Saturday, February 14, 2004

Musings on Microsoft's Bad Week

By now everyone knows about Microsoft code being "made available on the Internet", according to the linked press release. Microsoft claims:

"On Thursday, February 12, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. Subsequent investigation has shown this was not the result of any breach of Microsoft's corporate network or internal security, nor is it related to Microsoft's Shared Source Initiative or its Government Security Program."

This probably doesn't comfort Mainsoft, claimed by some to be involved in the leak.

I found it amusing that news outfits like NPR, Wired, and CNN found the amount of profanity in the Windows source to be newsworthy. A Slashdot post provided the following helpful grep syntax:

grep -Hirn "INSERT PROFANITY HERE" ./*

In case you're wondering about the switches:

-H, --with-filename
-i, --ignore-case
-r, --recursive
-n, --line-number
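One caveat worth knowing before running that one-liner over a large tree: "./*" is expanded by the shell, not by grep, so it silently skips dot-directories and dot-files at the top level (and can blow past the argument-length limit in a big tree), whereas passing "." lets grep's -r do the walk and see everything. The script below is an added example, not from the original post or the Slashdot thread; it builds a small constructed source tree (file names and the search word EXAMPLEWORD are made up) and runs the same -Hirn switches both ways so the difference is visible.

```shell
#!/bin/sh
# Added example: demonstrates the Slashdot grep switches (-H -i -r -n) and
# the difference between "./*" (shell glob, skips dot-directories) and "."
# (grep walks the tree itself). The tree, file names and the word
# EXAMPLEWORD are all constructed for this demo.

# Populate an empty directory with a tiny fake source tree.
make_tree() {
    mkdir -p "$1/src/kernel" "$1/.hidden"
    printf 'int main(void) { return 0; } /* EXAMPLEWORD */\n' > "$1/src/kernel/main.c"
    printf '// clean file, nothing to see\n' > "$1/src/util.c"
    printf 'Exampleword appears here in mixed case\n' > "$1/README.txt"
    printf '/* EXAMPLEWORD hiding in a dot-directory */\n' > "$1/.hidden/notes.c"
}

# Count matching lines using the Slashdot switches.
#   $1 = pattern
#   $2 = starting point, passed to grep unquoted so "./*" is globbed by the
#        shell exactly as it would be on the command line
count_hits() {
    pattern=$1
    start=$2
    # grep exits 1 when nothing matches; "|| true" keeps a count of 0 from
    # aborting a caller running under "set -e".
    grep -Hirn -- "$pattern" $start 2>/dev/null | wc -l | tr -d ' ' || true
}

# Build the tree, run both forms from inside it, and report the counts.
# Expected: glob=2 (README.txt, src/kernel/main.c) and dot=3 (adds
# .hidden/notes.c). The lowercase pattern only finds "Exampleword" and
# "EXAMPLEWORD" because of -i.
glob_vs_dot() {
    tmp=$(mktemp -d)
    make_tree "$tmp"
    (
        cd "$tmp" || exit 1
        printf 'glob=%s dot=%s\n' \
            "$(count_hits exampleword './*')" \
            "$(count_hits exampleword .)"
    )
    rm -rf "$tmp"
}

glob_vs_dot
```

The practical takeaway for reviewing a leaked or unfamiliar tree: use "grep -Hirn PATTERN ." rather than "./*" so that nothing under a dot-directory is missed, and drop -H only if you are deliberately grepping a single file.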

The Slashdot follow-up is probably the best place for a comprehensive look at the issue.

The silver lining to this cloud is the hope that this event will prompt a serious debate on the merits of open source vs. closed source software. O'Reilly is leading the charge with good articles on the merits of open source software. Also, people must finally recognize that open source software is not inherently more vulnerable simply because anyone can review it. With this Microsoft source disclosure, the world has to acknowledge that Microsoft's code has been available to the underground and is just as easily reviewed as OSS.

On related Microsoft news, today I received Introducing Microsoft Windows Server 2003 in the mail. This was sent after I participated in a phone survey last week on Microsoft's Get The Facts program. I signed up to get a free evaluation copy of Windows 2003 Server, so Microsoft called me. I repeatedly told the survey taker I was concerned with Microsoft's security problems. She was reading a script and tried to pigeon-hole my answers into her form. She tried to steer me towards "server consolidation" and "upgrading from Windows NT 4.0" when I told her I was more interested in "upgrading" to 2003 for security reasons. I told her I ran multiple versions of UNIX and had no plans to change.

Update: This post to full-disclosure claims to be the first public vulnerability discovered as a result of scrutinizing the Windows source code.