Microsoft Source Follow-Up

shystershep writes "It's official. Microsoft admits that 'portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet.' No more details, although it seems clear that it is only a portion of the code. Microsoft is, naturally, downplaying its impact, while everyone else is busy speculating about how serious this could get." A lot of you apparently haven't read yesterday's story. An investigation of the code is already underway.

Source of the leak

[cyt0plas]

There are a number of empty .eml files in the archive. While their FTP server looks like (didn't check) it is running a vulnerable version of wu-ftpd , it seems more likely Nimda got to them first.

I wonder what the final MS press release will name as the cause. "Evil Linux Hackers", perhaps?

BBC Q&A

[MoonFog]

BBC also has a Q&A [bbc.co.uk] on the recent event, including thoughts on how this may impact Microsoft themselves.

Microsoft has said that this represents about 15% of the total source code for the operating system. It is not enough to recreate the operating system.

Re:So the question is

[MoonFog]

Actually, it's supposedly only 15% of the source code. See here [bbc.co.uk].

Re:source out on the open

[dtfinch]

Groklaw has warned that anyone who gains access to the Windows source, whether or not they actually read it, may legally impair their ability to make contributions to open source resembling anything that exists in Windows.

Re:Of course!

[serfx]

yes that torrent file was only 205 meg's
Yet if you read yahoo news, they acctually mention that the amount of souce code that was "released" was acctually closer to 650meg. you can read it here [yahoo.com].
making todays statements mostly obsolete, or just re-hashes of older comments (wow its already a re-hash, noi pun intended)

wu-ftpd vulnerability strikes again!

[Exmet Paff Daxx]

"The leaked code includes 30,915 files and was apparently removed from a Linux computer used by Mainsoft for development purposes.

Clues to the source code's origin lie in a "core dump" file, which is left by the Linux operating system to record the memory a program is using when it crashes. Further investigation by BetaNews revealed the machine was likely used by Mainsoft's Director of Technology, Eyal Alaluf."

Wow, Microsoft's first source code leak in history came from running Linux. And they traced it because Linux's core files make forensics trivial!

I'm betting there's a lot of folks in Redmond right now saying: "who the hell decided to put Windows code on a Linux box?!!!"

P.S. Eyal is screwed, right?

Re:source out on the open

[Krunch]

The link to the Groklaw's article is here [groklaw.net].

Source was Mainsoft - and from a Linux machine

[blorg]

"Evil Linux Hackers", perhaps?" Ironically, there is a Linux connection. Betanews is reporting [betanews.com] that an analysis of the leaked Microsoft code indicates that it came from Mainsoft [mainsoft.com], specifically a Linux machine belonging to Mainsoft's Director of Technology.

Mainsoft specialise in cross-platform development, enabling devlopers to develop using MS tools for deployment on *nix. Interestingly, for the conspiracy theorists, their previous mentions [slashdot.org] on /. date from 2000 and center around rumours that they were porting Office and IE to Linux. More news on the leak from Internetnews.com [internetnews.com] and The Register [theregister.co.uk].

The code is said to be W2k-SP1.

Re:So the question is

[MoonFog]

From the article:
The Windows 2000 code is a 203MB chunk that expands to about 600MB - enough to fill one CD.

Microsoft has said that this represents about 15% of the total source code for the operating system. It is not enough to recreate the operating system.

What's vague about this ? I agree they don't say WHICH 15%, but it's clearly win2k they are talking about.

Re:Lesson for the kids out there

[prostoalex]

My bad. In my Fire$ANIMAL browser I had two tabs open, quoted the wrong one. The quote actually belongs to Jupiter Media analyst Joe Wilcox [microsoftmonitor.com]:

Folks who have seen the code report quite a few profane remarks by developers. Microsoft typically sanitizes comments for source code used in the Shared Source program. That the code contains these remarks has Microsoft believing the leak did not come through the Shared Source program.

Re:Swearing?

[omega9]

$ grep -Hirn "fuck" /usr/src/linux/*|wc -l

43

$ grep -Hirn " shit " /usr/src/linux/*|wc -l

14

And one occurrance of "piss". There're more, but I''m not spending more then a minute on this.

Windows developers do not read GPL source

[Anonymous Coward]

Microsoft has a company policy that Microsoft developers may not read GPL source. They have this policy precisely to avoid this type of contamination.

'Independent invention' generally does not happen in the domain of copyrighted works -- if the developers of B have never read the source of A, or anything derived from A, it's pretty sure that B will not look like A. Thus, if Microsoft's employees and contractors follow their policy, then no Windows code will look like any GPL code, ever.

What about the .eml files?

[enosys]

What about the .eml files? You wouldn't have those in Linux.

Re:So the question is

[confused one]

It's reportedly Windows 2000 Service Pack 1. That's why it's not complete -- it's the code necessary to create the components of the service pack

The Kiss of Death

[This is outrageous!]

Compare this: [yahoo.com]

"It seems unlikely this is going to create a material, significant security problem," said Rob Enderle, a technology expert and principal analyst with the Enderle Group.

and that: [daringfireball.net]

Speaking of jackasses, how about technology industry "analyst" Rob Enderle? Enderle is both:

• Frequently quoted in major mainstream media
• Nearly always completely wrong (at least regarding Apple)

Re:Is there any GPL Violating Software in it?

[slipgun]

Has any one taken a look to see if the old rumors that Win2K is more stable because it uses open source code is true? If so, would that make Microsoft in violation of the GPL?

If they're using GPL code, yes. They already use open source code, and admit it freely - however, it's licensed under the BSD license, and hence can be distributed in closed source systems.

(Someone correct me if I'm completely wrong, but I think that's right).

Re:So the question is

[HiThere]

Funny? Insightful would be better.

I agree the form is of a joke, but the message is the more important part:
So remember folks, don't download it, or look at it, or attempt to build it! It is evil, and answers only to the hand of The Dark One.

Unfortunately, sending one copy to the fires of /dev/null won't solve the problem. Somehow this needs to be guarded against without looking at it. In this, it's more like a basilisk than the ring, but a mirror won't answer this one.

Re:Open != Secure?

[tuffy]

So - which is it? Is closed-source or open-source more secure?

In theory, open-source should be more secure because it can be fixed by anyone. This leaked-source cannot be fixed by anyone but Microsoft, but can be exploited by anyone.

Re:a favourite from tweakui.h

[Anonymous Coward]

Background [quinion.com] on Hungarian notation, in case people don't get what this C comment (probably) refers to.

Re:You Should Not Be Cheering

[pirhana]

>> Linux and other open source software aren't targetted, not because of the quality of the code, but because less people use it.

When would people stop this bullshit ? This has been answered by many. I would repeat it . Why there is more vulnerability/attack against IIS than Apache ? why track record of IIS is worse than Apache? I am not saying that bigger install base is not a reason for microsoft to be targetted more. But its just ONE OF THE MANY reasons and not the prime one even.

Re:source out on the open

[SamSim]

You can [everything2.com]. The first part, at least.

More details on the Linux machine analysis...

[blorg]

...are provided by noisehole in this post [slashdot.org] from yeterday's discussion. He reckons [slashdot.org] Betanews lifted the analysis from his post.

DOWNLOAD IT HERE

[Anonymous Coward]

At least one of the 200mb files here [canaljuizdefora.com.br] on the download section.

Re:Security through obscurity?

[truthsearch]

This is very insightful. I've been writing a Windows 2000 service for work. It's in .Net and uses COM components. I can not count how many times I get COM failures with no system errors being raised ("Method '~' of object '~' failed" is the only message we sometimes get, how useful...). And .Net doesn't raise any errors at all on COM failures, so my application has no way to recover or even know something went wrong.

If they can't even trap and raise errors correctly I can't begin to imagine what a mess some of that code must be like inside.

Re:Winsock API Included.

[Kremit]

I've used the one available here [eae.net] a few times.

Re:Winsock API Included.

[AzrealAO]

Rumor is GNU style Makfiles (which isn't illegal) and parts of gnu autoconf (which I suspect is illegal, if they actually include it in the OS).

Of course there are. This source code leak came from a company who ports Windows software to Unix.

Re:alternate universe

[Cyberop5]

IANAL
Music and literature are art. Code is not art, despite what many think. Its not subject to the same rules. Its more than just copyrights; its patents, trade secrets, et al. Look into Source code and free speech. Wikipeida [wikipedia.org]provides an interesting read about source code and free speech.

THAT old saw again.

[dmaxwell]

For the kajillionth time, putting GPLed code into a proprietary codebase DOES NOT make the whole thing GPLed. If MS did put GPLed code into one of their products accidentally or otherwise and then distributed it, that is copyright violation. The GPL does not rely on contract law and therefore CANNOT specify the penalty for violating it. Since the GPL is a straight copyright license pure copyright law applies. This means MS' hypothetical penalty would be between them, a court of law and the aggreived FOSS project.

The judge is such a case is unlikely to order MS' codebase GPLed. MS would have to either put out a sanitized patch for the code in question or pay the developers for an alternative license. The exact circumstances of the case would determine what if any punitive damages MS would have to pay in addition to recompensating the developers.

MS would have the OPTION of making the entire contaminated codebase GPLed to satisfy the license but I doubt they would take that option. They could do it for the FUD value but since the aggrieved FOSS project wouldn't accept that as a settlement, MS would just have to do something else. Imagine that! A FOSS project could rule out an MS product being GPLed to PREVENT harm to a project or FOSS in general.

Re:More FUD within FUD?

[Etcetera]

What would the Microsoft source code be doing on a Linux machine? Mainsoft ports applications from Windows to Unix, not Linux. IE and WinAmp are two examples that they've ported.

...If this is the case, Mainsoft was porting Windows applications to Linux as well as Unix.


Umm.. did we not click on our links today? The article linked to has a big, fat link to the MainWin product page [mainsoft.com] which states, in part:

Visual MainWin is an enterprise-class application-porting platform that enables software developers to develop C++ applications on Windows using Visual Studio and deploy them on Unix

and Linux. Visual MainWin is a complete cross-platform solution that speeds development and deployment. Developers will also appreciate Visual MainWin's J2EE Integration Package and industry-leading XML support. And it actually recompiles Windows source code with the Unix compilers to create native Unix applications.

I think it's certainly safe to assume that they were compiling on a box.

Re:Winsock API Included.

[Anonymous Coward]

pointing to a Linux machine likely to have been used by Mainsoft technology director Eyal Alaluf.

Eyal Alaluf! http://www.mainsoft.com/images/exec_profiles/Eyal. jpg [mainsoft.com]

So much for "Security through Obscurity"

[mgpeter]

I have read a few articles on this, and most misrepresent why this could be very bad from a security issue as compared to Open Source Software.

First, just because you can see the code does not make a product less secure (in theory anyway). With Open Source Software, everyone can see the code and find flaws, but anyone can also submit a patch to fix the flaws.

With this Microsoft source code, anyone can find flaws and security issues, but NO-ONE would dare to send Microsoft a patch in fear of litigation.

Re:You Should Not Be Cheering

[the_mad_poster]

Yay for ignorance! Alive and well on Slashdot!

Quick! Give me an answer as to why the juciest targets are almost all running Linux/BSD/Unix but a bunch of crappy Windows machines with no strategic value what-so-ever are the constant victims of widespread, non-spam worms and viruses (I'll give benefit-of-the-doubt to Windows in the case of spam worms because of the need for wide deployment which makes Windows the perfect target)?

Oh, you can't give me an answer? That would be because no matter how hard you try, Windows is a homogenous environment with minimal control given to the system owner, whereas the *nix philosophy of piece-mealing a system means it's difficult to find well-maintained *nix systems that are reasonably similar such that a single exploit would work effectively across all of them. This is something *nix figured out 25 years ago. It's something Microsoft is just beginning to understand and incorporate into things like Win2003.

Oh, and of course there's always the fact that Windows is built on an inherently flawed philosophy of consumer marketability above all other concerns. Translation: If you care about network security, Windows sucks. Deal with it. Stop making unsubstantiated, lame brain excuses that don't even have so much as anecdotal evidence to support them. I'm tired of making excuses for it. Again and again Microsoft has proven that they can't be trusted when security is of any concern at all. If you can't recognize the pattern they developed over the last 15 years for themselves, that's YOUR problem, but don't bring your apologizing attitude over to Linux which has a pretty damn good track record.

I'll bet MY bottom dollar on all of THAT, thank you very much.

Re:This may sound crazy, but M$ would likely gain.

[Nimloth]

Longhorn is 6.0.

Won't be much time differential anyway...

[Anonymous Coward]

Windows 2000 support is set to expire in 2007 anyway... One year won't make a difference. That's assuming longhorn is out in 2006, which I think is a dubious claim.

Re:Entertainment value of media "experts"

[eddy]

It should be noted that the Didio quote as since been removed from that article, but here it is for those who missed it. Don't ever forget this one, this is straight from Yankee Group [yankeegroup.com] and they should not be allowed to get away with it without a public apology IMHO:

"With the open source community, there are a large percentage of tinkers and 'ankle biters' who are trying their hand at hacking. Some are even communicating with each other. So it only takes one or two of these groups sharing information to be able to pull something off. When you have this type of passion, it's hard to fight because these people are like virtual suicide car bombers."

Is this people you'd want to buy services of? I don't consider myself "PC" in the least, but this is so fucking wrong and off the track it's not funny.

Re:A question about source and product size

[Vexler]

No, not comments. Those are just ignored when the source is compiled and then passed through the linker. You only get to see the comments when you have the source. (The machine wouldn't understand them, anyway.)

Microsoft does have its own proprietary file compression format called ".CAB" file that can hold amazing amount of stuff. I don't know what the ratio is, though.

But since all their work is closed-source, we are ultimately speculating.

Re:Entertainment value of media "experts"

[paco verde]

Here's some general contact information for Yankee Group off their website:

Media Relations and
General Inquiry
Kim Vranas
Director of Marketing
kvranas@yankeegroup.com
Voice: 617.880.0214
Fax: 617.210.0014

MainSoft statement

[theCat]

This is from their web site:

Statement to the Media Regarding Microsoft Source Code Leak

Mainsoft has been a Microsoft partner since 1994, when we first entered a source code licensing agreement with Microsoft. Mainsoft takes Microsoft's and all our customers' security matters seriously, and we recognize the gravity of the situation.

We will cooperate fully with Microsoft and all authorities in their investigation

We are unable to issue any further statement or answer questions until we have more information.

From Mike Gullard, Chairman of the Board, Mainsoft Corporation

Re:Traces back to Mainsoft?

[Blob Pet]

They indeed did port IE to UNIX and include in there development kits. I think it's hightly possible to port office through Mainsoft (I know notepad was lol), but judging by the performance of apps ported to Unix via mainsoft compared to their native windows performance, I wouldn't touch it with a ten foot pole.

Re:Winsock API Included.

[br0ck]

Mainsoft has released a short statement [mainsoft.com] which sounds like an admission that the code did indeed come from them.

Statement to the Media Regarding Microsoft Source Code Leak
Mainsoft has been a Microsoft partner since 1994, when we first entered a source code licensing agreement with Microsoft. Mainsoft takes Microsoft's and all our customers' security matters seriously, and we recognize the gravity of the situation.

We will cooperate fully with Microsoft and all authorities in their investigation

We are unable to issue any further statement or answer questions until we have more information.

From Mike Gullard, Chairman of the Board, Mainsoft Corporation

MS is getting what they signed on for

[killmeplease]

Having the most widly used program in the world be closed source opens a company up for all kinds of problems. But this is to be expected when the source is also vital for low-level system developers to make programs that access the OS. MS can only have it both ways (Closed source, large software development community w/ source access) if they monitor computer security for any company with source code access.

It is impossible for every company to be unhackable and have every developer be moral and ethical. We already discussed that programmers leak confidential information about abused welfare children, Apple system APIs, and that large companies like Valve can get hacked and lose the source to a video game with huge development costs. Isn't it safe to say that the leak of this source is innevitable. I would be really interested to see if a lawyer could prove that this is an innevitable incedent and MS should have assumed a liability like this would occur. What were the minimum req. of the code repository and network security?

The other side of the coin is that MS can sue Micro**** that leaked the code for the 3 years of support on W2k that they are going to be at risk with over possible security threats because any hack can now create breaches in security, with the ability to see where buffer overflows are created in the code and such.

Re:alternate universe

[mitherial]

"The Unfinished Sonata" by Orson Scott Card, recently republished in tradepaperback form of his "Maps in a Mirror" short-story collection. Haunting tale.

Re:alternate universe

[Ironica]

apparently, we can't look at other peoples copywritten music without 'taining' our ability to write original music.

In the realm of natural language, there are literally thousands of ways to express similar ideas. Music is slightly more limited, but still has at least hundreds (if not thousands) of valid permutations for melodies within the same key.

A good programming language may give you as many as three or four different ways to do the same basic thing. You might wind up with a couple dozen different useful algorithms for the same function, but probably only one or two will emerge as clearly superior in speed, stability, and flexibility.

Therefore, it is far, far easier to "accidentally" duplicate code than a song. And it still happens in music... people hear a song, and then a while later subconsciously imitate it when creating their own music. They may have it come back to them in a dream and never realize that it's based on something that already exists. And copyright cases have been lost over such things.

Market predicts it?

[Knights who say 'INT]

I think everyone has seen the creepy creepy creepy plunge the S&P 500 has taken the September 10th, 2001.

But just looky at the MSFT [barchart.com] chart, specially if compared with the S&P 500 chart plot [barchart.com] for the same period.

MSFT has dived a whole 10% in one week.

Yes, it's nothing as obvious and strong as the September 10th mini-crash, but leaked sources don't exactly mean the same as the world as we know it being under attack.

Just clicky the charts.

This Sentence From The Investigation:

[Master of Transhuman]

The leaked code includes 30,915 files and was apparently removed FROM A LINUX COMPUTER USED BY MAINSOFT FOR DEVELOPMENT PURPOSES.

BWAHAHAHAHAHAH!!!! They're using a Linux box to write Windows-compatible code? Or maybe it's their CVS server?

My real question is:

Has anybody examined the Windows code to see HOW BAD IT IS? I mean, with all those 24-year-old Windows programmers Bill hires, I'd like to see the code quality.

Re:Is there any GPL Violating Software in it?

[Talinom]

I am woefully ignorant. Will someone please clue me in? How would you know that they are using GPL code unless you violated their TOS to look at their code? Or does the fact that it is out there already protect anyone who looks at it for this specific purpose?

Is one person going to take all of the heat and "find" all of the GPL code, or would the courts rule that it was inadmissable as evidence or something?

Re:Windows developers do not read GPL source

[addaon]

Just tokenize the source and search that... perfectly easy to search for i, or j, or even 1 or 0, with no false positives. There are more programs out there that do this than that check e-mail, I suspect.

Re:alternate universe

[CaptainCarrot]

...copywritten...

...copywright...

Gah! I know it's OT, but I can't stand it anymore!

The legal protection for creative works is copyright, as in the right to copy. A work that's protected by copyright is said to be copyrighted

Someone whose job it is to write advertising material and press releases, which writing is commonly called "copy" in those businesses, is a copywriter. Such copy isn't said to be "copywritten", but merely "written". There's no such word as "copywritten".

Someone whose occupation it is to create a thing is called a "wright", as in "wheelwright" or "playwright". (No, not "playwrite". Yes I know that plays are written down, but that's not what we say.) "Wright" here is related to the past tense "wrought", which we almost never hear nowadays except as an adjective, as in "wrought iron". There's no such thing as a "copywright".

Thiests & Science

[Sivaram_Velauthapill]

You either the follow the path of science or you don't. Everything in between is hypocrisy.

What the theists say (and what you claim in your last paragraph) is true. BUT 99% of science is like that. The vast majority of science is THEORIES (not laws; not facts). You cannot really "prove" many things. For instance, can you prove that the radiation and light emitted by the sun is due to nuclear reactions occuring within the sun? Not really. We have never gotten through the surface (any probe will melt long before it gets through the surface). All we have are theories. For all we know, there might be some aliens living in the center of the sun might be responsible for relasing the radiation and heat.

Can you prove that the techtonic plates underneath the surface of the earth causes earthquakes? Not really. It's just a theory. It's based on our best understanding.

Can you prove that matter is made up of particles? Not really. It's all based on indirect observation and theories. The way things are going, it might even be so that particles don't exist*; all you have are strings. Strings cannot be "proven" but that seems to be our best theories right now (actually, strings haven't been widely accepted yet; however, I expect them to be accepted within 20 years).

The same thing goes for theories relating to biology. Yes, you cannot prove the theory of evolution, natural selection, or anything like that. But that's our best models.

So the point that you are making (i.e. need to emphasize appearance) is totally irrelevant. Stricly speaking, 99% of science is appearance. If you follow the path of science, the theist argument of "evidence" is moot--because you hardly ever prove anything (even observational evidence can be wrong). If anything, the theists will disagree EVEN if someone observed it. After all, theists still don't support the view that the universe is billions of years old (religion says a few thousand (Christianity) to a few million (hinduism)--all wrong).

FOOTNOTE:

* By particles not existing, I'm referring to the view that everything in the universe is composed of strings (re: superstring theory; M-Theory). What we thought of as particles are the results of the oscillation of the strings. NOTE: I'm not a scientist but that's my understanding of it.

Sivaram Velauthapillai

Re:You Should Not Be Cheering

[Anonymous Coward]

From cpngfilt.cpp:

// BUGBUG we really should preserve the full 16-bit values
// for proper transparent calculation but our main client,
// MSHTML, doesn't preserve the RGB values at 16-bit resolution
// either so it doesn't matter.

Working torrent for NT source

[Anonymous Coward]

http://torrent.spyderlake.com/download.php?info_ha sh=66a26447f563c3dc2336de74ae37dc14d11dd8b9 [spyderlake.com]

windows longhorn source code

[Anonymous Coward]

As well as the nt4 and 2000 source code, part of a recent build of longhorn has had its source code leaked too.

edonkey/overnet url:

ed2k://|file|windows longhorn build 4008 source code (partial ).rar|1357906140|dba2a19a3c822837ad6ade3b7f178862|

I don't know of any torrents. If anyone finds one, please reply to this post with details.