Windows 2000 & Windows NT 4 Source Code Leaks 2764
PeterHammer writes "Neowin.net is reporting that Windows 2000 and Windows NT source code has been leaked to the internet. More on this as we hear it."
There are two ways to write error-free programs; only the third one works.
Server problems ALREADY... (Score:5, Informative)
Later isn't going to work, since the server was down even before it hit the Slashdot front page. I empathize with their server.
I did, however, managed to grab the news blurb (but not the, at that point, 214 comments) from the intermittent front page:
Torrent, anyone?
site was /.ed before story went live (Score:2, Informative)
Neowin has learned of shocking and potentially devastating news. It would appear that two packages are circulating on the internet, one being the source code to Windows 2000, and the other being the source code to Windows NT. At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them. Microsoft are currently unavailable for comment surrounding this leak so we have no official response from them at the time of writing.
This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.
We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to the Microsoft's Anti-Piracy department.
Please do not post any links/screenshots/hints or anything to do with the source code outbreak. Discussion is allowed but we will not condone people spreading this source code.
Mirror With Comments (Score:5, Informative)
Hope it's all just a bluff.
Re:I'll believe it when I see it. (Score:5, Informative)
They focus primarily on windows tech, and have a knack for breaking stories about Windows- leaked builds of future versions, beta builds of service packs, etc. Whoever runs the site is well connected in Microsoft.
Re:Server problems ALREADY... (Score:4, Informative)
It's allegedly from the file "windows_2000_source_code.zip."
(Who knows if it's real, as it's too early to tell, probably)
Source TREE, looking more legit now (Score:4, Informative)
Question is.. (Score:2, Informative)
Re:I'll believe it when I see it. (Score:2, Informative)
Download it HERE (Score:1, Informative)
Re:I'll believe it when I see it. (Score:5, Informative)
Microsoft gave a talk at usenix: Windows A Software Engineering Odyssey [usenix.org]
This slide [usenix.org] indicates the full source is 50gb and took a week to setup and 2 hours a day to update.
That implies to me that people could have the whole source but it would huge.
Slide 24 talks about their new perforce [perforce.com] based system that only takes 3 hours to setup and 5 minutes to update.
Re:For those that need more proof (Score:2, Informative)
This was interesting...
win2k/private/shell/shdocvw/
If it's real.. then someone has a good portion of the rendering engine behind IE....
Hmmmm.....
Also
win2k/private/shell/explorer/
Looks like there is the shell for windows also...
I don't see any kernel level stuff though...
Just a quick analysis though..
Re:The shit will hit the fan + Mirror (Score:3, Informative)
Re:For those that need more proof (Score:3, Informative)
files.txt [bu.edu]
Re:For those that need more proof (Score:2, Informative)
More Info + Source Snippet (Score:3, Informative)
See win2k/private/ntos/ for kernel stuff (Score:4, Informative)
Re:MOD PARENT UP (Score:3, Informative)
Compressed mirror (Score:3, Informative)
There ya go.
Stop beating that poor server - edonkey mirror (Score:2, Informative)
and since Slashcode mangles ed2k-links: here for copy&paste (remove any spaces)
ed2k://|file|files.txt|2390731|959770f9507c332f26
Oh and BTW, this is just a LIST of files, not the sourcecode itself. So don't get cocky about copyrights.
Mirror (Score:3, Informative)
Re:Do NOT read that code! (Score:5, Informative)
I personally think it's a bad analogy, but even that isn't as far-fetched as you might think.
George Harrison (of Beatles fame) was succesfully sued for _subconsciously_ ripping off the song "He's So Fine" (in "My Sweet Lord"). See here [benedict.com] for more details.
So, no, I don't think worrying about IP contamination from looking at Windows source code is paranoid at all.
Great for many Linux projects (Score:2, Informative)
Re:So... (Score:2, Informative)
The biggest hurdle to get over was figuring out that each directory needed to be its own library, and you had to turn on PASCAL calling methods by default in Visual Studio's C preferences for all the directories not named "private"
I found mine at http://www.skittlebrau.org/ring0_src.tar.bz2.torre nt but I don't know if that's still up.
The dirty room and the clean room (Score:5, Informative)
As long as you do not copy the code verbatim you are not in violation of copyright law.
Copying of nonliteral elements is actionable infringement. That's why many reverse engineering firms have two separate teams: one to describe a piece of copyrighted code and another to implement it.
In any event, it is a myth that, simply by looking at, or even studying, one set of code one is somehow "tainted" and unable to contribute to another, competing project, be it free or proprietary. To violate copyright law one must copy, not just receive inspiration from.
Try telling that to the estate of George Harrison, who lost in Bright Tunes v. Harrisongs. It's possible to copy without knowing you're copying, and it's still infringement.
Re:So much for security through obscurity (Score:5, Informative)
List of the source means nothing (Score:1, Informative)
Re:That is a MYTH (Score:5, Informative)
(IANAL and this is not legal advice. Go talk to PJ. At least she's a paralegal.)
Re:I'll believe it when I see it. (Score:5, Informative)
Re:ReactOS (Score:3, Informative)
Ge van Geldorp
ReactOS developer
Code leaks not new (Score:5, Informative)
Code leaks from Microsoft are not new. Check this article [cioupdate.com] at CIO Update about a code leak a year ago: (emphasis mine)
Microsoft Corp. said it is tracing a key piece of code from its Windows Server 2003 software that was leaked onto the Internet, triggering concerns about piracy problems ahead of the company's scheduled product release later this month. The volume-licensing key in question allows for unlimited installations of Microsoft's Windows Server 2003 server operating system, the next upgrade from Windows NT that is slated for release on April 24.
However, this seems only to be a partial leak, not comparable to this complete (if it's real) source code leak.
Re:Suspicious files from the purported tree (Score:1, Informative)
Web Myth: Windows NT crippled ship (Score:3, Informative)
Many have heard the story, few have heard the truth. After all the early speculation (termed used by publisher who broke the story and later distanced themselves from it) by shoreside Unix advocates someone eventually talked to the Chief Engineer on board at the time and the software developer who wrote the code. They said it was not WinNT. If the OS had been Linux the ship would have been just as dead in the water. A naive server app corrupted it's own database and naive client apps (the infamous "LAN consoles" that crashed) needed that database to function properly and to operate equipment. In any case:
http://www.sciam.com/1998/1198issue/1198techbus2.
"Others insist that NT was not the culprit. According to Lieutenant Commander Roderick Fraser, who was the chief engineer on board the ship at the time of the incident, the fault was with certain applications that were developed by CAE Electronics in Leesburg, Va. As Harvey McKelvey, former director of navy programs for CAE, admits, "If you want to put a stick in anybody's eye, it should be in ours." But McKelvey adds that the crash would not have happened if the navy had been using a production version of the CAE software, which he asserts has safeguards to prevent the type of failure that occurred."
Re:ed2k link? (Score:1, Informative)
ed2k://|file|Windows_2000_Source_Code[NeoWin.Ne
Re:That is a MYTH (Score:5, Informative)
Also, because the act of copying is incredibly hard to prove unless you are dealing with a complete moron, it is not necessary under the law today for a copyright plaintiff to actually prove the act of "copying." Generally speaking, it is sufficient for them to prove "access" to the copyrighted work and "substantial similarity" between the two works. There is tons of case law on this stuff.
Re:Suspicious files from the purported tree (Score:3, Informative)
The fact that these are in an alpha folder supports the idea that they were trying to get these in, and simply didn't. These probably never got built.
The apache_install.eml is odd. However, elsewhere in the filelist are many
That's just that. But I'm still strongly leaning toward "hoax" myself. The filelist may even be legit, but that may be all there is.
I think it's great that the world, and Microsoft, will be publicly discussing and simply thinking about the ramifications of a windows source leak.
Re:Server problems ALREADY... (Score:2, Informative)
And has 4411 files of 0 bytes long
Maybe it's real, maybe it's not
Russian gov. gets full src windows http://amo.net/NT/01-20-03MSFT.html
Re:Compilation and Windows source code (Score:4, Informative)
Then there is a lot of c++.
Most of it is c.
Some other files exists, i dunno what they are..
Re:Server problems ALREADY... (Score:2, Informative)
Re:Mirror With Comments (Score:3, Informative)
Or better yet, update your link and sig to www.thescogroup.com, the litigious bastards [thescogroup.com].
Another link (Score:2, Informative)
http://itvibe.com/default.aspx?NewsID=1283
Re:MOD PARENT UP (Score:5, Informative)
Steven V.
Re:That is a MYTH (Score:4, Informative)
Correcting myself . . .
> from what I understand copyright restricts the act
> of copying (duplicating). You can study someone's
> implimentation of something as much as you like,
> then go impliment something similiar yourself.
> As long as you do not copy the code verbatim
> you are not in violation of copyright law.
What you're saying about copyright is correct;
[ snip ]
No, it isn't, and I don't know why I said it was. Too much crack today or something. The law on derivative works would make this not true, at least according to my understanding of Brad Templeton's 10 Big Myths about copyright [templetons.com].
Semi-slashdotted? Here's the text... (Score:5, Informative)
This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.
We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to the Microsoft's Anti-Piracy department.
Please do not post any links/screenshots/hints or anything to do with the source code outbreak. Discussion is allowed but we will not condone people spreading this source code.
(The rest is just the comments, you know, crap like you get on /.)
Re:Files with interesting names... (Score:3, Informative)
Re:Ballmer does NOT deny leak (Score:2, Informative)
He's saying that the leaked code is the same as the code in their version control system
Re:SHORT THE STOCK? (Score:5, Informative)
Re:define "derivative", please (Score:5, Informative)
17 USC 101 [cornell.edu] defines a derivative work as:
That really cleared things up, didn't it?
But seriously, my point was that what the parent was stating as an absolute is actually untrue. You can be guilty of copyright infringement even if you dont "copy."
Re:ed2k link? (Score:1, Informative)
on bytedevils.net/?88
Re:Ballmer does NOT deny leak (Score:2, Informative)
Although, reading it again, I don't agree that "He's saying that the leaked code is the same as the code in their version control system". He's just saying that Microsoft's own copy hasn't been tampered with.
That quote is from four years ago (Score:5, Informative)
Re:That is a MYTH (Score:3, Informative)
There's no such thing as a "trade secret violation" unless you are bound by an NDA. If the source is leaked and people not under NDA see it, the jig is up -- your trade "secret" is fucked.
That's the different between patents and trade secrets. With a patent, you must publish details of the invention publicly, but you have an exclusive right to license the use of that invention. With a trade secret, you have no legal protection against other people using it, but you don't disclose it publicly.
It's kind of like security through obscurity. With a patent you rely on force of law. With a trade secret you rely on people keeping their mouths shut. You might manage to keep it under wraps for years, but once it's out, you are fucked. Even if the person who leaked it was under NDA, the only recourse you have is against that particular individual. Your secret is still out, and suing the hell out of someone won't change that.
Re:SHORT THE STOCK? (Score:5, Informative)
btshowmetainfo.py windows_2000_source_code.zip.torrent
btshowmetai
metainfo file.: windows_2000_source_code.zip.torrent
info hash.....: f03fc1e04869294d5644d3c8c5d0fb8f2d26aa59
file name.....: windows_2000_source_code.zip
file size.....: 213748207 (815 * 262144 + 100847)
announce url..: http://alge.nlc.no:6969/announce
maybe its that thing, atm 23 seeders, 239 downloading and it was created on 2/12/2004 11:16:13 PM, so looks good so far
knock yourself out
Re:The real question is, of course - (Score:3, Informative)
Re:So much for security through obscurity (Score:5, Informative)
Re:MOD PARENT UP (Score:3, Informative)
TxMouse can almost do this. Its default settings are focus on hover but not bring to front; bring to front is accomplished by clicking on the window decoration (titlebar).
TxMouse can also be set to autoraise after a settable delay.
TxMouse can emulate an X-Windows mouse including copy-on-select and paste-with-third-button.
It works a bit better than the PowerToys version too; the PowerToys one regularly screwed up one app (Microspell) when that app was activated by hotkey. TxMouse doesn't screw it up.
On the assumption that a lot of you will want this, I'm going to go into some gory details not included in TxMouse's documentation now. If you have no desire to use TxMouse, you can skip the rest of this post in good conscience; I promise you won't be missing any anti-Ashcroft zingers.
TxMouse also changes the mouse cursor change when select is copying, and allows you to turn off copying by pressing the third button.
On my mouse, turning off copying doesn't work with the middle button, as the middle button gets physically trapped down until the left button is released. TxMouse allows you to set it up so that the right mouse button does all the work the middle would normally do, for people with two-button mice, but a better solution to my problem was to re-assign middle to right and right to middle in the Microsoft Intellimouse driver. So now the middle button drop down context menus, and the right button pastes, except in the browser, where the right works as a "back" button.
The TxMouse mouse cursor that indicates text is being copied does not show up if the "Link Select" cursor is the default (the pointing finger); in that case the copy indicator is the "Handwriting" cursor. So you can customize what shows up on copy if you don't customize "Link Select", and vice-versa.
TxMoue is free but not open source (which sucks, as I'd like to modify it -- any pointers to source for MS_Windows Mouse drivers is appreciated so I can replicate it), and can be found here [chalmers.se]. Get it while Ashcroft still lets you connect web sites in socialist Sweden.
Re:it's true (Score:5, Informative)
http://www.gzip.org/zlib/zlib_license.html [gzip.org]
version 1.2.1, November 17th, 2003
Copyright (C) 1995-2003 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not
claim that you wrote the original software. If you use this software
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly jloup@gzip.org
Mark Adler madler@alumni.caltech.edu
*/
Re:it's true (Score:2, Informative)
Re:Compilation and Windows source code (Score:5, Informative)
Some more other interrestings extentions: BAT(123), CMD(65), JAVA(37), SED(29), PL(17), JS(16), M4(5), AWK(3), BAS(2), VBS(1).
Documentations? EML(2213), TXT(382), HTM(212), HLP(23), RTF(9), PPT(3), PDF(1).
Media: ICO(1304), BMP(803), GIF(165), AVI(141), ANI(34), MID(3), JPG(2).
TOP11: H(5611), NoExt/Dirs?(4708), C(4675), CPP(2257), EML(2213), CXX(1466), ICO(1304), HXX(972), BMP(803), RC(702).
FULL SOURCE TREE IS FREE and legal HERE.... (Score:4, Informative)
full source tree is free, and generatable from the debug/dlls etc....
enjoy.
yes this is 100% legal
Re:See win2k/private/ntos/ for kernel stuff (Score:5, Informative)
I lived for years with full source access at a MS partner company.
Example of what's missing is the file systems (only the file system recognizers seem to be there, not the file system), the entire device driver tree, storage drivers, etc. Most of the core kernel functionality is there though, if pre-service pack levels.
Microsoft probes possible Windows source code leak (Score:1, Informative)
Re:Internet Explorer (Score:5, Informative)
The magical "hidden folder" that's "segregated from the main filesystem" and "doesn't seem to exist" (C:\DOCUME~1\YourName\Local Settings\History\History.IE5\) is really just a plain ol' system folder.
Go to a command prompt and run:
attrib -s C:\DOCUME~1\YourName\Local Settings\History\History.IE5\
Wow, now the folder appears just like any other folder.
As for the deeply mysterious "encrypted" file inside it, index.dat... it's just a plain ol' binary file. Open it up in any hex editor and you can read all of the URLs stashed inside just fine.
The file "cannot be deleted by any normal means" because it's in use by Explorer (which is always running - it's your shell). If you've ever done any work with programming shell extensions, you'll have run into the same problem.
Put the following into your autoexec.bat (or any similar startup file - anything that runs before Explorer starts) and you can delete it just fine:
del C:\DOCUME~1\YourName\Local Settings\History\History.IE5\index.dat
Granted, IE may not be worth its weight in spit, but this guy appears to be a little bit off his nut.
Re:it's true (Score:3, Informative)
MS isn't the first place where this has happened. For many years, Bell Labs would not modify the source code for "troff". The original author had died, and the code was so twisted that no one was willing to try making changes for fear of introducing bugs worse than the ones they were trying to fix. I believe that eventually there was a completely new implementation.
Here's an official current MS quote + more news (Score:5, Informative)
"The rumor regarding the availability of Windows source code is based on the speculation of an individual who saw a small section of un-identified code and thought it looked like Windows code. Microsoft is looking into this as a matter of due diligence," a company spokesman said. "If a small section of Windows source code were to be available, it would be a matter of intellectual property rights rather than security." - from Eweek [eweek.com].
Also see ZDNet [com.com], InternetNews [internetnews.com] and Google News [google.ie]
.eml files (Score:1, Informative)
Source Torrent (Score:2, Informative)
other sources (Score:5, Informative)
http://zdnet.com.com/2100-1104_2-5158496.html
http://www.infoworld.com/article/04/02/12/HNmic
http://www.eweek.com/article2/0,4149,1526390,00
Microsoft's initial response: (Score:5, Informative)
Parent is a fake - it's the source of linux 2.6.2! (Score:4, Informative)
Re:Kernel source here (Score:2, Informative)
har de har dar. well, it does what it says on the tin.
ed2k links (Score:0, Informative)
ed2k://|file|windows 2000 source code
ed2k://|file|Windows source code- evans|727875584|000a97a4c90a0eff2e579a82811332e9|
ed2k://|file|Windows.Source.Code.w2k.nt4.wxp.ta
Just the source tree listing ... so what? (Score:2, Informative)
Such a listing for XP has been available on the Sysinternals site for years:
XP Source Tree [sysinternals.com]
Re:GNU make users? (Score:2, Informative)
Some are saying Open Sourcer did it. I say bunk~! (Score:3, Informative)
"Up until now it was more like the 70/30 rule, where 70 percent of the threats are bogus. Now it's more like 50/50," Didio said. "With the open source community, there are a large percentage of tinkers and 'ankle biters' who are trying their hand at hacking. Some are even communicating with each other. So it only takes one or two of these groups sharing information to be able to pull something off. When you have this type of passion, it's hard to fight because these people are like virtual suicide car bombers."
Re:SCO Code in Win2000 (Score:5, Informative)
This is totally untrue. What happened was that Microsoft bought a compiler from Lattice which they retrofitted for Unix, and a source code licence from AT&T, but Microsoft did NOT, I repeat did NOT, work on that source code themselves.
That source code was given to Santa Cruz, who 'developed' Xenix from that.
And I am sorry, but the very thought that the dim-witted Microsofties would have 'written' their own Unix? Sorry, but that is just too laughable.
Here is a Torrent link ... 200MB download (Score:5, Informative)
I haven't finished downloading this, but it's 200MB in size, has 944 peers!
The tracker is the same one you have listed:
http://alge.nlc.no:6969/announce
The hash is also the same.
Re:So much for security through obscurity (Score:1, Informative)
As for the track record of NT/2000/XP, it's arguably been more vulnerable to Internet attacks than Win9x, but that's simply because it offers more network services. It's the same reason the major Linux distributions have had so many more vulnerabilities than UNIX or BSD (which typically include fewer services), which in turn have had more than, say, Win9x or MacOS9 (which typically include even fewer).
BSD (I know) and Linux (I think) learnt the Internet lesson pretty quickly, so these days typical distributions don't have many (if any) network services enabled by default, but that was a relatively recent change (within the last few years). If you enable tons of network services on a BSD or Linux system, you'll still be vulnerable to the numerous security holes repeatedly found in them.
For reaons known only to MS, Windows still runs all sorts of network services by default, and that's the key difference. It doesn't run the really obnoxious ones like IIS, but it still runs RPC, etc. If those are turned off or blocked, it will be safe from network attacks by default (i.e. only vulnerable to user ignorance). Even today, Windows users who know what they're doing typically turn on the inbuilt firewall (or use an external one), thereby protecting their systems from Internet attacks. The non-technical ones, on the other hand, don't even know what a firewall is.
At any rate, the main problem today is user ignorance, not vulnerabilities in OSes. Users have all the privileges necessary to propagate email worms, mount DoS attacks and so on, so all you have to do is trick a user into running your executable, and it's over. There are solutions to that too, but no mainstream OSes include any (yet). It will be interesting to see which major OS family (e.g. Windows, Linux, BSD, UNIX) is the first to include the necessary safeguards by default.
Re::: prediction :: (Score:1, Informative)
I have no idea how this would all play out under the DMCA (the only major law that I know of not existent in the early 80's). Let's suffice it to say that someone documenting the source code would have to be completely cut off from communication in the other direction and would exclusively analyze the source code as well as being willing to be denied access to any open source implementation (e.g. to check to see if it was done right). They'd also need to live on their own island without any real laws.
Re:No GPL - Lots of BSD (Score:3, Informative)
Err, yes, they are. How else do you suppose we know they're using BSD code? Running strings on the executables turns up the Regents copyright notice.
Re:nlc.no (Score:1, Informative)
Re:No GPL - Lots of BSD (Score:5, Informative)
Windows NT 3.1 was released in 1993, and replaced in 1994 by Windows NT 3.5, which was much smaller, much faster and used an MS-written TCP/IP stack (which was presumably smaller and faster than the BSD-derived Spider stack). The MS TCP/IP stack in NT 3.5 was then ported to Win9x for the release of Windows 95.
The lifetime of NT 3.1 was very brief, and during that brief lifetime, hardly anyone used it (because it was too big, too slow and there was no Win32 software), so the fact that its TCP/IP stack was BSD-derived is not really something to brag about.
Information (Score:3, Informative)
The zip file is 208 mb (213 748 207 bytes)
All the files with the "letts to children.eml" etc names are _completely_ empty.
All files are commented, some are said to be public implention examples while others got "semi public" or no note of being pubblic in the headers.
It doesn't really have any comments with personal twists etc, just facts from what I observed this far.
It only includes the OS stuff (e.g. mplayer/iis/ie isn't there in full or at all)
Got questions, just ask.
Re:So much for security through obscurity (Score:2, Informative)
Seriously, why is this insightful? Isn't it also possible that the punks I mentioned before don't know how to write code that would work on any other platform? The end result is the same, but you're making a big jump on the motivation.
The crap being released today is pathetic. The idiots writing this stuff probably can't even spell their own names. They probably wouldn't recognize a boot-sector virus if you beat them over the head with the monitor it was displayed on.
Whew, I feel better now.
Comment removed (Score:2, Informative)
The 203MB file expands to just under 660MB (Score:2, Informative)
Re:It's a TRAP!!! /Adm. Ackbar (Score:5, Informative)
I've seen the Windows CE source. Maybe I should never program again because MS could sue me! I think not.
PS No offence to homeopathics, I don't care what crazy shite you belive in.
Re:It's a TRAP!!! /Adm. Ackbar (Score:5, Informative)
1) You see some proprietary source, either legally or otherwise;
2) You later work on some open source project;
3) The copyright holder of the proprietary source in 1) looks at the open source project and decides that some sections of the code look strikingly similar to their own code. They further discover that you wrote or contributed to those sections. They call their lawyer. Now, it may well be a combination of "coincidence plus a limited number of ways to do X" that caused the similarity, but you're going to have to convince a judge and/or jury of that. The other side will have to convince them that you copied it. They've got the striking similarity plus the fact that you've seen their source. What have you got?
Now, since you've seen the Windows CE source, why don't you ask the Samba project if you can join, and tell them you've seen MS source code (whether legally or not doesn't matter; seeing it is all that matters) and see if they will take you on as a developer.
I bet they won't.
Re:it's true (Score:3, Informative)
http://www.sschmidt.info/w2k_source.torrent (Score:1, Informative)
Source Code Leak Verified by MS (Score:2, Informative)
"Microsoft Corp. on Thursday confirmed that the source code for its Windows 2000 operating system has been leaked, a security breach that could give hackers important intelligence about how to exploit flaws in software run by most of the world's computers.
A Microsoft spokeswoman said someone had illegally posted incomplete portions of Windows 2000 on the Internet."
Re:No GPL - Lots of BSD (Score:5, Informative)
open up a command window and type "strings c:\windows\system32\ftp.exe"
This will return:
KOMOTV link: Microsoft confirms? (Score:1, Informative)
"SEATTLE - Microsoft Corp. said late Thursday that portions of its Windows source code - the tightly guarded blueprints of its dominant operating system - had been leaked over the Internet."
News (Score:5, Informative)
http://www.infoworld.com/article/04/02/12/HNmicro
http://www.ebcvg.com/news.php?id=1903 [ebcvg.com]
http://arstechnica.com/news/posts/1076628412.html [arstechnica.com]
http://www.internetnews.com/ent-news/article.php/
http://www.sunherald.com/mld/sunherald/business/7
http://www.wvec.com/sharedcontent/nationworld/nat
http://www.komotv.com/stories/29778.htm [komotv.com]
http://www.cryptonomicon.net/modules.php?name=New
http://www.dvhardware.net/article2423.html [dvhardware.net]
http://searchwin2000.techtarget.com/originalConte
-- Analysis from a Windows Expert -- (Score:1, Informative)
Anyway, I digress. The following directories I recognize: kernel, GDI (where's GDI+?), comctl32, comdlg32, server/client separation, Microsoft Plus!, explorer, systray (I thought they would call it the Taskbar Notification Area internally...grr...stupid MSDN), walk (Dependency Walker?), built-in FTP, My Documents (something the world could do just fine without - I even see the COM object stuff there as well that makes it "permanent"), TweakUI, shell32, advapi (lots of NT-specific stuff in there that really should also be for 9x), MSGina, Video for Windows (and possibly Windows Media Player?), some codecs, the Windows Registry, all of the standard Accessory items (including a huge section for Hyper Terminal - and obviously MS Paint, Notepad, and OLE hooks into Paintbrush), Active Accessibility, Control Panel (and applets), Games, the _old_ Win3.x Program Manager, RegEdit, RegWiz (? Not quite sure what this refers to), and rundll32.
Someone made a comment about the
I'm getting around to my final analysis. Basically, what is here is a complete Windows 2000 _kernel_ and _user_ mode tree for the default installation of Windows 2000 (no Service Packs). This, however, does _NOT_ include any proprietary code such as drivers or the source code to DirectX/Direct3D/DirectShow (I know several programmers who would kill for the source to DirectX - it drives them bananas due to the lousy code on Microsoft's behalf). So, while someone _MAY_ be able to compile the whole thing, there are no drivers to go along with it and the Service Packs would overwrite any customization. Therefore, the OS, as a whole, is essentially worthless without the actual media that contains the drivers (and broken without at least SP1). However, there are components of the source code (that I've already mentioned) that Windows programmers would sell their souls for.
I suspect that this source code will become a prized item to have in about two years when Microsoft cuts off support for all existing Windows OSes. Win98 support was just to test the waters to see when companies would be ready for Microsoft to dump them and accept it. You may think I'm joking, but my gut feeling says that Win98 was just a test...and with the source to 2000 floating around, MS can shrug their shoulders and say, "support it yourself," just don't distribute patches or we'll come after you.
Re:GNU make users? (Score:2, Informative)
Having worked at Microsoft, I beg to differ. Source filenames are whatever you want. Files which have to be distributed externally are 8.3 because of ISO9660 (and a slight efficiency increase on VFAT systems). But files used internally? That's personal preference.
Microsoft confirms it (Score:3, Informative)
Re:it's true (Score:3, Informative)
Re:Bogus Bogus Bogus -- MS confirmed it's real (Score:3, Informative)
Transcript, before it gets Slashdotted... (Score:5, Informative)
---
Microsoft Corp. on Thursday confirmed that the source code for two versions of its Windows operating system has been leaked, a security breach that could give hackers important intelligence about how to exploit flaws in software run by most of the world's computers.
"Today we became aware that incomplete portions of Windows 2000 and NT 4.0 source code was illegally made available on the Internet," said Microsoft spokesman Tom Pilla. "It's illegal for third parties to post Microsoft source code and we take that activity very seriously."
Pilla said the company does not know how much of the operating system code was compromised, but he said Microsoft believes it was not a complete version of either operating system.
There was no indication that the code was stolen through a breach of Microsoft's internal network, Pilla said. He said the FBI is investigating the matter.
Computer security experts said the release of Windows source code could pose a significant threat to Internet security, depending on what portion of the code was leaked.
A leak of any portion of the Windows code "could dramatically increase the probability that new zero-day vulnerabilities will be found," said Alan Paller, director of research the SANS Institute, a security training group based in Bethesda, Md.
"Zero day" exploits are highly effective attacks that occur when hackers discover a way to exploit a security vulnerability before or at the same time as a software maker learns of the flaw. Attackers can then use this information to launch a virus or worm that exploits the security hole before a patch can be released to fix the problem.
Thor Larholm, senior security researcher at Newport Beach, Calif.-based PivX Solutions, said the Windows source code file being traded on the Internet appears to be roughly 660 megabytes in size, about the size of one CD-ROM's worth of data. That is far short of the estimated 40 gigabytes of data that makes up the entire 40 million lines of code in the Windows operating system.
Even a partial leak "is a potentially very serious problem for Microsoft," Larholm said. "Just look at the vulnerabilities that are discovered by people who didn't have access to the source code."
The origin of the leak is not currently known. The Redmond, Wash.-based software giant closely guards the computer code that comprises the company's operating system. But Microsoft does license portions of its programming code to security researchers and more than 50 universities under its "Shared Source Initiative."
Microsoft last year said it would began sharing complete copies of its source code with governments around the world that want to validate the security of the software before deploying it in national defense and other sensitive areas. Microsoft signed an agreement in 2003 that lets the Australian government inspect the source code of Windows 2000, Windows XP and Windows Server 2003. Other counties, including India, are exploring similar arrangements.
Unlike open-source software like the widely used Linux operating system, the code comprising Microsoft's Windows software is not open for public inspection. Linux users are encouraged to participate in an open, continuous cycle of modifications and upgrades that its proponents say results in systems that are more secure and reliable than those powered by proprietary code like Windows.
Re:So much for security through obscurity (Score:2, Informative)
It's official... (Score:3, Informative)
Re:I know that... (Score:3, Informative)
That's the double-edged sword that is the trade secret. Legal protection only lasts as long as you keep it a secret. So, once it's out, it's out. They could still claim copyright infringement on verbatim coping, but not derivative works.
You can read all about trade secrets at Nolo.com [nolo.com].
Re:Here is a Torrent link ... 200MB download (Score:2, Informative)
But it's certainly not "complete", i.e. I can't find the NTFS filesystem driver (or at least anything that would look like such a beast...), but I could find code from MSIE for importing Netscape cookies and bookmarks, some of which was under the windows/shell/ hierarchy (maybe that's MS's basis that MSIE is integrated with the core OS?)
I even saw some Java code referencing the "com.ms.xml" hierarchy, apparantly an XML parser MS wrote.
Plus some
Also, a core file under the 'security' folder, which was an ELF binary with some junk about Vi Improved 5.6 and some symbols starting with 'xterm'... maybe the guy working on that was using Linux?
Tracker (dead.) (Score:5, Informative)
Anyway, at least 1000 people got it down, so it shouldn't be too hard for some of them to make a new torrent. But I'm definetly not going to host it anymore.
--
alge of flauna
http://alge.nlc.no/
original quote (Score:3, Informative)
JAKE: Hit it.
ref: http://www.imdb.com/title/tt0080455/quotes
Confirmed by Microsoft (Score:2, Informative)
My favourite quote:
"But Microsoft's president and chief executive, Steve Ballmer, insisted they had not been able to tamper with any of the company's key programs."
Re:PATRIOT implications (Score:1, Informative)
ed2k://|file|windows_2000_source_code.zip.torrent
Re:For those that need more proof (Score:2, Informative)
Possibly. glimpse is a program that will create a database so that you can quickly search through all of your files, in UN*X.
Confirmed by MS (Score:2, Informative)
See Shit.
See fan.
See shit hit fan.
Duck!
Microsoft Confirms it (Score:5, Informative)
source:
http://www.washingtonpost.com/wp-dyn/articles/A37
"The Source" :) (Score:5, Informative)
$ grep -r strcpy -i . | wc
10454 42054 1069145
Where it was ganked from:
There is a core dump file inside the windows 2000 (sp1) archive, it clearly shows that the source was stolen from a system at Mainsoft. The following url confirms that they did have access to the leaked code. http://mainsoft.com/news/press_releases/2000_3_22
The actual strings which confirm this:
PWD=/usr/ms/win2k_sp1/private/security/msv_sspi
DOMAIN=mainsoft.com
REPLYTO=eyala@mainsoft.com
MWBATCH_SERVER=lod:8000
MSOFTLM_HOST=@xor
XAPPLRESDIR=/il2/users/eyal
EDITOR=vi
BASE_LIBPATH=/usr/lib
IT'S OFFICIAL: Microsoft Confirms Leak (Score:1, Informative)
Washington Post [washingtonpost.com]
More info. from Betanews (Score:1, Informative)
More at http://www.betanews.com/article.php3?sid=10766325
NTFS (Score:2, Informative)
It's an official leak! (Score:2, Informative)
Re:So much for security through obscurity (Score:2, Informative)
They have copyright notices in the docs (Score:5, Informative)
Re:"The Source" :) (Score:5, Informative)
Odd... That page doesn't exist anymore, and suddenly (according to their press page), nothing happened in March 2003.
Guess who's in save-my-butt mode? :)
Very smart - MSFT flooded Kazaa with bogus files (Score:1, Informative)
I must admit that they did a good job protecting themselves this way... Who says Microsoft isn't filled with clever people?
Re:it's true (Score:3, Informative)
Some P2P network, I guess. Or one of the aforementioned IRC channels.
Re:"The Source" :) (Score:4, Informative)
Mainsoft(TM) extends strategic relationship with Microsoft(TM)
Leading provider of cross-platform solutions for the enterprise to offer enhanced computing capabilities for the Unix environment; New source code available for CAD/CAM and Visual Simulation markets
SAN JOSE, Calif. - March 22, 2000 - Mainsoft Corporation, the leader in cross-platform solutions for the enterprise, today announced expanded terms of their WISE agreement with Microsoft Corp. The WISE agreement, signed in 1998, provides Mainsoft access to source code for Windows NTO including the recently released Windows 2000. As part of the new terms, Mainsoft will receive additional source code for Windows to provide advanced graphical capabilities for industries, specifically the CAD/CAM and Visual Simulation markets, that require this functionality on Windows and Unix. Today's announcement underscores the two companies' commitment to cross-platform support of Windows-based applications through the Win32 APIs.
Mainsoft's receipt of additional source code for Windows will provide leading technology capabilities for developers who rely heavily on extensive graphics applications. Based on Extensible Scene Graph (XSG) technology, Mainsoft will enhance graphic technology applications on Unix for the CAD/CAM and Visual Simulation industries. As the first deliverable of the "Fahrenheit" initiative, Microsoft's XSG technology offers modeling capabilities to provide a higher level of programming for developers to create consumer and professional 3D applications. XSG provides high-level data structures and algorithms that increase overall graphics performance to assist the development of sophisticated graphics-rich applications.
"We're excited to continue to work closely with Mainsoft to deliver customers advanced graphics technology," said Jeffrey Friedberg, Graphics Program Manager at Microsoft. "Our collaboration will extend XSG functionality to customers who require the advanced graphics technology in a cross-platform environment. We are looking forward to joining forces with Mainsoft on projects for the CAD/CAM and Visual Simulation industries. "
"Since 1994 when our relationship began with Microsoft, Mainsoft has delivered to the software development community a Windows platform for the Unix operating systems," said Yaacov Cohen, president of Mainsoft. "The availability of this new code launches the next logical stage in our alliance: into a new vertical category where we can offer our expertise to developers along with the Win32 APIs to work on Windows NT and port to Unix."
Through its relationship with Microsoft, Mainsoft has had access to the source code for Windows to provide a Windows platform for Unix, called MainWin. This is the leading technology infrastructure for Independent Software Vendors (ISV's) and IT professionals to re-host Windows NT-based applications onto the Unix and Linux platforms. By utilizing MainWin, companies have the power to develop software on the Windows NT platform and deploy it to several different operating environments simultaneously.
etc etc etc
new Working Torrent (Score:5, Informative)
Re:It's a TRAP!!! /Adm. Ackbar (Score:4, Informative)
scripsit AstroDrabb:
IANAL either, but I've had to deal with copyright issues in academe. You cannot create a derivative work -- that is part of the copyright-holder's monopoly. You needn't use a single line of text verbatim for it to be considered a derivative work; a movie adaptation which mangles the plot and doesn't use any of a book's dialogue is still a derivative work. So would a translation into Mandarin or a children's version.
There are exceptions, I believe, for parody -- various Star Wars knockoffs (e.g., the Death Star Clerks animation) are apparently legal as parody. Otherwise, you can get into hot water with the kind of things you're talking about. You have to be able to convince a jury that your work is not derivative of the earlier copyrighted work or you are infringing.
The painting one is an interesting example, because most of the `famous' paintings one would be inclined to make works derivative of are not in copyright any more. And when it comes to music, pop all sounds alike anyway, so it would be pretty hard to argue that anything is derivative of anything else, unless it copied bars on end of melody or something.
Now, academic plagiarism and copyright infringement are not the same thing, but the rule-of-thumb I tell students about plagiarism still applies: If I read your work and I think ``Hmm, I've read this somewhere before,'' there's already a problem. There doesn't have to be verbatim copying of text. It might not be enough to convict, so to speak, but unwelcome attention has been drawn and a legal fight is a possibility.
posted on usenet (Score:1, Informative)
alt.binaries.newsgroupcentral
header:
Windows.2000.source.code-NOGROUP - 2 of 2 - "windows_2000_source_code.zip"
the file is 209.3MB. it was posted about 2 hours ago. most likely this is the same file that was being distributed via torrent ect... enjoy
Looks like they will use it to harrass OS devs (Score:2, Informative)
"One main risk in having source code exposed to the public is the possibility that hackers could break into computers running Windows NT or Windows 2000 and destroy or steal data.
"Although the company said that was unlikely, given the relatively small portion of code that had been circulating, a greater risk could come from others using the code as a base for developing software that competes with Windows."
http://www.reuters.com/newsArticle.jhtml?type=t
Official Microsoft statement on the leak (Score:1, Informative)
Statement from Microsoft Regarding Illegal Posting of Windows Source Code
REDMOND, Wash., Feb. 12, 2004 -- On Thursday, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. It's illegal for third parties to post Microsoft source code, and we take such activity very seriously.
We are currently investigating these postings and are working with the appropriate law-enforcement authorities.
At this point it does not appear that this is the result of any breach of Microsoft's corporate network or internal security.
At this time there is no known impact on customers. We will continue to monitor the situation.
Re:"The Source" :) (Score:1, Informative)
For fuck's sake learn some basic HTML. Slashdot adds a space in URL's normally to stop them from linking so you have to use the proper HTML tags for URL linking to work.
Re:first time in the sun for MS source (Score:2, Informative)
From what I can gather you must have found the NT4 Installation CDRom? The "leaked" precompiled source code for NT4 must be at least 15GB (10+CDRoms) and I severly doubt it would be sitting in a small college's tape backup cabinet!
Just FYI
Re:No GPL - Lots of BSD (Score:2, Informative)
Re:OSS "Suicide car bombers" -- WTF??? (Score:2, Informative)
mp3s on kazaa? (Score:2, Informative)
Re:Code leaks not new (Score:2, Informative)
There was no Server 2003 source code leak.
Who the hell mods these things?
Re:It's a TRAP!!! /Adm. Ackbar (Score:5, Informative)
The Reuter's article on Yahoo [yahoo.com] contains a number of inaccuracies that are clearly prejudicial, and are probably sourced within Microsoft.
It (the story) amounts to an obvious attempt to spin up a scenario that will lead ultimately to criminal prosectution of persons involved in Open Source. And the story being such an obvious attempt at spin doctoring could lead one to believe there is more going on here than one poorly written news story...
Apparently Gates & Co. have decided their civil case fronted by SCO is not quite strong enough, and are trying to establish criminal precedent in order that, whether the current SCO effort succeeds or fails, the next case will be criminal.
One could hope that the courts will develop enough tech skillz to determine that the line
showing up in both windoze and Linux code does not constitute proof of theft under some Gatesien system of jurisprudence ...
Examples of the (imo) prejudicial language in the story [emphasis mine]:
There is no evidence cited that the code is being "traded". It appears that it is being distributed, but I haven't seen any reports of it being exchanged for anything else. This is key, since the languaged used here implies a profit motive on the part of the alleged "traders"; necesary for the criminal prosectution because there is a need to establish that the code is worth a great deal...
This sounds like it came straight out of a Microsoft publicist. It is an emotional appeal statement, designed to imply a henious threat to the alleged victim, Microsoft (and by implication, SCO).
The statement is factually inaccurate, even as metaphore. Source code is a principle part of the products manufactured by most software companies, but expertise in the creation of source code is more properly the "lifeblood" of the company.
Of course, Microsoft is a bit challenged in the expertise dept, but that should be applied to "any software company"....
If it is indeed "illegal" for 3rd parties to post the sources, then why would the aforementioned "agreements" require threat of civil action? If it's illegal, there should be no need to lititgate. The threats would be of prosecution, not litigation.
Furthermore, the word "share" here is ridiculous. If you've ever looked at what it takes to get an NDA to look at M$ sources, there's no "sharing" to it. It's a business transaction, and it doesn't happen unless M$ gets the lions "share" of any potential benefit.
WTF? Well, admittedly I haven't written any "programs running on Windows" in quite a few years, but I no idea things had changed quite that much... [that's sarcasm in case you can't tell; the statement is just plain wrong]
Seems like it is true (Score:2, Informative)
REDMOND, Wash., Feb. 12, 2004 -- On Thursday, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. It's illegal for third parties to post Microsoft source code, and we take such activity very seriously.
We are currently investigating these postings and are working with the appropriate law-enforcement authorities.
At this point it does not appear that this is the result of any breach of Microsoft's corporate network or internal security.
At this time there is no known impact on customers. We will continue to monitor the situation.