Microsoft

FBI on the Windows Source Code Theft

Chris Gondek writes "There are various articles about the Stolen Windows Source Code, but today it is confirmed that an FBI task force hunted for a cyber-criminal who posted on the internet source code for Windows which says 'I can confirm that the Northwest Cybercrime Task Force was investigating, FBI spokeswoman Robbie Burroughs said. The posted program is part of the source codes, or blueprints, for Windows 2000 and Windows NT 4.0, according to the company.' "
  • by zegebbers ( 751020 ) on Sunday February 15, 2004 @10:08AM (#8285195) Homepage
    In any case, Microsoft's code allows the company to keep its near-monopoly on computer operating systems, for the same reason Coca-Cola guards its secret formula.
    Yes, It's very lucky that there is absolutely no way to obtain any MS source code! [microsoft.com]
  • by John Seminal ( 698722 ) on Sunday February 15, 2004 @10:09AM (#8285206) Journal
    But I gotta tell you, whoever stole and posted the source code is an idiot. What good was gained from doing this? What benefit is there?

    I wonder, if as a by-product of releasing the Microsoft code, that hackers will write more viruses and worms after seeing the source code, if I can sue the person who let out the code because it will increase the time I have to spend securing my system.

    I hope the FBI finds and nails this guy. Considering the scale of his/her actions, they should lock up the SOB for a long time. This person should be the person they make an example out of.

  • by Anonymous Coward on Sunday February 15, 2004 @10:10AM (#8285207)
    The article says FBI spokesperson said 'It's illegal to download it.'. How can that be? Is it really so? What if your girlfriend downloads a file called 'cookingrecipes.zip' and it happens to contain stuff she did not know - such as Windows source code? Does that mean innocent downloaders can be put in jail?
  • by John Jorsett ( 171560 ) on Sunday February 15, 2004 @10:12AM (#8285214)
    Aha. Microsoft gets one of its sock puppets to expose some obsolete source files of an old version of Windows, and has them do it on a Linux box in order to make it look like Linux is as shaky in the security department as Windows. My God those people are Machiavellian. I'll bet some of the same people behind the fake Mars landers are behind this.
  • by bhima ( 46039 ) <(Bhima.Pandava) (at) (gmail.com)> on Sunday February 15, 2004 @10:15AM (#8285233) Journal
    The source for Linux is available.

    I haven't had many problems with it.

    Maybe you are overreacting.

    Not that I condone this

  • Re:Scapegoat (Score:1, Insightful)

    by John Seminal ( 698722 ) on Sunday February 15, 2004 @10:15AM (#8285234) Journal
    Yep, I think they could catch you. Didn't you see the public camera behind you that photographed your plates?

    Seriously, they can catch you. If you hack, you have the tools on your laptop or computer. Maybe you have a CD filled with them. That is all it will take to nail you. A few angry words told to people about how you dislike company X, an attack on company X, and you having tools that could complete the attack.

    But it is not that bad. Just stop doing anything illegal. You have no right to mess with someone else's system.

    And I would tell you this. If you happen to park your car and try hacking on my system, I have a nice honey pot waiting. It is like a guy in a house with a gun waiting for a burglar. Come on, come and get it. It's dinner time.

  • Re:Blueprints? (Score:3, Insightful)

    by Anonymous Coward on Sunday February 15, 2004 @10:18AM (#8285246)
    Technically, you could call source code blueprints. The compiler follows the instructions you've requested, then translates it into assembly and then object code. Some compilers will do a good job (Intel's) and others will needlessly bloat the specifications (GCC). Just like building a house.
  • Re:Blueprints? (Score:5, Insightful)

    by lseltzer ( 311306 ) on Sunday February 15, 2004 @10:19AM (#8285249)
    It's a perfect metaphor. Computers don't run C code, just as we don't live in drawings of houses. Both are human-readable representations that we can use to build the implementation.
  • by Anonymous Coward on Sunday February 15, 2004 @10:21AM (#8285263)
    cough... cough... FUD...

    Where is the link to that statement?

    does microsoft.doj.gov gave him a warning? my ass..
  • by smittyoneeach ( 243267 ) on Sunday February 15, 2004 @10:21AM (#8285264) Homepage Journal
    What good was gained from doing this? What benefit is there?
    This whole affair is going to have one effect similar to that of major virus upgrades: it will scare the recalcitrant to upgrade.
    Deliberately falling short of carrying that analysis any further...
  • by calyptos ( 752073 ) on Sunday February 15, 2004 @10:23AM (#8285271) Homepage
    I agree that it was wrong to release the source code without permission, but I disagree with you suing the one who distributed it. If you have a problem with your computer's security and feel the need to sue someone, sue Microsoft. You'd lose though, you've already signed an agreement excusing them from practically everything. I have a feeling if the source code to my linux distribution was illegally released (it's not finished, and MY software isn't free until I say so) that the FBI wouldn't give a shit.
  • by BorgDrone ( 64343 ) on Sunday February 15, 2004 @10:23AM (#8285275) Homepage
    I wonder, (...) if I can sue the person who let out the code because it will increase the time I have to spend securing my system.

    If you want to be secure, you shouldn't be using software whose security depends solely on the secrecy of the source. It's known as "security through obscurity" and almost everyone agrees it doesn't work.

    Even microsoft won't be so stupid as to rely on it.
  • by WIAKywbfatw ( 307557 ) on Sunday February 15, 2004 @10:30AM (#8285319) Journal
    Ignorance rarely is a valid defence in the eyes of the law. If you're speeding at 70mph in an area where the speed limit is 50 mph then you not knowing that you were above the speed limit is not a valid defence.

    Similarly, if you hold a barbeque and your kids sneak off with some beers, get drunk and do something stupid then you're still liable for any laws that you may have unknowingly broken (providing alcohol to a minor, etc).

    Just because you didn't know you were breaking the law that doesn't excuse you from any possible punishment. Look at what happened to the grandfather who got hit with a hammer by RIAA because his grandkids used his PC to download copyrighted material over P2P networks without his knowledge. He had no clue what the kids were up to but he was still held liable for their actions.

    If your theoretical "cookingrecipes.zip" defence was held up in court I'd be surprised. It would be carte blanche for copyright infringers, paedophiles and anyone else intent on evading the law to disguise their activity by giving the files they were swapping innocent file names and then claiming that they "didn't know" what the files really contained.
  • Law enforcement (Score:2, Insightful)

    by panxerox ( 575545 ) * on Sunday February 15, 2004 @10:38AM (#8285360)
    the main functions of law enforcement are revenge and the instillment of fear rather than prevention. they seem to be performing their function quite well.
  • by krumms ( 613921 ) on Sunday February 15, 2004 @10:43AM (#8285383) Journal
    Duh. Corporate America and the US Government are business partners.

    The more money you have, the more of an American you really are in the eyes of the government.
  • by martinX ( 672498 ) on Sunday February 15, 2004 @10:45AM (#8285387)

    Look at what happened to the grandfather who got hit with a hammer by RIAA because his grandkids used his PC to download copyrighted material over P2P networks without his knowledge. He had no clue what the kids were up to but he was still held liable for their actions.

    And so you think it's right? Given the many many ways of disguising the true nature of files, images, URLs etc before they are downloaded, how can anyone in their right mind think that any computer user who had no intention to break the law could be held liable for grabbing something they didn't know was illegal to have.

    Your analogies are bad analogies. Find some new ones.

  • by no longer myself ( 741142 ) on Sunday February 15, 2004 @10:51AM (#8285419)
    I'm pretty sure from the posting pattern here on Slashdot that Microsoft has moles posting and trolling (and you guys know who you are), but for the life of me, I can't recall any law (IANAL) that prohibits the downloading of a "leaked file". Oh sure, we all know that possession of certain kinds of pornography and other files can get you into nasty trouble, but really... If that were the case, then why didn't the FBI start investigating IBM when SCO started belly-aching?

    On the flip side, I've already given up on Microsoft, and want nothing further to do with them or their products, so somebody leaking their code is almost a bad joke to me at this point. The most likely conspiracy to come out of this is that the next version of the Linux kernel will have a cloud of accusations that it derived some of its functionality from Windows 2000 source. (Oh please...)

    I guess the ugly part is dealing with the feds out there who are intent on taking names and kicking ass... After all, it's a national emergency! Microsoft's code has been leaked!

    Feh.

    Many of us have woken up to the fact that you don't need Windows to accomplish your goals on a computer. While the rest of us are trying to actually get something done with our computers (instead of updating them every 15 minutes), Microsoft is suddenly crying out "Thieves!". Just how does MS come up with these horribly written plot devices?

  • by grouse ( 89280 ) on Sunday February 15, 2004 @10:53AM (#8285436)
    Here's what Microsoft's press release [microsoft.com] on the inadvertent release says:
    [I]nvestigation has shown this was not the result of any breach of Microsoft's corporate network or internal security, nor is it related to Microsoft's Shared Source Initiative or its Government Security Program...

    Interesting. From this, one must conclude that either (a) Microsoft legitimately releases the code to others outside these two programs, but we don't know about it; (b) Microsoft has absolutely no idea how the source was released but is lying through its teeth claiming there was no security breach nor an unauthorized release from its shared source programs; (c) Microsoft leaked the code itself for nefarious purposes (e.g. destroying ReactOS).

    We report, you decide.

  • by Baron_Yam ( 643147 ) on Sunday February 15, 2004 @10:54AM (#8285439)

    You're quite right - but there is a difference...

    Let's use the home metaphor - you live in a house in a neighbourhood built by "MS Homes". They are nice, comfortable homes, but the security system involves closing your front door with a plastic latch. Because the latch doesn't LOOK like plastic, everyone feels secure. Burglars, however, suspect there is an easy way in to the homes.

    Now, if none of the good guys examine the security and say, "Hey, maybe these latches should be steel", then eventually a bad guy will figure it out and your home is open for business.

    In such an event, if a good guy opened *a* front door on a *single* MS home, then posted a note in the local newspaper that maybe latches should be upgraded, I'd sleep with a shotgun until my latch was replaced. In the end, I'd have a safer home and know it. Without the good guy, I don't have a safe home, AND I'm unaware until a break in.

  • by nurb432 ( 527695 ) on Sunday February 15, 2004 @11:08AM (#8285534) Homepage Journal
    The same 'tools' can be used for legit purposes, like if you are the security admin of a company..

    It's your JOB to make sure that you aren't vulnerable..

    But, you have to convince the jury of that....

  • by mgt ( 138275 ) on Sunday February 15, 2004 @11:11AM (#8285550)
    True, but it was not developed as closed source and then made public over one night. Because that would not have been very smart, right...

  • by nurb432 ( 527695 ) on Sunday February 15, 2004 @11:14AM (#8285568) Homepage Journal
    All you need is a jury, and explain you were doing something LEGAL, that turned out to be illegal due to the actions out of your control.

    ( this is assuming her recipes were not restricted from re-distribution of course ).

    It would be the same case if you went to a legit store ( like a pawn shop or antique store )..
    and bought an item in good faith that anyone would assume was legally theirs to sell...that later turned out to be stolen ..

    Sure, they take away the object, but you don't get arrested...

    This isn't a matter of 'ignorance' of the law, it's a matter of intent beyond your control.

    That said, if you *kept* said mislabeled file, then of course it's minor to prove intent...
  • by Anonymous Coward on Sunday February 15, 2004 @11:14AM (#8285569)
    Shouldn't we adjust that "financial loss" number by subtracting out the $$$ made by selling people like me computers with Windows on them? Often without a choice? Only to have me reformat the drive and install Linux? Someone else gets Windows without paying, that should be balanced by me paying for Windows and not using it. It's like them rooting through my trash cans before the truck picks them up .
  • by __past__ ( 542467 ) on Sunday February 15, 2004 @11:15AM (#8285579)
    But the source for Linux is available both for attackers and for white hats to find and fix bugs. If anyone would find a security problem in the leaked Windows code, they cannot simply send a patch to Microsoft - they would admit to have illegally obtained the code doing so.

    Open Source code is available for everyone. Only criminals can use the Windows code.

  • by Anonymous Coward on Sunday February 15, 2004 @11:37AM (#8285707)
    Can we get the FBI to pin down GPL violations too, now ?

    Toon Moene.
  • by Anonymous Coward on Sunday February 15, 2004 @11:42AM (#8285747)
    There's nothing wrong with goto. You're just too influenced by Dijkstra's flamebait. Use it sometime... it's quite refreshing.
  • by Thomas Shaddack ( 709926 ) on Sunday February 15, 2004 @11:47AM (#8285781)
    The worse for Microsoft, the better for the world.

    The more problems MS installations have, the higher the pressure for migrating away. The more systems migrated away, the higher heterogeneity of the Net ecosystem, the higher overall resistance to platform-specific threats - and the higher pressure for compatible, standardized data-exchange formats; proprietary ones could then become a disadvantage instead of a lock-in advantage.

    The computer world needs to be pushed into different dynamic-equilibrium mode. The sooner, the better.

  • by Henry V .009 ( 518000 ) on Sunday February 15, 2004 @12:00PM (#8285857) Journal
    True. And if you redefine copyright infringement as "theft," I suppose a downloader would be liable for "misappropriation damages" under the Uniform Trade Secret Act. But damages could only appear if the downloader were to do something commercial with the code (or possibly put it up for upload). So I don't think that the trade secret angle matters that much here.
  • by badriram ( 699489 ) on Sunday February 15, 2004 @12:04PM (#8285878)
    In this scenario, it is not ignorance of the law we are dealing with. We are dealing with not knowing what you are downloading. If you sign official documents, you would notice a line that says, to the best of my knowledge and belief, they are true, correct
    So when you did download a file that was named as something else you cannot be held responsible. On the other hand if you hold on to the file after you realize that it is the windows source you will be in trouble.
    Think about it as a virus.... If you accidentally clicked on a virus, you are not going to get into any trouble. If it was intentional you will.
  • by thales ( 32660 ) on Sunday February 15, 2004 @12:31PM (#8286127) Homepage Journal
    The Piracy of Windows hurts Linux more than Microsoft because most of the piracy occurs in areas where the majority of the people can't afford the high cost of a Windows OS. If it were impossible to pirate a copy of MS Windows, then most of these people would be using more affordable Linux distros, rather than buying Windows and Windows software.
  • by Epistax ( 544591 ) <<moc.liamg> <ta> <xatsipe>> on Sunday February 15, 2004 @12:39PM (#8286187) Journal
    In any case, Microsoft's code allows the company to keep its near-monopoly on computer operating systems, for the same reason Coca-Cola guards its secret formula.

    Water, high fructose corn syrup and/or sucrose, caramel color, phosphoric acid, natural flavors, caffeine.

    Uh uh the fuzz is after me.
  • by phritz ( 623753 ) on Sunday February 15, 2004 @12:56PM (#8286338)
    As has been pointed out, you are not anonymous when you use bitTorrent. If you're stupid enough to download from the links in the parent, there's a very good chance that someone at microsoft or even the FBI will be logging your IP address. Don't be stupid - ignore the parent.
  • Re:Blueprints? (Score:3, Insightful)

    by timotten ( 5411 ) on Sunday February 15, 2004 @01:13PM (#8286519) Homepage
    Nope. A blueprint is a plan. A house is an implementation of the plan. Likewise source code is an _implementation_ of a plan - not a plan.

    These things are relative:

    1) flow chart:source code :: blueprint:house
    2) source code:machine code :: blueprint:house
    3) machine code:execution :: blueprint:house

    4) building requirements spec:blueprint :: blueprint:house
    5) blueprint:house :: blueprint:house
    6) house:daily life :: blueprint:house /* a bit tenuous */

    What I find neat is that the relation is transitive, i.e.

    1+2) flow chart:machine code :: blueprint:house
    1+2+3) flow chart:execution :: blueprint:house
    2+3) source code:execution :: blueprint:house
    4+5) building requirements spec:house :: blueprint:house
  • Re:Scapegoat (Score:3, Insightful)

    by mattyp ( 720004 ) on Sunday February 15, 2004 @01:15PM (#8286540)
    you guys have it all wrong: IMHO, microsoft posted the code themselves. they are planning ahead, so they can be like SCO, and accuse linux of incorporating their IP in the future... the problem is, they had to leak it first... notice they released only old versions.

    Why did they take the risk? Because it's not a risk. It turns out they've learned the lessons from opensource, and now they embrace it, though in a familiar embrace, extend and smother way.

  • by One Louder ( 595430 ) on Sunday February 15, 2004 @01:23PM (#8286611)
    If they were trying to make Linux look bad, then it probably would have been a good idea to remove all those bogus .eml files that indicate the server was infected by Nimda. Wherever these files came from, clearly security wasn't a very high priority.
  • by axxackall ( 579006 ) on Sunday February 15, 2004 @02:24PM (#8287209) Homepage Journal
    Oh, that's easy: have your friend in Russia to give you stunnel address and enjoy how FBI is weak attempting to figure out anything about IP address in Russia. Or China. Well, actually in many countries.

    I said it before and I'll say it again: the globalization MUST be improved. If they want investigations across the borders - they have to remove the borders. That include the freedom to trade across the borders, the freedom to hire across the borders, the freedom to ELECT across the borders, the freedom to immigrate across the borders.

    You don't wanna give that freedom to people? Enjoy your useless attempts to sue DVD hackers in Norway and find IP addresses in Russia.

    Remember: there is no such thing as "half of globalization". It either exists giving equal opportunities and freedoms to everyone, or it doesn't exist at all.

  • by Anonymous Coward on Sunday February 15, 2004 @02:37PM (#8287315)
    If this thing really is "all over p2p networks" as the media claims, then it's surpassed critical mass, and it's out in the wild forever. Sooo... do you really think they're tracking everyone who downloads it at this point? Don't you think they're more interested in finding out how it was leaked in the first place?
  • Windows AQ (Score:2, Insightful)

    by nerdin ( 1330 ) on Sunday February 15, 2004 @02:53PM (#8287447)
    Whoever leaked the original code now is irrelevant, the consequences are far bigger than just the leakage itself. FBI and every law enforcement or intelligence agency around the world should be *very* concerned about who is downloading _now_.
    Why?
    Let's be prepared now for Windows AQ (Al Qaeda), right from Redmond and a terrorist near you. Given enough code, spies, terrorists or even corporations (or that jealous cousin you know), can remake core components in Windows and redistribute in order to sniff, crack or destroy whatever they want in Windows computers. This is a far bigger menace than many so touted terror threats.
    How will you differentiate a legitimate Windows version from a cracked one, pressed in legitimate looking CDs? No way.
    Also, component substitution can come in any product that simply substitutes critical Windows files. It will perform the normal functions with whichever 'bonus' the cracker wants.
    On the other side, on FS, diff is your friend if you're really paranoid about what's running on your computer.
  • Re:Simple question (Score:2, Insightful)

    by CaptainAx ( 606247 ) on Sunday February 15, 2004 @03:06PM (#8287541)
    It doesn't matter how much work it is. If they trace the source of the leak to someone using this type of service, they will expend a vast amount of energy and money to find it. It doesn't matter how many tunnels, BNCs, VPNs, proxies or PGP encrypted sessions they need to get through, the FBI with the backing of Microsoft *will* find the perp. They have 52.78 billion in cash.
  • by nberardi ( 199555 ) * on Sunday February 15, 2004 @03:15PM (#8287608) Homepage
    Just a reminder to anybody out there that is doing any kind of development for anything, don't even look at the code because if you do and you are caught, any of your work from this point on can be considered property of Microsoft. If you don't think this would happen look at IBM and SCO. And I doubt any of you have enough money to take on Microsoft, even the DOJ failed, so what chance do you have.
  • by iceburglar ( 443189 ) on Sunday February 15, 2004 @04:50PM (#8288315)
    Ignorance can be used as a defense in certain cases, such as the case the OP mentioned. You cannot claim ignorance of something that is considered common knowledge (like speed limits, where a "reasonable person" would be expected to check for signs before traveling at an excessive rate of speed). To go back to the OP's case, if his girlfriend downloaded a file from a cooking site named "cookingrecipes.zip" and it contained illegal data, her argument of ignorance would stand up in court (other things like her level of expertise with computers, which could be demonstrated by her education level, e.g. she has a culinary arts degree, rather than a CS degree). However, if she downloaded said file from Lotso-warez.ru, the ignorance thing probably would not work. This whole thing is MOOT however, since they don't care if your argument will stand up in court or not, they just care whether or not you can afford to defend yourself. See DirecTV [directvdefense.org] and the RIAA [stopriaalawsuits.com] extorting their customers to pay thousands or else be sued.
  • by Aslan72 ( 647654 ) <psjuvin@i l s t u . e du> on Sunday February 15, 2004 @05:52PM (#8288737)
    I hope this doesn't sound too conspiracy-theory oriented, but I find it interesting the amount of pull MS has in our society now. We're talking about a product that, for all purposes, is still a product and yet the verbiage that I've seen on it makes it sound like someone just gave out a key national secret.

    Granted, we have so much riding on Windows that it being compromised is akin to losing a national secret, but who is to blame here? If we lean so much on MS's code being secure, why are people storing data on there that could be a problem if the system was hacked?

    --pete

  • by AnalogDiehard ( 199128 ) on Sunday February 15, 2004 @09:55PM (#8290163)
    why it takes less than six days for M$ to be hot-n-heavy on the trail of the source of the leak while it takes M$ six months [slashdot.org] to patch a serious security vulnerability in their source code?
  • by Anonymous Coward on Sunday February 15, 2004 @11:36PM (#8290759)
    As I recall reading recently, Microsoft has already released all its source to various universities, corporations, and developers with special agreements, for those os's. Correct me if I am wrong.

    In which case, in typical Bill Gates style, he would be attempting to put kids in jail for distributing source code they probably copied from their university, all the while soaking the media attention by making it appear to be something other than what it is.

    Let's reiterate that. Bill Gates would be trying to throw people in jail, most likely kids, destroying their lives, for code he's already released to many people outside of Microsoft.

"I've seen it. It's rubbish." -- Marvin the Paranoid Android
