Coffeehouse Thread

11 posts

The Code Room - what did you think?

  • irascian

    I hate to be the "curmudgeon in residence" around these parts, but I have to ask what on earth Microsoft is thinking with the latest edition of "The Code Room".

    Personally I enjoyed the first episode even if the people were a bit irritating (the whole point of successful reality shows anyway). The second one was a brave but failed attempt to shake the format up a bit after weak reviews of the first, but the third is ... well WHAT is it?

    Larry thinks it's worth half an hour to view.

    Much though I admire Larry I beg to differ. Half an hour of wasted time learning absolutely nothing.

    What on earth is a developer supposed to take away from this episode? A couple of references to "threat modelling" and "cross site scripting" that might look sufficiently interesting to be worth typing into Google?

    The educational value is as close to zero as it's possible to get.

    Is it just meant to be light-relief entertainment? It's beautifully shot and edited and the presenter is attractive in a ballsy rock chick kind of way. The thing must have cost a fortune because the production values are very high, with only the "actors" letting the thing down a little. Helicopters and fast cars don't come cheap. This glossy content-free production is almost the antithesis of the "cheap and nasty but usually informative" Channel 9 video.

    As such it seems very odd that they're posted here on Channel 9!

    I have to ask, is it just me? And if it's not, what on earth were the project sponsors thinking? What exactly is the aim of this latest episode? To show us that hacking is cool? To show us that beating hackers is cool? To show us that working for Microsoft means you get to fly in in a helicopter?

    I'm honestly confused! Personally if getting the security message across to developers was the aim I'd have spent the money on getting a bunch of free copies of "Writing Secure Code" or the MCAD/MCSD "Implementing Security for Developers" training kit out to them. Or I'd have explained some of the basic terminology. Not written a cod Vegas story with really hokey performances.

    Personally I think this episode has probably killed the whole series (unless I'm way out of whack on estimating what it's likely to have cost). Which, on the back of the .NET Show being canned, is NOT good news. Channel 9 videos are great for some areas but other areas and other audiences need the more professional production that these shows had to get the message across to the required audiences.

    What do others think?

  • Born2Run

    I tried watching the first episode, but very, very quickly lost interest. There was sooooo much marketing and soooo little valuable content for us developers.

    Will definitely not be watching any further episodes. Am not about to waste more time on this series.

    The presenter is cute though.

  • SlackmasterK

    I really enjoyed the first two episodes. Seemed to me the first episode played a bit too strongly on the geeky food consumption behaviors, but I'm willing to let that slide. What I find amusing is that I actually caught the "NetworkSteam" problem in Episode 2 before they did! I was expecting to see a line somewhere in there like "hey, man, why don't you double-check the Half-Life of line 392?". It would have made a funny allusion.

  • Zaki

    irascian wrote:
    The educational value is as close to zero as it's possible to get.

    Is it just meant to be light-relief entertainment?
    [...]
    I'm honestly confused!
    [...]
    Personally I think this episode has probably killed the whole series


    I really agree with you. Who is the intended audience here? Developers? No, we (usually) already know that SQL injection is bad. IT professionals (IT managers)? I don't think so, not with this title anyway. Wannabe-hackers? Not probable. That is the source of confusion.

    However what would have been very cool - and more in line with previous episodes, especially the very good first one - is if they did set up two real teams and give them the two goals: break in the system and protect the system. Not a real casino, just some test system. That would have been quite intense but focusing mainly on the technical part - that does not mean no "surprises" from the producers.

    And I really hope this series is not killed yet, just experimenting a bit, trying to set up the constraints to delivering a constantly amazing show.

  • Mark Brown

    irascian wrote:
    I hate to be the "curmudgeon in residence" around these parts, but I have to ask what on earth Microsoft is thinking with the latest edition of "The Code Room".


    In fact, it IS supposed to be entertaining. You are among a laudable but small group of developers who are confident writing secure code. An overwhelming majority of developers are in fact not confident in this regard.

    This show is an attempt to present these topics in a way that is fun to watch and point them to resources which can help them learn more about writing more secure code which I think we can all agree is a good thing.

  • lars

    Holy cow. Who is the intended audience for this video? If it’s a marketing video trying to make security look cool and interesting for your average teenage Hollywood audience I guess it’s okay. They’re even playing the "cute and sexy hostess" card. But next time, get better actors.

    Now, where is that roll-eyes smiley when you need it...

  • dotnetjunkie

    Mark Brown: I liked it, it was entertaining but educational at the same time, for a large audience.  I sent it to a few friends, who are not developers, and I'm sure it opened up their eyes!
    So the video accomplishes its goal very well.

    Already looking forward to the next episode!
    Keep up the good work!

  • Angus

    I really thought that it was great, I am definitely going to watch the next episodes.

    Angus Higgins

  • Mark Brown

    lars wrote:
    But next time, get better actors.


    Really? I thought it would be fun to have real developers (in fact, security experts) play the principal roles instead of actors, but if developers think that stinks then I'm not sure what to think.

    btw, if anyone is curious feel free to Google these guys to find out who they are and what they do. They are definitely NOT actors.

  • Caleb Sima
  • Duane LaFlotte
  • Joel Scambray
  • Rick Samona
  • Frank Swiderski
  • Keith Brown
  • John Viega
  • Joe Stagner

    Edit: In fact it appears as though three of our cast have appeared here before on Channel 9.

    Frank Swiderski on Threat Modeling
    Duane La Flotte on the Crypto API (or CRAPI as I jokingly call it) Actually I love this API.
    And finally John Viega, via cite by Charles for co-authoring the 19 Deadly Sins of Software Security.

  • cheong

    Agreed, little useful information can be taken from it.

    In the video, the (probably) useful things I noticed are:
    1) If you don't consider security at the beginning of building the system, it's likely to cost you an expensive lesson.
    2) Once the bad guys get their way in, it's difficult to get them out.
    3) SQL injection is bad, but can be combated by some validation controls. (If you use the SQL parameter properties, you have some level of defence against this?)
    4) The identity of the session owner should be verified (while I think in ASP.NET, some of the verification is done in Viewstate already).

    Most of them are considered "common sense" for developers. But if the video is called "The Code Room", I think it'd be appropriate to have an add-on video further elaborating these points (such as a brief guide on how to actually implement the defense, etc.).

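A worked illustration of cheong's point 3, added here as an example and not code from the show or from anyone in this thread. It builds a login query two ways, by string concatenation (the vulnerable form) and with bound parameters (the defence cheong asks about), then runs the same two classic payloads against each. It uses Python's built-in sqlite3 so it runs offline; the table, accounts and payloads are constructed for the demo, and the same principle applies to SqlCommand.Parameters in ADO.NET. It also shows the one gap parameters leave open: identifiers such as an ORDER BY column cannot be bound and still need an allow-list check.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, pw, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "player")],
    )
    conn.commit()
    return conn


def login_concat(conn, name, pw):
    """VULNERABLE: user input is spliced into the SQL text, so quotes and
    comment markers in the input change the statement's meaning."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, name, pw):
    """HARDENED: placeholders hand the input to the engine as data values;
    it is never parsed as SQL, so the same payloads simply fail to match."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    row = conn.execute(sql, (name, pw)).fetchone()
    return row[0] if row else None


ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn, column):
    """Caveat: parameters only cover values. Identifiers such as a column
    name in ORDER BY cannot be bound, so validate them against an allow-list
    before they go anywhere near the query text."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {column!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {column}").fetchall()
    return [r[0] for r in rows]


def run_demo():
    """Exercise both versions with a normal login and two classic payloads."""
    conn = make_db()
    bypass_pw = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1'
    comment_name = "alice' --"  # '--' comments out the password check
    results = {
        "concat_valid": login_concat(conn, "alice", "s3cret"),
        "concat_or_bypass": login_concat(conn, "nobody", bypass_pw),
        "concat_comment_bypass": login_concat(conn, comment_name, "wrong"),
        "param_valid": login_param(conn, "alice", "s3cret"),
        "param_or_bypass": login_param(conn, "nobody", bypass_pw),
        "param_comment_bypass": login_param(conn, comment_name, "wrong"),
        "sorted_by_role": list_users_sorted(conn, "role"),
    }
    try:
        list_users_sorted(conn, "role; DROP TABLE users")
        results["identifier_rejected"] = False
    except ValueError:
        results["identifier_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:24} {value!r}")
```

Running it shows the concatenated query logging in "alice" for both payloads without the password, while the parameterised query returns no match for either; input validation on top of that is worthwhile, but it is the binding, not the validation, that removes the injection.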
  • LarryOsterman

    Mark Brown wrote:
    lars wrote: But next time, get better actors.


    Really? I thought it would be fun to have real developers (in fact, security experts) play the principal roles instead of actors, but if developers think that stinks then I'm not sure what to think.

    btw, if anyone is curious feel free to Google these guys to find out who they are and what they do. They are definitely NOT actors.  

  • Caleb Sima
  • Duane LaFlotte
  • Joel Scambray
  • Rick Samona
  • Frank Swiderski
  • Keith Brown
  • John Viega
  • Joe Stagner

    Edit: In fact it appears as though three of our cast have appeared here before on Channel 9.

    Frank Swiderski on Threat Modeling
    Duane La Flotte on the Crypto API (or CRAPI as I jokingly call it) Actually I love this API.
    And finally John Viega, via cite by Charles for co-authoring the 19 Deadly Sins of Software Security.

    Btw, I'm with Mark. I think that Stagner did a very credible job as host, and the show was way more real with people who actually had street cred.

    Personally, I think you should have had the hacker team built from guys like David Litchfield and other notable vulnerability researchers (the guys from eEye, etc), but that might be cutting things a smidge close.

    One day, I'm hoping that people will finally understand that every system out there is vulnerable, unless it's been through a rigorous development process like the SDL that builds secure design into the product. One of the things I absolutely loved about this video is that both of the vulnerabilities presented would have been mitigated with proper threat modeling and analysis.

    Personally, I wish the video had included another vulnerability like a buffer overflow that was caused by an incorrect use of strcpy() into a stack buffer (which shows that even with proper modeling and analysis, you STILL can't write crappy code).  The nice thing about that particular threat is that the techniques that we've been discussing for years in both Howard, Leblanc and Viega's 19 sins and Howard and Leblanc's Secure Code help to mitigate that threat. 

    But I didn't write the episode, so...
