Microsoft Source Follow-Up

shystershep writes "It's official. Microsoft admits that 'portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet.' No more details, although it seems clear that it is only a portion of the code. Microsoft is, naturally, downplaying its impact, while everyone else is busy speculating about how serious this could get." A lot of you apparently haven't read yesterday's story. An investigation of the code is already underway.

Source of the leak

[cyt0plas]

There are a number of empty .eml files in the archive. While their FTP server looks like (didn't check) it is running a vulnerable version of wu-ftpd , it seems more likely Nimda got to them first.

I wonder what the final MS press release will name as the cause. "Evil Linux Hackers", perhaps?

BBC Q&A

[MoonFog]

BBC also has a Q&A on the recent event, including thoughts on how this may impact Microsoft themselves.

Microsoft has said that this represents about 15% of the total source code for the operating system. It is not enough to recreate the operating system.

Re:So the question is

[MoonFog]

Actually, it's supposedly only 15% of the source code. See here.

Re:source out on the open

[dtfinch]

Groklaw has warned that anyone who gains access to the Windows source, whether or not they actually read it, may legally impair their ability to make contributions to open source resembling anything that exists in Windows.

Re:source out on the open

[Krunch]

The link to the Groklaw's article is here.

Source was Mainsoft - and from a Linux machine

[blorg]

"Evil Linux Hackers", perhaps?" Ironically, there is a Linux connection. Betanews is reporting that an analysis of the leaked Microsoft code indicates that it came from Mainsoft, specifically a Linux machine belonging to Mainsoft's Director of Technology.

Mainsoft specialise in cross-platform development, enabling devlopers to develop using MS tools for deployment on *nix. Interestingly, for the conspiracy theorists, their previous mentions on /. date from 2000 and center around rumours that they were porting Office and IE to Linux. More news on the leak from Internetnews.com and The Register.

The code is said to be W2k-SP1.

Re:So the question is

[MoonFog]

From the article:
The Windows 2000 code is a 203MB chunk that expands to about 600MB - enough to fill one CD.

Microsoft has said that this represents about 15% of the total source code for the operating system. It is not enough to recreate the operating system.

What's vague about this ? I agree they don't say WHICH 15%, but it's clearly win2k they are talking about.

Re:Lesson for the kids out there

[prostoalex]

My bad. In my Fire$ANIMAL browser I had two tabs open, quoted the wrong one. The quote actually belongs to Jupiter Media analyst Joe Wilcox:

Folks who have seen the code report quite a few profane remarks by developers. Microsoft typically sanitizes comments for source code used in the Shared Source program. That the code contains these remarks has Microsoft believing the leak did not come through the Shared Source program.

Re:Swearing?

[omega9]

$ grep -Hirn "fuck" /usr/src/linux/*|wc -l

43

$ grep -Hirn " shit " /usr/src/linux/*|wc -l

14

And one occurrance of "piss". There're more, but I''m not spending more then a minute on this.

What about the .eml files?

[enosys]

What about the .eml files? You wouldn't have those in Linux.

Re:So the question is

[confused+one]

It's reportedly Windows 2000 Service Pack 1. That's why it's not complete -- it's the code necessary to create the components of the service pack

The Kiss of Death

[This+is+outrageous!]

Compare this:

"It seems unlikely this is going to create a material, significant security problem," said Rob Enderle, a technology expert and principal analyst with the Enderle Group.

and that:

Speaking of jackasses, how about technology industry "analyst" Rob Enderle? Enderle is both:

• Frequently quoted in major mainstream media
• Nearly always completely wrong (at least regarding Apple)

Re:Is there any GPL Violating Software in it?

[slipgun]

Has any one taken a look to see if the old rumors that Win2K is more stable because it uses open source code is true? If so, would that make Microsoft in violation of the GPL?

If they're using GPL code, yes. They already use open source code, and admit it freely - however, it's licensed under the BSD license, and hence can be distributed in closed source systems.

(Someone correct me if I'm completely wrong, but I think that's right).

More details on the Linux machine analysis...

[blorg]

...are provided by noisehole in this post from yeterday's discussion. He reckons Betanews lifted the analysis from his post.

Re:Winsock API Included.

[Kremit]

I've used the one available here a few times.

Re:Winsock API Included.

[AzrealAO]

Rumor is GNU style Makfiles (which isn't illegal) and parts of gnu autoconf (which I suspect is illegal, if they actually include it in the OS).

Of course there are. This source code leak came from a company who ports Windows software to Unix.

THAT old saw again.

[dmaxwell]

For the kajillionth time, putting GPLed code into a proprietary codebase DOES NOT make the whole thing GPLed. If MS did put GPLed code into one of their products accidentally or otherwise and then distributed it, that is copyright violation. The GPL does not rely on contract law and therefore CANNOT specify the penalty for violating it. Since the GPL is a straight copyright license pure copyright law applies. This means MS' hypothetical penalty would be between them, a court of law and the aggreived FOSS project.

The judge is such a case is unlikely to order MS' codebase GPLed. MS would have to either put out a sanitized patch for the code in question or pay the developers for an alternative license. The exact circumstances of the case would determine what if any punitive damages MS would have to pay in addition to recompensating the developers.

MS would have the OPTION of making the entire contaminated codebase GPLed to satisfy the license but I doubt they would take that option. They could do it for the FUD value but since the aggrieved FOSS project wouldn't accept that as a settlement, MS would just have to do something else. Imagine that! A FOSS project could rule out an MS product being GPLed to PREVENT harm to a project or FOSS in general.

Re:More FUD within FUD?

[Etcetera]

What would the Microsoft source code be doing on a Linux machine? Mainsoft ports applications from Windows to Unix, not Linux. IE and WinAmp are two examples that they've ported.

...If this is the case, Mainsoft was porting Windows applications to Linux as well as Unix.


Umm.. did we not click on our links today? The article linked to has a big, fat link to the MainWin product page which states, in part:

Visual MainWin is an enterprise-class application-porting platform that enables software developers to develop C++ applications on Windows using Visual Studio and deploy them on Unix and Linux. Visual MainWin is a complete cross-platform solution that speeds development and deployment. Developers will also appreciate Visual MainWin's J2EE Integration Package and industry-leading XML support. And it actually recompiles Windows source code with the Unix compilers to create native Unix applications.

I think it's certainly safe to assume that they were compiling on a box.

So much for "Security through Obscurity"

[mgpeter]

I have read a few articles on this, and most misrepresent why this could be very bad from a security issue as compared to Open Source Software.

First, just because you can see the code does not make a product less secure (in theory anyway). With Open Source Software, everyone can see the code and find flaws, but anyone can also submit a patch to fix the flaws.

With this Microsoft source code, anyone can find flaws and security issues, but NO-ONE would dare to send Microsoft a patch in fear of litigation.

Re:Entertainment value of media "experts"

[eddy]

It should be noted that the Didio quote as since been removed from that article, but here it is for those who missed it. Don't ever forget this one, this is straight from Yankee Group and they should not be allowed to get away with it without a public apology IMHO:

"With the open source community, there are a large percentage of tinkers and 'ankle biters' who are trying their hand at hacking. Some are even communicating with each other. So it only takes one or two of these groups sharing information to be able to pull something off. When you have this type of passion, it's hard to fight because these people are like virtual suicide car bombers."

Is this people you'd want to buy services of? I don't consider myself "PC" in the least, but this is so fucking wrong and off the track it's not funny.

Re:Entertainment value of media "experts"

[paco+verde]

Here's some general contact information for Yankee Group off their website:

Media Relations and
General Inquiry
Kim Vranas
Director of Marketing
kvranas@yankeegroup.com
Voice: 617.880.0214
Fax: 617.210.0014

MainSoft statement

[theCat]

This is from their web site:

Statement to the Media Regarding Microsoft Source Code Leak

Mainsoft has been a Microsoft partner since 1994, when we first entered a source code licensing agreement with Microsoft. Mainsoft takes Microsoft's and all our customers' security matters seriously, and we recognize the gravity of the situation.

We will cooperate fully with Microsoft and all authorities in their investigation

We are unable to issue any further statement or answer questions until we have more information.

From Mike Gullard, Chairman of the Board, Mainsoft Corporation

Re:Winsock API Included.

[br0ck]

Mainsoft has released a short statement which sounds like an admission that the code did indeed come from them.

Statement to the Media Regarding Microsoft Source Code Leak
Mainsoft has been a Microsoft partner since 1994, when we first entered a source code licensing agreement with Microsoft. Mainsoft takes Microsoft's and all our customers' security matters seriously, and we recognize the gravity of the situation.

We will cooperate fully with Microsoft and all authorities in their investigation

We are unable to issue any further statement or answer questions until we have more information.

From Mike Gullard, Chairman of the Board, Mainsoft Corporation

Re:alternate universe

[mitherial]

"The Unfinished Sonata" by Orson Scott Card, recently republished in tradepaperback form of his "Maps in a Mirror" short-story collection. Haunting tale.

Re:alternate universe

[CaptainCarrot]

...copywritten...

...copywright...

Gah! I know it's OT, but I can't stand it anymore!

The legal protection for creative works is copyright, as in the right to copy. A work that's protected by copyright is said to be copyrighted

Someone whose job it is to write advertising material and press releases, which writing is commonly called "copy" in those businesses, is a copywriter. Such copy isn't said to be "copywritten", but merely "written". There's no such word as "copywritten".

Someone whose occupation it is to create a thing is called a "wright", as in "wheelwright" or "playwright". (No, not "playwrite". Yes I know that plays are written down, but that's not what we say.) "Wright" here is related to the past tense "wrought", which we almost never hear nowadays except as an adjective, as in "wrought iron". There's no such thing as a "copywright".