IE Security: Just shoot him instead...



  • Was reading a Microsoft IE security blog today...

    Update coming for IE 6.0 SP1 security vulnerability

    It's an interesting discussion about the recent security patch that MS had to pull back when it turned out that the patch exposed new problems of its own. Tony Chor, a Program Manager, explains the steps Microsoft is doing to improve security - all the way to the developer level.

    In fact he writes:

    We’ve been working hard to improve our update quality over the past few years and built a pretty comprehensive set of checks and balances in our engineering process to prevent mistakes like this.
    <snip>
    In parallel with making the right fix, we have been working through how we prevent similar mistakes from happening again. For instance, we have code-reviewed the past ten months of code check-ins from the developer responsible for this issue.

    What?! Why didn't they just take the developer outside and shoot him?
    Not sure I would want to be that developer on the IE team for much longer.
    Hopefully it's not a standard procedure when a developer makes a coding mistake. Surely this guy hasn't been producing insecure crap patches for 10 months? This kind of punishment constitutes a public humiliation. I almost feel sorry for him :-)




  • @bviksoe said:

    Was reading a Microsoft IE security blog today...

    Update coming for IE 6.0 SP1 security vulnerability

    It's an interesting discussion about the recent security patch that MS had to pull back when it turned out that the patch exposed new problems of its own. Tony Chor, a Program Manager, explains the steps Microsoft is doing to improve security - all the way to the developer level.

    In fact he writes:

    We’ve been working hard to improve our update quality over the past few years and built a pretty comprehensive set of checks and balances in our engineering process to prevent mistakes like this.
    <snip>
    In parallel with making the right fix, we have been working through how we prevent similar mistakes from happening again. For instance, we have code-reviewed the past ten months of code check-ins from the developer responsible for this issue.

    What?! Why didn't they just take the developer outside and shoot him?
    Not sure I would want to be that developer on the IE team for much longer.
    Hopefully it's not a standard procedure when a developer makes a coding mistake. Surely this guy hasn't been producing insecure crap patches for 10 months? This kind of punishment constitutes a public humiliation. I almost feel sorry for him :-)




    You are too hard on this poor lad. He has just finished college a year ago and his first task was to take over the maintenance of IE, despite the fact he mastered in Ancient Greek History and was only applying for a job as a messenger. Whenever he asks for a second programmer (one who is actually educated in programming) to support him, they tell him: "Sure, as soon as Vista is completed".


  • If a house just built by an architect was found to be fundamentally unsound and unsafe at a basic level, and you lived in a house he designed a few months ago, wouldn't you expect this sort of investigation into his recent work? How about a plumber? Producer of popular soft drinks? Wouldn't the same go for any other designer or producer where the end result of such a flaw is a danger to life, security, or finance for an enormous number of people?

    The guy's not been named, and not flogged, so I don't see how this can be considered public humiliation or punishment.

    Someone makes a bad product that (potentially) affects hundreds of millions of people in a negative way... and has also written other code with the same scope. To NOT check up on his recent work would IMO be negligent. I'd also hope similar investigations would be done into those who reviewed the code prior to release, etc.

    Just as long as it stays as an investigation without punishment or finger-pointing, this is just doing the bleedin' obvious.



  • But that's exactly it. They are pointing their finger at this guy and saying: we don't really trust him. All this about IE being insecure may just be one bad programmer. Let's make sure this programmer feels the pain. Nice team spirit! Obviously they were in a hurry to release the fix, so no proper review was done, and now he takes the blame.
    Didn't Microsoft learn anything from pushing out unverified code out in the past? Isn't this the reason for their miserable security reputation?

    But security is supposed to be a big concern at Microsoft now, so how come this guy got to push patches for IE by himself? Why are they doing the reviews only now? Wouldn't any responsible company dealing with a flawed reputation and buried in security bugs have a system with both bug AND fix code-reviews (before and after analysis) in place - especially when they are changing their critical Internet components?

    If you have ever done a code review you'll know that it can be a very painful (and a great learning) experience. But doing a back-log of 10 months check-in is just ludicrous - I can feel this guy's agony.
    Or perhaps Microsoft is just saying: we let this bozo submit patches to IE for 10 months unsupervised. Other patches in the past may be deeply flawed too, but now we'll have a look. I guess they really are concerned with security after all.

    bjarke




  • You seem to have a grudge against Microsoft.  I think it makes sense to go back and look at the code that he wrote in the past.  It could very well have the same mistakes in it.  The guy didn't say they are blaming all the problems on the guy, he's just saying they are trying to catch bugs before the public does.



  • It would be nice to have more information before passing judgement.

    If they looked at the code at fault and it was WTF-rich, or broke established coding practices, then this would be in order.

    It wouldn't be the first time an employee was used as a scapegoat. I wouldn't be too shocked to hear they announced this regardless of the quality of the code in question.

    If anything, I'd expect the QA people to be hung out to dry. Perhaps the developer failed to communicate critical information to the QA team regarding his change, and the review is to see if he made other such failures in the past.






  • @obediah said:

    If anything, I'd expect the QA people to be hung
    out to dry. Perhaps the developer failed to communicate critical
    information to the QA team regarding his change, and the review is to
    see if he made other such failures in the past.


    Indeed.  The real WTF here is that apparently they're only just now reviewing his code for the past ten months.



    Why wasn't all of that code reviewed earlier?  The fact that it
    wasn't tells me Microsoft still doesn't care about the quality of what
    it produces.  Regular code reviews will eliminate well over 99% of
    WTFs.



    Is the money that's saved by skipping regular code reviews really more
    than the money spent on making patches, the money spent hosting the
    patches for 90% of the world's computers, and the damage to the
    company's reputation?



  • One judgement I am ready to make is that Tony Chor is a grade A *@#!%.

    There is one immutable rule to management.

    When something goes right - give all the credit to the team.
    When something goes wrong - take all the blame for yourself.

    I've yet to encounter anyone that broke only one of these, so I consider it one rule :)

    Tony blew it big time.



  • I agree.  This reminds me of something that happened in a company I used to work for.  Small IT department of two programmers, one sysman, one manager, and a system analyst.  I was one of the programmers.  We hired another programmer, a very sharp lady who used to work for Lockheed.  Her first assignment was to code up a new application in the financial software.  She was given full specs by the manager and instructed to merely code and test it.  She did.

    Manager and system analyst both did a "QA" review of her stuff and approved it.  They told her to move it to the live production system at the beginning of the month.  She did, and one day later none of the books balanced.  They discovered that her software debited and credited the accounts receivables or payables properly but didn't record anything to the general ledger.  DOH!  Huge fiasco.

    A few months later, she found that this was listed as a huge black mark against her on her performance review.  Of course there was NO mention of the fact that the specs for the project were developed by... the manager, nor of the fact that he and the system analyst both missed it on their "QA" review.  Nope, it was entirely her fault.



  • @ammoQ said:



    You are too hard on this poor lad. He has just finished college a year ago and his first task was to take over the maintenance of IE, despite the fact he mastered in Ancient Greek History and was only applying for a job as a messenger.

    If I were him, I'd just take my winged feet and find another job.



  • @marvin_rabbit said:

    @ammoQ said:


    You are too hard on this poor lad. He has just finished college a year ago and his first task was to take over the maintenance of IE, despite the fact he mastered in Ancient Greek History and was only applying for a job as a messenger.

    If I were him, I'd just take my winged feet and find another job.

    Oops..  After a quick check, I see that I'm confusing my Greek pantheon and Roman pantheon again.



  • @marvin_rabbit said:


    Oops..  After a quick check, I see that I'm confusing my Greek pantheon and Roman pantheon again.


    Aren't those basically the same, only with different names? (Zeus=Jupiter, Hermes=Merkur etc.)



  • @ammoQ said:

    @marvin_rabbit said:

    Oops..  After a quick check, I see that I'm confusing my Greek pantheon and Roman pantheon again.

    Aren't those basically the same, only with different names? (Zeus=Jupiter, Hermes=Merkur etc.)

    Er, yeah, you're right.  I guess I meant Hermes...  In my head, I was thinking Mercury.  So my thoughts were wrong, even if my post didn't make my error evident.



  • @marvin_rabbit said:

    @ammoQ said:
    @marvin_rabbit said:

    Oops..  After a quick check, I see that I'm confusing my Greek pantheon and Roman pantheon again.

    Aren't those basically the same, only with different names? (Zeus=Jupiter, Hermes=Merkur etc.)

    Er, yeah, you're right.  I guess I meant Hermes...  In my head, I was thinking Mercury.  So my thoughts were wrong, even if my post didn't make my error evident.


    The Real WTF(tm) is that Roman names like Mercury are different in German ("Merkur") and English. ;-)



  • @ammoQ said:


    ---------
    beanbag girl 4ever

    On an unrelated note: I see that your lobbying effort has paid off...  Good job!

