Slashdot Mirror


Different View Of MS Code Theft

LowneWulf writes: "I found this to be an interesting perspective of the previously-mentioned M$ hack, from this article from MSNBC. State of the art security? Companies held for ransom from stolen code? Notorious multi-million dollar thieves out of Russia? Anyone heard about these? How about how someone who had the ability to create accounts on the network, if the incident only did last a week as the article implied, could only perhaps have a 'brief glimpse of the source code.' I don't know about you, but even on a 2400 baud modem, I think I could probably download more than a glimpse." Among other things, this story hints that MS may have been compromised through an employee's home computer, and quotes Howard Schmidt, Microsoft's corporate security officer, as having ruled out a connection between the recent breaches from ones in September.

269 comments

  1. Re:At this rate... by grarg · · Score: 1

    and you don't think MS have a safe copy of their latest binary/source kept somewhere off the network? they're not THAT stupid...if the worst came to the worst, whatever project they'd been working on would be set back by a few weeks, nothing more.

    --
    The conclusion of your syllogism, I said lightly, is fallacious, being based on licensed premises
  2. Bollocks until proven by chazR · · Score: 5
    I have followed this whole story in a desultory way. Now, I think it's time for some journalism. Only I'm too lazy to do it. But, if I were a journalist these would be my questions:

    Where did the initial allegation (MS hacked) come from?

    Is there more than one verifiable source?

    What made MS admit to the crack? (They didn't have to - they could have denied it)

    The QAZ/Russia stuff? Who is the source? I haven't seen the MS logfiles. How do we know it waz a trojan posting "some data" to Russia?

    Which journalist/journal is prepared to stand up and say "This happened - I believe it - here is my evidence."?



    Question: Why would *anyone* want to steal MS source code. They are happy to *sell* access for a small fee (100k+ last time I asked - which is chump change)

    Who could benefit from a source release? (Answer - any *professional* cracker who wants to crack MS run boxes). I'll leave you to work out the consequences of that. But *my* NT/2000 net-facing boxes are running home to Solaris/HP-UX/AIX/OS-400

    And, finally: MS admitted it. So, there must be evidence that it happened. Where the fuck is this evidence?

    Pissed posting pisses people off. Perhaps people posting pissed should perceive the pseudo-plenipontentiary powers of the powerful people who perform peer-review. Or not.

    1. Re:Bollocks until proven by WowMan · · Score: 1

      As large and delectable a target as Micro$oft IS, I wonder why it's taken this long for an Internal Penetration to happen? Maybe these things have been happening all along, only now Micro$oft has decided to go public! If this is the case, why would Micro$oft choose this particular moment in time to acknowledge what for them may amount to a routine penetration? Speculative Esoteric Musings??

      Micro$oft stands to offer the US Justice Department substantial public support for Draconian Internet Regulations against these "Wiley Haquers" - a "favor" to the US Justice Department of enormous proportions in their world wide effort to regulate the Internet. It certainly would not hurt Micro$oft's AntiTrust position were they to be instrumental in the course of events leading up to expanded US Law Enforcement Control of the Internet. A Quid-Pro-Quo with the US Justice Department of this size might even earn Micro$oft the proverbial "slap on the wrist" resolution to the AntiTrust case!

      --
      oh....my!
  3. Re:Source Code Obsession. by WheelDweller · · Score: 1

    Actually, it does matter- a great deal! What happens when evidence of Microsoft's theft of Spyglass (and a host of others) makes it out?
    LAWSUITS!
    It couldn't happen to nicer people.

    --
    --- For a good time mail uce@ftc.gov
  4. Re:At this rate... by Gothmolly · · Score: 1

    WHAT product deadlines? ;-)

    --
    I want to delete my account but Slashdot doesn't allow it.
  5. Re:racism? doubt it... wrong! by kupolu · · Score: 1
    That's pretty sick. Considering most of your sources are from before 1960 when the Black Rights movement was still coming around, of course Blacks wouldn't have had as good of an education as Whites. They were totally prejudiced against! They got shit everything, and were never expected or encouraged to think for themselves.

    I've noticed racism is spawned by ignorance, and if you really think about it, it's plain dumb. They're humans, the difference is *skin color*. Let's be prejudiced against people with brown eyes and black hair while we're at it... Oh wait, Hitler was. Prejudice is so sick.

    --
    -- We should kill all the intolerant people in the world.
  6. Re:Obviously the security advisor by HiThere · · Score: 1

    OTOH, we don't need to worry about them stealing the source.

    Still ...
    This is a point worth contemplating, and a valid one. I don't yet know how to be certain that my system has been secured. (Well, I use a dial-up connection, and I've been installing several distributions from scratch .. so I doubt that I'm currently cracked. But it would be nice if it were easier to tell.)


    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  7. It's OK, they didn't steal the source code by JoelFeinstein · · Score: 1

    As every media organisation has been at pains to point out ad nauseam, they only stole the BLUEPRINTS. Which, of course, is much less serious. Makes you wonder why the media don't trust the intelligence of the audience enough to say the words 'source code'. Maybe they're right.

  8. Re:racism? doubt it... wrong! by kupolu · · Score: 1

    Don't let him get to you, that's what he wants.

    --
    -- We should kill all the intolerant people in the world.
  9. Re:Why do it? by HerrNewton · · Score: 1

    Well it certainly wouldn't fit on a shirt....

    --
    Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
  10. Re:Reading Comments Can Be Enlightening by tyronefine · · Score: 1
    There were no such comments in the many thousands of lines of code that I read and wrote at Microsoft while I was there (for five years, several years ago).
    Likely story. Why should I believe you? And even if I did, what are thousands of lines out of millions?

    (and most of my co-workers were not white, American, Christian men).
    I don't doubt that. It is known that Microsoft imports cheap labor from the Indian sub-continent and south-east Asia. This, in itself, is outrageous. No better than Nike using child labor in its sweatshops and paying low wages. The saddest and most enraging part is that Microsoft is hiring foreigners when there are plenty of African-Americans right here at home who can't get work because of discrimination.

    And that's all I gotta say about that.

    --

    I am,
    Fine

  11. Re:Source Code is both singular and plural!!!! by mike260 · · Score: 1

    My favourite was the line about email containing 'a hidden code'

  12. Re:Everything's a virus by grarg · · Score: 1

    actually, in GB/IRL terms, a hack is a journalist, but what's a little semantics among friends? :)

    --
    The conclusion of your syllogism, I said lightly, is fallacious, being based on licensed premises
  13. How much does anyone trust M$NBC? by levendis2 · · Score: 1

    Does anyone really believe that MSNBC is uninfluenced by MS??? I am surprised that this article was even posted...

    I'm a fucking Buddhist. This is enlightenment. - Bjork

  14. If you see this ad, be suspicious... by Michael+Jennings · · Score: 5


    New Operating System!!!

    Winski 2000 by MicroSlav

    Operates just like Windows 2000!

    Only 20 rubles. Put the money and your email address under the trash can on Ivanoff Street.

    1. Re:If you see this ad, be suspicious... by hughk · · Score: 2

      Actually MS Win 2K sells for 60 roubles (about $2) in St. Petersburg. Office costs more because of the extra CDs. Moscow prices at the market are slightly less. It is openly sold and it is quite difficult to find legit versions. None of the clampdowns have been effective and most people stick with pirate distributions. If a top programmer costs about $1000/month, $300 for an OS is a lot of money.

      --
      See my journal, I write things there
  15. Re:IPv4 by h3x0r · · Score: 1

    When Sir Linux Torvaldis invented IPX, he did so with the knowledge that if buffers were improperly evacuated such that Hq(x)=0, you could send a router into an infinite loop. The common workaround, is, as you suggest, to change the aggregate global unicast address to an unsigned integer. SO_LINGER serves a noble purpose (and rightly so!) when it pre-initializes a connection:address lookup table (CALUT) to preset the subnet ID. So you see for your workaround, you have no way of ensuring that the flow control window is sized correctly, thus growing asymptotically. This is the major downfall of TCP/IPX, as per your original post. But what I would recommend instead is that you re-regulate a UDP ARP mechanism such that the piggyback ARQ doesn't not SYN when echo response is requested. In other words, in half duplex-, or full-half-on mode, you don't have such a huge pipe to worry about router loopback syndrome (RLS). In a common token-ring topology, as opposed to a shared-medium ethernet topology, this can get hairy, to use the technical term. This is why it is always necessary to synchronize to a simulation authority for verification. Thus the SMPP local link cannot, by definition, be adjusted thusly. O(log n) can cause performance problems, and thus is why Linux Torlavidis implemented the HTONS/HPOUNDS in such a way as to circumvent this problem, in his NetBUI implementation.
    ---

    --
    GetSystemMetrics(SM_SECURE) == FALSE
  16. Re:Its a Government Conspiracy! by HiThere · · Score: 1

    I really doubt if they let this happen on purpose. I do. Really.
    But I also doubt if they care much. I don't see it doing them any harm. And we can expect them to take every PR opportunity that presents itself.
    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  17. Hacker was just playing the numbers. by BlackSabbath · · Score: 5

    It is interesting to note that the break-in was committed using an "old" trojan (ie anti-virus products were detecting it since July). Why? If you were trying to hack into some pretty big IT firm you would have to assume that they have SOME sort of anti-virus/content vetting software. However, you might also assume that among the thousands of staff, there would have to be some that decide (for whatever reason) that they don't need to be running the company's mandated anti-virus product because of "XYZ" (insert completely lame excuse here, probably related to "This is meant for those DUMB users not ME").

    Knowing this, it is just a matter of playing the numbers and eventually...BINGO! And of course if you spread out your attack over time, the failures would stay below the "Danger Will Robinson!" threshold. (Any sufficiently large and hated IT firm would have to expect a certain number of "incidents" over time - these wouldn't cause any undue alarm unless the density was high enough or there was a detectable pattern). Good ol' human engineering. You just can't protect against it. All you can hope to do is detect it quick enough and run your business such that you don't "have" too much info which if it got out would drive you under (can anyone say open source?)

    What is REALLY interesting is the motive? Why would you do it? To improve WINE/SAMBA/XYZ??? I doubt it. These guys won't be touching any significant new changes with a ten foot pole for a while I bet. The competition? Why? What possible advantage could be worth the risk?

    If it's not just some dude who wanted to be the first to "plant the flag", then my money is on the mob. Why not? Just imagine how many buffer overflow bugs someone like Georgi Guninski (check out NTBugTraq) could discover with a good peek at the code. You could then use the knowledge when/where-ever. Alternatively, instead of using this knowledge themselves they may pass on the source to the "highest bidder" which would probably include the usual suspects (middle eastern "terrorists" etc).

    Just my 5 rubles.

    1. Re:Hacker was just playing the numbers. by hey! · · Score: 2

      Knowing this, it is just a matter of playing the numbers and eventually...BINGO!

      This is a very interesting perspective, if you think it through a bit. It means that perhaps any source of software should, from a security standpoint, be considered potentially compromised.

      This might be an argument for open source -- at least if you are vulnerable you can audit the vulnerability independently. But it is a very disturbing prospect because software is so ubiquitous, and updatable, it seems, all the way down to the CPU microcode. Virtually everybody is working on closed source BIOSes.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  18. Re:I think people might have this backward... by Erasmus+Darwin · · Score: 3
    Instead, what if a good hacker decided to drop a few dozen lines of code in amongst the 10s of millions or so lines in Windows to make it easier for *them* to hack. Why hunt down security holes, when you can code them into the product yourself.

    First the obligatory joke: Isn't that what MS does anyway?

    But, in all seriousness, MS does have internal protections in place. Consider this: When I interned there last summer, there were something on the order of 500 interns there. These were virtually all normal college-aged CS geeks -- and not all of them were die-hard Microsoft drones, either. With that many people, in that demographic, for that short of a time period, I'd be willing to bet that if all the Windows source code was open for the viewing, something would've happened already. On the other hand, what was generally accessible on the corporate network were the websites for each of the various projects -- the sort of stuff that'd be best kept secret from a business standpoint, but would have zero interest to the Slashdot crowd.

    And as a random aside, even the developer kit for the Barney Actimates doll that MS produces is kept secured from general access, for reasons that should be fairly obvious. (Creating a humorous yet vulgar Barney dialog is left as an exercise to the reader.)

  19. m$nbc by llordreefa · · Score: 1

    Oh, good! They've told us everything's under control, situation normal... It's not like we can trust m$nbc to tell the truth about this one.

  20. Re:Multimillion Dollar Russian Hackers? by h3x0r · · Score: 1

    FYI, there are _buildings_ in our country that are twice as old as our _country_.
    ---

    --
    GetSystemMetrics(SM_SECURE) == FALSE
  21. In other news... by mike260 · · Score: 3

    ...Microsoft reports that Oceania has always been at war with Eurasia.

    1. Re:In other news... by Prior+Restraint · · Score: 1
      <joke>
      <paranoid>

      After reading a number of posts, it becomes clear that /. posters are all referencing several contradictory stories. The fluid nature of the Web and the short attention span of the average consumer are conspiring to allow just what you've described.

      </paranoid>
      <rational>

      Man, that's funny!

      </rational>
      </joke>
  22. Obviously the security advisor by bugg · · Score: 4
    Doesn't want it to be linked to an earlier compromise. There would be a lot of egg on his face if the problem was brought to his attention earlier and he didn't fix it.

    The Chief Security Officer is trying to cover his ass. Take what he says with a grain of salt.

    --
    -bugg
    1. Re:Obviously the security advisor by landaker · · Score: 1

      Actually, there was an entire slashdot article about this yesterday: http://slashdot.org/article.pl?sid=00/10/28/1945253&mode=thread

    2. Re:Obviously the security advisor by litheum · · Score: 1

      Actually yeah i did think of that.. they just make up this thing and then try to fuck with open source developers and projects later trying to accuse them of using stolen code or some crap like that. what a deal.... the bastards!

    3. Re:Obviously the security advisor by BlueFunk · · Score: 1

      What if this is a fiendishly clever plot by Bill to destroy the open source community? MS sees open source as a threat, so they allow their system to be "breached" and some OS source code to be "stolen". They then enlist the aid of the FBI to "find" it on any number of PC's, and hey, how come so many of the transgressors are members of the FSF? Pure coincidence!?!? So MS achieve through nefarious means what they can't achieve any other way ... they negate the free software movement. Sounds awfully "conspiracy" I know, but it does bear thinking about....

    4. Re:Obviously the security advisor by Manaz · · Score: 3

      Alternatively, he could actually be correct, and merely stating fact.

      While it *is* possible that he's just covering his ass, just because he works for Microsoft doesn't mean that's his only motivation, or that he's not capable of doing his job.

    5. Re:Obviously the security advisor by bugg · · Score: 2

      I'm not saying that he's lying, I'm not that cynical. But I am saying that we should take all first party diagnostics of the situation with a grain of salt.

      --
      -bugg
    6. Re:Obviously the security advisor by Stephen+Samuel · · Score: 2
      I hope you're not indirectly implying Linux's track record is any better?

      I won't just imply it, I'll say it. Linux's track record is better -- at least in this way:

      MS has a reputation of denying and/or pooh-poohing security bugs. There have been a few cases of hackers going to MS, quietly, with bug reports and being given the runaround about them until they get frustrated enough that they simply report the bug to the press to light a fire under MS's ass.

      I mean: how many people would have been surprised to find that MS would have let their employees get remote access using Win/95 boxes? For many security conscious types, that idea is almost obscene. NT is slightly better, but I wouldn't even THINK of betting my life on it.

      Given that kind of history, I wouldn't be all too surprised to find that there are a few bugs/design errors that Microsoft knows about internally, but "just hasn't had the time to fix" or considered "user enhancements". This probably includes a couple that black-hat hackers have found and not bothered to report to MS or the press.

      This is what (I think) was probably meant by leaving your windows open.

      In the open source community, there's always somebody out there who -- when a security bug is found -- feels some self-interest in closing the problem as soon as possible. This means that the space between reporting a bug, and having it closed by people who care, is as small as possible. If I'm feeling paranoid, I can always go to FreeBSD who apparently claim Zero remote-root exploits in the last 3 years. I don't have that sort of warm and fuzzy feeling with Microsoft.

      'Nuff said.
      `ø,,ø`ø,,ø!

      --
      Free Software: Like love, it grows best when given away.
    7. Re:Obviously the security advisor by georgesr · · Score: 1

      I know what you mean. The probes are out there and they are always active. I'm running a cable connection with a four tier security layer including black ice and surfingard. I pull the logs and check them every evening. After deducting all the legitimate pings and probes (my ISP, IM software, etc) I still wind up with between 40 and 50 probes I can't resolve. If my security software is catching these I can't help but wonder what they might not be catching. I've gotten to the point that I keep all my important files on zip disks and only work on that data with my internet service disconnected. I don't believe that absolute security is possible on any computer that is connected to the web. I only keep those things on my internet machine that I don't care if the world sees.

    8. Re:Obviously the security advisor by Anonymous Coward · · Score: 1

      I find it amazing that anyone is surprised that Microsoft's Windows operating system can be compromised so easily.

      I guess that if you leave your car unlocked and someone steals it, you still go to the police to report the theft. But in this case the media seems to be heeing and hawing that anyone could have broken into Microsoft in the first place. Is anyone really surprised?

      What the media should be explaining to the public about this case is that Microsoft has a long history of insecurity & that Microsoft does as little as possible when security exploits are brought to its attention.

      The entire computing industry knows about Microsoft's insecurity. It's time the American public did as well.

    9. Re:Obviously the security advisor by Karmageddon · · Score: 2
      I hope you're not indirectly implying Linux's track record is any better?

      Why do you hope he's not? Linux track record is better on this score. This security hole is a designed-in flaw in Windows. While all software has the potential to have bugs which cause security risks, the particular problem of launching emailed trojans or viruses is a Windows problem. Unix and Unix MTAs do not launch attachments. The user would be forced to save them to disk and manually make them executable.

    10. Re:Obviously the security advisor by flynt · · Score: 2

      I hope you're not indirectly implying Linux's track record is any better? It is very difficult to make sure there are no holes, especially when you are one of the most targeted corps on the planet. You can take a million precautions, and when someone does one thing stupid, people cry "no security". The good thing is that they found out, think of all the better hacks that are never found out at all...then you should be scared.

    11. Re:Obviously the security advisor by greenrd · · Score: 1

      ... don't yet know how to be certain that my system has been secured.

      Use Tripwire. It doesn't give you certainty but it helps.

  23. Windows is a moving target by rabtech · · Score: 1

    Windows is a moving target. I do buy the line about the hackers being interested in the .NET technologies -- those are the ones that will eventually replace the Win32 API altogether. Windows has been moving forward more than many wish to admit. Since the Terminal Services have been integrated with 2000 (which gives *nix-style terminal features a GUI twist), whistler takes this a step further. When you log off of a Whistler workstation, it gives you the option to save your state. If you choose to do so, Whistler will save all your currently running programs to disk, then allow another user to immediately log on. Next time you log on, all your programs, etc... will still be running.... This is just like "sleep" or "hibernate", only MUCH better :) Of course it will have much faster bootup times, integrated skins support, and much, much more, including a new graphics engine (GDI+). I've posted on that before, and why it makes some interesting changes that will make much more of a difference than (Apple's) Quartz ever will. Every day it seems like Linux moves a little bit further behind windows. I mean, this is 2000 and Linux doesn't even support plug and play or dual monitors! (at least not very well) It doesn't scale on SMP systems very well (due to coarse grained locking), its network/TCPIP stack isn't fully multithreaded (resulting in lower network throughput than equiv. Solaris or 2000 systems), and the desktop UI is still a kludge (Do you see anybody running X on mission-critical Linux systems?) Granted, there are good things about it, but Linux is not some sort of magic spell that, when cast over your computer, will magically make your life better. I expect the Open Source movement to start finally recognizing that the "high ground" they occupied not so long ago has been taken back by Microsoft, and respond in kind with a much better Linux. Of course that will just spur Microsoft on to achieve even greater things, and the process will repeat. Add in niche systems like OS X and BeOS, and you've got a winning combination of market forces and innovation. These are exciting times to live in, indeed. I'm just glad I don't have to choose sides. (God bless whoever invented dual-booting :)
    -----

    --
    Natural != (nontoxic || beneficial)
    1. Re:Windows is a moving target by ddstreet · · Score: 2

      Every day it seems like Linux moves a little bit further behind windows. I mean, this is 2000 and Linux doesn't even support plug and play or dual monitors! (at least not very well)

      Linux does support plug-n-play in 2.4 (beta) which will soon (within months) be a stable release. Dual monitors is completely up to the X server; I think Xfree86 does support dual monitors in 4.0 and I know there are many commercial X servers out there that do support multiple monitors.

      expect the Open Source movement to start finally recognizing that the "high ground" they occupied not so long ago has been taken back by Microsoft, and respond in kind with a much better Linux.

      No, I seriously doubt that. I instead expect the community to continue to produce quality software without interruption, and without regard for anything M$ is doing. The Open Source community does not try to 'keep up with M$'.

      God bless whoever invented dual-booting

      Certainly not Micro$oft.

  24. Is this getting boring? by rekcufrehtom · · Score: 1

    Yes, I think so.

    1. Re:Is this getting boring? by Jelque · · Score: 1

      Yes, until we see actual code.

    2. Re:Is this getting boring? by Stephen+Samuel · · Score: 1

      sleep() calls.
      `ø,,ø`ø,,ø!

      --
      Free Software: Like love, it grows best when given away.
    3. Re:Is this getting boring? by Sapien__ · · Score: 1

      #include <crash.h>

      /* Windows 95/98/Me startup code */

      /* Make program look bigger */
      char lots_of_random_junk[8761765];

      int main() {
      crash();
      }

    4. Re:Is this getting boring? by Mr+Z · · Score: 1

      You obviously don't know what you're talking about. You need a couple more layers of indirection, and a bunch of Hungarian Notation thrown in for good measure.

      (Tongue firmly planted in cheek.)

      --Joe
      --
      Program Intellivision!
  25. Re:If Windows is so bad ... by Tuzanor · · Score: 1

    WINE. if i can play half-life under linux with decent stability and full openGL support then I'll be happy. if the source code was released this would be of immense help to wine. sure, they wouldn't HAVE to copy the code, but they could look at it and say "oh, that's how it works" and then write WINE accordingly...

  26. is this all that important? by jaycee · · Score: 1

    I wonder how much important information microsoft actually allows to be seen in an environment where individuals with the passion can find it.

    1. Re:is this all that important? by phossie · · Score: 1
      from the article:
      Microsoft's source codes are the most coveted in the multibillion-dollar industry. With access to them, competitors could write programs and challenge Microsoft's products. Hackers also could use the codes to identify software flaws, making break-ins and virus-writing easier.

      no OSS trolling necessary in this article. none at all. this is a horrible incident and microsoft deserves sympathy for its hardship.

      --

      [|]
  27. THE WHO WHAT AND WHY by TrenchWarrior · · Score: 1

    The who is obviously from Russia... After programming for 29 years I can tell you that MS doesn't have any source code that I'd be interested in... What innovated new product (or code) have they produced (notice I said produced instead of developed) that hasn't been done before by someone else??? This is just cracker job.. What "the competition steal this"... what competition? Who'd want it??? Why'd MS report this anyways... I can not see anything but bad PR coming to MS for reporting this... or they are in cahoots with the govt to get additional snooping laws passed.

  28. Re:Source Code Obsession. by llywrch · · Score: 2

    > Why is everybody so obsessed with source code, Microsoft's or anybody else's? Just what in the heck are you going to *do* with
    > a glimpse of some of the source code to Office or Windows?

    Grab a bunch of old CS textbooks, & do a diff against various parts of the code. And publish the findings. Especially if the textbooks happen to date to the 1960's. (We all know how Microsoft uses modern code -- none of that old crap from the 1970's like UNIX does.)

    I still want to know just how many rat's-nests of spaghetti code are nothing more than thousands of man-hours of patches to fix a mistake caused when some coder forgot to include a line he was copying from a textbook at 4:00am.

    Bet there's more than a few.

    Geoff

    --
    I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
  29. Very very dangerous strategy. by vinylat33 · · Score: 1
    The vast majority of Windows users are seriously happy with their system, cause the only thing they do is write emails and surf some sites.
    I have seen people upgrade their system every year just to have the latest system and they still do not use above 1% of their CPU power.

    People react very opposing on changing things, specially when it is about nerds like us taking control of securing systems they do not know shit about.

    The Interview

    interviewer : So what is your age ?
    nerd : 18 years old

    interviewer : Your parents must be proud ?
    nerd : well, my brother more, cause now his Explorer doesn't crash anymore when he visits porn sites.

    interviewer : uuuhh....?

    interviewer looks like director
    director slaps his forehead

    interviewer : I mean, how did you find all these bugs?
    nerd : well, i wrote a nice program on my linux box, which searches for the standard patterns in the code which are basically based,.. uh funny,.. on BASIC.

    interviewer : BASIC ? ,... uuuh... well, congratulations with your prize. People,...the first who found 40000 bugs.
    hilarious applaud from the microsoft tribune

    interviewer : What are you going to do with the prize money?
    nerd : i guess a nice 21 inch monitor doesn't hurt and my own RAID system would also be nice.

    interviewer : very nice, very nice.

    vinylat33
  30. Re:MS Code ... by ckedge · · Score: 1

    > Think about it ... not a rogue OS based off of MS code

    Arrh! Damn it, that's what I really want! A STABLE Windows 98! With integrated skinning capabilities! For nearly free!

    Either that or a version of Windows 2000 that will play all the games. For nearly free.

    I've given them my share of the 100 billion dollars! Where's my fucking software!?!? What's with this shit I'm currently stuck with!!!?

  31. Re:Conspiracy Theory? by Libor+Vanek · · Score: 1

    M$ cannot fight anything what doesn't exist!
    If they (after months and lot of $) succeed to shutdown (for example) www.samba.org site there is no problem to move to another country ;-)

  32. Re:Source Code Obsession.NONSENSE by mesocyclone · · Score: 3
    30 years ago, during my hacker days, a group of us got access to the source code of a pretty secure operating system (GCOS-III pre: GETSS). That source code enabled us to find a number of exploits that one would *never* find without it. We found about 12 ways to get into the equivalent of "root."


    To a hacker or a cracker, source code is worth its weight in gold! You can look for buffer overflows and figure out how to exploit them. You can find hidden API tricks that allow one to gain extra privileges. You can find bugs that defeat security measures. You can find lots of stuff.


    If you thought windows was easy to hack before... well, it just got a lot easier!

    --

    The only good weather is bad weather.

  33. More evidence that Open Source will dominate by gark · · Score: 1
    Hackers also could use the codes to identify software flaws, making break-ins and virus-writing easier. Microsoft has shared parts of its source code with partners, but it has kept the vast majority of the data secret.

    It appears perhaps the biggest fear is that the thieves will use the code to profit by creating additional security breaches for hapless users. This is really a big risk to take as a user, and I wouldn't be surprised if CFOs begin to recommend the move to open source primarily for security, especially if some people lose lots of money through this exploit.

  34. Re:IPv4 by h3x0r · · Score: 1

    Frankly the SO_RCVLOWAT is not so hot as it would seem. The number of WSAEWOULDBLOCKs that crop up over time can bring down a system. I would instead recommend that you use SO_LINGER and not dynamically resize your stack frame every time an inbound datagram arrives. This provides much lower per-process overhead than traditional multicasting techniques, especially when you consider the small domain size IPv4 provides compared to more traditional schemes like ATM. Specifically, over ethernet with an MTU of ~1500 bytes/datagram (1460 in TCP), significant performance gains can be seen as opposed to ATM, with an MTU of 53 bytes but only when piggybacking on a FILO frame buffer, or a preamble.
    ---

    --
    GetSystemMetrics(SM_SECURE) == FALSE
  35. Industrial Espionage by mcv · · Score: 1

    Guess 1: Some MSFT employees are intentionally working on distributing MSFT source code to equalize the playing field in the new information economy. They are actually working for third world governments.

    Guess 2: Because of the importance of the Internet and its operation, Cisco(or any other mainline router company) has employees who will/have intentionally designed in ASIC router "bugs" that will be exploited in a Cyberterrorism threat.

    Guess 3: This will happen over and over again. The more important that the Internet is to global competition and economic well-being, employees will be "co-opted" into destroying the internals of their "Internet Proprietary" systems through backdoors.

    1. Re:Industrial Espionage by Chris+Johnson · · Score: 2
      It's weird how nobody seems to think there's any other sort of espionage than industrial espionage these days. How about entertaining the possibility of:

      Guess 1.5: Some MSFT employees are intentionally working on relaying MSFT source code to give their government employers better ability to commit IT sabotage at time of war. They ain't working for the US government.

      Honestly, the world does not begin and end with e-commerce. Warfare still happens, and IT is militarily sensitive- it can be an absolute jugular vein if mishandled.

  36. Re:Unfairly modded down by isorox · · Score: 1

    Check out Post 37, the original post that the AC just copied.

  37. Re:Several points, one slightly off topic by ckedge · · Score: 1


    As long as you present your case using that language, I am absolutely certain I could confuse the hell out of a jury into convicting your ass.

  38. US Trade Secret law by chazR · · Score: 5

    MS code is a "Trade Secret".

    It is still a "Trade Secret" even if it is stolen, posted on the web, displayed on billboards, whatever. This is OK until you *use it*. Then, you're screwed.

    If MS can prove to a court (in the US) that you used their trade secrets, and that you knew that you had acquired their trade secrets illegally (which *well* includes downloading the source from an FTP site), well, then you are so shafted it's unreal. Can you say "Punitive damages"? 'cos that's what you'll be paying.

    All MS have to do to protect their trade secrets is to exercise "reasonable care". Now, try and prove they didn't.

    FACT: Stolen secrets are still secrets in law. Half-witted sophistry doesn't change that.

    The other half of the quote is "Information wants to be expensive" - Don't quote the popular half until you understand the context

    1. Re:US Trade Secret law by chazR · · Score: 1

      Are you the next Signal 11?

      *Blushes*

      No - I was responding to a post that indicated a complete and utter lack of knowledge of the law. But, I'm flattered ;)

    2. Re:US Trade Secret law by grahamm · · Score: 1

      What is the logic behind this (or behind a law which may say otherwise)? By the very definition, once a secret becomes common knowledge then it is no longer a secret.

    3. Re:US Trade Secret law by bentriloquist · · Score: 1

      >The other half of the quote is "Information wants to be expensive" - Don't quote the popular half until you understand the context

      ...really? Who said it?

      /Bent Pedersen

  39. Re:IPv4 by Th3+D0t · · Score: 2

    While I agree you have a point, this discussion is about security, not performance. In that respect take linux. Linux, as long as you avoid X like the horrible plague upon humanity that it is, performs excellently. Windows, on the other hand, runs like shit, although, it is faster than linux running X. But then, consider how horribly insecure linux is. So you see it is a triple edged sword, with a cherry on top.
    ---

    --
    I am the dot in slashdot.org
  40. Of course it does, forget commerce for a second. by Chris+Johnson · · Score: 5
    MS Windows massively monopolizes not only the consumer sector, but huge chunks of the military as well. Hell, _ships_ run off Windows, the Air Force is totally full of Windows, and who knows how many other countries in the world are totally standardised on Windows.

    If Russian military intelligence got to go over Microsoft's source code with a fine-tooth comb (or anybody- I only say Russian because apparently that IS precisely who's going over the code now), they would be able to conduct information warfare much more effectively, whether or not there are intentional backdoors- if there aren't, all the military spooks would have to do is dig up overflow exploits and the like. They have the code, and lots of people find ways to do this even _without_ the code.

    They're not interested in fixing it, selling it, posting it on the net or anything of the sort. Their only concern is being prepared to take all of American military IT _down_ before the missiles are launched. (And again, America doesn't have to be the target- any country with a modern computerised military could be the target.)

    The problem with lazy-ass monopolised security through obscurity is just this: now there's no security at all- odds are, some country (possibly not even Russia?) now has what they need to be able to take out any and all Windows-based IT at will. They're not going to be filing bug reports, or _using_ their techniques, unless they are seriously taking action. The only defense against this is to persuade Microsoft to either open their process to outside auditing (for instance, the NSA or the military), or to ask Microsoft to please fix any bugs that might be a weak point in this sort of attack.

    *bitter laugh* riiiight.

    I want my country's military off Windows, dammit. Now. All that is _compromised_. It's one big trojan horse because of Microsoft's arrogance and belief that they are SO SMART that they don't need to let anyone else into their process.

  41. Re:Reading Comments Can Be Enlightening by Anonymous Coward · · Score: 2

    I would not be surprised to find that Microsoft has racist and discriminatory comments in their code.

    . At Redmond alone, we have the African American employee group, the Attention Deficit Disorder group, the Chinese employee group, the Deaf and Hard of Hearing group, the Filipino group, the Gay, Lesbian, Bisexual, and Transgender group, the Hispanic, Indian, Korean, and Native American groups, as well as heaps more. Don't sprout this rubbish about Microsoft being a racist company.

  42. So who's the next target? by RallyDriver · · Score: 1

    Will they be hacking Red Hat, SuSe et al next to get the Linux sources? :-)

  43. Oh great ... by Strepsil · · Score: 1

    [from the article]
    >the targeted material was related to Microsoft's
    >.NET strategy, a sweeping plan to build the
    >Internet into all its software.

    How much disk space is THAT going to take up? Can't they just link to the Internet that's already there?

    (Sorry, I'm in a weird mood today ...)

  44. Re:racism? doubt it by isorox · · Score: 2

    You know I'm still pissed about the romans invading britain, perhaps I should moan at the italians now.

    And I've never forgiven the french over 1066!

    In fact, I think that Og hit my great great great great ..... great great great grandfather over the head with a club, and Og is related to you, so you owe me all that extortion money you got from your last employer.

    If someone scrawls some racist/sexist/ageist/classist/anti-Microsoft slogan on a bridge, can you sue the council? No! (Well, I hope not). You tell them it's there, they remove it.

  45. Maybe a GOOD thing for M$? by Sly+Mongoose · · Score: 3

    Now that M$ have publicly admitted that their IP has been compromised, they are in a good position to complain about anyone producing any competing products.

    If a C# compiler were to appear on the scene for a non-Windows platform, might the authors not be accused of having used M$'s IP in order to produce it? The same goes for any piece of code to appear that threatens their .NET stranglehold strategy.

    I have not seen any definitive list of what code was compromised. Has that been made public? Or are they free to point to anything that appears in future and say it is based on their IP?

    Hell, maybe they are making the whole incident up!

  46. Re:Everything's a virus by Mr+Z · · Score: 1

    Gallagher. And his joke ("There's a brightness knob on the TV, but it doesn't work.") I don't think started with him.

    --Joe
    --
    Program Intellivision!
  47. Microsoft Security = not much by Anonymous Coward · · Score: 4
    Today I'm going to tell you a little bit about Microsoft's physical security. Or, how J. Anonymous Coward walked into Microsoft and walked out with confidential data. (And a very large quantity of free Coke.) Unfortunately, I have to leave out a lot of details so as to protect the poor innocent M$ employees who did nothing wrong except choose the wrong employer. Also since this took place in 1998 some of this information may be out of date.

    I wasn't even looking for confidential information. Just turns out that I knew a couple of people who happened to work at Microsoft, and so I decided to pay one of them a visit at their office in Redmond, while I was vacationing in Seattle.

    Now at each entrance to each M$ building there are Honeywell card readers, and each employee has a matching Honeywell card that opens the right doors so he can get to work. With the building I was at there is a front entrance and then a foyer with a receptionist's desk. During the day you have to get by the receptionist slash security guard to the second set of doors, which you also have to swipe your Honeywell card at. (At the building I was in, the receptionist desk was inside the second set of doors.) At night there isn't a receptionist or security guard, you just swipe both sets of doors and you're in. And once you're in a building you can go practically anywhere in that building; there aren't any other security checkpoints.

    If you lose your card you can use the phone next to the card reader on the outside to call in to the receptionist, or to call your friend inside to let you in. This is how I got in. I called my friend's 5-digit extension and they came down to get me. (That's 2-xxxx inside; 425-882-xxxx outside.) There are refrigerators stocked with Coke (and Pepsi) products on nearly every floor. Just help yourself. There are also random arcade games, Ping-Pong and billiard tables scattered around. Each person has their own office, small as it may be; a few people share in some areas.

    Anyway, inside, they have large supplies of blank CD-R's. All of them were factory labeled with the Microsoft logo and the words "Microsoft Confidential" and some other legalese. They are half blue and half white. And most of the developers that I met had their own burner.

    I'm quite sure you can figure out the rest from here, and these are the details I have to omit. I can say it has something to do with caffeine's diuretic effects on developers. But I will provide a few other details for you.

    Microsoft has their own security people. At night they go around and turn off all the lights in the buildings. Only they do it from the outside, via remote control. I think the system uses RF. (If you're inside, you can turn them back on, though. And be careful, they even turn off the lights in the bathrooms, and the switch can be hard to find. In the bathroom I used, it was about eight inches higher than I expected it to be.)

    Microsoft has an internal server with pre-built installers for most (all?) current Microsoft operating systems, applications, etc. If you need something, you just open the network drive and get it.

    Microsoft's firewall prevents people internal from connecting to certain outside sites. In 1998 this included netscape.com (but not mozilla.org).

    Certain parts of Microsoft source are written in C and/or C++, and these parts are LITTERED with gotos. I mean they're everywhere. It's almost like they'd never heard of do, while, break or continue.

    Anyway, that's my story.

    1. Re:Microsoft Security = not much by 11223 · · Score: 2

      I know there's a place for while. But when you need the assembler to do what you want it to do (and btw switch is a redundant feature of C that should have been removed), and you're thinking of your code on the assembly level, you want to use goto.

    2. Re:Microsoft Security = not much by ddstreet · · Score: 1

      Sure, when you need the code to have a goto in the assembly, you want to use goto in C; but how often do you really need to have a goto in assembly? You're second-guessing the compiler/assembler. Let it do its job and it will probably optimize better than you.

    3. Re:Microsoft Security = not much by 11223 · · Score: 2
      So is Linux. gotos produce a perfect near jmp in quite a few incidences, making cleaner assembly.

      But, then again, you knew that, right?

    4. Re:Microsoft Security = not much by ddstreet · · Score: 2

      Good compilers (read: gcc) will produce near jmps when you use for, while, etc. also. E.g., how do you think switch() is done? Jump table. And that's the whole point of high level languages, isn't it? To NOT have to second-guess the compiler, or try to optimize the code yourself? Now, if using a goto makes the code more readable (i.e., the only other option is 5 nested fors or whiles with bunches of variables to break out, etc.) then that's a good place to use goto...but using goto to try and optimize the assembly is bad.

      But, then again, you knew that, right?

  48. Re:Or maybe this isn't so bad... by kupolu · · Score: 1

    Fix all the errors in the source and there'd be nothing left.

    --
    -- We should kill all the intolerant people in the world.
  49. Re:Download speeds and M$oft by polymath69 · · Score: 1
    I think you need to check your calculations. 9GB at 9600 b/s would take about three and a half months to download.

    Start with 9GB = 9 * 1024^3 = 9663676416 Bytes
    Times 9 bits per byte (8 data + 1 stop) = 86973087744 bits
    Divide by 9600 bits/second = 9059696 seconds
    Divide by 3600 seconds/hour = 2156 hours
    Divide by 24 hours/day = 104.8 days

    Add in overhead and line drops and we're talking about a little bit more than a long weekend...


    --
    I don't want to rule the world... I just want to be in charge of mayonnaise.
  50. oh christ by ArchieBunker · · Score: 2

    you back again? fuck your ancestors. If you hate the white man so much why don't you leave this country?

    It's the new age of racism, I'm not from the south, I don't have a rebel flag, a pickup truck, a shitty looking house or an ugly wife. I'm the average white guy who you can't tell from anyone else.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  51. Re:Its a Government Conspiracy! by cosmosis · · Score: 1
    I like your sense of humor! Hail Eris!

    Well, assuming it is a government plot, you can look at this two ways:

    1) Either M$ colluded with the Government in orchestrating the break-in. Very unlikely.

    or

    2) The government did it on their own in order to further their own agenda. Who better to go after than the most powerful software firm. If you can get the big software players over to your side, then the rest of the smaller software companies will more easily succumb to political pressure to grease the wheels of government intrusiveness into people's lives. After all, "we the government are the good guys, we are trying to protect your business. Please help us spy on your customers in order to protect you."

    Now New Zealand is following suit with their own cyber-snoop laws orchestrated by none other than the FBI. NZ's law will make it a crime to encrypt information, even accidentally, and refuse to give over the keys to it. Even if you lost them! Refusal to do so will land you in prison for 5 years! This same law is mandating that all ISP's keep complete dossiers on all their customers for at least 40 days!

  52. stealing millions of dollars ! by Mr.Sarcastic · · Score: 2
    Russia is known as a haven for criminal hackers who, among other exploits, have been fingered for stealing millions of dollars from banking networks.

    Did I miss a headline about this or is MSNBC talking out of their back orifice? Millions stolen? I think that would have been headline news.

  53. Re:racism? doubt it by cronio · · Score: 1

    Jesus fucking christ. Racist doesn't just mean black-hating white people. You think that there are no white-hating blacks? You think that any company with an anti-[insert religion, ethnicity, or belief here] should be shut down?

    --


    My plan is to pimp before they realize I'm a jackass. Hit 'em hard and fast.
  54. Core products? by Tony+Shepps · · Score: 4
    "Microsoft said it was not part of the company's core products."

    Now I'm *really* intrigued. What constitutes a core product? Wouldn't it be interesting if certain languages were "core" and others weren't?

    How would you feel if you paid $600 for Project to run major development work... or used Visual Basic to develop critical code for your company... or

    If the cracker picked up Notepad, they wouldn't have asked for FBI help, would they? If it was MS Baseball 2002, they wouldn't have picked up the phone... it HAD to be something worth more than the bad press that could be generated!
  55. Mini-tech must be hard at work by Tans · · Score: 1

    All the minions at Mini-Tech (Redmond) must be very busy. Their desks must be full with articles to be changed. Yes, Big Brother (BG) knew about this all along and it was a test. This just proves that .Net is the answer, it must be. One central place where all your data can be securely stored, the memo now states. But wait, I think I could remember something about a possible security threat with their software... then again maybe it was the one that they didn't want to fix because no one would exploit it.

    So almost overnight there is a new history. Only a glimpse.

    Everyone's happy.

    Nothing to worry about except that Emmanuel Goldstein (oops this dang keyboard, I mean Linus Torvalds). It must have been that open source underground behind this, a memo will soon read.



    Up next Animal(Apple) Farm (or how to alienate your loyal followers)

  56. Re:Why do it? by DavidTC · · Score: 1

    Why I bother responding to this I have no idea, but the code was not 'spammed' all over usenet. It was put up on FTP. The entire Linux kernel has never been posted to usenet. But, of course, you knew this already.

    -David T. C.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  57. If they did, we would not have heard about it by xixax · · Score: 1

    If they (communist|terrorist|criminal) really wanted it, they would have paid off someone inside MS to steal a copy and you would have never heard about it. In fact, if it ever was going to happen, I'd guess it happened a long time ago.

    Stand by for some "prove you are innocent" lawsuits once the public memory does goldfish() on this incident.

    X.

    --
    "Everything is adjustable, provided you have the right tools"
  58. Re:Source Code Obsession. by VivianC · · Score: 1

    I think it does matter who sees the source code.

    Let's flash back to a /. story from 1998. If this code went to Russia, to quote an Imperial General in Star Wars "it is possible, however unlikely, they may find a weakness and exploit it."

    Think about that next time we send our ships somewhere like Serbia or Taipei.


    Viv
    -----------
    I Use Napster. I use DeCSS. I buy over $1000 a year in CD/DVDs.

    --
    Viv

    Gmail invites for ip
  59. Re:Its a Government Conspiracy! by Yardley · · Score: 2

    No, you're not the only one.

    Nobody stole any Microsoft code. Microsoft staged the break-in as part of its continual goal to create a perception of greater value in their product (if it weren't valuable why would people steal it; why would people pirate it; etc) & to get certain anti-hacker legislation shuttled through Congress (which will help them yield greater control over their product after you've bought it & to fight against open source software's reverse engineering of their proprietary standards for compatibility and publishing of security exploits). The Microsoft staged break-in also helps to bolster their image as a victim, like they claim in the ongoing anti-trust case, rather than the perpetrator, which they are.

    These events did not transpire without a reason. Microsoft wants to control your computing experience from the ground up and will do whatever it can do to further that end.

    --
    He lives in a world where those who do not run the client software of the omnipresent meme are unacceptable.
  60. Re:MS Code ... by Alan · · Score: 1

    Shit! Get the code and produce exploits from it???? Someone better tell this "linux" company that their code is out there for anyone to see and 'sploit them!

    Hmmm... wait a minute, if the Windows source wasn't closed to the world, this whole thing wouldn't be a concern....

  61. Re:moderate up! by isorox · · Score: 1

    Antarctica, April 1 2007, 15:12

    Microsoft's 18th, and final, appeal against the DOJ ruling was rejected today. A distraught Bill Gates strode out of the court this morning and was seen heading straight for a local internet cafe.

    2 minutes later every nuclear missile on the planet launched, while all anti-nuke defences blue screened, many cities were laid waste to. CNN's daily broadcast of "linux - the future, now", was cut short by an unexplained illegal operation.

    Mr Gates was unavailable for comment, however a spokesman for Microsoft stated that this was a tragic accident, probably caused by incompatibility between the few remaining NT servers, and any non-Microsoft software.

  62. Re:MS Code ... by Alan · · Score: 1

    Agreed. At our company the source code is spread out on several developers boxen, depending on who they are and what they are working on. There is no nice tarball with a filename like full_product_source.tar.gz. More like: foo.c on box a, foo.pl and foo.pm on box b, bar.java on box c, baz.bz and qux.bz on box d.

    *IF* someone knew exactly where things were they could maybe get several things of value. But that involves many levels of password (hack box a, then box b, then c, d, etc.), *after* getting past the initial firewalls (all the developers use linux boxen). Sure, send a vbscript virus, no big deal, the salespeople get it, and you can look at proposed banner ads and shit like that. I'm assuming that it's similar to this at MS, only a HUGE amount more :)

  63. Re:Open up some standards by hammock · · Score: 2

    Yes but it goes both ways. See, the whole SMB and Win32 API is so crufty and shitty that nobody at Microsoft (which has an employee turnover of about 98% every 6 months) really understands what is going on in the source. Hey look ! someone has reverse engineered it AND documented it AND commented the source!

    Now Microsoft can use the documentation to understand what is going on in their own shitty crufty code, thus saving themselves a lot of time and money, all by violating the free software licences (GPL for Samba, X11-style for WINE).

    They can also audit the WINE and Samba code to find areas where they can break Windows -> (Wine,Samba) compatibility while maintaining Windows -> Windows compatibility, causing the free software projects to waste more effort in reverse engineering the changes.

    Even though the Halloween documents went public, Microsoft is doing EXACTLY what they set out to do.

  64. Re:I think people might have this backward... by martinflack · · Score: 1
    Instead, what if a good hacker decided to drop a few dozen lines of code in amongst the 10s of millions or so lines in Windows to make it easier for *them* to hack. Why hunt down security holes, when you can code them into the product yourself.

    You know, what's to stop this from happening to an Open Source product? Your average Linux distro is a few hundred separate packages - who's to say someone doesn't hack into an author's computer and add a few lines to his project for him?

    What with all these binary .rpm's and all these days, it might be a while before anyone noticed... I know I certainly don't have time to read the code of every program I want to use.

    So I suppose my point is - in light of those two points above, isn't a scenario like this *more likely* with Open Source?

    It just occurred to me that AFAIK, Red Hat, the particular vendor I use for Linux, doesn't actually advertise that they read every line of source code for intentional "vulnerabilities". (Or do they?)

    Hmmmmmm.... let me play Devil's advocate - what if M$ (or some entity controlled thereof) did this intentionally to undermine Linux? i.e. coded something that Linux badly needed, and then intentionally coded in a subtle backdoor and released an exploit under the table, followed shortly thereafter by appropriate FUD.

  65. Re:Source Code Obsession. by Azza · · Score: 1

    I just want to find out how the hell they calculate the microsoft minute. I mean, it's a simple algorithm, I really want to know how they got it as wrong as they obviously have.

  66. Unfairly modded down by volpe · · Score: 1

    Although I don't know why the above individual posted anonymously, that post was definitely not a troll. It seems like a valid observation to me.

  67. Yawn! by xonix7 · · Score: 1

    what about sex with female collies?

    --
    Everything is but a number spoken by itself.
  68. Re:Everything's a virus by JabberWokky · · Score: 2
    You must choose between the words virus, trojan, or worm. They have different, but related meanings.

    Yes, but in mainstream articles, everything is a virus. Thus, a worm becomes a "worm virus", or a trojan horse program becomes a "trojan virus".

    "Virus" == "Malicious Program" in the mainstream view. Don't blame the journalists... their job is to tell the story. They have to speak in the common vernacular. "Hacker" == "Someone who breaks into computers", "Hack" == "A Golfer", "Operating System" is generally undefinable, and I knew one very intelligent person who does not use nor know computers who thought from early news stories that Linux replaced your BIOS (given their description of it).

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  69. Re:MS Code ... by MobyDisk · · Score: 2

    > This project is then suspected by MS ... but it would take illegal reverse engineering or a
    > court warrent to confirm ... thus another downfall to MS.

    Since when was reverse engineering illegal? What country would have jurisdiction anyway?

  70. A large amount of attention on Source Code by painecave · · Score: 1

    If Windows was Open Source the concern about source code hacking (which seems to be the concern of 90% of the articles I read) would be eliminated.

  71. The Quote, the Truth and the Lesson by Codeala · · Score: 1

    [The Quote]

    "We start seeing these new accounts being created, but that could be an anomaly of the system," Rick Miller (MS spokesperson) said. "After a day or two, we realized it was someone hacking into the system."

    [The Truth]

    What software was stolen/looked at? Paperclip 2001, "I can't let you do that, Dave".

    [The Lesson]

    And yes we only have one copy of our source code and we don't believe in backups or checksums, so code tampering is a very serious problem.


    ====

    --

    Codeala - Just another mindless drone
  72. Re:The ships run on unix by ethereal · · Score: 1

    The Yorktown lost control of its propulsion system because its computers were unable to divide by the number zero, the memo said. The Yorktown's Standard Monitoring Control System administrator entered zero into the data field for the Remote Data Base Manager program. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units, the memo said.

    from Government Computer News, the horse's mouth.

    So a database divide-by-zero took down the whole network, including all the machines on it. Sounds like an OS failure to me - why should a database failure or even a database crash of another machine on the LAN take down every other machine? Even if it caused the custom application to fail on every other machine, the machines should still be up.

    So while NT may not have been the initial failure, due to its poor error handling or stability problems it converted a localized problem into a network-wide problem. If that's not a failure of the OS, what is it? A feature? :)

    --

    Your right to not believe: Americans United for Separation of Church and

  73. OT - The Number of Trolls. Once Again by isolation · · Score: 1

    This is really getting old. 7 posts in and only one is about the story.

    Check out
    http://www.kuro5hin.org

    --
    Free Unix? Free Windows. http://www.reactos.com
    1. Re:OT - The Number of Trolls. Once Again by cheekymonkey_68 · · Score: 1

      You wait till the movie version of Lord Of The Rings is released.

      Then you will have a real reason to complain about the number of trolls.

  74. What Good is M$ Source Code? by herbierobinson · · Score: 1

    They "borrow" ideas from everybody else. There probably isn't anything original in the stuff. From the articles, I would say the hacker agreed (they claimed the hacker spent all of two minutes looking at source code....).

    Much more fun stuff would be business documents. Things documenting stuff like, oh... monopolistic business practices...

    --
    An engineer who ran for Congress. http://herbrobinson.us
    1. Re:What Good is M$ Source Code? by TheShadow · · Score: 1

      That's a good point... I wonder how much GPLed code is in M$ products. I'm sure there is a lot of it... and I'm sure they are violating the GPL all over the place.

      --
      "What do you want me to do? Whack a guy? Off a guy? Whack off a guy? Cause I'm married."
  75. Re:Right out of some satire by Kushana · · Score: 1
    If any attempts to download or transfer the source code were made, such activity was not recorded in Microsoft's logs, Miller said, adding that it is unlikely any source code files were copied because of their immense size.

    Good grief! What were they writing? Software bloat as a protection against theft?

    Code size plus Microsoft Visual SourceSafe does equal security. Anyone who has used VSS knows that updating a moderate size project can be a "go away and eat lunch while it finishes" proposition. Doing a "Get Latest Version" from scratch on the Win98SE project is more likely "go away for fourteen sleeps."

    --

    Careers should combine three things: what you can do, what you want to do, and what you can get paid for.
  76. Re:Well, Microsoft cares by mallie_mcg · · Score: 1

    Anyway, Windows is not the only product Microsoft sells. Source code from Office was also compromised. I can imagine why competitors might want to look at how certain features work, given the feature-list "checkbox wars" that go on in the industry.

    Actually the MSNBC article says that it was an as yet unreleased, and under-development project, that Microsoft said, that the intruder came across the source code for the computer program under development. Microsoft said it was not part of the company's core products. Hell, have the quote from the web site.


    How every version of MICROS~1 Windows(TM) comes to exist.

    --


    Do the following really mean anything? SCSA MCP CCSA CCNA
    --I'm not actually after an answer!
  77. Virus checker by Imran+Ghory · · Score: 1

    Surely more than anything, it has highlighted an important point, Microsoft either don't run a virus checker or they haven't updated the one they do use.

    As the latter is unlikely, one must assume the first, their reasons would be fairly obvious (Would you run software which was constantly in memory and written by a semi-competitor on your development machines ?). But surely announcing it in such a way is an open invitation for "would-be" hackers to send them viruses.

    (Incidentally apparently the code was ".NET" related, any bets that it was a virus checker they were writing ? :-)

    --
    -- Conexant/Rockwell Modem HOWTO http://linuxdoc.org/HOWTO/Conexant+Rockwell-modem- HOWTO/
  78. Decompilation by Animats · · Score: 2
    You could presumably reverse-engineer the source with a C decompiler. Existing decompilers aren't very good, but beat reading disassembler output.

    In general, C decompiling doesn't recover macros, inlines, local variable names, or compiler idioms, so you get back something that looks like assembler expressed as C source. You're lucky to get something back you can compile. Decompiling is an area that needs more work.
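To make the comment above concrete, here is an added illustration (not part of the original post): a small constructed function as its author might write it, next to a hand-written imitation of what a decompiler typically gives back for the same machine code. The names `checksum_original`, `mix`, `ROTL32`, `SEED` and the address-style label `sub_401000` are all hypothetical, and the second function is written by hand, not produced by any real tool.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ---- What the author wrote (constructed sample) -------------------- */

/* Macros vanish in the preprocessor: the binary never sees these names. */
#define ROTL32(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define SEED 0x811C9DC5u

/* An inline helper is normally merged into its caller by the compiler. */
static inline uint32_t mix(uint32_t state, uint8_t byte)
{
    return ROTL32(state ^ byte, 5) * 0x01000193u;
}

uint32_t checksum_original(const uint8_t *buf, size_t len)
{
    uint32_t state = SEED;
    for (size_t i = 0; i < len; i++)
        state = mix(state, buf[i]);
    return state;
}

/* ---- Hand-written imitation of decompiler output -------------------
 * Same behaviour, but everything that lived only in the source is gone:
 *   - the function is named after a (made-up) address,
 *   - parameters and locals are a1, a2, v2, ... with generic types,
 *   - SEED and the multiplier are bare decimal literals,
 *   - ROTL32 and mix() are expanded in place,
 *   - the for loop has become a guarded do/while over a pointer.
 */
uint32_t sub_401000(uint8_t *a1, uint32_t a2)
{
    uint32_t v2;
    uint32_t v3;
    uint8_t *v4;

    v2 = 2166136261u;
    if (a2 != 0) {
        v4 = a1;
        v3 = a2;
        do {
            v2 ^= *v4++;
            v2 = ((v2 << 5) | (v2 >> 27)) * 16777619u;
            --v3;
        } while (v3 != 0);
    }
    return v2;
}

/* Returns 1 when both versions agree on the given input. */
int same_result(uint8_t *buf, uint32_t len)
{
    return checksum_original(buf, len) == sub_401000(buf, len);
}

int main(void)
{
    uint8_t sample[] = "constructed sample input";
    uint32_t len = (uint32_t)(sizeof sample - 1);

    printf("original:   %08x\n", (unsigned)checksum_original(sample, len));
    printf("decompiled: %08x\n", (unsigned)sub_401000(sample, len));
    return same_result(sample, len) ? 0 : 1;
}
```

Both functions compute the same value; what differs is everything a reviewer relies on to understand intent, which is why recovered code reads like assembler expressed as C.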

  79. Re:Opening windows will increase MS stock values? by gallir · · Score: 1

    MS stock rose 5% _after_ the theft was known.

    --
    sgis ddo ekil t'nod i
  80. MS Code ... by SuperDuG · · Score: 5
    Hypothetical ... but what would happen if the windows source code was released onto the internet ... (ie DeCSS) ... even if it was deemed illegal and the distributors were arrested ... the code would still live on and become what might be the downfall of MS.

    Think about it ... not a rogue OS based off of MS code ... but thousands upon thousands of exploits would turn up thus any computer connected to the internet through a (sarcasm) "secure" internet connection would now be at risk.

    Another hypothetical ... company A comes out with a product that can run all win32 binaries... this os is based off of the source code of windows but is a closed source project. This project is then suspected by MS ... but it would take illegal reverse engineering or a court warrant to confirm ... thus another downfall to MS.

    One more question I have ... If MS is SOOO concerned about their code ... why the hell is it so easy to remote access it?

    --
    Ignore the "p2p is theft" trolls, they're just uninformed
    1. Re:MS Code ... by ardiri · · Score: 1
      • So, it's a matter of comparing code. If it's 'sufficiently similar' there could be a case.
      you never know - this is very likely. but, if you see something that is written *really* bad (it can happen, even with M$; sarcasm is to be removed upon reader choice) - rewrite it in a more optimal manner :)) i think, getting knowledge about how the internals of win32 operates can only be a benefit for M$. we might be able to find all those screwy bugs many people have spent ages trying to work around.
    2. Re:MS Code ... by Felinoid · · Score: 1

      I've been at it for 5 years now [lie]
      My team of programmers can be found on FidoNet (Hay guys back me up here..)
      Oh wait... No My team of programmers can be found on FidoNet.. that BBS right there.. and that one over there.. and those three... oh my they went away over the last few years.. gee I've not paid attention.. I'm sorry my whole programming team is inaccessible...

      That doesn't save me from an expert examination... that would reveal my code was in fact stolen from Microsoft... whoops...

      Microsoft's people would recognise it by "feel".. all the quirks in place.. that sort of thing... the stuff the average user might miss... and wouldn't be needed for a clone.

      --
      I don't actually exist.
    3. Re:MS Code ... by King+of+the+World · · Score: 1
      Please note:
      1. 60%+ of desktop users use MS Windows 9x.
      2. Some apps are only available for Windows.
      3. Wine is being developed. Win32 is not. Wine has the possibility of becoming more stable. It already is more stable than Win32 for some apps.
      4. If people could replace MS Windows with a free and more stable OS - they would in droves.

      So yes, there would be market. You lapid dickless hole.

    4. Re:MS Code ... by King+of+the+World · · Score: 1
      We are talking about http://openwindows.sourceforge.net right? (though it seems to be dead right now)... The OpenWindows that is the topic of discussion in this slashdot story right?

      OpenWindows being a hybrid in that it duplicates MS Window's features (runs win32 binaries) but makes improvements due to Wine and Samba code (which I said my opinion was based upon; that both are more stable than the original for some applications and purposes and hopefully would only improve to beat Win16/32 in all areas as Microsoft are not concentrating on Win16/32 any more).

      It's not proprietary, it's GPLed - though I'll grant you "slow and uglier".

      I thought OpenWindows was a stupid idea, I agreed with most of the trolls at the time.

    5. Re:MS Code ... by Fist+Prost · · Score: 1

      I was thinking of OpenWindows from Sun, which is one of two wm's available on the sparcs in the computer labs where I work*. It is indeed slow and ugly, but at least I don't have that nasty app-bar that CDS insists on putting on the screen, taking up valuable desktop real-estate.

      *There is also twm available, but you have to start your session in some sort of failsafe mode to use it, and it makes OpenWindows look like KDE2 by comparison.

      --

      Fist Prost

      "We're talking about a planet of helpdesks."
      -Jaron Lanier
    6. Re:MS Code ... by linuxgod · · Score: 1

      Exactly, if it were Russia which ms claims it was. Then Russia is holding the cards, not ms.


      Ignore the Anonymous Pissant trolls !!!

    7. Re:MS Code ... by linuxgod · · Score: 1

      If Russia said "fuck you" to the US, then M$ would be screwed, and any code coming from Russia that appeared to be M$ code would not be allowed in the US.

      It's something to think about.


      Ignore the Anonymous Pissant trolls !!!

    8. Re:MS Code ... by Stephen+Samuel · · Score: 2

      (all the developers use linux boxen)
      I doubt that most MS developers use linux boxen.
      `ø,,ø`ø,,ø!

      --
      Free Software: Like love, it grows best when given away.
    9. Re:MS Code ... by linuxgod · · Score: 1

      Stamp those damned trolls !!!


      Ignore the Anonymous Pissant trolls !!!

    10. Re:MS Code ... by linuxgod · · Score: 1

      I take it you didn't like that statement?
      It must have personally bothered you.


      Ignore the Anonymous Pissant trolls !!!

    11. Re:MS Code ... by Ian+Lance+Taylor · · Score: 1

      And nothing says backwards-compatible-lovin like working on a file with a creation date over a decade ago.

      There are plenty of files in gcc which have creation dates of 1987. I didn't check emacs, but there might be some even older files there.

    12. Re:MS Code ... by Anonymous Coward · · Score: 5
      the code would still live on and become what might be the downfall of MS

      As an ex-employee... all I have to say is "yeah, right". The level of cruftiness in certain codebases (NT, and Visual Studio, for example) is astounding. When I first started there, I was amazed that it worked at all.

      And nothing says backwards-compatible-lovin like working on a file with a creation date over a decade ago.

      Let's just put it this way: those who had access to MS source code probably didn't have a clue what to download or what would be useful. And even professional developers would have trouble making heads or tails of most of the MS code, even with complete access to it. With just bits and pieces, you could probably do better getting a non-tainted hacker (ex: Jeremy Allison) to explain it to you.

      Remember awhile back, when crack dot com fucked up and someone managed to download the Quake source code from them? As a person who got a copy of this, I can tell you that it wasn't particularly useful. Without documentation, and without Carmack to tell you what the hell is going on, it would've been a tremendous task to go through that spaghetti and figure out what it was doing. I could understand most of the low level video functions and that sort of stuff, but when you get into the BSP and internals of the engine - no way.

      And that was just a drop in the bucket compared to the MS source code behemoth.

      - AC for obvious reasons

    13. Re:MS Code ... by MightyMicro · · Score: 3

      Hang on, hang on, you're missing a thing or two about software copyright.

      If your hypothetical company A produced a derivative product from Microsoft's source code, and Microsoft took action, the likeliest outcome (at least in the US) is that a court could order a comparison to be made by an independent expert of the two pieces of source code. If that expert found that there were "striking similarities" between the two, then the case would be part proven.

      Secondly, how long did it take you to write this almost perfect clone of Windows? A week? Really? Can you show me the timekeeping records of the army of hackers you had working on this project to write a "new" Windows? Their names and addresses? No? (And so how long have those guys at Freedows been at it so far?) Your case is now in more trouble.

      Finally, did you have access to the original source code? Can you prove that you didn't? Can all your army of programmers swear affidavits that they have never seen the Windows source code (and could not, therefore, have copied it)? Kinda tricky if it's been published for all to see on the Internet, don't you think.

      Forget the reverse engineering, you're dead.

    14. Re:MS Code ... by Alan · · Score: 1

      Of this I have no doubt, however, I was simply giving an example of how things were at my place of work :)

    15. Re:MS Code ... by t3553r4ct · · Score: 1

      interesting comment, how on earth can ms prove something when proving it is illegal?!? hah!

    16. Re:MS Code ... by Mirr0rz · · Score: 1

      Is there any possibility that the loss of the sacred windows source could make windows a better OS, for us ? ..sure ...for consumers, ? maybe. just think: all of the neat little apps you can find for unix, now (because of the source) could be released for windows...... windows + the speed and reliability of non-reverse engineered products = at least better than what we have now. With the exception of more vulnerabilities, windows could only get better because of this, and maybe after learning the risks of using a Microshot, the public would finally have to actually learn how computers worked. instead of depending on an easy to use and cute OS to do the dirty work for them. cuz we know how well those things work - Mirr0rz

    17. Re:MS Code ... by isorox · · Score: 1

      Call me naive, but can Microsoft prove you had seen the source code, and used it in your project?

      Universal Declaration of Human Rights
      Article 11

      Everyone charged with a penal offence has the right to be presumed innocent until proved guilty according to law in a public trial at which he has had all the guarantees necessary for his defence.


    18. Re:MS Code ... by andyh1978 · · Score: 1
      Call me naive, but can Microsoft prove you had seen the source code, and used it in your project?
      The judicial system is of course based on the concept of 'reasonable doubt'.

      So, it's a matter of comparing code. If it's 'sufficiently similar' there could be a case.

      It's all up in the air of course, since there's 'copied and changed' code and 'coincidentally similar because it does the same thing' code.

      I don't know how definitive the burden of proof has to be in the US, particularly in intellectual property cases.
    19. Re:MS Code ... by King+of+the+World · · Score: 1

      People wouldn't just use MS's code to make a replacement - they'd take Wine's code and make a hybrid (something like OpenWindows - only not cleanroom).

  81. The ships run on unix by codepunk · · Score: 5

    I just left the navy after 10 years of service as an IS type. I can tell you for a fact that Windoze does absolutely nothing mission critical. They might use it for typing up some messages but all combat / intel / recon software is all based on unix in most cases HP.

    --


    Got Code?
    1. Re:The ships run on unix by RelliK · · Score: 2

      So what about that warship that got stuck in the water because windows crashed?
      ___

      --
      ___
      If you think big enough, you'll never have to do it.
    2. Re:The ships run on unix by 3wicky · · Score: 1

      that was the USS Yorktown in the 'Smart Ship' program that was merely TESTING Windows integrated with all major shipboard systems. Not all of the ships in the navy have this, previous poster is correct that only basic front end stuff runs Windows NT. In fairness to NT they tried to integrate almost all major shipboard services, and didn't have enough time to really QA their stuff. What happened on the Yorktown could have happened regardless of the OS since it was the software they were using that goofed.

    3. Re:The ships run on unix by 3wicky · · Score: 1

      your linking to the article only reinforces the obvious. The fault was on the application level, not the OS.
      cheers.

    4. Re:The ships run on unix by mpe · · Score: 2

      I can tell you for a fact that Windoze does absolutly nothing mission critical.

      Except on the USS Yorktown... Apparently this didn't result in Windows being thrown out of the program. Apparently no-one took the risk of kamikaze rowing boats seriously.

    5. Re:The ships run on unix by ethereal · · Score: 1
      What happened on the Yorktown could have happened regardless of the OS since it was the software they were using that goofed.

      I disagree with that - there are some OSes that I could name which wouldn't go belly-up just because a particular application was written incorrectly. Now if you based your ship's operations on that faulty application, you still might have to be towed back to port, but at least your other applications would still be usable.

      --

      Your right to not believe: Americans United for Separation of Church and

  82. The Halloween documents part 2 by Leto2 · · Score: 1

    Wanna bet tomorrow an internal memo will leak out stating that Microsoft indeed made all this fuzz up and leaked the code deliberately in order to prevent Linux from becoming a main-stream OS?

    History repeating, folks!

    --
    <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
    1. Re:The Halloween documents part 2 by BovineOne · · Score: 1

      Of course, but it was probably just an attempt intended to infect all the existing GPL code projects with arcane Hungarian variable names.

      --
      Don't waste those cycles! Put them to use! http://www.distributed.net/
  83. MS was cracked for three months by alpha264 · · Score: 1

    Didn't you read the original MSNBC article at all? "The hackers, whose identities are unknown, are believed to have had access to the codes for three months."-MSNBC article

  84. Oh I don't know about that by xant · · Score: 5

    Microsoft makes a living off not fixing problems that are brought to their attention in plenty of time. The security officer would probably get a bonus for adhering to company policy so well.
    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  85. Re:Everything's a virus by Markar · · Score: 1

    What surprises me is that the media didn't refer to it as a 'trojanwormvirus' ;-)

    --
    "Open code, in other words, can be a check on state power." -Lawrence Lessig
  86. I'm not surprised, why should he be? by HiyaPower · · Score: 2
    Last paragraph in the article is:

    "We've been forecasting worm-based industrial espionage to happen for quite some time," said Mikko Hyppönen, anti-virus researcher for F-Secure Corp. "It has finally happened. I'm just surprised it happened at the top."

    Since these guys are (by definition) running M$ cruft to the hilt and the worms usually take advantage of Outlook/Viral Basic. What better place to target? Someplace that runs Lotus Notes maybe??

    1. Re:I'm not surprised, why should he be? by matman · · Score: 3

      That end quote is sort of misleading. From what it sounds, this attack is nothing new - and it didn't first happen at the top. What's more interesting, and accurate, is that even with so much experience in worm vulnerability, Microsoft was not able to protect themselves from the threat.

    2. Re:I'm not surprised, why should he be? by IntlHarvester · · Score: 2

      An industrial espionage Outlook script would be trivial to write -- just scan public folders and shared drives and silently mail files out in the background.

      A Lotus Notes version of this sort of thing would also be pretty easy in most environments, providing you had access to somebody's User ID Certificate file. (Notes can restrict the programming interfaces to trusted developers, but the default setting is wide open to all users.)
      --
      Business. Numbers. Money. People. Computer World.
  87. Re:Several points, one slightly off topic by BovineOne · · Score: 1

    Cutting off access immediately when something suspicious is discovered doesn't allow you to continue to collect evidence against the people doing the hacking and wouldn't allow you to prosecute as effectively as you could if you have definite evidence of some theft occurring. Evidence of repeated access tracing back to the same party each time also allows you to establish intent. I'm sure there was also some delay involved in allowing the notified authorities to come in and also observe.

    --
    Don't waste those cycles! Put them to use! http://www.distributed.net/
  88. Re:If Windows is so bad ... by King+of+the+World · · Score: 1
    Well lets look at the claims,

    Its bug ridden,

    Granted. It crashes and crashes and suffers awful rot.

    not too many eyeballs have refined it over the years,

    Bollocks.

    its most likely unreadable,

    FUD.

    hard to compile,

    What? ...well maybe if you're a tard.

    not cross platform compatible,

    Granted. If it was at all cross-platform I would assume they would have used it in CE or NT or whatever (I read `cross platform` as being n/bit independent).

    purposely built to be incompatible with other platforms, in general, just a real mess.

    Also true. The legacy incompatibility from breaking Caldera's DOS applications - that's still in there.

    The code is just a joke.

    Yes, this is probably true - a company's operating system not being cross platform, suffering system rot, being so very crash prone would qualify as "just a joke".

    On the most part, AC, you're speaking out of your arse.

  89. Re:Source Code is both singular and plural!!!! by sith · · Score: 2

    My fave was a few days ago when Cnet explained that somebody had figured out a code to allow macintoshes on napster..

    Yes.. Up up down down left right left right b a select start...

  90. Re:Source Code Obsession. by Bluesee · · Score: 1

    Obsession is a good word.

    This whole discussion reminds me of that famous American pastime: going out and buying a lottery ticket and then lying around on the couch saying: "I know, I know we aren't really gonna win, but what IF we did! What would You do with Your share of the 11 million dollars!"

    And to those who joke about fixing the bugs for the rest of the world... I hope it is a joke. Otherwise you are seriously deluded if you think one guy would single-handedly be able to diagnose and then fix the bug - without causing more problems - in less than several months...

    I suspect that versions of the source code for Windows have been lying around for years any way.

    --
    SDMI: Finally! Music that won't rip or burn! Brought to you by the fine folks at RIAA.
  91. It's in the OS! by GordoSlasher · · Score: 2
    My buddies in Russia sent me the source code of the next release of Microsoft Word. Here it is.
    /* Word 2001 */
    /* Unpublished proprietary source code of Microsoft */
    #include <winapi.h>
    main()
    {
    /* call new WinAPI routine */
    WinWord();
    }
    Looks like they finally put Microsoft Office into the operating system!
    1. Re:It's in the OS! by jorgen · · Score: 3
      winword.c:3: `#include' expects "FILENAME" or <FILENAME>

      Well, looks like they still have some bugs to iron out before 2001. Does this mean Office 2001 will be delayed?

  92. Re:If Windows is so bad ... by UnknownSoldier · · Score: 1

    > The code is just a joke.

    Sounds like Linux :-)

    Moderators, there is an EMOTICON on the end, in case you missed the SARCASM. :)

    Seriously how much has 2.4 been cleaned up?

    (OpenBSD has supposedly been rewritten and cleaned up due to the full audit. Although after writing NT device drivers, I'd say any OS is relatively clean ;-)

    Cheers

  93. Re:Download speeds and M$oft by dr.+greenthumb · · Score: 1

    Well, I guess you'll need to add packetcompression to your calculation - but still, the download would take ages ...

  94. Re:Of course it does, forget commerce for a second by msodfjsalfhlskdhf · · Score: 1

    It would be interesting to see how MS and the NSA would react if it was revealed by Russian officials who take the code stolen by the Russian crackers when they're arrested (lots of ifs and buts in there) if the officials revealed that the NSA key backdoor that has been given so much publicity actually exists. Suddenly both MS and the US Gov have a lot of egg on their faces...

    --

    ====
    "white bread, redneck, chicken-shit, motherfucker" -- Dr. Dre on "Straight Outta Compton"

  95. Re:Open up some standards by hammock · · Score: 1

    Internal microsoft memos that were leaked out into the public and later confirmed by MS pr to be authentic. They detail how they can "lock out" open source projects by obfuscating and de-commoditizing pretty much every standard protocol and interface. A Microsoft employee also submitted his experience with installing Linux and specifically, checking out the dhcp client as "I'm a poorly skilled UNIX programmer but it was immediately obvious to me how to incrementally extend the DHCP client code (the feeling was exhilarating and addictive)"

    It's basically an internal memo on how MS plans to beat Unix (and Linux), followed by a detailed explanation in Microsoft jargon on just what Linux and Free Software is. There are a couple of humorous fictional "documents"

    All in all, its a good read, read it here:
    http://www.opensource.org/halloween/

  96. Re:I think people might have this backward... by atcurtis · · Score: 2

    Remember in the court case Digital Research brought against them. Microsoft's defense was that they had no version control so they had in effect "lost" all previous versions of Windows and so were unable to present the Windows 3.1 source code to the court as the court had ordered.

    --
    -- The universe began. Life started on a billion worlds...
    -- Except on one where stupidity was there first.
  97. Safe from their own developers? by mikemulvaney · · Score: 1

    Wow, great story. So all you need to break into Microsoft is a few friends that work there. What is Microsoft supposed to do about that? Of course you can't hide your source code from your own developers! That's not a security breach. How can Microsoft possibly control that?

    What are you suggesting, that Microsoft should not allow its own developers access to the source code?

    Mike

  98. Re:Yes! by King+of+the+World · · Score: 1
    No.

    Although this makes me sad too. The dancing gorillas are somewhat hypnotic.

  99. The danger.... by AgentOBorg · · Score: 1

    I see a real danger in the possibility that manipulative and/or paranoid microsoft officials might try to proclaim unrelated open source project to this. Basically, that there are bound to be accidental duplication, at least in terms of superficial similarities, for someone to claim that a piece of code was based in some way on the stolen source. With the ability to incite ignorant official and the public about dangerous "hackers" it would almost surprise me someone didn't try to claim that "trade secrets" were floating all over, and push it as a mean to attack potential rivals. And, if is it is claimed that algorithms were stolen and the code paraphrased, it might be hard to prove one way or the other (which should help on the defendant, but in practice the thing often work out who knows).

  100. Re:Of course it does, forget commerce for a second by tftp · · Score: 1
    some country (possibly not even Russia?) now has what they need

    I doubt that any government had anything to do with this alleged break-in. Why in the world would a trained cyber-spy create lots and lots of new accounts knowing very well that this activity will be logged? Especially if he hasn't disabled logging first (assuming that he had domain admin privileges which are required to create accounts anyway).

    From what I read in popular literature, if a military intelligence wants to steal some secret chances are that nobody will ever learn about it - at least, not in several years. (USA learned about leaks to China after it got its own data stolen back!)

    A professional also would pay much more attention to hiding and disguising himself. Anyone can create a Hotmail account which would be as good as any to collect sniffed passwords. Ability to lay low and just sniff more passwords may be extremely valuable.

    Most importantly, a MI professional may simply choose to use old and reliable way: infiltrate the organization and sneaker-net the data (on CD or HDD). I would assume that developers can take their laptops home. With large number of developers and large number of hires it would not be difficult to recruit someone or even let the secret agent himself through. Leaks like that are likely, and it is very difficult to detect them.

    As someone else mentioned, a government can also simply pay for the privilege to see the code. Many companies have access to NT/Win2K code. The search for vulnerabilities probably would violate the license, but a government isn't going to admit that!

    Therefore, if the break-in actually occurred it was a script kiddie work, judging by his efforts being directed towards less productive work (creating accounts) instead of emailing absolutely everything outside of the company. Microsoft seems to have decent network connection, so if Win2K is 3e7 LOCs it would be only 600 MB uncompressed - just one CD, hardly a big file these days.

  101. Fuck MS Stories by duplicate-nickname · · Score: 1

    For a Linux/OSS orientated web site, /. certainly has enough Microsoft articles on it. Did we see this much about /. being hacked? No. And that would have actually pertained to a site running open source software....not some script kiddie scanning for trojans (unless QAZ is open source?).


  102. Re:Open up some standards by mike260 · · Score: 2

    Sure, but as long as the source to a released build of windows exists, that constitutes a stable interface. If Samba and WINE strictly adhere to that interface, there's nothing MS can do to break Samba that won't also break at least one version of Windows.

  103. Right out of some satire by jetson123 · · Score: 4
    From CNET/AP News:

    "We start seeing these new accounts being created, but that could be an anomaly of the system," Miller said. "After a day or two, we realized it was someone hacking into the system."

    Sounds like it's OK if accounts create themselves, as long as it isn't too frequent. Just when you get a lot of them is it indicative of a breakin?

    If any attempts to download or transfer the source code were made, such activity was not recorded in Microsoft's logs, Miller said, adding that it is unlikely any source code files were copied because of their immense size.

    Good grief! What were they writing? Software bloat as a protection against theft? So, if it's so big, how do they know it wasn't hacked?

    Microsoft's source codes are the most coveted in the multibillion-dollar industry.

    I still can't figure out who would want Microsoft source code. Basing a new product on code you have transferred from another group is hard enough with their cooperation, basing it on a snapshot stolen from a break-in would seem to be pointless: you are better off starting from scratch.

    With access to these software blueprints, competitors could write programs that undermine Microsoft--or use the data to identify vulnerabilities, making computer break-ins and virus writing easier.

    Ah, the media fully buying into the "security by obscurity" approach. The underlying assumption is that any software must be so full of security holes that we couldn't possibly let people look at the sources. How clueless.

    I don't think one could have written a better satire if one tried. It is sad, however, that technical reporters write this kind of drivel as serious reporting (probably directly copied from some PR releases) and people in power believe it.

    1. Re:Right out of some satire by maunleon · · Score: 1

      Don't think windows. Think transaction servers, commerce servers, sql engine, etc. Sure, they are coveted. I'm sure Oracle would like to get the MSSQL source code so they can write a set of benchmarks to exploit weaknesses in SQL engine.

  104. Re:The source code's not the important part by Apotsy · · Score: 1

    True, but MS has the money and the clout to spin this however they want, which will be "those malicious open-source people are to blame", all the while glossing over the fact that it is their lax approach to security that caused it. As usual, the "news" outlets will go right along with it.

  105. Why do it? by Captain_Frisk · · Score: 1

    Besides being the ultimate hack, what would you do with the source code to Windows? Even if you were able to get the whole thing, there's no way a small group of people would be able to do anything with it, and they can't admit to having it, so it can't be distributed.

    What would you do with stolen MS source code? I'm sure there are some creative Slashdotters out there.

    1. Re:Why do it? by girish · · Score: 1
      "what would you do with the source code to Windows?"

      It would be funny if someone came out with a Stable Version of windows, take the source code, make better garbage collection, and a better kernel... hey.. it could happen!

    2. Re:Why do it? by bmasel · · Score: 1

      Sell a lot of T-Shirts.

      --
      Ben Masel: 51,282 votes for US Senate in the Wisconsin Democratic Primary
    3. Re:Why do it? by Kiss+the+Blade · · Score: 1
      What would you do with stolen MS source code?

      Post it on /. of course! It would have very interesting repercussions.

      --

      KTB:Lover, Poet, Artiste, Aesthete, Programmer.
      There is no

    4. Re:Why do it? by aTMsA · · Score: 1
      I'd compile it, substituting every string in which any data about Microsoft appeared with data about my company (which would be called Microsofl), and I would start selling it as MS Windows (and in small letters, 100% compatible). The package and everything would look the same as the original, but I'd sell it 8$ cheaper.
      If they try to sue me, they'll have to give proof that I've stolen their code, and since it's encrypted (I've compiled it, right?) it's illegal to reverse engineer it...

      Mmmhhh... Actually it's not that bad an idea...

    5. Re:Why do it? by brad3378 · · Score: 1

      > What would you do with it?

      Sell a lot of T-Shirts.


      ......They would have to be size XXXXXXXXXXXXXXXL covered front and back.

      ;-)


    6. Re:Why do it? by jfunk · · Score: 2

      Print it on toilet paper.

      Then I'd TP Gates' house with it.

      ...

      After using it.

  106. I have a question... by kgutwin · · Score: 2
    Is it just me, or does this not make any sense?
    At first Microsoft decided simply to deny access to the trespasser, and shut down the new accounts on Oct. 20, a Friday, Schmidt said. But the intruder returned on Monday through the same route and created more accounts.
    Now, I'm no hacker, but if I had created accounts, and they had mysteriously disappeared, I would be a bit suspicious. I don't think I'd go out and do the same thing again... it would have been obvious that they detected my presence. Does anybody else think this smells a bit funny?

    -Karl

    --
    [root@kgutwin /dos]# file msdos.sys
    msdos.sys: fsav (linux) virus (17518-87)
    1. Re:I have a question... by stinky+monkey · · Score: 1

      Yeah. The whole thing is probably just a new MS2000 random account creation "feature" that they haven't realized that they added yet.

      --
      ~Bout Time for another tea party.®~
  107. Source code : blood by xant · · Score: 2
    Source code in a software company is a lot like the blood in your body. Sure, if you lose control of where it's going, you are in deep shit. But you cut yourself almost anywhere, and you're gonna find some.

    This is their stock in trade and they have hundreds (if not thousands) of people working with it and on it. I can assure you that it will always be 'close to the surface', as it were.

    Take it for someone who also works for a big software company.
    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  108. different view of code theft indeed by xeno · · Score: 2

    Code, code, code. Who gives a rat's ass about their hideous source code? Not me. If I were in the cracker's shoes (funny that, I'm white and look at my footgear often), I would carefully evaluate what actions would give the most bang for my hacking buck:

    • Medium bang/buck option: Look at source for a mainstream product: I might figure out how to exploit errors and conditions I wouldn't otherwise find, if I could dig through the sea of crap code.
    • Big bang/buck but risky option: Modify the source for a mainstream product: I might be able to slide hooks or tools into a large population, but I run the risk of discovery when code is diffed for QA and component testing. Kind of inelegant, if you ask me.
    • Huge bang/buck option: Modify the code repository or insert hacked compilers at MS that add hooks or tools into libraries or other code at compile time: Then I can infiltrate a huge user base through multiple future MS products with little or no risk of discovery; i.e. no code review will show the hacks, because they never exist in the source. (Imagine if the compiler used to compile Visual C++ was hacked.) Then create unrelated accounts, copy some unrelated code and intentionally leave tracks as a cover.

    Hmm. If I were going to the trouble of entering the lair of the great software satan, I'd surely want more than to look at spaghetti code from some hyped-up codeslave just out of college. I'd want to get some mileage out of it, and what better way than to do something with continuing returns? Better to salt the fields than just burn them, eh?

    --
    I think not...(*poof*)
    1. Re:different view of code theft indeed by xeno · · Score: 2

      Ain't no original thought in any of my suggestions, just a combination in this particular instance. (Isn't Thompson's suggestion pretty widely known?) In fact, I think someone alluded to a compiler hack earlier in the discussion. The point was that the viewed or stolen code might have been a cover for something else, and that there are a lot of insidious something-else's.

      J

      --
      I think not...(*poof*)
  109. If Windows is so bad ... by (void+*)0x00000000UL · · Score: 1

    If Windows is such a piece of crap, why does the Slashdot community want to (illegally) get its source code?
    If you are found with this code, you'll sure get into great trouble...

    1. Re:If Windows is so bad ... by Prior+Restraint · · Score: 1

      If Windows is such a piece of crap, why does the Slashdot community want to (illegally) get its source code?

      WINE. if i can play half-life under linux... then I'll be happy.

      Wouldn't it be more prudent to try to get the source to Half-Life instead?

      <ramble>

      I've become fed-up with Microsoft, and over my SO's protests, I spent this past weekend retooling my Linux install so that it's the OS I use for all my day-to-day work, leaving Windows solely for games. I can sympathize with the desire to run all one's games from Linux, but I'd much rather that the games were Free than that WINE (or WinE, if you prefer) becomes unfree by accepting illegally-contributed code.

      OTOH, if Free software isn't your motivation for using Linux, petition for ports of your favorite games, and then buy them. I intend to show my support for the porting efforts of companies like Loki by buying the same game again if/when it's ported to Linux. Wasted money? I don't think so. I consider it well worth my money to send the message that their efforts aren't in vain.

      </ramble>
    2. Re:If Windows is so bad ... by PacMan · · Score: 1
      WINE. If I can play Half-Life under Linux with decent stability and full OpenGL support then I'll be happy. If the source code was released this would be of immense help to WINE. Sure, they wouldn't HAVE to copy the code, but they could look at it and say "oh, that's how it works" and then write WINE accordingly.

      Unfortunately this is *exactly* the situation that is covered by the Trade Secret laws. The code itself is copyright, "How it works" is the secret bit.

      Using any information learned from stolen code leaves you open to prosecution, even if you have not copied even 1 line of the stolen code.

  110. Re:racism? doubt it... wrong! by Felinoid · · Score: 1

    The Krull have completed a 50 year study on mankind and have determined the whole species to be inferior to the Silicoid life that is the Krull.
    On a similar note, the beings from dimension X have filed a 200 year study on this entire dimension and have recommended that the board of dimensional control management capsize the entire dimensional layer.
    I have been recently informed that the council was considering that study to be a fraud but have seen your post and changed their minds...
    The termination shall start December 26 this year. It will be instantaneous. I can't give an exact time as everyone lives in a different time zone and converting galmaktic time charts to GMT is a monster pain in the bio waste port.

    --
    I don't actually exist.
  111. Except new aircraft carriers... by jflynn · · Score: 2
    I don't doubt you describe things accurately from your time in the service. But this was in the Washington Post last July 28.

    It sure sounds like they are thinking of changing a sane policy for the worse.

  112. Yes! by faeryman · · Score: 1

    So does this mean I can program my opensource GORILLA.BAS?

    Sweet

    --


    ,
    faeryman
  113. WHERE IS THE SOURCE CODE???? by kerb · · Score: 1

    I've been waiting for someone to post it here! Where are your balls, guys? Pooooost it on FIRST POST!! :)

  114. Re:I think people might have this backward... by hey! · · Score: 2

    The intentional back door has been my big concern about this incident from the start.

    I think everything depends on whether the crackers got lucky and compromised somebody who had checked out some code that ran in some kind of trusted environment (something like kernel32, to be sure, but also portions of IIS).

    The cruftiness of the code is some protection (as someone elsewhere suggested), but not much. Complex, ill-architected environments are the engineer's nightmare and the cracker's natural habitat. The question is whether the crackers had time to figure out a good place to put their exploit.

    Even if they failed to insert an exploit, they'd have a golden opportunity to search for naturally occurring ones.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  115. The source code's not the important part by DeadMeat+(TM) · · Score: 3
    The important part of the crack wasn't the source code, if they got it. So yippee, terrific, we've got some source code -- but what do you expect to do with it?

    Many posters have noted that Microsoft's source code is notoriously bad, and from what code I've seen (i.e. what they distribute with their SDKs) they're right. The whole thing is one gigantic ugly hack -- they're living in a world where strict C and object-oriented C++ mix freely, and the only thing they do consistently is their stupid variable naming scheme. People whine about Netscape 4.x being an ugly hack, but Microsoft code is much much worse -- it just has the advantage of loading at OS boot time.

    That said, there's very little anyone could pull from any source code they got. Picking it apart looking for weaknesses or trade secrets would be fruitless -- picking apart the source code to their DirectX demos is bad enough, let alone a whole OS. Even before you figure in the legal issues, it's much easier to just reverse engineer the blasted thing.

    What's important here is now Microsoft has to admit that their products are exploit-ridden. One of the greatest problems that computer security advisors have had recently is Microsoft's attitude towards the VBScript exploits; basically, they think that their codebase is good enough as is, with maybe a few patches needed here and there, and if in the meantime a few exploits make their way through then tough. (In fact, security experts rightly point to Outlook Express as the sole reason that worms like Melissa can even exist.) After all, the Microsoft PR people say, it's good enough for us.

    But now someone has forced them to own up to the fact that the security in their products is a joke. Before this exploit, Microsoft spent many a PR dollar blasting Linux for the 'inherent insecurity' of its open-source nature, pointing to the fact that Microsoft itself uses Windows NT/2000 for its servers and nobody's broken into them before. Now that's all changed, and someone has shown that not even Microsoft can trust their own products for maximum security operations.

    The irony is that Microsoft has become a victim of its own policy -- if it works for the most part, there's no point in patching up the little security holes. Well, guess what -- those little security holes added up to one major security hole that struck Microsoft at its core!

    So what does this mean to the average consumer? It means that Microsoft is going to have to work really hard to fix up its codebase. After such a high-profile attack, Fortune 500 companies are probably going to think twice before using Microsoft software for mission-critical operations. Microsoft really is going to have to prove itself in the future, and that means no more quick-fix patches to security holes that fix one hole but don't really fix the overall problem, like the series of IE and Outlook Express patches that come out after every new ActiveX or VBScript exploit is revealed.

  116. Danger of stolen code. by www.sorehands.com · · Score: 1
    If the Russians started to use the Windows code, it might put them back into the stone age.

  117. Did MS stage it? by Anonophobe · · Score: 1
    Is MS on the block for an upcoming product release? Would they stage this to either:
    1. Have a (*ahem*) "legitimate" reason to delay a product, or
    2. Get sympathy from the rest of the world? (i.e. Poor MS, look what they've had to endure...they shouldn't be burdened with antitrust suits...)
    -My $.02
  118. The real worry for MS... by franksbiyatch · · Score: 1
    is that someone will corrupt the Redmond source code by adding all kinds of back doors.

    It would be catastrophic if a much-used application like Outlook or scripting platform like VBS had huge security holes that even twelve-year-old kids knew how to exploit.

    How would anyone be able to trust Win servers for e-commerce? Would there need to be "security challenged" notices on all Win2k powered e-commerce sites like genetically-altered poultry? Just a thought.

    This is going to give me nightmares.

    full choose-and-lose2000 coverage

  119. MSNBC also says access to source == vulnerability by mrWrong · · Score: 1

    Hackers also could use the codes to identify software flaws, making break-ins and virus-writing easier.
    nice jab at open source software, there, too. can't have a story about MS on MSNBC without SOME kind of jab at OSS.

    --
    http://www.nakedandfree.com
  120. Source Code Obsession. by MightyMicro · · Score: 2

    Why is everybody so obsessed with source code, Microsoft's or anybody else's? Just what in the heck are you going to *do* with a glimpse of some of the source code to Office or Windows?

    Laugh at banal commentary? Giggle at a misused pointer? Squirm over the indentation? Be mildly shocked at the local variable names?

    Say you got the lot -- now what are you going to do? Fiddle around with n zillion lines of tired, structurally decaying code to make a version of Windows that doesn't work as well as the binary on the box you bought? What's the chances that you will have the least clue what you're doing? Or that it will be actually *worth* anything to anybody? What are you going to do? Spend your life rebuilding Windows? Please, feel free . . .

    Don't you get it? IT DOESN'T MATTER WHO SAW MICROSOFT'S SOURCE CODE.

    1. Re:Source Code Obsession. by finial · · Score: 1

      I'm just using Microsoft's own words. "The code wasn't downloaded, it was only looked at."

      Why? Because you could then explore an unknown flaw rather than one there may be a fix for.

    2. Re:Source Code Obsession. by sethg · · Score: 2
      A friend of mine suggested a very simple use: Add another back door to the code, recompile it, and distribute it as warez. In countries where most running copies of Windows are pirated, this could be very useful for the attacker.

      If the attacker can get access to one of the facilities where legitimate copies of Windows get installed onto OEM machines, then things become much more interesting. "Here's $5000. Now, please look the other way while I replace Microsoft's master CD with Folger's Crystals...."

      --
      send all spam to theotherwhitemeat@ropine.com
    3. Re:Source Code Obsession. by TomV · · Score: 1
      Microsoft's theft of Spyglass

      What, the fully paid-for and credited theft? The one referred to in the Internet Explorer 'Help/About' as follows...

      Based on NCSA Mosaic. NCSA Mosaic(TM) was developed at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign.
      Distributed under a licensing agreement with Spyglass, Inc.

      TomV

    4. Re:Source Code Obsession. by finial · · Score: 5

      Here's what you could do with it:

      Let's say it was someone who isn't really after Microsoft code just to get the new Microsoft code. It could be someone after Microsoft code to find security flaws in older, installed products. Products that Microsoft is no longer updating yet are still installed on many, many machines (like Windows 95 or NT3.5). If, by reading (not downloading, not uploading, but just looking at) the code, they can find a hole, 85% (or whatever number they use today) of the desktop machines in the world are vulnerable to attack. Why risk going after Microsoft when you've got the rest of the world ripe for the picking and they probably don't even realize it?

      If it were me, I wouldn't waste time on "upcoming" or beta products. I'd go after the older stuff that's already installed, and therefore unlikely to be updated. Stuff that no one is paying attention to any more except to run things like, oh, Quicken or MS Money.

      That way, you don't have to DO anything with the code, you just use it to go after other things. Remember the security/ActiveX security flaw that let you enter a Quicken transaction using IE? How much easier would it have been to find if you had the source code for the underlying flaw right in front of you rather than poking around?

    5. Re:Source Code Obsession. by Goonie · · Score: 3
      Wrong. It does matter, for the following reasons:
      1. It's going to be a lot easier to find security holes in Windows if you've got the source code. Of course, in Linux this cuts both ways because the good guys can find and fix them much more easily too, but Microsoft aren't likely to be taking patches any time soon :)
      2. Having the source code would make figuring things out for interoperability purposes much easier for projects like Samba and WINE. Of course, neither of the above projects would use knowledge obtained from the crack (if the crackers actually downloaded any code worth looking at) - the legal risk is simply not worth taking.
      3. Finally, the Windows source code could get audited for code that really shouldn't be in there, such as unacknowledged BSD code, or any GPL'd code. I very much doubt that it actually contains any, but . . .
      So, yes, it *does* matter, but not in the ways the general media think.
      --

      Any sufficiently advanced technology is indistinguishable from a rigged demo
      --Andy Finkel (J. Klass?)
    6. Re:Source Code Obsession. by MODERATE+THIS+UP! · · Score: 1

      I don't know if you ever noticed but windows is comprised of a few hundred different files. Do you really think the whole shébang is compiled at once?? Of course not! You compile DLLs, EXEs one at a time.

      --

      PCXL Forever!!!!

    7. Re:Source Code Obsession. by Dharma · · Score: 5

      Oh I dunno, how 'bout looking for lines such as...

      /* They should be using Media Player anyway */
      if(realAudio())
          breakRealAudio();

      /* Dang hippie OS */
      if(linuxPartition())
          corruptRandomLinuxBlock();

      -----
      Zennie

    8. Re:Source Code Obsession. by thue · · Score: 1

      It's going to be a lot easier to find security holes in Windows if you've got the source code. Of course, in Linux this cuts both ways because the good guys can find and fix them much more easily too, but Microsoft aren't likely to be taking patches any time soon :)

      MS has up till now relied on security through obscurity. That could mean that there are parts of the code that are insecure, but have been protected by that obscurity; we don't know.
      So now any cracker in the world potentially has access to potentially easily exploitable MS source code. How do you know your Windows installation is not wide open? That means that if you want to run a highly secure server, you should NOT be using MS software. (But I guess you wouldn't in the first place anyway, just another brick in the wall... :) )

    9. Re:Source Code Obsession. by boarderboy · · Score: 1

      If, by reading (not downloading, not uploading, but just looking at) the code, they can find a hole
      How do you expect to read the code without downloading it? Oh wait, I get it, you upload your eyeballs:)

      Anyway, there are already plenty of known security holes in the products mentioned. Why would someone need any more?

  121. Re:IPv4 by h3x0r · · Score: 1
    Admittedly, Sun does have some problems with the HTONS/HPOUNDS issue (we once had some Sun guys in here to try to figure out the problem with our Ultra/280 server-cluster, and they didn't realize that they needed to recompile the signal module with -m7 -e5, LOL).

    As I said before, Linux Troladvis has considered this problem in his initial DMA/ATAPI architecture module implementation! Why you refuse to acknowledge this simple fact befuddles me. But let me prove it to you:

    1. If you can initialize the checksum polynomial to a n-order quaternion, the first 15 of 16 bits must be secure if the ECONNREFUSED problem is properly circumvented.
    2. Failing that, set the IOCTL special type to 'k'. Doing this will allow unverified checksum-return markers, but only if you can discount the XTI t_rcv function return value.
    3. Finally, failing that, set the BIOS ISR for INT 23 to read a regular block from virtual space: i.e., use the mapping n[k,j] -> m[l,k]. This will allow the protected mode interface to properly supplant the independent device mode property of the source route structure. This can be done with gratuitous use of the venerable NOP instruction on x86 architecture. Specifically check the IPOPT_SSR flag. Don't be fooled; even if it's not set the first time, read i/o port 7ca, then check again -- it should be set.
    As far as PMTU discovery, I myself have been an outspoken critic of this for over 87 years because I feel it is inherently flawed in design. Even Linux Trlvdsoa has proclaimed it unworthy of the Linux-Certified(tm) Logo. Take for example their software engineering practices, they do not create valid SRS documentation nor do they acknowledge a proper traceability matrix protocol segment header. Come on, you'd think they coded in C.

    Now, I will admit, your alternative solution of the Gaussian Elimination could work, except for the fact that AIX does not allow math operations to be performed more than 1/38.98 cycles/bounds due to inherently unstable ionization around the kernel signal processor unit. If IBM were willing to patch this fairly trivial defect, it would not be a problem, but as far as cross-platform capability, this seems to limit it somewhat. Instead I suggest we use bezier interpolation between the bits to come up with a floating point representation of each bit, encrypt and hash these floating point numbers down to 1 bit each, and then send that. That would guarantee (to some extent) algorithmic correctness, at least. But frankly I feel the best solution is a hardware solution. While I myself am a big proponent of reversible computation, Linux sdlastorjs seems to not be so confident that it can work due to space/time tradeoffs involved in emulating irreversible operations. But if you consider that Tripoli gates are more efficient and automatically create quantum interference states, then you can use that combined with a good NMR spectroscopy to internally re-compute (automatically) the new state vector. When you collapse the solution, you can be certain that it is correct and secure. And it even runs on Sun platforms. Try beating that with ICMP based MTU discovery.
    ---

    --
    GetSystemMetrics(SM_SECURE) == FALSE
  122. Re:I think people might have this backward... by mindstrm · · Score: 2

    That might have a chance, that is, if Microsoft didn't use some sort of version control system. As it stands, I'm *sure* their version control/build management system ensures that you can't just 'add' in some code. You would have to go way deep to actually change it. I can say that, at work, I can easily get access to all our code.. but even as the sysadmin, actually changing that code throughout the revision history of our rev control system would be *very* difficult.
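
Added illustration, not part of the comment above and not a description of Microsoft's or the poster's actual system: one way a revision history becomes hard to alter is to derive each revision id from its parent id and file digests, and to keep the head id on record outside the repository. The hash-linked design, authors, file names and contents below are assumptions and constructed sample data.

```python
"""Tamper-evident revision history (added illustration).

Assumption: each revision id is a SHA-256 over its parent id, metadata and
file digests, as in content-addressed version control. Authors, file names
and contents are constructed sample data.
"""
import copy
import hashlib
import json


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def revision_id(parent, author, message, files):
    # Canonical JSON so the same revision always hashes to the same id.
    body = json.dumps(
        {"parent": parent, "author": author, "message": message, "files": files},
        sort_keys=True,
    )
    return digest(body.encode())


def commit(history, author, message, contents):
    """Append a revision; `contents` maps file name -> bytes."""
    parent = history[-1]["id"] if history else None
    files = {name: digest(data) for name, data in contents.items()}
    rev = {"parent": parent, "author": author, "message": message, "files": files}
    rev["id"] = revision_id(parent, author, message, files)
    history.append(rev)
    return rev["id"]


def verify(history, trusted_head):
    """Walk the chain from the first revision; return (ok, reason)."""
    parent = None
    for index, rev in enumerate(history):
        if rev["parent"] != parent:
            return False, f"revision {index}: parent link broken"
        expected = revision_id(rev["parent"], rev["author"], rev["message"], rev["files"])
        if expected != rev["id"]:
            return False, f"revision {index}: contents do not match id"
        parent = rev["id"]
    if parent != trusted_head:
        return False, "head id differs from trusted record"
    return True, "ok"


def rechain(history, start):
    """Recompute ids from `start` onward, as a full history rewrite would."""
    for index in range(start, len(history)):
        rev = history[index]
        rev["parent"] = history[index - 1]["id"] if index else None
        rev["id"] = revision_id(rev["parent"], rev["author"], rev["message"], rev["files"])


def demo():
    history = []
    commit(history, "alice", "initial import", {"auth.c": b"int check(void);\n"})
    commit(history, "bob", "add logging",
           {"auth.c": b"int check(void);\n", "log.c": b"void log_msg(void);\n"})
    head = commit(history, "alice", "release 1.0",
                  {"auth.c": b"int check(void);\n", "log.c": b"void log_msg(void);\n",
                   "VERSION": b"1.0\n"})
    trusted_head = head  # kept outside the repository, e.g. in a signed release record

    results = {"clean": verify(history, trusted_head)}

    # Case 1: an old revision is edited but its id is left alone.
    edited = copy.deepcopy(history)
    edited[1]["files"]["auth.c"] = digest(b"int check(void); /* altered */\n")
    results["edited_in_place"] = verify(edited, trusted_head)

    # Case 2: the edit is followed by a rewrite of every later revision id.
    rewritten = copy.deepcopy(edited)
    rechain(rewritten, 1)
    results["rewritten"] = verify(rewritten, trusted_head)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} ok={ok} {reason}")
```

The second case is internally consistent, so only the head id held outside the repository exposes it.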

  123. Ha ha by scriptkiddie · · Score: 1
    Microsoft's source codes are the most coveted in the multibillion-dollar industry. With access to them, competitors could write programs and challenge Microsoft's products.
    So competitors need to steal the source code to write programs for the O.S.? Antitrust, antitrust, antitrust.
  124. regardless... by Anonymous+Koward · · Score: 1

    what does that have to do with me talking to a troll? Put yer dick away, freak. and get out of the house...(oh yeah..it's not imaginary...but no need to prove that to your gen-y ass, eh? turd)

  125. **FLASH!** this just in: by talks_to_birds · · Score: 1
    This is getting spun so much as time passes that I wanted to add a little update while we can still post to this thread.

    Associated Press

    "Oct. 30, 2000 | SEATTLE -- A hacker had high-level access to Microsoft Corp.'s computer system for 12 days -- not up to five weeks, as the company had first reported -- and was monitored the entire time."

    So they watched the guy for 12 days? OK...

    "The company was alerted to the break-in by the creation of new accounts giving users access to parts of Microsoft's computer network... 'We start seeing these new accounts being created, but that could be an anomaly of the system,' Miller said."

    Well, I know that spontaneous account creation is a commonplace occurrence on *any* system I've ever worked on.. Personally, I *never* worry about it..

    "After a day or two, we realized it was someone hacking into the system."

    Well, that must have been a shock! From "System Anomaly" to "Being Hacked"! That must have ruined someone's day...

    It was not until Oct. 26, however, that the company notified federal law enforcement, which is investigating the matter. Microsoft said it initially planned to handle the break-in on its own.

    "We realized the intrusion had grown to the level that warranted bringing in the FBI," Miller said.

    READ: "..we realized we'd been cracked and we had to say something before the cracker did, so we could control the spin..."

    Miller acknowledged the hacker could have been in the system for longer than 12 days, but he said the company is confident that high-level access occurred only between Oct. 14 and Oct. 25.

    But even with low-level access, the hacker could have accessed corporate e-mails and other confidential information, Miller said.

    But wait! Which is it? Twelve days, or longer? Or twelve days of high-level access and some longer period of -- what? -- mere access to "e-mails and other confidential information"?

    That's a relief..

    When you look at the entire pattern of M$ discussion of this event, from the first admittal, to Ballmer's statements (which I take as very significant), to the more recent evolution, it's MNSHO that M$ got cracked, and cracked hard, and cracked by professionals, not scr1pt k1dd13s.

    Next, watch for this story to disappear off the front page entirely.

    In a week or so, you won't even know that this happened.

    Except for new legislation in Wa$hington, if Gee-Dub-Ya and the Republicrats get elected..

    t_t_b
    --
    I think not; therefore I ain't®

    --
    I'm on PJ's "enemies" list! Are you?
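
Added illustration, not part of the posts above or of the quoted article: a detection sketch that reconciles every account-creation event against approved provisioning requests, so the first unexplained account raises a finding, and that also flags a creation arriving through a route whose earlier accounts were already disabled (the pattern raised in the "I have a question..." comment). The log format, account names, hosts and ticket ids are assumptions and constructed sample data; only the dates follow the timeline quoted in the thread.

```python
"""Reconcile account-creation events against provisioning records.

The log format and every name below are constructed for this example.
"""
import re
from datetime import datetime

# Constructed audit log lines.
SAMPLE_LOG = """\
2000-10-13T09:02:11 ACCOUNT_CREATED account=newhire01 by=hr-provision host=ADMIN-01
2000-10-14T03:17:40 ACCOUNT_CREATED account=tmpbuild7 by=jsmith host=VPN-HOME-22
2000-10-16T02:51:09 ACCOUNT_CREATED account=tmpbuild8 by=jsmith host=VPN-HOME-22
2000-10-20T16:30:00 ACCOUNT_DISABLED account=tmpbuild7 by=secops host=ADMIN-01
2000-10-20T16:30:05 ACCOUNT_DISABLED account=tmpbuild8 by=secops host=ADMIN-01
2000-10-23T04:05:33 ACCOUNT_CREATED account=tmpbuild9 by=jsmith host=VPN-HOME-22
"""

APPROVED = {"newhire01": "REQ-1001"}   # account -> provisioning ticket (constructed)
PROVISIONERS = {"hr-provision"}        # identities allowed to create accounts

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>ACCOUNT_CREATED|ACCOUNT_DISABLED) "
    r"account=(?P<account>\S+) by=(?P<actor>\S+) host=(?P<host>\S+)$"
)


def parse_events(text):
    """Return account lifecycle events in time order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def analyze(text, approved, provisioners):
    """Return one finding per account creation that cannot be explained."""
    findings = []
    created_via = {}    # flagged account -> (actor, host) route that created it
    burned_routes = {}  # route -> time an account created through it was disabled
    for event in parse_events(text):
        route = (event["actor"], event["host"])
        if event["event"] == "ACCOUNT_DISABLED":
            # Disabling a flagged account marks its route as known-bad.
            if event["account"] in created_via:
                burned_routes.setdefault(created_via[event["account"]], event["ts"])
            continue
        reasons = []
        if event["account"] not in approved:
            reasons.append("no_provisioning_request")
        if event["actor"] not in provisioners:
            reasons.append("creator_not_a_provisioner")
        if route in burned_routes:
            # Accounts were removed but the way in was left open.
            reasons.append("route_reused_after_disable")
        if reasons:
            created_via[event["account"]] = route
            findings.append({
                "ts": event["ts"].isoformat(),
                "account": event["account"],
                "route": route,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, APPROVED, PROVISIONERS):
        print(finding["ts"], finding["account"], ",".join(finding["reasons"]))
```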
  126. Quote by chazR · · Score: 3

    I'm pretty sure it was Stewart Brand. There's a reference to it here

    The full quote is "Information wants to be free. Information also wants to be expensive. Information wants to be free because it has become so cheap to distribute, copy, and recombine -- too cheap to meter. It wants to be expensive because it can be immeasurably valuable to the recipient. The result is a tension that will not go away."

    It must be true - I saw it on /.

  127. Re:ping:an ominous cow herd (was re:dick sizing) by An+Ominous+Coward · · Score: 1

    but his UID sucks my dick all night long

  128. This would be more interesting... by vsync64 · · Score: 1

    ...if they'd at least tell us what they got the source to...

    --
    TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
  129. Re:Its a Government Conspiracy! by Jeremiah+Cornelius · · Score: 2
    This is the most plausible theory, and makes sense to people who wouldn't usually associate with the wing-nuts in the tin-foil beanies.

    It could have been a REAL minor virus/trojan occurrence. These happen at big companies all the time. (I'm a security consultant, I get to see the stuff...)

    Microsoft is not famous for disclosure, even under oath. Nonetheless, they have voluntarily made the decision to go public with a damaging publicity incident. They are sure to be milking the cow for a reason...

    Generally, these things are not at all publicized. Keep it hush! Where did this story first break? MSNBC? Did they call a press conference?

    Keep your eyes open. It will be interesting to watch the further developments here. Microsoft are surely interested in manipulation of laws and government, as amply evidenced by the behaviors exhibited in the course of their subpoenaed testimony.

    Bill calls the shots from the top, and he's arrogant enough to think that the Constitutional mechanisms for statute and regulation are archaic impediments to himself, personally - and to Microsoft only by extension of his ego.

    Jeremiah Cornelius

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  130. Re:Its a Government Conspiracy! by ummit · · Score: 1
    I have to say, I'm afraid you're right. They got lucky; the story wasn't played up by the major mainstream media very much. (If it wasn't for slashdot, I don't think I would have heard about it at all.)

    I guess they were helped, too, by the dulled expectations set by all the previous Outlook-related breakins: "Ho, hum, another e-mail virus". So I guess we can chalk up another item on the roster of crippled computer science concepts which the juggernaut has foisted on a gullible public until that public accepts them as normal and appropriate -- along with MS-DOS, blue screens of death, constantly changing and incompatible document formats, etc...

  131. Fuzzy math by Technician · · Score: 1
    Something doesn't add up.

    1) A home computer connected to the network was borken into. That is understandable.

    2) Passwords were detected (by Microsoft) being sent to St. Petersburg.

    Unless they were sent from inside Microsoft, how did they detect they were sent at all?

    --
    The truth shall set you free!
  132. Surely, past employees also have copies? by Mozz+Alimoz · · Score: 1
    I know the break-in was by someone much more likely to have a malicious motive, but surely there are plenty of ex-Microsoft employees who also have motive and have had much more access to the source. Either to take a copy or accidentally leave a buffer overflow in the code.

    So in a pessimistic way I don't see this break-in as making the situation worse. Just more discussed.

  133. asdf by linuxgod · · Score: 1

    You're the only one doing it now. What makes you different from me?

    NOTHING


    Ignore the Anonymous Pissant trolls !!!

    1. Re:asdf by linuxgod · · Score: 1

      Then you're younger than I.


      Ignore the Anonymous Pissant trolls !!!

  134. Interoperability? by Bilbo · · Score: 1
    > 2.Having the source code would make figuring things out for interoperability purposes much easier for projects like Samba and WINE. Of course, neither of the above projects would use knowledge obtained from the crack (if the crackers actually downloaded any code worth looking at) - the legal risk is simply not worth taking.

    I'm not saying anyone should do this, but consider the following:

    Let's say someone on the SAMBA team is working on a particularly nasty little interface bug. Somehow, this individual gets a look at the stolen MS code. Using this knowledge, they are able to figure out this cryptic bit of interface behavior in the original MS software. They then go in and implement some function to correctly mimic the behavior of the MS code. NOTE: At no time have they included actual MS code in their implementation. What they have done is simply used a different source of knowledge to help them reverse engineer and re-implement a bit of behavior in code.
    Now, is this:
    1. Legal?
    2. Ethical?
    3. Detectable?

    (One other note: Since the stolen code was supposedly all in "future" software, like MS ".NET", this whole question is pretty academic :-/)

    --
    Your Servant, B. Baggins
  135. Hmmmm by brad3378 · · Score: 1

    Okay, I'm dying to know...

    Why is M$ making this news public? Wouldn't it make more sense to keep this whole thing hush-hush?

    I sense a conspiracy theory!!

    --

    1. Re:Hmmmm by Cryptosporidium · · Score: 1

      If they didn't, they'd get flak for suppressing news, bias, etc. You're dead one way or the other.

    2. Re:Hmmmm by ActMatrix · · Score: 1

      As a publicly traded corporation, aren't they also legally obligated to release this news since it may have an impact on the integrity of their intellectual property?
      ---

  136. Persactly! by TOTKChief · · Score: 2

    From the article:

    Microsoft's source codes are the most coveted in the multibillion-dollar industry. With access to them, competitors could write programs and challenge Microsoft's products. Hackers also could use the codes to identify software flaws, making break-ins and virus-writing easier. Microsoft has shared parts of its source code with partners, but it has kept the vast majority of the data secret.

    You know, I read this and thought, "If the DoJ really wanted to stop the MSFT monopoly, why not force them to open their source?"


    --
  137. "Software blueprints"? by Earlybird · · Score: 1
    I hate it when the old-economy, pre-"open source" metaphors and paradigms are imposed on the technology industry. I quote from the article:
    • [...]
    • virus had gotten a look at -- but did not corrupt -- a valuable software blueprint, or "source code," for a computer program under development.
    I find it extremely interesting that many people still consider source code to be the equivalent to architectural blueprints.

    In fact, as we all know, the source code is the software. Whatever "blueprints" exist in a software project comprise whatever design documents you have, and the most formalized kind of blueprint for any project today is your collection of UML/OMT/etc. diagrams.

    It's not like you feed the source code into a lathe and have it cut out the final shape of your product, which are then assembled and erected by engineers and painted by graphical designers.

  138. 80% by jjr · · Score: 1

    80% of all security break-ins come from inside. I think this is an inside job that was made to look like a "Hack". You never know; this is just my opinion, I have been wrong before.

  139. Re:Open up some standards by NecroPuppy · · Score: 1

    Even though the Halloween documents went public, Microsoft is doing EXACTLY what they set out to do.

    I know this will make me sound rather clueless, but chalk it up to nine months of unemployment and a general feeling of not caring about the world, but I have to ask...

    What are the Halloween documents?

    --
    I like you, Stuart. You're not like everyone else, here, at Slashdot.
  140. Re:MSNBC also says access to source == vulnerabili by gunner800 · · Score: 1
    nice jab at open source software, there, too. can't have a story about MS on MSNBC without SOME kind of jab at OSS

    Exposing Windows source exclusively to malicious people would be dangerous. Security through obscurity isn't just bad in general, but it's really bad if the obscurity is destroyed.

    Exposing source in OSS works well because it is exposed to everyone, and worked on by many people who are trying to make the project better.

    Next you'll be complaining that MSNBC says lots of good things about linux, but only to fortify MS's claim that linux is competition.


    My mom is not a Karma whore!

  141. Everything's a virus by Eil · · Score: 3


    Couldn't help but notice that the story first said "trojan virus" and then later, "worm virus."

    Nice to see that these "technical" journalists have been keeping up with the lingo.

    JOURNALISTS: You must choose between the words virus, trojan, or worm. They have different, but related meanings.

    Also I'd like to applaud the media for finally giving some attention to a *real* hacker, and not some script kiddie. Any d00d with the t00lz can shut down a poorly-maintained website, but it does take a bit of time and skill to track down a Micro$oft employee, find his home computer, and go looking around from there. From the sound of the article, they don't provide any evidence that any code was actually taken or downloaded, just that there is a very high probability that he got to glimpse at some of it, which they remind their readership in every other sentence.

    1. Re:Everything's a virus by NevarMore · · Score: 1

      We don't know that anyone went looking for a microsoft employee. With the current boom of trojans and their users it is more likely that someone happened to find a microsoft employee who couldn't get Norton Anti-Virus installed correctly and downloaded Back Orifice or SubSeven looking at porno. The issue is not who was the leak or what caused the leak (espionage, virus, a large angry penguin) but who ended up getting the source code.
      If it was someone who knew what to do with it then m$ is going open-source whether they want to or not. It's also likely that it may just be a script kiddie that was able to recognize that it was code, but couldn't figure out how to use it and deleted it to make room for an Irc bot.

      If you have access to microsoft code and are reading this please distribute it, OPEN SOURCE NOW!

  142. Re:MSNBC also says access to source == vulnerabili by flynt · · Score: 1

    Well it is the truth. The reply should be, now that the vulns are identified, steps should be taken to fix them, until there are no more. It is two different ways to approach the problem, and neither seem to be working.

  143. Re:Its a Government Conspiracy! by ummit · · Score: 1

    I have to disagree with the theory that Microsoft staged this. There's a very good chance that it's going to hurt them, badly, not because of any outright code theft, but because of what it's going to do to the perception of trust, the blindly faithful acceptance, by all their faithful customers, of everything they churn out as being "good enough". Clearly, in this highly-visible case, it wasn't even that good.

  144. Denial of the truth! by Elric+of+Grans · · Score: 1

    M$ is claiming that they have everything under control, but this sort of stuff is happening all the time there. I was never involved in any of it, but I recall several instances of the same sort of thing occurring in the past. Give it up M$, we are too smart for you! That's why we have UNIX based machines in our homes :)

    --
    addi $v0, $0, 10 syscall
  145. Re:Could it be ... ? by delmuerte · · Score: 1

    Cute. Well first off, how much money are WINE and Star Office making? There are so many points here I am not really sure where to start. This is not a Linux you are dealing with here. This is not a select group of highly skilled users that are driving the technology. This is Microsoft. Every Tom, Dick and Mary use this suite. They implicitly trust their code and have no way of verifying it is safe. Look at the recent viruses that have come out just with people understanding the Windows APIs. Can you picture the havoc that will be wreaked when people know the actual source code? Kernel level trojans and viruses. No more macro viruses; now there will be viruses that call on the kernel itself. Wake up! Not everybody out there is a developer with pure motives. While it is true that many of us would love to see how the system works to try to improve it, there are still way too many who would be destructive to dare let the code become public.

    Just my opinion
    David Dominick
    "Did you get rid of all the voices in your head? Do you now miss them and the things that they said?"

    --
    David Dominick Security is the opiate of the masses -- twist on an old quote
  146. Re:M$ Suck$ by TheShadow · · Score: 1

    But yet, you use hotmail.com... dumb shit.

    --
    "What do you want me to do? Whack a guy? Off a guy? Whack off a guy? Cause I'm married."
  147. Opening windows will increase MS stock values? by gallir · · Score: 1
    Did you notice that MS stock prices have increased since the theft? This is the first case I know where a theft increases the value of the victim.

    What if MS realises that opening the code would increase their values even more? Would we have another, but a real giant RedHat?

    I am amazed, I cannot understand the investors, unless they are geeks. Just in case, if someone here is thinking to rob source code from Oracle, tell us, I will buy some shares ;-)

    --
    sgis ddo ekil t'nod i
    1. Re:Opening windows will increase MS stock values? by Dionysus · · Score: 1

      Microsoft's stock went up because the company beat the market's expectations for the last quarter.

      I am amazed, I cannot understand the investors

      Well, it would have helped if you had paid attention. The M$ stock had been up for a while before the news of the breakin got out.

      --
      Je ne parle pas francais.
  148. Back door by Ndog · · Score: 1
    A person familiar with the break-in told The Journal that it appeared the hackers accessed Microsoft's system by e-mailing software, called QAZ Trojan, to the company's network and then opening a so-called back door through the infected computer.

    I'm glad they used protection. It's always wise, but especially when going in the back door and an infection is involved.

    --
    -N
  149. Download speeds and M$oft by djve · · Score: 1

    Well, when running news at a small Australian university I worked out that in 24hours at 9600b/s you could easily move more than 9Gb. But the source will be much more than that and you normally get the most recent versions by default so 2400B/s for two or three days would be more than sufficient.

    --
    "There is magic in the web." - Othello Act 3 Scene 4.
    1. Re:Download speeds and M$oft by ActMatrix · · Score: 1

      9Gb in a day at 9600bps? How'd you calculate that? At that speed you'll get 103,680 kb/day or approximately 101 megabytes per day.
      ---

  150. What the hell do they expect us to believe? by gTsiros · · Score: 1

    Do they expect us to believe that they monitored the whole cracking attempt, yet they end up saying "we don't know what the hacker did"?

    isn't it a bit weird?

    --
    Looking for people to chat about multicopters, coding, music. skype: gtsiros
  151. Source Code Value by abiessu · · Score: 1

    "... the most valuable code in the multi-billion dollar industry ..."

    Is it just me, or is it valuable only because it isn't publicly available? It doesn't seem that there would be much inherent value in that source code of itself . . . :)

    --
    Let S_n = {nst+us+vt : s,t in Z \ {0}, u,v in {-1,1}}. For all n in Z where |n| > 2, Z \ S_n is infinite... right?
  152. Its a Government Conspiracy! by cosmosis · · Score: 2

    Am I the only one around here who finds the timing and announcement of this break-in happens to coincide with the timing of both the International Anti-Cyber-Crime Treaty and the anti-hacker bill going through congress? Come on folks, this is exactly the ammunition the law enforcement community needs in order to shove down our throats increasingly draconian surveillance and criminal laws that strip away what remains of a tattered constitution.

    The timing of this reminds me of the DoS attacks earlier this year which then prompted Congress to increase the federal government's escalation of cracking down on so called 'hackers'.

    1. Re:Its a Government Conspiracy! by Anonymous Coward · · Score: 1

      I see stupid people. They walk amongst us. They post with high uids. I guess the FBI investigation over the crack is part of this conspiracy too, eh? [!Slaps forehead!] Of course, silly me.

      Here's a clue: The gov't can't even conspire to give universal health care to its citizens.

  153. Re:Linux vs Windows security (humerous) by Kevin+Wall · · Score: 1

    Or, as a colleague of mine put it,
    Did you hear that someone broke into www.redhat.com
    and stole the Linux source code? ;-)

  154. obviously.. by stinky+monkey · · Score: 1

    obviously they thought they broke in somewhere else, cause as soon as they realize they downloaded MS code, they'll probably pay Microsoft to take it back.

    --
    ~Bout Time for another tea party.®~
  155. New Copyleft clothes by Anne+Marie · · Score: 5

    RIDGEWOOD, NEW JERSEY -- Copyleft, an open source company that has made a significant effort to support the free software community with financial contributions financed through online sales of "geek chic" clothing, is poised to announce its new winter fashion line. Though no details are yet forthcoming, it is believed that central to Copyleft's new offerings is a blue cotton wedding dress with a thirty-foot train. When asked why, management denied comment except to mumble about needing more space to work with. Rumors of an apparent connection to Microsoft's recent break-ins and code theft remain unanswered.

    --
    -- Anne Marie
  156. I think people might have this backward... by JohnsonWax · · Score: 5

    Everyone is focusing on releasing Windows source code on the internet or basing products on that code. These I think are unlikely.

    Instead, what if a good hacker decided to drop a few dozen lines of code in amongst the 10s of millions or so lines in Windows to make it easier for *them* to hack. Why hunt down security holes, when you can code them into the product yourself.

    With everyone and their sister using Windows these days, this could give a hacker access to most every industry out there. And given the loose security between MS products, the new code could be in Office, Explorer, Outlook, almost anything. So the hacker downloads heaps of source code from a variety of MS products, finds a good location to insert this code and then modifies and sends a bit back. In amongst all the code that MS has to manage - most of which I'm sure they rarely look at, who would notice? How hard would it be to find?

    Has the next MS product you plan to buy already been compromised? This I think is where the concern should really lie...

    1. Re:I think people might have this backward... by Sangui5 · · Score: 1

      Has the next MS product you plan to buy already been compromised? This I think is where the concern should really lie...

      I think the WSJ article mentioned that the breakin happened several months ago. They pointed out that a new version of Outlook and MediaPlayer have both been released in the vulnerable timeframe.

      So, forget about the next MS product you buy. How about the one that you have...

  157. Re:MSNBC also says access to source == vulnerabili by graystar · · Score: 1

    It's only a vulnerability if M$ doesn't fix the errors. If there are a few bugs that are exposed it would look bad for two reasons.
    1. It would probably take them a long time to fix them.
    2. The effort to get everyone in the world running M$ to update would be a pain in the butt, and everyone would get pissed off at M$

    --
    -- Cheer, Cheer, The Red and the White.
  158. Using stolen code in a legal action... by freeBill · · Score: 2

    Does anybody know if there are any precedents on this? Does the law on evidence obtained by illegal wiretaps apply?

    As I recall, Alan Dershowitz did a column in the New York Times when the movie version of "Bonfire of the Vanities" came out. In it, he said only the government was not allowed to use evidence from an illegal wiretap (i.e., one which had been recorded without the knowledge of any of the parties to the conversation).

    Dershowitz claimed (in my memory) that there were no restrictions in a civil suit such as was portrayed in the movie. He also said that it was even OK for the government to use evidence it had obtained illegally if it was being used to discredit perjurious testimony.

    Perhaps an unintended consequence of this incident is that no Microsoft will be able to lie in court about source code without fear of dramatic repercussions. That should severely restrict their traditional deposition-courtroom strategies.

    Anyone know what the law is on this matter?

    --
    Eternal vigilance only works if you look in every direction.
  159. Well, Microsoft cares by Len · · Score: 1
    You may not give a darn about Microsoft's source code, but Microsoft does, at least as much as any other software company [except Red Hat? :-)]

    They care about their intellectual property to the extent of making employees sign non-disclosure agreements. And not allowing ex-employees to clean out their desks if they take a similar job with a competitor. Other companies do the same.

    Anyway, Windows is not the only product Microsoft sells. Source code from Office was also compromised. I can imagine why competitors might want to look at how certain features work, given the feature-list "checkbox wars" that go on in the industry.

    And they supposedly got information about some future products, too. That would certainly be worth something to a competitor, or as blackmail material.
    --

  160. Wrong.... by blogan · · Score: 1

    9600 bits/second x 60 sec/min x 60 min/hr x 24 hours x 1 byte/8 bits x 1 megabyte/2^20 bytes =~ 98 megs.

  161. It's never happened before? by klevin · · Score: 3
    "We've been forecasting worm-based industrial espionage to happen for quite some time," said Mikko Hyppönen, anti-virus researcher for F-Secure Corp. "It has finally happened. I'm just surprised it happened at the top."

    Oh, come on. Are we honestly expected to believe that this is the first time this has happened? This sort of thing goes on all the time, they even admitted it earlier in the article. Perhaps this is the first time it's happened to a really large corporation that's then let the information leak out to the public, but the first time it's ever happened?

  162. Stolen code and open source by borud · · Score: 2
    Some of the intellectually challenged journalists here in Norway have suggested that the event of open source developers having free access to the stolen code would be just what they wished for.

    Oh boy are they wrong.

    Imagine the stolen code surfaces on the net. Imagine Microsoft lawyers all of a sudden start targeting open source projects that are somehow related to the code that was stolen, accusing them of making use of the stolen code.

    Microsoft is a large company with huge resources. Huge enough to take on the US department of justice. I am perfectly capable of imagining how Microsoft could strike a blow at the open source industry and leave it in a legal quagmire for years to come.

    1. Re:Stolen code and open source by graystar · · Score: 2

      We had an article in the Sydney Morning Herald today claiming open source was "people who think commercial software code should be free". The journos have no idea at all. I think we need a company like red hat etc to explain to these people what it means.

      --
      -- Cheer, Cheer, The Red and the White.
  163. Racist Bullshit Must End by tyronefine · · Score: 1
    What's wrong with you, sucker (referring, of course, to the sucker who moderated down my cogent remark)? I should gonna beat you like spare tire iffin I find you. Moderating me down was an obvious racist and discriminatory action, and as, it must be dealt with as such.

    Just remember, you're going to be a minority one day. You best hope my African-American and mestizo brothers and sisters don't take our revenge for this kind of outrageous fortune.

    I am,

    --

    I am,
    Fine

  164. racism? doubt it by anonymous+cowerd · · Score: 2

    ...Of course, iff any racist comments are found, that's further evidence that Microsoft needs to be disbanded.

    For crying out loud, Microsoft has thousands upon thousands of employees, and this is the U.S.A. - do you for a second doubt that among all those employees there are a few racists? The company I work for has maybe 250 employees in all and I personally know of at least a couple of fairly virulent racists among that lot.

    I'm no fan of Microsoft at all but I'd bet you a hundred to one that there is no top-down official policy at MS which is racist in nature. Ageist, sure, I'm positive that like the rest of the software industry they blatantly (and illegally) discriminate against older coders, but racist, I seriously doubt it.

    If you summarily shut down every American company with racists in it, you have to shut down damn near every company in the country. The way I feel about capitalism in general, I won't object too loudly, but, you know, there are some sensible people who might not think that is such a good idea.

    Yours WDK - WKiernan@concentric.net

    1. Re:racism? doubt it by tyronefine · · Score: 1
      For crying out loud, Microsoft has thousands upon thousands of employees, and this is the U.S.A. - do you for a second doubt that among all those employees there are a few racists?
      Of course I don't doubt it, that's what I'm saying.

      If you summarily shut down every American company with racists in it, you have to shut down damn near every company in the country.
      And what is wrong with that? If that's the first step in bringing this country back from the brink of racist implosion, I say so be it. And, might I add, I think the proceeds of shutting down racist companies should go to African-Americans, in the form of reparations for wrongs done to our ancestors and present day living examples.

      I am,

      --

      I am,
      Fine

  165. Source Code is both singular and plural!!!! by Moe+Yerca · · Score: 1

    If I hear another journalist talk about Microsoft's "source codes" I think I'm going to kill myself. What's up with that?

  166. Did I miss something? by discore · · Score: 2

    When was the article on actually confirming that someone _took_ the code. I don't think anyone has seen it.
    I can understand assuming that anyone who cracks into corporate computers would be capable, and willing to steal proprietary source code. The script kiddies of the planet have destroyed an honest cracker's reputation long ago.
    It seems to me that this is what we call hype. Maybe I'm just being ignorant, sorry if I am.

  167. brief look at code... by aozilla · · Score: 1

    The Journal also reported that electronic logs showed that the internal passwords had been used to transfer source code outside Microsoft's Redmond headquarters. That was denied by Schmidt in his account to the Times, who said there was no such record of a transfer, and that it was highly unlikely the intruder did more than get a brief look at the code.

    Stupid cracker, why didn't you use scroll lock!

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  168. At this rate... by weave · · Score: 3
    Every day the spin gets tighter and the compromise becomes less and less of a big deal.

    By the end of this week, the story will be that an employee got the flu and was home sick for a few days. While working from home under the influence of prescription drugs, he accidentally renamed a user account which set off a few alarms, but everything is well because no product deadlines will slip because of it.

  169. Several points, one slightly off topic by DoubleEdd · · Score: 2
    Firstly, MS are surely negligent and have only themselves to blame if they spotted the break-in several weeks ago (told the Times that the break-in was first noticed when irregular new accounts began appearing more than a week ago.) and did nothing to pull the plug. They could easily have physically separated systems containing source code from those connected to the net. If code was stolen in these circumstances they only have themselves to blame.

    Secondly, what is this rubbish about a 'brief look'? We all know it'd take nothing more than use of a screenshot facility to preserve the data to read back at one's leisure.

    Thirdly, considering the venom with which MS is likely to chase down anyone in possession of the source code, would it not be worthwhile using a random one-time-pad to encrypt the code and have two people post, independently, the two halves without making claim to it containing MS code? Then a third party could point out that the code can be obtained by the appropriate XORing, and no one (except perhaps the third party, who is doing little more than posting a link) can be blamed, as both the first two have posted nothing more than random data?

    Where would the law stand on this issue?

  170. Simple by Anonymous Coward · · Score: 2

    Let's say it was someone who isn't really after Microsoft code just to get the new Microsoft code. It could be someone after Microsoft code to find security flaws in older, installed products. Products that Microsoft is no longer updating yet are still installed on many, many machines (like Windows 95 or NT3.5). If, by reading (not downloading, not uploading, but just looking at) the code, they can find a hole, 85% (or whatever number they use today) of the desktop machines in the world are vulnerable to attack. Why risk going after Microsoft when you've got the rest of the world ripe for the picking and they probably don't even realize it?

    If it were me, I wouldn't waste time on "upcoming" or beta products. I'd go after the older stuff that's already installed, and therefore unlikely to be updated. Stuff that no one is paying attention to any more except to run things like, oh, Quicken or MS Money.

    That way, you don't have to DO anything with the code, you just use it to go after other things. Remember the security/ActiveX security flaw that let you enter a Quicken transaction using IE? How much easier would it have been to find if you had the source code for the underlying flaw right in front of you rather than poking around?

    1. Re:Simple by Dest · · Score: 1

      When you access data you are downloading it.

  171. Or maybe this isn't so bad... by qcomputing · · Score: 2

    Did anyone ever stop to think that maybe, if some hackers were to get ahold of the Windows source code, they wouldn't use it for malicious purposes? Perhaps some intelligent hackers would use it to fix some of the massive errors in Microsoft's OS instead of just writing yet another virus.

  172. Looks like someone did... by qcomputing · · Score: 1

    ...in the post before this one ;)

  173. moderate up! by grarg · · Score: 1

    the idea that the most powerful military arsenal(s) in the world can be so dependent on the proprietary software of ONE company is indeed very scary...we're talking about nukes here, lads...

    --
    The conclusion of your syllogism, I said lightly, is fallacious, being based on licensed premises
  174. Could it be ... ? by gempabumi · · Score: 1

    Could it be that Microsoft will use this as a precursor to opening their source - to say, "Now that it's out in the open, we might as well open it anyway. For security reasons, of course."

    Far fetched, I know, but think about it.

    1. Open Source is taking off, and it will continue to do so because it benefits the programmer, and is starting to benefit the user. People are realizing that the marginal cost of reproducing software is in no way related to its price.

    B. MS has bet the farm on .NET. Maybe ballmer and gates ran out of lithium and are realizing how far behind they are in distributed computing. If they open their source, they could use all the GPL'd software in their product, and be caught up in a day.

    7. Didn't they just buy Corel? Or did I dream that?

    X. Maybe they saw how well WINE and StarOffice handle .doc and .xls and they realize their "competitive" advantage is slipping.

    Think about it - if you can't beat them, join them. Think of all the benefits microsoft would reap from being able to incorporate GPL'd software into their system - while at the same time, they give up _very little_ by opening their source.

    At the same time, a break up is pending. The only way the new divisions of MS could work together was if they opened their source.

    Before: MS - huge, closed-source software powerhouse with dominant market share and surging profits.

    After: OpenMS - huge, open-source software powerhouse with dominant market share and surging profits.

    (The only task that remains is for the spin doctors to lessen the blow on Microsoft's ego)

  175. by the way by Len · · Score: 1

    I guess I should mention that I worked at Microsoft for a few years, a few years ago. And no, I won't send you any source code. :-)
    --

  176. Re:Of course it does, forget commerce for a second by jflynn · · Score: 1

    I expect the government will wait for the FBI report before taking any action. But I would be very disappointed if this discussion didn't occur at high levels of the government if the report does find evidence of a significant risk.

    I hope that any financial institutions that are using Windows also consider their risk. After military security, financial gain is probably the second most likely motive for a serious attack. I doubt it would involve competing with Microsoft.

    If open source doesn't float their boat, the military might consider forking a BSD.

  177. A worm virus trojan? by Sebbo · · Score: 3

    The account given by Microsoft officials to the Times also cited the use of QAZ Trojan. Computer security experts said QAZ was a well-known worm virus that first surfaced in China several months ago.

    So the QAZ trojan is a well-known worm virus. Glad we got that straightened out.

  178. Open up some standards by mike260 · · Score: 1

    Am I right in thinking that there's a lot of undocumented / occult stuff in Windows hindering the development of things like Samba and WINE?
    I imagine having a copy of the W2K source would help with that somewhat.

  179. Re:Reading Comments Can Be Enlightening by Len · · Score: 1
    It's great that you were able to find such evidence in your case, but I can't let this go without comment:
    I would not be surprised to find that Microsoft has racist and discriminatory comments in their code.
    There were no such comments in the many thousands of lines of code that I read and wrote at Microsoft while I was there (for five years, several years ago). While Microsoft was under pressure at times to improve their affirmative-action practices, I never noticed any discrimination against anyone (and most of my co-workers were not white, American, Christian men).
    --