Microsoft Partners Assess Fallout from Code LeakBy Jacqueline Emigh | Posted 2004-02-17 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
As security experts download, peer at, and analyze leaked source code, the industry still buzzes over last week's Windows security breach. But what impact will the leak have on Microsoft's relationships with channel partners?
With security experts busily downloading, peering at, and analyzing leaked source code, the industry is still buzzing with controversy over last week's Windows security breach. But what about the impact of the leak on Microsoft's relationships with channel partners? Will Microsoft still be able to trust its partners, and vice versa? Will application security be harmed, or possibly ultimately helped? Opinions range all over the map.
Now, a security researcher nicknamed GTA has posted a comment to an Internet newsgroup, claiming that he's discovered the first security exploit based on the leaked code.
"People are gobbling up the code in the newsgroups," noted Jay Jacobsen, an independent security consultant who is also an anonymous participant in newsgroups. "Over 50,000 source code files were leaked. I don't know what the percentage is, in terms of Microsoft's total source code, but that's a whole lot of code," he added.
Jacobsen, who is CEO of Edgeos, Inc., also predicted that Microsoft might find it tougher to trust its partners, now that MainSoft has been implicated in the code heist. "Many of Microsoft's fans tend to be very loyal. The breach is more likely to cause a lack of trust on Microsoft's part than the other way around."
What partners are saying
What partners are sayingIn a series of interviews, many Microsoft partners did seem to be adhering to a true blue attitude. "Microsoft is in an unfortunate position. However, I'm very confident in the seriousness of Microsoft's commitment toward security," said Ezra Davidson, VP for business development at SynCast, a Microsoft customer and corporate development partner.
On the other hand, trust is "definitely the biggest problem," in the view of Richard Cruit, CEO/CTO of Blue Sky Factory, a Microsoft ASP partner.
"The Cold War is the best analogy. The code leak has the same impact as if a government spy leaked state secrets. The allies of that country start to question the government's ability to hold a secret," Cruit illustrated.
By and large, the Windows code leak didn't take anyone by surprise. "The Internet is so easy to use, and so easy to transfer information over, that it's fairly amazing that Microsoft hasn't experienced a 'bad apple' situation before," observed Sean MacIsaac, CTO of Intwine, another solutions partner.
Partners vary widely, though, in their expectations of security fallout. "The leak does have a chance of hurting security. It seems to have constituted only a small portion of Windows code, and people probably won't be able to do anything that malicious. But this does make us more vulnerable," according to Blue Sky Factory's Cruit.
"There may be a period of time when code is more vulnerable to viruses and worms," acknowledged Steven Lupinski, CEO of eServer. Also as Lupinski sees it, though, products might eventually become more secure than prior to the leak, as Microsoft is forced to address pre-existing security holes.
How can Microsoft do a better job of battening down the hatches? Partners raised suggestions ranging from disciplinary action to placing identifier tags on code.
Battening down the hatches
Battening down the hatches"I'm not sure exactly how this breach happened – whether a Microsoft employee passed any code around, or whether one of more partners were involved. But Microsoft needs to clearly communicate that source code is very important, and that they need to be careful with it. Maybe Microsoft could threaten to terminate relationships with any partners that leak code," Lupinski recommended.
Some partners, though, would like to see greater openness by Microsoft from the outset. "I am a fan of open source code. Most developers go with the assumption that vulnerabilities exist in all software code, anyway. We can get at 80 percent of all source code through reverse engineering. However, we'd like to like to be aware of the vulnerabilities from the beginning. Then you'd see the code getting locked down, and becoming safer as a result," according to one developer at a small, Microsoft-certified consultancy on the West Coast.
"So a lot of people out there in the trenches are saying, 'Let's open it up!' Right now, we're going through a fairly extensive procedure to fix (Windows) code. In contrast, with open source, people can address vulnerabilities in a matter of hours," added the developer, who asked not to be identified.
"We're a small company in comparison to our partners. Microsoft can be very aggressive in protecting its image, if you know what I mean," the developer contended.