Slashdot Mirror


Microsoft Warning Leaked Code Traders

An anonymous reader writes "Broadband Reports notes that Microsoft is now sending snail mail warnings to downloaders of the leaked source code. They're also apparently working in conjunction with several un-named peer to peer vendors to send out legal warnings to any users who search for the leaked code. The notice on Microsoft's website has been updated to reflect the new warnings."

31 of 833 comments

  1. kazaa, bittorrent, emule/edonkey? by frenetic3 · · Score: 4, Insightful

    is kazaa one of the vendors? is there anything they can do about emule or edonkey users?

    the latter seem to traffic especially in things like leaked source RARs, and since most of the central servers are overseas and operated independently (and 'overnet' seems truly peer to peer with no central servers), it would be tough to crack down on them, besides having a bunch of fake clients that harvest IPs. anyone know if they do this?

    (i imagine the same concept would apply for bittorrent downloaders -- except BT relies on central tracking servers which would be comparatively easy to shut down.)

    seems like a natural, uh, application, for the freenet project ;)

    ah well. it's kinda scary that even the largest/richest software co in the world can't stop the spread of their IP, and that it takes only one person.

    -fren

    --
    "Where are we going, and why am I in this handbasket?"
    1. Re:kazaa, bittorrent, emule/edonkey? by bluprint · · Score: 5, Insightful

      So I guess the founding fathers of the US should have been modded down...or Harriet Tubman or Dr. Martin Luther King (and others that broke segregation laws)?

      It's rather unfortunate that people like yourself base your morals on what papa gub'ment tells you they should be.

      --
      A modern day witchhunt.
    2. Re:kazaa, bittorrent, emule/edonkey? by gnu-generation-one · · Score: 5, Insightful

      "You can break the law if it's disobedience against Microsoft, RIAA labels, Disney or any other mean big business. But you can't break the law when it comes to GPL code."

      Odd that, that on a community website, people don't have a problem with attacking those known to be actively hostile to the general public, yet they seem to stick up for projects which consist of lots of normal people giving their time freely for the benefit of society.

      You'd have thought that we should teach people to believe whatever the lawmakers tell them to think. After all, if something is illegal, it must be immoral.

    3. Re:kazaa, bittorrent, emule/edonkey? by pla · · Score: 5, Insightful

      This is slashdot.
      You can break the law if it's disobedience against Microsoft, RIAA labels, Disney or any other mean big business.


      Thanks to precisely the "big business" you refer to, the idea of "do it because the law says so" has lost any meaning. Once upon a time, people respected the law, and usually obeyed it. They respected police, and thanked them for doing a hard job and protecting the community.

      Now, people look at the law as a neverending set of snares that can catch even the most "upright" among us, for things that no one in their right mind considers an actual crime; at the same time, big business routinely engages in activities that even the most "ethically challenged" among us considers an abominable abuse of people and "the system", without committing the least misdemeanor. People consider police mere thugs, officially carrying out the whims of our megalomaniacal AG, and unofficially engaging in far more nefarious activity (rape, torture, extortion, "abuse of position", etc), which their "Policeman's Bill of Rights" makes exceedingly difficult to catch them at, let alone punish them for.

      Possession of a joint will get you a heavier sentence than DUI, yet the government responds by requiring breathalyzers in new cars.

      Downloading a song worth less than $5 leads to a $150,000 fine (payable via bankruptcy or a "mere" $3k extortion racket that even several of our corrupt state SCs have called fraudulently misleading, since it doesn't prevent later suit by the actual copyright holders).

      I could go on, but I don't want to start ranting, and those two seem the most relevant to recent Slashdot posts.

      Basically, society no longer cares what the "law" says, because more and more people realize that the "law" says whatever the Honorable Senator from Disney wants it to say. Using it to defend your position compares well to using a pool of sewage runoff to take a bath in - You don't actually accomplish your goal, and you come out smelling like shit.

    4. Re:kazaa, bittorrent, emule/edonkey? by Stallmanite · · Score: 5, Insightful

      "It's elementary that laws don't decide right and wrong. Every American should know that, forty years ago, it was against the law in many states for a black person to sit in the front of a bus; but only racists would say sitting there was wrong." --Stallman

      from http://www.gnu.org/philosophy/why-free.html

    5. Re:kazaa, bittorrent, emule/edonkey? by Saeger · · Score: 4, Insightful
      I haven't downloaded the leaked source (because I don't care), but I *DID* search for it (on Jigle and NovaSearch) for shits'n'giggles.

      I can't believe that Microsoft is actually threatening to "send out legal warnings to any users who search for the leaked code." Even SEARCHING for it? Please bite me.

      According to Jigle, over 1,600 people are currently sharing the source on the edonkey network, which is quite a lot when compared to the average file (including pr0n vids).

      --
      Power to the Peaceful
    6. Re:kazaa, bittorrent, emule/edonkey? by bfg9000 · · Score: 5, Insightful

      This is slashdot. You can break the law if it's disobedience against Microsoft, RIAA labels, Disney or any other mean big business. But you can't break the law when it comes to GPL code. Mod it flamebait, whatever, but look at the trends of moderations here anyways.

      Yes, you're on SLASHDOT. When you're HERE, you may notice that people support Linux and the Mac (thanks to OS X) and don't really like MS. That's OUR culture.

      Over on the Microsoft-Zealot boards, you'd notice that they support Microsoft's law-breaking as "smart business", while they attack the GPL as communist, a cancer, etc. Don't try to convince us to "play nice" with the people who are trying to kill us, please. Because *they're* not going to play nice, and any "sympathy for the devil" we adopt will end up with us dead.

      --

      I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."

    7. Re:kazaa, bittorrent, emule/edonkey? by Buran · · Score: 4, Insightful

      And why shouldn't the comparison be made?

      The civil rights movement was about protest, peaceably, against laws that were widely seen as unjust. So is this. If you feel a law is wrong, disobey it -- as long as no one else actually gets harmed -- and be prepared to suffer the consequences, but make sure that your experiences get widely publicized as examples of how laws are used to justify things that morally seem wrong.

      Change takes time (a lot happened during the civil rights movement) and a lot of people went to jail for what they did, but in the end, the protests worked. Just because the issues aren't as, er, black and white (pun semi-intended!) doesn't mean some level of comparison isn't valid.

      If no one protests when bad laws are passed, then not only will those bad laws stay on the books but even more bad laws will be passed in the future since it can be 'gotten away with' by those who want to push said laws through.

    8. Re:kazaa, bittorrent, emule/edonkey? by ConceptJunkie · · Score: 4, Insightful

      I think the parent post was saying "That's just wrong." as in "That's just wrong for the U.S. to do that." and then cites examples in other countries where the penalties are more in line with reality.

      If you ask me, the fact that the legislators are considering the Orwellian and moronic concept of a car breathalyzer shows that there is no deterrent against drunk driving, but of course, why bother to enforce existing law when you can simply pass new ones?

      If the U.S. Constitution were written today, it would be 12000 pages long and be understandable by only three people in the world, two of whom would be driven insane and the other would kill himself out of frustration. It's wonderful that the law of the U.S. could be spelled out simply enough to fit on the back of a cereal box. It's a travesty that U.S. law has become so complex no person could ever understand it all, leave alone be able to obey it all. We are all criminals, and when someone in the government wants to get you, they simply need to figure out what obscure, byzantine law you are ignorantly breaking and proceed to enforce it.

      --
      You are in a maze of twisty little passages, all alike.
  2. silly question by deadmongrel · · Score: 4, Insightful

    how are they able to know who's downloading the files from p2p network?
    is that you big bro?

  3. Nothing like security through lawyers. by junkymailbox · · Score: 5, Insightful

    This has got to work even better than security through obscurity.

  4. Re:Don't mess with MS by lambent · · Score: 5, Insightful

    "Don't mess with Microsoft, they have the money and the power to track you down, even on Internet and through P2P networks. And they will, this is just an example and a warning."

    I have the power to track people through P2P, too. I've found people in my apartment complex on the networks. I've even met a few friends that way. Too bad that doesn't mean that I'm a multi-billion dollar company.

    Please note, it is absurdly easy to track people on the networks. It is not indicative of MS power, or their legal muscle.

    As for seeing & having it, one major point is that you CAN. What was once taboo is now freely available (sorta), and people are reveling in like. To draw a completely inaccurate parallel, it's like the sexual revolution of the 70s/80s in the US.

    Otherwise, I agree with your post.

  5. Bad Reasoning by Inhibit · · Score: 4, Insightful

    What will happen when the Linux project servers for the version you use get breached? Or what if there are exploits that can't be fixed immediately?

    Switching off of Windows sounds great to me, as I really dislike using it, but your reasoning sounds a bit flawed. If it's because the software's buggy and prone to exploitation, great. But if it's just because some code got leaked.. and OSS software generally has all the code available all the time.. then your reasoning sounds a little flawed.

    Any software will have flaws. It's inevitable. Knee jerk reactions to those flaws generally aren't a good idea though.

    --
    You're reading Slashdot. Of course you like Linux and pc hardware
    1. Re:Bad Reasoning by The+Wannabe+King · · Score: 5, Insightful
      There's a big difference here. While only the virus writers are looking through the leaked Windows source, OSS is under heavy scrutiny from many parties. Most people who find a potential exploit in OSS will report it to someone who can write a patch, or they will do it themselves. Just look at MS' attempts to stop the distribution of the source, how many able programmers with good intentions will take the risk to read it?

      Of course there are flaws in OSS too, but there's a much greater chance the good guys will find them first.

  6. Re:Freenet by TrollBridge · · Score: 5, Insightful
    Ahh yes, for all those LEGITIMATE uses for P2P networks, such as distributing MP3's and leaked source code, right?

    And Slashdotters STILL don't understand why so many people and companies perceive that most traffic on P2P networks involves either porn, infringed music/movies/software.

    Suggestions like in the parent post do no favors for establishing legitimacy for P2P networks.

    --
    There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
  7. Too little too late... by imsabbel · · Score: 4, Insightful

    The code is out, it won't come back.
    There are hundreds and hundreds of sources in emule, and thousands have been downloading (5k requests the last 5 days). Not to mention irc, ftps, kazaa, winmx and the other stuff.

    As an educated guess i would say that at least 50-100.000 people have the source currently on their harddisc.
    Whoever wants it now has it....

    --
    HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
  8. Stop trading MS codes by Bull999999 · · Score: 5, Insightful

    We should respect MS copyrights just as we expect MS to respect GPL. Sure MS may be dirty, but we are better than them.

    --
    1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
    1. Re:Stop trading MS codes by DragonMagic · · Score: 5, Insightful

      The parent is what people should be saying here. Respect others as you would have them respect you, regardless of how evil/vile they are. MS may be a convicted monopoly and leveraging computer and software companies, but trading their copyrighted code illegally is not justified.

      Don't go to their level. Be better.

      --

      Human nature is the same everywhere; the modes only are different. -- Earl of Chesterfield
  9. law by sacrilicious · · Score: 4, Insightful
    Nothing like being moderated up for encouraging people to break the law.

    If peoples' ability to disseminate information serves as a message to corporations that their attempts to turn the US into a police state won't work, then I can live with that.

    --
    - First they ignore you, then they laugh at you, then ???, then profit.
  10. Past security comparisons between Linux and Window by dpilot · · Score: 5, Insightful

    There have been many security comparisons between Linux and Windows, and the conclusions have always been mixed. One reason is because of the scope of the included software - because it's "free" Linux distributions usually include the kitchen sink, so there are more packages to count security exposures in. Another reason is multiple counting - one exposure across multiple distributions. Yet another factor not well estimated has been the severity of the exposures.

    But these security exposures have all been in an environment where Linux source was generally available for inspection, and Windows source wasn't. A corollary of this is that most of the Linux exposures have been proactively reported, prior to being exploited. With Windows that's not so clear.

    In the future, there's no reason to expect Linux security exposures to change significantly, except through becoming a bigger target because of increased usage. But the fundamentals of bugs, bug reporting, bug fixing, and security haven't changed.

    The future story for Windows is different now, because some source has become available. *Maybe* some people will begin proactive security work on the source, and *maybe* Microsoft will roll that work into fixes. But for certain, others wearing different color hats will be examining that code for security exposures, too.

    --
    The living have better things to do than to continue hating the dead.
  11. Re:I'm skeptical by leerpm · · Score: 4, Insightful

    It is not illegal to view it. It is illegal to download it.

  12. Re:Don't mess with MS by Vainglorious+Coward · · Score: 5, Insightful

    I think people don't really understand what having windows 2000 SP1 source code spreading on internet really means. That's quite important and even if it's only part of the source code it's already enough for the first exploits to appear.

    The author was kind enough to tell us about the first one, but I bet many others did find bugs and didn't report them because they are working on viruses and attacks using them.

    Isn't it interesting that after a few days of access to the source code, exploits are appearing for obvious bugs; yet MS have had the source code available to themselves for years but still managed to neither find nor fix these same obvious problems.

    Note also that in the past, lack of access to the source hasn't prevented the *ahem* occasional exploit being developed anyway.

    --
    My next sig will be ready soon, but subscribers can beat the rush
  13. Stomp out IP by deathofcats · · Score: 5, Insightful

    Microsoft says that it is working with the FBI. How many DIY programmers could ever claim that they were getting help from the FBI to track down people who had pirated their software? This is an example of how intellectual property only exists to benefit the rich and powerful who can get the authorities to do their policing for them. Microsoft has the FBI. I guess the rest of us would have to resort to rent-a-cops and DIY cease-and-desist letters.

  14. Re:Traders or Traitors? by JaredOfEuropa · · Score: 5, Insightful
    More from the MS notice page:
    Subsequent investigation has shown this was not the result of any breach of Microsoft's corporate network or internal security, nor is it related to Microsoft's Shared Source Initiative or its Government Security Program, which enable our customers and partners, as well as governments, to legally access Microsoft source code.
    So it wasn't an inside job, nor was their network compromised, nor any of the shared source partners leaked it. So... how did it get out in the open? The wind blew a stack of printed source code through an open window? The Underpants Gnomes (tm) took it? Someone left a CDROM on the seat of his BMW Z3 convertible and left the top down? What?
    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  15. Yadda yadda yadda by gosand · · Score: 4, Insightful
    We should respect MS copyrights just as we expect MS to respect GPL. Sure MS may be dirty, but we are better than them.

    I don't have their code, nor do I want it. But I realize that even if every single Linux user/GPL supporter refused to look at it or download it, it would still spread like wildfire. People download stuff like this just to say that they have it. I have a friend who is somewhat of a "collector" of things like this. He has no programming background whatsoever, he just wants to say that he has it. (ironically, he is actually in school getting a law degree with a concentration in Intellectual Property)

    The cat-genie is out of the bag-bottle.

    --

    My beliefs do not require that you agree with them.

  16. Makes you think... by mtwalkup · · Score: 5, Insightful
    Statement from Microsoft Regarding Illegal Posting of Windows Source Code

    Last updated: Feb. 18, 2004, 9:00 a.m. PST

    REDMOND, Wash., Updated Feb. 18, 2004 -- On Thursday, February 12, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. Subsequent investigation has shown this was not the result of any breach of Microsoft's corporate network or internal security, nor is it related to Microsoft's Shared Source Initiative or its Government Security Program, which enable our customers and partners, as well as governments, to legally access Microsoft source code. Microsoft reaffirms its support for both the Shared Source Initiative and the Government Security Program.


    Now here's the thought-provoking question of the day:

    If the leak was not caused by a network security breach, a physical security breach, a troubled employee, or its code sharing initiatives; how the hell was the code leaked? They said it wasn't network security, and it wasn't internal security (which takes away a physical security breach or a troubled employee), and it wasn't its code sharing initiatives... Makes you wonder... how the hell did the code get out?

    Answer this and get a cookie.
  17. Re:Don't mess with MS by Crispy+Critters · · Score: 4, Insightful
    "...released source code is horrible for security. Look at OpenBSD..."

    Just maybe there is a difference between an open development process, like OpenBSD, where incremental changes are examined before becoming part of the production code and dumping on the web hundreds of meg of source of a finished product which has an installed base of millions. Open source OS's get security from having many people looking at code submissions and the opportunity to find and fix dangerous bugs before they are exploited. Making a bunch of Windows source code available on the net does neither of these things.

  18. Re:I'm skeptical by Bagheera · · Score: 4, Insightful

    Actually, I believe it's illegal to upload it, rather than download it.

    This is roughly the same as picking up a set of photocopies you see sitting on the curb. Copyrighted or not, you haven't done anything wrong by picking them up, as you didn't violate the author's copyright.

    The person who made the copies is violating the copyright (originally two words, goddamnit!) not the person who picked them up.

    This is one of the issues with the RIAA going after Recipients, rather than Source.

    If I buy stolen goods at a garage sale, and the cops find me, they take them away and give them back to the owners. They arrest the thief, not the poor sucker who bought the goods.

    I'll at least give Redmond credit for issuing warnings rather than subpoenas. Though "Searching for phrase != downloading files I shouldn't have access to."

    --
    Never attribute to malice what can as easily be the result of incompetence...
  19. Microsoft is Big Brother by ztirffritz · · Score: 5, Insightful

    Has anyone noticed that the RIAA has tried for two years to figure out how to connect an IP address to a snailmail address without resorting to subpoenas, yet M$ did it in about 4 days? Has this not raised any eyebrows, made anyone look over their shoulder, or consider buying a Mac, Unix, Linux, OS/2, anything not Microsoft box? In fact I'm probably putting myself at risk just by typing this. Oh crap, they're here already...

    --
    Why doesn't anything interesting happen when I have mod points?
  20. Here's one way MS could find P2P users by Nom+du+Keyboard · · Score: 4, Insightful
    One way Microsoft could be finding P2P users would be to be running clients on all P2P networks with a copy of the leaked code being shared. Then:

    Copy down the IP address of anyone who starts a multi-source download
    Kill the download
    Whois lookup
    Letter to the ISP.

    Of course if they're distributing it in that manner so that the hash codes match, does that qualify as them legally giving it away?

    So has it made it onto Usenet yet?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  21. Re:Traders or Traitors? by Darby · · Score: 4, Insightful

    Given that the code that was released is all older code, I have another reasonable theory about where it came from.

    Remember a while back when it came out that a group of hackers had compromised MS's internal network and had access to it for over a month. At the time they admitted it they denied that the group obtained access to the source code. Of course they would deny it regardless of the truth or whether or not they knew. Basic damage control.

    So say in the interest of avoiding getting too much attention directed at them, perhaps they waited until now to release what they found.

    Just a thought, but it seems as reasonable as their assertions.