Slashdot Mirror


Microsoft To Share Office Source Code

I_Love_Pocky! writes "According to this article, Microsoft is going to give its source code for Office 2003 to more than 30 different world governments. The purpose? So they can inspect the code for security flaws."

28 of 348 comments

  1. Interesting by StateOfTheUnion · · Score: 4, Interesting

    Interesting . . . wonder how long it will take to leak out of one of these offices and wind up on file sharing sites?

    1. Re:Interesting by blowdart · · Score: 2, Interesting

      If it's anything like the windows code that got leaked, it will be watermarked, so it can be tracked back.

    2. Re:Interesting by Lumpy · · Score: 3, Interesting

      that would be devastating.

      Any of these "governments" will have a hard time getting competent coders to look at the code, as the second you do, you become "tainted" and pretty damn unemployable. Microsoft would love to be able to play the lawsuit card on any company that hired someone that ever saw that code... ESPECIALLY if they worked for a company making software that interoperates or is even remotely similar to Office.

      Having access to any of Microsoft's source code is the poison/suicide pill for any programmer in today's sue, sue, sue litigation is business as usual environment.

      --
      Do not look at laser with remaining good eye.
    3. Re:Interesting by glyph42 · · Score: 5, Interesting

      Source code watermarking is a hot research topic. You do it by inserting *logic* into the code, not just text. The logic, thanks to the hardness of SAT, can be constructed so that it is nigh impossible to see which parts will be run and which will not. Thus it becomes impossible to remove the logic, even for a nice optimizing compiler. There are side effects built into these bits of code, such that no matter how it is modified, rearranged, and compiled, the side effects can be read (by you, the programmer) to identify which copy of the source code it comes from. Of course, the code will become somewhat obfuscated and difficult to read, but hey :P There are tools already available for watermarking Java.

      Google for: "source code" watermarking filetype:pdf

      --
      Music speeds up when you yawn, but does not change pitch.
    4. Re:Interesting by Destoo · · Score: 3, Interesting

      Version 1:

      #include "windows.h"
      int main(void)
      {
      RunWinders();
      return 0;
      }

      Version 2:

      #include "windows.h"
      int main(void)
      {
      RunWinders();
      return 0;
      }

      Then a version with tabs.. and stuff like that.
      And pass each section through some sort of CRC checks.

      Easy to find if you get your hands on two versions leaked. But what are the odds of that happening.</sarcasm>

      --
      Game and technology news in French. TC
    5. Re:Interesting by ajs · · Score: 4, Interesting

      It's much easier to just add whitespace at the ends of lines. There's software out there that hides text in source code by doing this. Bottom line: if you get source from MS, don't give it to anyone else unless you're unafraid of being fingered as the one who did it. There are DOZENS of ways to embed IDs in code (changing variable names, subtle differences in whitespace, bury an ID in an include file somewhere, encode it in filenames, switch which files constants are defined in, etc, etc.) If they're smart (and while MS may be large and unscrupulous, we should give them credit for being smart), they'll use several of these techniques at once.
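
An added illustration of the trailing-whitespace fingerprinting ajs describes, not part of the original thread and not Microsoft's or any tool's actual scheme: each issued copy carries a recipient ID as trailing spaces and tabs, and the issuer recovers it from a leaked copy or excerpt. The function names, the 16-bit ID width, the recipient IDs and the sample source are assumptions constructed for this sketch.

```python
from collections import Counter

ID_BITS = 16                 # fingerprint width; an assumption for this sketch
MARK = {0: " ", 1: "\t"}     # trailing space encodes 0, trailing tab encodes 1

# Constructed sample source, not taken from any real product.
SAMPLE = (
    "#include <stdio.h>\n"
    "int main(void)\n"
    "{\n"
    "    puts(\"hello\");\n"
    "    return 0;\n"
    "}\n"
)

def embed_id(source: str, recipient_id: int) -> str:
    """Return a copy of source in which every line ends with the recipient ID,
    written as ID_BITS trailing space/tab characters (most significant bit first)."""
    if not 0 <= recipient_id < 2 ** ID_BITS:
        raise ValueError("recipient_id does not fit in ID_BITS")
    tail = "".join(MARK[(recipient_id >> i) & 1] for i in reversed(range(ID_BITS)))
    return "".join(line.rstrip(" \t") + tail + "\n" for line in source.splitlines())

def extract_id(leaked: str):
    """Recover the ID from a leaked copy by majority vote over marked lines.
    Returns None when no line carries a full-width mark."""
    votes = Counter()
    for line in leaked.splitlines():
        tail = line[len(line.rstrip(" \t")):]      # trailing spaces/tabs only
        if len(tail) == ID_BITS:
            votes[int(tail.replace(" ", "0").replace("\t", "1"), 2)] += 1
    return votes.most_common(1)[0][0] if votes else None

def visible_text(source: str) -> str:
    """What a reader sees: the source with trailing whitespace ignored."""
    return "\n".join(line.rstrip(" \t") for line in source.splitlines())

if __name__ == "__main__":
    copy_a = embed_id(SAMPLE, 0x2A01)   # copy issued to hypothetical recipient 0x2A01
    copy_b = embed_id(SAMPLE, 0x2A02)   # copy issued to hypothetical recipient 0x2A02
    excerpt = "\n".join(copy_b.splitlines()[2:5])   # only part of the file leaks
    print(visible_text(copy_a) == visible_text(copy_b))   # copies look identical
    print(hex(extract_id(copy_a)), hex(extract_id(excerpt)))
```

Because every line carries the full ID, attribution works on a partial excerpt and does not depend on line order.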

  2. No source for you by cermanius · · Score: 4, Interesting

    Only 30 eh? It doesn't mention anything about M.S. letting the US government see the code. Think they might still be a little bitter with that whole "You have a monopoly. We can't let you do that..." thing? Or do you think M.S. is afraid the Department of Homeland Security might issue another advisory saying that Office 2003 is insecure and everyone should switch to Open Office.

    --
    "Don't sweat the petty stuff and don't pet the sweaty stuff." -- by an Unknown Wise man.
  3. Readable? by Daengbo · · Score: 5, Interesting
    If the reports that I've heard are true about the code, it's so confusing that the developers are afraid to change much lest they break something. All that backward compatibility screws everything up. Could the governments make much sense of it if the MS developers are having a hard time?

    Love this part:
    Redmond, Washington-based Microsoft keeps its source code closely guarded, and requires any governments or companies to sign agreements not to divulge the data that is used to create its software programs.

    The Linux software system, which is now a major competitor to Windows and other Microsoft products, and its source code are freely available to anyone under an open source license that guarantees that the data will always be shared.
    1. Re:Readable? by Daengbo · · Score: 2, Interesting

      I feel like elaborating on this quote a little. OMFG -- It's a press move by MS, and Reuters ... Reuters ... prints a story which will probably be picked up verbatim by many newspapers mentioning that Linux already does this, and does it better.

      I'll say it again... OMFG!!! What is the world coming to?

  4. Re:I'm wondering... by Kingsly · · Score: 5, Interesting

    The important question is...

    Is there a way for the governments to verify if the binaries that MS ships are from the same source that they are getting to see?

    Will the governments be allowed to compile their own version ?

  5. Re:I'm wondering... by bob_avernus · · Score: 2, Interesting

    It's their new tactic to take over the world. First let governments look at their source, then once they use the source in something sue them. They are probably also hoping they will use the source in Open Source projects so they can get rid of them, the old kill two birds with one stone...

  6. Re:I'm wondering... by Anonymous Coward · · Score: 3, Interesting

    Good point. This offer should be rejected on many levels; first and foremost, shouldn't Microsoft be responsible for their own security?

    Surely with a $500.00+ dollar pricetag for Office MS can afford to do their own homework !!

  7. Some questions not answered in the article by StateOfTheUnion · · Score: 5, Interesting
    Are any of these governments already using open source technologies? I wonder if this effort is to get governments to switch back to MS products or only to prevent others from joining those that have already defected from Microsoft's empire . . .

    Also, are any of these governments developing countries? Or southeast Asian? In other words is Microsoft entrusting the code to any governments that seem to take a blind eye to software piracy?

  8. Re:I'm wondering... by mirko · · Score: 5, Interesting

    Well, if they compile these and they do not get the exact same binaries, they might claim they are cheating but as we know Microsoft, they will explain that their WC++ might not always produce the same output depending on many factors...
    So, well, they have to believe it.

    --
    Trolling using another account since 2005.
  9. Another SCO? by iammrjvo · · Score: 5, Interesting


    When (not if) the source code is leaked, then how long will it be before MSFT claims that office code was integrated into OpenOffice. How much in royalties will they demand?

    --
    Ha, ha! Nobody ever says Italy.
  10. Is this a preemptive legal defense strategy? by StateOfTheUnion · · Score: 5, Interesting
    After thinking about this for a while I think that it may be a brilliant strategy on MS's part . . .

    If the government of a country has the source code of the software to examine for security flaws, doesn't this give MS a defense against liability from future lawsuits? For example, if the UK government gets to inspect the source code, continues to use MS-Office, and then has a major problem due to hackers hacking MS-Office; MS can say that the software was given a clean bill of health by the British government, so MS shouldn't be held liable.

    I know that no defense is necessarily bulletproof, but this is just going to give MS's legal dept. more ammunition so that MS can get away with writing sloppy code and not be found as grossly negligent.

  11. My Q(s) is/are... by danalien · · Score: 4, Interesting
    * what's "_most_" of the src(s)?

    /* Quote [emphasis added]: "The new initiative is an extension of Microsoft's Government Security Program, which allows the governments of more than 30 countries to examine most of Microsoft's underlying source code, or software blueprint for its flagship Windows operating system." */

    * what is 'required' to agree beforehand with? ..and how will this agreement affect one's ability to work (with other 'source code(s)') in the future to come?

    /* Quote [emphasis added]: "Redmond, Washington-based Microsoft keeps its source code closely guarded, and requires any governments or companies to sign agreements not to divulge the data that is used to create its software programs." */
    --
    I don't claim I know more than I know, and if you know you know more than I know, then by all means, let me know.
  12. Smoke and mirrors by Slinky+Saves+the+Wor · · Score: 5, Interesting
    This is basically a load of crap. Why? Well...

    If you cannot compile the given source to a fully working Microsoft Access (or whatever source is provided), how can you be sure that the program you buy from the store contains the same source code?

    You can't, since you most likely can't compile the given source, and keep on using that compiled version!

    This is just smoke and mirrors. Now Microsoft can say their code has been provided for auditing by some instance, so it's got to be safe. However, there is no guarantee that the defects found will be fixed at all, and that the fixes will ever be found in the actual product. There is also no guarantee that the software you obtain from the store is the same as that for which the source was provided.

    You can easily implant backdoors to the supposedly "audited" source code: just don't give the newly modified source code with the backdoor back to auditing...

    --
    I do not moderate.
  13. Just a PR stunt by Andy_R · · Score: 5, Interesting

    From the article (emphasis added by me)

    The new initiative is an extension of Microsoft's Government Security Program, which allows the governments of more than 30 countries to examine most of Microsoft's underlying source code, or software blueprint for its flagship Windows operating system.

    What's the benefit in looking at "Most of" the code and seeing if it is secure?

    Absolutely nothing at all, apart from Microsoft getting an NDA signed on your behalf by your Govern(e)ment without any consultation with the public.

    --
    A pizza of radius z and thickness a has a volume of pi z z a
  14. Re:I'm wondering... by AstroDrabb · · Score: 4, Interesting
    That is exactly what I was thinking. MS gets tons of government programmers to do the job for MS in finding security problems. Then MS keeps all that _tax payer_ work and gets to turn around and sell that back to the government. What a great business model!

    This still doesn't fix the problem of governments putting out documents in a closed format that limits who can use/view those documents. Sure there is the free MS Word Viewer, though that only says it supports MS Word 2000 and doesn't mention WinXP. So it may or may not work. Also, MS releases these viewers a long time after the most recent version comes out, so the most recent viewer is usually a version or two behind the most recent MS Office Suite. I think all governments should stick with an open doc format like PDF. Any government can use a suite like OOo.org that will let them convert documents to PDF or even Flash.

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  15. Poor Government drones by dJOEK · · Score: 3, Interesting

    I don't know about the rest of the world, but generally People Working At Governments aren't exactly the best and brightest or the best motivated workers. Let's call them Very Good at being Mediocre.

    Imagine the following:

    Boss: Jim, you're a programmer right?
    Jim: uh, right
    Boss: Management told me to inspect some code for bugs. I tossed it to the printer. Can you mark all the bugs with magic marker?

    --
    Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
  16. So 30 governments will know the security flaws by Anonymous Coward · · Score: 1, Interesting

    Microsoft is going to make sure that 30 governments have access to their source code so that they will know where the security flaws in Microsoft Office are. You have to ask yourself, what color hats are these people wearing? Why exactly would I want to use Office after this disclosure?

  17. Consequences? by wombatmobile · · Score: 2, Interesting

    If developers who look at MS Office code are prohibited thereafter from working on other software projects such as open source projects that cross Office's domain, how many less contributors might there be to open source projects as a result of this?

  18. Re:My first thought... by eagl · · Score: 2, Interesting

    Forget the legal recourse, just check the more shady BT repositories for the CD set because you KNOW someone's going to leak it out of spite. I give it a month after release before the "Office 2005 davelopers soarce kit pack" hits the streets on the pacific rim and a week more before it gets to middle eastern markets to be bought for 10 dinars by returning US servicemen/women.

    CDs marked "Windows 99" were on the street in Bahrain and Saudi Arabia before I even bought my first win98 upgrade cd, and this probably won't be any different.

  19. Office source code is not enough by cpghost · · Score: 4, Interesting

    This is not nearly enough to satisfy governments. First of all, code that they don't compile themselves is not guaranteed to stem from the same set of sources. Second, the source code to the OS, and to the compilers is needed as well, because, hey, what does that black box kernel, dll, or compiler toolkit add to the pristine source?

    Responsible governments would either avoid closed-source products completely, or they should require a complete source code system that they could bootstrap themselves. No hidden binary at all!

    Would Microsoft provide such a complete, source code system that could bootstrap itself? It was reported many times earlier that they are having a helluvatime to maintain their own compiling environment. Would they be able to package it in such a way that non-Microsoft personnel could do something with it...

    ... assuming that they were sincere, and not just pulling a cheap PR stunt?

    --
    cpghost at Cordula's Web.
  20. Re:I'm wondering... by SpaceLifeForm · · Score: 1, Interesting
    It doesn't matter if they compile the code, and it works. It doesn't matter if the binaries match. It doesn't matter that inspection of the source does not reveal any security problems.

    The bottom line is that they will never see all of the source, so there is no way to verify that lower level DLLs don't have security issues/backdoors.

    This entire 'handout' from MS is nothing more than a ploy to taint those reviewers, and to hopefully lock those governments into MS.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  21. Is Microsoft baiting open-source developers? by GhodMode · · Score: 1, Interesting

    Is Microsoft hoping that they can kill more open source by making copyrighted code available? Do they hope they will then find it in something like OpenOffice.org or AbiWord so they can sue those projects into non-existence?

    If that's the case, how is this possible? ...
    Nothing is truly original. Writing an original program is the result of taking ideas from other people's work, and putting them together in a different way.

    Here's a story: Some talented and enthusiastic programmer (like I hope to be) from viewing Microsoft's "shared" code and saying to himself "Oh... That's how they do that.". Then this person closes the Microsoft code, never to look at it again, and makes some new changes to the code in OpenOffice.org based on his experience and understanding of all of the code that he has read and learned from in the past.

    Can Microsoft now sue this person?

    If so, Brian Kernighan and Dennis Ritchie have one Hell of a Payday coming from their lawsuit.

    --
    -- GhodMode
  22. Re:I'm wondering... by Piquan · · Score: 2, Interesting
    Another data point regarding this:

    A couple of years ago, I was at Defcon. A Russian gentleman started his talk, when he was interrupted by the man who organizes Defcon. The speaker was asked to say "nuclear wessels". The speaker was clearly confused by the request, but the organizer persisted. I doubt the speaker knew what he was saying: he was working from a script that he'd prepared before, and obviously was not able to speak conversational English, let alone understand "nuclear wessels". Finally, after much prodding, the speaker said "nuclear wessels" into the mic, with a very confused expression on his face. The organizer sat down and the talk began.

    The next day, that speaker was arrested. I keep wondering if he considered that the two events were somehow related.

    Of course, now we all know that Dmitri was in fact arrested for a DMCA violation, but until somebody explained that to him...