The biggest surprise might be that the leak appears to have come not from the thousands of organisations included in Microsoft’s Shared Source initiative, or a foreign government participating in the Government Security Programme, but from Mainsoft Corporation, a longtime Microsoft partner.
Microsoft is displeased and has called in the FBI, but is stressing the illegality of the theft rather than the security implications. The leak probably won’t provide a large number of security breaches — only a small portion of the Windows 2000 code has been revealed, it dates from around 2000, and much of it is reportedly low-risk software such as screensavers. That doesn’t mean it isn’t useful to unprincipled crackers (a vulnerability in IE5 was gleaned within a couple of days), but it’s unlikely to result in a stream of Windows exploits.
Security issues aside, the source code tells us something about Microsoft’s development procedures. Conspiracy theorists who expect the code to provide a “smoking gun” are likely to be disappointed: an interesting analysis posted on the Kuro5hin website says the code doesn’t appear to contain any copyrighted code lifted from GNU or Linux projects. Although it does include some references to undocumented APIs, the Microsoft developers have also included hacks or workarounds to benefit third-party software from competitors such as IBM and Borland. The author, one Selznak, correctly points out that even the warning comments about code hacks are evidence that the developers are making the effort to flag potential shortcomings, as any conscientious developer would do.
In fact, the article is positive about the quality of the code. “In short, there is nothing really surprising in this leak,” Selznak writes. “Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility.”
Perhaps showing the source is the best way Microsoft could get some of the conspiracy theorists off its back. Source code doesn’t lie; there can be no argument that the key called ‘NSAKey’ is a backdoor for the NSA, for example, if the source says otherwise.
There’s no reason for complacency, however. This public leak of Windows source means we must now presume there’s more where that came from.
To believe otherwise would be to accept that somebody grabbed as much code as would fit on a single CD, and no more; that they decided to pilfer the source code to screensavers, the Taskbar, widget code and HyperTerminal rather than concentrate on high-risk code such as networking, authentication and file handling; and that they kept the source code to themselves for years before releasing it into the wild. It’s an implausible scenario.
It’s more likely that whoever stole this particular fragment of the Windows source no longer has any use for it, and they either don’t care that it found its way online or were keen to embarrass Microsoft by leaking it. Somebody has had the source code, probably for years, and nobody knew. Microsoft VP Jim Allchin’s antitrust testimony in May 2002 that the company wouldn’t share Windows APIs if it knew of a security vulnerability suddenly looks less than enlightened.
Security researchers have been proven right: security through obscurity doesn’t work. We must presume the enemy has the source.