Why Microsoft code leak worries me

If allowing some users to see Windows source code puts the security of the product in danger, then why not just keep the whole thing secret?

I've been following with interest the news about portions of the Windows NT and Windows 2000 source code being leaked onto the Internet. While many of the details may be filled in by the time you read this, as I write there's still a lot we don't know.

I don't, for example, know where the leak came from. While that bit of information will probably be tracked down eventually, we may never really know how much damage the leak might cause. I mean, nobody's going to build a pirate operating system from 600MB of code -- not when the operating system it comes from runs to 40GB. But that doesn't mean the leak is harmless.

Until we know more about how the code ended up in the wrong hands, and until Microsoft tells us precisely what code was released, it will be hard to decide what the leak really means. But let me speculate anyway and offer my own personal assessment.

Microsoft has been sharing code with select customers for some time now. The company could use this leak as an excuse to close down at least some of those sharing agreements. If the code release can be traced to any of these licensees, Microsoft would seem to have a justification in shutting that door.

A Microsoft exec has already been quoted as saying that the code sharing is too important to kill just because of this leak. But how many times must this happen before code security becomes more important than customer pacification? Let this happen another dozen times, and a lot of code will be making the rounds -- enough to constitute a serious security breach. A gigabyte here, a gigabyte there, and pretty soon you're talking a real loss.

I'm not a conspiracy theorist, but it's always possible that someone at Microsoft -- without any corporate authority -- leaked the code. That someone could have done so for any of a number of reasons.

Perhaps this theoretical employee wanted to put pressure on the code-sharing program. Or maybe it was an effort to pressure customers into dumping NT and 2000 ("the compromised operating systems") in favour of XP or, eventually, a more secure Windows Longhorn. (Of course, compromise these two OSes and you're as likely to see customers rushing to Linux as staying with Microsoft.) Or maybe it was done out of sheer malice.

Considering the possible sources and motives for the code release quickly becomes mind-numbing, so I'll stop right there. Let's just say this could play out in any number of ways. Maybe it will just fade from the news, never to be thought of again. But if you're Microsoft or one of the code-sharing customers, who will presumably face more stringent security requirements as a result of the release, I doubt it.

As a Microsoft customer who doesn't have access to the code, I'm much more interested in keeping the source code secure than in the desires of a few customers to have the code for themselves. Given that Microsoft is target number one for the world's bad guys, I think that protecting its source code almost rises to the level of a national security issue, considering the downside of having a large portion of the world's computers compromised.

For us mere customers, this points out how dependent we've become on products whose security is important to us but which we are in no position to control. Of course, the same could be said for even more important products, like electricity and water, but losing lots of important data and having to rebuild major business systems would be right up there in terms of revenue loss.

So here's my bottom line: I don't want Microsoft handing out source code for the products I use and I wish it would stop. I couldn't care less about the desires of big corporate customers, governments, or the Linux community, which want Microsoft to show them its source code.

Considering the consequences of releasing the code, which are more than theoretically catastrophic, and since releasing it to corporate accounts and universities seems only to guarantee its eventual release into the hands of every malcontent on the planet, I just don't see the value in it.