Raible Designs

[Microsoft] Day 1 Morning

"An open and honest dialog" - that's what the goal of this shindig is. Most of these sessions aren't really interesting to me. If there's APIs I can talk to, I'm cool with that, but as far as SQL Server 2005 and Windows Architecture ... I'm not interested. The thing I'm looking forward to today more than anything is meeting Scoble.

Most of the folks in this room seem to be community leaders, i.e. JUG Founders and architects. There's also a fair amount of "Developer Evangelists" in the room. Probably half the room is MS people. I wonder what the hell a Developer Evangelist does? Do they write any code? I'm guessing there's no MS coders in the room.

Michael Howard - Improving Security at Microsoft by changing the process

Michael Howard is the co-author of the "Writing Secure Code" book that we all received this morning. He's writing a new book called the "19 Deadly Sins of Software Security" - which apparently covers everything: Windows, Linux, OS X, Java, JSP, MySQL, Oracle, etc. Sounds like a pretty good book - it's got some open-source guy as a co-author too. It's a McGraw Hill book and should be short-n-sweet at 300 pages. Michael is the Senior Security Program Engineer and sounds like a champion of the "Trustworthy Computing" mantra here at Microsoft.

zone-h.org tracks the number of web server attacks. Michael is talking about the fact that IIS 6.0 has had one security bug in 2 years, while Apache 1.3 has 13 and Apache 2.0 has had over 20. "Apache has more security bugs than IIS."

Everyone has security bugs, we're the only ones doing something about it.

Threat Modeling - they do a lot of research on skills vs. motivations. They're basically trying to understand not only how, but why hackers attack.

OK, this is a pretty boring talk - mostly because it doesn't interest me. There's a lot of talk about security in "Whidbey", which is the next version of Visual Studio.NET. Apparently, it's now got some tools to detect security issues and memory leaks. My boredom has caused me to start working on AppFuse, and to try out the USB Flash Memory Drive they gave us. It's kinda funny - the box it came in has a link to where you can download the drivers for Windows 98/SE. No driver is needed for ME/2000/XP. I also discovered that it works great on the Mac. Cool - too bad it's pretty much useless if you're always online like I am.

Heh, shortly after writing the above, I yanked out the device and it killed both Keynote and BBEdit. It's definitely a useless device!

Don Box - Microsoft Messaging Futures Using Indigo

Don is taking an interesting approach to his presentation - and typing it all in notepad. He wants us to tell him why we think MSFT sucks. Don works on the XML messaging stack. Specifically, he's an architect on Indigo and he worked on the WS-* specs. An audience member puts a stop to the typing because he's legally blind and can't read anything. Here comes the talking. How does Microsoft suck?

Audience feedback:

• Community Involvement sucks
• Need to do security by default
• COM+ isms not there - transactions more mature in J2EE
• Does MS believe in managed code?
• 2 year platform cycles, re-invention w/ every release
• Dependency hairball - shouldn't have to buy other products to make simple things work
• Dependency Injection, IoC, ORM

I brought up the fact that MSFT crushes or buys their competition more often then not. Don spent some time answering this question, defending MSFT a bit, but also saying that we're in a new decade now and it's a very competitive industry. For the record, I don't really believe MSFT is the "Evil Empire" like many hard-core Linux and open-source guys. I have quite a few MSFT certifications, but I've found most of them useless in my career - except that I can easily troubleshoot and fix most of the issues I have on Windows. I use Windows and prefer it over OS X for the most part, but that's because I'm more efficient using Windows, and because my Windows box is much faster than my PowerBook.

Don reminds me of a good friend of mine - Chad Shoup - but he's about 10 years older. For those of you who know Chad, you know he's fun to listen to. I don't have much interest in the talk (I don't even know what Indigo is), but it's an enjoyable talk - mainly because he's enthusiastic about what he's talking about - and he's walking around the room, keeping the audience involved.

RelaxNG is better than XSD. The primary goal of Indigo is to satisfy the customers and consolidating the choices in .NET so that choices are easy and explicitly - instead of having a number of different products that do the same thing. They don't plan on taking choices away - they just plan on making the choice easy and explicit. If you're working with .NET, there might actually appear to be an architect behind it all.

Don goes on to address all the audience feedback and explain MSFT's position and what they're doing to address this. Sorry, I tuned out as I wasn't that interested. The one interesting quote I got out of this session is "I believe we're going to be more than competitive in O/R Mapping. Soon."

Richard Monson-Haefel asks "Is there a place for AOP in .NET or is it too sophisticated for your developers." Don's take is "My development platform should allow me to write code w/ a couple of beers in me." He ragged a bit on Java developers and said their main problem is they think they're smarter than they are. He also said that if he could change on thing at MSFT, it would be that Ruby becomes the language of choice.

Break time: yogurt and granola. I got a picture with Don and will post that as soon as I find a cable. I'm also going to see what this "Double Strength, Double Size, Rockstar Energy Drink" is all about. It sounds poisonous, but it's likely to give me a wicked buzz or make me throw up. Seems like a good experiment.

Looking outside, it's raining now - which seems appropriate now that we're going to have a Programming Language Design Panel. The rain goes with my depression that I have to sit through this session. I doubt it'll be of any interest to me.

Programming Language Design Panel: Jim Miller (CLR Architect), Herb Sutter (C++ Architect), Jim Hugunin (Lead for IronPython and dynamic languages on CLR)

Jim Miller: The five programming languages that Microsoft ships: C#, VB.NET, C++, J# and JScript. Generics are now a part of the run-time environment. Closures and light-weight code-generation will also be available.

Herb Sutter: Only guy on the panel that cares about managed and native code.

C# Guy: C# 2.0 features: Generics - code looks a lot like Java, but implementation is very different in CLR. Closures so you can pass methods as arguments. Iterators - lazy enumeration of collections like Python and Ruby. Partial types or structured include files - multiple files make up one class (good for code generation).

Jim Hugunin: Used to be a Java Developer, working with AspectJ and other dynamic languages. He wanted to see why .NET was such a horrible platform for dynamic languages. A year later, he found himself working for Microsoft. He's found that .NET is a good platform for dynamic languages (of course, right?). His current job is getting IronPython to 1.0.

Dion asks about Ruby on .NET and about AOP in .NET. Jim doesn't know of any major projects that are addressing Ruby on .NET. C# guy says that we have a lot we can learn from dynamic languages and thinks the best thing is to allow less typing (i.e. declare type once) in strongly-typed languages like C# and Java. As far as AOP, the C# guy is still in the wait-and-see mode.

Rockstar Energy Drink Status: I made it about 1/3 of the way through it before the stomach ache kicked in. Now I'm jittery and nauseous... <great/>

IronPython will likely be an open-source project b/c the Python Community will probably reject it otherwise.

Will Java 5.0 code be able to easily port into J#? The panel doesn't know and thinks it's more of a legal question. J# currently supports JDK 1.4 syntax and they don't think there current license allows supporting JDK 5.0.

Mono - they've been taking a wait-and-see approach to see the commercial uptake on it. So far, they haven't seen a whole lot of commercial interest in Mono, nor any licensing requests from Novell.