The Impact on Open Source of Stolen Microsoft Code
Cabal writes: "I recently came across this article on Linux Journal. It discusses some of the more interesting legal ramifications of the theft of Microsoft's source code that I hadn't even thought of and it's effect on open-source projects. Basically, it's saying don't go near any code claiming to be stolen from MS, and with good reason, including quotations from the Samba project. Check it out, it's a good read."
But what about the flip side of this?
Would it be at all feasible, from a law perspective, to counter-sue Microsoft for *NEGLIGENCE* in protecting their so-called trade secrets?
Wouldn't it be possible to make the argument that since Microsoft *allowed* the source code to get out into the public domain, they are responsible for their own mess, and thus use that as a basis to dismiss any court cases that would be enacted based on this conspiracy theory.
It seems to me that this argument could be made fairly strongly - as is the case with trademarks - if you do not protect it, you do not deserve the right to exclusivity, and thus there would be no basis for damages should the code be 'used' elsewhere?
Can anyone with a strong legal background comment on the feasibility of this issue? It would seem to me that something like this could be argued in any case against Microsoft for this purpose.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Forget the legal ramifications... using microsoft code in an Open Source and/or Free Software project would be like building your house out of straw when you get free bricks and know the Big Bad Wolf is on his way.
1. Bill Gates' credit card details
2. Source code for Bob
3. Cheat list for Solitaire
4. Online application form for donations from the Bill and Melinda foundation
5. Wish list for enhancements to MS-DOS 3.3
6. Complete set of MP3s of Steve Ballmer rocking out
7. Original code for Linux
8. Discarded Office Assistants including Penfield the crazy Judge and Linus the toad
9. Contents of Bill's desktop trash folders for the last five years
10. Contact details for Bill's personal stylist
.sigs: Just Say No!
Microsoft has to take reasonable care in protecting valuable trade secrets. It is clear that they haven't. Even if they believe that their E-mail client has sufficient security, if they believe their source code is as valuable as it is, it should reside on a more protected part of the network. Microsoft is merely trying to avoid responsibility for their product defects and for their poor security policies.
It is an outrage that the taxpayer now even has to foot the bill for trying to track down people who took advantage of security defects in Microsoft products. That would be like GM selling cars with no locks and then claiming it's the taxpayer's responsibility to find all the stolen cars.
It is still good advice for open source projects to stay away from any Microsoft source, legally or illegally obtained. But don't get suckered into believing that Microsoft has any ethical claims: they were negligent. And, objectively, they ought not to have any hope of legal success either--they should fix their products instead and stop shifting the cost of their defective products onto law enforcement and, ultimately, the taxpayer. As long as they can get away with shifting cost and responsibility onto others, they will have no economic incentives to fix their software or procedures.
Every time anything to do with DeCSS is posted on /., a load of +5 informative posts pop up with the code. Slashdot refuses to take them off.
If someone decided to post some key code to windows here, would it be kept on the server? How many nanoseconds would it take before 200,000 lawyers shut the site down?
How far will slashdot go?
Just a random thought that popped in my head, but what if it turned out that GPL'd code was found in Microsoft's source code?
:P
Maybe their 'innovative' re-invention of symlinks and mapping drives to directories was based on GPL'd code.
Prolly not, but I say it was just a random thought I had.
Thank you. Drive through. (:wq)
To be honest, I had this smug feeling about the whole deal until I read the article. This is really an unfortunate situation. More importantly, it touches all of us, since anyone who tries to reverse engineer an API from MS is going to get painted with the haxor brush. The MS code isn't even that good. I only hope that they don't use this as an excuse to begin a litigious assault on the Open Source movement. Sustained lawsuits attacking key applications will slow development, and could influence virtually everything we do.
One thing this means for us is this: concentrate in your source trees, now more than ever, on modularity. Any time a chunk of code becomes suspect, we should be able to isolate and replace it until the dispute is resolved.
On another note, it would probably be a good idea for people in the Open Source community to alert the FBI to anything we might hear about who may be responsible for this. While I don't like MS, the courts will punish them for their monopoly, and the marketplace will punish them for their closed source methodology. To not assist wherever appropriate will leave us open to accusations that our community is filled with criminals and warez d00dz.
Besides, the sooner this is put to rest, the sooner we can dispel the myth that MS source code is actually valuable in the first place...
What's going on? Well, it seems like MS's PR department has been working hard to downplay the attack. Notice how the informant shifts over time from an unnamed "Microsoft engineer" to Ballmer to MS's "corporate security officer." I assume that what happened went like this: 1) a mid-level MS engineer leaked the real story to the press, 2) PR (Ballmer) stepped in for damage control, and finally 3) PR propped up a puppet with a written script to try and kill the issue.
The thing is, the strategy may backfire on MS. Now, they can't claim that open source developers are pirating their code. They've already gone on record saying no MS code exists in the wild. Which means that if you happen upon the source to Office, you are free to look at it, since MS has already declared that that code does not exist.
Heh.
It is hard to imagine that something that could look so good on the surface (Microsoft getting totally 0wned) could be so bad for the Free Software Movement. Now potentially any open source project that has anything to do with Microsoft interoperability is open to a lawsuit. At the very least, it will make accepting contributed code into the CVS tree more difficult.
It has been said that one of the fundamental damages that security breaches cause is not only the loss of data, but the loss of the integrity of data. It is unfortunate that this loss of integrity has to spread to other victims that have basically nothing to do with Microsoft.
Friends don't let friends use multiple inheritance.
While I understand the legal issues involved... it still irks me that reading something can get you into trouble.
Well, I DON'T understand something about this, and the flap surrounding it:
As I understood it, a trade secret is GONE once the secret is out of the bag. The holder of the secret has an action ONLY against the person who improperly exposed it - either after stealing it, or in violation of a valid confidentiality agreement - and perhaps anyone in collusion with that person. (Collusion would be things like hiring him to steal it, or giving him some benefit in return for a copy you knew to be stolen. Downloading it from an open internet site would not be collusion.)
Since when is there an action against anyone found using part of a FORMER secret that is now widely distributed? Since when is there NOT a big-time countersuit and other legal grief for anyone who brings such a bogus suit?
Yes, you can sue anyone for anything. Yes, if you have enough lawyers you can cause anybody a lot of trouble. But you can't just use your money and the court system to make life hell on any random person or company you don't like. You have to have a plausible case. If you knowingly bring a bogus suit you're on the hook big-time - both civilly and (if you're blatant and unpopular enough) criminally.
Has the deCSS case broken the legal system THAT badly?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
If Microsoft's source code appears in public, downloadable from somewhere or in some other way, most likely they will not write on the page "Hey Dudes, check this out! This is M$ Office Source Code!". Maybe after the water calms down, something will appear in some anonymous way in some projects, in some webpages... It might be difficult to know for an OSS maintainer that a contribution to his software does not come from M$ stolen code. How should a maintainer behave? Should he be paranoid? Should he act "in good faith"? It won't be as simple as it looks.
Exactly, the benefits of implementing gpf-like functionality (better crash-dialog functionality) into kde or, for the gnome folk, gnome.
Seriously, though, I know not what the true story is, but I'm sure there are many reasons Microsoft might execute such and infinitely many reasons why they would not have. And, by the way, we don't even know what, if, or exactly how much code was stolen.
Maybe this is another case of a hard drive being misplaced behind a copy machine, anyways.
Microsoft has invested MANY millions of dollars into their software -- something they obviously don't want to lose -- against your theory. With all the funky legal stuff going on in recent years, I must say if Microsoft hasn't used this vehicle, you are first, in my book, to give ideas to those who will ;-)
So they're seriously suggesting that anyone who's ever worked for Microsoft or a licensee is not allowed to work on an Open Source project attempting to mimic functionality ever in their life? That can't be right, and if it is, isn't that a huge threat to individual freedom?
But they don't have to. Just pick one or two high-profile members of the group, and target them. As soon as everyone else in the project finds out what's happening, the project is dead. It may not be possible to eradicate all OSS projects, but a few well-delivered blows could seriously cripple most of the useful stuff out there. Besides, MS would likely only target those things that pose a threat to them. I doubt that they'd go after anyone working on vi, for instance.
Question: When has Microsoft ever shown fear of any entity??? This is part of the reason they're perpetually in trouble with DOJ/FTC/etc...
Where the value of X-Mailer: is the true measure of a man...
Sounds strange? Think about the following reasons. We've seen many times previously that MSFT avoids admitting their own mistakes for as long as they possibly can. It takes them a while to warn the public about known bugs or exploits in their various software products. Yet, in this case of the stolen source, they were seemingly very willing to let the press know about the break-in and apparent theft of the source code.
Now that it is public knowledge that some MSFT source code has been stolen, imagine what it does for free/open-source development. Because of this, the FSF and other maintainers of free/OSS software now have to take extra measures to ensure that the code is free of any potential influence of the supposed 'stolen code'. This takes time and effort, and will generally serve to slow down the development of open-source software projects. A big 'plus' for MSFT.
Also, suppose someone posts snippets of the 'Forbidden Source' to various newsgroups, like the public postings of DeCSS and MSFT's Kerberos additions to Slashdot. Or, say, someone emails some of this code to the kernel mailing list directly. Now, nearly the entire team of Linux developers, among other projects, has seen the 'forbidden source'. IANAL, but MSFT could possibly use the fact that they saw the 'forbidden source' as justification that they're now privy to MSFT's proprietary software models. They may use this fact to either sue future developers, or inhibit future development of such projects. Both of these things are bad for OSS/free software, and are good for MSFT.
This may sound like some grand paranoid conspiracy theory and doomsday scenario, but as someone posted to LinuxToday, "Just because you're paranoid doesn't mean they're NOT out to get you."
make world, not war
I haven't looked at how QAZ works, but wouldn't it get installed and then listen on some port?
Doesn't microsoft keep all of their users behind a firewall? If so, QAZ would just be opening a port on the users computer behind the firewall, no one should be able to get in and actually connect to it, there would have to be a hole poked in the firewall for that to happen.
I think that a lot of Slashdotters went off their meds simultaneously, today. There's no other possible way to explain the weird paranoia that crops up every time this source code theft is mentioned.
Conspiracy theory #1 - Microsoft faked it
Come on. Microsoft does not possess an oracle that tells them things like "if you fake being hacked, your stock will stay high, people will not abandon your products (quite the possibility at the server end), and you'll get lots of clout in drafting new anti-hax0r legislation". And if you don't have that kind of oracle, you're not going to go out and pretend that you got hacked so that you can score some political points against the free software movement.
They stand to lose far more business from 10% of their potential server market shifting to Sun/IBM/whoever (or deciding to stay with Sun) than they stand to gain from slightly helping the cause of some vague, unenforceable laws directed at reverse engineering.
Yes, Microsoft will try to get as much advantage as they can from this. That's no surprise.
Conspiracy theory #2 - Free software people did it
If free software types (or supporters of same) were behind it, don't you think that someone would have seen the sources on freenet or some random ftp site by now? Or at least heard a couple of well-substantiated stories to that effect? ("I saw a huge tarball called microsoft-sources.tar.Z on ftp://....").
Far more likely, it's either some script kiddiez, who probably didn't even get it together to the point where they could get the source in any useful form, or some low-level industrial espionage people who are discreetly shopping around their product to various shady firms.
Incidentally, if it's the latter case, I wouldn't anticipate seeing the source showing up anywhere for free; why would the people who stole the source for profit give it away for free?
It's very simple. Have some code "Stolen," then use the whole "intellectual Property" issue to destroy the Linux Vendors a few upgrades from now. Don't you remember the Halloween documents? The proposal that Trade Secret Laws could be used to destroy open source???
Six months from now you'll see the SAMBA and WINE teams being sued. M$ will win because the judges know nothing about computers and M$ money can buy the best lawyers.
Oh well. I've been meaning to look at BeOS for a while now anyway.
"Live Free or Die." Don't like it? Then keep out of the USA
Anyone understand what that statement is supposed to mean at all? How can they know that the source was "only" viewed? If the cracker was viewing the code, then copied-and-pasted out of his xterm/browser/whatever, then he has a permanent, downloaded copy! I suspect the use of these words is an attempt to fool non-technical people.
perl -e 'fork||print for split//,"hahahaha"'
No, it sounds like these puppies were real pros. If I was running a master criminal organization, stealing source to Microsoft code would be the best way to evaluate weaknesses in their code and use that quietly to hack into the world's biggest companies and banks undetected and run off with billions. Or how about hacking into foreign government intranets to get their secrets? Remember that this code has not received a critical eye looking at it with the intent to covertly break into it.
There are real risks to the world going to 100% Microsoft solutions. It's like royal families inbreeding in medieval times. It ain't good and it's getting worse.
Just think, your entire company may be Microsoft on the desktop, but at least the back ends are still something else. But soon no more. To leverage those nifty Active Directory benefits you need to move your DNS, LDAP, and Kerberos services to Windows 2000. Then you'll start to see the real benefits of moving that web server to IIS and e-mail to Exchange 2000.
The real thing to fear here is what's going to happen behind closed doors outside of Redmond...
I just don't understand the logic in trusting corporate and often national security interests running software you are unable to audit written by a private company whose only concern is maximizing their revenue and market share.
...just to be on the "safe" side.
Consider. Free project GNUFoo comes out which competes with Microsoft Active FUBAR 2000. If it looks popular, M$ can just state that "there's a possibility that our proprietary source code influenced this design," and instantly GNUFoo is dropped like a hot potato.
Now, there's none of M$'s code in GNUFoo, but the FSF and the GNUFoo programmers now have to prove that, because in the Real World you are presumed guilty until proven innocent, and even then you're still guilty of looking guilty.
And in the years that it takes to satisfy the courts that GNUFoo is guilty of nothing but competing against The Man, the project will slowly grind to a halt. By the time GNUFoo is cleared of wrongdoing, M$ will have released their next project, and GNUFoo will be useless because it's so outdated.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Obviously MS have an excuse to sue if one person looks, but where's the harm in everybody looking? After all, the Windows programmers have had access to every piece of code ever released under the GNU Public License since 1984! What I'm saying is based on the hypothetical that Windows source is / will be generally available, but then that's what all the don't-look-don't-touch hysteria is based on too.
On the offchance this is the case, why should one free software programmer fear litigation for implementing something that MS also implemented? What's to stop the programmer of some major open source software taking the opportunity to scrutinise Windows for appropriated ideas from GPL code? Obviously no free software programmer would be idiot enough to cut and paste Windows code, so if we're arguing on the stealing of `ideas' from code, and code from both sides is available for scrutiny, surely lawsuits could fly both ways?
I can see why the Samba / Wine people might be more wary than most but MS would have a very hard time grinding all international free software development to a halt just because windows_src.zip turned up on a few FTP sites.
Matthew @ Bytemark Hosting
The problems with M$, with understanding anything they do, what, when or why, is of course, the secrecy.
Do I think that this will slow down the OpenSource community in the least... No!
Secrecy is a double-edged sword. Any Linux distro could be entered into public record without a ripple. In fact that might be a good idea to do so now in preparation for any potential eventuality.
But I don't see M$ dragging their APIs and source code into court for the public record anytime soon. That's what they would have to do to even allege with intent to prosecute against anyone for supposedly stealing any of their code.
They would have to identify the code and prove it came from them and the only way to do that is by bringing their own code to court and doing so in such a way as to prove the code repository had not been tampered with since the discovery of the break in.
Then M$ would have to argue that it could not possibly have come from any other source but their code. All a developer has to do is keep a clear paper trail of what ideas come, as they come, and the very plausibility of the defense would dispel any allegation M$ might make.
Making those allegations is a great deal more difficult than you think... Basically, M$ has a choice that I doubt they'd ever make even when their backs were against the wall.
If you live in secrecy, you can't step into the sunlight too quickly. I think we're safe from an open source M$ for a long time to come.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
To start, I'll admit that I'm no major fan of Microsoft these days; yes, I even find it hysterical they've been hacked on this scale; yes, admittedly (regrettably?), I have sympathy for them. No matter how much I dislike the ethics (or lack thereof) of Bill Gates, he has been wronged: theft is theft (if indeed source code was stolen, which has yet to be proven, by the way). Of course, I'm wondering something of my own (away from all the flying conspiracy theories, rest assured). According to MSNBC, Microsoft has figured out that the passwords were being sent to an account somewhere in Russia. So what's taking so long? What's taking Microsoft so long to actually come up with something definitive? Enough "may have" and "could have" -- where is the "did" and "done"?
... They have 3 or 4 service packs for Visual Studio 6. Two service packs for SQL Server 7. Even their beloved Windows 2000 (not a few months after being released) now has its own Service Pack 1. I could keep going, but I'd be typing forever. No, nothing will be truly bug free upon release. Yes, bugs will always be one of the inherent problems behind code. But consider the overall amount of time between finding a bug and releasing a fix for it. Linux does it better and faster; Microsoft tries to mimic that behaviour and oftentimes fails. Microsoft cannot keep up with the drive of Linux, and that's in our favour. If Microsoft source code ever became a part of Linux, I'd probably scream "Borg!" and run off to my own little planet somewhere in Andromeda. Assimilation of the illegal or the unwilling needs to be where the line is drawn.
Now, here's another thought. If the Linux community were behind this, we'd be unimaginable idiots every last one of us. Linux is so much more than Windows could ever hope to be. If you look at the track record of Microsoft and bugs, it don't look pretty. They have 7 service packs for Windows NT 4 (1,2,3,4,5,6,6a)
Though, I wouldn't mind someone stealing the source code for DirectX 7.0 and developing it over to Linux. *drool* I'd love to play Final Fantasy VIII under Linux. (And, for my legal sake, that is not a serious statement, though it would be a dream to play games of that magnitude under Linux. Of course I could just hope that Linux and Sony somehow combine forces and make a new distribution called Sony Linux or something...)
This break-in at Microsoft also says something for off-site workers. As a consultant, at times I do work off-site, and I see some interesting effects in the worst case. Since the intruders appeared to the security logs as employees simply working off-site, security overlooked them for three months. For three months the intruders worked, doing only God knows what. (Like I said, there's been no real definitive proof to surface yet except for allegations about what "might have" and "could have" and "appears to have happened"...) But I still think this might produce some chilling and overly restrictive corporate policy changes on working off-site.
I'm betting that nothing really serious did happen; I'd bet that the intruders only want to sit down and see how long it would be before someone noticed. In three months, you could cause all sorts of chaos for Goliath in his own camp. Blow out a few torches, bring down the mainframes, format a few servers, knock out corporate E-Mail, shut down all the domain controllers. (That latter one would be VERY interesting, believe me.) Maybe I'm wrong; maybe something serious did happen (not that a break in of this size isn't already something serious in and of itself)... I just want proof before I start my panic run. (Which, for me, consists of about 2 minutes of hyperventilating. *grin*)
Enough rambling...
Seth Anderson BTW, I'm not 23 anymore -- I am TexasCowboy26 now. =)
Yes, they've basically stolen tons of stuff from everyone else... one MIGHT be tempted to say "fight fire with fire"... BUT...
Here's the chance to publicly say "even if it was offered to us, we wouldn't take it." That kind of corporate-espionage B.S. belongs to a totally different world. Open Source is a philosophy, let it live and or die on its own two feet and by its merits.
Showing the world the kind of class that Microsoft never had and never will should ratchet the public image of slashdot types way up, and counteract those stupid and offensive "hi! I'm the fat black hacker guy who has your credit card!" commercials...
--- Jump!! Fire!! Bullet time!! - Lego version of the Matrix
[...] W32.HLLW.Qaz.A was first discovered in China in July of 2000. W32.HLLW.Qaz.A is a companion virus that can spread over the network and also has a backdoor that lets a remote hacker connect to and control the computer via port 7597. Since the virus does not have the ability to spread to computers outside the network, the virus might have originally been spammed out by email.
Who said anything about an open port?
I'm sorry, but to a determined hacker, no firewall in the world will be able to stop a properly-written trojan.
First, you're assuming that the trojan simply opened a telnet port and waited for connections (à la Back Orifice) - a firewall (or more correctly packet filter) would solve this, but there are LOTS of other ways a trojan could have operated.
Let's look at some of the other ways to get in from the outside (Just off the top of my head):
The bottom line is that packet filters aren't the final solution to security - they are certainly a part of any good security plan, but relying solely on them won't protect you from someone who really wants into your network.
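A worked illustration of the point made above and of the earlier question about QAZ listening behind a firewall (added here; this is not code from the thread or from any poster): a toy first-match packet-filter evaluator shows that an inbound-only rule set blocks a connection to a listening backdoor but passes a connection the backdoor opens outward itself, while a default-deny egress policy catches the latter, and a small check over constructed firewall log lines flags the same traffic. Port 7597 is the one quoted in the virus write-up above; the hosts, rule sets, allowed-port list and log lines are all constructed.

```python
import re
from dataclasses import dataclass

# Port from the quoted virus write-up; everything else here is constructed.
QAZ_BACKDOOR_PORT = 7597
ALLOWED_EGRESS_PORTS = {25, 53, 80, 443}   # assumed business egress policy

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    direction: str  # "in": Internet -> LAN, "out": LAN -> Internet

# A rule is (direction, destination port or None for any port, action).
# First match wins; no match means deny.
INBOUND_ONLY_POLICY = [
    ("in", 80, "allow"),
    ("in", None, "deny"),
    ("out", None, "allow"),   # the gap: any outbound connection passes
]
EGRESS_POLICY = [
    ("in", 80, "allow"),
    ("in", None, "deny"),
] + [("out", p, "allow") for p in sorted(ALLOWED_EGRESS_PORTS)] + [
    ("out", None, "deny"),    # default-deny egress closes the gap
]

def evaluate(policy, flow):
    """Return 'allow' or 'deny' for one flow under a first-match rule list."""
    for direction, port, action in policy:
        if direction == flow.direction and port in (None, flow.dport):
            return action
    return "deny"

# Constructed traffic: an infected LAN host 10.0.0.5 and an external host.
INBOUND_TO_BACKDOOR = Flow("203.0.113.9", "10.0.0.5", QAZ_BACKDOOR_PORT, "in")
REVERSE_FROM_BACKDOOR = Flow("10.0.0.5", "203.0.113.9", QAZ_BACKDOOR_PORT, "out")
NORMAL_WEB = Flow("10.0.0.5", "203.0.113.9", 80, "out")

def compare_policies(flow):
    """(verdict under inbound-only policy, verdict under egress policy)."""
    return (evaluate(INBOUND_ONLY_POLICY, flow), evaluate(EGRESS_POLICY, flow))

# Constructed log format: "<date> <time> <ACTION> <DIR> <src>:<sport> -> <dst>:<dport> TCP"
LOG_RE = re.compile(r"^\S+ \S+ (?P<action>ALLOW|DENY) (?P<dir>IN|OUT) "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) TCP$")

SAMPLE_LOG = """\
2000-10-27 03:12:40 ALLOW OUT 10.0.0.5:1034 -> 203.0.113.9:80 TCP
2000-10-27 03:12:44 DENY IN 203.0.113.9:40211 -> 10.0.0.5:7597 TCP
2000-10-27 03:13:02 ALLOW OUT 10.0.0.5:1035 -> 203.0.113.9:7597 TCP
2000-10-27 03:13:10 ALLOW OUT 10.0.0.7:1101 -> 198.51.100.4:443 TCP
""".splitlines()

def suspicious_connections(lines):
    """Flag any line touching the known backdoor port, plus allowed outbound
    connections to ports outside the egress allow-list. Returns (src, dst, dport)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that do not fit the constructed format
        dport = int(m["dport"])
        allowed_out = m["action"] == "ALLOW" and m["dir"] == "OUT"
        if dport == QAZ_BACKDOOR_PORT or (allowed_out and dport not in ALLOWED_EGRESS_PORTS):
            hits.append((m["src"], m["dst"], dport))
    return hits

if __name__ == "__main__":
    for f in (INBOUND_TO_BACKDOOR, REVERSE_FROM_BACKDOOR, NORMAL_WEB):
        print(f, compare_policies(f))
    print(suspicious_connections(SAMPLE_LOG))
```

Note that NORMAL_WEB passes both policies: an outbound connection on an allowed port looks identical to legitimate traffic at the packet-filter layer, which is the thread's point that the filter is only one part of a security plan.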
that you MUST keep the secret, right? So when Microsoft carelessly allowed spies to copy their secrets, they lost the trade secret protection, didn't they? The spies have broken the law, and should be punished, but if they publish the "secrets", it's none of my doing that that's not a secret any more. There may be a copyright to keep me from cutting and pasting, but other than that, it seems that I should be in the clear.
In a nutshell(TM), I thought that once a trade secret slipped out, it was no longer protected by law. Can someone who IS a lawyer comment on this? Is it true that it doesn't matter HOW a trade secret is divulged?
See what I've been reading.