closed source wants out
February 13, 2004

The leaking of Microsoft's sourcecode onto the internet recently prompted some consternation; an AP article said that the leak puts "users at risk because it opens the door to more people finding vulnerabilities in Microsoft's code".

What this really does is expose the root vulnerability here: the sourcecode is a closely held secret, and therefore, by its very secretive nature, it assumes a value that it would not otherwise have had.

In addition, several other issues are exposed:

1. Insufficient numbers of people have examined the code. If an adequate number had looked at it, there would be no cause for concern.

2. The sourcecode has probably been leaked already, given that the public is usually the last to know about security leaks. The vulnerabilities that exist are already in the hands of malevolents. Therefore, the public has already been exposed to whatever threats could capitalise upon those vulnerabilities - and because those vulnerabilities are secret, nobody ever finds out about them. Two days before this article was written, Microsoft released a patch for IE that fixed an eight-month-old security hole that let someone take over vulnerable machines. For eight months, the underground knew of this vulnerability. The public, however, did not - and was therefore exposed for eight months, while Microsoft took their time fixing it.

3. The public has no way to protect itself, even if a vulnerability is disclosed to the public. This is because only Microsoft has access to the sourcecode, and therefore only Microsoft can fix the vulnerability.

All of these problems arise due to the underlying secretive nature of the code.

The reasoned conclusion, then, is to open the sourcecode to a wider audience. The wider the audience, the more people can look for, find, and fix vulnerabilities. In fact, if the public itself were able to examine the code, then the chances of exposure to vulnerabilities would be minimised, as there would be literally millions of pairs of eyes carefully scrutinising every line.

The thing is, this is all Old News to the "open source" community. You see, they have been here and done this many, many times before. They have learned all the hard lessons - about a single point of failure, unpatched vulnerabilities, user lock-in, and other dirty little secrets the industry would rather not have aired - already. That's why they support open sourcecode. That's what open source means - public access, to avoid precisely these issues that Microsoft has created, and the public is now facing.

The leaking of Windows code simply highlights the disadvantages of Microsoft's secretive, closed-source approach, while simultaneously highlighting the advantages of the open-source alternative.

This event is precisely why open source exists. The solution to the problem has already been built: it's called Linux!