Slashdot Mirror


Microsoft Source Follow-Up

shystershep writes "It's official. Microsoft admits that 'portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet.' No more details, although it seems clear that it is only a portion of the code. Microsoft is, naturally, downplaying its impact, while everyone else is busy speculating about how serious this could get." A lot of you apparently haven't read yesterday's story. An investigation of the code is already underway.

32 of 1,090 comments

  1. Of course! by NeoThermic · · Score: 5, Interesting

    >>Microsoft is, naturally, downplaying its impact

    Of course they are. They don't want to admit that it's 203MB of files, they will just say it's a small fragment.

    Makes me wonder about all the weird e-mail files in the zip though...

    NeoThermic

    --
    Use my link above, or to view my server, NeoThermic.com
  2. So the question is by drinkypoo · · Score: 4, Interesting

    Has anyone actually built this code? Will it actually be useful to anyone? I could see how having enough of the code available might allow someone to create a version of windows 2000 that would work with plex86, which would be exceptionally exciting. Just how much of the code is there anyway? It's reputedly a ~200MB archive which also contains assorted tools needed to compile from the source, so only so much of that can be code. 200MB of pure source code would seem like it was probably enough to assemble most or all of Windows from.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:So the question is by cozziewozzie · · Score: 5, Interesting

      15% of what? They seem to be very vague about this. The link you mention claims it is 15% of the operating system. Does it mean 15% of Win2K or 15% of all Windows code (95+98+ME+NT+2000+XP+2003+CE)?

      Furthermore, most of the code in a given operating system belongs to the drivers. If it's the important 15%, then it could be completely irrelevant that you don't have the 85% that deal with graphics cards and similar.

  3. Mainsoft is to blame... by JamesP · · Score: 5, Interesting

    The most astonishing phrase is this:
    Analysis indicates files within the leaked archive are only a subset of the Windows source code, which was licensed to Mainsoft for use in the company's MainWin product. MainWin utilizes the source to create native Unix versions of Windows applications.

    Mainsoft says it has incorporated millions of lines of untouched Windows code into MainWin.


    WHAT?!?!!?!??

    --
    how long until /. fixes commenting on Chrome?
  4. Re:Traces back to Mainsoft? by sp00 · · Score: 5, Interesting

    Microsoft will probably use this to their advantage: "The leaked code ... was apparently removed from a Linux computer "

  5. This can't be the first time by Schemat1c · · Score: 5, Interesting

    The company I worked for 12 years ago was licensed to get part of the Windows 3.1 code in order to interface our product with theirs. There must be 1000's of companies that do this and have been doing this. I'm amazed it took this long for someone to finally steal it and post it.

    --

    "Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
  6. Swearing? by thung226 · · Score: 5, Interesting

    I'm shocked to find out that there is profanity in the comments/code. Anybody know specifically what they say? Seems a bit unprofessional.

    M$ Programmer: Well, nobody's going to read this anyway, so "\\f*ck this bullsh*t"

    For personal projects, this is fine (I've vented a bit in my personal coding projects), but I would never do anything like that at work...

    --
    -n-
  7. Re:Traces back to Mainsoft? by cozziewozzie · · Score: 5, Interesting

    The link seems to be slashdotted, but isn't that the company which ported IE to Unix and was rumoured to be doing something similar for MS Office?

  8. should we be looking at this stuff? by mr_burns · · Score: 4, Interesting

    I'm reminded that last time there was a windows source leak we were all encouraged NOT to look at it, so that we wouldn't have to deal with the source ending up in Linux.

    Seems like a good idea, but...

    Was it ESR that made that nifty app to compare SCO and Linux sources? Could it be fiddled with to see if Linux or other free/open source code made its way into Windows?

    It would be quite a coup if we could somehow legally show that they stole from the community without having to deal with the gnarly mess of Windows code finding its way into Linux.

    I'm not implying that such a thing HAS happened, but we're presented with an opportunity here.

    --
    "Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
  9. Re:From Rich Bowen's blog... by guacamolefoo · · Score: 4, Interesting

    ...right here:

    Second, we're going to see lawsuits in the next 2 years where Microsoft identifies code in Linux, added after February 10, 2004, which is either copied from, or influenced by, the Windows source code. And, as absurd as this is, it will be used to have, as Microsoft would say, a chilling effect on innovation.

    Hm. I bet Andrew Morton has better things to do than trawl through WinNT code. Staying away from it does seem safest, though...


    Part of future kernel maintenance should probably include comparisons against this code, just to be safe. The worst possible thing would be for some witless idiot to include any of it into any OSS project and have this miss final review.

    IMHO, rather than chortling over this disclosure, I'd rather have the code be kept completely secret by MSFT. Unfortunately, information is hard to keep secret when so many people have it.

    GF.

  10. Will this increase calls for stronger DRM? by G4from128k · · Score: 4, Interesting

    I'm sure that Microsoft now wishes that its source code files had been locked into self-expiring, heavily encrypted, copy-resistant file formats. Events like this can only increase demands for "Trusted Computing" initiatives that prevent accidental or intentional leakage of security-sensitive intellectual property.

    Given that so many companies outsource or collaborate with a far-flung global network of suppliers -- I'm sure MSFT need only whisper about the threat of leaked trade secrets to get corporate IT to adopt DRM/Trusted computing for everyday use.

    --
    Two wrongs don't make a right, but three lefts do.
  11. Security through obscurity? by Gothmolly · · Score: 5, Interesting

    Everyone is panicking about how revelation of the source will open Windows up to hacks. In an ideal world, knowing how good code is written shouldn't give away the 'hacks'. In this case, MS is rightfully fearing review of places where they fail to check string lengths or buffer sizes, the way that they handle exceptions (if they do), the way that their logic copes, or fails to cope, with unexpected input.
    However, good code wouldn't have this problem, string lengths would be checked, there wouldn't be hardcoded passwords, components that are not supposed to trust one another really don't, etc.
    This exposure of the source may reveal just how crappy their code is. If it's not crappy, I don't see necessarily how it's more 'hackable'. Apache is open, and nobody hacks it to pieces on a daily basis. Can you imagine what would happen if the source of IIS was leaked?

    --
    I want to delete my account but Slashdot doesn't allow it.
  12. Possible "culprit" found by Zocalo · · Score: 5, Interesting
    According to this article at the Register, it looks like tracking the source of the leak wasn't that hard owing to very specific comments in the code. The theory is that it's the old tale of boss gets new PC, user inherits old PC and so on at Mainsoft, one of Microsoft's partners. The twist in the tale this time is that in this case the PC may have ended up on the desk of someone who recognised the code for what it was and decided to post it.

    If this is true, then I suspect that the list of possible culprits is very short and some poor sap who didn't think things through is going to be in *very* hot water indeed early next week.

    --
    UNIX? They're not even circumcised! Savages!
  13. Re:source out on the open by Frymaster · · Score: 5, Interesting
    access to the Windows source... may legally impair their ability to make contributions to open source resembling anything that exists in Windows.

    windows developers have had access to gpl'd source for well over a decade... but that hasn't legally impaired their ability to make their products.

    any legal action against opensource projects by microsoft relating to these leaks will still have to demonstrate that:

    1. the opensource code was copied from the leaked nt code
    2. the nt code wasn't boosted from opensource projects first
  14. Re:You Should Not Be Cheering by Wireless+Joe · · Score: 5, Interesting

    "...nobody deserves to have their hard earned work lifted without their permission..."

    I agree...just ask Burst.com
  15. Bad for security... by haeger · · Score: 4, Interesting
    I think this could be very bad for Windows security (yeah, oxymoron, I know). This is bad news for all that in some way have to support Windows at work.
    Since we all agree that all code has bugs in it and since this code is out we can safely assume that some bugs will be found.
    Now all the white-hat hackers are prevented by law from taking a look at the code and since all black-hat hackers don't give a damn about that law, those who run Windows are in a pretty bad place right now. Even worse than usual actually.

    Oh well, the windows admins who like working overtime will love the coming year I suspect.

    .haeger

    --
    You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
  16. Re:source out on the open by bark · · Score: 5, Interesting

    I remember reading that Steve Ballmer and Bill Gates specifically FORBADE any MS employees from reading / accessing GPL'ed code unless given express permission from somewhere high up.

    They had their "don't touch GPL" rule in place for quite a few years now. But they can access BSD licensed code and incorporate it freely.

    Just because they had access doesn't mean MS employees are out to break the law ...

    it works in reverse too. To microsoft, all this free linux code floating around on the net is a huge temptation for its employees to cut some corners and potentially land ms in big legal trouble ... sounds familiar to all these conspiracy theories floating around about the leaked win2k source, doesn't it?

  17. Is there any GPL Violating Software in it? by NetSurferHI · · Score: 4, Interesting

    Has any one taken a look to see if the old rumors that Win2K is more stable because it uses open source code is true? If so, would that make Microsoft in violation of the GPL?

  18. Re:It was lifted from a Linux Box by sqlrob · · Score: 4, Interesting

    Or an idiot developer working on a linux box happened to check in the core file with other work.

    I've seen junk like that before, so it's entirely possible.

  19. Entertainment value of media "experts" by paco+verde · · Score: 5, Interesting

    The funniest part of this whole thing has been the industry pundits explaining the ramifications of the source release in various media outlets.

    The best I've seen today is on crn.com by some joker named Winell from Econium. He manages to say with a straight face:

    "Unlike Linux desktops, which is like the wild wild west and not controlled and enhanced all the time, Windows users have come to take a quality controlled operating system for granted and not have to worry about a bad release," Winell said. "We hope that Microsoft can swiftly identify how the code got released, prosecute the perpetrator and build a barrier/security patch to protect against intrusions."

    Mr. Winell has obviously never used Windows ME if he thinks Microsoft quality control prevents "bad releases". You know Econium must be a real player when the title of their home page is "Welcome to Econium who is a solutions provider."

    The classic yesterday was Laura Didio from Yankee Group comparing OSS hackers to suicide car bombers.

    Nothing like an embarrassing Microsoft moment to get the "experts" out from under their rocks.

  20. Re:Winsock API Included. by noisehole · · Score: 5, Interesting

    Clues to the source code's origin lie in a "core dump" file, which is left by the Linux operating system to record the memory a program is using when it crashes. Further investigation by BetaNews revealed the machine was likely used by Mainsoft's Director of Technology, Eyal Alaluf.

    right, betanews revealed it.. damnit. they could've at least credited me ;)
    bastards

  21. Then why was the code in a "zip" archive? by NZheretic · · Score: 4, Interesting
    If the code was leaked from a Linux/Unix computer, why was the code found being distributed in a zip archived file instead of a compressed tar archived file?

    Zip files are rarely used for distributing source code amongst the Linux/Unix community because compressed tar files are far more efficient.

    zip -r source.zip /usr/src/linux-2.4.22-1.2149.nptl
    ls -l source.zip
    -rw-rw-r-- 1 build build 49091705 Feb 14 06:20 source.zip
    tar cjf source.tar.bz2 /usr/src/linux-2.4.22-1.2149.nptl
    ls -l source.tar.bz2
    -rw-rw-r-- 1 build build 31964979 Feb 14 06:23 source.tar.bz2
    tar czf source.tar.gz /usr/src/linux-2.4.22-1.2149.nptl
    ls -l source.tar.gz
    -rw-rw-r-- 1 build build 40689187 Feb 14 06:31 source.tar.gz

    The resulting tarred archive compressed by bz2 is around 35% smaller than the zipped source. With the exception of the jar format for Java classes, the zip format is rarely used by Linux/Unix developers for distributing source code.

    IMO this points to the source code being lost from a Microsoft based platform.

  22. Re:source out on the open by jtrascap · · Score: 4, Interesting

    I like the way this guy thinks - and I think this too.

    Let's do some math..and since we're talking conspiracy theory here, we only need to use addition!

    * MS "kills off" the old OSs, but not enough corp users move
    * MS goes security nuts and publicizes every patch. Let's not mention that some patches take 6 months to come...
    * Release the code through a "trusted partner" - MS supports lots of partners which, via programming, politics or press, support the beast in return.
    * Frightened CEOs scream - CIOs look at updating to XPee vs. training staff on Linux and OpenOffice. Looks ok, until...
    * Frightened CEO's PowerPoint presentation doesn't work right

    SOLUTION:
    * CEO - "Upgrade!"
    * MS = PROFIT!

    C'mon - add to the panic...It's Fun!

  23. Re:You Should Not Be Cheering by koh · · Score: 5, Interesting
    The main prejudice may be caused by nastier side-effects such as a grep and analyse on all source code comments.

    Imagine the impact, if, say, the following comment is found in the IE PNG rendering engine :
    // don't know what this struct member does,
    // maybe transparency ?? too lazy to lookup
    // docs, leave as is for now
    This would be a hard time for PR given their current objectives... and I don't even think about security-related comments ;)

    (Disclaimer: this example is FICTITIOUS. I do not have access to the code in any way. If such a comment is found, I hereby promise to immediately cease and desist watching Deadzone.)

    --
    Karma cannot be described by words alone.
  24. Re:Winsock API Included. by JebusIsLord · · Score: 4, Interesting

    or equally important, make it anchor CSS images properly?

    --
    Jeremy
  25. comparing MS code to OSS code by moojin · · Score: 5, Interesting

    has anybody attempted to use the code analyzer that was developed for the SCO / IBM case? it would be interesting to see if there were any similarities between MS code and the multitude of OSS code.

    --
    Why did I lurk so long before registering for a Slashdot account? I could have had a Slashdot ID of less than 100000.
  26. Re:This may sound crazy, but M$ would likely gain. by koh · · Score: 4, Interesting

    Obviously the only answer for companies stuck with M$, move to XP

    No. Windows 2000 is NT 5.0, XP is 5.1 and Server 2003 is 5.2. Notice the minor version bump which indicates that all these releases share a lot of code.

    It is reasonable to think they want to have users switch to Longhorn (does anybody know if it will be NT 5.3 or 6.0 ?), but then the leak occurred too soon, for they're not ready yet.

    --
    Karma cannot be described by words alone.
  27. Re:Winsock API Included. by bangular · · Score: 5, Interesting

    There is actually a lot of network related code in there. Microsoft, while trying to downplay it, can't deny that 13 million lines have been released. It doesn't matter the total size of Windows and whether this is 1% or 25%. The old adage is you can count on one mistake for every thousand lines of code. Look at programs that are just a few thousand lines of code that have exploits. I'd say at the very least, we are looking at 20 buffer overflows in the code. Obviously not every single one will be found, but you can count on a few. Especially since people will be looking mighty hard. With comments like "this may be off by -1, but I'm not sure", I think we are almost guaranteed some buffer overflows.

    This will also give the daring souls willing to look at it a chance to tell us if there is GPL code. Rumor is GNU style Makefiles (which isn't illegal) and parts of gnu autoconf (which I suspect is illegal, if they actually include it in the OS).

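The two comments above (11 and 27) describe the same bug class from opposite ends: a length check that exists but is off by one, so a string of exactly the buffer's size passes and its terminator lands one byte past the end. The following is an added illustration, not code from the leaked tree, from Microsoft, or from this thread; the function names and the "region" trick used to observe the overrun without undefined behaviour are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical "before": the bound test forgets the NUL terminator.  A source
 * of exactly dstsize characters passes the test, and memcpy writes len+1
 * bytes into a buffer of dstsize bytes. */
int copy_name_off_by_one(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (len > dstsize)          /* off by one: should be len >= dstsize */
        return -1;
    memcpy(dst, src, len + 1);  /* len+1 bytes into a dstsize buffer */
    return 0;
}

/* Hardened: the test accounts for the terminator, a zero-size buffer is
 * refused, and the caller is told about truncation instead of silently
 * getting a clipped name. */
int copy_name_checked(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0)
        return -1;
    if (len >= dstsize) {       /* does not fit together with its NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Shows the overrun deterministically: the 8-byte "field" is the start of a
 * 16-byte region pre-filled with 'X', so the stray NUL stays inside memory we
 * own and can be inspected.  Returns 1 if the byte after the field was
 * clobbered by the vulnerable copy. */
int vulnerable_clobbers_next_byte(void)
{
    char region[16];
    memset(region, 'X', sizeof region);
    /* 8 characters: passes "len > 8" but needs 9 bytes with the NUL */
    copy_name_off_by_one(region, 8, "ABCDEFGH");
    return region[8] == '\0';
}

/* Same input against the hardened copy: rejected, neighbour byte untouched,
 * destination left as an empty string. */
int hardened_rejects_same_input(void)
{
    char region[16];
    memset(region, 'X', sizeof region);
    int rc = copy_name_checked(region, 8, "ABCDEFGH");
    return rc == -1 && region[8] == 'X' && region[0] == '\0';
}

/* A 7-character name does fit in 8 bytes and is copied intact. */
int hardened_accepts_fitting_input(void)
{
    char region[16];
    memset(region, 'X', sizeof region);
    int rc = copy_name_checked(region, 8, "ABCDEFG");
    return rc == 0 && strcmp(region, "ABCDEFG") == 0 && region[8] == 'X';
}
```

The point a reviewer would look for in a real tree is the comparison operator in the bound test and whether the count passed to the copy includes the terminator; both must agree with the buffer's declared size.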
  28. Yea, but what if..... by StressGuy · · Score: 5, Interesting

    Say, a retired programmer took a look at the leaked Windows source code then published a "code specification" that another (still employed) programmer could look at and then write a program to meet that specification. Technically, he never saw the source code, in fact, he need never even know that the "code specification" was inspired by the leaked Windows source.

    ...just thinking out loud, as it were....

    --
    A goal is a dream with a deadline
  29. Zipped contents of a CD-rom by NZheretic · · Score: 5, Interesting
    Phillup rightly raised the point: "Perhaps it got into the computer (from MS) as a zip file? And... they kept the original.".

    The expanded contents of the zip file is around the size of a single CD. This points to the contents being originally distributed from Microsoft on CD-rom.

    Microsoft has made so much fuss about retaining control of the source code. In May 2002, under oath at the antitrust hearing Jim Allchin, group vice president for platforms at Microsoft, stated that, because the Windows operating systems contained inherent flaws, disclosing the Windows operating system source code could damage national security and even threaten the U.S. war effort.

    It's going to be interesting if it is subsequently found that Microsoft itself has been distributing said source code over the internet in zip format.

    By the way, In February 2003, Microsoft signed a pact with Chinese officials to reveal the Windows operating system source code. Bill Gates even hinted that China will be privy to all, not just part, of the source code its government wished to inspect.

    Despite gaining more favored trading status with the USA, there remain many embargoes over technology transfers which could put the US at future risk.

    Either Jim Allchin lied under oath, to prevent code revelation being any part of the settlement, OR the Microsoft corporation is behaving traitorously, by exposing national security issues to foreign governments.

    The exposure of Microsoft source code puts users at risk because of the inherent design and implementation flaws built into the source code.

    In comparison open source development practices enable open source distributions and users to evaluate the source code from the start. This forces developers to build in security from the early outset of each project or risk abandonment for more secure alternate solutions. End users can participate in the development process.

  30. BSD licence by Sepper · · Score: 4, Interesting

    the best example of BSD code in Windows (all versions I think) is the ftp.exe file... Just open it with notepad and search for:

    "Copyright (c) 1983 The Regents of the University of California. All rights reserved."

    And I think the TCP/IP stack is also based on it (they would be really stupid to do otherwise)... But I think this is all old news...and it's all very legal in case you didn't know

    --
    I live in Soviet Canuckistan you insensitive clod!
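The "open it with notepad and search" check above is a strings(1)-style scan: walk the binary, keep runs of printable bytes, and look for the copyright marker inside a run. The following is an added example of that scan, not code from Windows, from any BSD utility, or from this thread; the byte blob is constructed here and is not taken from ftp.exe.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Returns the offset of the first printable run of at least minlen bytes
 * that contains needle, or -1 if none.  Runs end at any non-printable byte,
 * so a marker split by a NUL or stored as UTF-16 will not match; that is the
 * same limitation a plain text-editor search has. */
long find_marker(const unsigned char *blob, size_t n,
                 const char *needle, size_t minlen)
{
    size_t nlen = strlen(needle);
    size_t i = 0;
    while (i < n) {
        while (i < n && !isprint(blob[i]))     /* skip binary bytes */
            i++;
        size_t start = i;
        while (i < n && isprint(blob[i]))      /* consume one printable run */
            i++;
        size_t runlen = i - start;
        if (runlen >= minlen && runlen >= nlen) {
            for (size_t j = start; j + nlen <= i; j++)
                if (memcmp(blob + j, needle, nlen) == 0)
                    return (long)j;
        }
    }
    return -1;
}

/* Constructed sample "binary": code-looking bytes around an embedded
 * copyright string, as a compiled program's data section would hold it. */
static const unsigned char sample_blob[] = {
    0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0xff, 0xfe, 0x01, 0x02,
    'C','o','p','y','r','i','g','h','t',' ','(','c',')',' ','1','9','8','3',
    ' ','T','h','e',' ','R','e','g','e','n','t','s', 0x00,
    0xe8, 0x12, 0x34, 0x00, 0x00, 0xc3, 0x90, 'G','C','C', 0x00, 0x7f
};

/* Offset of "Regents" in the sample, requiring runs of 8+ printable bytes. */
long sample_marker_offset(void)
{
    return find_marker(sample_blob, sizeof sample_blob, "Regents", 8);
}
```

The minimum run length filters out the short printable accidents that any machine code produces ("GCC" above is real text but too short to count with minlen 8); lowering it finds more, at the cost of more noise to read through.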
  31. A way to avoid legal problems = Source-Notaries by johnny6vasquez · · Score: 4, Interesting

    Hey, sorry but I wrote this and want to have my name on it. Ignore my AC post please. Contrary to what most posters here are advising, maybe we should set up a group, like a division of Groklaw for example, that has as much leaked closed-licence code as possible.

    The purpose of this closed-licence division would be to run independent comparisons of new OSS contributions against a library of leaked closed-licence code to ensure nothing gets slipped by the project managers and poisons the project source.

    I was initially going to suggest that the project manager do this comparison, but that would be too risky for the project (closed-source legal teams might have a go at it). Instead using a trusted OSS community party to do the checking saves us the hassle of each project manager having to download all the latest leaked closed-source. The "source-notary" would have a central repository of leaked material, which would not be redistributed by them, only made available to the original authors and for use to run comparisons on new OSS project code submissions and therefore avoid having a company pay a developer to salt the OSS project with leaked code.

    I think this is a pretty mature way of handling this and should satisfy all parties.
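Comments 8, 25 and 31 all want the same thing: a comparison that flags a contribution sharing code with a reference tree even after it has been reformatted. The following is an added example of the core of such a comparator, not the SCO/IBM-era tool's code and not from any project or from this thread: both inputs are tokenised, every window of K consecutive tokens is hashed, and the share of the candidate's windows that also occur in the reference is reported. The K, the hash constants and the three sample sources are this example's own assumptions; renaming identifiers does defeat it, which is the known limit of plain window fingerprints.

```c
#include <stddef.h>
#include <stdint.h>
#include <ctype.h>

#define K 4          /* tokens per fingerprint window (assumed) */
#define MAX_TOK 512  /* token limit per input, enough for this illustration */

/* Split source into tokens (identifier/number runs, or one punctuation
 * character each) and emit one FNV-1a hash per token.  Whitespace and
 * newlines are skipped, so reflowing copied code does not change the stream. */
static size_t tokenize(const char *src, uint64_t *out, size_t max)
{
    size_t n = 0, i = 0;
    while (src[i] != '\0' && n < max) {
        unsigned char c = (unsigned char)src[i];
        if (isspace(c)) { i++; continue; }
        uint64_t h = 1469598103934665603ULL;            /* FNV-1a basis */
        if (isalnum(c) || c == '_') {
            while (isalnum((unsigned char)src[i]) || src[i] == '_')
                h = (h ^ (unsigned char)src[i++]) * 1099511628211ULL;
        } else {
            h = (h ^ c) * 1099511628211ULL;
            i++;
        }
        out[n++] = h;
    }
    return n;
}

/* Combine K consecutive token hashes starting at position i into one value. */
static uint64_t window_hash(const uint64_t *toks, size_t i)
{
    uint64_t h = 0;
    for (size_t j = 0; j < K; j++)
        h = h * 1000003ULL + toks[i + j];
    return h;
}

/* Per-mille share of K-token windows in `candidate` that occur anywhere in
 * `reference`: 1000 means every candidate window exists in the reference.
 * An integer result keeps the comparison exact. */
int shared_windows_permille(const char *reference, const char *candidate)
{
    uint64_t rt[MAX_TOK], ct[MAX_TOK];
    size_t rn = tokenize(reference, rt, MAX_TOK);
    size_t cn = tokenize(candidate, ct, MAX_TOK);
    if (rn < K || cn < K)
        return 0;
    size_t total = cn - K + 1, shared = 0;
    for (size_t i = 0; i < total; i++) {
        uint64_t wh = window_hash(ct, i);
        for (size_t j = 0; j + K <= rn; j++)
            if (window_hash(rt, j) == wh) { shared++; break; }
    }
    return (int)(shared * 1000 / total);
}

/* Constructed samples; none of these is taken from any real code base. */
static const char *reference_src =
    "int copy_name(char *dst, size_t n, const char *src) {\n"
    "    size_t len = strlen(src);\n"
    "    if (len >= n) return -1;\n"
    "    memcpy(dst, src, len + 1);\n"
    "    return 0;\n"
    "}\n";

/* The same code with all whitespace changed: reflowing does not hide it. */
static const char *reflowed_src =
    "int copy_name(char *dst,size_t n,const char *src){size_t len=strlen(src);"
    "if(len>=n)return -1;memcpy(dst,src,len+1);return 0;}";

/* Unrelated code of similar shape, to show the score stays near zero. */
static const char *unrelated_src =
    "static int count_lines(FILE *fp) {\n"
    "    int c, lines = 0;\n"
    "    while ((c = fgetc(fp)) != EOF)\n"
    "        if (c == '\\n') lines++;\n"
    "    return lines;\n"
    "}\n";
```

A real notary would index the reference windows in a hash set rather than scanning them per candidate window, and would normalise identifiers (the technique behind winnowing-style tools) before hashing, but the scoring rule is the one shown: what fraction of the submission's token windows already exist in the material it must not contain.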