MTS07: Michael Howard on Security at Microsoft


Michael Howard

Michael Howard kicked off Day Two of MTS07 talking about security. He talked about the SDL, Microsoft’s process to ensure their products are reasonably secure. SDL isn’t a new process — they didn’t have the luxury of re-inventing their software manufacturing process — it’s a series of tweaks to their existing process to make products more secure. He said a few interesting things:

“If SDL didn’t work, Bill Gates would kill it in a heartbeat.”

“Everything in the SDL is there for a really good reason.”

“Within 60 days of joining a product group, you have to go to security training.” If you came from academia, from government, from anywhere, we assume you know squat about security, and it’s a safe assumption. “The scariest person is someone who knows nothing about security, but thinks they do.”

The SDL

Michael’s group offers a number of courses. They have a basic course that everyone has to attend on a regular basis and some advanced courses which cover specific security areas. I asked if I could attend his courses. He said, “If you sign an NDA like any other Microsoft employee, I would be happy to have you attend the courses.” He also mentioned that the basic security course has been videotaped and is included with the SDL book he’s selling.

“I spent a good 50% of my time on analyzing attack surface areas.” Threat modeling is the other very important aspect to security. It’s all about finding design issues. Everyone must create threat models at Microsoft. Two Vista features were crushed because their threat models indicated that attackers would use the features more than legitimate users. If I had to choose one thing to implement security, I’d do threat modeling.

“Some people say the industry would get better once we get better tools. I say ‘No, the industry will get better when we stop letting monkeys write code.’”

“There is no replacement whatsoever for good engineering practices.”

Much of Michael’s talk is convincing us that Microsoft takes security seriously and is doing a good job of creating secure software by relaying a bunch of anecdotes and telling us things like, “When an API has 3 or more bugs, we shoot it in the head and enforce that it can’t be used by analyzing the code on check-in” and “VML had a bug in Vista that could have been exploited, but you can’t actually exploit it, because our compiler detects the exploit and returns null when the affected function is invoked.”

[I saw he had “Head home” as a reminder on his calendar, and amidst a bunch of laughter he admitted he has to schedule eating and going home on his calendar because he is so focused and enthused by his job.]

He also showed a Gartner quote as of Feb. ‘06 that Microsoft is leading the industry in the area of security best practices.

He mentioned that they have started working with a number of companies to improve industry security practices, but because we’re not under NDA, he can’t tell us about those relationships — except that they have worked with Adobe.

Q: What are the security differences between 64-bit and 32-bit Vista?

A lot of the defenses we’ve added to 64-bit are on by default. Also, the return address isn’t put on the stack in 64-bit, so you can’t override it. Those are the big ones from my perspective. Plus, a lot of the legacy support is off in 64-bit. One of the biggest predictors of security problems for us by the way is the age of the code.

The Coming WPF Application Framework


Chris Anderson rose to fame as the architect of Avalon (now called WPF), Microsoft’s incredible new ultra-rich GUI development platform. Since wrapping up his full-time work with WPF several years ago, not much has been said about his new project.

The famous Don Box, COM Extraordinaire, put together one of the best services stacks out there in Indigo (now WCF). He joined Chris Anderson to work on… something.

The public line is that their effort is centered on one of Bill Gates’ passions: model-driven development (MDA). Surely this gave comfort to Microsoft’s competitors, as some awfully bright and well-funded folks have disappeared into the rat-hole of creating higher-level, domain-centric abstractions for developing software.

I don’t think that’s what they’ve been working on. Or at least, MDA is probably at best more a feature of an effort that is more appropriately described as an application framework for WPF. Perhaps close Microsoft watchers have known about this for a while, but it’s news to me.

Earlier today at MTS07, Chris Anderson had some strong words for what he considers WPF’s number one hole. Here’s my paraphrased transcription:

We’re kinda sucking in [the application framework] space. We’re pushing out samples, etc. You can see hints as to our direction, but we don’t even have an MFC-style system inside of WPF. We have a lot of work to do in this area. This is top of the mind and my #1 thing as to what is missing and is needed to make WPF a compelling app platform.

In the past, he’s acknowledged this weakness but in a much more subdued way. It seems to me that he’s dialing up the pain in order to increase the drama when the cure is revealed in a few short months.

Don seemed to confirm this when he said separately, “We’re basically working on XAML 2.0.” XAML of course is the preferred way to express WPF user interfaces; why would MDA involve rev’ing the XAML grammar? Of course, Don and Chris have also talked a lot about extending XAML to do far more than express user interfaces; Chris openly talks about using XAML to replace C# in many non-GUI scenarios. Hmm…

If their project is a WPF application framework, it would make perfect sense: the app framework is a big gap when comparing WPF point-by-point against the Flex/Apollo stack. And the exciting bit is that Microsoft has an opportunity to innovate. Flex’s app framework clearly trumps Swing and WinForms, but certainly doesn’t take things to the “next level” (in terms of productivity features on top of a GUI toolkit). If this forthcoming WPF app framework does something innovative, we could be in for some truly interesting times.

I’ll be watching the blogosphere closely around the Mix ‘07 timeframe to see what exactly Don and Chris unveil in Sin City…

MTS07: Don Box and Chris Anderson


More from MTS07: Chris Anderson (former architect, WPF) and Don Box (former architect, WCF) addressed us. Chris started out the prezo by reciting some Haiku:

poetry.png

They used Don’s familiar format of opening up notepad, asking the audience what they want to talk about, and then improv’ing for the rest of the talk.

notepad.png

The group came up with a diverse set of questions related to Microsoft in general, WCF, and WPF.

ballmer.png

What follows are various quotes and notes from the ensuing conversation:

Q: How does your WPF stack compare to Adobe’s Flash/Flex stack?

Chris: Three aspects — the graphics visualization engine, the run-time platform, and the application frameworks.

App platform: We’re kinda sucking in that space. We’re pushing out samples, etc. You can see hints as to our direction, but we don’t even have an MFC-style system inside of WPF. We have a lot of work to do in this area. This is top of the mind and my #1 thing as to what is missing and is needed to make WPF a compelling app platform.

Run-time platform: The CLR crushes the Flash runtime, but IE is weak compared to Flash.

Graphics viz: We have a much better story here as far as actually having a full-scale platform that goes from the client with WPF/E all the way to the OS with WPF.

Don: “The decisions we make are often test constrained.” On one team we have three testers for every one developer.

Chris: The decision to do all rendering in WPF/E in software was an engineering decision, not an evil decision to force you to WPF for perf.

Chris: To make it clear, I think we are going to win in this space.

Q: “Why do you say that Flash is evil but somehow WPF/E is good?”

Chris: We’ve made our intentions clear with WPF/E; we’re not pretending [like Adobe is with Flash] that it is some kind of open standard. People are saying that Flash is good and WPF/E is evil, but we actually think our story is better [for the community] here.

Q: WCF is cool, but how can you get it to interop?

Don: Our goal was to make Windows the best OS we could make it. So when folks encounter a lot of pain when dealing with other messaging systems, this is in a sense the whole purpose of WCF — to make you want to use Windows for messaging across the enterprise.

I think WCF merits a B+, interop a B, but the metadata system (i.e. XSD) gets a C.

“So yeah, interop is really tough.” What would you have me do to fix it? I can’t control IBM or Java.

Q: “Couldn’t you provide adapters to talk to specific messaging systems?”

“I’m glad you said that, because that’s what we’re doing.” Don talked about their “channel” abstraction that makes it easy for you to adapt WCF to specific platforms.

Q: What is the future of REST?

Don: Interesting word that means different things to different people, such as:

1. Get the WSDL and XSD out of my face
2. Get the SOAP out of my face
3. Put the URI in my face
4. Respect GET
5. Embrace PUT and DELETE

“It turns out a lot of the headache people have with Web Services or WS-* is tied to XSD. XSD is more flawed than most technologies that roam the earth. I was on the committee that created it, and that was back when I made my money explaining complicated technologies to people for money, and man, I could hear the cash registers ringing in my ears.”

“Now my job is making things simple, which is unfortunate since I’m stuck with XSD.”

“XSD was a standard-committee driven piece of ####ing crap.”

“If you’re Sun, if you’re Microsoft, if you’re IBM, you can just throw a bunch of engineers in a room and make it all work. Sun is committed to making their stuff interop with WCF with Project Tango. But if you’re Matz, or DHH, or Larry Wall, you’re screwed, because you don’t have time to build out this stack and then make it interoperate.”

Q: What’s the future of SOAP?

Don: “We’re done. No more to say here. There won’t be another version of SOAP. You don’t get a version 3 of protocols.”

Q: Why does Ballmer have to say such stupid things?

Don: “He’s an energetic guy who believes in the company, what are you going to do? I apologize for anything that may have offended you on behalf of the owner/employees of Microsoft.”

Q: How has WinForms done compared to the Web?

WinForms suffers from the fact it was the last rev of its technology, and it suffers from all the same weaknesses that last versions of technologies have. It was a last one-off before WPF shipped. We have seen good pickup of WinForms in the enterprise space because it fits the model they are used to.

Q: My final release version of Vista blue-screened and rebooted multiple times a day. Turned out it was a video card driver issue. My Mac just works. What are you guys doing to fix this crappy user experience?

Chris: It is a huge problem. I don’t know what the fix is. [We had a lot of back and forth discussion about how important this is to fix, that Apple’s UX for a machine that just works kills theirs, and Chris agreed, but didn’t have a clue what the fix would be.]

Q: Chris, you blogged about XAML being good for more than just creating a UI — that it could be a new general purpose language that’s better than C#. The rest of the world is running away from XML as a general-purpose programming language. Why are you bullish on this?

[They didn’t clearly answer this question; instead talked about how XAML is a sort of general-purpose IL that is easy to extend but provides enough structure to make it easy to tool.]

Q: Is Microsoft still viable? A fun place to work?

Chris: I came to MSFT as a contractor, left to start a co., and came back in less than a year because I love working here. I love it because of all the smart people here. A lot of smart people working towards the same goals is going to do some exciting things.

Also, the ability to make an impact by working at MSFT is bigger than almost anyplace else I can imagine. Something like WPF is huge and I’m very happy to have been a part of it.

I’ve been lucky enough to shape the team that I want to work on — a twelve person team with daily scrum and monthly milestones. We pick our next objectives, we work on a small set of features and drive them to quality, we have 80% code coverage on everything we work on, etc. — we create the environment we work in. MSFT is a lot of little companies.

Don: “There’s a lot of little companies in Microsoft; one of them will figure out how to crush Google.” “We will keep trying for a very long time.”

Q: Why do you care so much about crushing Google?

Don: Google is the best thing that happened to MSFT because it gave us a big evil opponent with which to be in direct competition. Without a big scary competitor, we just don’t do as well in the marketplace. IBM is such a different business model that we don’t view it as nearly the type of threat that Google is. Google is very much in the same space as a software play.

We are competing head-to-head with them, and a lot of people here at Microsoft are very concerned with them.

Q: I know a CS grad who doesn’t want to work for MSFT because he doesn’t want to be a PM of a dialog box. And he doesn’t want to go through the whole “how much water fits in a room” interview process.

Don: Look, there are some great entry-level positions at MSFT, but there are some crappy ones. Some people ask puzzle questions, I don’t.

Q: Yeah, but MSFT just isn’t cool anymore.

Chris: [Launched on a dialog about how to be a serious engineer in the industry, people should be more willing to put in the time to work on maintaining legacy systems, etc.] So I don’t know that making us cooler is even the right thing to do.

Q: How are you going to deal with the open-source threat?

Chris: I don’t think open-source is a threat. It’s a new practice we need to understand in order to compete better in that world.

Don: Linux, Apache, Firefox are competitors. Open-source is not.

Q: I’m offended that you think you need to beat Google. This is not a zero-sum game.

Chris: Look, our shareholders have told us that we need to increase the amount of money that we make.

Don: It’s great for the consumer that Google is making us improve and that MSFT is making them improve.

[Some guy]: The fact that Google has made you think they are good and MSFT is evil just means that their marketing is good.

Don: When I was an ISV in the Microsoft ecosystem, I didn’t want to be treated like a baby. I want to be told how it is. We could pretend to sing Kumbayah with Google and Eric Schmidt, but the fact is that we’re competing with them and out to win.

Chris: Regarding zero-sum game, look, the whole ad-driven software revenue model is a whole new world, and we’d like to get a piece of that pie. Google has a massive share of that space; I think they’re #1, we’re #2, and we’re massively behind.

[Some guy]: But there’s always this talk about throwing chairs, knifing babies –

Don: — we don’t knife babies –

[Some guy]: — and people find it distasteful.

Don: The American public loves theatre, they love competition.

[This conversation is bogging down into uselessness; I’m bailing on blogging the rest.]

Overall, it was a fun session that didn’t surface any new material, but Don as usual was on the spot with some provocative, entertaining quotes.

MTS07: Kim Cameron on CardSpace


Unlike some people, I’m not much of an identity guy, so I wasn’t very interested in Kim Cameron’s presentation on Windows’ identity solution. But my curiosity was piqued as the talk ran on.

identity.png
Dion and I found it interesting just how many of the presenters, like Kim, were running on Macs.

Some of Kim’s points:

  • CardSpace is Microsoft’s implementation of an open Information Card standard that multiple vendors are implementing on different platforms.
  • “We created a visual metaphor for files, but not for people.” The Information Card standard has a nice UI for choosing between multiple identities that you may have for yourself.
  • Identities are either self-signed or signed by a trusted third-party.
  • He demoed IE’s smooth integration with CardSpace — so a WordPress blog for example could allow users to auth with an Information Card provider instead of a username and password. You can also decide how much information you want to expose in the transaction.

I’m so happy to see that the identity folks have been up to really useful things over the past few years. I hope something like this makes it into the wild. It was unfortunate that Kim’s demo was a mock-up.

MTS07: Jim Hugunin and John Lam on Dynamic Languages and the CLR


Dion wrote up comprehensive coverage of the conversation all of us at the Microsoft Technology Summit had with Jim and John. A few particularly interesting quotes came out of that session:

Jim: “Ten years ago if Sun had hired me to work on Jython, I would have been very excited about it.”

John: “I like writing in programming languages that make me happy, not in languages that make me angry.”

Jim: “Rather than debate dynamic versus static, millions of developers are happy doing dynamic languages. Let’s make them happy rather than keep telling them they’re doing the wrong thing.”

Jim: “I write half my code in Python and half my code in C# and I’m extremely happy with that.” You choose the right language for the job and for you.

Unfortunately, for the really interesting questions — when will Rails work on the CLR, will you (please) use the CLR to drive JavaScript in IE at some point in the future, etc. — they simply directed the question back to the audience to get feedback, but… great that we’re having the conversation and that the thoughts are getting planted.

I took a few pictures on my K750i:

jimandjohn.png
Jim and John introducing themselves

dynquestions.png
Jim and John didn’t have an agenda; we put it together as a group.

lameditor.png
John did a prototype Ruby editor with WPF using RubyCLR to drive WPF. He said it got really fun when he employed a bunch of metaprogramming tricks to make generating WPF wrangler in code easier.

Video Driver Vista Woes


Dion and I are at the Microsoft Technical Summit (MTS07) this week, Microsoft’s annual event for reaching out to the non-MSFT types. We’ll be posting entries here and there as interesting stuff comes up. But since I’m at Redmond, it’s only appropriate to blog about Vista.

I finally figured out why my Vista box was blue-screening multiple times a day: the video driver. Vista kindly informed me after reboot number fifty-something that the crash was related to a deadlock in the video driver. Windows update said I had the latest nVidia driver, but sure enough, when I visited the nVidia support website, I found I was several versions behind.

Happily, after updating to the latest nVidia driver (I felt brave and went with the beta they have posted) my system has been very stable.

Thoughts on the Apple TV


appletv.png

There are dozens of great reviews of the Apple TV out there. I echo Walt Mossberg’s review: just worked, streams like a dream from any computer in the house, and finally offers my wife a way to use our digital content without me around to help. I have some additional observations:

  • The kids love the photo slideshow feature. So cool to set up a slideshow without hooking up a computer or firing up iPhoto, etc.
  • I can’t believe that iTunes offers no easy way to move items from one machine to another. Now that our media collection is nearing vast sizes, I’m amazed I can’t sync iPhoto across two machines (while picking up photos synced to one but not the other, etc.), decide to move a TV series from the home server to the laptop (without jumping down to Explorer / Finder), and so forth.
  • I’m really disappointed they released the Apple TV half-finished. You can see what the top items at the Apple Store are, but you can’t buy them. Nice.
  • Way too klunky to share media from multiple machines with the Apple TV. I can only move items to the Apple TV from one computer, which stinks, and you have to explicitly choose which computer to stream media from — there’s no consolidated view of all media in the house.
  • The Apple TV doesn’t support at least some of my Audible files. I haven’t looked into whether these are Audible’s non-MP3 wrapper types (Types 1-3 if I recall…)
  • The UI seems… weird. Front Row seems more refined in some aspects. For example, the Movie Trailer UI in Front Row shows you rows and rows of movie posters for all the trailers. In Apple TV, you get a list that you have to scroll down, and only see one movie poster at a time. I think the new Windows Media Center UI trumps Apple TV pretty handily.
  • A shame that in the quest for simplicity, the Apple remote doesn’t do much useful. I have to have at least two remotes to use the thing as the Apple remote doesn’t control audio. This is an area where Apple made the wrong trade-off.

All-in-all, I’m happy with the Apple TV, despite the trade-offs, and look forward to further software updates.

Mailplane: Most Misleading Name Nomination


The big complaint against using Gmail full-time is when you’re on an airplane and can’t get access to your mail; you can pretty much get to it any other time. If only Gmail had a thick-client sibling that let you use it seamlessly in off-line mode and it integrated with Gmail when you sync’d back up.

picture-1.png

So I was intrigued when Dion linked to Mailplane, a thick-client wrapper for Gmail that lets you run Gmail just like any other OS X application, and, you guessed it, it adds the ability to use Gmail on an airplane. Except, it doesn’t. The author chose the name “plane” - and used an airplane in the logo - because “I liked the word, the beauty and power of airplanes and the history behind these specialized aircrafts. It was about time they could fly again.” It doesn’t actually work on an airplane. It just makes it easier to attach files and things.

Autoboxing Makes Null Fun!


Among the wonderful changes in Java 5 that make code easier to read and maintain (cough) is autoboxing. Consider the following line of code:

return handleIncorrectType(message, modelColumn, o, keyboard);

It was throwing a NullPointerException (not passing one from the underlying method invocation). I had to scratch my head for quite a few minutes to see how it would, as there was no invocation on the parameters that could cause it.

The answer was that one of the parameters was a primitive wrapper type (Boolean) set to a null value, and the unboxing the compiler inserts at the call site throws a NullPointerException when it converts a null wrapper to a primitive type. Fun!
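The failure described above, reproduced as an added example (not code from the original post). The signature of handleIncorrectType, the orDefault helper and the settings map are assumptions made for illustration; only the shape of the call comes from the post.

```java
import java.util.HashMap;
import java.util.Map;

public class UnboxingNpeDemo {

    // Counts how many times the method body actually ran.
    static int calls = 0;

    // Hypothetical stand-in for the post's handleIncorrectType. The last
    // parameter is a primitive boolean, so a Boolean argument is unboxed
    // by the caller before the method body is entered.
    static String handleIncorrectType(String message, int modelColumn,
                                      Object o, boolean keyboard) {
        calls++;
        return message + " (column " + modelColumn + ", value " + o
                + ", keyboard=" + keyboard + ")";
    }

    // Null-safe conversion: a missing Boolean becomes an explicit default
    // instead of an exception at some distant call site.
    static boolean orDefault(Boolean value, boolean fallback) {
        return value != null ? value.booleanValue() : fallback;
    }

    public static void main(String[] args) {
        // Constructed sample input: the map has no "keyboard" entry,
        // so get() returns null rather than Boolean.FALSE.
        Map<String, Boolean> settings = new HashMap<>();
        Boolean keyboard = settings.get("keyboard");

        try {
            // The compiler emits keyboard.booleanValue() for this argument.
            // With keyboard == null the NullPointerException is raised on
            // this line, even though no method is visibly invoked on it.
            handleIncorrectType("bad type", 2, "x", keyboard);
        } catch (NullPointerException e) {
            // calls is still 0: the method body never ran, which is why the
            // stack trace points at the caller and not at the callee.
            System.out.println("NPE at call site, method entered " + calls + " times");
        }

        // Same call with the null handled explicitly before unboxing.
        System.out.println(
                handleIncorrectType("bad type", 2, "x", orDefault(keyboard, false)));
    }
}
```

The same implicit unboxing happens when a null wrapper is assigned to a primitive local, compared with ==, or used in an if condition, so wrapper values that arrive from maps, databases or deserialized input are the ones to check first.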

Update on Nimbus


Now that the dust has settled a bit in my life, let me provide some additional details on Nimbus.

First off, I apologize for the problems people had viewing the mockup and the specs on Flickr I linked to in my earlier blog entry. I had forgotten that Flickr makes you log in to see them in their original size. So, without further ado, here are some links to the full-size pics:

Small Nimbus Widgets

Regular Nimbus Widgets

Star Office Mockup

Second, let me talk a bit about where the project is at and where it’s headed. Right now, Nimbus is an early alpha release. The team hasn’t yet finished initial rough cuts of the various widgets in the Nimbus spec, much less polished them into final implementations. So to those that have tried out the Nimbus SwingSet2 demo and come away unimpressed, take it easy. There’s tons more work to come. I personally feel SwingSet2 is an easy way to look at individual widgets but a very poor way to get a feel for how a look-and-feel might look in real applications.

We’ve a goal to reach beta on the project by JavaOne ‘07, but that’s just two months away and will take some doing to get there. What is certain is that Nimbus will be ready for use in Java 1.6 projects by the end of the year. We have a major goal to back-port to 1.5, but that may not make release grade by year’s end (though I very much hope it will).

Is 1.4 compatibility important to you? Let me know (comment on this blog entry).

Third, I want to talk a bit about why I’m so excited about Nimbus. I believe that the designs Sun came up with are better than any other Swing look yet implemented and will allow Swing applications to be competitive visually with Aqua and Aero. Nimbus will include some innovations, including an easy way to choose from three different standard widget sizes (inspired by Cocoa and improving on Quaqua’s implementation); it will make healthy use of Chet’s timing framework for nice effects (though some of these may be optional); it will go to great pains to guarantee cross-platform fidelity; it will provide a great reference implementation of a Synth skin; and more that I’ll talk about as time goes on.

Thanks for all the kind words and interest so many of you have shown, and watch this space (and others) for more details on Nimbus as the project progresses.
