Slashdot Mirror


Microsoft Source Follow-Up

shystershep writes "It's official. Microsoft admits that 'portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet.' No more details, although it seems clear that it is only a portion of the code. Microsoft is, naturally, downplaying its impact, while everyone else is busy speculating about how serious this could get." A lot of you apparently haven't read yesterday's story. An investigation of the code is already underway.

36 of 1,090 comments

  1. Winsock API Included. by Anonymous Coward · · Score: 5, Insightful

    The Winsock API is included in the leaked source; that's something fantastic, hahaha.

    1. Re:Winsock API Included. by Copperhead · · Score: 5, Insightful

      So, can someone write a patch to make IE properly support PNGs?

      --
      Your reality is lies and balderdash and I'm delighted to say that I have no grasp of it whatsoever. - Baron Munchausen
    2. Re:Winsock API Included. by netsharc · · Score: 4, Insightful

      Someone probably can, but what are the chances Microsoft will take it? And since the source code isn't complete, you can't just re-compile IE and distribute your own version. :)

      --
      What time is it/will be over there? Check with my iPhone app!
  2. From Rich Bowen's blog... by tcopeland · · Score: 5, Insightful
    ...right here:

    Second, we're going to see lawsuits in the next 2 years where Microsoft identifies code in Linux, added after February 10, 2004, which are either copied from, or influenced by, the Windows source code. And, as absurd as this is, it will be used to have, as Microsoft would say, a chilling effect on innovation.

    Hm. I bet Andrew Morton has better things to do than trawl through WinNT code. Staying away from it does seem safest, though...
    1. Re:From Rich Bowen's blog... by Knuckles · · Score: 3, Insightful

      information is hard to keep secret

      Someone's gotta say it: Information wants to be free.

      As misused as this sentence is (esp. on /.), I think we see its true meaning at work here: Information, due to its inherent properties, tends to spread, and needs active containment to keep it secret. These measures can and will fail at some point in time.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  3. You Should Not Be Cheering by Pave+Low · · Score: 4, Insightful

    What occurred here looks like corporate espionage and theft, plain and simple. Whoever leaked this should be caught, and sent to Federal pound-you-in-the-ass prison. I know everyone here loves to hate on M$ (hahah funny), but nobody deserves to have their hard-earned work lifted without their permission.

    --
    SIG:Slashdot: indymedia for nerds.
    1. Re:You Should Not Be Cheering by pirhana · · Score: 3, Insightful

      Not trolling, but I am asking out of curiosity. What is the problem of this leakage? This should not be helping virus writers or such miscreants much as there is source code available for linux and so many other softwares. If that was the case linux and other open source softwares would have been targeted a lot. And microsoft says their code is definitely on par with linux. Now if you say, it's their intellectual property, anyway it's protected by patents and copyrights. It's not going to appear tomorrow in some competing alternatives just because it was leaked. The only REAL problem is, if the microsoft source code is of very poor quality and contains a lot of bugs, then virus writers or crackers could make use of it and exploit it. But I will not have much sympathy for them in that case.

    2. Re:You Should Not Be Cheering by tchueh · · Score: 4, Insightful

      I have to disagree. Linux and other open source software aren't targeted, not because of the quality of the code, but because fewer people use it. Also, those who do are less likely to unintentionally "aid" the spread of the virus. Thus, the main reason linux isn't targeted more by viruses is because it's not as worth it to write a virus for linux. If linux had 50% of the install base of desktops, you can bet your bottom dollar it'll be seeing a lot more viruses... maybe not 50%, but definitely a whole lot more than it's seeing now.

      This probably won't unleash some sudden barrage of viruses targeting windows 2000, but more than likely it will help virus writers or such miscreants in causing the trouble they look to cause.

  4. Which is it? by onyxruby · · Score: 5, Insightful

    Is this damaging because 15% of the source to the NT / W2K tree was leaked and we're all suddenly vulnerable or is this no big deal since the code is three years old and it's only 15%? I haven't heard anyone talking about DRM, activation or serial code being in the leak, so I just don't see how this could affect MS other than to help interoperability of other software.

  5. Of course it's a small percentage... by SpaceBadger · · Score: 5, Insightful

    ...of the total that accepted wisdom says makes up the full source tree, but what percentage of the full source is for the thousands of drivers etc. that really aren't part of the OS proper?

    I wouldn't be so sure that what has leaked is an insignificant portion just because of the number of lines of code.

  6. Security by obscurity? by RT+Alec · · Score: 4, Insightful

    This may illustrate one of the hallmarks of open source software-- that software open to prying eyes is inherently more secure than closed source. I won't be surprised if digging through the source reveals a number of exploitable security flaws, perhaps many more than have been revealed with the source closed!

    To paraphrase Bruce Schneier, if I give you the plans to my safe, and 100 identical safes with the combinations so you can study the locking mechanism in detail, and you still can't crack my safe-- that's security!

  7. A Prediction ... by starfire-1 · · Score: 5, Insightful

    Maybe I'm a little jaded, but my guess is that in about a year, when we're closer to the Longhorn release, Microsoft will claim that the heritage Win2000/NT4 core is "too compromised" because of this leak and officially discontinue support prior to its seven year life-cycle. Then, along with Win98, everyone will be compelled to migrate to their new products.

    Just a thought... :)

  8. Remember the Apple leak? by k98sven · · Score: 4, Insightful

    Anyone around here remember when the Apple QuickDraw code was leaked in 1989?

    It started quite a big ruckus, with the media making it out to be the entire OS, and the FBI starting what has been described as more or less a witch-hunt on 'hackers'..

    I would not be surprised to see a repeat of that, substituting 'hackers' for 'file-sharers'..

  9. Re:Of course! by grub · · Score: 3, Insightful


    None.

    Submitting a patch would suggest you've seen their source code. You may be opening yourself up to legal problems. No, I want the black hats to look at it, after all Microsoft are the ones that claim closed source is more secure.

    --
    Trolling is a art,
  10. Re:source out on the open by AnonymousNoMore · · Score: 4, Insightful

    That's a good point.

    1) Leak unimportant proprietary source and bait competing open source developers to download.
    2) Initiate legal action against "tainted" developers contributing to open source projects.
    3) Continue to PROFIT!!!

  11. Re:source out on the open by djh101010 · · Score: 5, Insightful

    I mentioned that yesterday and was called some sort of IP alarmist. THIS IS SERIOUS - if you now or in the future contribute your own IP to the open-source world, don't look at Microsoft's source code. You won't learn anything useful, and more importantly, you need to be able to truthfully say "I've never seen it, and specifically and intentionally avoided getting a copy of it or looking at it".

    The odds of coming up with something vaguely similar to their stuff are high enough that it's not worth being accused of copying their work. The best defense against such an accusation is to have never seen their work.

    If I were a tinfoil-hat kind of person, I'd wonder if this isn't some sort of SCO-ish related thing.

  12. Re:source out on the open by s4m7 · · Score: 5, Insightful

    Billy in the land of the underpants gnomes:

    Step 1: 'accidentally' release windows source
    Step 2: Secretly hire unaffiliated programmer to copy blocks of windows source to OSS projects (comments intact)
    Step 3: Sue IBM/RedHat/Novell into the ground
    Step 4: Profit!

    --
    This comment is fully compliant with RFC 527.
  13. Honeypot? by guacamolefoo · · Score: 3, Insightful

    This may be a little paranoid, but is it possible that this whole thing is a honeypot, and now MS can go around pulling SCO type stunts on OSS projects?

  14. Doesn't this smell? by Cytlid · · Score: 5, Insightful

    Is it just me or does this smell like a stealth PR stunt to you? Gee... source code gets leaked... this hits a few communities right in the nose. Now MS can say "See, open source is bad because all these new viruses are made because our source was leaked" and "File-sharing is bad because this is how this is moving around the internet". It's just too conveniently making MS look like a victim.

    --
    FLR
  15. here's my bet by CAIMLAS · · Score: 5, Insightful

    I've given this topic considerable thought, and here are the possible conclusions I've reached.

    1) MS will use this source leak in the future to claim that various open source projects (Samba, Gnome, KDE, OpenOffice(?), linux) that get new features which MS finds competitive are 'derivative' works, regardless of whether or not the developers actually looked at the source.
    2) There will be enough people looking at this source for large portions of the code's functionality essentially entering into 'public domain', with people writing up how the components work. It will be essentially impossible for anyone to do 'virgin' development on 'windows-like' features for anything, as the information on precisely what the Windows version does will only be 2 steps of association from the programmer.
    3) MS will pull a 'patent' or 'trade secret' violation claim on Samba/Linux/GNOME/KDE, in addition to pulling the .NET framework out from underneath the Linux community (by claiming patent infringement again). Two shovels of dirt on the grave of linux.

    From my interpretation, this all seems quite feasible given the current legal atmosphere. Any lawyers here have a comment on this?

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  16. Re:source out on the open?: conspiracy theory by d.valued · · Score: 4, Insightful

    This is not a trivial problem.

    Though many of us - myself included - would not mind a peek into the collective mindshare of the Evil One, one cannot look into the abyss and return unchanged.

    Sorry. Debated last night with philosophy majors. They won, six shots to five black and tans.

    To translate it bluntly: This is still copyrighted code, owned by Microsoft. Duping even their "badly-written routines" into an innocuous place may lead to an SCO-esque attack in the near future, claiming violations in certain filesystem and mounting routines, or possibly something involving Samba, or a myriad of other wincompatibility issues.

    It feels like a tactic that may be conceived by some bright bulb in MS Legal to bring conflict to the competition, or at least stifle development past current kernels.

    I am starting to get the shakes that I get in a poker game when my all-in bet is called when I have pocket kings. (Last time that happened, the opponent had A-J suited. He flopped aces-up. I swore loudly.)

    I am not a lawyer. I play one online, and I'm studying for the patent bar, but I don't pretend to dish out legal advice. Still, if I go all-in, I have the goods.

    --
    I used to be someone else. Now I'm someone better.
    Real life is underrated.
  17. Open != Secure? by RaisinBread · · Score: 4, Insightful

    Isn't it interesting that the source for many projects is wide open ... and we don't have people running around with their heads cut off like the end of the world is coming.

    So - which is it? Is closed-source or open-source more secure?

    Looks like now we'll have the chance to find out!

  18. Re:source out on the open by jruschme · · Score: 5, Insightful
    The Groklaw warning echoes thoughts I had as soon as I heard the comments on the radio about how a competitor could use MS's IP in a competing product. That said, the conspiracy theorist in me wonders if it's possible that Microsoft orchestrated the leak themselves in the hopes of polluting one or more Open Source products (e.g., Linux Kernel, Wine, etc.) and then later launching a series of SCO-style lawsuits. Think about it...
    1. Release portions of an older baseline which have already been fixed/replaced (to minimize the hacker potential), but are algorithmically distinctive enough to be recognized if they were used in another product.
    2. Wait for a well-meaning open source user to submit one of the pieces as a patch to the Linux kernel
    3. Scan new kernels for distinctive algorithm. When found
    4. Launch expensive lawsuit at RedHat, Lindows, et al. Demand injunctions against distribution, damages, etc.
    Or maybe, I've just read too much SCO-IBM coverage here. --John
  19. Anti Linux Spin by nurb432 · · Score: 3, Insightful

    Notice the leak came from 'a linux computer'..

    Nice way to suggest it's that damned linux that is to blame. At least to the common man, the linkage will be subliminal, but it will stick.

    It's almost as bad as 'a red ford suv ran over the child' or 'the gun killed the intruder'..

    --
    ---- Booth was a patriot ----
  20. Re:source out on the open by Alrescha · · Score: 3, Insightful

    "any legal action against opensource projects by microsoft relating to these leaks will still have to demonstrate that:

    1. the opensource code was copied from the leaked nt code
    2. the nt code wasn't boosted from opensource projects first"

    The defendant will have to prove that the code was boosted. Microsoft is under no obligation to try to prove a negative.

    A.

    --
    ...bringing you cynical quips since 1998
  21. Article doesn't say it was *stolen* from Linux box by blorg · · Score: 4, Insightful

    The article doesn't say it was *stolen* from a Linux box, it just says that an analysis of the files suggests that it had come from a Linux box. For example, the image could have been a CD that was burned on a Linux box, and then misplaced. And given that Mainsoft's work is "Windows on *nix" I'd be surprised if they didn't have a few Linux boxes around ;-) As things stand, this says absolutely nothing about Linux security.

  22. Re:Windows developers do not read GPL source by pla · · Score: 5, Insightful

    if the developers of B have never read the source of A, or anything derived from A, it's pretty sure that B will not look like A.

    Except, in the realm of software, that just doesn't apply. A "best way" often exists to accomplish some simple task, and 20 good developers would all independently "discover" that way. Even in more complicated code, you'll see a large overlap of broader ideas, all arising independently.

    This makes one of my peeves about software patents... Patents include the criteria of non-obviousness. If 20 developers would all come up with the same solution, that seems like a pretty damned obvious technique, IMO.

    Take the XOR'ed image patent, for example... Even ignoring the idea of prior art (which IMO existed), using XOR to put one image on top of another such that you can later remove the superimposed image cleanly (ie, a mouse cursor over a background), even a moron would use XOR. Yet, the USPTO still decided to grant that one.

    So yes, very similar works do arise, totally independent of each other, in the field of software engineering. Unfortunately, considering our legal system's pro-corporate bias, that will most likely work against us. Rather than believing that Billy G and Linus both came up with printf("Hello World\n");, this source release will quite likely suffice to convince the courts that various open source projects "stole" such trivial statements from Microsoft code.

    Or to borrow a joke from the SCO threads, "Wow, look at all of the i++; statements those damned open source commies used, just like in SCO's code!"

  23. Re:source out on the open by nvrrobx · · Score: 4, Insightful

    While you are absolutely correct, he with the most money wins in the US court system.

    Microsoft will just sue you into oblivion, and when you run out of money, they'll have won.

  24. alternate universe by SirSlud · · Score: 5, Insightful

    i can't re-iterate how stupid all this fear is ....

    check out this alternate universe:

    musicians are fucked. apparently, we can't look at other people's copyrighted music without 'tainting' our ability to write original music.

    everybody from bach to bon jovi is now in violation of copyright law. musicians have henceforth been instructed never to look at somebody else's music lest they be sued later for copying the notes and rhythms.

    harumph. this is ridiculous.

    --
    "Old man yells at systemd"
  25. Re:Its because they trusted Linux!!!!!! by theCoder · · Score: 4, Insightful

    I don't think this situation is good for anyone.

    You're wrong -- it's good for Microsoft.

    No competitor to MS can look at the code and expect to survive a lawsuit (at least if they compete well enough with MS). So, MS isn't going to lose any money like that.

    Piracy isn't an issue -- Windows is already pirated enough, and MS probably profits from it in the end anyway.

    As far as new vulnerabilities being discovered, well, MS already gets a mostly free ride from 90% of the population (who think they're computer viruses, not Outlook worms), so it doesn't matter that much, and probably won't hurt their bottom line (all they really care about in the end).

    In the end, MS gets lots of free publicity as the victim. I don't see a downside for them.

    --
    "Save the whales, feed the hungry, free the mallocs" -- author unknown
  26. Re:irrelevant by larry+bagina · · Score: 4, Insightful
    at IBM, the linux kernel team is different than the AIX kernel team. A linux kernel guy can ask an AIX kernel guy a question about how they dealt with something, but they can't share code or SCO might sue.


    You could download the windows source code and have it sitting archived on your hard drive without ever looking at it. But if you independently write code that does something like windows does, and there is a copy of the windows source code on your hard drive, what do you think a jury would think?


    The only GPL software I'm aware of MS distributing is with Unix Services For Windows (formerly interix) -- gcc and some other command line tools. You can bet big bucks the people that compile gcc don't do any work on VC.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  27. Re:No step 2 necessary for step 3 by Jerf · · Score: 4, Insightful

    And you think the entire community, including IBM and other companies that have bet the farm or at least huge sums of money on OSS are just going to roll over and take it?

    If the lawsuits get too frivolous, not even Microsoft will be immune to countersuits, plus such massive lawsuits aren't going to be "free" in reputation terms, either. ("Gee, if all Microsoft can produce is lawsuits, maybe they aren't such a leading company after all?")

    Besides, so they prove some small chunk of code is encumbered. (It is virtually inconceivable that huge chunks of code will make it in.) So we rip it out and keep going. Killing any given iteration of Apache may be possible, but taking down the entire thing legally is going to be quite a feat! (And remember that unlike SCO, Microsoft is limited by the fact that they are still selling software; they can't for instance go after the GPL in a really serious way because they'd likely end up invalidating their own licenses; "Unenforceable GPL" is good FUD but would be an atrocious court strategy for them!)

    It's not hopeless, not by a long shot. I won't say they couldn't make a real annoyance of themselves and I won't say Total Open Source victory is some sort of inevitability, but it's not hopeless.

  28. Re:Ridiculous quote from cnn.com article by paco+verde · · Score: 3, Insightful

    No, one reason Linux/*BSD/etc. are more secure is because the source code has always been available, and has been reviewed and hacked by thousands of people for 10 years. The source didn't just show up on the Internet yesterday.

    If Linux's source had been developed in secret for the last ten years, you better believe its sudden revelation would lead to the discovery of new vulnerabilities and exploits, and that's exactly what will happen to NT/2000/XP if there are any substantive pieces of the OS in the partial source that has been released.

    Microsoft is downplaying the whole situation as an intellectual property issue, but I don't believe it. It will likely result in more vulnerabilities and exploits against Windows. Microsoft execs have been saying for years that revealing Windows source code would make the OS more vulnerable to attacks.

  29. Re:source out on the open by the_mad_poster · · Score: 5, Insightful

    Windows kernel gets the kernel GPL'd

    How can a site so full of OSS supporters have so many people so ignorant of how software licensing works? Yes, if they were found to be infringing the GPL they COULD GPL the whole kernel, but that would be stupid. They would just pay damages for infringement and remove the GPL code from future releases. This "viral licensing" bullshit is so idiotic, I can't understand how it got started. I blame SCO.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  30. Re:DON'T TOUCH IT by spitzak · · Score: 5, Insightful

    This seems to be a popular opinion, but it is false.

    You are buying into the same FUD Microsoft is spewing about the GPL.

    Just looking at the code does not "taint" you. There are plenty of ex-Microsoft employees who have looked at Microsoft source code and have then contributed to non-Microsoft projects (not just OSS, but closed-source from competing companies). Really, are you claiming that a coder that has seen Microsoft's code is legally impossible to employ except at Microsoft? What if some poor sap has seen both Microsoft's code and a competitor like Sun's? They can't ever work on software again anywhere?

    Conversely Microsoft hires people all the time that have looked at GPL code. They don't seem worried that these people are "tainted" despite the fact that their public announcements would seem to indicate that it is impossible for such people to work there.

    The person/company in trouble is the one that made the code available. Apparently this is somebody at Mainsoft, who should be punished hard. This sort of behavior is extremely damaging to IT!

  31. Re:Yea, but what if..... by Eil · · Score: 4, Insightful


    If it came to it, I highly doubt that would hold up legally. Besides, much of the stuff in Windows is patented, and there's simply no way to re-implement it (different code or no) without violating a patent.

    Why in the hell do you want to copy windows anyway? Open source to me is about making new or simply better software. (Speaking generally to everyone here, not just the parent...) If you absolutely must have win32 compatibility, then buy a Windows license like everyone else. If that's not acceptable, then figure out a solution that doesn't require win32 compatibility. But for god's sake, don't be a common criminal and steal someone else's implementation.

    I digress. Chances are pretty good that writing a specification from such crufty code (and a good deal of it is crufty) would be more difficult than legally reverse-engineering a working implementation anyway.