Category: Microsoft

If you’re a geek, and you’re not reading Raymond Chen, I think you should.

Raymond’s been at Microsoft since before there was a [Time event] to [Time demarcation]. His blog is an endless awesome examination both of Microsoft code lore, Microsoft speak lore, Microsoft, code, speak and …lore. I feel very fortunate to know him (in the Microsoft culture-email-sense meaning we talk from time to time in email.  Actually it occurs to me I don’t know him at all personally.  Well crap now I feel kind of like an asshole, I should totally go buy him lunch or something.)

Where was I…oh.  This post in particular is a good intro as to why Raymond’s blog is informative but also interesting no matter if you know the code or not.

His blog is worth your valuable time.

Digg This

About all those Windows 7 editions.

I read with great amusement the outrage and wailing about the number of Windows 7 SKU’s. People have such short memories.

The Windows 7 SKU’s are actually a good leap forward. Let’s all remember where we were the day Vista launched:

Windows XP Home
Windows XP Pro
Windows XP Pro 64 bit Edition for Itanium
Windows XP Tablet PC Edition
Windows XP Tablet PC Edition 2005
Windows XP Media Center Edition
Windows XP Media Center Edition 2005
Windows XP Pro x64 Edition 2003
Windows XP Home N

Windows XP Professional N
Windows XP Starter Edition

And of course that doesn’t even get into sp1/2/3/embedded, etc lunacy.

Compared to XP Vista was a step forward. Windows 7 just tries to take it one notch down to focus on two primary retail SKUs (Home and Pro, jury’s out on retail Ultimate I think).

It’s also important to note that customers by the vast majority aren’t confused by this. They get Windows. They don’t think too much about it because right now so few people as an overall measure of the user base use media center or remote domain login and the rest are enterprise customers who are paid the big bucks to know what they are buying.

So as much as we think it’s silly (and believe me, I do) the data on this is clear: no one but the press and the 2% of the population that are technorati actually invest any emotion about how we SKU Windows. :>

The Redmond Reality Distortion Field

Sometimes I get asked "What the hell were you guys at Microsoft thinking when you did [insert action/product/initiative]?

It’s not exactly our fault. The answer is the Redmond Reality Distortion Field. To wit:

The Redmond Reality Distortion Field:

The field that influences Microsoft employees and product designers to make wildly incorrect assumptions on the use of technology, computers and devices by the world. The field is caused by the fact that Microsoft employees tend to be far more affluent and have free access to technology than the general population. Generated by Microsoft employees, the field is centered in Redmond but can manifest itself weakly in any area where a significant number of employees gather, such as remote campuses or subsidiaries.

Its most common effect on individuals is to make design decisions or requests either on the way customers should use products as opposed to how they actually use them, or by the interoperability of a product in the unique environment of the employee’s home.

The field itself is invisible and exceedingly hard to detect, as once under its influence reality itself becomes distorted. Entire Microsoft products have been designed under the influence of the field.

An example of one is the Microsoft Cordless Phone System, released in 1998. While the system itself was innovative and contained many unique features like multiple voicemail boxes, customized answering machine messages for individual caller ID’s, etc, the phone system required a dedicated computer be on at all times to enable its features. Due to the software’s high resource demands and the fact it would only work with Windows 95 or Windows 98, it was assumed customers would dedicate a second PC to the phone, thus essentially asking a customer to commit a $500+ dollar investment to make their new $100 phone work. The assumption is that customers either already had a high end computer, a cast off second computer, or would be willing to buy a second computer to make it work. This assumption is based on the fact that almost every Microsoft employee in 1998 had two computers at home (NOT including work machines) due to our access to technology and tendency to be on the high curve of technology investment. Now? Well It’s 10 years later and I have five computers in my home, which I bet is on the low end of most MS people. Imagine what decisions are being made about the general state of home networks today thanks to the field!

Another example of the pervasiveness of the field on the Microsoft campus is feedback between Microsoft product groups. The following is an actual email to the Xbox team, redacted appropriately for confidentiality:

From: [Microsoft Employee]
Sent: [Recently]
To: [Internal Xbox Feedback Alias]
Subject: Xbox LIVE through ISA Server

[Redacted]

Nearly 6 years after Xbox LIVE released and our own Firewall/Router product doesn’t allow any setting above "strict" for an Xbox 360.

Repro Steps:

Set up an Xbox on a network that goes through an ISA Server 2000, 2004 or 2006 to get to the internet.
Set up ISA Server to allow ALL traffic.
Do the Xbox LIVE Connection test and note that the NAT type is "strict".
Wait 5 years for these two teams to talk to each other.
Do the Xbox LIVE Connection test and note that the NAT type is still "strict".

Now, on the face of it you might expect that indeed, our firewall product should work well with Xbox LIVE. Until you realize that ISA Server is our corporate level firewall, which requires significant technical expertise and a license for Windows Server to operate. So the ISA people optimize their time and development tasks towards corporate scenarios. Xbox and Xbox LIVE dedicates our resources to optimize consumer scenarios.

At a bare minimum, this employee, due to their access to our products, is running $2500 dollars worth of enterprise software capable of handling tens of thousands of users to basically perform the function of a $59 standard router easily capable of handling 20 users.

Where the field comes in, is that the employee doesn’t just want the two teams to dedicate resources to make it work to their level of expectation, but expects it to already be a priority simply because Microsoft makes both products.

So when you wonder why, exactly, the company would have Playsforsure not work with the Zune or release a digital USB speaker system (whose best features required USB) at a time when few computers had USB at all, the answer is the Redmond Reality Distortion Field. It’s not our fault. Really.

Happy fifth year anniversary, Patch Tuesday

So I’m sitting in a meeting today and just before it starts I pipe up and say "Has everyone made sure to get today’s out of band update?"

Blank stares.

"Oh come on guys it’s important, make sure you download it."

"What the hell are you talking about?" someone asked.

"Today’s security update!" I said.

"Oh, I have mine set to automatic, what’s the big deal? It will install like normal right?"

"Yes," I replied, "but this is out of band so you might want to force install it now."

"What the hell is out of band?" someone else asked.

"It’s when we release outside of the monthly update cycle," I said, "that’s rarely done, and only for severe issues we see in the wild."

"We do them monthly?" the first person said, "I never noticed, how long have we done that?"

That’s when I realized it is five years ago this month.

You see, before Oct 15th, 2003, we released security updates every week on Wed. at 10am pacific. There was no advance notice, you either checked the security site or Windows Update on Wed. mornings or you weren’t responsible for security updates in your org.

I remember at the time I was very much against moving to monthly updates. It struck me as leaving people vulnerable for way too long.

Boy was I wrong. A couple of customer visits cured me of that notion, as I saw first hand how customers could not handle having critical updates every seven days. The risk model to update reaction time was not scalable for even medium sized organizations. After a ton of research, 30 days was determined from customer feedback to be the optimum spread to make sure organizations could evaluate and deploy updates on a manageable schedule. I think it’s turned out well. (weirdly, Oracle would later mimic us but feel like they had to make it different so they made quarterly security updates.)

So on today’s out of band update, I wish a very happy birthday to consumable and predictable update schedules, and more protected customers in the intervening time.

SecTor 2008!

A few months ago I was asked to keynote the SecTor security conference in Toronto. A million things flashed through my mind, like "Would I do a good job?" and "What would I talk about?" and "Do I speak Canadian?"

Thankfully I was able to harness my special powers of fear and stagefright to craft up something passable.

The conference was packed, a variety of security researchers, security IT pros, and security vendors were in attendence. It was my first trip to Toronto. Although I arrived insanely past my scheduled arrival time–

Wait, that was such an event in and of itself, I had to include it in my keynote.

It was an 8am flight so I was already kind of bitchy and cranky because if there’s anything I hate more than repeatedly being punched in the throat, it’s air travel.

Sure enough, the pilot comes on after we’re all seated. The flight plan computer in the cockpit has a non recoverable fault and they were going to have to, get this, reboot the airplane.

This involved turning the plane off, turning the plane on again, and waiting for the flight team to recertify the flight.

This process takes 30 to 40 minutes.

That didn’t work. So they…did it again. And it didn’t work.

So the pilot came on and said well folks, rebooting hasn’t fixed the problem so we’re going to potentially have to cancel the flight but first we’re going to…reboot it one last time.

And that time it worked.

So I got there insanely late and had just enough time to catch some crappy wings and a guiness with JJ, Jamie, and the Hoff before crashing.

Tuesday was a load of press interviews followed by what was probably the best event speaker dinner EVAR. It was at the Bier Markt downtown. OMG. All the beer. All the amazing food you could ever want. Best. Food. EVAR.

The talk was security trends, how awesome the food was, which was the next beer, how awesome the food was, security trends, beer, food, security? Wait Xbox? food. Beer? Security! Beer! wait what? SECURITY! wow. We were there until way way insanely late, and we stumbled back to the hotel.

Next morning I woke up early, hit some coffee, and gave my keynote. I hear it was good but to be honest I was a bundle of nerves and in the end realized the deck I provided was missing three slides from my practice so I actually ended 10 minutes early and was a bit mortified. Luckily the audience had questions. Here’s the text, along with a description of the slides in brackets.

It was overall a great experience with fun presenters. I can’t wait for SecTor ’09. Thanks to all who were there and went to my talk.