Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Operating Systems Bug Microsoft Privacy Programming Security Windows Build

32TB of Windows 10 Internal Builds, Core Source Code Leak Online (theregister.co.uk) 201

According to an exclusive report via The Register, "a massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online." From the report: The data -- some 32TB of installation images and software blueprints that compress down to 8TB -- were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the data has been exfiltrated from Microsoft's in-house systems since around March. The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code. Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. In addition to this, hundreds of top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked along with copies of officially released versions.
This discussion has been archived. No new comments can be posted.

32TB of Windows 10 Internal Builds, Core Source Code Leak Online

Comments Filter:
  • Going to need a new storage array...

    • It isn't that interesting. Save the space. They are mostly just builds from the Insider Program, according to the folks with the actual data.

    • by Anonymous Coward
      Don't worry, reports say 31.9TB is just their "phone home" technology.
    • by Z00L00K ( 682162 )

      Going to need a new OS because now the malware creators have the ability to find yet undiscovered security holes and utilize them.

      • Going to need a new OS because now the malware creators have the ability to find yet undiscovered security holes and utilize them.

        Oh really? Is that what they meant in the summary by: "Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide."? Thanks for your insight.

      • Re: 32TB? (Score:5, Funny)

        by cyber-vandal ( 148830 ) on Saturday June 24, 2017 @03:18AM (#54680625) Homepage

        Better not use Linux or FreeBSD. I hear they let anyone look at the source.

      • by gweihir ( 88907 )

        They had that capability before. It may not even have been that much more effort. Reviewing source-code is time-consuming, demanding and expensive.

      • Or, oddly enough, the opposite might happen. Maybe someone will actually submit patches to fix all those bugs.

  • Neat. (Score:5, Interesting)

    by Anonymous Coward on Friday June 23, 2017 @10:10PM (#54679557)

    Maybe it tells us the secret to shutting down a laptop using ACPI in a way that doesn't drain the battery dead 2 hours after it "powers off" using Linux

    • by aliquis ( 678370 )

      Or why the machine can't wake up if I let it park the CPU in Windows 10 but it worked fine in Windows 8.1.

      (Phenom X4 9850 on ASUS 790FX board.)

      • I have the same Phenom, with an Asus M2N-SLI Deluxe board. The BIOS has an option for "C1E support", which sounds similar to your "CPU parking" - turning it on makes the system fail to boot. I don't remember exactly where the failure happens, but it's before GRUB can bring up the boot menu.
        • by aliquis ( 678370 )

          I said CPU parking because I don't know the name of it.

          There's S1 and S3 and one is a a deeper sleep than the other and with the deeper sleep the CPU fan turns off as-well among other things but if I use that one then the machine can't be started without a cold reboot again. It used to work in Windows 8 but doesn't in Windows 10.

          M3A32-MVP Deluxe and .. yet another one is what I have.

  • by Anonymous Coward on Friday June 23, 2017 @10:10PM (#54679559)

    Really very, very horrible. Really horrible. Very very not good at all, let me tell you. Leakers on any media, horrible. Don't watch that video.

    • by ark1 ( 873448 ) on Friday June 23, 2017 @11:46PM (#54679953)
      https://www.betaarchive.com/fo... [betaarchive.com]

      Seems The Register story may not be accurate, or if you prefer FAKE NEWS!
      • Ah, shit, you just had to go and ruin a good story with fucking facts.
        Dammit.

        Seriously though, thanks. It is interesting to see just HOW FUCKING FAR OFF the claimed numbers are to the real numbers. I suck at math so I've no idea how many orders of magnitude they are off by, but it's fucking fantasy land for certain.
        32TB vs. 1.2GB and seems rather benign compared to the sensationalism.
        Thanks for putting things in perspective.

        Media and politicians, repeatedly shooting themselves in the foot repeatedly for our
      • The folder itself was 1.2GB in size, contained 12 releases each being 100MB. This is far from the claimed “32TB” as stated in The Register’s article, and cannot possibly cover “core source code” as it would be simply too small, not to mention it is against our rules to store such data.

        I though "too small" was Oberon's 12 kLOCs, but 1.2 GB or archives? Jevons' paradox at work right there...

    • by Z00L00K ( 682162 )

      What would be horrible would be if the Microsoft Certificate server was compromised allowing anyone to create certificates in the name of Microsoft using their private key.

      On the other hand - if that happened we wouldn't be told because it would compromise every Windows computer out there.

  • by Anonymous Coward on Friday June 23, 2017 @10:11PM (#54679569)

    Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide.

    You mean like.. BSD and Linux? Sounds like the way it should be -- the security by obscurity fad faded a long time ago.

    • by Anonymous Coward
      security problems in Linux and BSD aren't usually found through source code analysis, they are found through crashes, fuzzing, errors etc. source code analysis is painful and slow by comparison though the source code can make generating the exploit once you have found the vulnerability much easier.
      • by vux984 ( 928602 )

        the source code can make generating the exploit once you have found the vulnerability much easier.

        That's an understatement.

        • by gweihir ( 88907 )

          Actually, it is not. In many cases the source will not help the attacker much or at all. It does make fixing a vulnerability a lot easier though.

      • They are certainly fixed by first going through an analysis of the offending code.

        But even though code analysis is painful and slow, it doesn't stop the OpenBSD people and others from doing some, historically demonstrating good results for their efforts.
    • But the freedoms of free software are still missing. Having a snapshot of what Windows code looked like at one time doesn't grant one the freedom to improve that code, distribute (including commercially) that code (or a variant of that code), and thus control one's computer or help one's community by distributing improved code.

  • by Anonymous Coward
    It seems they are just a heap of old builds, nothing top secret about them, most interim builds are only valid for a day or 2 till the next one. The Shared Source stuff while not publically available is hardly top secret either with hundreds if not thousands of organizations with it.
  • Telemetry (Score:5, Interesting)

    by OtisSnerd ( 600854 ) on Friday June 23, 2017 @10:13PM (#54679579)
    Maybe now we'll be able to find out what the telemetry actually sends back to MS and the three-letter agencies. It would also be nice for some to develop a way to completely kill it.
    • Or another, equally likely, possibility is this is a controlled leak and it's meant to mislead us about the nature of the telemetry.

      But this isn't the full source is it? So probably we'll never know. But do we need to? The Corporate Plutocracy is attempting to destroy us all anyway. Until there is a movement against the state, nothing matters but survival.

      Standing by to be modded down by cowards who refuse to realize the implications of things like federally mandated education standards, mass surveillance,

      • Standing by to be modded down by cowards who refuse to realize the implications of things like federally mandated education standards, mass surveillance, media consolidation, etc.

        You must be new here.

    • If you want to know that just read through these 94 pages: https://docs.microsoft.com/en-... [microsoft.com]

      • I've seen that list before, but I suspect that it's not complete. After all the forced upgrades, and all but pointing guns at their 'customers' to force them to upgrade, I wouldn't trust them to tell me the the color of the sky, let alone believe that the list they posted is complete.
        • Interestingly the less complete the list is the less care about their collection. The more data that is collected the less likely any database makes sense. The less likely they are able to extract information from it. The less likely I am to be affected if someone dumped the database online.

    • Until Microsoft changes the source code to do something else. That's the thing about source code: people alter it and make programs do different things, so we need the freedoms of free software to control our computers, help keep people honest, and treat each other ethically.

    • Hear, hear!
  • OMG (Score:2, Insightful)

    by bfmorgan ( 839462 )
    Ooops!
  • Security!

  • In an effort to get more people to probe Windows 10 and find software flaws as well as confirm they aren't completely stealing your data. It's like open sourcing your OS without really open sourcing it! /sarcsam
    • by Anonymous Coward

      they'll blame it on their migration to git [arstechnica.com] as a way to tarnish linus' name, not the fact they used windows shit server 2k13 to host it on.

  • /me goes to the store to get popcorn

  • by PPH ( 736903 )

    How much is it if you skip all the #ifdef BUGS sections?

  • Too bad (Score:2, Insightful)

    by markdavis ( 642305 )

    Too bad it STILL won't tell anyone what is actually on a machine when a binary MS-Windows is installed. You still won't know what back doors, spyware, weakened encryption, "telemetry" sharing, and extra code was injected for the governments. And good luck on building something you will be able to actually install and use. This breech is unlikely to help anyone but black hatters, looking for vulnerabilities.

    Meanwhile, grab distro Linux sources legally, see anything and everything you desire, and compile i

    • I don't know that on any other installation either. I simply trust that any vendor provides me a binary that matches its source code. I and 99.999% of the people using computers have zero ability to audit binaries against source code. And I'm willing to bet you've never done it for your OS too.

  • This just in: it appears that many terabytes of Linux and GNU source code have also been leaked to the internet. Anyone who has this information can scour it for security vulnerabilities.
  • Who is leaking that source code??
    • Who *WANTS* it?
      • Who *WANTS* it?

        I would, if it meant we could port SOM and the Workplace Shell to Linux.

        Yaz

        • I would, if it meant we could port SOM and the Workplace Shell to Linux.

          You can make fvwm work like the workplace shell if you want. Why would you want SOM? You can get a real CORBA ORB if you want.

      • by Z00L00K ( 682162 )

        Anyone that want a great upload quota on warez BBSes.

  • Hahahahahahaha!!!!

  • Some of the Windows code was released. It was downplayed. But everyone had a good laugh at the notes which were left in it like (language cleaned up and paraphrasing.): My personal favorite..."Why was this section added?" - "Because someone is doing something way above our pay grade." - "Take this out! It could be exploited" - "It's been two years, why is this still here?" - "This was put in for a reason. Don't take it out again." - "I removed it because It could be exploited!" - "I don't give a m***er f**
  • In other news, thousands of programmers appear to have gone blind and insane while screaming, "The Spaghetti! The Horror! It burns my eyes!"

  • Source code for Window$ leaks and people freak like it's going to be used for exploits. A little late for that, don't you think? Yet, Linux developers release their code intentionally as open source and typically, the complete opposite happens.
  • Microsoft has moved to the open source license model!
  • A first glance of the headline, I was worried that they were insinuating that the 10.x builds toward toward Win 11 were in the neighborhood of 1 TB....
  • Waste (Score:4, Funny)

    by Air-conditioned cowh ( 552882 ) on Saturday June 24, 2017 @01:16AM (#54680303)
    What a horrific waste of valuable hard drive space.
  • Every time I try to use a Windows laptop that I keep for Steam/Oculus games, it needs to install updates, or has installed updates and lost my game progress, or asks me to adjust my privacy settings for Windows 10 whatever edition. With source, one can presumably build a non-nagging distro with working DirectX and live free of this crap?

    • by dwywit ( 1109409 )

      Start, run, services.msc
      Scroll to Windows Updates
      Right-click, stop
      Right-click, properties
      Select startup type, choose 'disabled', apply
      OK, close

      Happy now? Don't even need to reboot. Wow, didn't even need a command prompt to make that happen (although you could it that way if want to).

      You can visit wsusoffline once a month or so - at *your* convenience, to download and install updates. BTW, you should donate a dollar or three to the site if you find it useful (not my site, just a happy user).

      FWIW, mint and ub

  • Did they give it to James Comey?
  • by Lussarn ( 105276 ) on Saturday June 24, 2017 @01:56AM (#54680435)

    Relax! Our most valuable and most secure operating system is out there for free! How am I suppose to explain that?

    I don't know... Say it was all part of the plan!

  • For the real story to be mined out of this trove.

    I predict we will see that consumer and small business software is heavily back-doored while corporate software is less so.

  • by Artem Tashkinov ( 764309 ) on Saturday June 24, 2017 @05:05AM (#54680819)

    Source [betaarchive.com]

    The Register article has got BetaArchive a fair amount of attention this evening. They claim, and I quote âoe32TB of Windows 10 internal builds, core source code leak onlineâ.

    First of all let us clear up a few facts. The âoeShared Source Kitâ folder did exist on the FTP until this article came to light. We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out and it is deemed acceptable under our rules.

    The folder itself was 1.2GB in size, contained 12 releases each being 100MB. This is far from the claimed âoe32TBâ as stated in The Registerâ(TM)s article, and cannot possibly cover âoecore source codeâ as it would be simply too small, not to mention it is against our rules to store such data.

    At this time all we can deduct is that The Register refers to the large Windows 10 release we had on March 24th which included a lot of Windows releases provided to us, sourced from various forum members, Windows Insider members, and Microsoft Connect members. All of these we deemed safe for release to BetaArchive as they are all beta releases and defunct builds superseded by newer ones, and they were covered under our rules.

    If any of this should change we will remove these builds from the FTP and we will happily comply with any instructions to do so by Microsoft.

    With regards to the BBC article http://www.bbc.co.uk/news/tech... [bbc.co.uk] about two Britons that have been arrested following an alleged Microsoft hack, we donâ(TM)t believe there is any connection with this alleged âoeWindows 10 core source code leakâ.

    Update 09:58 GMT 24/06/2017 A spokesperson for Microsoft contacted The Register and said: "Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners."

  • Really hope Win 10 pure source code is way less than 1 TB, or that system is even more crappy than I thought, reusing old code as is, putting bandage on it to get something runable.
  • I know this may seem coincidental, but I recall MS just recently switched to Git for their source code. Wonder if one of their Linux servers were running unprotected.

One good suit is worth a thousand resumes.

Working...