Two recent moves by previously tight-fisted (read: proprietary) developers of software – Microsoft and the United States National Security Agency (NSA) – to open-source some of their applications could have a significant impact on developer and cyber security communities.
First, Microsoft. The software giant announced in March it was open-sourcing its Windows Calculator on GitHub under the MIT Licence. This includes the source code, build system, unit tests and product roadmap.
“Our goal is to build an even better user experience in partnership with the community. We are encouraging your fresh perspectives and increased participation to help define the future of Calculator,” Dave Grochocki, senior program manager, and Howard Wolosky, senior software design engineer on Microsoft’s Essential Experiences Team working on Calculator, declared in a blog announcing the move.
Some commentators welcomed the announcement as yet another indication that Microsoft’s embrace of open source software is deepening. Others felt the announcement was no big deal, given that it was really only about a calculator. Besides, just one day before, at the 2019 RSA Conference in San Francisco, a key event in the global cyber security calendar, the NSA demonstrated and made available one of its powerful anti-hacking tools.
Nevertheless, while Microsoft will continue to run its own testing, security and quality control of Calculator, the Microsoft duo noted that reviewing the Calculator code would provide developers with a great way to learn about the latest Microsoft technologies like the Universal Windows Platform, XAML and Azure.
“Through this project, developers can learn from Microsoft’s full development lifecycle, as well as reuse the code to build their own experiences,” they wrote.
The significance of this announcement, therefore, goes beyond the ability of developers to submit new features, bug fixes, and other changes for potential inclusion into the Calculator. It could be seen as the first time developers will be able to contribute directly to Windows 10 releases. Previously, the only contribution developers outside of Microsoft could make was to identify and report bugs through the Windows Insider program.
And to make developers’ participation even easier, Microsoft will be contributing custom controls and API extensions that are used in Calculator and other apps to projects like the Windows Community Toolkit and the Windows UI Library.
But still, it’s just a calculator and Microsoft will have to make considerably more concessions to open source to compete with the NSA announcement about its software reverse engineering framework, GHIDRA.
The NSA has developed several advanced hacking tools such as EternalBlue, which, after being leaked in 2017, is alleged to have been used by cyber criminals (and rival governments) to infiltrate target computers and spread malware across networks.
However, there is no risk of GHIDRA being leaked, now that it has been open-sourced. Making the announcement at the security conference, NSA cyber security expert Rob Joyce said the tool would be a contribution to `the nation’s cyber security community’. As open source, it will undoubtedly contribute to the cyber security community well beyond the borders of the United States.
According to Joyce, the GHIDRA platform includes ‘all the features expected in high-end commercial tools, with new and expanded unique functionality NSA developed’.
GHIDRA cannot be used to hack devices. Rather, as a reverse-engineering platform, it can take compiled and deployed software and ‘decompile’ it, allowing researchers to understand how identified malware works, what its capabilities are, who wrote it and where it came from. It’s also an important way for developers of anti-malware software to check their own code for weaknesses.
While there are other reverse-engineering products on the market, this is believed to be the first time a high-end tool of GHIDRA’s calibre and pedigree has been made available for free.