Microsoft Code in Captivity

Microsoft's code leak increases criticism of the company's practice of tightly controlling its source code.

The leak of some of Microsoft Corp.'s Windows source code on the Internet last month has elevated the discussion about why the software company believes it needs to protect its code so fiercely when other vendors are more liberal with access to their proprietary source code. The leak has also raised doubts about Microsoft's commitment to, and ability to effectively deal with, the security of its products.

Microsoft officials are downplaying the security aspect of the leak of the Windows 2000 and Windows NT 4.0 source code. "The leak was not a breach of our internal security, it was not a breach of corporate network security and it was also not a breach of the Shared Source or Government Security programs or from one of those licensees. The code also did not come through the Code Center Premium, the mechanism we use to deliver source code to customers," said Jason Matusow, Microsoft's Shared Source Program director, in Redmond, Wash.


Microsoft's response is not sitting well with some customers and developers. "The code leak was a fairly serious event, both for consumers and for Microsoft itself. Downplaying the issue is standard Microsoft damage control, but there will be consequences for that leak," John Persinger, an internal network administrator for Source4 Inc., in Roanoke, Va., told eWEEK. "We run on the realistic knowledge that our network is, and always will be, subject to potential threats. We do all we can to maintain the most active awareness of threats to both us and to our customers, but events like the code leak don't help."

Bob Duerr, president of Integrated E-com, in Naperville, Ill., takes the code leak seriously. "This is a breach of the very code that is the core of what we use today in our business, Windows 2000. Even little pieces can be put together to give insight into where a hacker may insert trouble and breach security," Duerr said, adding that Microsoft must assume responsibility for the leak.

"The buck has to stop somewhere. This is no different than Coke keeping their secret formula for their cola. The bigger issue is that they should have had contingency plans if this happened," Duerr said.


Brian Riley, a senior programmer and analyst at a publicly traded health care services company, also points to Microsoft's security record. Riley said that "from a user standpoint, Microsoft products have never been secure and have gotten even less so." But unless there are some serious exploits as a result of the leaked code, he does not expect that to have any impact on his company. "Security has tightened up quite a bit around here since Slammer, Nimda and Blaster," he said.

In defending Microsoft and its security initiatives, Matusow said, "I think our candidness around security vulnerabilities and our response mechanisms are part of the effort to show that we are dealing with these issues head-on. But I understand how customers make the leap of logic that the leak represents further proof to them of security concerns."

"We've been sharing Windows source code for 13 years, and many eyes have looked at that code. Maybe we haven't done a good-enough job telling the source code story. It appears that many people think this is the first time anyone has ever seen Windows source code," Matusow said.
