Different View Of MS Code Theft
LowneWulf writes: "I found this to be an interesting perspective of the previously-mentioned M$ hack, from this article from MSNBC. State of the art security? Companies held for ransom from stolen code? Notorious multi-million dollar thieves out of Russia? Anyone heard about these? How about how someone who had the ability to create accounts on the network, if the incident only did last a week as the article implied, could only perhaps have a 'brief glimpse of the source code.' I don't know about you, but even on a 2400 baud modem, I think I could probably download more than a glimpse." Among other things, this story hints that MS may have been compromised through an employee's home computer, and quotes Howard Schmidt, Microsoft's corporate security officer, as having ruled out a connection between the recent breaches from ones in September.
Re:At this rate... (Score:1)
Bollocks until proven (Score:5)
Where did the initial allegation (MS hacked) come from?
Is there more than one verifiable source?
What made MS admit to the crack? (They didn't have to - they could have denied it)
The QAZ/Russia stuff? Who is the source? I haven't seen the MS logfiles. How do we know it was a trojan posting "some data" to Russia?
Which journalist/journal is prepared to stand up and say "This happened - I believe it - here is my evidence."?
Question: Why would *anyone* want to steal MS source code? They are happy to *sell* access for a small fee (100k+ last time I asked - which is chump change).
Who could benefit from a source release? (Answer - any *professional* cracker who wants to crack MS run boxes). I'll leave you to work out the consequences of that. But *my* NT/2000 net-facing boxes are running home to Solaris/HP-UX/AIX/OS-400
And, finally: MS admitted it. So, there must be evidence that it happened. Where the fuck is this evidence?
Pissed posting pisses people off. Perhaps people posting pissed should perceive the pseudo-plenipotentiary powers of the powerful people who perform peer-review. Or not.
Re:Source Code Obsession. (Score:1)
LAWSUITS!
It couldn't happen to nicer people.
Re:At this rate... (Score:1)
Re:racism? doubt it... wrong! (Score:1)
I've noticed racism is spawned by ignorance, and if you really think about it, it's plain dumb. They're humans, the difference is *skin color*. Let's be prejudiced against people with brown eyes and black hair while we're at it... Oh wait, Hitler was. Prejudice is so sick.
Re:Obviously the security advisor (Score:1)
Still
This is a point worth contemplating, and a valid one. I don't yet know how to be certain that my system has been secured. (Well, I use a dial-up connection, and I've been installing several distributions from scratch
Caution: Now approaching the (technological) singularity.
It's OK, they didn't steal the source code (Score:1)
Re:racism? doubt it... wrong! (Score:1)
Re:Why do it? (Score:1)
----
Re:Reading Comments Can Be Enlightening (Score:1)
Likely story. Why should I believe you? And even if I did, what are thousands of lines out of millions?
(and most of my co-workers were not white, American, Christian men).
I don't doubt that. It is known that Microsoft imports cheap labor from the Indian sub-continent and South-East Asia. This, in itself, is outrageous. No better than Nike using child labor in its sweatshops and paying low wages. The saddest and most enraging part is that Microsoft is hiring foreigners when there are plenty of African-Americans right here at home who can't get work because of discrimination.
And that's all I gotta say about that.
I am,
Re:Source Code is both singular and plural!!!! (Score:1)
Re:Everything's a virus (Score:1)
How much does anyone trust M$NBC? (Score:1)
I'm a fucking Buddhist. This is enlightenment. - Bjork
If you see this ad, be suspicious... (Score:5)
New Operating System!!!
Winski 2000 by MicroSlav
Operates just like Windows 2000!
Only 20 rubles. Put the money and your email address under the trash can on Ivanoff Street.
Re:IPv4 (Score:1)
---
Re:Its a Government Conspiracy! (Score:1)
But I also doubt if they care much. I don't see it doing them any harm. And we can expect them to take every PR opportunity that presents itself.
Caution: Now approaching the (technological) singularity.
Hacker was just playing the numbers. (Score:5)
Knowing this, it is just a matter of playing the numbers and eventually...BINGO! And of course if you spread out your attack over time, the failures would stay below the "Danger Will Robinson!" threshold. (Any sufficiently large and hated IT firm would have to expect a certain number of "incidents" over time - these wouldn't cause any undue alarm unless the density was high enough or there was a detectable pattern). Good ol' human engineering. You just can't protect against it. All you can hope to do is detect it quick enough and run your business such that you don't "have" too much info which if it got out would drive you under (can anyone say open source?)
What is REALLY interesting is the motive? Why would you do it? To improve WINE/SAMBA/XYZ??? I doubt it. These guys won't be touching any significant new changes with a ten foot pole for a while I bet. The competition? Why? What possible advantage could be worth the risk?
If it's not just some dude who wanted to be the first to "plant the flag", then my money is on the mob. Why not? Just imagine how many buffer overflow bugs someone like Georgi Guninski (check out NTBugTraq) could discover with a good peek at the code. You could then use the knowledge when/where-ever. Alternatively, instead of using this knowledge themselves they may pass on the source to the "highest bidder" which would probably include the usual suspects (Middle Eastern "terrorists" etc).
Just my 5 rubles.
Re:I think people might have this backward... (Score:3)
First the obligatory joke: Isn't that what MS does anyway?
But, in all seriousness, MS does have internal protections in place. Consider this: When I interned there last summer, there were something on the order of 500 interns there. These were virtually all normal college-aged CS geeks -- and not all of them were die-hard Microsoft drones, either. With that many people, in that demographic, for that short of a time period, I'd be willing to bet that if all the Windows source code was open for the viewing, something would've happened already. On the other hand, what was generally accessible on the corporate network were the websites for each of the various projects -- the sort of stuff that'd be best kept secret from a business standpoint, but would have zero interest to the Slashdot crowd.
And as a random aside, even the developer kit for the Barney Actimates doll that MS produces is kept secured from general access, for reasons that should be fairly obvious. (Creating a humorous yet vulgar Barney dialog is left as an exercise to the reader.)
m$nbc (Score:1)
Re:Multimillion Dollar Russian Hackers? (Score:1)
---
In other news... (Score:3)
Obviously the security advisor (Score:4)
The Chief Security Officer is trying to cover his ass. Take what he says with a grain of salt.
Re:Source Code Obsession. (Score:2)
> a glimpse of some of the source code to Office or Windows?
Grab a bunch of old CS textbooks, & do a diff against various parts of the code. And publish the findings. Especially if the textbooks happen to date to the 1960's. (We all know how Microsoft uses modern code -- none of that old crap from the 1970's like UNIX does.)
I still want to know just how many rat's-nests of spaghetti code are nothing more than thousands of man-hours of patches to fix a mistake caused when some coder forgot to include a line he was copying from a textbook at 4:00am.
Bet there's more than a few.
Geoff
Re:Source Code Obsession.NONSENSE (Score:3)
To a hacker or a cracker, source code is worth its weight in gold! You can look for buffer overflows and figure out how to exploit them. You can find hidden API tricks that allow one to gain extra privileges. You can find bugs that defeat security measures. You can find lots of stuff.
If you thought windows was easy to hack before... well, it just got a lot easier!
US Trade Secret law (Score:5)
It is still a "Trade Secret" even if it is stolen, posted on the web, displayed on billboards, whatever. This is OK until you *use it*. Then, you're screwed.
If MS can prove to a court (in the US) that you used their trade secrets, and that you knew that you had acquired their trade secrets illegally (which *well* includes downloading the source from an FTP site), well, then you are so shafted it's unreal. Can you say "Punitive damages"? 'cos that's what you'll be paying.
All MS have to do to protect their trade secrets is to exercise "reasonable care". Now, try and prove they didn't.
FACT: Stolen secrets are still secrets in law. Half-witted sophistry doesn't change that.
The other half of the quote is "Information wants to be expensive" - Don't quote the popular half until you understand the context
Re:IPv4 (Score:2)
---
Of course it does, forget commerce for a second. (Score:5)
If Russian military intelligence got to go over Microsoft's source code with a fine-tooth comb (or anybody- I only say Russian because apparently that IS precisely who's going over the code now), they would be able to conduct information warfare much more effectively, whether or not there are intentional backdoors- if there aren't, all the military spooks would have to do is dig up overflow exploits and the like. They have the code, and lots of people find ways to do this even _without_ the code.
They're not interested in fixing it, selling it, posting it on the net or anything of the sort. Their only concern is being prepared to take all of American military IT _down_ before the missiles are launched. (And again, America doesn't have to be the target- any country with a modern computerised military could be the target.)
The problem with lazy-ass monopolised security through obscurity is just this: now there's no security at all- odds are, some country (possibly not even Russia?) now has what they need to be able to take out any and all Windows-based IT at will. They're not going to be filing bug reports, or _using_ their techniques, unless they are seriously taking action. The only defense against this is to persuade Microsoft to either open their process to outside auditing (for instance, the NSA or the military), or to ask Microsoft to please fix any bugs that might be a weak point in this sort of attack.
*bitter laugh* riiiight.
I want my country's military off Windows, dammit. Now. All that is _compromised_. It's one big trojan horse because of Microsoft's arrogance and belief that they are SO SMART that they don't need to let anyone else into their process.
Re:Reading Comments Can Be Enlightening (Score:2)
. At Redmond alone, we have the African American employee group, the Attention Deficit Disorder group, the Chinese employee group, the Deaf and Hard of Hearing group, the Filipino group, the Gay, Lesbian, Bisexual, and Transgender group, the Hispanic, Indian, Korean, and Native American groups, as well as heaps more. Don't sprout this rubbish about Microsoft being a racist company.
Re:racism? doubt it (Score:2)
And I've never forgiven the French over 1066!
In fact, I think that Og hit my great great great great
If someone scrawls some racist/sexist/ageist/classist/anti-Microsoft slogan to a bridge, can you sue the council? No! (Well, I hope not). You tell them it's there, they remove it.
Maybe a GOOD thing for M$? (Score:3)
If a C# compiler were to appear on the scene for a non-Windows platform, might the authors not be accused of having used M$'s IP in order to produce it? The same goes for any piece of code to appear that threatens their
I have not seen any definitive list of what code was compromised. Has that been made public? Or are they free to point to anything that appears in future and say it is based on their IP?
Hell, maybe they are making the whole incident up!
Microsoft Security = not much (Score:4)
I wasn't even looking for confidential information. Just turns out that I knew a couple of people who happened to work at Microsoft, and so I decided to pay one of them a visit at their office in Redmond, while I was vacationing in Seattle.
Now at each entrance to each M$ building there are Honeywell card readers, and each employee has a matching Honeywell card that opens the right doors so he can get to work. With the building I was at there is a front entrance and then a foyer with a receptionist's desk. During the day you have to get by the receptionist slash security guard to the second set of doors, which you also have to swipe your Honeywell card at. (At the building I was in, the receptionist desk was inside the second set of doors.) At night there isn't a receptionist or security guard, you just swipe both sets of doors and you're in. And once you're in a building you can go practically anywhere in that building; there aren't any other security checkpoints.
If you lose your card you can use the phone next to the card reader on the outside to call in to the receptionist, or to call your friend inside to let you in. This is how I got in. I called my friend's 5-digit extension and they came down to get me. (That's 2-xxxx inside; 425-882-xxxx outside.) There are refrigerators stocked with Coke (and Pepsi) products on nearly every floor. Just help yourself. There are also random arcade games, Ping-Pong and billiard tables scattered around. Each person has their own office, small as it may be; a few people share in some areas.
Anyway, inside, they have large supplies of blank CD-R's. All of them were factory labeled with the Microsoft logo and the words "Microsoft Confidential" and some other legalese. They are half blue and half white. And most of the developers that I met had their own burner.
I'm quite sure you can figure out the rest from here, and these are the details I have to omit. I can say it has something to do with caffeine's diuretic effects on developers. But I will provide a few other details for you.
Microsoft has their own security people. At night they go around and turn off all the lights in the buildings. Only they do it from the outside, via remote control. I think the system uses RF. (If you're inside, you can turn them back on, though. And be careful, they even turn off the lights in the bathrooms, and the switch can be hard to find. In the bathroom I used, it was about eight inches higher than I expected it to be.)
Microsoft has an internal server with pre-built installers for most (all?) current Microsoft operating systems, applications, etc. If you need something, you just open the network drive and get it.
Microsoft's firewall prevents people internal from connecting to certain outside sites. In 1998 this included netscape.com (but not mozilla.org).
Certain parts of Microsoft source are written in C and/or C++, and these parts are LITTERED with gotos. I mean they're everywhere. It's almost like they'd never heard of do, while, break or continue.
Anyway, that's my story.
oh christ (Score:2)
It's the new age of racism, I'm not from the south, I don't have a rebel flag, a pickup truck, a shitty looking house or an ugly wife. I'm the average white guy who you can't tell from anyone else.
stealing millions of dollars ! (Score:2)
Did I miss a headline about this or is MSNBC talking out of their back orifice? Millions stolen? I think that would have been headline news.
Core products? (Score:4)
Now I'm *really* intrigued. What constitutes a core product? Wouldn't it be interesting if certain languages were "core" and others weren't?
How would you feel if you paid $600 for Project to run major development work... or used Visual Basic to develop critical code for your company... or
If the cracker picked up Notepad, they wouldn't have asked for FBI help, would they? If it was MS Baseball 2002, they wouldn't have picked up the phone... it HAD to be something worth more than the bad press that could be generated!
--
Re:Its a Government Conspiracy! (Score:2)
Nobody stole any Microsoft code. Microsoft staged the break-in as part of its continual goal to create a perception of greater value in their product (if it weren't valuable why would people steal it; why would people pirate it; etc) & to get certain anti-hacker legislation shuttled through Congress (which will help them yield greater control over their product after you've bought it & to fight against open source software's reverse engineering of their proprietary standards for compatibility and publishing of security exploits). The Microsoft staged break-in also helps to bolster their image as a victim, like they claim in the ongoing anti-trust case, rather than the perpetrator, which they are.
These events did not transpire without a reason. Microsoft wants to control your computing experience from the ground up and will do whatever it can do to further that end.
--
Re:Open up some standards (Score:2)
Now Microsoft can use the documentation to understand what is going on in their own shitty crufty code, thus saving themselves a lot of time and money, all by violating the free software licences (GPL for Samba, X11-style for WINE).
They can also audit the WINE and Samba code to find areas where they can break Windows -> (Wine,Samba) compatibility while maintaining Windows -> Windows compatibility, causing the free software projects to waste more effort in reverse engineering the changes.
Even though the Halloween documents went public, Microsoft is doing EXACTLY what they set out to do.
Re:Everything's a virus (Score:2)
Yes, but in mainstream articles, everything is a virus. Thus, a worm becomes a "worm virus", or a trojan horse program becomes a "trojan virus".
"Virus" == "Malicious Program" in the mainstream view. Don't blame the journalists... their job is to tell the story. They have to speak in the common vernacular. "Hacker" == "Someone who breaks into computers", "Hack" == "A Golfer", "Operating System" is generally undefinable, and I knew one very intelligent person who does not use nor know computers who thought from early news stories that Linux replaced your BIOS (given their description of it).
--
Evan
Re:MS Code ... (Score:2)
> court warrant to confirm
Since when was reverse engineering illegal? What country would have jurisdiction anyway?
Re:Microsoft Security = not much (Score:2)
Re:If you see this ad, be suspicious... (Score:2)
Decompilation (Score:2)
In general, C decompiling doesn't recover macros, inlines, local variable names, or compiler idioms, so you get back something that looks like assembler expressed as C source. You're lucky to get something back you can compile. Decompiling is an area that needs more work.
MS Code ... (Score:5)
Think about it ... not a rogue OS based off of MS code ... but thousands upon thousands of exploits would turn up thus any computer connected to the internet through a (sarcasm) "secure" internet connection would now be at risk.
Another hypothetical ... company A comes out with a product that can run all win32 binaries... this os is based off of the source code of windows but is a closed source project. This project is then suspected by MS ... but it would take illegal reverse engineering or a court warrant to confirm ... thus another downfall to MS.
One more question I have ... If MS is SOOO concerned about their code ... why the hell is it so easy to remote access it?
The ships run on unix (Score:5)
Oh I don't know about that (Score:5)
--
Re:Industrial Espionage (Score:2)
Guess 1.5: Some MSFT employees are intentionally working on relaying MSFT source code to give their government employers better ability to commit IT sabotage at time of war. They ain't working for the US government.
Honestly, the world does not begin and end with e-commerce. Warfare still happens, and IT is militarily sensitive- it can be an absolute jugular vein if mishandled.
I'm not surprised, why should he be? (Score:2)
"We've been forecasting worm-based industrial espionage to happen for quite some time," said Mikko Hyppönen, anti-virus researcher for F-Secure Corp. "It has finally happened. I'm just surprised it happened at the top."
Since these guys are (by definition) running M$ cruft to the hilt and the worms usually take advantage of Outlook/Viral Basic. What better place to target? Someplace that runs Lotus Notes maybe??
Re:Source Code is both singular and plural!!!! (Score:2)
Yes.. Up up down down left right left right b a select start...
Re:The ships run on unix (Score:2)
___
It's in the OS! (Score:2)
Re:I think people might have this backward... (Score:2)
Re:Obviously the security advisor (Score:3)
While it *is* possible that he's just covering his ass, just because he works for Microsoft doesn't mean that's his only motivation, or that he's not capable of doing his job.
Re:Open up some standards (Score:2)
Right out of some satire (Score:4)
Sounds like it's OK if accounts create themselves, as long as it isn't too frequent. Just when you get a lot of them is it indicative of a breakin?
Good grief! What were they writing? Software bloat as a protection against theft? So, if it's so big, how do they know it wasn't hacked?
I still can't figure out who would want Microsoft source code. Basing a new product on code you have transferred from another group is hard enough with their cooperation, basing it on a snapshot stolen from a break-in would seem to be pointless: you are better off starting from scratch.
Ah, the media fully buying into the "security by obscurity" approach. The underlying assumption is that any software must be so full of security holes that we couldn't possibly let people look at the sources. How clueless.
I don't think one could have written a better satire if one tried. It is sad, however, that technical reporters write this kind of drivel as serious reporting (probably directly copied from some PR releases) and people in power believe it.
Re:Obviously the security advisor (Score:2)
Re:Windows is a moving target (Score:2)
Linux does support plug-n-play in 2.4 (beta) which will soon (within months) be a stable release. Dual monitors is completely up to the X server; I think XFree86 does support dual monitors in 4.0 and I know there are many commercial X servers out there that do support multiple monitors.
expect the Open Source movement to start finally recognizing that the "high ground" they occupied not so long ago has been taken back by Microsoft, and respond in kind with a much better Linux.
No, I seriously doubt that. I instead expect the community to continue to produce quality software without interruption, and without regard for anything M$ is doing. The Open Source community does not try to 'keep up with M$'.
God bless whoever invented dual-booting
Certainly not Micro$oft.
I have a question... (Score:2)
-Karl
Source code : blood (Score:2)
This is their stock in trade and they have hundreds (if not thousands) of people working with it and on it. I can assure you that it will always be 'close to the surface', as it were.
Take it for someone who also works for a big software company.
--
different view of code theft indeed (Score:2)
Code, code, code. Who gives a rat's ass about their hideous source code? Not me. If I were in the cracker's shoes (funny that, I'm white and look at my footgear often), I would carefully evaluate what actions would give the most bang for my hacking buck:
Hmm. If I were going to the trouble of entering the lair of the great software satan, I'd surely want more than to look at spaghetti code from some hyped-up codeslave just out of college. I'd want to get some mileage out of it, and what better way than to do something with continuing returns? Better to salt the fields than just burn them, eh?
Re:It's in the OS! (Score:3)
Well, looks like they still have some bugs to iron out before 2001. Does this mean Office 2001 will be delayed?
Except new aircraft carriers... (Score:2)
It sure sounds like they are thinking of changing a sane policy for the worse.
Re:Obviously the security advisor (Score:2)
I won't just imply it, I'll say it. Linux's track record is better -- at least in this way:
MS has a reputation of denying and/or pooh-poohing security bugs. There have been a few cases of hackers going to MS, quietly, with bug reports and being given the runaround about them until they get frustrated enough that they simply report the bug to the press to light a fire under MS's ass.
I mean: how many people would have been surprised to find that MS would have let their employees get remote access using Win/95 boxes? For many security conscious types, that idea is almost obscene. NT is slightly better, but I wouldn't even THINK of betting my life on it.
Given that kind of history, I wouldn't be all too surprised to find that there are a few bugs/design errors that Microsoft knows about internally, but "just hasn't had the time to fix" or considered "user enhancements". This probably includes a couple that black-hat hackers have found and not bothered to report to MS or the press.
This is what (I think) was probably meant by leaving your windows open.
In the open source community, there's always somebody out there who -- when a security bug is found -- feels some self-interest in closing the problem as soon as possible. This means that the space between reporting a bug, and having it closed by people who care, is as small as possible. If I'm feeling paranoid, I can always go to FreeBSD, who apparently claim zero remote-root exploits in the last 3 years. I don't have that sort of warm and fuzzy feeling with Microsoft.
'Nuff said.
`ø,,ø`ø,,ø!
Re:I think people might have this backward... (Score:2)
I think everything depends on whether the crackers got lucky and compromised somebody who had checked out some code that ran in some kind of trusted environment (something like kernel32, to be sure, but also portions of IIS).
The cruftiness of the code is some protection (as someone elsewhere suggested), but not much. Complex, ill-architected environments are the engineer's nightmare and the cracker's natural habitat. The question is whether the crackers had time to figure out a good place to put their exploit.
Even if they failed to insert an exploit, they'd have a golden opportunity to search for naturally occurring ones.
The source code's not the important part (Score:3)
Many posters have noted that Microsoft's source code is notoriously bad, and from what code I've seen (i.e. what they distribute with their SDKs) they're right. The whole thing is one gigantic ugly hack -- they're living in a world where strict C and object-oriented C++ mix freely, and the only thing they do consistently is their stupid variable naming scheme. People whine about Netscape 4.x being an ugly hack, but Microsoft code is much much worse -- it just has the advantage of loading at OS boot time.
That said, there's very little anyone could pull from any source code they got. Picking it apart looking for weaknesses or trade secrets would be fruitless -- picking apart the source code to their DirectX demos is bad enough, let alone a whole OS. Even before you figure in the legal issues, it's much easier to just reverse engineer the blasted thing.
What's important here is now Microsoft has to admit that their products are exploit-ridden. One of the greatest problems that computer security advisors have had recently is Microsoft's attitude towards the VBScript exploits; basically, they think that their codebase is good enough as is, with maybe a few patches needed here and there, and if in the meantime a few exploits make their way through then tough. (In fact, security experts rightly point to Outlook Express as the sole reason that worms like Melissa can even exist.) After all, the Microsoft PR people say, it's good enough for us.
But now someone has forced them to own up to the fact that the security in their products is a joke. Before this exploit, Microsoft spent many a PR dollar blasting Linux for the 'inherent insecurity' of its open-source nature, pointing to the fact that Microsoft itself uses Windows NT/2000 for its servers and nobody's broken into them before. Now that's all changed, and someone has shown that not even Microsoft can trust their own products for maximum security operations.
The irony is that Microsoft has become a victim of its own policy -- if it works for the most part, there's no point in patching up the little security holes. Well, guess what -- those little security holes added up to one major security hole that struck Microsoft at its core!
So what does this mean to the average consumer? It means that Microsoft is going to have to work really hard to fix up its codebase. After such a high-profile attack, Fortune 500 companies are probably going to think twice before using Microsoft software for mission-critical operations. Microsoft really is going to have to prove itself in the future, and that means no more quick-fix patches to security holes that fix one hole but don't really fix the overall problem, like the series of IE and Outlook Express patches that come out after every new ActiveX or VBScript exploit is revealed.
Re:MS Code ... (Score:2)
I doubt that most MS developers use linux boxen.
`ø,,ø`ø,,ø!
Source Code Obsession. (Score:2)
Laugh at banal commentary? Giggle at a misused pointer? Squirm over the indentation? Be mildly shocked at the local variable names?
Say you got the lot -- now what are you going to do? Fiddle around with n zillion lines of tired, structurally decaying code to make a version of Windows that doesn't work as well as the binary on the box you bought? What's the chances that you will have the least clue what you're doing? Or that it will be actually *worth* anything to anybody? What are you going to do? Spend your life rebuilding Windows? Please, feel free . . .
Don't you get it? IT DOESN'T MATTER WHO SAW MICROSOFT'S SOURCE CODE.
Re:Hacker was just playing the numbers. (Score:2)
This is a very interesting perspective, if you think it through a bit. It means that perhaps any source of software should, from a security standpoint, be considered potentially compromised.
This might be an argument for open source -- at least if you are vulnerable you can audit the vulnerability independently. But it is a very disturbing prospect because software is so ubiquitous, and updatable, it seems, all the way down to the CPU microcode. Virtually everybody is working on closed source BIOSes.
Re:I think people might have this backward... (Score:2)
Quote (Score:3)
The full quote is "Information wants to be free. Information also wants to be expensive. Information wants to be free because it has become so cheap to distribute, copy, and recombine -- too cheap to meter. It wants to be expensive because it can be immeasurably valuable to the recipient. The result is a tension that will not go away."
It must be true - I saw it on
Re:different view of code theft indeed (Score:2)
J
Re:Its a Government Conspiracy! (Score:2)
It could have been a REAL minor virus/trojan occurrence. These happen at big companies all the time. (I'm a security consultant, I get to see the stuff...)
Microsoft is not famous for disclosure, even under oath. Nonetheless, they have voluntarily made the decision to go public with a damaging publicity incident. They are sure to be milking the cow for a reason...
Generally, these things are not at all publicized. Keep it hush! Where did this story first break? MSNBC? Did they call a press conference?
Keep your eyes open. It will be interesting to watch the further developments here. Microsoft are surely interested in manipulation of laws and government, as amply evidenced by the behaviors exhibited in the course of their subpoenaed testimony.
Bill calls the shots from the top, and he's arrogant enough to think that the Constitutional mechanisms for statute and regulation are archaic impediments to himself, personally - and to Microsoft only by extension of his ego.
Jeremiah Cornelius
Re:Obviously the security advisor (Score:2)
Why do you hope he's not? Linux track record is better on this score. This security hole is a designed-in flaw in Windows. While all software has the potential to have bugs which cause security risks, the particular problem of launching emailed trojans or viruses is a Windows problem. Unix and Unix MTAs do not launch attachments. The user would be forced to save them to disk and manually make them executable.
Re:I'm not surprised, why should he be? (Score:3)
Persactly! (Score:2)
From the article:
You know, I read this and thought, "If the DoJ really wanted to stop the MSFT monopoly, why not force them to open their source?"
--
Re:Obviously the security advisor (Score:2)
Re:Source Code Obsession. (Score:2)
If the attacker can get access to one of the facilities where legitimate copies of Windows get installed onto OEM machines, then things become much more interesting. "Here's $5000. Now, please look the other way while I replace Microsoft's master CD with Folger's Crystals...."
--
Re:The ships run on unix (Score:2)
Except on the USS Yorktown... Apparently this didn't result in Windows being thrown out of the program. Apparently no-one took the risk of kamikaze rowing boats seriously.
Everything's a virus (Score:3)
Couldn't help but notice that the story first said "trojan virus" and then later, "worm virus."
Nice to see that these "technical" journalists have been keeping up with the lingo.
JOURNALISTS: You must choose between the words virus, trojan, or worm. They have different, but related meanings.
Also I'd like to applaud the media for finally giving some attention to a *real* hacker, and not some script kiddie. Any d00d with the t00lz can shut down a poorly-maintained website, but it does take a bit of time and skill to track down a Micro$oft employee, find his home computer, and go looking around from there. From the sound of the article, they don't provide any evidence that any code was actually taken or downloaded, just that there is a very high probability that he got to glimpse at some of it, which they remind their readership in every other sentence.
Re:Source Code Obsession. (Score:5)
Let's say it was someone who isn't really after Microsoft code just to get the new Microsoft code. It could be someone after Microsoft code to find security flaws in older, installed products. Products that Microsoft is no longer updating yet are still installed on many, many machines (like Windows 95 or NT3.5). If, by reading (not downloading, not uploading, but just looking at) the code, they can find a hole, 85% (or whatever number they use today) of the desktop machines in the world are vulnerable to attack. Why risk going after Microsoft when you've got the rest of the world ripe for the picking and they probably don't even realize it?
If it were me, I wouldn't waste time on "upcoming" or beta products. I'd go after the older stuff that's already installed, and therefore unlikely to be updated. Stuff that no one is paying attention to any more except to run things like, oh, Quicken or MS Money.
That way, you don't have to DO anything with the code, you just use it to go after other things. Remember the security/ActiveX security flaw that let you enter a Quicken transaction using IE? How much easier would it have been to find if you had the source code for the underlying flaw right in front of you rather than poking around?
Re:MS Code ... (Score:5)
As an ex-employee... all I have to say is "yeah, right". The level of cruftiness in certain codebases (NT, and Visual Studio, for example) is astounding. When I first started there, I was amazed that it worked at all.
And nothing says backwards-compatible-lovin like working on a file with a creation date over a decade ago.
Let's just put it this way: those who had access to MS source code probably didn't have a clue what to download or what would be useful. And even professional developers would have trouble making heads or tails of most of the MS code, even with complete access to it. With just bits and pieces, you could probably do better getting a non-tainted hacker (ex: Jeremy Allison) to explain it to you.
Remember awhile back, when crack dot com fucked up and someone managed to download the Quake source code from them? As a person who got a copy of this, I can tell you that it wasn't particularly useful. Without documentation, and without Carmack to tell you what the hell is going on, it would've been a tremendous task to go through that spaghetti and figure out what it was doing. I could understand most of the low level video functions and that sort of stuff, but when you get into the BSP and internals of the engine - no way.
And that was just a drop in the bucket compared to the MS source code behemoth.
- AC for obvious reasons
Re:MS Code ... (Score:3)
If your hypothetical company A produced a derivative product from Microsoft's source code, and Microsoft took action, the likeliest outcome (at least in the US) is that a court could order a comparison to be made by an independent expert of the two pieces of source code. If that expert found that there were "striking similarities" between the two, then the case would be part proven.
Secondly, how long did it take you to write this almost perfect clone of Windows? A week? Really? Can you show me the timekeeping records of the army of hackers you had working on this project to write a "new" Windows? Their names and addresses? No? (And so how long have those guys at Freedows been at it so far?) Your case is now in more trouble.
Finally, did you have access to the original source code? Can you prove that you didn't? Can all your army of programmers swear affidavits that they have never seen the Windows source code (and could not, therefore, have copied it)? Kinda tricky if it's been published for all to see on the Internet, don't you think.
Forget the reverse engineering, you're dead.
Re:Microsoft Security = not much (Score:2)
But, then again, you knew that, right?
Re:Why do it? (Score:2)
Then I'd TP Gates' house with it.
...
After using it.
Its a Government Conspiracy! (Score:2)
Am I the only one around here who finds that the timing and announcement of this break-in happen to coincide with the timing of both the International Anti-Cyber-Crime Treaty and the anti-hacker bill going through Congress? Come on, folks, this is exactly the ammunition the law enforcement community needs in order to shove down our throats increasingly draconian surveillance and criminal laws that strip away what remains of a tattered constitution.
The timing of this reminds me of the DoS attacks earlier this year which then prompted Congress to increase the federal government's escalation of cracking down on so called 'hackers'.
Re:I'm not surprised, why should he be? (Score:2)
A Lotus Notes version of this sort of thing would also be pretty easy in most environments, providing you had access to somebody's User ID Certificate file. (Notes can restrict the programming interfaces to trusted developers, but the default setting is wide open to all users.)
--
New Copyleft clothes (Score:5)
Re:Source Code Obsession. (Score:3)
I think people might have this backward... (Score:5)
Instead, what if a good hacker decided to drop a few dozen lines of code in amongst the 10s of millions or so lines in Windows to make it easier for *them* to hack? Why hunt down security holes, when you can code them into the product yourself?
With everyone and their sister using Windows these days, this could give a hacker access to most every industry out there. And given the loose security between MS products, the new code could be in Office, Explorer, Outlook, almost anything. So the hacker downloads heaps of source code from a variety of MS products, finds a good location to insert this code and then modifies and sends a bit back. In amongst all the code that MS has to manage - most of which I'm sure they rarely look at, who would notice? How hard would it be to find?
Has the next MS product you plan to buy already been compromised? This I think is where the concern should really lie...
Using stolen code in a legal action... (Score:2)
As I recall, Alan Dershowitz did a column in the New York Times when the movie version of "Bonfire of the Vanities" came out. In it, he said only the government was not allowed to use evidence from an illegal wiretap (i.e., one which had been recorded without the knowledge of any of the parties to the conversation).
Dershowitz claimed (in my memory) that there were no restrictions in a civil suit such as was portrayed in the movie. He also said that it was even OK for the government to use evidence it had obtained illegally if it was being used to discredit perjurious testimony.
Perhaps an unintended consequence of this incident is that no Microsoft will be able to lie in court about source code without fear of dramatic repercussions. That should severely restrict their traditional deposition-courtroom strategies.
Anyone know what the law is on this matter?
It's never happened before? (Score:3)
Oh, come on. Are we honestly expected to believe that this is the first time this has happened? This sort of thing goes on all the time, they even admitted it earlier in the article. Perhaps this is the first time it's happened to a really large corporation that's then let the information leak out to the public, but the first time it's ever happened?
Stolen code and open source (Score:2)
Oh boy are they wrong.
Imagine the stolen code surfaces on the net. Imagine Microsoft lawyers all of a sudden start targeting open source projects that are somehow related to the code that was stolen, accusing them of making use of the stolen code.
Microsoft is a large company with huge resources. Huge enough to take on the US department of justice. I am perfectly capable of imagining how Microsoft could strike a blow at the open source industry and leave it in a legal quagmire for years to come.
Re:Stolen code and open source (Score:2)
racism? doubt it (Score:2)
For crying out loud, Microsoft has thousands upon thousands of employees, and this is the U.S.A. - do you for a second doubt that among all those employees there are a few racists? The company I work for has maybe 250 employees in all and I personally know of at least a couple of fairly virulent racists among that lot.
I'm no fan of Microsoft at all but I'd bet you a hundred to one that there is no top-down official policy at MS which is racist in nature. Ageist, sure, I'm positive that like the rest of the software industry they blatantly (and illegally) discriminate against older coders, but racist, I seriously doubt it.
If you summarily shut down every American company with racists in it, you have to shut down damn near every company in the country. The way I feel about capitalism in general, I won't object too loudly, but, you know, there are some sensible people who might not think that is such a good idea.
Yours WDK - WKiernan@concentric.net
Did I miss something? (Score:2)
I can understand assuming that anyone who cracks into corporate computers would be capable, and willing to steal proprietary source code. The script kiddies of the planet have destroyed an honest cracker's reputation long ago.
It seems to me that this is what we call hype. Maybe I'm just being ignorant, sorry if I am.
Re:Source Code Obsession. (Score:5)
/* They should be using Media Player anyway */
if (realAudio())
    breakRealAudio();
/* Dang hippie OS */
if (linuxPartition())
    corruptRandomLinuxBlock();
-----
Zennie
At this rate... (Score:3)
By the end of this week, the story will be that an employee got the flu and was home sick for a few days. While working from home under the influence of prescription drugs, he accidentally renamed a user account which set off a few alarms, but everything is well because no product deadlines will slip because of it.
Several points, one slightly off topic (Score:2)
Secondly, what is this rubbish about a 'brief look'? We all know it'd take nothing more than use of a screenshot facility to preserve the data to read back at one's leisure.
Thirdly, considering the venom with which MS is likely to chase down anyone in possession of the source code, would it not be worthwhile using a random one-time-pad to encrypt the code and have two people post, independently, the two halves without making claim to it containing MS code? Then a third party could point out that the code can be obtained by the appropriate XORing, and no one (except perhaps the third party, who is doing little more than posting a link) can be blamed, as both the first two have posted nothing more than random data?
Where would the law stand on this issue?
Simple (Score:2)
If it were me, I wouldn't waste time on "upcoming" or beta products. I'd go after the older stuff that's already installed, and therefore unlikely to be updated. Stuff that no one is paying attention to any more except to run things like, oh, Quicken or MS Money.
That way, you don't have to DO anything with the code, you just use it to go after other things. Remember the security/ActiveX security flaw that let you enter a Quicken transaction using IE? How much easier would it have been to find if you had the source code for the underlying flaw right in front of you rather than poking around?
Or maybe this isn't so bad... (Score:2)
A worm virus trojan? (Score:3)
So the QAZ trojan is a well-known worm virus. Glad we got that straightened out.