What do you do when the company that provides your most critical business software admits that it was hacked? And what happens when this security lapse lasts up to 3 months, apparently giving hackers access to the source code of the company's crown jewels for an extended period of time? Well, this event actually happened. Last week, Microsoft announced that it had suffered just such an attack, President and CEO Steve Ballmer tried to calm his customers Friday by explaining that the source code to Windows and Office was OK. But the Wall Street Journal (WSJ)—whose reporters talked to people close to the hackers—wrote that things aren't OK. And it might be weeks before we know whether Microsoft shipped any software that hackers modified, despite the calming tones of the company's subsequent revelations.
Are you scared yet? I am. And despite what Microsoft says, this event proves beyond a shadow of a doubt that the company's approach to security is exactly what critics say it is: completely inadequate. If Microsoft weren't so hell-bent on killing its competition under a mountain of features at every step, this attack never would have succeeded. If the reports are correct, the attack took advantage of security lapses in Outlook that let hackers install a backdoor application on a user's system—in this case, a Microsoft employee's home system—and execute secret code that opened up the company's internal network. And the WSJ reports that the hackers who first gained access to Microsoft's network immediately began collecting sensitive password data so they could gain access to the most sensitive parts of Microsoft's network. If the report is true, they got it all: the source code to current and future versions of Windows, Office, and other applications.
Still not scared? Consider the possible rationale for and the ramifications of such an attack. Most hackers are looking for revenge or to make a name for themselves, and Microsoft is an obvious target (therefore, the company should have one of the most secure networks in the world). Hackers might simply want to harm Microsoft by making subtle changes to Office and Windows source code, making these programs unstable. Or they might want access to Microsoft's intellectual property so that they can give it to companies that make competing products. Big companies such as Sun, Oracle, and even Red Hat would, of course, probably resist breaking the law and report the attempted delivery of Microsoft source code. But in the world of open-source software, how do you know where snippets of code come from? If some enterprising developer suddenly comes up with a cool way to add Microsoft Office-like features to, say, Sun Open Office, how would anyone know that the code really came from Microsoft?
At the heart of this problem is the debate about open-source software and the proprietary, closed model older software companies such as Microsoft use. Microsoft jealously guards the source code to its products because that code is the company's biggest asset. But products such as Linux are developed in the open, by a committee of sorts, and the source code is available to one and all. When someone finds a security problem in Linux, for example, many people discover what the problem is and work to fix it immediately. When someone discovers a security problem in a Microsoft product—and let's face it, security problems surface every week—customers must wait for Microsoft to even acknowledge the problem's existence. Then, customers wait for the company to provide a workaround, and, hopefully, release code that actually fixes the problem. And in many cases—take most Windows NT 4.0 service packs, for example—the fixes cause more problems than the original issue. It's an untenable situation, regardless of your position in the open-source debate.
I'm sure that Microsoft was embarrassed to admit the hack publicly and involve the FBI. But the hack involves much bigger issues than embarrassment. I still get email occasionally from people who worry that Windows or Office secretly sends information back to Redmond. And, although these concerns are largely unwarranted, the news of a Microsoft hack makes me wonder whether someone is looking over my shoulder, even as I write this. The fact that the person isn't from Redmond makes the idea even more disconcerting. I fear the unknown enemy more than the known. And for all of Microsoft's customers, this event is a very real concern.