Release of Windows Coding Is a New Worry for Microsoft

[Dave Farber <dave () farber net>]

Release of Windows Coding Is a New Worry for Microsoft

February 14, 2004
 By JOHN MARKOFF





SAN FRANCISCO, Feb. 13 - The illicit distribution on
Thursday of portions of the secret programmer's
instructions for two versions of the Windows operating
system poses vexing legal and security challenges for
Microsoft.

Computer security experts said Friday that having even
relatively small parts of the blueprints for Microsoft's
Windows 2000 and Windows NT operating system as easily
available reference material for potential vandals and
troublemakers could complicate the company's already
difficult task in securing its software.

Microsoft has been criticized on security issues in recent
years and the company has devoted increasing resources in
an effort to restore its credibility with its customers.

The posting of the information on the Internet does not
present any direct threat to the hundreds of millions of
users of Microsoft's software, but it may fuel the fire
among those who say that Microsoft, based in Redmond,
Wash., has done a poor job of protecting computer users
from hackers and invasions of viruses and worms.

The company may also face a debate over its contention that
the secrecy of its proprietary software offers a computer
security advantage over the publicly available text of open
source programs like Linux.

Microsoft's executives said Friday that they were working
with federal law enforcement officials to attempt to
understand how the software instructions, known as source
code, had appeared a variety of Internet peer-to-peer file
sharing systems.

"We take this seriously," said Tom Pilla, a Microsoft
spokesman. "It's illegal for third parties to post or make
our source code available. From that standpoint we've taken
appropriate legal action to protect our intellectual
property."

Word of the theft of Microsoft's source code spread rapidly
on Thursday afternoon after it was first reported on a Web
site, Neowin.net, and then discussed on the Slashdot Web
site, which is widely read by the nation's programming
community.

By late Thursday evening, dozens of copies of different
text files ranging in size from 200 megabytes to one
gigabyte were being downloaded by thousands of Internet
users.

Computer programmers who examined the software instructions
- the basic texts from which the Windows operating systems
programs are assembled - reported that at least some
versions of the program had come from a Microsoft partner,
the Mainsoft Corporation, a software company that is based
in San Jose, Calif.

Several computer security experts speculated that the
Microsoft operating system source code had been stolen from
a Mainsoft computer via the Internet and then posted on
peer-to-peer file sharing networks.

Neither Microsoft nor Mainsoft would confirm this report.
Mainsoft, however, released a statement acknowledging that
the firm had a source code licensing agreement with
Microsoft.

"Mainsoft takes Microsoft's and all our customers' security
matters seriously, and we recognize the gravity of the
situation," Mike Gullard, chairman of Mainsoft, said in the
statement. "We will cooperate fully with Microsoft and all
authorities in their investigation."

Even though Windows 2000 and Windows NT are older versions
of the company's operating systems, they are still widely
used by corporations around the world.

"This raises real national security concerns," said William
Cook, a partner at Wildman Harrold in Chicago and a former
federal computer crime prosecutor. "The fact that
Microsoft's software is so widely available will have an
impact across the computer security industry."

Several computer security and legal experts said that
Microsoft's biggest challenge as a result of the incident
might unfold as skilled programmers begin to examine the
texts in search of material that might be embarrassing or
damaging to Microsoft.

"There have been lots of stories about the existence of
undocumented features" in Microsoft's operating system that
were intended to harm competitors, said Bruce Schneier,
founder and chief technical officer of Counterpace Internet
Security, a computer security firm in Mountain View, Calif.


In 1999, Microsoft suffered a black eye when a Canadian
programmer, examining a portion of its software, discovered
an element inside the company's Windows operating system
labeled NSAKey.

At the time, Microsoft said the reference was not an
indication that the company was engaged in a conspiracy
with the National Security Agency, a federal intelligence
operation. The label, however, undercut the company's
credibility within the computer security community, where
it was widely criticized.

In addition to the NSAKey incident, the Diebold
Corporation, a manufacturer of automated teller and voting
machines faced criticism after the programmers'
instructions for its voting machines were circulated on the
Internet. Technical experts said the code revealed flaws
that might make the machines vulnerable to manipulation, a
charge that Diebold denied.

Several computer experts said that Microsoft had no choice
but to rush to court to try to limit the spread of the
software instructions through temporary restraining orders.


"The horse is out of the barn,'' said Jim Brelsford, a
partner at the law firm Jones Day in Menlo Park, Calif.
"But you have to do this to protect your trade secrets.''

http://www.nytimes.com/2004/02/14/technology/14soft.html?ex=1077758523&ei=1&en=d3a2d35370e2be8b

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/