Foredecker

Jibe!

Dear Anonymous Slashdot Guy


I just noticed your most recent post here. I almost never look at postings from Anonymous Cowards, but I mistakenly clicked on a link that I thought was from Symbolset.

First, I really and truly do appreciate that you are trying to be helpful. You have certainly been persistent.

This blog post contains my thoughts on some of your Slashdot posts: #29969474, #30308758, #29980114, #30303590, #30011606, #30021114, and #30340094. These posts have a lot of info, questions, links and other things, so I thought I’d try to address a couple of the top-level things. Note, I apologize if I missed some of your posts. I put in an effort to hunt them down, but you are posting anonymously, which makes your posts really hard to find.

I’d like to begin by addressing a couple of items from your posts. I’m not anonymous and there is nothing “alleged” about me as a development manager in Windows. I’m pretty “out there” in the public sense. And most importantly, I’m not refusing to respond to your posts or blowing you off (both phrases you use in your posts). I just don’t pay attention to Anonymous posts – there is no obligation for me to do so. The fact that I noticed your most recent post is a happy accident.

Oh yes, this post is somewhat long and I’m terrible at editing my own writing – please forgive any spelling or grammar mistakes.

Here are some comments on your two top level items:



1. Tell us why rootkit.com said X, Y and Z:

I read the rootkit.com article you referenced (here). From your posts, I believe you are assuming that the kernel networking APIs in Vista and W7 are bad, or problematic in some way. This isn’t how I read the article or understand the NPI kernel mode APIs.

My take is different: To me, the rootkit.com article is very factual in nature; they are not stating any opinions or making any “claims” (to use your word). One of the most interesting things from the article is this:

…the security software vendors prefer to use poorly documented and sometimes unstable ways for the hooks’ installation.

This jibes with my understanding. Prior to Vista, some companies hooked Windows components (in both kernel and user mode) in very “ugly” ways. Especially in ways that the OS was not at all designed for. While I’m sure these vendors employ some really smart developers, it’s hard enough for people at MSFT to do this well, let alone people that do not have a thorough understanding of the Windows operating system and how it’s used.

Preemptive Slashdot response: “If Windows were open source it wouldn’t have this problem – anyone could see the source and do things properly.”

What the networking team did for Vista, and improved in Windows 7, is to make it easier for partners to write well behaved, reliable and well performing security products. Part of this was moving them away from the old TDI APIs, which the rootkit.com article says were hard to use and not well documented, to the new APIs.

You seem to be thinking that because the new APIs are easier to use for developers and better documented than the old TDI stuff that somehow this makes Windows less secure.  If that is what you are insinuating, then you are very much mistaken. 

Hacking and hooking is inherently problematic and causes all kinds of reliability and security problems. This isn’t a Windows thing – it’s an OS thing. Unsupported hooking and hacking in kernel mode is a problem for any operating system, no matter how well intentioned.

Well documented, easy to understand, debug and use APIs are important for enabling partners to write software that is reliable, robust, secure and well performing.

The new networking stack was designed so that developers didn’t have to hook and hack kernel mode components to implement firewalls and other networking security products.  This gives end users a more reliable, robust and well performing system.  That’s a good thing.

Most importantly, these new APIs are a necessity: partners cannot develop products for 64-bit Windows without them, as 64-bit Windows doesn’t allow kernel hacking, hooking and patching. Features like PatchGuard, allowing only signed drivers, and DEP make such APIs essential.


2. Give us a SOLID answer to why 0 was removed in HOSTS

I have no idea, but I’ll send some mail and see if I can find an answer.  If you haven’t already read it, here is what MSDN says about the hosts file.

Let me set expectations. I’m not an expert in this area but I’ll spend a little time on this. If I find an answer, I’ll post something on my blog here. Please be patient and don’t nag me about it.

Now about hosts file size… I’m not an expert about the use of the hosts file, but I’m pretty sure it’s not designed to grow really large.

In one of your posts you cite this article, Resurrecting the Killfile by Oliver Day. You mention that his hosts file has grown to 16,000 lines long. That’s really large… Look at it this way:

Let’s say that each line averages 50 characters – an IP address, some white space, a host name and possibly a short comment. In this case, a 16,000 line hosts file would be about 780 kilobytes in size. That’s pretty big. I’m pretty sure that we didn’t design the system for hosts files that large – they work, but I would certainly call hosts files of this size a very, very tiny “corner case”. Remember, we’re designing and building a system for hundreds of millions of people. While it’s an educated guess on my part, I suspect that the hosts file on all but a very tiny fraction of systems is just a few KB in size – at the most. For example, all the systems at my house have the default hosts file that comes with Windows – nothing has modified them. While certainly not representative, it’s interesting anecdotally.

Note, I completely understand how using the hosts file can be useful to some people – that’s groovy. What I’m saying is that we didn’t proactively design for hosts files to be this large.

Now, using the hosts file the way Oliver Day does, and you do, may be a great idea! But I really don’t know. The best thing to do is use the most effective channels to give the right people that suggestion. Read the info toward the end of this post for more information on how to do that.

Again, while I’m not an expert in network security, I suspect that there are many better ways for security software to control and block access to host names than to use the legacy hosts file. And it is a legacy thing: it is what was used before DNS worked reliably or broadly.

For example, I know that Microsoft has security and related software that blocks phishing sites, malware sites and other kinds of things. They have quite a sophisticated system for publishing sites, pages, and other things that need to be blocked. I know that other security software vendors do a very similar thing. I expect that their databases of ‘bad’ sites and pages are way larger than sixteen thousand entries – I suspect two or three orders of magnitude larger.

I suggest to you that more sophisticated methods of managing lists of ‘bad’ sites and pages are way, way better than using the old legacy hosts file. Storing IP addresses and host names in a simple ANSI text file is probably the least effective way to do this. Here are some issues I can think of off the top of my head:

  1. It is not a compact format.
  2. It has to be read into memory often – the file itself isn’t searchable or indexed.
  3. No support for Unicode host names (it’s an ANSI text file, not UTF-8).
  4. There is no way to control access for readers and writers – it’s a text file, not a database…
  5. If I was a malware writer this is the first place I’d look to change things. Oliver Day mentions this in his article. So does Wikipedia.
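To make the last three points concrete, here is an added example (not code from the post or from Microsoft) that parses a hosts file the way the format works and audits it from a defender’s side: it measures the size the post estimates, flags names that an ANSI file cannot hold without re-encoding, and lists entries that send a name somewhere other than a loopback or unspecified “sinkhole” address, which is what an unexpected modification of a blocklist-style hosts file looks like. The sample file and the sinkhole-address convention are constructed assumptions for the example.

```python
import ipaddress

# Constructed sample hosts file (not from the post): the default localhost
# lines, blocklist-style entries of the kind the "killfile" article describes,
# one non-ASCII name, and one line that redirects a real-looking host name
# somewhere other than a sinkhole address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-tracker.test      # blocklist entry
0.0.0.0         malware.example.test
0.0.0.0         beacon.example.test cdn.example.test
0.0.0.0         bücher.example.test
203.0.113.5     update.example-vendor.test    # redirect, not a block
"""

# Addresses that make a name resolve to nothing useful: the usual way a
# hosts file is used as a blocklist (assumed convention for this example).
SINKHOLE_ADDRESSES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; comments and blanks are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop trailing comment
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # malformed address, ignore the line
        for name in fields[1:]:                     # one address may front several names
            yield ip, name.lower(), line_no


def audit_hosts(text):
    """Summarise size and spot entries a blocklist-only hosts file should not contain."""
    entries = list(parse_hosts(text))
    redirects = [(str(ip), name, n) for ip, name, n in entries
                 if ip not in SINKHOLE_ADDRESSES]
    non_ascii = [name for _, name, _ in entries if not name.isascii()]
    return {
        "bytes": len(text.encode("utf-8")),
        "lines": len(text.splitlines()),
        "entries": len(entries),
        "redirects": redirects,      # names sent somewhere other than a sinkhole
        "non_ascii": non_ascii,      # names an ANSI hosts file cannot express as-is
    }


if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

Every line has to be re-read and re-parsed to answer even these simple questions, which is the post’s point about the file not being indexed or searchable.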


Now, I really and truly appreciate that you are working to be helpful in your own inimical way. But to be open, honest and respectful [1], your approach to driving change in the Windows OS is probably the least effective you possibly could have chosen:

  1. You are assuming I am the best person to answer your questions and ask me “what you plan to do about it”. I’m just one dude. I’m pretty senior, but I’m certainly not in the inner circle. My specialty is performance, not security or networking.
  2. You are assuming I’m actually going to read replies from an Anonymous Coward on Slashdot in any kind of a timely manner. That’s a really bad assumption. I almost never read anonymous replies or posts in general. You are labeled an Anonymous Coward for a reason…
  3. You are assuming that the fact that you are replying to me puts me under some obligation to reply. It does not.
  4. Your writing is the least effective type to encourage someone to take you seriously and understand what you are working to say.
  5. You seem to be assuming that places like Slashdot and blog comments (even on the Windows 7 engineering blog) are effective places to give people in the Windows organization actionable feedback. They are not.

I’d like to comment on your writing – it is polemic at best. It’s also disjointed and fractured. The posts of yours I’ve seen are the equivalent of ranting and yelling while waving your arms about – in my face.

At least one other person has given similar feedback here. Spun is giving you good advice here:

… you sound smart. You are writing to communicate ideas to others, not to hear yourself type, right? Then take the other guy’s advice: make it brief, summarize and write in normal English.

You didn’t take that simple and polite feedback well at all.

I’m going to ditto his advice: this isn’t about the use of English. Your posts are hard to follow. Their tone and tenor is very off-putting and “in your face”. This is true of individual posts, but even more true taken collectively. I realize this is a very informal forum, but it’s not a bad idea to focus on clarity and succinctness when working to communicate detailed technical information. The longer the post, the more this is true.

Next, you can really be rude. I readily admit even I can be a bit snarky, but these kinds of posts (#30011606) damage your credibility and give people an excuse not to take you seriously and to ignore you.

My point is this:  if your goal is to be impactful – to get things changed – then you need to do a few things.

  1. Write clearly, factually, and succinctly. Make actionable suggestions. Simply drop metaphorical “hand waving” and the polemic tone. Keep opining and subjective material to a minimum. It doesn’t serve your cause.
  2. Don’t use very informal places like Slashdot or even MSFT blogs to give MSFT your feedback. We have readily available official channels. Use them (I’ll explain how shortly). As the blog says here, we get a TON of feedback; it’s hard enough to manage as it is, and we put a lot of time, effort and energy into doing so.
  3. Focus on one thing per item. For example, if you have three things on which to give MSFT feedback, file 3 bugs, or send three separate messages – don’t smoosh them all into one thing.

Here is how to send Microsoft feedback: join the Microsoft Connect Program. It’s really easy to do, and free of course.

The Connect program is pretty cool and is how people can directly file bugs and send feedback and comments to Microsoft. We have a very rich internal system for handling this information. The bugs and suggestions you enter go directly to the owning team.

You get a dashboard, and there are forums for discussions, not just with MSFT people, but with others in the Connect program as well. There is a program specifically for Windows networking – this is the one you should apply for. Note, there doesn’t seem to be a general “Windows 7” category; I’m not sure why that is. I’ll try to find out. I’ll post what I learn on this blog.

Connect is the best way to “get Microsoft’s attention”. I hope you are successful doing so on Connect. It’s work, but you have shown you are persistent – be persistent at using Connect.

My intention here is not to refute your posts or argue with you; my desire is to give you my thoughts on some of the things you ask me about on Slashdot. Feel free to post comments here on my blog, but I’m not going to maintain this conversation on Slashdot. I think it’s more effective to do that here on my blog. It’s more discoverable that way.

Lastly, I have one last request: get a Slashdot login and user name. There is really no reason for you to be an Anonymous Coward. This will let me follow you as you participate on Slashdot.

– Best Regards, Foredecker

[1] This is an internal MSFT phrase – really.


Written by foredecker

December 7, 2009 at 4:56 am

Posted in Miscelaneous
