Slashdot Mirror
Windows 2000 & Windows NT 4 Source Code Leaks
PeterHammer writes "Neowin.net is reporting that Windows 2000 and Windows NT source code has been leaked to the internet. More on this as we hear it."
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
A quick peek around indeed shows something named Windows.Source.Code.w2k.nt4.wxp.tar circulating, but this had to happen sooner or later, considering the number of institutions with access to the source. Wonder how long it'll take before a torrent of new worms using newly discovered security holes tear up the net.
I for one would love to peek around in this, more out of curiosity than any desire to actually do something useful with it.
The next great MMORPG.
Do NOT read that code if you ever wish to program for an open source OS, ever. Doing so will make you tainted- you open the project up to allegations of copyright infringement. Unless you never want to contribute a single line to Linux, *BSD, etc, checking out that code is a bad idea. Its almost a surprise MS didn't "leak" Win 95 or 3.1 years ago to catch open source developers like this.
I still have more fans than freaks. WTF is wrong with you people?
This is not good. Windows is designed primarily with 'security by obscurity' in mind. The security holes indeed show up every often and we have worms making it to the gazillion windows boxes before the patch does. Get ready for a deluge of worms/virri. Another bad week/month for sysadmins.
Free XBox, PS2
I haven't been able to even get to Neowin, it's been slashdotted since before this story even made it to "The Mysterious Future" here on /., but think about what this means if this is actually true. The potential vulnerabilities. All the trade secrets Microsoft put in there. Hell, IE 5 was released with Windows 2000, so if this is full source, it means IE 5 and the trident engine are in there as well.
If this is true, today may be the day that everything changes.
Sure it's illegal, but so have many things Microsoft has done.
I'm not sure that kind of justification really works. It also doesn't help the open source community, IMHO. I can't agree with the "let's sink to their level" philosophy.
Ok so here's MS's plan.
... Ya, I'm sure you know what goes here.
Step 1) Leak their source
Step 2) Sue Onen Source developers down the road because obviously they have studied the MS leaked source.
Step 3)
Ok but seriously, I'm not touching it. The last thing I need is Microsoft saying that I somehow owe something to them.
Jerks.
--
Mike
-- Mike wildcard@illuminatus.org
Where law ends, tyranny begins -- William Pitt
In the last article on the /. home page, we have W. Russell Jones talking about all the insecurity of having source available in open source projects.
I'm afraid we've reach a massive failure here in security by obscurity, but time will tell. If this is true and if there are lots of security holes discovered, I find it hard to believe even a company of Microsoft's size can respond quickly enough to keep the outbreaks down. This threat is why open source is better than what W. Russell Jones made it out to be. The threat of security failing because of leaking source just isn't there with open source.
-N
I've nothing to say here...
At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them.
How big are these files? I would expect the size of these tarballs to be comparable to Linux Kernel + GNOME + Mozilla + misc userland/bundled equivilents. If they are unexpectedly small (like less than a gig for W2K), then they are probably a hoax.
Vote in November. You won't regret it.
Exactly
In fact if you are involved with an Open Source project (especially Kernel and Window Manager projects) I suggest you do everything possible to avoid seeing this code.
Accusations of Taint are undoubtedly going to spring up from this, and you would be better to be well clear.
I will confess to a certain curiosity as to what the results of a comparator test would be though.
An infinite number of monkeys will eventually come up with the complete works of
What the NT kernel does is well understood. The object code is widely available, and key parts, like file system formats, have been reverse engineered. There's plenty of documentation. A few major development shops have access to the source anyway. If you're into kernel architecture, it might be interesting, but otherwise, so what?
> It *amazes* me that it hasn't been routine.
Because most people are paranoid enough to assume M$ watermarks each distributed copy to allow them to trace it back to the point of release. But now they are giving copies to governments like China and folks there just don't really give a damn about western notions of copyrights.
Democrat delenda est
The Windows code hasn't had nearly as much peer review as open source OS's so I won't be suprised if this leads to a ton of exploits. The big problem here is that this source will be available to any black-hat that wants it--they obviously aren't going to be concerned about the legalities of obtaining leaked source code. But the businesses that use Windows aren't going to be able to audit the code for security leaks unless they obtain it illegally (or sign some agreements with Microsoft and shell out bundles of cash.)
*** CONSPIRACY THEORY BEGIN ***
I remember someone on here, a while back during one of the SCO stories, wondered what would happen if Microsoft released the source code, but under such a devious license that contamination would be fatal to an open-source project.
Maybe someone at Microsoft thought that was a neat idea.
*** CONSPIRACY THEORY END ***
As far as looking at the code: the only real reason to examine it is to find new exploits. No developer is going to slave over that source in order to find bugs and repair them, since there is no legal way to do it.
...
It's in c (at least the core pieces). the older modules may contain assembler.
Mod +5 Drunk
I hope you weren't planning on ever contributing to any Open Source projects after doing that. If it's later demonstrated that you had access to the W2K source and contributed vaguely similar code (even by accident) to a project, it could have severe repercussions for that project.
... the textbook author would own all of your code.
... trivial code will generally be similiar regardless) the more difficult that is.
IANAL but I do read Groklaw, and from what I understand copyright restricts the act of copying (duplicating). You can study someone's implimentation of something as much as you like, then go impliment something similiar yourself. As long as you do not copy the code verbatim you are not in violation of copyright law.
Otherwise, no student would be able to code having once looked at examples in a text book
The problem is, of course, proving one implimented the code oneself and did not in fact crib the whole thing from someone elses code, and the greater the similiarity (for code of sufficient complexity
In any event, it is a myth that, simply by looking at, or even studying, one set of code one is somehow "tainted" and unable to contribute to another, competing project, be it free or proprietary. To violate copyright law one must copy, not just receive inspiration from.
The Future of Human Evolution: Autonomy
My question is, has anybody managed to get this steaming pile of manure to compile? Seems like one would need to do that and then compare the binaries (ignoring any timestamping) before assuming this is authentic.
"Freedom means freedom for everybody" -- Dick Cheney
No, but how long will it be until Microsoft pulls an SCO and accuses open source of integrating MS code? If it is indeed true, and the code is floating around out there, and within a few weeks a miracle version of Wine is released which suddenly has 100% compatibility, what would MS's reaction be?
www.litestep.net, or litestep.com. Works pretty good too.
i don't like my old sig.
Could this be a ploy to spur Win2k+3 updates? Blame the hackers for making win2k insecure. Oops you gotta upgrade now, sorry,
Religion is a gateway psychosis. -- Dave Foley
If you work on any Open Source project, DO NOT LOOK!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Yup. And films should not be copyrighted because the film studios did not invent silver nitrate.
And CDs should not be copyrighted because they did not invent the photon used to read it.
If you take this to its logical extreme, any file is simply an extremely large digital number (millions of bits). How do you copyright a number? So it is then not possible to copyright ANY digital work.
"-1 Troll" is the apparently the same as "-1 I disagree with you."
I agree. Remember, at the trial MS argued that opening or showing parts of Windows source code would be a threat to national security. Not long after that, they gave their source code to Russia, China, and many multi-national corporations and other organizations as part of their Shared Source initiative. Now, don't know where the source was leaked from, but 1 + 1 = ?
If in fact, this story is true, MS is riding against the wind here. It is feeling pressure from the Open Source while its security, software, and business models are based on keeping the source secret. If so, how long can they keep up?
win2k+3? wow that's much easier that typing win2003...I don't care mod me down, abreviations and acronyms have gotten out of control!
Pretty widgets? What pretty widgets?
there might be patent issues, but i think they list those one the software or license somewhere. my understanding of trade secrets is that it is their reponsibility to maintain a the secret. and if this is *really* source code for nt4/win2k, it's not a secret anymore.
eric
Oh, come on, get real! You miss one very important point in your comment...
The source code to SAMBA is Open Source!
This means that MS have probably got a few copies of Samba themselves already and were there any licensed MS code in it, you can rest assured the Microsoft would have sent their lawyers over long before now.
Just accept that the Samba guys are a pretty neat bunch of programmers that have genuinely backwards engineered Samba from the word go - it's the likeliest and most realistic conclusion to draw.
Gentoo Linux - another day, another USE flag.
Speaking of "a world of hurt," wouldn't the general reaction to a leak of this kind cause a precipitous fall(big or small) in Microsoft's stock? If was an investor, I would totally short the stock right now, since there will probably be some crazy reaction at just the hint of a leak...probably because people will think it's a bigger deal than it will end up being.
It looks as though at the end of the trading day, MSFT did lose some value. If not short it, then maybe sell it, if only to pick up some deals later...
But, it only takes one person to look at the Windows source, then go do something vaguely similar in Linux (or any OSS project for that matter). The result would be devastating: Microsoft would litigate Linux to death.
As many have said, the principle behind these copyright suits is awful. Looking at code, then doing something somewhat similar (because of inspiration) should not be a copyright violation. But with Microsoft's legal and financial resources, the laws will "adapt" to what is most beneficial to them.
I can only echo what many other have said: for the sake of Linux and OSS in general, do not look at the Windows source!. That's a very conservative and overly-paranoid policy, but it's a invaluable measure for protection.
To me, general acceptance of open-source software is similar to political elections: every last spec of dirt is drug out and put under the spotlight. Any potential or suspect or even misunderstood characteristic is scrutinized, and the naysayers always manage to put a negative spin on it.
Open source only stands a chance if it can maintain the straight and narrow path... I hate to sound preachy, but any slight mishap, no matter how innocent or accidental, quickly turns into a major catastrophic disaster. There's just too much money and power interested in seeing OSS fail.
What part of "being proved guilty beyond reasonable doubt" didn't you understand? It's the accuser's task to prove the accused party guilty, not the other way round.
No, it's the same codebase. Big parts of it are rewritten for every release and new parts are written from scratch to support new features, but a lot of it is the same. How else do you explain that most of the security bugs affect every Windows NT version from 4.0 to Server 2003? They were rewritten from scratch with the same mistakes?
Adding Microsoft to the SCO mix would make no difference whatsoever.
IBM's legal team make Microsoft's look like first year law students. IBM's lawyers held the DoJ at bay for DECADES. Not even Microsoft are prepared to mess with IBM. The moment IBM called SCO's bluff SCO knew they were dead.
And if Microsoft could buy them with a month's revenue imagine what IBM could do. They are a little bit bigger than Microsoft you know...
I just think it's funny that IBM were everybody's worst enemy in the 70's and 80's, and now they are usually the ones doing the right thing by the industry.
I'd say that's misleading at best. The reason there have been more worms/virii/etc. that attack 2000/XP than 9x is purely numbers. There's so many more computers running than 2000/XP than 9x, why bother writing any kind of worm that targets 9x?
Coincidently, this is also one of the key reasons that there are more worms/virii released that target Windows than Mac or Linux - why target Mac or Linux when you can target Windows, with many, many times more users?
Why this is perceived as such a security threat to Microsoft, when it's not for Linux?
Not likely - the WINE folks could just show some code from before the leak with the "similar routines" included. That said, they'd have to find a way to *prove* that it came from before.
--- Bwah?
I guarantee, that if it was one of these countries who gave it away. They will be caught. Why? Because Microsoft probably made small but unique cosmetic changes to each of the codebases they released. Essentially, putting a unique fingerprint on it in each instance they have shared out the code.
This is extremely good advice. I would go even further and say that if you would ever like to work on an open source project, don't look. The presence on a project of a person who had seen the Windows source could put the entire project at risk.
For a very practical example, consider Samba. If a person who had seen the Windows source were to contribute to Samba and it were later to come to light that the contributor had seen the Windows source, in the name of safety every piece of code that person contributed would have to be ripped out and replaced. Worse, to guarantee that there was no trace of taint, it would probably have to be replaced by people who had not only never been exposed to the Windows source, but who had also not seen the contributor's tainted code. In short, it would require the recruitment of people who had never worked on the project before, or even read the source. Finding those people would not be easy, to say nothing of the time and credibility that would be lost.
For that matter, even if you have legally seen the Windows source because Microsoft has provided it to your employer under their shared source program, the same taint would follow you. If your employer has access to Windows source and your job does not require you to see that source, do yourself a favor: don't look.
If you look at the Windows source, you at the least taint yourself WRT working on any project aimed at interoperability with Windows, and quite possibly on a much wider variety of projects than that.
In short, JUST SAY NO.
When I go out in the sun, I wear sunscreen and although I'm fairly pale, I probably won't get burned too badly. If someone goes outside with a T-shirt and shorts for the first time in their life (say a 25-year old), they'll probably get burned fairly badly (unless they wear a lot of sunscreen or aren't out for long).
Linux and other open source OS have had people looking at them for a long time. The people looking at the source of Linux are less likely to be a monoculture than the people at MS who are hired to look over software. In addition (uninformed speculation) more of the Linux people may have been black hats once - the less ordered (as in cubicle order rather than procedure order) system may be more amenable to some who fit a less monolithic background. Linux is thus likely to have been looked at by people who might once have looked to hack it and by people with a wider variety of skill sets. MS knows a lot about software, but their diversity in software knowledge and opinion is likely smaller than that of either their user set or of that of white hat hackers.
The other factor is that having the MS source without a licence is illegal - thus the people who are most likely to take advantage of the availability of the source are people without much respect for the license in the first place - black hats. Linux source can be viewed legally, and so is just as likely to be looked over by white hats as black hats (probably more likely, because of the population ratio of BH and WH).
In one of the Clancy books (I think "Debt of Honor"), he talked about secrecy being good for hiding information that someone doesn't want you to know - but that when it broke, the news would be much worse for that someone, and harder to control. That seems applicable here - only the news is directed almost exclusively to those who would do them harm.
My guess, this is some of the source released to academic institutions for study. Lots of universities have access to a small portion of the windows source code, for use in various computer labs, and to create interoperable code. It comes on a single CD, and is not difficult to obtain.
.eml files be links to the original file? .eml files, like tcp-ip tutorial.eml. Would there really need to be a tutorial like this spread everywhere?
/. doing the trolling, this will probably hit the major news outlets tomorrow. No doubt, they will only quote the most pandering media whores around, to sensationalise the story. Any bets several major stories will point to /. as a culprit, or as a den of criminal hackers?
/.
I've studied one small section of M$'s source code, a single network module appearing in both NT4 and NT5.0, under NDA of course. I don't see it here. There are a lot of things I don't see here, and I'm still going through the tree. There are some things here that are clearly part of windoze, such as the source to regedit.
Some other things that make me suspicious this isn't all the source code:
1) lots of 0 length files, could all those
2) the win2k source just happens to total 658MBytes, about the size of a CD
3) there are a number of 0 length files of people's names with the letters CV next to them. cv - vered mazafi.eml, ronen-cv.eml
4) all through the file listing are repeats of
I think this is just a student prank, being trolled out of proportion. It's not just
the AC
I can't believe I'm admitting to extensive knowlege of windoze on
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
It is wise to keep a low profile from a company that offers bounties to hunt people down.
Yankee Group senior analyst (sic) Laura Didio has these alarming thoughts on internetnews.com about who might now be able to get their hands on the Windows source:
So Microsoft is the defender of truth and justice in the free world, and OSS hackers are like suicide car bombers?
She then went on to warn of the dangers of hackers using the several hundred megabytes worth of leaked source code to compile their own pirated copies of Windows 2000. What a dumbass.
And what exactly is a "tinker", anyway?
by a 500LB gorilla.
It has nothing to do with morals. It's self preservation.
Most companies don't have the resources to kick the crap out of warez distributors. MS isn't one of those companies.
Ben
Work Safe Porn
Whereas SCO were stupid to mess with IBM, for Microsoft to mess with China would be utter lunacy, especially given China has the source code. Regardless of what political ticking-off MS can ask for China to receive, China has the source. It has a regime where it can require (literally) millions of people to work their way through the code, write as many utterly hideous virii as they can and release them all. Make no mistake, while China might get a slap on the wrist it's nothing worse than they continually get for their human rights record: on the other hand, they seriously have the resources to destroy MS if they're pissed off enough. I think MS made a stupid deal when they gave the source code to an insecure OS to a government like China's.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
MS's game department isn't what brings in all the money. It's their Windows and Office products that make the money.
They can grin a bear it when some games are pirated. Why do you think they (try to) crush companies that make mod chips for the XBox? Some things are more important.
And this is the source code to Windows. This is NOT just another product.
Anyone who dares to host it will be sat on until they are dead. Hell hath no fury.
Claiming this is just another product shows your definit lack of ability to comprehend the scope of this leak and the importance of it to MS's bottom line.
The legal costs required to shut down warez sites over a game generally are more than the amount of the losses. The legal costs required to crush the fools who dare to host the Windows source comes nowhere near the potential losses due to the leak.
Ben
Work Safe Porn
Yeah, there are a few trivial and ancient/obsolete BSD command-line tools in Windows (finger, ftp, nslookup, rcp, rsh). They were ported from BSD, and you can see that they contain the appropriate copyright attribution. Note that none of the kernel-mode files (e.g. the TCP/IP drivers) contain any such strings.
MS is naturally not opposed to using freely-available BSD code to achieve better interoperability with BSD/UNIX. MS Windows Services for UNIX, for example, includes a lot of modern BSD tools ported from OpenBSD. That's reasonable, of course, since it's supposed to provide a set of command-line tools familiar to UNIX systems administrators, and OpenBSD tools are known to be relatively good in terms of security.
Importantly, MS's porting of OpenBSD userland tools to Services for UNIX is also good for OpenBSD, because it helps to establish those tools as something of a standard. If hordes of MS users become used to the OpenBSD userland tools, they'll be much likelier to start using OpenBSD if they want a UNIX-like OS than to start using, say, Linux.
The common claim about the MS TCP/IP stack from open source zealots is that MS 'stole' the Windows TCP/IP stack from BSD because it couldn't write one of its own, which is of course complete nonsense. The handful of BSD tools in Windows are/were there to make it easier for UNIX users to access their systems from Windows. They're in no way critical to Windows as an operating system (in the way that, for example, a TCP/IP stack is).
No, bah, way off...
The reason there are more worms on win2k/XP than the 9x series is because the 9x series doesn't DO anything. Win98 doesn't have "UPNP" or "Remote registry", or "windows messaging" or any other fancy services to speak of. Usually its all that crap (which is on by default!) that becomes the portal for worms. 2k/XP are a more powerful OS than 9x, which makes them inherently more dangerous. And now that more and more people are moving that way, of *course* chaos was going to break out, just as countless people predicted 4 years ago.
If the source code got leaked, Win2k will get exploited by...
Apparently the leak has been confirmed but it's some of the source code, not all of it. Only time will tell whether it's an important bit of source code.
I mean, with linux there's a temptation but nobody runs it.
You cannot think of Linux in the same way that you are thinking of Windows.
Two people who use a Linux system could be running entirely different systems with few or no common applications across the systems - this is why it is unlikely that something like a worm virus would propagate through the Linux community in the same way it would through the Windows community.
Linux is by no means immune from attack, but if one comes, it will be a particular application (e.g. Apache) that will get attacked and whether a specific Apache system is affected will depend on the version, what modules are loaded to allow things like CGI scripts, etc.
When you say nobody runs it, I agree it's a minority on the desktop but the applications that run on Linux (and the likes of BSD, Solaris, etc.) like sendmail, BIND, Apache, etc. are very widespread and a lot more so than IIS or Exchange in many cases.
MS leaked it intentionally so they can get everyone to patch with their DRM system.
Microsoft are an arrogant company and have no doubts about getting DRM through the door with the way they do things currently - DRM's success or failure is now simply based on the level of it's acceptance in the user base, nothing more.
If anything, a source code leakage would allow everyone access to how MS's DRM technology works.
Whatever the extent of the leak, MS will downplay it because to not do so will affect the share prices. There is no conspiracy theory here...
I mean, I like linux and all but this isn't the way to win at all.
There is no battle here. Linux exists despite Microsoft and offers an alternative way of doing things to Windows.
Microsoft may attack Open Source on a regular basis but the Open Source community does not care - it is just creating good quality, free software and defending it's right to do so. This will happen no differently with or without competition from Microsoft.
I thought we were going to slowly beat them back into submission and competition, not completly screw them and quite a few million over.
You're now implying that a member of the Linux / Open Source community stole the source code and I resent that.
No Open Source programmer cares about seeing MS proprietary code. To do so would run the strong risk of inadvertently incorporating MS code into an application and nothing would please MS more as it would allow them to send the copyright lawyers in.
The only thing the Open Source community will care about is if MS's code contains GPL code but I doubt even MS would be stupid enough to do something like that.
Well, time to begin caching DNS entries to websites I use the most, and it may be high time to backup some of this data and close all the nat ports on my router just to be extra safe.
Perhaps you'd also like to stock up your kitchen cupboard with canned food and make yourself up a tin foil helmet also...
If you haven't secured your router then I'm surprised you haven't been attacked already. Also, the core DNS system mainly runs on BIND & Solaris (so I'm led to believe) so it's unlikely that this would be affected.
In all honesty, you are being far too sensationalist at this stage and my advice is simply to wait and see what happens. I doubt it will be very much...
Gentoo Linux - another day, another USE flag.
So many people are talking about open source stuff that no one has looked at the obvious. Microsoft did this on purpose. Let the code conveniently get out onto the net and then let more and more security holes be found. Nice sales tactic to get everyone to move to Windows XP or Server 2003. Microsoft - "you know, if most of guys out there refuse to upgrade then we will give you real reason to upgrade, this is our new licensing plan." Reminds me of mechanics damaging cars themselves just to do repairs.