Is Microsoft going out of business due to the source-code leak on Thursday: Not!
Im starting to wonder if the security industry has lost its mind. For most of the morning Ive been hearing security “experts” say that the leak of Microsofts source code is a huge exposure for the company.
These same security experts often favor Unix and Linux for secure deployments—both now Open Source products where virtually all of the code is available on the Web. This leak is embarrassing, sure, but life threatening? Please….
Lets take a deep breath and go back and look at the issue. Microsoft has been strongly anti-open source, arguing that widely distributing source code could result in security problems. But so far open source hasnt suffered from these types of problems.
Crackers have taken the path of least resistance. Its easier to create a virus or attack based on a security bulletin then to do the hard discovery work needed to identify the exposure from scratch. And thats regardless of whether the source code was “open” or not.
Microsoft was created in an era where people kept intellectual property close. The belief at that time was that secrecy provided better protection then a patent or copyright.
The premise was, and is: If only you knew it, then no one else could copy it. The act of patenting something, according to popular belief, could reduce your competitive advantage because others could duplicate what you had just by obtaining the patent.
Often that secrecy was part of the marketing campaign—the “secret Coke formula” or the “Secret Sauce.” In Jacks case (from Jack in the Box), at least, it wasnt so special. It turned out to be simply Thousand Island dressing.
But that mystery ingredient let companies like Bayer sell generic products at premium prices. When it comes to cola, most cant tell the difference in a blind test between Coke and brand X. But theyll pay more for Coke because of a perceived taste advantage.
: Food yes, Software no”> While secret recipes have added value—and even saved mystery meat like hot dogs—software buyers arent as sanguine. Big customers have demanded access to the secret sauce to conduct their own due diligence: to identify problems, make systems work better, or to simply discover how the darned stuff works.
With roots in education, much of the Unix code has been widely available for decades. Some of the Unix variants (Digital Unix, HP-UX, and Solaris) had significant secret parts, but the core technology was there for all to see.
Linux started out as a community project, and has always been widely shared. And in the age of the internet, once you set your code genie free, its virtually impossible to stuff it back in the bottle.
This has created a problem for Microsoft, since it continues to believe that the open release of source code can create serious problems for a high-volume multi-national vendor.
Microsoft already has a serious software piracy problem, compounded by the potential for Windows clones that look and feel like Windows, but either contain malware or circumvent anti-piracy enforcement. The chance of this happening with Windows is much higher than with open source software, which is often tied directly to hardware or other services.
This as a far greater threat for Microsoft than crackers simply using source code to create new attacks.
There is one area where exposing the code could cause security problems. The security industry is still anticipating organized attacks from criminal or terrorist groups who may move more strategically than the common-day rogue.
These shadowy groups could choose to avoid known exposures (where patches are generally available, and applied in many cases), and could instead target previously unknown vulnerabilities gleaned from the code. An attack vectored on an unknown hole, if wide enough, could be virtually unstoppable.
But even more worrisome than an attack, sophisticated crackers could instead simply create back doors into sensitive systems, and then manipulate financial transactions, extract sensitive data, or take control of critical systems at a predetermined time.
However, many of these truly sensitive systems still run Unix, and many, based on the advice of “security experts” are beginning to run Linux. As a result, any problems rising from source-code mining would be at least as bad for these platforms as it is for Microsofts.
There is a silver cloud, however. The source code theft is once again raising the issue of whether OS source code should be publicly available. If “open source” is good, then why is the accidental release of a small amount (only about 15 percent) of source code so damaging to Microsoft?
Maybe its time to set aside our Microsoft biases and objectively analyze this issue. Until we do, we cant honestly determine whether open source is worth the risk. And answering that question, as weve seen in this crisis, is critical to the future of the software industry.