Windows 2000 & Windows NT 4 Source Code Leaks

Posted by CmdrTaco on Thu Feb 12, 2004 04:43 PM
from the making-the-rounds dept.
PeterHammer writes "Neowin.net is reporting that Windows 2000 and Windows NT source code has been leaked to the internet. More on this as we hear it."
  • it's true (Score:5, Insightful)

    by sperling (524821) * on Thursday February 12 2004, @04:43PM (#8262299) Homepage
    A quick peek around indeed shows something named Windows.Source.Code.w2k.nt4.wxp.tar circulating, but this had to happen sooner or later, considering the number of institutions [microsoft.com] with access to the source. Wonder how long it'll take before a torrent of new worms using newly discovered security holes tear up the net.

    I for one would love to peek around in this, more out of curiosity than any desire to actually do something useful with it.

    • by Anonymous Coward on Thursday February 12 2004, @04:48PM (#8262419)
      This pretty much destroys any argument that Windows is more secure because "the bad guys" can't look at the source code. And yet it won't get the positive aspect of "the good guys" reviewing the source code for bugs as it is illegal to make a copy of the code without a license to do so.
    • by Anonymous Coward on Thursday February 12 2004, @04:49PM (#8262431)
      I wonder how long till hackers go in and fix some of the bugs. That's the real danger to Microsoft, if the bugs were fixed people wouldn't have to upgrade.
    • Re:it's true (Score:5, Interesting)

      by Strudelkugel (594414) on Thursday February 12 2004, @04:54PM (#8262561)

      Seems a bit of a stretch to think 'soft would have given all of these organizations the complete source tree. If they did, then I am far more amazed the source wasn't leaked a long time ago. It's a bit hard to believe 'soft licensed the entire build tree to anyone.

      Makes a pretty good headline, though.

    • Re:it's true (Score:5, Insightful)

      by MenTaLguY (5483) on Thursday February 12 2004, @04:54PM (#8262569) Homepage

      I for one would love to peek around in this, more out of curiosity than any desire to actually do something useful with it.


      I hope you weren't planning on ever contributing to any Open Source projects after doing that. If it's later demonstrated that you had access to the W2K source and contributed vaguely similar code (even by accident) to a project, it could have severe repercussions for that project.


      I doubt Microsoft would leak it deliberately, but this does open the door to a whole SCO-esque can of worms from now on.

      • Re:it's true (Score:5, Insightful)

        by sperling (524821) * on Thursday February 12 2004, @04:59PM (#8262673) Homepage
        And that's exactly why I won't even consider downloading this. I make a living as a programmer, and if I have access to this source Microsoft, with the resources they possess, could make the rest of my professional life a nightmare.
        As much as I'd love to peek around in this, I won't risk it.
      • MOD PARENT UP (Score:5, Interesting)

        by nickos (91443) on Thursday February 12 2004, @05:03PM (#8262726)
        For the same reasons that Microsoft warned its IE developers to stay clear of Mozilla, open source coders should avoid even seeing this.

        That said, I'd love to get hold of the dll code that does the equivalent of a window manager in X. How cool would it be to swap out a dll on the Windows box at work and have a completely custom windowing environment?
    • Re:it's true (Score:5, Interesting)

      by Marillion (33728) <ericbardes@gmail.UMLAUTcom minus punct> on Thursday February 12 2004, @04:57PM (#8262632)
      Sure the source code will make it easier to find exploits, but I've believed for a few years that "institutional hackers" those who have long ago reversed compiled Windows into something suitable for writing worms. How else does the Code Red author decide, "Hey! I found this buffer overflow routine in the unicode support for URLs in the IIS Indexing Server"?

      There are probably paranoid governments who have teams who do just this kind of work just to make sure those fabled NSA back doors either are or aren't in Windows.

    • by uradu (10768) on Thursday February 12 2004, @04:58PM (#8262646)
      > I for one would love to peek around in this, more out of curiosity

      Morbid curiosity perhaps. Considering the amount of backward compatibility in there, and the generations of tools and code frameworks used over the past decade and longer, I would expect the Windows code to be a BLOODY MESS. In fact it would probably be amusing to just grep for comments--"what does the next line do?!" or "what the h3ll were we thinking?!"
    • by G27 Radio (78394) on Thursday February 12 2004, @05:01PM (#8262708) Homepage
      The Windows code hasn't had nearly as much peer review as open source OS's so I won't be surprised if this leads to a ton of exploits. The big problem here is that this source will be available to any black-hat that wants it--they obviously aren't going to be concerned about the legalities of obtaining leaked source code. But the businesses that use Windows aren't going to be able to audit the code for security leaks unless they obtain it illegally (or sign some agreements with Microsoft and shell out bundles of cash.)

  • Open Source (Score:5, Funny)

    by The_Rippa (181699) * on Thursday February 12 2004, @04:43PM (#8262300)
    Now will everyone stop bitching about Windows not being open source?!
  • by momerath2003 (606823) * on Thursday February 12 2004, @04:43PM (#8262304) Journal
    "The server is too busy at the moment. Please try again later."

    Later isn't going to work, since the server was down even before it hit the Slashdot front page. I empathize with their server.

    I did, however, manage to grab the news blurb (but not the, at that point, 214 comments) from the intermittent front page:

    Neowin has learned of shocking and potentially devastating news. It would appear that two packages are circulating on the internet, one being the source code to Windows 2000, and the other being the source code to Windows NT. At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them. Microsoft are currently unavailable for comment surrounding this leak so we have no official response from them at the time of writing.


    This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bear thinking about.

    We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to Microsoft's Anti-Piracy department.

    Please do not post any links/screenshots/hints or anything to do with the source code outbreak. Discussion is allowed but we will not condone people spreading this source code.


    Torrent, anyone? ;) (not like I would have any reason to want to have several lines of bug-infested code, as who knows to where the bugs might spread in my system)
    • by Mr. Piddle (567882) on Thursday February 12 2004, @04:55PM (#8262579)
      At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them.

      How big are these files? I would expect the size of these tarballs to be comparable to Linux Kernel + GNOME + Mozilla + misc userland/bundled equivalents. If they are unexpectedly small (like less than a gig for W2K), then they are probably a hoax.

  • What now? (Score:5, Funny)

    by Rosyna (80334) on Thursday February 12 2004, @04:44PM (#8262332) Homepage
    Are people deeply involved with OSS going to start fixing bugs in Win 2k? Might be fun and a dagger in MS's heart.

    "We fix bugs in 24 to 40 hours, much faster than OSS."
  • by Fluk3 (742259) on Thursday February 12 2004, @04:45PM (#8262343)
    There's plenty of worthless spam on the internet already.
  • by timdorr (213400) on Thursday February 12 2004, @04:45PM (#8262354) Homepage
    Full file listing with sizes: http://heim.ifi.uio.no/~mortehu/files.txt [ifi.uio.no] I suggest mirroring ;)
  • Microsoft just needed a push in the right direction, right?

    -S
  • by ackthpt (218170) * on Thursday February 12 2004, @04:46PM (#8262375) Homepage Journal
    On a related note, Microsoft is reporting the number of bugs in Linux to have surged in recent weeks, thus proving Intellectual Property theft.

    Seriously, the previous article [slashdot.org] lambasting open source for being vulnerable is nothing when compared to eyes backed with malicious intent poring over Windows source code for new exploits. So much for security through ignorance.

  • Fortune (Score:5, Funny)

    by Tom Rothamel (16) on Thursday February 12 2004, @04:46PM (#8262383) Homepage
    The funny thing is the fortune that appeared in the appropriate slashbox when I first saw this article.

    "Never trust an operating system you don't have sources for. ;-)
    -- Unknown source"
  • Mirror With Comments (Score:5, Informative)

    by RPoet (20693) on Thursday February 12 2004, @04:46PM (#8262386) Journal
    Mirror with comments [student.uib.no].

    Hope it's all just a bluff.
  • Code (Score:5, Funny)

    by daeley (126313) * on Thursday February 12 2004, @04:46PM (#8262396) Homepage
    ...Windows 2000 and Windows NT source code has been leaked to the internet.

    The Internet, however, being a polite sort of fellow and completely undesirous of the undoubtedly horrible ramifications of having such a beastie running around loose, gently replaced the source code and gave Windows a friendly pat on the head.
  • by AuMatar (183847) on Thursday February 12 2004, @04:47PM (#8262405)
    Do NOT read that code if you ever wish to program for an open source OS, ever. Doing so will make you tainted- you open the project up to allegations of copyright infringement. Unless you never want to contribute a single line to Linux, *BSD, etc, checking out that code is a bad idea. It's almost a surprise MS didn't "leak" Win 95 or 3.1 years ago to catch open source developers like this.
    • by TekPolitik (147802) on Thursday February 12 2004, @04:56PM (#8262595) Journal
      Do NOT read that code if you ever wish to program for an open source OS, ever...

      Of course those of us who are also lawyers can safely read other people's code, because we know exactly what to do to avoid infringing. It is possible to extract knowledge from the code without breaching copyright, but...

      Getting a copy of the code at all is a breach of copyright.

  • error.h (Score:5, Funny)

    by sarice (26064) on Thursday February 12 2004, @04:47PM (#8262410)
    We all know the real valuable stuff is in error.h.
    So, what does it say?
  • Not good (Score:5, Insightful)

    by savagedome (742194) on Thursday February 12 2004, @04:48PM (#8262422)
    This is not good. Windows is designed primarily with 'security by obscurity' in mind. The security holes indeed show up every often and we have worms making it to the gazillion windows boxes before the patch does. Get ready for a deluge of worms/virri. Another bad week/month for sysadmins.

  • If this is true... (Score:5, Insightful)

    by thesolo (131008) * <slap@fighttheriaa.org> on Thursday February 12 2004, @04:49PM (#8262451) Homepage
    I haven't been able to even get to Neowin, it's been slashdotted since before this story even made it to "The Mysterious Future" here on /., but think about what this means if this is actually true. The potential vulnerabilities. All the trade secrets Microsoft put in there. Hell, IE 5 was released with Windows 2000, so if this is full source, it means IE 5 and the trident engine are in there as well.

    If this is true, today may be the day that everything changes.
  • by zellyn (692627) on Thursday February 12 2004, @04:50PM (#8262484) Homepage
    ReactOS [reactos.com] have announced they have hit all upcoming milestones and consider their project "feature complete".
  • The comparator (Score:5, Interesting)

    by fava (513118) on Thursday February 12 2004, @04:51PM (#8262489) Homepage
    I wonder how long it will be until someone runs the comparator in it?
  • by FattMattP (86246) on Thursday February 12 2004, @04:51PM (#8262504) Homepage
    I found the source code here. [demon.co.uk]
  • tin foil hat (Score:5, Insightful)

    by wildcard023 (184139) on Thursday February 12 2004, @04:52PM (#8262515) Homepage
    Ok so here's MS's plan.

    Step 1) Leak their source
    Step 2) Sue Open Source developers down the road because obviously they have studied the MS leaked source.
    Step 3) ... Ya, I'm sure you know what goes here.

    Ok but seriously, I'm not touching it. The last thing I need is Microsoft saying that I somehow owe something to them.

    Jerks.

    --
    Mike
  • In the last article on the /. home page, we have W. Russell Jones talking about all the insecurity of having source available in open source projects.

    I'm afraid we've reached a massive failure here in security by obscurity, but time will tell. If this is true and if there are lots of security holes discovered, I find it hard to believe even a company of Microsoft's size can respond quickly enough to keep the outbreaks down. This threat is why open source is better than what W. Russell Jones made it out to be. The threat of security failing because of leaking source just isn't there with open source.
    -N
  • by Animats (122034) on Thursday February 12 2004, @04:56PM (#8262591) Homepage
    What the NT kernel does is well understood. The object code is widely available, and key parts, like file system formats, have been reverse engineered. There's plenty of documentation. A few major development shops have access to the source anyway. If you're into kernel architecture, it might be interesting, but otherwise, so what?
  • by Soul-Burn666 (574119) on Thursday February 12 2004, @04:56PM (#8262611) Journal
    It's only reasonable that software with so many holes will leak!
  • It's not a problem. (Score:5, Interesting)

    by ggruschow (78300) on Thursday February 12 2004, @05:01PM (#8262705)
    I've seen a fair chunk of the NT kernel code, legally, under NDA. The NDA bars me from revealing any details, but it doesn't prevent me from saying that, if I were MS, I wouldn't worry about anything aside from sheer embarrassment. However, I have to admit that getting something of that hulking size operating solidly is pretty respectable.

    On the plus side, some of the comments are fairly humorous, especially when you note who wrote them and look up where they are today.

    • by fishbowl (7759) <(ten.xoc) (ta) (kcahten)> on Thursday February 12 2004, @04:47PM (#8262406)
      It *amazes* me that it hasn't been routine.

      Windows source code is not some deep dark secret that is locked in a vault, only let out during builds for the product releases.

      *MANY* people have access to the Windows source code. A number of people in my own university have it. There are strict licensing considerations, but when has that ever worked before? Surprisingly, none of the people with source access has ever pulled off the stunt where it's broadcasted. I have always wondered why.

    • by rritterson (588983) * on Thursday February 12 2004, @04:48PM (#8262424)
      While you may not have heard of Neowin before, they are actually quite well known and are often placed in those '100 essential sites' lists.

      They focus primarily on windows tech, and have a knack for breaking stories about Windows- leaked builds of future versions, beta builds of service packs, etc. Whoever runs the site is well connected in Microsoft.
    • by BrianCarlstrom (717058) on Thursday February 12 2004, @04:57PM (#8262626) Homepage
      Second point: The odds of getting one's hands on the full source to NT4/2K are slim to none--even most Microsoft folks couldn't do that. The code is probably scattered across multiple servers in Redmond, for starters, and you'd only be given access to the parts you needed to work with.

      Microsoft gave a talk at usenix: Windows A Software Engineering Odyssey [usenix.org]

      This slide [usenix.org] indicates the full source is 50gb and took a week to setup and 2 hours a day to update.

      That implies to me that people could have the whole source but it would be huge.

      Slide 24 talks about their new perforce [perforce.com] based system that only takes 3 hours to setup and 5 minutes to update.

    • by milgr (726027) on Thursday February 12 2004, @04:52PM (#8262517)
      Could this potentially help the WINE Project?
      IANAL but I would avoid looking at the leaked code - especially if I was working on a project like wine. You wouldn't want wine to be sued out of existence because it contains code derived from a proprietary, copyrighted system.
    • by aoteoroa (596031) on Thursday February 12 2004, @04:53PM (#8262539)
      Whatever you do, don't let the code influence your projects

      You beat me to the punch. This code leak could be a very good thing for Microsoft, and a trap for the open source community. I doubt that Microsoft intentionally planted this snare but if any future open source project even vaguely resembles this leaked code I have no doubt that Microsoft will open their full arsenal of lawyers.
    • by SkArcher (676201) on Thursday February 12 2004, @04:55PM (#8262587) Journal
      Exactly

      In fact if you are involved with an Open Source project (especially Kernel and Window Manager projects) I suggest you do everything possible to avoid seeing this code.

      Accusations of Taint are undoubtedly going to spring up from this, and you would be better to be well clear.

      I will confess to a certain curiosity as to what the results of a comparator test would be though.
    • by acousticiris (656375) * on Thursday February 12 2004, @04:56PM (#8262597)
      Yeah... I can see it now.
      "Microsoft is suing end-users of Linux due to the discovery that the latest version of the kernel incorporated Windows 2000 code. The discovery of the code theft was made after someone at Microsoft plugged a USB scanner into a system running the latest Linux kernel and received the Blue Screen of Death."
    • by RealityMogul (663835) on Thursday February 12 2004, @04:53PM (#8262548)
      Breaking News:

      A member of the Slashdot cult has admitted he has stolen the source code to Microsoft's Windows XP operating system. PickyH3D is the handle the low-karma hacker used when bragging of his accomplishment to the world. He has also issued a challenge to Microsoft's legal team with the statement that "there is no evidence". More on this as we hear it.