In March of 2020, Americans began to realize that the coronavirus was deadly and going to be a real problem. What no Americans knew then was that at about the same time, the Russian government’s hack of SolarWinds’s proprietary software Orion network monitoring program was destroying the security of top American government agencies and tech companies. There were no explosions, no deaths, but it was the Pearl Harbor of American IT.
Russia, we now know, used SolarWinds’ hacked program to infiltrate at least 18,000 government and private networks. The data within these networks, user IDs, passwords, financial records, source code, you name it, can be presumed now to be in the hands of Russian intelligence agents.
The Russians may even have the crown-jewels of Microsoft software stack: Windows and Office. In a twist, which would be hilarious if it weren’t so serious, Microsoft claims it’s no big deal.
That’s because Microsoft has “an inner-source approach – the use of open-source software development best practices and an open-source-like culture – to make source code viewable within Microsoft.” It’s nice that Microsoft is admitting that the open-source approach is the right one for security — something I and other open-source advocates have been saying for decades. But, inner source isn’t the same thing as open source.
When hackers, not Microsoft developers, have access to proprietary code, the door’s open for attacks. True, Microsoft’s “threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.” But, making that assumption is one thing. Dealing with reality is something else.