Slashdot Mirror


Interview with IE Lead Program Manager

crackman writes "Matasano Security is running an excellent interview with Christopher Vaughan, a lead PM on the IE team. Christopher has worked on every release of Internet Explorer since version 2. He discusses IE7, security lessons learned from IE6, the future of .NET managed code in IE, and more."

41 of 289 comments

  1. Christopher Vaughan ... by vogon jeltz · Score: 5, Funny

    a relative of Prostetnic Vaughan Jeltz?

  2. Need a /. interview with this guy by PFI_Optix · Score: 5, Insightful

    Forget Opera Man, I'd love a chance for the collective to ask this guy some tough questions about past and present design decisions in IE.

    --
    120 characters for a sig? That's bloody useless.
    1. Re:Need a /. interview with this guy by baadger · Score: 4, Insightful

      What 'tough questions' would you ask him that haven't already been asked? Whimpy questions about the 'integration' between IE and Windows? Turn it into a political/philosophical debate about the Open Source model? Bashings about long patch response time?

      Do tell, I personally thought the interview wasn't too bad, although it could have pressed on a few issues rather than swiftly moving onto a new question.

    2. Re:Need a /. interview with this guy by PFI_Optix · Score: 4, Interesting

      Oh, I'm not saying it's a bad interview; it's quite good. It just goes in a different direction than I think a slashdot interview would. I'm saying I'd be interested in seeing what questions the slashdotters ask, specifically those with significant experience in web development. I think it would also focus more on things like the UI and how things got to be where they are today.

      --
      120 characters for a sig? That's bloody useless.
    3. Re:Need a /. interview with this guy by $RANDOMLUSER · Score: 4, Interesting

      Why is the first (top) choice on right-click-on-a-link "open" - if I wanted to do that I'd left click?

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    4. Re:Need a /. interview with this guy by contrapunctus · Score: 4, Insightful

      Hit F4

      It's still an extra step. I just opened a browser, what do you think my intentions are?
    5. Re:Need a /. interview with this guy by gEvil (beta) · Score: 5, Funny

      I just opened a browser, what do you think my intentions are?

      Oh oh oh oh. I know this! To go to msn.com!

      --
      This guy's the limit!
    6. Re:Need a /. interview with this guy by Anonymous Coward · Score: 5, Funny

      I just opened a browser, what do you think my intentions are?

      Porn?

  3. Strangely enough.. by Rob T Firefly · Score: 4, Funny

    ..that page looks a lot better in Firefox.

    1. Re:Strangely enough.. by Rob T Firefly · Score: 4, Funny

      Actually, my personal page looks equally good in any browser, with the power switched off and a good book in front of the screen.

  4. You forgot one question... by gasmonso · Score: 5, Insightful

    Why was there no development on IE for several years? If you were on every release of IE, you must have noticed this... your workload would have been really small ;)

    --
    http://psychicfreaks.com/
    1. Re:You forgot one question... by PFI_Optix · Score: 4, Funny

      After versions 2, 3, 4, 5, and 6, the man needed a vacation. Cut him some slack.

      --
      120 characters for a sig? That's bloody useless.
  5. Better question for the interview... by aleksiel · Score: 5, Insightful

    why isn't IE7 doing a better job with supporting CSS standards?

    1. Re:Better question for the interview... by PFI_Optix · Score: 4, Insightful

      The fanboy answer: Because MS didn't invent it.

      Apparently they think they have a better way of doing CSS than the people who set the CSS standards. That's unfortunate, because it seems like a simple thing to comply to some web standards and then, if you think you can do better, create your own standard to compete with it and get all the other browsers to support it, too.

      Better yet, get involved in the development of the standard and put your ideas on the table along with everyone else's.

      --
      120 characters for a sig? That's bloody useless.
    2. Re:Better question for the interview... by Bogtha · Score: 5, Interesting

      Apparently they think they have a better way of doing CSS than the people who set the CSS standards.

      Try again. Microsoft had employees on the CSS working group at the W3C, while at the same time they were busy coding the proprietary stuff instead. All the finished CSS specifications, right from the first one published in 1996, have an acknowledgements section listing, among others, Microsoft employees.

      The fact is, if they thought they had a better way of doing things, they could easily have brought it up when CSS was being designed, because they are some of the people who made CSS in the first place.

      --
      Bogtha Bogtha Bogtha
  6. responsible for handling...security requests. by Threni · Score: 5, Funny

    > At Microsoft, I'm one of several Lead Program Managers on the IE team. My team and I are
    > responsible for handling all of the incoming customer & security requests.

    Q: Can you make it secure please?
    A: Sadly, no - as I've been asleep for the last 5 years! Why else do you think nothing's happened on the IE project since 2001?

  7. Twice Daily Status Meetings? by d3ik · Score: 5, Funny

    I couldn't get through the second sentence without a wtf moment:

    "We met while working on Windows Server 2003 at the twice daily status meeting."

    Morning meeting: "I'm planning on writing some code today"

    Afternoon meeting: "I had planned on writing some code, but I was busy preparing my presentation for this meeting"

    This explains a lot...

    1. Re:Twice Daily Status Meetings? by PFI_Optix · Score: 4, Interesting

      I had a job something like that once upon a time. I was the sole IT person. I'd been shoved into the Accounting department for organizational purposes and so answered to that manager. I also answered to the production manager and the site manager. Between my three bosses, I spent more time explaining to people what I was doing, why I was doing it, and what problems I was encountering than I spent actually working. I wonder if Microsoft has similar problems. You're right, that would explain much...

      --
      120 characters for a sig? That's bloody useless.
  8. That long eh? by TheVidiot · Score: 5, Funny

    Christopher has worked on every release of Internet Explorer since version 2

    And he's kept his job?!?

    1. Re:That long eh? by TheVidiot · Score: 5, Insightful

      True. If only his product wasn't riding Windows' coattails. Similarly, WordPad is essentially the world's most popular word processor!

    2. Re:That long eh? by kimvette · Score: 4, Insightful

      Having to spoof MSIE's user agent because they sniff your agent and display "This site is designed for Microsoft Internet Explorer" if you're using anything but would not have anything to do with that now, would it?

      I can imagine the IT discussions there:

      CFO: "Hey, let's get online banking done. What do your guys need from us?"
      CIO: "Okay, we have internet explorer, frontpage, and dev studio here. Check. We'll get right on it."

      (weeks/months later)

      CFO: "Hey it doesn't work in Netscape 4.0"
      IT: "Nothing works in Netscape 4.0. It's a steaming cowpie."
      CFO: "OK, good show then, let's just display a message for folks running other browsers, and recommend that people use MSIE instead. Can you do that?"
      CIO: "Yeah, all we need to do is check for something called the user agent."

      (a couple of years later, conduct online banking using Safari, Konqueror, Mozilla, Firefox, Opera, etc. by spoofing user agent)

      CFO: "Hey Chuck, I just got a call from the chairman of the board. He said the directors think our website is outdated and also we need to get all of our services online. What will it take?"
      CIO: "Oh we have MSIE, Frontpage, Visual Studio.Net, and IIS, I don't think it will be any problem."
      CFO: "By the way one board member remarked his mac doesn't work with our site. In fact he said that he had to buy a PC just to do online banking. Do you think we should fix this?"
      CIO: "Let's check the web logs, shall we? OK, it looks like 99.999% of visitors use MSIE. I don't think we have to worry about it."
      CFO: "Great, so we can reallocate the budget we had slated and send executives to Hawaii for er, team building instead."
      CIO: "Sounds great to me."

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  9. Re:Security! Don't make me laugh by PFI_Optix · Score: 5, Insightful

    It's been a while since I read much about IE7, but last I heard they were stripping a lot of its hooks out of the OS so that it sits "on top" like other browsers do. That alone should significantly reduce the security risk it poses.

    IE6 has just been around too long; the hackers have had too long to play with it and find every possible exploit there is. If Opera were still sitting at version 5 (and controlled a larger market share) it would probably have just as many security holes discovered. It's the frequent updates and relative obscurity that make other browsers apparently more secure today.

    --
    120 characters for a sig? That's bloody useless.
  10. 'Trending'? by Anonymous Coward · Score: 5, Funny

    we're trending in the right direction as a company

    Did he mean 'tending', or is this some horrible fusion of trend and tend that I was previously unaware of?

    A brief search reveals that I am out of touch. But everyone else is wrong, I should add.

    1. Re:'Trending'? by DataCannibal · Score: 4, Funny

      Surely you mean: "all nouns are fair game for verbing."

      --
      No but, yeah but, no but...
  11. Why not start a "marklar project?" by MikeRT · Score: 4, Interesting

    Microsoft shouldn't have any problems starting a second Internet Explorer project to rewrite the entire codebase in C#. They have more than enough money to maintain an internal second version that is pure managed code. The advantage is that if the SHTF, they will have a fall-back app that they can immediately distribute. Not only that, but it would allow them more leeway in coercing developers into deprecating code that relies on the current native code which has hooks deep into the OS.

    1. Re:Why not start a "marklar project?" by $RANDOMLUSER · Score: 4, Informative

      Because they don't want to suddenly have a broken codebase and have to re-write the entire app when the next version of .NET and its development tools come out?

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    2. Re:Why not start a "marklar project?" by omicronish · Score: 4, Informative

      Stop making up stuff. The full list of .NET 2.0 breaking changes is available here; at least cite examples from those if you're going to make claims that .NET 2.0 is completely incompatible with 1.0/1.1.

      1) "We added 200 new keywords to the language which will nameclash with your code".

      C# 2.0 maintains full source compatibility regarding keywords. The new keywords (where, yield, partial) work only under certain contexts, and can still be used as variable names. For example, where and partial work only in class definitions, i.e. `public partial class Blah<T> where T : class`, and yield can only exist as `yield return 4`. There is no legal 1.0/1.1 code like that.

      2) "We added 400 new classes to the library which will nameclash with your code".

      Types you define in your assembly take precedence over those in other assemblies, so there's no compilation issue. If you want to use new classes that clash with yours, you can add a using SubstituteClassName = ClashingClassName and use the new substitute name.

      3) "That function/class no longer does what it used to do". 7) "That function/class now takes a different number of parameters". 8) "That function/class is no longer compatible with that other function/class". 9) "We changed that parameter datatype to X".

      Look at the breaking changes page and tell me which one of those impacts you severely. All the changes I see are to fix bugs or security issues, or remove extraneous functionality. New signatures are simply added as overloads and the old signature made obsolete where necessary. See next for why obsolete doesn't mean a breaking change.

      4) "That function/class is no longer available". 5) "That function/class has been replaced by X". 6) "That function/class has been renamed to X".

      You can find a list of obsolete APIs here. And before you respond with "see!!! all those obsolete APIs break my code!!!", they're all either obscure or unsafe parts of the API, or have been updated to take advantage of new .NET 2.0 constructs. Furthermore, they're merely marked obsolete and will only generate a warning; you can still use them if you choose.

      10) "The new tool won't import your projects properly, so you have to recreate them from scratch (with absolute pathnames) (tied to the user login who created them) (and cryptically stored in the registry) (and you can't run the old tool to see what it looked like)".

      That is likely a failing on your part. Visual Studio 2002/2003/2005 all generate solutions that reference projects with relative paths. None of that is stored in the registry; hell, I've been uploading my projects to a Subversion repository and working on them from a variety of locations for years without any path problems.

      11) "You can only do that with our new brain-dead wizard". 12) "The tool is smarter than you are, do it the tools way".

      All the wizards/tools generate .NET code; you can code everything manually if you'd like, including Winforms and ASP.NET. Even the project files are XML, and in .NET 2.0, you can compile everything without even the IDE installed. What examples do you have of stuff that requires a wizard to work?
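      The contextual-keyword and type-lookup points in the comment above, as an added example (not code from the original post, nor Microsoft's; the type and member names `Sample`, `Box`, `FrameworkList` and the local `List<T>` are invented for illustration). It compiles unchanged with the C# 2.0 compiler and later:

```csharp
using System;
using System.Collections.Generic;
// Using alias: reach the framework List<T> even though a local List<T> hides it below.
using FrameworkList = System.Collections.Generic.List<int>;

// A type in our own (here: the global) namespace named like a framework type.
// Name lookup finds members of the enclosing namespace before types pulled in
// by 'using System.Collections.Generic', so 'List<int>' below means this one.
class List<T>
{
    public int Count;              // deliberately minimal; a stand-in for "our" type
}

// 'partial' is only a keyword directly before class/struct/interface.
partial class Sample
{
    // 'where', 'yield' and 'partial' remain legal identifiers in C# 2.0.
    int where = 1;
    int yield = 2;
    int partial = 3;

    // 'yield' is only a keyword when followed by 'return' or 'break'.
    public IEnumerable<int> Numbers()
    {
        yield return where;
        yield return this.yield;
        yield return partial;
    }
}

// Generic constraint: 'where' is a keyword only in this position.
class Box<T> where T : class
{
    public T Item;
}

partial class Sample
{
    static void Main()
    {
        int sum = 0;
        foreach (int n in new Sample().Numbers()) sum += n;
        Console.WriteLine(sum);                              // 6

        List<int> ours = new List<int>();                    // the local type
        FrameworkList theirs = new FrameworkList();          // the framework type, via the alias
        theirs.Add(42);
        Console.WriteLine(ours.Count + " " + theirs.Count);  // "0 1"

        Box<string> b = new Box<string>();
        b.Item = "ok";
        Console.WriteLine(b.Item);
    }
}
```

      One caveat the comment glosses over: "your types win" holds because the local type sits in an enclosing namespace. If the clash is between two types that both arrive through `using` directives, the compiler reports an ambiguity error instead of silently picking one, and the alias directive is the fix in that case too.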

  12. Re:Two quotes: by topham · Score: 5, Insightful

    I don't know what rock he's been sleeping under, but internet security has been a concern since long before 2000.

    Oh, but not for Microsoft. That's hardly the users fault.

  13. Active code by ThinkingInBinary · Score: 4, Insightful

    Do you think the browsing model where active content is executed in the user's browser broken? How is it different from active content in office documents? Can these models be fixed?

    Well of course you do have to be careful. It's our responsibility to help users be safe, but users also want a pleasant user experience. Imagine an extensibility model so severely limited that you can't save files you download from the Internet, run any application, or save settings. It's our job to draw a line between those two extremes, and that's what we've been doing for the last few years - refining that line.

    I want to point out that every browser has an extensibility model of some sort, and they all have security & usability challenges to overcome.

    I think IE could do better in this area. There's a very simple definition of what active code in a browser should be able to do. Simply put, it should not be able to touch any other part of the system without user permission. When it is allowed to access other parts of the system (to open or save files, or to print a web page) the user should be asked if it's okay, and the question should be asked unambiguously. (For example, the dialog box could pop up like a balloon message, pointing to the web page's tab and saying "This web page at www.domain.com wants to load the file C:\path\to\file.txt. This will give www.domain.com access to the contents of the file. Is this okay?" or something like that.)

    I also wish they would stop with the EXE-blocking stuff. Frankly, a browser shouldn't offer crackers or spyware peddlers any vulnerabilities to exploit, but it shouldn't make the assumption that all content is bad. If a user opens, or is redirected to, an executable file, it is their responsibility to make sure it is valid. Use code signing or something, if you want. But don't just block all programs.

  14. About CSS2... by Chabil Ha' · Score: 4, Interesting

    In light of yesterday's request for interview questions for the creator of CSS, I was disappointed that interviewers aren't grilling Microsoft for standards compatibility. For that matter, why aren't we (as a community) grilling Firefox for their lack of standards compatibility? What would it take for them to 'get the picture'?

    How about a Firefox plugin that e-mails the Firefox foundation every time you start Firefox? Or an ActiveX control in IE that does the same? I think it would send a clear message that these things are important to consumers and ought to be a priority for updates.

    --
    We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
    1. Re:About CSS2... by nazh · Score: 4, Interesting

      For that matter, why aren't we (as a community) grilling Firefox for their lack of standards compatibility? What would it take for them to 'get the picture'?

      I think this answers your question: http://flickr.com/photos/dbaron/126886608/

  15. Just don't make me laugh by Gr8Apes · Score: 4, Insightful

    IE6's security woes have more to do with hooks into the OS, being based on code to support the incredibly badly architected ActiveX, and just plain bad coding than market share.

    Heck, someone wrote a virus or two for OS X, which supposedly holds somewhere between 2% and 4% of the market. Firefox has almost 10%, yet I don't recall it having the kind of security exploits that seem to plague every version of IE, including IE7. Recall the IE7 zero day exploit? What's funny was, that was a zero day exploit for the beta, which probably had all of 0.0001% of the market - yes, that's pulled out of the air, but it certainly wasn't large.

    And to discount your "IE6 has just been around too long" argument, there are fewer and fewer holes in products like OpenBSD, which have been around far longer than all versions of IE combined. Oh, and OpenBSD and its *nix kindred tend to run the things hackers are truly interested in. But because it's "hard", many just grab a few tens of thousands of Windows boxes (easy!) and then try to take down those *nix sites via DDoS attacks.

    --
    The cesspool just got a check and balance.
    1. Re:Just don't make me laugh by PFI_Optix · Score: 5, Interesting

      IE6's security woes have more to do with hooks into the OS, being based on code to support the incredibly badly architected ActiveX, and just plain bad coding than market share.

      I won't argue there. MS picked convenience over security, and it's plagued them (and us) ever since.

      Heck, someone wrote a virus or two for OS X, which supposedly holds somewhere between 2% and 4% of the market. Firefox has almost 10%, yet I don't recall it having the kind of security exploits that seem to plague every version of IE, including IE7.

      Firefox has had a few problems, and they were quickly and effectively patched. FF has the advantage of being OSS, which means that the less malicious hackers will find the bug and report it rather than abuse it, simply because they are sympathetic to OSS projects.

      Recall the IE7 zero day exploit? What's funny was, that was a zero day exploit for the beta, which probably had all of 0.0001% of the market - yes, that's pulled out of the air, but it certainly wasn't large.

      Bear in mind that there are a lot of anti-MS types out there just waiting for a new version of IE so they can bang out the first exploit for it to show that MS is weak. And, of course, there's the fact that IE7 is going to be the dominant browser in a few years; whoever gets a head start on cracking it now will have the advantage later when they're making grabs for zombie PCs or burying adware on your system.

      I'm not saying any of that makes up for all the difference, but it's definitely something we need to consider. Firefox simply doesn't attract the vitriol that anything made by MS does.

      And to discount your "IE6 has just been around too long" argument, there are fewer and fewer holes in products like OpenBSD, which have been around far longer than all versions of IE combined. Oh, and OpenBSD and its *nix kindred tend to run the things hackers are truly interested in. But because it's "hard", many just grab a few tens of thousands of Windows boxes (easy!) and then try to take down those *nix sites via DDoS attacks.

      OpenBSD has gone through some pretty serious revisions over the years. IE6 has been patched, but it's still IE6.

      --
      120 characters for a sig? That's bloody useless.
  16. Re:Security! Don't make me laugh by PFI_Optix · Score: 4, Interesting

    These hooks being only introduced in the first place so MS could justify that it wasn't bundling IE and that it was a necessary part of the OS. Once again MS putting security and the end user lower down its priority list than profits, control and market share.

    Some, yes. Some of the hooks existed already as part of Microsoft's great failure: placing "user-friendly" over security. That is ultimately what has made their software so vulnerable: in the interest of maintaining their hold on the market, they made their OS as easy to use as possible. That means minimizing security challenges and that sort of thing...which means opening it up to exploitation. Add in the fact that their two biggest products besides Windows--IE and Office--both hook deep into the OS and provide the same sort of vulnerabilities, and you get a recipe for disaster.

    --
    120 characters for a sig? That's bloody useless.
  17. The business argument by Anonymous Brave Guy · Score: 5, Insightful

    That's unfortunate, because it seems like a simple thing to comply to some web standards and then, if you think you can do better, create your own standard to compete with it and get all the other browsers to support it, too.

    As I always have to point out in these discussions, when you have around 90% of the market share, you define the standard. Anything with less than 10% support in the market isn't a standard, it's just a formal specification, no matter who writes it. This may not be ideal, but it is the way this sort of market works.

    If you think you can do better than CSS, and you're in business, and you have 90% market share, then you probably just go ahead and do your own thing. It doesn't matter if other browsers don't support it, because 90% of users will be fine, and of the other 10%, the vast majority will just think those other browsers are broken and load up yours instead. This is why the stubborn insistence of certain other browser development groups that they will only support W3C specs is the biggest own goal since the last World Cup.

    Yes, I know, this sucks for the consumer. Yes, I know, most of us here in a geeky community would agree that the W3C specs are far more useful than IE. I'm not disputing any of this. I'm simply giving a straightforward business case, from MS' perspective, for doing their own thing regardless of what the W3C say. This is why unregulated monopolies, or near-monopolies, suck.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:The business argument by GigsVT · Score: 5, Insightful

      You are pretty far off.

      It doesn't matter what the browser market share is in terms of installed base. That's entirely irrelevant to this discussion.

      The real market share is the number of pages on the net that are coded to some IE standard rather than the open standard. That's the real market share here.

      Developers have adopted the open standards and valid code at a fast rate lately. It's extremely rare to find a page that only works in IE these days. Most of those pages are holdovers from 1997 or something.

      And more and more pages are W3C valid. Even slashdot is valid now!

      So really IE can hang themselves if they want, it's not up to their idiot users, it's up to the web developers. And the web developers are telling MS to fuck off.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  18. Credit where credit's due by joebutton · Score: 5, Funny

    Microsoft gets a bad rap here on Slashdot, but for the record I'd like to publicly thank them for one of the best, most altruistic decisions in tech history.

    I'm talking about the decision to discontinue Internet Explorer for Mac. As a web developer this has made my life far easier. God knows how many man-decades of work this has saved the world's html coders.

    The cloud to this silver lining is that I still spend a good proportion of my working life abusing my code so that it'll work on IE without breaking on real browsers. Multiply that up by the number of web designers / developers in the world and that's got to cost a few lives.

    So, Microsoft dude, when, oh when, can the world's developers expect a joyous, fully IE-free existence?

  19. Not using .net? by clickclickdrone · Score: 5, Interesting

    Tsk, I thought .net was the future and Microsoft always ate their own dog food. Yet strangely, IE7 is yet another MS product that is written native. Is there a message here perhaps?

    --
    I want a list of atrocities done in your name - Recoil
    1. Re:Not using .net? by Abcd1234 · Score: 4, Insightful

      Is there a message here perhaps?

      Yes. That the time and effort required to rewrite a large, complex codebase in a new language/platform for arguably little benefit is better spent elsewhere.

  20. default action is Open by gbjbaanb · Score: 4, Informative

    Definitely the same reason - when you right click, you get a list of commands you can perform on the document. If Open wasn't one of them, then you couldn't open it :-)

    You can change the default action to something else instead of open.
    Left-click is just a shorthand way of right-clicking and selecting the default.

    The reason it's done this way is that it's a much better (more OO) way of associating commands with a file type. You can add a new command, change the default to that, and then left-clicking the file performs the new command! I do this for .reg files - left-click them and I get Notepad with the text inside it. Also, for DLLs, left-click and I get Dependency Walker. Similarly, when I click a .cpp file, it loads in Visual Studio. If left-click was hard-coded to open, none of these things would work.

    If you want to know more, read about Shell Extensions in MSDN.
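    The verb mechanism the comment describes, as an added example (not code from the original post or from MSDN). It assumes the stock Windows registration where the `.reg` extension maps to the `regfile` ProgID carrying `open` (merge into the registry) and `edit` (open in Notepad) verbs; the class and method names are invented. The interesting security detail is the last function: a per-user override under `HKCU\Software\Classes` changes what a double-click does without touching `HKLM`, which is exactly why a practitioner auditing a box should read both hives, not just `HKCR`:

```csharp
using System;
using Microsoft.Win32;

// Lists the shell verbs registered for a ProgID, shows which one a left-click
// (the default verb) runs, and optionally overrides the default for the current user.
class ShellVerbs
{
    // Read the verbs and their command lines under HKCR\<progId>\shell.
    // HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes.
    static void ListVerbs(string progId)
    {
        using (RegistryKey shell = Registry.ClassesRoot.OpenSubKey(progId + @"\shell"))
        {
            if (shell == null)
            {
                Console.WriteLine("no shell key for " + progId);
                return;
            }
            // The (Default) value of the shell key names the default verb.
            // If it is empty the shell falls back to 'open' (or the first verb listed).
            string def = shell.GetValue("") as string;
            Console.WriteLine("Default verb: " + (string.IsNullOrEmpty(def) ? "open (implicit)" : def));

            foreach (string verb in shell.GetSubKeyNames())
            {
                using (RegistryKey cmd = shell.OpenSubKey(verb + @"\command"))
                {
                    string line = cmd == null ? "(no command)" : cmd.GetValue("") as string;
                    Console.WriteLine("  {0,-8} {1}", verb, line);
                }
            }
        }
    }

    // Per-user override: keys under HKCU\Software\Classes shadow the HKLM copy
    // in the merged HKCR view, so no administrator rights are needed. Making
    // 'edit' the default for regfile means a double-click shows the file in
    // Notepad instead of silently merging it into the registry.
    static void SetDefaultVerbForUser(string progId, string verb)
    {
        using (RegistryKey shell = Registry.CurrentUser.CreateSubKey(@"Software\Classes\" + progId + @"\shell"))
        {
            shell.SetValue("", verb);
        }
    }

    static void Main(string[] args)
    {
        ListVerbs("regfile");
        if (args.Length == 1)
        {
            SetDefaultVerbForUser("regfile", args[0]);   // e.g. ShellVerbs.exe edit
            ListVerbs("regfile");
        }
    }
}
```

    Explorer caches file-type associations, so a changed default may only show up after logging off or restarting explorer.exe. The same `HKCU\Software\Classes` override path is also what malware uses to hijack a file type for one user without needing admin rights, which makes it worth including in any host triage.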

  21. If only I could take Ballmer's job... by emil · Score: 4, Interesting

    I would...

    • Get the IE team to implement privilege separation for the IE rendering engine and all plugins - these would run as the GUEST user. Granted, if NT is installed on FAT this isn't going to help much.
    • Seriously consider replacing the rendering engine with Gecko or KHTML. Vista is demonstrating an obvious manpower shortage, and those IE developers could be better tasked. The stock price would also probably jump if such an overt move was made to embrace open source.
    • OpenBSD has implemented W^X on i386 regardless of the presence of an NX-capable CPU. I would move heaven and earth to do the same on Windows 2000, XP, and Vista (and unify the kernels of these releases to minimize support complexity).
    • OpenBSD code is distributed by Microsoft in the SFU package. Microsoft should aggressively back OpenBSD (funding hackathons, etc.) for the following reasons:
      • OpenBSD actively removes GPL-code from the base whenever possible. The enemy of my enemy is my friend - endorsing BSD is better than campaigning against GPL.
      • OpenBSD is slower on any given platform than most other free kernels (because of extensive security and no fine-grain SMP locking), allowing the NT kernel to be promoted for performance.
      • The OpenBSD installer is concise yet complex, as is much of the OS. It is unlikely that it would ever be repackaged in a form that will compete with NT.
      • If Microsoft goodwill and contributions obtains some influence over OpenSSH, an opportunity is presented to obtain some control over AIX, RedHat, and others. Subtle manipulations of these platforms might benefit NT.
      • OpenBSD, if expanded properly, will produce more secure coders which might be of use within Microsoft.