To appease various governments, Microsoft will allow them to examine its source code for security flaws. How would you like to be the government intern who gets that job?

“Rick, we have this software here, and we need you check if it’s secure. Couple weeks ok?” Windows Server 2003 of course contains tens of millions of lines of code. Even given a concerted effort, what are the chances that any amount of scrutiny from a government body will produce meaningful results?

TENS OF MILLIONS, people. They could have 8 solid pages containing nothing but the words “I LOVE BEER” over and over, and I bet no one would ever notice. In fact, if anyone at Microsoft is reading this, I highly recommend doing that in order to help prove my point.

In the open source community, the entire code base is available to all people, all the time. If it was really that easy to pick out security issues, why are there still vulnerabilities being found to this day in old code?

Compared to the general open source approach (which arguably works pretty well over time, given a large enough community), I think this limited MS source release doesn’t stand a chance of turning up anything interesting.

It’s not Microsoft’s fault that this is a dumb idea. They have lots of people who are paid lots of money to write this software, and contrary to popular vilification, they do a pretty good job of making it secure (lately). I’m sure they know how pointless this whole source review thing is going to be. But hey, it will give the government bodies that comfortable feeling that they are in control of what they run, and MS gets to sell some licenses.

Oh yeah, and one other thing. What makes the auditors certain that the stuff they check is even the source used to build the products? If–and I’m sure this isn’t true– there was some kind of malicious-backdoor-secret-espionage code in there, the author could just delete it out of whatever source they send to the auditors for review. Unless the governments are going to compile their own versions of Windows Server and related software, they can’t be sure they’re clean, even if they manage to effectively check all the source via some magic method.

Oops! Even if they could build their own software from source, there could still be malware automatically built in by the compiler. For further reading on this point, check out this classic Ken Thompson article. I guess they could always try to build the code with the Borland compiler instead… Do they even make that any more?

In summary, this idea is stupid to at least three levels of magnification. In the end, we find that the entire endeavor has been a colossal waste of time and energy, and we haven’t even answered the question we were trying to address. In other words, typical government program.