Microsoft Source Follow-Up
shystershep writes "It's official. Microsoft admits that 'portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet.' No more details, although it seems clear that it is only a portion of the code. Microsoft is, naturally, downplaying its impact, while everyone else is busy speculating about how serious this could get." A lot of you apparently haven't read yesterday's story. An investigation of the code is already underway.
The Winsock API is included in the leaked source that's something fantastic hahaha.
maybe open source developers get a chance to fix some bugs it may have ;)
"The quality of life is inversely proportional to the number of keys on your keyring."
There are a number of empty .eml files in the archive. While their FTP server looks like (didn't check) it is running a vulnerable version of wu-ftpd, it seems more likely Nimda got to them first.
I wonder what the final MS press release will name as the cause. "Evil Linux Hackers", perhaps?
Contact Me (got tired of viruses emailing me).
>>Microsoft is, naturally, downplaying its impact
Of course they are. They don't want to admit that it's 203MB of files, they will just say it's a small fragment.
Makes me wonder about all the weird e-mail files in the zip though...
NeoThermic
Use my link above, or to view my server, NeoThermic.com
Has anyone actually built this code? Will it actually be useful to anyone? I could see how having enough of the code available might allow someone to create a version of windows 2000 that would work with plex86, which would be exceptionally exciting. Just how much of the code is there anyway? It's reputedly a ~200MB archive which also contains assorted tools needed to compile from the source, so only so much of that can be code. 200MB of pure source code would seem like it was probably enough to assemble most or all of Windows from.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
EWeek is reporting that Mainsoft, a partner with Microsoft, is the source of the source code leak.
eWeek article mentions that leaked code was not traced to the Shared Source licensing program, because there were so many profanities in it.
I hope the guys who left the f-words in will get a promotion or something for aiding the investigation.
formerly long-time Redmond partner Mainsoft.
Hm. I bet Andrew Morton has better things to do than trawl through WinNT code. Staying away from it does seem safest, though...
The Army reading list
What occurred here looks like corporate espionage and theft, plain and simple. Whoever leaked this should be caught, and sent to Federal pound-you-in-the-ass prison. I know everyone here loves to hate on M$ (hahah funny), but nobody deserves to have their hard-earned work lifted without their permission.
SIG:Slashdot: indymedia for nerds.
References to MainWin can also be found throughout the leaked source files, which do not compile into a usable form of Windows.
I don't think any code can claim this, no matter what M$ says
Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
Now I can play Half-life 2 on Windows 2000 all while keeping it real.
BBC also has a Q&A on the recent event, including thoughts on how this may impact Microsoft themselves.
Microsoft has said that this represents about 15% of the total source code for the operating system. It is not enough to recreate the operating system.
The first reports on how buggy the code really is... This will either refute or prove what the OSS community has always thought.
That OS software is viewed by many, and therefore fixed by many.
If there are holes.... it's just going to be some sort of patch fest / orgy. Redhat, MDK, et al, should get positioned just in case.
www.slightlycrewed.com - Because aren't we all?
The most astonishing phrase is this:
Analysis indicates files within the leaked archive are only a subset of the Windows source code, which was licensed to Mainsoft for use in the company's MainWin product. MainWin utilizes the source to create native Unix versions of Windows applications.
Mainsoft says it has incorporated millions of lines of untouched Windows code into MainWin.
WHAT?!?!!?!??
how long until
The company I worked for 12 years ago was licensed to get part of the Windows 3.1 code in order to interface our product with theirs. There must be 1000's of companies that do this and have been doing this. I'm amazed it took this long for someone to finally steal it and post it.
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
Now that the source code to Paint is out there, we can expect many derivative works to surface in the coming months. The impact on the graphics software market will be devastating.
One bad monkey spoils the whole barrel.
"It is not clear at this point how the three and a half year-old source code escaped Mainsoft."
You know.. It's simple: code wants to be free
>The leaked code includes 30,915 files and was apparently removed from a Linux computer used by Mainsoft for development purposes.
I wonder what Linux security hole allowed that to happen.
LAUGH, IT'S A JOKE.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Is this damaging because 15% of the source to the NT / W2K tree was leaked and we're all suddenly vulnerable or is this no big deal since the code is three years old and it's only 15%? I haven't heard anyone talking about DRM, activation or serial code being in the leak, so I just don't see how this could affect MS other than to help interoperability of other software.
And knowing how prompt Microsoft are at fixing known exploits, I really wonder how anybody can consider their products secure. I mean, Valve cited the code leak as the reason for a long rewrite and delay for Half-Life 2 (it's a bloody GAME!), and Microsoft downplays such incidents. We have a new model: Security through ignoring.
Current favourite, the author of MyDoom, but many youngsters are looking to make their mark in this prestigious contest
Grab a beer, sit back, and enjoy this great sporting occasion - sponsored by Microsoft, Security Through Obscurity.
"If you think nobody cares if you're alive, try missing a couple of car payments." Earl Wilson
Steadily dropping today...
...of the total that accepted wisdom says makes up the full source tree, but what percentage of the full source is for the thousands of drivers etc. that really aren't part of the OS proper.
I wouldn't be so sure that what has leaked is an insignificant portion just because of the number of lines of code.
I'm shocked to find out that there is profanity in the comments/code. Anybody know specifically what they say? Seems a bit unprofessional.
M$ Programmer: Well, nobody's going to read this anyway, so "\\f*ck this bullsh*t"
For personal projects, this is fine (I've vented a bit in my personal coding projects), but I would never do anything like that at work...
-n-
I'm reminded that last time there was a windows source leak we were all encouraged NOT to look at it, so that we wouldn't have to deal with the source ending up in Linux.
Seems like a good idea, but...
Was it ESR that made that nifty app to compare SCO and Linux sources? Could it be fiddled with to see if Linux or other free/open source code made its way into windows?
It would be quite a coup if we could somehow legally show that they stole from the community without having to deal with the gnarly mess of windows code finding its way into Linux.
I'm not implying that such a thing HAS happened, but we're presented with an opportunity here.
"Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
...from the source leak if it has occurred at the proper time.
One of Microsoft's big problems when introducing a new operating system (felt especially strongly when they released XP) is that they often have difficulty moving corporations and smaller companies to the new platform right away.
Many people still run 2000 (because it was M$'s first decent operating system) instead of XP because they have NO REASON to move to XP.
All of a sudden, 2000, and NT4 (which are holding strong in their pie-slice of the M$ OS world) have been subjected to enormous security liabilities.
Obviously the only answer for companies stuck with M$, move to XP! LOL.
Mighty convenient isn't it?
This may illustrate one of the hallmarks of open source software-- that software open to prying eyes is inherently more secure than closed source. I won't be surprised if digging through the source reveals a number of exploitable security flaws, perhaps many more than have been revealed with the source closed!
To paraphrase Bruce Schneier, if I give you the plans to my safe, and 100 identical safes with the combinations so you can study the locking mechanism in detail, and you still can't crack my safe-- that's security!
Maybe I'm a little jaded, but my guess is that in about a year, when we're closer to the Longhorn release, Microsoft will claim that the heritage Win2000/NT4 core is "too compromised" because of this leak and officially discontinue support prior to its seven year life-cycle. Then, along with Win98, everyone will be compelled to migrate to their new products.
:)
Just a thought...
"The leaked code includes 30,915 files and was apparently removed from a Linux computer used by Mainsoft for development purposes.
Clues to the source code's origin lie in a "core dump" file, which is left by the Linux operating system to record the memory a program is using when it crashes. Further investigation by BetaNews revealed the machine was likely used by Mainsoft's Director of Technology, Eyal Alaluf."
Wow, Microsoft's first source code leak in history came from running Linux. And they traced it because Linux's core files make forensics trivial!
I'm betting there's a lot of folks in Redmond right now saying: "who the hell decided to put Windows code on a Linux box?!!!"
P.S. Eyal is screwed, right?
If guns kill people, then CmdrTaco's keyboard misspells words.
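The provenance clue in the report quoted above was a core dump left inside the archive, the kind of stray artifact an audit of a source bundle can catch before it leaves a machine. As an added example (not from this thread or from anyone it mentions), the Python below flags ELF core dumps by header and stray .eml files in a zip; the file names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # e_type of an ordinary executable
ET_CORE = 4   # e_type the ELF format assigns to core files


def is_elf_core(header: bytes) -> bool:
    """True if these leading bytes are an ELF header whose e_type is ET_CORE."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return False
    # EI_DATA (byte 5) gives the byte order of the multi-byte fields.
    if header[5] == 1:
        fmt = "<H"          # little-endian
    elif header[5] == 2:
        fmt = ">H"          # big-endian
    else:
        return False        # invalid EI_DATA, not a well-formed ELF file
    (e_type,) = struct.unpack_from(fmt, header, 16)
    return e_type == ET_CORE


def audit_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, finding) pairs for artifacts that do not belong
    in a source bundle. Core dumps are detected by content, not by name,
    so a renamed core file is still caught."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                header = fh.read(18)
            if is_elf_core(header):
                findings.append((info.filename, "ELF core dump"))
            elif info.filename.lower().endswith(".eml"):
                kind = "empty .eml file" if info.file_size == 0 else ".eml mail file"
                findings.append((info.filename, kind))
    return findings


def _elf_header(e_type: int) -> bytes:
    """Constructed 18-byte ELF header prefix (32-bit, little-endian)."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)
    return e_ident + struct.pack("<H", e_type)


def build_sample_archive() -> bytes:
    """Constructed sample: a source file, a normal binary, a core dump
    and an empty .eml file, all with made-up names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("src/lib/util.c", "int main(void) { return 0; }\n")
        zf.writestr("src/tools/build_helper", _elf_header(ET_EXEC) + bytes(64))
        zf.writestr("src/tools/core", _elf_header(ET_CORE) + bytes(64))
        zf.writestr("src/docs/readme.eml", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for name, finding in audit_archive(build_sample_archive()):
        print(f"{finding}: {name}")
```
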
Anyone around here remember when the Apple QuickDraw code was leaked in 1989?
It started quite a big ruckus, with the media making it out to be the entire OS, and the FBI starting what has been described as more or less a witch-hunt on 'hackers'..
I would not be surprised to see a repeat of that, substituting 'hackers' for 'file-sharers'..
I'm sure that Microsoft now wishes that its source code files had been locked into self-expiring, heavily encrypted, copy-resistant file formats. Events like this can only increase demands for "Trusted Computing" initiatives that prevent accidental or intentional leakage of security-sensitive intellectual property.
Given that so many companies outsource or collaborate with a far-flung global network of suppliers -- I'm sure MSFT need only whisper about the threat of leaked trade secrets to get corporate IT to adopt DRM/Trusted computing for everyday use.
Two wrongs don't make a right, but three lefts do.
Everyone is panicking about how revelation of the source will open Windows up to hacks. In an ideal world, knowing how good code is written shouldn't give away the 'hacks'. In this case, MS is rightfully fearing review of places where they fail to check string lengths or buffer sizes, the way that they handle exceptions (if they do), the way that their logic copes, or fails to cope, with unexpected input.
However, good code wouldn't have this problem, string lengths would be checked, there wouldn't be hardcoded passwords, components that are not supposed to trust one another really don't, etc.
This exposure of the source may reveal just how crappy their code is. If it's not crappy, I don't see necessarily how it's more 'hackable'. Apache is open, and nobody hacks it to pieces on a daily basis. Can you imagine what would happen if the source of IIS was leaked?
I want to delete my account but Slashdot doesn't allow it.
SCO is adding Microsoft to its suit, claiming portions of Windows NT are software to which SCO holds the license and which were used without its permission. SCO declined, however, to say what specific lines of code were involved in its claim.
Bureaucracy loves company.
If this is true, then I suspect that the list of possible culprits is very short and some poor sap who didn't think things through is going to be in *very* hot water indeed early next week.
UNIX? They're not even circumcised! Savages!
Mainsoft specialise in cross-platform development, enabling developers to develop using MS tools for deployment on *nix. Interestingly, for the conspiracy theorists, their previous mentions on /. date from 2000 and center around rumours that they were porting Office and IE to Linux. More news on the leak from Internetnews.com and The Register.
The code is said to be W2k-SP1.
This may be a little paranoid, but is it possible that this whole thing is a honeypot, and now MS can go around pulling SCO type stunts on OSS projects?
Lots of petrified grits
Is it just me or does this smell like a stealth PR stunt to you? Gee... source code gets leaked... this hits a few communities right in the nose. Now MS can say "See, open source is bad because all these new viruses are made because our source was leaked" and "File-sharing is bad because this is how this is moving around the internet". It's just too conveniently making MS look like a victim.
FLR
Heck just go for it and make it part of KDE and Gnome !
If you work on open source... or anything else for that matter.. DON'T TOUCH THIS WITH A 50-FOOT POLE!
This is an exaggeration. YES, you are legally safer if you don't look at that code. Or any code for that matter.
But this idea that looking at someone else's source code would permanently and irrevocably taint you and make it impossible to work on any open source project is just ridiculous.
BSD was written by people with the full sources to Unix. People with Unix source licenses have contributed to Linux too.
AFAIK, no one out there is planning to use this to build a Windows clone. If they did, then they might be in trouble.
But if someone uses this for documenting previously undocumented APIs, and that documentation is subsequently used to improve windows emulation (for example), that is legal.
(With the exception of the copyright infringement necessary to acquire the leaked source)
Now, trade secrets and patents are a different matter, but you can infringe on those without looking at any MS source as well.
``It seems unlikely this is going to create a material, significant security problem,'' said Rob Enderle, a technology expert and principal analyst with the Enderle Group. ``It's more embarrassing than anything else because it makes it look like Microsoft can't control its code.''
It's disappointing to see such lazy reporting from the Times.
*** "Freiheit ist immer die Freiheit des Andersdenkenden". -- Rosa Luxemburg ***
Since we all agree that all code has bugs in it and since this code is out we can safely assume that some bugs will be found.
Now all the white-hat hackers are prevented by law to take a look at the code and since all black-hat hackers don't give a damn about that law, those who run windows are in a pretty bad place right now. Even worse than usual actually.
Oh well, the windows admins who like working overtime will love the coming year I suspect.
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
I think the most fascinating part of this whole fiasco is the fact that code for Microsoft "Bob" is still prevalent throughout the source. I can only wait in anticipation as the open source community takes advantage of this and quickly puts out its own variants.
Emerge Bob
I've given this topic considerable thought, and here are the possible conclusions I've reached.
1) MS will use this source leak in the future to claim that various open source projects (Samba, Gnome, KDE, OpenOffice(?), linux) that get new features which MS finds competitive are 'derivative' works, regardless of whether or not the developers actually looked at the source.
2) There will be enough people looking at this source for large portions of the code's functionality essentially entering into 'public domain', with people writing up how the components work. It will be essentially impossible for anyone to do 'virgin' development on 'windows-like' features for anything, as the information on precisely what the Windows version does will only be 2 steps of association from the programmer.
3) MS will pull a 'patent' or 'trade secret' violation claim on Samba/Linux/GNOME/KDE, in addition to pulling the .NET framework out from underneath the Linux community (by claiming patent infringement again). Two shovels of dirt on the grave of linux.
From my interpretation, this all seems quite feasible given current legal atmosphere. Any lawyers here have a comment on this?
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Microsoft has a company policy that Microsoft developers may not read GPL source. They have this policy precisely to avoid this type of contamination.
'Independent invention' generally does not happen in the domain of copyrighted works -- if the developers of B have never read the source of A, or anything derived from A, it's pretty sure that B will not look like A. Thus, if Microsoft's employees and contractors follow their policy, then no Windows code will look like any GPL code, ever.
[ I unintentionally posted as an AC first - hopefully it's interesting enough that I get more interesting mods than redundant.]
What about the .eml files? You wouldn't have those in Linux.
That's as stupid as saying that I can't look at GPL'ed source code because it would forever taint my ability to be able to code anything outside the GPL.
-If God wanted people to be better than me, he would have made them that way.
This is not a trivial problem.
Though many of us - myself included - would not mind a peek into the collective mindshare of the Evil One, one cannot look into the abyss and return unchanged.
Sorry. Debated last night with philosophy majors. They won, six shots to five black and tans.
To translate it bluntly: This is still copyrighted code, owned by Microsoft. Duping even their "badly-written routines" into an innocuous place may lead to an SCO-esque attack in the near future, claiming violations in certain filesystem and mounting routines, or possibly something involving Samba, or a myriad of other wincompatibility issues.
It feels like a tactic that may be conceived by some bright bulb in MS Legal to bring conflict to the competition, or at least stifle development past current kernels.
I am starting to get the shakes that I get in a poker game when my all-in bet is called when I have pocket kings. (Last time that happened, the opponent had A-J suited. He flopped aces-up. I swore loudly.)
I am not a lawyer. I play one online, and I'm studying for the patent bar, but I don't pretend to dish out legal advice. Still, if I go all-in, I have the goods.
I used to be someone else. Now I'm someone better.
Real life is underrated.
Isn't it interesting that the source for many projects is wide open ... and we don't have people running around with their heads cut off like the end of the world is coming.
So - which is it? Is closed-source or open-source more secure?
Looks like now we'll have the chance to find out!
Notice the leak came from 'a linux computer'..
Nice way to suggest it's that damned linux that is to blame. At least to the common man, the linkage will be subliminal, but it will stick.
It's almost as bad as 'a red ford suv ran over the child' or 'the gun killed the intruder'..
---- Booth was a patriot ----
hello this is the world calling, 191 countries don't really give a shit about PATRIOT acts or any other usa rubbish
enjoy your stay
Everyone's saying this like it matters if you look at it or not.
Just because there is probably no stolen code in the linux kernel didn't stop SCO. Just the possibility of impropriety was enough to cause an uproar.
MS, as of Feb 10, has an ace in the hole against open source and free software - and they will use it whether or not you look at the source code, and whether or not your future works look anything like this tiny snippet. Just the leak will be enough for them to create more FUD.
Has anyone taken a look to see if the old rumors that Win2K is more stable because it uses open source code are true? If so, would that make Microsoft in violation of the GPL?
This is...
O
U
T
R
A
G
E
O
U
S
!
Or an idiot developer working on a linux box happened to check in the core file with other work.
I've seen junk like that before, so it's entirely possible.
The funniest part of this whole thing has been the industry pundits explaining the ramifications of the source release in various media outlets.
The best I've seen today is on crn.com by some joker named Winell from Econium. He manages to say with a straight face:
Mr. Winell has obviously never used Windows ME if he thinks Microsoft quality control prevents "bad releases". You know Econium must be a real player when the title of their home page is "Welcome to Econium who is a solutions provider."
The classic yesterday was Laura Didio from Yankee Group comparing OSS hackers to suicide car bombers.
Nothing like an embarrassing Microsoft moment to get the "experts" out from under their rocks.
In a related story, Linus Torvalds was forced to announce today that the source code for the Linux operating system was made public on the Internet.
"We're not sure how it was leaked. What's up there certainly looks legitimate, and we've had some reports that some of it even compiles. It appears it may have been leaked back in August, 1991, originally to an FTP server in Finland."
There are at least 3 servers that appear to have Linux source code available, although online discussions indicate that there may be many more. There is speculation that the code can be acquired through FTP, Gopher, HTTP, Bittorrent, Rsync, SMB, NFS, AFS, Freenet, and that people may even be _selling_ CD's and DVD's with the code.
SCO was quick to comment that "After they copied those 5 lines from one of our header files, the {deleted} deserved it. As soon as we find a person in our company that knows how to download a file, we'll be comparing every line of Linux to this stuff we bought from AT&T. Oh hey! We've already found something - they copied the word '#include' from us!" The phone interview was cut short as Mr. McBride was called away to launch a new lawsuit.
Law enforcement agencies have been contacted and are investigating, but the process is slow as the officers are heard to exclaim "Wow, it has a GUI?", "Damn, this is stable - I can't crash it at all!", "Whadda you mean, Office is included?", and "How do I turn off the grappling hook and use the rocket launcher?"
Mason, Buildkernel and more: http://www.stearns.org/
The article doesn't say it was *stolen* from a Linux box, it just says that an analysis of the files suggests that it had come from a Linux box. For example, the image could have been a CD that was burned on a Linux box, and then misplaced. And given that Mainsoft's work is "Windows on *nix" I'd be surprised if they didn't have a few Linux boxes around ;-) As things stand, this says absolutely nothing about Linux security.
/*
* winnt.h uses these totally screwed up structure names.
* Does anybody speak Hungarian over there?
*/
I'd like to use this as vindication for all the times I've been criticised for my comments.
Zip files are rarely used for distributing source code amongst the Linux/Unix community because compressed tar files are far more efficient.
zip -r source.zip /usr/src/linux-2.4.22-1.2149.nptl
ls -l source.zip
-rw-rw-r-- 1 build build 49091705 Feb 14 06:20 source.zip
tar cjf source.tar.bz2 /usr/src/linux-2.4.22-1.2149.nptl
ls -l source.tar.bz2
-rw-rw-r-- 1 build build 31964979 Feb 14 06:23 source.tar.bz2
tar czf source.tar.gz /usr/src/linux-2.4.22-1.2149.nptl
ls -l source.tar.gz
-rw-rw-r-- 1 build build 40689187 Feb 14 06:31 source.tar.gz
The resulting tarred archive compressed by bz2 is around 35% smaller than the zipped source. With the exception of the jar format for java classes, the zip format is rarely used by Linux/Unix developers for distributing source code.
IMO this points to the source code being lost from a Microsoft based platform.
A low Slashdot user ID? *sniff, sniff* Well... that's just the nicest thing anyone's ever said about me! I feel so happy ... thanks anonymous coward!
Dlugar
Computer Go: Writing Software to Play the Ancient Game of Go
i can't reiterate how stupid all this fear is ....
check out this alternate universe:
musicians are fucked. apparently, we can't look at other people's copyrighted music without 'tainting' our ability to write original music.
everybody from bach to bon jovi is now in violation of copyright law. musicians have henceforth been instructed never to look at somebody else's music lest they be sued later for copying the notes and rhythms.
harumph. this is ridiculous.
"Old man yells at systemd"
if it's the 15% that works
Does Windows have even 15% that works???
I always thought Windows kinda creaked and groaned as it crawled along the information highway. Windows kinda reminds me of a Wile E. Coyote device for catching the RoadRunner, complete with parts falling off as it moves along until, just as the objective is reached, kerplowwie...it falls all the hell apart.
So tell me...how does it feel to be Wile E. Coyote?
SELECT * FROM User WHERE Clue > 0
0 rows returned
ask yourself why it isn't on the front page of cnn? Or at least on the front page under technology. Isn't the microsoft source code leak a bigger story than some silly write up on stock market AI and the FCC screwing with the internet?
Microsoft is after all the largest tech company in the world, and windows is its flagship product. I wonder why this isn't being covered more by the mainstream press. Maybe it's my geekiness talking, but this is a big story at least the biggest tech story of the day.
You could download the windows source code and have it sitting archived on your hard drive without ever looking at it. But if you independently write code that does something like windows does, and there is a copy of the windows source code on your hard drive, what do you think a jury would think?
The only GPL software I'm aware of MS distributing is with Unix Services For Windows (formerly interix) -- gcc and some other command line tools. You can bet big bucks the people that compile gcc don't do any work on VC.
Do you even lift?
These aren't the 'roids you're looking for.
Does that mean *BSD is finally, after all that, dying?
sulli
RTFJ.
"Finally, this is very important: If you propose to continue working in the IT industry, and somebody offers you a look at the source, just say no. Remember - if you learn too much about the internals of Microsoft products, you may find yourself unable to work for anybody except Microsoft. Yike."
*sigh*
There's one essential difference. *Anyone* can look at the Linux source, white and black hats, so, although it might make it easier for the black hats to find holes, the white hats can also find them and, more importantly, *close* them. With the leaked Windows source, the white hats won't look at it out of fear of legal repercussions, and, even if they were to do so and find a potential hole, they can't do shit about it if MS doesn't feel like dealing with them, whereas if they find a hole in the Linux kernel, they can submit a patch, and, even if their patch isn't accepted, anyone else can then go and write one, one of which will be accepted. I can patch MS's code all I want, but it could never get accepted into the actual OS.
A Minesweeper clone that doesn't suck
has anybody attempted to use the code analyzer that was developed for the SCO / IBM case. it would be interesting to see if there were any similarities between MS code and the multitude of OSS code.
Why did I lurk so long before registering for a Slashdot account? I could have had a Slashdot ID of less than 100000.
Obviously the only answer for companies stuck with M$, move to XP
No. Windows 2000 is NT 5.0, XP is 5.1 and Server 2003 is 5.2. Notice the minor version bump which indicates that all these releases share a lot of code.
It is reasonable to think they want to have users switch to Longhorn (does anybody know if it will be NT 5.3 or 6.0 ?), but then the leak occurred too soon, for they're not ready yet.
Karma cannot be described by words alone.
And you think the entire community, including IBM and other companies that have bet the farm or at least huge sums of money on OSS are just going to roll over and take it?
If the lawsuits get too frivolous, not even Microsoft will be immune to countersuits, plus such massive lawsuits aren't going to be "free" in reputation terms, either. ("Gee, if all Microsoft can produce is lawsuits, maybe they aren't such a leading company after all?")
Besides, so they prove some small chunk of code is encumbered. (It is virtually inconceivable that huge chunks of code will make it in.) So we rip it out and keep going. Killing any given iteration of Apache may be possible, but taking down the entire thing legally is going to be quite a feat! (And remember that unlike SCO, Microsoft is limited by the fact that they are still selling software; they can't for instance go after the GPL in a really serious way because they'd likely end up invalidating their own licenses; "Unenforceable GPL" is good FUD but would be an atrocious court strategy for them!)
It's not hopeless, not by a long shot. I won't say they couldn't make a real annoyance of themselves and I won't say Total Open Source victory is some sort of inevitability, but it's not hopeless.
...are provided by noisehole in this post from yesterday's discussion. He reckons Betanews lifted the analysis from his post.
Say, a retired programmer took a look at the leaked Windows source code then published a "code specification" that another (still employed) programmer could look at and then write a program to meet that specification. Technically, he never saw the source code, in fact, he need never even know that the "code specification" was inspired by the leaked Windows source. ...just thinking out loud, as it were....
A goal is a dream with a deadline
The expanded contents of the zip file is around the size of a single CD. This points to the contents being originally distributed from Microsoft on CD-rom.
Microsoft has made so much fuss about retaining control of the source code. In May 2002, under oath at the antitrust hearing Jim Allchin, group vice president for platforms at Microsoft, stated that, because the Windows operating systems contained inherent flaws, disclosing the Windows operating system source code could damage national security and even threaten the U.S. war effort.
It's going to be interesting if it is subsequently found that Microsoft itself has been distributing said source code over the internet in zip format.
By the way, In February 2003, Microsoft signed a pact with Chinese officials to reveal the Windows operating system source code. Bill Gates even hinted that China will be privy to all, not just part, of the source code its government wished to inspect.
Despite gaining more favored trading status with the USA, there remain many embargoes over technology transfers which could put the US at future risk.
Either Jim Allchin lied under oath, to prevent code revelation being any part of the settlement, OR the Microsoft corporation is behaving traitorously, by exposing national security issues to foreign governments.
The exposure of Microsoft source code put users at risk because of the inherent design and implementation flaws built into the source code.
In comparison open source development practices enable open source distributions and users to evaluate the source code from the start. This forces developers to build in security from the early outset of each project or risk abandonment for more secure alternate solutions. End users can participate in the development process.
No, one reason Linux/*BSD/etc. are more secure is because the source code has always been available, and has been reviewed and hacked by thousands of people for 10 years. The source didn't just show up on the Internet yesterday.
If Linux's source had been developed in secret for the last ten years, you better believe its sudden revelation would lead to the discovery of new vulnerabilities and exploits, and that's exactly what will happen to NT/2000/XP if there are any substantive pieces of the OS in the partial source that has been released.
Microsoft is downplaying the whole situation as an intellectual property issue, but I don't believe it. It will likely result in more vulnerabilities and exploits against Windows. Microsoft execs have been saying for years that revealing Windows source code would make the OS more vulnerable to attacks.
OK, the cat is out of the bag. Yeah this sucks for Microsoft. Yeah OSS developers need to stay away. But has anyone seriously considered reverse engineering the code? I mean if some self sacrificing developer was to check out the code and write up some specs it could prove to be helpful to such projects as WINE, Samba and ReactOS without their respective developers ever becoming tainted (dirty dirty ;). Obviously IANAL nor do I read Groklaw regularly and this is a little different than what Compaq (if memory serves) did with the original x86 BIOS but wouldn't a double blind reverse engineering still be legal?
They get paid for the first 40 hours in a week, then the other 60-70 hours is for the fun of it all.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Oh come on. This is just their way of complying with the anti-trust regulations, opening up the API's and stuff. ;-)
my other sig is a 500 page novel
First of all, look at the number of files and the amount of data that were leaked: Some 30,000 files, 660 MB worth of data. For reference, the entire source weighs in around 40 GB and 40 million lines of code. Then look at what portion of the OS it was taken from: Windows 2000 Service Pack 1, released around the end of 2000.
Now, before you start thinking "zero-day" or any such doomsday thought, keep in mind that this stuff is almost four years old and does not figure even 1% of the total code. If it had been a solid 50% of XP's or Server 2003's code, I can understand the concern.
The best response in this case is still: Keep patching those servers and workstations, and watch for announcements from Redmond. There is no need to be any more alarmist if you are already running Windows and are following good security practices.
It's evil!
Heh, I thought your comment was going to be a Time Bandits reference.
I think this is FUD within FUD, to try to generate some ill-will towards Linux, as if the computer running Linux had something to do with the code being put on the Internet by a HUMAN process.
if they work too long they get fined (look at the parking ticket on ebay...)
I'm going to show my complete and total ignorance of programming here... but how can there be 40GB of source for a product that doesn't even half fill a 640MB CD? Even if you add in all the variants and patches, it doesn't approach a significantly larger fraction of 40GB.
MS has said for years that Linux is more vulnerable because the source is out there yet now a chunk of 2k (aka XP) is out there and it's "no big deal". Sorry but XP is 2k with eye candy and an improved kernel. XP wasn't a new OS from the ground up and knowing how poor a job MS does with finding security problems I don't see how logically you can say this is anything but devastating. 15% of the source code for Microsoft's newest OS is floating around the Net. That is a big deal.
I don't know why I expected Microsoft to finally act like an honest company and tell the truth here, but they are in even worse denial than we originally thought if they think we are buying the no big deal line.
If you wanna get rich, you know that payback is a bitch
For the kajillionth time, putting GPLed code into a proprietary codebase DOES NOT make the whole thing GPLed. If MS did put GPLed code into one of their products accidentally or otherwise and then distributed it, that is copyright violation. The GPL does not rely on contract law and therefore CANNOT specify the penalty for violating it. Since the GPL is a straight copyright license pure copyright law applies. This means MS' hypothetical penalty would be between them, a court of law and the aggrieved FOSS project.
The judge in such a case is unlikely to order MS' codebase GPLed. MS would have to either put out a sanitized patch for the code in question or pay the developers for an alternative license. The exact circumstances of the case would determine what if any punitive damages MS would have to pay in addition to recompensing the developers.
MS would have the OPTION of making the entire contaminated codebase GPLed to satisfy the license but I doubt they would take that option. They could do it for the FUD value but since the aggrieved FOSS project wouldn't accept that as a settlement, MS would just have to do something else. Imagine that! A FOSS project could rule out an MS product being GPLed to PREVENT harm to a project or FOSS in general.
the best example of BSD code in Windows (all versions I think) is the ftp.exe file... Just open it with notepad and search for:
"Copyright (c) 1983 The Regents of the University of California. All rights reserved."
And I think the TCP/IP stack is also based on it (they would be really stupid to do otherwise)... But I think this is all old news...and it's all very legal in case you didn't know
I live in Soviet Canuckistan you insensitive clod!
___FutureShoks___
The Xbox kernel + SDK source code leaked over a year ago. The Xbox source that was stolen is complete enough that at least one warez group - Xecuter - has compiled customized kernels from source. If you look at their compiled version, it is very obvious that they didn't do patches to make their hacks.
The forcedeth driver authors have ignored the many emails to them containing the nForce register list and documentation from the leaked Xbox source code.
WINE has ignored emails to them about the real name and purpose of the SystemFunctionXXX calls in advapi32.dll. (The header file doing the #define's to rename them was in the Xbox source, supposedly.)
anonymous woman
This seems to be a popular opinion, but it is false.
You are buying into the same FUD Microsoft is spewing about the GPL.
Just looking at the code does not "taint" you. There are plenty of ex-Microsoft employees who have looked at Microsoft source code and have then contributed to non-Microsoft projects (not just OSS, but closed-source from competing companies). Really, are you claiming that a coder that has seen Microsoft's code is legally impossible to employ except at Microsoft? What if some poor sap has seen both Microsoft's code and a competitor's like Sun's? They can't ever work on software again anywhere?
Conversely Microsoft hires people all the time that have looked at GPL code. They don't seem worried that these people are "tainted" despite the fact that their public announcements would seem to indicate that it is impossible for such people to work there.
The person/company in trouble is the one that made the code available. Apparently this is somebody at Mainsoft, who should be punished hard. This sort of behavior is extremely damaging to IT!
Guys, let me warn you, this is nothing to laugh about! DON'T TOUCH THAT STUFF! Two of my friends work in Motorola research laboratory. Yesterday one of them downloaded the code at home and then they both looked at it. One of them was lucky - his retina burned the second he saw the code. The second did not escape that easily. His eyes glued to the screen, his hands typing madly... the paramedics found him 20 minutes later clutching the mouse and writhing in agony. After 2 hours in intensive care he (or, rather what was left of him) was sent home. Today, after they were not let into the office building, both of them got pink slips by courier mail.
A cousin of a girlfriend of my former classmate yesterday went to the university computer lab to print his essay. He caught a glimpse of some code on the screen and didn't even think about it for a second. When he returned home, he logged on to sourceforge.net and before anyone could stop him, he tainted a dozen software projects there. Shit, two perfectly good Xeon servers had to be scrapped and replaced with clean machines in a hurry.
That's just crazy, this code is the strongest shit I ever saw... oh, fuck, forget what I just said - "the strongest shit I ever heard about and never saw". It's worse than the GPL, it taints your code so quickly you can't even notice that. PLEASE, FOR THE SAKE OF EVERYTHING GOOD IN THIS WORLD, DON'T DOWNLOAD THE CODE.
Copy this message and send it to all your friends! You need to warn them not to look at the code! POST IT ON FORUMS AND MESSAGE BOARDS! THIS IS AN EVIL PLOT TO TAINT ALL CODE IN THIS WORLD! DON'T LET THIS HAPPEN!
Future Wiki -- If you don't think about the future, you cannot have one.
Looks like now we've got a little issue here:
Some might believe MS has incorporated GPL'd code into windows.
However, in order to ascertain whether or not this is the case, and to provide proof, one would have to grep through the windows source. However, one cannot do that without violating MS's proprietary license. One cannot learn if MS is using GPL'd code without first subjecting oneself to a flurry of lawsuits...
But of course MS/SCO can look at GPL'd code whenever they want, and scream "They Stoled Our Source Codes" at the top of their lungs.....................
Defenestrate Windows...
I have read a few articles on this, and most misrepresent why this could be very bad from a security issue as compared to Open Source Software.
First, just because you can see the code does not make a product less secure (in theory anyway). With Open Source Software, everyone can see the code and find flaws, but anyone can also submit a patch to fix the flaws.
With this Microsoft source code, anyone can find flaws and security issues, but NO-ONE would dare to send Microsoft a patch in fear of litigation.
Well, it seems to have worked.
--
If I actually could spell I'd have spelled it right in the first place.
Hey, sorry but I wrote this and want to have my name on it. Ignore my AC post please. Contrary to what most posters here are advising, maybe we should set up a group, like a division of Groklaw for example, that has as much leaked closed-license code as possible.
The purpose of this closed-license division would be to run independent comparisons of new OSS contributions against a library of leaked closed-license code to ensure nothing gets slipped by the project managers and poisons the project source.
I was initially going to suggest that the project manager do this comparison, but that would be too risky for the project (closed-source legal teams might have a go at it). Instead using a trusted OSS community party to do the checking saves us the hassle of each project manager having to download all the latest leaked closed-source. The "source-notary" would have a central repository of leaked material, which would not be redistributed by them, only made available to the original authors and for use to run comparisons on new OSS project code submissions and therefore avoid having a company pay a developer to salt the OSS project with leaked code.
I think this is a pretty mature way of handling this and should satisfy all parties.
Isn't it traditional for someone to post a bittorrent?
Wikileaks, no DNS
This is from their web site:
Statement to the Media Regarding Microsoft Source Code Leak
Mainsoft has been a Microsoft partner since 1994, when we first entered a source code licensing agreement with Microsoft. Mainsoft takes Microsoft's and all our customers' security matters seriously, and we recognize the gravity of the situation.
We will cooperate fully with Microsoft and all authorities in their investigation.
We are unable to issue any further statement or answer questions until we have more information.
From Mike Gullard, Chairman of the Board, Mainsoft Corporation
=^..^= all your rodent are belong to us
I wonder how many people on /. will start using comments or code snippets from the windows source in their sigs?
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
Having the most widely used program in the world be closed source opens a company up for all kinds of problems. But this is to be expected when the source is also vital for low-level system developers to make programs that access the OS. MS can only have it both ways (Closed source, large software development community w/ source access) if they monitor computer security for any company with source code access.
It is impossible for every company to be unhackable and have every developer be moral and ethical. We already discussed that programmers leak confidential information about abused welfare children, Apple system APIs, and that large companies like Valve can get hacked and lose the source to a video game with huge development costs. Isn't it safe to say that the leak of this source is inevitable? I would be really interested to see if a lawyer could prove that this is an inevitable incident and MS should have assumed a liability like this would occur. What were the minimum req. of the code repository and network security?
The other side of the coin is that MS can sue Micro**** that leaked the code for the 3 years of support on W2k that they are going to be at risk with over possible security threats because any hack can now create breaches in security, with the ability to see where buffer overflows are created in the code and such.
- Kill Yourself, spare us all! -
Only w/ Microsoft will you find the code "escape". It may not be the smartest code... but it's united in its resistance.
"The truth suffers from too much analysis"
I think everyone has seen the creepy creepy creepy plunge the S&P 500 has taken the September 10th, 2001.
But just looky at the MSFT chart, specially if compared with the S&P 500 chart plot for the same period.
MSFT has dived a whole 10% in one week.
Yes, it's nothing as obvious and strong as the September 10th mini-crash, but leaked sources don't exactly mean the same as the world as we know it being under attack.
Just clicky the charts.
There are two major problems blocking Linux uptake on the desktop. The windows binary pool is huge, and the lack of standards of packages, menus, interface etc on Linux.
Now if the WINE project can be merged with this source code, or if the raw hardware interfaces of Windows are translated to linux APIs to make it something like usermode linux only windows binary emulation in windows using windows source code, that will fix one part of the problem. I believe the other part, standardizing packages and the GUI will eventually happen...
With these two problems fixed, there's no reason Dell and HP wouldn't sell and promote Linux on laptops and desktops as the standard.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Microsoft has great "flextime". You can work any 80 hours per week you want.
You either the follow the path of science or you don't. Everything in between is hypocrisy.
What the theists say (and what you claim in your last paragraph) is true. BUT 99% of science is like that. The vast majority of science is THEORIES (not laws; not facts). You cannot really "prove" many things. For instance, can you prove that the radiation and light emitted by the sun is due to nuclear reactions occurring within the sun? Not really. We have never gotten through the surface (any probe will melt long before it gets through the surface). All we have are theories. For all we know, some aliens living in the center of the sun might be responsible for releasing the radiation and heat.
Can you prove that the tectonic plates underneath the surface of the earth cause earthquakes? Not really. It's just a theory. It's based on our best understanding.
Can you prove that matter is made up of particles? Not really. It's all based on indirect observation and theories. The way things are going, it might even be so that particles don't exist*; all you have are strings. Strings cannot be "proven" but that seems to be our best theories right now (actually, strings haven't been widely accepted yet; however, I expect them to be accepted within 20 years).
The same thing goes for theories relating to biology. Yes, you cannot prove the theory of evolution, natural selection, or anything like that. But that's our best models.
So the point that you are making (i.e. need to emphasize appearance) is totally irrelevant. Strictly speaking, 99% of science is appearance. If you follow the path of science, the theist argument of "evidence" is moot--because you hardly ever prove anything (even observational evidence can be wrong). If anything, the theists will disagree EVEN if someone observed it. After all, theists still don't support the view that the universe is billions of years old (religion says a few thousand (Christianity) to a few million (Hinduism)--all wrong).
FOOTNOTE:
* By particles not existing, I'm referring to the view that everything in the universe is composed of strings (re: superstring theory; M-Theory). What we thought of as particles are the results of the oscillation of the strings. NOTE: I'm not a scientist but that's my understanding of it.
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
You might have forgotten how recently the last great leak of source code occurred.
October 2003: Valve Software, Half Life 2 source, Microsoft Outlook
March 2000: Microsoft, "Whistler"/XP source code, QAZ Trojan. The QAZ Trojan was confirmed as the source of the leak. http://torrent.spyderlake.com/download.php?info_hash=66a26447f563c3dc2336de74ae37dc14d11dd8b9
A female journalist mentioned she viewed the code and found snippets of foul language in the comments.
First of all, would Microsoft contract their code with curses to foreign governments and large corporations? If so is it possible that the copy was leaked directly from Microsoft or that the leaker inserted those comments?
Second of all, isn't it illegal even for a journalist to download illegally distributed source code?