Wednesday - 8:00AM - Martin Taylor
General Manager - Platform Strategy

Guest on Slashdot - At MSFT for 12 years. Has the feeling that 12 years ago MSFT was more participative in the developer world. Company has stigma, but there's less negative feeling when personal connections are formed. Hopes to form more of those relationships and is also looking for feedback from us and ongoing dialogue. Runs Linux/OS R&D team, which tries to inform MSFT core R&D teams how Linux and OS work. Also runs "field arm" with 50 people around the world to follow issues around OS in other countries.

Hires Linux & OS developers for temporary and permanent positions. Feelings of those people are almost always the same. First they are apprehensive, then they become impressed with the academic and collegial environment they experience at MSFT. Has watched this dynamic many times with individuals, and always wanted to have more of these types of activities.

MSFT has made a decision for this meeting NOT to be covered with NDA, so attendees are free to convey what they hear here. This may limit some of the things that can be said because there's no limit on external sharing. If we can't get the desired level of depth, then future meetings like this may need to be covered by NDA.

Agenda pretty much covers the gamut of MSFT product areas except for games. Hopes that he and MSFT teams learn a lot from us and our feedback. Looking forward to an open and honest dialogue with 2-way benefits.

An attendee mentioned that his primary reason for coming was the wording of the invitation that suggested there would be a "conversation" and he hopes to see evidence that MSFT takes away something from the conversation. Martin promises to make a personal effort to ensure that there is someone who is "capturing everything" and that they take it back to their discussions. He emphasizes that "this is not a conversion meeting, it is a conversation meeting."

He thanks us for taking them up on their invitation and wants to ensure that MSFT works hard on making use of the feedback in a way that is beneficial to our interests as well.
-------------------------------

(8:25 AM)
Heidi Dell (US Community relations) apologizes for 6:45 schedule start. She and Steve Loethen are excited to have this conference having emerged from concepts they have been discussing for a long time.
-------------------------------


(8:30 AM)
Introductions around the room

There are about 35-40 people here from Java User Groups, Flash, Linux, Cold Fusion and other technology focus areas. The MSFT team has done a pretty good job of getting a diverse group of experts together for this "conversation." I can't help wondering who is likely to take the most away from this, since I think people are likely to tell Microsoft more than they are likely to tell us. There are lots of MSFT "DEs" (developer evangelists) and marketing people around taking notes and clearly looking for information about how those of us in the non-MSFT developer spaces regard the company. It should be interesting.

-------------------------
Michael Howard - 9:00-10:00 AM
Author of "Writing Secure Code" - At MSFT for over 13 years

Improving security at MSFT by changing the process
The first real presentation of the day was given by Michael Howard, one of the people responsible for bringing about the new security initiatives at Microsoft. He has worked at MSFT for 13 years, nearly the entire time in some form of security. A few years back, he splintered from Windows group and created "Secure Windows Initiative" and helps the individual product groups secure their products by focusing on the threats to a system.

Security Development Lifecycle

One of the Michael’s prevailing opinions is that most software created today is crap with respect to security. Processes in place for software today do NOT make secure software. The positive thing to take away from that statement is that the people sitting at the very top of MSFT are completely sold on the need of changing the way that Microsoft developers software. They are so sold on the change of process, that Michael’s group has a completely open head count, with endless hiring.

One of the most important changes that Security Development Lifecycle (SDL) process brings to software development is that there is one person responsible at each end, on the product group and on the security group. This means that there is always someone who is accountable and knows what is going on.

In his opinion, right now, Microsoft “sucks a lot less than we did three years ago”, with Windows Server 2003, now having a fairly good track record with respect to security. He mentions that Windows Server 2003 and IIS is actually more secure than Linux and Apache. Of course, the audience mentions that IIS still has a bad record of public opinion, even though it has had very few vulnerabilities in its latest release. Michael guides us to a website (http://www.zone-h.org) that shows that if you look at the number of actual intrusions and defacements, Apache 1.3 and 2.x actually have a much higher rate than IIS 6. How much of this is actually true is left as an exercise for the reader. It may be that the number of deployments has something to do with the number of defacements.

Next Michael says that everyone has security bugs (including Linux) and says that Microsoft is the only company that admits it has problems and is actively trying to fix them. So, is the SDL a MSFT competitive advantage, or are they actually trying to help the state of security in software? According to them, the SDL (http://msdn.microsoft.com/security/sdl) will be available for everyone (15 page document) at MSDN starting on Friday so that everyone can begin to improve their development process. Although, even with the improvement of the process, the security of a system is only as good as the knowledge of the person who installs the software and platform. No matter how good the tools are, they can never replace the skills of a live person.

One of the interesting things to note that has come from the change is process is that application compatibility is now second to security in terms of priority during a new release. It has also caused software to be delayed because the product groups cannot successfully complete the SDL. The SDL will also be integrated into Xbox2 and the games for Xbox2 due to the inherent security problems that occur because everything will now be online.

All in all, I felt the talk was a fairly interesting overview of how a new focus on security has changed the way that software is designed at Microsoft. It will be interesting to download the SDL when it is available and see how it can improve how Java developers design their software.
-------------------------

Don Box
(Some kind of XML architect for Indigo, he's pretty smug.)

"If ponytail-boy hired me tomorrow to go work at Sun, then the first thing I'd do is go through and consolidate because there's just too much cacophony."

"Indigo? Indigo is a state of mind." (audience chuckles)

(Talking about upcoming technologies an PR)
"Here's the deal, dude. If it's in PowerPoint, be very skeptical. Look at the DLLs we're shipping to see what we're actually building."

"Everyday there's a Microsoft Community Outreach event and there's a Star Trek convention."

"If I could just snap my fingers and change the world. If I could just snap my fingers and change how Microsoft developers work, then you know what I'd do. We'd all use Ruby."

--------------------------

11:15 AM to 12:15PM (running 20 minutes over so far)
Programming Language Design Panel
Jim Miller - CLR Architect
Herb Sutter - C++ language guy
Anders Hejlsberg - C-Sharp Architect
Jim ?? - AspectJ and dynamic languages guy

These are some of MSFT's really smart guys, and they don't push the party line with the same fervor as the marketdroids who are around.

Herb: He seems to have a reasonable sense of the place they are seeking to manage at the crossroads of native code and .NET managed code

Anders: C-Sharp 2.0 - new language features. Support for generics. Anonymous methods (familiar as lambda functions to Lisp programmers.) Support for "iterators", like python and Ruby's "generators". Now has "partial types" - splits a class into multiple disjunct segments which are assembled by the compiler - helpful for tools that combine autgen code and custom code. Nullable type support. A whole slew of monor new features. For a year or so Anders has been thinking about C-Sharp 3.0, and he looks forward to further eliminating the line between general purpose programming languages and database.

Jim: Came from Java community, worked on AspectJ. Focused on why .NET was such a horrible platform for dynamic languages. Began to do some research for an article, and after about a year of being involved with it he wound up at MSFT. Says .NET is actually really good for dynamic languages. Says the debuggers are better than Java debuggers for that. Says Iron Python on .NET is about 80% faster than the standard C implementation while Jython was always slower. Wants to keep enhancing the platform

Dion Almaer asks whether anything is going on with Ruby on .NET? Also asks about where AOP fits. Jim H answers that he doesn't know of any major effort to implement Ruby, but he hopes so. Anders says he personally follows dynamic languages with great interest. He says there's a lot we could do in strongly typed languiages to make the typing less painful - a lot more type-inference. Wants to make C-Sharp let you have your cake and eat it too. Anders answers that he is in "wait and see" mode on AOP. He can see some advantages, but also some very big problems. Concerned about the fact that AOP could allow someone to inject behavior into any piece of code and change it concerns him. Jim Miller says he's giggling because he came into all this from the Scheme community and it's all looping back, "I'm finally relevant!" he says, and everyone chuckles.

Richard Monson-Haefel asks about typing and python. Asks if you'll be able to run Python programs on .NET straight? Can you use python libs or do you have to use .NET libs? Anders answers about runtime typing, says he's talking about innate declaration of variables, says they can usually infer type and don't need to make you specify the type. He says this is useful, especially with generics, or you might have an anonymous type that just got generated, and inference saves you hassle but lets you stay strongly typed. Pratha asks how you prevent someone from switching the type implicitly later on. Jim H answers about running existing python programs on .NET. Initially he doesn't expect all the python libs to be available - some libs will be present, but others will not. The problem is all the python libs written in C that expect the standard C libs (which aren't safe for managed code.) He says "we'd love to see the community take some of the other libs and convert them to run on .NET." Haefel asks if Iron Python is going to be a Microsoft Open Source project, and Jim H. says he can't answer without an NDA, will announce a plan at a python conference next week.

Someone asks something about the number of "distribution models" and the confusion in Java about the number of libs and frameworks that are out there. Jim Miller replies that Microsoft's investment is to make all the major requirements available in the base libraries. Anders says that all the new features in "Whidbey" except generics have not required any core changes to the CLR. Says they are hesitant to change the CLR for obvious reasons.

Someone asks if there are any changes to J-Sharp. Anders answers that there are certain constraints and limitations in Java that prevent it from supporting some things. Another guys asks whether MSFT will support JDK 1.5 features, and Anders says that nothing really prevents it, but that the size of the runtime for 1.5 is so much bigger that it's not clear that it is. Problems are partly political, partly legal, everything but technical. MSFT doesn't have a license from Sun to support new Java 1.5 features. Miller says MSFT is at the limit of the license they already have, and he doesn't know whether they are being successful in expanding their license with Sun.

Chafiq asks "What do you feel about how to get the CLR onto other platforms." Says it is in Windows, and sort of in Mono, but not really. He wants a CLR that runs on Linux, says he would pay for it. Miller says they have considered many of these things, and they have made a conscious deliberate decision to standardize a lot of the core APIs. Mono is now a commercial Novell product, but not much uptake on it. He says there's not really any market pressure for the technology to be ported. Chafiq says he would pay $1000 for a licensed CLR that he could run on Linux and rely on it. A lot of not especially interesting banter about whether MSFT should ship .NET for Linux follows. The MSFT guys all say plainly that there's no real business case, but audience members keep urging them to move certified versions of .NET beyond Windows. Anders says "We have to look at this from the business perspective. What is it down the line that will keep us in business?" People still urge MSFT to go further, and the MSFT guys say thanks for the valuable feedback. Miller asks, "Imagine that MSFT takes some .NET subset and puts it on top of Linux and sells it. If they do this, then what is it that developers would be freed from? It's still Microsoft's product." Raul Salazar says there would be benefits of using MSFT developer tools but to also leverage the strengths of other platforms for what they are good for.

---------------------

Lunch - It appeared that lunch would be an opportunity for the attendees to have a moment for conversation, but as soon as we sat down they began another presentation DURING LUNCH! It has really been relentless, and they have significantly overscheduled the number of speakers they are trying to pack in. It is easier to take on of those free trips to Florida where you have to go to the 2-hour presentation on the time-share property they want to sell you. This overscheduling is so bad that I honestly don't know if I would ever want to do this again. The whole pace should be more easygoing and relaxed.

---------------------
1:00PM-2:00PM
Sanjay Parthasarathy
VP of Platform & Developer Evangelism

He starts by saying he'd like the session to be "Where do we suck?" Says he has a passionate belief that MSFT has to have relationships with developers on the outside. Says they are trying to break all the rules - hired Scoble for blogging with litte or no legal oversight. Wants us to tell him how to do better.

MSFT has about 1000 evangelists worldwide, not on sales staff, not maintaining any quotas. Says MSFT thinks about community in 4 pieces: in the product, in support, in relationships for the sake of relationships, and in dealing with "influentials" - people like us.

Raul asks what is in MSFT's future plans to help schools in the community? Sanjay says this is obviously a very very hard product. One answer is in product - eg, a version of VS 2005 specifically for students, with support for assignments, curriculum, etc. In support they have "thespoke.com" where students help each other. MSFT funds thespoke.com but Sanjay says they stay out of it. About 100 of the evangelists are focused on schools, on helping kids learn computer science and programming if that is what they're interested in. He mentions some interesting efforts MSFT is working to help young children learn about programming.

(30 more minutes pass) Okay, this talk has basically become a tape loop of people telling MSFT to do more Open Source and to embrace Open Source, and the MSFT guys saying they are trying to. The conversation hasn't been that interesting and few innovative or really high quality challenges have been raised. Some attendees have expressed their perception of a so-called "sea change" at MSFT with respect to these issues, but I really don't see why they would say so. The mere fact that MSFT has gathered a bunch of people who have historically not been supportive of them is not proof that any material change whatsoever has occurred within MSFT. They could just as easily be trying to get a concentrated expression of the major arguments against them and their strategies so they can analyze them carefully and develop talking points and coordinated responses to those argumenets throughout the company as a whole. It's hard, if not impossible, to say that MSFT has shown any signs of real change.