Please create an account to participate in the Slashdot moderation system


Forgot your password?

The Impact on Open Source of Stolen Microsoft Code 388

Cabal writes: "I recently came across this article on Linux Journal. It discusses some of the more interesting legal ramifications of the theft of Microsoft's source code that I hadn't even thought of and it's effect on open-source projects. Basically, it's saying don't go near any code claiming to be stolen from MS, and with good reason, including quotations from the Samba project. Check it out, it's a good read."
This discussion has been archived. No new comments can be posted.

The Impact on Open Source of Stolen Microsoft Code

Comments Filter:
  • The police has a finite amount of resources for tracking criminals and they can't track down every criminal, and there are many crimes where they don't do much more than take a report (as you would find out if your car did get stolen).

    Computer crime investigations can be expensive. Let's say we are spending $XXX on trying to find whoever broke into Microsoft's system. Who are they likely going to find? A couple of high school students with no special skills: they apparently used a well-known exploit.

    That money could have gone to catching some violent criminal, or helping people with drug rehabilitation, or any of a number of purposes that would improve the lives of thousands of people.

    On the list of social priorities, the crime that has been committed against Microsoft is very low: it has virtually no consequences to anyone (other than Microsoft's PR and marketing), and the people who perpetrated it are unlikely to be a threat to anyone.

    Sure you can do something about [begin held at gunpoint]; you can carry a weapon yourself.

    You can't realistically defend yourself with a gun against someone who is reasonably skilled with a gun; if you try, you assume a huge risk. Defending yourself against an E-mail virus, however, exposes you to no risk at all and has almost no cost.

    And that's the reason why I would like to see our police going out on the streets tracking down gun toting criminals. OTOH, tracking down some "script kiddies" won't make my life or anybody else's life any safer. It won't even restore anything to Microsoft. All it does is waste a lot of money that could have been spent better.

    A crime has been committed, and Microsoft has both ethical and legal claims. If they can prove that stolen code was used in someone else's project, they will win in court.

    Whether Microsoft can claim IP once in court is an entirely separate issue from whether the police or legal system should make any significant effort in tracking down the people who broke in.

    However, while it is popular in some circles to try to invent new forms of IP protection, reality is that it's not clear they actually have much IP protection. There are really only four major forms of IP: copyrights, patents, trade secrets, and trademarks. Only trade secrets would seem to apply here (possibly copyrights, but they don't contaminate). And the legal reality is that trade secrets need to be protected carefully in order to receive any legal protection.

  • by torpor ( 458 ) <<ibisum> <at> <>> on Sunday October 29, 2000 @02:02PM (#667738) Homepage Journal
    But what about the flipside of this.

    Would it be at all feasible, from a law perspective, to counter-sue Microsoft for *NEGLIGENCE* in protecting their so-called trade secrets?

    Wouldn't it be possible to make the argument that since Microsoft *allowed* the source code to get out into the public domain, they are responsible for their own mess, and thus use that as a basis to dismiss any court cases that would be enacted based on this conspiracy theory.

    It seems to me that this argument could be made fairly strongly - as is the case with trademarks - if you do not protect it, you do not deserve the right to exclusivity, and thus there would be no basis for damages should the code be 'used' elsewhere?

    Can anyone with a strong legal background comment on the feasibility of this issue? It would seem to me that something like this could be argued in any case against Microsoft for this purpose.
  • No, they probably wouldn't write, "Hey Dudes, check this out! This is M$ Office Source Code!". They would most likely write, "Hey Dudez, check this out! This is M$ Office Source Code!". Actually, they would probably capitalize every other letter, too. I was into the warez scene right around the time the Win95 betas were coming out (I was 14 and stupid). Those kids don't have an ounce of subtlety in their bodies.
    Besides that, anyone who is a good enough programmer to contribute to any serious OSS project should be a good enough programmer to recognize code from an MS product (the fact that it's bloated and sucks should be a hint). Also, code posted with no license whatsoever should be pretty suspect.

  • But I see far more far-reaching impact on any open source project that seeks to integrate with MS products. Anything that succeeds must have come from the stolen IP! Sue everyone who might be involved with such products and force them to defend themselves in court and prove they never saw the code. (Oh, I forgot, you cannot prove a negative.)

    Oh, yeah, and we heard about this days after it was anounced that Excel and Word 2000 now work in WINE. Very interesting...

    I have said often that if I could just get Outlook to run in linux, I'd have no use for an MS OS. Guess someone overheard.
  • The GPL defends its software development model using copyright law,
    whilst the MS defence is based on trade secrets. Utterly incomparable
    from the legal point of view.
  • Banks don't run Microsoft products.

    Not true. For example, a system that runs on a mainframe is accessed via a tn3270 program running under Windows NT. Hack that and you can install a keyboard sniffer and remote control app and get everything you need to get into that non-Microsoft system that the bank runs...

  • "It might be difficult to know for an OSS maintainer that a contribution to his software does not come from M$ stolen code....It won't be as simple as it looks."

    I agree. There will be open source types who will use this code in a project regardless and in the end it will hurt us because microsoft will have access to the OSS source code of that project. The maintainer, on the other hand, may not have access to MS source code and won't know the difference until it's too late. So, should the maintainer get the illegal MS code to check against software submitted or should he sit blindly and assume the programmer submitting code is honest. This is a serious catch-22 here and it makes you wonder if there is a conspiracy behind the "stolen" code. Either way, OSS programmers have to be on red alert. A serious can of worms has been opened here and it could impact projects like SAMBA, WINE, or Win4Lin. Programmers of the aforementioned projects need to be cautious of anyone submitting a reverse engineering breaktrough of a Windows API.

    I do want these projects to succeed by any means, however, the use of MS code will come back and bite them in the butt if they are not careful. Many of anti-MS types were happy that MS got cracked, but I have mixed feelings. The timing of the crack is too perfect - Samba TNG was formed recently which promises to implement primary domain controller type services. Could Microsoft be planning evil or is this coincidence? If you do find the code, be very careful and be smart. As much as I'd like these guys to look at the code, laugh at the bugs, and reverse engineer it, cheating will only cheat the users of free software somewhere down the line. MS has enough money to file some serious lawsuits against people they feel have used their code and in the end good projects like WINE or SAMBA will be forced underground.

  • I hate microsoft as much as the next linux geek, but they're not just a huge group of millionaires sitting around plotting how to destroy Linux. They would not let someone steal their source code in such a risky venture just to shut down a few MS-related projects like samba, wine, and maybe abiword. It would turn them into who they hate most: people who give away thier source.
  • by MustardMan ( 52102 ) on Saturday October 28, 2000 @03:03PM (#667761)
    Forget the legal ramifications... using microsoft code in an Open Source and/or Free Software project would be like building your house out of straw when you get free bricks and know the Big Bad Wolf is on his way.
  • by joe user jr ( 230757 ) on Saturday October 28, 2000 @04:20PM (#667762)

    1. Bill Gates' credit card details
    2. Source code for Bob
    3. Cheat list for Solitaire
    4. Online application form for donations from the Bill and Melinda foundation
    5. Wish list for enhancements to MS-DOS 3.3
    6. Complete set of MP3s of Steve Ballmer rocking out
    7. Original code for Linux
    8. Discarded Office Assistants including Penfield the crazy Judge and Linus the toad
    9. Contents of Bill's desktop trash folders for the last five years
    10. Contact details for Bill's personal stylist

    ... if the register [] is to be believed..

  • The reports I've seen say code may have been stolen. They say that the Qaz trojan may have been the way the crackers gained entry.

    But I've heard/read nothing definitive. The whole thing screams 'inside job' to this clueless luser.

    For easy karma, does anyone have facts?
    For example, how did the crackers get around the (OpenBSD?) firewalls?
  • My attorney informed me you are probably correct, as far as the trade secrecy of the source codes. A trade secret is valid only as long as it is secret - you are responsible for taking precautions to protect trade secrets commensurate with their value. Given the value of the MS source code, it would seem that a "commensurate protection" would be to leave it totally off the net - on machines physically not connected to anything else.
    Of course, the code is still copyrighted, but you have fair use exemptions, specifically research, to argue about there.

    This is NOT sound legal advice, it was given to me off the cuff by a lawyer who gave up IP work a couple years back. Still worth a thought.
  • The trial isn't over yet. It will probably be drawn out for years to come. M$ will loose in some courts, the DOJ in others. No one will "Win" or "Loose" the trial until the Supreme Court hears or refuses to hear it, or one side gives up on further appeals.

    Even if M$ were to loose, it would still take another three to ten years to split them up.

    As for the whole "$$$ for the better lawyer" story, what do you think has been the major problem for the DECSS case? Judges who don't get it and lawyers who can talk circles around the truth.

    There are plenty of cases where a criminal went free because of the quality of their lawyers. Standard Oil was bigger and badder than M$ can ever dream of being and made Bill Gates look like a Saint. It took years to even touch them, but not until JDR's personal fortune was 2% of the entire US Economy.

    The "Teflon Don" escaped justice time and taime again, and OJ walked away a free man.

    These are all because of lawyers and the US legal system. It has nothing to do with what is right and wrong, but who has the best legal team. Anyone who really thinks the "truth will set you free" or that anything other than money runs the nation is a sad individual with no concept of reality who might as well believe in Santa Calus.
  • and your friend reading your book is copyright infringement.. yuk.. there should be laws against that.

  • I don't buy that whole "contamination" thing. If contamination exists then: Anybody who's ever used MFC is contaminated, because it comes with proprietary MS source code. Conversly, anybody who's ever patched gcc is a GPL violator unless they release all their work under the GPL.

    Unless Open Source projects start showing up with large swaths of code containing things like DWORD and LPVOID, I don't see how MS could prove anything.

    Oh no! I've just released the secret of DWORD and LPVOID! I'm doomed!!!

  • by jetson123 ( 13128 ) on Saturday October 28, 2000 @05:02PM (#667781)
    This whole incident looks almost like a publicity and PR stunt. Microsoft seems to have succeeded at two things.
    • First, they have created the impression that Windows source code actually has significant commercial value. That's, of course, nonsense. The only reason Windows source code is valuable is because of Microsoft's market position and commitment to enhancing it, not because there is anything intrinsically clever about it.

    • Second, Microsoft seem to have gotten people to believe that being infected by an E-mail virus is kind of like being the victim of a robbery at gunpoint--something they can't do anything about. That's, of course, non-sense, too. It would have been very easy for them to protect themselves from this kind of threat. Susceptibility to this kind of threat is a defect in Microsoft products (other products and systems have defects, too, but the issue is who Microsoft blames for their defects, not the existence of defects in other products).

    Microsoft has to take reasonable care in protecting valuable trade secrets. It is clear that they haven't. Even if they believe that their E-mail client has sufficient security, if they believe their source code is as valuable as it is, it should reside on a more protected part of the network. Microsoft is merely trying to avoid responsibility for their product defects and for their poor security policies.

    It is an outrage that the taxpayer now even has to foot the bill for trying to track down people who took advantage of security defects in Microsoft products. That would be like GM selling cars with no locks and then claiming it's the taxpayer's responsibility to find all the stolen cars.

    It is still good advice for open source projects to stay away from any Microsoft source, legally or illegally obtained. But don't get suckered into believing that Microsoft has any ethical claims: they were negligent. And, objectively, they ought not to have any hope of legal success either--they should fix their products instead and stop shifting the cost of their defective products onto law enforcement and, ultimately, the tax payer. As long as they can get away with shifting cost and responsibility onto others, they will have no economic incetives to fix their software or procedures.

  • Nobody stole any Microsoft code. Microsoft staged the break-in to create a perception of greater value in their product & to get certain anti-hacker legislation shuttled through Congress (which will help them yield greater control over their product after you've bnought it & to fight against open source software's necessity to reverse engineer their proprietary standards and publish security exploits). The Microsoft staged break-in also helps to bolster their image as a victim, rather than the perpetrator.

    Be certain: these events did not transpire without a reason. Microsoft wants to control your computing experience from the ground up and will do whatever it can do to further that end.

  • Please!

    Assumption is the mother of all fuckups. Have you ever seen the Microsoft source code?

    And... have you never seen open source code that is beyond crap?

    Just because you can't read it, it doesn't mean it's badly written. Try seeing an implementation of a COM subsystem that is easy to read.

  • I tend to believe the AC since they are generally people who fear repercussions from what they post here, be it from their employer, future employers, or the community. Thankfully there is still the AC account available for these courageous souls to use to get this information out there.. otherwise it would be hidden in the closets of corporate america along with everything else.
  • Or, say, someone emails some of this code to the kernel mailing list directly. Now, nearly the entire team of linux developers, among other projects, has seen the 'forbidden source'. IANAL, but MSFT could possibly use the fact that they saw the 'forbidden source' as justifications that now they're now privy to MSFT's proprietary software models. They may use this fact to either sue future developers, or inhibit future development of such projects.

    If you emailed the linux source code to the Windows developers at MS, I don't think you could prevent them from working on proprietary software even if you could prove that they saw GPL'd code, so I don't think MS can prevent you from working on free software just because you saw proprietary code.
  • What if M$ decides to copy a chunk of GPL'd code and claim it was part of the super secret stolen source? Would anyone believe such a forgery?

  • Also I think at the current moment with the nature of the OSS movement if legal action was taken against the project someone would carry on
    the project after it has had a injunction against it etc.. I mean just look at DeSSC code that has been distriuted so many ways. ie this

    How many software distributions are there that publish DeCSS? None.

    The catch to the MS stuff is that if Samba were to get MS' code, they'd mostlikely obfuscate it in such a way that it'd be hard to prove it legally. As for MS' intellectual property rights, I say screw them. They're a monopoly; they thrive on not allowing other systems to network easily with them.
  • then, it seems to me that a way around this, if you mistakenly or intentionally saw some of this mysterious M$ source would be to go th M$ and sign an NDA. Basically admitting that you saw it, but that you have just said, legally, that you won't use it.

    Anyone? Anyone?

    After 16 years, MTV has finally completed its deevolution into the shiny things network
  • by Anonymous Coward
    Yeah, they don't want anyone reading that code. You know why? It's got stuff in there that breaks competitor's products. Stuff that would look really BAD in light of their DOJ troubles. Maybe they don't know just how much was taken, and what it reveals, which is giving them a case of the shits. They probably pray that nobody could really make heads or tails of it. AH but those friggin' Free Software hacker types could figure it out and they'd know the dirty tricks we put in our code. Yeah, that ESR guy could figure it out, and he could publish another one of those Halloween documents. Yikes, what's today's date??? Only two more days!

    We gotta make sure nobody looks at that code, especially those hackers. I mean, they're smart, they'd know what we were doing. Threaten to sue all of them? No, that would look bad, we've got enough bad press already. How about this: let's scare them into not looking at it. Spread the word that even looking at this code would threaten their ability to work on any free software projects in the future. That should scare anybody smart enough to figure what's in there.

  • by isorox ( 205688 ) on Saturday October 28, 2000 @06:52PM (#667818) Homepage Journal
    Everytime anything to do with decss is posted on /., a load of +5 informative posts pop up with the code. Slashdot refuse to take them off.

    If someone decided to post some key code to windows here, would it be kept on the server? How many nanoseconds would it take before 200,000 lawyers shut the site down?

    How far will slashdot go?
  • by R-2-RO ( 766 ) on Saturday October 28, 2000 @03:08PM (#667820) Homepage Journal
    Just a random thought that popped in my head, but what if it turned out that GPL'd code was found in Microsoft's source code?

    Maybe their 'innovative' re-invention of symlinks and mapping drives to directories was based on GPL'd code.

    Prolly not, but I say it was just a random thought I had. :P
  • by Wellspring ( 111524 ) on Saturday October 28, 2000 @05:26PM (#667823)

    To be honest, I had this smug feeling about the whole deal until I read the article. This is really an unfortunate situation. More importantly, it touches all of us, since anyone who tries to reverse engineer an API from MS is going to get painted with the haxor brush. The MS code isn't even that good. I only hope that they don't use this as an excuse to begin a litigious assault on the Open Source movement. Sustained lawsuits attacking key applications will slow development, and could influence virtually everything we do.

    One thing this means for us is this: concentrate in your source trees, now more than ever, on modularity. Any time a chunk of code becomes suspect, we should be able to isolate and replace it until the dispute is resolved.

    On another note, it would probably be a good idea for people in the Open Source community to alert the FBI to anything we might hear about who may be responsible for this. While I don't like MS, the courts will punish them for their monopoly, and the marketplace will punish them for their close source methodology. To not assist whereever appropriate will leave us open to accusations that our community is filled with criminals and warez d00dz.

    Besides, the sooner this is put to rest, the sooner we can dispel the myth that MS source code is actually valuable in the first place...

  • Warnings that even viewing MS source could damage the Open Source movement.

    Am I being paranoid^H^H^H^H^H^H^H^Hconcerned that MSs "theft" could be their carefully orchestrated, poorly disguised effort to discredit/destroy Open Source through oppresive application of litigation?

  • by ahaile ( 147873 ) on Saturday October 28, 2000 @06:58PM (#667829)
    It's been interesting to watch MS change the story about the hack. Every day, it becomes less severe:
    • first, it lasted three months [], and there was talk that not only was source downloaded, but it might have been modified
    • then, it was for six weeks [], and MS was sure that no source was modified
    • now, it was only one week [], and source was only "viewed", not downloaded, and to a minor "future product" at that.

    What's going on? Well, it seems like MS's PR department has been working hard to downplay the attack. Notice how the informant shifts over time from an unnamed "Microsoft engineer" to Balmer to MS's "corporate security officer." I assume that what happened went like this: 1) a mid-level MS engineer leaked the real story to the press, 2) PR (Balmer) steped in for damage control, and finally 3) PR propped up a puppet with a written script to try and kill the issue.

    The thing is, the strategy may backfire on MS. Now, they can't claim that open source developers are pirating their code. They've already gone on record saying no MS code exists in the wild. Which means that if you happen upon the source to Office, you are free to look at it, since MS has already declared that that code does not exist.


  • While I understand the legal issues involved... it still irks me that reading something can get you into trouble. I mean - is it a crime to read? I'll be sure to bring a pair of blinders with me everywhere I go now... I wouldn't want to accidently read something I shouldn't.

  • It is an outrage that the taxpayer now even has to foot the bill for trying to track down people who took advantage of security defects in Microsoft products. That would be like GM selling cars with no locks and then claiming it's the taxpayer's responsibility to find all the stolen cars.

    It's not an outrage, it's just good ole plain business as usual, sucking-up for croporate welfare.

    For years, GM shifted the deadly burden of it's blatantly unsafe cars onto the back of "bad drivership" and "poor road design", until they were exposed as the frauds they are.

    Americans are bred for stupidity.

  • So, what happens if someone posts a review of the way MS did, say, real-time prioritization. Clearly the person who wrote this is treading thin ice, and MS will likely go after them.

    On the other hand, does the person who reads this review have any obligation not to use the info? It seems to me that there's no copyright OR trade secret protection for a method that you came across this way. Unless MS has patented the particular method, you SHOULD be free and clear.

    Lawyers? Thoughts?

    I, however, am most interested in just how bad the code is. I'd love to look at it, not because I think they have any good ideas, but because I want some humor in my life ;-)
  • Wait... so that would make working for Microsoft the equivalent of an Actor's inability to get legit roles after working in Stag films... I knew it all along...
  • I don't see the benefit to Microsoft for orchestrating this theft.

    Since the theft has occured and is in public, it brings to light a lot of questions regarding the security of NT (I'm assuming that their servers are NT). A MS loss.

    If Microsoft says that they are using *nix servers to discredit *nix hackers, then it is basically an open admission that *nix is a better server solution than NT. Again, a MS loss.

    Opressive application of litigation? They would only be able to go against the perpetrators of the crime and anyone using the stolen code. The rule of thumb for /.ers and anyone else is to stay away from the code.

    Discredit Open Source? MS surely sees Open Source as a threat to their business model, but to pull a stunt to discredit open source is a bad PR campaign. A few years ago, Open Source did not have respect or legitimacy from the "corporate" community, but with IBM throwing some muscle behind Open Source, it now has legitimacy from the business community. Forget the arguments regarding Open Source code being rock solid and around for a long time, the historical perception of Open Souce - from the perspective of the "corporate" community - is that it was just a bunch of software hacked out by every Tom, Dick and Harry. Now that some big corporate plays are getting behind Open Source, it is only beginning to see widespread respectibility from the suits.
  • I'm sure that the people who are working on the wine project can show tarballs of source code going farther back than microsoft could. it doesn't matter anyways, if they can show the source from four months ago (one month before MS got cracked) than they can prove beyond any doubt that they aren't receiving stolen code in any way shape or form and then also that MS is trying to sabbotage them, thats not only an unfair bussiness practice, but i doubt that the FBI likes it when big brother cries wolf...
  • by electricmonk ( 169355 ) on Saturday October 28, 2000 @03:13PM (#667851) Homepage

    It is hard to imagine that something that could look so good on the surface (Microsoft getting totally 0wned) could be so bad for the Free Software Movement. Now potentially any open source project that has anything to do with Microsoft interoperability is open to a law suit. At the very least, it will make accepting contributed code into the CVS tree more difficult.

    It has been said that one of the fundamental damages that security breaches cause is not only the loss of data, but the loss of the integrity of data. It is unfortunate that this loss of integrity has to spread to other victims that have basically nothing to do with Microsoft.

  • While I understand the legal issues involved... it still irks me that reading something can get you into trouble.

    Well, I DON'T understand something about this, and the flap surrounding it:

    As I understood it, a trade secret is GONE once the secret is out of the bag. The holder of the secret has an action ONLY aginst the person who improperly exposed it - either after stealing it, or in violation of a valid confidentiality agreement - and perhaps anyone in collusion with that person. (Collusion would be things like hiring him to steal it, or giving him some benefit in return for a copy you knew to be stolen. Downloading it from an open internet site would not be collusion.)

    Since when is there an action against anyone found using part of a FORMER secret that is now widely distributed? Since when is there NOT a big-time countersuit and other legal grief for anyone who brings such a bogus suit?

    Yes, you can sue anyone for anything. Yes, if you have enough lawyers you can cause anybody a lot of trouble. But you can't just use your money and the court system to make life hell on any random person or company you don't like. You have to have a palusible case. If you knowingly bring a bogus suit you're on the hook big-time - both civilly and (if you're blatant and unpopular enough) criminally.

    Has the deCSS case broken the legal system THAT badly?
  • Using the same reasoning, any MS employee who has seen the SAMBA code shouldn't be allowed to work for MS anymore?

    I'm serious. The fact that the source was stolen should not matter. Maybe accessing the MS source code would prevent you from claiming a "clean room implementation", but not from working on OSS at all.

    Just another idea... what if GPL'd code is found in Windows. I'd like MS being sued (by FSF?) over copyright infringement. it would look bad for them trying to fight OSS developers working on wine/samba/...
  • by mkachan ( 223539 ) on Saturday October 28, 2000 @03:15PM (#667862)
    If Microsoft's source code appears in public, downloadable from somewhere or in some other way, most likely they will not write on the page "Hey Dudes, check this out! This is M$ Office Source Code!". Maybe after the water calms down, something will appear in some anonymous way in some projects, in some webpages... It might be difficult to know for an OSS maintainer that a contribution to his software does not come from M$ stolen code. How should a maintainer behave? Should he be paranoid? Should he act "in good faith"? It won't be as simple as it looks.
  • Am I being paranoid^H^H^H^H^H^H^H^Hconcerned that MSs "theft" could be their carefully orchestrated, poorly disguised effort to discredit/destroy Open Source through oppresive application of litigation?

    ssshhhh. What was that sound?

  • ..I can't program an open source GORILLA.BAS for Gnulix?


  • If you read it you'll go blind!!!

    Prolly should of been AC for this one. :P
  • by Trepalium ( 109107 ) on Saturday October 28, 2000 @09:53PM (#667872)
    This is almost certainly already the case. It's just a matter of what and where. Bug fixes and exploits on the BSD TCP/IP stack revealed that NT essentially used BSD's TCP/IP logic (if not the code). But I haven't seen many dialogs in Windows saying "portions of this product are owned by the Regents of UC Berkeley".
    How about this. The following text appears in the program code for Windows 9x FTP.EXE:

    @(#) Copyright (c) 1983 The Regents of the University of California.
    All rights reserved.

    There's no way to generate this string from running the executable itself, it's only viewable in a hexeditor.

  • Considering that most MS code is written in C++, I think it's safe to say that OSS projects written in C and especially other, less common languages probably have less to worry about than OSS projects based primarily on C++. Granted, some MS code is written in C, but not very much these days, and certainly none is written in Perl, Python, Scheme, PHP, Eiffel, ML, Haskell, etc.

    In view of the possibility of OSS being contaminated with closed-source code, the use of a diversity of languages being used in OSS development is not just a good policy, it may end up affording some legal protection. Not being subject to the same forces of mindless conformity that prevail along the corporate C++/Java/VB axis, we ought to take advantage of it.


  • I've been biting my tongue on most of the other biased leaps of logic I've seen thus far in this thread, but this is ridiculous.

    Microsoft seem to have gotten people to believe that being infected by an E-mail virus is kind of like being the victim of a robbery at gunpoint--something they can't do anything about.

    Sure you can do something about that; you can carry a weapon yourself. Does this mean when you go to the tax-salaried police about it, you should be turned away for your lack of responsibility?

    That would be like GM selling cars with no locks and then claiming it's the taxpayer's responsibility to find all the stolen cars.

    Again, your leap in logic astounds me. GM doesn't sell cars without locks, but plenty of people don't lock their cars, and some of these unlocked cars become stolen. Taxpayer money goes towards tracking these stolen unlocked cars, and rightfully so . . . Whatever the circumstance, the criminal carries 100% of the responsibility for any crime, the victim 0%.

    Regardless of your opinions about the practices of the victim or the quality of the property, this is theft. A crime has been committed, and Microsoft has both ethical and legal claims. If they can prove that stolen code was used in someone else's project, they will win in court. Not because they're Microsoft, or the judge is stupid, but because they are the victim of a crime.

  • > Its hard to hide 1000 *.c files ;)

    you mean it's hard to hide 1000 *.vb files
  • Have someone (say, in Russia) read through the code for 'interesting' insights (such as how their undocumented protocols work, how they break competitor's products, how to work around some horrible bug, etc). That person (who you never talk to directly) then posts this info to a web page. You come along and read the web page. You've never looked at the Microsoft source code, but now you know the things you wanted/needed to know. Can you be held liable for that? I hope not?
  • by Andrew Dvorak ( 95538 ) on Saturday October 28, 2000 @03:18PM (#667882)

    Exactly, the benefits of implementing gpf-like functionality (better crash-dialog functionality) into kde or, for the gnome folk, gnome.

    Seriously, though, I know not what the true story is, but I'm sure there are many reasons Microsoft might execute such and infinately many reasons why they would not have. And, by the way, we don't even know what, if, or exactly how much code was stolen.

    Maybe this is another case of a hard drive being misplaced behind a copy machine, anyways.

    Microsoft has invested MANY millions of dollars into their software -- something they obviously don't want to lose -- against your theory. With all the funky legal stuff going on in recent years, I must say if Microsoft hasn't used this vehicle, you are first, in my book, to give ideas to those who will ;-)

  • Never attibute to competence that which can be explained by ... what do you mean you doubt they keep the code to W2000 in a folder called W2000? why not? Sure, they've probably got a code name, but once you identify it, it's probably called that on every machine. MS is not some magical kingdom which breaks all the rules. They pull their code on one JLE at a time like everybody else. Do you ROT13 all your folder names? Neither do they.
  • by SmileyBen ( 56580 ) on Saturday October 28, 2000 @03:19PM (#667889) Homepage
    So they're seriously suggesting that anyone who's ever worked for Microsoft or a licencee is not allowed to work on an Open Source project attempting to mimic functionality ever in their life? That can't be right, and if it is, isn't that a huge threat to individual freedom?
  • This is almost certainly already the case. It's just a matter of what and where. Bug fixes and exploits on the BSD TCP/IP stack revealed that NT essentially used BSD's TCP/IP logic (if not the code). But I haven't seen many dialogs in Windows saying "portions of this product are owned by the Regents of UC Berkeley".

    That doesn't mean you'll find the code from BSD lifted wholesale in there, but a search of the Windows or NT source would probably turn up a little intellectual property theft.

    Besides the network code, I'd look at the "Compress" attribute for files, the PostScript drivers, the POSIX "compatibility" sub-system, IIS, Internet Explorer (since it's based on the Spyglass browser), ftp client, telnet, and some of the networking services (DHCP, RCP). You all could probably name other likely candidates for GNU/BSD code lifts.

    Of course Windows Me has its particular code tree, so who knows what's there. There was also the mass exodus of Apple programmer to Microsoft in the 90s. So if you developed at Apple in the last 15 years, you might be able to find some of your own work in the source for various Microsoft products. Remember "Video for Windows"?

    Not that other companies don't do this too. Apple's Disk Copy utility makes disk images which are basically tar balls. Probably a little borrowing there, but it's convenient if you run Linux on your Macintosh.
  • by kennylives ( 27274 ) on Saturday October 28, 2000 @10:43PM (#667906) Journal

    I quite agree, MS, or anyone else for that matter does not have the resources, man power etc. to track down every developer or potential developer on projects such as samba, or wine.

    But they don't have to. Just pick one or two high-profile members of the group, and target them. As soon as everyone else in the project finds out what's happening, the project is dead. It may not be possible to eradicate all OSS projects, but a few well-delivered blows could seriously cripple most of the useful stuff out there. Besides, MS would likely only target those things that pose a threat to them. I doubt that they'd go after anyone working on vi, for instance.

    Besides the above constraints, MS would also be constrained by the fear of bad press, consumer/governmental reaction ...

    Question: When has Microsoft ever shown fear of any entity??? This is part of the reason they're perpetually in trouble with DOJ/FTC/etc...

  • by Andrew Cady ( 115471 ) on Saturday October 28, 2000 @07:48PM (#667912)
    So when Microsoft carelessly allowed spies to copy their secrets, they lost the trade secret protection, didn't they?
    From the Trademark FAQ [], whose authors (unlike me) actually are lawyers:
    A trade secret owner can prevent the following groups of people from copying, using and benefiting from its trade secrets or disclosing them to others without permission:


    • people who knowingly obtain trade secrets from people who have no right to disclose them
    • people who learn about a trade secret by accident or mistake, but had reason to know that the information was a protected trade secret,

    There is one group of people that cannot be stopped from using information protected under trade secret law. These are people who discover the secret independently, that is, without using illegal means or violating agreements or state laws. [...]

    The question becomes, does an individual who stumbles upon MSFT code have reason to know the information is protected trade secret? In most cases, probably. But then, an anonymous contribution in the form of a diff emailed to the SAMBA project is fair game -- without having seen the MSFT code themselves, SAMBA has no reason to believe it's a trade secret, and thus does not fall under the restrictions of trade secret law. Of course, it may also be protected by copyright, in which case (AFAIK) ignorance is not a valid defense.

  • by wass ( 72082 ) on Saturday October 28, 2000 @03:24PM (#667918)
    I was just reading about this article on LinuxToday [], so this scenario of paranoia isn't one I've crafted myself, but it presents some interesting ideas. A few people posted some comments there suggesting that perhaps MSFT itself either stole their own code, or maybe hired someone to steal it for them.

    Sounds strange? Think about the following reasons. We've seen many times previously that MSFT avoids admitting their own mistakes for as long as they possibly can. It takes them awhile to warn the public about known bugs or exploits in their various software products. Yet, in this case of the stolen source, they were seemingly very willing to let the press know about the break-in and apparent theft of the source code.

    Now that it is public knowledge that some MSFT source code has been stolen, imagine what it does for free/open-source development. Because of this, the FSF and other maintainers of free/OSS software now have to take extra measures to ensure that the code is free of any potential influence of the supposed 'stolen code'. This takes time, effort, and will generally serve to slow-down the development open-source software projects. A big 'plus' for MSFT.

    Also, suppose someone posts snippets of the 'Forbidden Source' to various newsgroups, like the public postings of DeCSS and MSFT's kerberos additions to slashdot. Or, say, someone emails some of this code to the kernel mailing list directly. Now, nearly the entire team of linux developers, among other projects, has seen the 'forbidden source'. IANAL, but MSFT could possibly use the fact that they saw the 'forbidden source' as justifications that now they're now privy to MSFT's proprietary software models. They may use this fact to either sue future developers, or inhibit future development of such projects. Both of these things are bad for OSS/free software, and are good for MSFT.

    This may sound like some grand paranoid conspiracy theory and doomsday scenario, but as someone posted to LinuxToday, "Just because you're paranoid doesn't mean they're NOT out to get you."

  • Actually, execution is exactly what comes to mind when I run M$ code.
  • When msc 5.x came out it was a much better compiler than any other that MS had ever developed before. At that point its optimiers actualy worked but like most it had a few flaws. Funny thing is that most of the flaws were the same that gcc had.

    Now if someone just had time to prove that some of the code was lifted it could be quite interesting.
  • that they'd 'stolen' the source code so that people could laugh at it .... (of course it wasn't stolen like a car is stolen - it was copied - information works differently than physical things ...)
  • MS would have a very hard time grinding all international free software devleopment to a halt

    Not only that, but even in high profile cases, just seeing source code or even signing an NDA does not disqualify you from working in the same area. Many consultants work for many companies in the same domain. Heck, Microsoft themselves hires engineers away from competitors.

    The opensource/freesoftware worlds are currently dominated by fussy little hairsplitters who have spent far too much time working on their licenses. The licenses are important, don't get me wrong, and somebody needed to work on them. But usually, when your lawyer is done you send him home, because lawyerthink is not the best for running things.

    Also, one should take the caution against knowingly passing illegal copies of anything around, not because the ideas would taint you, but the crime might.

  • I have a huge pile of DEC Sources, everything needed to build from scratch a VAX/VMS system (versions 2.0 up to 4.4). I also have piles of technical information and design information for buckets of DEC PDP/11 and VAX hardware. All of the above has been acquired lawfully over the past 20 years.

    Am I therefore prohibited in using my personal knowledge to benefit open source software? Do I have to seek Compaq's permission to release open source software?

    On a wider note, as I work with closed source software all day as part of my normal job, does this also disqualify me participating in OSS projects? I don't think so, because if it did, a lot of people on the linux kernel credits list would be in trouble for a start.

    What if any Microsoft programmers, who have presumably legally seen sources, joined an OSS project? Would Microsoft be able to stop them? The possibility for nasty legal precendents is rather alarming.
  • Apple's source code was stolen years ago, and somehow free software managed to flourish, untainted. A few months from now, this will be completely forgotten. So, yes, you're being paranoid.
  • Well, CNN, Fox, and other certainly picked it up. But Microsoft went to the FBI, and Microsoft keeps claiming that there is nothing wrong with the way their clients handle attachments and scripting. They could have kept quiet, or, even better, they could have said "oops, we made a mistake; we are going to fix our software, and here is what you should do to avoid the same problem".
  • According to the news reports I read, the email trojan gave the crackers passwords for access to MS code meant for employees working off-site. The crackers then proceeded to act as off-site workers and d/led the code (maybe).
  • by austad ( 22163 ) on Saturday October 28, 2000 @03:27PM (#667954) Homepage
    I haven't looked at how QAZ works, but wouldn't it get installed and then listen on some port?

    Doesn't microsoft keep all of their users behind a firewall? If so, QAZ would just be opening a port on the users computer behind the firewall, no one should be able to get in and actually connect to it, there would have to be a hole poked in the firewall for that to happen.

  • Pretty cool idea, almost blow-my-mind insightful, although not quite...

    I'm hoping that the problem isn't quite is grim as you portray it. You show it as a very computer "If A, then must not have B" thing going on here..... I'm thinking that it might be possible to balance the two if you add in a third element, something that sooo many people seem to be lacking these days... just a touch of common sense.

    Really, take it on a case-by-case issue. Yes it sometimes sounds good to make huge generalizations and sweeping "always" and "never" statements, but it's often better to look at specific occasions. Examples:

    • Big Brother wants to install telescreens in all rooms of all households, all cars, and all public places (read 1984, but the quickest summary I could give is telescreen=two way television, effectively, or radio at least)... my personal stance on this issue would be on the side of Privacy.
    • Big Brother wants to collect info to accurately be able to tax us in a manner that is fair. I'd side on the side of "Open Source", so to speak.... although "Open Information" might be a better name for it at the level we're talking about it...
    • Company wants to keep source code private.... I'd side on "Privacy", as the company has that right, but also push big time "Open Source/Information" as much as I can for myself and any like-minded people elsewhere in the world, in hopes of making products that are cooler, better, and free-er then those of company (i.e. Microsoft vs. Linux, duh duh duh).

    Well, enough said. Yes, you can't clamor for both privacy and open source at the same time, fair enough. However, a balance can be maintained where you say "Yes, MS has rights to privacy if they want, but I have the right to say I like open source and want to go out and make Linux, but I myself have the right for privacy when it comes to certain aspects of my personal life".... i.e. I believe in free source code, but not necessarily big brother and telescreens and every bit of info being "free".

  • by OnanTheBarbarian ( 245959 ) on Saturday October 28, 2000 @08:17PM (#667957)
    I think that a lot of Slashdotters went off their meds simultaneously, today. There's no other possible way to explain the weird paranoia that crops up every time this source code theft is mentioned.

    Conspiracy theory #1 - Microsoft faked it

    Come on. Microsoft does not possess an oracle that tells them things like "if you fake being hacked, your stock will stay high, people will not abandon your products (quite the possibility at the server end), and you'll get lots of clout in drafting new anti-hax0r legislation". And if you don't have that kind of oracle, you're not going to go out and pretend that you got hacked so that you can score some political points against the free software movement.

    They stand to lose far more business from 10% of their potential server market shifting to Sun/IBM/whoever (or deciding to stay with Sun) than they stand to gain from slightly helping the cause of some vague, unenforcable laws directed at reverse engineering.

    Yes, Microsoft will try to get as much advantage as they can from this. That's no suprise.

    Conspiracy theory #2 - Free software people did it

    If free software types (or supporters of same) were behind it, don't you think that someone would have seen the sources on freenet or some random ftp site by now? Or at least heard a couple of well-substantiated stories to that effect? ("I saw a huge tarball called microsoft-sources.tar.Z on ftp://....").

    Far more likely, it's either some script kiddiez, who probably didn't even get it together to the point where they could get the source in any useful form, or some low-level industrial espionage people who are discreetly shopping around their product to various shady firms.

    Incidentally, if it's the latter case, I wouldn't anticipate seeing the source showing up anywhere for free; why would the people who stole the source for profit give it away for free?
  • I've heard that big time, really famous song writers are instructed (by their legal eagles) to NOT LISTEN to compositions by amateur songwriters (for legal reasons) because they may accidentally unconsciously plagarize part of it and get hit with a lawsuit.
  • While your explanation of damage control is quite plausible I can see an alternative explanation:

    1. Breach is first detected, everyone is in a panic and assumes the worst.
    2. After a little checking it turns out not to be as bad as they thought at first.
    3. After careful analysis of logs, including the version control management logs it turns out that no modification took place and only a minor future product has been downloaded.

  • With 521 comments already, probably no one will ever read this but -- I have to say that in the 3+ years I've been reading Slashdot, this is the single most idiotic, clueless, divorced-from-reality discussion I have ever seen. I haven't been this embarassed to be part of the free software world since Eric Raymond marched on Microsoft dressed as Obi-Wan [].
  • #include "stdio.h"

    void vGenCrash(void);

    int iWinMain(int argc, char **argv)
    return 0;

    void vGenCrash(void)
  • by doublem ( 118724 ) on Saturday October 28, 2000 @03:33PM (#667986) Homepage Journal
    It's very simple. Have some code "Stolen," then use the whole "intellectual Property" issue to destroy the Linux Vendors a few upgrades from now. Don't you remember the Halloween documents? The proposal that Trade Secret Laws could be used to destroy open source???

    Six months from you you'll see the SAMBA and WINE teams being sued. M$ will win because the judges know nothing about computers and M$ money can buy the best lawyers.

    Oh well. I've been meaning to look at BEos for a while now anyway.

  • Would you turn down specifications that were engineered from tainted sources?
  • But I never claimed that MS did this on purpose.

    I'm just presenting one possible way in which they can recover their "losses" (real or perceived).

  • by divec ( 48748 ) on Sunday October 29, 2000 @12:24AM (#667994) Homepage
    now, it was only one week, and source was only "viewed", not downloaded

    Anyone understand what that statement is supposed to mean at all? How can they know that the source was ``only'' viewed? If the cracker was viewing the code, then copied-and-pasted out of his xterm/browser/whatever, then he has a permanent, downloaded copy! I suspect the use of these words is an attempt to fool non-technical people.
  • I like the "1983" part best.
  • Good lord you're paranoid!!! Seek professional help!

    You've never heard of just throwing out an idea to see what discussion it generates? I don't believe I ever stated that "this is what I firmly believe."

    It's just an idea, people. If you can't handle the thought of discussing strange and wacky concepts, you need to read some other website.

  • Mount the windows drive under a unix system (or copy the file to a unix system, or get strings ported to windows), and then run strings on it.
  • I'm sorry, but no court could even consider to give MS that big of a lever because of some potentially leaked code:

    I think the old "in dubio pro reo" applies here, so MS would have to prove:
    1) the code(fragment) was really developped by MS before the break in.
    2) the code was stolen from their website during the break in (according to latter MS statements it took them only a few minutes to discover the intruder)
    3) the code has been read by a developper
    4) the code could not have been created independly of MS code and is worthy of protection as a trade secret.

    If any court choose to make it to easy for MS anyone could cite this case as a reference and sue MS because some of their developpers surely looked at open-source code and choose not to honour the GPL when adapting some functionality to their OS.

    Also this would set an ideal precedent where any software-firm could sue the whole competition by claiming that some of their source code leaked. I think any decent judge would consider these facts before coming to a hasty decision. And even MS lawyers should hesitate to give the competition that big of a weapon if the case is used as a precedence against MS.

    Imagine, just set up a little software business, claim to be hacked and that part of your ingeneous solutions crept up in MS programs. If it even permits to temporarily halt MS shipping out products (imagine delaying Windows ME by half a year with such a scheme) the damage would be more than anything MS could gain using this scheme against others.
  • This is a very doable project provided we have acess to windows source code. I'm not sure of the legalities but I'm pretty sure of one thing...MS uses GPL'd code in their products. Lets prove it and force them to make Office public domain. I could care less about the rest of their embrace and extend crap. If Office was free, we could be rid of them.
  • 3. After careful analysis of logs, including the version control management logs it turns out that no modification took place and only a minor future product has been downloaded.

    Give me a break. A guy goes undetected on MS's network for 3 months and he can't modify a versioning log?

  • by weave ( 48069 ) on Sunday October 29, 2000 @01:30AM (#668014) Journal
    Forget it folks. If this was your typical leet h4k0r attack, they wouldn't be able to resist announcing it to the world or sneaking their little "greets and shouts" lines into their source code.

    No, it sounds like these puppies were real pros. If I was running a master criminal organization, stealing source to Microsoft code would be the best way to evaluate weaknesses in their code and use that quietly to hack into the world's biggest companies and banks undetected and run off with billions. Or how about hacking into foreign government intranets to get their secrets? Remember that this code has not received a critical eye looking at it with the intent to covertly break into it.

    There are real risks to the world going to 100% Microsoft solutions. It's like royal families inbreeding in medieval times. It ain't good and it's getting worse.

    Just think, your entire company may be Microsoft on the desktop, but at least the back ends are still something else. But soon no more. To leverage those nifty Active Directory benefits you need to move your DNS, LDAP, and Kerberos services to Windows 2000. Then you'll start to see the real benefits of moving that web server to IIS and e-mail to Exchange 2000.

    The real thing to fear here is what's going to happen behind closed doors outside of Redmond...

    I just don't understand the logic in trusting corporate and often national security interests running software you are unable to audit written by a private company whose only concern is maximizing their revenue and market share.

  • While I don't like MS, the courts will punish them for their monopoly

    No. It is your job to punish them for their monopoly. The courts have no authority to do so. It's this kind of attitude - expanding and extending the reach of government - that allows Microsoft and others to file spurious and anticompetitive lawsuits against (theoretically) any Free Software project because of this incident. You can't have it both ways.

  • by devphil ( 51341 ) on Saturday October 28, 2000 @03:39PM (#668016) Homepage

    ...just to be on the "safe" side.

    Consider. Free project GNUFoo comes out which competes with Microsoft Active FUBAR 2000. If it looks popular, M$ can just state that "there's a possibility that our proprietary source code influenced this design," and instantly GNUFoo is dropped like a hot potato.

    Now, there's none of M$'s code in GNUFoo, but the FSF and the GNUFoo programmers now have to prove that, because in the Real World you are presumed guilty until proven innocent, and even then you're still guilty of looking guilty.

    And in the years that it takes to satisfy the courts that GNUFoo is guilty of nothing but competing against The Man, the project will slowly grind to a halt. By the time GNUFoo is cleared of wrongdoing, M$ will have released their next project, and GNUFoo will be useless because it's so outdated.

  • I stand (Or sit to be more accurate) corrected.

    I remembered the story from a PBS documentary years ago. (Circa 1995) and must have messed up on the company name.

    Of course, the point wasn't about the company, but the whole idea of having one team hack the product and the other design a new one based on what they learned.
  • by mattbee ( 17533 ) <> on Saturday October 28, 2000 @03:40PM (#668019) Homepage

    Obviously MS have an excuse to sue if one person looks, but where's the harm in everybody looking? After all, the Windows programmers have had access to every piece of code ever relased under the GNU Public License since 1984! What I'm saying is based on the hypothetical that Windows source is / will be generally available, but then that's what all the don't-look-don't-touch hysteria is based on too.

    On the offchance this is the case, why should one free software programmer fear litigation for implementing something that MS also implemented? What's to stop the programmer of some major open source software taking the opportunity to scrutinise Windows for appropriated ideas from GPL code? Obviously no free software programmer would be idiot enough to cut and paste Windows code, so if we're arguing on the stealing of `ideas' from code, and code from both sides is available for scrutiny, surely lawsuits could fly both ways?

    I can see why the Samba / Wine people might be more wary than most but MS would have a very hard time grinding all international free software devleopment to a halt just because turned up on a few FTP sites.

  • It may have been microsoft, maybe they staged an attack against themself. After all who has more to gain by hurting the open source movement than them? If you think about this for a minute it was only last week if not this week that wine was running word and excel 2000. If M$ says that someone stole there code and the FBI believes them then this could directly hurt the wine project. This and the fact that they bought into Corel so they could undermine the linux wine movement.

    I know maybe this sounds a little parynoid, but with the past history of this company I think that anything is possible with them. They are a moralless company that sees nothing but there profits. They say that they listen to there users and that there users want more features and don't care about security. That is a load and they know it.

    On another hand, if Microsoft cannot secure there OWN software system and there network security is that crapy, do you really wnt ot be runnign that software? I mean really who leaves the source code to the OS connected to a system that is connected to the internet. Oh that's right they created that pptp crap and forgot to put security in in.

    Microsoft gives new meaning to VPN, Very Public Network!

    I don't want a lot, I just want it all!
    Flame away, I have a hose!

  • Well I think the problem is that a pretty good argument could be made that an OSS project like Samba, could be using the Windows source code to network perfectly with windows boxes.

    They could accuse them of obtaining the stolen source and using the knowledge they learned from it to advance the project.

    As far as I can tell, one lawsuit against a project like this could have the thing shut down. OSS projects don't have too many financial resources to fund a legal battle.
  • They may not be able to stop you and me from running Linux at home, but they could shut down Red Hat, VA Linux and kill corporate use of the OS.
  • I'd say more than that. If you're a developer you can no longer open any email from anyone other than those you already know, maybe even having to have someone screen them for you. Imagine this scenario;

    To:Linus Torvaldes[]
    From:Billy Bob []
    Subject: Kernel Patch.
    blah blah blah (insert MS code here).

    Or worse yet sending it to the kernel mailing list, tainting all the relevent people in one fell swoop? Even if MS doesn't do it, there are plenty of people out there with nothing better to do than try to fuck up other people's day.

    Fist Prost

    "We're talking about a planet of helpdesks."
  • by crovira ( 10242 ) on Sunday October 29, 2000 @10:37AM (#668033) Homepage
    The problems with M$, with understanding anything they do, what, when or why, is of course, the secrecy.

    Do I think that this will slow down the OpenSource community in the least... No!

    Secrecy is a double-edged sword. Any Linux distro could be entered into public record without a ripple. In fact that might be a good idea to do so now in preparation for any potential eventuality.

    But I don't see M$ dragging their APIs and source code into court for the public record anytime soon. That's what they would have to do to even allege with intent to procecute against anyone for supposedly stealing any of their code.

    They would have to identify the code and prove it came from them and the only way to do that is by bringing their own code to court and doing so in such a way as to prove the code repository had not been tampered with since the discovery of the break in.

    Then M$ would have to argue that it could not possibly have come from any other source but their code. All a developer has to do is keep a clear paper trail of what ideas come, as they come, and the very plausibility of the defense would dispell any allegation M$ might make.

    Making those allegations is a great deal more difficult than you think... Basically, M$ has a choice that I doubt they'd ever make even when their backs were against the wall.

    If you live in secrecy, you can't step into the sunlight too quickly. I think we're safe from an open source M$ for a long time to come.
  • So, the only think you can find wrong with my argument is the spelling of one word.

    Thank you. You defeat in this debate has been noted.

    "If you can not attack his logic and reasoning, attack his spelling. Loudly"
  • %mount /c
    %cd /c/winnt/system32/dllcache
    %strings -a -f * | grep "Copyright " | grep -v Microsoft

    asycfilt.dll: Copyright (C) 1995, Thomas G. Lane
    avicap.dll: Copyright
    avifile.dll: Copyright
    commdlg.dll: Copyright
    compobj.dll: Copyright
    ctl3dv2.dll: Copyright
    ddeml.dll: Copyright
    dmadmin.exe: 2.70 Copyright (C) NEC Corporation 1985,1995
    dmio.sys: Copyright (C) 1996 VERITAS Software Corporation. ALL RIGHTS RESERVED.
    dosapp.fon: Copyright
    drwatson.exe: Copyright
    dxmasf.dll: Copyright (C) 1996, Thomas G. Lane
    dxtmsft3.dll: Copyright (C) 1996, Thomas G. Lane
    finger.exe: @(#) Copyright (c) 1980 The Regents of the University of California.
    fontext.dll: Copyright 1988-1991 Adobe Systems Inc.
    ftp.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
    gdi.exe: Copyright
    gpkrsrc.dll: Copyright (c)1996 VeriSign, Inc. All Rights
    gpkrsrc.dll: This certificate incorporates by reference, and its use is strictly subject to, the VeriSign Certification Practice Statement (CPS), available at:; by E-mail at; or by mail at VeriSign, Inc., 2593 Coast Ave., Mountain View, CA 94043 USA Tel. +1 (415) 961-8830 Copyright (c) 1996 VeriSign, Inc. All Rights Reserved. CERTAIN WARRANTIES DISCLAIMED and LIABILITY LIMITED
    gpkrsrc.dll: This certificate incorporates by reference, and its use is strictly subject to, the VeriSign Certification Practice Statement (CPS), available at:; by E-mail at; or by mail at VeriSign, Inc., 2593 Coast Ave., Mountain View, CA 94043 USA Tel. +1 (415) 961-8830 Copyright (c) 1996 VeriSign, Inc. All Rights Reserved. CERTAIN WARRANTIES DISCLAIMED and LIABILITY LIMITED.S Copyright Copyright
    infosoft.dll: Copyright [c] 1995 INSO Corporation
    keyboard.drv: Copyright
    krnl386.exe: Copyright
    lzexpand.dll: Copyright
    mciavi.drv: Copyright
    mciole16.dll: Copyright
    mciseq.drv: Copyright
    mciwave.drv: Copyright
    mei32api.dll: (C) Copyright IBM Corp. 1992, 1995
    mei32api.dll: (C) Copyright IBM Corp. 1993
    micross.ttf: Copyright
    micross.ttf: USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
    mmsystem.dll: Copyright
    mmtask.tsk: Copyright
    modern.fon: Copyright
    mouse.drv: Copyright
    msacm.dll: Copyright
    msawt.dll: Copyright (C) 1995, Thomas G. Lane
    msihnd.dll: Copyright (C) 1996, Thomas G. Lane
    msttssyn.dll: (c) Copyright 1993-1997
    msvideo.dll: Copyright
    mwblw32.dll: (C) Copyright IBM Corp. 1997 all rights reserved. US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
    mwcnam32.dll: Mwave Software. (c) Copyright IBM Corp. 1994-1997. All Rights Reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Licensed Material - Property of IBM.
    mwcpyrt.exe: IBM Copyright Notice
    mwrcov16.exe: Borland C++ - Copyright 1994 Borland Intl.
    mwwtt32.dll: (C) Copyright IBM Corp. 1994 to 1997 all rights reserved. US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
    netapi.dll: Copyright
    nslookup.exe: @(#) Copyright (c) 1985,1989 Regents of the University of California.
    ntvdm.exe: (C)Copyright Insignia Solutions Inc. 1987-1992
    ntvdm.exe: 1.2 5/24/91 Copyright Insignia Solutions Ltd.
    offfilt.dll: inflate 1.0.4 Copyright 1995-1996 Mark Adler
    ole2.dll: Copyright
    ole2disp.dll: Copyright
    ole2nls.dll: Copyright
    olecli.dll: Copyright
    olesvr.dll: Copyright
    os2.exe: Copyright (C) Rational Systems, Inc.
    pax.exe: Copyright (c) 1989 Mark H. Colburn.
    pax.exe: Copyright (c) 1989 Mark H. Colburn.
    pmspl.dll: Copyright
    pngfilt.dll: i inflate 1.0.4 Copyright 1995-1996 Mark Adler
    rcp.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
    rsh.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
    script.fon: Copyright
    shdoclc.dll: Unix version contains software licensed from Mainsoft Corporation. Copyright (c) 1998-1999 Mainsoft Corporation. All rights reserved. Mainsoft is a trademark of Mainsoft Corporation.
    shell.dll: Copyright
    sound.drv: Copyright
    spcmdcon.sys: 2.70 Copyright (C) NEC Corporation 1985,1995
    storage.dll: Copyright
    sysedit.exe: Copyright
    sysedit.exe: Copyright
    system.drv: Copyright
    tahoma.ttf: USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
    tahomabd.ttf: USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
    tapi.dll: Copyright
    tcarc.sys: Thomas-Conrad ARCNET/TCNS Miniport Driver for NDIS 3.0, (C) Copyright 1990-94 Thomas-Conrad, Inc., All Rights Reserved,
    thumbvw.dll: Copyright (C) 1996, Thomas G. Lane
    timer.drv: Copyright
    toolhelp.dll: Copyright
    typelib.dll: Copyright
    user.exe: Copyright
    ver.dll: Copyright
    vga.drv: Copyright
    vgaoem.fon: (c) Copyright Bitstream Inc. 1984. All rights reserved.
    vgaoem.fon: (c) Copyright Bitstream Inc. 1984. All rights reserved.
    vgaoem.fon: Copyright
    vgx.dll: 4,f deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
    vgx.dll: f,f inflate 1.1.3 Copyright 1995-1998 Mark Adler
    webvw.dll: Copyright (c) 1998 Hewlett-Packard Company
    webvw.dll: Copyright (c) 1998 Hewlett-Packard Company
    wfwnet.drv: Copyright
    wifeman.dll: Copyright
    winhelp.exe: Copyright
    winhelp.exe: Copyright
    winnls.dll: Copyright
    winsock.dll: Copyright
    winspool.exe: Copyright
    wow32.dll: RQuickBooks for Windows Version 2. Copyright 1993 Intuit Inc. All rights reserved.
    wowdeb.exe: Copyright
    wowexec.exe: Copyright
    xenroll.dll: USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
    xiffr3_0.dll: Copyright (C) 1995, Thomas G. Lane
  • by TexasCowboy23 ( 189945 ) on Sunday October 29, 2000 @11:30AM (#668045)
    To start, I'll admit that I'm no major fan of Microsoft these days; yes, I even find it hysterical they've been hacked on this scale; yes, admittedly (regrettably?), I have sympathy for them. No matter how much I dislike the ethics (or lack thereof) of Bill Gates, he has been wronged: theft is theft (if indeed source code was stolen, which has yet to be proven, by the way). Of course, I'm wondering something of my own (away from all the flying conspiracy theories, rest assured). According to MSNBC, Microsoft has figured out that the passwords were being sent to an account somewhere in Russia. So what's taking so long? What's taking Microsoft so long to actually come up with something definitive? Enough "may have" and "could have" -- where is the "did" and "done"?

    Now, here's another thought. If the Linux community were behind this, we'd be unimaginable idiots every last one of us. Linux is so much more than Windows could ever hope to be. If you look at the track record of Microsoft and bugs, it don't look pretty. They have 7 service packs for Windows NT 4 (1,2,3,4,5,6,6a) ... They have 3 or 4 service packs for Visual Studio 6. Two service packs for SQL Server 7. Even their beloved Windows 2000 (not a few months after being released) now has its own Service Pack 1. I could keep going, but I'd be typing forever. No, nothing will be truly bug free upon release. Yes, bugs will always be one of the inherent problems behind code. But consider the overall amount of time between finding a bug and releasing a fix for it. Linux does it better and faster; Microsoft tries to mimic that behaviour and often times fails. Microsoft cannot keep up with the drive of Linux, and that's in out favour. If Microsoft source code ever became a part of Linux, I'd probably scream "Borg!" and run off to my own little planet somewhere in Andromeda. Assimilation of the illegal or the unwilling needs to be where the line is drawn.

    Though, I wouldn't mind someone stealing the source code for DirectX 7.0 and developing it over to Linux. *drool* I'd love to play Final Fantasy VIII under Linux. (And, for my legal sake, that is not a serious statement, though it would be a dream to play games of that magnitude under Linux. Of course I could just hope that Linux and Sony somehow combine forces and make a new distribution called Sony Linux or something...)

    This breakin at Microsoft also says something for off-site workers. As a consultant, at times I do work off-site, and I see some interesting effects in the worst case. Since the intruders appeared to the security logs as employees simply working off-site, security overlooked them for three months. For three months the intruders worked, doing only God knows what. (Like I said, there's been no real definitive proof to surface yet except for allegations about what "might have" and "could have" and "appears to have happened"...) But I still think this might produce some chilling and overly restrictive corporate policy changes on working off-site.

    I'm betting that nothing really serious did happen; I'd bet that the intruders only want to sit down and see how long it would be before someone noticed. In three months, you could cause all sorts of chaos for Goliath in his own camp. Blow out a few torches, bring down the mainframes, format a few servers, knock out corporate E-Mail, shut down all the domain controllers. (That latter one would be VERY interesting, believe me.) Maybe I'm wrong; maybe something serious did happen (not that a break in of this size isn't already something serious in and of itself)... I just want proof before I start my panic run. (Which, for me, consists of about 2 minutes of hyperventilating. *grin*)

    Enough rambling...
  • If stolen MS code DOES get widely distributed, it would be pretty amusing for the OSS community to start anonymously sending them diff's to fix up the bugs in the stolen code. I'd like to see the face of the tech support droid who gets that email...

    - Isaac =)
  • Compaq was very worried about this when they cloned the IBM PC. They had one group pf hackers chip away at an IBM PC to build the specs for what it needed to do, and a separate "Clean Room" team to use the specs and create the cloned BIOS. The "Clean room" designers had to be able to prove they had never worked with an IBM PC to get the job.

    And thus the IMB clone of the PC architecture was born.

    If they hadn't taken these precautions they would have been sued into oblivion by IBM and all PCs would be IBM PCs to this very day.
  • by BluedemonX ( 198949 ) on Saturday October 28, 2000 @03:43PM (#668049)
    Yes, they've basically stolen tons of stuff from everyone else... one MIGHT be tempted to say "fight fire with fire"... BUT...

    Here's the chance to publicly say "even if it was offered to us, we wouldn't take it." That kind of corporate-espionage B.S. belongs to a totally different world. Open Source is a philosophy, let it live and or die on its own two feet and by its merits.

    Showing the world the kind of class that Microsoft never had and never will should ratchet the public image of slashdot types way up, and counteract those stupid and offensive "hi! I'm the fat black hacker guy who has your credit card!" commercials...
  • by Fred Ferrigno ( 122319 ) on Saturday October 28, 2000 @03:44PM (#668057)
    I believe what happened was that the trojan was pre-programmed to scamper about looking for passwords, then emailed them to an account somewhere. Then the attackers could have used the passwords to log in in the same manner as regular employees for whom there was a hole in the firewall.

    Frankly, I'll be surprised if they got anything more sensitive than a newer build of Whistler.

  • by Global-Lightning ( 166494 ) on Saturday October 28, 2000 @04:00PM (#668062)
    From the Symatantec Antivirus Research Center: []

    [...] W32.HLLW.Qaz.A was first discovered in China in July of 2000. W32.HLLW.Qaz.A is a companion virus that can spread over the network and also has a backdoor that lets a remote hacker connect to and control the computer via port 7597. Since the virus does not have the ability to spread to computers outside the network, the virus might have originally been spammed out by email.

  • by schon ( 31600 ) on Sunday October 29, 2000 @03:34AM (#668086)
    a firewall should have prevented the attacker from exploiting the open port

    Who said anything about an open port?

    I'm sorry, but to a determined hacker, no firewall in the world will be able to stop a properly-written trojan.

    First, you're assuming that the trojan simply opened a telnet port and waited for connections (al-la backorifice) - a firewall (or more correctly packet filter) would solve this, but there are LOTS of other ways a trojan could have operated.

    Let's look at some of the other ways to get in from the outside (Just off the top of my head):

    • Outbound sessions - have the victim initiate the TCP session. So instead of Attacker->Victim, you have Victim->Attacker. Set the destination port to something that the client may be likely to do (Such as port 80, or perhaps 22 or 25) to enhance the likelyhood that any packet filter would allow it.
    • Use UDP to do the transfer - again have the victim initiate the session, and send control packets via the UDP-return mechanism. This is harder to implement than TCP (you have to handle dropped packets and retransmits yourself,) but probably the best way to do it, considering the way that the MS Netmeeting protocol works. (If the victim is allowed to use Netmeeting to anywhere on the 'net, then you can't block unknown UDP packets.
    • Use another protocol, such as ICMP, or maybe a combination of UDP and ICMP - the victim sends data/ack/heartbeat packets to to the attacker, and the attacker sends commands embedded in ICMP destination-unreachable packets (IIRC, this is how the TRINOO trojans work - this is what was used in last year's DDOS attacks.)

    The bottom line is that packet filters aren't the final solution to security - they are certainly a part of any good security plan, but relying solely on them won't protect you from someone who really wants into your network.
  • by nels_tomlinson ( 106413 ) on Saturday October 28, 2000 @04:11PM (#668121) Homepage
    that you MUST keep the secret, right? So when Microsoft carelessly allowed spies to copy their secrets, they lost the trade secret protection, didn't they? The spies have broken the law, and should be punished, but if they publish the "secrets", it's none of my doing that that's not a secret any more. There may be a copyright to keep me from cutting and pasting, but other than that, it seems that I should be in the clear.

    In a nutshell,(TM) I thought that once a trade secret slipped out, it was no longer protected by law. Can someone who IS a lawyer comment on this? Is it true that it doesn't matter HOW a trade secret is divulged?

The IQ of the group is the lowest IQ of a member of the group divided by the number of people in the group.