Slashdot Mirror


The Impact on Open Source of Stolen Microsoft Code

Cabal writes: "I recently came across this article on Linux Journal. It discusses some of the more interesting legal ramifications of the theft of Microsoft's source code that I hadn't even thought of and its effect on open-source projects. Basically, it's saying don't go near any code claiming to be stolen from MS, and with good reason, including quotations from the Samba project. Check it out, it's a good read."

16 of 388 comments

  1. stolen items include by joe user jr · · Score: 5

    1. Bill Gates' credit card details
    2. Source code for Bob
    3. Cheat list for Solitaire
    4. Online application form for donations from the Bill and Melinda foundation
    5. Wish list for enhancements to MS-DOS 3.3
    6. Complete set of MP3s of Steve Ballmer rocking out
    7. Original code for Linux
    8. Discarded Office Assistants including Penfield the crazy Judge and Linus the toad
    9. Contents of Bill's desktop trash folders for the last five years
    10. Contact details for Bill's personal stylist

    ... if The Register is to be believed...

    --
    .sigs: Just Say No!
  2. Microsoft failed to take proper care by jetson123 · · Score: 4
    This whole incident looks almost like a publicity and PR stunt. Microsoft seems to have succeeded at two things.
    • First, they have created the impression that Windows source code actually has significant commercial value. That's, of course, nonsense. The only reason Windows source code is valuable is because of Microsoft's market position and commitment to enhancing it, not because there is anything intrinsically clever about it.

    • Second, Microsoft seem to have gotten people to believe that being infected by an E-mail virus is kind of like being the victim of a robbery at gunpoint--something they can't do anything about. That's, of course, nonsense, too. It would have been very easy for them to protect themselves from this kind of threat. Susceptibility to this kind of threat is a defect in Microsoft products (other products and systems have defects, too, but the issue is who Microsoft blames for their defects, not the existence of defects in other products).

    Microsoft has to take reasonable care in protecting valuable trade secrets. It is clear that they haven't. Even if they believe that their E-mail client has sufficient security, if they believe their source code is as valuable as it is, it should reside on a more protected part of the network. Microsoft is merely trying to avoid responsibility for their product defects and for their poor security policies.

    It is an outrage that the taxpayer now even has to foot the bill for trying to track down people who took advantage of security defects in Microsoft products. That would be like GM selling cars with no locks and then claiming it's the taxpayer's responsibility to find all the stolen cars.

    It is still good advice for open source projects to stay away from any Microsoft source, legally or illegally obtained. But don't get suckered into believing that Microsoft has any ethical claims: they were negligent. And, objectively, they ought not to have any hope of legal success either--they should fix their products instead and stop shifting the cost of their defective products onto law enforcement and, ultimately, the taxpayer. As long as they can get away with shifting cost and responsibility onto others, they will have no economic incentives to fix their software or procedures.

  3. Re:An interesting reversal of fortunes. by Wellspring · · Score: 5

    To be honest, I had this smug feeling about the whole deal until I read the article. This is really an unfortunate situation. More importantly, it touches all of us, since anyone who tries to reverse engineer an API from MS is going to get painted with the haxor brush. The MS code isn't even that good. I only hope that they don't use this as an excuse to begin a litigious assault on the Open Source movement. Sustained lawsuits attacking key applications will slow development, and could influence virtually everything we do.

    One thing this means for us is this: concentrate in your source trees, now more than ever, on modularity. Any time a chunk of code becomes suspect, we should be able to isolate and replace it until the dispute is resolved.

    On another note, it would probably be a good idea for people in the Open Source community to alert the FBI to anything we might hear about who may be responsible for this. While I don't like MS, the courts will punish them for their monopoly, and the marketplace will punish them for their closed source methodology. To not assist wherever appropriate will leave us open to accusations that our community is filled with criminals and warez d00dz.

    Besides, the sooner this is put to rest, the sooner we can dispel the myth that MS source code is actually valuable in the first place...

  4. OK to look at code -- MS has screwed itself by ahaile · · Score: 5
    It's been interesting to watch MS change the story about the hack. Every day, it becomes less severe:
    • first, it lasted three months, and there was talk that not only was source downloaded, but it might have been modified
    • then, it was for six weeks, and MS was sure that no source was modified
    • now, it was only one week, and source was only "viewed", not downloaded, and to a minor "future product" at that.

    What's going on? Well, it seems like MS's PR department has been working hard to downplay the attack. Notice how the informant shifts over time from an unnamed "Microsoft engineer" to Ballmer to MS's "corporate security officer." I assume that what happened went like this: 1) a mid-level MS engineer leaked the real story to the press, 2) PR (Ballmer) stepped in for damage control, and finally 3) PR propped up a puppet with a written script to try and kill the issue.

    The thing is, the strategy may backfire on MS. Now, they can't claim that open source developers are pirating their code. They've already gone on record saying no MS code exists in the wild. Which means that if you happen upon the source to Office, you are free to look at it, since MS has already declared that that code does not exist.

    Heh.

  5. An interesting reversal of fortunes. by electricmonk · · Score: 4

    It is hard to imagine that something that could look so good on the surface (Microsoft getting totally 0wned) could be so bad for the Free Software Movement. Now potentially any open source project that has anything to do with Microsoft interoperability is open to a law suit. At the very least, it will make accepting contributed code into the CVS tree more difficult.

    It has been said that one of the fundamental damages that security breaches cause is not only the loss of data, but the loss of the integrity of data. It is unfortunate that this loss of integrity has to spread to other victims that have basically nothing to do with Microsoft.

    --
    Friends don't let friends use multiple inheritance.
  6. Re:What If The Tables Are Turned? by Trepalium · · Score: 5
    This is almost certainly already the case. It's just a matter of what and where. Bug fixes and exploits on the BSD TCP/IP stack revealed that NT essentially used BSD's TCP/IP logic (if not the code). But I haven't seen many dialogs in Windows saying "portions of this product are owned by the Regents of UC Berkeley".
    How about this. The following text appears in the program code for Windows 9x FTP.EXE:

    @(#) Copyright (c) 1983 The Regents of the University of California.
    All rights reserved.

    There's no way to generate this string from running the executable itself, it's only viewable in a hexeditor.

    --
    I used up all my sick days, so I'm calling in dead.
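    The comment above says the BSD copyright notice is only visible in a hex editor. The following is an added example, not code from the commenter or from any Microsoft or BSD source: a minimal strings(1)-style scanner that pulls printable ASCII runs out of a byte buffer and filters them down to lines that read like a licence notice, which is how a provenance audit of a binary would surface such text. The byte buffer is a constructed stand-in for a slice of an executable, not the real FTP.EXE.

```python
import re

# Constructed stand-in for a slice of an executable's data section: binary header
# bytes around the two text lines quoted in the comment. This is not the real FTP.EXE.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"@(#) Copyright (c) 1983 The Regents of the University of California.\x00"
    b"\x01\x02\x03"
    b"All rights reserved.\x00"
    b"\x00\xde\xad\xbe\xef"
    b"short\x00"
)


def extract_strings(data, min_len=8):
    """Return (offset, text) for every run of at least min_len printable ASCII
    bytes, which is what the Unix strings(1) tool reports."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


# Words that mark a string as a likely copyright or licence notice (assumed list).
NOTICE_WORDS = ("copyright", "regents", "all rights reserved", "license")


def find_license_notices(data, min_len=8):
    """Keep only the extracted strings that read like a copyright or licence notice."""
    return [
        (off, text)
        for off, text in extract_strings(data, min_len)
        if any(word in text.lower() for word in NOTICE_WORDS)
    ]


if __name__ == "__main__":
    # Offsets are printed in hex so they can be checked against a hex editor view.
    for off, text in find_license_notices(SAMPLE_BINARY):
        print(f"0x{off:06x}: {text}")
```

    To audit a real file, read it with `open(path, "rb").read()` and pass the bytes to `find_license_notices`; the minimum length keeps the output free of two- and three-character noise such as the "MZ" header.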
  7. Re:trade secrets mean... by Andrew Cady · · Score: 5
    So when Microsoft carelessly allowed spies to copy their secrets, they lost the trade secret protection, didn't they?
    From the Trademark FAQ, whose authors (unlike me) actually are lawyers:
    A trade secret owner can prevent the following groups of people from copying, using and benefiting from its trade secrets or disclosing them to others without permission:

    [...]

    • people who knowingly obtain trade secrets from people who have no right to disclose them
    • people who learn about a trade secret by accident or mistake, but had reason to know that the information was a protected trade secret,
    [...]

    There is one group of people that cannot be stopped from using information protected under trade secret law. These are people who discover the secret independently, that is, without using illegal means or violating agreements or state laws. [...]

    The question becomes, does an individual who stumbles upon MSFT code have reason to know the information is protected trade secret? In most cases, probably. But then, an anonymous contribution in the form of a diff emailed to the SAMBA project is fair game -- without having seen the MSFT code themselves, SAMBA has no reason to believe it's a trade secret, and thus does not fall under the restrictions of trade secret law. Of course, it may also be protected by copyright, in which case (AFAIK) ignorance is not a valid defense.

    __
  8. Plan by wass · · Score: 5
    I was just reading about this article on LinuxToday , so this scenario of paranoia isn't one I've crafted myself, but it presents some interesting ideas. A few people posted some comments there suggesting that perhaps MSFT itself either stole their own code, or maybe hired someone to steal it for them.

    Sounds strange? Think about the following reasons. We've seen many times previously that MSFT avoids admitting their own mistakes for as long as they possibly can. It takes them awhile to warn the public about known bugs or exploits in their various software products. Yet, in this case of the stolen source, they were seemingly very willing to let the press know about the break-in and apparent theft of the source code.

    Now that it is public knowledge that some MSFT source code has been stolen, imagine what it does for free/open-source development. Because of this, the FSF and other maintainers of free/OSS software now have to take extra measures to ensure that the code is free of any potential influence of the supposed 'stolen code'. This takes time, effort, and will generally serve to slow down the development of open-source software projects. A big 'plus' for MSFT.

    Also, suppose someone posts snippets of the 'Forbidden Source' to various newsgroups, like the public postings of DeCSS and MSFT's kerberos additions to slashdot. Or, say, someone emails some of this code to the kernel mailing list directly. Now, nearly the entire team of linux developers, among other projects, has seen the 'forbidden source'. IANAL, but MSFT could possibly use the fact that they saw the 'forbidden source' as justification that they're now privy to MSFT's proprietary software models. They may use this fact to either sue future developers, or inhibit future development of such projects. Both of these things are bad for OSS/free software, and are good for MSFT.

    This may sound like some grand paranoid conspiracy theory and doomsday scenario, but as someone posted to LinuxToday, "Just because you're paranoid doesn't mean they're NOT out to get you."

    --

    make world, not war

  9. How would QAZ work by austad · · Score: 5

    I haven't looked at how QAZ works, but wouldn't it get installed and then listen on some port?

    Doesn't Microsoft keep all of their users behind a firewall? If so, QAZ would just be opening a port on the user's computer behind the firewall, no one should be able to get in and actually connect to it, there would have to be a hole poked in the firewall for that to happen.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
    1. Re:How would QAZ work by Fred Ferrigno · · Score: 4

      I believe what happened was that the trojan was pre-programmed to scamper about looking for passwords, then emailed them to an account somewhere. Then the attackers could have used the passwords to log in in the same manner as regular employees for whom there was a hole in the firewall.

      Frankly, I'll be surprised if they got anything more sensitive than a newer build of Whistler.


  10. Enough inane conspiracy theories, already! by OnanTheBarbarian · · Score: 5

    I think that a lot of Slashdotters went off their meds simultaneously, today. There's no other possible way to explain the weird paranoia that crops up every time this source code theft is mentioned.

    Conspiracy theory #1 - Microsoft faked it

    Come on. Microsoft does not possess an oracle that tells them things like "if you fake being hacked, your stock will stay high, people will not abandon your products (quite the possibility at the server end), and you'll get lots of clout in drafting new anti-hax0r legislation". And if you don't have that kind of oracle, you're not going to go out and pretend that you got hacked so that you can score some political points against the free software movement.

    They stand to lose far more business from 10% of their potential server market shifting to Sun/IBM/whoever (or deciding to stay with Sun) than they stand to gain from slightly helping the cause of some vague, unenforceable laws directed at reverse engineering.

    Yes, Microsoft will try to get as much advantage as they can from this. That's no surprise.

    Conspiracy theory #2 - Free software people did it

    If free software types (or supporters of same) were behind it, don't you think that someone would have seen the sources on freenet or some random ftp site by now? Or at least heard a couple of well-substantiated stories to that effect? ("I saw a huge tarball called microsoft-sources.tar.Z on ftp://....").

    Far more likely, it's either some script kiddiez, who probably didn't even get it together to the point where they could get the source in any useful form, or some low-level industrial espionage people who are discreetly shopping around their product to various shady firms.

    Incidentally, if it's the latter case, I wouldn't anticipate seeing the source showing up anywhere for free; why would the people who stole the source for profit give it away for free?

  11. Why you'll never see their source in the wild... by weave · · Score: 4
    Forget it folks. If this was your typical leet h4k0r attack, they wouldn't be able to resist announcing it to the world or sneaking their little "greets and shouts" lines into their source code.

    No, it sounds like these puppies were real pros. If I was running a master criminal organization, stealing source to Microsoft code would be the best way to evaluate weaknesses in their code and use that quietly to hack into the world's biggest companies and banks undetected and run off with billions. Or how about hacking into foreign government intranets to get their secrets? Remember that this code has not received a critical eye looking at it with the intent to covertly break into it.

    There are real risks to the world going to 100% Microsoft solutions. It's like royal families inbreeding in medieval times. It ain't good and it's getting worse.

    Just think, your entire company may be Microsoft on the desktop, but at least the back ends are still something else. But soon no more. To leverage those nifty Active Directory benefits you need to move your DNS, LDAP, and Kerberos services to Windows 2000. Then you'll start to see the real benefits of moving that web server to IIS and e-mail to Exchange 2000.

    The real thing to fear here is what's going to happen behind closed doors outside of Redmond...

    I just don't understand the logic in trusting corporate and often national security interests running software you are unable to audit written by a private company whose only concern is maximizing their revenue and market share.

  12. M$ could just call "Foul" on everything... by devphil · · Score: 4


    ...just to be on the "safe" side.

    Consider. Free project GNUFoo comes out which competes with Microsoft Active FUBAR 2000. If it looks popular, M$ can just state that "there's a possibility that our proprietary source code influenced this design," and instantly GNUFoo is dropped like a hot potato.

    Now, there's none of M$'s code in GNUFoo, but the FSF and the GNUFoo programmers now have to prove that, because in the Real World you are presumed guilty until proven innocent, and even then you're still guilty of looking guilty.

    And in the years that it takes to satisfy the courts that GNUFoo is guilty of nothing but competing against The Man, the project will slowly grind to a halt. By the time GNUFoo is cleared of wrongdoing, M$ will have released their next project, and GNUFoo will be useless because it's so outdated.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  13. Who's afraid of Big Bad Bill? by mattbee · · Score: 4

    Obviously MS have an excuse to sue if one person looks, but where's the harm in everybody looking? After all, the Windows programmers have had access to every piece of code ever released under the GNU Public License since 1984! What I'm saying is based on the hypothetical that Windows source is / will be generally available, but then that's what all the don't-look-don't-touch hysteria is based on too.

    On the off chance this is the case, why should one free software programmer fear litigation for implementing something that MS also implemented? What's to stop the programmer of some major open source software taking the opportunity to scrutinise Windows for appropriated ideas from GPL code? Obviously no free software programmer would be idiot enough to cut and paste Windows code, so if we're arguing on the stealing of `ideas' from code, and code from both sides is available for scrutiny, surely lawsuits could fly both ways?

    I can see why the Samba / Wine people might be more wary than most but MS would have a very hard time grinding all international free software development to a halt just because windows_src.zip turned up on a few FTP sites.

    --
    Matthew @ Bytemark Hosting
  14. Sorry, no. by schon · · Score: 5
    a firewall should have prevented the attacker from exploiting the open port

    Who said anything about an open port?

    I'm sorry, but to a determined hacker, no firewall in the world will be able to stop a properly-written trojan.

    First, you're assuming that the trojan simply opened a telnet port and waited for connections (à la Back Orifice) - a firewall (or more correctly packet filter) would solve this, but there are LOTS of other ways a trojan could have operated.

    Let's look at some of the other ways to get in from the outside (Just off the top of my head):

    • Outbound sessions - have the victim initiate the TCP session. So instead of Attacker->Victim, you have Victim->Attacker. Set the destination port to something that the client may be likely to do (Such as port 80, or perhaps 22 or 25) to enhance the likelihood that any packet filter would allow it.
    • Use UDP to do the transfer - again have the victim initiate the session, and send control packets via the UDP-return mechanism. This is harder to implement than TCP (you have to handle dropped packets and retransmits yourself,) but probably the best way to do it, considering the way that the MS Netmeeting protocol works. (If the victim is allowed to use Netmeeting to anywhere on the 'net, then you can't block unknown UDP packets.)
    • Use another protocol, such as ICMP, or maybe a combination of UDP and ICMP - the victim sends data/ack/heartbeat packets to the attacker, and the attacker sends commands embedded in ICMP destination-unreachable packets (IIRC, this is how the TRINOO trojans work - this is what was used in last year's DDOS attacks.)

    The bottom line is that packet filters aren't the final solution to security - they are certainly a part of any good security plan, but relying solely on them won't protect you from someone who really wants into your network.
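    What the three bullets above have in common, from the defender's side, is that the compromised host opens the connections itself, over whatever protocol and port the packet filter already allows, so the rule set never fires. What a packet filter does leave behind is a log of those allowed sessions, and a heartbeat shows up there as the same inside host reaching the same outside address at a near-constant interval. The following is an added example, not code from the commenter: it parses a constructed egress log (the format and the addresses are invented; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and flags flows whose connection gaps are too regular, regardless of whether they ran over TCP, UDP or ICMP.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log sample (not real traffic). 10.0.0.0/8 hosts are "inside";
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the Internet.
# The log format (timestamp, verdict, protocol, src[:port] -> dst[:port]) is assumed.
SAMPLE_LOG = """\
2000-10-27T09:00:00 ALLOW TCP 10.1.2.3:40001 -> 203.0.113.5:80
2000-10-27T09:00:02 ALLOW TCP 10.1.2.4:40002 -> 198.51.100.7:80
2000-10-27T09:00:05 ALLOW ICMP 10.1.2.5 -> 203.0.113.8
2000-10-27T09:00:06 ALLOW ICMP 10.1.2.5 -> 203.0.113.8
2000-10-27T09:00:10 ALLOW UDP 10.1.2.9:5123 -> 203.0.113.20:9999
2000-10-27T09:01:10 ALLOW UDP 10.1.2.9:5124 -> 203.0.113.20:9999
2000-10-27T09:02:10 ALLOW UDP 10.1.2.9:5125 -> 203.0.113.20:9999
2000-10-27T09:03:10 ALLOW UDP 10.1.2.9:5126 -> 203.0.113.20:9999
2000-10-27T09:05:00 ALLOW TCP 10.1.2.3:40003 -> 203.0.113.5:80
2000-10-27T09:07:41 ALLOW TCP 10.1.2.4:40004 -> 198.51.100.9:443
2000-10-27T09:10:00 ALLOW TCP 10.1.2.3:40005 -> 203.0.113.5:80
2000-10-27T09:12:00 ALLOW ICMP 10.1.2.5 -> 203.0.113.8
2000-10-27T09:15:01 ALLOW TCP 10.1.2.3:40006 -> 203.0.113.5:80
2000-10-27T09:20:00 ALLOW TCP 10.1.2.3:40007 -> 203.0.113.5:80
2000-10-27T09:33:12 ALLOW TCP 10.1.2.4:40008 -> 198.51.100.7:80
2000-10-27T09:40:00 ALLOW ICMP 10.1.2.5 -> 203.0.113.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_log(text):
    """Yield (timestamp, proto, src, dst, dport) for each well-formed line.
    ICMP lines carry no ports, so dport is None for them."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # an unparseable line is skipped, not fatal
        yield (
            datetime.fromisoformat(m["ts"]),
            m["proto"],
            m["src"],
            m["dst"],
            int(m["dport"]) if m["dport"] else None,
        )


def find_beacons(text, min_events=4, max_cv=0.1):
    """Return flows (src, dst, proto, dport) whose connections recur at a
    near-constant interval: at least min_events connections and a coefficient
    of variation (stdev / mean of the gaps) below max_cv. Ordinary browsing
    has irregular gaps and a spread of destinations, so it stays below the bar."""
    flows = defaultdict(list)
    for ts, proto, src, dst, dport in parse_log(text):
        flows[(src, dst, proto, dport)].append(ts)
    hits = []
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        if pstdev(gaps) / avg < max_cv:
            hits.append({"flow": key, "events": len(times), "interval_s": round(avg, 1)})
    return sorted(hits, key=lambda h: h["flow"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        src, dst, proto, dport = hit["flow"]
        print(f"{src} -> {dst} {proto}/{dport}: {hit['events']} connections every ~{hit['interval_s']}s")
```

    On the sample, the host talking to 203.0.113.5:80 every five minutes and the one sending UDP to 203.0.113.20 every minute are reported; the second host's scattered web visits and the ICMP traffic with gaps of 1, 714 and 1680 seconds are not. The thresholds are starting points: a real deployment tunes `min_events` and `max_cv` against its own baseline, and treats a hit as a lead to investigate, since legitimate software also polls on timers.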
  15. trade secrets mean... by nels_tomlinson · · Score: 5

    that you MUST keep the secret, right? So when Microsoft carelessly allowed spies to copy their secrets, they lost the trade secret protection, didn't they? The spies have broken the law, and should be punished, but if they publish the "secrets", it's none of my doing that that's not a secret any more. There may be a copyright to keep me from cutting and pasting, but other than that, it seems that I should be in the clear.

    In a nutshell,(TM) I thought that once a trade secret slipped out, it was no longer protected by law. Can someone who IS a lawyer comment on this? Is it true that it doesn't matter HOW a trade secret is divulged?