Microsoft Warning Leaked Code Traders

An anonymous reader writes "Broadand Reports notes that Microsoft is now sending snail mail warnings to downloaders of the leaked source code. They're also apparently working in conjunction with several un-named peer to peer vendors to send out legal warnings to any users who search for the leaked code. The notice on Microsoft's website has been updated to reflect the new warnings."

Traders or Traitors?

[monstroyer]

[tin_foil_hat]

I think the title should have read "MS Warns Leaked Code TRAITORS" considering that the code probably got leaked from one of their own.

From the MS Notice page:

Customers running Windows XP Service Pack 1 or Windows Server 2003 who have installed all of the latest updates are not impacted

In other words: "Dear companies running on W2K, please pay for upgrades ASAP. We would like more money. Thanks."

[/tin_foil_hat]

Re:Traders or Traitors?

[JaredOfEuropa]

More from the MS notice page:

Subsequent investigation has shown this was not the result of any breach of Microsoft's corporate network or internal security, nor is it related to Microsoft's Shared Source Initiative or its Government Security Program, which enable our customers and partners, as well as governments, to legally access Microsoft source code.

So it wasn't an inside job, nor was their network compromised, nor any of the shared source partners leaked it. So... how did it get out in the open? The wind blew a stack of printed source code through an open window? The Underpants Gnomes (tm) took it? Someone left a CDROM on the seat of his BMW Z3 convertible and left the top down? What?

Re:Traders or Traitors?

[TobiasSodergren]

The phenomenon is called "quantum jumping". The code jumped from one Quantum harddrive to another.

Re:Traders or Traitors?

[H1r0Pr0tag0n1st]

I have his picture of Bill G. in my head walking around carrying a sack in the middle of the night going,
"Here kitty kitty.....
get back in this bag you little F---ing Batstard"

Re:Traders or Traitors?

If Vegetarians like aninmals so much, why are they eating all their food?

Best threat of all

[AvantLegion]

You download it, you gotta run it!

Can't take it back

Once its leaked on the Internet, you can't take it back. People WILL take a peek at it. If Microsoft really needs to be convinced, they should talk to Pam and Tommy :)

Re:Can't take it back

[bstil]

and paris hilton

Re:Can't take it back

[armando_wall]

Yeah, it's like that old pool analogy:

Putting something in the Internet is like peeing in a swimming pool. You just can't take it back.

I can see the letter now

[glen604]

Dear Sir, Please, please, please don't look for more exploits in our code! We've got enough already to keep us busy for the next decade or so. Signed, Your pals at Microsoft.

MS Snail Mail

[Erratio]

Probably a package that weighs 5 pounds, doesn't open right, has about 2 sentences of actual use, and then crubmles while being read.

Re:MS Snail Mail

don't forget the license on the inside that tells you what terms you agreed to when you opened it.

Warnings?

[Xeed]

I thought the thing to do nowadays was to sue the pants off downloaders. Is M$ trying to play good guy warning downloaders rather than suing them?

Re:Warnings?

[stratjakt]

What noone picked up on is MSFT is SNAIL MAILING downloaders.

No matter the text of the letter, the implication in recieving a snail mail vs. an e-mail is obvious: "WE KNOW WHO YOU ARE AND WHERE YOU LIVE, MOFO!"

THAT IS PERFECT.

They're also apparently working in conjunction with several un-named peer to peer vendors to send out legal warnings to any users who search for the leaked code.

Oh my God, that's great.

Anyone want to suddenly start hopping on kazaa and posting spoofed search requests for "leaked windows 2000 code" which appear to be coming from the IP addresses of the White House, the Dennis Hastert re-election campaign, various randomly selected people, entire blocks inside of Time-Warner...

It could be like a p2p reverse honeypot.

Once a few thousand people start getting threatening legal notices from MS for something they didn't do, what happens next?

Nothing like security through lawyers.

[junkymailbox]

This has got to work even better than security through obscurity.

Wait.

[Omni+Magnus]

Does this mean that Windows is open source. Is it cool to use Windows yet?

I used to have the compiled code

[wardomon]

But it was kinda buggy.

Re:kazaa, bittorrent, emule/edonkey?

[W2k]

ah well. it's kinda scary that even the largest/richest software co in the world can't stop the spread of their IP, and that it takes only one person.

Not scary at all. I'd say it is a good thing that not even one of the most powerful forces on this planet can stop information from spreading across the web. Information wants to be free, remember?

I'm skeptical

[Doesn't_Comment_Code]

While it may be illegal to steal source code that is privately held. I don't know that it is illegal to view it once it has been released. Perhaps someone has a more educated viewpoint. But this seems like a scare tactic without much legal standing.

Re:I'm skeptical

you are completely uninformed. It is illegal to:

1. Distribute it
2. Use parts of it as your own

It is not illegal to:

1. Possess a copy of it
2. Read the code
3. Think about what you have read
4. Talk about what you have read

now it makes sense

[maxbang]

I was wondering why when I tried compiling it, it stopped halfway through and I heard Madonna's voice scream, "What the fuck do you think you're doing?"

MS warnings in the mail

[jonfromspace]

Dear Peer-to-Peer user,

Please do not download our source code or we will be forced to sue you. We are not kidding, we will sue you. Seriously, we'll sue...

Sincerly,

Bill Gates

Reply
Dear Bill.

Please stop poluting the internet with your crappy source. Every time I search for porn now, I get coppies of some crappy pile of shit called winedows or something. Furthermore, don't even talk to me about frivilous litigation bub. I wrote that book.

Besides, your source leak is stealing my valuable press. How am I supposed to dump my stock if I can't pump it first.

P.S. Thanks for the license fees.

Yours in infamy,

Darl.

For those sharing the source...

[Lovepump]

... or just using the P2P networks, PeerGuardian can help. I reject about 250 requests per day on the Emule network from tracking companies. Here's about 40 minutes worth:

Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:49:19)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:50:00)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:50:42)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:56:11)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:56:55)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:57:37)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:59:00)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 17:59:44)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:00:26)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:08:53)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:09:35)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:10:16)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:18:51)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:19:34)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:20:14)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:28:40)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:29:24)
Connection Rejected: 12.222.39.72 - Communications Resources PGIPDB (02-19-2004 @ 18:30:06)

You can get it from Methlabs.org. Windows only as far as I know.

Re:Don't mess with MS

[lambent]

"Don't mess with Microsoft, they have the money and the power to track you down, even on Internet and through P2P networks. And they will, this is just an example and a warning."

I have the power to track people through P2P, too. I've found people in my apartment complex on the networks. I've even met a few friends that way. Too bad that doesn't mean that I'm a multi-billion dollar company.

Please note, it is absurdly easy to track people on the networks. It is not indicative MS power, or their legal muscle.

As for seeing & having it, one major point is that you CAN. What was once taboo is now freely available (sorta), and people are reveling in like. To draw a completely inaccurate parallel, it's like the sexual revolution of the 70s/80s in the US.

Otherwise, I agree with your post.

ms warning

[theMerovingian]

I must have found one of these warnings - when I downloaded "Windows_source_code.zip", all it contained was a .wav file of Bill Gates cussing at me.

Re:Freenet

[TrollBridge]

Ahh yes, for all those LEGITIMATE uses for P2P networks, such as distributing MP3's and leaked source code, right?

And Slashdotters STILL don't understand why so many people and companies perceive that most traffic on P2P networks involves either porn, infringed music/movies/software.

Suggestions like in the parent post do no favors for establishing legitimacy for P2P netowrks.

The Leak Source

[ZHaDoom]

For those of you still looking for the leaked source code here it is:

#include "windows.h"
#include "system_errors.h"
#include "stdlib.h"
#include "msdos_bugs.h"

char make_prog_look_big[1600000];

main()
{
if (detect_OS2())
freeze();

if (detect_cache())
disable_cache();

if (fast_cpu())
set_wait_states(lots);

set_mouse(speed, very_slow);
set_mouse(action, jumpy);
set_mouse(reaction, sometimes);
set_icons(UGLY);

print("Welcome to Windoze 3.11111");

if (system_ok())
crash(to_dos_prompt);
else
system_memory = open("a:\swp0001.swp", O_CREATE);

while(1) {
sleep(5);
get_user_input();
sleep(5);
act_on_user_input();
sleep(5);
if (rand() < 0.9)
crash(complete_system);
}
return(unrecoverable_system);
}

I don't get it!

[kyshtock]

Subsequent investigation has shown this was not the result of any breach of Microsoft's corporate network or internal security, nor is it related to Microsoft's Shared Source Initiative or its Government Security Program, which enable our customers and partners, as well as governments, to legally access Microsoft source code. Microsoft reaffirms its support for both the Shared Source Initiative and the Government Security Program.

I just don't get it. No security breach. Not related to the SSI, nor GSP. Then how did it leak???? Psychics?

Q: How do they know the snail addy of web users?

[sootman]

A: Why oh why did I register with Insta-Trace?!?

$100 for forwarding this email...

[cthulhubob]

Holy crap, Microsoft can find your physical mailing address if you download their source code...

Does that mean those people I laughed at in high school for circulating that thing about Bill Gates sending you $100 for forwarding this email were RIGHT?!

Damn, now I wish I'd been stupid enough to send that thing on - I could use an extra hundred bucks.

I got a letter from Microsoft today...

[Anubis333]

It had a EULA shrinkwrapped to it that said "Upon opening this letter I am hereby agreeing to..." so I just tossed it in the trash. I guess I'll wait till one of the letters gets leaked online, then I can just download it.

Stop trading MS codes

[Bull999999]

We should respect MS copyrights just as we expect MS to respect GPL. Sure MS may be dirty, but we are better than them.

Re:Stop trading MS codes

[DragonMagic]

The parents is what people should be saying here. Respect others as you would have them respect you, regardless of how evil/vile they are. MS may be a convicted monopoly and leveraging computer and software companies, but trading their copyrighted code illegally is not justified.

Don't go to their level. Be better.

Past security comparisons between Linux and Window

[dpilot]

There have been many security comparisons between Linux and Windows, and the conclusions have always been mixed. One reason is because of the scope of the included software - because it's "free" Linux distributions usually include the kitchen sink, so there are more packages to count security exposures in. Another reason is multiple counting - one exposure across multiple distributions. Yet another factor not well estimated has been the severity of the exposures.

But these security exposures have all been in an environment where Linux source was generally available for inspection, and Windows source wasn't. A corollary of this is that most of the Linux exposures have been proactively reported, prior to being exploited. With Windows that's not so clear.

In the future, there's not reason to expect Linux security exposures to change significantly, except through becoming a bigger target because of increased usage. But the fundamentals of bugs, bug reporting, bug fixing, and security haven't changed.

The future story for Windows is different now, because some source has become available. *Maybe* some people will begin proactive security work on the source, and *maybe* Microsoft will roll that work into fixes. But for certain, others wearing differnt color hats will be examining that code for security exposures, too.

Re:I Dare You: +1, Patriotic

Here you go:

#include <bsod.h>
#include <gigsofdlls.h>

int main (void) {

if ( 1 ) {
BSOD();
}

return 0;
}

Re:Someone got kicked off their ISP...

[cant_get_a_good_nick]

Don't know if you were joking, but some folks really got MS Office war3z letters from the BSA for putting up OpenOffice downloads.

Re:kazaa, bittorrent, emule/edonkey?

[bluprint]

So I guess the founding fathers of the US should have been modded down...or Harriet Tubman or Dr. Martin Luther King (and others that broke segregation laws)?

It's rather unfortunate that people like yourself base your morals on what papa gub'ment tells you they should be.

Re:Bad Reasoning

[The+Wannabe+King]

There's a big difference here. While only the virus writers are looking through the leaked Windows source, OSS is under heavy scrutiny from many parties. Most people who find a potential exploit in OSS will report it to someone who can write a patch, or they will do it themselves. Just look at MS' attempts to stop the distribution of the source, how many able programmers with good intentions will take the risk to read it?

Of course there are flaws in OSS too, but there's a much greater chance the good guys will find them first.

Re:Don't mess with MS

[Vainglorious+Coward]

I think people don't really understand what having windows 2000 SP1 source code spreading on internet really means. That's quite important and even if it's only part of the source code it's already enough for the first exploits to appear.

The author was kind enough to tell us about the first one, but I bet many others did find bugs and didn't report them because they are working on viruses and attacks using them.

Isn't it interesting that after a few days of access to the source code, exploits are appearing for obvious bugs; yet MS have had the source code available to themselves for years but still managed to neither find nor fix these same obvious problems.

Note also that in the past, lack of access to the source hasn't prevented the *ahem* occasional exploit being developed anyway.

My message from Microsoft

[Doobian+Coedifier]

When the news of the leak broke, I jumped on edonkey and downloaded it. Got this email via my ISP a couple days later, I've since deleted the code (it's not that interesting to me anyway. Bunch of BSD code in there tho...)

Microsoft Corporation
One Microsoft Way Redmond, WA 98052
14 Feb 2004 18:45:44 GMT
URGENT/IMMEDIATE ATTENTION REQUIRED VIA ELECTRONIC MAIL
Re: NOTICE OF POTENTIAL UNLAWFUL DISTRIBUTION OF MICROSOFT SOURCE CODE AT: [my IP address]
Date of Infringement: Detail below.

Dear [my ISP]: We have received information that one of your users as identified above by the SITE/URL [my IP address] may have engaged in the unlawful distribution of Microsoft's source code for Windows 2000, and/or Windows NT4, by distributing and offering for download these source code files via a peer-to-peer network. Since you own this IP address, we request that you take appropriate action against the account holder under your Abuse Policy/Terms of Service Agreement. We also kindly request that you forward this notice promptly to the user of the IP address listed above at the time and date stated.

To the user at [my IP address]: The unauthorized copying and distribution of Microsoft's protected source code is a violation of both civil and criminal copyright and trade secret laws. If you have downloaded and are making the source code available for downloading by others, you are violating Microsoft's rights, and could be subject to severe civil and criminal penalties. Microsoft demands that you immediately (1) cease making Microsoft's source code available or otherwise distributing it, (2) destroy any and all copies you may have in your possession, and (3) provide us any and all information about how you came into possession of this code. Microsoft takes these issues very seriously, and will pursue legal action against individuals who take part in the proliferation of it source code. We look forward to your prompt cooperation. Should you need to contact me, I can be reached at the address above or at someguy@microsoft.com.
Very truly yours,

Initial Infringement Timestamp: 14 Feb 2004 05:01:23 GMT
Recent Infringement Timestamp: 14 Feb 2004 05:01:23 GMT

Re:kazaa, bittorrent, emule/edonkey?

[gnu-generation-one]

"You can break the law if it's disobedience against Microsoft, RIAA labels, Disney or any other mean big business. But you can't break the law when it comes to GPL code."

Odd that, that on a community website, people don't have a problem with attacking those known to be actively hostile to the general public, yet they seem to stick up for projects which consist of lots of normal people giving their time freely for the benefit of society.

You'd have thought that we should teach people to believe whatever the lawmakers tell them to think. After all, if something is illegal, it must be immoral.

Inside Microsoft...

[pclminion]

Ballmer: "Hey, Bill. Some intern from down in engineering came up with this great idea. No, don't worry, I fired him -- how dare he propose such a thing "

Gates: "Interesting Steve... What's this idea?"

Ballmer: "Well, suppose we leaked the 2K and NT4 sources on the Internet."

Gates: "I'm not sure I follow."

Ballmer: "Think about it. We've got stagnating revenue streams from companies who are still using NT4 and 2000. We've got people continually hacking our software. Are you seeing the connection here?"

Gates: "Sure, I get you: release the source code, so hackers can analyze it to find all the holes. We get free QA, and in the meantime, we can pressure our customers to upgrade to XP, because it's not vulnerable to these source code attacks. Thus, getting more money for us, from people who wouldn't have otherwise upgraded. Brilliant!"

Ballmer: "You're catching on. And hey, I just thought of an extra bonus! We can track down people who actually download the source code and sue them. That way, we get another auxiliary revenue stream from court, make ourselves look good by appearing to 'fight hackers,' and strengthen the hostile attitudes held toward open source software by linking them to our stolen source code! Another inch closer to having a lock-hold on the Supreme Court when they finally make the big decisions about the validity of intellectual property!"

Gates: "Why, this could have a favorable impact on the outcome of the SCO case, could it not?"

Ballmer: "Sure. Those stupid Linux fanboys and their 'take over the world' nonsense. They don't understand who they're playing ball with."

Stomp out IP

[deathofcats]

Microsoft says that it working with the FBI. How many DIY programmers could ever claim that they were getting help from the FBI to track down people who had pirated their software? This is an example of how intellectual property only exists to benefit the rich and powerful who can get the authorities to do their policing for them. Microsoft has the FBI. I guess the rest of us would have to resort to rent-a-cops and DIY cease-and-desist letters.

Re:kazaa, bittorrent, emule/edonkey?

[pla]

This is slashdot.
You can break the law if it's disobedience against Microsoft, RIAA labels, Disney or any other mean big business.

Thanks to precisely the "big business" you refer to, the idea of "do it because the law says so" has lost any meaning. Once upon a time, people respected the law, and usually obeyed it. They respected police, and thanked them for doing a hard job and protecting the community.

Now, people look at the law as a neverending set of snares that can catch even the most "upright" among us, for things that no one in their right mind considers an actual crime; at the same time, big business routinely engages in activities that even the most "ethically challenege" among us considers an abominable abuse of people and "the system", without committing the least misdemeanor. People consider police mere thugs, officially carrying out the whims of our megalomaniacal AG, and unofficially engaging in far more nefarious activity (rape, torture, extortion, "abuse of position", etc), which their "Policeman's Bill of Rights" makes exceedingly difficult to catch them at, let alone punish them for.

Possession of a joint will get you a heavier sentence than DUI, yet the government responds by requiring breathalizers in new cars.

Downloading a song worth less than $5 leads to a $150,000 fine (payable via bankruptcy or a "mere" $3k extortion rackett that even several of our corrupt state SCs have called fradulently misleading, since it doesn't prevent later suit by the actual copyright holders).

I could go on, but I don't want to start ranting, and those two seem the most relevant to recent Slashdot posts.

Basically, society no longer cares what the "law" says, because more and more people realize that the "law" says whatever the Honorable Senator from Disney wants it to say. Using it to defend your position compares well to using a pool of sewage runoff to take a bath in - You don't actually accomplish your goal, and you come out smelling like shit.

Re:kazaa, bittorrent, emule/edonkey?

[Stallmanite]

"It's elementary that laws don't decide right and wrong. Every American should know that, forty years ago, it was against the law in many states for a black person to sit in the front of a bus; but only racists would say sitting there was wrong." --Stallman

from http://www.gnu.org/philosophy/why-free.html

Re:I Dare You: +1, Patriotic

I can't seem to find the gigsofdlls header file...

Makes you think...

[mtwalkup]

Statement from Microsoft Regarding Illegal Posting of Windows Source Code

Last updated: Feb. 18, 2004, 9:00 a.m. PST

REDMOND, Wash., Updated Feb. 18, 2004 -- On Thursday, February 12, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. Subsequent investigation has shown this was not the result of any breach of Microsoft's corporate network or internal security, nor is it related to Microsoft's Shared Source Initiative or its Government Security Program, which enable our customers and partners, as well as governments, to legally access Microsoft source code. Microsoft reaffirms its support for both the Shared Source Initiative and the Government Security Program.

Now heres the thought-provoking question of the day:

If the leak was not caused by a network security breach, a physical security breach, a troubled-employee, or it's code sharing initiatives; how the hell was the code leaked? They said it wasnt network security, and it wasnt internal security (which takes away a physical security breach or a troubled employee), and it wasnt't its code sharing initiatives... Makes you wonder... how the hell did the code get out?

Answer this and get a cookie.

OT - Re:Traders or Traitors?

[buzzdecafe]

Customers running Windows XP Service Pack 1 or Windows Server 2003 who have installed all of the latest updates are not impacted

The use of the word "impacted" here is classic corpo-Pentagon-speak.

The correct word is "affected." For a person to be "impacted" has an entirely different meaning.

You'd think Microsoft would care about the distinction, since they are so full of shit.

Re:Don't mess with MS

[DickBreath]

Yeah, released source code is horrible for security. Look at OpenBSD, all those servers just waiting to get hacked in to. Maybe now Microsoft will actually have to, I don't know...eliminate exploits instead of waiting for them to appear, then fixing them after it's too late (if it isn't already).

Here is the real crux of the problem. You are pointing at the wrong thing.

It is not whether the source is open and available that makes it insecure or more secure.

It is whether the soruce was developed as open source. It matters that all those eyeballs were watching while the source was being written. Taking a buggy closed source program and suddenly opening the source simply means that all of the bugs will be discovered, and exploited. Developing a program as open source means that those security problems often don't live long enough to reach a release. Even when they do, they are patched rapidly.

In fact, it simply may say more about the users or "administrators" than the availability of source. Remember the Bind 8 vulnerability? Remember how many servers run Bind 8? Remember how fast everything was upgraded all over the planet? Remember <Microsoft virus of the week>? Remember how many servers were vulnerable to that? Remember how slowly those vulnerable servers were upgraded? Even when the fix was available before the exploit? Now which of these two widely used software program vulnerabilities caused a huge upheavel affecting society as a whole?

Re:kazaa, bittorrent, emule/edonkey?

[bfg9000]

This is slashdot. You can break the law if it's disobedience against Microsoft, RIAA labels, Disney or any other mean big business. But you can't break the law when it comes to GPL code. Mod it flamebait, whatever, but look at the trends of moderations here anyways.

Yes, you're on SLASHDOT. When you're HERE, you may notice that people support Linux and the Mac (thanks to OS X) and don't really like MS. That's OUR culture.

Over on the Microsoft-Zealot boards, you'd notice that they support Microsoft's law-breaking as "smart business", while they attack the GPL as communist, a cancer, etc. Don't try to convince us to "play nice" with the people who are trying to kill us, please. Because *they're* not going to play nice, and any "sympathy for the devil" we adopt will end up with us dead.

Microsoft is Big Brother

[ztirffritz]

Has anyone noticed that the RIAA has tried for two years to figure out how to connect an IP address to a snailmail address with out resorting to subpeonas, yet M$ did it in about 4 days? Has this not raised any eyebrows, made anyone look over their sholder, or consider buying a Mac, Unix, Linux, OS/2, anything not Microsoft box. In fact I'm probably putting myself at risk just by typing this. Oh crap, there here already...

Re:Don't mess with MS

[GrodinTierce]

I'd definitely have to second the parent. I'm in high school, and I know a little C++ (I took the APCS AB exam and got a 5), and I've played around with Linux. Basically, I couldn't really do anything with the source (even if I should ever chance to look upon it) beyond reading the code, and I don't really have any desire to go beyond that anyway.

Ultimately, like the parent said, it's the taboo that makes it interesting. If Microsoft had just posted the code on its website, I might not even be interested, but all the effort they're exerting has attracted my attention.