Slashdot Mirror
Windows 2000 & Windows NT 4 Source Code Leaks
PeterHammer writes "Neowin.net is reporting that Windows 2000 and Windows NT source code has been leaked to the internet. More on this as we hear it."
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
Later isn't going to work, since the server was down even before it hit the Slashdot front page. I empathize with their server.
I did, however, managed to grab the news blurb (but not the, at that point, 214 comments) from the intermittent front page:
Torrent, anyone?
I had but a simple dream, to destroy all humans.
Mirror with comments.
Hope it's all just a bluff.
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
While you may not have heard of Neowin before, they are actually quite well known and are often placed in those '100 essential sites' lists.
They focus primarily on windows tech, and have a knack for breaking stories about Windows- leaked builds of future versions, beta builds of service packs, etc. Whoever runs the site is well connected in Microsoft.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
Microsoft gave a talk at usenix: Windows A Software Engineering Odyssey
This slide indicates the full source is 50gb and took a week to setup and 2 hours a day to update.
That implies to me that people could have the whole source but it would huge.
Slide 24 talks about their new perforce based system that only takes 3 hours to setup and 5 minutes to update.
I personally think it's a bad analogy, but even that isn't as far-fetched as you might think.
George Harrison (of Beatles fame) was succesfully sued for _subconsciously_ ripping off the song "He's So Fine" (in "My Sweet Lord"). See here for more details.
So, no, I don't think worrying about IP contamination from looking at Windows source code is paranoid at all.
DNA just wants to be free...
As long as you do not copy the code verbatim you are not in violation of copyright law.
Copying of nonliteral elements is actionable infringement. That's why many reverse engineering firms have two separate teams: one to describe a piece of copyrighted code and another to implement it.
In any event, it is a myth that, simply by looking at, or even studying, one set of code one is somehow "tainted" and unable to contribute to another, competing project, be it free or proprietary. To violate copyright law one must copy, not just receive inspiration from.
Try telling that to the estate of George Harrison, who lost in Bright Tunes v. Harrisongs. It's possible to copy without knowing you're copying, and it's still infringement.
The idea of being "tainted" is actually from licenses that have "trade secret" clauses. Once you sign a license like that, you *are* tainted. That being said, it's a very difficult clause to enforce. Contracts that prevent someone from working in the field for which they are educated and experienced have often been found unenforceable by courts.
(IANAL and this is not legal advice. Go talk to PJ. At least she's a paralegal.)
Javascript + Nintendo DSi = DSiCade
IAAL. What you are saying is simply not true. Even if you don't copy verbatim you can be guilty of copyright infringement if you create a "derivative work" from copyrighted material. MS would probably argue that your "perusal" of their code and subsequent creation of a work based on such "perusal" would constitute creation of a derivative work. Its done all the time since only a complete moron would copy source code verbatim.
Also, because the act of copying is incredibly hard to prove unless you are dealing with a complete moron, it is not necessary under the law today for a copyright plaintiff to actually prove the act of "copying." Generally speaking, it is sufficient for them to prove "access" to the copyrighted work and "substantial similarity" between the two works. There is tons of case law on this stuff.
This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.
We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to the Microsoft's Anti-Piracy department.
Please do not post any links/screenshots/hints or anything to do with the source code outbreak. Discussion is allowed but we will not condone people spreading this source code.
(The rest is just the comments, you know, crap like you get on /.)
To note if the leak is true and the stock gets pounded it's unlikely one would get the opportunity to short the stock. Ref SEC rule 10a-1 (aka "Uptick Rule). For Reference: http://www.forbes.com/2001/10/04/1004short.html But bottom fishing would certainly be in order. Question of course is where is the bottom when a stock takes a hit? :)
Cheers!
...when hackers broke into Microsoft's corporate network. Google is your friend.
found a torrent: ed2k://|file|windows_2000_source_code.zip.torrent| 16496|5506C49CCCA12204BAB6FE960CE5602C|/
n fo 20021207 - decode BitTorrent metainfo files
btshowmetainfo.py windows_2000_source_code.zip.torrent
btshowmetai
metainfo file.: windows_2000_source_code.zip.torrent
info hash.....: f03fc1e04869294d5644d3c8c5d0fb8f2d26aa59
file name.....: windows_2000_source_code.zip
file size.....: 213748207 (815 * 262144 + 100847)
announce url..: http://alge.nlc.no:6969/announce
maybe its that thing, atm 23 seeders, 239 downloading and it was created on 2/12/2004 11:16:13 PM, so looks good so far
knock yourself out
Windows Update clients are hardly secure if you happen to modify the registry of the client system to use a differenet "WindowsUpdate" server...
You remember incorrectly. That looks like zlib (which gzip is based on). zlib's license is very flexible:
/* zlib.h -- interface of the 'zlib' general purpose compression library
http://www.gzip.org/zlib/zlib_license.html
version 1.2.1, November 17th, 2003
Copyright (C) 1995-2003 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not
claim that you wrote the original software. If you use this software
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly jloup@gzip.org
Mark Adler madler@alumni.caltech.edu
*/
The listing appears valid, but is only a subset.
I lived for years with full source access at a MS partner company.
Example of what's missing is the file systems (only the file system recognizers seem to be there, not the file system), the entire device driver tree, storage drivers, etc. Most of the core kernel functionality is there though, if pre-service pack levels.
http://www.internetnews.com/ent-news/article.php/3 312451
r ol eak_1.html
. as p
http://zdnet.com.com/2100-1104_2-5158496.html
http://www.infoworld.com/article/04/02/12/HNmic
http://www.eweek.com/article2/0,4149,1526390,00
http://www.sschmidt.info/w2k_source.torrent
:-)
I haven't finished downloading this, but it's 200MB in size, has 944 peers!
The tracker is the same one you have listed:
http://alge.nlc.no:6969/announce
The hash is also the same.
The company was actually called Spider, and the Spider TCP/IP stack (which was BSD-derived) was used in exactly one MS operating system: Windows NT 3.1 (1993-1994).
Windows NT 3.1 was released in 1993, and replaced in 1994 by Windows NT 3.5, which was much smaller, much faster and used an MS-written TCP/IP stack (which was presumably smaller and faster than the BSD-derived Spider stack). The MS TCP/IP stack in NT 3.5 was then ported to Win9x for the release of Windows 95.
The lifetime of NT 3.1 was very brief, and during that brief lifetime, hardly anyone used it (because it was too big, too slow and there was no Win32 software), so the fact that its TCP/IP stack was BSD-derived is not really something to brag about.
I read rotten.com, I think I'm about as fscking tainted as they come. It's absurd to think that there would be ground for a lawsuit against an open source project you worked on because you had at one point glossed over the NT kernel source or something. That's like homeopathics who believe that remedies should contain miniscule quantities of active ingredients. In fact, the "strongest" formulations usually contain not a single molecule of the substances in question. Zero parts per billion -- pure water.
I've seen the Windows CE source. Maybe I should never program again because MS could sue me! I think not.
PS No offence to homeopathics, I don't care what crazy shite you belive in.
-73, de n1ywb
www.n1ywb.com
Think it absurd if you want; the law certainly allows for it. It works like this:
1) You see some proprietary source, either legally or otherwise;
2) You later work on some open source project;
3) The copyright holder of the proprietary source in 1) looks at the open source project and decides that some sections of the code look strikingly similar to their own code. They further discover that you wrote or contributed to those sections. They call their lawyer. Now, it may well be a combination of "coincidence plus a limited number of ways to do X" that caused the similarity, but you're going to have to convince a judge and/or jury of that. The other side will have to convince them that you copied it. They've got the striking similarity plus the fact that you've seen their source. What have you got?
Now, since you've seen the Windows CE source, why don't you ask the Samba project if you can join, and tell them you've seen MS source code (whether legally or not doesn't matter; seeing it is all that matters) and see if they will take you on as a developer.
I bet they won't.
Microsoft Confirms Windows Code Leak
---
Microsoft Corp. on Thursday confirmed that the source code for two versions of its Windows operating system has been leaked, a security breach that could give hackers important intelligence about how to exploit flaws in software run by most of the world's computers.
"Today we became aware that incomplete portions of Windows 2000 and NT 4.0 source code was illegally made available on the Internet," said Microsoft spokesman Tom Pilla. "It's illegal for third parties to post Microsoft source code and we take that activity very seriously."
Pilla said the company does not know how much of the operating system code was compromised, but he said Microsoft believes it was not a complete version of either operating system.
There was no indication that the code was stolen through a breach of Microsoft's internal network, Pilla said. He said the FBI is investigating the matter.
Computer security experts said the release of Windows source code could pose a significant threat to Internet security, depending on what portion of the code was leaked.
A leak of any portion of the Windows code "could dramatically increase the probability that new zero-day vulnerabilities will be found," said Alan Paller, director of research the SANS Institute, a security training group based in Bethesda, Md.
"Zero day" exploits are highly effective attacks that occur when hackers discover a way to exploit a security vulnerability before or at the same time as a software maker learns of the flaw. Attackers can then use this information to launch a virus or worm that exploits the security hole before a patch can be released to fix the problem.
Thor Larholm, senior security researcher at Newport Beach, Calif.-based PivX Solutions, said the Windows source code file being traded on the Internet appears to be roughly 660 megabytes in size, about the size of one CD-ROM's worth of data. That is far short of the estimated 40 gigabytes of data that makes up the entire 40 million lines of code in the Windows operating system.
Even a partial leak "is a potentially very serious problem for Microsoft," Larholm said. "Just look at the vulnerabilities that are discovered by people who didn't have access to the source code."
The origin of the leak is not currently known. The Redmond, Wash.-based software giant closely guards the computer code that comprises the company's operating system. But Microsoft does license portions of its programming code to security researchers and more than 50 universities under its "Shared Source Initiative."
Microsoft last year said it would began sharing complete copies of its source code with governments around the world that want to validate the security of the software before deploying it in national defense and other sensitive areas. Microsoft signed an agreement in 2003 that lets the Australian government inspect the source code of Windows 2000, Windows XP and Windows Server 2003. Other counties, including India, are exploring similar arrangements.
Unlike open-source software like the widely used Linux operating system, the code comprising Microsoft's Windows software is not open for public inspection. Linux users are encouraged to participate in an open, continuous cycle of modifications and upgrades that its proponents say results in systems that are more secure and reliable than those powered by proprietary code like Windows.
Hmm. That's my tracker. And it's dead now. I probably should learn to not have a public tracker.. *sigh*
Anyway, at least 1000 people got it down, so it shouldn't be too hard for some of them to make a new torrent. But I'm definetly not going to host it anymore.
--
alge of flauna
http://alge.nlc.no/
Security bugs.. Nah...
_ 01.html
ORGANIZATION=Mainsoft Co. Ltd.
MAINSOFTLM_HOST=@xora /app-defaults
$ grep -r strcpy -i . | wc
10454 42054 1069145
Where it was ganked from:
There is a core dump file inside the windows 2000 (sp1) archive, it clearly shows that the source was stolen from a system at Mainsoft. The following url confirms that they did have access to the leaked code. http://mainsoft.com/news/press_releases/2000_3_22
The actual strings which confirm this:
PWD=/usr/ms/win2k_sp1/private/security/msv_sspi
DOMAIN=mainsoft.com
REPLYTO=eyala@mainsoft.com
MWBATCH_SERVER=lod:8000
MSOFTLM_HOST=@xor
XAPPLRESDIR=/il2/users/eyal
EDITOR=vi
BASE_LIBPATH=/usr/lib
http://torrent.spyderlake.com/download.php?info_ha sh=f03fc1e04869294d5644d3c8c5d0fb8f2d26aa59
The Reuter's article on Yahoo contains a number of inaccuracies that are clearly prejudicial, and are probably sourced within Microsoft.
It (the story) amounts to an obvious attempt to spin up a scenario that will lead ultimately to criminal prosectution of persons involved in Open Source. And the story being such an obvious attempt at spin doctoring could lead one to believe there is more going on here than one poorly written news story...
Apparently Gates & Co. have decided their civil case fronted by SCO is not quite strong enough, and are trying to establish criminal precedent in order that, whether the current SCO effort succeeds or fails, the next case will be criminal.
One could hope that the courts will develop enough tech skillz to determine that the line
showing up in both windoze and Linux code does not constitute proof of theft under some Gatesien system of jurisprudence ...
Examples of the (imo) prejudicial language in the story [emphasis mine]:
There is no evidence cited that the code is being "traded". It appears that it is being distributed, but I haven't seen any reports of it being exchanged for anything else. This is key, since the languaged used here implies a profit motive on the part of the alleged "traders"; necesary for the criminal prosectution because there is a need to establish that the code is worth a great deal...
This sounds like it came straight out of a Microsoft publicist. It is an emotional appeal statement, designed to imply a henious threat to the alleged victim, Microsoft (and by implication, SCO).
The statement is factually inaccurate, even as metaphore. Source code is a principle part of the products manufactured by most software companies, but expertise in the creation of source code is more properly the "lifeblood" of the company.
Of course, Microsoft is a bit challenged in the expertise dept, but that should be applied to "any software company"....
If it is indeed "illegal" for 3rd parties to post the sources, then why would the aforementioned "agreements" require threat of civil action? If it's illegal, there should be no need to lititgate. The threats would be of prosecution, not litigation.
Furthermore, the word "share" here is ridiculous. If you've ever looked at what it takes to get an NDA to look at M$ sources, there's no "sharing" to it. It's a business transaction, and it doesn't happen unless M$ gets the lions "share" of any potential benefit.
WTF? Well, admittedly I haven't written any "programs running on Windows" in quite a few years, but I no idea things had changed quite that much... [that's sarcasm in case you can't tell; the statement is just plain wrong]
"The Internet is made of cats."