
Dave Massy's Blog


Undeserved Attention

Wow! I got /.ed - http://developers.slashdot.org/developers/04/06/20/1740256.shtml

Great to see all the supportive and accurate comments coming in :-)

I do have to point out though that my return to the IE team really isn't big news. The Internet Explorer team has been very busy for some time and rightly been focused on security as a priority. It's clear from the comments though that many people are unaware of the great work the team is doing for Windows XP SP2 to ensure a secure browsing experience. Please take a look at Windows XP SP2 following the links in my previous post if you aren't aware of it.

Published Sunday, June 20, 2004 5:48 PM by DMassy

Comments

# re: Undeserved Attention @ Sunday, June 20, 2004 7:02 PM

The proper way to refer to a /. story is with the story link. In this case it would be http://slashdot.org/article.pl?sid=04/06/20/1740256 You can always find the story link at the very top of the comments section, just above the comment view options. If you link to a story this way, it allows viewers to retain their preferences and login status. The semi-static .shtml link was used originally for archived stories and as a fallback in case of a /.'ing.

Brad C.

# re: Undeserved Attention @ Sunday, June 20, 2004 8:24 PM

Windows XP SP2 and IE development should be separate issues.

IE is not the OS, and the OS is not IE.

By forgetting this fact, you will continue to see application code (adversely) affecting the OS code. Applications are NOT the OS. The OS is NOT an application.

Spin it all you want, but the fact remains... Unneeded integration is exactly that... Unneeded.

Make IE an application, not an OS extension. That would solve tons of the tons of security issues inherent in IE.

And while you're at it. Ditch ActiveX. It was designed in a different internet era. It's a dangerous piece of legacy code.





Magores

# re: Undeserved Attention @ Sunday, June 20, 2004 10:19 PM

I left the, "Patch the goddamn holes that make malware so easy to install." comment.

By coincidence, I'm posting this at work where I just took a call where a woman had a machine riddled with malware.

As for making the OS separate from the browser, I believe that's rubbish. The browser is a fine addition to the OS, even if it is Swiss fucking cheese. Even the BeOS people think so, and they SUED your company. Sure, it's a bit anticompetitive, but it's not like Windows blocks other browsers.

Chris Deguzman

# re: Undeserved Attention @ Sunday, June 20, 2004 10:39 PM

"As for making the OS separate from the browser, I believe that's rubbish. The browser is a fine addition to the OS, even if it is Swiss fucking cheese."

I think that what you really want is for it to be part of the default Operating Environment, not the Operating System itself. The difference is technical, but important: most people agree that a browser, IE or something else, should come with the operating system. The problem with IE's integration is that it is so dangerously intertwined with the core files of the OS. I think that this kind of code-mingling is indefensible. If something couldn't be done using a published API, then the solution should have been to publish a better API, not to move code into system DLLs.

Henry Goffin

# re: Undeserved Attention @ Monday, June 21, 2004 2:22 AM

I for one know very well that the IE team has been working hard to address security issues. 'S why I left a priority list on the Channel 9 Wiki: I figure now that you've got security sorted, you can throw some cycles at other issues.

On a related note, there's an interesting (if moderately technical and arcane) observation about IE's handling of CSS here:

http://ln.hixie.ch/?start=1070385285&order=-1&count=1

I don't know if his assumption about the way IE handles CSS is even close to correct, but it might give you a starting point for tracking down some of IE's CSS woes. As well, it's quite possible someone on your team has some insight into the styles-on-columns that would benefit the community at large.

Finally, I want to thank you and the rest of the IE team for opening up as much as you've done--and encourage you to keep at it. While I've directed my share of venom at IE, I'd really much rather spend my time on productive dialogue (or--dare I hope?--web development).

Please, keep the door open. The fury of the /. extremists will pass soon enough, and once it's gone things should get more productive all around.

I'm looking forward to good things from you guys in the future!

setmajer

# re: Undeserved Attention @ Monday, June 21, 2004 3:09 AM

The "browser vs OS" nonsense is just that; nonsense. Bundling a browser is fine (and probably necessary, given the wide usage of the Internet). Making the OS use the browser component is also fine (e.g. for HTAs and the like). People railing against the "integration" are misguided; it's not the "integration" that allows for malware or security holes or any of that crap.

However, tying browser updates to OS updates /is/ a problem. I don't use XP. I don't particularly want to use XP. But I'd like the XP SP2 IE improvements. There seems to be no good reason not to make them widely available. So why's it being done?

And at the end of the day, a few security fixes just aren't enough. I want something at least as good as Tasman, and I want it on Windows, and I don't think I'm alone.

Dr Pizza

# re: Undeserved Attention @ Monday, June 21, 2004 5:37 PM

Hey Dave,
Great work! Thanks for being so open about the process. I posted yesterday but with all the Slashdot craziness I doubt it will get much attention :) BTW, congrats on being /.ed, it's an honor only a few get ;) So you know of the obvious things that IE needs and you know what SP2 has taken care of. So I guess you really just need to work on full W3C, CSS, PNG, etc. support, and security which you said was taken care of. Things like tabbed browsing and pop-up blocking would be great too. Any chance IE will ever be done in C#? Personally, I build my own computers and have been running Linux for years, but I do admin an Exchange server for a local law firm. Because I run Linux at home I never can test my web dev stuff (which I do on the side) on IE at home, I either wind up asking a friend to check it out or look at it in work. If there could be a Linux port that'd be really great. It'd open up more market share and help the attitude of the OSS community with MS, so it's a win-win :) I know you guys used to port it to Mac so a port to Linux can't be that far-fetched, can it? Anyway... I was asking about it being done in C# because I have recently taken up the language and love it. It fits in nicely along with my Java dev. Mono (the OSS C# framework) is making some major progress and if you guys ever did IE in C#, no porting would be necessary :) So I'm just curious to see what's going on and how things could turn out. Thanks a lot for all your hard work. Take care.
-Steve

Steve

# re: Undeserved Attention @ Monday, June 21, 2004 7:28 PM

"Making the OS use the browser component is also fine (e.g. for HTAs and the like). People railing against the "integration" are misguided; it's not the "integration" that allows for malware or security holes or any of that crap. "


You couldn't be more wrong if you tried. It is *precisely* the fact that OS components rely on a particular browser - and not just the existence of *some* browser that implements a published interface - that makes both standards-compliance and decent security such a difficult thing to achieve.

There is not a *single* good reason why Microsoft couldn't just have drawn up an interface for a browser object, used Trident as the default implementation, but made it possible for others willing to do so to simply drop in their own replacement implementations at their own convenience. Had MS done this we'd have had the best of both worlds - browsers as standard OS components without the monoculture that is so inviting to spyware and trojan writers today.

Anyone who's followed Adam Lock's work with the Mozilla ActiveX plugin will know that everything I've suggested here is perfectly possible from a technical point of view; going further, it also makes for a superior architecture. IE's deep integration was about one thing and one thing only - a sadly all too successful effort at monopolization that has left us all begging Microsoft to provide functionality a more competitive market would long have provided with little prompting from us. Superior web standards support did matter to MS at one point in time, but only for as long as it took to crush Netscape Corp.

Abiola Lapite

# re: Undeserved Attention @ Tuesday, June 22, 2004 3:04 AM

"You couldn't be more wrong if you tried. It is *precisely* the fact that OS components rely on a particular browser - and not just the existence of *some* browser that implements a published interface - that makes both standards-compliance and decent security such a difficult thing to achieve. "
I love how you make this assertion (as so many other idiots do too) yet fail to provide a single shred of argument to justify it.

Are security zones going to go away in a world of replaceable browser plugins? No, probably not; that kind of extensive browser usage needs a distinction to be drawn between e.g. web applications running locally (HTAs and the like) and remote web content; the former clearly need to be able to do more than the latter. So are security zone-related XSS exploits going to go away? No, probably not. And lo! we've seen numerous XSS bugs in Gecko in the past, and I'm sure we'll continue to see them in the future. Of course, we might not actually know about them, because the Mozilla group's disclosure policy on security issues makes MS's look positively open.

"There is not a *single* good reason why Microsoft couldn't just have drawn up an interface for a browser object, used Trident as the default implementation, but made it possible for others willing to do so to simply drop in their own replacement implementations at their own convenience."
And that'd solve the problems... how? Would it make bugs in IE go away? No. Would it make bugs in Mozilla go away? No. Would it make exploitation through these bugs impossible? No. So what's it solving?

"Had MS done this we'd have had the best of both worlds - browsers as standard OS components without the monoculture that is so inviting to spyware and trojan writers today. "
Ah, the old monoculture bollocks. There seem to me to be two likely outcomes for such a scenario. Either one browser engine wins out anyway (and so we have our monoculture, as was the case in the early days of NN or around the IE4/5 era), or we have a small number of engines each with a large share of the market (as is the case now). In the first case we see no advantage (we might have to switch to exploiting Mozilla instead of IE, but the fundamental problem remains). And in the latter case, each engine's market share is big enough that we can aim to hit it anyway and still yield good results. We don't need to infect many machines to be successful, so e.g. halving the size of our target is no problem.

It's highly unlikely that the market would become significantly more fragmented than this, so it's highly unlikely that we'd see any protection from exploitation.

"Anyone who's followed Adam Lock's work with the Mozilla ActiveX plugin will know that everything I've suggested here is perfectly possible from a technical point of view; going further, it also makes for a superior architecture. IE's deep integration was about one thing and one thing only - a sadly all too successful effort at monopolization that has left us all begging Microsoft to provide functionality a more competitive market would long have provided with little prompting from us. Superior web standards support did matter to MS at one point in time, but only for as long as it took to crush Netscape Corp. "
What the hell are you even talking about? It's not "deep integration" that gave IE its market share; it's "kicking the snot out of Netscape Navigator 4.x".

Dr Pizza

# re: Undeserved Attention @ Tuesday, June 22, 2004 12:24 PM

My take is that these comments aren't read or heard or even taken to board meetings with regards to the public interest pertaining to the software, but here it goes anyway...

The Open Source movements have pretty much heard customers and made changes to their software accordingly. Proof in the pudding is in each and every changelog that's been made available. KDE and Gnome desktops are the primary projects where you'll see customer demands being met - bugs fixed, annoyances dealt with, etc.

With that said, IE will ever become a separate application, despite the necessity for it. Everyone except anyone at Microsoft knows IE needs to become separate. Windows got so screwed with its tight integration that it became one big security risk altogether. So all in all, I highly doubt you'll make any dent where the dents need to be made.

WarpKat

# re: Undeserved Attention @ Saturday, June 26, 2004 3:10 PM

WarpKat: Why do you think these comments aren't being heard?

Cyrus Najmabadi

# re: Undeserved Attention @ Sunday, June 27, 2004 10:18 AM

I know the security is being focused more heavily on now, and that's assuring. I, as a web developer, don't care much about the security, though. My concern is not being able to write web applications with just following existing web standards. I have to tweak and hack my way into the IE paradise (or hell) to make things work.

The only wish I have for future versions of Internet Explorer, is that it starts supporting standards fully, or not at all. Half-way implementations like the current CSS 2 state of affairs, is horrible to work with as a developer.

Asbjørn Ulsberg

# re: Undeserved Attention @ Tuesday, August 10, 2004 9:23 PM


Dear Dave,

I am glad you made it back to the IE team. I think your team needs some motivational training. There is nothing better for motivational training than lotsa lotsa beer. So Dave, I wish ya lots of motivation and lotsa lotsa beer.

Most sincerely,

Gomer

Gomer Sneezedale
