Slashdot Mirror

← Back to Stories (view on slashdot.org)

Interview with IE Lead Program Manager

Posted by ryuzaki0 on from the through-the-looking-glass dept.

crackman writes "Matasano Security is running an excellent interview with Christopher Vaughan, a lead PM on the IE team. Christopher has worked on every release of Internet Explorer since version 2. He discusses IE7, security lessons learned from IE6, the future of .NET managed code in IE, and more."

15 of 289 comments (clear)

  1. Need a /. interview with this guy by PFI_Optix · · Score: 5, Insightful

    Forget Opera Man, I'd love a chance for the collective to ask this guy some tough questions about past and present design decisions in IE.

    --
    120 characters for a sig? That's bloody useless.
    1. Re:Need a /. interview with this guy by baadger · · Score: 4, Insightful

      What 'tough questions' would you ask him that haven't already been asked? Whimpy questions about the 'integration' between IE and Windows? Turn it into a political/philosophical debate about the Open Source model? Bashings about long patch response time?

      Do tell, I personally thought the interview wasn't too bad, although it could have pressed on a few issues rather than swiftly moving onto a new question.

    2. Re:Need a /. interview with this guy by contrapunctus · · Score: 4, Insightful
      Hit F4
      It's still an extra step. I just opened a browser what do you think my intensions are?
  2. You forgot one question... by gasmonso · · Score: 5, Insightful

    Why was there no development on IE for several years? If you were on every release of IE, you must have noticed this... you're workload would have been really small ;)



    http://psychicfreaks.com/
  3. Better question for the interview... by aleksiel · · Score: 5, Insightful

    why isn't IE7 doing a better job with supporting CSS standards?

    1. Re:Better question for the interview... by PFI_Optix · · Score: 4, Insightful

      The fanboy answer: Because MS didn't invent it.

      Apparently they think they have a better way of doing CSS than the people who set the CSS standards. That's unfortunate, because it seems like a simple thing to comply to some web standards and then, if you think you can do better, create your own standard to compete with it and get all the other browsers to support it, too.

      Better yet, get involved in the development of the standard and put your ideas on the table along with everyone else's.

      --
      120 characters for a sig? That's bloody useless.
  4. Re:Security! Don't make me laugh by PFI_Optix · · Score: 5, Insightful

    It's been a while since I read much about IE7, but last I heard they were stripping a lot of its hooks out of the OS so that it sits "on top" like other browsers do. That alone should significantly reduce the security risk it poses.

    IE6 has just been around too long; the hackers have had too long to play with it and find every possible exploit there is. If Opera were still sitting at version 5 (and controlled a larger market share) it would probably have just as many security holes discovered. It's the frequent updates and relative obscurity that make other browsers apparently more secure today.

    --
    120 characters for a sig? That's bloody useless.
  5. Re:That long eh? by TheVidiot · · Score: 5, Insightful

    True. If only his product wasn't riding Windows' coattails. Similarily, WordPad is essentially the world's most popular word processor!

  6. Re:Two quotes: by topham · · Score: 5, Insightful

    I don't know what rock he's been sleeping under, but internet security has been a concern since long before 2000.

    Oh, but not for Microsoft. That's hardly the users fault.

  7. Active code by ThinkingInBinary · · Score: 4, Insightful

    Do you think the browsing model where active content is executed in the user's browser broken? How is it different from active content in office documents? Can these models be fixed?

    Well of course you do have to be careful. It's our responsibility to help users be safe, but users also want a pleasant user experience. Imagine an extensibility model so severely limited that you can't save files you download from the Internet, run any application, or save settings. It's our job to draw a line between those two extremes, and that's what we've been doing for the last few years - refining that line.

    I want to point out that every browser has an extensibility model of some sort, and they all have security & usability challenges to overcome.

    I think IE could do better in this area. There's a very simple definition of what active code in a browser should be able to do. Simply put, it should not be able to touch any other part of the system without user permission. When it is allowed to access other parts of the system (to open or save files, or to print a web page) the user should be asked if it's okay, and the question should be asked unambiguously. (For example, the dialog box could pop up like a balloon message, pointing to the web page's tab and saying "This web page at www.domain.com wants to load the file C:\path\to\file.txt. This will give www.domain.com access to the contents of the file. Is this okay?" or something like that.)

    I also wish they would stop with the EXE-blocking stuff. Frankly, a browser shouldn't offer crackers or spyware peddlers any vulnerabilities to exploit, but it shouldn't make the assumption that all content is bad. If a user opens, or is redirected to, an executable file, it is their responsibility to make sure it is valid. Use code signing or something, if you want. But don't just block all programs.

    --
    ttuttle is a rankmaniac
  8. Just don't make me laugh by Gr8Apes · · Score: 4, Insightful

    IE6's security woes have more to do with hooks into the OS, being based on code to support the incredibly badly architected ActiveX, and just plain bad coding than market share.

    Heck someone wrote a virus or two for OS X, which supposedly holds somewhere between 2% and 4% of the market. Firefox has almost 10%, yet I don't recall it having the kind of security exploits that seem to plague every version of IE, including IE7. Recall the EI7 zero day exploit? What's funny was, that was a zero day exploit for the beta, which probably had all of 0.0001% of the market - yes, that's pulled out of the air, but it certainly wasn't large.

    And to discount your "IE6 has just been around too long" argument, there's fewer and fewer holes in products like OpenBSD, which have been around far longer than all versions of IE combined. Oh, and OpenBSD and its *nix kindred tend to run the things hackers are truly interested in. But because it's "hard", many just grab a few tens of thousands of windows boxes (easy!) and then try to take down those *nix sites via DDOS attacks.

    --
    The cesspool just got a check and balance.
  9. The business argument by Anonymous+Brave+Guy · · Score: 5, Insightful
    That's unfortunate, because it seems like a simple thing to comply to some web standards and then, if you think you can do better, create your own standard to compete with it and get all the other browsers to support it, too.

    As I always have to point out in these discussions, when you have around 90% of the market share, you define the standard. Anything with less than 10% support in the market isn't a standard, it's just a formal specification, no matter who writes it. This may not be ideal, but it is the way this sort of market works.

    If you think you can do better than CSS, and you're in business, and you have 90% market share, then you probably just go ahead and do your own thing. It doesn't matter if other browsers don't support it, because 90% of users will be fine, and of the other 10%, the vast majority will just think those other browsers are broken and load up yours instead. This is why the stubborn insistence of certain other browser development groups that they will only support W3C specs is the biggest own goal since the last World Cup.

    Yes, I know, this sucks for the consumer. Yes, I know, most of us here in a geeky community would agree that the W3C specs are far more useful than IE. I'm not disputing any of this. I'm simply giving a straightforward business case, from MS' perspective, for doing their own thing regardless of what the W3C say. This is why unregulated monopolies, or near-monopolies, suck.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:The business argument by GigsVT · · Score: 5, Insightful

      You are pretty far off.

      It doesn't matter what the browser market share is in terms of installed base. That's entirely irrelevant to this discussion.

      The real market share is the number of pages on the net that are coded to some IE standard rather than the open standard. That's the real market share here.

      Developers have adopted the open standards and valid code at a fast rate lately. It's extremely rare to find a page that only works in IE these days. Most of those pages are holdovers from 1997 or something.

      And more and more pages are W3C valid. Even slashdot is valid now!

      So really IE can hang themselves if they want, it's not up to their idiots users, it's up to the web developers. And the web developers are telling MS to fuck off.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  10. Re:Not using .net? by Abcd1234 · · Score: 4, Insightful

    Is there a message here perhaps?

    Yes. That the time and effort required to rewrite a large, complex codebase in a new language/platform for arguably little benefit is better spent elsewhere

  11. Re:That long eh? by kimvette · · Score: 4, Insightful

    Having to spoof MSIE's user agent because they sniff your agent and display "This site is designed for Microsoft Internet Explorer" if you're using anything but would not have anything to do with that now, would it?

    I can imagine the IT discussions there:

    CFO: "Hey, let's get online banking done. What do your guys need from us?"
    CIO: "Okay, we have internet explorer, frontpage, and dev studio here. Check. We'll get right on it."

    (weeks/months later)

    CFO: "Hey it doesn't work in Netscape 4.0"
    IT: "Nothing works in Netscape 4.0. It's a steaming cowpie."
    CFO: "OK, good show then, let's just display a message for folks running other browsers, and recommend that people use MSIE instead. Can you do that?"
    CIO: "Yeah, all we need to do is check for something called the user agent."

    (a couple of years later, conduct online banking using Safari, Konqueror, Mozilla, Firefox, Opera, etc. by spoofing user agent)

    CFO: "Hey Chuck, I just got a call from the chairmain of the board. He said the directors think our website is outdated and also we need to get all of our services online. What will it take?"
    CIO: "Oh we have MSIE, Frontpage, Visual Studio.Net, and IIS, I don't think it will be any problem."
    CFO: "By the way one board member remarked his mac doesn't work with our site. In fact he said that he had to buy a PC just to do online banking. Do you think we should fix this?"
    CIO: "Let's check the web logs, shall we? OK, it looks like 99.999% of visitors use MSIE. I don't think we have to worry about it."
    CFO: "Great, so we can reallocate the budget we had slated and send executives to Hawaii for er, team building instead."
    CIO: "Sounds great to me."

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50