Slashdot Mirror


The Impact on Open Source of Stolen Microsoft Code

Cabal writes: "I recently came across this article on Linux Journal. It discusses some of the more interesting legal ramifications of the theft of Microsoft's source code that I hadn't even thought of and its effect on open-source projects. Basically, it's saying don't go near any code claiming to be stolen from MS, and with good reason, including quotations from the Samba project. Check it out, it's a good read."

109 of 388 comments

  1. Re:Microsoft failed to take proper care by jetson123 · · Score: 2
    The police have a finite amount of resources for tracking criminals and they can't track down every criminal, and there are many crimes where they don't do much more than take a report (as you would find out if your car did get stolen).

    Computer crime investigations can be expensive. Let's say we are spending $XXX on trying to find whoever broke into Microsoft's system. Who are they likely going to find? A couple of high school students with no special skills: they apparently used a well-known exploit.

    That money could have gone to catching some violent criminal, or helping people with drug rehabilitation, or any of a number of purposes that would improve the lives of thousands of people.

    On the list of social priorities, the crime that has been committed against Microsoft is very low: it has virtually no consequences to anyone (other than Microsoft's PR and marketing), and the people who perpetrated it are unlikely to be a threat to anyone.

    Sure you can do something about [being held at gunpoint]; you can carry a weapon yourself.

    You can't realistically defend yourself with a gun against someone who is reasonably skilled with a gun; if you try, you assume a huge risk. Defending yourself against an E-mail virus, however, exposes you to no risk at all and has almost no cost.

    And that's the reason why I would like to see our police going out on the streets tracking down gun toting criminals. OTOH, tracking down some "script kiddies" won't make my life or anybody else's life any safer. It won't even restore anything to Microsoft. All it does is waste a lot of money that could have been spent better.

    A crime has been committed, and Microsoft has both ethical and legal claims. If they can prove that stolen code was used in someone else's project, they will win in court.

    Whether Microsoft can claim IP once in court is an entirely separate issue from whether the police or legal system should make any significant effort in tracking down the people who broke in.

    However, while it is popular in some circles to try to invent new forms of IP protection, reality is that it's not clear they actually have much IP protection. There are really only four major forms of IP: copyrights, patents, trade secrets, and trademarks. Only trade secrets would seem to apply here (possibly copyrights, but they don't contaminate). And the legal reality is that trade secrets need to be protected carefully in order to receive any legal protection.

  2. It's an interesting theory. by torpor · · Score: 3

    But what about the flipside of this.

    Would it be at all feasible, from a law perspective, to counter-sue Microsoft for *NEGLIGENCE* in protecting their so-called trade secrets?

    Wouldn't it be possible to make the argument that since Microsoft *allowed* the source code to get out into the public domain, they are responsible for their own mess, and thus use that as a basis to dismiss any court cases that would be enacted based on this conspiracy theory?

    It seems to me that this argument could be made fairly strongly - as is the case with trademarks - if you do not protect it, you do not deserve the right to exclusivity, and thus there would be no basis for damages should the code be 'used' elsewhere?

    Can anyone with a strong legal background comment on the feasibility of this issue? It would seem to me that something like this could be argued in any case against Microsoft for this purpose.

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    1. Re:It's an interesting theory. by RandomPeon · · Score: 2

      My attorney informed me you are probably correct, as far as the trade secrecy of the source codes. A trade secret is valid only as long as it is secret - you are responsible for taking precautions to protect trade secrets commensurate with their value. Given the value of the MS source code, it would seem that a "commensurate protection" would be to leave it totally off the net - on machines physically not connected to anything else.
      Of course, the code is still copyrighted, but you have fair use exemptions, specifically research, to argue about there.

      This is NOT sound legal advice, it was given to me off the cuff by a lawyer who gave up IP work a couple years back. Still worth a thought.

  3. Re:How can you know? by Ralph+Wiggam · · Score: 2

    No, they probably wouldn't write, "Hey Dudes, check this out! This is M$ Office Source Code!". They would most likely write, "Hey Dudez, check this out! This is M$ Office Source Code!". Actually, they would probably capitalize every other letter, too. I was into the warez scene right around the time the Win95 betas were coming out (I was 14 and stupid). Those kids don't have an ounce of subtlety in their bodies.
    Besides that, anyone who is a good enough programmer to contribute to any serious OSS project should be a good enough programmer to recognize code from an MS product (the fact that it's bloated and sucks should be a hint). Also, code posted with no license whatsoever should be pretty suspect.

    -B

  4. I had a similar thought last night... by lythander · · Score: 2

    But I see far more far-reaching impact on any open source project that seeks to integrate with MS products. Anything that succeeds must have come from the stolen IP! Sue everyone who might be involved with such products and force them to defend themselves in court and prove they never saw the code. (Oh, I forgot, you cannot prove a negative.)

    Oh, yeah, and we heard about this days after it was announced that Excel and Word 2000 now work in WINE. Very interesting...

    I have said often that if I could just get Outlook to run in linux, I'd have no use for an MS OS. Guess someone overheard.

  5. Re:Plan by Chalst · · Score: 2

    The GPL defends its software development model using copyright law,
    whilst the MS defence is based on trade secrets. Utterly incomparable
    from the legal point of view.

  6. Re:Why you'll never see their source in the wild.. by weave · · Score: 2
    Banks don't run Microsoft products.

    Not true. For example, a system that runs on a mainframe is accessed via a tn3270 program running under Windows NT. Hack that and you can install a keyboard sniffer and remote control app and get everything you need to get into that non-Microsoft system that the bank runs...

  7. Re:How can you know? by erotus · · Score: 2

    "It might be difficult to know for an OSS maintainer that a contribution to his software does not come from M$ stolen code....It won't be as simple as it looks."

    I agree. There will be open source types who will use this code in a project regardless and in the end it will hurt us because Microsoft will have access to the OSS source code of that project. The maintainer, on the other hand, may not have access to MS source code and won't know the difference until it's too late. So, should the maintainer get the illegal MS code to check against software submitted, or should he sit blindly and assume the programmer submitting code is honest? This is a serious catch-22 here and it makes you wonder if there is a conspiracy behind the "stolen" code. Either way, OSS programmers have to be on red alert. A serious can of worms has been opened here and it could impact projects like SAMBA, WINE, or Win4Lin. Programmers of the aforementioned projects need to be cautious of anyone submitting a reverse engineering breakthrough of a Windows API.

    I do want these projects to succeed by any means, however, the use of MS code will come back and bite them in the butt if they are not careful. Many of anti-MS types were happy that MS got cracked, but I have mixed feelings. The timing of the crack is too perfect - Samba TNG was formed recently which promises to implement primary domain controller type services. Could Microsoft be planning evil or is this coincidence? If you do find the code, be very careful and be smart. As much as I'd like these guys to look at the code, laugh at the bugs, and reverse engineer it, cheating will only cheat the users of free software somewhere down the line. MS has enough money to file some serious lawsuits against people they feel have used their code and in the end good projects like WINE or SAMBA will be forced underground.

  8. All paranoia! by patreides · · Score: 2

    I hate Microsoft as much as the next Linux geek, but they're not just a huge group of millionaires sitting around plotting how to destroy Linux. They would not let someone steal their source code in such a risky venture just to shut down a few MS-related projects like Samba, WINE, and maybe AbiWord. It would turn them into who they hate most: people who give away their source.

    --
    # debian/rules
  9. Well, DUH by MustardMan · · Score: 3

    Forget the legal ramifications... using microsoft code in an Open Source and/or Free Software project would be like building your house out of straw when you get free bricks and know the Big Bad Wolf is on his way.

  10. stolen items include by joe+user+jr · · Score: 5

    1. Bill Gates' credit card details
    2. Source code for Bob
    3. Cheat list for Solitaire
    4. Online application form for donations from the Bill and Melinda foundation
    5. Wish list for enhancements to MS-DOS 3.3
    6. Complete set of MP3s of Steve Ballmer rocking out
    7. Original code for Linux
    8. Discarded Office Assistants including Penfield the crazy Judge and Linus the toad
    9. Contents of Bill's desktop trash folders for the last five years
    10. Contact details for Bill's personal stylist

    ... if the register is to be believed..

    --
    .sigs: Just Say No!
  11. Do we know what actually happened yet? by anita · · Score: 2

    The reports I've seen say code may have been stolen. They say that the Qaz trojan may have been the way the crackers gained entry.

    But I've heard/read nothing definitive. The whole thing screams 'inside job' to this clueless luser.

    For easy karma, does anyone have facts?
    For example, how did the crackers get around the (OpenBSD?) firewalls?

    --
    internet mail:anita548:aol.com ICQ#:74734566
    1. Re:Do we know what actually happened yet? by thetzar · · Score: 2

      According to the news reports I read, the email trojan gave the crackers passwords for access to MS code meant for employees working off-site. The crackers then proceeded to act as off-site workers and d/led the code (maybe).

  12. Re: Big Bad MS Lawyers by doublem · · Score: 2

    The trial isn't over yet. It will probably be drawn out for years to come. M$ will lose in some courts, the DOJ in others. No one will "Win" or "Lose" the trial until the Supreme Court hears or refuses to hear it, or one side gives up on further appeals.

    Even if M$ were to lose, it would still take another three to ten years to split them up.

    As for the whole "$$$ for the better lawyer" story, what do you think has been the major problem for the DECSS case? Judges who don't get it and lawyers who can talk circles around the truth.

    There are plenty of cases where a criminal went free because of the quality of their lawyers. Standard Oil was bigger and badder than M$ can ever dream of being and made Bill Gates look like a Saint. It took years to even touch them, but not until JDR's personal fortune was 2% of the entire US Economy.

    The "Teflon Don" escaped justice time and time again, and OJ walked away a free man.

    These are all because of lawyers and the US legal system. It has nothing to do with what is right and wrong, but who has the best legal team. Anyone who really thinks the "truth will set you free" or that anything other than money runs the nation is a sad individual with no concept of reality who might as well believe in Santa Claus.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  13. Re:The difference between plagiarism and knowledge by radja · · Score: 2

    and your friend reading your book is copyright infringement.. yuk.. there should be laws against that.

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  14. Contamination Overblown. by istartedi · · Score: 2

    I don't buy that whole "contamination" thing. If contamination exists then: anybody who's ever used MFC is contaminated, because it comes with proprietary MS source code. Conversely, anybody who's ever patched gcc is a GPL violator unless they release all their work under the GPL.

    Unless Open Source projects start showing up with large swaths of code containing things like DWORD and LPVOID, I don't see how MS could prove anything.

    Oh no! I've just released the secret of DWORD and LPVOID! I'm doomed!!!

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  15. Microsoft failed to take proper care by jetson123 · · Score: 4
    This whole incident looks almost like a publicity and PR stunt. Microsoft seems to have succeeded at two things.
    • First, they have created the impression that Windows source code actually has significant commercial value. That's, of course, nonsense. The only reason Windows source code is valuable is because of Microsoft's market position and commitment to enhancing it, not because there is anything intrinsically clever about it.

    • Second, Microsoft seem to have gotten people to believe that being infected by an E-mail virus is kind of like being the victim of a robbery at gunpoint--something they can't do anything about. That's, of course, nonsense, too. It would have been very easy for them to protect themselves from this kind of threat. Susceptibility to this kind of threat is a defect in Microsoft products (other products and systems have defects, too, but the issue is who Microsoft blames for their defects, not the existence of defects in other products).

    Microsoft has to take reasonable care in protecting valuable trade secrets. It is clear that they haven't. Even if they believe that their E-mail client has sufficient security, if they believe their source code is as valuable as it is, it should reside on a more protected part of the network. Microsoft is merely trying to avoid responsibility for their product defects and for their poor security policies.

    It is an outrage that the taxpayer now even has to foot the bill for trying to track down people who took advantage of security defects in Microsoft products. That would be like GM selling cars with no locks and then claiming it's the taxpayer's responsibility to find all the stolen cars.

    It is still good advice for open source projects to stay away from any Microsoft source, legally or illegally obtained. But don't get suckered into believing that Microsoft has any ethical claims: they were negligent. And, objectively, they ought not to have any hope of legal success either--they should fix their products instead and stop shifting the cost of their defective products onto law enforcement and, ultimately, the taxpayer. As long as they can get away with shifting cost and responsibility onto others, they will have no economic incentives to fix their software or procedures.

    1. Re:Microsoft failed to take proper care by Pig+Hogger · · Score: 2
      It is an outrage that the taxpayer now even has to foot the bill for trying to track down people who took advantage of security defects in Microsoft products. That would be like GM selling cars with no locks and then claiming it's the taxpayer's responsibility to find all the stolen cars.


      It's not an outrage, it's just good ole plain business as usual, sucking up for corporate welfare.

      For years, GM shifted the deadly burden of its blatantly unsafe cars onto the back of "bad drivership" and "poor road design", until they were exposed as the frauds they are.

      --
      Americans are bred for stupidity.

    2. Re:Microsoft failed to take proper care by micromoog · · Score: 2
      I've been biting my tongue on most of the other biased leaps of logic I've seen thus far in this thread, but this is ridiculous.

      Microsoft seem to have gotten people to believe that being infected by an E-mail virus is kind of like being the victim of a robbery at gunpoint--something they can't do anything about.

      Sure you can do something about that; you can carry a weapon yourself. Does this mean when you go to the tax-salaried police about it, you should be turned away for your lack of responsibility?

      That would be like GM selling cars with no locks and then claiming it's the taxpayer's responsibility to find all the stolen cars.

      Again, your leap in logic astounds me. GM doesn't sell cars without locks, but plenty of people don't lock their cars, and some of these unlocked cars become stolen. Taxpayer money goes towards tracking these stolen unlocked cars, and rightfully so . . . Whatever the circumstance, the criminal carries 100% of the responsibility for any crime, the victim 0%.

      Regardless of your opinions about the practices of the victim or the quality of the property, this is theft. A crime has been committed, and Microsoft has both ethical and legal claims. If they can prove that stolen code was used in someone else's project, they will win in court. Not because they're Microsoft, or the judge is stupid, but because they are the victim of a crime.

    3. Re:Microsoft failed to take proper care by jetson123 · · Score: 2

      Well, CNN, Fox, and other certainly picked it up. But Microsoft went to the FBI, and Microsoft keeps claiming that there is nothing wrong with the way their clients handle attachments and scripting. They could have kept quiet, or, even better, they could have said "oops, we made a mistake; we are going to fix our software, and here is what you should do to avoid the same problem".

  16. Re:FJLSDJFKS:LJ by Yardley · · Score: 2

    Nobody stole any Microsoft code. Microsoft staged the break-in to create a perception of greater value in their product & to get certain anti-hacker legislation shuttled through Congress (which will help them yield greater control over their product after you've bought it & to fight against open source software's necessity to reverse engineer their proprietary standards and publish security exploits). The Microsoft staged break-in also helps to bolster their image as a victim, rather than the perpetrator.

    Be certain: these events did not transpire without a reason. Microsoft wants to control your computing experience from the ground up and will do whatever it can do to further that end.

    --
    He lives in a world where those who do not run the client software of the omnipresent meme are unacceptable.
  17. Re:If windows source is released, by maunleon · · Score: 2

    Please!

    Assumption is the mother of all fuckups. Have you ever seen the Microsoft source code?

    And... have you never seen open source code that is beyond crap?

    Just because you can't read it, it doesn't mean it's badly written. Try seeing an implementation of a COM subsystem that is easy to read.

  18. Re:Hacking the old IBM PC by drsoran · · Score: 2

    I tend to believe the AC since they are generally people who fear repercussions from what they post here, be it from their employer, future employers, or the community. Thankfully there is still the AC account available for these courageous souls to use to get this information out there.. otherwise it would be hidden in the closets of corporate america along with everything else.

  19. Re:Plan by Coward,+Anonymous · · Score: 2

    Or, say, someone emails some of this code to the kernel mailing list directly. Now, nearly the entire team of Linux developers, among other projects, has seen the 'forbidden source'. IANAL, but MSFT could possibly use the fact that they saw the 'forbidden source' as justification that they're now privy to MSFT's proprietary software models. They may use this fact to either sue future developers, or inhibit future development of such projects.

    If you emailed the linux source code to the Windows developers at MS, I don't think you could prevent them from working on proprietary software even if you could prove that they saw GPL'd code, so I don't think MS can prevent you from working on free software just because you saw proprietary code.

  20. Not funny. by NuclearArchaeologist · · Score: 2

    What if M$ decides to copy a chunk of GPL'd code and claim it was part of the super secret stolen source? Would anyone believe such a forgery?

  21. Re:How can you know? by kevlar · · Score: 2
    Also I think at the current moment with the nature of the OSS movement if legal action was taken against the project someone would carry on the project after it has had an injunction against it etc.. I mean just look at DeCSS code that has been distributed so many ways. ie this


    How many software distributions are there that publish DeCSS? None.

    The catch to the MS stuff is that if Samba were to get MS' code, they'd most likely obfuscate it in such a way that it'd be hard to prove it legally. As for MS' intellectual property rights, I say screw them. They're a monopoly; they thrive on not allowing other systems to network easily with them.

  22. Re:Let me get this straight... by fluxrad · · Score: 2

    Then, it seems to me that a way around this, if you mistakenly or intentionally saw some of this mysterious M$ source, would be to go to M$ and sign an NDA. Basically admitting that you saw it, but that you have just said, legally, that you won't use it.

    Anyone? Anyone?


    FluX
    After 16 years, MTV has finally completed its deevolution into the shiny things network

    --
    "It is seldom that liberty of any kind is lost all at once." -David Hume
  23. No evil plot - they're scared shitless by Anonymous Coward · · Score: 2
    Yeah, they don't want anyone reading that code. You know why? It's got stuff in there that breaks competitor's products. Stuff that would look really BAD in light of their DOJ troubles. Maybe they don't know just how much was taken, and what it reveals, which is giving them a case of the shits. They probably pray that nobody could really make heads or tails of it. AH but those friggin' Free Software hacker types could figure it out and they'd know the dirty tricks we put in our code. Yeah, that ESR guy could figure it out, and he could publish another one of those Halloween documents. Yikes, what's today's date??? Only two more days!

    We gotta make sure nobody looks at that code, especially those hackers. I mean, they're smart, they'd know what we were doing. Threaten to sue all of them? No, that would look bad, we've got enough bad press already. How about this: let's scare them into not looking at it. Spread the word that even looking at this code would threaten their ability to work on any free software projects in the future. That should scare anybody smart enough to figure what's in there.

  24. DeCSS has been posted by isorox · · Score: 3

    Every time anything to do with DeCSS is posted on /., a load of +5 informative posts pop up with the code. Slashdot refuses to take them off.

    If someone decided to post some key code to windows here, would it be kept on the server? How many nanoseconds would it take before 200,000 lawyers shut the site down?

    How far will slashdot go?

  25. What If The Tables Are Turned? by R-2-RO · · Score: 3

    Just a random thought that popped in my head, but what if it turned out that GPL'd code was found in Microsoft's source code?

    Maybe their 'innovative' re-invention of symlinks and mapping drives to directories was based on GPL'd code.

    Prolly not, but I say it was just a random thought I had. :P

    --
    Thank you. Drive through. (:wq)
    1. Re:What If The Tables Are Turned? by Trepalium · · Score: 5
      This is almost certainly already the case. It's just a matter of what and where. Bug fixes and exploits on the BSD TCP/IP stack revealed that NT essentially used BSD's TCP/IP logic (if not the code). But I haven't seen many dialogs in Windows saying "portions of this product are owned by the Regents of UC Berkeley".
      How about this. The following text appears in the program code for Windows 9x FTP.EXE:

      @(#) Copyright (c) 1983 The Regents of the University of California.
      All rights reserved.

      There's no way to generate this string from running the executable itself; it's only viewable in a hex editor.

      --
      I used up all my sick days, so I'm calling in dead.
    2. Re:What If The Tables Are Turned? by iankerickson · · Score: 2

      This is almost certainly already the case. It's just a matter of what and where. Bug fixes and exploits on the BSD TCP/IP stack revealed that NT essentially used BSD's TCP/IP logic (if not the code). But I haven't seen many dialogs in Windows saying "portions of this product are owned by the Regents of UC Berkeley".

      That doesn't mean you'll find the code from BSD lifted wholesale in there, but a search of the Windows or NT source would probably turn up a little intellectual property theft.

      Besides the network code, I'd look at the "Compress" attribute for files, the PostScript drivers, the POSIX "compatibility" sub-system, IIS, Internet Explorer (since it's based on the Spyglass browser), ftp client, telnet, and some of the networking services (DHCP, RCP). You all could probably name other likely candidates for GNU/BSD code lifts.

      Of course Windows Me has its particular code tree, so who knows what's there. There was also the mass exodus of Apple programmers to Microsoft in the 90s. So if you developed at Apple in the last 15 years, you might be able to find some of your own work in the source for various Microsoft products. Remember "Video for Windows"?

      Not that other companies don't do this too. Apple's Disk Copy utility makes disk images which are basically tar balls. Probably a little borrowing there, but it's convenient if you run Linux on your Macintosh.

      --
      Democracy. Whiskey. Sexy. Pick any two.
    3. Re:What If The Tables Are Turned? by gTsiros · · Score: 2

      I like the "1983" part best.

      --
      Looking for people to chat about multicopters, coding, music. skype: gtsiros
    4. Re:What If The Tables Are Turned? by dodobh · · Score: 2

      Mount the windows drive under a unix system (or copy the file to a unix system, or get strings ported to windows), and then run strings on it.

      --
      I can throw myself at the ground, and miss.
    5. Re:What If The Tables Are Turned? by ddstreet · · Score: 2

      %mount /c
      %cd /c/winnt/system32/dllcache
      %strings -a -f * | grep "Copyright " | grep -v Microsoft

      asycfilt.dll: Copyright (C) 1995, Thomas G. Lane
      avicap.dll: Copyright
      avifile.dll: Copyright
      commdlg.dll: Copyright
      compobj.dll: Copyright
      ctl3dv2.dll: Copyright
      ddeml.dll: Copyright
      dmadmin.exe: 2.70 Copyright (C) NEC Corporation 1985,1995
      dmio.sys: Copyright (C) 1996 VERITAS Software Corporation. ALL RIGHTS RESERVED.
      dosapp.fon: Copyright
      drwatson.exe: Copyright
      dxmasf.dll: Copyright (C) 1996, Thomas G. Lane
      dxtmsft3.dll: Copyright (C) 1996, Thomas G. Lane
      finger.exe: @(#) Copyright (c) 1980 The Regents of the University of California.
      fontext.dll: Copyright 1988-1991 Adobe Systems Inc.
      ftp.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
      gdi.exe: Copyright
      gpkrsrc.dll: Copyright (c)1996 VeriSign, Inc. All Rights
      gpkrsrc.dll: This certificate incorporates by reference, and its use is strictly subject to, the VeriSign Certification Practice Statement (CPS), available at: https://www.verisign.com/CPS-1.0; by E-mail at CPS-requests@verisign.com; or by mail at VeriSign, Inc., 2593 Coast Ave., Mountain View, CA 94043 USA Tel. +1 (415) 961-8830 Copyright (c) 1996 VeriSign, Inc. All Rights Reserved. CERTAIN WARRANTIES DISCLAIMED and LIABILITY LIMITED
      gpkrsrc.dll: This certificate incorporates by reference, and its use is strictly subject to, the VeriSign Certification Practice Statement (CPS), available at: https://www.verisign.com/CPS; by E-mail at CPS-requests@verisign.com; or by mail at VeriSign, Inc., 2593 Coast Ave., Mountain View, CA 94043 USA Tel. +1 (415) 961-8830 Copyright (c) 1996 VeriSign, Inc. All Rights Reserved. CERTAIN WARRANTIES DISCLAIMED and LIABILITY LIMITED.S
      h261_32.ax: Copyright
      h263_32.ax: Copyright
      infosoft.dll: Copyright [c] 1995 INSO Corporation
      keyboard.drv: Copyright
      krnl386.exe: Copyright
      lzexpand.dll: Copyright
      mciavi.drv: Copyright
      mciole16.dll: Copyright
      mciseq.drv: Copyright
      mciwave.drv: Copyright
      mei32api.dll: (C) Copyright IBM Corp. 1992, 1995
      mei32api.dll: (C) Copyright IBM Corp. 1993
      micross.ttf: Copyright
      micross.ttf: USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
      mmsystem.dll: Copyright
      mmtask.tsk: Copyright
      modern.fon: Copyright
      mouse.drv: Copyright
      msacm.dll: Copyright
      msawt.dll: Copyright (C) 1995, Thomas G. Lane
      msihnd.dll: Copyright (C) 1996, Thomas G. Lane
      msttssyn.dll: (c) Copyright 1993-1997
      msvideo.dll: Copyright
      mwblw32.dll: (C) Copyright IBM Corp. 1997 all rights reserved. US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
      mwcnam32.dll: Mwave Software. (c) Copyright IBM Corp. 1994-1997. All Rights Reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Licensed Material - Property of IBM.
      mwcpyrt.exe: IBM Copyright Notice
      mwrcov16.exe: Borland C++ - Copyright 1994 Borland Intl.
      mwwtt32.dll: (C) Copyright IBM Corp. 1994 to 1997 all rights reserved. US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
      netapi.dll: Copyright
      nslookup.exe: @(#) Copyright (c) 1985,1989 Regents of the University of California.
      ntvdm.exe: (C)Copyright Insignia Solutions Inc. 1987-1992
      ntvdm.exe: 1.2 5/24/91 Copyright Insignia Solutions Ltd.
      offfilt.dll: inflate 1.0.4 Copyright 1995-1996 Mark Adler
      ole2.dll: Copyright
      ole2disp.dll: Copyright
      ole2nls.dll: Copyright
      olecli.dll: Copyright
      olesvr.dll: Copyright
      os2.exe: Copyright (C) Rational Systems, Inc.
      pax.exe: Copyright (c) 1989 Mark H. Colburn.
      pax.exe: Copyright (c) 1989 Mark H. Colburn.
      pmspl.dll: Copyright
      pngfilt.dll: i inflate 1.0.4 Copyright 1995-1996 Mark Adler
      rcp.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
      rsh.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
      script.fon: Copyright
      shdoclc.dll: Unix version contains software licensed from Mainsoft Corporation. Copyright (c) 1998-1999 Mainsoft Corporation. All rights reserved. Mainsoft is a trademark of Mainsoft Corporation.
      shell.dll: Copyright
      sound.drv: Copyright
      spcmdcon.sys: 2.70 Copyright (C) NEC Corporation 1985,1995
      storage.dll: Copyright
      sysedit.exe: Copyright
      sysedit.exe: Copyright
      system.drv: Copyright
      tahoma.ttf: USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
      tahomabd.ttf: USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
      tapi.dll: Copyright
      tcarc.sys: Thomas-Conrad ARCNET/TCNS Miniport Driver for NDIS 3.0, (C) Copyright 1990-94 Thomas-Conrad, Inc., All Rights Reserved, 1.10.0.0(950620)
      thumbvw.dll: Copyright (C) 1996, Thomas G. Lane
      timer.drv: Copyright
      toolhelp.dll: Copyright
      typelib.dll: Copyright
      user.exe: Copyright
      ver.dll: Copyright
      vga.drv: Copyright
      vgaoem.fon: (c) Copyright Bitstream Inc. 1984. All rights reserved.
      vgaoem.fon: (c) Copyright Bitstream Inc. 1984. All rights reserved.
      vgaoem.fon: Copyright
      vgx.dll: 4,f deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
      vgx.dll: f,f inflate 1.1.3 Copyright 1995-1998 Mark Adler
      webvw.dll: Copyright (c) 1998 Hewlett-Packard Company
      webvw.dll: Copyright (c) 1998 Hewlett-Packard Company
      wfwnet.drv: Copyright
      wifeman.dll: Copyright
      winhelp.exe: Copyright
      winhelp.exe: Copyright
      winnls.dll: Copyright
      winsock.dll: Copyright
      winspool.exe: Copyright
      wow32.dll: RQuickBooks for Windows Version 2. Copyright 1993 Intuit Inc. All rights reserved.
      wowdeb.exe: Copyright
      wowexec.exe: Copyright
      xenroll.dll: USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
      xiffr3_0.dll: Copyright (C) 1995, Thomas G. Lane
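
The list above is the kind of output a `strings`-style scan produces: every printable run in a shipped binary that looks like a copyright or licence notice, keyed by file name. As an added example that is not part of the original post, the following Python script performs the same scan offline. It extracts both plain ASCII and UTF-16LE strings (Windows binaries carry notices in both encodings), filters them for notice markers, and reports them in the same `file: notice` form. The `SAMPLE` blob and the `sample.dll` name are constructed for the demonstration; `scan_tree` is what you would point at a real directory.

```python
import re
from pathlib import Path

# Markers that identify a copyright or licence notice inside an extracted string.
NOTICE_RE = re.compile(r'(copyright|\(c\)|licensed|all rights reserved)', re.IGNORECASE)
# Printable ASCII runs of 8+ bytes, and UTF-16LE runs of 8+ printable code units.
ASCII_RE = re.compile(rb'[\x20-\x7e]{8,}')
UTF16_RE = re.compile(rb'(?:[\x20-\x7e]\x00){8,}')


def extract_strings(data: bytes):
    """Yield printable ASCII and UTF-16LE strings found in a binary blob."""
    for m in ASCII_RE.finditer(data):
        yield m.group().decode('ascii')
    for m in UTF16_RE.finditer(data):
        yield m.group().decode('utf-16-le')


def find_notices(data: bytes):
    """Return distinct copyright/licence strings in order of first appearance."""
    found = []
    for s in extract_strings(data):
        s = s.strip()
        if NOTICE_RE.search(s) and s not in found:
            found.append(s)
    return found


def scan_tree(root):
    """Walk a directory and list notices per file as 'name: notice' lines."""
    report = []
    for path in sorted(Path(root).rglob('*')):
        if path.is_file():
            for notice in find_notices(path.read_bytes()):
                report.append(f"{path.name}: {notice}")
    return report


# Constructed sample blob (assumption, not a real binary): an MZ header,
# an ASCII notice, some control-byte noise, a UTF-16LE notice and an
# unrelated string that must not be reported.
SAMPLE = (
    b'MZ\x90\x00' + b'\x00' * 16
    + b'inflate 1.0.4 Copyright 1995-1996 Mark Adler\x00'
    + bytes(range(0, 32))
    + 'Copyright (C) 1996, Thomas G. Lane'.encode('utf-16-le') + b'\x00\x00'
    + b'unrelated text string here\x00'
)

if __name__ == '__main__':
    for notice in find_notices(SAMPLE):
        print('sample.dll:', notice)
```

A notice string proves only that third-party code (here the zlib and IJG JPEG libraries) is compiled into the file, not under which terms it was obtained; confirming that requires the licence text and the vendor's own records, which a string scan cannot supply.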

  26. Re:An interesting reversal of fortunes. by Wellspring · · Score: 5

    To be honest, I had this smug feeling about the whole deal until I read the article. This is really an unfortunate situation. More importantly, it touches all of us, since anyone who tries to reverse engineer an API from MS is going to get painted with the haxor brush. The MS code isn't even that good. I only hope that they don't use this as an excuse to begin a litigious assault on the Open Source movement. Sustained lawsuits attacking key applications will slow development, and could influence virtually everything we do.

    One thing this means for us is this: concentrate in your source trees, now more than ever, on modularity. Any time a chunk of code becomes suspect, we should be able to isolate and replace it until the dispute is resolved.

    On another note, it would probably be a good idea for people in the Open Source community to alert the FBI to anything we might hear about who may be responsible for this. While I don't like MS, the courts will punish them for their monopoly, and the marketplace will punish them for their closed-source methodology. To not assist wherever appropriate will leave us open to accusations that our community is filled with criminals and warez d00dz.

    Besides, the sooner this is put to rest, the sooner we can dispel the myth that MS source code is actually valuable in the first place...

  27. I don't know.... by ToddN · · Score: 2
    Warnings that even viewing MS source could damage the Open Source movement.

    Am I being paranoid^H^H^H^H^H^H^H^Hconcerned that MS's "theft" could be their carefully orchestrated, poorly disguised effort to discredit/destroy Open Source through oppressive application of litigation?

    1. Re:I don't know.... by WindowsTroll · · Score: 2

      I don't see the benefit to Microsoft for orchestrating this theft.

      Since the theft has occurred and is in public, it brings to light a lot of questions regarding the security of NT (I'm assuming that their servers are NT). A MS loss.

      If Microsoft says that they are using *nix servers to discredit *nix hackers, then it is basically an open admission that *nix is a better server solution than NT. Again, a MS loss.

      Oppressive application of litigation? They would only be able to go against the perpetrators of the crime and anyone using the stolen code. The rule of thumb for /.ers and anyone else is to stay away from the code.

      Discredit Open Source? MS surely sees Open Source as a threat to their business model, but to pull a stunt to discredit open source is a bad PR campaign. A few years ago, Open Source did not have respect or legitimacy from the "corporate" community, but with IBM throwing some muscle behind Open Source, it now has legitimacy from the business community. Forget the arguments regarding Open Source code being rock solid and around for a long time, the historical perception of Open Source - from the perspective of the "corporate" community - is that it was just a bunch of software hacked out by every Tom, Dick and Harry. Now that some big corporate players are getting behind Open Source, it is only beginning to see widespread respectability from the suits.

      --
      "Microsoft has made computing accessible to a population who would otherwise not be able to use computers" - B. Kernigha
    2. Re:I don't know.... by Frac · · Score: 2
      Am I being paranoid^H^H^H^H^H^H^H^Hconcerned that MS's "theft" could be their carefully orchestrated, poorly disguised effort to discredit/destroy Open Source through oppressive application of litigation?

      ssshhhh. What was that sound?

    3. Re:I don't know.... by Andrew+Dvorak · · Score: 3

      Exactly, the benefits of implementing gpf-like functionality (better crash-dialog functionality) into kde or, for the gnome folk, gnome.

      Seriously, though, I know not what the true story is, but I'm sure there are many reasons Microsoft might execute such, and infinitely many reasons why they would not have. And, by the way, we don't even know what, if, or exactly how much code was stolen.

      Maybe this is another case of a hard drive being misplaced behind a copy machine, anyways.

      Microsoft has invested MANY millions of dollars into their software -- something they obviously don't want to lose -- against your theory. With all the funky legal stuff going on in recent years, I must say if Microsoft hasn't used this vehicle, you are first, in my book, to give ideas to those who will ;-)


    4. Re:I don't know.... by hanway · · Score: 2

      Apple's source code was stolen years ago, and somehow free software managed to flourish, untainted. A few months from now, this will be completely forgotten. So, yes, you're being paranoid.

  28. OK to look at code -- MS has screwed itself by ahaile · · Score: 5
    It's been interesting to watch MS change the story about the hack. Every day, it becomes less severe:
    • first, it lasted three months, and there was talk that not only was source downloaded, but it might have been modified
    • then, it was for six weeks, and MS was sure that no source was modified
    • now, it was only one week, and source was only "viewed", not downloaded, and to a minor "future product" at that.

    What's going on? Well, it seems like MS's PR department has been working hard to downplay the attack. Notice how the informant shifts over time from an unnamed "Microsoft engineer" to Balmer to MS's "corporate security officer." I assume that what happened went like this: 1) a mid-level MS engineer leaked the real story to the press, 2) PR (Balmer) stepped in for damage control, and finally 3) PR propped up a puppet with a written script to try and kill the issue.

    The thing is, the strategy may backfire on MS. Now, they can't claim that open source developers are pirating their code. They've already gone on record saying no MS code exists in the wild. Which means that if you happen upon the source to Office, you are free to look at it, since MS has already declared that that code does not exist.

    Heh.

  29. I understand, but.... by r0r0 · · Score: 2

    While I understand the legal issues involved... it still irks me that reading something can get you into trouble. I mean - is it a crime to read? I'll be sure to bring a pair of blinders with me everywhere I go now... I wouldn't want to accidentally read something I shouldn't.

    feh!

  30. Lawyers: a question about "tainting" by ajs · · Score: 2

    So, what happens if someone posts a review of the way MS did, say, real-time prioritization. Clearly the person who wrote this is treading thin ice, and MS will likely go after them.

    On the other hand, does the person who reads this review have any obligation not to use the info? It seems to me that there's no copyright OR trade secret protection for a method that you came across this way. Unless MS has patented the particular method, you SHOULD be free and clear.

    Lawyers? Thoughts?

    I, however, am most interested in just how bad the code is. I'd love to look at it, not because I think they have any good ideas, but because I want some humor in my life ;-)

  31. Re:Let me get this straight... by Drath · · Score: 2

    Wait... so that would make working for Microsoft the equivalent of an Actor's inability to get legit roles after working in Stag films... I knew it all along...

  32. Re:Here I am being paranoid... by daevt · · Score: 2

    I'm sure that the people who are working on the wine project can show tarballs of source code going farther back than microsoft could. It doesn't matter anyways, if they can show the source from four months ago (one month before MS got cracked) then they can prove beyond any doubt that they aren't receiving stolen code in any way shape or form and then also that MS is trying to sabotage them, that's not only an unfair business practice, but I doubt that the FBI likes it when big brother cries wolf...

  33. An interesting reversal of fortunes. by electricmonk · · Score: 4

    It is hard to imagine that something that could look so good on the surface (Microsoft getting totally 0wned) could be so bad for the Free Software Movement. Now potentially any open source project that has anything to do with Microsoft interoperability is open to a law suit. At the very least, it will make accepting contributed code into the CVS tree more difficult.

    It has been said that one of the fundamental damages that security breaches cause is not only the loss of data, but the loss of the integrity of data. It is unfortunate that this loss of integrity has to spread to other victims that have basically nothing to do with Microsoft.

    --
    Friends don't let friends use multiple inheritance.
    1. Re:An interesting reversal of fortunes. by The+Man · · Score: 2
      While I don't like MS, the courts will punish them for their monopoly

      No. It is your job to punish them for their monopoly. The courts have no authority to do so. It's this kind of attitude - expanding and extending the reach of government - that allows Microsoft and others to file spurious and anticompetitive lawsuits against (theoretically) any Free Software project because of this incident. You can't have it both ways.

  34. When did the rules on trade secret change? by Ungrounded+Lightning · · Score: 3

    While I understand the legal issues involved... it still irks me that reading something can get you into trouble.

    Well, I DON'T understand something about this, and the flap surrounding it:

    As I understood it, a trade secret is GONE once the secret is out of the bag. The holder of the secret has an action ONLY against the person who improperly exposed it - either after stealing it, or in violation of a valid confidentiality agreement - and perhaps anyone in collusion with that person. (Collusion would be things like hiring him to steal it, or giving him some benefit in return for a copy you knew to be stolen. Downloading it from an open internet site would not be collusion.)

    Since when is there an action against anyone found using part of a FORMER secret that is now widely distributed? Since when is there NOT a big-time countersuit and other legal grief for anyone who brings such a bogus suit?

    Yes, you can sue anyone for anything. Yes, if you have enough lawyers you can cause anybody a lot of trouble. But you can't just use your money and the court system to make life hell on any random person or company you don't like. You have to have a plausible case. If you knowingly bring a bogus suit you're on the hook big-time - both civilly and (if you're blatant and unpopular enough) criminally.

    Has the deCSS case broken the legal system THAT badly?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  35. More @ Salon by HerrNewton · · Score: 2
    --

    ----
    Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
    1. Re:More @ Salon by Goonie · · Score: 2

      Yeah, I emailed Andrew Leonard about his article. One point that his article really didn't get across is the number of projects that would directly benefit much from the Microsoft source code being available - there's not that many. Samba, Samba/TNG, Wine, perhaps plex86. It would be mildly interesting to many other projects, but there wouldn't be much code that could be used directly.

      --

      Any sufficiently advanced technology is indistinguishable from a rigged demo
      --Andy Finkel (J. Klass?)
  36. Using the same reasoning... by jmv · · Score: 2

    Using the same reasoning, any MS employee who has seen the SAMBA code shouldn't be allowed to work for MS anymore?

    I'm serious. The fact that the source was stolen should not matter. Maybe accessing the MS source code would prevent you from claiming a "clean room implementation", but not from working on OSS at all.

    Just another idea... what if GPL'd code is found in Windows. I'd like MS being sued (by FSF?) over copyright infringement. ...plus it would look bad for them trying to fight OSS developers working on wine/samba/...

  37. How can you know? by mkachan · · Score: 3

    If Microsoft's source code appears in public, downloadable from somewhere or in some other way, most likely they will not write on the page "Hey Dudes, check this out! This is M$ Office Source Code!". Maybe after the water calms down, something will appear in some anonymous way in some projects, in some webpages... It might be difficult to know for an OSS maintainer that a contribution to his software does not come from M$ stolen code. How should a maintainer behave? Should he be paranoid? Should he act "in good faith"? It won't be as simple as it looks.

    1. Re:How can you know? by kevlar · · Score: 2

      Well I think the problem is that a pretty good argument could be made that an OSS project like Samba, could be using the Windows source code to network perfectly with windows boxes.

      They could accuse them of obtaining the stolen source and using the knowledge they learned from it to advance the project.

      As far as I can tell, one lawsuit against a project like this could have the thing shut down. OSS projects don't have too many financial resources to fund a legal battle.

  38. Does this mean... by faeryman · · Score: 2

    ..I can't program an open source GORILLA.BAS for Gnulix?

    *cries*

    --


    ,
    faeryman
  39. Masturbation Scare Tactics Applied to Stolen Sourc by R-2-RO · · Score: 2

    If you read it you'll go blind!!!


    Prolly should of been AC for this one. :P

    --
    Thank you. Drive through. (:wq)
  40. MS == C++, usually by Angst+Badger · · Score: 2
    Considering that most MS code is written in C++, I think it's safe to say that OSS projects written in C and especially other, less common languages probably have less to worry about than OSS projects based primarily on C++. Granted, some MS code is written in C, but not very much these days, and certainly none is written in Perl, Python, Scheme, PHP, Eiffel, ML, Haskell, etc.

    In view of the possibility of OSS being contaminated with closed-source code, the use of a diversity of languages in OSS development is not just a good policy, it may end up affording some legal protection. Not being subject to the same forces of mindless conformity that prevail along the corporate C++/Java/VB axis, we ought to take advantage of it.

    --

    --
    Proud member of the Weirdo-American community.
  41. Re:How would QAZ work by motardo · · Score: 2

    > Its hard to hide 1000 *.c files ;)

    you mean it's hard to hide 1000 *.vb files
    heh

  42. Does the reverse engineering two-step work here? by Jeremi · · Score: 2

    Have someone (say, in Russia) read through the code for 'interesting' insights (such as how their undocumented protocols work, how they break competitors' products, how to work around some horrible bug, etc). That person (who you never talk to directly) then posts this info to a web page. You come along and read the web page. You've never looked at the Microsoft source code, but now you know the things you wanted/needed to know. Can you be held liable for that? I hope not?

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
  43. Re:How would QAZ work by swinge · · Score: 2

    Never attribute to competence that which can be explained by ... what do you mean you doubt they keep the code to W2000 in a folder called W2000? why not? Sure, they've probably got a code name, but once you identify it, it's probably called that on every machine. MS is not some magical kingdom which breaks all the rules. They pull their code on one JLE at a time like everybody else. Do you ROT13 all your folder names? Neither do they.

  44. Let me get this straight... by SmileyBen · · Score: 3

    So they're seriously suggesting that anyone who's ever worked for Microsoft or a licensee is not allowed to work on an Open Source project attempting to mimic functionality ever in their life? That can't be right, and if it is, isn't that a huge threat to individual freedom?

  45. Re:Who's afraid of Big Bad Bill? by kennylives · · Score: 3

    I quite agree, MS, or anyone else for that matter, does not have the resources, manpower etc. to track down every developer or potential developer on projects such as samba, or wine.

    But they don't have to. Just pick one or two high-profile members of the group, and target them. As soon as everyone else in the project finds out what's happening, the project is dead. It may not be possible to eradicate all OSS projects, but a few well-delivered blows could seriously cripple most of the useful stuff out there. Besides, MS would likely only target those things that pose a threat to them. I doubt that they'd go after anyone working on vi, for instance.

    Besides the above constraints, MS would also be constrained by the fear of bad press, consumer/governmental reaction ...

    Question: When has Microsoft ever shown fear of any entity??? This is part of the reason they're perpetually in trouble with DOJ/FTC/etc...

    --

    Where the value of X-Mailer: is the true measure of a man...

  46. Re:trade secrets mean... by Andrew+Cady · · Score: 5
    So when Microsoft carelessly allowed spies to copy their secrets, they lost the trade secret protection, didn't they?
    From the Trademark FAQ, whose authors (unlike me) actually are lawyers:
    A trade secret owner can prevent the following groups of people from copying, using and benefiting from its trade secrets or disclosing them to others without permission:

    [...]

    • people who knowingly obtain trade secrets from people who have no right to disclose them
    • people who learn about a trade secret by accident or mistake, but had reason to know that the information was a protected trade secret,
    [...]

    There is one group of people that cannot be stopped from using information protected under trade secret law. These are people who discover the secret independently, that is, without using illegal means or violating agreements or state laws. [...]

    The question becomes, does an individual who stumbles upon MSFT code have reason to know the information is protected trade secret? In most cases, probably. But then, an anonymous contribution in the form of a diff emailed to the SAMBA project is fair game -- without having seen the MSFT code themselves, SAMBA has no reason to believe it's a trade secret, and thus does not fall under the restrictions of trade secret law. Of course, it may also be protected by copyright, in which case (AFAIK) ignorance is not a valid defense.

    __
  47. Plan by wass · · Score: 5
    I was just reading about this article on LinuxToday, so this scenario of paranoia isn't one I've crafted myself, but it presents some interesting ideas. A few people posted some comments there suggesting that perhaps MSFT itself either stole their own code, or maybe hired someone to steal it for them.

    Sounds strange? Think about the following reasons. We've seen many times previously that MSFT avoids admitting their own mistakes for as long as they possibly can. It takes them awhile to warn the public about known bugs or exploits in their various software products. Yet, in this case of the stolen source, they were seemingly very willing to let the press know about the break-in and apparent theft of the source code.

    Now that it is public knowledge that some MSFT source code has been stolen, imagine what it does for free/open-source development. Because of this, the FSF and other maintainers of free/OSS software now have to take extra measures to ensure that the code is free of any potential influence of the supposed 'stolen code'. This takes time, effort, and will generally serve to slow down the development of open-source software projects. A big 'plus' for MSFT.

    Also, suppose someone posts snippets of the 'Forbidden Source' to various newsgroups, like the public postings of DeCSS and MSFT's kerberos additions to slashdot. Or, say, someone emails some of this code to the kernel mailing list directly. Now, nearly the entire team of linux developers, among other projects, has seen the 'forbidden source'. IANAL, but MSFT could possibly use the fact that they saw the 'forbidden source' as justification that they're now privy to MSFT's proprietary software models. They may use this fact to either sue future developers, or inhibit future development of such projects. Both of these things are bad for OSS/free software, and are good for MSFT.

    This may sound like some grand paranoid conspiracy theory and doomsday scenario, but as someone posted to LinuxToday, "Just because you're paranoid doesn't mean they're NOT out to get you."

    --

    make world, not war

    1. Re:Plan by gotan · · Score: 2

      I'm sorry, but no court could even consider to give MS that big of a lever because of some potentially leaked code:

      I think the old "in dubio pro reo" applies here, so MS would have to prove:
      1) the code(fragment) was really developed by MS before the break in.
      2) the code was stolen from their website during the break in (according to later MS statements it took them only a few minutes to discover the intruder)
      3) the code has been read by a developer
      4) the code could not have been created independently of MS code and is worthy of protection as a trade secret.

      If any court chose to make it too easy for MS anyone could cite this case as a reference and sue MS because some of their developers surely looked at open-source code and chose not to honour the GPL when adapting some functionality to their OS.

      Also this would set an ideal precedent where any software-firm could sue the whole competition by claiming that some of their source code leaked. I think any decent judge would consider these facts before coming to a hasty decision. And even MS lawyers should hesitate to give the competition that big of a weapon if the case is used as a precedence against MS.

      Imagine, just set up a little software business, claim to be hacked and that part of your ingenious solutions crept up in MS programs. If it even permits to temporarily halt MS shipping out products (imagine delaying Windows ME by half a year with such a scheme) the damage would be more than anything MS could gain using this scheme against others.

      --
      "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
    2. Re:Plan by ralphclark · · Score: 2

      The difference between those two scenarios isn't hard to figure out. If they think they can show that you've seen their code, they can stop you writing code. If you think you can show that they've seen your code, you can't do shit.

      It pains me to have to spell it out to you, but Microsoft are powerful and can afford as many lawyers as it takes to get their own way. Because that *is* all it takes, and it's the only thing that will do. Justice has nothing to do with it.

      In the US, corporations own the law. The small guy exists at their sufferance.

      Consciousness is not what it thinks it is
      Thought exists only as an abstraction

  48. Re:This recommendation should be extended by The+Dev · · Score: 2

    Actually, execution is exactly what comes to mind when I run M$ code.

  49. How much of gcc is in msc? by thogard · · Score: 2

    When msc 5.x came out it was a much better compiler than any other that MS had ever developed before. At that point its optimizers actually worked but like most it had a few flaws. Funny thing is that most of the flaws were the same that gcc had.

    Now if someone just had time to prove that some of the code was lifted it could be quite interesting.

  50. And here I thought .... by taniwha · · Score: 2

    that they'd 'stolen' the source code so that people could laugh at it .... (of course it wasn't stolen like a car is stolen - it was copied - information works differently than physical things ...)

  51. Re:Who's afraid of Big Bad Bill? by G+Neric · · Score: 2
    MS would have a very hard time grinding all international free software development to a halt

    Not only that, but even in high profile cases, just seeing source code or even signing an NDA does not disqualify you from working in the same area. Many consultants work for many companies in the same domain. Heck, Microsoft themselves hires engineers away from competitors.

    The opensource/freesoftware worlds are currently dominated by fussy little hairsplitters who have spent far too much time working on their licenses. The licenses are important, don't get me wrong, and somebody needed to work on them. But usually, when your lawyer is done you send him home, because lawyerthink is not the best for running things.

    Also, one should take the caution against knowingly passing illegal copies of anything around, not because the ideas would taint you, but the crime might.

  52. I have (non-MS) sources, am I disqualified? by caveman · · Score: 2

    I have a huge pile of DEC Sources, everything needed to build from scratch a VAX/VMS system (versions 2.0 up to 4.4). I also have piles of technical information and design information for buckets of DEC PDP/11 and VAX hardware. All of the above has been acquired lawfully over the past 20 years.

    Am I therefore prohibited in using my personal knowledge to benefit open source software? Do I have to seek Compaq's permission to release open source software?

    On a wider note, as I work with closed source software all day as part of my normal job, does this also disqualify me participating in OSS projects? I don't think so, because if it did, a lot of people on the linux kernel credits list would be in trouble for a start.

    What if any Microsoft programmers, who have presumably legally seen sources, joined an OSS project? Would Microsoft be able to stop them? The possibility for nasty legal precedents is rather alarming.

  53. How would QAZ work by austad · · Score: 5

    I haven't looked at how QAZ works, but wouldn't it get installed and then listen on some port?

    Doesn't microsoft keep all of their users behind a firewall? If so, QAZ would just be opening a port on the users computer behind the firewall, no one should be able to get in and actually connect to it, there would have to be a hole poked in the firewall for that to happen.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
    1. Re:How would QAZ work by Fred+Ferrigno · · Score: 4

      I believe what happened was that the trojan was pre-programmed to scamper about looking for passwords, then emailed them to an account somewhere. Then the attackers could have used the passwords to log in in the same manner as regular employees for whom there was a hole in the firewall.

      Frankly, I'll be surprised if they got anything more sensitive than a newer build of Whistler.

      --

  54. Re:Open Source or Privacy: choose one by Gogl · · Score: 2

    Pretty cool idea, almost blow-my-mind insightful, although not quite...

    I'm hoping that the problem isn't quite as grim as you portray it. You show it as a very computer "If A, then must not have B" thing going on here..... I'm thinking that it might be possible to balance the two if you add in a third element, something that sooo many people seem to be lacking these days... just a touch of common sense.

    Really, take it on a case-by-case issue. Yes it sometimes sounds good to make huge generalizations and sweeping "always" and "never" statements, but it's often better to look at specific occasions. Examples:

    • Big Brother wants to install telescreens in all rooms of all households, all cars, and all public places (read 1984, but the quickest summary I could give is telescreen=two way television, effectively, or radio at least)... my personal stance on this issue would be on the side of Privacy.
    • Big Brother wants to collect info to accurately be able to tax us in a manner that is fair. I'd side on the side of "Open Source", so to speak.... although "Open Information" might be a better name for it at the level we're talking about it...
    • Company wants to keep source code private.... I'd side on "Privacy", as the company has that right, but also push big time "Open Source/Information" as much as I can for myself and any like-minded people elsewhere in the world, in hopes of making products that are cooler, better, and free-er than those of company (i.e. Microsoft vs. Linux, duh duh duh).

    Well, enough said. Yes, you can't clamor for both privacy and open source at the same time, fair enough. However, a balance can be maintained where you say "Yes, MS has rights to privacy if they want, but I have the right to say I like open source and want to go out and make Linux, but I myself have the right for privacy when it comes to certain aspects of my personal life".... i.e. I believe in free source code, but not necessarily big brother and telescreens and every bit of info being "free".

  55. Enough inane conspiracy theories, already! by OnanTheBarbarian · · Score: 5

    I think that a lot of Slashdotters went off their meds simultaneously, today. There's no other possible way to explain the weird paranoia that crops up every time this source code theft is mentioned.

    Conspiracy theory #1 - Microsoft faked it

    Come on. Microsoft does not possess an oracle that tells them things like "if you fake being hacked, your stock will stay high, people will not abandon your products (quite the possibility at the server end), and you'll get lots of clout in drafting new anti-hax0r legislation". And if you don't have that kind of oracle, you're not going to go out and pretend that you got hacked so that you can score some political points against the free software movement.

    They stand to lose far more business from 10% of their potential server market shifting to Sun/IBM/whoever (or deciding to stay with Sun) than they stand to gain from slightly helping the cause of some vague, unenforceable laws directed at reverse engineering.

    Yes, Microsoft will try to get as much advantage as they can from this. That's no suprise.

    Conspiracy theory #2 - Free software people did it

    If free software types (or supporters of same) were behind it, don't you think that someone would have seen the sources on freenet or some random ftp site by now? Or at least heard a couple of well-substantiated stories to that effect? ("I saw a huge tarball called microsoft-sources.tar.Z on ftp://....").

    Far more likely, it's either some script kiddiez, who probably didn't even get it together to the point where they could get the source in any useful form, or some low-level industrial espionage people who are discreetly shopping around their product to various shady firms.

    Incidentally, if it's the latter case, I wouldn't anticipate seeing the source showing up anywhere for free; why would the people who stole the source for profit give it away for free?

  56. Interesting parallel in music world by ch-chuck · · Score: 2

    I've heard that big time, really famous song writers are instructed (by their legal eagles) to NOT LISTEN to compositions by amateur songwriters (for legal reasons) because they may accidentally unconsciously plagiarize part of it and get hit with a lawsuit.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  57. Alternative explanation by XNormal · · Score: 2

    While your explanation of damage control is quite plausible I can see an alternative explanation:

    1. Breach is first detected, everyone is in a panic and assumes the worst.
    2. After a little checking it turns out not to be as bad as they thought at first.
    3. After careful analysis of logs, including the version control management logs it turns out that no modification took place and only a minor future product has been downloaded.

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
    1. Re:Alternative explanation by SurfsUp · · Score: 2
      3. After careful analysis of logs, including the version control management logs it turns out that no modification took place and only a minor future product has been downloaded.

      Give me a break. A guy goes undetected on MS's network for 3 months and he can't modify a versioning log?
      --
      Life's a bitch but somebody's gotta do it.
  58. You people are kidding, right? by update() · · Score: 2

    With 521 comments already, probably no one will ever read this but -- I have to say that in the 3+ years I've been reading Slashdot, this is the single most idiotic, clueless, divorced-from-reality discussion I have ever seen. I haven't been this embarrassed to be part of the free software world since Eric Raymond marched on Microsoft dressed as Obi-Wan.

  59. Does this exempt everyone then?!? by scsirob · · Score: 2

    #include "stdio.h"

    void vGenCrash(void);

    int iWinMain(int argc, char **argv)
    {
        vGenCrash();
        return 0;
    }

    void vGenCrash(void)
    {
        vPaintBlueScreen();
        vGenerateRandomSetOfWeirdLookingRegDumps();
        return;
    }

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
  60. Part of Microsoft's plan to destroy Linux by doublem · · Score: 3

    It's very simple. Have some code "Stolen," then use the whole "intellectual Property" issue to destroy the Linux Vendors a few upgrades from now. Don't you remember the Halloween documents? The proposal that Trade Secret Laws could be used to destroy open source???

    Six months from now you'll see the SAMBA and WINE teams being sued. M$ will win because the judges know nothing about computers and M$ money can buy the best lawyers.

    Oh well. I've been meaning to look at BeOS for a while now anyway.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
    1. Re:Part of Microsoft's plan to destroy Linux by doublem · · Score: 2

      They may not be able to stop you and me from running Linux at home, but they could shut down Red Hat, VA Linux and kill corporate use of the OS.

      --
      "Live Free or Die." Don't like it? Then keep out of the USA
    2. Re:Part of Microsoft's plan to destroy Linux by Gogl · · Score: 2

      That's a little bit of a negative/conspiracy theory view. Don't get me wrong, I'm all for pessimism/big brother/conspiracy theories, but only when truly applicable, and in this case only pessimism is applicable.

      I highly doubt this was Microsoft's "plan".... I don't think they "planned" to get "hacked" to take down Linux... for one thing, taking down Linux is a ridiculous thing to say, as so many people around the world use it, and the source code is free, so it will never really die short of a 1984-ish world. As for this "plan", while it may have the positive side for Msft of allowing them to legally beat down various open source groups, it has the negative side effect of unbelievably bad press.

      Hopefully Slashdot readers understand computers okay at least, okay enough to know that CBS/ABC/CNN coverage of this story was a joke at best. You know how they say that the media aims at a 3rd/4th grade level? I think this time they outdid themselves, got it all the way down to 1st grade.... it's sooo sad....... anyway, if you're average Joe Bloggs here, uses a windows computer for email and MS word and surfing, doesn't know a bit from a byte.... and you see "Microsoft Hacked" as a headline, chances are you're gonna go "Ugh, I thought they were smart computer people? But somebody hacked them, that means they aren't so smart".... and while Joe Bloggs will still buy windows unless a more viable alternative than Linux comes out (don't get me wrong, Linux is fully viable for people like you and me, just not for Joe Bloggs, unless he has a friend like you or me), this particular Joe Bloggs will now likely look at any other "tertiary" software that has an MS label with a slightly less favorable look.

      Essentially it hurts their brand name a bit. And after all, in this capitalist paradise it's brand names like Coca-Cola, McDonalds, and even Microsoft that are really worth money... I'm too lazy to hunt it down, but a little bit ago I saw something on CNN about a british museum of brand names or something, apparently the "big" ones (Coke, Microsoft, etc.) are worth $50-80 billion or something like that. And Microsoft's brand name just lost a little bit of value to the Joe Bloggs of the world....

    3. Re:Part of Microsoft's plan to destroy Linux by cyber-vandal · · Score: 2

      It all sounds plausible, but there is an implementation of Samba for OS/390, IBM's OS for their big-iron mainframes. IBM have pretty deep pockets too, and they're no friend to MS.

    4. Re:Part of Microsoft's plan to destroy Linux by doublem · · Score: 2

      Perhaps not Open Source in particular, but other projects as well. ANYONE who writes M$ compatible software could be attacked with this. While Linux, SAMBA, WINE and so on are the first examples that spring to my mind, this could also be used to attack BeOS, MAC, Applix and any other software house that M$ doesn't want around. In the end it could be a HUGE boon to M$ by allowing them to use lawyers to destroy anyone who is a competitor, and since the destruction of each and every one of them would be legal, the Dept of Justice would be hard pressed to cry foul. "It's not my fault I'm the only game in town, everyone else was crooked and broke the law."

      --
      "Live Free or Die." Don't like it? Then keep out of the USA
  61. What about a Chinese Wall approach? by hey! · · Score: 2

    Would you turn down specifications that were engineered from tainted sources?

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  62. Not *quite* the same thing by devphil · · Score: 2

    But I never claimed that MS did this on purpose.

    I'm just presenting one possible way in which they can recover their "losses" (real or perceived).

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  63. Source was only "viewed", not "downloaded" by divec · · Score: 3
    now, it was only one week, and source was only "viewed", not downloaded

    Anyone understand what that statement is supposed to mean at all? How can they know that the source was ``only'' viewed? If the cracker was viewing the code, then copied-and-pasted out of his xterm/browser/whatever, then he has a permanent, downloaded copy! I suspect the use of these words is an attempt to fool non-technical people.
    --

    perl -e 'fork||print for split//,"hahahaha"'

  64. Oh, come on... by devphil · · Score: 2

    Good lord you're paranoid!!! Seek professional help!

    You've never heard of just throwing out an idea to see what discussion it generates? I don't believe I ever stated that "this is what I firmly believe."

    It's just an idea, people. If you can't handle the thought of discussing strange and wacky concepts, you need to read some other website.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  65. Mod up!!!! by yuriwho · · Score: 2

    This is a very doable project provided we have access to windows source code. I'm not sure of the legalities but I'm pretty sure of one thing...MS uses GPL'd code in their products. Let's prove it and force them to make Office public domain. I could care less about the rest of their embrace and extend crap. If Office was free, we could be rid of them.

    --
    no sig.
  66. Why you'll never see their source in the wild... by weave · · Score: 4
    Forget it folks. If this was your typical leet h4k0r attack, they wouldn't be able to resist announcing it to the world or sneaking their little "greets and shouts" lines into their source code.

    No, it sounds like these puppies were real pros. If I was running a master criminal organization, stealing source to Microsoft code would be the best way to evaluate weaknesses in their code and use that quietly to hack into the world's biggest companies and banks undetected and run off with billions. Or how about hacking into foreign government intranets to get their secrets? Remember that this code has not received a critical eye looking at it with the intent to covertly break into it.

    There are real risks to the world going to 100% Microsoft solutions. It's like royal families inbreeding in medieval times. It ain't good and it's getting worse.

    Just think, your entire company may be Microsoft on the desktop, but at least the back ends are still something else. But soon no more. To leverage those nifty Active Directory benefits you need to move your DNS, LDAP, and Kerberos services to Windows 2000. Then you'll start to see the real benefits of moving that web server to IIS and e-mail to Exchange 2000.

    The real thing to fear here is what's going to happen behind closed doors outside of Redmond...

    I just don't understand the logic in trusting corporate and often national security interests running software you are unable to audit written by a private company whose only concern is maximizing their revenue and market share.

  67. M$ could just call "Foul" on everything... by devphil · · Score: 4

    ...just to be on the "safe" side.

    Consider. Free project GNUFoo comes out which competes with Microsoft Active FUBAR 2000. If it looks popular, M$ can just state that "there's a possibility that our proprietary source code influenced this design," and instantly GNUFoo is dropped like a hot potato.

    Now, there's none of M$'s code in GNUFoo, but the FSF and the GNUFoo programmers now have to prove that, because in the Real World you are presumed guilty until proven innocent, and even then you're still guilty of looking guilty.

    And in the years that it takes to satisfy the courts that GNUFoo is guilty of nothing but competing against The Man, the project will slowly grind to a halt. By the time GNUFoo is cleared of wrongdoing, M$ will have released their next project, and GNUFoo will be useless because it's so outdated.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  68. Re:Hacking the old IBM PC by doublem · · Score: 2

    I stand (Or sit to be more accurate) corrected.

    I remembered the story from a PBS documentary years ago. (Circa 1995) and must have messed up on the company name.

    Of course, the point wasn't about the company, but the whole idea of having one team hack the product and the other design a new one based on what they learned.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  69. Who's afraid of Big Bad Bill? by mattbee · · Score: 4

    Obviously MS have an excuse to sue if one person looks, but where's the harm in everybody looking? After all, the Windows programmers have had access to every piece of code ever released under the GNU Public License since 1984! What I'm saying is based on the hypothetical that Windows source is / will be generally available, but then that's what all the don't-look-don't-touch hysteria is based on too.

    On the offchance this is the case, why should one free software programmer fear litigation for implementing something that MS also implemented? What's to stop the programmer of some major open source software taking the opportunity to scrutinise Windows for appropriated ideas from GPL code? Obviously no free software programmer would be idiot enough to cut and paste Windows code, so if we're arguing on the stealing of `ideas' from code, and code from both sides is available for scrutiny, surely lawsuits could fly both ways?

    I can see why the Samba / Wine people might be more wary than most but MS would have a very hard time grinding all international free software development to a halt just because windows_src.zip turned up on a few FTP sites.

    --
    Matthew @ Bytemark Hosting
  70. maybe it was microsoft by josepha48 · · Score: 2
    It may have been microsoft, maybe they staged an attack against themselves. After all who has more to gain by hurting the open source movement than them? If you think about this for a minute it was only last week if not this week that wine was running word and excel 2000. If M$ says that someone stole their code and the FBI believes them then this could directly hurt the wine project. This and the fact that they bought into Corel so they could undermine the linux wine movement.

    I know maybe this sounds a little paranoid, but with the past history of this company I think that anything is possible with them. They are a moralless company that sees nothing but their profits. They say that they listen to their users and that their users want more features and don't care about security. That is a load and they know it.

    On another hand, if Microsoft cannot secure their OWN software system and their network security is that crappy, do you really want to be running that software? I mean really who leaves the source code to the OS connected to a system that is connected to the internet. Oh that's right they created that pptp crap and forgot to put security in it.

    Microsoft gives new meaning to VPN, Very Public Network!

    I don't want a lot, I just want it all!
    Flame away, I have a hose!

    --

    Only 'flamers' flame!

  71. Re:Conspiracy Theory by Fist+Prost · · Score: 2

    I'd say more than that. If you're a developer you can no longer open any email from anyone other than those you already know, maybe even having to have someone screen them for you. Imagine this scenario;

    To:Linus Torvaldes[Torvaldes@transmeta.com]
    From:Billy Bob [bill-b@notmicrosoft.com]
    Subject: Kernel Patch.
    blah blah blah (insert MS code here).

    Or worse yet sending it to the kernel mailing list, tainting all the relevant people in one fell swoop? Even if MS doesn't do it, there are plenty of people out there with nothing better to do than try to fuck up other people's day.

    Fist Prost

    --
    "We're talking about a planet of helpdesks."
    -Jaron Lanier
  72. Did M$ know of, aid or abet it? Dunno... by crovira · · Score: 3

    The problems with M$, with understanding anything they do, what, when or why, is of course, the secrecy.

    Do I think that this will slow down the OpenSource community in the least... No!

    Secrecy is a double-edged sword. Any Linux distro could be entered into public record without a ripple. In fact that might be a good idea to do so now in preparation for any potential eventuality.

    But I don't see M$ dragging their APIs and source code into court for the public record anytime soon. That's what they would have to do to even allege with intent to prosecute against anyone for supposedly stealing any of their code.

    They would have to identify the code and prove it came from them and the only way to do that is by bringing their own code to court and doing so in such a way as to prove the code repository had not been tampered with since the discovery of the break in.

    Then M$ would have to argue that it could not possibly have come from any other source but their code. All a developer has to do is keep a clear paper trail of what ideas come, as they come, and the very plausibility of the defense would dispel any allegation M$ might make.

    Making those allegations is a great deal more difficult than you think... Basically, M$ has a choice that I doubt they'd ever make even when their backs were against the wall.

    If you live in secrecy, you can't step into the sunlight too quickly. I think we're safe from an open source M$ for a long time to come.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
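    The reply to comment 57 ("he can't modify a versioning log?") and comment 72 ("prove the code repository had not been tampered with since the discovery of the break in") both turn on whether a version-control log is tamper-evident at all. The example below is added here and is not code from the Linux Journal article or any commenter: a plain log that an intruder can edit in place versus a hash-chained log whose head hash has been recorded out of band (for example, mailed to a third party at each release). The sample commits are constructed and the chain format is an assumption made for the illustration, not any real repository's format.

```python
import hashlib
import json

# Constructed sample of commits (author, message); not real repository data.
SAMPLE_COMMITS = [
    ("alice", "initial import"),
    ("bob", "fix buffer length check in parser"),
    ("alice", "add release notes for 2.0"),
]

GENESIS = "0" * 64


def entry_hash(prev_hash: str, author: str, message: str) -> str:
    """Hash of one log entry, bound to the hash of the entry before it."""
    payload = json.dumps([prev_hash, author, message], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(commits):
    """Turn (author, message) pairs into entries that each carry their predecessor's hash."""
    chain = []
    prev = GENESIS
    for author, message in commits:
        h = entry_hash(prev, author, message)
        chain.append({"prev": prev, "author": author, "message": message, "hash": h})
        prev = h
    return chain


def head_hash(chain):
    """The value that must be published out of band for the chain to be meaningful."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain, anchored_head):
    """Recompute every hash and compare the head with the anchored value.
    Returns (ok, index of the first bad entry, or len(chain) if only the head differs)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev:
            return False, i
        if entry_hash(e["prev"], e["author"], e["message"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if prev != anchored_head:
        return False, len(chain)
    return True, None


def tamper_in_place(chain, index, new_message):
    """What an intruder does to an unprotected log: edit one line and leave the rest."""
    edited = [dict(e) for e in chain]
    edited[index]["message"] = new_message
    return edited


def tamper_and_rehash(chain, index, new_message):
    """A more careful intruder edits the entry and recomputes every later hash.
    The result is internally consistent; only the out-of-band head exposes it."""
    commits = [(e["author"], e["message"]) for e in chain]
    commits[index] = (commits[index][0], new_message)
    return build_chain(commits)


def demo():
    chain = build_chain(SAMPLE_COMMITS)
    anchored = head_hash(chain)  # recorded outside the repository at release time
    edited = tamper_in_place(chain, 1, "remove buffer length check")
    rehashed = tamper_and_rehash(chain, 1, "remove buffer length check")
    return {
        "clean": verify_chain(chain, anchored),
        "edited_in_place": verify_chain(edited, anchored),
        "edited_and_rehashed": verify_chain(rehashed, anchored),
    }


if __name__ == "__main__":
    for name, (ok, where) in demo().items():
        print(f"{name}: {'OK' if ok else 'TAMPERED at entry ' + str(where)}")
```

    The in-place edit is caught at entry 1 because the stored hash no longer matches. The rehashed edit passes every internal check and is only caught because the head no longer equals the anchored value; a chain with no out-of-band anchor gives exactly the assurance SurfsUp is sceptical about, namely none against someone with three months of write access.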
  73. Re: Big Bad MS Lawyers by doublem · · Score: 2

    So, the only thing you can find wrong with my argument is the spelling of one word.

    Thank you. Your defeat in this debate has been noted.

    "If you can not attack his logic and reasoning, attack his spelling. Loudly"

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  74. Sympathy for Goliath by TexasCowboy23 · · Score: 3

    To start, I'll admit that I'm no major fan of Microsoft these days; yes, I even find it hysterical they've been hacked on this scale; yes, admittedly (regrettably?), I have sympathy for them. No matter how much I dislike the ethics (or lack thereof) of Bill Gates, he has been wronged: theft is theft (if indeed source code was stolen, which has yet to be proven, by the way). Of course, I'm wondering something of my own (away from all the flying conspiracy theories, rest assured). According to MSNBC, Microsoft has figured out that the passwords were being sent to an account somewhere in Russia. So what's taking so long? What's taking Microsoft so long to actually come up with something definitive? Enough "may have" and "could have" -- where is the "did" and "done"?

    Now, here's another thought. If the Linux community were behind this, we'd be unimaginable idiots every last one of us. Linux is so much more than Windows could ever hope to be. If you look at the track record of Microsoft and bugs, it don't look pretty. They have 7 service packs for Windows NT 4 (1,2,3,4,5,6,6a) ... They have 3 or 4 service packs for Visual Studio 6. Two service packs for SQL Server 7. Even their beloved Windows 2000 (not a few months after being released) now has its own Service Pack 1. I could keep going, but I'd be typing forever. No, nothing will be truly bug free upon release. Yes, bugs will always be one of the inherent problems behind code. But consider the overall amount of time between finding a bug and releasing a fix for it. Linux does it better and faster; Microsoft tries to mimic that behaviour and often times fails. Microsoft cannot keep up with the drive of Linux, and that's in our favour. If Microsoft source code ever became a part of Linux, I'd probably scream "Borg!" and run off to my own little planet somewhere in Andromeda. Assimilation of the illegal or the unwilling needs to be where the line is drawn.

    Though, I wouldn't mind someone stealing the source code for DirectX 7.0 and developing it over to Linux. *drool* I'd love to play Final Fantasy VIII under Linux. (And, for my legal sake, that is not a serious statement, though it would be a dream to play games of that magnitude under Linux. Of course I could just hope that Linux and Sony somehow combine forces and make a new distribution called Sony Linux or something...)

    This breakin at Microsoft also says something for off-site workers. As a consultant, at times I do work off-site, and I see some interesting effects in the worst case. Since the intruders appeared to the security logs as employees simply working off-site, security overlooked them for three months. For three months the intruders worked, doing only God knows what. (Like I said, there's been no real definitive proof to surface yet except for allegations about what "might have" and "could have" and "appears to have happened"...) But I still think this might produce some chilling and overly restrictive corporate policy changes on working off-site.

    I'm betting that nothing really serious did happen; I'd bet that the intruders only want to sit down and see how long it would be before someone noticed. In three months, you could cause all sorts of chaos for Goliath in his own camp. Blow out a few torches, bring down the mainframes, format a few servers, knock out corporate E-Mail, shut down all the domain controllers. (That latter one would be VERY interesting, believe me.) Maybe I'm wrong; maybe something serious did happen (not that a break in of this size isn't already something serious in and of itself)... I just want proof before I start my panic run. (Which, for me, consists of about 2 minutes of hyperventilating. *grin*)

    Enough rambling...

    --
    Seth Anderson BTW, I'm not 23 anymore -- I am TexasCowboy26 now. =)
  75. Send bug fixes to MS... by isaac_akira · · Score: 2

    If stolen MS code DOES get widely distributed, it would be pretty amusing for the OSS community to start anonymously sending them diff's to fix up the bugs in the stolen code. I'd like to see the face of the tech support droid who gets that email...

    - Isaac =)

  76. Hacking the old IBM PC by doublem · · Score: 2

    Compaq was very worried about this when they cloned the IBM PC. They had one group of hackers chip away at an IBM PC to build the specs for what it needed to do, and a separate "Clean Room" team to use the specs and create the cloned BIOS. The "Clean room" designers had to be able to prove they had never worked with an IBM PC to get the job.

    And thus the IBM clone of the PC architecture was born.

    If they hadn't taken these precautions they would have been sued into oblivion by IBM and all PCs would be IBM PCs to this very day.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  77. Take the high road, guys... by BluedemonX · · Score: 3

    Yes, they've basically stolen tons of stuff from everyone else... one MIGHT be tempted to say "fight fire with fire"... BUT...

    Here's the chance to publicly say "even if it was offered to us, we wouldn't take it." That kind of corporate-espionage B.S. belongs to a totally different world. Open Source is a philosophy, let it live and or die on its own two feet and by its merits.

    Showing the world the kind of class that Microsoft never had and never will should ratchet the public image of slashdot types way up, and counteract those stupid and offensive "hi! I'm the fat black hacker guy who has your credit card!" commercials...

    --

    --- Jump!! Fire!! Bullet time!! - Lego version of the Matrix
  78. Re:How QAZ works by Global-Lightning · · Score: 3
    From the Symantec Antivirus Research Center:

    [...] W32.HLLW.Qaz.A was first discovered in China in July of 2000. W32.HLLW.Qaz.A is a companion virus that can spread over the network and also has a backdoor that lets a remote hacker connect to and control the computer via port 7597. Since the virus does not have the ability to spread to computers outside the network, the virus might have originally been spammed out by email.

  79. Re:They had access to MS's source code by treke · · Score: 2
    I'm guessing that Microsoft is gonna have to revert back to their last known "safe" code, and then try and merge changes back into the code. Carefully auditing each one. At least that's what I think a responsible company should do. Now microsoft on the other hand....

    This could easily set development back on whatever products the hackers got access to the code on. At least assuming that they were able to get write access.
    treke

  80. Qaz Trojan opens port 7597 by alienmole · · Score: 2
    Who said anything about an open port?

    The reports of the Microsoft incident mentioned the Qaz Trojan, which according to this article opens port 7597 to support remote control. Which, needless to say, would easily be stopped by a firewall/packet filter/proxy/etc.

    While you're correct that the most determined attackers might be able to create a trojan which might even be able to operate through a protocol-sensitive filter or proxy, the fact is that no-one seems to have actually developed such a trojan, have they? Which means that for most businesses with a decently configured firewall, you're far more likely to have a disgruntled techie or salesperson abscond with or sabotage sensitive information than you are to experience an external attack from the Internet.

  81. Sorry, no. by schon · · Score: 5
    a firewall should have prevented the attacker from exploiting the open port

    Who said anything about an open port?

    I'm sorry, but to a determined hacker, no firewall in the world will be able to stop a properly-written trojan.

    First, you're assuming that the trojan simply opened a telnet port and waited for connections (à la backorifice) - a firewall (or more correctly packet filter) would solve this, but there are LOTS of other ways a trojan could have operated.

    Let's look at some of the other ways to get in from the outside (Just off the top of my head):

    • Outbound sessions - have the victim initiate the TCP session. So instead of Attacker->Victim, you have Victim->Attacker. Set the destination port to something that the client may be likely to do (Such as port 80, or perhaps 22 or 25) to enhance the likelihood that any packet filter would allow it.
    • Use UDP to do the transfer - again have the victim initiate the session, and send control packets via the UDP-return mechanism. This is harder to implement than TCP (you have to handle dropped packets and retransmits yourself,) but probably the best way to do it, considering the way that the MS Netmeeting protocol works. (If the victim is allowed to use Netmeeting to anywhere on the 'net, then you can't block unknown UDP packets.)
    • Use another protocol, such as ICMP, or maybe a combination of UDP and ICMP - the victim sends data/ack/heartbeat packets to the attacker, and the attacker sends commands embedded in ICMP destination-unreachable packets (IIRC, this is how the TRINOO trojans work - this is what was used in last year's DDOS attacks.)

    The bottom line is that packet filters aren't the final solution to security - they are certainly a part of any good security plan, but relying solely on them won't protect you from someone who really wants into your network.
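    Comments 80 and 81 disagree about whether a firewall would have dealt with the Qaz backdoor on port 7597. The following is an added example, not code from the article, from Symantec or from either commenter: a toy first-match packet filter run against constructed flows, one per channel schon lists, under two policies. The first policy screens inbound traffic only, which is what stops a listener on 7597; the second also restricts egress. The port numbers 8080 and 1720, the flow names and both rule sets are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One session as a packet filter sees it (constructed, not captured traffic).
    Every "out" flow here is initiated by the victim, which is the whole trick."""
    direction: str   # "in": Internet -> LAN, "out": LAN -> Internet
    proto: str       # "tcp", "udp" or "icmp"
    dport: int       # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport: Optional[int]   # None matches any port
    action: str            # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.direction == f.direction and self.proto == f.proto
                and (self.dport is None or self.dport == f.dport))


def evaluate(rules, flow, default="deny"):
    """First-match evaluation, the way a simple packet filter works."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


# Policy A: block inbound connections (Qaz's 7597 listener among them),
# let workstations talk to anything outside.
INBOUND_ONLY = [
    Rule("in", "tcp", 7597, "deny"),    # explicit, but the next rule covers it anyway
    Rule("in", "tcp", None, "deny"),
    Rule("in", "udp", None, "deny"),
    Rule("out", "tcp", None, "allow"),
    Rule("out", "udp", None, "allow"),
    Rule("out", "icmp", None, "allow"),
]

# Policy B: egress control. Workstations may only reach an HTTP proxy on 8080
# (assumed port); no direct outbound TCP, UDP or ICMP from workstations.
EGRESS_CONTROLLED = [
    Rule("in", "tcp", None, "deny"),
    Rule("in", "udp", None, "deny"),
    Rule("out", "tcp", 8080, "allow"),
    Rule("out", "tcp", None, "deny"),
    Rule("out", "udp", None, "deny"),
    Rule("out", "icmp", None, "deny"),
]

# Constructed flows: the Qaz listener plus the channels named in comment 81.
FLOWS = {
    "qaz_backdoor_7597": Flow("in", "tcp", 7597),
    "reverse_tcp_80": Flow("out", "tcp", 80),
    "reverse_tcp_25": Flow("out", "tcp", 25),
    "reverse_tcp_8080": Flow("out", "tcp", 8080),   # attacker listens on the proxy port
    "udp_control": Flow("out", "udp", 1720),        # assumed port for a UDP channel
    "icmp_heartbeat": Flow("out", "icmp", 0),
}


def exposure(rules):
    """Map each flow name to True if that trojan channel gets through the policy."""
    return {name: evaluate(rules, f) == "allow" for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("inbound-only", INBOUND_ONLY),
                          ("egress-controlled", EGRESS_CONTROLLED)):
        print(label)
        for name, through in exposure(policy).items():
            print(f"  {name:20s} {'GETS THROUGH' if through else 'blocked'}")
```

    Under the inbound-only policy the 7597 listener is blocked and every victim-initiated channel passes, which is schon's point. The egress policy closes the direct TCP, UDP and ICMP channels but still passes a reverse connection to whatever port is left open (8080 here), so port filtering on its own only raises the bar; what closes that last gap is a proxy that validates the protocol on the allowed port, plus looking at outbound connection logs for sessions that are long-lived or go to unexpected destinations.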
  82. Great ! by ModelX · · Score: 2

    So now there's a perfect chance someone trims those sources of excessive baggage and releases an optimized uncrippled version of WinME on 1 floppy disk.

  83. Conspiracy theory of the day ;) by bero-rh · · Score: 2

    For the paranoid among us:
    There was no breakin. Microsoft just claims there was so they can sue open source projects that incidentally/through legal reverse engineering have come up with code similar to theirs.

    --
    This message is provided under the terms outlined at http://www.bero.org/terms.html
  84. trade secrets mean... by nels_tomlinson · · Score: 5

    that you MUST keep the secret, right? So when Microsoft carelessly allowed spies to copy their secrets, they lost the trade secret protection, didn't they? The spies have broken the law, and should be punished, but if they publish the "secrets", it's none of my doing that that's not a secret any more. There may be a copyright to keep me from cutting and pasting, but other than that, it seems that I should be in the clear.

    In a nutshell,(TM) I thought that once a trade secret slipped out, it was no longer protected by law. Can someone who IS a lawyer comment on this? Is it true that it doesn't matter HOW a trade secret is divulged?