Slashdot Mirror


Interview with IE Lead Program Manager

crackman writes "Matasano Security is running an excellent interview with Christopher Vaughan, a lead PM on the IE team. Christopher has worked on every release of Internet Explorer since version 2. He discusses IE7, security lessons learned from IE6, the future of .NET managed code in IE, and more."

23 of 289 comments

  1. Re:Twice Daily Status Meetings? by PFI_Optix · · Score: 4, Interesting

    I had a job something like that once upon a time. I was the sole IT person. I'd been shoved into the Accounting department for organizational purposes and so answered to that manager. I also answered to the production manager and the site manager. Between my three bosses, I spent more time explaining to people what I was doing, why I was doing it, and what problems I was encountering than I spent actually working. I wonder if Microsoft has similar problems. You're right, that would explain much...

    --
    120 characters for a sig? That's bloody useless.
  2. Why not start a "marklar project?" by MikeRT · · Score: 4, Interesting

    Microsoft shouldn't have any problems starting a second Internet Explorer project to rewrite the entire codebase in C#. They have more than enough money to maintain an internal second version that is pure managed code. The advantage is that if the SHTF, they will have a fall-back app that they can immediately distribute. Not only that, but it would allow them more leeway in coercing developers into deprecating code that relies on the current native code which has hooks deep into the OS.

  3. What is this... by DreadfulGrape · · Score: 2, Interesting

    ...MS Propaganda Week on /. ?

    --
    sig has been sent away for a few small repairs...
  4. About CSS2... by Chabil+Ha' · · Score: 4, Interesting

    In light of yesterday's request for interview questions for the creator of CSS, I was disappointed that interviewers aren't grilling Microsoft for standards compatibility. For that matter, why aren't we (as a community) grilling Firefox for their lack of standards compatibility? What would it take for them to 'get the picture'?

    How about a Firefox plugin that e-mails the Firefox foundation every time you start Firefox? Or an ActiveX control in IE that does the same? I think it would send a clear message that these things are important to consumers and ought to be a priority for updates.

    --
    We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
    1. Re:About CSS2... by nazh · · Score: 4, Interesting

      For that matter, why aren't we (as a community) grilling Firefox for their lack of standards compatibility? What would it take for them to 'get the picture'?

      I think this answers your question: http://flickr.com/photos/dbaron/126886608/

  5. Re:Need a /. interview with this guy by PFI_Optix · · Score: 4, Interesting

    Oh, I'm not saying it's a bad interview; it's quite good. It just goes in a different direction than I think a slashdot interview would. I'm saying I'd be interested in seeing what questions the slashdotters ask, specifically those with significant experience in web development. I think it would also focus more on things like the UI and how things got to be where they are today.

    --
    120 characters for a sig? That's bloody useless.
  6. Re:Security! Don't make me laugh by PFI_Optix · · Score: 4, Interesting

    These hooks being only introduced in the first place so MS could justify that it wasn't bundling IE and that it was a necessary part of the OS. Once again MS putting security and the end user lower down its priority list than profits, control and market share.

    Some, yes. Some of the hooks existed already as part of Microsoft's great failure: placing "user-friendly" over security. That is ultimately what has made their software so vulnerable: in the interest of maintaining their hold on the market, they made their OS as easy to use as possible. That means minimizing security challenges and that sort of thing...which means opening it up to exploitation. Add in the fact that their two biggest products besides Windows--IE and Office--both hook deep into the OS and provide the same sort of vulnerabilities, and you get a recipe for disaster.

    --
    120 characters for a sig? That's bloody useless.
  7. Re:Need a /. interview with this guy by $RANDOMLUSER · · Score: 4, Interesting

    Why is the first (top) choice on right-click-on-a-link "open" - if I wanted to do that I'd left click?

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  8. Re:Just don't make me laugh by PFI_Optix · · Score: 5, Interesting

    IE6's security woes have more to do with hooks into the OS, being based on code to support the incredibly badly architected ActiveX, and just plain bad coding than market share.

    I won't argue there. MS picked convenience over security, and it's plagued them (and us) ever since.

    Heck someone wrote a virus or two for OS X, which supposedly holds somewhere between 2% and 4% of the market. Firefox has almost 10%, yet I don't recall it having the kind of security exploits that seem to plague every version of IE, including IE7.

    Firefox has had a few problems, and they were quickly and effectively patched. FF has the advantage of being OSS, which means that the less malicious hackers will find the bug and report it rather than abuse it, simply because they are sympathetic to OSS projects.

    Recall the IE7 zero day exploit? What's funny was, that was a zero day exploit for the beta, which probably had all of 0.0001% of the market - yes, that's pulled out of the air, but it certainly wasn't large.

    Bear in mind that there are a lot of anti-MS types out there just waiting for a new version of IE so they can bang out the first exploit for it to show that MS is weak. And, of course, there's the fact that IE7 is going to be the dominant browser in a few years, whoever gets a head start on cracking it now will have the advantage later when they're making grabs for zombie PCs or burying adware on your system.

    I'm not saying any of that makes up for all the difference, but it's definitely something we need to consider. Firefox simply doesn't attract the vitriol that anything made by MS does.

    And to discount your "IE6 has just been around too long" argument, there are fewer and fewer holes in products like OpenBSD, which have been around far longer than all versions of IE combined. Oh, and OpenBSD and its *nix kindred tend to run the things hackers are truly interested in. But because it's "hard", many just grab a few tens of thousands of Windows boxes (easy!) and then try to take down those *nix sites via DDoS attacks.

    OpenBSD has gone through some pretty serious revisions over the years. IE6 has been patched, but it's still IE6.

    --
    120 characters for a sig? That's bloody useless.
  9. Spyware by Silver+Sloth · · Score: 2, Interesting

    From TFA

    Well in one respect, I don't really care where spyware & malware is going - I just want it eliminated. Whether it's key loggers or rootkits or adware, our job is simple: keep unauthorized software off of the users' machines. We've attacked this problem at multiple levels.

    And this from the company that won't let you install security fixes unless you install their spyware, sorry, WMA. Or is it that their spyware is OK and others' is not because 'they're the good guys'?

    --
    init 11 - for when you need that edge.
    1. Re:Spyware by drsmithy · · Score: 3, Interesting

      They want to run any damn thing they please, but they want the OS to stop it from doing anything malicious.

      These two goals are fundamentally in conflict, since "malicious" cannot be objectively and programmatically defined.

      I've said it before... new software on Windows should be running in a jail or sandbox or VM or something and by default should not be allowed to touch anything without the user being informed in real English and given the option to granularly deny the software, without stopping that software from running in most cases. This would solve the vast majority of Windows' and IE's security problems.

      No, it wouldn't. You have proposed the standard "dialog box storm" solution to security, and it doesn't work. Primarily because users are lazy, but also because they're ignorant and simply uninterested in acquiring sufficient knowledge to make educated decisions.

      Asking the user "are you sure" three times is not more secure than asking them "are you sure" twice.

      As long as lazy, ignorant and downright stupid end users are able to execute arbitrary code on their computers, the malware problem will not - and can not - be solved.

  10. Re:Need a /. interview with this guy by elrous0 · · Score: 2, Interesting

    Why does IE insist on refreshing a page when you go back?

    I suspect that may have something to do with the way asp.net handles (or did handle) state. Possibly another "innovation" to make their browser work better with THEIR software.

    -Eric

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  11. Re:Twice Daily Status Meetings? by elrous0 · · Score: 3, Interesting

    You can always tell the people who are just FAKING work by looking for the people who attend every meeting and are on every committee in your organization.

    Sadly, though, the guy who is on every committee and is constantly in meetings is probably most likely to get a promotion (since he's doing such a great job of making it LOOK like he's working hard). He's also the guy on every committee who is mysteriously absent when any actual committee WORK assignments are being handed out.

    -Eric

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  12. Not using .net? by clickclickdrone · · Score: 5, Interesting

    Tsk, I thought .net was the future and Microsoft always ate their own dog food. Yet strangely, IE7 is yet another MS product that is written native. Is there a message here perhaps?

    --
    I want a list of atrocities done in your name - Recoil
  13. Managed Code by geeper · · Score: 2, Interesting

    I don't understand why they are not pushing managed code internally. It sure doesn't look good from the outside if they won't start using something they recommend for customers. They don't seem to want to eat their own dog food.

    --
    Error reading device 'Signature'. (A)bort, (R)etry, (F)ail?
  14. Re:Better question for the interview... by Bogtha · · Score: 5, Interesting

    Apparently they think they have a better way of doing CSS than the people who set the CSS standards.

    Try again. Microsoft had employees on the CSS working group at the W3C, while at the same time they were busy coding the proprietary stuff instead. All the finished CSS specifications, right from the first one published in 1996, have an acknowledgements section listing, among others, Microsoft employees.

    The fact is, if they thought they had a better way of doing things, they could easily have brought it up when CSS was being designed, because they are some of the people who made CSS in the first place.

    --
    Bogtha Bogtha Bogtha
  15. Not a good sign by bwintx · · Score: 3, Interesting

    Search TFA for "CSS" and it's not there. Hmm...

    --
    Discussion System prefs link: http://slashdot.org/users.pl?op=editcomm
  16. IE7 = Vista, therefore IE7=good? by Spinlock_1977 · · Score: 2, Interesting

    From the article: "Remember too that IE7 is built from the same code base as Windows Vista which has received a huge amount of scrutiny, so this is going to be the most solid code base of IE we've ever produced."

    So that's a good thing, right?

    Some folks may think otherwise

    --
    - The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
  17. IE Free Existence? by Petersko · · Score: 2, Interesting

    "So, Microsoft dude, when, oh when, can the world's developers expect a joyous, fully IE-free existence?"

    I'll answer for him. Somewhere around, oh, 2020. Unless Firefox stops being an annoying, memory-leaking POS that hangs on me every half hour, or Opera actually gains some momentum, or Linux captures more than 50% of the market.... none of which I'm anticipating.

    I say 2020 only because I think the browser concept will probably last about that long.

  18. If only I could take Balmer's job... by emil · · Score: 4, Interesting

    I would...

    • Get the IE team to implement privilege separation for the IE rendering engine and all plugins - these would run as the GUEST user. Granted, if NT is installed on FAT this isn't going to help much.
    • Seriously consider replacing the rendering engine with Gecko or KHTML. Vista is demonstrating an obvious manpower shortage, and those IE developers could be better tasked. The stock price would also probably jump if such an overt move was made to embrace open source.
    • OpenBSD has implemented W^X on i386 regardless of the presence of an NX-capable CPU. I would move heaven and earth to do the same on Windows 2000, XP, and Vista (and unify the kernels of these releases to minimize support complexity).
    • OpenBSD code is distributed by Microsoft in the SFU package. Microsoft should aggressively back OpenBSD (funding hackathons, etc.) for the following reasons:
      • OpenBSD actively removes GPL-code from the base whenever possible. The enemy of my enemy is my friend - endorsing BSD is better than campaigning against GPL.
      • OpenBSD is slower on any given platform than most other free kernels (because of extensive security and no fine-grain SMP locking), allowing the NT kernel to be promoted for performance.
      • The OpenBSD installer is concise yet complex, as is much of the OS. It is unlikely that it would ever be repackaged in a form that will compete with NT.
      • If Microsoft goodwill and contributions obtain some influence over OpenSSH, an opportunity is presented to obtain some control over AIX, RedHat, and others. Subtle manipulations of these platforms might benefit NT.
      • OpenBSD, if expanded properly, will produce more secure coders which might be of use within Microsoft.
  19. Microsoft Has Improved by ThinkFr33ly · · Score: 2, Interesting

    I accidentally posted this for the wrong article so I'll probably get flamed and modded down for it, but here it is again.

    At one time, IIS 5 looked hopeless. It was completely riddled with security holes and was basically the joke of the industry. People who used it did so with either ignorance or extreme caution.

    Microsoft realized they needed to fix this but it took Code Red and various other major worms that took advantage of IIS to really kick the company into gear.

    What was the result of this? IIS 6. IIS 6 is an excellent web server and is one of the most secure web servers you can use. It's certainly the most secure application server you can use. It's had a total of 2 vulnerabilities since its release about 4 years ago. (See: http://secunia.com/product/1438/) Add to that the fact that IIS 6 is extremely performant, easily configurable and maintainable, and is very robust, and you have to conclude that Microsoft improved. A great deal, in fact.

    I see the work on Windows Vista and IE 7 being very similar in nature to the work done on IIS. They've completely revamped their development methodologies to focus on security.

    IE 7+ (the one that comes with Vista) has a feature that essentially runs the browser as a very low privs user. Any operations that need high privs (such as writing to the user's desktop or other directories) are done by a broker. This broker has only a few thousand lines of code (and is therefore FAR easier to audit for security issues) and runs with the privs of the current user. This is actually fairly innovative and will undoubtedly make it far more difficult to exploit any holes in IE.

    Obviously we'll have to wait and see if Microsoft has done with Vista and IE what they did with IIS, but it's hard to deny that Microsoft has proven they can take a product people view as a hopeless security mess and turn it into one of the most secure products on the market.

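The broker design that the post above describes (and that emil's "privilege separation for the IE rendering engine" bullet in comment 18 asks for) is worth seeing as code, because its security comes from one property: the low-privilege side can only send requests, and the trusted side applies the policy before doing anything. The following is an added illustration, not code from the interview, from Microsoft or from any commenter. It models the two sides as threads joined by queues (a real implementation uses separate processes and a reduced-privilege token); `broker_handle`, `ALLOWED_OP`, the request dictionary shape and the sample requests are all constructed for the demo.

```python
"""Model of a low-privilege renderer talking to a trusted broker.

The renderer never opens files itself; it asks the broker, and the broker
refuses anything outside the one directory tree it is allowed to write into.
"""
import os
import queue
import tempfile
import threading

ALLOWED_OP = "write"          # constructed: the only operation the broker exposes
MAX_PAYLOAD = 1 << 20         # constructed: refuse absurdly large writes


def make_root():
    """Create a fresh allowed directory (stands in for e.g. a Downloads folder)."""
    return tempfile.mkdtemp(prefix="broker-root-")


def resolve_inside(root, relative):
    """Canonicalise root/relative; return None if it escapes root.

    realpath collapses '..' and symlinks, so the containment test is done on
    the final path, not on the string the renderer supplied.
    """
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def broker_handle(request, root):
    """Policy check and action, run on the trusted side.

    Every field of the request is treated as attacker-controlled.
    """
    if not isinstance(request, dict) or request.get("op") != ALLOWED_OP:
        return {"ok": False, "error": "unsupported operation"}
    path = resolve_inside(root, str(request.get("path", "")))
    if path is None:
        return {"ok": False, "error": "path escapes allowed root"}
    data = request.get("data")
    if not isinstance(data, bytes) or len(data) > MAX_PAYLOAD:
        return {"ok": False, "error": "bad payload"}
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return {"ok": True, "path": path}


def renderer(to_broker, from_broker, requests):
    """Untrusted side: it can only enqueue requests and read the replies."""
    for req in requests:
        to_broker.put(req)
        from_broker.get()
    to_broker.put(None)            # end of session


def run_broker(to_broker, from_broker, root):
    """Trusted side: service requests until the renderer hangs up."""
    log = []
    while True:
        req = to_broker.get()
        if req is None:
            return log
        resp = broker_handle(req, root)
        log.append((req, resp))
        from_broker.put(resp)


def demo():
    """Run one session; returns the broker's decision log for inspection."""
    root = make_root()
    # Constructed sample traffic: one legitimate save, then three attempts a
    # compromised renderer might make. Only the first should succeed.
    requests = [
        {"op": "write", "path": "page.html", "data": b"<html>saved</html>"},
        {"op": "write", "path": "../../startup.cmd", "data": b"oops"},
        {"op": "write", "path": "/etc/passwd", "data": b"oops"},
        {"op": "exec", "path": "anything.exe"},
    ]
    to_broker, from_broker = queue.Queue(), queue.Queue()
    t = threading.Thread(target=renderer, args=(to_broker, from_broker, requests))
    t.start()
    log = run_broker(to_broker, from_broker, root)
    t.join()
    return log


if __name__ == "__main__":
    for req, resp in demo():
        print(req.get("op"), req.get("path"), "->", resp)
```

The point the post makes about auditability shows up in `broker_handle`: everything that decides whether a write happens is in a few dozen lines, and a bug anywhere in the renderer side cannot bypass it because that side has no file handle to misuse.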
  20. Re:Need a /. interview with this guy by Neoncow · · Score: 3, Interesting

    Do you really type in entire addresses from memory most of the time? Not that there is anything wrong with that, but it seems odd to then be concerned about one additional keystroke on top of the 10-20 you're making already.

    I use autocomplete. I mostly have to enter one or two letters before the site I want.

    Well IE sorts web addresses in some useless order. It's alphabetical, which would be useful if I was a computer and could binary search it or something.

    Firefox (and opera I believe) sorts the autocomplete addresses by frequency of use, I type g 'tab' 'enter' and google pops up. Not gameSiteThatIVisitedOnce.com.
    I type s 'tab' 'enter' and slashdot appears. Not samsreallycoolhomepage.com
    I type p 'tab' 'enter' and penny arcade loads.

    Guess what happens when I type ap? I get apple.ca!

    I believe there is one of those chain blog (like chain email) games where you list the first site that appears in firefox for every letter of the alphabet.
  21. Re:Need a /. interview with this guy by dcam · · Score: 3, Interesting

    How about asking him about standards support in the current browser?

    How about asking him what they are going to do about standards support in the future? Will they use open standards (if they exist) rather than defining their own? Will they open up any new standards they define?

    They should also ask him about extensibility for the browser and what they are doing to encourage developers to write extensions for the browser. The single best feature of Firefox is that there are so many good extensions.

    --
    meh