Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Impact on Open Source of Stolen Microsoft Code

Posted by ryuzaki0 on from the heck-caveat-*everybody*! dept.

Cabal writes: "I recently came across this article on Linux Journal. It discusses some of the more interesting legal ramifications of the theft of Microsoft's source code that I hadn't even thought of and it's effect on open-source projects. Basically, it's saying don't go near any code claiming to be stolen from MS, and with good reason, including quotations from the Samba project. Check it out, it's a good read."

10 of 388 comments (clear)

  1. stolen items include by joe+user+jr · · Score: 5

    1. Bill Gates' credit card details
    2. Source code for Bob
    3. Cheat list for Solitaire
    4. Online application form for donations from the Bill and Melinda foundation
    5. Wish list for enhancements to MS-DOS 3.3
    6. Complete set of MP3s of Steve Ballmer rocking out
    7. Original code for Linux
    8. Discarded Office Assistants including Penfield the crazy Judge and Linus the toad
    9. Contents of Bill's desktop trash folders for the last five years
    10. Contact details for Bill's personal stylist

    ... if the register is to be believed..

    --
    .sigs: Just Say No!
  2. Re:An interesting reversal of fortunes. by Wellspring · · Score: 5

    To be honest, I had this smug feeling about the whole deal until I read the article. This is really an unfortunate situation. More importantly, it touches all of us, since anyone who tries to reverse engineer an API from MS is going to get painted with the haxor brush. The MS code isn't even that good. I only hope that they don't use this as an excuse to begin a litigious assault on the Open Source movement. Sustained lawsuits attacking key applications will slow development, and could influence virtually everything we do.

    One thing this means for us is this: concentrate in your source trees, now more than ever, on modularity. Any time a chunk of code becomes suspect, we should be able to isolate and replace it until the dispute is resolved.

    On another note, it would probably be a good idea for people in the Open Source community to alert the FBI to anything we might hear about who may be responsible for this. While I don't like MS, the courts will punish them for their monopoly, and the marketplace will punish them for their close source methodology. To not assist whereever appropriate will leave us open to accusations that our community is filled with criminals and warez d00dz.

    Besides, the sooner this is put to rest, the sooner we can dispel the myth that MS source code is actually valuable in the first place...

  3. OK to look at code -- MS has screwed itself by ahaile · · Score: 5
    It's been interesting to watch MS change the story about the hack. Every day, it becomes less severe:
    • first, it lasted three months, and there was talk that not only was source downloaded, but it might have been modified
    • then, it was for six weeks, and MS was sure that no source was modified
    • now, it was only one week, and source was only "viewed", not downloaded, and to a minor "future product" at that.

    What's going on? Well, it seems like MS's PR department has been working hard to downplay the attack. Notice how the informant shifts over time from an unnamed "Microsoft engineer" to Balmer to MS's "corporate security officer." I assume that what happened went like this: 1) a mid-level MS engineer leaked the real story to the press, 2) PR (Balmer) steped in for damage control, and finally 3) PR propped up a puppet with a written script to try and kill the issue.

    The thing is, the strategy may backfire on MS. Now, they can't claim that open source developers are pirating their code. They've already gone on record saying no MS code exists in the wild. Which means that if you happen upon the source to Office, you are free to look at it, since MS has already declared that that code does not exist.

    Heh.

  4. Re:What If The Tables Are Turned? by Trepalium · · Score: 5
    This is almost certainly already the case. It's just a matter of what and where. Bug fixes and exploits on the BSD TCP/IP stack revealed that NT essentially used BSD's TCP/IP logic (if not the code). But I haven't seen many dialogs in Windows saying "portions of this product are owned by the Regents of UC Berkeley".
    How about this. The following text appears in the program code for Windows 9x FTP.EXE:

    @(#) Copyright (c) 1983 The Regents of the University of California.
    All rights reserved.

    There's no way to generate this string from running the executable itself, it's only viewable in a hexeditor.

    --
    I used up all my sick days, so I'm calling in dead.
  5. Re:trade secrets mean... by Andrew+Cady · · Score: 5
    So when Microsoft carelessly allowed spies to copy their secrets, they lost the trade secret protection, didn't they?
    From the Trademark FAQ, whose authors (unlike me) actually are lawyers:
    A trade secret owner can prevent the following groups of people from copying, using and benefiting from its trade secrets or disclosing them to others without permission:

    [...]

    • people who knowingly obtain trade secrets from people who have no right to disclose them
    • people who learn about a trade secret by accident or mistake, but had reason to know that the information was a protected trade secret,
    [...]

    There is one group of people that cannot be stopped from using information protected under trade secret law. These are people who discover the secret independently, that is, without using illegal means or violating agreements or state laws. [...]

    The question becomes, does an individual who stumbles upon MSFT code have reason to know the information is protected trade secret? In most cases, probably. But then, an anonymous contribution in the form of a diff emailed to the SAMBA project is fair game -- without having seen the MSFT code themselves, SAMBA has no reason to believe it's a trade secret, and thus does not fall under the restrictions of trade secret law. Of course, it may also be protected by copyright, in which case (AFAIK) ignorance is not a valid defense.

    __
  6. Plan by wass · · Score: 5
    I was just reading about this article on LinuxToday , so this scenario of paranoia isn't one I've crafted myself, but it presents some interesting ideas. A few people posted some comments there suggesting that perhaps MSFT itself either stole their own code, or maybe hired someone to steal it for them.

    Sounds strange? Think about the following reasons. We've seen many times previously that MSFT avoids admitting their own mistakes for as long as they possibly can. It takes them awhile to warn the public about known bugs or exploits in their various software products. Yet, in this case of the stolen source, they were seemingly very willing to let the press know about the break-in and apparent theft of the source code.

    Now that it is public knowledge that some MSFT source code has been stolen, imagine what it does for free/open-source development. Because of this, the FSF and other maintainers of free/OSS software now have to take extra measures to ensure that the code is free of any potential influence of the supposed 'stolen code'. This takes time, effort, and will generally serve to slow-down the development open-source software projects. A big 'plus' for MSFT.

    Also, suppose someone posts snippets of the 'Forbidden Source' to various newsgroups, like the public postings of DeCSS and MSFT's kerberos additions to slashdot. Or, say, someone emails some of this code to the kernel mailing list directly. Now, nearly the entire team of linux developers, among other projects, has seen the 'forbidden source'. IANAL, but MSFT could possibly use the fact that they saw the 'forbidden source' as justifications that now they're now privy to MSFT's proprietary software models. They may use this fact to either sue future developers, or inhibit future development of such projects. Both of these things are bad for OSS/free software, and are good for MSFT.

    This may sound like some grand paranoid conspiracy theory and doomsday scenario, but as someone posted to LinuxToday, "Just because you're paranoid doesn't mean they're NOT out to get you."

    --

    make world, not war

  7. How would QAZ work by austad · · Score: 5

    I haven't looked at how QAZ works, but wouldn't it get installed and then listen on some port?

    Doesn't microsoft keep all of their users behind a firewall? If so, QAZ would just be opening a port on the users computer behind the firewall, no one should be able to get in and actually connect to it, there would have to be a hole poked in the firewall for that to happen.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  8. Enough inane conspiracy theories, already! by OnanTheBarbarian · · Score: 5

    I think that a lot of Slashdotters went off their meds simultaneously, today. There's no other possible way to explain the weird paranoia that crops up every time this source code theft is mentioned.

    Conspiracy theory #1 - Microsoft faked it

    Come on. Microsoft does not possess an oracle that tells them things like "if you fake being hacked, your stock will stay high, people will not abandon your products (quite the possibility at the server end), and you'll get lots of clout in drafting new anti-hax0r legislation". And if you don't have that kind of oracle, you're not going to go out and pretend that you got hacked so that you can score some political points against the free software movement.

    They stand to lose far more business from 10% of their potential server market shifting to Sun/IBM/whoever (or deciding to stay with Sun) than they stand to gain from slightly helping the cause of some vague, unenforcable laws directed at reverse engineering.

    Yes, Microsoft will try to get as much advantage as they can from this. That's no suprise.

    Conspiracy theory #2 - Free software people did it

    If free software types (or supporters of same) were behind it, don't you think that someone would have seen the sources on freenet or some random ftp site by now? Or at least heard a couple of well-substantiated stories to that effect? ("I saw a huge tarball called microsoft-sources.tar.Z on ftp://....").

    Far more likely, it's either some script kiddiez, who probably didn't even get it together to the point where they could get the source in any useful form, or some low-level industrial espionage people who are discreetly shopping around their product to various shady firms.

    Incidentally, if it's the latter case, I wouldn't anticipate seeing the source showing up anywhere for free; why would the people who stole the source for profit give it away for free?

  9. Sorry, no. by schon · · Score: 5
    a firewall should have prevented the attacker from exploiting the open port

    Who said anything about an open port?

    I'm sorry, but to a determined hacker, no firewall in the world will be able to stop a properly-written trojan.

    First, you're assuming that the trojan simply opened a telnet port and waited for connections (al-la backorifice) - a firewall (or more correctly packet filter) would solve this, but there are LOTS of other ways a trojan could have operated.

    Let's look at some of the other ways to get in from the outside (Just off the top of my head):

    • Outbound sessions - have the victim initiate the TCP session. So instead of Attacker->Victim, you have Victim->Attacker. Set the destination port to something that the client may be likely to do (Such as port 80, or perhaps 22 or 25) to enhance the likelyhood that any packet filter would allow it.
    • Use UDP to do the transfer - again have the victim initiate the session, and send control packets via the UDP-return mechanism. This is harder to implement than TCP (you have to handle dropped packets and retransmits yourself,) but probably the best way to do it, considering the way that the MS Netmeeting protocol works. (If the victim is allowed to use Netmeeting to anywhere on the 'net, then you can't block unknown UDP packets.
    • Use another protocol, such as ICMP, or maybe a combination of UDP and ICMP - the victim sends data/ack/heartbeat packets to to the attacker, and the attacker sends commands embedded in ICMP destination-unreachable packets (IIRC, this is how the TRINOO trojans work - this is what was used in last year's DDOS attacks.)

    The bottom line is that packet filters aren't the final solution to security - they are certainly a part of any good security plan, but relying solely on them won't protect you from someone who really wants into your network.
  10. trade secrets mean... by nels_tomlinson · · Score: 5

    that you MUST keep the secret, right? So when Microsoft carelessly allowed spies to copy their secrets, they lost the trade secret protection, didn't they? The spies have broken the law, and should be punished, but if they publish the "secrets", it's none of my doing that that's not a secret any more. There may be a copyright to keep me from cutting and pasting, but other than that, it seems that I should be in the clear.

    In a nutshell,(TM) I thought that once a trade secret slipped out, it was no longer protected by law. Can someone who IS a lawyer comment on this? Is it true that it doesn't matter HOW a trade secret is divulged?

    --
    See what I've been reading.