Slashdot Mirror
Microsoft Warning Leaked Code Traders
An anonymous reader writes "Broadand Reports notes that Microsoft is now sending snail mail warnings to downloaders of the leaked source code. They're also apparently working in conjunction with several un-named peer to peer vendors to send out legal warnings to any users who search for the leaked code. The notice on Microsoft's website has been updated to reflect the new warnings."
[tin_foil_hat]
I think the title should have read "MS Warns Leaked Code TRAITORS" considering that the code probably got leaked from one of their own.
From the MS Notice page:
Customers running Windows XP Service Pack 1 or Windows Server 2003 who have installed all of the latest updates are not impacted
In other words: "Dear companies running on W2K, please pay for upgrades ASAP. We would like more money. Thanks."
[/tin_foil_hat]
Don't mess with Microsoft, they have the money and the power to track you down, even on Internet and through P2P networks. And they will, this is just an example and a warning.
I will never download the source code and you should better not try too. Anyway what's the point in seeing/having it?
I think people don't really understand what having windows 2000 SP1 source code spreading on internet really means. That's quite important and even if it's only part of the source code it's already enough for the first exploits to appear.
The author was kind enough to tell us about the first one, but I bet many others did find bugs and didn't report them because they are working on viruses and attacks using them.
Let's see what happens in the coming months. I'm already working on the switch from Windows 2003 Server to Linux in my company for this exact reason.
Iraq: war to save the U
is kazaa one of the vendors? is there anything they can do about emule or edonkey users?
;)
the latter seem to traffic especially in things like leaked source RARs, and since most of the central servers are overseas and operated independently (and 'overnet' seems truly peer to peer with no central servers), it would be tough to crack down on them, besides having a bunch of fake clients that harvest IPs. anyone know if they do this?
(i imagine the same concept would apply for bittorrent downloaders -- except BT relies on central tracking servers which would be comparatively easy to shut down.)
seems like a natural, uh, application, for the freenet project
ah well. it's kinda scary that even the largest/richest software co in the world can't stop the spread of their IP, and that it takes only one person.
-fren
"Where are we going, and why am I in this handbasket?"
Once its leaked on the Internet, you can't take it back. People WILL take a peek at it. If Microsoft really needs to be convinced, they should talk to Pam and Tommy :)
Dear Sir, Please, please, please don't look for more exploits in our code! We've got enough already to keep us busy for the next decade or so. Signed, Your pals at Microsoft.
Probably a package that weighs 5 pounds, doesn't open right, has about 2 sentences of actual use, and then crubmles while being read.
I don't try to be right, I just try to make people think
how are they able to know who's downloading the files from p2p network?
is that you big bro?
I thought the thing to do nowadays was to sue the pants off downloaders. Is M$ trying to play good guy warning downloaders rather than suing them?
...don't question it!!!
They're also apparently working in conjunction with several un-named peer to peer vendors to send out legal warnings to any users who search for the leaked code.
Oh my God, that's great.
Anyone want to suddenly start hopping on kazaa and posting spoofed search requests for "leaked windows 2000 code" which appear to be coming from the IP addresses of the White House, the Dennis Hastert re-election campaign, various randomly selected people, entire blocks inside of Time-Warner...
It could be like a p2p reverse honeypot.
Once a few thousand people start getting threatening legal notices from MS for something they didn't do, what happens next?
This has got to work even better than security through obscurity.
Now do you understand why we need Freenet?
Does this mean that Windows is open source. Is it cool to use Windows yet?
But it was kinda buggy.
- - - If the sun is a star, why can't I see it at night?
While it may be illegal to steal source code that is privately held. I don't know that it is illegal to view it once it has been released. Perhaps someone has a more educated viewpoint. But this seems like a scare tactic without much legal standing.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
I was wondering why when I tried compiling it, it stopped halfway through and I heard Madonna's voice scream, "What the fuck do you think you're doing?"
I also reply below your current threshold.
Dear Peer-to-Peer user,
Please do not download our source code or we will be forced to sue you. We are not kidding, we will sue you. Seriously, we'll sue...
Sincerly,
Bill Gates
Reply
Dear Bill.
Please stop poluting the internet with your crappy source. Every time I search for porn now, I get coppies of some crappy pile of shit called winedows or something. Furthermore, don't even talk to me about frivilous litigation bub. I wrote that book.
Besides, your source leak is stealing my valuable press. How am I supposed to dump my stock if I can't pump it first.
P.S. Thanks for the license fees.
Yours in infamy,
Darl.
I am become Troll, destroyer of threads
... or just using the P2P networks, PeerGuardian can help. I reject about 250 requests per day on the Emule network from tracking companies. Here's about 40 minutes worth:
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:49:19)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:50:00)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:50:42)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:56:11)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:56:55)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:57:37)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:59:00)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:59:44)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:00:26)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:08:53)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:09:35)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:10:16)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:18:51)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:19:34)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:20:14)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:28:40)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:29:24)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:30:06)
You can get it from Methlabs.org. Windows only as far as I know.
What will happen when the Linux project servers for the version you use get breached. Or what if there are exploits that can't be fixed immediatly?
Switching off of Windows sounds great to me, as I really dislike using it, but your reasoning sounds a bit flawed. If it's because the software's buggy and prone to exploitation, great. But if it's just because some code got leaked.. and OSS software generally has all the code available all the time.. then your reasoning sounds a little flawed.
Any software will have flaws. It's inevitable. Knee jerk reactions too those flaws generally aren't a good idea though.
You're reading Slashdot. Of course you like Linux and pc hardware
I must have found one of these warnings - when I downloaded "Windows_source_code.zip", all it contained was a
"If you think you have things under control, you're not going fast enough." --Mario Andretti
Seeing that MS is sending out warning to those downloaders, it already knew who they are, thus it could be just a warning to those downloaders that if any exploits were out, they will be the first to be investigated.
Rock that crushes, Paper & Scissors that don't matter.
On Monday, February 16, Microsoft began investigating a reported exploit on versions of Internet Explorer allegedly discovered by an individual studying the leaked source code. This exploit is a known issue that Microsoft had discovered internally and addressed with the latest release of Internet Explorer -- Internet Explorer 6.0 Service Pack 1.
Um, don't usually like to argue semantics, but what was discovered was a security vulnerability (bug) in the code, not an "exploit".
Devising and revealing a method to take advantage of this problem (a virus, worm, bitmap) is an "exploit", right?
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
For those of you still looking for the leaked source code here it is:
#include "windows.h"
#include "system_errors.h"
#include "stdlib.h"
#include "msdos_bugs.h"
char make_prog_look_big[1600000];
main()
{
if (detect_OS2())
freeze();
if (detect_cache())
disable_cache();
if (fast_cpu())
set_wait_states(lots);
set_mouse(speed, very_slow);
set_mouse(action, jumpy);
set_mouse(reaction, sometimes);
set_icons(UGLY);
print("Welcome to Windoze 3.11111");
if (system_ok())
crash(to_dos_prompt);
else
system_memory = open("a:\swp0001.swp", O_CREATE);
while(1) {
sleep(5);
get_user_input();
sleep(5);
act_on_user_input();
sleep(5);
if (rand() < 0.9)
crash(complete_system);
}
return(unrecoverable_system);
}
War isn't about who's right. It's about who's left.
The first companys named for inspection are google, sony playstation and Mac OS X.
I used to work for MacOSX, but they fired me. Now I work for Playstation.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
CTO: 2k isn't safe anymore... you set aside funding for Longhorn, right?
CFO: Yeah, we put $100,000 in 10-year T-bonds yesterday...
-Rob
Marriage doesn't have to suck!
I just don't get it. No security breach. Not related to the SSI, nor GSP. Then how did it leak???? Psychics?
Bite my shiny metal... oops... Nevermind!
... because they put up an archive called "kernel-source-2.6.3.tar.bz2"
No one actually checked what it contained but blindly assumed it was windows. Heh. Funny world.
chris at darkrock dot co dot uk
http colon slash slash www dot darkrock dot co dot uk
A: Why oh why did I register with Insta-Trace?!?
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Holy crap, Microsoft can find your physical mailing address if you download their source code...
Does that mean those people I laughed at in high school for circulating that thing about Bill Gates sending you $100 for forwarding this email were RIGHT?!
Damn, now I wish I'd been stupid enough to send that thing on - I could use an extra hundred bucks.
In post-9/11 America, the CIA interrogates YOU!
It had a EULA shrinkwrapped to it that said "Upon opening this letter I am hereby agreeing to..." so I just tossed it in the trash. I guess I'll wait till one of the letters gets leaked online, then I can just download it.
The only logical inference to be made is that they deliberately 'leaked' it themselves (as already made here and also quoted elsewhere).
A more psychological one is that they are not in a position to observe that there is no logic in their proposition.
CC.
TaijiQuan (Huang, 5 loosenings)
The code is out, it wont come back.
There are hundreds and hundreds of sources in emule, and thousands have been downloading (5k requests the last 5 days). Not to mention irc, ftps, kazaa , winmx and the other stuff.
As an educated guess i would say that at least 50-100.000 people have the source currently on their harddisc.
Whoever wants it now has it....
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
We should respect MS copyrights just as we expect MS to respect GPL. Sure MS may be dirty, but we are better than them.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
If peoples' ability to disseminate information serves as a message to corporations that their attempts to turn the US into a police state won't work, then I can live with that.
- First they ignore you, then they laugh at you, then ???, then profit.
Barn Door
Close
Oh wait.....
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
There have been many security comparisons between Linux and Windows, and the conclusions have always been mixed. One reason is because of the scope of the included software - because it's "free" Linux distributions usually include the kitchen sink, so there are more packages to count security exposures in. Another reason is multiple counting - one exposure across multiple distributions. Yet another factor not well estimated has been the severity of the exposures.
But these security exposures have all been in an environment where Linux source was generally available for inspection, and Windows source wasn't. A corollary of this is that most of the Linux exposures have been proactively reported, prior to being exploited. With Windows that's not so clear.
In the future, there's not reason to expect Linux security exposures to change significantly, except through becoming a bigger target because of increased usage. But the fundamentals of bugs, bug reporting, bug fixing, and security haven't changed.
The future story for Windows is different now, because some source has become available. *Maybe* some people will begin proactive security work on the source, and *maybe* Microsoft will roll that work into fixes. But for certain, others wearing differnt color hats will be examining that code for security exposures, too.
The living have better things to do than to continue hating the dead.
Here you go:
#include <bsod.h>
#include <gigsofdlls.h>
int main (void) {
if ( 1 ) {
BSOD();
}
return 0;
}
After I get my network connection killed
X(7): A program for managing terminal windows. See also screen(1).
Copyrights might have been extended by Congress, but they can still lapse if they aren't defended comensurate to their value.
That's trademarks, not copyrights.
Gates: "Interesting Steve... What's this idea?"
Ballmer: "Well, suppose we leaked the 2K and NT4 sources on the Internet."
Gates: "I'm not sure I follow."
Ballmer: "Think about it. We've got stagnating revenue streams from companies who are still using NT4 and 2000. We've got people continually hacking our software. Are you seeing the connection here?"
Gates: "Sure, I get you: release the source code, so hackers can analyze it to find all the holes. We get free QA, and in the meantime, we can pressure our customers to upgrade to XP, because it's not vulnerable to these source code attacks. Thus, getting more money for us, from people who wouldn't have otherwise upgraded. Brilliant!"
Ballmer: "You're catching on. And hey, I just thought of an extra bonus! We can track down people who actually download the source code and sue them. That way, we get another auxiliary revenue stream from court, make ourselves look good by appearing to 'fight hackers,' and strengthen the hostile attitudes held toward open source software by linking them to our stolen source code! Another inch closer to having a lock-hold on the Supreme Court when they finally make the big decisions about the validity of intellectual property!"
Gates: "Why, this could have a favorable impact on the outcome of the SCO case, could it not?"
Ballmer: "Sure. Those stupid Linux fanboys and their 'take over the world' nonsense. They don't understand who they're playing ball with."
Microsoft says that it working with the FBI. How many DIY programmers could ever claim that they were getting help from the FBI to track down people who had pirated their software? This is an example of how intellectual property only exists to benefit the rich and powerful who can get the authorities to do their policing for them. Microsoft has the FBI. I guess the rest of us would have to resort to rent-a-cops and DIY cease-and-desist letters.
It looks like they have a fairly extensive IP block list. It shouldn't be too hard to get this list to work w/ IPtables.
My question -- will IPtables run "okay" with a few thousand block rules?
Evolution: love it or leave it
I got two calls yesterday from my on-campus network administrator's office asking to speak to my room mate. This is odd because I believe he downloaded it through a DC++ connection, as he seems to avoid bittorrent for some reason. All they asked was that he removed the source from his computer, I don't think there were any other consequences. Anyone else have a similar experience?
I should not talk so much about myself if there were anybody else whom I knew as well. -Henry David Thoreau
why Microsoft isn't so rabid about stopping the spread of Windows XP and 2000 ISOs on filesharing services...
-Jem
I don't have their code, nor do I want it. But I realize that even if every single Linux user/GPL supporter refused to look at it or download it, it would still spread like wildfire. People download stuff like this just to say that they have it. I have a friend who is somewhat of a "collector" of things like this. He has no programming background whatsoever, he just wants to say that he has it. (ironically, he is actually in school getting a law degree with a concentration in Intellectual Property)
The cat-genie is out of the bag-bottle.
My beliefs do not require that you agree with them.
Copyright cannot lapse per se, the right is unconditionally granted and there is no concept of abandonment (which you can do with patents and trademarks): however, if a copyright owner didn't take any action against infringements - when it knew that they were happening - it could be a good arguement that the owner has "allowed" an implicit license to come into effect. This is just a common legal principle of estoppel: if you passively consent to something, it becomes difficult to later turn around and retract.
Trust no one!
If the local state-run university my sons attends is any indication, everybody who wants a copy ALREADY has it!!
My son says that every computer science student he knows already has downloaded a copy and that students are eagerly trading copies among themselves!
I can't seem to find the gigsofdlls header file...
Now heres the thought-provoking question of the day:
If the leak was not caused by a network security breach, a physical security breach, a troubled-employee, or it's code sharing initiatives; how the hell was the code leaked? They said it wasnt network security, and it wasnt internal security (which takes away a physical security breach or a troubled employee), and it wasnt't its code sharing initiatives... Makes you wonder... how the hell did the code get out?
Answer this and get a cookie.
Well personally i find it pretty shitty that some corporation thinks it has the right to tell me what i can and cannot 'search' for. Microsoft, go fuck yourselves, you let the code out, its in the open, you cant make that go-away.
This comment does not represent the views or opinions of the user.
Customers running Windows XP Service Pack 1 or Windows Server 2003 who have installed all of the latest updates are not impacted
The use of the word "impacted" here is classic corpo-Pentagon-speak.
The correct word is "affected." For a person to be "impacted" has an entirely different meaning.
You'd think Microsoft would care about the distinction, since they are so full of shit.
Another inch closer to having a lock-hold on the Supreme Court when they finally make the big decisions about the validity of intellectual property!
Funny, but it's worth pointing out that the USSC is not going to be making any big decisions about the validity of intellectual property... the US Constitution explicitly provides Congress with the right to make IP laws and even provides a brief rationale for them.
What Congress should be looking at, though, is whether or not the current laws make any sense at all. What is really bizarre to me is this notion that you can keep something secret and yet still have copyright protection on it.
The original reasoning behind copyright as we know it (as opposed to the true original reasoning, which was about facilitating censorship by the British Crown) was to enable authors to retain limited control of their published works, in order to encourage them to publish. When you publish a book, the content is out there for the world to see and potentially copy; there's no way to publish a book and keep it secret at the same time, so some legal protections are necessary if we want to enable authors to control and profit from their work.
These "legal protections" are really limitations on what society is allowed to do with the work, in other words, freedoms we choose to give away, and the reason this is a good trade is because (a) it makes more material available now for people to read, learn from and build off of and (b) it ultimately puts more material in the public domain for anyone to use however they see fit when the copyright expires.
Patents are really the same idea applied to a different space: Getting the details of inventions published for everyone to read theoretically encourages more invention. With patents, there's a *requirement* that the details be published, because unlike a book, it often is possible to keep secret the details of a piece of machinery.
Even for copyrights, there is and always has been a sort of a requirement to publish -- under current law you cannot sue over copyright unless you have registered your work with the copyright office, and doing that requires you to submit a copy to them, placing it in the public record. Kind of. In the case of code, you only have to submit a few pages from the beginning and the end. The rationale behind copy registration was primarily to establish ownership, not to publish, because when all of this was set up publishing was just a given. Because that was the rationale, when code copyrights came along it was deemed too burdensome to deal with full printouts of the registered code (because they're really, really big) and, of course, the copyright office wouldn't have had any idea what to do with magnetic media.
So now we've arrived at a situation that cannot have been expected or planned by the designers of the system: You can obtain copyright protection on something that you never published and never have to publish, even when you go to court to enforce your rights. The "trade" is no longer a trade, because society no longer gets to benefit from seeing what it is giving you protection for. There's no requirement that the code *ever* be published, even after the copyright has expired (assuming current copyrights ever will expire).
In my opinion, it should only be possible to obtain protection for what you publish. If you want to keep your source secret and only publish binaries, fine. You get copyright protection for the binaries and you can use trade secret law to protect your source code -- but remember the caveat in trade secret law that once it's published it's no longer a secret, so you can only go after the person who gave it away the first time.
On the other hand, if you want the full protection of copyright law applied to your source code, then you have to publish the code, at least before going to court over it. Publish *all* of it. I don't think the US Copyright Office of 2004 will have any trouble at all understanding how to manage data delivered on a stack of DVD-ROMs.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
From Kuro5hin...
I have something in common with Stephen Hawking...
Once upon a time, people respected the law, and usually obeyed it. They respected police, and thanked them for doing a hard job and protecting the community.
Specifically, that was from 12:30 to 3:45 PM, October 24th, 1955.
Just in case anyone was curious.
Has anyone noticed that the RIAA has tried for two years to figure out how to connect an IP address to a snailmail address with out resorting to subpeonas, yet M$ did it in about 4 days? Has this not raised any eyebrows, made anyone look over their sholder, or consider buying a Mac, Unix, Linux, OS/2, anything not Microsoft box. In fact I'm probably putting myself at risk just by typing this. Oh crap, there here already...
Why doesn't anything interesting happen when I have mod points?
Copy down the IP address of anyone who starts a multi-source download
Kill the download
Whois lookup
Letter to the ISP.
Of course if they're distributing it in that manner so that the hash codes match, does that qualify as them legally giving it away?
So has it made it onto Usenet yet?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
They didnt goto court to supeona the information, how are they getting the home address of people so quickly?
... )
Is that even legal for them to do ( assuming they didnt get a court order.
---- Booth was a patriot ----
An infinite number of monkeys at an infinite number of keyboards....