32TB of Windows 10 Internal Builds, Core Source Code Leak Online

According to an exclusive report via The Register, "a massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online." From the report: The data -- some 32TB of installation images and software blueprints that compress down to 8TB -- were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the data has been exfiltrated from Microsoft's in-house systems since around March. The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code. Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. In addition to this, hundreds of top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked along with copies of officially released versions.

32TB?

[ArchieBunker]

Going to need a new storage array...

Re: 32TB?

[KGIII]

It isn't that interesting. Save the space. They are mostly just builds from the Insider Program, according to the folks with the actual data.

Re:32TB?

Don't worry, reports say 31.9TB is just their "phone home" technology.

Re:32TB?

[Z00L00K]

Going to need a new OS because now the malware creators have the ability to find yet undiscovered security holes and utilize them.

Re: 32TB?

Driver sources could be handy for hose trying to make Linux drivers on some more recalcitrant hardware.

Re: 32TB?

Didn't know that a water hose can write code.

Re:32TB?

[scatbomb]

Going to need a new OS because now the malware creators have the ability to find yet undiscovered security holes and utilize them.

Oh really? Is that what they meant in the summary by: "Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide."? Thanks for your insight.

Re: 32TB?

[cyber-vandal]

Better not use Linux or FreeBSD. I hear they let anyone look at the source.

Re:32TB?

[gweihir]

They had that capability before. It may not even have been that much more effort. Reviewing source-code is time-consuming, demanding and expensive.

Re: 32TB?

And you believe that? Naturally that is what some would say. Would you want competition when looking for bugs that could be worth alot of $$$?

Re:32TB?

[danomac]

Or, oddly enough, the opposite might happen. Maybe someone will actually submit patches to fix all those bugs.

Re: 32TB?

and then face civil, or even criminal charges...

Re: 32TB?

[KGIII]

This has now been verified by multiple independent parties.

Re: 32TB?

[KGIII]

There doesn't actually appear to be any source code in the files. Multiple parties have gone over it. It's just Insider Program builds, some tools (that may be handy - as they are special debuggers I guess), and a whole mess of internal nightly builds.

I haven't downloaded the files, but those who have checked it out are people that I'm inclined to trust - based on history. It's largely nothing. The debugging tools may reveal something and someone, with enough time, may be able to disassemble binaries that weren't public and find things that are different - which could, theoretically, find a bug - which could, theoretically, be exploited, which could, theoretically, be done by a malicious party.

Re: 32TB?

[Hylandr]

It's false.

Just the early preview versions.

Re: 32TB?

[KGIII]

That's what I said. ;-) Though two folks have said there's a proprietary debugger. I am not sure of the validity of that one.

Re: 32TB?

[ArmoredDragon]

I'd be more interested in finding out what the telemetry data actually contains.

Neat.

Maybe it tells us the secret to shutting down a laptop using ACPI in a way that doesn't drain the battery dead 2 hours after it "powers off" using Linux

Re:Neat.

[aliquis]

Or why the machine can't wake up if I let it park the CPU in Windows 10 but it worked fine in Windows 8.1.

(Phenom X4 9850 on ASUS 790FX board.)

Re:Neat.

[sound+vision]

I have the same Phenom, with an Asus M2N-SLI Deluxe board. The BIOS has an option for "C1E support", which sounds similar to your "CPU parking" - turning it on makes the system fail to boot. I don't remember exactly where the failure happens, but it's before GRUB can bring up the boot menu.

Re:Neat.

Not sure why the -1 mod, my battery is permanently dead because of this

Re:Neat.

[aliquis]

I said CPU parking because I don't know the name of it.

There's S1 and S3 and one is a a deeper sleep than the other and with the deeper sleep the CPU fan turns off as-well among other things but if I use that one then the machine can't be started without a cold reboot again. It used to work in Windows 8 but doesn't in Windows 10.

M3A32-MVP Deluxe and .. yet another one is what I have.

Re:Neat.

Err... so install Linux/OpenBSD/FreeBSD with Virtualbox and install Windows inside that. Then the host OS can handle the sleepy stuff for you.

Re:Neat.

Don't use Windows 10. Upgraded a Windows 7 machine to Windows 10, and it developed that same issue.

I know it was you Comey. Horrible. Horrible.

Really very, very horrible. Really horrible. Very very not good at all, let me tell you. Leakers on any media, horrible. Don't watch that video.

Oh no, security problems might be found!

Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide.

You mean like.. BSD and Linux? Sounds like the way it should be -- the security by obscurity fad faded a long time ago.

Re: Oh no, security problems might be found!

Not exactly. The difference is that, with open source, anyone can fix bugs and contribute those fixes back for everyone to benefit. There's also no threat of legal action for reporting bugs to developers. In this case, we still have to rely on Microsoft to fix bugs, and it isn't practical for other developers to fix bugs and release the fixes. It's entirely possible that releasing fixes or even reporting bugs to Microsoft could result in legal action. Microsoft doesn't want people looking at leaked Windows source code, so it's entirely possible that the DMCA could be used against security researchers. Also, releasing fixes that include patched files could certainly bring legal action through the DMCA.

The primary differences are that with open source, anyone can produce bug fixes and they can disclose vulnerabilities or create bug fixes without the threat of legal action.

Re:Oh no, security problems might be found!

security problems in Linux and BSD aren't usually found through source code analysis, they are found through crashes, fuzzing, errors etc. source code analysis is painful and slow by comparison though the source code can make generating the exploit once you have found the vulnerability much easier.

Re:Oh no, security problems might be found!

[vux984]

the source code can make generating the exploit once you have found the vulnerability much easier.

That's an understatement.

Re:Oh no, security problems might be found!

[jimtheowl]

They are certainly fixed by first going through an analysis of the offending code.

But even though code analysis is painful and slow, it doesn't stop the OpenBSD people and others from doing some, historically demonstrating good results for their efforts.

Re: Oh no, security problems might be found!

Not exactly. The difference is that, with open source, anyone can fix bugs and contribute those fixes back for everyone to benefit.

In theory, yes. In reality, not so much.

Or maybe you've already forgotten "heartbleed" which went unnoticed for .... how many years? Or the glibc bug that went unnoticed for 8 years, or the major Linux kernel bugs that went unnoticed for 3-4 years. Etc ... etc ... etc ...

"Many eyes makes bugs shallow" is a lie. Because the truth is, people rarely look at source code, other than the code they are currently working on.

Re: Oh no, security problems might be found!

[Bert64]

"Many eyes makes bugs shallow" is not so much the point...
Rather is having a level playing field for everyone, anyone can see the code, good and bad guys alike.

With closed source *you* probably don't have the code and white hat security researchers probably don't have the code, but you have no idea who else (NSA and similar agencies, criminals etc) does. Chances are with closed source those who do have the code are more likely to have hostile motives.

Re:Oh no, security problems might be found!

the point is the number of people doing that analysis on BSD or Linux would be as small if not smaller than the numbers doing the same thing for Windows. It is such a highly specialized and time expensive task that open/closed source is irrelevant to the number of eyes doing it.

Re: Oh no, security problems might be found!

It's all so much better if only the law-evading criminals see the problem...
Hopefully Microsoft sees this, so they leave the good guys alone.

Re:Oh no, security problems might be found!

[gweihir]

Actually, it is not. In many cases the source will not help the attacker much or at all. It does make fixing a vulnerability a lot easier though.

Re:Oh no, security problems might be found!

Not really true. OpenBSD for example is reviewing their code. Linux maybe not, since that is where the SSL bugs came from.

Re:Oh no, security problems might be found!

[skullandbones99]

sigh, SSL is NOT in the Linux kernel! SSL is a cross-platform userland open source project.

Linux based distributions will include SSL userland components but SSL is not part of the Linux kernel. Just like gnome and KDE are not part of the Linux kernel but are included in Linux based distributions.

Re:Oh no, security problems might be found!

[K.+S.+Kyosuke]

Did the SSL bugs have actually anything to do with Linux? I mean, besides the library supporting Linux as one of the systems it can run on.

Re: Oh no, security problems might be found!

Or maybe you've already forgotten "heartbleed" which went unnoticed for .... how many years?

Approximately... none. OpenSSL's custom allocator - the source of the bug - drew criticism almost immediately, because it interfered with existing bug mitigation measures and correctness checkers, and could potentially be a vector for a security exploit. The OpenSSL team chose to keep their allocator on by default despite objections because there were no known exploits and they felt that their custom code addressed a perceived slowness in certain Microsoft Windows operating systems. I don't buy the Windows argument (were they testing on Windows 98 or something?) but to their credit it took nearly 2 years for somebody to actually exploit the problem even though the risk was known (ironically, without needing the source code). Thankfully, the discoverer of the exploit had the public's interests at heart, so instead of ransomware we got a massive awareness campaign. Within hours OS vendors were providing patches (either by compiling builds without the custom allocator or reverting to an unaffected version of OpenSSL), and in a day or so the exact flaw in the allocator was found and fixed for good, because lots of people were looking into it so it didn't take long for somebody to find it.

We can make several observations regarding this incident:
- A tiny number of extra "eyes" was sufficient to anticipate the problem
- The vendor could not be relied upon to discover and fix the problem by itself
- Security by obscurity would not have helped in the slightest
- With many "eyes", the bug became trivial to isolate and fix

Or the glibc bug that went unnoticed for 8 years, or the major Linux kernel bugs that went unnoticed for 3-4 years. Etc ... etc ... etc ...

Now you're moving the goalposts to a different continent. Who says that being open-source should make it impossible for bugs to go unnoticed? Also, that "Etc ... etc ... etc ..." is actually drawing attention to how few examples you could come up with, rather than disguising the fact.

"Many eyes makes bugs shallow" is a lie.

And why do you say that?

Because the truth is, people rarely look at source code, other than the code they are currently working on.

That's actually consistent with "Many eyes makes bugs shallow".

Look. essentially you're saying that the statement "If A then B" is false because A is not necessarily true, which is a complete non-sequitur. Logically, you need to show that the antecedent is TRUE if you want to demonstrate a contradiction - when it is false the proposition is perfectly consistent with any consequent.

By the way, why are you fixating on a small observation that ES Raymond once made and acting as though you've just toppled the central pillar of a belief system?

Re:Oh no, security problems might be found!

[jimtheowl]

It is relevant for at least the following reasons:

The OpenBSD project has a proactive approach to security https://www.openbsd.org/securi... with people who do what they do because they want to do it.

The Windows model is perpetuate the need for patches so you can make the customer dependent on continuous releases. They never had any intent to procure a secure system and likely never will.

Re: Oh no, security problems might be found!

Microsoft probably still offers its enterprise and educational source licenses, which allow large companies and universities to securely view Windows source code.

Re: Oh no, security problems might be found!

[thegarbz]

Chances are with closed source those who do have the code are more likely to have hostile motives.

Like the vendor.

Re: Oh no, security problems might be found!

[Brockmire]

Most? Wow, you have no clue what you're talking about.

Re: Oh no, security problems might be found!

[Brockmire]

Christ, I didn't quote "many" correctly. *palmface*

Re: Oh no, security problems might be found!

Oh no! Lenovo, Toshiba, Samsung, Dell, and Atheros have Windows source code for Wi-Fi drivers! The horror!

Re: Oh no, security problems might be found!

"Many eyes makes bugs shallow" is a lie.

It never was meant to state that just because everyone can access the source everyone will and magically all bugs get spotted and solved. The "many eyes" are people actively involved in developing and testing. It was meant to characterize Linus' approach to organizing the Linux kernel development: get many people involved, resulting in an increased probability that someone is around who understands a problem and knows how it can be solved.

You can find the original text here.

Re: Oh no, security problems might be found!

[gweihir]

I actually have hands-on experience in this area. What the general public thinks and what actual experts know is often quite a bit different. This is one such case.

Microsoft going open source :p

nt

Re:Microsoft going open source :p

Now that you mention it, every now and then I do miss Windows NT. -PCP

Top Secret?

hundreds of top-secret builds of Windows 10 and Windows Server 2016

Is this top-secret as in Top Secret? as in classified information?
Or just private custom builds?

Re:Top Secret?

[gravewax]

seems to Just be private/internal builds, nothing even remotely secret.

Re: Top Secret?

[niftydude]

Apparently "alpha/nightly build" = "top secret build" in super sensational hack journalist lingo.

Re:Top Secret?

[Z00L00K]

Not a Governmental Top Secret classification, just a company top secret classification.

Just stating "Classified" doesn't indicate anything about the classification level. It can be classified as "Open" as well.

Re:Top Secret?

this stuff is not in considered company top secret, it is shared with governments, partners and a shit load of companies. you would be pushing to even call it confidential.

Re:Top Secret?

[gweihir]

This is just hyperbole. Basically no private company does "Top Secret". The maximum level is usually "Secret" and that is it.

Re:Top Secret?

well that is blatantly false I can assure you, having worked with top secret and knowing plenty who still do in my company. regardless the article is complete and utter bullshit, their is nothing remotely top secret. It is all at best confidential and consists mainly of daily builds which are hardly secret.

old crap

It seems they are just a heap of old builds, nothing top secret about them, most interim builds are only valid for a day or 2 till the next one. The Shared Source stuff while not publically available is hardly top secret either with hundreds if not thousands of organizations with it.

Telemetry

[OtisSnerd]

Maybe now we'll be able to find out what the telemetry actually sends back to MS and the three-letter agencies. It would also be nice for some to develop a way to completely kill it.

Re:Telemetry

Yes, I am very interested in hearing more about this. I am of the opinion that Microsoft's monitoring of end users is morally wrong, and that they only get away with it due to their status in the market. I am keen on knowing the full depths of their evil, in this regard.

Re: Telemetry

You Sir, are the worst spy ever. rofl

Re:Telemetry

[sound+vision]

If MS gets away with it because of their market dominance, what's the reason that Apple gets away with it?

Re:Telemetry

and google. despite the atrocity that is telemetry it is actually the lesser evil compared to google and apples approach.

Re:Telemetry

Seems to be the same reason. They are part of a cartel.

Re: Telemetry

You, Sir, do not know how to properly use a goddamn comma.

Re:Telemetry

Apple/Google got away with it because a phones were a new paradigm without preexisting standards for user control and spying and whatnot. They did shit you would never have been able to get away with on a PC a decade ago, but no one complained because it wasn't a PC (AOL had pioneered the 'walled garden' thing years before and was met with universal derision). Then once phones and their attendant privacy invasions became ubiquitous and the public had gotten used to the idea of being tracked and monitored 24/7, the opening was there to backport all the creepy shit to desktops and laptops. MS catches the most shit because they were the most brazen about it, but none is really any better than the others (except Linux, natch)

Re:Telemetry

[kelanos]

Or another, equally likely, possibility is this is a controlled leak and it's meant to mislead us about the nature of the telemetry.

But this isn't the full source is it? So probably we'll never know. But do we need to? The Corporate Plutocracy is attempting to destroy us all anyway. Until there is a movement against the state, nothing matters but survival.

Standing by to be modded down by cowards who refuse to realize the implications of things like federally mandated education standards, mass surveillance, media consolidation, etc.

Re:Telemetry

Thank you for your valuable pro-Microsoft 'what about' contribution to this tech site, Pradeep! The sum of 150 rupees has been deposited to your Bing Rewards account.

Re:Telemetry

[Razed+By+TV]

Standing by to be modded down by cowards who refuse to realize the implications of things like federally mandated education standards, mass surveillance, media consolidation, etc.

You must be new here.

Re:Telemetry

[thegarbz]

If you want to know that just read through these 94 pages: https://docs.microsoft.com/en-...

Re:Telemetry

More interesting would be if the sources, which are already shown to governments, match with actual binaries they distribute. Perhaps the magic spyware sauce is not included in public source distributions.

Re: Telemetry

[allo]

You, Sir, are the worst spy ever. rofl

Are you now happy?

Re:Telemetry

Maybe all those police forces will now know what they can ask Microsoft for...

Re: Telemetry

> AOL had pioneered the 'walled garden' thing years before and was met with universal derision

Mmmmm, no, there was Prodigy, and CompuServe a decade before that, and various other services thatt tried the walled garden thing. Remember all the dial up services, each with their own special keyboard.

Re:Telemetry

[OtisSnerd]

I've seen that list before, but I suspect that it's not complete. After all the forced upgrades, and all but pointing guns at their 'customers' to force them to upgrade, I wouldn't trust them to tell me the the color of the sky, let alone believe that the list they posted is complete.

Re:Telemetry

[Opportunist]

The same. They are essentially in the Tablet market what MS is for Desktops. And the phone market they share with a company that's just as bad.

Re: Telemetry

You, Sir, are the worst spy ever. rofl

Are you now happy?

No. ROFL should be in upper case. It should at least start with an upper case "R" as it starts a new sentence, even if the rest of it is lower case, as in "Rofl".

Re:Telemetry

[Rick+Schumann]

Hear, hear!

Re:Telemetry

[oakgrove]

An aside to this thread, as a child of the MS dominated 90s, I sort of dig Android being dominant on phones, Apple having tablets, MS having the desktop, and Linux more or less having servers with a healthy competition in each segment. It's not a perfect situation but it beats the shit of the bad old days when IE 6 was "the internet."
>inb4 everything is just as bad as it ever was or worse

Re: Telemetry

[allo]

Maybe it's a name and he misspelled Rolf?

Re:Telemetry

[thegarbz]

Interestingly the less complete the list is the less care about their collection. The more data that is collected the less likely any database makes sense. The less likely they are able to extract information from it. The less likely I am to be affected if someone dumped the database online.

Re: Telemetry

[Brockmire]

There should have been a comma before "ever".

OMG

[bfmorgan]

Ooops!

"Many eyes"

[gawdonblue]

Security!

Re:Slashdot Reader Logic

[PPH]

I predict that Slashdot readers will be too cowardly to address my observation.

It's off-topic. Now, back to your containment board --> /pol/

Re:Slashdot Reader Logic

A) Plenty of muslims would disagree that you aren't born Muslim... you know, the sorts that would like to kill you.
B) Plenty of Muslims would disagree with the idea that you can just choose to leave... you know, the sorts that would like to kill you, and those who try to leave.
C) 'Muslim' isn't a race. Is a rabid atheist who hates religion racists for wanting to punish Christians?

Wait for it: Microsoft Intentionally Leaked It

[DatbeDank]

In an effort to get more people to probe Windows 10 and find software flaws as well as confirm they aren't completely stealing your data. It's like open sourcing your OS without really open sourcing it! /sarcsam

Re:Wait for it: Microsoft Intentionally Leaked It

they'll blame it on their migration to git as a way to tarnish linus' name, not the fact they used windows shit server 2k13 to host it on.

Re:Wait for it: Microsoft Intentionally Leaked It

Somebody please rebuild it without the spyware!

Okay....

[SeaFox]

/me goes to the store to get popcorn

32 TB?

[PPH]

How much is it if you skip all the #ifdef BUGS sections?

Re:32 TB?

[haruchai]

How much is it if you skip all the #ifdef BUGS sections?

That compiles down to 640k, just enough for everybody

WARNING DO NOT SELL THESE TO PEOPLE

If you sell these, even for 20 dollars to people claiming to be stupid enough not to download it for free. DO NOT DO IT.

You will get 2 years in prison and a news article and everyone will giggle.

sup willy beamer

captcha: carder (lol)

Re:WARNING DO NOT SELL THESE TO PEOPLE

are you retarded?

Re:WARNING DO NOT SELL THESE TO PEOPLE

[Z00L00K]

2 years in prison is not very likely. In civilized countries you will get a deal instead.

Re:WARNING DO NOT SELL THESE TO PEOPLE

Are you confused? Civilized countries have this thing called justice, there are no "deals".

Source code makes interesting reading

#ifdef US_GOVT_EDITION // Send stuff to Russia and China ...
#else // Send stuff to NSA ...
#endif

Perfect

Time for another round of exploits.

Too bad

[markdavis]

Too bad it STILL won't tell anyone what is actually on a machine when a binary MS-Windows is installed. You still won't know what back doors, spyware, weakened encryption, "telemetry" sharing, and extra code was injected for the governments. And good luck on building something you will be able to actually install and use. This breech is unlikely to help anyone but black hatters, looking for vulnerabilities.

Meanwhile, grab distro Linux sources legally, see anything and everything you desire, and compile it and run it if you like.... it is actually DESIGNED to be compiled by people and groups who use it, if wanted.

Re:Too bad

good luck vetting every line of code in Linux. after all you can't be sure which contributer was a black hat or government agent inserting a backdoor into the code for their own benefit. only a moron would think Linux is any safer from the point of view of government influence over the source code, that is not to safe closed source is safe but it probably has less accessibility to most people that are targeting you with the exception of the arseholes in the US government.

Re:Too bad

THIS IS NO GOOD.
I want the code to XP leaked, so a third party can supply fixes(repairs) to what I use.
In fact it is a reason for MS to flog off maintenance to 3rd party - given they are not interested. Mix n Match of DLL's is possible,

I wont ever use windows 10, because I found out they tipped other stuff into Win7 patches
that had nothing to do with security. In Win 10, they vary everything, including having executables in the registry!

BUT I will be interesting to see what turns up in the telemetry modules. It will also be interesting to read the comments . I presume they say
1) fix this bug date
2) Fix this date 2
3) Design flaw - this cant be fixed without breaking ..

Re:Too bad

"This breech is unlikely to help anyone but black hatters, looking for vulnerabilities."

How about people trying to fix obscure bugs in wine? Or Linux developers trying to figure out obscure bugs for devices that only have official windows support?
I think your imagination is a bit stunted if you think this can only help black hatters.

Re:Too bad

This is mostly hardware drivers source code. Wine doesnt go to that low level, they are just implementing the system api using unix libraries.

Re:Too bad

Too bad it STILL won't tell anyone what is actually on a machine when a binary MS-Windows is installed. You still won't know what back doors, spyware, weakened encryption, "telemetry" sharing, and extra code was injected for the governments.

Let's laugh at everyone who loves the open source meme but can't read source code.

Re:Too bad

[thegarbz]

I don't know that on any other installation either. I simply trust that any vendor provides me a binary that matches its source code. I and 99.999% of the people using computers have zero ability to audit binaries against source code. And I'm willing to bet you've never done it for your OS too.

Re:Too bad

I have no doubt you are a frequent visitor to infowars.com

Re:Too bad

[infolation]

The point is not a personal audit of every line of code, but a network of trust - code that is able to be audited by a network of known individuals who build trust in that code. GNU-Linux, and the code of free software, already relies on the notion of 'standing on the shoulders of giants' and the principle of an auditing process over time is no different. Auditors are motivated to work because they know their contributions build over time to a verifiable and trustworthy system.

It is the complete lack of transparancy that impedes trust in Microsoft's code. Inspecting a code dump does not build trust because there is no incentive for 3rd parties to audit the dump. In the long term it cannot contribute to an open, auditable Microsoft code base.

Re:Too bad

[markdavis]

+1 insightful
I couldn't have worded it better if I tried.

Re:Too bad

Standing on the shoulders of giants works for science and math because the universe is consistent, or so it appears. With software new commits are added all the time. If you don't verify that every commit is safe code that doesn't have some bug (which might be a very complex bug that interacts with various existing code to create some obscure vulnerability) then the giant you are standing on is actually sinking in quicksand.

Re:Too bad

How about people trying to fix obscure bugs in wine?

I believe that for obvious reasons Wine has a strict policy that no contributions ae permitted from anyone who has ever seen Windows source code (legally obtained or not).

Re:Too bad

[thegarbz]

but a network of trust - code that is able to be audited by a network of known individuals who build trust in that code.

Sorry but the benefit of a network of trust breaks down very rapidly when we actually look at how often projects actually get a security audit (you can probably count them on one hand) and how that audit has absolutely no relevance to the final binary that you download, not to mention the fact that by the time any audit process is finished you'll be very many commits behind.

The level of trust I have for software ranks as follows: Closed source > Open source > Closed source which has reached monopoly status. That trust is entirely based on how much the vendor/developer needs the user.
- Small closed source programs which are well funded have quality controls in place and still rely on the user to make money are least likely to have issues.
- Open source is a crapshoot. The Linux Kernel gets all the thumbs up. An excellent example of things done right, but mostly because they have customers to please. A lot of the remainder is buggy shite. Gnome is an example of the shitstorm that is can be an open source project.
- Closed source which has monopoly status has no incentive to ensure quality. Windows is a good example of that.

I don't need complete transparency to have trust. Actually that is a completely backwards idea. If you need transparency then by definition you don't have trust.

Security vulnerabilities?

[GrahamWert]

This just in: it appears that many terabytes of Linux and GNU source code have also been leaked to the internet. Anyone who has this information can scour it for security vulnerabilities.

Re:Security vulnerabilities?

This just in: it appears that many terabytes of Linux and GNU source code have also been leaked to the internet. Anyone who has this information can scour it for security vulnerabilities.

Pretty easy to find them too.

Though, I've never considered source code a necessary or even advantageous thing in hunting vulnerabilities. They are usually MORE apparent in disassembled binaries than the original source, but that could just be habit talking. Easier yet by automatic fuzzing and static analysis to find where things are getting hinky and trace values by back-propagation and forward-propagation to where the cat's getting out of the bag.

Yikes!

Microsoft should have protected their IP with APK's HOSTs file software! Some Trump supporting slashdotter probably thought running Linux on their nephew's PC was enough, though.

Time for OS/2

[martiniturbide]

Who is leaking that source code??

Re:Time for OS/2

[freeze128]

Who *WANTS* it?

Re:Time for OS/2

[Yaztromo]

Who *WANTS* it?

I would, if it meant we could port SOM and the Workplace Shell to Linux.

Yaz

Re:Time for OS/2

[Z00L00K]

Anyone that want a great upload quota on warez BBSes.

Re:Time for OS/2

[drinkypoo]

I would, if it meant we could port SOM and the Workplace Shell to Linux.

You can make fvwm work like the workplace shell if you want. Why would you want SOM? You can get a real CORBA ORB if you want.

Re:Time for OS/2

You can probably make fvwm *look* vaguely like workplace shell, but I highly doubt you can get it to function like the workplace shell.

Re:Time for OS/2

[drinkypoo]

You can probably make fvwm *look* vaguely like workplace shell, but I highly doubt you can get it to function like the workplace shell.

No, you can! You can even make it use inexplicable mouse button mappings, just like OS/2!

Reminds me ...

[CaptainDork]

... of the time the most religious manager at our Dallas office (nice guy, too) made me take a goddam trip to meet with him because he came in early and went to the network printer to get his stuff and his stack of papers included photos of nekkid wimmins.

He told me to look at the logs and tell him who printed the porn.

I informed the guy that with over 500 users who could choose any printer on any floor, that was not going to happen.

He was upset and frustrated and asked me why I couldn't help.

I told him that messages and logs related to printers were designed to aid in troubleshooting tech problems -- not to address personnel misconduct.

--

That's the answer here, as well.

No amount of infosec is going to stop determined employees.

For reference, see Manning, Snowden, and Winner.

Re:Reminds me ...

[Bert64]

Then you should have redesigned the network such that the printers were not directly accessible to users, and they had to funnel data through a central print server which *does* log what was printed and by whom. Aside from the reason given (likely a severe violation of the company code of conduct), you get other benefits too like keeping (usually horrendously insecure) printers away from the user network, being able to tell who's printing copies of company data that might have leaked out, and keeping track of how much is being printed.

Re:Reminds me ...

In addition to Bert64's insightful (seriously, give the guy mod points) comment:

> No amount of infosec is going to stop determined employees.

There was an irregularly-published humor column from a Microsoft employee a while back. One of the guy's columns was on personal infosec. His central theme was "Really, you have two classes of enemy; regular people and the Mossad. If the Mossad want YOU, there is NOTHING you can do to stop them.".

The big lesson here is that entities that have the backing of a nation-state can bring unthinkable quantities of resources to bear on a problem. This property cuts both ways; if an entity that has the backing of a nation-state WANTS to set things up so that materiel and information doesn't walk out of a facility without approval, it CAN.

Snowden, Manning, Winter, and countless others were able to do what they did because the entity that controlled that information didn't want to pay the cost required to set things up to be leak-proof.

The most amazing thing about Snowden's leaks wasn't their contents, but the fact that there was NO extended public discussion about any foreign spies embedded in the NSA. After all, the only reason we knew about Snowden was that he _very_ publicly announced his actions, identity, and intent. Foreign spies are... a bit more quiet than that.

Relatedly, read the pull quote from Marcy Wheeler's commentary here: https://www.schneier.com/blog/archives/2017/06/nsa_insider_sec.html

Re:Reminds me ...

[CaptainDork]

Disagree.

Sure, printing porn is a termination offense, but the damage (offending sensibilities) vs ROI of your proposal is simply not there.

Re:Reminds me ...

[Sir+Holo]

Then you should have redesigned the network such that the printers were not directly accessible to users, and they had to funnel data through a central print server which *does* log what was printed and by whom. Aside from the reason given (likely a severe violation of the company code of conduct), you get other benefits too like keeping (usually horrendously insecure) printers away from the user network, being able to tell who's printing copies of company data that might have leaked out, and keeping track of how much is being printed.

Please explain how he could have implemented such a system after the fact.

And moving forward... why? It sounds like a lot of effort and company money to waste just because the boss is a prude. . . It is a fire-able offense, but was likely one guy costing the company $10 a month in consumables. There are innumerable, more severely business-damaging offenses to be on the lookout for.

Re:Reminds me ...

[drinkypoo]

No, it's true. Printers are often tragically insecure, especially Postscript printers but including many if not all kinds. It's daft to put them on the same network as anything else.

Re:Reminds me ...

> And moving forward... why?

*cough*

> ...keeping (usually horrendously insecure) printers away from the user network, being able to tell who's printing copies of company data that might have leaked out, and keeping track of how much is being printed.

I know that some people's eyes glaze over if it takes longer than three seconds to read something, but do _try_. You're supposed to be a nerd.

Re:Reminds me ...

of course the real story is you have no idea how to admin.

Re:Reminds me ...

[CaptainDork]

I think you're adding a lot more to my example than is necessary for me to make my point.

I'm simply stating that infosec doesn't nothing to address inside jobs.

The guy who printed the porn did it from within the perimeter.

It wasn't done by an actor from Romania.

Re: Reminds me ...

[Brockmire]

Clever, the porn was yours!

Re:Reminds me ...

Um, the "why" for doing it going forward, is in the part of the comment you quoted.

Re:The sky is falling!

The sky is falling!

Why is this bring posted here? No more SJW stories?

Calm your tits, bitch

It's a trap!

No, Microsoft. Even if you give me the sources to Windows, I'm still not going to work on it for you.

How's that Windows Security?

[mpapet]

Hahahahahahaha!!!!

32TB lost

And nothing of value was lost. Yawn. Another slow "news" day for /.

This happened in the '90s

[magusxxx]

Some of the Windows code was released. It was downplayed. But everyone had a good laugh at the notes which were left in it like (language cleaned up and paraphrasing.): My personal favorite..."Why was this section added?" - "Because someone is doing something way above our pay grade." - "Take this out! It could be exploited" - "It's been two years, why is this still here?" - "This was put in for a reason. Don't take it out again." - "I removed it because It could be exploited!" - "I don't give a m***er f**k! As long as it's our exploit it stays in!"

Re:This happened in the '90s

So Linux is now using the BSD network stack? News to me, but truth is often stranger than fiction.

Captcha: unaware

Re:This happened in the '90s

[Z00L00K]

Virtual memory logic was around before Microsoft even thought of it. Maybe you think of the alleged Unix source code issues related to SCO?

Re:This happened in the '90s

No, and no.

No BitTorrent magnet link?

Sounds like a BS claim then.

Re: No BitTorrent magnet link?

This. Anyone can claim anything. The fact there is no torrent proves this isn't true.

Re: No BitTorrent magnet link?

Just be happy. That source code will make you want to jump off of a bridge if you're used to looking at quality code like the Linux kernel. It is just crap.

MICROSOFT CLOUD STORAGE

Trust us with your data.

Betaarchive admin official statement

[ark1]

https://www.betaarchive.com/fo...

Seems The Register story may not be accurate, or if you prefer FAKE NEWS!

Re:Betaarchive admin official statement

[pslytely+psycho]

Ah, shit, you just had to go and ruin a good story with fucking facts.
Dammit.

Seriously though, thanks. It is interesting to see just HOW FUCKING FAR OFF the claimed numbers are to the real numbers. I suck at math so I've no idea how many orders of magnitude they are off by, but it's fucking fantasy land for certain.
32TB vs. 1.2GB and seems rather benign compared to the sensationalism.
Thanks for putting things in perspective.

Media and politicians, repeatedly shooting themselves in the foot repeatedly for our amusement and bemusement.....

Re:Betaarchive admin official statement

[K.+S.+Kyosuke]

The folder itself was 1.2GB in size, contained 12 releases each being 100MB. This is far from the claimed “32TB” as stated in The Register’s article, and cannot possibly cover “core source code” as it would be simply too small, not to mention it is against our rules to store such data.

I though "too small" was Oberon's 12 kLOCs, but 1.2 GB or archives? Jevons' paradox at work right there...

In other news

[somenickname]

In other news, thousands of programmers appear to have gone blind and insane while screaming, "The Spaghetti! The Horror! It burns my eyes!"

Re:In other news

[fabioalcor]

Oh no! This is the Spaguetti Monster of that church everyone thought was created for mockery, BUT NO, THEY WERE RIGHT ALL THIS TIME! WE'RE ALL DOOMED!!!

Re: In other news

[Ukab+the+Great]

Is having 32 TB of Microsoft code the crime or the punishment?

Re:MICROSOFT CLOUD STORAGE

Don't worry, it "plays for sure!!"

Irony

[TheOuterLinux]

Source code for Window$ leaks and people freak like it's going to be used for exploits. A little late for that, don't you think? Yet, Linux developers release their code intentionally as open source and typically, the complete opposite happens.

How do you search multi terrabytes of source?

[Latent+Heat]

How do you find anything in thirty two or whatever number of terrabytes? Are their algorithms to search for certain patterns?

Re:How do you search multi terrabytes of source?

[gravewax]

there isn't 32TB of source, I doubt there is even a gb. it is all just a bunch of private/alpha and prelease builds together with all the debug symbols etc.

A major boost for Linux

Kind of like when IBM pushed source code belonging to SCO into Linux.

Don't run Windows

Run OS X

Open source

Stallman buys Microsoft since it got open sourced.

In a surprising development to the business world

[ZoomieDood]

Microsoft has moved to the open source license model!

Reminds me ...Apple leaks.

Yup, just look at all the APPLE leaks. OS source code everywhere.

Audit it for anti-competitive routines

I wonder if there are still secret "DOS ain't done 'till Lotus won't run" type traps in there anywhere. These days those would probably be aimed at things such as Firefox, Chrome, interop with competitors' cloud solutions vs. OneDrive, etc. ..and a real goldmine would be UEFI related stuff, or power management (Microsoft had intentionally made ACPI buggy and obtuse in order to discourage reliable Linux power management on laptops, if I recall correctly, years back when those standards were forming).

careful, MS software has a viral license

if you make derivative software from this MS software, that derivative software is under the same license (meaning copyright).

That's right, copyright itself is a viral license. Horrible isn't it.

Whew !

[harvey+the+nerd]

A first glance of the headline, I was worried that they were insinuating that the 10.x builds toward toward Win 11 were in the neighborhood of 1 TB....

Waste

[Air-conditioned+cowh]

What a horrific waste of valuable hard drive space.

Use it to build a fucking non-updating distro

[iamacat]

Every time I try to use a Windows laptop that I keep for Steam/Oculus games, it needs to install updates, or has installed updates and lost my game progress, or asks me to adjust my privacy settings for Windows 10 whatever edition. With source, one can presumably build a non-nagging distro with working DirectX and live free of this crap?

Re:Use it to build a fucking non-updating distro

[dwywit]

Start, run, services.msc
Scroll to Windows Updates
Right-click, stop
Right-click, properties
Select startup type, choose 'disabled', apply
OK, close

Happy now? Don't even need to reboot. Wow, didn't even need a command prompt to make that happen (although you could it that way if want to).

You can visit wsusoffline once a month or so - at *your* convenience, to download and install updates. BTW, you should donate a dollar or three to the site if you find it useful (not my site, just a happy user).

FWIW, mint and ubuntu also nag (albeit politely, and without forced reboots*).

* you can find the reboot trigger in Window's 'Scheduled tasks' and change the parameters, including when to reboot.

Total fake news, and will get BA shut down :(

Beta Archive is a huge resource for beta/abandoned/other material archiving, primarily of unusual windows builds (Think all the pre-Win2k/XP/Longhorn era stuff), as well as backups of other media at risk of being lost.

The trade something new for access attitude is kind of old school, but it has served well in increasing the quantity and quality of available material on the site.

My only hope at this point after all these dumbasses have reported on it and shined a bright light that will engender many C&Ds if not lawsuits against it, is that somebody has mirrored the most unusual of its files to other websites/torrents/etc and will ensure it is available in the future.

Also in case anyone with betaarchive ftp access is reading this: Can you please double-check if the SWG source code up in the http://www.mrpijey.net/betaarc... directory tree on ftp is just the leaked nge code, or if it is the Pre-CU/CU source code and/or media assets, and ensure a duplicate of it makes it onto torrent sites (ideally I2P) before access to it is lost forever! If you need to verify the archives, try tracker2.postman.i2p (via a browser configured use i2p-router or i2pd's http web proxy to access I2P darknet addresses) and search for 'swg-src.zip' or 'swg' to find out if it is the same code mirrored on BetaArchive! Now is the time to protect and mirror these works, before, like a virtual burning of the Library of Alexandria, the data contained within is irrevocably lost to the annals of history.

Bonus points if you can mirror large swaths of that data and see to it that it ends up on a darknet mirror before the site inevitably shuts down as a result of all this attention!

Leaking source code

[callahan2211]

Did they give it to James Comey?

Followup:

BA only has ~16 terabytes of online storage. The majority of the data on the site (everything past 7-10TB is Win10 iso builds and heavily deduplicated, since almost everything is decompressed to help make deduplication easier.) Mirroring it would be easy if someone had a half dozen 4TB+ drives with a deduplicating filesystem.

Relax...

[Lussarn]

Relax! Our most valuable and most secure operating system is out there for free! How am I suppose to explain that?

I don't know... Say it was all part of the plan!

Re:Relax...

Tron Legacy quote for the philistines who don't get it

Re:I know it was you Comey. Horrible. Horrible.

[Z00L00K]

What would be horrible would be if the Microsoft Certificate server was compromised allowing anyone to create certificates in the name of Microsoft using their private key.

On the other hand - if that happened we wouldn't be told because it would compromise every Windows computer out there.

Probably should read this first....

https://www.betaarchive.com/forum/viewtopic.php?t=37283

Level-playing field

... PnP code, its USB and Wi-Fi stacks, its storage drivers ...

Remember those Enterprise Partnerships where Microsoft demanded manufacturers show them the firmware code, then suddenly, the hardware wouldn't work with the latest MS operating system? Microsoft can't do that anymore.

Finally!

finally.

Not sure - Look at the source code!

Not sure - Look at the source code!

Eagerly waiting

[kelanos]

For the real story to be mined out of this trove.

I predict we will see that consumer and small business software is heavily back-doored while corporate software is less so.

Obviously

There is no way for me to trust that some leaked source code has anything to do with whatever runs M$ code on my machine. I would have to dump all the software I have on my machine, and then, keep doing that to make sure, there isn't anything foreign there.

Relatively simples to do....

You can usually compile the source and match it to the binaries - something new or different would then warrant further investigation. Depends on the compiler used for the output, and the binary matcher (probably diff would suffice!) but it wouldn't be too difficult to get the basics up and running.

Then it's just a case of looking for the differences that pop up, and working out why they're different.

(this assumes you have enough source code to produce binaries, and the same compiler/etc)

Re: Relatively simples to do....

Never heard of the Ken Thompson Hack?

Winbeta themselves have refuted almost everything

[Artem+S.+Tashkinov]

Source

The Register article has got BetaArchive a fair amount of attention this evening. They claim, and I quote âoe32TB of Windows 10 internal builds, core source code leak onlineâ.

First of all let us clear up a few facts. The âoeShared Source Kitâ folder did exist on the FTP until this article came to light. We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out and it is deemed acceptable under our rules.

The folder itself was 1.2GB in size, contained 12 releases each being 100MB. This is far from the claimed âoe32TBâ as stated in The Registerâ(TM)s article, and cannot possibly cover âoecore source codeâ as it would be simply too small, not to mention it is against our rules to store such data.

At this time all we can deduct is that The Register refers to the large Windows 10 release we had on March 24th which included a lot of Windows releases provided to us, sourced from various forum members, Windows Insider members, and Microsoft Connect members. All of these we deemed safe for release to BetaArchive as they are all beta releases and defunct builds superseded by newer ones, and they were covered under our rules.

If any of this should change we will remove these builds from the FTP and we will happily comply with any instructions to do so by Microsoft.

With regards to the BBC article http://www.bbc.co.uk/news/tech... about two Britons that have been arrested following an alleged Microsoft hack, we donâ(TM)t believe there is any connection with this alleged âoeWindows 10 core source code leakâ.

Update 09:58 GMT 24/06/2017 A spokesperson for Microsoft contacted The Register and said: "Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners."

Really hope...

[hcs_$reboot]

Really hope Win 10 pure source code is way less than 1 TB, or that system is even more crappy than I thought, reusing old code as is, putting bandage on it to get something runable.

Hey Moron, you can stop now... apk

See subject: I see you also attempted to impersonate me https://it.slashdot.org/comments.pl?sid=10780983&cid=54678569/ there too.

* Grow up - get a life, loser!

APK

P.S.=> Moron... apk

Software freedom still missing

[jbn-o]

But the freedoms of free software are still missing. Having a snapshot of what Windows code looked like at one time doesn't grant one the freedom to improve that code, distribute (including commercially) that code (or a variant of that code), and thus control one's computer or help one's community by distributing improved code.

Code can change (so can undocumented backdoors)

[jbn-o]

Until Microsoft changes the source code to do something else. That's the thing about source code: people alter it and make programs do different things, so we need the freedoms of free software to control our computers, help keep people honest, and treat each other ethically.

Time for MS to give up and open a GitHub repo...

[mi]

Maybe, it is time for Microsoft to follow the NSA's recent example and just open-source their proprietary code...

Re:I know it was you Comey. Horrible. Horrible.

Fortunately, they use proper HSMs and whatnot, so even compromising their CA system couldn't get you the private key.

Re:Time for MS to give up and open a GitHub repo..

[beuges]

Here you go:
https://github.com/Microsoft

Is this a Git issue? They just switched.

[filesiteguy]

I know this may seem coincidental, but I recall MS just recently switched to Git for their source code. Wonder if one of their Linux servers were running unprotected.

And nothing of value was lost.

Mic drop.

Re:I know it was you Comey. Horrible. Horrible.

Woohoo! Maybe we can start fixing some of those assertion Microsoft left laying around for the last 20 years or so!!

Re:Probably a Compromised Linux Server

[hcs_$reboot]

And after digging deep into the 32 TB, what when they finally find out that the innermost GB is a Linux kernel...

And

nothing of value was lost...

Hell has frozen over

Microsoft has gone open source ;)

Re: Slashdot Reader Logic

Did you learn that via the Hasbara?
I bet your proctologist says, "Get your head out of your butt!", when you first walk into his office.
Now that I've stooped low enough to communicate with you on your level, I find your religion related comment is off topic, conjecture based, and blatant bigoted. I'm sorry for you, of you've suffered the tragic experience of being a feral child raised and educated by a pack of rats. I'll pray for your enlightenment, the rest is up to you. I suggest you repair your warped knowledge be reading the Torah, Gospel of Jesus, or Qur'an with an open, unbiased mindset.