Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Different View Of MS Code Theft 269

LowneWulf writes: "I found this to be an interesting perspective of the previously-mentioned M$ hack, from this article from MSNBC. State of the art security? Companies held for ransom from stolen code? Notorious multi-million dollar thieves out of Russia? Anyone heard about these? How about how someone who had the ability to create accounts on the network, if the incident only did last a week as the article implied, could only perhaps have a 'brief glimpse of the source code.' I don't know about you, but even on a 2400 baud modem, I think I could probably download more than a glimpse." Among other things, this story hints that MS may have been compromised through an employee's home computer, and quotes Howard Schmidt, Microsoft's corporate security officer, as having ruled out a connection between the recent breaches from ones in September.
This discussion has been archived. No new comments can be posted.

Different View Of M$ Code Theft

Comments Filter:
  • and you don't think MS have a safe copy of their latest binary/source kept somewhere off the network? they're not THAT stupid...if the worst came to the worst, whatever project they'd been working on woulde be set back back by a few weeks, nothing more.

  • by chazR ( 41002 ) on Sunday October 29, 2000 @03:52PM (#666084) Homepage
    I have followed this whole story in a desultory way. Now, I think it's time for some journalism. Only I'm too lazy to do it. But, if I were a journalist these would be my questions:

    Where did the initial allegation (MS hacked) come from?

    Is there more than one verifiable source?

    What made MS admit to the crack? (They didn't have to - they could have denied it)

    The QAZ/Russia stuff? Who is the source? I haven't seen the MS logfiles. How do we know it waz a trojan posting "some data" to Russia?

    Which journalist/journal is prepared to stand up and say "This happened - I believe it - here is my evidence."?

    Question: Why would *anyone* want to steal MS source code. They are happy to *sell* access for a small fee (100k+ last time I asked - which is chump change)

    Who could benefit from a source release? (Answer - any *professional* cracker who wants to crack MS run boxes). I'll leave you to work out the consequences of that. But *my* NT/2000 net-facing boxes are running home to Solaris/HP-UX/AIX/OS-400

    And, finally: MS admitted it. So, there must be evidence that it happened. Where the fuck is this evidence?

    Pissed posting pisses people off. Perhaps people posting pissed should perceive the pseudo-plenipontentiary powers of the powerful people who perform peer-review. Or not.

  • Actually, it does matter- a great deal! What happens when evidence of Microsoft's theft of Spyglass (and a host of others) makes it out?
    It couldn't happen to nicer people.
  • WHAT producy deadlines? ;-)
  • That's pretty sick. Considering most of your sources are from before 1960 when the Black Rights movement was still coming around, of course Blacks wouldn't have had as good of an education as Whites. They were totally prejudiced against! They got shit everything, and were never expected or encouraged to think for themselves.

    I've noticed racism is spawned by ignorance, and if you really think about it, it's plain dumb. They're humans, the difference is *skin color*. Let's be prejudiced against people with brown eyes and black hair while we're at it... Oh wait, hitler was. Prejudice is so sick.

  • OTOH, we don't need to worry about them stealing the source.

    Still ...
    This is a point worth contemplating, and a valid
    one. I don't yet know how to be certain that my system has been secured. (Well, I use a dial-up connection, and I've been installing several distributions from scratch .. so I doubt that I'm currently cracked. But it would be nice if it were easier to tell.)

    Caution: Now approaching the (technological) singularity.
  • As every media organisation has been at pains to point out ad nauseam, they only stole the BLUEPRINTS. Which , of course, is much less serious. Makes you wonder why the media don't trust the intelligence of the audience enough to say the words 'source code' Maybe they're right.
  • Don't let him get to you, that's what he wants.
  • Well it certainly wouldn't fit on a shirt....

  • There were no such comments in the many thousands of lines of code that I read and wrote at Microsoft while I was there (for five years, several years ago).
    Likely story. Why should I believe you? And even if I did, what are thousands of lines out of millions?

    (and most of my co-workers were not white, American, Christian men).
    I don't doubt that. It is known that Microsoft imports cheap labor from the indian sub-continent and south-east asia. This, in itself, is outrageos. No better than Nike using child labor in it's sweatshops and paying low wages. The saddest and most enraging part is that Microsoft is hiring foreigners when there are plenty of African-Americans right here at home who can't get work because of discrimination.

    And that's all I gotta say about that.

    I am,

  • My favourite was the line about email containing 'a hidden code'
  • actually, in GB/IRL terms, a hack is a journalist, but what's a little semantics among friends? :)
  • Does anyone really believe that MSNBC is uninfluenced by MS??? I am surprised that this article was even posted...

    I'm a fucking Bhuddist. This is enlightenment. - Bjork
  • by Michael Jennings ( 234334 ) on Sunday October 29, 2000 @03:59PM (#666096)

    New Operating System!!!

    Winski 2000 by MicroSlav

    Operates just like Windows 2000!

    Only 20 rubles. Put the money and your email address under the trash can on Ivanoff Street.
  • When Sir Linux Torvaldis invented IPX, he did so with the knowledge that if buffers were improperly evacuated such that Hq(x)=0, you could send a router into an infinite loop. The common workaround, is, as you suggest, to change the aggregate global unicast address to an unsigned integer. SO_LINGER serves a noble purpose (and rightly so!) when it pre-initializes a connection:address lookup table (CALUT) to preset the subnet ID. So you see for your workaround, you have no have no way of ensuring that the flow control window is sized correctly, thus growing asymptotically. This is the major downfall of TCP/IPX, as per your original post. But what I would recommend instead is that you re-regulate a UDP ARP mechanism such that the piggyback ARQ doesn't not SYN when echo response is requested. In other words, in half duplex-, or full-half-on mode, you don't have such a huge pipe to worrry about router loopback syndrome (RLS). In a common token-ring topology, as opposed to a shared-medium ethernet topology, this can get hairy, to use the technical term. This is why it is always necessary to synchronize to a simulation authority for verification. Thus the SMPP local link cannot, by definition, be adjusted thusly. O(log n) can cause performance problems, and thus is why Linux Torlavidis implemented the HTONS/HPOUNDS in such a way as to circumvent this problem, in his NetBUI implementation.
  • I really doubt if they let this happen on purpose. I do. Really.
    But I also doubt if they care much. I don't see it doing them any harm. And we can expect them to take every PR opportunity that presents itself.
    Caution: Now approaching the (technological) singularity.
  • by BlackSabbath ( 118110 ) on Sunday October 29, 2000 @03:59PM (#666099)
    It is interesting to note that the break-in was committed using an "old" trojan (ie anti-virus products were detecting it since July). Why? If you were trying to hack into some pretty big IT firm you would have to assume that they have SOME sort of anti-virus/content vetting software. However, you might also assume that among the thousands of staff, there would have to be some that decide (for whatever reason) that they don't need to be running the company's mandated anti-virus product because of "XYZ" (insert completely lame excuse here, probably related to "This is meant for those DUMB users not ME").

    Knowing this, it is just a matter of playing the numbers and eventually...BINGO! And of course if you spread out your attack over time, the failures would stay below the "Danger Will Robinson!" threshold. (Any sufficiently large and hated IT firm would have to expect a certain number of "incidents" over time - these wouldn't cause any undue alarm unless the density was high enough or there was a detectable pattern). Good ol' human engineering. You just can't protect against it. All you can hope to do is detect it quick enough and run your business such that you don't "have" too much info which if it got out would drive you under (can anyone say open source?)

    What is REALLY interesting is the motive? Why would you do it? To improve WINE/SAMBA/XYZ??? I doubt it. These guys won't be touching any significant new changes with a ten foot pole for a while I bet. The competition? Why? What possible advantage could be worth the risk?

    If its not just some dude who wanted to be the first to "plant the flag", then my money is on the mob. Why not? Just imagine how many buffer overflow bugs someone like Georgi Guninski (check out NTBugTraq) could discover with a good peek at the code. You could then use the knowledge when/where-ever. Alternatively, instead of using this knowledge themselves they may pass on the source to the "highest bidder" which would probably include the usual suspects (middle eastern "terrorists" etc).

    Just my 5 rubles.
  • by Erasmus Darwin ( 183180 ) on Sunday October 29, 2000 @05:25PM (#666100)
    Instead, what if a good hacker decided to drop a few dozen lines of code in amongst the 10s of millions or so lines in Windows to make it easier for *them* to hack. Why hunt down security holes, when you can code them into the product yourself.

    First the obligatory joke: Isn't that what MS does anyway?

    But, in all seriousness, MS does have internal protections in place. Consider this: When I interned there last summer, there were something on the order of 500 interns there. These were virtually all normal college-aged CS geeks -- and not all of them were die-hard Microsoft drones, either. With that many people, in that demographic, for that short of a time period, I'd be willing to bet that if all the Windows source code was open for the viewing, something would've happened already. On the other hand, what was generally accessible on the corporate network were the websites for each of the various projects -- the sort of stuff that'd be best kept secret from a business standpoint, but would have zero interest to the Slashdot crowd.

    And as a random aside, even the developer kit for the Barney Actimates doll that MS produces is kept secured from general access, for reasons that should be fairly obvious. (Creating a humorous yet vulgar Barney dialog is left as an exercise to the reader.)

  • Oh, good! They've told us everything's under control, situation normal... It's not like we can trust m$nbc to tell the truth about this one.
  • FYI, there are _buildings_ in our country that are twice as old as our _country_.
  • by mike260 ( 224212 ) on Sunday October 29, 2000 @04:02PM (#666103)
    ...Microsoft reports that Oceania has always been at war with Eurasia.
  • by bugg ( 65930 ) on Sunday October 29, 2000 @02:23PM (#666104) Homepage
    Doesn't want it to be linked to an earlier comprimse. There would be a lot of egg on his face if the problem was brought to his attention earlier and he didn't fix it.

    The Chief Security Officer is trying to cover his ass. Take what he says with a grain of salt.

  • > Why is everybody so obsessed with source code, Microsoft's or anybody else's? Just what in the heck are you going to *do* with
    > a glimpse of some of the source code to Office or Windows?

    Grab a bunch of old CS textbooks, & do a diff against various parts of the code. And publish the findings. Especially if the textbooks happen to date to the 1960's. (We all know how Microsoft uses modern code -- none of that old crap from the 1970's like UNIX does.)

    I still want to know just how many rat's-nests of speghetti code are nothing more than thousands of man-hours of patches to fix a mistake caused when some coder forgot to include a line he was copying from a textbook at 4:00am.

    Bet there's more than a few.

  • by mesocyclone ( 80188 ) on Sunday October 29, 2000 @08:41PM (#666114) Homepage Journal
    30 years ago, during my hacker days, a group of us got access to the source code of a pretty secure operating system (GCOS-III pre: GETSS). That source code enabled us to find a number of exploits that one would *never* find without it. We found about 12 ways to get into the equivalent of "root."

    To a hacker or a cracker, source code is worth it's weight in gold! You can look for buffer overflows and figure out how to exploit them. You can find hidden API tricks that allow one to gain extra privileges. You can find bugs that defeat security measures. You can find lots of stuff.

    If you thought windows was easy to hack before... well, it just got a lot easier!

  • by chazR ( 41002 ) on Sunday October 29, 2000 @04:11PM (#666120) Homepage
    MS code is a "Trade Secret".

    It is still a "Trade Secret" even if it is stolen, posted on the web, displayed on billboards, whatever. This is OK until you *use it*. Then, you're screwed.

    If MS can prove to a court (in the US) that you used their trade secrets, and that you knew that you had acquired their trade secrets illegally (which *well* includes downloading the source from an FTP site), well, then you are so shafted it's unreal. Can you say "Punitive damages"? 'cos that's what you'll be paying.

    All MS have to do to protect their trade secrets is to exercise "reasonable care". Now, try and prove they didn't.

    FACT: Stolen secrets are still secrets in law. Half-witted sophistry doesn't change that.

    The other half of the quote is "Information wants to be expensive" - Don't quote the popular half until you understand the context
  • While I agree you have a point, this discussion is about security, not performance. In that respect take linux. Linux, as long as you avoid X like the horrible plague upon humanity that it is, performs excellently. Windows, on the other hand, runs like shit, although, it is faster than linux running X. But then, consider how horribly insecure linux is. So you see it is a triple edged sword, with a cherry on top.
  • MS Windows massively monopolizes not only the consumer sector, but huge chunks of the military as well. Hell, _ships_ run off Windows, the Air Force is totally full of Windows, and who knows how many other countries in the world are totally standardised on Windows.

    If Russian military intelligence got to go over Microsoft's source code with a fine-tooth comb (or anybody- I only say Russian because apparently that IS precisely who's going over the code now), they would be able to conduct information warfare much more effectively, whether or not there are intentional backdoors- if there aren't, all the military spooks would have to do is dig up overflow exploits and the like. They have the code, and lots of people find ways to do this even _without_ the code.

    They're not interested in fixing it, selling it, posting it on the net or anything of the sort. Their only concern is being prepared to take all of American military IT _down_ before the missiles are launched. (And again, America doesn't have to be the target- any country with a modern computerised military could be the target.)

    The problem with lazy-ass monopolised security through obscurity is just this: now there's no security at all- odds are, some country (possibly not even Russia?) now has what they need to be able to take out any and all Windows-based IT at will. They're not going to be filing bug reports, or _using_ their techniques, unless they are seriously taking action. The only defense against this is to persuade Microsoft to either open their process to outside auditing (for instance, the NSA or the military), or to ask Microsoft to please fix any bugs that might be a weak point in this sort of attack.

    *bitter laugh* riiiight.

    I want my country's military off Windows, dammit. Now. All that is _compromised_. It's one big trojan horse because of Microsoft's arrogance and belief that they are SO SMART that they don't need to let anyone else into their process.

  • by Anonymous Coward
    I would not be surprised to find that Microsoft has racist and discriminatory comments in their code.

    . At Redmond alone, we have the African American employee group, the Attention Deficit Disorder group, the Chinese employee group, the Deaf and Hard of Hearing group, the Filipino group, the Gay, Lesbian, Bisexual, and Transgender group, the Hispanic, Indian, Korean, and Native American groups, as well as heaps more. Don't sprout this rubbish about Microsoft being a racist company.
  • You know I'm still pissed about the romans invading britain, perhaps I should moan at the italians now.

    And I've never forgiven the french over 1066!

    In fact, I think that Og hit my great great great great ..... great great great grandfather over the head with a club, and Og is releated to you, so you owe me all that extortion money you got from your last employer.

    If someone scrawls some racist/sexist/agist/classist/anti microsoft slogan to a bridge, can you sue the council? No! (Well, I hope not). You tell them its tehir, they remove it.

  • by Sly Mongoose ( 15286 ) on Sunday October 29, 2000 @05:52PM (#666127) Homepage
    Now that M$ have publicly admitted that their IP has been compromised, they are in a good position to complain about anyone producing any competing products.

    If a C# compiler were to appear on the scene for a non-Windows platform, might the authors not be accused of having used M$'s IP in order to produce it? The same goes for any piece of code to appear that threatens their .NET stranglehold strategy.

    I have not seen any definitive list of what code was compromised. Has that been made public? Or are they free to point to anything that appears in future and say it is based on their IP?

    Hell, maybe they are making the whole incident up!
  • by Anonymous Coward on Sunday October 29, 2000 @05:54PM (#666129)
    Today I'm going to tell you a little bit about Microsoft's physical security. Or, how J. Anonymous Coward walked into Microsoft and walked out with confidential data. (And a very large quantity of free Coke.) Unfortunately, I have to leave out a lot of details so as to protect the poor innocent M$ employees who did nothing wrong except choose the wrong employer. Also since this took place in 1998 some of this information may be out of date.

    I wasn't even looking for confidential information. Just turns out that I knew a couple of people who happened to work at Microsoft, and so I decided to pay one of them a visit at their office in Redmond, while I was vacationing in Seattle.

    Now at each entrance to each M$ building there are Honeywell card readers, and each employee has a matching Honeywell card that opens the right doors so he can get to work. With the building I was at there is a front entrance and then a foyer with a receptionist's desk. During the day you have to get by the receptionist slash security guard to the second set of doors, which you also have to swipe your Honeywell card at. (At the building I was in, the receptionist desk was inside the second set of doors.) At night there isn't a receptionist or security guard, you just swipe both sets of doors and you're in. And once you're in a building you can go practically anywhere in that building; there aren't any other security checkpoints.

    If you lose your card you can use the phone next to the card reader on the outside to call in to the receptionist, or to call your friend inside to let you in. This is how I got in. I called my friend's 5-digit extension and they came down to get me. (That's 2-xxxx inside; 425-882-xxxx outside.) There are refrigerators stocked with Coke (and Pepsi) products on nearly every floor. Just help yourself. There are also random arcade games, Ping-Pong and billiard tables scattered around. Each person has their own office, small as it may be; a few people share in some areas.

    Anyway, inside, they have large supplies of blank CD-R's. All of them were factory labeled with the Microsoft logo and the words "Microsoft Confidential" and some other legalese. They are half blue and half white. And most of the developers that I met had their own burner.

    I'm quite sure you can figure out the rest from here, and these are the details I have to omit. I can say it has something to do with caffeine's diuretic effects on developers. But I wil provide a few other details for you.

    Microsoft has their own security people. At night they go around and turn off all the lights in the buildings. Only they do it from the outside, via remote control. I think the system uses RF. (If you're inside, you can turn them back on, though. And be careful, they even turn off the lights in the bathrooms, and the switch can be hard to find. In the bathroom I used, it was about eight inches higher than I expected it to be.)

    Microsoft has an internal server with pre-built installers for most (all?) current Microsoft operating systems, applications, etc. If you need something, you just open the network drive and get it.

    Microsoft's firewall prevents people internal from connecting to certain outside sites. In 1998 this included netscape.com (but not mozilla.org).

    Certain parts of Microsoft source are written in C and/or C++, and these parts are LITTERED with gotos. I mean they're everywhere. It's almost like they'd never heard of do, while, break or continue.

    Anyway, that's my story.

  • you back again? fuck your ancestors. If you hate the white man so much why don't you leave this country?

    Its the new age of racism, I'm not from the south, I don't have a rebel flag, a pickup truck, a shitty looking house or an ugly wife. I'm the average white guy who you can't tell from anyone else.
  • Russia is known as a haven for criminal hackers who, among other exploits, have been fingered for stealing millions of dollars from banking networks.

    Did I miss a headline about this or is MSNBC talking out of their back orifice? Millions stolen? I think would have been headline news.

  • by Tony Shepps ( 333 ) on Sunday October 29, 2000 @04:28PM (#666136) Homepage
    "Microsoft said it was not part of the company's core products."

    Now I'm *really* intrigued. What constitutes a core product? Wouldn't it be interesting if certain languages were "core" and others weren't?

    How would you feel if you paid $600 for Project to run major development work... or used Visual Basic to develop critical code for your company... or

    If the cracker picked up Notepad, they wouldn't have asked for FBI help, would they? If it was MS Baseball 2002, they wouldn't have picked up the phone... it HAD to be something worth more than the bad press that could be generated!

  • No, you're not the only one.

    Nobody stole any Microsoft code. Microsoft staged the break-in as part of its continual goal to create a perception of greater value in their product (if it weren't valuable why would people steal it; why would people pirate it; etc) & to get certain anti-hacker legislation shuttled through Congress (which will help them yield greater control over their product after you've bought it & to fight against open source software's reverse engineering of their proprietary standards for compatibility and publishing of security exploits). The Microsoft staged break-in also helps to bolster their image as a victim, like they claim in the ongoing anti-trust case, rather than the perpetrator, which they are.

    These events did not transpire without a reason. Microsoft wants to control your computing experience from the ground up and will do whatever it can do to further that end.

  • Yes but it goes both ways. See, the whole SMB and Win32 API is so crufty and shitty that nobody at Microsoft (which has an employee turnover of about 98% every 6 months) really understands what is going on in the source. Hey look ! someone has reverse engineered it AND documented it AND commented the source!

    Now Microsoft can use the documentation to understand what is going on in thier own shitty crufty code, thus saving themselves alot of time and money, all by violating the free software licences (GPL for Samba, X11-style for WINE).

    They can also audit the WINE and Samba code to find areas where they can break Windows -> (Wine,Samba) compatibility while maintaining Windows -> Windows compatibility, causing the free software projects to waste more effort in reverse engineering the changes.

    Even though the Halloween documents went public, Microsoft is doing EXACTLY what they set out to do.
  • You must choose between the words virus, trojan, or worm. They have different, but related meanings.

    Yes, but in mainstream articles, everything is a virus. Thus, a worm becomes a "worm virus", or a trojan horse program becomes a "trojan virus".

    "Virus" == "Malicious Program" in the mainstream view. Don't blame the journalists... their job is to tell the story. They have to speak in the common vernacular. "Hacker" == "Someone who breaks into computers", "Hack" == "A Golfer", "Operating System" is generally undefinable, and I knew one very intelligent person who does not use nor know computers who thought from early news stories that Linux replaced your BIOS (given their description of it).


  • > This project is then suspected by MS ... but it would take illegal reverse engineering or a
    > court warrent to confirm ... thus another downfall to MS.

    Since when was reverse engineering illegal? What country would have jurisdiction anyway?
  • I know there's a place for while. But when you need the assembler to do what you want it to do (and btw switch is a redundant feature of C that should have been removed), and you're thinking of your code on the assembly level, you want to use goto.
  • Actually MS Win 2K sells for 60 roubles (about $2)in St. Petersburg. Office costs more because of the extra CDs. Moscow prices at the market are slighly less. It is openly sold and it is quite difficult to find legit versions. None of the clampdowns have been effective and most people stick with pirate distributions. If a top programmer costs about $1000/month, $300 for an OS is a lot of money.
  • You could presumably reverse-engineer the source with a C decompiler. [uq.edu.au] Existing decompilers aren't very good, but beat reading disassembler output.

    In general, C decompiling doesn't recover macros, inlines, local variable names, or compiler idioms, so you get back something that looks like assembler expressed as C source. You're lucky to get something back you can compile. Decompiling is an area that needs more work.

  • by SuperDuG ( 134989 ) <be@eclecREDHAT.tk minus distro> on Sunday October 29, 2000 @02:31PM (#666170) Homepage Journal
    Hypothetical ... but what would happen if the windows source code was released onto the internet ... (ie DeCSS) ... even if it was deemed illegal and the distributors were arrested ... the code would still live on and become what might be the downfall of MS.

    Think about it ... not a rogue OS based off of MS code ... but thousands upon thousands of exploits would turn up thus any computer connected to the internet through a (sarcasm) "secure" internet connection would now be at risk.

    Another hypothetical ... company A comes out with a product that can run all win32 binaries... this os is based off of the source code of windows but is a closed source project. This project is then suspected by MS ... but it would take illegal reverse engineering or a court warrent to confirm ... thus another downfall to MS.

    One more question I have ... If MS is SOOO concerned about their code ... why the hell is it so easy to remote access it?

  • by codepunk ( 167897 ) on Sunday October 29, 2000 @06:20PM (#666171)
    I just left the navy after 10 years of service as a IS type. I can tell you for a fact that Windoze does absolutly nothing mission critical. They might use it for typing up some messages but all combat / intel / recon software is all based on unix in most cases HP.
  • by xant ( 99438 ) on Sunday October 29, 2000 @02:31PM (#666175) Homepage
    Microsoft makes a living off not fixing problems that are brought to their attention in plenty of time. The security officer would probably get a bonus for adhering to company policy so well.
  • It's weird how nobody seems to think there's any other sort of espionage than industrial espionage these days. How about entertaining the possibility of:

    Guess 1.5: Some MSFT employees are intentionally working on relaying MSFT source code to give their government employers better ability to commit IT sabotage at time of war. They ain't working for the US government.

    Honestly, the world does not begin and end with e-commerce. Warfare still happens, and IT is militarily sensitive- it can be an absolute jugular vein if mishandled.

  • Last paragraph in the article is:

    "We've been forecasting worm-based industrial espionage to happen for quite some time," said Mikko Hyppönen, anti-virus researcher for F-Secure Corp. "It has finally happened. I'm just surprised it happened at the top."

    Since these guys are (by definition) running M$ cruft to the hilt and the worms usually take advantage of Outlook/Viral Basic. What better place to target? Someplace that runs Lotus Notes maybe??

  • My fave was a few days ago when Cnet explained the somebody had figured out a code to allow macintoshes on napster..

    Yes.. Up up down down left right left right b a select start...
  • So what about that warship that got stuck in the water because windows crashed?
  • My buddies in Russia sent me the source code of the next release of Microsoft Word. Here it is.
    /* Word 2001 */
    /* Unpublished proprietary source code of Microsoft */
    #include <winapi.h>
    /* call new WinAPI routine */
    Looks like they finally put Microsoft Office into the operating system!
  • Remember in the court case Digital Research bought against them. Microsoft's defense was that they had no version control so they had in effect "lost" all previous versions of Windows and so were unable to present the Windows 3.1 source code to the court as the court had ordered.
  • by Manaz ( 46799 ) on Sunday October 29, 2000 @02:35PM (#666194) Homepage
    Alternatively, he could actually be correct, and merely stating fact.

    While it *is* possible that he's just covering his ass, just because he works for Microsoft doesn't mean that's his only motivation, or that he's not capable of doing his job.
  • Sure, but as long as the source to a released build of windows exists, that constitutes a stable interface. If Samba and WINE strictly adhere to that interface, there's nothing MS can do to break Samba that won't also break at least one version of Windows.
  • by jetson123 ( 13128 ) on Sunday October 29, 2000 @07:04PM (#666200)
    From CNET/AP News [cnet.com]:

    "We start seeing these new accounts being created, but that could be an anomaly of the system," Miller said. "After a day or two, we realized it was someone hacking into the system."

    Sounds like it's OK if accounts create themselves, as long as it isn't too frequent. Just when you get a lot of them is it indicative of a breakin?

    If any attempts to download or transfer the source code were made, such activity was not recorded in Microsoft's logs, Miller said, adding that it is unlikely any source code files were copied because of their immense size.

    Good grief! What were they writing? Software bloat as a protection against theft? So, if it's so big, how do they know it wasn't hacked?

    Microsoft's source codes are the most coveted in the multibillion-dollar industry.

    I still can't figure out who would want Microsoft source code. Basing a new product on code you have transferred from another group is hard enough with their cooperation, basing it on a snapshop stolen from a breaking would seem to be pointless: you are better off starting from scratch.

    With access to these software blueprints, competitors could write programs that undermine Microsoft--or use the data to identify vulnerabilities, making computer break-ins and virus writing easier.

    Ah, the media fully buying into the "security by obscurity" approach. The underlying assumption is that any software must be so full of security holes that we couldn't possibly let people look at the sources. How clueless.

    I don't think one could have written a better satire if one tried. It is sad, however, that technical reporters write this kind of drivel as serious reporting (probably directly copied from some PR releases) and people in power believe it.

  • I'm not saying that he's lying, I'm not that cynical. But I am saying that we should take all first party diagnostics of the situation with a grain of salt.
  • Every day it seems like Linux moves a little bit further behind windows. I mean, this is 2000 and Linux doesn't even support plug and play or dual monitors! (at least not very well)

    Linux does support plug-n-play in 2.4 (beta) which will soon (within months) be a stable release. Dual monitors is completely up to the X server; I think Xfree86 does support dual monitors in 4.0 and I know there are many commericial X servers out there that do support multiple monitors.

    expect the Open Source movement to start finally recognizing that the "high ground" they occupied not so long ago has been taken back by Microsoft, and respond in kind with a much better Linux.

    No, I seriously doubt that. I instead expoect the community to continue to produce quality software without interruption, and without regard for anything M$ is doing. The Open Source community does not try to 'keep up with M$'.

    God bless whoever invented dual-booting

    Certainly not Micro$oft.
  • Is it just me, or does this not make any sense?
    At first Microsoft decided simply to deny access to the trespasser, and shut down the new accounts on Oct. 20, a Friday, Schmidt said. But the intruder returned on Monday through the same route and created more accounts.
    Now, I'm no hacker, but if I had created accounts, and they had mysteriously disappeared, I would be a bit suspicious. I don't think I'd go out and do the same thing again... it would have been obvious that they detected my presence. Does anybody else think this smells a bit funny?


  • Source code in a software company is a lot like the blood in your body. Sure, if you lose control of where it's going, you are in deep shit. But you cut yourself almost anywhere, and you're gonna find some.

    This is their stock in trade and they have hundreds (if not thousands) of people working with it and on it. I can assure you that it will always be 'close to the surface', as it were.

    Take it for someone who also works for a big software company.

  • Code, code, code. Who gives a rat's ass about their hideous source code? Not me. If I were in the cracker's shoes (funny that, I'm white and look at my footgear often), I would carefully evaluate what actions would give the most bang for my hacking buck:

    • Medium bang/buck option: Look at source for a mainstream product: I might figure out how to exploit errors and conditions I wouldn't otherwise find, if I could dig through the sea of crap code.
    • Big bang/buck but risky option: Modify the source for a mainstream product: I might be able to slide hooks or tools into a large population, but I run the risk of discovery when code is dif'ed for QA and component testing. Kind of inelegant, if you ask me.
    • Huge bang/buck option: Modify the code repository or insert hacked compilers at MS that add hooks or tools into libraries or other code at compile time: Then I can infiltrate a huge user base through multiple future MS products with little or no risk of discovery; i.e. no code review will show the hacks, because they never exist in the source. (Imagine if the compiler used to compile Visual C++ was hacked.) Then create unrelated accounts, copy some unrelated code and intentionally leave tracks as a cover.

    Hmm. If I were going to the trouble of entering the lair of the great software satan, I'd surely want more than to look at spagetti code from some hyped-up codeslave just out of college. I'd want to get some mileage out of it, and what better way than to do something with continuing returns? Better to salt the fields than just burn them, eh?

  • by jorgen ( 36633 ) <{jorgen} {at} {trej.net}> on Sunday October 29, 2000 @07:17PM (#666212) Homepage
    winword.c:3: `#include' expects "FILENAME" or <FILENAME>

    Well, looks like they still have some bugs to iron out before 2001. Does this mean Office 2001 will be delayed?

  • I don't doubt you describe things accurately from your time in the service. But this [] was in the Washington Post last July 28.

    It sure sounds like they are thinking of changing a sane policy for the worse.

  • I hope your not indirectly implying Linux's track record is any better?

    I won't just imply it, I'll say it. Linux's track record is better -- at least in this way:

    MS has a reputation of denying and/or pooh-poohing security bugs. There have been a few cases of hackers going to MS, quietly, with bug reports and being given the runaround about them until they get frustrated enough that they simply report the bug to the press to light a fire under MS's ass.

    I mean: how many people would have been surprised to find that MS would have let their employees get remote access using Win/95 boxes? For many security conscious types, that ideas is almost obscene. NT is slightly better, but I wouldn't even THINK of betting my life on it.

    Given that kind of history, I wouldn't be all too surprised to find that there are a few bugs/design errors that Microsoft knows about internally, but "just hasn't had the time to fix" or considered "user enhancements". This probably includes a couple that black-hat hackers have found and not bothered to report to MS or the press.

    This is what (I think) was probably meant by leaving your windows open.

    In the open source community, there's always somebody out there who -- when a security bug is found -- feels some self-interest in closing the problem as soon as possible. This means that the space between reporting a bug, and having it closed by people who care, is as small as possible. If I'm feeling paranoid, I can always go to free BSD who apparently clame Zero remote-root exploits in the last 3 years. I don't have that sort of warm and fuzzy feeling with Microsoft.

    'Nuff said.

  • The intentional back door has been my big concern about this incident from the start.

    I think everything depends on whether the crackers got lucky and compromised somebody who had checked out some code that ran in some kind of trusted enviornment (something like kernel32, to be sure, but also portions of IIS).

    The cruftiness of the code is some protection (as someone elsewhere suggested), but not much. Complex, ill-architected environments are the engineers nightmare and the cracker's natural habitat. The question is whether the crackers had time to figure out a good place to put their exploit.

    Even if they failed to insert an exploit, they'd have a golden opportunity to search for naturally occuring ones.

  • by DeadMeat (TM) ( 233768 ) on Sunday October 29, 2000 @07:20PM (#666224) Homepage
    The important part of the crack wasn't the source code, if they got it. So yippee, terrific, we've got some source code -- but what do you expect to do with it?

    Many posters have noted that Microsoft's source code is notoriously bad, and from what code I've seen (i.e. what they distribute with their SDKs) they're right. The whole thing is one gigantic ugly hack -- they're living in a world where strict C and object-oriented C++ mix freely, and the only thing they do consistently is their stupid variable naming scheme. People whine about Netscape 4.x being an ugly hack, but Microsoft code is much much worse -- it just has the advantage of loading at OS boot time.

    That said, there's very little anyone could pull from any source code they got. Picking it apart looking for weaknesses or trade secrets would be fruitless -- picking apart the source code to their DirectX demos is bad enough, let alone a whole OS. Even before you figure in the legal issues, it's much easier to just reverse engineer the blasted thing.

    What's important here is now Microsoft has to admit that their products are exploit-ridden. One of the greatest problems that computer security advisors have had recently is Microsoft's attitude towards the VBScript exploits; basically, they think that their codebase is good enough as is, with maybe a few patches needed here and there, and if in the meantime a few exploits make their way through then tough. (In fact, security experts rightly point to Outlook Express as the sole reason that worms like Melissa can even exist.) After all, the Microsoft PR people say, it's good enough for us.

    But now someone has forced them to own up to the fact that the security in their products is a joke. Before this exploit, Microsoft spent many a PR dollar blasting Linux for the 'inherit insecurity' of its open-source nature, pointing to the fact that Microsoft itself uses Windows NT/2000 for its servers and nobody's broken into them before. Now that's all changed, and someone has shown that not even Microsoft can trust their own products for maximum security operations.

    The irony is that Microsoft has become a victim of its own policy -- if it works for the most part, there's no point in patching up the little security holes. Well, guess what -- those little security holes added up to one major security hole that struck Microsoft at its core!

    So what does this mean to the average consumer? It means that Microsoft is going to have to work really hard to fix up its codebase. After such a high-profile attack, Fortune 500 companies are probably going to think twice before using Microsoft software for mission-critical operations. Microsoft really is going to have to prove itself in the future, and that means no more quick-fix patches to security holes that fix one hole but don't really fix the overall problem, like the series of IE and Outlook Express patches that come out after every new ActiveX or VBScript exploit is revealed.

  • (all the developers use linux boxen)
    I doubt that most MS developers use linux boxen.
  • Why is everybody so obsessed with source code, Microsoft's or anybody else's? Just what in the heck are you going to *do* with a glimpse of some of the source code to Office or Windows?

    Laugh at banal commentary? Giggle at a misused pointer? Squirm over the indentation? Be mildly shocked at the local variable names?

    Say you got the lot -- now what are you going to do? Fiddle around with n zillion lines of tired, structurally decaying code to make a version of Windows that doesn't work as well as the binary on the box you bought? What's the chances that you will have the least clue what you're doing? Or that it will be actually *worth* anything to anybody? What are you going to do? Spend your life rebuilding Windows? Please, feel free . . .


  • Knowing this, it is just a matter of playing the numbers and eventually...BINGO!

    This is a very interesting perspective, if you think it through a bit. It means that perhaps any source of software should, from a security standpoint, be considered potentially compromised.

    This might be an argument for open source -- at least if you are vulnerable you can audit the vulnerability independently. But it is a very disturbing prospect because software is so ubiquitous, and updatable, it seems, all the way down the CPU microcode. Virtually everybody is working on closed source BIOSes.

  • That might have a chance, that is, if Microsoft didn't use some sort of version control system. As it stands, I'm *sure* their version control/build management system ensures that you can't just 'add' in some code. You would have to go way deep to actually change it. I can say that, at work, I can easily get access to all our code.. but even as the sysadmin, actually changing that code throughout the revision history of our rev contorl system would be *very* difficult.
  • by chazR ( 41002 ) on Monday October 30, 2000 @05:20AM (#666244) Homepage
    I'm pretty sure it was Stewart Brand [edge.org]. There's a reference to it here [theatlantic.com]

    The full quote is "Information wants to be free. Information also wants to be expensive. Information wants to be free because it has become so cheap to distribute, copy, and recombine -- too cheap to meter. It wants to be expensive because it can be immeasurably valuable to the recipient. The result is a tension that will not go away."

    It must be true - I saw it on /.
  • Ain't no original thought in any of my suggestions, just a combination in this particular instance. (Isn't Thompson's suggestion pretty widely known?) In fact, I think someone alluded to a compiler hack earlier in the discussion. The point was that the viewed or stolen code might have been a cover for something else, and that there are a lot of insidious something-else's.

  • This is the most plausible theory, and makes sense to people who wouldn't usually associate with the wing-nuts in the tin-foil beanies.

    It could have been a REAL minor virus/trojan occurrence. These happen at big companies all the time. (I'm a security consultant, I get to see the stuff...)

    Microsoft is not famous for disclosure, even under oath. Nontheless, they have voluntarily made the decision to go public with a damaging publicity incident. They are sure to be milking the cow for a reason...

    Generally, these things are not at all publicized. Keep it hush! Where did this story first break? MSNBC? Did they call a press conference?

    Keep your eyes open. It will be interesting to watch the further developments here. Microsoft are surely interested in manipulation of laws and government, as amply evidenced by the behaviors exhibited in the course of their subpoenaed testimony.

    Bill calls the shots from the top, and he's arrogant enough to think that the Constitutional mechanisms for statute and regulation are archaic impediments to himself, personally - and to Microsoft only by extension of his ego.

    Jeremiah Cornelius

  • I hope your not indirectly implying Linux's track record is any better?

    Why do you hope he's not? Linux track record is better on this score. This security hole is a designed-in flaw in Windows. While all software has the potential to have bugs which cause security risks, the particular problem of launching emailed trojans or viruses is a Windows problem. Unix and Unix MTAs do not launch attachments. The user would be forced to save them to disk and manually make them executable.

  • by matman ( 71405 ) on Sunday October 29, 2000 @02:46PM (#666256)
    That end quote is sort of misleading. From what it sounds, this attack is nothing new - and it didnt first happen at the top. What's more interesting, and accurate, is that even with so much experience in worm vulnerability, Microsoft was not able to protect themselves from the threat.
  • From the article:

    Microsoft's source codes are the most coveted in the multibillion-dollar industry. With access to them, competitors could write programs and challenge Microsoft's products. Hackers also could use the codes to identify software flaws, making break-ins and virus-writing easier. Microsoft has shared parts of its source code with partners, but it has kept the vast majority of the data secret.

    You know, I read this and thought, "If the DoJ really wanted to stop the MSFT monopoly, why not force them to open their source?"

  • I hope your not indirectly implying Linux's track record is any better? It is very difficult to make sure there are no holes, especially when you are one of the most targetet corps on the planet. You can take a million precautions, and when someone does one thing stupid, people cry "no security". The good thing is that they found out, think of all the better hacks that are never found out at all...then you should be scared.
  • A friend of mine suggested a very simple use: Add another back door to the code, recompile it, and distribute it as warez. In countries where most running copies of Windows are pirated, this could be very useful for the attacker.

    If the attacker can get access to one of the facilities where legitimate copies of Windows get installed onto OEM machines, then things become much more insteresting. "Here's $5000. Now, please look the other way while I replace Microsoft's master CD with Folger's Crystals...."

  • I can tell you for a fact that Windoze does absolutly nothing mission critical.

    Except on the USS Yorktown... Apparently this didn't result in Windows being thrown out of the program. Apparently no-one took the risk of kamakazi rowing boats seriously.
  • by Eil ( 82413 ) on Sunday October 29, 2000 @02:51PM (#666275) Homepage Journal

    Couldn't help but notice that the story first said "trojan virus" and then later, "worm virus."

    Nice to see that these "techincal" jounalists are have been keeping up with the lingo.

    JOURNALISTS: You must choose between the words virus, trojan, or worm. They have different, but related meanings.

    Also I'd like to applaud the media for finally giving some attention to a *real* hacker, and not some script kiddie. And d00d with the t00lz can shut down a poorly-maintained website, but it does take a bit of time and skill to track down a Micro$oft employee, find his home computer, and go looking around from there. From the sound of the article, they don't provide any evidence that any code was actually taken or downloaded, just that there is a very high probability that he got to glimpse at some of it, which they remind their readership in every other sentence.
  • by finial ( 151096 ) on Sunday October 29, 2000 @02:53PM (#666278)
    Here's what you could do with it:

    Let's say it was someone who isn't really after Microsoft code just to get the new Microsoft code. It could be someone after Microsoft code to find security flaws in older, installed products. Products that Microsoft is no longer updating yet are still installed on many, many machines (like Windows 95 or NT3.5). If, by reading (not downloading, not uploading, but just looking at) the code, they can find a hole, 85% (or whatever number they use today) of the desktop machines in the world are vulnerable to attack. Why risk going after Microsoft when you've got the rest of the world ripe for the picking and they probably don't even realize it?

    If it were me, I wouldn't waste time on "upcoming" or beta products. I'd go after the older stuff that's already installed, and therefore unlikely to be updated. Stuff that no one is paying attention to any more except to run things like, oh, Quicken or MS Money.

    That way, you don't have to DO anything with the code, you just use it to go after other things. Remember the security/ActiveX security flaw that let you enter a Quicken transaction using IE? How much easier would it have been to find if you had the source code for the underlying flaw right in front of you rather than poking around?
  • by Anonymous Coward on Sunday October 29, 2000 @02:54PM (#666282)
    the code would still live on and become what might be the downfall of MS

    As an ex-employee... all I have to say is "yeah, right". The level of cruftiness in certain codebases (NT, and Visual Studio, for example) is astounding. When I first started there, I was amazed that it worked at all.

    And nothing says backwards-compatible-lovin like working on a file with a creation date over a decade ago.

    Let's just put it this way: those who had access to MS source code probably didn't have a clue what to download or what would be useful. And even professional developers would have trouble making heads or tails of most of the MS code, even with complete access to it. With just bits and pieces, you could probably do better getting a non-tainted hacker (ex: Jeremy Allison) to explain it to you.

    Remember awhile back, when crack dot com fucked up and someone managed to download the Quake source code from them? As a person who got a copy of this, I can tell you that it wasn't particularily useful. Without documentation, and without Carmack to tell you what the hell is going on, it would've been a tremendous task to go through that spaghetti and figure out what it was doing. I could understand most of the low level video functions and that sort of stuff, but when you get into the BSP and internals of the engine - no way.

    And that was just a drop in the bucket compared to the MS source code behemoth.

    - AC for obvious reasons

  • by MightyMicro ( 111816 ) on Sunday October 29, 2000 @02:57PM (#666292)
    Hang on, hang on, you're missing a thing or two about software copyright.

    If your hypothetical company A produced a derivative product from Microsoft's source code, and Microsoft took action, the likeliest outcome (at least in the US) is that a court could order a comparison to be made by an independent expert of the two pieces of source code. If that expert found that there were "striking similarities" between the two, then the case would be part proven.

    Secondly, how long did it take you to write this almost perfect clone of Windows? A week? Really? Can you show me the timekeeping records of the army of hackers you had working on this project to write a "new" Windows? Their names and addresses? No? (And so how long have those guys at Freedows been at it so far?) Your case is now in more trouble.

    Finally, did you have access to the original source code? Can you prove that you didn't? Can all your army of programmers swear affidavits that they have never seen the Windows source code (and could not, therefore, have copied it)? Kinda tricky if it's been published for all to see on the Internet, don't you think.

    Forget the reverse engineering, you're dead.

  • So is Linux. goto's produce a perfect near jmp in quite a few incidinces, making cleaner assembly.

    But, then again, you knew that, right?

  • Print it on toilet paper.

    Then I'd TP Gates' house with it.


    After using it.
  • Am I the only one around here who finds the timing and announcement of this break-in happens to conincide with the timing of both the International Anti-Cyber-Crime Treaty and the anti-hacker bill going through congress? Common folks, this is exactly the ammunition the law enforcement community needs in order to shove down our throats increasing draconian surveillance and criminal laws that strip away what remains of a tattered constitution.

    The timing of this reminds me of the DoS attacks earlier this year which them prompted Congress to increase the federal governments escalation of cracking down on so called 'hackers'.

  • An industrial espionage Outlook script would be trival to write -- just scan public folders and shared drives and silently mail files out in the background.

    A Lotus Notes version of this sort of thing would also be pretty easy in most environments, providing you had access to somebody's User ID Certificate file. (Notes can restrict the programming interfaces to trusted developers, but the default setting is wide open to all users.)
  • by Anne Marie ( 239347 ) on Sunday October 29, 2000 @03:05PM (#666306)
    RIDGEWOOD, NEW JERSEY -- Copyleft [copyleft.net], an open source company that has made a significant effort to support the free software community with financial contributions financed through online sales of "geek chic" clothing, is poised to announce its new winter fashion line. Though no details are yet forthcoming, it is believed that central to Copyleft's new offerings is a blue cotton wedding dress with a thirty-foot train. When asked why, management denied comment except to mumble about needing more space to work with. Rumors of an apparent connection to Microsoft's recent break-ins and code theft remain unanswered.
  • Wrong. It does matter, for the following reasons:
    1. It's going to be a lot easier to find security holes in Windows if you've got the source code. Of course, in Linux this cuts both ways because the good guys can find and fix them much more easily too, but Microsoft aren't likely to be taking patches any time soon :)
    2. Having the source code would make figuring things out for interoperability purposes much easier for projects like Samba and WINE. Of course, neither of the above projects would use knowledge obtained from the crack (if the crackers actually downloaded any code worth looking at) - the legal risk is simply not worth taking.
    3. Finally, the Windows source code could get audited for code that really shouldn't be in there, such as unacknowledged BSD code, or any GPL'd code. I very much doubt that it actually contains any, but . . .
    So, yes, it *does* matter, but not in the ways the general media think.
  • good compilers (read : gcc) will produce near jmps when you use for, while, etc also. e.g., how do you think switch() is done? jump table. and that's the whole point of high level languages, isn't it? To NOT have to second-guess the complier, or try to optimize the code yourself? Now, if using a goto makes the code more readable (i.e., the only other option is 5 nested fors or whiles with bunches of varibles to break out, etc) then that's a good place to use goto...but using goto to try and optimize the assembly is bad.

    But, then again, you knew that, right?
  • by JohnsonWax ( 195390 ) on Sunday October 29, 2000 @03:22PM (#666310)
    Everyone is focusing on releasing Windows source code on the internet or basing products on that code. These I think are unlikely.

    Instead, what if a good hacker decided to drop a few dozen lines of code in amongst the 10s of millions or so lines in Windows to make it easier for *them* to hack. Why hunt down security holes, when you can code them into the product yourself.

    With everyone and their sister using Windows these days, this could give a hacker access to most every industry out there. And given the loose security between MS products, the new code could be in Office, Explorer, Outlook, almost anything. So the hacker downloads heaps of source code from a variety of MS products, finds a good location to insert this code and then modifies and sends a bit back. In amongst all the code that MS has to manage - most of which I'm sure they rarely look at, who would notice? How hard would it be to find?

    Has the next MS product you plan to buy already been compromised? This I think is where the concern should really lie...
  • Does anybody know if there are any precedents on this? Does the law on evidence obtained by illegal wiretaps apply?

    As I recall, Alan Dershowitz did a column in the New York Times when the movie version of "Bonfire of the Vanities" came out. In it, he said only the government was not allowed to use evidence from an illegal wiretap (i.e., one which had been recorded without the knowledge of any of the parties to the conversation).

    Dershowitz claimed (in my memory) that there were no restrictions in a civil suit such as was portrayed in the movie. He also said that it was even OK for the government to use evidence it had obtained illegally if it was being used to discredit perjurous testimony.

    Perhaps an unintended consequence of this incident is that no Microsoft will be able to lie in court about source code without fear of dramatic repercussions. That should severely restrict their traditional deposition-courtroom strategies.

    Anyone know what the law is on this matter?
  • by klevin ( 11545 ) on Sunday October 29, 2000 @03:08PM (#666316) Homepage Journal
    "We've been forecasting worm-based industrial espionage to happen for quite some time," said Mikko Hyppönen, anti-virus researcher for F-Secure Corp.
    "It has finally happened. I'm just surprised it happened at the top."

    Oh, come on. Are we honestly expected to believe that this is the first time this has happened? This sort of thing goes on all the time, they even admitted it earlier in the article. Perhaps this is the first time it's happened to a really large corporation that's then let it the information leak out to the public, but the first time it's ever happened?

  • Some of the intellectually challenged journalists here in Norway have suggested that the event of open source developers having free access to the stolen code would be just what they wished for.

    Oh boy are they wrong.

    Imagine the stolen code surfaces on the net. Imagine Microsoft lawyers all of a sudden start targeting open source projects that are somehow related to the code that was stolen, accusing them of making use of the stolen code.

    Microsoft is a large company with huge resources. Huge enough to take on the US department of justice. I am perfectly capable of imagining how Microsoft could strike a blow at the open source industry and leave it in a legal quagmire for years to come.

  • We had an article in the Sydney Morning Herald today claiming open source was "people who think commmercial software code should be free". The journos have no idea at all. I think we need a company like red hat etc to explain to these people what it means.
  • ...Of course, iff any racist comments are found, that's further evidence that Microsoft needs to be disbanded.

    For crying out loud, Microsoft has thousands upon thousands of employees, and this is the U.S.A. - do you for a second doubt that among all those employees there are a few racists? The company I work for has maybe 250 employees in all and I personally know of at least a couple of fairly virulent racists among that lot.

    I'm no fan of Microsoft at all but I'd bet you a hundred to one that there is no top-down official policy at MS which is racist in nature. Ageist, sure, I'm positive that like the rest of the software industry they blatantly (and illegally) discriminate against older coders, but racist, I seriously doubt it.

    If you summarily shut down every American company with racists in it, you have to shut down damn near every company in the country. The way I feel about capitalism in general, I won't object too loudly, but, you know, there are some sensible people who might not think that is such a good idea.

    Yours WDK - WKiernan@concentric.net

  • When was the article on actually confirming that someone _took_ the code. I don't think anyone has seen it.
    I can understand assuming that anyone who cracks into corporate computers would be capable, and willing to steal propietary source code. The script kiddies of the planet has destroyed an honest cracker's reputation long ago.
    It seems to me that this is what we call hype. Maybe I'm just being ignorant, sorry if I am.
  • by Dharma ( 41782 ) on Sunday October 29, 2000 @03:18PM (#666328)
    Oh I dunno, how 'bout looking for lines such as...

    /* They should be using Media Player anyway */

    /* Dang hippie OS */

  • by weave ( 48069 ) on Sunday October 29, 2000 @03:19PM (#666331) Journal
    Every day the spin gets tigher and the compromise becomes less and less of a big deal.

    By the end of this week, the story will be that an employee got the flu and was home sick for a few days. While working from home under the influence of prescription drugs, he accidently renamed a user account which set off a few alarms, but everything is well because no product deadlines will slip because of it.

  • Firstly, MS are surely negligent and have only themselves to blame if they spotted the break-in several weeks ago (told the Times that the break-in was first noticed when irregular new accounts began appearing more than a week ago.) and did nothing to pull the plug. They could easily have physically seperated systems containing source code from those connected to the net. If code was stolen in these circumstances they only have themselves to blame.

    Secondly, what is this rubbish about a 'brief look'? We all know it'd take nothing more than use of a screenshot facility to preserve the data to read back at ones leisure.

    Thirdly, considering the venom with which MS is likely to chase down anyone in possession of the source code, would it not be worthwhile using a random one-time-pad to encrypt the code and have two people post, independently, the two halves without making claim to it containing MS code? Then a third party could point out that the code can be obtained by the appropriate XORing, and noone (except perhaps the third party, who is doing little more than posting a link) can be blamed, as both the first two have posted nothing more than random data?

    Where would the law stand on this issue?

  • by Anonymous Coward
    Let's say it was someone who isn't really after Microsoft code just to get the new Microsoft code. It could be someone after Microsoft code to find security flaws in older, installed products. Products that Microsoft is no longer updating yet are still installed on many, many machines (like Windows 95 or NT3.5). If, by reading (not downloading, not uploading, but just looking at) the code, they can find a hole, 85% (or whatever number they use today) of the desktop machines in the world are vulnerable to attack. Why risk going after Microsoft when you've got the rest of the world ripe for the picking and they probably don't even realize it?

    If it were me, I wouldn't waste time on "upcoming" or beta products. I'd go after the older stuff that's already installed, and therefore unlikely to be updated. Stuff that no one is paying attention to any more except to run things like, oh, Quicken or MS Money.

    That way, you don't have to DO anything with the code, you just use it to go after other things. Remember the security/ActiveX security flaw that let you enter a Quicken transaction using IE? How much easier would it have been to find if you had the source code for the underlying flaw right in front of you rather than poking around?
  • Did anyone ever stop to think that maybe, if some hackers were to get ahold of the Windows source code, they wouldn't use it for malicious purposes? Perhaps some intelligent hackers would use it to fix some of the massive errors in Microsoft's OS instead of just writing yet another virus.
  • by Sebbo ( 28048 ) <sebbo@seb[ ]org ['bo.' in gap]> on Sunday October 29, 2000 @03:45PM (#666345) Homepage Journal
    The account given by Microsoft officials to the Times also cited the use of QAZ Trojan. Computer security experts said QAZ was a well-known worm virus that first surfaced in China several months ago.

    So the QAZ trojan is a well-known worm virus. Glad we got that straightened out.

To write good code is a worthy challenge, and a source of civilized delight. -- stolen and paraphrased from William Safire