Assume the enemy knows the system

Fri, Jan 1, 2021 3-minute read

One of my favourite memories from my consulting days is a developer who decided to modify the DES encryption algorithm because “it was too well known”.

The developer was not an experienced cryptographer and had made arbitrary changes to the version of DES implemented in their proprietary software. I don’t know what the impact of these changes was, but it likely wasn’t good. This happened in 2001, after DES had been determined to be weak but before it was withdrawn from service in 2005. However, none of the changes the developer made addressed any known issue. The changes were made simply on the basis that the algorithm was public and public, in their mind, was not secure.

As a young technology consultant this flew in the face of “open is good”, but more importantly it ignored Kerckhoffs’s principle, also known as Shannon’s maxim: “the enemy knows the system”. The design of modern encryption algorithms does not rely on the underlying math being secret; in fact there are benefits to making it public, because the whole cryptographic community can then examine the design for flaws and improve it. The only thing that then needs to be kept secret is the encryption key, and it’s far easier to protect a few hundred bits than it is to protect thousands of lines of code.

Shannon’s maxim has been a guiding principle for me in all the work I do: if my security designs and practices rely on secrecy to be effective, then they are fragile. A system that uses the secrecy of its design as a foundational component of its security is ineffective once that secrecy is compromised; once the design is public, the system must be replaced, because it can no longer achieve its security objective. In other words, it is no longer secure. Conversely, an open system that does not rely on its design being kept secret remains secure even if its inner workings are exposed. Relying on secrecy as the main component of security is known as “security through obscurity” and is strongly discouraged in professional security circles.
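To make the principle concrete, here is an added example (my own illustration, not code from the post or from the developer’s product): a toy “proprietary” byte cipher whose only secret is an undocumented tweak hard-coded in the source, beside a public construction (a SHA-256 counter-mode keystream) whose only secret is a 256-bit key. Once the enemy has read the source, the first scheme’s entire secret is 11 bits and falls to a short search with a few bytes of known plaintext; the second loses nothing, because the source never contained the key. The tweak values, sample message and known prefix are all constructed for the example.

```python
import hashlib
import math

# "Proprietary" scheme: the secret is the algorithm itself. Hypothetical
# undocumented tweak values, hard-coded like the modified DES in the post.
_TWEAK_ROTATE = 5
_TWEAK_CONST = 0x5A

def _rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

def _rotr8(b, n):
    return ((b >> n) | (b << (8 - n))) & 0xFF

def obscure_encrypt(plaintext: bytes) -> bytes:
    """No key: XOR with a constant, then rotate. 'Secure' only while unread."""
    return bytes(_rotl8(b ^ _TWEAK_CONST, _TWEAK_ROTATE) for b in plaintext)

def enemy_breaks_obscure(ciphertext: bytes, known_prefix: bytes):
    """The enemy has read the source but not the tweak values. The whole
    'secret' is 8 rotations x 256 constants = 2**11 candidates; a few bytes of
    known plaintext (e.g. a mail header) pick the right one. Returns (plaintext, tries)."""
    tries = 0
    for rot in range(8):
        for const in range(256):
            tries += 1
            if bytes(_rotl8(b ^ const, rot) for b in known_prefix) == ciphertext[:len(known_prefix)]:
                return bytes(_rotr8(b, rot) ^ const for b in ciphertext), tries
    return None, tries

# Public scheme: the construction is open; only the 256-bit key is secret.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 over key || nonce || counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def keyed_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR stream cipher; the same call decrypts. Never reuse a nonce under one key."""
    return bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))

def secret_bits():
    """Bits the defender must actually keep secret: tweak space vs. a real key."""
    return int(math.log2(8 * 256)), 256
```

Reading the source gives the enemy the whole tweak space of the obscure scheme, so a known header such as `b"Subject:"` recovers the message in at most 2048 trials; reading the source of the keyed scheme tells them only what they could already find in any textbook.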

When I think about Microsoft’s disclosure that the SolarWinds hackers saw some of their source code, I’m not immediately concerned. The security of Microsoft’s products is not based on their code being kept secret; exposure may affect their competitiveness and trade secrets, but not necessarily their security. It’s unlikely that there is some “The Net”-style backdoor hidden in the code that is now known to these bad actors.

It’s possible that the hackers saw an unknown vulnerability in the source code and could use it to some future advantage, but that doesn’t change what already happens today. Hundreds of times a year, independent security researchers find flaws in Microsoft (and many other) products without seeing the source code, and they have been doing so successfully for decades. Given how well-resourced the SolarWinds hackers appear to have been, and that they are most likely Russian national intelligence, it is likely they were already searching Microsoft products and probably have a stash of undisclosed vulnerabilities on hand if they are anything like the NSA (see EternalBlue). At this point, unless Microsoft learns more and shares that there was sufficient access to the code to make changes, I don’t think any immediate actions are required by Microsoft customers at large.

TL;DR: The SolarWinds hackers were able to see Microsoft source code but that doesn’t automatically undermine the security of their products.