Slashdot Mirror


Microsoft To Share Office Source Code

I_Love_Pocky! writes "According to this article, Microsoft is going to give its source code for Office 2003 to more than 30 different world governments. The purpose? So they can inspect the code for security flaws."

37 of 348 comments

  1. I'm wondering... by leonmergen · · Score: 5, Insightful

    Not only security is the purpose of making it available, but also so that governments can adapt file formats for cross-software compatibility. Now I'm wondering, what will happen if a government wants to adapt this document format to some open source program, which happens to have a license that requires donating all adjustments to the code to the open source community... I'm pretty sure Microsoft will not allow this, will it?

    --
    - Leon Mergen
    http://www.solatis.com
    1. Re:I'm wondering... by halowolf · · Score: 4, Insightful
      Well, we should begin the countdown to when the source code will be leaked once it's made available to all those governments. I'm sure it will be well and truly checked for security flaws that way.

      I'll start with... 10.

    2. Re:I'm wondering... by FiniteLoop · · Score: 2, Insightful

      you underestimate the stupidity of certain governments..

    3. Re:I'm wondering... by Anonymous Coward · · Score: 1, Insightful
      I'm hoping these governments spend the effort looking for _patent_ problems rather than security problems.

      What if Office infringes on a local company's intellectual property!!! They should search for those and fine Microsoft large fortunes if they find infringing code.

  2. its ok, but nothing radical by Tyndmyr · · Score: 3, Insightful
    Well, it's not open source, but it's probably a good move for MS. It's at least a possibility that someone will do the work of bug hunting for them.

    On the flip side, how many governments keep enough trained programmers to effectively search through so much complex code?

    --
    Support more choices in government-Vote 3rd party.
  3. Jesus by gowen · · Score: 5, Insightful

    And exactly how many of those governments are going to waste their taxpayers' money debugging the code for MS, when the license under which they've seen the code doesn't allow them to do anything with it?

    <TIN FOIL HAT>
    and what happens when the members of a gov IT team that's licensed this code, then want to use and contribute to an Open Source project that better suits their needs -- hey! they can't! You've signed a prescriptive NDA!

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:Jesus by Anonymous Coward · · Score: 2, Insightful

      This is a good point. Open source platforms like AbiWord present an opportunity for large institutions and small governments to cut their software licensing costs. They can pay their own programmers to adapt the application for their own use.

      The lifecycle of the office apps is almost over. The featuresets have stopped growing, and the apps just adapt to the contemporary networked environment. There's little reason to upgrade the apps.

      With each potential upgrade cycle, there's a greater incentive to switch to an open platform that can be customized. This move to expose the code seems to be a preemptive measure to build some lock-in with existing big customers.

    2. Re:Jesus by Angostura · · Score: 5, Insightful

      Precisely. It strikes me that in most cases this program will just be used to fill in the right check box on a tick list. "We can look at the source code if we want to". Good. Next.

      I doubt there will be much real examination going on.

      There are numerous benefits to be gained by a programmer who examines real open source code. They can implement new features, squash bugs, tweak functionality - and potentially learn programming techniques.

      The potential return on investment in time is great.

      By comparison, the return on investment of examining MS code is small both to the organisation, and to the individual programmer - there is little or nothing that can be *done* with the knowledge gained. In fact the tainting issue referenced by others can even have a chilling effect on the use of *existing* knowledge.

  4. But wait! by netsharc · · Score: 2, Insightful

    Didn't MS say, if "hackers" can see the code, it would be easier to write exploits for it? Why are they exposing their own code then?!?

    --
    What time is it/will be over there? Check with my iPhone app!
  5. I hope Sealand is one! by Anonymous Coward · · Score: 0, Insightful
    nt

    ~~~

  6. Waste by kn64 · · Score: 0, Insightful

    While I'm sure it would make it easier for governments to find security flaws, I don't think that governments will see any benefit in hiring teams of people to hunt for bugs to save MS a few bucks.

  7. This is a good thing by hfis · · Score: 3, Insightful
    With all due respect (cough) to you MS bashers out there, this is a good thing and I don't believe MS should be given a bad rap for it.

    Isn't one of the main arguments against Windows that its closed-sourcedness makes it harder for security holes to be found and fixed? To me, it looks like Microsoft has taken the first step in rectifying this problem.

  8. Office 2003 Espionage? by Anonymous Coward · · Score: 1, Insightful

    So what happens if say North Korea gets the source and finds security flaws but doesn't tell anybody then uses those flaws to exploit USA government workers?

  9. Don't Look by suezz · · Score: 5, Insightful

    If anybody develops for OpenOffice or any other office suite I would not even get in the same room as the code. If you look at the code and develop for OpenOffice then Microsoft will probably come after you saying you stole their code because you read it and it gave you the ideas and means to do the programming. Be very, very, very careful - why would a proprietary company want people to see its secrets that have been its cash cow for the past 4 or five years. I think they are gearing up for an attack on OpenOffice - now that we have seen part of the agreement between Sun and them - why would OpenOffice even have to be mentioned in the agreement - it has nothing to do with them. I smell something rotten in Denmark.

  10. Lawsuits to follow by walterbyrd · · Score: 4, Insightful

    That's exactly what I was thinking.

    If I was a software developer, I wouldn't want to go anywhere near that code. You can be sure that anybody who views this code will no longer be able to work in software development. After you view that code anything you write that works with msft files, will be considered a stolen idea.

    Besides, who needs it?

  11. some questions... by tobi-wan-kenobi · · Score: 2, Insightful
    i wonder how long it will take to figure the average software analyst / programmer, to understand the code that is released. i mean, the code-base for an office suite is bound to be enormous.
    plus... what is the actual outcome supposed to be? will some government-sponsored IT professional point out "this and that is not secure, not reliable, not interoperable" and MS will change it? or is it like "hey, that's fine (and i am not sponsored by MS), everyone should prefer M$ office over Open Office, now that i have seen the revela.... ehm... source-code)"?

    someone pointed out that MS might take this as a starter to label itself as "Open Source company", which i personally believe to be utter nonsense, why should MS try to appear as supporter for something it fights with all its power (and money)? i do not think this is what they are aiming at.

    summarized, my belief is that the outcome will be an IT "professional" for every participating government feverishly pointing out the superiority of MS Office over any other product, proved by source-code examination that cannot be verified or counter-proved by anyone who has not agreed to a NDA.

    --
    If you don't learn from history,
    then you are an idiot by definition.
    --- Vadim Yasinovsky
  12. Re:Should speed the adoption of OSS by hfis · · Score: 2, Insightful
    Microsoft: We don't feel like releasing our source code. Security stuff, y'know?

    LiNuX_ZeAlOt666: wtf taht is fkcued man dont u care about teh SECURITY????? how can we fix ur security holez without teh source????????111/1

    (Time Passes)

    Microsoft: Ok, we did a bit more thinking, and have decided to release some of our source code to help improve security, just like you OSS chaps have been suggesting all along.

    LiNuX_ZeAlOt666: lol fag u suk
    --
    They just can't win, can they? Man, this inane shit is starting to sicken me..

  13. Microsoft is making two big mistakes with this by Quinn_Inuit · · Score: 4, Insightful

    Other commenters have opined that this is a clever Microsoft strategy. Perhaps. I have my doubts.

    First, they're implicitly acknowledging the security arguments in favor of open source. What will their corporate clients think? Like _they_ trust the gov't to vet their code for them. Doing this will only strengthen the demand on a number of fronts to see the Windows source.

    Second, the only way for two people to keep a secret is if one is dead. I don't care what those EULAs say, if you distribute some of the most valuable closed source in the world to 30...30!...gov'ts, someone's going to leak it. Remember the .bmp buffer overrun? I wonder what's going to flow from this.

    --

    Stop learning! Only you can prevent esoterrorism.
  14. Re:how to adopt MSOffice2003 formats by Anonymous Coward · · Score: 2, Insightful

    It's never wise to claim something has no security flaws. Can you point to a comprehensive OOo audit?

    Looks like MSFT will soon have 30 to point to, for free...

  15. Half of a puzzle by maximilln · · Score: 2, Insightful

    Is it possible to do a worthwhile security audit of Office source if one doesn't have access to the OS source with which it so tightly integrates?

    My brother discovered that the best way to make a perfect maze in Racing Destruction Set was to start with the + piece and just click like mad random all over the potential map. After strategically *g* placing about 10 intersections the next 30 minutes would be spent connecting them. This resembles the logic structure for any operating system and accompanying massive application suite (though, metaphorically, at least Linux uses stoplights and everyone drives on the same side of the street). If we take that map and reveal 1/2 the squares (Office source) but black out the other 1/2 (OS source), will we really be able to have a good feel for the security?

    As others have noted I feel this is a political play by MS to 1) get free bug-hunting services and 2) gain a stronger voice in political arenas. It's good business for MS but I sure hope that my tax dollars don't get wasted on it. If MS wants beta testers they should pay for them or acknowledge that their product will fall to the superior products.

    --
    +++ATHZ 99:5:80
  16. Will the feds do MS's work? by WindBourne · · Score: 2, Insightful

    This should be interesting to find out if governments will actually do MS's work for them? And for that matter, why should a government do MS's work, and then pay for all the millions of copies of Office, when they can simply go into OpenOffice and update that one and then elect to upgrade to SO or stay with OO.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  17. Point Taken by p.rican · · Score: 2, Insightful
    "With all due respect (cough) to you MS bashers out there, this is a good thing and I don't believe MS should be given a bad rap for it. Isn't one of the main arguments against Windows that its closed-sourcedness makes it harder for security holes to be found and fixed? To me, it looks like Microsoft has taken the first step in rectifying this problem."
    I'm not a big fan of MS but they are very reactive to anything that threatens their primary source of revenue. MS should have been doing something along these lines from the beginning as opposed to spouting off FUD for all of these years. I welcome honest debate between the pros/cons of each OS. I use Slackware primarily at home, but there are some MS apps that I can't live without. There's room for both OSs to coexist. MS tactics in preserving 90+% market share is what really irks me. On the surface, it seems that MS is responding to their customers' wishes but, I can't see how a government or customer feels that they are getting anything useful out of seeing the source. From what I understand about MS Shared (not Open) Source program, one must pretty much sign your first born away to see the code. In this economic climate who can afford to let their workers 'debug' MS code (for free) without getting any compensation for their time? I guess my main gripe is what is the customer/government gaining by seeing the code? Can they make a derivative work? No. Can they document any specifics regarding file formats for the sake of interoperability? No. Then, why bother?

    I agree that there is a high amount of MS bashing on this site but keep in mind that this site's target audience is not the typical MS apostle.

    --

    /. --"Demented and sad....but social" -Judd Nelson

  18. Anti-Microsoft? by thegnu · · Score: 2, Insightful

    This is little more than a metacomment, but I have to say this. I'm really not sure that anyone here who finds a problem with MS's actions is anti-MS. The truth is, this is a bullsh. cop-out release of source code. This is NOT open source code.

    Also, it is unbearably true that Microsoft has been dealing more and more directly with government officials these days. And taxpayers do, in fact, pay for absolutely everything a government does.

    I'm not upset about this particular issue. I'm upset enough about the nature of Longhorn. But these are valid points.

    --
    Please stop stalking me, bro.
  19. Well, I'm wondering.... by jaaron · · Score: 3, Insightful

    If a government is going to have to go through all the trouble of inspecting code for security flaws, why not just inspect open source software and at least be able to have a return on investment?

    It's one thing when the burden of providing secure code is shared between developer and user in the case of open source software since the benefits and rights to the code are also shared. But in the case of proprietary commercial software, I expect this burden to be on the vendor. The "privilege" of inspecting the source code is really just asking customers for free quality testing. Moreover, if the situation gets to the point that security inspections are needed, then you've chosen the wrong vendor.

    --
    Who said Freedom was Fair?
  20. but... by JustNiz · · Score: 1, Insightful

    It's Windows that has all the security holes, back doors and spyware, probably not Office.

    Don't forget with Microsoft, there's hardly any distinction between apps and the operating system components.

    Thank god other OS's such as Linux aren't stupid enough to allow user-level apps or their installers to install/replace shared libraries directly in the OS, or change the way the OS is configured (registry).

  21. Re:Interesting by WebTurtle · · Score: 2, Insightful

    Maybe it also explains the provision in their agreement with SUN that allows MS to sue them over StarOffice/OpenOffice.

    Regardless, it's ominous for OSS/FS and programmers who might work on similar projects.

    Office software project maintainers need to be very careful about what contributions they accept from now on. They need to be sure to vet the sources contributing the code and document all contributions and the name and contact info of the contributor, perhaps requiring the contributor to sign some legal statement affirming the code they are contributing is all original or otherwise free code.

    --
    ------- "One of the joys of travel is visiting new towns and meeting new people." -- G. KHAN
  22. interesting.. by trendescape · · Score: 0, Insightful

    according to the last article they were going to washington to say that open source limits innovation. hypocrites..?

    --
    irc.enterthegame.com #linux
  23. Out of Interest... by Singletoned · · Score: 2, Insightful

    People keep talking about programmers becoming tainted by looking at proprietary source code, but has anyone ever been sued or prosecuted after having done so?

  24. Re:Interesting by ajp · · Score: 5, Insightful

    If this were true then not one person who previously worked at Microsoft would ever be able to work anywhere else. Rob Glaser, for example, who left Microsoft's media division to open up Real Audio.

    Thank you. Next?

  25. Its a total con by EEproms_Galore · · Score: 2, Insightful

    This isn't what it seems; it's really a fly trap in disguise. Anyone looking at this code will legally be tainted and will have a lot of problems producing "open source code". I'm surprised it took Microsoft this long to figure out it could lock in people even more so by showing them the source code with a big nasty shared source license/contract attached that removes all your rights as a programmer. Yep, you're now Bill's slave; you have seen the forbidden one's true makings, thou shall not go to open source Nirvana, thou shall always be my slave mwahahaha

  26. PDF no good for collaboration by Anonymous Coward · · Score: 2, Insightful

    Other than Adobe Acrobat, is there a program (Open- or Closed-source) that allows PDFs to be edited?

    Yes, I have read the PDF specification, so I know that changes can (at least in theory) be tracked and encrypted etc.

    However, I have yet to find a single program that can *edit* PDF and do a decent job of round-tripping it as opposed to just outputting PDF as OOo and PDFCreator do.

    Karma points for reasonable suggestions.

  27. MS Office loses an argument against OSS by roesti · · Score: 5, Insightful

    Hang on a second. I thought that even if you let other people review your source code, they're highly unlikely to do so. Isn't that one of the arguments that the anti-OSS crowd march out all the time? Now, Microsoft are doing it, and they're telling people it's for security purposes. Aren't they conceding that this argument is flawed, if they themselves can see some merit in doing so?

    Coming up in the news, Microsoft will announce it will start making good design choices, writing good documentation, publishing their binary file formats, and giving away their flagship software for free. For the government. Foreign ones, even. Probably.

  28. Don't you get it? by Anonymous Coward · · Score: 1, Insightful

    MS is trying to get as many eyes looking at the source to Office as they can. Then Government workers won't be able to work on the OpenOffice code for fear of retaliation from MS. The only reason MS lets anyone look at their code is so that they can spread more FUD about the GPL, and scare customers away from FOSS with threats of lawsuits.

  29. Like these are experts??? by Nom du Keyboard · · Score: 1, Insightful
    "give its source code for Office 2003 to more than 30 different world governments."

    Like these people are, or even know, good security experts? I don't think so.

    It may only be me, but I'd expect this move to result in 30 countries whose spy agencies now will know vulnerabilities that can be used to spy on their citizens.

    If MS was serious about improving their code, they'd be passing it on to White Hat Hackers (based on said hackers' past track record of reporting flaws) and security firms.

    This is obviously nothing more than a sales move to try and keep governments comfortable with MS software. I doubt any of the rest of us will benefit at all.

    Microsoft - You're dumb!

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  30. Raymond's "many eyeballs" meme strikes again. by argent · · Score: 2, Insightful

    It's not the eyeballs that make open source attractive, it's the lack of central control.

    If Office was open sourced we could pull the design flaws that lead to security holes out. Back in the '90s there was a smart fellow in Florida who came up with an effective counter to the word macro virus problem... he came up with a macro that disabled all the automatically executing macros, so you could open a Word document with macros without having them trigger. Unfortunately a later version of Word disabled it as part of Microsoft's virus protection feature. Unfortunately Microsoft's feature gave you the option of completely disabling and hiding all the macros, so you couldn't even see what they were, and leaving them enabled. So if you actually needed to use macros you were just as exposed as if they had done nothing... worse, in fact, because you couldn't kill the autoexecute capability.

    In an open source project we could back that out, we could even restrict macros to making changes in their own document only, so they couldn't propagate or do harm. But no matter how many eyeballs there are on the code, if the brains behind the eyeballs can't make changes then there's not much point... even if every line of Word was free of buffer overflows, so long as it's got that powerful a macro language with no way to control it the basic security problem remains.

  31. Re:Interesting by AstroDrabb · · Score: 2, Insightful
    But that is assuming that the person who gets your source code just wants to copy-n-paste it into their own project. Not very smart IMO. The real benefit would be to see how something is done. That could cut out tons of reverse engineering. Maybe a competitor wants 100% MS Office compatibility or specs for different MS proprietary protocols. Just learn from the source and write your own. There would be no way to track that. No plain text watermarking would work.

    The only thing that "watermarking" source would do is as you pointed out. Say if MS gives their source to 30 different governments. They could have different versions that just change trivial things like #include orders, local variable names, etc. Then if there is a code leak, it would be easier for MS to find out what government did the leak.

    P.S. How do you get spaces to stay in code examples on /.? <ECODE> removes all that when I try.

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
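
The per-recipient marking described in the comment above, sketched as an added example (not part of the original thread, and not a description of anything Microsoft actually does): each recipient gets a distinct `#include` ordering, and a leaked copy is traced by ranking the ordering it contains. The header list, file body and recipient names are constructed for illustration.

```python
"""Per-recipient source fingerprinting via #include order (constructed example)."""
from math import factorial
import re

# Constructed header list; ordering these standard headers does not change behaviour.
HEADERS = ["<ctype.h>", "<stdio.h>", "<stdlib.h>", "<string.h>", "<time.h>"]
BODY = "\nint main(void) { return 0; }\n"

# Hypothetical recipient names. Rank 0 (sorted order) is never issued, so a
# copy whose includes were re-sorted is reported as unattributable.
RECIPIENTS = [f"gov-{n:02d}" for n in range(1, 31)]


def unrank(rank, items):
    """Return the rank-th permutation of items in lexicographic order."""
    pool, out = sorted(items), []
    for i in range(len(pool), 0, -1):
        idx, rank = divmod(rank, factorial(i - 1))
        out.append(pool.pop(idx))
    return out


def rank_of(perm):
    """Inverse of unrank: lexicographic rank of a permutation."""
    pool, rank = sorted(perm), 0
    for i, item in enumerate(perm):
        idx = pool.index(item)
        rank += idx * factorial(len(perm) - 1 - i)
        pool.pop(idx)
    return rank


def issue_copy(recipient):
    """Build the source text handed to one recipient."""
    rank = RECIPIENTS.index(recipient) + 1  # skip rank 0
    lines = [f"#include {h}" for h in unrank(rank, HEADERS)]
    return "\n".join(lines) + "\n" + BODY


def attribute_leak(text):
    """Map a leaked file back to a recipient, or None if the mark is gone."""
    found = re.findall(r"^\s*#include\s+(<[^>]+>)", text, flags=re.M)
    if sorted(found) != sorted(HEADERS):
        return None  # headers added or removed: fingerprint destroyed
    rank = rank_of(found)
    if rank == 0 or rank > len(RECIPIENTS):
        return None  # sorted or never-issued ordering
    return RECIPIENTS[rank - 1]
```

The mark survives added comments or edits elsewhere in the file, but re-sorting the includes or rewriting the code from understanding erases it, which is the limit the comment points out.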
  32. Double standards--the only real MS innovation by inkswamp · · Score: 2, Insightful
    Let me see if I can get this straight. When it's a bona fide open source project, Microsoft's FUD dept. and their apologists will claim that many eyeballs viewing the source code doesn't make a piece of software any more secure than closed source, proprietary software. However, when it's a Microsoft product having some of its source pried open just slightly for viewing by a select few, then it's considered a way to make it more secure.

    I believe this is called having one's cake and trying to eat it too.

    --
    --Rick "If it isn't broken, take it apart and find out why."