By now, I'm sure that almost everyone has heard of the Microsoft Code Compromise...
The big buzz in the above CNN article talks about profanity and a partner's name hidden in the leaked Microsoft code. As I read it, I took a step back and noticed something about the article that surprised me. Look at the slant of the article. I was surprised that CNN allowed this type of writing in the Technology section instead of the Editorial section. The article is titled "Profanity, partner's name hidden in leaked Microsoft code." The subtitle is "File swappers nab Windows secrets." It's not until the 8th paragraph that they admit that it's not clear whether the information in the shared files was in the original code or put there afterwards. It's not until the 12th paragraph that you find out the breach was not a breach of Microsoft's corporate network or internal security. And it's not until the next paragraph that you find out that the code appears to come from a "core dump" file generated by one of Mainsoft's (their partner) Linux-run machines.
I couldn't believe that I had to go halfway through the article to find out what happened. I was surprised that I had to weed through paragraphs of gloom and doom security bogeyman crap to get to the meat of the matter. I'm more surprised at that than any "leak" of Microsoft code.
One of the things that caught my attention was that the "leak" involved the source code of Win2K and NT (about 15% of the code for the OS). Yes, this was bad press for Microsoft. But, such "bad press" is not going to take down a mega-corporation so easily. Even if the press runs the "security" bogeyman up the flag pole and most of their customers salute it, Microsoft is not going to just stand there and take a beating. In Microsoft's eyes... those are "old" operating systems. All they would have to do is rewrite/write around the 15% of leaked information and stuff it in the next release of Win2003...or Win200X... then turn around and join everyone in saluting and tout it as a compelling reason to UPGRADE...
The other bogeyman that I found odd was that this leak could arm hackers and virus writers. They also mention that it could also assist software pirates in building bootleg copies of Microsoft software. Hmmm... all this out of 15% of the source code?
The reason this seemed odd was because -- open source software has the source code completely public!!! That's your other option, folks. So, why are there so many exploits of MS systems? Because there are many systems running that software. That is the actual long and short of it. It really doesn't matter which operating system most people use. Whatever *most* people use is the one that will be exploited. People rob banks because that's where the money is...and hackers write MS exploits because that's where the systems are... So switching to Linux, Unix or Mac is not going to stop it.
I also found some very interesting information on the Mainsoft site. Their partnership with Microsoft revolves around taking Windows applications and porting these things to Unix. "Mainsoft is one of the only companies fully licensed by Microsoft to modify and resell products created from Windows source code, on non-Windows platforms. ... In addition, Microsoft is also a Mainsoft customer, having used Mainsoft technology to port Internet Explorer, Windows Media Player and Outlook Express to Unix." Their products are Visual MainWin which "is an enterprise-class application-porting platform that enables software developers to develop C++ applications on Windows using Visual Studio and deploy them on Unix and Linux. " They are also the company that took Microsoft's Visual Source Safe and rehashed it for Unix. In case you've never heard if it.... Visual Source Safe is a software program that developers use to keep track of code development. It provides version control and accountability during the creative process of cranking out code. Think of it as a virtual file cabinet with a lock and a paper trail.... telling who worked on what and the changes they made to the code.
So much for people clamoring about interoperability...
For a more even-handed treatment of the topic, see the Washington Post article... The article seems to cover the topic without sensationalizing it.
One of the good things about this information is that ordinary users (read: management) will hear the term "core dump" and finally associate it with real security concerns. One of the ways that hackers breach security is by breaking the system. When the system breaks, it pukes up bunches of information. This is the way that computers have always operated. When they get an error, they're supposed to let you know what went wrong so that you can fix it. Some exploits focus on the vulnerability of the system while it's puking its guts out. Other exploits focus on sifting through the puke for tidbits of information to assist in compromising the system. When management sees a system down, all it knows is that it better be back up -- NOW. When security sees a system down, red flags start flying and they want to take a more cautious approach to re-enabling the system. When security folks talk about things like a core dump, management looks at it and thinks..."hey, I can't use this garbage to get into the system, so how could anyone else? These computer geeks have been watching too much sci-fi. Nobody could _really_ use this stuff." Yes, they could. And they do. Often. Perhaps now they will believe... before somebody proves it in a most painful way - on their network.
Posted by BlueWolf on February 14, 2004 11:04 AM