The leak of some of Microsoft Corp.'s Windows source code on the Internet last month has elevated the discussion about why the software company believes it needs to protect its code so fiercely when other vendors are more liberal with access to their proprietary source code. The leak has also raised doubts about Microsoft's commitment to, and ability to effectively deal with, the security of its products.
Microsoft officials are downplaying the security aspect of the leak of the Windows 2000 and Windows NT 4.0 source code. “The leak was not a breach of our internal security, it was not a breach of corporate network security and it was also not a breach of the Shared Source or Government Security programs or from one of those licensees. The code also did not come through the Code Center Premium, the mechanism we use to deliver source code to customers,” said Jason Matusow, Microsoft's Shared Source Program director, in Redmond, Wash.
Microsoft's response is not sitting well with some customers and developers. “The code leak was a fairly serious event, both for consumers and for Microsoft itself. Downplaying the issue is standard Microsoft damage control, but there will be consequences for that leak,” John Persinger, an internal network administrator for Source4 Inc., in Roanoke, Va., told eWEEK. “We run on the realistic knowledge that our network is, and always will be, subject to potential threats. We do all we can to maintain the most active awareness of threats to both us and to our customers, but events like the code leak don't help.”
Bob Duerr, president of Integrated E-com, in Naperville, Ill., takes the code leak seriously. “This is a breach of the very code that is the core of what we use today in our business, Windows 2000. Even little pieces can be put together to give insight into where a hacker may insert trouble and breach security,” Duerr said, adding that Microsoft must assume responsibility for the leak.
“The buck has to stop somewhere. This is no different than Coke keeping their secret formula for their cola. The bigger issue is that they should have had contingency plans if this happened,” Duerr said.
Brian Riley, a senior programmer and analyst at a publicly traded health care services company, also points to Microsoft's security record. Riley said that “from a user standpoint, Microsoft products have never been secure and have gotten even less so.” But unless there are some serious exploits as a result of the leaked code, he does not expect that to have any impact on his company. “Security has tightened up quite a bit around here since Slammer, Nimda and Blaster,” he said.
In defending Microsoft and its security initiatives, Matusow said, “I think our candidness around security vulnerabilities and our response mechanisms are part of the effort to show that we are dealing with these issues head-on. But I understand how customers make the leap of logic that the leak represents further proof to them of security concerns.”
“We've been sharing Windows source code for 13 years, and many eyes have looked at that code. Maybe we haven't done a good-enough job telling the source code story. It appears that many people think this is the first time anyone has ever seen Windows source code,” Matusow said.
Microsoft has long maintained that its code is its most valuable intellectual property, often dubbed the “crown jewels,” and has thus aggressively restricted access to that code. But other software companies, such as Sun Microsystems Inc., of Santa Clara, Calif., are less worried about sharing their source code with customers, developers and academic institutions.
Programmer Riley said he believes that, among software vendors, IBM probably does the best job of keeping its source code secure while still letting those who need to see it do so.
John Fowler, Sun's chief technology officer for software, said Sun is much less protective of its Solaris and Java source code. Sun is also meeting with those parties who are pushing for an open-source implementation of Java.
“We take a far more laid-back approach,” Fowler said. “We license the source code fairly liberally and quite widely. Solaris source code is licensed to hundreds of academic institutions for $100; we also have 50 commercial licensees. We are in general happy for people to look at the source and tell us what we ought to be changing—developers, partners and academic institutions—and allow them to download the actual code, which they can change as long as this is for noncommercial reasons,” he said.
Fowler said Sun is fundamentally different from Microsoft with regard to its source code. “Preventing access to my source is not central to my business model,” he said. “Preventing access to source is central to their business model, as is trying to avoid having people have compatible implementations of protocols, data formats and other things.”
But Microsoft's Matusow disputes that claim, saying Fowler is muddling some ideas relative to standards and the role that standards play for things like communication protocols.
“He is ignoring the fact that we have published, under the Consent Decree, more than 280 application programming interfaces but also made available for licensing the communication protocols for both client and server,” Matusow said. “Aside from those issues, he is correct that if you release all of your source code, then you do have an impact on competitive differentiation.”
It's hard to argue that Microsoft has not enabled an ecosystem around Windows, which supports some 75,000 applications, Matusow said, adding that Microsoft also won the Best in Show award at LinuxWorld in 2003 for interoperability with its Services for Unix product.
“[Fowler] may very well be giving away more of the source,” Matusow said. “But I can't comment on the effect of that on Sun's business model except to say that you can judge that for yourself.”