Slashdot Mirror


Interview with IE Lead Program Manager

crackman writes "Matasano Security is running an excellent interview with Christopher Vaughan, a lead PM on the IE team. Christopher has worked on every release of Internet Explorer since version 2. He discusses IE7, security lessons learned from IE6, the future of .NET managed code in IE, and more."

16 of 289 comments

  1. Re:Twice Daily Status Meetings? by PFI_Optix · Score: 4, Interesting

    I had a job something like that once upon a time. I was the sole IT person. I'd been shoved into the Accounting department for organizational purposes and so answered to that manager. I also answered to the production manager and the site manager. Between my three bosses, I spent more time explaining to people what I was doing, why I was doing it, and what problems I was encountering than I spent actually working. I wonder if Microsoft has similar problems. You're right, that would explain much...

    --
    120 characters for a sig? That's bloody useless.
  2. Why not start a "marklar project?" by MikeRT · Score: 4, Interesting

    Microsoft shouldn't have any problems starting a second Internet Explorer project to rewrite the entire codebase in C#. They have more than enough money to maintain an internal second version that is pure managed code. The advantage is that if the SHTF, they will have a fall-back app that they can immediately distribute. Not only that, but it would allow them more leeway in coercing developers into deprecating code that relies on the current native code which has hooks deep into the OS.

  3. About CSS2... by Chabil+Ha' · Score: 4, Interesting

    In light of yesterday's request for interview questions for the creator of CSS, I was disappointed that interviewers aren't grilling Microsoft for standards compatibility. For that matter, why aren't we (as a community) grilling Firefox for their lack of standards compatibility? What would it take for them to 'get the picture'?

    How about a Firefox plugin that e-mails the Firefox foundation every time you start Firefox? Or an ActiveX control in IE that does the same? I think it would send a clear message that these things are important to consumers and ought to be a priority for updates.

    --
    We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
    1. Re:About CSS2... by nazh · Score: 4, Interesting

      For that matter, why aren't we (as a community) grilling Firefox for their lack of standards compatibility? What would it take for them to 'get the picture'?

      I think this answers your question: http://flickr.com/photos/dbaron/126886608/

  4. Re:Need a /. interview with this guy by PFI_Optix · Score: 4, Interesting

    Oh, I'm not saying it's a bad interview; it's quite good. It just goes in a different direction than I think a slashdot interview would. I'm saying I'd be interested in seeing what questions the slashdotters ask, specifically those with significant experience in web development. I think it would also focus more on things like the UI and how things got to be where they are today.

    --
    120 characters for a sig? That's bloody useless.
  5. Re:Security! Don't make me laugh by PFI_Optix · Score: 4, Interesting

    These hooks being only introduced in the first place so MS could justify that it wasn't bundling IE and that it was a necessary part of the OS. Once again MS putting security and the end user lower down its priority list than profits, control and market share.

    Some, yes. Some of the hooks existed already as part of Microsoft's great failure: placing "user-friendly" over security. That is ultimately what has made their software so vulnerable: in the interest of maintaining their hold on the market, they made their OS as easy to use as possible. That means minimizing security challenges and that sort of thing...which means opening it up to exploitation. Add in the fact that their two biggest products besides Windows--IE and Office--both hook deep into the OS and provide the same sort of vulnerabilities, and you get a recipe for disaster.

    --
    120 characters for a sig? That's bloody useless.
  6. Re:Need a /. interview with this guy by $RANDOMLUSER · Score: 4, Interesting

    Why is the first (top) choice on right-click-on-a-link "open" - if I wanted to do that I'd left click?

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  7. Re:Just don't make me laugh by PFI_Optix · Score: 5, Interesting

    IE6's security woes have more to do with hooks into the OS, being based on code to support the incredibly badly architected ActiveX, and just plain bad coding than market share.

    I won't argue there. MS picked convenience over security, and it's plagued them (and us) ever since.

    Heck someone wrote a virus or two for OS X, which supposedly holds somewhere between 2% and 4% of the market. Firefox has almost 10%, yet I don't recall it having the kind of security exploits that seem to plague every version of IE, including IE7.

    Firefox has had a few problems, and they were quickly and effectively patched. FF has the advantage of being OSS, which means that the less malicious hackers will find the bug and report it rather than abuse it, simply because they are sympathetic to OSS projects.

    Recall the IE7 zero day exploit? What's funny was, that was a zero day exploit for the beta, which probably had all of 0.0001% of the market - yes, that's pulled out of the air, but it certainly wasn't large.

    Bear in mind that there are a lot of anti-MS types out there just waiting for a new version of IE so they can bang out the first exploit for it to show that MS is weak. And, of course, there's the fact that IE7 is going to be the dominant browser in a few years, whoever gets a head start on cracking it now will have the advantage later when they're making grabs for zombie PCs or burying adware on your system.

    I'm not saying any of that makes up for all the difference, but it's definitely something we need to consider. Firefox simply doesn't attract the vitriol that anything made by MS does.

    And to discount your "IE6 has just been around too long" argument, there are fewer and fewer holes in products like OpenBSD, which have been around far longer than all versions of IE combined. Oh, and OpenBSD and its *nix kindred tend to run the things hackers are truly interested in. But because it's "hard", many just grab a few tens of thousands of windows boxes (easy!) and then try to take down those *nix sites via DDOS attacks.

    OpenBSD has gone through some pretty serious revisions over the years. IE6 has been patched, but it's still IE6.

    --
    120 characters for a sig? That's bloody useless.
  8. Re:Twice Daily Status Meetings? by elrous0 · Score: 3, Interesting

    You can always tell the people who are just FAKING work by looking for the people who attend every meeting and are on every committee in your organization.

    Sadly, though, the guy who is on every committee and is constantly in meetings is probably most likely to get a promotion (since he's doing such a great job of making it LOOK like he's working hard). He's also the guy on every committee who is mysteriously absent when any actual committee WORK assignments are being handed out.

    -Eric

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  9. Not using .net? by clickclickdrone · Score: 5, Interesting

    Tsk, I thought .net was the future and Microsoft always ate their own dog food. Yet strangely, IE7 is yet another MS product that is written native. Is there a message here perhaps?

    --
    I want a list of atrocities done in your name - Recoil
  10. Re:Better question for the interview... by Bogtha · Score: 5, Interesting

    Apparently they think they have a better way of doing CSS than the people who set the CSS standards.

    Try again. Microsoft had employees on the CSS working group at the W3C, while at the same time they were busy coding the proprietary stuff instead. All the finished CSS specifications, right from the first one published in 1996, have an acknowledgements section listing, among others, Microsoft employees.

    The fact is, if they thought they had a better way of doing things, they could easily have brought it up when CSS was being designed, because they are some of the people who made CSS in the first place.

    --
    Bogtha Bogtha Bogtha
  11. Not a good sign by bwintx · Score: 3, Interesting

    Search TFA for "CSS" and it's not there. Hmm...

    --
    Discussion System prefs link: http://slashdot.org/users.pl?op=editcomm
  12. If only I could take Balmer's job... by emil · Score: 4, Interesting

    I would...

    • Get the IE team to implement privilege separation for the IE rendering engine and all plugins - these would run as the GUEST user. Granted, if NT is installed on FAT this isn't going to help much.
    • Seriously consider replacing the rendering engine with Gecko or KHTML. Vista is demonstrating an obvious manpower shortage, and those IE developers could be better tasked. The stock price would also probably jump if such an overt move was made to embrace open source.
    • OpenBSD has implemented W^X on i386 regardless of the presence of an NX-capable CPU. I would move heaven and earth to do the same on Windows 2000, XP, and Vista (and unify the kernels of these releases to minimize support complexity).
    • OpenBSD code is distributed by Microsoft in the SFU package. Microsoft should aggressively back OpenBSD (funding hackathons, etc.) for the following reasons:
      • OpenBSD actively removes GPL code from the base whenever possible. The enemy of my enemy is my friend - endorsing BSD is better than campaigning against GPL.
      • OpenBSD is slower on any given platform than most other free kernels (because of extensive security and no fine-grain SMP locking), allowing the NT kernel to be promoted for performance.
      • The OpenBSD installer is concise yet complex, as is much of the OS. It is unlikely that it would ever be repackaged in a form that will compete with NT.
      • If Microsoft goodwill and contributions obtain some influence over OpenSSH, an opportunity is presented to obtain some control over AIX, RedHat, and others. Subtle manipulations of these platforms might benefit NT.
      • OpenBSD, if expanded properly, will produce more secure coders which might be of use within Microsoft.
  13. Re:Spyware by drsmithy · Score: 3, Interesting

    They want to run any damn thing they please, but they want the OS to stop it from doing anything malicious.

    These two goals are fundamentally in conflict, since "malicious" cannot be objectively and programmatically defined.

    I've said it before... new software on Windows should be running in a jail or sandbox or VM or something and by default should not be allowed to touch anything without the user being informed in real English and given the option to granularly deny the software, without stopping that software from running in most cases. This would solve the vast majority of Windows' and IE's security problems.

    No, it wouldn't. You have proposed the standard "dialog box storm" solution to security, and it doesn't work. Primarily because users are lazy, but also because they're ignorant and simply uninterested in acquiring sufficient knowledge to make educated decisions.

    Asking the user "are you sure" three times is not more secure than asking them "are you sure" twice.

    As long as lazy, ignorant and downright stupid end users are able to execute arbitrary code on their computers, the malware problem will not - and can not - be solved.

  14. Re:Need a /. interview with this guy by Neoncow · Score: 3, Interesting

    Do you really type in entire addresses from memory most of the time? Not that there is anything wrong with that, but it seems odd to then be concerned about one additional keystroke on top of the 10-20 you're making already.

    I use autocomplete. I mostly have to enter one or two letters before the site I want.

    Well IE sorts web addresses in some useless order. It's alphabetical, which would be useful if I was a computer and could binary search it or something.

    Firefox (and Opera I believe) sorts the autocomplete addresses by frequency of use. I type g 'tab' 'enter' and Google pops up. Not gameSiteThatIVisitedOnce.com.
    I type s 'tab' 'enter' and Slashdot appears. Not samsreallycoolhomepage.com.
    I type p 'tab' 'enter' and Penny Arcade loads.

    Guess what happens when I type ap? I get apple.ca!

    I believe there is one of those chain blog (like chain email) games where you list the first site that appears in firefox for every letter of the alphabet.
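The difference the comment above describes (alphabetical prefix matching versus ranking by how often a site was visited) is easy to see in code. The following is an added example written for this page; it is not code from the article, from Slashdot, or from any browser's address bar, and the browsing history it uses is constructed to mirror the comment's own sites. The last function goes slightly beyond the comment and plays the "first site for every letter" game it mentions.

```python
from collections import Counter
import string

# Constructed sample history (not from the page). Each entry is one visit,
# so repeated hostnames express how often a site was opened.
HISTORY = [
    "google.com", "google.com", "google.com", "google.com",
    "gamesitethativisitedonce.com",
    "slashdot.org", "slashdot.org", "slashdot.org",
    "samsreallycoolhomepage.com",
    "penny-arcade.com", "penny-arcade.com",
    "pandora.com",
    "apple.ca", "apple.ca", "apple.ca",
    "apache.org",
]


def complete_alphabetical(prefix, history):
    """IE-style completion: every visited host starting with the prefix,
    ordered alphabetically, so a site visited once can outrank a favourite."""
    matches = {host for host in history if host.startswith(prefix)}
    return sorted(matches)


def complete_by_frequency(prefix, history):
    """Firefox/Opera-style completion: the same candidates ranked by visit
    count (most visited first); ties fall back to alphabetical order."""
    counts = Counter(host for host in history if host.startswith(prefix))
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return [host for host, _ in ranked]


def first_site_per_letter(history):
    """The 'chain blog' game: the top frequency-ranked completion for each
    letter of the alphabet, or None when no visited host starts with it."""
    result = {}
    for letter in string.ascii_lowercase:
        candidates = complete_by_frequency(letter, history)
        result[letter] = candidates[0] if candidates else None
    return result


if __name__ == "__main__":
    for prefix in ("g", "s", "p", "ap"):
        print(prefix, "alphabetical:", complete_alphabetical(prefix, HISTORY)[0],
              "| by frequency:", complete_by_frequency(prefix, HISTORY)[0])
    print({k: v for k, v in first_site_per_letter(HISTORY).items() if v})
```

Running the block prints the first candidate each strategy would offer for the comment's four prefixes; for "g", "s" and "ap" the two strategies disagree in exactly the way the comment complains about, and only "p" agrees because the constructed history has no alphabetically earlier "p" site visited as often.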
  15. Re:Need a /. interview with this guy by dcam · Score: 3, Interesting

    How about asking him about standards support in the current browser?

    How about asking him what they are going to do about standards support in the future? Will they use open standards (if they exist) rather than defining their own? Will they open up any new standards they define?

    They should also ask him about extensibility for the browser and what they are doing to encourage developers to write extensions for the browser. The single best feature of Firefox is that there are so many good extensions.

    --
    meh