Chris Brumme's blog

Microsoft senior developer Chris Brumme doesn't post often to his weblog, but every one of his essays is a lengthy, authoritative, and candidly self-critical exploration of .NET and CLR arcana, the sort of thing you might expect to read on MSDN (minus the self-criticism, that is). And in fact, the absence of this material from MSDN is controversial. Back in June, Dare Obasanjo complained about that. Robert Scoble's response was:

Publishing is too hard for many Microsoft employees. Blogging makes it easy. Would Chris even bother if he needed to figure out who was responsible for publishing stuff like his over at MSDN? Would Chris bother if he needed to have three meetings just to get his stuff approved to post up? I wouldn't. I'm not gonna publish on or unless I have to. The process is just too daunting...Think that most of Microsoft's 55,000 employees know how to get something through the publishing system at MSDN? I don't think so. Blogs take up the slack. [The Scobleizer weblog]

To which Pete Cole responded:

Errr, as a stupid sap paying $1000s for MSDN subscription I would rather that a company the size of Microsoft SORTED ITSELF OUT - please explain to me why I should even have to answer the question of which I would rather he do? If the MSDN people are a pain in the butt, then management should sort them out.

The trouble for me is that the API surface I write against is documented neither on MSDN nor the Web - I spent my life in a haystack of needles looking for the right one to put the thread through. [Pete Cole's weblog]

So premium content's path of least resistance is the blog, not the premium channel. Pete's right to suggest that if there's going to be a premium channel, it ought to figure out how to be the path of least resistance for premium content like Chris Brumme's. Of course, I'd hate to see Chris' voice vanish from the public scene. Wednesday's edition of his blog, which featured a lengthy analysis of how to shut down a managed application, concluded with a "security addendum" that reads in part:

I haven't blogged in about a month. That's because I spent over 2 weeks (including weekends) on loan from the CLR team to the DCOM team. If you've watched the tech news at all during the last month, you can guess why. It's security.

From outside the company, it's easy to see all these public mistakes and take a very frustrated attitude. When will Microsoft take security seriously and clean up their act? I certainly understand that frustration. And none of you want to hear me whine about how it's unfair.

The company performed a much publicized and hugely expensive security push. Tons of bugs were filed and fixed. More importantly, the attitude of developers, PMs, testers and management was fundamentally changed. Nobody on our team discusses new features without considering security issues, like building threat models. Security penetration testing is a fundamental part of a test plan.

Microsoft has made some pretty strong claims about the improved security of our products as a result of these changes. And then the DCOM issues come to light.

Unfortunately, it's still going to be a long time before all our code is as clean as it needs to be.

Some of the code we reviewed in the DCOM stack had comments about DGROUP consolidation (remember that precious 64KB segment prior to 32-bit flat mode?) and OS/2 2.0 changes. Some of these source files contain comments from the 80s. I thought that Win95 was ancient! [.Net notes]

It's easy to throw rocks at a faceless monolith. It's harder to throw them at a human face speaking with a human voice. I can only guess at the struggle that must be going on inside Microsoft, these days, between those who seek to control the message (a legitimate and necessary business instinct!) and those who want credible and candid voices to be heard directly. I'm not a huge fan of the book genre that chronicles high-tech corporate intrigue, but when this story is finally told I'll be fascinated to read it.

Former URL: