Bugtraq mailing list archives

Re: Microsoft opening its source to selected parties


From: "Matthew S. Hamrick" <mhamrick () CRYPTONOMICON NET>
Date: Tue, 13 Mar 2001 11:38:25 +0900

-----BEGIN PGP SIGNED MESSAGE-----

Dan,
    While I agree with you that it will be interesting to see if this
increases or decreases the number of security-related bug reports on
Windows tools / applications / operating systems, I'm not sure I
really agree with the ... who was it... Meta Group? report that
kicked this whole thing off Wednesday.

1. Microsoft has been providing source code to third-parties for a
long time now. I got the source to v5.11 Microsoft C back in '89-'90
to see how to use borland tools to write libraries for it (there were
several very subtle bugs in how that version saved DI and SI if you
had a function declared in a macro or something like that...) As
recently as a year ago a friend with whom I have daily contact was a
MS 2000 / NT 4 / NT 5 / NT Family source licensee. He worked for a
company that made video boards, and they knew that there was
ABSOLUTELY no way they could write the video drivers without the
source. So for point (1) I don't think this is a change in MS policy.
I think it's someone publishing a story about MS doing something it's
been doing for at least 10 years.

2. Without access to derivative works, most people (okay, most people
I know...) aren't all that interested in spending a lot of time to
report bugs in the product. If I have product X that runs on WinNT,
I'm not going to spend all that much time fixing the WinNT bugs I
find. Instead, I'm going to find a way to code my application around
the buggy WinNT code. If I fixed the NT code, I still have no control
over if and when MS will accept and integrate my changes. If I'm
fixing a bug, I can almost guarantee you it's because I'll lose
revenue if I don't. I'm going to spend my time fixing the bugs in my
code that my user base has reported. If I fix the bug in the WinNT
code, I still have to fix the bug in my code because I can't tell my
customers, "I fixed the bug in the WinNT codebase, so call MS and tell
them you want my bugfix included in the next SP, then tell your
admins to install the next SP when it comes out in 4 to 16 weeks."
That just wouldn't do (except maybe at Borland...)

3. Open source is not a panacea for all software ills. It's simply
exchanging one set of software ills for another. Granted, I like the
kind of ills you get when you open source, but I'm afraid that MS is
giving source code to all the wrong people. Certainly giving it to
people who you are "close to" is a good idea. However, there are few
people whose business models are such that they are motivated to play
along and report bugs in MS's "open source" strategy. A lot of the
people who get money from Linux / *BSD are guys that build web or
mission critical apps for medium sized enterprises. When these guys
find bugs in the OS, it's a bug that is causing the application they
sold to puke. If the OS, Application Server, Web Server, Data Base,
and Compiler are all open sourced, the fix will be made in the most
appropriate place for that developer. The application provider then
recompiles the application and deploys the fix. They are motivated to
report the problem / fix because if they don't they'll have a
non-standard version of the app / OS combo which means that fewer and
fewer people will be testing for them. Borland / Inprise learned this
painful lesson when they opened the Interbase source.

Oh heck... now I'm just ranting... Let me just say that I don't think
it will change the number of bugs reported ... MS has never been all
that concerned with security, and I don't think that's going to
change. What may change is that from time to time you might just
happen to find someone with access to the source who has the time to
investigate things further, and find the cause of a bug. Perhaps one
in twenty times the mean time to solution for a particular bug will
decrease. Perhaps one time in twenty the quality of the fix will
increase.

Hmm... maybe this should be moved over to slashdot. Thanks for
indulging me, I think I started to drift off-topic... For the sake of
the list bandwidth, I'll move this over to
http://www.cryptonomicon.net/article.php?sid=15&mode=&order=0 .


----- Original Message -----
From: "Dan Harkless" <dan-bugtraq () DILVISH SPEED NET>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Friday, March 09, 2001 6:37 AM
Subject: Microsoft opening its source to selected parties


From
<http://news.cnet.com/news/0-1003-201-5067896-0.html?tag=nbs>:

    In a major extension of corporate policy, Microsoft has quietly started
    a program to provide selected large enterprise customers with copies of
    the source code for Windows 2000 (Professional, Server, Advanced Server
    and Data Center), Windows XP (released betas) and all related service
    packs.

Will be interesting to see how this affects the number of holes
reported in Microsoft software.  Considering how many are found
now, even without access to the source, we may see a very
significant rise.  On the other hand, if there are more white hats
than black hats looking at the code (which is certainly what
Microsoft's shooting for with its "selected large enterprise
customers" policy), perhaps there'll be a net reduction in
unpatched holes, since there'll be more eyeballs on the code.

--------------------------------------------------------------------
-- Dan Harkless                   | To prevent SPAM contamination, please
   dan-bugtraq () dilvish speed net | do not mention this private email
   SpeedGate Communications, Inc. | address in Usenet posts. Thank you.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQEVAwUBOq2IG+krkgM9eER9AQF46Af+MGvxcvPfgHP4Em43jczefJz9bidCnuvV
ceFgBAH3EVC9FAdl6a9lh+Y1k4G2/gaFEW8H6Jv7prYVFybk1yiXFMOx36h2lS1w
rDw4EQOnFLsPoetH5fzTJzl8iCx7eWAi6KzkoWcvF5ONioFvMl7IbhrVaSb4PDFx
ZkjKBQR8fBn1K0zsXNoUM7t8MyuPGqh9gacEmPefw/AL+XJmRmybjDKEaKaaRcYS
UH8kUBgFvNJDj8IeQvBctpHYBLaViMug9I7cQwXrvSexq/WPrkkEcLSde2p7VGAF
nAunFTCYm4lY6BSyCJfr1qg3AQj/1cKwfIRVnkGWWnnYQ6hsY4UBow==
=tfIq
-----END PGP SIGNATURE-----
