Stealth Updates and the Group Mentality

So we've all heard about Microsoft slipping updates onto machines through Windows Update without alerting folks. (If you haven't heard about it, read about it here. Microsoft discusses it here.)

The gist of the issue is that, on or around August 24th, a mysterious update appeared on XP and Vista machines without warning. The update was a patch to the Windows Update service and several other DLLs (the specific DLLs depended on your operating system).

Reading the comments on Digg, you'll find that people generally (but not absolutely) tend to fall into three camps. For brevity's sake, we'll dub them Microsoft Sympathizers, Linux and Apple Fanbois, and the Naive.

Microsoft Sympathizers

This group feels that Microsoft is absolutely entitled to do whatever it wants to the operating system since they own the OS and you're just licensing it.

There may be a great deal of legal truth to this statement; however, as many have pointed out, it is quite frustrating and is tantamount to Microsoft using its massive legal power to coerce its customers into giving it a free reign on its computer systems. This fact alone is problematic.

Consider the countless users in corporate environments who have no choice over which operating system they must use. Microsoft Windows is the de facto standard in the vast majority of corporate environments. In development environments, knowing what patches are installed on your system at any given time is a critical aspect of software testability. You can't very well reproduce an end-user's environment with certainty if you aren't running the same patches that they are. That's why it's critical that the end-user have control over what patches are installed and when.

But this move by Microsoft (which, admittedly, may have been happening all along and only recently come to light) removes that control from the end-user and introduces a degree of uncertainty into the mix. You don't know what you're running, and you don't know that it matches the end-user's environment, because it could change behind your back. There's no notification to alert you to the fact that it did.

At some point, Microsoft must admit that their software is playing in our sandbox, and managing our data, our bits. Sure, we are licensing the operating system from them, but we're also granting them permission to run their half-baked operating system on our machine. It's a cooperative agreement. Our acceptance of the license agreement is not an explicit agreement to grant them free reign to do whatever they want whenever they want. Our hardware is not Middle-earth, and Windows is not Sauron, despite the alarming similarities in behavior.

Linux and Apple Fanbois

Any time Microsoft does anything that smacks remotely of foul play the Apple and Linux Fanbois line up to shout at the top of their lungs. They tout their wares, proclaiming that everyone should just drop everything and switch to Apple or Linux. Linux fanbois are the most egregious fanbois; it is, after all, the Silver Bullet of Operating Systems. It's free, after all, and patched daily, and you can get the source code and patch it yourself.

My god, people, wake up.

First off, the average home user isn't going to have the technical skills to be able to use any of the xNix operating systems (excluding OS X). These operating systems tend to be complex, having been built up over 40 years and counting. Their vast feature set is daunting, even to advanced IT professionals. You cannot expect the average home user to turn in an operating system like Windows, which shields them from the complexities inherent in an operating system and expect them to switch gears without introducing a whole new set of problems. The frustration from learning a new operating system alone would likely drive them bonkers.

Second, you have to take application selection into consideration. Are your favorite applications even available in that operating system? Can you get Microsoft Office for it? PageMaker? Adobe Acrobat? Decent video or music editing software? And of the software that is available for it, can the average home user go to Best Buy, Circuit City, or CompUSA and purchase it in a nice shrink-wrapped box (complete with documentation, mind you), or does he or she have to go to some obscure website that he or she may or may not trust and download it (possibly with a complimentary virus)? And if they download it, will it work and can they get product support for it?

Third, how about device support? Can they plug all of their peripherals in it and have them just work? Or will they have to go on a mad search for device drivers again, like they had to back in the days before Windows XP? Sure, if they're IT professionals, that's a snap. But if they're the Average Home User (TM), that's more than they're usually able to deal with. It's probably going to tick them off royally, and they're going to wonder why in the heck they bothered with this operating system in the first place. They'll be wondering, "Where's my plug-n-play support?"

Fourth, how good is the font support? Does it support true WYSIWYG? Or does the type look completely different between the screen and the printer? The same could be asked of the colors. That's going to be really important for the average home user who's working with videos and photos, printing calendars, Christmas cards, and invitations, you know.

Fifth, if they need to do their office work on it, will they be able to do so? If so, how difficult will it be to do that? Will they have to be rocket scientists? And if it breaks, who do they call? I mean, if they were able to call their brother or their kid before, because he was a Windows guru at his company, will they still be able to do that? They've just switched operating systems, and now no one knows anything about it. They're now an island in the middle of a Windows ocean. They've effectively isolated themselves from everyone. How long do they have to wait before they can get meaningful support in an emergency?

Now. Ask yourself a really serious question and think hard before you spit out a really ludicrous answer. Are you really going to tell someone to risk losing all that support just because the browser isn't that cool, or because there are a few security loopholes? Or because you found out about these stealth updates from Microsoft?

Sure, we live in a Microsoft world. Are all their products perfect? Heck no. I work with Microsoft products every day, and I can testify to the fact that they aren't. I also own a Mac computer at home, and I happen to be a big fan of OS X. I've also had the occasion to use Linux. Each of them has their pros and cons. But I'm here to tell you that there is no silver bullet. Statements like those being made in these comments are asinine, short-sighted, and utterly ridiculous. Linux is not the solution to everyone's problems because it isn't the ideal operating system for the average home user.

Average home users need an operating system that's easy to use, has a large selection of over-the-counter applications, is secure but not intrusive, supports all of their peripherals, and has great product support. In my opinion, the one that comes closest to that is Mac OS X. However, it's pricey nature makes it cost-prohibitive for the average home user; and that's one of the reasons we live in a Microsoft-dominated world.

Sure, Linux is cheap. But the over-the-counter application support just isn't there, and the GUIs, in my opinion, still look like their in their infancy. And they're still targeted at tech-heads. When all the Linux variants start targeting the average home user, and the over-the-counter application support gets there, and they get really good device driver support, things might change. But there's no way on earth I'd ever recommend it to my family or any of my non-technical friends. They'd go out of their minds trying to figure it out.

So, in the end, I'll continue to read these kinds of posts from Linux advocates and shake my head. In my personal opinion, statements like these demonstrate a complete lack of comprehension when it comes to the average home user's computing needs.

The Naive

The last group believes that the patch from Microsoft is just a patch to the Windows Update service, and that, consequently, nothing could possibly go wrong. We're all blowing things way out of proportion, and everyone should just forget about it. I mean, really, what could POSSIBLY go wrong?

Well, let's think about that. Anyone with even a passing familiarity with DLL Hell knows from experience that any number of things could go wrong.

The notion that Windows Update isn't an integral part of Windows, and that patching it won't screw up something else is naive and shortsighted. Just ask anyone who was recently screwed over by the WGA flap when their perfectly valid Windows licenses were suddenly declared invalid due to programmer error.

If Windows Update can download software onto your machine without your knowledge, and if it can do so without notifying you, it can download buggy software onto your machine without notifying you. In a corporate environment where software must be vetted through the IT department before it's released to the masses, this is particularly worrisome. It's not the IT Staff that we're worried about here: it's some bloke at Microsoft accidentally releasing prerelease software through this stealth update mechanism.

Yes, it's a theory, and a hypothetical situation at best. But here's the scary part: it can happen, and it already has, at least once, and it affected a LOT of users. So those who casually dismiss it as "nothing to worry about" are viewing the situation with rose colored glasses.

So while I won't tell everyone that they should be panicking and seeing conspiracies everywhere, I would tell them that they shouldn't so easily dismiss a very real concern, and that they should definitely view the situation with its due gravity. Windows components are tightly integrated; patching one of them could easily break others, and assuming that a patch to Windows Update is a perfectly safe operation is misguided and a sure way to set yourself up for a nasty surprise down the road.

The Joy of Slowing Down

A couple of things happened when I decided to go public with NValidate. First, I decided to rewrite it from scratch. There were suggestions I'd received from others that I really wanted to incorporate, and I didn't want to do them piecemeal. I also wanted to review the design and architecture, and that gave me the opportunity to decide exactly what it was that I was trying to accomplish, who my users were going to be, and what I wanted them to be able to do with it once I released it.

I also decided to switch languages. I'm in the process of porting NValidate from VB.NET to C#, and I'm enjoying the experience thoroughly. While I'm doing that, I'm fully embracing test-driven development.

All of these things together have combined themselves to force me to slow down in my approach to the development of NValidate. It's startling to reflect back on my professional experience as a software developer and realize just how haphazard much of it has been. Part of that haphazardness has been my own doing, but a very large part of it has been due to the rushed nature of software development in general.

We always seem to be in such a big hurry to get things done that we cut corners in all the wrong places. A vague statement describing a problem somehow becomes the vision statement which in turn becomes the requirements specification. We slap together a prototype, and somehow the prototype becomes the product. We shortchange testing, shortchange defect resolution times, shortchange staffing ratios, and yet still want it out the door on time. We cut features, go cheap on the aesthetics and documentation, and rush a piece of crap out the door just to beat the competitor to the market. All because the first guy to home base usually captures the market share.

God, how I wish that would change.

It's obvious when you're forced to use a product that was rushed out the door or that was cheaply made. And that's any product; it's not just software. Typically, you know within a few moments of having to use it. It either lacks the features you thought it had, it lacks the power to do any real work, or it breaks too frequently to be of any real use. Some of them, while useful, are so gaudy that you would never leave them out where your friends or family could see them. It's embarrassing to have to use them.

It bothers me to think that some of the software that I've had to work on the past, and some of the software that I've designed in the past, is of that caliber: it's only fit to be shoved into a kitchen junk drawer.

That kind of software need not be a mandate. Rather, it can be a thing of the past if I take the time to slow down and make useful, powerful, well-designed software that people are actually excited to use. But that requires slowing down, and thinking my way through the design, the requirements, the architecture, what the consumers actually want and need, and how to give it to them in a way that compels them to use it.

And that's where my experience with NValidate comes in. (You knew I had to be going somewhere, right?) I've had to stop and think my way through the design and architecture all over again. It's not just me that's going to use it. What do other folks likely want from something like this? How will they use it? How should it perform for them? What languages will they use (programming and spoken)? What are the big design goals (performance, memory footprint, extensibility, maintainability, etc.)?

So in the process, I actually get to do it right. And it's refreshing. I have a vision. I have the design priorities. I have the platform selected, and I have the language selected (and a compelling reason for the language: it's an open standard). I have a rough idea of what I think the end users will expect from it. I have the base architecture sketched out and documented. When I code, I write the test cases first, and then code to satisfy the test cases. There's no fluff. It's lean. It's clean.  

Slowing down is a joy. There's no panic involved here. I'm enjoying the project, and I'm looking forward to its initial release. I'm not even really worried about whether or not it's widely accepted by the masses. The opportunity to develop a piece of software that's well documented, using a slow, steady approach to its development instead of a rushed, haphazard approach is rewarding and fulfilling in ways that I never imagined.

I've got twenty years and counting under my belt as a software developer. The vast majority of that time has been spent working at companies where "best practices" were either unknown, paid lip service to, or looked upon as something that were typically beyond the fiscal reach of the firm. But my experience with NValidate has taught me something surprising: my confidence in the product is leaps and bounds ahead of anything I've written before. Granted, it's not rocket science, but I am left wondering if that same degree of confidence isn't directly transferable to larger projects were we to adopt the mantra, "Slow and steady wins the race."

Slow and steady, careful and methodical. Take your time, think your way through the product, and stop rushing through everything. Invest the time you need to design, architect, plan, code, and test. Don't shortchange yourself or your customers in the name of "time to market." While there's always something to be said for getting something out the door, I'd like to think that most customers would rather have something that works and works well, rather than something that looks pretty and blows their foot off.