Why Microsoft code leak worries me

Why Microsoft code leak worries me

Summary: If allowing some users to see Windows source code puts the security of the product in danger, then why not just keep the whole thing secret?

SHARE:
TOPICS: Tech Industry
22
I've been following with interest the news about portions of the Windows NT and Windows 2000 source code being leaked onto the Internet. While many of the details may be filled in by the time you read this, as I write there's still a lot we don't know.

I don't, for example, know where the leak came from. While that bit of information will probably be tracked down eventually, we may never really know how much damage the leak might cause. I mean, nobody's going to build a pirate operating system from 600MB of code -- not when the operating system it comes from runs to 40GB. But that doesn't mean the leak is harmless.

Until we know more about how the code ended up in the wrong hands, and until Microsoft tells us precisely what code was released, it will be hard to decide what the leak really means. But let me speculate anyway and offer my own personal assessment.

Microsoft has been sharing code with select customers for some time now. The company could use this leak as an excuse to close down at least some of those sharing agreements. If the code release can be traced to any of these licensees, Microsoft would seem to have a justification in shutting that door.

A Microsoft exec has already been quoted as saying that the code sharing is too important to kill just because of this leak. But how many times must this happen before code security becomes more important than customer pacification? Let this happen another dozen times, and a lot of code will be making the rounds -- enough to constitute a serious security breach. A gigabyte here, a gigabyte there, and pretty soon you're talking a real loss.

I'm not a conspiracy theorist, but it's always possible that someone at Microsoft -- without any corporate authority -- leaked the code. That someone could have done so for any of a number of reasons.

Perhaps this theoretical employee wanted to put pressure on the code-sharing program. Or maybe it was an effort to pressure customers into dumping NT and 2000 ("the compromised operating systems") in favour of XP or, eventually, a more secure Windows Longhorn. (Of course, compromise these two OSes and you're as likely to see customers rushing to Linux as staying with Microsoft.) Or maybe it was done out of sheer malice.

Considering the possible sources and motives for the code release quickly becomes mind-numbing, so I'll stop right there. Let's just say this could play out in any number of ways. Maybe it will just fade from the news, never to be thought of again. But if you're Microsoft or one of the code-sharing customers, who will presumably face more stringent security requirements as a result of the release, I doubt it.

As a Microsoft customer who doesn't have access to the code, I'm much more interested in keeping the source code secure than in the desires of a few customers to have the code for themselves. Given that Microsoft is target number one for the world's bad guys, I think that protecting its source code almost rises to the level of a national security issue, considering the downside of having a large portion of the world's computers compromised.

For us mere customers, this points out how dependent we've become on products whose security is important to us but which we are in no position to control. Of course, the same could be said for even more important products, like electricity and water, but losing lots of important data and having to rebuild major business systems would be right up there in terms of revenue loss.

So here's my bottom line: I don't want Microsoft handing out source code for the products I use and I wish it would stop. I couldn't care less about the desires of big corporate customers, governments, or the Linux community, which want Microsoft to show them its source code.

Considering the consequences of releasing the code, which are more than theoretically catastrophic, and since releasing it to corporate accounts and universities seems only to guarantee its eventual release into the hands of every malcontent on the planet, I just don't see the value in it.

Topic: Tech Industry

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

22 comments
Log in or register to join the discussion
  • I'm with you on this one, David. Releasing Windows source code into the wild is just giving ammunition to the idiots who are prepared to create worms like MyDoom simply to further their own anti-Microsoft/SCO agenda. As you mentioned, we might as well release the blueprints of every weapons platform in our defence systems.
    anonymous
  • Maybe it's time to reconsider your status as a Microsoft customer. They have demonstrated longstanding ineptness at making a modern, secure, plug-and-play, or easy to use operating system, and with this latest problem I think the time is right to jump ship.

    Linux and Apple offer viable alternatives with the latter allowing full conectivity and compatibility with Microsoft machines and file formats. Only my opinion, but I think there is a better way ;)
    anonymous
  • How sure can you be of an OS when leaked source code can be the source of threats to users? (Contrast this case with the OpenSource movement where all code is available). Shouldn't I be scared that these "vulnerabilities" in the code are already known and being exploited by malicious users/organisations? In the bottom line, keeping the code secret from the wide public should make me sleep easier?
    anonymous
  • The very fact that the code protecting data as sensitive as you make it out to be will not stand public scrutiny should worry you. It certainly worries me.

    And this is surely the case that OSS advocates have been making for years. Keep user applications closed, sure, but the underlying technology - OS's, protocols and server software - should be open to guarantee that it can stand up to public scrutiny.

    No one worries that all the source for apache and linux is open to any blackhat out there do they? People don't worry that their linux router will be cracked because the source is available to whoever wants it.

    So why are we so worried about MS Windows code being out there?
    anonymous
  • If Microsoft wrote better code in the first place then we would not have to worry. These partners need Windows source so that they can devlop software for there OS there is no other way around it.
    anonymous
  • Security through obscurity has never worked, and promoting it is a bad idea. If you worry about security exploits from code leaks it is time to look at a more secure OS that has had its code open and available since inception: OpenBSD or linux.
    anonymous
  • Who said the Linux community wants to see Microsoft's code? I'd say open source software is doing pretty well by itself, thank you very much.
    anonymous
  • Great hindsight, and I agree.... it *was* a bad idea. Another bad idea, from Microsoft. But reality is, the code has been released, even to the government of China. Not exactly the best of US allies.

    The damage has been done, the source code released, though not much, yet, into 'the wild'. It has been released to way too many companies and governments. Now, people really really do need to consider other OSs, Linux, Mac OS X, BSD, AIX, I don't care. Use something else, anything other than Microsoft. If not we are in severe danger.
    anonymous
  • I can't say that it bothers me one little bit!

    My opinion (for what its worth) is that Windows is just as safe as the next operating system. I don't believe that any other operating system is safe, whether you can see the code or not.

    Just because Linux or Unix or whatever doesn't have so many high-profile security issues, you don't have to look very far in the news, websites or forums to realise that they are happening to other operating systems.

    This is a global issue and will require a global solution. Petty point scoring isn't the answer. Tougher action needs to be taken on these hackers and virus writters. Let them think about their anti-Microsoft/anti-society prank with 15 years in jail.

    Hacker & Virus writters are digital terrorists, criminals and nothing more, not technical evangelist. They get in the way of my right to choose and I HAVE CHOSEN. If they aren't happy with my choice well frankly it's none of their business.

    If you want to use Linux, fine! If you want to use Microsoft, fine! Choice, it's a wonderful thing, this is what democracy gives us. Think about that the next time you close your mind.
    anonymous
  • The Linux Community most definitely does NOT want to see Microsoft's code, since this could potentially open the door to frivolous copyright-violation lawsuits.

    The Shared Source scheme was entirely Microsoft's idea, being Microsoft's response to the freely available GNU/Linux source code.
    anonymous
  • Any cracker (hacker is different) worth her/his weight should/would already know how to reverse engineer Microsoft's code. Any one who has studied operating systems will know about inference and agregation, and with little clues and extra tools, will be able to figure out what exactly the system is doing at points in time.

    This release -(the sceptic in me is more likely to think it is a Microsoft plot)- actually carries little weight and one would believe that it would do more to assist Microsoft than it would the cracker community - the reverse being the case for the latter. "An exploitable secret is one that you do not know that I know" - kind of attitude.

    Microsoft's products, irrespective of the money the organisation makes, are adequate class "C" systems- in terms of security. One does not presume that it is/was the fundamental intent of its designers to produce anything better, so why should its customes expect to have bought anything better than what they paid for. As the old saying goes - "If it walks like a duck"....
    anonymous
  • I don't believe any OS can be made absolutly bullet-proof and that dedicated hackers will be able to break down code either by reverse engineering or by access to the source and find a vunerability.

    The dfference here is two fold, first the target community. If Windows is the more prodomient system it is going to be the OS of chioce to break into esp given the 3 of users who don't update and patch or hang on to old versions (Win95) of software

    The second is fact that there are varying skill levels amongst the hacking community from the so called script kiddies to the 'digital terrorists' and while the script kiddies tend to prey on the people who don't patch or run anti-virus programs but they are the more prodominate.
    anonymous
  • There are all too many who believe that the only reason that MSoft products are being hacked to the degree they are is because they are so prevalent.

    One would be inclined to believe that nothing is further from the truth. Instead, it would possibly be best to maintain the view that Microsoft products are, by their very nature, not geared towards delivering high security - due to the fact that they have not been historically required to protect the kind of data that could be deemed important enough to justify such protection. MSoft products are meant actually for individuals who do not require such security - and if their hard disk data gets blown away, well... not much damage done in the grand scope of things.

    Linux, due to its very design, is built with different intentions and is highly flexible and can be scoped to such levels. It is in fact a different beast derived from a different set of requirements - the two are just not comparable.
    anonymous
  • Who said this "the Linux community, which want Microsoft to show them its source code" if there exists one community at all. And about security at risk, wasn't that playing around already for decades? No matter that this peace of crap of ms has found it's way out, the very nature of the windows architecture yearns for leaks and flaws to be found and exploited. Maybe come back and write with knowledge about these issues rather than babbling a bit around, even the names of the involved company, the name of the person within that company and the particular computer from which the leak stems have been mentioned days ago. Why should we read this and why should you be paid for this crap.
    anonymous
  • @ the editors of ZDNet. Hereby I recommend myself as a freelance journalist for background information and raising public opinion regarding it issues. I have build up a long standing reputation as an it analyst (not of the quality of a certain Laura D. who time and again is wide of the mark). And I KNOW WHAT I'M TALKING ABOUT.
    anonymous
  • I don't think windows is as bad as the oss-community likes to think.
    If only linux (or the others) had a market share as big as microsofts it would be proven insecure by numerous attacks and exploits.
    At this point linux just isn't very interresting to digital terrorists, because (compared to windows) hardly anyone uses it...
    anonymous
  • You could be right, hope things will change and then we'll see.
    anonymous
  • If MicroShaft didn't charge so much for their Operating systems in the 1st place, nobody would care to push the source out or pirate their software. Do we see the start of a MicroShaft rebellion? Lets hope so!
    anonymous
  • "Given that Microsoft is target number one for the world's bad guys"

    I keep hearing this or comments like "Microsoft is the (frequent) victim of [viruses, worms, etc.]" and it's so obviously wrong.

    *MICROSOFT* is not the victim of these viruses/security problems, etc. It is the Microsoft USERS and CUSTOMERS who are.
    anonymous
  • I suppose the idea behind this article is alright, but fundamentally flawed. Any IT professional should know that security through obfuscation is NO substitute for writing good, secure code. This is why the code that people truly feel they can rely on (eg certain encryption algorithms) are public domain.

    What worries me is the fact that mere weeks after code has been leaked (and this is only a tiny snippet), people are finding bugs already. Doesn't look good for Palladium, or whatever they want to call it these days - would you trust it?
    anonymous