Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Microsoft Operating Systems Security Software Windows IT

Microsoft To Share Office Source Code 348

I_Love_Pocky! writes "According to this article, Microsoft is going to give its source code for Office 2003 to more than 30 different world governments. The purpose? So they can inspect the code for security flaws."
This discussion has been archived. No new comments can be posted.

Microsoft To Share Office Source Code

Comments Filter:
  • I'm wondering... (Score:5, Insightful)

    by leonmergen ( 807379 ) * <lmergen@@@gmail...com> on Monday September 20, 2004 @07:02AM (#10296183) Homepage
    Not only security is the purpose of making it available, but also so that governments can adapt file formats for cross-software compatibility. Now I'm wondering, what will happen if a government wants to adapt this document format to some opensource program, which happen to have a license that requires to donate all adjustments to the code to the opensource community... I'm pretty sure Microsoft will not allow this, will it ?
    • Re:I'm wondering... (Score:5, Interesting)

      by Kingsly ( 565272 ) on Monday September 20, 2004 @07:05AM (#10296205)
      The important questions is...

      Is there a way for the governments to verify if the binaries that MS ships is from the same source that they are getting to see?

      Will the governments be allowed to compile their own version ?

      • Re:I'm wondering... (Score:5, Interesting)

        by mirko ( 198274 ) on Monday September 20, 2004 @07:08AM (#10296224) Journal
        Well, if they compile these and they do not get the exact same binaries, they might claim they are cheating but as we know Microsoft, they will explain that their WC++ might not always produce the same output depending on many factors...
        So, well, they have to believe it.
        • >> explain that their WC++ might not always produce

          Wisual C++? Great for Russia but what about everyone else?
        • Here in the UK, WC used to stand for "Water Closet", also known as the toilet.

          Are you saying that their compiler is 1 better than a crapper?
        • Re:I'm wondering... (Score:3, Informative)

          by I didn't ( 569512 )

          Trojans can still be introduced by evil compilers. See Ken Thompson's Turing Award Lecture. [acm.org]

      • Re:I'm wondering... (Score:2, Informative)

        by lachlan76 ( 770870 )
        To get the same binaries, they'd need to use the same compiler, all the same options, breath the right way, and hope that they get the right thing.
    • It's their new tactict to take over the world. First let governments look at their source, then once they use the source in something sue them. They are probably also hoping they will use the source in Open Source projects so they can get rid of them, the old kill two birds with one stone...
    • Re:I'm wondering... (Score:3, Interesting)

      by Anonymous Coward
      Good point, This offer should be rejected on many levels, first and foremost, shouldn't Microsoft be responsible for their own security.

      Surely with a $500.00+ dollar pricetag for Office MS can afford to do their own homework !!

      • Re:I'm wondering... (Score:5, Interesting)

        by AstroDrabb ( 534369 ) on Monday September 20, 2004 @07:51AM (#10296460)
        That is exactly what I was thinking. MS gets tons of government programmers to do the job for MS in finding security problems. Then MS keeps all that _tax payer_ work and gets to turn around and sell that back to the governement. What a great business model!

        This still doesn't fix the problem of governements putting out documents in a closed format that limits who can use/view those documents. Sure there is the free MS Word Viewer [microsoft.com], though that only says it supports MS Word 2000 and doesn't mention WinXP. So it may or may not work. Also, MS realeases these viewers a long time after the most recent version comes out, so the most recent viewer is usually a version or two behind the most recent MS Office Suite. I think all governments should stick with an open doc format like PDF. Any government can use an suite like OOo.org that will let them convert documents to PDF or even Flash.

        • Re:I'm wondering... (Score:3, Informative)

          by Coryoth ( 254751 )
          Sure there is the free MS Word Viewer, though that only says it supports MS Word 2000 and doesn't mention WinXP. So it may or may not work.

          Rather more significantly (for me, and many others) it is only available for Microsoft operating systems. That means the "free viewer" is useless to anyone using a Mac, Linux, BSD, Solaris, or any of a number of other operating systems. Yes, they're all small percentages of the market, but according to Google by the time you add all those up, you're looking at almost
      • >> Surely with a $500.00+ dollar pricetag for Office MS can afford to do their own homework !!

        Or at least teach Clippy (or whoever is in Office now) how to do my homework. For that kinda cash, I expect to see that paperclip doing my Physics....

    • Re:I'm wondering... (Score:4, Informative)

      by EvilGrin666 ( 457869 ) on Monday September 20, 2004 @07:09AM (#10296230) Homepage
      They wont have a license to distribute the MS office code and any license they do have from MS is likely to be so encumbered that it would be incompatible with the opensource license.

      The only viable option a government wishing to do this is to do a clean room design [wikipedia.org]. Unless of course there are patent restrictions.
    • by jaaron ( 551839 ) on Monday September 20, 2004 @08:00AM (#10296522) Homepage
      If a government is going to have to go through all the trouble of inspecting code for security flaws, why not just inspect open source software and at least be able to have a return on investment?

      It's one thing when the burden of providing secure code is shared between developer and user in the case of open source software since the benefits and rights to the code are also shared. But in the case of proprietary commercial software, I expect this burden to be on the vendor. The "privilege" of inspecting the source code is really just asking customers for free quality testing. Moreover, if the situation gets to the point that security inspections are needed, then you've chosen the wrong vendor.
    • by samvo ( 808431 ) on Monday September 20, 2004 @09:06AM (#10297045) Journal

      The Demise of Microsoft

      In the long saga of the battle between the world and its detested adversary,
      the Microsoft corporation, everybody is dying to see how the movie end.
      Everybody also knows that in the movie the antagonist always dies at the end,
      but the question is how? To most who detest Microsoft vehemently they would
      like to see a quick and horrid death and those who detest even more so would
      only find a sadistic pleasure in seeing nothing less than having Microsoft being
      slowly skinned alive on a burning stake.

      An IT Fairy Tale

      Once upon the time, there was a computer software company named Microsoft,
      whose craftiness in marketing made it become one of the most popular software company
      on the planet. However, once that company attained its dominant position
      in the marketplace, greed and fear filled the unsettled soul of Microsoft.
      The company then aggressively pursued and eliminated almost all of its contenders,
      names that once were legends one by one fell to Microsoft's sword, WordPerfect,
      Borland, Novell, Netscape, Corel and more. Soon, people saw Microsoft for what
      it was, a cunning roguish company that had no conscience to stop itself doing whatever
      it needs to achieve its ambitions. All the other software companies
      realized that there will be no end to Microsoft's unquenchable thirst for power but
      none dared to challenge Microsoft until one day a young knight developed an operating
      system called Linux. Linux came with a license called Open Source, which represented
      to all the other companies a platform from which they can rally together in a
      silent treaty to overthrow the software tyrant. One day, Microsoft woke up
      and saw a huge army amassed upon the hills, companies that once were shot, wounded,
      cheated and humiliated now all carry the same banner, the flag of Linux. Amongst
      the valiant warriors, were IBM, Novell, Sun, Oracle, Sony, Fujitsu, Red Hat and CA and
      amongst the catapults and shields they used were forged from the power of Open Source,
      Apache, OpenOffice, Mozilla, PosgreSQL, MySql, Python, PHP, Samba and much
      more. What Microsoft saw shook its heart, however its power to control the market
      is still immense and with 56 billion dollars in the vault, its going to put up a very
      good fight. This is the year 2004 and the battle has just begun.

      The Crystal Ball

      So my young seer, you wish to see how this battle unfold? First, you have to understand
      how unlike previous battles where the companies were easily and ruthlessly cut down
      by Microsoft, this time the catapults and shields that the Allies formed from Open Source
      were impenetrable, in fact, the more Microsoft attacked the slowly advancing catapults and shields,
      the stronger the catapults and shields became. How can that be? The magic of Open Source.
      All artifacts created from Open Source do not obey the laws of the jungle, first of all
      artifacts are immortalized by having the source code freely distributed across the
      earth, as Microsoft attacks one point more heads would sprout from different places.
      Another power of Open Source is leverage, in the old times when a developer was to
      write a software, he practically has to write most of the libraries himself/herself or
      purchase or license expensive code sets from other companies like Microsoft. Nowadays,
      these libraries are all available freely from Open Source, graphics libraries,
      network libraries, XML libraries, parsers, compilers, were all there for all to share.
      This is the leverage that hasn't been available to developers before, now all the
      Davids have slingshots.

      Rebellion of the Serfs

      Back to that same once ancient period, almost all developers lived under the direction and
      command of Microsoft. Their blind obedience contributed immensely to
      the growth of Microsoft. They created applications of all sorts of shapes
      and sizes which made the Microsoft platform very popular. All these times
  • Interesting (Score:5, Interesting)

    by StateOfTheUnion ( 762194 ) on Monday September 20, 2004 @07:03AM (#10296191) Homepage
    Interesting . . . wonder how long it will take to leak out of one of these offices and wind up on file sharing sites?
    • Re:Interesting (Score:2, Interesting)

      by blowdart ( 31458 )
      If it's anything like the windows code that got leaked, it will be watermarked, so it can be tracked back.
      • by AstroDrabb ( 534369 ) on Monday September 20, 2004 @08:00AM (#10296524)
        If it's anything like the windows code that got leaked, it will be watermarked
        Huh? Where did you get that from? Exactly how does one watermark a plain text file?
        #include "windows.h"
        int main(void)
        {
        RunWinders();
        return 0;
        }
        /* this is the MS WaterMark (tm), do not remove */
        • Re:Interesting (Score:5, Interesting)

          by glyph42 ( 315631 ) on Monday September 20, 2004 @08:27AM (#10296722) Homepage Journal
          Source code watermarking is a hot research topic. You do it by inserting *logic* into the code, not just text. The logic, thanks to the hardness of SAT, can be constructed so that it is nigh impossible to see which parts will be run and which will not. Thus it becomes impossible to remove the logic, even for a nice optimizing compiler. There are side effects built into these bits of code, such that no matter how it is modified, rearranged, and compiled, the side effects can be read (by you, the programmer) to identify which copy of the source code it comes from. Of course, the code will become somewhat obfuscated and difficult to read, but hey :P There are tools already available for watermarking Java.

          Google for: "source code" watermarking filetype:pdf
        • Re:Interesting (Score:4, Interesting)

          by Destoo ( 530123 ) <destoo@noSPaM.gmail.com> on Monday September 20, 2004 @08:45AM (#10296857) Homepage Journal
          Version 1:

          #include "windows.h"
          int main(void)
          {
          RunWinders();
          return 0;
          }

          Version 2:

          #include "windows.h"
          int main(void)
          {
          RunWinders();
          return 0;
          }

          Then a version with tabs.. and stuff like that.
          And pass each section through some sort of CRC checks.

          Easy to find if you get your hands on two versions leaked. But what are the odds of that happening.</sarcasm>
          • Re:Interesting (Score:5, Interesting)

            by ajs ( 35943 ) <[ajs] [at] [ajs.com]> on Monday September 20, 2004 @09:06AM (#10297040) Homepage Journal
            It's much easier to just add whitespace at the ends of lines. There's software out there that hides text in source code by doing this. Bottom line: if you get source from MS, don't give it to anyone else unless you're unafraid of being fingered as the one who did it. There are DOZENS of ways to embed IDs in code (changing variable names, subtle differences in whitespace, bury an ID in an include file somewhere, encode it in filenames, switch which files constants are defined in, etc, etc.) If they're smart (and while MS may be large and unscrupulous, we should give them credit for being smart), they'll use several of these techniques at once.
          • Re:Interesting (Score:3, Insightful)

            by AstroDrabb ( 534369 )
            But that is assuming that the person who gets your source code just wants to copy-n-paste it into thier own project. Not very smart IMO. The real benefit would be to see how someting is done. That could cut out tons of reverse engineering. Maybe a competitor wants 100% MS Office compatibility or specs for different MS proprietary protocols. Just learn from the source and write your own. There would be no way to track that. No plain text watermarking would work.

            The only thing that "watermarkign" sou

    • Re:Interesting (Score:3, Interesting)

      by Lumpy ( 12016 )
      that would be devastating.

      Any of these "governments" will have a hard time getting competent coders to look at the code, as the second you do, you become "tainted" and pretty damn unemployable. Microsoft would love to be able to play the lawsuit card on any company that hired someone that ever saw that code... ESPICALLY if they worked for a company making software that interoperates or is even remotely similar to Office.

      Having access to any of Microsoft's source code is the poison/suicide pill for any p
      • Having access to any of Microsoft's source code is the poison/suicide pill for any programmer in today's sue, sue, sue litigation is business as usual environment.

        They won't be in America, probabaly working for the local equivalent of the NSA. Or if they are seconded from the private sector, good luck for MS proving that any code they write was "tainted". Unless it's a cut-and-paste job, like the Chinese compnay that copied a bunch of Cisco's code, they won't get anywhere in court, or even get a court to

      • Re:Interesting (Score:3, Insightful)

        by WebTurtle ( 109015 )
        Maybe it also explains the provision in their agreement with SUN that allows MS to sue them over StarOffice/OpenOffice.

        Regardless, it's ominous for OSS/FS and programmers who might work on similar projects.

        Office software project maintainers need to be very careful about what contributions they accept from now on. They need to be sure to vet the sources contributing the code and document all contributions and the name and contact info of the contributor, perhaps requiring the contributor to sign some lega
      • Re:Interesting (Score:5, Insightful)

        by ajp ( 192328 ) on Monday September 20, 2004 @08:47AM (#10296872)
        If this were true then not one person who previously worked at Microsoft would ever be able to work anywhere else. Rob Glaser, for example, who left Microsoft's media division to open up Real Audio.

        Thank you. Next?
    • Interesting . . . wonder how long it will take to leak out of one of these offices and wind up on file sharing sites?

      Just wait for it to get to Los Alimos, it will dissapear from them quickley enough...

  • by Anonymous Coward on Monday September 20, 2004 @07:03AM (#10296192)
    I didn't realize there was even one world government. I have no idea how they could manage 30 with overlapping jurisdictions... ;)
  • by Tyndmyr ( 811713 ) * on Monday September 20, 2004 @07:03AM (#10296193)
    Well, its not open source, but its probably a good move for MS. Its at least a possibility that someone will do the work of bug hunting for them.

    On the flip side, how many goverments keep enough trained programmers to effectively search through so much complex code?

  • by Bromrrrrr ( 166605 ) on Monday September 20, 2004 @07:03AM (#10296194)
    Will the real world governement please stand up!
  • by WillRobinson ( 159226 ) on Monday September 20, 2004 @07:03AM (#10296197) Journal
    Maybe Rob could build this into the core of /. as a spell checker.
  • Jesus (Score:5, Insightful)

    by gowen ( 141411 ) <gwowen@gmail.com> on Monday September 20, 2004 @07:03AM (#10296198) Homepage Journal
    And exactly how many of those governments are going to waste their taxpayers money debugging the code for MS, when the license under which they've seen the code, doesn't allow them to do anything with it?

    <TIN FOIL HAT>
    and what happens when the members of a gov IT team that's licensed this code, then want to use and contribute to an Open Source project that better suits their needs -- hey! they can't! You've signed a prescriptive NDA!
    • Re:Jesus (Score:2, Insightful)

      by Anonymous Coward
      This is a good point. Open source platforms like AbiWord present an opportunity for large institutions and small governments to cut their software licensing costs. They can pay their own programmers to adapt the application for their own use.

      The lifecycle of the office apps is almost over. The featuresets have stopped growing, and the apps just adapt to the contemporary networked environment. There's little reason to upgrade the apps.

      With each potential upgrade cycle, there's a greater incentive to sw
    • Re:Jesus (Score:5, Insightful)

      by Angostura ( 703910 ) on Monday September 20, 2004 @07:30AM (#10296349)
      Precisely. It strikes me that in most cases this program will just be used to fill in the right check box on a tick list. "We can look at the source code if we want to" . Good. Next.

      I doubt there will be much real examination going on.

      There are numerous benefits to be gained by a programmer who examines real open source code. They can implement new features, squash bugs, tweak functionality - and potentially learn programming techniques.

      The potential return on investment in time is great.

      By comparison, the return on investment of examining MS code is small both to the organisation, and to the individual programmer - there is little or nothing that can be *done* with the knowledge gained. In fact the tainting issue referenced by others can even have a chilling effect on the use of *existing* knowledge.
      • There are numerous benefits to be gained by a programmer who examines real open source code. They can implement new features, squash bugs, tweak functionality.

        Are you perhaps referring to free software, rather than open source software in general?

  • No source for you (Score:4, Interesting)

    by cermanius ( 814292 ) on Monday September 20, 2004 @07:04AM (#10296202) Journal
    Only 30 eh? It doesn't mention anything about M.S. letting the US government see the code. Think they might still be a little bitter with that whole "You have a monopoly. We can't let you do that..." thing? Or do you think M.S. is afraid the Department of Homeland Security might issue another advisory saying that Office 2003 is insecure and everyone should switch to Open Office.
    • No, they're afraid the US governmentn will run Eric Raymond's "shredder" programm and find more lovely bits of source code they've stolen, and verify that OpenOffice in fact does not use Microsoft's source code despite the lawsuits.
  • Readable? (Score:5, Interesting)

    by Daengbo ( 523424 ) <daengbo AT gmail DOT com> on Monday September 20, 2004 @07:05AM (#10296204) Homepage Journal
    If the reports that I've heard are true about the code, it's so confusing that the developers are afraid to change much lest they break something. All that backward compatability screws everything up. Could the govenments make much sense of it if the MS developers are having a hard time?

    Love this part:
    Redmond, Washington-based Microsoft keeps its source code closely guarded, and requires any governments or companies to sign agreements not to divulge the data that is used to create its software programs.


    The Linux software system, which is now a major competitor to Windows and other Microsoft products, and its source code are freely available to anyone under an open source license that guarantees that the data will always be shared.
    • The Linux software system, which is now a major competitor to Windows and other Microsoft products, and its source code are freely available to anyone under an open source license that guarantees that the data will always be shared.

      And this is exactly the one reason the majority of the open source community overlooks and this is exactly why open source is so important to the world. This should be a prime motivation for using open source. This, and the use of open standards of course.

    • Re:Readable? (Score:2, Interesting)

      by Daengbo ( 523424 )
      I feel like elaborating on this quote a little. OMFG -- It's a press move by MS, and Reuters ... Reuters ... prints a story which will probably be picked up verbatim by many newspapers mentioning that Linux already does this, and does it better.

      I'll say it again... OMFG!!! What is the world coming to?
  • by DrSkwid ( 118965 ) on Monday September 20, 2004 @07:06AM (#10296212) Journal
    Because then we too can have the benefit of a world class spell checker

    "30 different world governements"
  • by dpoulson ( 132871 ) <daz AT 22balmoralroad DOT net> on Monday September 20, 2004 @07:06AM (#10296213) Homepage Journal
    Programmers in 30 countries all seem overcome by fits of laughter.
  • Clippy (Score:3, Funny)

    by Anonymous Coward on Monday September 20, 2004 @07:07AM (#10296217)
    clippy() {
    if (disabled == true) {<br/>
    disabled = false;<br/>
    annoying_interrupt();<br/>
    random_cr ashes();
    }
  • by MurrayTodd ( 92102 ) * on Monday September 20, 2004 @07:07AM (#10296218) Homepage
    1. We give source code for Office 2003 to more than 30 world governments.
    2. They show their brightest computer programmers this code.
    3. Trying to comprehend the source (written in typical Microsoft Quality) the programmers' heads implode, causing death within 2 hours.
    4. With all the programming talent taken care of, we get all the world governments to outsource their internal I.T. operations to us.
    5. We take over the world!
  • by acceleriter ( 231439 ) on Monday September 20, 2004 @07:08AM (#10296220)
    . . . the DRM components and the secret file format parsers. Besides, all those governments, if they're that paranoid, should each worry about the other twenty-nine governments that will all have access to the supposed source.

    I'll believe it when the government of Randomistan announces that they received the source code and build tools, and have compiled a version that bit-for-bit matches the retail CD.

  • I have my doubts that MS is really going to do what it states it will. It'll probably release some code, of that I'm sure. But, my gut tells me it will be non-important code. Who is going to know? Odds are their document formats and their proprietary secret stuff is still going to be hidden. Sure, we'll have the code to see how to finally axe Clippy, but we won't be able handle Word Documents any better.


    My glass is just half-empty, I guess.

  • by StateOfTheUnion ( 762194 ) on Monday September 20, 2004 @07:08AM (#10296222) Homepage
    Are any of these governments already using open source technologies? I wonder if this effort is to get governments to switch back to MS products or only to prevent others from joining those that have already defected from Microsoft's empire . . .

    Alos, are any of these governments developing countries? Or southeast Asian? In other words is Microsoft entrusting the code to any governments that seem to take a blind eye to software piracy?

  • Do 30 different world governments employ programmers who can understand this junk? What are they going to do with the code, exactly? How much money will be wasted around the world?

    What a waste of time, but gotta give it to 'em, it's an interesting PR move.
  • A marathon starts with the first step.

    I wonder if governments will be permitted to publish documents describing the file formats? If so, this could be the biggest benefit of the source code being made available to them.

  • But wait! (Score:2, Insightful)

    by netsharc ( 195805 )
    Didn't MS say, if "hackers" can see the code, it would be easier to write exploits for it? Why are they exposing their own code then?!?
    • Didn't MS say, if "hackers" can see the code, it would be easier to write exploits for it? Why are they exposing their own code then?!?

      Because they know it's FUD, because they're the ones who made it up? I seriously doubt they expect the code to not be leaked.

  • by SQLz ( 564901 )
    Its not open source. Whats so great about doing Microsoft's work for them and getting nothing in return?
  • by hfis ( 624045 ) on Monday September 20, 2004 @07:12AM (#10296251)
    With all due respect (cough) to you MS bashers out there, this is a good thing and I don't believe MS should be given a bad rap for it.

    Isn't one of the main arguments against Windows that its closed-sourcedness makes it harder for security holes to be found and fixed? To me, it looks like Microsoft has taken the first step in recitfying this problem.

    • Point Taken (Score:2, Insightful)

      by p.rican ( 643452 )

      With all due respect (cough) to you MS bashers out there, this is a good thing and I don't believe MS should be given a bad rap for it. Isn't one of the main arguments against Windows that its closed-sourcedness makes it harder for security holes to be found and fixed? To me, it looks like Microsoft has taken the first step in recitfying this problem.

      I'm not a big fan of MS but they are very reactive to anything that threatens their primary source of revenue. MS should have been doing something along th

  • Another SCO? (Score:5, Interesting)

    by iammrjvo ( 597745 ) on Monday September 20, 2004 @07:15AM (#10296258) Homepage Journal

    When (not if) the source code is leaked, then how long will it be before MSFT claims that office code was integrated into OpenOffice. How much in royalties will they demand?
    • Lawsuits to follow (Score:5, Insightful)

      by walterbyrd ( 182728 ) on Monday September 20, 2004 @07:24AM (#10296319)
      That's exactly what I was thinking.

      If I was a software developer, I wouldn't want to go anywhere near that code. You can be sure that anybody who views this code will no longer be able to work in software development. After you view that code anything you write that works with msft files, will be considered a stolen idea.

      Besides, who needs it?
  • by StateOfTheUnion ( 762194 ) on Monday September 20, 2004 @07:15AM (#10296261) Homepage
    After thinking aoubt this for a while I think that it may be a brilliant strategy on MS's part . . .

    If the government of a country has the source code of the software to examine for security flaws, doesn't this give MS a defense against liability from future lawsuits? For example, if the UK government gets to inspect the source code, continues to use MS-Office, and then has a major problem due to hackers hacking MS-Office; MS can say that the software was given a clean bill of health by the British government, so MS shouldn't be held liable.

    I know that no defense is necessarily bulletproof, but this is just going to give MS's legal dept. more ammunition so that that MS can get away with writing sloppy code and not be found as grossly negligent.

    • I think that "limited liability" is already stated in EULA. Why do you think nobody sued MS or other software giant for bugs/exploits?
      And that's a good thing actually, because it's market force in action, not freaking lawsuits (If the software is buggy - just stop buying. Simple).
      The least of two evils.
  • My Q(s) is/are... (Score:5, Interesting)

    by danalien ( 545655 ) on Monday September 20, 2004 @07:15AM (#10296263) Homepage
    * what's "_most_" of the src(s)?

    • /* Quote [emphasis added]: "The new initiative is an extension of Microsoft's Government Security Program, which allows the governments of more than 30 countries to examine
    • most of Microsoft's underlying source code, or software blueprint for its flagship Windows operating system." */

    * what is 'required' to agree beforehand with? ..and how will this agreement effect ones ability to work (with other 'source code(s)') in the future to come?

    • /* Quote [emphasis added] : "Redmond, Washington-based Microsoft
    • keeps its source code closely guarded, and requires any governments or companies to sign agreements not to divulge the data that is used to create its software programs." */
  • . . . have people with the expertise to actually check the MS Office source for security holes? Especially given how (probably) huge and internally messy that source code is? (The OO.o 1.1.2 source, which is probably on the same order of magnitude, is over 200MB--compressed.)

  • Why not go with an open source product that has already been audited for security holes by the general public.

    Why waste goverment money when there are free alternatives?
  • So I guess Microsoft is going to use "Taxpayer Source" to compete with open source . . . in other words, have "taxpayer funded government-paid" people find security flaws in Microsoft software so that Microsoft doesn't have to pay its own people to do it.

    Sounds like a sneaky way to get a subsidy . . .

  • Don't Look (Score:5, Insightful)

    by suezz ( 804747 ) on Monday September 20, 2004 @07:21AM (#10296304)
    If anybody develops for OpenOffice or any other office suite I would not even get in the same room as the code. If you look at the code and develop for OpenOffice then Microsoft will probably come after you saying you stolen their code because you read it and it gave you the ideas and means to do the programming. Be very, very, very careful - why would a proprietary company want people to see it's secrets that has been its cash cow for the past 4 or five years. I think they are gearing up for an attack on open office - now that we have seen part of the agreement between sun and them - why would open office even have to be mentioned in the agreement - it has nothing to do with them. I smell something rotten in denmark.
  • i wonder how long it will take to figure the average software analyst / programmer, to understand the code that is released. i mean, the code-base for an office suite is bound to be enormous.
    plus... what is the actual outcome supposed to be? will some government-sponsored IT professional point out "this and that is not secure, not reliable, not interoperable" and MS will change it? or is it like "hey, that's fine (and i am not sponsored by MS), everyone should prefer M$ office over Open Office, now that i
  • ... running naked up and down the corridors screaming:

    The monster has capitulated, the monster has capitulated!!!!

    Ahhh don't you love Linux?
  • Smoke and mirrors (Score:5, Interesting)

    by Slinky Saves the Wor ( 759676 ) on Monday September 20, 2004 @07:25AM (#10296322) Homepage
    This is basically a load of crap. Why? Well...

    If you cannot compile the given source to a fully working Microsoft Access (or whatever source is provided), how can you be sure that the program you buy from the store contains the same source code?

    You can't, since you most likely can't compile the given source, and keep on using that compiled version!

    This is just smoke and mirrors. Now Microsoft can say their code has been provided for auditing by some instance, so it's got to be safe. However, there is no guarantee that the defects found will be fixed at all, and that the fixes will ever be found in the actual product. There is also no guarantee that the software you obtain from the store is the same as that for which the source was provided.

    You can easily implant backdoors to the supposedly "audited" source code: just don't give the newly modified source code with the backdoor back to auditing...

  • Just inspect the source of OOo [openoffice.org] instead.

    MS are hypocrites, claiming that Open Source is a problem, yet trying to reap its rewards on their own products.
  • by Quinn_Inuit ( 760445 ) <Quinn_Inuit@ya h o o . com> on Monday September 20, 2004 @07:29AM (#10296342)

    Other commentors have opined that this is a clever Microsoft strategy. Perhaps. I have my doubts.

    First, they're implicitly acknowledging the security arguments in favor of open source. What will their corporate clients think? Like _they_ trust the gov't to vet their code for them. Doing this will only strengthen the demand on a number of fronts to see the Windows source.

    Second, the only way for two people to keep a secret is if one is dead. I don't care what those EULAs say, if you distribute some of the most valuable closed source in the world to 30...30!...gov'ts, someone's going to leak it. Remember the .bmp buffer overrun? I wonder what's going to flow from this.

  • Just a PR stunt (Score:5, Interesting)

    by Andy_R ( 114137 ) on Monday September 20, 2004 @07:30AM (#10296345) Homepage Journal
    From the article (emphasis added by me)

    The new initiative is an extension of Microsoft's Government Security Program, which allows the governments of more than 30 countries to examine most of Microsoft's underlying source code, or software blueprint for its flagship Windows operating system.

    What's the benefit in looking at "Most of" the code and seeing if it is secure?

    Absolutely nothing at all, apart from Microsoft getting an NDA signed on your behalf by your Govern(e)ment without any consultation with the public.
  • Half of a puzzle (Score:2, Insightful)

    by maximilln ( 654768 )
    Is it possible to do a worthwhile security audit of Office source if one doesn't have access to the OS source with which it so tightly integrates?

    My brother discovered that the best way to make a perfect maze in Racing Destruction Set [planetflibble.com] was to start with the + piece and just click like mad random all over the potential map. After strategically *g* placing about 10 intersections the next 30 minutes would be spent connecting them. This resembles the logic structure for any operating system and accompanying m
  • by WindBourne ( 631190 ) on Monday September 20, 2004 @07:43AM (#10296416) Journal
    This should be interesting to find out if governments will actually do MS's work for them? And for that matter, why should a government do MS's work, and then pay for all the millions of copies of Office, when they can simply go into OpenOffice and update that one and then elect to upgrade to SO or stay with OO.
  • Anti-Microsoft? (Score:2, Insightful)

    by thegnu ( 557446 )
    This is little more than a metacomment, but I have to say this. I'm really not sure that anyone here who finds a problem with MS's actions is anti-MS. The truth is, this is a bullsh. cop-out release of source code. This is NOT open source code.

    Also, it is unbearably true that Microsoft has been dealing more and more directly with government officials these days. And taxpayers do, in fact, pay for absolutely everything a government does.

    I'm not upset about this particular issue. I'm upset enough about
  • by dJOEK ( 66178 ) on Monday September 20, 2004 @07:58AM (#10296509)
    I don't know about the rest of the world, but generally People Working At Governments aren't exactly the best and brightest or the best motivated workers. Let's call them Very Good at being Mediocre.

    Imagine the following:

    Boss: Jim, you're a programmer right?
    Jim: uh, right
    Boss: Management told me to inspect some code for bugs. I tossed it to the printer. Can you mark all the bugs with magic marker?
  • Consequences? (Score:3, Interesting)

    by wombatmobile ( 623057 ) on Monday September 20, 2004 @07:59AM (#10296519)

    If developers who look at MS Office code are prhobited thereafter from working on other software projects such as open source projects that cross Office's domain, how many less contributers might there be to open source projects as a result of this?

  • Out of Interest... (Score:3, Insightful)

    by Singletoned ( 619322 ) <singletoned@gmail.com> on Monday September 20, 2004 @08:44AM (#10296853) Homepage
    People keep talking about programmers becoming tainted by looking at proprietary source code, but has anyone ever been sued or prosecuted after having done so?
  • by cpghost ( 719344 ) on Monday September 20, 2004 @08:55AM (#10296943) Homepage

    This is not nearly enough to satisfy governments. First of all, code that they don't compile themselves is not guaranteed to stem from the same set of sources. Second, the source code to the OS, and to the compilers is needed as well, because, hey, what does that black box kernel, dll, or compiler toolkit add to the pristine source?

    Responsible governments would either avoid closed-source products completely, or they should require a complete source code system that they could bootstrap themselves. No hidden binary at all!

    Would Microsoft provide such a complete, source code system that could bootstrap itself? It was reported many times earlier that they are having a helluvatime to maintain their own compiling environment. Would they be able to package it in such a way that non-Microsoft personnel could do something with it...

    ... assuming that they were sincere, and not just pulling a cheap PR stunt?

  • by roesti ( 531884 ) on Monday September 20, 2004 @09:42AM (#10297383)
    Hang on a second. I thought that even if you let other people review your source code, they're highly unlikely to do so. Isn't that one of the arguments that the anti-OSS crowd march out all the time? Now, Microsoft are doing it, and they're telling people it's for security purposes. Aren't they conceding that this argument is flawed, if they themselves can see some merit in doing so?

    Coming up in the news, Microsoft will announce it will start making good design choices, writing good documentation, publishing their binary file formats, and giving away their flagship software for free. For the government. Foreign ones, even. Probably.
  • It's not the eyeballs that make open source attractive, it's the lack of central control.

    If Office was open sourced we could pull the design flaws that lead to security holes out. Back in the '90s there was a smart fellow in Florida who came up with an effective counter to the word macro virus problem... he came up with a macro that disabled all the automatically executing macros, so you could open a Word document with macros without having them trigger. Unfortunately a later version of Word disabled it as part of Microsoft's virus protection feature. Unfortunately Microsoft's feature gave you the option of completely disabling and hiding all the macros, so you couldn't even see what they were, and leaving them enabled. So if you actually needed to use macros you were just as exposed as if they had done nothing... worse, in fact, because you couldn't kill the autoexecute capability.

    In an open source project we could back that out, we could even restrict macros to making changes in their own document only, so they couldn't propogate or do harm. But no matter how many eyeballs there are on the code, if the brains behind the eyeballs can't make changes then there's not much point... even if every line of Word was free of buffer overflows, so long as it's got that powerful a macro language with no way to control it the basic security problem remains.
  • by inkswamp ( 233692 ) on Monday September 20, 2004 @12:18PM (#10298922)
    Let me see if I can get this straight. When it's a bona fide open source project, Microsoft's FUD dept. and their apologists will claim that many eyeballs viewing the source code doesn't make a piece of software any more secure than closed source, proprietary software. However, when it's a Microsoft product having some of its source pried open just slightly for viewing by a select few, then it's considered a way to make it more secure.

    I believe this is called having one's cake and trying to eat it too.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...