Leaked Code Is Traced to Microsoft Partner Firm
Nothing is more sacred to Microsoft Corp. than the millions of lines of programming code that make up its flagship Windows operating system. It’s the computer world’s equivalent of Coca-Cola’s secret formula or the Colonel’s 11 herbs and spices. It’s the crown jewels that make Microsoft among the most powerful companies on the planet.
As the software giant has been forced to let hundreds of regulators and other outsiders gape at the source of its dominance, it has gone to extraordinary lengths to protect those technology blueprints, using “smart cards” to keep tabs on outsiders who peer at the most sensitive bits and deploying secret watermarks to track individual batches of code.
None of that, it turns out, was enough.
Major chunks of the code in Windows 2000 and Windows NT 4.0 operating systems for server computers leaked onto the Internet on Thursday, allowing hackers to swap hundreds of copies and pore over the code looking for new ways to attack the world’s computers.
As it ramped up its investigation Friday, Redmond, Wash.-based Microsoft didn’t point the finger at any of those whose access had made the company so nervous in the past. No foreigners, Linux-loving academics, disgruntled computer makers or states suing over antitrust violations were to blame.
Instead, early evidence led to Mainsoft Corp., a longtime business partner that adapts Microsoft products to work with a rival operating system called Unix. The pilfered code includes language pointing to internal Mainsoft documents and e-mail addresses, people who reviewed the code said.
Security experts said the compromised code had apparently been given to the San Jose company, though it was unclear whether an employee made the copy or an outsider broke in electronically and took it. Mainsoft said Friday that it was cooperating with Microsoft and a criminal probe by the FBI and other law enforcement agencies.
“Mainsoft takes Microsoft’s and all our customers’ security matters seriously, and we recognize the gravity of the situation,” said company Chairman Mike Gullard.
The leaked code, although only a small fraction of the more than 20 million lines in the entire operating system, includes most of the kernel, or technical core, of the program. It does not include much in the way of instructions to help outsiders gain access to a computer. That would have been far more damaging if it had fallen into malicious hands.
The programming appears to have been modified from its original state, said Ken Dunham, director of malicious code intelligence at security firm IDefense Inc. “There’s a mixture of professional code and sloppy, experimental things,” Dunham said. “It looks like whoever got this code played around with it.”
Because of the nature of the work it did, Mainsoft had more freedom than most to see and tinker with Microsoft code. Other software shops typically are given only what they need to carry out a specific project, with key pieces of code removed.
“They never give enough code that you can rebuild the whole system,” said Chris Wysopal, a founder of security firm AtStake, which has done contract work for Microsoft. “It’s always missing something.”
The leak underscores how tricky it is to police the spread of property once it has been reduced to electronic form.
There are two primary reasons Microsoft code hasn’t leaked before, according to current and former employees. One is the fear of getting caught and being prosecuted. The other is the technical obstacles that prevent a hacker from doing something useful with the language once it’s obtained.
“We have tons of code on different computers,” said Jason Matusow, a manager of Microsoft’s program for sharing source code with affiliates. “There’s no one, highly secured vault where Tom Cruise would be breaking in with lasers.”
Thousands of Microsoft employees have permission to peruse the entire code base through their electronic accounts. It wouldn’t be that difficult for a Microsoft insider to make a personal copy, said a former employee who asked not to be named. Indeed, rumors have abounded in the hacking underground that a few outside programmers have at least some of the code.
“It’s not like Coke, where a very small number of people know the formula,” said Richard M. Smith, an Internet security consultant in Boston.
Large development projects that require secrecy often lead to struggles over how much access to give individual staff members.
During the Manhattan Project to create an atomic bomb in the 1940s, Gen. Leslie R. Groves argued in favor of giving each scientist only a tiny piece of the project so that no individual would know how to build a bomb. Nuclear physicist J. Robert Oppenheimer wanted a team effort, with information shared among many scientists. Oppenheimer won.
“If you try to really clamp down and control source code within an organization, you’re going to limit the ability of engineers and programmers to do their job,” Smith said. “That’s a trade-off you have to consider.”
Whereas Microsoft insiders have little trouble getting access, most outsiders have had to battle even for brief peeks.
As part of its antitrust settlement with the Justice Department and more than a dozen states, Microsoft agreed in principle to allow government experts to review its code. But negotiating the specifics has been excruciating.
Until recently, Microsoft demanded that the government experts work on its 300-plus-acre campus. The regulators still haven’t been able to read the code behind the Windows XP operating system for consumer PCs, a state official said: “Microsoft hasn’t exactly rushed to provide that access.”
Not even Microsoft’s best customers, the computer makers who sell the majority of Windows-based machines, have had a gander.
“They never show it to us,” said an executive at one computer manufacturer. He cited two reasons: “A, because they’re paranoid, and B, because we don’t really have a business need.”Adding insult to injury, the computer companies and other partners have had to promise in writing that they won’t try to reverse-engineer the Windows code that they haven’t been able to see, he said.
The executive said he understood the reasoning for holding onto the code so tightly. After all, he said, “that’s their special sauce.”
Matusow declined to give many specifics about Microsoft’s security measures. But he said the most important element was trust in those that do have access.
Microsoft officials said they didn’t anticipate any wholesale changes in Microsoft’s approach in the wake of the code leak.
“I can’t imagine there will be any fundamental shift,” Matusow said. “We need to work with our partners.”
*
Times staff writer Chris Gaither contributed to this report.
