A quick peek around indeed shows something named Windows.Source.Code.w2k.nt4.wxp.tar circulating, but this had to happen sooner or later, considering the number of institutions with access to the source. Wonder how long it'll take before a torrent of new worms using newly discovered security holes tears up the net.
I for one would love to peek around in this, more out of curiosity than any desire to actually do something useful with it.
Re:it's true by MenTaLguY · Score: 5, Insightful
> I for one would love to peek around in this, more out of curiosity than any desire to actually do something useful with it.
I hope you weren't planning on ever contributing to any Open Source projects after doing that. If it's later demonstrated that you had access to the W2K source and contributed vaguely similar code (even by accident) to a project, it could have severe repercussions for that project.
I doubt Microsoft would leak it deliberately, but this does open the door to a whole SCO-esque can of worms from now on.
And that's exactly why I won't even consider downloading this. I make a living as a programmer, and if I have access to this source, Microsoft, with the resources they possess, could make the rest of my professional life a nightmare. As much as I'd love to peek around in this, I won't risk it.
So, if any Micro$oft employees have ever looked at Linux kernel source, they are no longer allowed to work on Windows 'cause now they are tainted? Either the sword cuts both ways, or not at all.
--
"Freedom means freedom for everybody" -- Dick Cheney
You're assuming the law will be applied fairly and evenly.
Re:it's true by Anonymous Coward · Score: 5, Insightful
And that, more than anything else, is why this code leak helps the black hats far more than the white hats.
Re:it's true by iminplaya · Score: 4, Insightful
> And that's exactly why I won't even consider downloading this.
And here lies one of the most basic problems of copyright. Nobody can see the other's code...to build on and possibly improve. Everybody has to learn what is already known by themselves. That slows down the whole development process to a virtual standstill. I think this whole copyright mess has probably set us back anywhere between 50 and 200 years. This applies to all human work, not just computers.
Moving from cathedral to bazaar isn't easy. This stuff has been closed all along, and although people have been able to sense what moronic code the Beast has produced, it will be first now that they'll see with their own eyes.
Linux has had the advantage of being checked, line for line, from the beginning. NT was an estimated 16 million lines of code; 2K three times that much. That's a lot of code.
I think what people will see, most for the first time, is exactly how bad the coding is in Redmond. This will cause some laughter, and some shock. I think they'll find that parts of the NT kernel were strangely well-written, coming as they did from David Cutler's 'tribe' and the DEC Prism project on which NT was based. On the other hand, I think they will find that other parts, such as the GDI, were horribly written.
And it's all good, IMHO: eEye and Guninski and others have been able to give us a bit of a picture of how bad things are there, but we'll finally be able to see with our own eyes.
Re:it's true by GlassHeart · Score: 5, Insightful
> here lies one of the most basic problems of copyright. Nobody can see the other's code...to build on and possibly improve. Everybody has to learn what is already known by themselves. That slows down the whole development process to a virtual standstill.
I agree that a lot of reinvention has to go on, but I think you exaggerate the effects of not being able to reuse code. To begin with, people tend to forget the steep learning curve required if you choose to reuse code as opposed to rolling your own.
Case in point: Microsoft started nearly from scratch (licensed a simpler browser, IIRC) with IE, at around the same time Netscape decided it was unable to maintain its aging source code. IE overtook Netscape 4 in terms of quality (despite illegal bundling) over a few years. We cannot know if Netscape could've survived if they kept maintaining their 4.x browser, but it's pretty clear that Microsoft wasn't moving slowly at all.
Apple then did the same years later, starting with KHTML (generally considered inferior to Gecko), and within a pretty short time has a really polished Safari browser. It's not as maximally compatible as some of the more established browsers, but it's probably 90% of the way there within a year or two of development.
In fact, the projects that truly move at a glacial pace tend to be the free software projects. Sourceforge is full of these projects, gasping for attention, despite disclosing full source code. In the commercial world, when you throw money at a problem, code gets written from scratch pretty quickly.
Zeroth point: Who? Neowin.net?...now where have I heard that name before...oh--that's right! Nowhere! It's one of umpteen-dozen Slashdot wannabe sites, your basic news feed/PHP comment page model. I can't imagine they have that much of an investigative team...
First point: The tagline for Neowin.net is "Where unprofessional journalism looks better". I'll take what they say with a block of salt.
Second point: The odds of getting one's hands on the full source to NT4/2K are slim to none--even most Microsoft folks couldn't do that. The code is probably scattered across multiple servers in Redmond, for starters, and you'd only be given access to the parts you needed to work with.
Third point: The article has absolutely no detail to it whatsoever. For all we know, they've released a trojan masquerading as the source code and are trying to sucker geeks and 14m2rZ into downloading it.
...as the site is probably going to crash hard very quickly, here's the article text:
Neowin has learned of shocking and potentially devastating news. It would appear that two packages are circulating on the internet, one being the source code to Windows 2000, and the other being the source code to Windows NT. At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them. Microsoft are currently unavailable for comment surrounding this leak so we have no official response from them at the time of writing.
This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bear thinking about.
We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to Microsoft's Anti-Piracy department.
Close your eyes! by exhilaration · Score: 3, Insightful
...LEST YOU ARE CORRUPTED!!!
Seriously, don't look at it, you will no longer be considered "clean" and might become a liability to any project you work on.
Re:Close your eyes! by djh101010 · Score: 2, Insightful
This is actually very good advice. There's probably not a lot of "Wow, that's a great way to do things" in there, and you certainly don't want to be in the position someday of sitting in a courtroom with a bunch of MS lawyers, explaining how even though you downloaded a copy of it, the work you produced since isn't derived from their IP.
It wouldn't be the first company to pull something silly like that, after all...
Just don't use the code by Midnight Thunder · Score: 3, Insightful
Whatever you do, don't let the code influence your projects. The last thing we want is Microsoft joining in with SCO and accusing the open source community of using MS code in an open source project such as Linux. Sure you probably wouldn't want to with its reputation, but I am sure there would be those who would be tempted.
-- Jumpstart the tartan drive.
Re:Just don't use the code by SkArcher · Score: 4, Insightful
Exactly
In fact if you are involved with an Open Source project (especially Kernel and Window Manager projects) I suggest you do everything possible to avoid seeing this code.
Accusations of Taint are undoubtedly going to spring up from this, and you would be better to be well clear.
I will confess to a certain curiosity as to what the results of a comparator test would be though.
--
An infinite number of monkeys will eventually come up with the complete works of /.
Re:Just don't use the code by cybermace5 · Score: 4, Insightful
*** CONSPIRACY THEORY BEGIN ***
I remember someone on here, a while back during one of the SCO stories, wondered what would happen if Microsoft released the source code, but under such a devious license that contamination would be fatal to an open-source project.
Maybe someone at Microsoft thought that was a neat idea.
*** CONSPIRACY THEORY END ***
As far as looking at the code: the only real reason to examine it is to find new exploits. No developer is going to slave over that source in order to find bugs and repair them, since there is no legal way to do it.
-- ...
Do NOT read that code! by AuMatar · Score: 5, Insightful
Do NOT read that code if you ever wish to program for an open source OS, ever. Doing so will make you tainted- you open the project up to allegations of copyright infringement. Unless you never want to contribute a single line to Linux, *BSD, etc, checking out that code is a bad idea. It's almost a surprise MS didn't "leak" Win 95 or 3.1 years ago to catch open source developers like this.
--
I still have more fans than freaks. WTF is wrong with you people?
Re:Do NOT read that code! by Samari711 · Score: 3, Insightful
oh take off the tinfoil hat already.
that's like saying the beatles can sue every musician who ever listened to them for copyright infringement
--
I never said I was smart, I just said I was smarter than you
Re:Do NOT read that code! by TekPolitik · Score: 4, Insightful
> Do NOT read that code if you ever wish to program for an open source OS, ever...
Of course those of us who are also lawyers can safely read other people's code, because we know exactly what to do to avoid infringing. It is possible to extract knowledge from the code without breaching copyright, but...
Getting a copy of the code at all is a breach of copyright.
Re:Do NOT read that code! by GoofyBoy · Score: 3, Insightful
> It's almost a surprise MS didn't "leak" Win 95 or 3.1 years ago to catch open source developers like this.
Please, you are talking about sacrificing the source code for NT and 2000 just to hold off OpenSource projects, which WILL happen eventually regardless of what lawyers say. They can't stop every computer science student out there from writing and giving away programs.
The number of viruses created and holes which will be found (now and years in the future), IF this is true, will almost destroy any IT administrator to a weeping mound of tears and make them seriously consider moving to Linux/BSD/Mac.
Moving to XP won't help because this could happen with that code also.
So, IF this is true, this MIGHT be more damaging to MS than the Dept of Justice thingy from years ago. Not something MS would want to do on purpose no matter what they think about OpenSource.
-- The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Re:Do NOT read that code! by cmowire · Score: 3, Insightful
That's not entirely in the tinfoil zone.
The basic problem is that if it's clear that you have viewed the source code and make substantial contributions to a project that competes with Windows, MS will be able to, without being laughed out of court, at least file a lawsuit against you and ruin your day.
The correct analogy is sampling large portions of a beatles song or performing your own rendition of it. If you try to record a beatles song and sell it, you had better pay the proper song royalties or you will get sued.
I'm really fascinated about, if this turns out to not be a lie, the long-term ramifications of this. It's a can of worms that you can't undo. Its impact on the number of security holes, any commentary by third party sources, etc. will be most interesting. Especially given that it's probably reached areas already where it doesn't have the sort of protections that it has under US laws. ;)
Re:Do NOT read that code! by Samari711 · Score: 2, Insightful
i think my analogy in context of its parent makes sense. the parent sounds like the mere act of viewing the code forever infects you with microsoft code and you can never make any contributions to any open source project ever again (talk about viral). obviously copying code from windows into linux would be a big no no, but just looking at it does nothing.
to further my analogy a little bit, say a beatles song uses a C G D chord progression and i've written a song using the same progression i'm still safe even if i know that i'm using the same chord progression so long as i didn't take it from the beatles. i could either have come up with it on my own messing around or been shown it elsewhere.
--
I never said I was smart, I just said I was smarter than you
Re:Do NOT read that code! by happyfrogcow · Score: 4, Insightful
> The correct analogy is sampling large portions of a beatles song or performing your own rendition of it. If you try to record a beatles song and sell it, you had better pay the proper song royalties or you will get sued.
Yet if I learn to play guitar by among other things, listening to all of the Beatles songs and playing along, do the Beatles own the rights to any future song I write? Goddamn hell freakin no! How is that any different from learning things from viewing MS, or any other person's code?
I've learned to code by doing all sorts of things over the years. Among them, learning from coworkers' code. Applying that knowledge at my current job doesn't make the property of my current employer a derivative work of my employer from 5 years ago, even though I had access to the source code of that previous job.
This is not good. Windows is designed primarily with 'security by obscurity' in mind. The security holes indeed show up every often and we have worms making it to the gazillion windows boxes before the patch does. Get ready for a deluge of worms/virri. Another bad week/month for sysadmins.
If this is true... by thesolo · Score: 5, Insightful
I haven't been able to even get to Neowin, it's been slashdotted since before this story even made it to "The Mysterious Future" here on /., but think about what this means if this is actually true. The potential vulnerabilities. All the trade secrets Microsoft put in there. Hell, IE 5 was released with Windows 2000, so if this is full source, it means IE 5 and the trident engine are in there as well.
If this is true, today may be the day that everything changes.
Is the code that bad by jhoger · Score: 2, Insightful
Is the code that bad such that this news story considers this so dangerous to Microsoft? Seems a bit hysterical to me.
I don't know how useful it is to WINE, etc... OSS developers not wanting to be "contaminated" by looking at the source code won't look at this stuff anyway.
Re:So is this the beginning of something... by webroach · Score: 5, Insightful
Sure it's illegal, but so have many things Microsoft has done.
I'm not sure that kind of justification really works. It also doesn't help the open source community, IMHO. I can't agree with the "let's sink to their level" philosophy.
tin foil hat by wildcard023 · Score: 4, Insightful
Ok so here's MS's plan.
Step 1) Leak their source
Step 2) Sue Open Source developers down the road because obviously they have studied the MS leaked source.
Step 3)... Ya, I'm sure you know what goes here.
Ok but seriously, I'm not touching it. The last thing I need is Microsoft saying that I somehow owe something to them.
Jerks.
-- Mike
-- --
Mike
wildcard@illuminatus.org
Re:The shit will hit the fan + Mirror by milgr · Score: 5, Insightful
Could this potentially help the WINE Project?
IANAL but I would avoid looking at the leaked code - especially if I was working on a project like wine. You wouldn't want wine to be sued out of existence because it contains code derived from a proprietary, copyrighted system.
-- Where law ends, tyranny begins -- William Pitt
Re:Server problems ALREADY... by Docrates · Score: 2, Insightful
> but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bear thinking about.
I disagree with the reporter. Because of the added scrutiny a widespread access to the source code will generate, it's more likely that we'll finally see a tight, secure Windows 2000 and NT. That is, if Microsoft accepts fixes, tips and advice from the hacker community as they should. If they don't, I can already see the unofficial Service Packs doing a much better job than Microsoft's.
--
There are two kinds of people in the world: Those with good memory.
Mr Bill isn't the only one in a bad situation here, with the source code available to all those crackers/virus writers, there will be lots of new worms and exploits, millions of Windows users will be in a much worse situation too.
Worms and exploits will start to appear quicker, and more frequently than ever.
-- The IT section color scheme sucks.
Re:The shit will hit the fan + Mirror by lcde · Score: 2, Insightful
Although driver 'wrappers' and the like would be awesome for the linux community. think of the lawsuits that would start if linux 2.7.0 had much much better support for NTFS and the like.
this actually can hurt us more than help.
-- :%s/teh/the/g
Now W. Russell Jones can put his story to the test by ThogScully · Score: 4, Insightful
In the last article on the /. home page, we have W. Russell Jones talking about all the insecurity of having source available in open source projects.
I'm afraid we've reached a massive failure here in security by obscurity, but time will tell. If this is true and if there are lots of security holes discovered, I find it hard to believe even a company of Microsoft's size can respond quickly enough to keep the outbreaks down. This threat is why open source is better than what W. Russell Jones made it out to be. The threat of security failing because of leaking source just isn't there with open source. -N
-- I've nothing to say here...
Re:Server problems ALREADY... by Mr. Piddle · Score: 4, Insightful
> At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them.
How big are these files? I would expect the size of these tarballs to be comparable to Linux Kernel + GNOME + Mozilla + misc userland/bundled equivalents. If they are unexpectedly small (like less than a gig for W2K), then they are probably a hoax.
-- Vote in November. You won't regret it.
The danger of tainting by 12dec0de · Score: 2, Insightful
Now I guess those of us who write code for free projects have to be double careful what code we read and who tracks us doing so.
I can already foresee the seize-and-desist letters to free projects, claiming that one or more developers have been tainted by knowledge of 'proprietary information' from microsoft, and the enclosed clicktrail on www.w2k-source.com provides the necessary evidence. And you thought you were just checking out driver support info on a community site.
mfg lutz
What's the big deal? by Animats · Score: 4, Insightful
What the NT kernel does is well understood. The object code is widely available, and key parts, like file system formats, have been reverse engineered. There's plenty of documentation. A few major development shops have access to the source anyway.
If you're into kernel architecture, it might be interesting, but otherwise, so what?
Re:So is this the beginning of something... by damiam · Score: 2, Insightful
Anyone who looks at that source is pretty much legally prohibited from ever writing a line of remotely related code for any project. If Wine attempted to make any use of this leak, it would immediately become illegal in the US, EU, and most other copyright-enforcing countries. Probably no one would bother the users, but anyone redistributing it (or developing it) in the US would be cracked down on.
-- It's hard to be religious when certain people are never incinerated by bolts of lightning.
Re:hmm seems a bit buggy by jmorris42 · Score: 4, Insightful
> It *amazes* me that it hasn't been routine.
Because most people are paranoid enough to assume M$ watermarks each distributed copy to allow them to trace it back to the point of release. But now they are giving copies to governments like China and folks there just don't really give a damn about western notions of copyrights.
-- Democrat delenda est
this could be really bad by G27 Radio · Score: 5, Insightful
The Windows code hasn't had nearly as much peer review as open source OS's so I won't be surprised if this leads to a ton of exploits. The big problem here is that this source will be available to any black-hat that wants it--they obviously aren't going to be concerned about the legalities of obtaining leaked source code. But the businesses that use Windows aren't going to be able to audit the code for security leaks unless they obtain it illegally (or sign some agreements with Microsoft and shell out bundles of cash.)
Re:this could be really bad by cmowire · Score: 5, Insightful
That is exactly my thoughts.
The interesting part is the difference between Win2k and Linux. In both cases now, the black hats have access to the source code. However, there are more white hats who have access to the Linux codebase, which will make for some interesting long-term implications.
This also has the potential to solve the NSAKEY controversy once and for all and provide some interesting insights into how Windows works. I'm wondering if, through the use of countries with more flexible copyright systems, it would be possible to document interesting attributes and then pass them back to WINE and other open-source folk.
Re:this could be really bad by ianr44 · Score: 5, Insightful
> This also has the potential to solve the NSAKEY controversy once and for all
It only has the potential to show that there are backdoors. If there are no backdoors in the source, the tinfoil hat crowd will just say that the leaked source isn't the version used to build windows binaries, and the controversy will continue.
OSS developers, don't be tempted to look by jd142 · Score: 3, Insightful
I think from a legal standpoint it might be very important that OSS developers not look at the code. Even though they didn't leak it, MS still has rights to the code. If an open source program took advantage of illegally leaked code, what would the legal ramifications be on the OSS project? I don't know the answer, but I'd be willing to bet real money that MS would sue. I remember reading an article where the SAMBA developer said he was very careful not to look at any code because of this. Reverse engineering is fine, but you don't get any help to do it.
Re:An open source of Windows... of sorts? by DaHat · Score: 3, Insightful
No, no and no.
Unless this source 'leak' was officially sanctioned (which we know it wasn't), possession, use, distribution, etc of said source would be illegal, regardless of if you have a legitimate copy of windows 2000 sitting on your home pc.
Also, the EULA covers the final product, not the original source. There are separate license agreements for that source.
Re:Compilation and Windows source code by DR SoB · Score: 4, Insightful
It's in c (at least the core pieces). the older modules may contain assembler.
-- Mod +5 Drunk
That is a MYTH by FreeUser · Score: 5, Insightful
> I hope you weren't planning on ever contributing to any Open Source projects after doing that. If it's later demonstrated that you had access to the W2K source and contributed vaguely similar code (even by accident) to a project, it could have severe repercussions for that project.
IANAL but I do read Groklaw, and from what I understand copyright restricts the act of copying (duplicating). You can study someone's implementation of something as much as you like, then go implement something similar yourself. As long as you do not copy the code verbatim you are not in violation of copyright law.
Otherwise, no student would be able to code having once looked at examples in a text book... the textbook author would own all of your code.
The problem is, of course, proving one implemented the code oneself and did not in fact crib the whole thing from someone else's code, and the greater the similarity (for code of sufficient complexity... trivial code will generally be similar regardless) the more difficult that is.
In any event, it is a myth that, simply by looking at, or even studying, one set of code one is somehow "tainted" and unable to contribute to another, competing project, be it free or proprietary. To violate copyright law one must copy, not just receive inspiration from.
Re:That is a MYTH by Bootsy Collins · Score: 5, Insightful
> > I hope you weren't planning on ever contributing to any Open Source projects after doing that. If it's later demonstrated that you had access to the W2K source and contributed vaguely similar code (even by accident) to a project, it could have severe repercussions for that project.
> IANAL but I do read Groklaw, and from what I understand copyright restricts the act of copying (duplicating). You can study someone's implementation of something as much as you like, then go implement something similar yourself. As long as you do not copy the code verbatim you are not in violation of copyright law.
What you're saying about copyright is correct; but that probably isn't what MS would come after you (and your open source project) for. It'd be patent and trade secret violations.
That said, I don't know whether the unauthorized release of code would invalidate subsequent trade secret claims. On one hand, it seems crazy to lose trade secret protections because of an illegal or unauthorized act; OTOH, it seems crazy to call something a secret that, well, isn't.
Maybe someone who is a lawyer can discuss.
Re:That is a MYTH by Anonymous Coward · Score: 1, Insightful
You're missing the point of how you got the code in the first place. You had to make a COPY to read it and that copy is a violation of copyright.
My question is, has anybody managed to get this steaming pile of manure to compile? Seems like one would need to do that and then compare the binaries (ignoring any timestamping) before assuming this is authentic.
--
"Freedom means freedom for everybody" -- Dick Cheney
Re:Open Source by DarkBlackFox · Score: 4, Insightful
No, but how long will it be until Microsoft pulls an SCO and accuses open source of integrating MS code? If it is indeed true, and the code is floating around out there, and within a few weeks a miracle version of Wine is released which suddenly has 100% compatibility, what would MS's reaction be?
Re:MOD PARENT UP by jason0000042 · Score: 4, Insightful
www.litestep.net, or litestep.com. Works pretty good too.
-- i don't like my old sig.
Screw legality by schmiddy · Score: 2, Insightful
Know what. Screw the whole legality issue. Those who have a foot in both the software design (even OSS?) and warez scene need to nab this. Much positive work could be done with windows/linux compatibility once we figure out the obscure protocols that windows uses. Yeah, it'll be legally grey, but who cares.
This will probably elicit a lot of replies about how Linux needs, especially now, legitimacy, especially under scrutiny of corps hoping to use it on desktops/servers. Individuals wouldn't care as much, obviously. They're right, in part at least. However, I've always admired the range of software choice Linux has, and just like Debian doesn't ship with all the necessary mplayer codecs.. they're out there, if you want 'em.
On another note.. what if someone took the code, released Linux software designed to help, say, samba, or something. Then another developer, without looking at the actual code for that program, made their own derivative by decompiling/whatever?
Re:Seems a little small by opusman · Score: 2, Insightful
Source code (being mostly text) should compress a lot better than compiled binaries.
Re:So much for security through obscurity by Monkelectric · Score: 5, Insightful
Could this be a ploy to spur Win2k+3 updates? Blame the hackers for making win2k insecure. Oops you gotta upgrade now, sorry,
--
Religion is a gateway psychosis. -- Dave Foley
It's a TRAP!!! /Adm. Ackbar by Thud457 · Score: 4, Insightful
Microsoft is sooooo obviously trying to pull an SCO here.
If you work on any Open Source project, DO NOT LOOK!
--
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
A lot more lawsuits are coming? by ezh · Score: 2, Insightful
Now SCO can sue Microsoft for stealing their code, too! *LOL*
Seriously, though... If the circulating source is really NT4 & W2K, that would give a powerful instrument to both sides - the ones who want to sue Microsoft for stealing their technologies and for Microsoft, too, since from now on they will be looking very closely at newcoming products of their rivals.
Mirror: An Insightful comment from Neowin by metroid composite · Score: 4, Insightful
#1.3 Reply by cowabunga on 13 Feb 2004 - 02:16
About when is it time to buy some Microsoft stock? In an hour when it plummets and then sell tomorrow when it's back up after they find out it's all bull
Maybe someone trying to make some money this way or MS is aggressively pushing their customers over to XP
Worth mirroring I thought.
Re:Now? Improve emulators! by harrkev · Score: 4, Insightful
Yup. And films should not be copyrighted because the film studios did not invent silver nitrate.
And CDs should not be copyrighted because they did not invent the photon used to read it.
If you take this to its logical extreme, any file is simply an extremely large digital number (millions of bits). How do you copyright a number? So it is then not possible to copyright ANY digital work.
-- "-1 Troll" is apparently the same as "-1 I disagree with you."
Re:hmm seems a bit buggy by zurab · Score: 4, Insightful
> It *amazes* me that it hasn't been routine.
I agree. Remember, at the trial MS argued that opening or showing parts of Windows source code would be a threat to national security. Not long after that, they gave their source code to Russia, China, and many multi-national corporations and other organizations as part of their Shared Source initiative. Now, don't know where the source was leaked from, but 1 + 1 = ?
If in fact, this story is true, MS is riding against the wind here. It is feeling pressure from the Open Source while its security, software, and business models are based on keeping the source secret. If so, how long can they keep up?
Re:MOD PARENT UP by nickos · Score: 3, Insightful
I thought Litestep just replaces the shell (ie explorer.exe). Is there any way I can change the click-to-front behaviour of Windows to use the Amiga's (or WindowLabs) click-to-focus but not click-to-front model?
Nope? - didn't think so.
The only way I can think of doing it is using hardcore hook stuff. Having the code would be *much* easier.
Re:The shit will hit the fan + Mirror by philci52 · Score: 2, Insightful
Possibly, but would they really want to? The samba group ended up with faster code than MS by reverse engineering the SMB protocol instead of inheriting a bunch of code patched by different people over the years. I would imagine looking at the source would solve a bunch of problems for the short term.
Of course if this turns out to be true and all.
Re:So much for security through obscurity
by
mwheeler01
·
· Score: 4, Insightful
win2k+3? wow that's much easier than typing win2003...I don't care mod me down, abbreviations and acronyms have gotten out of control!
-- Pretty widgets? What pretty widgets?
Re:In other news...
by
isolation
·
· Score: 1, Insightful
This is not funny. I have been working on ReactOS and WINE for quite a few years and do not want to see my work put at risk. Or have my project become the target of a Microsoft SCO-like case because some twit puts Microsoft code into ReactOS.
Samba 3.0 is potentially, royally, screwed.
by
Ayanami+Rei
·
· Score: 1, Insightful
Before now, it could be assumed that Samba developers were working from scratch- clean room implementations, because it wouldn't be possible for them to have the source code.
Now, unless the leak and spread can be precisely pinpointed, the Samba project could be the target for attacks under the "assumption" that they were sitting on this and that's why it works as well as it does. Whether or not they think this is true is irrelevant, they just need to let their legal team sink their claws into it, and muddy the waters.
-- THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE
ALSO FUCK BETA, ~NYORON
Re:Samba 3.0 is potentially, royally, screwed.
by
pandrijeczko
·
· Score: 4, Insightful
Before now, it could be assumed that Samba developers were working from scratch- clean room implementations, because it wouldn't be possible for them to have the source code.
Oh, come on, get real! You miss one very important point in your comment...
The source code to SAMBA is Open Source!
This means that MS have probably got a few copies of Samba themselves already and were there any licensed MS code in it, you can rest assured that Microsoft would have sent their lawyers over long before now.
Just accept that the Samba guys are a pretty neat bunch of programmers that have genuinely backwards engineered Samba from the word go - it's the likeliest and most realistic conclusion to draw.
-- Gentoo Linux - another day, another USE flag.
patents and trade secrets.
by
ecalkin
·
· Score: 4, Insightful
there might be patent issues, but i think they list those on the software or license somewhere. my understanding of trade secrets is that it is their responsibility to maintain the secret. and if this is *really* source code for nt4/win2k, it's not a secret anymore.
eric
Re:The shit will hit the fan + Mirror
by
happyfrogcow
·
· Score: 3, Insightful
No. If the Wine folks look at the actual Windows source code, they aren't reverse engineering any more, they're copying, which is illegal
I'm tired of this b.s. Since when has looking at something been equated to copying it? Copying is copying. Looking is looking. However, obtaining the code is probably a copyright violation. After all, this post is not a copy of your post. It was inspired by it, I looked at your post, I legally cited your post, but I did not give you the rights to my post by doing so, nor can you force me to remove my post.
Re:The shit will hit the fan + Mirror
by
jps3
·
· Score: 3, Insightful
The contention is that you would have a dickens of a time proving in court that you were not directly influenced or did not directly copy the copyright work. Do you have the financial security to take this through the courts and win? No? Then, keep your nose clean. If you don't want to stink, don't go near the shit.
I understand what you're saying, but it's best to steer far and wide and very clear of it. Treat it like nuclear waste. You don't even look at it, no one can try to taint you.
Forget your brand of "MS is doing it to get us on the sly".
How about:
MS took a calculated risk in allowing the Chinese government access to the code in order to secure more sales, and are now paying for it, because someone Freed Billy!
-- http://pcblues.com - Digits and Wood
SHORT THE STOCK?
by
macshune
·
· Score: 4, Insightful
Speaking of "a world of hurt," wouldn't the general reaction to a leak of this kind cause a precipitous fall (big or small) in Microsoft's stock? If I was an investor, I would totally short the stock right now, since there will probably be some crazy reaction at just the hint of a leak...probably because people will think it's a bigger deal than it will end up being.
It looks as though at the end of the trading day, MSFT did lose some value. If not short it, then maybe sell it, if only to pick up some deals later...
Re:SHORT THE STOCK?
by
DakotaK
·
· Score: 3, Insightful
Gee, when MS gets their grubby hands on server records, they'll have fun suing the hell out of all the downloaders. Thanks!
-- I am a viral sig. Please copy me and help me spread. Thank you.
Re:How it can go wrong
by
Anonymous Coward
·
· Score: 3, Insightful
ummm he let detectives do a raid?
i would have kicked them the hell out then called the police for attempted burglary AND pretending to be a law enforcement officer.
Re:Interesting...
by
gui_tarzan2000
·
· Score: 2, Insightful
You know, something really bothers me about this whole stealing code thing. You can only write how to do a certain thing just so many ways. This is true in any programming language.
So having said that, why does it surprise anyone that two identical lines (or whole procedures) of code end up in two different programs or operating systems? The code to control the hardware can only be written so many ways.
Besides, if the way all MS code acts is any indication of how it's written, the only place I can see it being of use is with virus/worm/trojan writers and geek comedy clubs.
-- Have you hugged your penguin today?
Please be a hoax!
by
raw-sewage
·
· Score: 5, Insightful
I sincerely hope this is a hoax. On the one hand, it would be great to point to the Windows source code and say, "See how terribly written, buggy, crufty, etc closed-source code is?" And the rash of exploits, worms and virii that would follow would only underscore that comment.
But, it only takes one person to look at the Windows source, then go do something vaguely similar in Linux (or any OSS project for that matter). The result would be devastating: Microsoft would litigate Linux to death.
As many have said, the principle behind these copyright suits is awful. Looking at code, then doing something somewhat similar (because of inspiration) should not be a copyright violation. But with Microsoft's legal and financial resources, the laws will "adapt" to what is most beneficial to them.
I can only echo what many others have said: for the sake of Linux and OSS in general, do not look at the Windows source! That's a very conservative and overly-paranoid policy, but it's an invaluable measure for protection.
To me, general acceptance of open-source software is similar to political elections: every last speck of dirt is dragged out and put under the spotlight. Any potential or suspect or even misunderstood characteristic is scrutinized, and the naysayers always manage to put a negative spin on it.
Open source only stands a chance if it can maintain the straight and narrow path... I hate to sound preachy, but any slight mishap, no matter how innocent or accidental, quickly turns into a major catastrophic disaster. There's just too much money and power interested in seeing OSS fail.
Re:Potential huge win for open source
by
pandrijeczko
·
· Score: 2, Insightful
(1) Now that the source code is leaked, more virus developers can write more viruses, making it dangerous to use Windows.
Windows viruses affect everyone. We all use the same Internet that slows down when the latest worm hits. Virus writers are scum, kill them all.
(2) Concerned individuals and companies can learn from those who look at the code just how BAD the vulnerabilities ARE.
Probably, but what can they do about it? It's Microsoft's IP, they can't fix it and just hand it back. Virus writers will probably write more worms, the Internet slows down, we all suffer (see 1).
This could very well accelerate migration away from Windows and towards other OS's which are secure despite having available source code.
Erm, Open Source software is quite happily gaining market share without the need for this, thank you very much. Up to now it's been doing so on the basis of being software that's as good as, or better than, what MS write. It has not needed any visibility of MS IP to do this.
I am certainly no MS fan but this theft is nothing more than someone somewhere wanting some kudos.
C'mon, people! The real fight is not having DRM pushed down our throats, not tearing apart MS's source code...
Penguins spend their lives in the freezing cold fending off polar bears and rogue icebergs and catching fish, they are totally used to it and even if a particularly nasty polar bear comes around they can usually deal with it. If you release a home-trained hamster into that environment it's just gonna die.
-- This comment does not represent the views or opinions of the user.
Re:The shit will hit the fan + Mirror
by
mangu
·
· Score: 4, Insightful
The contention is that you would have a dickens of a time proving in court that you were not directly influenced or did not directly copy the copyright work
What part of "being proved guilty beyond reasonable doubt" didn't you understand? It's the accuser's task to prove the accused party guilty, not the other way round.
Re:So much for security through obscurity
by
homer_ca
·
· Score: 4, Insightful
No, it's the same codebase. Big parts of it are rewritten for every release and new parts are written from scratch to support new features, but a lot of it is the same. How else do you explain that most of the security bugs affect every Windows NT version from 4.0 to Server 2003? They were rewritten from scratch with the same mistakes?
Re:Now? Improve emulators!
by
axxackall
·
· Score: 1, Insightful
So it is then not possible to copyright ANY digital work.
Finally you are getting smarter. But just in case you don't understand it yet: all copyrights are bad. The world without copyrights would be much better. Demonstration: compare the quality of copyrighted Windows to copylefted Linux.
America is great because America is good, and if America ever ceases to be good, she will cease to be great.
And this is exactly what's happened to America after 2001/09/11.
By the way, America was never better than many other countries, like England or Australia. So, guess what?..
--
Less is more !
Re:So much for security through obscurity
by
Fizzog
·
· Score: 4, Insightful
Adding Microsoft to the SCO mix would make no difference whatsoever.
IBM's legal team make Microsoft's look like first year law students. IBM's lawyers held the DoJ at bay for DECADES. Not even Microsoft are prepared to mess with IBM. The moment IBM called SCO's bluff SCO knew they were dead.
And if Microsoft could buy them with a month's revenue imagine what IBM could do. They are a little bit bigger than Microsoft you know...
I just think it's funny that IBM were everybody's worst enemy in the 70's and 80's, and now they are usually the ones doing the right thing by the industry.
The Windows code hasn't had nearly as much peer review as open source OS's
What do you know about who reviews the windows code?
Also, what assumptions are you making about the number of people, and their qualifications, that are reviewing OSS code?
-- My opinions are my own, and do not necessarily represent those of my employer.
Re:So much for security through obscurity
by
puck71
·
· Score: 4, Insightful
I'd say that's misleading at best. The reason there have been more worms/virii/etc. that attack 2000/XP than 9x is purely numbers. There's so many more computers running 2000/XP than 9x, why bother writing any kind of worm that targets 9x?
Coincidentally, this is also one of the key reasons that there are more worms/virii released that target Windows than Mac or Linux - why target Mac or Linux when you can target Windows, with many, many times more users?
The real question is, of course -
by
blorg
·
· Score: 4, Insightful
Why this is perceived as such a security threat to Microsoft, when it's not for Linux?
Re:The real question is, of course -
by
kaschei
·
· Score: 5, Insightful
Because Microsoft doesn't accept code updates from people who know better than they, so any bugs that are revealed are not going to be fixed through the increased visibility of the code. Having open code is only good if you have the will, the ability, and the infrastructure to make use of its openness. Microsoft is famous (infamous?) for lacking all three.
The short of it is: no "free" security updates a la linux, just more visible bugs to exploit.
-- I should not talk so much about myself if there were anybody else whom I knew as well. -Henry David Thoreau
Re:The real question is, of course -
by
DarthTaco
·
· Score: 3, Insightful
"Why this is perceived as such a security threat to Microsoft, when it's not for Linux?"
The assumption is that Microsoft writes insecure code, and depends on its non-publication to keep this a secret.
I think this assumption is mitigated by the fact that so many universities have a license to look at the source.
Re:The real question is, of course -
by
mangu
·
· Score: 4, Insightful
Why this is perceived as such a security threat to Microsoft, when it's not for Linux?
Because the Linux source code can be legally downloaded by the "good" guys, who go and fix the holes. OTOH, only the "bad" guys download the Windows source code (it's illegal to do so, you know), and they go and create exploits based on the holes.
Re:The real question is, of course -
by
dubious9
·
· Score: 5, Insightful
Because Microsoft never had its code freely audited. Because they won't take patches from Joe Shmo. Because they design for features first, security third. Because they relied on security through obscurity. Because they don't have a global network of developer-users to fix patches when they see them. Because it takes Microsoft a relatively long time to fix bugs. Because...
-- Why, o why must the sky fall when I've learned to fly?
Re:The real question is, of course -
by
negacao
·
· Score: 2, Insightful
All right, I'll eat the troll bait.
MAINLY BECAUSE YOU CAN PATCH LINUX, GIVE THE PATCH TO THE OWNER, AND HAVE THE VULNERABILITY FIXED.
Now you're gonna tell me MSFT would take such a patch, rather than sue you into the ground for having the source in the first place?
Re:The real question is, of course -
by
mangu
·
· Score: 4, Insightful
good guys are actually hiding back doors in the Linux code
They can't do that, since the source code is open. That Edgar Allan Poe "Purloined Letter" story set the precedent. Nowadays, any self-respecting investigator will check first the obvious, before checking the obscure stuff.
Re:The real question is, of course -
by
KarmaMB84
·
· Score: 4, Insightful
Because people assume that because it's closed source, Microsoft leaves in gaping security holes rather than fix them. They forget that Microsoft does use its own products and would probably fix this stuff if aware of it if only for their own benefit.
Re:The real question is, of course -
by
Attaturk
·
· Score: 5, Insightful
Why this is perceived as such a security threat to Microsoft, when it's not for Linux?
Because Microsoft's OS was, and is, designed and developed based on a principle of closed source. Generally speaking, with closed source development potential black hats can't see how you do things without significant reverse engineering. This gives the OS programmers a 'safe' framework to work within. So when that source later becomes available to the general public, it leaves the OS programmers facing a huge legacy of problems that should, in theory, never have become problems.
Linux was open source from the outset. Therefore it is designed and developed relying absolutely on the principle that it's secure because everyone has equal access to see how things are done.
Furthermore, if and when there are security holes then at least with OSS you can never be held to ransom by the people owning the source. i.e. "Windows 98 has this huge security hole and it's no longer supported - go buy Win2k."
Re:The real question is, of course -
by
shep1972
·
· Score: 2, Insightful
simple.....relatively few people/business use linux compared to windows....if you are an attention seeking idiot who writes malicious code, who would you target? the population that gets you on the national news, or the small group of users who probably know better than to launch the worm carrier to begin with?
Re:The real question is, of course -
by
sealawyer2003
·
· Score: 3, Insightful
You may look at it as long as your method for doing so does not make a copy. But downloading the code will make a copy, and so will viewing it on a browser.
Someone please check against DDK
by
Googol
·
· Score: 2, Insightful
or other released code. It should be possible to triangulate the source against existing released software, so at least we can know what exactly it is and whether this is a hoax or not.
The real source is 300GB
by
PaulMaximne
·
· Score: 1, Insightful
I have a friend who had access to the source in his last job and he told me that it is 300GB. So if this thing that's floating around is any less than that it can't be the entire source, or it's a fake.
Paul
--
We witness not a fallen world, but falling every day - The Call.
Re:Time to look for GPL violations!
by
kisak
·
· Score: 2, Insightful
But assuming they find some lines of GPL, can't microsoft just deny that the source code in the wild is the proper code for Win2000?
--
--- guns don't kill people, people with guns kill people ---
Re:Life is good.
by
PeeweeJD
·
· Score: 2, Insightful
ummm... prolly because you post as Anonymous Coward? It's just a thought...
Re:You're missing the point
by
conteXXt
·
· Score: 2, Insightful
It seems that you are not looking far enough.
Computers are necessary.
If windows is untrustable, what do you do?
(Hint: There ARE other operating systems that run on PCs)
-- The truth about Led Zep should never be told on /. (Karma suicide ensues)
Not likely - the WINE folks could just show some code from before the leak with the "similar routines" included. That said, they'd have to find a way to *prove* that it came from before.
-- ---
Bwah?
Re:Just curious...
by
GoofyBoy
·
· Score: 2, Insightful
>I respect your integrity, but as far as I'm concerned MS is a pretty sleazy company so I'm not gonna shed any tears for them.
It's about not stooping to their level.
The main drivers of OpenSource are those which just program and share, not those that fight dirty/go on illogical and embarrassing rants.
Look at SCO. I assume that there are many fine people there, but how do you view the company as a whole? After this SCO vs. IBM thing is over, what is your impression of them?
-- The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Re:MS giving source code to countries
by
leerpm
·
· Score: 5, Insightful
I guarantee that if it was one of these countries who gave it away, they will be caught. Why? Because Microsoft probably made small but unique cosmetic changes to each of the codebases they released. Essentially, putting a unique fingerprint on it in each instance they have shared out the code.
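As an added illustration that is not part of the thread: one way per-recipient cosmetic fingerprinting of a source tree could work, and how a partial leak would be attributed. Nothing here is Microsoft's method, which the comment above only speculates about; the key, the recipient names and the sample tree are constructed, and trailing whitespace is an assumed carrier.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed; a real key stays with the publisher
RECIPIENTS = ["licensee-A", "licensee-B", "licensee-C", "licensee-D"]  # hypothetical
MIN_LINES = 32     # refuse to attribute a leak on too little evidence
THRESHOLD = 0.90   # an unrelated recipient agrees on only about half the lines


def _bit(key, recipient, line):
    """Keyed pseudo-random bit for one line as shipped to one recipient.

    The file path is deliberately left out so that renaming or moving
    files in the leaked copy does not disturb the mark.
    """
    msg = (recipient + "\0" + line).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def fingerprint(tree, recipient, key=KEY):
    """Return a copy of tree ({path: text}) marked for one recipient.

    A marked line carries one trailing space; code semantics are unchanged.
    """
    out = {}
    for path, text in tree.items():
        marked = []
        for line in text.split("\n"):
            base = line.rstrip()
            if base and _bit(key, recipient, base):
                base += " "
            marked.append(base)
        out[path] = "\n".join(marked)
    return out


def agreement(leak, recipient, key=KEY):
    """Count non-blank lines whose trailing-space state matches recipient's mark."""
    match = total = 0
    for text in leak.values():
        for line in text.split("\n"):
            base = line.rstrip()
            if not base:
                continue
            observed = 1 if len(line) > len(base) else 0
            match += int(observed == _bit(key, recipient, base))
            total += 1
    return match, total


def identify(leak, recipients=RECIPIENTS, key=KEY):
    """Name the recipient whose mark the leak carries, or None if unproven."""
    best, best_ratio = None, 0.0
    for recipient in recipients:
        match, total = agreement(leak, recipient, key)
        if total < MIN_LINES:
            return None          # too few lines: any match could be chance
        ratio = match / total
        if ratio > best_ratio:
            best, best_ratio = recipient, ratio
    return best if best_ratio >= THRESHOLD else None


def sample_tree():
    """Constructed stand-in for a source tree: three files of 40 lines each."""
    return {
        "src/module%d.c" % n: "\n".join(
            "int field_%d_%d = %d;" % (n, i, i) for i in range(40))
        for n in range(3)
    }


if __name__ == "__main__":
    shipped = fingerprint(sample_tree(), "licensee-B")
    # Only one file leaks, and under a different name.
    leak = {"renamed.c": shipped["src/module1.c"]}
    print(identify(leak))
```

Trailing whitespace is removed by any code formatter, so a mark like this only survives a verbatim copy; a scheme meant to resist normalisation needs carriers that change visible text.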
Re:It's a TRAP!!! /Adm. Ackbar
by
gujo-odori
·
· Score: 5, Insightful
If you work on any Open Source project, DO NOT LOOK!
This is extremely good advice. I would go even further and say that if you would ever like to work on an open source project, don't look. The presence on a project of a person who had seen the Windows source could put the entire project at risk.
For a very practical example, consider Samba. If a person who had seen the Windows source were to contribute to Samba and it were later to come to light that the contributor had seen the Windows source, in the name of safety every piece of code that person contributed would have to be ripped out and replaced. Worse, to guarantee that there was no trace of taint, it would probably have to be replaced by people who had not only never been exposed to the Windows source, but who had also not seen the contributor's tainted code. In short, it would require the recruitment of people who had never worked on the project before, or even read the source. Finding those people would not be easy, to say nothing of the time and credibility that would be lost.
For that matter, even if you have legally seen the Windows source because Microsoft has provided it to your employer under their shared source program, the same taint would follow you. If your employer has access to Windows source and your job does not require you to see that source, do yourself a favor: don't look.
If you look at the Windows source, you at the least taint yourself WRT working on any project aimed at interoperability with Windows, and quite possibly on a much wider variety of projects than that.
In this case the point should be that people who bought into the MS security concept will feel screwed. The ones on other systems will be able to do their business as usual while crazed windows admins run around firefighting for their lives.
I can't imagine how this could have a bad effect on linux at all. A big boost for ABM and the industry as a whole would survive just fine without MS. It isn't like MS has really truly made something significant other than piggybacking and marketing.
-- HTTP/1.1 400
first time in the sun for MS source
by
rbird76
·
· Score: 4, Insightful
When I go out in the sun, I wear sunscreen and although I'm fairly pale, I probably won't get burned too badly. If someone goes outside with a T-shirt and shorts for the first time in their life (say a 25-year old), they'll probably get burned fairly badly (unless they wear a lot of sunscreen or aren't out for long).
Linux and other open source OS have had people looking at them for a long time. The people looking at the source of Linux are less likely to be a monoculture than the people at MS who are hired to look over software. In addition (uninformed speculation) more of the Linux people may have been black hats once - the less ordered (as in cubicle order rather than procedure order) system may be more amenable to some who fit a less monolithic background. Linux is thus likely to have been looked at by people who might once have looked to hack it and by people with a wider variety of skill sets. MS knows a lot about software, but their diversity in software knowledge and opinion is likely smaller than that of either their user set or of that of white hat hackers.
The other factor is that having the MS source without a licence is illegal - thus the people who are most likely to take advantage of the availability of the source are people without much respect for the license in the first place - black hats. Linux source can be viewed legally, and so is just as likely to be looked over by white hats as black hats (probably more likely, because of the population ratio of BH and WH).
In one of the Clancy books (I think "Debt of Honor"), he talked about secrecy being good for hiding information that someone doesn't want you to know - but that when it broke, the news would be much worse for that someone, and harder to control. That seems applicable here - only the news is directed almost exclusively to those who would do them harm.
Re:So much for security through obscurity
by
LurkerXXX
·
· Score: 3, Insightful
If you look back at past slashdot stories, you'll find exactly that was done several months ago. An opensource patch was released for a windows exploit before MS could release one. Everyone raved about it that day.
The next day it was discovered the patch was very badly coded, and included a backdoor...
I think I'll stay away from 'opensource' MS patches, thank you very much.
Re:An open source of Windows... of sorts?
by
canajin56
·
· Score: 2, Insightful
Wrong. Only distribution would be illegal. Copyright only protects from making COPIES. Just like MP3's. Having 10GB of MP3's on your hard-drive is only illegal if you distribute them. It doesn't even matter whether or not you have the original CD's, either. (But if you don't, it was probably illegal to GET them. But not to possess or use them)
-- ASCII stupid question, get a stupid ANSI
I'll second that, not the whole tree
by
anticypher
·
· Score: 4, Insightful
My guess, this is some of the source released to academic institutions for study. Lots of universities have access to a small portion of the windows source code, for use in various computer labs, and to create interoperable code. It comes on a single CD, and is not difficult to obtain.
I've studied one small section of M$'s source code, a single network module appearing in both NT4 and NT5.0, under NDA of course. I don't see it here. There are a lot of things I don't see here, and I'm still going through the tree. There are some things here that are clearly part of windoze, such as the source to regedit.
Some other things that make me suspicious this isn't all the source code: 1) lots of 0 length files, could all those .eml files be links to the original file? 2) the win2k source just happens to total 658MBytes, about the size of a CD 3) there are a number of 0 length files of people's names with the letters CV next to them. cv - vered mazafi.eml, ronen-cv.eml 4) all through the file listing are repeats of .eml files, like tcp-ip tutorial.eml. Would there really need to be a tutorial like this spread everywhere?
I think this is just a student prank, being trolled out of proportion. It's not just /. doing the trolling, this will probably hit the major news outlets tomorrow. No doubt, they will only quote the most pandering media whores around, to sensationalise the story. Any bets several major stories will point to /. as a culprit, or as a den of criminal hackers?
the AC I can't believe I'm admitting to extensive knowledge of windoze on /.
-- Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
I should think that the lawyers at M$ will wait a suitable period of time and then, once ReactOS looks good, swoop in with a C&D order. They will have a long list of "similarities" in source, and charts showing how development of ROS features and stability has become accelerated since the release (though ReactOS was picking up anyway, as has WINE, as does any project gaining mindshare) and even if it makes no sense M$ will be able to hold up everything for years in litigation and findings.
This whole thing has a really high suck factor.
Combined with SCO FUD and that fscking MyDoom nonsense, this is really bad.
-- =^..^= all your rodent are belong to us
Re:So much for security through obscurity
by
soramimicake
·
· Score: 5, Insightful
Sorry for pointing out the obvious, but you really don't want to end up being a scapegoat in a high profile case this one has the potential of turning into. Getting blamed for distributing a million copies of Windows and ending up in jail for years is not fun.
It is wise to keep a low profile from a company that offers bounties to hunt people down.
OSS "Suicide car bombers" -- WTF???
by
paco+verde
·
· Score: 4, Insightful
Yankee Group senior analyst (sic) Laura Didio has these alarming thoughts on internetnews.com about who might now be able to get their hands on the Windows source:
"With the open source community, there are a large percentage of tinkers and 'ankle biters' who are trying their hand at hacking. Some are even communicating with each other. So it only takes one or two of these groups sharing information to be able to pull something off. When you have this type of passion, it's hard to fight because these people are like virtual suicide car bombers."
So Microsoft is the defender of truth and justice in the free world, and OSS hackers are like suicide car bombers?
She then went on to warn of the dangers of hackers using the several hundred megabytes worth of leaked source code to compile their own pirated copies of Windows 2000. What a dumbass.
And what exactly is a "tinker", anyway?
Re:GNU make users?
by
spectecjr
·
· Score: 2, Insightful
Also there appear to be duplicate headers, repeated in various directories that I'm almost positive would end up screwing the compile process in a real build. Also, another thing is that, if their distributed files with VC6/7 are indicative of their internal naming, they stick to a strict 8.3 naming scheme, and make note of this in their documentation (don't remember *where* it was that I read it, but it was MS docs, and I remember being surprised by it). Another thing, again assuming that the files distributed with VC6/7 are a good model, their files tend to be all UPPERCASE! For example, here's a listing from their includes in for VC6:
1. Filenames can be shared in different folders with no issue. No problem whatsoever.
2. 8.3 filenames are *only* needed for ISO9660 CDRs. The source tree uses whatever filenames people want.
Re:That leads to a fascinating question
by
abradsn
·
· Score: 2, Insightful
It's damn near impossible to compile it in our own tweaked build environment. I'd like to shake the person's hand that figures out how to compile 15 gb of closed source code that was leaked onto the internet. Good Luck.
Re:It's a TRAP!!! /Adm. Ackbar
by
marauder404
·
· Score: 3, Insightful
Microsoft is sooooo obviously trying to pull an SCO here.
This is among the most ridiculous theories that I've ever read on Slashdot (and I've seen some doozies in the past several years). Why would Microsoft go about trying to pull off what SCO did? So it could sue a bunch of Linux users (a LIBERAL estimate of 100M) for a paltry $500 a pop... that's a mere $5B over the course of the next several years? Let's double it for a $1,000 each and it's still just $10B, never mind all the expenses, including legal, to go about trying to collect something like that. Or, perhaps, they decide to go sue a handful of companies for a few billion dollars each after years of litigation and all kinds of negative PR. Microsoft's revenue was $34 billion for last year alone, $26B of it being profit.
SCO's actions are based on a company with little revenue, little cash, and nothing to lose. Microsoft has everything to lose. Say what you will about Microsoft, but they didn't get to where they are today with silly moves like that.
Nobody wants to be sat on
by
KalvinB
·
· Score: 5, Insightful
by a 500LB gorilla.
It has nothing to do with morals. It's self preservation.
Most companies don't have the resources to kick the crap out of warez distributors. MS isn't one of those companies.
Re:Nobody wants to be sat on
by
Anonymous Coward
·
· Score: 1, Insightful
Bullshit. They're not scared of MS. If they were, they wouldn't release and trade other MS products. No products are left unreleased because anyone is afraid.
OK, she's warping the truth. So...
by
bersl2
·
· Score: 2, Insightful
email her. The link's on the story page (don't quite know where, 'cause I'm using lynx right now). Tell her nicely where she fucked up.
"This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bear thinking about."
Devastating?? Devastating because of the possible worms, viruses that can arise from this?
Closed or open, a piece of software "should" be secure and clean regardless.. if it's devastating it just proves that MS creates shit, so the fact that a pro-windows site actually says that is sad.
-- [alk]
Re:Here is a Torrent link ... 200MB download
by
Anonymous Coward
·
· Score: 0, Insightful
Yea because downloading it is the smart thing to do. *rollseyes*
not the whole source - only parts of it
by
Anonymous Coward
·
· Score: 1, Insightful
the sources are only partial, a lot of little scripts, build tools, code/security/certificate signing tools are missing, 3rd party and drivers of course, it's basically just some low level kernel and little shell and some apps sources.
you need a lot more if you wanna build windows
check for some deeper info about win2k and nt3.x build and software engineering information here.
Re:It's a TRAP!!! /Adm. Ackbar
by
adrianbaugh
·
· Score: 2, Insightful
Rubbish. Definitely look - there's a lot of stuff you can learn from seeing the source that can't be traced back to your having seen it. Take wine, for example[0]: they're trying to implement a largely undocumented ABI. At the moment it's hard even to know what they have to code. If they look at the source they could see what functions they need to implement, how they need to work etc. Make basic notes, never look at the code again, go on holiday for a month, come back and write the missing bits semi-cleanly. They wouldn't need to copy any of the implementation (doing so would violate MS's copyright) but it would sure help to know what functions they needed to write (and I guess that would count as nothing more than utilising the widespread leaking of a former trade secret[1], which has no protection under law). The key point is, don't under any circumstances copy the code. And, if you do choose to look at the source, I suggest you get rid of it afterwards and don't tell anyone.
[0] I'm not suggesting for a second that the wine devs would look at the code, you understand: it's an example.
[1] If the leak is genuine, MS need have no doubt that this will be all over every p2p network in existence within an hour or so.
--
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'" - JRR Tolkien.
I just find it interesting...
by
Fiz+Ocelot
·
· Score: 2, Insightful
That the article author describes it as potentially devastating and full of security risk with the source being leaked. And yet, look what that very same thing has done to the open source community. True, it probably is a very bad thing for windows security. Yet another reason to switch to another OS?
Re:So much for security through obscurity
by
Anonymous Coward
·
· Score: 1, Insightful
Wonder if that will be MS in the 2020s and 2030s?
Re:MS giving source code to countries
by
adrianbaugh
·
· Score: 4, Insightful
Whereas SCO were stupid to mess with IBM, for Microsoft to mess with China would be utter lunacy, especially given China has the source code. Regardless of what political ticking-off MS can ask for China to receive, China has the source. It has a regime where it can require (literally) millions of people to work their way through the code, write as many utterly hideous viruses as they can and release them all. Make no mistake, while China might get a slap on the wrist it's nothing worse than they continually get for their human rights record: on the other hand, they seriously have the resources to destroy MS if they're pissed off enough. I think MS made a stupid deal when they gave the source code to an insecure OS to a government like China's.
--
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'" - JRR Tolkien.
Re:It's a TRAP!!! /Adm. Ackbar
by
orthogonal
·
· Score: 2, Insightful
And as you obviously don't know anything [....] why the fuck did you open your stupid mouth anyway?
Ever notice it's always the Anonymous Cowards who are so vehement in their criticism? Always with the "you're stupid" and the Mr. Tough Guy expletives: "why the fuck...."
Yeah, yeah, I know, Mr. Anonymous Coward: you're powerful and famous, in your mother's basement.
Re:Don't Touch that SOURCE!
by
Curtman
·
· Score: 2, Insightful
On the other hand though, until now we have no way of knowing if a contributor has seen the M$ source, and is feeding it into open source projects, trojan horse style. If this is true, we could do a proper audit ourselves, and rewrite anything that needs to be.
Windows is their baby
by
KalvinB
·
· Score: 5, Insightful
MS's game department isn't what brings in all the money. It's their Windows and Office products that make the money.
They can grin and bear it when some games are pirated. Why do you think they (try to) crush companies that make mod chips for the XBox? Some things are more important.
And this is the source code to Windows. This is NOT just another product.
Anyone who dares to host it will be sat on until they are dead. Hell hath no fury.
Claiming this is just another product shows your definite lack of ability to comprehend the scope of this leak and the importance of it to MS's bottom line.
The legal costs required to shut down warez sites over a game generally are more than the amount of the losses. The legal costs required to crush the fools who dare to host the Windows source come nowhere near the potential losses due to the leak.
Re:No GPL - Lots of BSD
by
Anonymous Coward
·
· Score: 5, Insightful
Yeah, there are a few trivial and ancient/obsolete BSD command-line tools in Windows (finger, ftp, nslookup, rcp, rsh). They were ported from BSD, and you can see that they contain the appropriate copyright attribution. Note that none of the kernel-mode files (e.g. the TCP/IP drivers) contain any such strings.
MS is naturally not opposed to using freely-available BSD code to achieve better interoperability with BSD/UNIX. MS Windows Services for UNIX, for example, includes a lot of modern BSD tools ported from OpenBSD. That's reasonable, of course, since it's supposed to provide a set of command-line tools familiar to UNIX systems administrators, and OpenBSD tools are known to be relatively good in terms of security.
Importantly, MS's porting of OpenBSD userland tools to Services for UNIX is also good for OpenBSD, because it helps to establish those tools as something of a standard. If hordes of MS users become used to the OpenBSD userland tools, they'll be much likelier to start using OpenBSD if they want a UNIX-like OS than to start using, say, Linux.
The common claim about the MS TCP/IP stack from open source zealots is that MS 'stole' the Windows TCP/IP stack from BSD because it couldn't write one of its own, which is of course complete nonsense. The handful of BSD tools in Windows are/were there to make it easier for UNIX users to access their systems from Windows. They're in no way critical to Windows as an operating system (in the way that, for example, a TCP/IP stack is).
Let's be realistic
by
Anonymous Coward
·
· Score: 3, Insightful
Without being arrogant in any way, we really need to keep in mind we aren't looking at a mom and pop company here.
I highly doubt this will be the almighty downfall everyone thinks it is going to be. Try to keep in perspective that if this is true (and I have some pretty serious suspicions it isn't) if it costs MSFT $100 000 000, do you think they will even notice? Well maybe a bit but by fiscal 2005? I doubt it.
The source for NT will be useless for any kind of exploit in a year because support will be removed by then and the attitude in that end of the pool has been keep up or fall behind. And yes I do recognize the sickening number of them out there, I support the bloody things.
As for 2000, keep in mind that Linux may have 10 million developers constantly surveying the code on a part time basis, but they all have other jobs. MSFT has thousands of full time employees they can throw at one patch (in a pinch) that will deal with all of this.
Or maybe all the opportunists out there should look at it from a conspiracy theory point of view? Maybe they wanted this to happen.... (btw I love starting rumors) That oughtta keep people entertained for at least a few teraflops.
In the long run it won't even faze them, and always remember that even if Linux/Unix/Novell(-laugh) ever wins out; they will then be the top dog and will subsequently be the center of scrutiny. Bias is based on prejudice, which is generally malfounded.
Remember....conspiracy theory....stay up all night tonight thinking about it....then show up late for work tomorrow...and get fired so you can work more open source code.
(btw the teeshirt and sunblock example was really shoddy)
Re:PATRIOT implications
by
Anonymous Coward
·
· Score: 1, Insightful
YEAH! ummm. actually, and this may sound silly to some, but don't we gain knowledge through the sharing of ideas? criminals would do like microsoft and repackage code under a different name and sell it for profit.
Re:So much for security through obscurity
by
ImpTech
·
· Score: 4, Insightful
No, bah, way off...
The reason there are more worms on win2k/XP than the 9x series is because the 9x series doesn't DO anything. Win98 doesn't have "UPNP" or "Remote registry", or "windows messaging" or any other fancy services to speak of. Usually it's all that crap (which is on by default!) that becomes the portal for worms. 2k/XP are a more powerful OS than 9x, which makes them inherently more dangerous. And now that more and more people are moving that way, of *course* chaos was going to break out, just as countless people predicted 4 years ago.
How about some rationality (and consistency) here guys. If simply being in the same room as a copy of the windows source code is sufficient to contaminate everything you write from that point on, then SCO is gonna win its court case for sure. After all the IBM AIX code it contributed to linux was written by people who had seen the SYS V source code. Yes?
Re:Why ofcourse!
by
MobyTurbo
·
· Score: 2, Insightful
Well, that's why it's called "Windows", a window is easy to break.
How many times?
by
Rand310
·
· Score: 2, Insightful
This is not the first, nor the last time this will happen.
How many times will it take to make people aware of the fact that such immense reliability on closed-source DRM-esque code will cause problems? Such closed-source *cannot* be closed forever. The information will be spread, and security through secrecy cannot win.
In addition, the mob-law illustrated here by the internet is an interesting phenomenon (by no means unique to this incident - except maybe in the irony). Literally thousands of people already have a copy of multi-million dollar source for free. It is an interesting epitomization of how such digital knowledge cannot be legally protected. What will MS do, sue any IP that shows up in BitTorrent or eDonkey? If the internet wants it, some individual might pay a few months behind bars, but the internet will have it...
No. If the Wine folks look at the actual Windows source code, they aren't reverse engineering any more, they're copying, which is illegal.
IANAL. You are wrong. Non-clean-room reverse engineering is not only legal but is done at many, many companies. There is *absolutely no constraint* to use a clean room in reverse engineering.
The first clean room reverse engineering that I'm aware of is Phoenix of IBM's BIOS. They had *no* legal requirement to clean-room reverse engineer the BIOS. If they wanted to, they could hire IBM BIOS engineers for the job. However, by doing a clean room implementation, they ensured that they had a counterargument to *any* potential IBM claims of infringement. Had they not used a cleanroom tactic, they might have had to actually have folks look at the code and at what people were doing with the code if charged with infringement. While this can be useful -- it's an immediate shutdown to any argument IBM might raise about infringement in court, and the judge doesn't even need to see the code -- it is definitely not necessary. I can look at GPL code and use the same approach said code does as long as I am not copying code verbatim (note that changing variables or something is not sufficient -- the work must be done by you, not be a mangled version of the original).
That being said, WINE has long had a policy of *not* accepting access to Windows source code. They've had people with access to it volunteer to give them stuff in the past, and they want to do a pseudo-cleanroom approach, since it makes matters simple from a legal standpoint. WINE will probably continue to ignore the source (and the WINE maintainers now have to worry about people submitting WINE patches containing Windows source...they may require indemnification or God knows what).
From a security standpoint, this is an utter disaster to Microsoft. They haven't had the benefit of many eyes all these years, and now they have a fucking lot of malicious eyes, and ten years of holes to remove in a week or so before the nastier exploits come out. None of those eyes have any incentive to submit patches to Microsoft. There will be attacks on relatively hardened systems, too.
This is going to suck for friends and family that I have using Windows.
Re:The EML Files
by
shird
·
· Score: 3, Insightful
The virus was cleaned from the comp (i.e. zeroed the eml files), but the backdoor (file sharing) remained. Most AV software doesn't remove backdoors after cleaning a virus.
-- I.O.U One Sig.
Re:A bit about the developer...
by
Anonymous Coward
·
· Score: 1, Insightful
OK, so the way the source leaked was because of a wu-ftpd exploit. How long until Microsoft decides to use it as a base for FUD? After all, it is Open Source Software...
Re:Here is a Torrent link ... 200MB download
by
torokun
·
· Score: 2, Insightful
What in God's name is wrong with you people?
Do you even think about how many coders work for Microsoft? How many work for companies that depend on Microsoft technology? Do you think about the fact that people are busting their asses writing code, trying to make a living? Who cares about whether MS is full of crap or not? All companies have marketing. That's how business works.
You don't go and steal everything from a store just because the electricity goes out! It has repercussions! I have friends that work for Microsoft, and believe it or not, they are incredibly intelligent, honest, and good people. Each time you post a torrent link, you're helping to screw them.
You disgust me. This is NO DIFFERENT than a bunch of morons looting stores after a big game, just because they can... Can you possibly think that promoting these links on slashdot doesn't have a harmful effect? But you don't care about that. You just want to get your little jollies off thinking how neato it is that you can do something and a big corporation can't stop you.
Congratulations.
Re:Anyone elses brain getting ready to explode?
by
pandrijeczko
·
· Score: 4, Insightful
Some perspective on your comments...
If the source code got leaked, Win2k will get exploited by...
Apparently the leak has been confirmed but it's some of the source code, not all of it. Only time will tell whether it's an important bit of source code.
I mean, with linux there's a temptation but nobody runs it.
You cannot think of Linux in the same way that you are thinking of Windows.
Two people who use a Linux system could be running entirely different systems with few or no common applications across the systems - this is why it is unlikely that something like a worm virus would propagate through the Linux community in the same way it would through the Windows community.
Linux is by no means immune from attack, but if one comes, it will be a particular application (e.g. Apache) that will get attacked and whether a specific Apache system is affected will depend on the version, what modules are loaded to allow things like CGI scripts, etc.
When you say nobody runs it, I agree it's a minority on the desktop but the applications that run on Linux (and the likes of BSD, Solaris, etc.) like sendmail, BIND, Apache, etc. are very widespread and a lot more so than IIS or Exchange in many cases.
MS leaked it intentionally so they can get everyone to patch with their DRM system.
Microsoft are an arrogant company and have no doubts about getting DRM through the door with the way they do things currently - DRM's success or failure is now simply based on the level of its acceptance in the user base, nothing more.
If anything, a source code leakage would allow everyone access to how MS's DRM technology works.
Whatever the extent of the leak, MS will downplay it because to not do so will affect the share prices. There is no conspiracy theory here...
I mean, I like linux and all but this isn't the way to win at all.
There is no battle here. Linux exists despite Microsoft and offers an alternative way of doing things to Windows.
Microsoft may attack Open Source on a regular basis but the Open Source community does not care - it is just creating good quality, free software and defending its right to do so. This will happen no differently with or without competition from Microsoft.
I thought we were going to slowly beat them back into submission and competition, not completely screw them and quite a few million over.
You're now implying that a member of the Linux / Open Source community stole the source code and I resent that.
No Open Source programmer cares about seeing MS proprietary code. To do so would run the strong risk of inadvertently incorporating MS code into an application and nothing would please MS more as it would allow them to send the copyright lawyers in.
The only thing the Open Source community will care about is if MS's code contains GPL code but I doubt even MS would be stupid enough to do something like that.
Well, time to begin caching DNS entries to websites I use the most, and it may be high time to backup some of this data and close all the nat ports on my router just to be extra safe.
Perhaps you'd also like to stock up your kitchen cupboard with canned food and make yourself up a tin foil helmet also...
If you haven't secured your router then I'm surprised you haven't been attacked already. Also, the core DNS system mainly runs on BIND & Solaris (so I'm led to believe) so it's unlikely that this would be affected.
In all honesty, you are being far too sensationalist at this stage and my advice is simply to wait and see what happens. I doubt it will be very much...
-- Gentoo Linux - another day, another USE flag.
One Man's Source Code Is Another Man's Virus
by
Bowie+J.+Poag
·
· Score: 2, Insightful
Stop and think about it. Regardless of whether or not the leak was intentional or not, it hurts us. If the code leak was deliberate, it was a brilliant move, strategically. It will hurt the open source community far, far more than it will hurt Microsoft. In fact, this is probably the biggest punch Microsoft has landed on the face of Linux. If it was unintentional, the net result is the same. Here's why.
Think of the leaking of the Win2K/NT source tree as a virus.
It's a virus designed to undermine the credibility of the open-source community. It operates by exploiting two well-known vulnerabilities in open-source coders---Their curiosity, and their propensity for sharing. The dispersal of portions of the Win2K/NT source tree effectively taints the entire open source community's efforts to develop cleanly. Think about it. By leaking the code, every new OSS project that has anything even remotely to do with Windows interoperability can now be accused of having its hand in (at best) an unethical cookie jar. The folks who maintain Windows-interoperable projects now have to second-guess every new submission they receive. Even worse, the availability of portions of the Win2K/NT source tree means the functional validity of all open source projects can now be called into question. Before, it was certain that any "feature" present in open-source software was the result of hard work, close observation, and the occasional dose of clever back-engineering. Now that we can see over the fence, we can be accused of everything from violating Microsoft's intellectual property rights to wholesale misappropriation of entire blocks of Windows code. Sort of makes SCO's accusations seem a little more well-grounded, doesn't it?
The sad thing is, the virus is having an easy time making the rounds, since there's nothing we can do to stop it. We can't become "less curious". We can't become "less industrious". The only way to avoid being under the cloud of suspicion is to stop developing altogether. Just watch what happens. My guess is, by the end of this year, the trade rags are going to begin to equate open-source software with "questionable parentage".
This game is gonna get interesting in a hurry.
-- Bowie J. Poag
Re:One Man's Source Code Is Another Man's Virus
by
Boltronics
·
· Score: 3, Insightful
"this is probably the biggest punch Microsoft has landed"
Don't you think maybe you are just a little too paranoid? I could understand this possibly being a problem for the WINE project, but I wouldn't expect it to go any further than that. NTFS code wasn't leaked, and samba/vfat is probably already as good as it can get.
-- It's GNU/Linux dammit!
probably a source code source that's going to last
by
robby2
·
· Score: 2, Insightful
a lot longer: Freenet
I wonder how many people will start using freenet just to get the sources and not get tagged as "one that downloaded the sources".
Possible reason....
by
mormop
·
· Score: 2, Insightful
For once the BBC carried a tech story on the main news which was reported as follows:
Source code for Windows NT and 2000 was leaked onto the internet. Microsoft fear that the source code being open to view could make it easy for hackers to attack these systems.
So there you have it. Source code readable by plebs = security risk, a statement that will reflect on FOSS in the minds of Joe Public if you tell them that the Open Source means readable source code.
Hmmmmmm....
-- Hmmmmmm..... Deep fried and look like Squirrel.
Re:Here is a Torrent link ... 200MB download
by
Anonymous Coward
·
· Score: 1, Insightful
You know, every evil empire is built by honest, intelligent and good people, the same with Microsoft.
Estimated 300,000,000 computers run with Windows NT/2K/XP and the source code is under seal, known security holes take 6 months to be fixed, where are the responsible and intelligent people at MS taking 6 months to fix it? Are they all taking vacation?
See, your friends may be true friends of yours, granted - but this is a corporation which doesn't behave as friendly, honest and ethical as your friends who work there. Enron employees are surely more honest than the managers who screw Enron.
So, just because you have sympathy for your friends working for MS doesn't make MS be like your friends. See the bigger picture of this leak!
http://heim.ifi.uio.no/~mortehu/files.txt seems to show signs of a Nimda (or similar) virus infection. Look at the number of 0-byte sized email messages distributed in inappropriate places throughout the tree. If whatever machine this source was ripped from did indeed have a virus then no wonder it was leaked.
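The heuristic from the comment above (zero-byte e-mail files scattered through directories that otherwise hold non-mail files, which an earlier comment attributes to antivirus zeroing the `.eml` files), sketched as a triage check over a file listing. This is an added example, not part of the original thread; the `<size> <path>` listing format, the sample data and the `min_dirs` threshold are assumptions.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample listing: "<size in bytes> <path>" per line (assumed format).
SAMPLE = """\
0 tree/kernel/readme.eml
4096 tree/kernel/init.c
0 tree/shell/desktop.eml
2210 tree/shell/tray.cpp
0 tree/net/sample.eml
18034 tree/net/tcp.c
1532 docs/mail/status report.eml
0 docs/mail/draft.eml
812 tree/tools/build.cmd
garbage line without size
"""


def parse_listing(text):
    """Return (size, path) pairs, skipping lines that do not parse."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)  # path may contain spaces
        if len(parts) != 2:
            continue
        try:
            size = int(parts[0])
        except ValueError:
            continue
        # Normalise Windows separators so parent/suffix work uniformly.
        entries.append((size, PurePosixPath(parts[1].replace("\\", "/"))))
    return entries


def triage(text, exts=(".eml",), min_dirs=3):
    """Flag a tree when empty mail files sit beside non-mail files in
    at least `min_dirs` distinct directories."""
    by_dir = defaultdict(lambda: {"empty_mail": [], "other": 0})
    for size, path in parse_listing(text):
        bucket = by_dir[str(path.parent)]
        if path.suffix.lower() in exts:
            if size == 0:
                bucket["empty_mail"].append(path.name)
        else:
            bucket["other"] += 1
    # "Inappropriate places": directories that mix empty mail with other files.
    suspicious = sorted(
        d for d, b in by_dir.items() if b["empty_mail"] and b["other"]
    )
    count = sum(len(by_dir[d]["empty_mail"]) for d in suspicious)
    return {"dirs": suspicious, "count": count,
            "flagged": len(suspicious) >= min_dirs}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A directory that holds only mail files (`docs/mail` in the sample) is not counted, since an empty draft there is unremarkable.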
Re:NTFS...
by
Anonymous Coward
·
· Score: 1, Insightful
doesn't appear that there is any NTFS code in what was leaked. why would microsoft share NTFS code with a developer? really doesn't have much to do with the API
It was done intentionally!!!
by
rippleone
·
· Score: 4, Insightful
So many people are talking about open source stuff that no one has looked at the obvious. Microsoft did this on purpose. Let the code conveniently get out onto the net and then let more and more security holes be found. Nice sales tactic to get everyone to move to Windows XP or Server 2003. Microsoft - "you know, if most of guys out there refuse to upgrade then we will give you real reason to upgrade, this is our new licensing plan." Reminds me of mechanics damaging cars themselves just to do repairs.
Re:Why does trash attract so much interest?
by
Anonymous Coward
·
· Score: 1, Insightful
Unless of course it is the left-over garbage from Wordpad, which is of tolerable quality
Hey, edit.com was quite nice too. Split windows, automatic indenting, and other stuff all in a console text editor.
Re:Why worry about Wine???
by
localhost00
·
· Score: 2, Insightful
I know what Wine is. You apparently failed to see the pun that was intended here.
--
Calling atheism and agnosticism a religion is like calling bald a hair color.
The next great MMORPG.
First point: The tagline for Neowin.net is "Where unprofessional journalism looks better". I'll take what they say with a block of salt.
Second point: The odds of getting one's hands on the full source to NT4/2K are slim to none--even most Microsoft folks couldn't do that. The code is probably scattered across multiple servers in Redmond, for starters, and you'd only be given access to the parts you needed to work with.
Third point: The article has absolutely no detail to it whatsoever. For all we know, they've released a trojan masquerading as the source code and are trying to sucker geeks and 14m2rZ into downloading it.
Neowin has learned of shocking and potentially devastating news. It would appear that two packages are circulating on the internet, one being the source code to Windows 2000, and the other being the source code to Windows NT. At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them. Microsoft are currently unavailable for comment surrounding this leak so we have no official response from them at the time of writing.
This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bear thinking about.
We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to Microsoft's Anti-Piracy department.
Obliteracy: Words with explosions
Seriously, don't look at it, you will no longer be considered "clean" and might become a liability to any project you work on.
Whatever you do, don't let the code influence your projects. The last thing we want is Microsoft joining in with SCO and accusing the open source community of using MS code in an open source project such as Linux. Sure you probably wouldn't want to with its reputation, but I am sure there would be those who would be tempted.
Jumpstart the tartan drive.
Do NOT read that code if you ever wish to program for an open source OS, ever. Doing so will make you tainted- you open the project up to allegations of copyright infringement. Unless you never want to contribute a single line to Linux, *BSD, etc, checking out that code is a bad idea. It's almost a surprise MS didn't "leak" Win 95 or 3.1 years ago to catch open source developers like this.
I still have more fans than freaks. WTF is wrong with you people?
This is not good. Windows is designed primarily with 'security by obscurity' in mind. The security holes indeed show up every often and we have worms making it to the gazillion windows boxes before the patch does. Get ready for a deluge of worms/viruses. Another bad week/month for sysadmins.
Free XBox, PS2
I haven't been able to even get to Neowin, it's been slashdotted since before this story even made it to "The Mysterious Future" here on /., but think about what this means if this is actually true. The potential vulnerabilities. All the trade secrets Microsoft put in there. Hell, IE 5 was released with Windows 2000, so if this is full source, it means IE 5 and the trident engine are in there as well.
If this is true, today may be the day that everything changes.
Is the code that bad such that this news story considers this so dangerous to Microsoft? Seems a bit hysterical to me.
I don't know how useful it is to WINE, etc... OSS developers not wanting to be "contaminated" by looking at the source code won't look at this stuff anyway.
Sure it's illegal, but so have many things Microsoft has done.
I'm not sure that kind of justification really works. It also doesn't help the open source community, IMHO. I can't agree with the "let's sink to their level" philosophy.
Ok so here's MS's plan.
... Ya, I'm sure you know what goes here.
Step 1) Leak their source
Step 2) Sue Open Source developers down the road because obviously they have studied the MS leaked source.
Step 3)
Ok but seriously, I'm not touching it. The last thing I need is Microsoft saying that I somehow owe something to them.
Jerks.
--
Mike
-- Mike wildcard@illuminatus.org
Where law ends, tyranny begins -- William Pitt
but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bear thinking about.
I disagree with the reporter. Because of the added scrutiny a widespread access to the source code will generate, it's more likely that we'll finally see a tight, secure Windows 2000 and NT. That is, if Microsoft accepts fixes, tips and advice from the hacker community as they should. If they don't, I can already see the unofficial Service Packs doing a much better job than Microsoft's.
There are two kinds of people in the world: Those with good memory.
Mr Bill isn't the only one in a bad situation here, with the source code available to all those crackers/virus writers, there will be lots of new worms and exploits, millions of Windows users will be in a much worse situation too.
Worms and exploits will start to appear quicker, and more frequently than ever.
The IT section color scheme sucks.
Although driver 'wrappers' and the like would be awesome for the linux community, think of the lawsuits that would start if linux 2.7.0 had much much better support for NTFS and the like.
this actually can hurt us more than help.
In the last article on the /. home page, we have W. Russell Jones talking about all the insecurity of having source available in open source projects.
I'm afraid we've reached a massive failure here in security by obscurity, but time will tell. If this is true and if there are lots of security holes discovered, I find it hard to believe even a company of Microsoft's size can respond quickly enough to keep the outbreaks down. This threat is why open source is better than what W. Russell Jones made it out to be. The threat of security failing because of leaking source just isn't there with open source.
-N
I've nothing to say here...
At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them.
How big are these files? I would expect the size of these tarballs to be comparable to Linux Kernel + GNOME + Mozilla + misc userland/bundled equivalents. If they are unexpectedly small (like less than a gig for W2K), then they are probably a hoax.
Vote in November. You won't regret it.
Now I guess those of us who write code for free projects have to be doubly careful what code we read and who tracks us doing so.
I can already foresee the cease-and-desist letters to free projects, claiming that one or more developers have been tainted by knowledge of 'proprietary information' from microsoft, and the enclosed clicktrail on www.w2k-source.com provides the necessary evidence. And you thought you were just checking out driver support info on a community site.
mfg lutz
What the NT kernel does is well understood. The object code is widely available, and key parts, like file system formats, have been reverse engineered. There's plenty of documentation. A few major development shops have access to the source anyway. If you're into kernel architecture, it might be interesting, but otherwise, so what?
Anyone who looks at that source is pretty much legally prohibited from ever writing a line of remotely related code for any project. If Wine attempted to make any use of this leak, it would immediately become illegal in the US, EU, and most other copyright-enforcing countries. Probably no one would bother the users, but anyone redistributing it (or developing it) in the US would be cracked down on.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
> It *amazes* me that it hasn't been routine.
Because most people are paranoid enough to assume M$ watermarks each distributed copy to allow them to trace it back to the point of release. But now they are giving copies to governments like China and folks there just don't really give a damn about western notions of copyrights.
Democrat delenda est
The Windows code hasn't had nearly as much peer review as open source OS's so I won't be surprised if this leads to a ton of exploits. The big problem here is that this source will be available to any black-hat that wants it--they obviously aren't going to be concerned about the legalities of obtaining leaked source code. But the businesses that use Windows aren't going to be able to audit the code for security leaks unless they obtain it illegally (or sign some agreements with Microsoft and shell out bundles of cash.)
I think from a legal standpoint it might be very important that OSS developers not look at the code. Even though they didn't leak it, MS still has rights to the code. If an open source program took advantage of illegally leaked code, what would the legal ramifications be on the OSS project? I don't know the answer, but I'd be willing to bet real money that MS would sue. I remember reading an article where the SAMBA developer said he was very careful not to look at any code because of this. Reverse engineering is fine, but you don't get any help to do it.
No, no and no.
Unless this source 'leak' was officially sanctioned (which we know it wasn't), possession, use, distribution, etc of said source would be illegal, regardless of if you have a legitimate copy of windows 2000 sitting on your home pc.
Also, the EULA covers the final product, not the original source. There are separate license agreements for that source.
Help Brendan pay off his student loans
It's in C (at least the core pieces). The older modules may contain assembler.
Mod +5 Drunk
I hope you weren't planning on ever contributing to any Open Source projects after doing that. If it's later demonstrated that you had access to the W2K source and contributed vaguely similar code (even by accident) to a project, it could have severe repercussions for that project.
IANAL but I do read Groklaw, and from what I understand copyright restricts the act of copying (duplicating). You can study someone's implementation of something as much as you like, then go implement something similar yourself. As long as you do not copy the code verbatim you are not in violation of copyright law.
Otherwise, no student would be able to code having once looked at examples in a text book ... the textbook author would own all of your code.
The problem is, of course, proving one implemented the code oneself and did not in fact crib the whole thing from someone else's code, and the greater the similarity (for code of sufficient complexity ... trivial code will generally be similar regardless) the more difficult that is.
In any event, it is a myth that, simply by looking at, or even studying, one set of code one is somehow "tainted" and unable to contribute to another, competing project, be it free or proprietary. To violate copyright law one must copy, not just receive inspiration from.
The Future of Human Evolution: Autonomy
My question is, has anybody managed to get this steaming pile of manure to compile? Seems like one would need to do that and then compare the binaries (ignoring any timestamping) before assuming this is authentic.
"Freedom means freedom for everybody" -- Dick Cheney
No, but how long will it be until Microsoft pulls an SCO and accuses open source of integrating MS code? If it is indeed true, and the code is floating around out there, and within a few weeks a miracle version of Wine is released which suddenly has 100% compatibility, what would MS's reaction be?
www.litestep.net, or litestep.com. Works pretty good too.
i don't like my old sig.
Know what. Screw the whole legality issue. Those who have a foot in both the software design (even OSS?) and warez scene need to nab this. Much positive work could be done with windows/linux compatibility once we figure out the obscure protocols that windows uses. Yeah, it'll be legally grey, but who cares.
This will probably elicit a lot of replies about how Linux needs, especially now, legitimacy, especially under scrutiny of corps hoping to use it on desktops/servers. Individuals wouldn't care as much, obviously. They're right, in part at least. However, I've always admired the range of software choice Linux has, and just like Debian doesn't ship with all the necessary mplayer codecs.. they're out there, if you want 'em.
On another note.. what if someone took the code, released Linux software designed to help, say, samba, or something. Then another developer, without looking at the actual code for that program, made their own derivative by decompiling/whatever?
http://cltracker.net -- powerful craigslist multi-city search
Source code (being mostly text) should compress a lot better than compiled binaries.
Could this be a ploy to spur Win2k+3 updates? Blame the hackers for making win2k insecure. Oops you gotta upgrade now, sorry,
Religion is a gateway psychosis. -- Dave Foley
If you work on any Open Source project, DO NOT LOOK!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Now SCO can sue Microsoft for stealing their code, too! *LOL*
Seriously, though... If the circulating source is really NT4 & W2K, that would give a powerful instrument to both sides - the ones who want to sue Microsoft for stealing their technologies and for Microsoft, too, since from now on they will be looking very closely at newcoming products of their rivals.
Yup. And films should not be copyrighted because the film studios did not invent silver nitrate.
And CDs should not be copyrighted because they did not invent the photon used to read it.
If you take this to its logical extreme, any file is simply an extremely large digital number (millions of bits). How do you copyright a number? So it is then not possible to copyright ANY digital work.
"-1 Troll" is apparently the same as "-1 I disagree with you."
I agree. Remember, at the trial MS argued that opening or showing parts of Windows source code would be a threat to national security. Not long after that, they gave their source code to Russia, China, and many multi-national corporations and other organizations as part of their Shared Source initiative. Now, don't know where the source was leaked from, but 1 + 1 = ?
If in fact, this story is true, MS is riding against the wind here. It is feeling pressure from the Open Source while its security, software, and business models are based on keeping the source secret. If so, how long can they keep up?
I thought Litestep just replaces the shell (ie explorer.exe). Is there any way I can change the click-to-front behaviour of Windows to use the Amigas (or WindowLabs) click-to-focus but not click-to-front model.
Nope? - didn't think so.
The only way I can think of doing it is using hardcore hook stuff. Having the code would be *much* easier.
Possibly, but would they really want to? The samba group ended up with faster code than MS by reverse engineering the SMB protocol instead of inheriting a bunch of code patched by different people over the years. I would imagine looking at the source would solve a bunch of problems for the short term.
Of course if this turns out to be true and all.
win2k+3? wow that's much easier than typing win2003...I don't care mod me down, abbreviations and acronyms have gotten out of control!
Pretty widgets? What pretty widgets?
This is not funny. I have been working on ReactOS and WINE for quite a few years and do not want to see my work put at risk. Or have my project become the target of a Microsoft SCO-like case because some twit puts Microsoft code in to ReactOS.
- Steven
Free Unix? Free Windows. http://www.reactos.com
Before now, it could be assumed that Samba developers were working from scratch- clean room implementations, because it wouldn't be possible for them to have the source code.
Now, unless the leak and spread can be precisely pinpointed, the Samba project could be the target for attacks under the "assumption" that they were sitting on this and that's why it works as well as it does. Whether or not they think this is true is irrelevant, they just need to let their legal team sink their claws into it, and muddy the waters.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
there might be patent issues, but i think they list those on the software or license somewhere. my understanding of trade secrets is that it is their responsibility to maintain the secret. and if this is *really* source code for nt4/win2k, it's not a secret anymore.
eric
No. If the Wine folks look at the actual Windows source code, they aren't reverse engineering any more, they're copying, which is illegal
I'm tired of this b.s. Since when has looking at something been equated to copying it? Copying is copying. Looking is looking. However, obtaining the code is probably a copyright violation. After all, this post is not a copy of your post. It was inspired by it, I looked at your post, I legally cited your post, but I did not give you the rights to my post by doing so, nor can you force me to remove my post.
The contention is that you would have a dickens of a time proving in court that you were not directly influenced or did not directly copy the copyright work. Do you have the financial security to take this through the courts and win? No? Then, keep your nose clean. If you don't want to stink, don't go near the shit.
I understand what you're saying, but it's best to steer far and wide and very clear of it. Treat it like nuclear waste. If you don't even look at it, no one can try to taint you.
Forget your brand of "MS is doing it to get us on the sly".
How about:
MS took a calculated risk in allowing the Chinese government access to the code in order to secure more sales, and are now paying for it, because someone Freed Billy!
http://pcblues.com - Digits and Wood
Speaking of "a world of hurt," wouldn't the general reaction to a leak of this kind cause a precipitous fall (big or small) in Microsoft's stock? If I was an investor, I would totally short the stock right now, since there will probably be some crazy reaction at just the hint of a leak...probably because people will think it's a bigger deal than it will end up being.
It looks as though at the end of the trading day, MSFT did lose some value. If not short it, then maybe sell it, if only to pick up some deals later...
ummm he let detectives do a raid?
i would have kicked them the hell out then called the police for attempted burglary AND pretending to be a law enforcement officer.
So having said that, why does it surprise anyone that two identical lines (or whole procedures) of code end up in two different programs or operating systems? The code to control the hardware can only be written so many ways.
Besides, if the way all MS code acts is any indication of how it's written, the only place I can see it being of use is with virus/worm/trojan writers and geek comedy clubs.
Have you hugged your penguin today?
But, it only takes one person to look at the Windows source, then go do something vaguely similar in Linux (or any OSS project for that matter). The result would be devastating: Microsoft would litigate Linux to death.
As many have said, the principle behind these copyright suits is awful. Looking at code, then doing something somewhat similar (because of inspiration) should not be a copyright violation. But with Microsoft's legal and financial resources, the laws will "adapt" to what is most beneficial to them.
I can only echo what many others have said: for the sake of Linux and OSS in general, do not look at the Windows source! That's a very conservative and overly-paranoid policy, but it's an invaluable measure for protection.
To me, general acceptance of open-source software is similar to political elections: every last speck of dirt is drug out and put under the spotlight. Any potential or suspect or even misunderstood characteristic is scrutinized, and the naysayers always manage to put a negative spin on it.
Open source only stands a chance if it can maintain the straight and narrow path... I hate to sound preachy, but any slight mishap, no matter how innocent or accidental, quickly turns into a major catastrophic disaster. There's just too much money and power interested in seeing OSS fail.
Windows viruses affect everyone. We all use the same Internet that slows down when the latest worm hits. Virus writers are scum, kill them all.
(2) Concerned individuals and companies can learn from those who look at the code just how BAD the vulnerabilities ARE.
Probably, but what can they do about it? It's Microsoft's IP, they can't fix it and just hand it back. Virus writers will probably write more worms, the Internet slows down, we all suffer (see 1).
This could very well accelerate migration away from Windows and towards other OS's which are secure despite having available source code.
Erm, Open Source software is quite happily gaining market share without the need for this, thank you very much. Up to now it's been doing so on the basis of being software that's as good as, or better than, what MS write. It has not needed any visibility of MS IP to do this.
I am certainly no MS fan but this theft is nothing more than someone somewhere wanting some kudos.
C'mon, people! The real fight is not having DRM pushed down our throats, not tearing apart MS's source code...
Gentoo Linux - another day, another USE flag.
Penguins spend their lives in the freezing cold fending off polar bears and rogue icebergs and catching fish, they are totally used to it and even if a particularly nasty polar bear comes around they can usually deal with it. If you release a home-trained hamster into that environment it's just gonna die.
This comment does not represent the views or opinions of the user.
What part of "being proved guilty beyond reasonable doubt" didn't you understand? It's the accuser's task to prove the accused party guilty, not the other way round.
No, it's the same codebase. Big parts of it are rewritten for every release and new parts are written from scratch to support new features, but a lot of it is the same. How else do you explain that most of the security bugs affect every Windows NT version from 4.0 to Server 2003? They were rewritten from scratch with the same mistakes?
Finally you are getting smarter. But just in case you don't understand it yet: all copyrights are bad. The world without copyrights would be much better. Demonstration: compare the quality of copyrighted Windows to copylefted Linux.
America is great because America is good, and if America ever ceases to be good, she will cease to be great.
And this is exactly what's happened to America after 2001/09/11.
By the way, America was never better than many other countries, like England or Australia. So, guess what?..
Less is more !
Adding Microsoft to the SCO mix would make no difference whatsoever.
IBM's legal team make Microsoft's look like first year law students. IBM's lawyers held the DoJ at bay for DECADES. Not even Microsoft are prepared to mess with IBM. The moment IBM called SCO's bluff SCO knew they were dead.
And if Microsoft could buy them with a month's revenue imagine what IBM could do. They are a little bit bigger than Microsoft you know...
I just think it's funny that IBM were everybody's worst enemy in the 70's and 80's, and now they are usually the ones doing the right thing by the industry.
What do you know about who reviews the windows code ?
Also, what assumptions are you making about the number of people, and their qualifications, that are reviewing OSS code ?
My opinions are my own, and do not necessarily represent those of my employer.
I'd say that's misleading at best. The reason there have been more worms/virii/etc. that attack 2000/XP than 9x is purely numbers. There's so many more computers running 2000/XP than 9x, why bother writing any kind of worm that targets 9x?
Coincidentally, this is also one of the key reasons that there are more worms/virii released that target Windows than Mac or Linux - why target Mac or Linux when you can target Windows, with many, many times more users?
Why this is perceived as such a security threat to Microsoft, when it's not for Linux?
or other released code. It should be possible to triangulate the source against existing released software, so at least we can know what exactly it is and whether this is a hoax or not.
Paul
We witness not a fallen world, but falling every day - The Call.
But assuming they find some lines of GPL, can't Microsoft just deny that the source code in the wild is the proper code for Win2000?
--- guns don't kill people, people with guns kill people ---
ummm... prolly because you post as Anonymous Coward? It's just a thought...
It seems that you are not looking far enough.
Computers are necessary.
If windows is untrustable, what do you do?
(Hint: There ARE other operating systems that run on PCs)
The truth about Led Zep should never be told on
Not likely - the WINE folks could just show some code from before the leak with the "similar routines" included. That said, they'd have to find a way to *prove* that it came from before.
--- Bwah?
>I respect your integrity, but as far as I'm concerned MS is a pretty sleazy company so I'm not gonna shed any tears for them.
It's about not stooping to their level.
The main drivers of OpenSource are those which just program and share, not those that fight dirty/go on illogical and embarrassing rants.
Look at SCO. I assume that there are many fine people there, but how do you view the company as a whole? After this SCO vs. IBM thing is over, what is your impression of them?
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
I guarantee that if it was one of these countries who gave it away, they will be caught. Why? Because Microsoft probably made small but unique cosmetic changes to each of the codebases they released. Essentially, putting a unique fingerprint on it in each instance they have shared out the code.
This is extremely good advice. I would go even further and say that if you would ever like to work on an open source project, don't look. The presence on a project of a person who had seen the Windows source could put the entire project at risk.
For a very practical example, consider Samba. If a person who had seen the Windows source were to contribute to Samba and it were later to come to light that the contributor had seen the Windows source, in the name of safety every piece of code that person contributed would have to be ripped out and replaced. Worse, to guarantee that there was no trace of taint, it would probably have to be replaced by people who had not only never been exposed to the Windows source, but who had also not seen the contributor's tainted code. In short, it would require the recruitment of people who had never worked on the project before, or even read the source. Finding those people would not be easy, to say nothing of the time and credibility that would be lost.
For that matter, even if you have legally seen the Windows source because Microsoft has provided it to your employer under their shared source program, the same taint would follow you. If your employer has access to Windows source and your job does not require you to see that source, do yourself a favor: don't look.
If you look at the Windows source, you at the least taint yourself WRT working on any project aimed at interoperability with Windows, and quite possibly on a much wider variety of projects than that.
In short, JUST SAY NO.
In this case the point should be that people who bought into the MS security concept will feel screwed. The ones on other systems will be able to do their business as usual while crazed windows admins run around firefighting for their lives.
I can't imagine how this could have a bad effect on linux at all. A big boost for ABM and the industry as a whole would survive just fine without MS. It isn't like MS has really truly made something significant other than piggybacking and marketing.
HTTP/1.1 400
When I go out in the sun, I wear sunscreen and although I'm fairly pale, I probably won't get burned too badly. If someone goes outside with a T-shirt and shorts for the first time in their life (say a 25-year old), they'll probably get burned fairly badly (unless they wear a lot of sunscreen or aren't out for long).
Linux and other open source OS have had people looking at them for a long time. The people looking at the source of Linux are less likely to be a monoculture than the people at MS who are hired to look over software. In addition (uninformed speculation) more of the Linux people may have been black hats once - the less ordered (as in cubicle order rather than procedure order) system may be more amenable to some who fit a less monolithic background. Linux is thus likely to have been looked at by people who might once have looked to hack it and by people with a wider variety of skill sets. MS knows a lot about software, but their diversity in software knowledge and opinion is likely smaller than that of either their user set or of that of white hat hackers.
The other factor is that having the MS source without a licence is illegal - thus the people who are most likely to take advantage of the availability of the source are people without much respect for the license in the first place - black hats. Linux source can be viewed legally, and so is just as likely to be looked over by white hats as black hats (probably more likely, because of the population ratio of BH and WH).
In one of the Clancy books (I think "Debt of Honor"), he talked about secrecy being good for hiding information that someone doesn't want you to know - but that when it broke, the news would be much worse for that someone, and harder to control. That seems applicable here - only the news is directed almost exclusively to those who would do them harm.
The next day it was discovered the patch was very badly coded, and included a backdoor...
I think I'll stay away from 'opensource' MS patches, thank you very much.
Wrong. Only distribution would be illegal. Copyright only protects from making COPIES. Just like MP3's. Having 10GB of MP3's on your hard-drive is only illegal if you distribute them. It doesn't even matter whether or not you have the original CD's, either. (But if you don't, it was probably illegal to GET them. But not to possess or use them)
ASCII stupid question, get a stupid ANSI
My guess, this is some of the source released to academic institutions for study. Lots of universities have access to a small portion of the windows source code, for use in various computer labs, and to create interoperable code. It comes on a single CD, and is not difficult to obtain.
I've studied one small section of M$'s source code, a single network module appearing in both NT4 and NT5.0, under NDA of course. I don't see it here. There are a lot of things I don't see here, and I'm still going through the tree. There are some things here that are clearly part of windoze, such as the source to regedit.
Some other things that make me suspicious this isn't all the source code:
1) lots of 0 length files, could all those .eml files be links to the original file?
2) the win2k source just happens to total 658MBytes, about the size of a CD
3) there are a number of 0 length files of people's names with the letters CV next to them. cv - vered mazafi.eml, ronen-cv.eml
4) all through the file listing are repeats of .eml files, like tcp-ip tutorial.eml. Would there really need to be a tutorial like this spread everywhere?
I think this is just a student prank, being trolled out of proportion. It's not just /. doing the trolling, this will probably hit the major news outlets tomorrow. No doubt, they will only quote the most pandering media whores around, to sensationalise the story. Any bets several major stories will point to /. as a culprit, or as a den of criminal hackers?
the AC
I can't believe I'm admitting to extensive knowledge of windoze on /.
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
I should think that the lawyers at M$ will wait a suitable period of time and then, once ReactOS looks good, swoop in with a C&D order. They will have a long list of "similarities" in source, and charts showing how development of ROS features and stability has become accelerated since the release (though ReactOS was picking up anyway, as has WINE, as does any project gaining mindshare) and even if it makes no sense M$ will be able to hold up everything for years in litigation and findings.
This whole thing has a really high suck factor.
Combined with SCO FUD and that fscking MyDoom nonsense, this is really bad.
=^..^= all your rodent are belong to us
It is wise to keep a low profile from a company that offers bounties to hunt people down.
Yankee Group senior analyst (sic) Laura Didio has these alarming thoughts on internetnews.com about who might now be able to get their hands on the Windows source:
So Microsoft is the defender of truth and justice in the free world, and OSS hackers are like suicide car bombers?
She then went on to warn of the dangers of hackers using the several hundred megabytes worth of leaked source code to compile their own pirated copies of Windows 2000. What a dumbass.
And what exactly is a "tinker", anyway?
Also there appear to be duplicate headers, repeated in various directories that I'm almost positive would end up screwing the compile process in a real build. Also, another thing is that, if their distributed files with VC6/7 are indicative of their internal naming, they stick to a strict 8.3 naming scheme, and make note of this in their documentation (don't remember *where* it was that I read it, but it was MS docs, and I remember being surprised by it). Another thing, again assuming that the files distributed with VC6/7 are a good model, their files tend to be all UPPERCASE! For example, here's a listing from their includes in for VC6:
1. Filenames can be shared in different folders with no issue. No problem whatsoever.
2. 8.3 filenames are *only* needed for ISO9660 CDRs. The source tree uses whatever filenames people want.
Coming soon - pyrogyra
It's damn near impossible to compile it in our own tweaked build environment. I'd like to shake the person's hand that figures out how to compile 15 gb of closed source code that was leaked onto the internet. Good Luck.
SCO's actions are based on a company with little revenue, little cash, and nothing to lose. Microsoft has everything to lose. Say what you will about Microsoft, but they didn't get to where they are today with silly moves like that.
by a 500LB gorilla.
It has nothing to do with morals. It's self preservation.
Most companies don't have the resources to kick the crap out of warez distributors. MS isn't one of those companies.
Ben
Work Safe Porn
email her. The link's on the story page (don't quite know where, 'cause I'm using lynx right now). Tell her nicely where she fucked up.
Don't just sit here and bitch on Slashdot...
From the article...
"
This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.
"
Devastating?? Devastating because of the possible worms, viruses that can arise from this?
Closed or open, a piece of software "should" be secure and clean regardless.. if it's devastating it just proves that MS creates shit, so the fact that a pro-windows site actually says that is sad.
[alk]
Yea because downloading it is the smart thing to do. *rollseyes*
http://www.smokeherb.com/windows/
the sources are only partial, a lot of little scripts, build tools, code/security/certificate signing tools are missing, 3rd party and drivers of course, it's basically just some low level kernel and little shell and some apps sources.
you need a lot more if u wana build windows
check for some deeper info about win2k and nt3.x build and software engineering information here .
Rubbish. Definitely look - there's a lot of stuff you can learn from seeing the source that can't be traced back to your having seen it. Take wine, for example[0]: they're trying to implement a largely undocumented ABI. At the moment it's hard even to know what they have to code. If they look at the source they could see what functions they need to implement, how they need to work etc. Make basic notes, never look at the code again, go on holiday for a month, come back and write the missing bits semi-cleanly. They wouldn't need to copy any of the implementation (doing so would violate MS's copyright) but it would sure help to know what functions they needed to write (and I guess that would count as nothing more than utilising the widespread leaking of a former trade secret[1], which has no protection under law). The key point is, don't under any circumstances copy the code. And, if you do choose to look at the source, I suggest you get rid of it afterwards and don't tell anyone.
[0] I'm not suggesting for a second that the wine devs would look at the code, you understand: it's an example.
[1] If the leak is genuine, MS need have no doubt that this will be all over every p2p network in existence within an hour or so.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
That the article author describes it as potentially devastating and full of security risk with the source being leaked. And yet, look what that very same thing has done to the open source community. True, it probably is a very bad thing for windows security. Yet another reason to switch to another OS?
Wonder if that will be MS in the 2020s and 2030s?
Whereas SCO were stupid to mess with IBM, for Microsoft to mess with China would be utter lunacy, especially given China has the source code. Regardless of what political ticking-off MS can ask for China to receive, China has the source. It has a regime where it can require (literally) millions of people to work their way through the code, write as many utterly hideous virii as they can and release them all. Make no mistake, while China might get a slap on the wrist it's nothing worse than they continually get for their human rights record: on the other hand, they seriously have the resources to destroy MS if they're pissed off enough. I think MS made a stupid deal when they gave the source code to an insecure OS to a government like China's.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
And as you obviously don't know anything [....] why the fuck did you open your stupid mouth anyway?
Ever notice it's always the Anonymous Cowards who are so vehement in their criticism? Always with the "you're stupid" and the Mr. Tough Guy expletives: "why the fuck...."
Yeah, yeah, I know, Mr. Anonymous Coward: you're powerful and famous, in your mother's basement.
Opinions on the Twiddler2 hand-held keyboard?
On the other hand though, until now we have no way of knowing if a contributor has seen the M$ source, and is feeding it into open source projects, trojan horse style. If this is true, we could do a proper audit ourselves, and rewrite anything that needs to be.
MS's game department isn't what brings in all the money. It's their Windows and Office products that make the money.
They can grin and bear it when some games are pirated. Why do you think they (try to) crush companies that make mod chips for the XBox? Some things are more important.
And this is the source code to Windows. This is NOT just another product.
Anyone who dares to host it will be sat on until they are dead. Hell hath no fury.
Claiming this is just another product shows your definite lack of ability to comprehend the scope of this leak and the importance of it to MS's bottom line.
The legal costs required to shut down warez sites over a game generally are more than the amount of the losses. The legal costs required to crush the fools who dare to host the Windows source comes nowhere near the potential losses due to the leak.
Ben
Work Safe Porn
Yeah, there are a few trivial and ancient/obsolete BSD command-line tools in Windows (finger, ftp, nslookup, rcp, rsh). They were ported from BSD, and you can see that they contain the appropriate copyright attribution. Note that none of the kernel-mode files (e.g. the TCP/IP drivers) contain any such strings.
MS is naturally not opposed to using freely-available BSD code to achieve better interoperability with BSD/UNIX. MS Windows Services for UNIX, for example, includes a lot of modern BSD tools ported from OpenBSD. That's reasonable, of course, since it's supposed to provide a set of command-line tools familiar to UNIX systems administrators, and OpenBSD tools are known to be relatively good in terms of security.
Importantly, MS's porting of OpenBSD userland tools to Services for UNIX is also good for OpenBSD, because it helps to establish those tools as something of a standard. If hordes of MS users become used to the OpenBSD userland tools, they'll be much likelier to start using OpenBSD if they want a UNIX-like OS than to start using, say, Linux.
The common claim about the MS TCP/IP stack from open source zealots is that MS 'stole' the Windows TCP/IP stack from BSD because it couldn't write one of its own, which is of course complete nonsense. The handful of BSD tools in Windows are/were there to make it easier for UNIX users to access their systems from Windows. They're in no way critical to Windows as an operating system (in the way that, for example, a TCP/IP stack is).
Without being arrogant in any way, we really need to keep in mind we aren't looking at a mom and pop company here.
I highly doubt this will be the almighty downfall everyone thinks it is going to be. Try to keep in perspective that if this is true (and I have some pretty serious suspicions it isn't) if it costs MSFT $100 000 000, do you think they will even notice? Well maybe a bit but by fiscal 2005? I doubt it.
The source for NT will be useless for any kind of exploit in a year because support will be removed by then and the attitude in that end of the pool has been keep up or fall behind. And yes I do recognize the sickening number of them out there, I support the bloody things.
As for 2000, keep in mind that Linux may have 10 million developers constantly surveying the code on a part time basis, but they all have other jobs. MSFT has thousands of full time employees they can throw at one patch (in a pinch) that will deal with all of this.
Or maybe all the opportunists out there should look at it from a conspiracy theory point of view? Maybe they wanted this to happen.... (btw I love starting rumors) That oughtta keep people entertained for at least a few teraflops.
In the long run it won't even faze them, and always remember that even if Linux/Unix/Novell(-laugh) ever wins out; they will then be the top dog and will subsequently be the center of scrutiny. Bias is based on prejudice, which is generally malfounded.
Remember....conspiracy theory....stay up all night tonight thinking about it....then show up late for work tomorrow...and get fired so you can work more open source code.
(btw the teeshirt and sunblock example was really shoddy)
YEAH! ummm. actually, and this may sound silly to some, but don't we gain knowledge through the sharing of ideas? criminals would do like microsoft and repackage code under a different name and sell it for profit.
No, bah, way off...
The reason there are more worms on win2k/XP than the 9x series is because the 9x series doesn't DO anything. Win98 doesn't have "UPNP" or "Remote registry", or "windows messaging" or any other fancy services to speak of. Usually it's all that crap (which is on by default!) that becomes the portal for worms. 2k/XP are a more powerful OS than 9x, which makes them inherently more dangerous. And now that more and more people are moving that way, of *course* chaos was going to break out, just as countless people predicted 4 years ago.
How about some rationality (and consistency) here guys. If simply being in the same room as a copy of the windows source code is sufficient to contaminate everything you write from that point on, then SCO is gonna win its court case for sure. After all the IBM AIX code it contributed to linux was written by people who had seen the SYS V source code. Yes?
Well, that's why it's called "Windows", a window is easy to break.
This is not the first, nor the last time this will happen.
How many times will it take to make people aware of the fact that such immense reliability on closed-source DRM-esque code will cause problems? Such closed-source *cannot* be closed forever. The information will be spread, and security through secrecy cannot win.
In addition, the mob-law illustrated here by the internet is an interesting phenomenon (by no means unique to this incident - except maybe in the irony). Literally thousands of people already have a copy of multi-million dollar source for free. It is an interesting epitomization of how such digital knowledge cannot be legally protected. What will MS do, sue any IP that shows up in BitTorrent or eDonkey? If the internet wants it, some individual might pay a few months behind bars, but the internet will have it...
free-enterprise, and free-information...
No. If the Wine folks look at the actual Windows source code, they aren't reverse engineering any more, they're copying, which is illegal.
IANAL. You are wrong. Non-clean-room reverse engineering is not only legal but is done at many, many companies. There is *absolutely no constraint* to use a clean room in reverse engineering.
The first clean room reverse engineering that I'm aware of is Phoenix of IBM's BIOS. They had *no* legal requirement to clean-room reverse engineer the BIOS. If they wanted to, they could hire IBM BIOS engineers for the job. However, by doing a clean room implementation, they ensured that they had a counterargument to *any* potential IBM claims of infringement. Had they not used a cleanroom tactic, they might have had to actually have folks look at the code and at what people were doing with the code if charged with infringement. While this can be useful -- it's an immediate shutdown to any argument IBM might raise about infringement in court, and the judge doesn't even need to see the code -- it is definitely not necessary. I can look at GPL code and use the same approach said code does as long as I am not copying code verbatim (note that changing variables or something is not sufficient -- the work must be done by you, not be a mangled version of the original).
That being said, WINE has long had a policy of *not* accepting access to Windows source code. They've had people with access to it volunteer to give them stuff in the past, and they want to do a pseudo-cleanroom approach, since it makes matters simple from a legal standpoint. WINE will probably continue to ignore the source (and the WINE maintainers now have to worry about people submitting WINE patches containing Windows source...they may require indemnification or God knows what).
From a security standpoint, this is an utter disaster to Microsoft. They haven't had the benefit of many eyes all these years, and now they have a fucking lot of malicious eyes, and ten years of holes to remove in a week or so before the nastier exploits come out. None of those eyes have any incentive to submit patches to Microsoft. There will be attacks on relatively hardened systems, too.
This is going to suck for friends and family that I have using Windows.
May we never see th
The virus was cleaned from the comp (ie zeroed the eml files), but the backdoor (file sharing) remained. Most AV software doesn't remove backdoors after cleaning a virus.
I.O.U One Sig.
OK, so the way the source leaked was because of a wu-ftpd exploit. How long until Microsoft decides to use it as a base for FUD? After all, it is Open Source Software...
What in God's name is wrong with you people?
Do you even think about how many coders work for Microsoft? How many work for companies that depend on Microsoft technology? Do you think about the fact that people are busting their asses writing code, trying to make a living? Who cares about whether MS is full of crap or not? All companies have marketing. That's how business works.
You don't go and steal everything from a store just because the electricity goes out! It has repercussions! I have friends that work for Microsoft, and believe it or not, they are incredibly intelligent, honest, and good people. Each time you post a torrent link, you're helping to screw them.
You disgust me. This is NO DIFFERENT than a bunch of morons looting stores after a big game, just because they can... Can you possibly think that promoting these links on slashdot doesn't have a harmful effect? But you don't care about that. You just want to get your little jollies off thinking how neato it is that you can do something and a big corporation can't stop you.
Congratulations.
If the source code got leaked, Win2k will get exploited by...
Apparently the leak has been confirmed but it's some of the source code, not all of it. Only time will tell whether it's an important bit of source code.
I mean, with linux there's a temptation but nobody runs it.
You cannot think of Linux in the same way that you are thinking of Windows.
Two people who use a Linux system could be running entirely different systems with few or no common applications across the systems - this is why it is unlikely that something like a worm virus would propagate through the Linux community in the same way it would through the Windows community.
Linux is by no means immune from attack, but if one comes, it will be a particular application (e.g. Apache) that will get attacked and whether a specific Apache system is affected will depend on the version, what modules are loaded to allow things like CGI scripts, etc.
When you say nobody runs it, I agree it's a minority on the desktop but the applications that run on Linux (and the likes of BSD, Solaris, etc.) like sendmail, BIND, Apache, etc. are very widespread and a lot more so than IIS or Exchange in many cases.
MS leaked it intentionally so they can get everyone to patch with their DRM system.
Microsoft are an arrogant company and have no doubts about getting DRM through the door with the way they do things currently - DRM's success or failure is now simply based on the level of its acceptance in the user base, nothing more.
If anything, a source code leakage would allow everyone access to how MS's DRM technology works.
Whatever the extent of the leak, MS will downplay it because to not do so will affect the share prices. There is no conspiracy theory here...
I mean, I like linux and all but this isn't the way to win at all.
There is no battle here. Linux exists despite Microsoft and offers an alternative way of doing things to Windows.
Microsoft may attack Open Source on a regular basis but the Open Source community does not care - it is just creating good quality, free software and defending its right to do so. This will happen no differently with or without competition from Microsoft.
I thought we were going to slowly beat them back into submission and competition, not completely screw them and quite a few million over.
You're now implying that a member of the Linux / Open Source community stole the source code and I resent that.
No Open Source programmer cares about seeing MS proprietary code. To do so would run the strong risk of inadvertently incorporating MS code into an application and nothing would please MS more as it would allow them to send the copyright lawyers in.
The only thing the Open Source community will care about is if MS's code contains GPL code but I doubt even MS would be stupid enough to do something like that.
Well, time to begin caching DNS entries to websites I use the most, and it may be high time to backup some of this data and close all the nat ports on my router just to be extra safe.
Perhaps you'd also like to stock up your kitchen cupboard with canned food and make yourself up a tin foil helmet also...
If you haven't secured your router then I'm surprised you haven't been attacked already. Also, the core DNS system mainly runs on BIND & Solaris (so I'm led to believe) so it's unlikely that this would be affected.
In all honesty, you are being far too sensationalist at this stage and my advice is simply to wait and see what happens. I doubt it will be very much...
Gentoo Linux - another day, another USE flag.
Stop and think about it. Regardless of whether or not the leak was intentional or not, it hurts us. If the code leak was deliberate, it was a brilliant move, strategically. It will hurt the open source community far, far more than it will hurt Microsoft. In fact, this is probably the biggest punch Microsoft has landed on the face of Linux. If it was unintentional, the net result is the same. Here's why.
Think of the leaking of the Win2K/NT source tree as a virus.
It's a virus designed to undermine the credibility of open-source community. It operates by exploiting two well-known vulnerabilities in open-source coders---Their curiosity, and their propensity for sharing. The dispersal of portions of the Win2K/NT source tree effectively taints the entire open source community's efforts to develop cleanly. Think about it. By leaking the code, every new OSS project that has anything even remotely to do with Windows interoperability can now be accused of having its hand in (at best) an unethical cookie jar. The folks who maintain Windows-interoperable projects now have to second-guess every new submission they receive. Even worse, the availability of portions of the Win2K/NT source tree means the functional validity of all open source projects can now be called into question. Before, it was certain that any "feature" present in open-source software was the result of hard work, close observation, and the occasional dose of clever back-engineering. Now that we can see over the fence, we can be accused of everything from violating Microsoft's intellectual property rights to wholesale misappropriation of entire blocks of Windows code. Sort of makes SCO's accusations seem a little more well-grounded, doesn't it?
The sad thing is, the virus is having an easy time making the rounds, since there's nothing we can do to stop it. We can't become "less curious". We can't become "less industrious". The only way to avoid being under the cloud of suspicion is to stop developing altogether. Just watch what happens. My guess is, by the end of this year, the trade rags are going to begin to equate open-source software with "questionable parentage".
This game is gonna get interesting in a hurry.
Bowie J. Poag
a lot longer: Freenet
I wonder how many people will start using freenet just to get the sources and not get tagged as "one that downloaded the sources".
For once the BBC carried a tech story on the main news which was reported as follows:
Source code for Windows NT and 2000 was leaked onto the internet. Microsoft fear that the source code being open to view could make it easy for hackers to attack these systems
So there you have it. Source code readable by plebs = security risk, a statement that will reflect on FOSS in the minds of joe public if you tell them that the Open Source means readable source code.
Hmmmmmm....
Hmmmmmm..... Deep fried and look like Squirrel.
You know, every evil empire is built by honest, intelligent and good people, the same with Microsoft.
Estimated 300,000,000 computers run with Windows NT/2K/XP and the source code is under seal, known security holes take 6 months to be fixed, where are the responsible and intelligent people at MS taking 6 months to fix it? Are they all taking vacation?
See, your friends may be true friends of yours, granted - but this is a corporation which doesn't behave as friendly, honest and ethical as your friends who work there. Enron employees are surely more honest than the managers who screw Enron.
So, just because you have sympathy for your friends working for MS doesn't make MS be like your friends. See the bigger picture of this leak!
http://heim.ifi.uio.no/~mortehu/files.txt seems to show signs of a Nimda (or similar) virus infection. Look at the number of 0-byte sized email messages distributed in inappropriate places throughout the tree. If whatever machine this source was ripped from did indeed have a virus then no wonder it was leaked.
doesn't appear that there is any NTFS code in what was leaked. why would microsoft share NTFS code with a developer? really doesn't have much to do with the API
So many people are talking about open source stuff that no one has looked at the obvious. Microsoft did this on purpose. Let the code conveniently get out onto the net and then let more and more security holes be found. Nice sales tactic to get everyone to move to Windows XP or Server 2003. Microsoft - "you know, if most of guys out there refuse to upgrade then we will give you real reason to upgrade, this is our new licensing plan." Reminds me of mechanics damaging cars themselves just to do repairs.
Unless of course it is the left-over garbage from Wordpad, which is of tolerable quality
Hey, edit.com was quite nice too. Split windows, automatic indenting, and other stuff all in a console text editor.
I know what Wine is. You apparently failed to see the pun that was intended here.
Calling atheism and agnosticism a religion is like calling bald a hair color.