Microsoft officials are downplaying the security aspect of the leak of the Windows 2000 and Windows NT 4.0 source code. "The leak was not a breach of our internal security, it was not a breach of corporate network security and it was also not a breach of the Shared Source or Government Security programs or from one of those licensees. The code also did not come through the Code Center Premium, the mechanism we use to deliver source code to customers," said Jason Matusow, Microsoft's Shared Source Program director, in Redmond, Wash.
Microsoft's response is not sitting well with some customers and developers. "The code leak was a fairly serious event, both for consumers and for Microsoft itself. Downplaying the issue is standard Microsoft damage control, but there will be consequences for that leak," John Persinger, an internal network administrator for Source4 Inc., in Roanoke, Va., told eWEEK. "We run on the realistic knowledge that our network is, and always will be, subject to potential threats. We do all we can to maintain the most active awareness of threats to both us and to our customers, but events like the code leak don't help."
Bob Duerr, president of Integrated E-com, in Naperville, Ill., takes the code leak seriously. "This is a breach of the very code that is the core of what we use today in our business, Windows 2000. Even little pieces can be put together to give insight into where a hacker may insert trouble and breach security," Duerr said, adding that Microsoft must assume responsibility for the leak.
"The buck has to stop somewhere. This is no different than Coke keeping their secret formula for their cola. The bigger issue is that they should have had contingency plans if this happened," Duerr said.
Brian Riley, a senior programmer and analyst at a publicly traded health care services company, also points to Microsoft's security record. Riley said that "from a user standpoint, Microsoft products have never been secure and have gotten even less so." But unless there are some serious exploits as a result of the leaked code, he does not expect that to have any impact on his company. "Security has tightened up quite a bit around here since Slammer, Nimda and Blaster," he said.
In defending Microsoft and its security initiatives, Matusow said, "I think our candidness around security vulnerabilities and our response mechanisms are part of the effort to show that we are dealing with these issues head-on. But I understand how customers make the leap of logic that the leak represents further proof to them of security concerns," he said.
"We've been sharing Windows source code for 13 years, and many eyes have looked at that code. Maybe we haven't done a good-enough job telling the source code story. It appears that many people think this is the first time anyone has ever seen Windows source code," Matusow said.