Microsoft has no intention of allowing government geeks to freely paw the company's beloved source code.
The company's new Government Security Program will be far more akin to a peep show guarded by aggressive bouncers than a full-blown open-source orgy.
Tuesday's GSP announcement wasn't even much of a surprise to security experts -- Microsoft announced a similar program last April that also gives government clients access to the source code of some Microsoft programs.
"This doesn't seem to be much of a new development," said Robert Ferrell, a systems security specialist for the U.S. government. "It might be a step in the right direction, but it's only one step on a journey of 1,000 miles."
GSP broadens the number of companies eligible to participate in Microsoft's shared source program from 30 to almost 60 and puts the emphasis on securing Microsoft programs rather than simply sharing code.
Sharing in this case comes with strings attached. While anyone can review and change the code of open-source programs, Microsoft's shared-source scheme imposes constraints.
Salah Dandan, worldwide manager of GSP, says source-licensing rights under the GSP come in two flavors: reference grants and validation grants.
Reference grants permit the viewing of source code in read-only format for conducting security reviews. Validation grants permit agency personnel to work jointly with Microsoft to validate the code and add new features to it.
Modification is restricted to adding customized cryptography applications to the code.
Open-source programmers say the biggest benefit of open-source development is shared knowledge. Thousands of experts pore over program code and post the problems they find, along with fixes, on websites and newsgroups.
Participants in Microsoft's GSP won't be openly sharing the details of whatever they find in MS code.
Dandan said the "source-access rights" will be exclusive to the agency to which they are granted, along with its approved contractors and consultants.
Security experts said conditions such as these would make it difficult for the GSP to provide broad benefits.
"The only beneficiaries in this case are possibly the governments using the GSP'd products that they've fixed or altered under GSP licensing," said Richard Forno, a government security consultant. "The private sector is still stuck using Microsoft products on a lick and a prayer."
Microsoft has separate shared-source programs for enterprise and education clients.
GSP access to source code is provided via the Microsoft Developer Network. Authorized government employees can view source code from approved locations through a smartcard-based, Secure Sockets Layer connection.
"This sounds as though you never actually get to hold the code in your hot little hands, as it were, but just view it through an SSL-connected browser," Ferrell said. "An OS like XP is several million lines of code. In order to conduct a thorough audit of something that size, you need to have the whole kit and caboodle available at once.
"Code audit programs have to trace function calls, pull data out of libraries and perform a lot of similar cross-component analyses that would be exceedingly difficult using a piecemeal approach like the one MS seems to be offering here."
Ferrell stressed that his comments were not based on a complete analysis of GSP, were not made in any official capacity as an agent of the government, and do not represent the views of his employers. "They're just the comments of a crusty old hacker," he said.
Most developers think that the GSP is simply a way for Microsoft to divert growing government attention from Linux and other open-source products.
"China won't touch Windows and is leaning heavily toward Linux," Forno said. "That's a huge market for MS to allow slip away. So they're trying to appear semi-conciliatory to open-source-type licensing."
More stories written by Michelle Delio