browser and force the users to add-in plugins they want to use. Microsoft's bloated IE comes with everything they think you'll ever want, toaster included, so there's just so much to exploit. Anyway - I could rant but I'll stick to the hard truth... when presented with an option, users always choose the more functional, easier to use, more colorful version - and they don't care if it's more 'secure' ... all the education in the world isn't going to change human nature folks.
If MS themselves refuse to use .NET for their own programs, what does that say about the viability of it for the rest of us? It doesn't inspire confidence.
Microsoft gets a bad rap here on Slashdot, but for the record I'd like to publicly thank them for one of the best, most altruistic decisions in tech history.
I'm talking about the decision to discontinue Internet Explorer for Mac. As a web developer this has made my life far easier. God knows how many man-decades of work this has saved the world's html coders.
The cloud to this silver lining is that I still spend a good proportion of my working life abusing my code so that it'll work on IE without breaking on real browsers. Multiply that up by the number of web designers / developers in the world and that's got to cost a few lives.
So, Microsoft dude, when, oh when, can the world's developers expect a joyous, fully IE-free existence?
http://savingiceland.org
Tsk, I thought .net was the future and Microsoft always ate their own dog food. Yet strangely, IE7 is yet another MS product that is written native. Is there a message here perhaps?
I want a list of atrocities done in your name - Recoil
I don't understand why they are not pushing managed code internally. It sure doesn't look good from the outside if they won't start using something they recommend for customers. They don't seem to want to eat their own dog food.
Error reading device 'Signature'. (A)bort, (R)etry, (F)ail?
Search TFA for "CSS" and it's not there. Hmm...
Discussion System prefs link: http://slashdot.org/users.pl?op=editcomm
is of course the end-user. No matter how nice and secure IE7 might be (and from using the beta, its miles ahead of IE6 already) its not going to make the end user any more intelligent. I think too many people are expecting the impossible of microsoft (or any software company for that matter). I find myself fixing other peoples computers, who are running firefox, yet are still bogged down in spyware/adware. Why? Because the largest and most efficient security measure is an intelligent and informed end-user, not a nice browser and/or anti-spyware software. No matter how great your software is, if you click yes on the box, you still end up with 'unwanted' spyware.
Why cannot MS write anything themselves? IE is only a newer version of the Spyglass browser. They ditched the in-house version 1.x and made Spyglass IE 2.0. Not even the name is a MS invention, they bought the name "Internet Explorer" for a lot of cash some years ago.
From the article: "Remember too that IE7 is built from the same code base as Windows Vista which has received a huge amount of scrutiny, so this is going to be the most solid code base of IE we've ever produced."
So that's a good thing, right?
Some folks may think otherwise
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
Cripes.
No wonder development is so slow.
defintitely the same reason - when you right click, you get a list of commands you can perform on the document. If Open wasn't one of them, then you couldn't open it :-)
.reg files - leftclick them and I get notepad with the text inside it. Also, for dlls, leftclick and I get dependancy walker. Similarly, when I click a cpp file, it loads in Visual Studio. If left-click was hard-coded to open, none of these things would work.
You can change the default action to something else instead of open.
Left-click is just a shorthand way of right-clicking and selecting the default.
The reason its done this way is that's much better (a more OO way) of associating commands with a file type. You can add a new command, change the default to that, and then left-click the file performs the new command! I do this for
If you want to know more, read about Shell Extensions in MSDN.
As touted by MS dev, the IE7 is supposed to "fix" the IE layout fixed positioning. But as posted on the IE NG, sites such as :
htpp://www.aide.info/assistance/ that are using fixed positioning to feature an "elastic layout" clearly show that IE is buggy on fixed layout ! This site is working on Firefox, Opera, Safari, etc. An MS conditional comment for IE version less than 7 was put to enable a "CSS layout fix" that is perfectly working on IE 5.5 and IE 6. Not only IE 7 latest beta is ignoring conditional comments (that is the MS recomandation to handle the IE "legacy") but evey if "disabled" the page is baddly rendered !
Dean Edwards has proved fixing the CSS on IE is doable with simple ECMAScript. So please, MS do not tell us it is not possible because of blahblahblah and will be done on next version of IE. Dean has fixed most CSS bugs with Guys this was done by one guy in a few days !!! C'm'on MS stop fuding and fix IE now !
Okay, you go ahead and install Spyglass then and see how you enjoy browsing the web. Should be fun waiting for the entire page to load before it displays anything at all. You do know that XmlHttpRequest (AJAX) is a MS invention, right?
"So, Microsoft dude, when, oh when, can the world's developers expect a joyous, fully IE-free existence?
I'll answer for him. Somewhere around, oh, 2020. Unless Firefox stops being an annoying, memory-leaking POS that hangs on me every half hour, or Opera actually gains some momentum, or Linux captures more than 50% of the market.... none of which I'm anticipating.
I say 2020 only because I think the browser concept will probably last about that long.
And this from the company that won't let you install security fixes unless you install their spyware, sorry WMA.
WMA is Windows Media Audio. WGA is the anoying Windows Genuine (dis)Advantage.
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
*oatmeal bowl outstretched*
Please sir, may we have some more?
Please include more standards compliance regarding the CSS 2 specification? Please?
-KB
P.S. Please?
I would...
I'm surprised no one else has noticed that fact that the interviewer's name is Window, and that of all possible jobs he could have pursued, he happened to work on Windows.
Because back in the day, they were tasked with defeating Netscape at any cost as quickly as possible. No one cared about Engineering Excellence (MSFT term) or security and the codebase has been a nightmare since then. It's hard to fix bugs in it, it's hard to make it support new standards, it's hard to just even understand it, not to mention fix bugs and ask features without breaking much in terms of backwards compat. So in IE7 they're "reaping some low hanging fruit" (another MSFT term) and slapping a new UI on it.
I tried IE7 this week with great anticipation of the many long standing bugs in IE being fixed. Most of the problem bugs are still there.
If this is Microsoft's next generation browser, the IT policy of my company will shortly be Firefox on every desktop. Simply NOT good enough.
all self respecting web developers around the world now have a name to associate with all their lost coding productivity - "Christopher Vaughan."
"Christopher Vaughan," you and your employees have personally made the lives of us web developers worse. much worse.
i do have to admit, though, you are very efficient at screwing over web developers for selfish, personal gain.
was your gain worth the decades of lost productivity you inflict on web developers around the world?
was it?
i personally burned at least two weeks coding around your crap browser when i was first learning CSS. i ended up having to find a CSS expert on the web (sitepoint.com), take their template (with permission - yes, some folks ask permission) and apply it to my needs.
no browser is 100% standards compliant, but your browser is the only one DETERMINED to be NONCOMPLIANT.
for that, "Christopher Vaughan," i hope someone screws you over as much as you've screwed over web developers all around the world.
on second thought, no i don't.
i *CHOOSE* to not be that self centered and morally depraved.
I accidentally posted this for the wrong article so I'll probably get flammed and modded down for it, but here it is again.
At one time, IIS 5 looked hopeless. It was completely riddled with security holes and was basically the joke of the industry. People who used it did so with either ignorance or extreme caution.
Microsoft realized they needed to fix this but it took Code Red and various other major worms that took advantage of IIS to really kick the company into gear.
What was the result of this? IIS 6. IIS 6 is an excellent web server and is one of the most secure web servers you can use. It's certainly the most secure application server you can use. It's had a total of 2 vulnerabilities since its release about 4 years ago. (See: http://secunia.com/product/1438/ [secunia.com]) Add to that the fact that IIS 6 is extremely performant, easily configurable and maintainable, and is very robust, you have to conclude that Microsoft improved. A great deal in fact.
I see the work on Windows Vista and IE 7 being very similar in nature to the work done on IIS. They've completely revamped their development methodologies to focus on security.
IE 7+ (the one that comes with Vista) has a feature that essentially runs the browser as a very low privs user. Any operations that need high privs (such as writing to the user's desktop or other directories) are done by a broker. This broker has only a few thousand lines of code (and is therefore FAR easier to audit for security issues) and runs with the privs of the current user. This is actually fairly innovative and will undoubtedly make it far more difficult to exploit and holes in IE.
Obviously we'll have to wait and see if Microsoft has done with Vista and IE what they did with IIS, but it's hard to deny that Microsoft has proven they can take a product people view as a hopeless security mess and turn it into one of the most secure products on the market.
So can we blame Microsoft now that they are trending away from Mal/viruses?
/?
---
BTW, this is Microsoft's week on
Matasano??? I would not let them treat me (matasanos = quack [4, noun] in Spanish)
So why is it for me, a person who has used multiple Windows from 1996-1999, and multiple tabs from 2000-present, that I cannot configure left click (which I use maybe 1 out of 500 clicks) to be the middle button, and open as new tab (which I use 499 out of 500 clicks) to be the left button on my mouse in my browser of choice?
I've yet to see Camino, Konq, Safari, Moz, or Firefox do this (Opera might, and with v9 have BT built in, I may switch to it).
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
s/user/victim/g
After all, this is Windows and IE we're talking about.
Once people like yourself starting seeing the Acid Test as a proof of standards compliance, it stopped having any meaning. Programmers would/could prioritize those bugs standing in the way of passing the Acid 2 Test, while other, possibly more important issues wrt. standards compliance were treated as less important.
Even a moron in a hurry would understand that passing the Acid 2 Test only means you're passing the Acid 2 Test. It doesn't even mean that you properly included the standards needed to pass the Acid 2 Test. And even less that you're (fully) standards compliant.
Please take a look at a comprehensive list comparing standards compliance before claiming lack of standards compliance in Firefox (or other browsers)
What part of "Open Source Community" do you not understand?
And what part of the standards not yet implemented in Firefox bugs you so much that you feel the need to remind the makers about it every single time you just so much as start the product?
PS: what is this "firefox foundation" you talk about?
And why not just settle for an extension instead of a plugin?
PS2: contact info for the makers of Firefox is easy to find on the web. Can you also do us the favor of informing how we can contact you in case we have issues with anything you produce in your life? I'm sure you want your customers/clients (be them paying or even non-paying ones) to contact you every single time they use a product of you that you dared to ship without it being perfect?
IE7 beta doesnt support it and I see no indicators they are working on this :(
Take for instance a fairly representative A lot of people are getting viruses from downloading programs. Microsoft's solution: make it more cumbersome to download programs. But don't make it impossible, because sometimes you just need to download a program. Make it have an extra 5 steps or whatever. Give them a modal popup that says "What you are about to do is really really scary. Are you wearing diapers in case you soil yourself? Continue | Cancel" And don't let them do anything else (including getting up to put on their Depends undergarments) until they click either "Continue" or "Cancel." Net result, fewer people are willing to go through the hassle of downloading programs, and so fewer people get virus from downloading programs. The same strategy goes for ActiveX and a host of other things. But then a year or two later, some script kiddie writes a OLE bot that clicks through the warnings and makes downloading easier. Only it isn't secure. So you download a secure knockoff, only to find it has spyware installed!
Many people have pointed out that Microsoft has the resources to produce a standards-compliant browser. The fact that they haven't done so should tell you something.
Remember what the Browser War was about? Netscape and Microsoft both wanted to control the Web as a platform. Well, Microsoft won, and they now set a de facto standard. Microsoft now wants the majority of Internet users to stay hooked on their sucky browser, and they want the browser to continue to suck. Web applications still pose a threat to Microsoft's revenue stream (witness the recent Google Spreadsheet). Microsoft's hope is to make Web development harder than Win32/.NET development.
But wait, you say. The War isn't over yet, because Firefox is taking back market share. Wouldn't that force Microsoft to improve IE? Yes, but look at what they are doing in IE 7: tabbed browsing, popup blocking, etc. are all new features to make the users happy. From the developer's perspective, though, IE 7 is just as bad as IE 6. Sure, Microsoft could implement XHTML and CSS support, but that kind of effort would do nothing for recapturing their market share. In fact, as far as Microsoft is concerned, shipping a standards-compliant browser is the same as losing the Browser War.
So that's why IE will continue to suck forever: Microsoft needs to make life hard for Web developers. The only way to force Microsoft to reform is if so many users switch to Firefox or Opera that Web developers stop working around IE's quirks. That's not likely to happen anytime soon.
I'm curious to know about the status of the products and companies that were effected due to bundling with Windows OS before Antitrust department's IE/Netscape browser case.
Slashdot = Sarcasm
as he says almost immediately, as they're coming up to release the status meetings switch to being 3 times a day. Presumably if they just increased the frequency of the status meetings, nothing would ever get released on schedule... hang on...