32TB of Windows 10 Internal Builds, Core Source Code Leak Online

According to an exclusive report via The Register, "a massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online." From the report: The data -- some 32TB of installation images and software blueprints that compress down to 8TB -- were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the data has been exfiltrated from Microsoft's in-house systems since around March. The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code. Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. In addition to this, hundreds of top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked along with copies of officially released versions.

32TB?

[ArchieBunker]

Going to need a new storage array...

Re: 32TB?

[KGIII]

It isn't that interesting. Save the space. They are mostly just builds from the Insider Program, according to the folks with the actual data.

Re:

[KGIII]

This has now been verified by multiple independent parties.

Re:

[Hylandr]

It's false.

Just the early preview versions.

Re:

[KGIII]

That's what I said. ;-) Though two folks have said there's a proprietary debugger. I am not sure of the validity of that one.

Re:

[KGIII]

There doesn't actually appear to be any source code in the files. Multiple parties have gone over it. It's just Insider Program builds, some tools (that may be handy - as they are special debuggers I guess), and a whole mess of internal nightly builds.

I haven't downloaded the files, but those who have checked it out are people that I'm inclined to trust - based on history. It's largely nothing. The debugging tools may reveal something and someone, with enough time, may be able to disassemble binaries that w

Re:

[ArmoredDragon]

I'd be more interested in finding out what the telemetry data actually contains.

Re:

[Anonymous Coward]

Don't worry, reports say 31.9TB is just their "phone home" technology.

Re:

[Z00L00K]

Going to need a new OS because now the malware creators have the ability to find yet undiscovered security holes and utilize them.

Re:

[scatbomb]

Going to need a new OS because now the malware creators have the ability to find yet undiscovered security holes and utilize them.

Oh really? Is that what they meant in the summary by: "Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide."? Thanks for your insight.

Re: 32TB?

[cyber-vandal]

Better not use Linux or FreeBSD. I hear they let anyone look at the source.

Re:

[gweihir]

They had that capability before. It may not even have been that much more effort. Reviewing source-code is time-consuming, demanding and expensive.

Re:

[danomac]

Or, oddly enough, the opposite might happen. Maybe someone will actually submit patches to fix all those bugs.

Neat.

[Anonymous Coward]

Maybe it tells us the secret to shutting down a laptop using ACPI in a way that doesn't drain the battery dead 2 hours after it "powers off" using Linux

Re:

[aliquis]

Or why the machine can't wake up if I let it park the CPU in Windows 10 but it worked fine in Windows 8.1.

(Phenom X4 9850 on ASUS 790FX board.)

Re:

[sound+vision]

I have the same Phenom, with an Asus M2N-SLI Deluxe board. The BIOS has an option for "C1E support", which sounds similar to your "CPU parking" - turning it on makes the system fail to boot. I don't remember exactly where the failure happens, but it's before GRUB can bring up the boot menu.

Re:

[aliquis]

I said CPU parking because I don't know the name of it.

There's S1 and S3 and one is a a deeper sleep than the other and with the deeper sleep the CPU fan turns off as-well among other things but if I use that one then the machine can't be started without a cold reboot again. It used to work in Windows 8 but doesn't in Windows 10.

M3A32-MVP Deluxe and .. yet another one is what I have.

I know it was you Comey. Horrible. Horrible.

[Anonymous Coward]

Really very, very horrible. Really horrible. Very very not good at all, let me tell you. Leakers on any media, horrible. Don't watch that video.

Betaarchive admin official statement

[ark1]

https://www.betaarchive.com/fo... [betaarchive.com]

Seems The Register story may not be accurate, or if you prefer FAKE NEWS!

Re:

[pslytely psycho]

Ah, shit, you just had to go and ruin a good story with fucking facts.
Dammit.

Seriously though, thanks. It is interesting to see just HOW FUCKING FAR OFF the claimed numbers are to the real numbers. I suck at math so I've no idea how many orders of magnitude they are off by, but it's fucking fantasy land for certain.
32TB vs. 1.2GB and seems rather benign compared to the sensationalism.
Thanks for putting things in perspective.

Media and politicians, repeatedly shooting themselves in the foot repeatedly for our

Re:

[K. S. Kyosuke]

The folder itself was 1.2GB in size, contained 12 releases each being 100MB. This is far from the claimed “32TB” as stated in The Register’s article, and cannot possibly cover “core source code” as it would be simply too small, not to mention it is against our rules to store such data.

I though "too small" was Oberon's 12 kLOCs, but 1.2 GB or archives? Jevons' paradox at work right there...

Re:

[Z00L00K]

What would be horrible would be if the Microsoft Certificate server was compromised allowing anyone to create certificates in the name of Microsoft using their private key.

On the other hand - if that happened we wouldn't be told because it would compromise every Windows computer out there.

Oh no, security problems might be found!

[Anonymous Coward]

Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide.

You mean like.. BSD and Linux? Sounds like the way it should be -- the security by obscurity fad faded a long time ago.

Re:

[Anonymous Coward]

security problems in Linux and BSD aren't usually found through source code analysis, they are found through crashes, fuzzing, errors etc. source code analysis is painful and slow by comparison though the source code can make generating the exploit once you have found the vulnerability much easier.

Re:

[vux984]

the source code can make generating the exploit once you have found the vulnerability much easier.

That's an understatement.

Re:

[gweihir]

Actually, it is not. In many cases the source will not help the attacker much or at all. It does make fixing a vulnerability a lot easier though.

Re:

[gweihir]

I actually have hands-on experience in this area. What the general public thinks and what actual experts know is often quite a bit different. This is one such case.

Re:

[jimtheowl]

They are certainly fixed by first going through an analysis of the offending code.

But even though code analysis is painful and slow, it doesn't stop the OpenBSD people and others from doing some, historically demonstrating good results for their efforts.

Re:

[jimtheowl]

It is relevant for at least the following reasons:

The OpenBSD project has a proactive approach to security https://www.openbsd.org/securi... [openbsd.org] with people who do what they do because they want to do it.

The Windows model is perpetuate the need for patches so you can make the customer dependent on continuous releases. They never had any intent to procure a secure system and likely never will.

Re:

[K. S. Kyosuke]

Did the SSL bugs have actually anything to do with Linux? I mean, besides the library supporting Linux as one of the systems it can run on.

Software freedom still missing

[jbn-o]

But the freedoms of free software are still missing. Having a snapshot of what Windows code looked like at one time doesn't grant one the freedom to improve that code, distribute (including commercially) that code (or a variant of that code), and thus control one's computer or help one's community by distributing improved code.

Re: Oh no, security problems might be found!

[Bert64]

"Many eyes makes bugs shallow" is not so much the point...
Rather is having a level playing field for everyone, anyone can see the code, good and bad guys alike.

With closed source *you* probably don't have the code and white hat security researchers probably don't have the code, but you have no idea who else (NSA and similar agencies, criminals etc) does. Chances are with closed source those who do have the code are more likely to have hostile motives.

Re:

[thegarbz]

Chances are with closed source those who do have the code are more likely to have hostile motives.

Like the vendor.

old crap

[Anonymous Coward]

It seems they are just a heap of old builds, nothing top secret about them, most interim builds are only valid for a day or 2 till the next one. The Shared Source stuff while not publically available is hardly top secret either with hundreds if not thousands of organizations with it.

Telemetry

[OtisSnerd]

Maybe now we'll be able to find out what the telemetry actually sends back to MS and the three-letter agencies. It would also be nice for some to develop a way to completely kill it.

Re:

[kelanos]

Or another, equally likely, possibility is this is a controlled leak and it's meant to mislead us about the nature of the telemetry.

But this isn't the full source is it? So probably we'll never know. But do we need to? The Corporate Plutocracy is attempting to destroy us all anyway. Until there is a movement against the state, nothing matters but survival.

Standing by to be modded down by cowards who refuse to realize the implications of things like federally mandated education standards, mass surveillance,

Re:

[Razed By TV]

Standing by to be modded down by cowards who refuse to realize the implications of things like federally mandated education standards, mass surveillance, media consolidation, etc.

You must be new here.

Re:

[thegarbz]

If you want to know that just read through these 94 pages: https://docs.microsoft.com/en-... [microsoft.com]

Re:

[OtisSnerd]

I've seen that list before, but I suspect that it's not complete. After all the forced upgrades, and all but pointing guns at their 'customers' to force them to upgrade, I wouldn't trust them to tell me the the color of the sky, let alone believe that the list they posted is complete.

Re:

[thegarbz]

Interestingly the less complete the list is the less care about their collection. The more data that is collected the less likely any database makes sense. The less likely they are able to extract information from it. The less likely I am to be affected if someone dumped the database online.

Code can change (so can undocumented backdoors)

[jbn-o]

Until Microsoft changes the source code to do something else. That's the thing about source code: people alter it and make programs do different things, so we need the freedoms of free software to control our computers, help keep people honest, and treat each other ethically.

Re:

[Rick Schumann]

Hear, hear!

Re:

[sound+vision]

If MS gets away with it because of their market dominance, what's the reason that Apple gets away with it?

Re:

[Anonymous Coward]

Apple/Google got away with it because a phones were a new paradigm without preexisting standards for user control and spying and whatnot. They did shit you would never have been able to get away with on a PC a decade ago, but no one complained because it wasn't a PC (AOL had pioneered the 'walled garden' thing years before and was met with universal derision). Then once phones and their attendant privacy invasions became ubiquitous and the public had gotten used to the idea of being tracked and monitored

Re:

[Opportunist]

The same. They are essentially in the Tablet market what MS is for Desktops. And the phone market they share with a company that's just as bad.

Re:

[oakgrove]

An aside to this thread, as a child of the MS dominated 90s, I sort of dig Android being dominant on phones, Apple having tablets, MS having the desktop, and Linux more or less having servers with a healthy competition in each segment. It's not a perfect situation but it beats the shit of the bad old days when IE 6 was "the internet."
>inb4 everything is just as bad as it ever was or worse

Re:

[allo]

You, Sir, are the worst spy ever. rofl

Are you now happy?

Re:

[allo]

Maybe it's a name and he misspelled Rolf?

OMG

[bfmorgan]

Ooops!

"Many eyes"

[gawdonblue]

Security!

Wait for it: Microsoft Intentionally Leaked It

[DatbeDank]

In an effort to get more people to probe Windows 10 and find software flaws as well as confirm they aren't completely stealing your data. It's like open sourcing your OS without really open sourcing it! /sarcsam

Re:

[Anonymous Coward]

they'll blame it on their migration to git [arstechnica.com] as a way to tarnish linus' name, not the fact they used windows shit server 2k13 to host it on.

Okay....

[SeaFox]

/me goes to the store to get popcorn

32 TB?

[PPH]

How much is it if you skip all the #ifdef BUGS sections?

Re:32 TB?

[haruchai]

How much is it if you skip all the #ifdef BUGS sections?

That compiles down to 640k, just enough for everybody

Too bad

[markdavis]

Too bad it STILL won't tell anyone what is actually on a machine when a binary MS-Windows is installed. You still won't know what back doors, spyware, weakened encryption, "telemetry" sharing, and extra code was injected for the governments. And good luck on building something you will be able to actually install and use. This breech is unlikely to help anyone but black hatters, looking for vulnerabilities.

Meanwhile, grab distro Linux sources legally, see anything and everything you desire, and compile i

Re:

[thegarbz]

I don't know that on any other installation either. I simply trust that any vendor provides me a binary that matches its source code. I and 99.999% of the people using computers have zero ability to audit binaries against source code. And I'm willing to bet you've never done it for your OS too.

Re:

[infolation]

The point is not a personal audit of every line of code, but a network of trust - code that is able to be audited by a network of known individuals who build trust in that code. GNU-Linux, and the code of free software, already relies on the notion of 'standing on the shoulders of giants' and the principle of an auditing process over time is no different. Auditors are motivated to work because they know their contributions build over time to a verifiable and trustworthy system.

It is the complete lack of t

Re:

[markdavis]

+1 insightful
I couldn't have worded it better if I tried.

Re:

[thegarbz]

but a network of trust - code that is able to be audited by a network of known individuals who build trust in that code.

Sorry but the benefit of a network of trust breaks down very rapidly when we actually look at how often projects actually get a security audit (you can probably count them on one hand) and how that audit has absolutely no relevance to the final binary that you download, not to mention the fact that by the time any audit process is finished you'll be very many commits behind.

The level of trust I have for software ranks as follows: Closed source > Open source > Closed source which has reached monopoly s

Security vulnerabilities?

[Graham Wert]

This just in: it appears that many terabytes of Linux and GNU source code have also been leaked to the internet. Anyone who has this information can scour it for security vulnerabilities.

Time for OS/2

[martiniturbide]

Who is leaking that source code??

Re:

[freeze128]

Who *WANTS* it?

Re:

[Yaztromo]

Who *WANTS* it?

I would, if it meant we could port SOM and the Workplace Shell to Linux.

Yaz

Re:

[drinkypoo]

I would, if it meant we could port SOM and the Workplace Shell to Linux.

You can make fvwm work like the workplace shell if you want. Why would you want SOM? You can get a real CORBA ORB if you want.

Re:

[drinkypoo]

You can probably make fvwm *look* vaguely like workplace shell, but I highly doubt you can get it to function like the workplace shell.

No, you can! You can even make it use inexplicable mouse button mappings, just like OS/2!

Re:

[Z00L00K]

Anyone that want a great upload quota on warez BBSes.

How's that Windows Security?

[mpapet]

Hahahahahahaha!!!!

This happened in the '90s

[magusxxx]

Some of the Windows code was released. It was downplayed. But everyone had a good laugh at the notes which were left in it like (language cleaned up and paraphrasing.): My personal favorite..."Why was this section added?" - "Because someone is doing something way above our pay grade." - "Take this out! It could be exploited" - "It's been two years, why is this still here?" - "This was put in for a reason. Don't take it out again." - "I removed it because It could be exploited!" - "I don't give a m***er f**

Re:

[Z00L00K]

Virtual memory logic was around before Microsoft even thought of it. Maybe you think of the alleged Unix source code issues related to SCO?

In other news

[somenickname]

In other news, thousands of programmers appear to have gone blind and insane while screaming, "The Spaghetti! The Horror! It burns my eyes!"

How do you search multi terrabytes of source?

[Latent Heat]

How do you find anything in thirty two or whatever number of terrabytes? Are their algorithms to search for certain patterns?

Re:

[gravewax]

there isn't 32TB of source, I doubt there is even a gb. it is all just a bunch of private/alpha and prelease builds together with all the debug symbols etc.

Re:

[fabioalcor]

Oh no! This is the Spaguetti Monster of that church everyone thought was created for mockery, BUT NO, THEY WERE RIGHT ALL THIS TIME! WE'RE ALL DOOMED!!!

Re: In other news

[Ukab the Great]

Is having 32 TB of Microsoft code the crime or the punishment?

Irony

[TheOuterLinux]

Source code for Window$ leaks and people freak like it's going to be used for exploits. A little late for that, don't you think? Yet, Linux developers release their code intentionally as open source and typically, the complete opposite happens.

In a surprising development to the business world

[ZoomieDood]

Microsoft has moved to the open source license model!

Whew !

[harvey the nerd]

A first glance of the headline, I was worried that they were insinuating that the 10.x builds toward toward Win 11 were in the neighborhood of 1 TB....

Waste

[Air-conditioned cowh]

What a horrific waste of valuable hard drive space.

Use it to build a fucking non-updating distro

[iamacat]

Every time I try to use a Windows laptop that I keep for Steam/Oculus games, it needs to install updates, or has installed updates and lost my game progress, or asks me to adjust my privacy settings for Windows 10 whatever edition. With source, one can presumably build a non-nagging distro with working DirectX and live free of this crap?

Re:

[dwywit]

Start, run, services.msc
Scroll to Windows Updates
Right-click, stop
Right-click, properties
Select startup type, choose 'disabled', apply
OK, close

Happy now? Don't even need to reboot. Wow, didn't even need a command prompt to make that happen (although you could it that way if want to).

You can visit wsusoffline once a month or so - at *your* convenience, to download and install updates. BTW, you should donate a dollar or three to the site if you find it useful (not my site, just a happy user).

FWIW, mint and ub

Leaking source code

[callahan2211]

Did they give it to James Comey?

Relax...

[Lussarn]

Relax! Our most valuable and most secure operating system is out there for free! How am I suppose to explain that?

I don't know... Say it was all part of the plan!

Eagerly waiting

[kelanos]

For the real story to be mined out of this trove.

I predict we will see that consumer and small business software is heavily back-doored while corporate software is less so.

Winbeta themselves have refuted almost everything

[Artem S. Tashkinov]

Source [betaarchive.com]

The Register article has got BetaArchive a fair amount of attention this evening. They claim, and I quote âoe32TB of Windows 10 internal builds, core source code leak onlineâ.

First of all let us clear up a few facts. The âoeShared Source Kitâ folder did exist on the FTP until this article came to light. We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out and it is deemed acceptable under our rules.

The folder itself was 1.2GB in size, contained 12 releases each being 100MB. This is far from the claimed âoe32TBâ as stated in The Registerâ(TM)s article, and cannot possibly cover âoecore source codeâ as it would be simply too small, not to mention it is against our rules to store such data.

At this time all we can deduct is that The Register refers to the large Windows 10 release we had on March 24th which included a lot of Windows releases provided to us, sourced from various forum members, Windows Insider members, and Microsoft Connect members. All of these we deemed safe for release to BetaArchive as they are all beta releases and defunct builds superseded by newer ones, and they were covered under our rules.

If any of this should change we will remove these builds from the FTP and we will happily comply with any instructions to do so by Microsoft.

With regards to the BBC article http://www.bbc.co.uk/news/tech... [bbc.co.uk] about two Britons that have been arrested following an alleged Microsoft hack, we donâ(TM)t believe there is any connection with this alleged âoeWindows 10 core source code leakâ.

Update 09:58 GMT 24/06/2017 A spokesperson for Microsoft contacted The Register and said: "Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners."

Really hope...

[hcs_$reboot]

Really hope Win 10 pure source code is way less than 1 TB, or that system is even more crappy than I thought, reusing old code as is, putting bandage on it to get something runable.

Is this a Git issue? They just switched.

[filesiteguy]

I know this may seem coincidental, but I recall MS just recently switched to Git for their source code. Wonder if one of their Linux servers were running unprotected.

Re:

[gravewax]

seems to Just be private/internal builds, nothing even remotely secret.

Re: Top Secret?

[niftydude]

Apparently "alpha/nightly build" = "top secret build" in super sensational hack journalist lingo.

Re:

[Z00L00K]

Not a Governmental Top Secret classification, just a company top secret classification.

Just stating "Classified" doesn't indicate anything about the classification level. It can be classified as "Open" as well.

Re:

[gweihir]

This is just hyperbole. Basically no private company does "Top Secret". The maximum level is usually "Secret" and that is it.

Re:

[PPH]

I predict that Slashdot readers will be too cowardly to address my observation.

It's off-topic. Now, back to your containment board --> /pol/

Re:Reminds me ...

[Bert64]

Then you should have redesigned the network such that the printers were not directly accessible to users, and they had to funnel data through a central print server which *does* log what was printed and by whom. Aside from the reason given (likely a severe violation of the company code of conduct), you get other benefits too like keeping (usually horrendously insecure) printers away from the user network, being able to tell who's printing copies of company data that might have leaked out, and keeping track of how much is being printed.

Re:

[CaptainDork]

Disagree.

Sure, printing porn is a termination offense, but the damage (offending sensibilities) vs ROI of your proposal is simply not there.

Re:

[drinkypoo]

No, it's true. Printers are often tragically insecure, especially Postscript printers but including many if not all kinds. It's daft to put them on the same network as anything else.

Re:

[CaptainDork]

I think you're adding a lot more to my example than is necessary for me to make my point.

I'm simply stating that infosec doesn't nothing to address inside jobs.

The guy who printed the porn did it from within the perimeter.

It wasn't done by an actor from Romania.

Re:

[Sir Holo]

Then you should have redesigned the network such that the printers were not directly accessible to users, and they had to funnel data through a central print server which *does* log what was printed and by whom. Aside from the reason given (likely a severe violation of the company code of conduct), you get other benefits too like keeping (usually horrendously insecure) printers away from the user network, being able to tell who's printing copies of company data that might have leaked out, and keeping track of how much is being printed.

Please explain how he could have implemented such a system after the fact.

And moving forward... why? It sounds like a lot of effort and company money to waste just because the boss is a prude. . . It is a fire-able offense, but was likely one guy costing the company $10 a month in consumables. There are innumerable, more severely business-damaging offenses to be on the lookout for.

Re:

[Z00L00K]

2 years in prison is not very likely. In civilized countries you will get a deal instead.

Re:

[beuges]

Here you go:
https://github.com/Microsoft [github.com]

Re:

[hcs_$reboot]

And after digging deep into the 32 TB, what when they finally find out that the innermost GB is a Linux kernel...