Is It 'Code Red' for Windows OS?

by Paul Rubens

Microsoft gives the Russian Federal Security Service access to source code for Windows Server 2008 R2, Office 2010 and SQL Server, thus bringing the 'more eyeballs, more secure code' argument back to the surface. Only this time, it isn't about Windows vs. Linux. And that's not the only recent twist out of Redmond: Azure will come in more than one shade.

What do you do when you find a serious vulnerability in Microsoft server OS source code? You could tell the whole world about it, or you could keep schtum and just inform Microsoft. Or, of course, you could tell no one and use the knowledge to go and attack other systems.

What would the Russians do? That's an interesting question, and I guess we are about to find out because Microsoft (NASDAQ: MSFT) recently signed a deal with the Russian Federal Security Service giving it access to source code for Windows Server 2008 R2, Office 2010 and SQL Server.

The announcement has security wonks in a tizzy, with Richard Clayton, a UK-based security expert, pointing out that there must be tens of thousands of bugs in the millions of lines of source code. A malicious body need find only one that can be exploited successfully to launch attacks on its enemies.

But he also observes there are plenty of ways to find software bugs -- such as fuzzing -- without having access to source code. "If a government has the source code it can find different sorts of security vulnerabilities and perhaps exploit them, [but] it's unclear whether access to the source code makes people better or worse off," Clayton told ZDNet.

What would happen if everyone had access to server OS source code? Not just the Russians, but the Chinese, the North Koreans -- everybody? Well, with open source server OSes like Linux they already do, and you have to say that it doesn't seem to have done anyone much harm. Hackers find plenty of bugs in Microsoft's server OS products despite not having access to the code, and even though -- perhaps, thanks to -- everyone and his dog being able to inspect Linux code, it doesn't seem like considerably more flaws are found in Linux-based open source servers. Quite the reverse, in fact.

Microsoft's agreement with the Russian spooks will allow various Russian agencies to study the code and develop cryptography for the Microsoft products, Igor Tsukanov reports in the Russian publication Vedomosti. It's not clear if the Russians will then contribute this code back to Microsoft. If they do, it sounds almost like Microsoft is adopting the open source software development model. Which is rather surprising.

Talking of surprises, Microsoft announced at its Worldwide Partner Conference 2010 earlier this week that the Azure OS for the cloud will also be available for enterprises to run in-house. That's a bit of a turnaround for the books, since previously Azure was available only as a service hosted by Microsoft. Now, the company says Windows Azure Platform Appliances will be made available for customers to install in their own data centers to address the concerns around physical control, location, regulatory compliance and data sovereignty that some potential Azure users have had. It's not clear at this stage what the appliances will look like or cost, although Microsoft Vice President of Server and Cloud Platform Marketing Bob Kelly told The Register, "it will not be a one-server appliance. It's more than one server." What we do know so far is that it comprises Windows Azure and SQL Azure, running on Microsoft-specified hardware from Dell, Fujitsu and Hewlett-Packard.

Microsoft has clearly been bitten by the cloud bug in a big way recently, and it was also touting its Private Cloud Deployment Kit at WDC. Details on this remain fuzzy, but essentially, it's a way of using the Windows Server OS, System Center management software, Hyper-V virtualization and SQL Server to build -- you guessed it -- your very own private (or public) cloud, and one which is more versatile and customizable than Azure. "Our strategy is to provide the full range of cloud capabilities in both public and private clouds," explained Robert Wahbe, Microsoft vice president of server and tools.

So there you have it. Microsoft now has not one, not two, but three strategies for the cloud: plain vanilla Azure, Azure appliances for enterprise clouds, and a more customizable roll-your-own enterprise cloud based on Windows Server.

And the company is giving its source code to the Russians and may be adopting an open source software development model. Not bad for a sleepy week in July.

Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.

This article was originally published on Tuesday Jul 13th 2010