Will security by mystery be a thing of the past?

February 15, 2004

This week it was reported that a Windows code leak made a portion of Windows NT/2000 source code publicly available.

While there have been a number of spins on this incident, and I'm sure that a number of people in Redmond have gotten red-faced over this development, I'm not so sure that this will end up being a bad thing for Microsoft. I've often rolled my eyes when hearing that Microsoft's hidden OS code is a security feature, because I think that this deters skilled, benevolent people from reviewing the code. It also disallows these same people from quickly developing and distributing a fix for any holes found.

While I'm pondering this subject, I have to ask myself: wouldn't it be great if the Internet Explorer source code got leaked so people could work on fixing some of IE's more painful rendering bugs?

Posted by Andrew at February 15, 2004 07:37 PM

There's some coincidental evidence (GNU makefiles among the source, for one) that Mainsoft[1] was the source of the leak. Rumour has it that they were working on some sort of Unix porting.

To be completely honest, I wouldn't be shocked if Microsoft itself leaked the code. What better way to take the heat off of repeated (major) security hole discoveries than by finding a scapegoat? "Of course exploits are being written, the code was leaked! It isn't our fault!" It's also a natural lead-in to the argument against open-source.


[1] http://www.mainsoft.com/statement.html

Posted by: dennis on February 15, 2004 07:56 PM
