Windows 2000 & Windows NT 4 Source Code Leaks

PeterHammer writes "Neowin.net is reporting that Windows 2000 and Windows NT source code has been leaked to the internet. More on this as we hear it."

it's true

A quick peek around indeed shows something named Windows.Source.Code.w2k.nt4.wxp.tar circulating, but this had to happen sooner or later, considering the number of institutions [microsoft.com] with access to the source. Wonder how long it'll take before a torrent of new worms using newly discovered security holes tear up the net.

I for one would love to peek around in this, more out of curiosity than any desire to actually do something useful with it.

So much for security through obscurity

This pretty much destroy's any argument that Windows is more secure because "the bad guys" can't look at the source code. And yet it won't get the positive aspect of "the good guys" reviewing the source code for bugs as it is illegal to make a copy of the code without a license to do so.

Re:So much for security through obscurity

Just remember, eEye doesn't have access to the code and they have been sitting on exploits for months.

Source helps, but it isn't everything.

Does anyone else just get a tingly feeling seeing this article sitting on top of an article on Open Source being less secure because of it's openness?

It's a TRAP!!! /Adm. Ackbar

Microsoft is sooooo obviously trying to pull an SCO here.

If you work on any Open Source project, DO NOT LOOK!

Re:It's a TRAP!!! /Adm. Ackbar

In my best Bruce Campbell voice "Stop, it's a trick. Get an axe!" Hail to the king baby!

Re:It's a TRAP!!! /Adm. Ackbar

What about the opposite:
Is there GPL code there?
Ask an auditing company to
diff NT4 2000 | grep -e yourcode
and get an answer.

I don't think they're playing SCO if they released just a part of it maybe but not the whole thing

No GPL - Lots of BSD

I know they have at least the TCP/IP stack from BSD. I would be interested to see if the copyright comments are still on the files.

They have copyright notices in the docs

Yes, Microsoft is acknowledging the use of BSD licensed code. I don't know if they are doing it in the source code, but since they are putting copyright notices in the release notes for their software [microsoft.com] they probably have copyright notices in the source code too. Look at the copyright information on their page, they not only honor Berkeley but also a lot of other people that have been actively contributing to various BSD software such as Luigi Rizzo [unipi.it].

Re:No GPL - Lots of BSD

The company was actually called Spider, and the Spider TCP/IP stack (which was BSD-derived) was used in exactly one MS operating system: Windows NT 3.1 (1993-1994).

Windows NT 3.1 was released in 1993, and replaced in 1994 by Windows NT 3.5, which was much smaller, much faster and used an MS-written TCP/IP stack (which was presumably smaller and faster than the BSD-derived Spider stack). The MS TCP/IP stack in NT 3.5 was then ported to Win9x for the release of Windows 95.

The lifetime of NT 3.1 was very brief, and during that brief lifetime, hardly anyone used it (because it was too big, too slow and there was no Win32 software), so the fact that its TCP/IP stack was BSD-derived is not really something to brag about.

Re:No GPL - Lots of BSD

That may be true, but there is BSD code in Windows XP.

open up a command window and type "strings c:\windows\system32\ftp.exe"

This will return:

@(#) Copyright (c) 1983 The Regents of the University of California.

All rights reserved.

Re:No GPL - Lots of BSD

Yeah, there are a few trivial and ancient/obsolete BSD command-line tools in Windows (finger, ftp, nslookup, rcp, rsh). They were ported from BSD, and you can see that they contain the appropriate copyright attribution. Note that none of the kernel-mode files (e.g. the TCP/IP drivers) contain any such strings.

MS is naturally not opposed to using freely-available BSD code to achieve better interoperability with BSD/UNIX. MS Windows Services for UNIX, for example, includes a lot of modern BSD tools ported from OpenBSD. That's reasonable, of course, since it's supposed to provide a set of command-line tools familiar to UNIX systems administrators, and OpenBSD tools are known to be relatively good in terms of security.

Importantly, MS's porting of OpenBSD userland tools to Services for UNIX is also good for OpenBSD, because it helps to establish those tools as something of a standard. If hordes of MS users become used to the OpenBSD userland tools, they'll be much likelier to start using OpenBSD if they want a UNIX-like OS than to start using, say, Linux.

The common claim about the MS TCP/IP stack from open source zealots is that MS 'stole' the Windows TCP/IP stack from BSD because it couldn't write one of its own, which is of course complete nonsense. The handful of BSD tools in Windows are/were there to make it easier for UNIX users to access their systems from Windows. They're in no way critical to Windows as an operating system (in the way that, for example, a TCP/IP stack is).

Re:It's a TRAP!!! /Adm. Ackbar

We have identified over one million lines of our IP in Microsoft's source code. While I cannot share most of them because they are a trade secret, here are three of the most glaring examples:

#include

for( ; ; )

if(!stop) {

Many of these lines have been copied verbatim several thousand times. We do not want to, but are forced to sue Microsoft for unlicensed use of our intellectual property.
We will institute a licensing program called gplSource which will allow Windows users to obtain the legal rights to use our IP. This cost will be significantly discounted to early adopters.
Already at least three Fortune 500 companies have seen the validity of our claims and have paid these fees on a per-CPU basis to continue using Windows. While we cannot divulge their names, they do exist. Really!

Re:It's a TRAP!!! /Adm. Ackbar

Worse still - if you work on any Open Source project, and you look at Microsoft Source code. . . DO NOT COPY IT!!!

We like Linux as it is. Reliable, stable, and fast. Copying Microsoft code in would jeopardize that. Never mind the IP issues. . .

Re:It's a TRAP!!! /Adm. Ackbar

I'm submitting patches to the 2.6 kernel for the blue screen of death. I'm hoping they make it in to the next release.

Re:It's a TRAP!!! /Adm. Ackbar

From bugcheck.c, the code which makes the screen blue...

if (InbvIsBootDriverInstalled()) {

InbvAcquireDisplayOwnership();

InbvResetDisplay();
InbvSolidColorFill(0,0,639,479,4); // make the screen blue
InbvSetTextColor(15);
InbvInstallDisplayStringFilter((INBV_DISPLAY_STRIN G_FILTER)NULL);
InbvEnableDisplayString(TRUE); // enable display string
InbvSetScrollRegion(0,0,639,479); // set to use entire screen
}

It's worse than that!

This is an attempt to corrupt your ability to write reliable code. It is the software equivalent of a Medusa. Once you've looked at it your mind will be agog to make blue screens. Do not look! For the love of Pete, DO NOT LOOK!!!!!

Life is good.

It's 5:15PM. I got home from work 2 hours ago, and had a nap. It is a beautiful day outside, and the Windows source code has been leaked.

And I have 5 Moderator points.

Today -- today, life is good.

Re:Life is good.

Except, of course, that you can no longer moderate this thread... :)

Re:Life is good.

Well maybe he can't, but I ca-.......aww, crap....

Re:Life is good.

Now all you need is a girlfriend.

Re:Life is good.

Now all you need is a girlfriend.

What, and ruin a perfect day?

Re:Life is good.

Now all you need is a girlfriend.

Do you have any idea how much that costs around this time of year?

Re:Life is good.

What, and ruin a perfect day?

So your girlfriend reads /. does she?

Re:Life is good.

Scene: Two guys in black suits [msu.edu] sitting in car

Guy 1: "It's midnight, the windows source in leaked, we have 5 moderator point and our sunglasses on..."

Guy 2: "hit it"

Sorry, that image just popped into my head ;-)

Re:It's a TRAP!!! /Adm. Ackbar

Microsoft is sooooo obviously trying to pull an SCO here.

If you work on any Open Source project, DO NOT LOOK!

Whoops! I looked. And now it's clear why Microsoft bought a license from SCO.

All these headers start with "Copyright, AT&T" and "Copyright, Regents of the University of California". I wonder what that's all about.

(For the more literal-minded Slashdot readers: no I haven't really seen the code. This is a cheap jab at Microsoft, implying their code is derivative of unix and linux code,)

Re:It's a TRAP!!! /Adm. Ackbar

If you work on any Open Source project, DO NOT LOOK!

This is extremely good advice. I would go even further and say that if you would ever like to work on an open source project, don't look. The presence on a project of a person who had seen the Windows source could put the entire project at risk.

For a very practical example, consider Samba. If a person who had seen the Windows source were to contribute to Samba and it were later to come to light that the contributor had seen the Windows source, in the name of safety every piece of code that person contributed would have to be ripped out and replaced. Worse, to guarantee that there was no trace of taint, it would probably have to be replaced by people who had not only never been exposed to the Windows source, but who had also not seen the contributor's tainted code. In short, it would require the recruitment of people who had never worked on the project before, or even read the source. Finding those people would not be easy, to say nothing of the time and credibility that would be lost.

For that matter, even if you have legally seen the Windows source because Microsoft has provided it to your employer under their shared source program, the same taint would follow you. If your employer has access to Windows source and your job does not require you to see that source, do yourself a favor: don't look.

If you look at the Windows source, you at the least taint yourself WRT working on any project aimed at interoperability with Windows, and quite possibly on a much wider variety of projects than that.

In short, JUST SAY NO.

Re:It's a TRAP!!! /Adm. Ackbar

I think you people are going a little overboard. Windows source code isn't like a virus or something.
Wait a minute....

Re:It's a TRAP!!! /Adm. Ackbar

Viruses are well supported by their authors, their program code is fast, compact and efficient and they tend to become more sophisticated as they mature.

So, Windows is not a virus.

Re:It's a TRAP!!! /Adm. Ackbar

I read rotten.com, I think I'm about as fscking tainted as they come. It's absurd to think that there would be ground for a lawsuit against an open source project you worked on because you had at one point glossed over the NT kernel source or something. That's like homeopathics [rotten.com] who believe that remedies should contain miniscule quantities of active ingredients. In fact, the "strongest" formulations usually contain not a single molecule of the substances in question. Zero parts per billion -- pure water.

I've seen the Windows CE source. Maybe I should never program again because MS could sue me! I think not.

PS No offence to homeopathics, I don't care what crazy shite you belive in.

Re:It's a TRAP!!! /Adm. Ackbar

Think it absurd if you want; the law certainly allows for it. It works like this:

1) You see some proprietary source, either legally or otherwise;

2) You later work on some open source project;

3) The copyright holder of the proprietary source in 1) looks at the open source project and decides that some sections of the code look strikingly similar to their own code. They further discover that you wrote or contributed to those sections. They call their lawyer. Now, it may well be a combination of "coincidence plus a limited number of ways to do X" that caused the similarity, but you're going to have to convince a judge and/or jury of that. The other side will have to convince them that you copied it. They've got the striking similarity plus the fact that you've seen their source. What have you got?

Now, since you've seen the Windows CE source, why don't you ask the Samba project if you can join, and tell them you've seen MS source code (whether legally or not doesn't matter; seeing it is all that matters) and see if they will take you on as a developer.

I bet they won't.

Re:It's a TRAP!!! /Adm. Ackbar

Looking at the code and gaining some insite and knowledge to the inner workings of MS software, and using that knowledge to incorporate into your own product, may be illegal.

But, it happens all the time. ALL the time. You think the programmers at MS haven't poured through the Linux code? If what you say is correct, then Windows must be littered with Linux code just because they studied and learned something from it?

There's a line between reverse engineering and access to source code; but you're unlikely to prove something wasn't reverse engineered unless you copy and paste the code.

It may be unethical to use leaked MS code to improve your compatibility solutions, but with all the underhanded and generally nasty things corporations are doing, it's just more of the same..

And about your comment about the "IBM PC BIOS." Not even close. Proving that you copied a 256kbit bios is a lot easier then proving you used information learned from studying 50 lines of code out of 40GB...

Hey, I'm no saint in real life.. no need to be one online.

Re:It's a TRAP!!! /Adm. Ackbar

What laws are you basing your comments on? I was under the impression that it is against the law to DISTRIBUTE a copyrighted work, not to look at it. Can the RIAA sue me for listening to a song I hear on my friends CD player if I have not purchased the song? Of course not. I also do not think it is illegal to use the knowledge you may gain from seeing the source code. Unless of course that knowledge is covered under a patent. I am not a lawyer and can be completely off-base here.

The other thing is that MS would have to PROVE that you did see/use the source code. You can just say that you reverse engineered it.

Of course it is illegal to USE the source code. So if some wine guy goes and plops down a chunk of MS's source code into wine, then yes, that would be illegal. I am not sure if it would be illegal for some wine guy to look at the code and use some of that knowlege gained that is not under a patent in wine. Think about this. I can walk into a book store and read through a book. I can later write a book with that very same theme and I have not broken any copyright laws. What I cannot do is copy the book verbatim or distribute that as my own work.

I am under the impression that copyright laws do not prevent you from creating a work based on knowledge of another work. As long as you do not use the original work verbatim. I can go and create a movie called Planet Wars with a lead character named Duke SlyStalker based on a very similiar theme as Star Wars. I can write a book with a theme just like LOTR with trolls, hobbits, elves, dwarfs, etc. I can paint my own version of very famous paintings. I can make music that sounds like other popular music.

I don't see what legal case MS would have against someone who viewed their source code and made an application that used that knowledge, again, as long as their is not a patent covering what you are re-creating. The only way I can see MS having a legal case is if you signed an NDA with MS.

*Note*: I am not a lawyer and I can be completely wrong about copyright laws.

Re:It's a TRAP!!! /Adm. Ackbar

scripsit AstroDrabb:

I am under the impression that copyright laws do not prevent you from creating a work based on knowledge of another work. As long as you do not use the original work verbatim. I can go and create a movie called Planet Wars with a lead character named Duke SlyStalker based on a very similiar theme as Star Wars. I can write a book with a theme just like LOTR with trolls, hobbits, elves, dwarfs, etc. I can paint my own version of very famous paintings. I can make music that sounds like other popular music.

IANAL either, but I've had to deal with copyright issues in academe. You cannot create a derivative work -- that is part of the copyright-holder's monopoly. You needn't use a single line of text verbatim for it to be considered a derivative work; a movie adaptation which mangles the plot and doesn't use any of a book's dialogue is still a derivative work. So would a translation into Mandarin or a children's version.

There are exceptions, I believe, for parody -- various Star Wars knockoffs (e.g., the Death Star Clerks animation) are apparently legal as parody. Otherwise, you can get into hot water with the kind of things you're talking about. You have to be able to convince a jury that your work is not derivative of the earlier copyrighted work or you are infringing.

The painting one is an interesting example, because most of the `famous' paintings one would be inclined to make works derivative of are not in copyright any more. And when it comes to music, pop all sounds alike anyway, so it would be pretty hard to argue that anything is derivative of anything else, unless it copied bars on end of melody or something.

Now, academic plagiarism and copyright infringement are not the same thing, but the rule-of-thumb I tell students about plagiarism still applies: If I read your work and I think ``Hmm, I've read this somewhere before,'' there's already a problem. There doesn't have to be verbatim copying of text. It might not be enough to convict, so to speak, but unwelcome attention has been drawn and a legal fight is a possibility.

Re:It's a TRAP!!! /Adm. Ackbar

Microsoft is sooooo obviously trying to pull an SCO here.

This is the among the most ridiculous theories that I've ever read on Slashdot (and I've seen some doozies in the past several years). Why would Microsoft go about trying to pull off what SCO did? So it could a bunch of Linux users (a LIBERAL estimate of 100M) for a paltry $500 a pop ... that's a mere $5B over the course of the next several years? Let's double it for a $1,000 each and it's still just $10B, nevermind all the expenses, including legal, to go about trying to collect something like that. Or, perhaps, they decide to go sue a handful of companies for a few billion dollars each after years of litigation and all kinds of negative PR. Microsoft's revenue was $34 billion for last year alone, $26B of it being profit.

SCO's actions are based on a company with little revenue, little cash, and nothing to lose. Microsoft has everything to lose. Say what you will about Microsoft, but they didn't get to where they are today with silly moves like that.

Re:It's a TRAP!!! /Adm. Ackbar

I think it's worse than just a simple trap.

The Reuter's article on Yahoo [yahoo.com] contains a number of inaccuracies that are clearly prejudicial, and are probably sourced within Microsoft.

It (the story) amounts to an obvious attempt to spin up a scenario that will lead ultimately to criminal prosectution of persons involved in Open Source. And the story being such an obvious attempt at spin doctoring could lead one to believe there is more going on here than one poorly written news story...

Apparently Gates & Co. have decided their civil case fronted by SCO is not quite strong enough, and are trying to establish criminal precedent in order that, whether the current SCO effort succeeds or fails, the next case will be criminal.

One could hope that the courts will develop enough tech skillz to determine that the line

for (int i=0; i < cnt; i++) {

showing up in both windoze and Linux code does not constitute proof of theft under some Gatesien system of jurisprudence ...

Examples of the (imo) prejudicial language in the story [emphasis mine]:

...copies of the source code [...] were being traded over the internet

There is no evidence cited that the code is being "traded". It appears that it is being distributed, but I haven't seen any reports of it being exchanged for anything else. This is key, since the languaged used here implies a profit motive on the part of the alleged "traders"; necesary for the criminal prosectution because there is a need to establish that the code is worth a great deal...

Source code is the ... lifeblood of any software company

This sounds like it came straight out of a Microsoft publicist. It is an emotional appeal statement, designed to imply a henious threat to the alleged victim, Microsoft (and by implication, SCO).

The statement is factually inaccurate, even as metaphore. Source code is a principle part of the products manufactured by most software companies, but expertise in the creation of source code is more properly the "lifeblood" of the company.

Of course, Microsoft is a bit challenged in the expertise dept, but that should be applied to "any software company"....

Microsoft has [...] shared its source code with close partners and carefully chosen organizations, with legal agreements that threaten litigation in the event of that any of is leaked.

...followed by...

"It's illegal for third parties to post Microsoft source code [...]"

If it is indeed "illegal" for 3rd parties to post the sources, then why would the aforementioned "agreements" require threat of civil action? If it's illegal, there should be no need to lititgate. The threats would be of prosecution, not litigation.

Furthermore, the word "share" here is ridiculous. If you've ever looked at what it takes to get an NDA to look at M$ sources, there's no "sharing" to it. It's a business transaction, and it doesn't happen unless M$ gets the lions "share" of any potential benefit.

Software companies that create programs running on Windows need access to source code to build their own products.

WTF? Well, admittedly I haven't written any "programs running on Windows" in quite a few years, but I no idea things had changed quite that much... [that's sarcasm in case you can't tell; the statement is just plain wrong]

Microsoft said that it was working with the Federal Bureau of Investigation and legal authorities to try and track the origin

Re:So much for security through obscurity

Due to the source code leak, Microsoft has delayed the release of the highly anticipated Windows 2000 till the summer of 2004.
*time passes*
Due to the source code leak, Microsoft has delayed the release of the highly anticipated Windows 2000 till the fall of 2004.
*time passes*
Due to the source code leak, Microsoft has delayed the release of the highly anticipated Windows 2000 till the release of Half-life 2.
*time passes*
Duke Nukem Forever released...

Re:So much for security through obscurity

Could this be a ploy to spur Win2k+3 updates? Blame the hackers for making win2k insecure. Oops you gotta upgrade now, sorry,

Re:So much for security through obscurity

win2k+3? wow that's much easier that typing win2003...I don't care mod me down, abreviations and acronyms have gotten out of control!

Re:So much for security through obscurity

I prefer win3*23*29+2

Re:So much for security through obscurity

I prefer Windows 666*3+5.

Re:So much for security through obscurity

Windows 1337+666 seemed to always do it for me...

Re:So much for security through obscurity

Actually, I think it would be funny to see the open source community release a security patch for win2k before Windows does, proving that open source is more secure since it can be patched faster with more eyes looking at it.

Of course, MS would flip out, call it an exploit, and have the next patch uninstall it, since any patch for MS products that do not come from MS "can't be trusted". Another reason I like Linux more and more every day, not having to rely on a single company for patches.

Re:So much for security through obscurity

Could this be a ploy to spur Win2k+3 updates? Blame the hackers for making win2k insecure. Oops you gotta upgrade now, sorry,

Not a very effective one, then. The key component - Windows Update - still fetches from the same place each time, and unless someone manages to fool that program into downloading from some other source, it's not a big problem.

The bigger issue here is the release of code that Microsoft may have licensed from third parties that they were not supposed to reveal, as well as the release of their own IP. I imagine someone's or some institution is going to be in a world of hurt if MS ever finds out who did it. Not terribly likely, but possible.

If it were me who did it, accidentally or on purpose, I'd be on a jet to some foreign country right now.

Re:So much for security through obscurity

Windows Update clients are hardly secure if you happen to modify the registry [experts-exchange.com] of the client system to use a differenet "WindowsUpdate" server...

Re:So much for security through obscurity

No, it's the same codebase. Big parts of it are rewritten for every release and new parts are written from scratch to support new features, but a lot of it is the same. How else do you explain that most of the security bugs affect every Windows NT version from 4.0 to Server 2003? They were rewritten from scratch with the same mistakes?

Mod Parent Up !!

He's correct. The tree is forked as needed for future versions. Heck, you can search through the asm files and still find ones with David Cutler's name in them that haven't been changed since he wrote them.

Re:So much for security through obscurity

So, when do you figure SCO will find their intellectual property in it?

Re:So much for security through obscurity

If its true (conspiracy theorists) that MS was behind the 50M cash investment into SCO a while back, then its possible MS is trying to provoke the playgournd wimp into picking a fight with the Big Blue bully for the sole purpose of being there first after getting his ass kicked. Its not out of the realm of possibility that the MS world domination plans include purchasing UNIX IP just to burn it in some pagan ritual.