Microsoft Warning Leaked Code Traders 833
An anonymous reader writes "Broadand Reports notes that Microsoft is now sending snail mail warnings to downloaders of the leaked source code. They're also apparently working in conjunction with several un-named peer to peer vendors to send out legal warnings to any users who search for the leaked code. The notice on Microsoft's website has been updated to reflect the new warnings."
Don't mess with MS (Score:3, Insightful)
I will never download the source code and you should better not try too. Anyway what's the point in seeing/having it?
I think people don't really understand what having windows 2000 SP1 source code spreading on internet really means. That's quite important and even if it's only part of the source code it's already enough for the first exploits to appear.
The author was kind enough to tell us about the first one [slashdot.org], but I bet many others did find bugs and didn't report them because they are working on viruses and attacks using them.
Let's see what happens in the coming months. I'm already working on the switch from Windows 2003 Server to Linux in my company for this exact reason.
kazaa, bittorrent, emule/edonkey? (Score:5, Insightful)
the latter seem to traffic especially in things like leaked source RARs, and since most of the central servers are overseas and operated independently (and 'overnet' seems truly peer to peer with no central servers), it would be tough to crack down on them, besides having a bunch of fake clients that harvest IPs. anyone know if they do this?
(i imagine the same concept would apply for bittorrent [bitconjurer.org] downloaders -- except BT relies on central tracking servers which would be comparatively easy to shut down.)
seems like a natural, uh, application, for the freenet project
ah well. it's kinda scary that even the largest/richest software co in the world can't stop the spread of their IP, and that it takes only one person.
-fren
silly question (Score:5, Insightful)
is that you big bro?
Nothing like security through lawyers. (Score:5, Insightful)
Freenet (Score:3, Insightful)
Re:Don't mess with MS (Score:5, Insightful)
I have the power to track people through P2P, too. I've found people in my apartment complex on the networks. I've even met a few friends that way. Too bad that doesn't mean that I'm a multi-billion dollar company.
Please note, it is absurdly easy to track people on the networks. It is not indicative MS power, or their legal muscle.
As for seeing & having it, one major point is that you CAN. What was once taboo is now freely available (sorta), and people are reveling in like. To draw a completely inaccurate parallel, it's like the sexual revolution of the 70s/80s in the US.
Otherwise, I agree with your post.
Bad Reasoning (Score:4, Insightful)
Switching off of Windows sounds great to me, as I really dislike using it, but your reasoning sounds a bit flawed. If it's because the software's buggy and prone to exploitation, great. But if it's just because some code got leaked.. and OSS software generally has all the code available all the time.. then your reasoning sounds a little flawed.
Any software will have flaws. It's inevitable. Knee jerk reactions too those flaws generally aren't a good idea though.
per requirement to muddy the waters, spread FUD (Score:2, Insightful)
Got that one half right:
1) yup it's copyrighted and you can't have the code.
(so far so good)
2) there are no legal protections for "trade secrets" --- it means nothing that the "trade secrets" were leaked other than it's a violation of 1)
Re:Don't mess with MS (Score:3, Insightful)
A warning which is also a record (Score:3, Insightful)
Re:Freenet (Score:5, Insightful)
And Slashdotters STILL don't understand why so many people and companies perceive that most traffic on P2P networks involves either porn, infringed music/movies/software.
Suggestions like in the parent post do no favors for establishing legitimacy for P2P netowrks.
Re:kazaa, bittorrent, emule/edonkey? (Score:2, Insightful)
Which is what they seem to have done. I got it off of torrent, but now all the links seem dead.
It's interesting.. they were playing it down so much when it was announced, but then I guess reality struck. "Professional" analysts were saying it would have no impact on security, and less than a week later already an exploit was released based on the source. Albeit a pretty worthless exploit (IE5), but still. The point is.. if you read through the source, you'll see how much stuff was ripped from much earlier stuff (NT, IE3, etc).. so it's safe to assume that much of XP is based on that source. Much of their programming/security methodologies remain unchanged I'm sure.
Re:Don't mess with MS (Score:2, Insightful)
It took leaked source code to make you switch? Man, hackers and spammers have been taking advantage of exploits in Winndows for years without the source code! If that wasn't enough to convince you, why switch now?
Re:Public patches? (Score:2, Insightful)
On top of that, most 'pa-and-ma' users will not find such patch - come on, they can't even find the official updates!
Re:I'm skeptical (Score:3, Insightful)
If someone hacked JK Rowlings computer, and leaked the "source" for the next Harry Potter book, would it be OK to donwload and read it?
It's their copyrighted work. It's at least as illegal to download the Windows source as it is to download copyrighted films or music w/o permission.
Too little too late... (Score:5, Insightful)
There are hundreds and hundreds of sources in emule, and thousands have been downloading (5k requests the last 5 days). Not to mention irc, ftps, kazaa , winmx and the other stuff.
As an educated guess i would say that at least 50-100.000 people have the source currently on their harddisc.
Whoever wants it now has it....
Stop trading MS codes (Score:5, Insightful)
Re:kazaa, bittorrent, emule/edonkey? (Score:3, Insightful)
You can break the law if it's disobedience against Microsoft, RIAA labels, Disney or any other mean big business.
But you can't break the law when it comes to GPL code.
Mod it flamebait, whatever, but look at the trends of moderations here anyways.
patches via email (Score:2, Insightful)
law (Score:5, Insightful)
If peoples' ability to disseminate information serves as a message to corporations that their attempts to turn the US into a police state won't work, then I can live with that.
Past security comparisons between Linux and Window (Score:5, Insightful)
But these security exposures have all been in an environment where Linux source was generally available for inspection, and Windows source wasn't. A corollary of this is that most of the Linux exposures have been proactively reported, prior to being exploited. With Windows that's not so clear.
In the future, there's not reason to expect Linux security exposures to change significantly, except through becoming a bigger target because of increased usage. But the fundamentals of bugs, bug reporting, bug fixing, and security haven't changed.
The future story for Windows is different now, because some source has become available. *Maybe* some people will begin proactive security work on the source, and *maybe* Microsoft will roll that work into fixes. But for certain, others wearing differnt color hats will be examining that code for security exposures, too.
Re:kazaa, bittorrent, emule/edonkey? (Score:1, Insightful)
Re:Stop trading MS codes (Score:5, Insightful)
Don't go to their level. Be better.
Re:kazaa, bittorrent, emule/edonkey? (Score:5, Insightful)
It's rather unfortunate that people like yourself base your morals on what papa gub'ment tells you they should be.
Re:Bad Reasoning (Score:5, Insightful)
Of course there are flaws in OSS too, but there's a much greater chance the good guys will find them first.
Re:Don't mess with MS (Score:1, Insightful)
a second show of hands from every programmer who has added a comment line, easter egg or meaningless fragment of code to his work as a digital fingerprint, much like the bogus entries you'll find in any telephone book
Re:I'm skeptical (Score:5, Insightful)
Re:Don't mess with MS (Score:5, Insightful)
Isn't it interesting that after a few days of access to the source code, exploits are appearing for obvious bugs; yet MS have had the source code available to themselves for years but still managed to neither find nor fix these same obvious problems.
Note also that in the past, lack of access to the source hasn't prevented the *ahem* occasional exploit being developed anyway.
Re:kazaa, bittorrent, emule/edonkey? (Score:3, Insightful)
-
Re:kazaa, bittorrent, emule/edonkey? (Score:5, Insightful)
Odd that, that on a community website, people don't have a problem with attacking those known to be actively hostile to the general public, yet they seem to stick up for projects which consist of lots of normal people giving their time freely for the benefit of society.
You'd have thought that we should teach people to believe whatever the lawmakers tell them to think. After all, if something is illegal, it must be immoral.
Stomp out IP (Score:5, Insightful)
Re:Traders or Traitors? (Score:5, Insightful)
Re:kazaa, bittorrent, emule/edonkey? (Score:2, Insightful)
And it's unfortunate that people like yourself try to equate petty crime like copyright infringement to some kind of noble civil rights struggle. Some of you will do anything to justify not wanting to pay for the software you use.
Re:silly question (Score:2, Insightful)
The IP addresses of those sharing the code may be available from the server, but isn't the download conducted peer to peer? If so, it's sharing the code that would be dangerous, not searching for it or downloading it.
Re:Freenet (Score:3, Insightful)
I understand perfectly well why that pereception exists. It's because is true. Not all, but most traffic on P2P networks does involve what you listed. Most money in the US has traces of cocaine in it. The implication being that most money has been used in the (highly illegal) drug trade. Does that do any favours for the legitimacy of money? Personally, I didn't realize we were trying to make KaZaa OK with Grandma and Grandpa. In 1995, I couldn't care less if people wanted to think the "interweb" was filled with nothing but kiddie porn (which was a popular perception at the time). I feel the same for P2P today. Let people demonize it all they want, it's still not going away.
When people advocate something like Freenet, and you shoot it down because it "illegitimizes P2P", you're missing the point. What's illegal in one country (criticizing the government) isn't necessarily illegal in another. Or hell, even wrong. Maybe someone out there thinks source code shouldn't be protected by law. Maybe in some countries it ISN'T. The point of Freenet is to allow that someone to post it, free of persecution. You can't advocate free speech based on "well, this part of speech is wrong".
Microsoft still insists... (Score:3, Insightful)
They are also still toeing the line that it was code from NT and 2000. Conveniently omitting XP and Server 2003 from the list. Aren't those OSes built on the same codebase? Isn'y it possible that they are also potentially affected? Wouldn't want to scare people with our latest OSes, now would we? And for those that haven't upgraded (most businesses?), upgrading now looks safer than not.
Also of note in the release is that not just IE 5.5 and older are succeptable to the expoloit that was released, but non-SP1 IE6 as well.
Re:kazaa, bittorrent, emule/edonkey? (Score:5, Insightful)
You can break the law if it's disobedience against Microsoft, RIAA labels, Disney or any other mean big business.
Thanks to precisely the "big business" you refer to, the idea of "do it because the law says so" has lost any meaning. Once upon a time, people respected the law, and usually obeyed it. They respected police, and thanked them for doing a hard job and protecting the community.
Now, people look at the law as a neverending set of snares that can catch even the most "upright" among us, for things that no one in their right mind considers an actual crime; at the same time, big business routinely engages in activities that even the most "ethically challenege" among us considers an abominable abuse of people and "the system", without committing the least misdemeanor. People consider police mere thugs, officially carrying out the whims of our megalomaniacal AG, and unofficially engaging in far more nefarious activity (rape, torture, extortion, "abuse of position", etc), which their "Policeman's Bill of Rights" makes exceedingly difficult to catch them at, let alone punish them for.
Possession of a joint will get you a heavier sentence than DUI, yet the government responds by requiring breathalizers in new cars.
Downloading a song worth less than $5 leads to a $150,000 fine (payable via bankruptcy or a "mere" $3k extortion rackett that even several of our corrupt state SCs have called fradulently misleading, since it doesn't prevent later suit by the actual copyright holders).
I could go on, but I don't want to start ranting, and those two seem the most relevant to recent Slashdot posts.
Basically, society no longer cares what the "law" says, because more and more people realize that the "law" says whatever the Honorable Senator from Disney wants it to say. Using it to defend your position compares well to using a pool of sewage runoff to take a bath in - You don't actually accomplish your goal, and you come out smelling like shit.
Re:Reading copyrighted at Barnes and Noble - ILLEG (Score:1, Insightful)
Re:kazaa, bittorrent, emule/edonkey? (Score:5, Insightful)
from http://www.gnu.org/philosophy/why-free.html
Good news (Score:3, Insightful)
Theres a great deal of ill feeling towards Microsoft, thanks to their annoying crashing OS, and anyone threatened with a lawsuit will be actually determined to send out the source code anonymously.
What I'm extremely interested in, is if someone has successfully compiled the code and tested it. I'm interested in knowing what parts of windows the code is from. Hopefully we get the kernel + binary execution segments so WINE is developed as well as SAMBA. I think as soon as we can run win32 binaries properly on Linux, along with at least directx8, linux will be a MUCH bigger competitor of both Microsoft and Apple.
Yadda yadda yadda (Score:5, Insightful)
I don't have their code, nor do I want it. But I realize that even if every single Linux user/GPL supporter refused to look at it or download it, it would still spread like wildfire. People download stuff like this just to say that they have it. I have a friend who is somewhat of a "collector" of things like this. He has no programming background whatsoever, he just wants to say that he has it. (ironically, he is actually in school getting a law degree with a concentration in Intellectual Property)
The cat-genie is out of the bag-bottle.
Re:kazaa, bittorrent, emule/edonkey? (Score:3, Insightful)
You can break the law if it's disobedience against Microsoft, RIAA labels, Disney or any other mean big business
Don't forget marijuana-related "crimes."
"You can break the law as long as you honestly believe that it is wrong." -Gandhi
Makes you think... (Score:5, Insightful)
Now heres the thought-provoking question of the day:
If the leak was not caused by a network security breach, a physical security breach, a troubled-employee, or it's code sharing initiatives; how the hell was the code leaked? They said it wasnt network security, and it wasnt internal security (which takes away a physical security breach or a troubled employee), and it wasnt't its code sharing initiatives... Makes you wonder... how the hell did the code get out?
Answer this and get a cookie.
Re:Don't mess with MS (Score:1, Insightful)
Re:Someone got kicked off their ISP... (Score:3, Insightful)
Re:Don't mess with MS (Score:5, Insightful)
Just maybe there is a difference between an open development process, like OpenBSD, where incremental changes are examined before becoming part of the production code and dumping on the web hundreds of meg of source of a finished product which has an installed base of millions. Open source OS's get security from having many people looking at code submissions and the opportunity to find and fix dangerous bugs before they are exploited. Making a bunch of Windows source code available on the net does neither of these things.
Civil Disobedience (Score:2, Insightful)
But you can only call it "Civil Disobedience" if you're willing to face the consequences of your act (and not try to weasel out of it).
Re:kazaa, bittorrent, emule/edonkey? (Score:5, Insightful)
I can't believe that Microsoft is actually threatening to "send out legal warnings to any users who search for the leaked code." Even SEARCHING for it? Please bite me.
According to Jigle, over 1,600 people are currently sharing the source on the edonkey network, which is quite a lot when compared to the average file (including pr0n vids).
--
Re:Can't take it back (Score:1, Insightful)
but sure, i'd give you a funny mod anyway....
weaseling (Score:3, Insightful)
Point #1: I don't think anybody in this thread has weighed in on whether facing consequences is or is not part of their plan.
Point #2: If someone chooses to break the law in an effort to cause change, what authority defines what "weaseling out of the consequences" is and its bearing on whether the term civil disobedience applies? Would Rosa Parks have been weaseling out if she'd accepted legal representation from a better attorney? Websters says that "civil disobedience" is:
I didn't notice anything in there regarding facing consequences or weaseling out. I wonder if the dictionary people are up to date.Point #3: What does it matter whether an illegal action gets to be called civil disobedience as long as the action has the desired effect?
If it will make anyone happy, then by all means people can invent a new term that categorically denotes breaking the law with the ultimate intent to increase freedom but with the specific proviso that the lawbreaker does not intend to face consequences. Then those same people can get busy debating just exactly what shall be deemed "facing consequences". Be sure to let us all know how it comes out, we'll be on the edges of our bus seats.
Re:Stop trading MS codes (Score:1, Insightful)
I don't see any reason to support a crappy system of copyright, instead of a good one.
You "insightful" folks realize there's a big difference between the GPL and the MS EULA's, right????
MS EULA -- requires the FBI to enforce
GPL - requires Ebon Mogwhatever from the FSF to send an email to a company, maybe 2-3 over a few months, and the issue gets resolved.
I don't get these "moral high" ground comments. I don't like MS copyrights, I like GPL copyrights, that's about all there is to it. MS copyrights take too much effort to enforce.. laws that are broken by millions of people every day are not good laws.
Note to microsoft and FBI: I have no interest in the MS source code, heck I'm on dialup!.. please don't put me in Gitmo for my comments, I love america, just want to see copyright returned to the founding father's original vision.
Re:Best threat of all (Score:4, Insightful)
You know, the entire non open source software world has access to the full source code of all GPL software and they do not seem to worried about being tainted by it. Just because the source is there does not mean you have to copy from it and the fact that you have it does not make you automatically guilty that either.
Re:Don't mess with MS (Score:3, Insightful)
All of the exploits that have been appearing out of the source code leak had all been fixed prior to the leak. At least all of the ones that I have heard about. This includes the one that was posted here on
I know I've seen plenty of obvious open source exploits that had been around for years too. So don't give me that crap about open source projects being imunne to stupid errors.
The fact of the matter is that these are very large projects. No one is going to argue that windows isn't a large project. And with any large project there are ALWAYS going to be bugs. It is inherent in software engineering.
Re:I'm skeptical (Score:5, Insightful)
This is roughly the same as picking up a set of photocopies you see sitting on the curb. Copywritten or not, you haven't done anything wrong by picking them up, as you didn't violate the author's copyright.
The person who made the copies is violating the copyright (originally two words, godamnit!) not the person who picked them up.
This is one of the issues with the RIAA going after Recipients, rather than Source.
If I buy stolen goods at a garage sale, and the cops find me, they take them away and give them back to the owners. They arrest the thief, not the poor sucker who bought the goods.
I'll at least give Redmond credit for issuing warnings rather than subpoenas. Though "Searching for phrase != downloading files I shouldn't have access to."
Re:kazaa, bittorrent, emule/edonkey? (Score:5, Insightful)
Yes, you're on SLASHDOT. When you're HERE, you may notice that people support Linux and the Mac (thanks to OS X) and don't really like MS. That's OUR culture.
Over on the Microsoft-Zealot boards, you'd notice that they support Microsoft's law-breaking as "smart business", while they attack the GPL as communist, a cancer, etc. Don't try to convince us to "play nice" with the people who are trying to kill us, please. Because *they're* not going to play nice, and any "sympathy for the devil" we adopt will end up with us dead.
Microsoft is Big Brother (Score:5, Insightful)
Re:kazaa, bittorrent, emule/edonkey? (Score:5, Insightful)
The civil rights movement was about protest, peaceably, against laws that were widely seen as unjust. So is this. If you feel a law is wrong, disobey it -- as long as no one else actually gets harmed -- and be prepared to suffer the consequences, but make sure that your experiences get widely publicized as examples of how laws are used to justify things that morally seem wrong.
Change takes time (a lot happened during the civil rights movement) and a lot of people went to jail for what they did, but in the end, the protests worked. Just because the issues aren't as, er, black and white (pun semi-intended!) doesn't mean some level of comparison isn't valid.
If no one protests when bad laws are passed, then not only will those bad laws stay on the books but even more bad laws will be passed in the future since it can be 'gotten away with' by those who want to push said laws through.
Re:I'm skeptical (Score:3, Insightful)
Before five million slashbots jump in here, I'll point out that the above is clearly untrue: there are enormous legal differences between infringing copyright and theft, and the judges haven't, don't and probably won't say they are the same. Ethically, it's an entirely different question, of course; I'm surprised none of the big media groups has yet started campaigning to make knowingly viewing illegally copied material an offence.
Here's one way MS could find P2P users (Score:5, Insightful)
Copy down the IP address of anyone who starts a multi-source download
Kill the download
Whois lookup
Letter to the ISP.
Of course if they're distributing it in that manner so that the hash codes match, does that qualify as them legally giving it away?
So has it made it onto Usenet yet?
Re:Don't mess with MS (Score:2, Insightful)
Traceroute is your friend. Port scanning is your friend. Social Engineering will make you a new best friend at the ISP central office.
And in general, knowing the topography of the network you are on is a good idea.
Trust me on this
Re:Traders or Traitors? (Score:5, Insightful)
Remember a while back when it came out that a group of hackers had compromised MS's internal network and had access to it for over a month. At the time they admitted it they denied that the group obtained access to the source code. Of course they would deny it regardless of the truth or whether or not they knew. Basic damage control.
So say in the interest of avoiding getting too much attention directed at them, perhaps they waited until now to release what they found.
Just a thought, but it seems as reasonable as their assertions.
Re:Bad Reasoning (Score:4, Insightful)
The vital difference, at least in theory, is that FLOSS developers are operating under the assumption that any would-be attacker can see the source, so they have to make damn sure it's secure. Microsoft developers, on the other hand, have been relying for years on security through obscurity, and have therefore been less careful.
This is obviously not going to be true in every case. BIND's developers, for example, are evidently entirely unaware that the source code is being distributed freely, or else they're relying on security-through-ugly-kludginess. Contrariwise, I'm sure that there are plenty of developers at Microsoft who care very much about security, but their managers see that sales are good despite the bugginess of the code, so they allocate their developers' time to new features instead of bugfixes.
The fact that Microsoft or any software company thinks it's a disaster to have the source leaked is, however, a cardinal sign of poor engineering. They should be pissed, perhaps, but not terrified.
So lemme get this straight? (Score:2, Insightful)
So does this mean that if I go into a P2P program and do a search for "Windows 2000 Source", I am seeking to possess the sourcecode?
That would be a pretty big assumption by Microsoft!
The first thing I did when I heard the source had been leaked was to hop on my favorite P2P network and search to see how many people had it. I did _NOT_ download it. If, for whatever reason, I get a letter in the mail from Microsoft ( highly doubt it ), I will be so pissed off. I mean, what would be the next step? If someone does a Google News search for "Leaked Microsoft Source", they're attempting to locate a place to download it?
Re:Bad Reasoning (Score:3, Insightful)
But if it's just because some code got leaked.. and OSS software generally has all the code available all the time.. then your reasoning sounds a little flawed.
At first thought it sounds flawed, but you're ignoring one major factor. The source for Linux has always been open. The source for Windows has always been closed.
Now it is possible that there are security vulnerabilities in Linux which have been there for a long time, but it is unlikely that there are a lot of bad ones.
This doesn't apply to brand new code added to Linux, of course.
If MS were to release their entire codebase for their latest OS today, there would almost certainly be many very serious issues since far fewer people with the appropriate skills have gone through it. Given the severity of the exploits found without the code, this is a reasonable assumption.
Now after a few years this discrepancy would go away, and all other things being equal, there would be about an equal number in each.
Get it?
Re:kazaa, bittorrent, emule/edonkey? (Score:2, Insightful)
No, I don't feel guilty when I exercise my inalienable human rights, even if it does get Microsoft's nose out of joint. They can go screw.
So I should feel guilty if I read some code that I downloaded from the Internet? I didn't pick any locks or hack any computers to steal it. I've done nothing wrong. Microsoft fumbled their trade secret, and now it's out there. They might be able to make a case for copyright infringement, but unless and until I damage them, they've got no real case.
And, in point of fact, I HAVEN'T downloaded the code, because there are few things I'm less interested in than Microsoft's 600 mb of crap.
Re:Traders or Traitors? (Score:3, Insightful)
How exactly do you know that?
Seems like they may be a scapegoat - their CEO says that they didn't do it - thats the same amount of evidence that says that Microsoft didn't do it...
Are we believing the Microsoft Marketing Machine when they say that their security was not breached? I mean, they've never had security issues before have they?
Re:kazaa, bittorrent, emule/edonkey? (Score:5, Insightful)
If you ask me, the fact that the legislators are considering the Orwellian and moronic concept of a car breathalyzer shows that there is no deterrent against drunk driving, but of course, why bother to enforce existing law when you can simply pass new ones?
If the U.S. Constitution were written today, it would be 12000 pages long and be understandable by only three people in the world, two of whom would be driven insane and the other would kill himself out of frustration. It's wonderful that the law of the U.S. could be spelled out simply enough to fit on the back of a cereal box. It's a travesty that U.S. law has become so complex no person could ever understand it all, leave alone be able to obey it all. We are all criminals, and when someone in the government wants to get you, they simply need to figure out what obscure, byzantine law you are ignornantly breaking and proceed to enforce it.
Re:Don't mess with MS (Score:1, Insightful)
MS and RIAA have this power too, they could just hire PI's to do the snarfing....unfortunately, this is illegal without a warrant so the information gathered would be inadmissable to court. It just makes it easier to force the ISPs to give you the info, that way they can multitask while waiting for the courts and ISPs to comply (or not).
Re:kazaa, bittorrent, emule/edonkey? (Score:2, Insightful)
Re:Don't mess with MS (Score:2, Insightful)
IMHO the same with closed source - people doesn't see the source code but they can try to reverse engineer the code and even steal the code - in this case all your security goes down the tubes. Remember Morris worm [worm.net] - Morris discovered buffer overflow bug in UNIX sendmail by reading the closed source he had access in DEC and wrote an exploit.
Such things will happen time to time and you will see how many new viruses for Win2K will appear shortly after this leak.
No sig is a good sig.