So did they or didn't they? Through Friday Microsoft spokespeople, spinmeisters and execs seem to have been largely unsuccessful in damping down the fires started by the Wall Street Journal's 'Microsoft hacked' story, but by the end of the day some kind of corporate line seemed to be emerging - they didn't get anything, they didn't change anything, and anyway they weren't in there for long.
But the trouble with the 'no story' story is that it doesn't directly address several of the claims made by the WSJ, that it doesn't necessarily guarantee that the hackers weren't in there for longer (and that they're not actually still in there), and that this Redmond corporate line wasn't completely available when the story first broke.
Compare and contrast:
The WSJ said that hackers could have been in the network for as long as three months. During the day Microsoft sources traded this down to six weeks, and then finally to one week.
The WSJ said that the break-in had been discovered on Wednesday, and after initial Microsoft attempts to investigate it itself, the FBI was called in on Thursday. But later the company said that it had first detected the intrusion on Tuesday 17th, six days earlier.
The WSJ said that Microsoft security "detected passwords being remotely sent to an e-mail account in St. Petersburg, Russia. Microsoft... interpreted electronic logs as showing that those internal passwords were used to transfer source code - software blueprints - outside the Microsoft campus." This would have been entirely impossible in the scenario Microsoft is now describing - the intrusion was detected when the creation of new accounts "did not match our normal audit logs," the activities of these accounts were monitored over the next few days, and only source for one "future product" was seen by the intruder.
In addition, as Microsoft would have a record of download attempts, no code can have escaped. So, after initially giving the impression that its security was collander-like, Microsoft is now presenting it as efficient enough to spot the intrusion straight away, then monitor it, and then finally call in the cops when there was nothing more to be learned.
Seeing the spin-doctors will have known since Thursday at the latest that the WSJ was going with a story, it kind of makes you wonder why they left it until Saturday to run this one by the New York Times for counter-spin. But even laying that aside, there are holes in the pitch.
It seems to be pretty well established that the intruder used the QAZ Trojan to break into an employee's machine, but what happened next is still in some doubt. The break-in was to the employee's home machine, Microsoft told the NYT, the implication being that this was somehow less serious. The certainty of this, and the rest of the story, is however undermined slightly by the NYT saying this was described by Microsoft officials as "one possible chain of events." So maybe they're not sure after all.
Once established on the machine with access to Microsoft's network QAZ will have tried to gain control of other machines on the network. Did it succeed? Despite the assuredness of Microsoft's current story, this isn't covered. What about the passwords being sent to St Petersburg? What about the logs "showing that those internal passwords were used to transfer source... outside the Microsoft campus"? These claims remain strangely undenied.
According to the NYT Microsoft corporate security officer Howard Schmidt Schmidt "said the intruder might have had access to the victim's computer before Oct. 17, but would not have raised alarms within the security offices until he created the new accounts."
So actually the intruder could have been around for three months - Microsoft doesn't know. Microsoft does know about new accounts created by the intruder, and the source they had access to (not Office, Win2k or WinME), but does it know for sure that there were no other unauthorised accounts, or unauthorised control of legitimate accounts?
If you think about what actually happened, even according to Microsoft, your confidence in the Microsoft version of events does tend to ebb. At minimum it was possible to successfully plant a Trojan in a Microsoft employee's home computer. Through this it was possible to gain access to source code under development, even as Microsoft's security people were allegedly monitoring that access. Microsoft incidentally says that the code couldn't have been downloaded because that would have been recorded, rather than that it couldn't be downloaded because it was secure. For the company crown jewels, this is not good.
Either the intruder had initially hijacked the home computer of a reasonably senior employee with reasonably high access levels, or had been able to create new accounts with that status. This is of course perfectly plausible, because Microsoft has a pretty loose structure (which in part explains past escapes of code), and a lot of employees with home access to the company network. Clearly, by Microsoft's own admission, it's possible to get at source code via this route, and it's likely that it's also possible to change that code. Otherwise why, in the words of the WSJ, was Microsoft "checking to ensure that the hackers didn't alter some of the company's commercial software"?
Despite the 'we are in control' noises now coming out of Redmond, it looks like an inherently leaky system that could easily have supported a major source code escape. If it didn't, Microsoft surely has to put it down more to luck than security. ®
MS hacked! Russian mafia swipes WinME source?