Microsoft Source Follow-Up
shystershep writes "It's official. Microsoft admits that 'portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet.' No more details, although it seems clear that it is only a portion of the code. Microsoft is, naturally, downplaying its impact, while everyone else is busy speculating about how serious this could get." A lot of you apparently haven't read yesterday's story. An investigation of the code is already underway.
The Winsock API is included in the leaked source; that's something fantastic, hahaha.
There is a utility "cb" for re-making C code which would have been good to use for Mainsoft if the person there was trying to avoid identification!
Also probably cutting comments out.
Hm. I bet Andrew Morton has better things to do than trawl through WinNT code. Staying away from it does seem safest, though...
The Army reading list
What occurred here looks like corporate espionage and theft, plain and simple. Whoever leaked this should be caught, and sent to Federal pound-you-in-the-ass prison. I know everyone here loves to hate on M$ (hahah funny), but nobody deserves to have their hard-earned work lifted without their permission.
SIG:Slashdot: indymedia for nerds.
The first reports on how buggy the code really is... This will either refute or prove what the OSS community has always thought.
That OS software is viewed by many, and therefore fixed by many.
If there are holes.... it's just going to be some sort of patch fest / orgy. Redhat, MDK, et al, should get positioned just in case.
www.slightlycrewed.com - Because aren't we all?
Is this damaging because 15% of the source to the NT / W2K tree was leaked and we're all suddenly vulnerable or is this no big deal since the code is three years old and it's only 15%? I haven't heard anyone talking about DRM, activation or serial code being in the leak, so I just don't see how this could affect MS other than to help interoperability of other software.
...of the total that accepted wisdom says makes up the full source tree, but what percentage of the full source is for the thousands of drivers etc. that really aren't part of the OS proper.
I wouldn't be so sure that what has leaked is an insignificant portion just because of the number of lines of code.
This may illustrate one of the hallmarks of open source software-- that software open to prying eyes is inherently more secure than closed source. I won't be surprised if digging through the source reveals a number of exploitable security flaws, perhaps many more than have been revealed with the source closed!
To paraphrase Bruce Schneier, if I give you the plans to my safe, and 100 identical safes with the combinations so you can study the locking mechanism in detail, and you still can't crack my safe-- that's security!
Maybe I'm a little jaded, but my guess is that in about a year, when we're closer to the Longhorn release, Microsoft will claim that the heritage Win2000/NT4 core is "too compromised" because of this leak and officially discontinue support prior to its seven year life-cycle. Then, along with Win98, everyone will be compelled to migrate to their new products.
:)
Just a thought...
Anyone around here remember when the Apple QuickDraw code was leaked in 1989?
It started quite a big ruckus, with the media making it out to be the entire OS, and the FBI starting what has been described as more or less a witch-hunt on 'hackers'..
I would not be surprised to see a repeat of that, substituting 'hackers' for 'file-sharers'..
None.
Submitting a patch would suggest you've seen their source code. You may be opening yourself up to legal problems. No, I want the black hats to look at it, after all Microsoft are the ones that claim closed source is more secure.
Trolling is a art,
That's a good point.
1) Leak unimportant proprietary source and bait competing open source developers to download.
2) Initiate legal action against "tainted" developers contributing to open source projects.
3) Continue to PROFIT!!!
I don't know what types of code (security/importance-wise) were involved, but have we considered that *MS* (and co-conspirators) may actually be behind the "leak" to let some code out and see what the world can find for them? Like a trial balloon?
I mentioned that yesterday and was called some sort of IP alarmist. THIS IS SERIOUS - if you now or in the future contribute your own IP to the open-source world, don't look at Microsoft's source code. You won't learn anything useful, and more importantly, you need to be able to truthfully say "I've never seen it, and specifically and intentionally avoided getting a copy of it or looking at it".
The odds of coming up with something vaguely similar to their stuff is high enough that it's not worth being accused of copying their work. The best defense against such an accusation is to have never seen their work.
If I were a tinfoil-hat kind of person, I'd wonder if this isn't some sort of SCO-ish related thing.
If you want to see something "viral", then by all means. Accessing the source code is only going to do you harm. It's not worth the risk, even if it may provide important answers about the mysteries of Windows.
Compare it to this:
http://en.wikipedia.org/wiki/Pandora
The source could do wonderful things. It could allow the use of NTFS on alternate platforms. It could enable major improvements in software like WINE. The benefits could go on and on... BUT IT ISN'T WORTH IT! You will put your own well being, and the well being of the entire programming community (not only open source) at risk if you tamper with this source!
I doubt it very much. FreeBSD code may be found there but no Linux kernel code, MS don't need a better kernel, they need a better overall architecture that is not a gigantic blob of DLLs all linked to each other and difficult to split into standalone meaningful packages. That's their argument, not mine, remember - IE cannot be safely removed from Windows?
You can't handle the truth.
Billy in the land of the underpants gnomes:
Step 1: 'accidentally' release windows source
Step 2: Secretly hire unaffiliated programmer to copy blocks of windows source to OSS projects (comments intact)
Step 3: Sue IBM/RedHat/Novell into the ground
Step 4: Profit!
This comment is fully compliant with RFC 527.
This may be a little paranoid, but is it possible that this whole thing is a honeypot, and now MS can go around pulling SCO type stunts on OSS projects?
Lots of petrified grits
Is it just me or does this smell like a stealth PR stunt to you? Gee... source code gets leaked... this hits a few communities right in the nose. Now MS can say "See, open source is bad because all these new viruses are made because our source was leaked" and "File-sharing is bad because this is how this is moving around the internet". It's just too conveniently making MS look like a victim.
FLR
$5 says that this was an intentional leak on Microsoft's part. It's not the whole source, so there's no real danger to Microsoft, but there is a significant danger to the open source community. Look at what SCO has been doing. How long before Microsoft claims that some of its IP from the "leaked" code is in Linux, and starts suing? Everyone in the OSS community needs to be super careful not to get tainted by looking at this code.
If you work on open source... or anything else for that matter.. DON'T TOUCH THIS WITH A 50-FOOT POLE!
This is an exaggeration. YES, you are legally safer if you don't look at that code. Or any code for that matter.
But this idea that looking at someone else's source code would permanently and irrevocably taint you and make it impossible to work on any open source project is just ridiculous.
BSD was written by people with the full sources to Unix. People with Unix source licenses have contributed to Linux too.
AFAIK, no one out there is planning to use this to build a Windows clone. If they did, then they might be in trouble.
But if someone uses this for documenting previously undocumented APIs, and that documentation is subsequently used to improve windows emulation (for example), that is legal.
(With the exception of the copyright infringement necessary to acquire the leaked source)
Now, trade secrets and patents are a different matter, but you can infringe on those without looking at any MS source as well.
This is good. How many companies have the source to windows? IBM, ComHpaq, Motorola, a handful of others. With HP falling limp on Itanium and Sun being Sun, IBM is kind of in this poised-to-take-over position. We all know 64bit computing is spelled POWER... SCO is already beating up on them, it would be natural for MS to try to hang something like this on them.
I've given this topic considerable thought, and here are the possible conclusions I've reached.
1) MS will use this source leak in the future to claim that various open source projects (Samba, Gnome, KDE, OpenOffice(?), linux) that get new features which MS finds competitive are 'derivative' works, regardless of whether or not the developers actually looked at the source.
2) There will be enough people looking at this source for large portions of the code's functionality essentially entering into 'public domain', with people writing up how the components work. It will be essentially impossible for anyone to do 'virgin' development on 'windows-like' features for anything, as the information on precisely what the Windows version does will only be 2 steps of association from the programmer.
3) MS will pull a 'patent' or 'trade secret' violation claim on Samba/Linux/GNOME/KDE, in addition to pulling the .NET framework out from underneath the Linux community (by claiming patent infringement again). Two shovels of dirt on the grave of linux.
From my interpretation, this all seems quite feasible given the current legal atmosphere. Any lawyers here have a comment on this?
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
That's as stupid as saying that I can't look at GPL'ed source code because it would forever taint my ability to be able to code anything outside the GPL.
-If God wanted people to be better than me, he would have made them that way.
This is not a trivial problem.
Though many of us - myself included - would not mind a peek into the collective mindshare of the Evil One, one cannot look into the abyss and return unchanged.
Sorry. Debated last night with philosophy majors. They won, six shots to five black and tans.
To translate it bluntly: This is still copyrighted code, owned by Microsoft. Duping even their "badly-written routines" into an innocuous place may lead to an SCO-esque attack in the near future, claiming violations in certain filesystem and mounting routines, or possibly something involving Samba, or a myriad of other wincompatibility issues.
It feels like a tactic that may be conceived by some bright bulb in MS Legal to bring conflict to the competition, or at least stifle development past current kernels.
I am starting to get the shakes that I get in a poker game when my all-in bet is called when I have pocket kings. (Last time that happened, the opponent had A-J suited. He flopped aces-up. I swore loudly.)
I am not a lawyer. I play one online, and I'm studying for the patent bar, but I don't pretend to dish out legal advice. Still, if I go all-in, I have the goods.
I used to be someone else. Now I'm someone better.
Real life is underrated.
Do you actually believe that load of crap you just typed?
I bet the 30,000+ people who would get laid off view that as win-win huh?
Isn't it interesting that the source for many projects is wide open ... and we don't have people running around with their heads cut off like the end of the world is coming.
So - which is it? Is closed-source or open-source more secure?
Looks like now we'll have the chance to find out!
- Release portions of an older baseline which have already been fixed/replaced (to minimize the hacker potential), but are algorithmically distinctive enough to be recognized if they were used in another product.
- Wait for a well-meaning open source user to submit one of the pieces as a patch to the Linux kernel
- Scan new kernels for distinctive algorithm.
When found
- Launch expensive lawsuit at RedHat, Lindows, et al. Demand injunctions against distribution, damages, etc.
Or maybe, I've just read too much SCO-IBM coverage here. --John
Notice the leak came from 'a linux computer'..
Nice way to suggest it's that damned linux that is to blame. At least to the common man, the linkage will be subliminal, but it will stick.
It's almost as bad as ' a red ford suv ran over the child ' or ' the gun killed the intruder '..
---- Booth was a patriot ----
"any legal action against opensource projects by microsoft relating to these leaks will still have to demonstrate that:
1. the opensource code was copied from the leaked nt code
2. the nt code wasn't boosted from opensource projects first"
The defendant will have to prove that the code was boosted. Microsoft is under no obligation to try to prove a negative.
A.
...bringing you cynical quips since 1998
IF the 15% they're talking about is some tools like mmc, then it's useless. If the 15% they're talking about is the kernel and the hal, then it's amazingly useful. If it's the Win32 API, then similarly, it's amazingly useful.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Everyone's saying this like it matters if you look at it or not.
Just because there is probably no stolen code in the linux kernel didn't stop SCO. Just the possibility of impropriety was enough to cause an uproar.
MS, as of Feb 10, has an ace in the hole against open source and free software - and they will use it whether or not you look at the source code, and whether or not your future works look anything like this tiny snippet. Just the leak will be enough for them to create more FUD.
The article doesn't say it was *stolen* from a Linux box, it just says that an analysis of the files suggests that it had come from a Linux box. For example, the image could have been a CD that was burned on a Linux box, and then misplaced. And given that Mainsoft's work is "Windows on *nix" I'd be surprised if they didn't have a few Linux boxes around ;-) As things stand, this says absolutely nothing about Linux security.
if the developers of B have never read the source of A, or anything derived from A, it's pretty sure that B will not look like A.
Except, in the realm of software, that just doesn't apply. A "best way" often exists to accomplish some simple task, and 20 good developers would all independently "discover" that way. Even in more complicated code, you'll see a large overlap of broader ideas, all arising independently.
This makes one of my peeves about software patents... Patents include the criteria of non-obviousness. If 20 developers would all come up with the same solution, that seems like a pretty damned obvious technique, IMO.
Take the XOR'ed image patent, for example... Even ignoring the idea of prior art (which IMO existed), using XOR to put one image on top of another such that you can later remove the superimposed image cleanly (ie, a mouse cursor over a background), even a moron would use XOR. Yet, the USPTO still decided to grant that one.
So yes, very similar works do arise, totally independent of each other, in the field of software engineering. Unfortunately, considering our legal system's pro-corporate bias, that will most likely work against us. Rather than believing that Billy G and Linus both came up with printf("Hello World\n");, this source release will quite likely suffice to convince the courts that various open source projects "stole" such trivial statements from Microsoft code.
Or to borrow a joke from the SCO threads, "Wow, look at all of the i++; statements those damned open source commies used, just like in SCO's code!"
They would have reported more accurately if they reported "X claimed that...etc."
We are offered no evidence of what happened beyond assertions. And MS is not so honorable that I will accept their word as truth without more proof. Mainsoft? Well, I don't know them, but they are reportedly a willing partner with MS, and this is not something in their favor. It's not proof that they are a bunch of lying treacherous deceitful scoundrels. Perfectly decent companies have been known to work with MS. You can find their corpses all around.
I think we've pushed this "anyone can grow up to be president" thing too far.
While you are absolutely correct, he with the most money wins in the US court system.
Microsoft will just sue you into oblivion, and when you run out of money, they'll have won.
i can't reiterate how stupid all this fear is ....
check out this alternate universe:
musicians are fucked. apparently, we can't look at other people's copyrighted music without 'tainting' our ability to write original music.
everybody from bach to bon jovi is now in violation of copyright law. musicians have henceforth been instructed never to look at somebody else's music lest they be sued later for copying the notes and rhythms.
harumph. this is ridiculous.
"Old man yells at systemd"
windows developers have had access to gpl'd source for well over a decade... but that hasn't legally impaired their ability to make their products.
The GPL allows you to read the source code, learn from it and incorporate ideas into your own proprietary code. What you may not do is copy GPL code into your project.
GPL code is like a book in a library: you can check it out, read it, learn from it, but you may not copy a chapter, republish it and try to make money off the original author's work without his consent.
I don't think this situation is good for anyone.
You're wrong -- it's good for Microsoft.
No competitor to MS can look at the code and expect to survive a lawsuit (at least if they compete well enough with MS). So, MS isn't going to lose any money like that.
Piracy isn't an issue -- Windows is already pirated enough, and MS probably profits from it in the end anyway.
As far as new vulnerabilities being discovered, well, MS already gets a mostly free ride from 90% of the population (who think they're computer viruses, not Outlook worms), so it doesn't matter that much, and probably won't hurt their bottom line (all they really care about in the end).
In the end, MS gets lots of free publicity as the victim. I don't see a downside for them.
"Save the whales, feed the hungry, free the mallocs" -- author unknown
You could download the windows source code and have it sitting archived on your hard drive without ever looking at it. But if you independently write code that does something like windows does, and there is a copy of the windows source code on your hard drive, what do you think a jury would think?
The only GPL software I'm aware of MS distributing is with Unix Services For Windows (formerly interix) -- gcc and some other command line tools. You can bet big bucks the people that compile gcc don't do any work on VC.
Do you even lift?
These aren't the 'roids you're looking for.
"Microsoft is after all the largest tech company in the world"
I think IBM may have issues with this.
*sigh*
There's one essential difference. *Anyone* can look at the Linux source, white and black hats, so, although it might make it easier for the black hats to find holes, the white hats can also find them and, more importantly, *close* them. With the leaked Windows source, the white hats won't look at it out of fear of legal repercussions, and, even if they were to do so and find a potential hole, they can't do shit about it if MS doesn't feel like dealing with them, whereas if they find a hole in the Linux kernel, they can submit a patch, and, even if their patch isn't accepted, anyone else can then go and write one, one of which will be accepted. I can patch MS's code all I want, but it could never get accepted into the actual OS.
A Minesweeper clone that doesn't suck
And you think the entire community, including IBM and other companies that have bet the farm or at least huge sums of money on OSS are just going to roll over and take it?
If the lawsuits get too frivolous, not even Microsoft will be immune to countersuits, plus such massive lawsuits aren't going to be "free" in reputation terms, either. ("Gee, if all Microsoft can produce is lawsuits, maybe they aren't such a leading company after all?")
Besides, so they prove some small chunk of code is encumbered. (It is virtually inconceivable that huge chunks of code will make it in.) So we rip it out and keep going. Killing any given iteration of Apache may be possible, but taking down the entire thing legally is going to be quite a feat! (And remember that unlike SCO, Microsoft is limited by the fact that they are still selling software; they can't for instance go after the GPL in a really serious way because they'd likely end up invalidating their own licenses; "Unenforceable GPL" is good FUD but would be an atrocious court strategy for them!)
It's not hopeless, not by a long shot. I won't say they couldn't make a real annoyance of themselves and I won't say Total Open Source victory is some sort of inevitability, but it's not hopeless.
No, one reason Linux/*BSD/etc. are more secure is because the source code has always been available, and has been reviewed and hacked by thousands of people for 10 years. The source didn't just show up on the Internet yesterday.
If Linux's source had been developed in secret for the last ten years, you better believe its sudden revelation would lead to the discovery of new vulnerabilities and exploits, and that's exactly what will happen to NT/2000/XP if there are any substantive pieces of the OS in the partial source that has been released.
Microsoft is downplaying the whole situation as an intellectual property issue, but I don't believe it. It will likely result in more vulnerabilities and exploits against Windows. Microsoft execs have been saying for years that revealing Windows source code would make the OS more vulnerable to attacks.
Who could ever imagine source code having the same warnings as porn: it's frowned upon and can ruin you but in the secrecy of your own home many can't help but take a peek.
Btw, I haven't even dled the source let alone see it so I'm safe I guess. Though really, how many suits are decided on who is right rather than who has the better more expensive lawyers. Whether any given person sees it or not, the developers of wine and probably any future version of linux are going to get blamed anyway and dragged into court simply because they won't be able to afford lawyers to defend themselves against the M$ heavyweights. So going ape shit about not looking at the code is important but we have to face the facts that it probably still won't protect us. But for the mere fact alone that if you look at it you won't be able to resist the powers of the darkside to copy some of the better algorithms (if there are any) and hence blind yourself to your own brilliance in coming up with your own possibly (probably) better solutions is enough to stop most of us from looking at the code. You want to study source code to an OS? Then study Linux. You not only won't get in trouble from copying from it (unless it's the parts owned by SCO assuming there are any) and you will most likely be learning from superior code. Really who studies from a stolen second rate textbook when they can easily view a first rate one for free?
There's a growing sense that even if The Future comes,
most of us won't be able to afford it.
-- Lemmy
Windows kernel gets the kernel GPL'd
How can a site so full of OSS supporters have so many people so ignorant of how software licensing works? Yes, if they were found to be infringing the GPL they COULD GPL the whole kernel, but that would be stupid. They would just pay damages for infringement and remove the GPL code from future releases. This "viral licensing" bullshit is so idiotic, I can't understand how it got started. I blame SCO.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
This seems to be a popular opinion, but it is false.
You are buying into the same FUD Microsoft is spewing about the GPL.
Just looking at the code does not "taint" you. There are plenty of ex-Microsoft employees who have looked at Microsoft source code and have then contributed to non-Microsoft projects (not just OSS, but closed-source from competing companies). Really, are you claiming that a coder that has seen Microsoft's code is legally impossible to employ except at Microsoft? What if some poor sap has seen both Microsoft's code and a competitor like Sun's? They can't ever work on software again anywhere?
Conversely Microsoft hires people all the time that have looked at GPL code. They don't seem worried that these people are "tainted" despite the fact that their public announcements would seem to indicate that it is impossible for such people to work there.
The person/company in trouble is the one that made the code available. Apparently this is somebody at Mainsoft, who should be punished hard. This sort of behavior is extremely damaging to IT!
Duh: Mainsoft's job was to write a commercial windows-emulation for Unix. There is good reason for them to want to compile some of this code on Linux.
And this has nothing to do with a crack or security flaw. The code was leaked by somebody who had the ability to read the code anyway. Unless you think Linux's ability to retrieve information from a disk is a security flaw.
If something like that would happen, they could just sell it as a demonstration of the bad things that happen when source code is publicly available, like that of certain other systems...
It would demonstrate that closed source pushers are concerned with secrecy and profits.
If closed source is more secure, as MS and many others maintain, then they shouldn't be as concerned about the black hats looking at the source as they are how the source was leaked. Source code can be open and secure, much like any decent cryptographic system.
Trolling is a art,
If it came to it, I highly doubt that would hold up legally. Besides, much of the stuff in Windows is patented, and there's simply no way to re-implement it (different code or no) without violating a patent.
Why in the hell do you want to copy windows anyway? Open source to me is about making new or simply better software. (Speaking generally to everyone here, not just the parent...) If you absolutely must have win32 compatibility, then buy a Windows license like everyone else. If that's not acceptable, then figure out a solution that doesn't require win32 compatibility. But for god's sake, don't be a common criminal and steal someone else's implementation.
I digress. Chances are pretty good that writing a specification from such crufty code (and a good deal of it is crufty) would be more difficult than legally reverse-engineering a working implementation anyway.
Any code using "i" as a variable immediately goes on the Wall of Shame.
Oh, give it a rest!
For a nice small loop, "i" works perfectly well, and no one has a problem understanding what it does. And just to shock you, for a small nested loop, I often use "j", and occasionally <gasp!> even "k"! Yet, oddly, I've had numerous people compliment my code as both elegant and easily readable.
You can say all you want about readability, portability, and maintainability of code using various "standards". But I have yet to meet anyone who considers Hungarian anything better than "effective but very ugly". When even the most trivial "for()" statement ends up causing a line to wrap past 80 cols, a notational system has big problems.
How can they sue, when they weren't supposed to see the source in the first place, first a company would have to admit to looking at it...Not gonna hold water in court.