Part two of our interview with Microsoft's Jason Matusow:
How do people physically access the Windows source code?
The MSDN Code Centre Premium resource is the mechanism by which people access the Windows source code. It is a reference tool accessed through a secure Web site. When organisations sign up, they get a smart card and a smart card reader.
All the servers for this are currently located in Redmond, but we will start mirroring them around the world.
Can people access all the Windows source code?
No. About 95 percent of Windows is in the programme. Another 3 percent of Windows we don't own so we can't share it. And some parts - such as product activation code - are too valuable to us to share, and then some of the cryptographic elements are restricted by the US government and we can't share them beyond the EU and eight other countries, so we deal with those on a case by case basis.
So that covers Windows. How do the other programmes differ?
The Windows CE division has taken a different approach. About 45 percent of Windows CE source code has been opened up to anybody - any organisation or an individual - in any country. The licence says you can view, modify and redistribute the code for non-commercial purposes. This means software and hardware vendors can modify applications and hardware based on their knowledge of the source code.
Some companies can see the whole of the Windows CE source code, but they pay a licence fee because the 55 percent of the code not open to everyone has IP (intellectual property) issues.
There are about 300,000 developers in the embedded community, and we have had 128,000 downloads of the source code. About half of those say they use it on a weekly basis and about 75 percent say they plan to develop for Windows CE as a result of having access to the source code.
What other Shared Source programmes exist today?
There is the C# CLI (Common Language Infrastructure) licence, which is similar to the CE licence in that it is a non-commercial derivative licence, but in this case almost all the activity is focused on the academic community. We have had about 35,000 licensee downloads - not including 18,000 individuals who entered a coding competition in Japan.
So where next?
In the coming months we will expand the Shared Source programmes into other parts of Microsoft. All our platforms are in the Shared Source programme right now, and next we will be seeking to expand it to SQL, Exchange and possibly even Office.
We have not yet decided on Office. It may be that we decide not to do it. There will be a lot of work involved in scrubbing the IP.
We'd like to push this programme into tools and everything from games to applications. But we have a lot of issues to deal with, such as who needs to get to source code and how badly they need access. It is of marginal use even to most developers, and of no use at all to most users - especially when it comes to the operating system. That's why Linux only has a small number of kernel developers - this is very complex stuff.
It is a question of weighing up the risk against the benefit. Most modern industry was built on the notion of trade secrets. The important part is that as you share more, those trade secrets are open to more eyes, and so they can become weakened.
How does this concept of Shared Source sit with the mantra of 'security through obscurity,' which is so closely associated with Microsoft?
Microsoft does not subscribe to security through obscurity. But equally, the many eyes theory is untested and fairly unsupportable because most of what those eyes look at is the wrong stuff. People like to look at the sexy, interesting code, and the older, harder code that is more tedious to look at often gets overlooked. It is a lot more complicated than saying: if lots of people can see the source code then they'll find the bugs.
Take the Kerberos example, where a big flaw was discovered after ten years. This is an open-source security product that has had many eyes looking over it. OpenSSH is another example - this open-source product was recently found to have a Trojan horse in it. The problem with open source is that you don't know who is controlling the code. Microsoft always signs all of its binaries. You know who is responsible for it. For us the interest in shared source is to do with platform integrity.
Palladium cryptographic code will be Shared Source so people will be able to scrutinise it, just like they could with the RSA cryptographic code. I don't know how we can more clearly state that we don't believe in security through obscurity.
Matt Loney writes for ZDNet.co.uk
Microsoft: We'll open up more source code (part II)