Microsoft announced a month long moratorium on new coding in order to fix bugs.
February 6, 2002 12:45 AM   Subscribe

I find myself on this site arguing for Microsoft quite a bit and getting razzed for it. I had first read this story on slashdot and laughed a little. Your question is on the mark, what would it take for a development enterprise the size of MS to make sure that their existing code base is bug free? I'm not religious, but I'd say the second coming of Christ and most of the Justice League. I'd like to see them continue to patch up XP (easy because it has the built-in update service to do it) and then continue on a more secure path for future products. However, to take four weeks to go back and fix the code base for five+ years (I say five years because it's difficult to find anything older in most up to date networks, barring, of course, law offices) worth of products is an insane thought.
posted by eyeballkid at 1:01 AM on February 6, 2002

When I first heard about this, news stories said they were going to take a month to "focus on security". Now they say they are going to "fix bugs". Those two things could each be loosely interpreted to mean somewhat the same thing, but I wonder if MS is not being 100% clear in its press releases.

In any case, I'm a little surprised at this move. They don't have to do anything to improve security or reliability, since nearly all computer users are stuck with their software no matter what. They could just leave things as they were. I would say it's a PR stunt, except that I don't see why they need the PR -- they've got the press pretty much at their feet as it is. It doesn't really make sense.
posted by Potsy at 1:11 AM on February 6, 2002

(Also, this is somewhat of a double post.)
posted by Potsy at 1:13 AM on February 6, 2002

The security focus is a long-term strategy. The bug hunt is just one component of that strategy.

Yes, it's all a PR stunt, but it has nothing to do with XP or any of their current products. It's all about priming the market for .NET.

The whole .NET initiative depends on users being comfortable giving Microsoft their data. For that to happen, users have to feel Microsoft's products are stable and secure. The current effort is their start at planting the seeds of this perception in the public's mind.
posted by jjg at 1:24 AM on February 6, 2002

Microsoft is a company that is very, very good at making sure their products are strengthened when a percieved weakness shows up.

Microsoft is very, very good at making dramatic and drastic changes in focus when the need arises.

Now, couple this with the current public perception (incorrect I might add) that Windows is more vulnerable than it's competators (Linux/MaxOSX) and this is what happens.

Can Microsoft change focus? Can it make radical shifts in short time?

Hell yes. Look at the Internet. Caught flat footed Microsoft now ships the best browser available and certainly one of the best servers (IIS 5 is good, real good).

Look at the OS itself. Percieved stability issues (again, mostly unfounded) were a pain int heir ass and suddenly we have XP - one of the most stable OS's every shipped anywhere, anytime.

It will happen again in development tools. The .NET framework is an outstanding technology - and the important parts are open specifications. The tools are incredible (VS.NET is good and the beta .NET for IIS is rock solid) and getting better all the time.

When Microsoft sets it's power on something, that thing happens. Not because it's unfair - simply because they have huge resources and incredibly smart people.
posted by soulhuntre at 1:39 AM on February 6, 2002

I like XP, but I don't like its windows update.
It pestered me to download some "VERY IMPORTANT SECURITY UPDATES" which I did, and then it screwed up my network connections! So I had to take them off. I'm not a big fan of patching some problems then causing new ones.
posted by Keen at 4:48 AM on February 6, 2002

Maybe Gates is mad because he's using XP as his everyday OS.

I've got a brand-new Dell business machine loaded to the gills and Windows XP is running like a dog on it. I'm actively downgrading things -- switching from Word 2002 back to Word 97, removing the speech recognition component from Office XP, and the like -- just to get a usable system.

It also has a great new feature: System lockups sometimes prevent the on-off switch from working. I have to reach the back and pull the plug. So far the system's nothing close to the reliability I had with Windows 2000. It reminds me more of Windows Me, which was also a disaster.
posted by rcade at 5:18 AM on February 6, 2002

rcade: On most machines with ATX power supplies (which includes basically any machine on which a hardlock stops the power switch from working), you can hold the power button in for four seconds to turn power off when Windows buys the farm. Might save you having to yank the cord.

On topic, I don't think this can be anything other than a publicity stunt. A great many of Microsoft's security problems have their roots in design flaws (the lack of any real memory protection in consumer Windows before XP, the spaghetti that is the NT architecture, the insistence on placing the relatively insecure COM/ActiveX/NewMarketingNameHere everywhere, etc., etc.) Even if they called in every third party Windows developer on the planet and were somehow able to coordinate them, in a month all they can do is fix implementation bugs.

Unless they're planning on implementation-level hacks to fix design-level flaws (which won't do much for Windows' already-spotty stability), a month won't really help them that much.

Therefore, I'm forced to assume this isn't altruism from Bill, or even Microsoft reading the market's insistence on secure products and responding to it. This is more Microsoft marketing, pure and simple - just like the percieved stability of XP, just like the percieved quality of IIS, just like the percieved newness and innovation of DCOM/.NET.
posted by Vetinari at 5:50 AM on February 6, 2002

Well best of luck to MS. Too bad so many of the problems with their software are the results of interactions between programs and poor architectural choices (made, as noted by eyeballkid, years ago).

I've always felt that software ultimately reflects the organization that created it. It's going to take more than "bug fix month" to affect such a fundamental change in practices.
posted by tommasz at 5:55 AM on February 6, 2002

...what would it take for a development enterprise the size of MS to make sure that their existing code base is bug free?

Of course, as you point out, it is not possible for them to make their code base bug free, it's just a matter of degree. It would not be worth the effort to remove 90% of the existing bugs, but if they could just fix the right 20% of them, it could make computer use a lot less painful for many people.
posted by Prawn at 6:18 AM on February 6, 2002

There's a real difference between "bugs" and "massive security holes that allow buffer overflow exploits so an end user can run the code of their choice".

I've said this a million times before, but here it is again: When people say that MS gets all the bugs because they dominate the market, they're not paying attention. Windows is a more more "open" OS than OSX or Unix.

Even the business-grade versions (NT, XP, 2K) have these vulnerabilities. I think MS is going to have to fundamentally change the way it looks at its OS, not the way it looks at bugs.
posted by jragon at 6:38 AM on February 6, 2002

Note: When I say "open" I don't mean source code, I mean vulnerable.
posted by jragon at 6:39 AM on February 6, 2002

I assume next week Snopes will be posting that this is yet another hoax?
posted by rev- at 7:22 AM on February 6, 2002

Look at the OS itself. Percieved stability issues (again, mostly unfounded) were a pain int heir ass and suddenly we have XP

soulhunter, while i agree with some of your post, the stability issues for all the consumer versions prior to xp were not just a perception. complete crashes with loss of data and possible disk corruption were/are a daily occurrence. and i don't see how 6 years to fix this fundamental problem is 'suddenly.'

as an aside, many people people are pleased with win2k, but my experience with it has been just awful. (my nt4 computer worked very nicely, tho)
posted by lescour at 7:46 AM on February 6, 2002

If they want to fix all the bugs, a month sounds about right to delete all copies of the source files and start from scratch.
posted by joaquim at 11:03 AM on February 6, 2002

I usually end up defending Microsoft in public forums even though I have very strong reservations about the way they conduct their business.

I too agree that Microsoft's technology choices have been suboptimal in the past - to say the least. But they have usually been extremely good at learning from their mistakes and learning from others. If you just think about the huge leaps that they made from DOS to win 3.x (yuk!) to their current OS, their whole internet strategy, the migration from activex (whatever that was) to .net, you would realize that in spite of all their problems, they are arguably the only organizations of their size that is so nimble and adaptable.

I agree with Eyeballkid that 4 weeks to fix up a code base of 5 years is laughable. But I suspect it is more of a symobic gesture meant to bring home to the Microsoft employees the importance that MS now attaches to security than anything else. Of course, the PR angle is always there. As jig pointed out "The whole .NET initiative depends on users being comfortable giving Microsoft their data.".I would like to believe that Microsoft is doing something tangible to resolve the real issues rather than trying to change the perception and that this is a step to alter the way Microsoft developers think about technology.

They have some brilliant people out there. Force everyone to think bugs for a month and the entire organization would be VERY VERY careful in the future.
posted by justlooking at 1:04 PM on February 6, 2002

Look at the Internet. Caught flat footed Microsoft now ships the best browser available and certainly one of the best servers (IIS 5 is good, real good).

By what criteria are you judging 'best', or any of your statements, for that matter? As others have often pointed out, Microsoft operating systems may have an equal or lesser number of bugs overall, but they are far more serious in that they frequently relinquish control of the entire system at the drop of a hat. I'm pretty damned sure that a bug in Windows Media Player or Outlook Express or other system-integrated software that exposes me in potentially catastrophic ways is a bit more serious than, as you put it, a "perceived weakness". The same goes for IIS and the SirCam/BadTrans/Code Red/Code Blue/Nimda debacle.

Me, I qualify 'good' software as that which performs its function quickly and efficiently without opening up gaping security holes on my system. I also like the ability to uninstall it if it doesn't serve my purposes. It's slightly difficult to remove buggy software when it's integrated at a fundamental level with my operating system.

Microsoft is adept at releasing patches (and patches for those patches) BECAUSE they are so large and so used to having to mop up after their sloppy code.
posted by Danelope at 3:10 PM on February 6, 2002

There's a real difference between "bugs" and "massive security holes that allow buffer overflow exploits so an end user can run the code of their choice".

I beg to differ - check out the last paragraph of OpenBSD's audit process. OpenBSD takes the security crown because they fix a bug before they prove that it could be used to exploit the system.

As most conscientious programmers and system administrators know, security is a process, not a one-time "let's fix it all and then forget it" event. Let's hope MS realizes that.
posted by Llama-Lime at 5:22 PM on February 6, 2002

"By what criteria are you judging 'best', or any of your statements, for that matter? As others have often pointed out, Microsoft operating systems may have an equal or lesser number of bugs overall, but they are far more serious in that they frequently relinquish control of the entire system at the drop of a hat."


Actually, 90% of the exploits in MS systems use 3-4 vulenrabilities that have had patches available for them for months. Aside from the USB exploit there hasn't been a fundementally new security hole in windows in quite a while.

I seriously question the term "far more" serious when many Linux exploits can give root access.

There are bugs in ALL systems. Stay patched and the vast majority of the time it's all good.
posted by soulhuntre at 11:13 PM on February 6, 2002

BTW - "percieved" weakness referred to the fundementally flawed idea that Windows NT/2K/Xp systems are seriously deficient in security when properly adminsitered.
posted by soulhuntre at 11:14 PM on February 6, 2002

Ok, here is a far more detailed account of the MS code review story that I originally linked to. (via rc3.org Daily)
posted by justlooking at 1:01 AM on February 7, 2002

A few years ago in Canada we had a scandal regarding the conduct of peacekeeping troops in Somalia. After a few months it was concluded that some documents related to the Canadian presence in Somalia were missing from National Defence archives.

The minister of defence at the time (I can't remember who it was) went through the extraordinary step of publicly announcing that on two days later the same month soldiers would be ordered to stop their work and begin a search for the documents in their desks, filing cabinets, and ostensibly behind the couch too.

Now does that sound completely ridiculous to you? Of course it does, because predictably the entire press saw it as a huge hare-brained scheme to divert attention away from the people in government at the time, which it was.

So now when I hear that Microsoft engineers will stop coding in order to conduct a month-long code review of their entire codebase, I think pretty much the same thing. Just how completely brain-dead does Mr. Gates think we are, anyway? Is there any possible way for a sentient being to take the security pronouncement seriously?

TAE (Visit my web site!)

posted by clevershark at 8:25 AM on February 7, 2002

clevershark: i will not visit your website
posted by particle at 9:57 AM on February 7, 2002