Popular @
Forum Controls
Spotlight Features
The Rich Engineering Heritage Behind Dependency Injection
Andrew McVeigh takes us on a tour of the rich heritage behind dependency injection, what it represents, and tells us why its here to stay.
NetBeans 6: Matisse Updates
NetBeans 6 delivers great updates to the Matisse GUI builder. Spend a few minutes with Roman Strobl and get an expert briefing on what's new and what has changed. (sponsored)
Introduction to Groovy Part 3
In this, the third and final installation of Andres' Introduction to Groovy series, you learn about how Groovy handles variable numbers of arguments, named parameters, currying, and more about Groovy operators. Including, some new operators.
Easier Custom Components with Swing Fuse
Swing Fuse (actually just Fuse), is a framework designed to make it easier to create your own custom desktop components. In this article, Daniel Spiewak shows you how to get started and provides sample source code you can download.
Benchmark Analysis: Guice vs Spring
Willam Louth shows how he uses JXInsight Probes to investigate probable performance issues with code bases that he is not familiar with. He also highlights possible pitfalls in creating a benchmark, as well as in the analysis of results.
Matt & Rick Not at Microsoft: Day 3
At 3:05 AM on Mar 19, 2005, Ken Sipe wrote:
Fresh Jobs for Developers Post a job opportunity
------------------
8:45 AM
Eric Rudder Keynote
This time was denoted as a closing keynote, however it was merely a Q&A session. Most of the time seemed to be focused around trust. There were a number of reflective comments doubting the commitment to change. Todd from AZ (don’t remember his last name) made a great point around Microsoft’s community responsibilities. For instance they stated they are focused on security and have learned a number of development best practices for the future, so why haven’t they shared this with the entire community. Eric’s answer didn’t seem to indicate he got the point. His answer was a commit to have a Microsoft security focused meeting within the next 30 days. There is some interpretation on my part, but his answer seemed to indicate participation with Microsoft customers. I believe what Todd was looking for global IT community involvement. A world where Microsoft would feel responsible for what they have learned, and contribute learns and best practices to everyone, not for an economy gain, but because it’s the responsible thing to do. Efforts such as this, repeated over time, would build trust. Am I too idealistic? Or naive? Eric’s last comments on the subject of security was that “Microsoft is a little gun shy”, they don’t want to make a big press release that they have the answer to security issues, followed by any future announcements of a security bug…
The more interesting part of this discussion was Microsoft’s protocol choice for the future… You guess it, Web Services. Specifically Eric stated that Interoperability to him and Microsoft is synonymous to Web Services. This commitment seems to stretch too far in my opinion. Everything is to have a WS interface. This means according to Eric, WS interface for; Exchange, SQL Server, and basically any MS product line defined as a Server. Web Server interface to the database…. Does that make sense to anyone?
--------------------
9:15 AM
Mike Hall - Windows CE and Mobility
I missed the opening demo. The session mainly discussed the embedded options for Microsoft which are: Windows CE, Windows XP Embedded and SPOT.
For CE, the focus was around a tool named Platform Builder. It is used to configure the components you want to deploy to a CE device. With this product comes millions on lines of code available with the free edition of the builder.
If you are interested in embedded OSs, CE is derived from MM Light which Mike claimed was available from the MS research site. I tried searching for it with no success, maybe I missed understood the name. However he indicated that Ivan @ ivanjo at microsoft dot com would provide help.
Windows XP Embedded is a componentized version of XP. Supposedly you can decide which OS features you want to install. With this product you can run any previously developed Windows application on the embedded machine. Additionally you can lock the application to be the only available application, providing what seemed like kiosk ability.
SPOT was interest… but frankly the watches are too large to wear and the features are too limiting. The toolkit is for watch vendors to develop a product and what they decide is what you get. Until you can add your own code to the watch or device, who cares… OK, OK I get that you can receive SMS messages on it, but so can my cell phone.
---------------------
10:30 AM
Prashant Sridharn - Visual Studio 2005
At Prashant’s request I will limit my blog of this session… it is to be announced Monday, it just a weekend away. I do have some comments to add here though specifically to the Java / Open Source community.
The session started with a story of Prashant getting a tattoo where ever he was the ’98 TechEd. The tatooist asked what Prashant did for a living and after discovering he worked for MS, the tatooist pulled out his copy of J++. The story illustrating that everyone is and can be a developer. There is a big push from MS to provide hobbyist and students with tools. What would Mort do without MS?
The future breakdown of the toolset was provided which I’ll skip for now, but let me share this. In the world of technology a technology is either leaping or be leaped. The Java community is being leaped. The toolsets around team development coming out seem to hit at the sweet spot of enterprise full life-cycle development. There will be a new version code tool which will allow for concurrent development, there will be a build system which Prashant himself compared to cruise control, system-wide task list, and bug tracking. This wouldn’t be too big a deal, if it wasn’t so well integrated. Each one of these tools on their own, I could agree there is an option for in the open source community. The integration in the toolset is extremely well done. Prashant announced that they had worked very closely with a number of the XP / Agile leaders providing a compelling story.
My main disappointment (but not a surprise) was that MS didn’t use what the community had worked on. They brought us up here to ask use “why do people hate us?” and “how can we build a community together?”. After this presentation here are some clues. There are people who have developed NANT and NUNIT for use with the MS development product line. Do MS use those technologies or extend them or promote them? NO did they even make them pluggable into the environment? NO. They have developed their own build system and their own unit testing framework alienating yet another group.
-------------------------
Well it’s over… I for one have learned a tremendous amount regarding Microsoft, their products, future and people. Additionally, there are some exceptionally talented developers working at Microsoft. I am grateful for the hospitality and their internal commitment to provide such an event.
Here are my thoughts and opinions on the matter based on the following facts:
1) Everyone (including MS) believes the future is heterogeneous
2) Microsoft is doing everything to drive people to their OS, specifically designed to the “best” stack.
OK, I would say most people aren’t looking for MS to open source windows (ok Larry is, and probably Stallman) they make money on windows. Great, make it compelling, innovate, make it great, make it secure and a large number of people will purchase it. The issue is MS doesn’t have an answer for the other end (which they agree will be there) out side of SOAP. More is needed here, I don’t know what shape this takes, maybe .net on linux and solaris, maybe a commitment to provide binary interoperability to Java. The consistent story from MS is if we build for another platform it will take away from Windows… I don’t agree, I think it will extend there software reach. In the end, they need to decide if they are a software company or an OS company. I think there is a significant difference. One decision, leads to controlling tactics, a lot of marketing and fragmentation of the industry. The other decision provides solutions to customer problems. There IS money to be made fixing client problems, in a way that is inclusive and not exclusive.
The conversations were open and honest. I can’t say that anything in particular was decided or resolved through the 3 days. In the end the lines of communication have been left open to all the attendees… and that’s a good thing. Here’s hoping for a better tomorrow.
19 replies so far (
Post your own)
Here's where MS shares security info/alerts/best practices
I was at the conference as well (I don't work for Microsoft though) and I'll add a comment, somewhat in defense of Microsoft, regarding not sharing security info with the public.The guy who gave security talk on Weds announced that on Friday MS was going to release their SDL or "Security Development Lifecycle" process to the public on Friday. I just found it at
http://msdn.microsoft.com/security/sdl
This is their injection of security concerns into their software development process, and I think all software developers could get some takeaways from this.
I think this is a good example of sharing what they've found and learned when trying to make security a part of your overall development lifecycle in trying to make all software better, not just MS software.
Also, they do post up to date security alerts, and anyone can subscribe to their security alert emails and RSS feeds at
http://www.microsoft.com/technet/security/default.mspx
My primary concern with MS security, which I asked about and never really got an answer, was when they find out about a vulnerability, don't tell the public, then an exploit is leashed out on the Internet and we then all find out about how long they knew about it in the press. At what point do they decide to go live with a vulnerability? What are the ramifications of publicizing a vulnerability when you don't have a fix available yet? Does that just help the virus and worm writers? Or is it more responsible to mention the problem, before having a fix, in the name of transparency and openness?
Thanks for covering Day 3, Ken
Matt and I both appreciate your excellent and thoughtful write-up. Thank you!Rick
bestuff.com - the best stuff in the world
Re: Matt & Rick Not at Microsoft: Day 3
They brought us up here to ask us “why do people hate us?”Does "knife the baby" ring a bell?
Re: Matt & Rick Not at Microsoft: Day 3
> In the end, they need to decide if they are> a software company or an OS company.
Yes. I think this is one of their key problems. Because trying to be an OS company undercuts their efforts as a general software company. OTOH, it provides a lot of income, and so they are trapped.
I don't see Windows as the server platform of the future, myself...
Re: Matt & Rick Not at Microsoft: Day 3
> > In the end, they need to decide if they are> > a software company or an OS company.
>
> Yes. I think this is one of their key problems.
It is not THEIR problem.
It is OUR BIG problem.
Do you remember the antitrust war about this?
The split never happened.
So, they're still there producing their OS and the best software for it, in every area.
With all the money they have, they can buy anyone and have a new software in their catalog.
Actually, today, is there any software you can work on without having to face the M$ counterpart?
Only very specific ones.
And avarage people wants M$ ones beacuse they think it is the standard and more reliable, just beacuse of the M$ name on it.
An example?
We had years of Internet mailing with softwares like Postfix , Sendmail, various IMAP/POP servers in the Open Source area, Netscape messenger on the client or other ones.
Today, if you go to a customer and say "Here I have a quick solution, all open source" you get the answer "What software is that? I want Exchange, cause I know it is the standard and is M$ software".
How can you fight this?
Re: Matt & Rick Not at Microsoft: Day 3
> For instance they stated they are> focused on security and have learned a number of
> development best practices for the future, so why
> haven’t they shared this with the entire community.
What am I missing here. Do you believe that after
all these years of really poor security, that MS
has suddenly learned something significant
about security? I don't understand why anyone
cares to hear what MS might have to say about
technical issues involving security.
> The more interesting part of this discussion was
> Microsoft’s protocol choice for the future… You guess
> it, Web Services.
Not much choice there. HTTP over TCP/IP is about
the only thing that MS could use. It's not like
they'd suddenly jump on the CORBA bandwagon with
everyone else.
> The session started with a story of Prashant getting
> a tattoo where ever he was the ’98 TechEd. The
> tatooist asked what Prashant did for a living and
> after discovering he worked for MS, the tatooist
> pulled out his copy of J++. The story illustrating
> that everyone is and can be a developer.
I guess that helps explain why I don't like
MS development tools. If they're easy enough to use
that the tatooist can use them, then they're just
slowing me down.
> In
> the world of technology a technology is either
> leaping or be leaped. The Java community is being
> leaped.
I'd say it's more "be leaped and then leap".
> Here are my thoughts and opinions on the matter based
> on the following facts:
> 1) Everyone (including MS) believes the future is
> heterogeneous
> 2) Microsoft is doing everything to drive people to
> their OS, specifically designed to the “best” stack.
In other words:
2) Do our best to stop 1) from happening.
>
> OK, I would say most people aren’t looking for MS to
> open source windows (ok Larry is, and probably
> Stallman)
No, Stallman himself says he's not an open source
advocate. He wants it to be Free.
> they make money on windows. Great,
> make it compelling, innovate, make it great, make it
> secure and a large number of people will purchase it.
Sure, that's what the technical people think and work on.
But the reality is that MS products generally
do not sell because they are great.
They sell because they are entrenched.
How they get entrenched...well, you know...
not by being great, that's for sure.
> I don’t agree, I think it will extend there software
> reach. In the end, they need to decide if they are a
> software company or an OS company. I think there is
> a significant difference.
I disagree. MS has made it quite clear that having
an OS monopoly and simply extending that monopoly
to other software is a *very* good money making
strategy. Illegal maybe, but a couple convictions
by the US and EU hasn't impacted them so far.
> One decision, leads to
> controlling tactics, a lot of marketing and
> fragmentation of the industry.
But a good fragmentation from the MS point of view:
One one side is MS, with Windows and Office monopolies
being extended to virtually all software areas.
On the other side is everyone else, struggling to
interoperate. From a strictly money-making point of
view, this strategy works very well for MS.
> The other decision
> provides solutions to customer problems. There IS
> money to be made fixing client problems, in a way
> that is inclusive and not exclusive.
But why should MS bother? So non-MS software developers
hate MS...so what? The bottom line is that MS makes
good money with the current situation.
>
> The conversations were open and honest. I can’t say
> that anything in particular was decided or resolved
> through the 3 days. In the end the lines of
> communication have been left open to all the
> attendees… and that’s a good thing. Here’s hoping
> for a better tomorrow.
Thanks for the writeup - very nice!
Andy
Re: Matt & Rick Not at Microsoft: Day 3
> > > In the end, they need to decide if they are> > > a software company or an OS company.
> >
> > Yes. I think this is one of their key problems.
>
> It is not THEIR problem.
> It is OUR BIG problem.
Yup.
> Do you remember the antitrust war about this?
> The split never happened.
> So, they're still there producing their OS and the
> best software for it, in every area.
I don't think their software is ever "the best",
but it's usually adequate (at least at version 3).
What MS software would you consider "the best"?
Doesn't everyone who's tried both Windows and
Linux/UNIX prefer UNIX? Same for IIS vs. Apache?
My experience is that people "prefer" MS only
when it's the only one they know. Certainly
that's the case for Windows, and also the
Exchange example you give below.
> With all the money they have, they can buy anyone
Hey! Hey! Hey! So Rick and Matt got free trip and
some doughnuts! So what?
...just kidding guys
> and
> have a new software in their catalog.
>
> Actually, today, is there any software you can work
> on without having to face the M$ counterpart?
> Only very specific ones.
> And avarage people wants M$ ones beacuse they think
> it is the standard and more reliable, just beacuse of
> the M$ name on it.
Again, by "think it is the standard" I think you mean
"it's the only one I know of", and reliable? Only in
the sense of "no one every got fired for choosing
IBM", not in the sense of "doesn't break much".
>
> An example?
> We had years of Internet mailing with softwares like
> Postfix , Sendmail, various IMAP/POP servers in the
> Open Source area, Netscape messenger on the client or
> other ones.
> Today, if you go to a customer and say "Here I have a
> quick solution, all open source" you get the answer
> "What software is that? I want Exchange, cause I know
> it is the standard and is M$ software".
> How can you fight this?
I saw the same thing: the IT dept says "you must
use Outlook". I'm not sure of their exact technical
reasons (I don't think they're sure either), but
I do know you can't fight it with technical
solutions. People are forced to use Outlook at work
because of MS lack-of-interoperability, or simply
MS marketing that makes people believe in
lack-of-interoperability.
Andy
Re: Matt & Rick Not at Microsoft: Day 3
Overall I think you make good points or counterpoints. I thought I would respond to your counter to security though. If there was one thing I got from the trip to Redmond it is this: I thought the security edict from Gates was more marketing spin, it was something they had to do, but like many I believed that it was hype. After the trip to Redmond, I don't believe that anymore. I see they have a firm commitment to security and have hired some extremely talented security experts. They have an issue of having so much code that it will take some time to get it all secure.I didn't take Mr. Howard's presentation without challenging it. I read about 1/5 of his book on the flight back home, and it's probably the best security book I've ever read. http://www.microsoft.com/mspress/books/5957.asp
It appears the commit to security is real. In addition MS will be shipping developer tools which provide checks (on by default) for security issues during compilation.
Combine this with Nomad (which is a *nix type shell to a windows server), most of the biggest issues with windows servers are addressed. They appear to moving the product line into a position where all you can complain about is licensing and price. Which would seem to against them
As far as security goes here is my concern: Howard points out in his book that having many eyes on pieces of code isn't enough when it comes to security, they have to be trained eyes. He gives an example where 2 developers were handed code samples to discover security issues. then they were trained, then left to review the code again. They discovered 5 times as many issues. The issue with the security debates comparing Linux vs Windows is this. MS has a plan, they have trained their staff and are focused on the problem. From the linux perspective, we have many eyes, but are they trained eyes? Is there a plan and a focus? Without serious commitment and focus from the open source community there could come a day when the security tables are turned.
-- Ken
Re: Matt & Rick Not at Microsoft: Day 3
> Overall I think you make good points or> counterpoints. I thought I would respond to your
> counter to security though. If there was one thing I
> got from the trip to Redmond it is this: I thought
> the security edict from Gates was more marketing
> spin, it was something they had to do, but like many
> I believed that it was hype. After the trip to
> Redmond, I don't believe that anymore. I see they
> have a firm commitment to security and have hired
> some extremely talented security experts. They have
> an issue of having so much code that it will take
> some time to get it all secure.
>
> I didn't take Mr. Howard's presentation without
> challenging it. I read about 1/5 of his book on the
> flight back home, and it's probably the best security
> book I've ever read.
> http://www.microsoft.com/mspress/books/5957.asp
>
> It appears the commit to security is real. In
> addition MS will be shipping developer tools which
> provide checks (on by default) for security issues
> during compilation.
I don't doubt that MS is serious about security now.
I'm just saying that after many years as probably
the worse company around at security, they can't
suddenly brand themselves as experts. Even if they
have individuals who really are experts.
They need to prove themselves.
>
> Combine this with Nomad (which is a *nix type shell
> to a windows server), most of the biggest issues with
> windows servers are addressed. They appear to moving
> the product line into a position where all you can
> complain about is licensing and price. Which would
> seem to against them :)
>
> As far as security goes here is my concern: Howard
> points out in his book that having many eyes on
> pieces of code isn't enough when it comes to
> security, they have to be trained eyes. He gives an
> example where 2 developers were handed code samples
> to discover security issues. then they were trained,
> then left to review the code again. They discovered
> 5 times as many issues. The issue with the security
> debates comparing Linux vs Windows is this. MS has a
> plan, they have trained their staff and are focused
> on the problem.
The problem with MS plans is that they're always 5-10
years late. Took them 10 years to basically get rid
of the BSOD. Took them 10 years after the 32 bit
CPUs came out to deliver a 32 bit OS. Took them
10 years after MAC 1984 to deliver a reasonable GUI.
Took them 5 years to start taking the internet
seriously and build IE.
UNIX gurus where building security into UNIX 30 years
ago. You really could argue that it's taken MS
decades to take security seriously. Even if they
are serious, it will take years for their products
to improve - it's not easy to add security in later.
> From the linux perspective, we have
> many eyes, but are they trained eyes? Is there a plan
> and a focus? Without serious commitment and focus
> from the open source community there could come a day
> when the security tables are turned.
Yup. On the other hand, all the non-open-source
UNIXes do have the trained eyes, and have for a very
long time now.
Andy
>
> -- Ken
Re: Matt & Rick Not at Microsoft: Day 3
>Doesn't everyone who's tried both Windows and>Linux/UNIX prefer UNIX? Same for IIS vs. Apache?
>My experience is that people "prefer" MS only
>when it's the only one they know. Certainly
>that's the case for Windows, and also the
>Exchange example you give below.
Well I do prefer XPSP2 to Linux.
I use Linux in my spare time to try different things and to develop in a different environment (not so much for Java but for C++). I've tried in time different distros (Red Hat, Suse, Slackware) and I have now stabilized on Ubuntu.
From a desktop point of view while I found Linux perfectly usable I still prefer Windows.
On the contrary, as a server is an entirely different story.
Re: Matt & Rick Not at Microsoft: Day 3
> The issue with the security> debates comparing Linux vs Windows is this. MS has a
> plan, they have trained their staff and are focused
> on the problem.
LOL. Security is a serious concern. You can't be trained. But they can finally made their developpers concerned by the issues. Do you really think they have provided serious training to their thousands of developpers? Do you think these people will be able to secure their applications quickly? It is almost impossible to secure an application if it was not designed with security in mind. All they can do is to disable some features to limit dammages. If you want secure software from MS, you will have to wait some years, until the next generation of products.
> From the linux perspective, we have
> many eyes, but are they trained eyes?
They are a lot of trained eyes but it is a small percentage of the total number of eyes. Critical software (kernel, servers, daemons, ...) are well examined. A lot of developpers are also concerned by security (according to mailing lists). But there is also unsecure applications discovered every day.
> Is there a plan and a focus? Without serious
> commitment and focus
> from the open source community there could come a day
> when the security tables are turned.
There is more than plan and focus, there is dedicated projects. There is secure kernels, secure servers and secure distributions. More important, there is security tools (what are the MS equivalent?) and security teams that track holes.
Now, not every Linux software is secure. Because not every software is widely used, widely reviewed, etc. And because security also goes against usability. All in all, XP HE SP2 is much much less secure than any desktop linux distro. And a Linux/BSD kernel + a Java server is thousand times more secure than any combination of MS products.
VS.NET going the failed, pricey route of JBuilder/TogetherJ
After the demo of Visual Studio.NET Team Server and all of the various editions, each costing about $4,000, and the fact that instead of working with NAnt, NUnit, etc. they have built in their own unit testing, build, source control, etc. systems that they are going the failed routes of JBuilder and TogetherJ: large bloats of IDE-ware that does lots of things, while a community of OSS developers create simple, easy-to-integrate tools that don't require thousands of dollars to use. They should be more like Eclipse and IntelliJ by embracing these popularly-used tools instead of trying to build their own. In fact, the unit testing framework is almost exactly the same as NUnit, why rip it off when you can just integrate?Re: Matt & Rick Not at Microsoft: Day 3
> >Doesn't everyone who's tried both Windows and> >Linux/UNIX prefer UNIX? Same for IIS vs. Apache?
> >My experience is that people "prefer" MS only
> >when it's the only one they know. Certainly
> >that's the case for Windows, and also the
> >Exchange example you give below.
>
> Well I do prefer XPSP2 to Linux.
> I use Linux in my spare time to try different things
> and to develop in a different environment (not so
> much for Java but for C++). I've tried in time
> different distros (Red Hat, Suse, Slackware) and I
> have now stabilized on Ubuntu.
> From a desktop point of view while I found Linux
> perfectly usable I still prefer Windows.
> On the contrary, as a server is an entirely different
> story.
Hmm.. Interesting, so I guess not everyone, but I'd
still say almost everyone. You just find the Windows
XP GUI easier to use than KDE and/or GNOME? Are you
sure that's not just because you're so used to
the Windows GUI (as opposed to it actually being
"better")? Because that was my whole point: that
people like Windows because it's what they're used
to ("entrenched"), rather than actually being better.
Andy
Re: Matt & Rick Not at Microsoft: Day 3
> More important, there is> security tools (what are the MS equivalent?)
I get a good chuckle every time I'm reminded that
MS is now going to enter the antivirus market.
Isn't that like GM entering the car repair business?
...wait...GM *is* in the car repair business!
Good thing GM doesn't have a monopoly, or they
could easily make more money by shipping defective
cars and then charging to fix them. After all, they
are the experts!
Andy