Windows 2000 & Windows NT 4 Source Code Leaks

PeterHammer writes "Neowin.net is reporting that Windows 2000 and Windows NT source code has been leaked to the internet. More on this as we hear it."

it's true

[sperling]

A quick peek around indeed shows something named Windows.Source.Code.w2k.nt4.wxp.tar circulating, but this had to happen sooner or later, considering the number of institutions [microsoft.com] with access to the source. Wonder how long it'll take before a torrent of new worms using newly discovered security holes tear up the net.

I for one would love to peek around in this, more out of curiosity than any desire to actually do something useful with it.

I'll believe it when I see it.

[American AC in Paris]

Zeroeth point: Who? Neowin.net? ...now where have I heard that name before...oh--that's right! Nowhere! It's one of umpteen-dozen Slashdot wannabe sites, your basic news feed/PHP comment page model. I can't imagine they have that much of an investigative team...

First point: The tagline for Neowin.net is "Where unprofessional journalism looks better" I'll take what they say with a block of salt.

Second point: The odds of getting one's hands on the full source to NT4/2K are slim to none--even most Microsoft folks couldn't do that. The code is probably scattered across multiple servers in Redmond, for starters, and you'd only be given access to the parts you needed to work with.

Third point: The article has absolutely no detail to it whatsoever. For all we know, they've released a trojan masquerading as the source code and are trying to sucker geeks and 14m2rZ into downloading it.

...as the site is probably going to crash hard very quickly, here's the article text:

Neowin has learned of shocking and potentially devastating news. It would appear that two packages are circulating on the internet, one being the source code to Windows 2000, and the other being the source code to Windows NT. At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them. Microsoft are currently unavailable for comment surrounding this leak so we have no official response from them at the time of writing.

This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.

We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to the Microsoft's Anti-Piracy department.

Close you eyes!

[exhilaration]

...LEST YOU ARE CORRUPTED!!!

Seriously, don't look at it, you will no longer be considered "clean" and might become a liability to any project you work on.

Just don't use the code

[Midnight Thunder]

What ever you do, don't let the code influence your projects. The last thing we want is Microsoft joining in with SCO and accusing the open source community of using MS code in an open source project such as Linux. Sure you probably wouldn't want to with its reputation, but I am sure there would be those who would be tempted.

Do NOT read that code!

[AuMatar]

Do NOT read that code if you ever wish to program for an open source OS, ever. Doing so will make you tainted- you open the project up to allegations of copyright infringement. Unless you never want to contribute a single line to Linux, *BSD, etc, checking out that code is a bad idea. Its almost a surprise MS didn't "leak" Win 95 or 3.1 years ago to catch open source developers like this.

Not good

[savagedome]

This is not good. Windows is designed primarily with 'security by obscurity' in mind. The security holes indeed show up every often and we have worms making it to the gazillion windows boxes before the patch does. Get ready for a deluge of worms/virri. Another bad week/month for sysadmins.

If this is true...

[thesolo]

I haven't been able to even get to Neowin, it's been slashdotted since before this story even made it to "The Mysterious Future" here on /., but think about what this means if this is actually true. The potential vulnerabilities. All the trade secrets Microsoft put in there. Hell, IE 5 was released with Windows 2000, so if this is full source, it means IE 5 and the trident engine are in there as well.

If this is true, today may be the day that everything changes.

Re:Do NOT read that code!

[Samari711]

oh take off the tinfoil hat already.

that's like saying the beatles can sue every musician who ever listened to them for copyright infringement

Is the code that bad

[jhoger]

Is the code that bad such that this news story considers this so dangerous to Microsoft? Seems a bit hysterical to me.

I don't know how useful it is to WINE, etc... OSS developers not wanting to be "contaminated" by looking at the source code won't look at this stuff anyway.

Re:So is this the beginning of something...

[webroach]

Sure it's illegal, but so have many things Microsoft has done.

I'm not sure that kind of justification really works. It also doesn't help the open source community, IMHO. I can't agree with the "let's sink to their level" philosophy.

Re:Close you eyes!

[djh101010]

This is actually very good advice. There's probably not a lot of "Wow, that's a great way to do things" in there, and you certainly don't want to be in the position someday of sitting in a courtroom with a bunch of MS lawyers, explaining how even though you downloaded a copy of it, the work you produced since isn't derived from their IP.

It wouldn't be the first company to pull someting silly like that, after all...

tin foil hat

[wildcard023]

Ok so here's MS's plan.

Step 1) Leak their source
Step 2) Sue Onen Source developers down the road because obviously they have studied the MS leaked source.
Step 3) ... Ya, I'm sure you know what goes here.

Ok but seriously, I'm not touching it. The last thing I need is Microsoft saying that I somehow owe something to them.

Jerks.

--
Mike

Re:The shit will hit the fan + Mirror

[milgr]

Could this potentially help the WINE Project?

IANAL but I would avoid looking at the leaked code - especially if I was working on a project like wine. You wouldn't want wine to sued out of existence because it contains code derived from a proprietary, copywritten system.

Re:Server problems ALREADY...

[Docrates]

but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.

I disagree with the reporter. Because of the added scrutinity a widespread access to the sourcecoude will generate, it's more likely that we'll finally see a tight, secure Windows 2000 and NT. That is, if Microsoft accepts fixes, tips and advices from the hacker community as they should. If they don't, I can already see the unofficial Service Packs doing a much better job than Microsoft's.

Re:omg

[Dreadlord]

Mr Bill isn't the only one in a bad situation here, with the source code available to all those crackers/virus writers, there will be lots of new worms and exploits, millions of Windows users will be in a much worse situation too.

Worms and exploits will start to appear quicker, and more frequently than ever.

Re:The shit will hit the fan + Mirror

[lcde]

Allthough driver 'wrappers' and the like would be awesome for the linux community. think of the lawsuits that would start if linux 2.7.0 had much much better support for NTFS and the like.

this actually can hurt us more than help.

Re:it's true

[MenTaLguY]

I for one would love to peek around in this, more out of curiosity than any desire to actually do something useful with it.

I hope you weren't planning on ever contributing to any Open Source projects after doing that. If it's later demonstrated that you had access to the W2K source and contributed vaguely similar code (even by accident) to a project, it could have severe repercussions for that project.

I doubt Microsoft would leak it deliberately, but this does open the door to a whole SCO-esque can of worms from now on.

Now W. Russell Jones can put his story to the test

[ThogScully]

In the last article on the /. home page, we have W. Russell Jones talking about all the insecurity of having source available in open source projects.

I'm afraid we've reach a massive failure here in security by obscurity, but time will tell. If this is true and if there are lots of security holes discovered, I find it hard to believe even a company of Microsoft's size can respond quickly enough to keep the outbreaks down. This threat is why open source is better than what W. Russell Jones made it out to be. The threat of security failing because of leaking source just isn't there with open source.
-N

Re:Server problems ALREADY...

[Mr. Piddle]

At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them.

How big are these files? I would expect the size of these tarballs to be comparable to Linux Kernel + GNOME + Mozilla + misc userland/bundled equivilents. If they are unexpectedly small (like less than a gig for W2K), then they are probably a hoax.

The danger of tainting

[12dec0de]

Now I guess those of us who write code for free project have to be double carefull what code we read and who tracks us doing so.

I can allready forsee the seize-and-desist letters to free projects, claiming that one or more developers are have been tainted by knowledge of 'proprietory information' from microsoft, and the enclosed clicktrail on www.w2k-source.com provides the nessecary evidence. And you thought you were just checking out driver support info on a community site.

mfg lutz

Re:Just don't use the code

[SkArcher]

Exactly

In fact if you are involved with an Open Source project (especially Kernel and Window Manager projects) I suggest you do everything possible to avoid seeing this code.

Accusations of Taint are undoubtedly going to spring up from this, and you would be better to be well clear.

I will confess to a certain curiosity as to what the results of a comparator test would be though.

What's the big deal?

[Animats]

What the NT kernel does is well understood. The object code is widely available, and key parts, like file system formats, have been reverse engineered. There's plenty of documentation. A few major development shops have access to the source anyway. If you're into kernel architecture, it might be interesting, but otherwise, so what?

Re:Do NOT read that code!

[TekPolitik]

Do NOT read that code if you ever wish to program for an open source OS, ever...

Of course those of us who are also lawyers can safely read other peoples' code, because we know exactly what to do to avoid infringing. It is possible to extract knowledge from the code without breaching copyright, but...

Getting a copy of the code at all is a breach of copyright.

Re:So is this the beginning of something...

[damiam]

Anyone who looks at that source is pretty much legally prohibited from ever writing a line of remotely related code for any project. If Wine attempted to make any use of this leak, it would immediately become illegal in the US, EU, and most other copyright-enforcing countries. Probably no one would bother the users, but anyone redistributing it (or developing it) in the US would be cracked down on.

Re:it's true

[sperling]

And that's exactly why I won't even consider downloading this. I make a living as a programmer, and if I have access to this source Microsoft, with the resources they posess, could make the rest of my professional life a nightmare.
As much as I'd love to peek around in this, I won't risk it.

Re:hmm seems a bit buggy

[jmorris42]

> It *amazes* me that it hasn't been routine.

Because most people are paranoid enough to assume M$ watermarks each distributed copy to allow them to trace it back to the point of release. But now they are giving copies to governments like China and folks there just don't really give a damn about western notions of copyrights.

this could be really bad

[G27 Radio]

The Windows code hasn't had nearly as much peer review as open source OS's so I won't be suprised if this leads to a ton of exploits. The big problem here is that this source will be available to any black-hat that wants it--they obviously aren't going to be concerned about the legalities of obtaining leaked source code. But the businesses that use Windows aren't going to be able to audit the code for security leaks unless they obtain it illegally (or sign some agreements with Microsoft and shell out bundles of cash.)

OSS developers, don't be tempted to look

[jd142]

I think from a legal standpoint it might be very important that OSS developers not look at the code. Even though they didn't leak it, MS still has rights to the code. If an open source program took advantage of illegally leaked code, what would the legal ramifications be on the OSS project? I don't know the answer, but I'd be willing to be real money that MS would sue. I remember reading an article where the SAMBA developer said he was very careful not to look at any code because of this. Reverse engineering is fine, but you don't get any help to do it.

Re:Do NOT read that code!

[GoofyBoy]

>Its almost a surprise MS didn't "leak" Win 95 or 3.1 years ago to catch open source developers like this.

Please, you are talking about sacrificing the source code for NT and 2000 just to hold off OpenSource projects, which WILL happen eventually regardless of what lawyers say. They can't stop every comptuer science student out there from writing and giving away programs.

The number of virus created and holes which will be found (now and years in the future), IF this is true, will almost destroy any IT administrator to a weaping mound of tears and make them seriously consider moving to Linux/BSD/Mac.

Moving to XP won't help because this could happen with that code also.

So, IF this is true, this MIGHT be more damaging to MS than the Dept of Justice thingy from years ago. Not something MS would want to do on purpose no matter what they think about OpenSource.

Re:Do NOT read that code!

[cmowire]

That's not entirely in the tinfoil zone.

The basic problem is that if it's clear that you have viewed the source code and make substantial contributions to a project that competes with Windows, MS will be able to, without being laughed out of court, at least file a lawsuit against you and ruin your day.

The correct analogy is sampling large portions of a beatles song or performing your own rendition of it. If you try to record a beatles song and sell it, you had better pay the proper song royalties or you will get sued.

I'm really fascinated about, if this turns out to not be a lie, the long-term ramifications of this. It's a can of worms that you can't undo. Its impact on the number of security holes, any commentary by third party sources, etc. will be most interesting. Especailly given that it's probably reached areas already where it doesn't have the sort of protections that it has under US laws. ;)

Re:it's true

[El]

So, if any Micro$oft employees have ever looked at Linux kernel source, they are no longer allowed to work on Windows 'cause now they are tainted? Either the sword cuts both ways, or not at all.

Re:An open source of Windows... of sorts?

[DaHat]

No, no and no.

Unless this source 'leak' was officially sanctioned (which we know it wasn't), possession, use, distribution, etc of said source would be illegal, regardless of if you have a legitimate copy of windows 2000 sitting on your home pc.

Also, the EULA covers the final product, not the original source. There are separate license agreements for that source.

Re:Just don't use the code

[cybermace5]

*** CONSPIRACY THEORY BEGIN ***

I remember someone on here, a while back during one of the SCO stories, wondered what would happen if Microsoft released the source code, but under such a devious license that contamination would be fatal to an open-source project.

Maybe someone at Microsoft thought that was a neat idea.

*** CONSPIRACY THEORY END ***

As far as looking at the code: the only real reason to examine it is to find new exploits. No developer is going to slave over that source in order to find bugs and repair them, since there is no legal way to do it.

Re:Compilation and Windows source code

[DR SoB]

It's in c (at least the core pieces). the older modules may contain assembler.

That is a MYTH

[FreeUser]

I hope you weren't planning on ever contributing to any Open Source projects after doing that. If it's later demonstrated that you had access to the W2K source and contributed vaguely similar code (even by accident) to a project, it could have severe repercussions for that project.

IANAL but I do read Groklaw, and from what I understand copyright restricts the act of copying (duplicating). You can study someone's implimentation of something as much as you like, then go impliment something similiar yourself. As long as you do not copy the code verbatim you are not in violation of copyright law.

Otherwise, no student would be able to code having once looked at examples in a text book ... the textbook author would own all of your code.

The problem is, of course, proving one implimented the code oneself and did not in fact crib the whole thing from someone elses code, and the greater the similiarity (for code of sufficient complexity ... trivial code will generally be similiar regardless) the more difficult that is.

In any event, it is a myth that, simply by looking at, or even studying, one set of code one is somehow "tainted" and unable to contribute to another, competing project, be it free or proprietary. To violate copyright law one must copy, not just receive inspiration from.

Re:this could be really bad

[cmowire]

That is exactly my thoughts.

The interesting part is the difference between Win2k and Linux. In both cases now, the black hats have access to the source code. However, there are more white hats who have access to the Linux codebase, which will make for some interesting long-term implications.

This also has the potential to solve the NSAKEY contriversy once and for all and provide some interesting insights into how Windows works. I'm wondering if, through the use of countries with more flexible copyright systems, it would be possible to document interesting attributes and then pass them back to WINE and other open-source folk.

So...

[El]

My question is, has anybody managed to get this steaming pile of manure to compile? Seems like one would need to do that and then compare the binaries (ignoring any timestamping) before assuming this is authentic.

Re:Open Source

[DarkBlackFox]

No, but how long will it be until Microsoft pulls an SCO and accuses open source of integrating MS code? If it is indeed true, and the code is floating around out there, and within a few weeks a miracle version of Wine is released which suddenly has 100% compatibility, what would MS's reaction be?

Re:MOD PARENT UP

[jason0000042]

www.litestep.net, or litestep.com. Works pretty good too.

Re:it's true

[weileong]

Either the sword cuts both ways

You're assuming the law will be applied fairly and evenly.

Screw legality

[schmiddy]

Know what. Screw the whole legality issue. Those who have a foot in both the software design (even OSS?) and warez scene need to nab this. Much positive work could be done with windows/linux compatibility once we figure out the obscure protocols that windows uses. Yeah, it'll be legally grey, but who cares.

This will probably elicit a lot of replies about how Linux needs, especially now, legitimacy, especially under scrutiny of corps hoping to use it on desktops/servers. Individuals wouldn't care as much, obviously. They're right, in part at least. However, I've always admired the range of software choice Linux has, and just like Debian doesn't ship with all the necessary mplayer codecs.. they're out there, if you want 'em.

On another note.. what if someone took the code, released Linux software designed to help, say, samba, or something. Then another developer, without looking at the actual code for that program, made their own derivative by decompiling/whatever?

Re:Seems a little small

[opusman]

Source code (being mostly text) should compress a lot better than compiled binaries.

Re:Do NOT read that code!

[Samari711]

i think my analogy in context of its parent makes sense. the parent sound like the mere act of viewing the code forever infects you with microsoft code and you can never make any contributions to any open source project ever again (talk about viral). obviously copying code from windows into linux would be a big no no, but to just looking at it does nothing.

to further my analogy a little bit, say a beatles song uses a C G D chord progression and i've written a song using the same progression i'm still safe even if i know that i'm using the same chord progression so long as i didn't take it from the beatles. i could either have come up with it on my own messing around or been shown it elsewhere.

Re:So much for security through obscurity

[Monkelectric]

Could this be a ploy to spur Win2k+3 updates? Blame the hackers for making win2k insecure. Oops you gotta upgrade now, sorry,

It's a TRAP!!! /Adm. Ackbar

[Thud457]

Microsoft is sooooo obviously trying to pull an SCO here.

If you work on any Open Source project, DO NOT LOOK!

A lot more lawsuits are coming?

[ezh]

Now SCO can sue Microsoft for stealing their code, too! *LOL*

Seriously, though... If the circulating source is really NT4 & W2K, that would give a powerful instrument to both sides - the ones who wants to sue Microsoft for stealing their technologies and for Microsoft, too, since from now on they will be looking very closely at newcoming products of their rivals.

Re:Do NOT read that code!

[happyfrogcow]

The correct analogy is sampling large portions of a beatles song or performing your own rendition of it. If you try to record a beatles song and sell it, you had better pay the proper song royalties or you will get sued.

Yet if I learn to play guitar by among other things, listening to all of the Beatles songs and playing along, do the Beatles own the rights to any future song I write? Goddamn hell freakin no! How is that any different from learning things from viewing MS, or any other persons code?

I've learned to code by doing all sorts of things over the years. Among them, learning from coworkers code. Applying that knowledge at my current job doesn't make the propoerty of my current employer a derivitive work of my employer from 5 years ago, even though I had access to the source code of that previous job.

Re:it's true

[Anonymous Coward]

And that, more than anything else, is why this code leak helps the black hats far more than the white hats.

Mirror: An Insightful comment from Neowin

[metroid composite]

#1.3 Reply by cowabunga on 13 Feb 2004 - 02:16

About when is it time to buy som Microsoft stock? In an hour when it plummets and then sell tomorrow when its back up after they find out its all bull

Maybe someone trying to make some money this way or MS is agressivly pushing their customers over to XP

Worth mirroring I thought.

Re:That is a MYTH

[Bootsy Collins]

> I hope you weren't planning on ever contributing
> to any Open Source projects after doing that. If
> it's later demonstrated that you had access to
> the W2K source and contributed vaguely similar
> code (even by accident) to a project, it could
> have severe repercussions for that project.

IANAL but I do read Groklaw, and from what I understand copyright restricts the act of copying (duplicating). You can study someone's implimentation of something as much as you like, then go impliment something similiar yourself. As long as you do not copy the code verbatim you are not in violation of copyright law.

What you're saying about copyright is correct; but that probably isn't what MS would come after you (and your open source project) for. It'd be patent and trade secret violations.

That said, I don't know whether the unauthorized release of code would invalidate subsequent trade secret claims. On one hand, it seems crazy to lose trade secret protections because of an illegal or unauthorized act; OTOH, it seems crazy to call something a secret that, well, isn't. Maybe someone who is a lawyer can discuss.

Re:Now? Improve emulators!

[harrkev]

Yup. And films should not be copyrighted because the film studios did not invent silver nitrate.

And CDs should not be copyrighted because they did not invent the photon used to read it.

If you take this to its logical extreme, any file is simply an extremely large digital number (millions of bits). How do you copyright a number? So it is then not possible to copyright ANY digital work.

Re:That is a MYTH

[Anonymous Coward]

You're missing the point of how you got the code in the first place. You had to make a COPY to read it and that copy is a violation of copyright.

Re:hmm seems a bit buggy

[zurab]

It *amazes* me that it hasn't been routine.

I agree. Remember, at the trial MS argued that opening or showing parts of Windows source code would be a threat to national security. Not long after that, they gave their source code to Russia, China, and many multi-national corporations and other organizations as part of their Shared Source initiative. Now, don't know where the source was leaked from, but 1 + 1 = ?

If in fact, this story is true, MS is riding against the wind here. It is feeling pressure from the Open Source while its security, software, and business models are based on keeping the source secret. If so, how long can they keep up?

Re:MOD PARENT UP

[nickos]

I thought Litestep just replaces the shell (ie explorer.exe). Is there any way I can change the click-to-front behaviour of Windows to use the Amigas (or WindowLabs) click-to-focus but not click-to-front model.

Nope? - didn't think so.

The only way I can think of doing it is using hardcore hook stuff. Having the code would be *much* easier.

Re:The shit will hit the fan + Mirror

[philci52]

Possibly, but would they really want to? The samba group ended up with faster code then MS by reverse engineering the SMB protocol instead of inheriting a bunch of code patched by different people over the years. I would imagine looking at the source would solve a bunch of problems for the short term.

Of course if this turns out to be true and all.

Re:So much for security through obscurity

[mwheeler01]

win2k+3? wow that's much easier that typing win2003...I don't care mod me down, abreviations and acronyms have gotten out of control!

Re:In other news...

[isolation]

This is not funny. I have been working on ReactOS and WINE for quite a few years and do not want to see my work put at risk. Or have my project become the target of of a Microsoft Sco-like case because some twit puts Microsoft code in to ReactOS.

- Steven

Samba 3.0 is potentially, royally, screwed.

[Ayanami Rei]

Before now, it could be assumed that Samba developers were working from scratch- clean room implementations, because it wouldn't be possible for them to have the source code.

Now, unless the leak and spread can be precisely pinpointed, the Samba project could be the target for attacks under the "assumption" that they were sitting on this and that's why it works as well as it does. Whether or not they think this is true is irrelevant, they just need to let their legal team sink their claws into it, and muddy the waters.

patents and trade secrets.

[ecalkin]

there might be patent issues, but i think they list those one the software or license somewhere. my understanding of trade secrets is that it is their reponsibility to maintain a the secret. and if this is *really* source code for nt4/win2k, it's not a secret anymore.

eric

Re:The shit will hit the fan + Mirror

[happyfrogcow]

No. If the Wine folks look at the actual Windows source code, they aren't reverse engineering any more, they're copying, which is illegal

I'm tired of this b.s. Since when has looking at something been equated to copying it? Copying is copying. Looking is looking. However, obtaining the code is probably a copyright violation. After all, this post is not a copy of your post. It was inspired by it, I looked at your post, I legally cited your post, but I did not give you the rights to my post by doing so, nor can you force me to remove my post.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:The shit will hit the fan + Mirror

[jps3]

The contention is that you would have a dickens of a time proving in court that you were not directly influenced or did not directly copy the copyright work. Do you have the financial security to take this through the courts and win? No? Then, keep your nose clean. If you don't want to stink, don't go near the shit.

I understand what you're saying, but it's best to steer far and wide and very clear of it. Treat it like nuclear waste. You don't even look at it no one can try to taint you.

Expected

[marko123]

Forget your brand of "MS is doing it to get us on the sly".

How about:

MS took a calculated risk in allowing the Chinese government access to the code in order to secure more sales, and are now paying for it, because someone Freed Billy!

SHORT THE STOCK?

[macshune]

Speaking of "a world of hurt," wouldn't the general reaction to a leak of this kind cause a precipitous fall(big or small) in Microsoft's stock? If was an investor, I would totally short the stock right now, since there will probably be some crazy reaction at just the hint of a leak...probably because people will think it's a bigger deal than it will end up being.

It looks as though at the end of the trading day, MSFT did lose some value. [yahoo.com] If not short it, then maybe sell it, if only to pick up some deals later...

Re:How it can go wrong

[Anonymous Coward]

ummm he let detectives do a raid?

i would have kicked them the hell out then called the police for attempted burgarly AND pretending to be a law enforcement officer.

Re:Interesting...

[gui_tarzan2000]

You know, something really bothers me about this whole stealing code thing. You can only write how to do a certain thing just so many ways. This is true in any programming language.

So having said that, why does it surprise anyone that two identical lines (or whole procedures) of code end up in two different programs or operating systems? The code to control the hardware can only be written so many ways.

Besides, if the way all MS code acts is any indication of how it's written, the only place I can see it being of use is with virus/worm/trojan writers and geek comedy clubs.

Please be a hoax!

[raw-sewage]

I sincerely hope this is a hoax. On the one hand, it would be great to point to the Windows source code and say, "See how terribly written, buggy, crufty, etc closed-source code is?" And the rash of exploits, worms and virii that would follow would only underscore that comment.

But, it only takes one person to look at the Windows source, then go do something vaguely similar in Linux (or any OSS project for that matter). The result would be devastating: Microsoft would litigate Linux to death.

As many have said, the principle behind these copyright suits is awful. Looking at code, then doing something somewhat similar (because of inspiration) should not be a copyright violation. But with Microsoft's legal and financial resources, the laws will "adapt" to what is most beneficial to them.

I can only echo what many other have said: for the sake of Linux and OSS in general, do not look at the Windows source!. That's a very conservative and overly-paranoid policy, but it's a invaluable measure for protection.

To me, general acceptance of open-source software is similar to political elections: every last spec of dirt is drug out and put under the spotlight. Any potential or suspect or even misunderstood characteristic is scrutinized, and the naysayers always manage to put a negative spin on it.

Open source only stands a chance if it can maintain the straight and narrow path... I hate to sound preachy, but any slight mishap, no matter how innocent or accidental, quickly turns into a major catastrophic disaster. There's just too much money and power interested in seeing OSS fail.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Analogy

[t_allardyce]

Penguins spend their lives in the freezing cold fending off polar bears and rouge iceburgs and catching fish, they are totally used to it and even if a particular nasty polar bear comes around they can usually deal with it. If you release a home-trained hampster into that environment its just gonna die.

Re:The shit will hit the fan + Mirror

[mangu]

The contention is that you would have a dickens of a time proving in court that you were not directly influenced or did not directly copy the copyright work

What part of "being proved guilty beyond reasonable doubt" didn't you understand? It's the accuser's task to prove the accused party guilty, not the other way round.

Re:it's true

[iminplaya]

And that's exactly why I won't even consider downloading this.

And here lies one of the most basic problems of copyright. Nobody can see the other's code...to build on and possibly improve. Everybody has to learn what is already known by themselves. That slows down the whole developement process to a virtual standstill. I think this whole copyright mess has probably set us back anywhere between 50 and 200 years. This applies to all human work, not just computers.

Re:So much for security through obscurity

[homer_ca]

No, it's the same codebase. Big parts of it are rewritten for every release and new parts are written from scratch to support new features, but a lot of it is the same. How else do you explain that most of the security bugs affect every Windows NT version from 4.0 to Server 2003? They were rewritten from scratch with the same mistakes?

Re:Now? Improve emulators!

[axxackall]

So it is then not possible to copyright ANY digital work.

Finally you are getting smarter. But just for case if don't understand it yet: all copyrights are bad. The world without copyrights would be much better. Demonstration: compare the quality of copyrighted Windows to copylefted Linux.

America is great because America is good, and if America ever ceases to be good, she will cease to be great.

And this is exactly what's happened to America after 2001/09/11.

By the way, America was never better than many other countries, like England or Australia. So, guess what?..

Re:So much for security through obscurity

[Fizzog]

Adding Microsoft to the SCO mix would make no difference whatsoever.

IBM's legal team make Microsoft's look like first year law students. IBM's lawyers held the DoJ at bay for DECADES. Not even Microsoft are prepared to mess with IBM. The moment IBM called SCO's bluff SCO knew they were dead.

And if Microsoft could buy them with a month's revenue imagine what IBM could do. They are a little bit bigger than Microsoft you know...

I just think it's funny that IBM were everybody's worst enemy in the 70's and 80's, and now they are usually the ones doing the right thing by the industry.

Are you sure ?

[bmajik]

The Windows code hasn't had nearly as much peer review as open source OS's

What do you know about who reviews the windows code ?

Also, what assumptions are you making about the number of people, and their qualifications, that are reviewing OSS code ?

Re:So much for security through obscurity

[puck71]

I'd say that's misleading at best. The reason there have been more worms/virii/etc. that attack 2000/XP than 9x is purely numbers. There's so many more computers running than 2000/XP than 9x, why bother writing any kind of worm that targets 9x?

Coincidently, this is also one of the key reasons that there are more worms/virii released that target Windows than Mac or Linux - why target Mac or Linux when you can target Windows, with many, many times more users?

The real question is, of course -

[blorg]

Why this is perceived as such a security threat to Microsoft, when it's not for Linux?

Re:this could be really bad

[ianr44]

This also has the potential to solve the NSAKEY contriversy once and for all It only has the potential to show that there are backdoors. If there are no backdoors are in the source, the tinfoil hat crowd will just say that the leaked source isn't the version used to build windows binaries, and the controversy will continue.

Someone please check against DDK

[Googol]

or other released code. It should be possible to triangulate the source against existing released software, so at least we can know what exactly it is and whether this is a hoax or not.

Re:it's true

[rixstep]

Moving from cathedral to bazaar isn't easy. This stuff has been closed all along, and although people have been able to sense what moronic code the Beast has produced, it will be first now that they'll see with their own eyes.

Linux has had the advantage of being checked, line for line, from the beginning. NT was an estimate 16 million lines of code; 2K three times that much. That's a lot of code.

I think what people will see, most for the first time, is exactly how bad the coding is in Redmond. This will cause some laughter, and some shock. I think they'll find that parts of the NT kernel were strangely well-written, coming as they did from David Cutler's 'tribe' and the DEC Prism project on which NT was based. On the other hand, I think they will find that other parts, such as the GDI, were horribly written.

And it's all good, IMHO: eEye and Guninski and others have been able to give us a bit of a picture of how bad things are there, but we'll finally be able to see with our own eyes.

It won't be a pleasurable experience.

Re:The real question is, of course -

[kaschei]

Because Microsoft doesn't accept code updates from people who know better than they, so any bugs that are revealed are not going to be fixed through the increased visibility of the code. Having open code is only good if you have the will, the ability, and the infrastructure to make use of its openness. Microsoft is famous (infamous?) for lacking all three.
The short of it is: no "free" security updates a la linux, just more visible bugs to exploit.

Re:The real question is, of course -

[DarthTaco]

" Why this is perceived as such a security threat to Microsoft, when it's not for Linux?"

The assumption is that microsoft writes insecure code, and depends on it's non-publication to keep this a secret.

I think this assumption is mitigated by the fact that so many universities have a license to look at the source.

The real source is 300GB

[PaulMaximne]

I have a friend who had access to the source in his last job and he told me that it is 300GB. So if this thing that's floating around is any less than that it can't be the entire source, or it's a fake.

Paul

Re:Time to look for GPL violations!

[kisak]

But assuming they find some lines of GPL, can't microsoft just deny that the source code in the wild is the propert code for Win2000?

Re:Life is good.

[PeeweeJD]

ummm... prolly because you post as Anonymous Coward? Its just a thought...

Re:You're missing the point

[conteXXt]

It seems that you are not looking far enough.

Computers are necessary.

If windows is untrustable, what do you do?

(Hint: There ARE other operating systems that run on PCs)

Re:What now?

[Bagels]

Not likely - the WINE folks could just show some code from before the leak with the "similar routines" included. That said, they'd have to find a way to *prove* that it came from before.

Re:Just curious...

[GoofyBoy]

>I respect your integrity, but as far as I'm concerned MS is a pretty sleezy company so I'm not gonna shed any tears for them.

Its about not stooping to their level.

The main drivers of OpenSource are those which just program and share, not those that fight dirty/go on illogical and embarassing rants.

Look at SCO. I assume that there are many fine people there, but how do you view the company as a whole? After this SCO vs. IBM thing is over, what is your impression of them?

Re:MS giving source code to countries

[leerpm]

I guarantee, that if it was one of these countries who gave it away. They will be caught. Why? Because Microsoft probably made small but unique cosmetic changes to each of the codebases they released. Essentially, putting a unique fingerprint on it in each instance they have shared out the code.

Re:It's a TRAP!!! /Adm. Ackbar

[gujo-odori]

If you work on any Open Source project, DO NOT LOOK!

This is extremely good advice. I would go even further and say that if you would ever like to work on an open source project, don't look. The presence on a project of a person who had seen the Windows source could put the entire project at risk.

For a very practical example, consider Samba. If a person who had seen the Windows source were to contribute to Samba and it were later to come to light that the contributor had seen the Windows source, in the name of safety every piece of code that person contributed would have to be ripped out and replaced. Worse, to guarantee that there was no trace of taint, it would probably have to be replaced by people who had not only never been exposed to the Windows source, but who had also not seen the contributor's tainted code. In short, it would require the recruitment of people who had never worked on the project before, or even read the source. Finding those people would not be easy, to say nothing of the time and credibility that would be lost.

For that matter, even if you have legally seen the Windows source because Microsoft has provided it to your employer under their shared source program, the same taint would follow you. If your employer has access to Windows source and your job does not require you to see that source, do yourself a favor: don't look.

If you look at the Windows source, you at the least taint yourself WRT working on any project aimed at interoperability with Windows, and quite possibly on a much wider variety of projects than that.

In short, JUST SAY NO.

Re:it's true

[mix_master_mike]

"A quick peek around indeed shows something named Windows.Source.Code.w2k.nt4.wxp.tar circulating"

How does one take a quick peek to see such a file is circulating?

The point?

[miffo.swe]

In this case the point should be that people who bought into the MS security concept will feel screwed. The ones on other systems will be able to do their business as usual while crazed windows admins run around firefighting for their lives.

I cant imagine how this could have a bad effect on linux at all. A big boost for ABM and the industry as a whole would survive just fine without MS. It isnt like MS has really truly made something significant other than piggybacking and marketing.

Re:The real question is, of course -

[mangu]

Why this is perceived as such a security threat to Microsoft, when it's not for Linux?

Because the Linux source code can be legally downloaded by the "good" guys, who go and fix the holes. OTOH, only the "bad" guys download the Windows source code (it's illegal to do so, you know), and they go and create exploits based on the holes.

Re:it's true

[GlassHeart]

here lies one of the most basic problems of copyright. Nobody can see the other's code...to build on and possibly improve. Everybody has to learn what is already known by themselves. That slows down the whole developement process to a virtual standstill.

I agree that a lot of reinvention has to go on, but I think you exaggerate the effects of not being able to reuse code. To begin with, people tend to forget the steep learning curve required if you choose to reuse code as opposed to rolling your own.

Case in point: Microsoft started nearly from scratch (licensed a simpler browser, IIRC) with IE, at around the same time Netscape decided it was unable to maintain its aging source code. IE overtook Netscape 4 in terms of quality (despite illegal bundling) over a few years. We cannot know if Netscape could've survived if they kept maintaining their 4.x browser, but it's pretty clear that Microsoft wasn't moving slowly at all.

Apple then did the same years later, starting with KHTML (generally considered inferior to Gecko), and within a pretty short time has a really polished Safari browser. It's not as maximally compatible as some of the more established browsers, but it's probably 90% of the way there within a year or two of development.

In fact, the projects that truly move at a glacial pace tend to be the free software projects. Sourceforge is full of these projects, gasping for attention, despite disclosing full source code. In the commercial world, when you throw money at a problem, code gets written from scratch pretty quickly.

first time in the sun for MS source

[rbird76]

When I go out in the sun, I wear sunscreen and although I'm fairly pale, I probably won't get burned too badly. If someone goes outside with a T-shirt and shorts for the first time in their life (say a 25-year old), they'll probably get burned fairly badly (unless they wear a lot of sunscreen or aren't out for long).

Linux and other open source OS have had people looking at them for a long time. The people looking at the source of Linux are less likely to be a monoculture than the people at MS who are hired to look over software. In addition (uninformed speculation) more of the Linux people may have been black hats once - the less ordered (as in cubicle order rather than procedure order) system may be more amenable to some who fit a less monolithic background. Linux is thus likely to have been looked at by people who might once have looked to hack it and by people with a wider variety of skill sets. MS knows a lot about software, but their diversity in software knowledge and opinion is likely smaller than that of either their user set or of that of white hat hackers.

The other factor is that having the MS source without a licence is illegal - thus the people who are most likely to take advantage of the availability of the source are people without much respect for the license in the first place - black hats. Linux source can be viewed legally, and so is just as likely to be looked over by white hats as black hats (probably more likely, because of the population ratio of BH and WH).

In one of the Clancy books (I think "Debt of Honor"), he talked about secrecy being good for hiding information that someone doesn't want you to know - but that when it broke, the news would be much worse for that someone, and harder to control. That seems applicable here - only the news is directed almost exclusively to those who would do them harm.

Re:So much for security through obscurity

[LurkerXXX]

If you look back at past slashdot stories, you'll find exactly that was done several months ago. An opensource patch was released for a windows exploid before MS could release one. Everyone raved about it that day.

The next day it was discovered the patch was very badly coded, and included a backdoor...

I think I'll stay away from 'opensource' MS patches, thank you very much.

Re:The real question is, of course -

[dubious9]

Because Microsoft never had its code freely audited. Because they won't take patches from Joe Shmo. Because they design for features first, security third. Because they relied on security through obsurity. Because they don't have a global network of developer-users to fix patches when they see them. Because it takes Microsoft a relatively long time to fix bugs. Because...

Re:An open source of Windows... of sorts?

[canajin56]

Wrong. Only distribution would be illegal. Copyright only protects from making COPIES. Just like MP3's. Having 10GB of MP3's on your hard-drive is only illegal if you distribute them. It doesn't even matter whether or not you have the original CD's, either. (But if you don't, it was probably illegal to GET them. But not to possess or use them)

Re:The real question is, of course -

[negacao]

All right, I'll eat the troll bait.

MAINLY BECAUSE YOU CAN PATCH LINUX, GIVE THE PATCH TO THE OWNER, AND HAVE THE VULNERABILITY FIXED.

Now you're gonna tell MSFT would take such a patch, rather than sue you into the ground for having the source in the first place?

I'll second that, not the whole tree

[anticypher]

My guess, this is some of the source released to academic institutions for study. Lots of universities have access to a small portion of the windows source code, for use in various computer labs, and to create interoperable code. It comes on a single CD, and is not difficult to obtain.

I've studied one small section of M$'s source code, a single network module appearing in both NT4 and NT5.0, under NDA of course. I don't see it here. There are a lot of things I don't see here, and I'm still going through the tree. There are some things here that are clearly part of windoze, such as the source to regedit.

Some other things that make me suspicious this isn't all the source code:
1) lots of 0 length files, could all those .eml files be links to the original file?
2) the win2k source just happens to total 658MBytes, about the size of a CD
3) there are a number of 0 length files of people's names with the letters CV next to them. cv - vered mazafi.eml, ronen-cv.eml
4) all through the file listing are repeats of .eml files, like tcp-ip tutorial.eml. Would there really need to be a tutorial like this spread everywhere?

I think this is just a student prank, being trolled out of proportion. It's not just /. doing the trolling, this will probably hit the major news outlets tomorrow. No doubt, they will only quote the most pandering media whores around, to sensationalise the story. Any bets several major stories will point to /. as a culprit, or as a den of criminal hackers?

the AC
I can't believe I'm admitting to extensive knowlege of windoze on /.

Re:ReactOS

[theCat]

I should think that the lawyers at M$ will wait a suitable period of time and then, once ReactOS looks good, swoop in with a C&D order. They will have a long list of "similarities" in source, and charts showing how development of ROS features and stability has become accelerated since the release (though ReactOS was picking up anyway, as has WINE, as does any project gaining mindshare) and even if it makes no sense M$ will be able to hold up everything for years in litigation and findings.

This whole thing has a really high suck factor.

Combined with SCO FUD and that fscking MyDoom nonsense, this is really bad.

Re:So much for security through obscurity

[soramimicake]

Sorry for pointing out the obvious, but you really don't want to end up being as a scapegoat in a high profile case this one has the potential of turning into. Getting blamed for distributing a million copies of Windows and ending up in jail for years is not fun.

It is wise to keep a low profile from a company that offers bounties to hunt people down.

Re:The real question is, of course -

[mangu]

good guys are actually hiding back doors in the Linux code

They can't do that, since the source code is open. That Edgar Allan Poe "Purloined Letter" story set the precedent. Nowadays, any self-repsecting investigator will check first the obvious, before checking the obscure stuff.

OSS "Suicide car bombers" -- WTF???

[paco verde]

Yankee Group [yankeegroup.com] senior analyst (sic) Laura Didio has these alarming thoughts on internetnews.com [internetnews.com] about who might now be able to get their hands on the Windows source:

"With the open source community, there are a large percentage of tinkers and 'ankle biters' who are trying their hand at hacking. Some are even communicating with each other. So it only takes one or two of these groups sharing information to be able to pull something off. When you have this type of passion, it's hard to fight because these people are like virtual suicide car bombers."

So Microsoft is the defender of truth and justice in the free world, and OSS hackers are like suicide car bombers?

She then went on to warn of the dangers of hackers using the several hundred megabytes worth of leaked source code to compile their own pirated copies of Windows 2000. What a dumbass.

And what exactly is a "tinker", anyway?

Re:The real question is, of course -

[KarmaMB84]

Because people assume that because its closed source, Microsoft leaves in gaping security holes rather than fix them. They forget that Microsoft does use its own products and would probably fix this stuff if aware of it if only for their own benefit.

Re:The real question is, of course -

[Attaturk]

Why this is perceived as such a security threat to Microsoft, when it's not for Linux?

Because Microsoft's OS was, and is, designed and developed based on a principle of closed source. Generally speaking, with closed source development potential black hats can't see how you do things without significant reverse engineering. This gives the OS programmers a 'safe' framework to work within. So when that source later becomes available to the general public, it leaves the OS programmers facing a huge legacy of problems that should, in theory, never have become problems.

Linux was open source from the outset. Therefore it is designed and developed relying absolutely on the principle that it's secure because everyone has equal access to see how things are done.

Furthermore, if and when there are security holes then at least with OSS you can never be held to ransom by the people owning the source. i.e. "Windows 98 has this huge security hole and it's no longer supported - go buy Win2k."

Re:GNU make users?

[spectecjr]

Also there appear to be duplicate headers, repeated in various directories that I'm almost positive would end up screwing the compile process in a real build. Also, another thing is that, if their distributed files with VC6/7 are indicative of their internal naming, they stick to a strict 8.3 naming scheme, and make note of this in their documentation (don't remember *where* it was that I read it, but it was MS docs, and I remember being surprised by it). Another thing, again assuming that the files distributed with VC6/7 are a good model, their files tend to be all UPPERCASE! For example, here's a listing from their includes in for VC6:


1. Filenames can be shared in different folders with no issue. No problem whatsoever.

2. 8.3 filenames are *only* needed for ISO9660 CDRs. The source tree uses whatever filenames people want.

Re:The real question is, of course -

[shep1972]

simple.....relatively few people/business use linux compared to windows....if you are an attention seeking idiot who writes malicious code, who would you target? the population that gets you on the national news, or the small group of users who probably know better than to launch the worm carrier to begin with?

Re:That leads to a fascinating question

[abradsn]

It's damn near impossible to compile it in our own tweaked build environment. I'd like to shake the person's hand that figures out how to compile 15 gb of closed source code that was leaked onto the internet. Good Luck.

Re:It's a TRAP!!! /Adm. Ackbar

[marauder404]

Microsoft is sooooo obviously trying to pull an SCO here.

This is the among the most ridiculous theories that I've ever read on Slashdot (and I've seen some doozies in the past several years). Why would Microsoft go about trying to pull off what SCO did? So it could a bunch of Linux users (a LIBERAL estimate of 100M) for a paltry $500 a pop ... that's a mere $5B over the course of the next several years? Let's double it for a $1,000 each and it's still just $10B, nevermind all the expenses, including legal, to go about trying to collect something like that. Or, perhaps, they decide to go sue a handful of companies for a few billion dollars each after years of litigation and all kinds of negative PR. Microsoft's revenue was $34 billion for last year alone, $26B of it being profit.

SCO's actions are based on a company with little revenue, little cash, and nothing to lose. Microsoft has everything to lose. Say what you will about Microsoft, but they didn't get to where they are today with silly moves like that.

Nobody wants to be sat on

[KalvinB]

by a 500LB gorilla.

It has nothing to do with morals. It's self preservation.

Most companies don't have the resources to kick the crap out of warez distributors. MS isn't one of those companies.

Ben

OK, she's warping the truth. So...

[bersl2]

email her. The link's on the story page (don't quite know where, 'cause I'm using lynx right now). Tell her nicely where she fucked up.

Don't just sit here and bitch on Slashdot...

Devastating?

[loconet]

From the article...

"
This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.
"

Devastating?? Devastating because of the possible worms, viruses that can araise from this?

Closed or open, a piece of software "should" be secure and clean regardless.. if it's devastating it just proves that MS creates shit, so the fact that a pro-windows site actually says that is sad.

Re:Here is a Torrent link ... 200MB download

[Anonymous Coward]

Yea because downloading it is the smart thing to do. *rollseyes*

not the whole source - only parts of it

[Anonymous Coward]

http://www.smokeherb.com/windows/ [smokeherb.com]


the sourcees are only partial, a lot of little scripts, build tools, code/security/certificate signing tools are missing, 3rd party and drivers of course, its basically just some low level kernel and little shell and some apps sources.

you need a lot more if u wana build windows

check for some deeper info about win2k and nt3.x build and software engineering information here [seanm.ca] .

Re:It's a TRAP!!! /Adm. Ackbar

[adrianbaugh]

Rubbish. Definitely look - there's a lot of stuff you can learn from seeing the source that can't be traced back to your having seen it. Take wine, for example[0]: they're trying to implement a largely undocumented ABI. At the moment it's hard even to know what they have to code. If they look at the source they could see what functions they need to implement, how they need to work etc. Make basic notes, never look at the code again, go on holiday for a month, come back and write the missing bits semi-cleanly. They wouldn't need to copy any of the implementation (doing so would violate MS's copyright) but it would sure help to know what functions they needed to write (and I guess that would count as nothing more than utilising the widespread leaking of a former trade secret[1], which has no protection under law). The key point is, don't under any circumstances copy the code. And, if you do choose to look at the source, I suggest you get rid of it afterwards and don't tell anyone.

[0] I'm not suggesting for a second that the wine devs would look at the code, you understand: it's an example.

[1] If the leak is genuine, MS need have no doubt that this will be all over every p2p network in existence within an hour or so.

Re:Nobody wants to be sat on

[Anonymous Coward]

Bullshit. They're not scared of MS. If they were, they wouldn't release and trade other MS products. No products are left unreleased because anyone is afraid.

I just find it interesting...

[Fiz Ocelot]

That the article author describes it as potentially devestating and full of security risk with the source being leaked. And yet, look what that very same thing has done to the open source community. True, it probably is a very bad thing for windows security. Yet another reason to switch to another OS?

Re:So much for security through obscurity

[Anonymous Coward]

Wonder if that will be MS in the 2020s and 2030s?

Re:MS giving source code to countries

[adrianbaugh]

Whereas SCO were stupid to mess with IBM, for Microsoft to mess with China would be utter lunacy, especially given China has the source code. Regardless of what political ticking-off MS can ask for China to receive, China has the source. It has a regime where it can require (literally) millions of people to work their way through the code, write as many utterly hideous virii as they can and release them all. Make no mistake, while China might get a slap on the wrist it's nothing worse than they continually get for their human rights record: on the other hand, they seriously have the resources to destroy MS if they're pissed off enough. I think MS made a stupid deal when they gave the source code to an insecure OS to a government like China's.

Re:It's a TRAP!!! /Adm. Ackbar

[orthogonal]

And as you obviously don't know anything [....] why the fuck did you open your stupid mouth anyway?

Ever notice it's always the Anonymous Cowards who are so vehement in their criticism? Always with the "you're stupid" and the Mr. Tough Guy expletives: "why the fuck...."

Yeah, yeah, I know, Mr. Anonymous Coward: you're powerful and famous, in your mother's basement.

Re:Don't Touch that SOURCE!

[Curtman]

On the other hand though, until now we have no way of knowing if a contributor has seen the M$ source, and is feeding it in to open source projects, trojan horse style. If this is true, we could do a proper audit ourselves, and rewrite anything that needs to be.

Re:SHORT THE STOCK?

[DakotaK]

Gee, when MS gets their grubby hands on server records, they'll have fun suing the hell out of all the downloaders. Thanks!

Windows is their baby

[KalvinB]

MS's game department isn't what brings in all the money. It's their Windows and Office products that make the money.

They can grin a bear it when some games are pirated. Why do you think they (try to) crush companies that make mod chips for the XBox? Some things are more important.

And this is the source code to Windows. This is NOT just another product.

Anyone who dares to host it will be sat on until they are dead. Hell hath no fury.

Claiming this is just another product shows your definit lack of ability to comprehend the scope of this leak and the importance of it to MS's bottom line.

The legal costs required to shut down warez sites over a game generally are more than the amount of the losses. The legal costs required to crush the fools who dare to host the Windows source comes nowhere near the potential losses due to the leak.

Ben

Re:No GPL - Lots of BSD

[Anonymous Coward]

Yeah, there are a few trivial and ancient/obsolete BSD command-line tools in Windows (finger, ftp, nslookup, rcp, rsh). They were ported from BSD, and you can see that they contain the appropriate copyright attribution. Note that none of the kernel-mode files (e.g. the TCP/IP drivers) contain any such strings.

MS is naturally not opposed to using freely-available BSD code to achieve better interoperability with BSD/UNIX. MS Windows Services for UNIX, for example, includes a lot of modern BSD tools ported from OpenBSD. That's reasonable, of course, since it's supposed to provide a set of command-line tools familiar to UNIX systems administrators, and OpenBSD tools are known to be relatively good in terms of security.

Importantly, MS's porting of OpenBSD userland tools to Services for UNIX is also good for OpenBSD, because it helps to establish those tools as something of a standard. If hordes of MS users become used to the OpenBSD userland tools, they'll be much likelier to start using OpenBSD if they want a UNIX-like OS than to start using, say, Linux.

The common claim about the MS TCP/IP stack from open source zealots is that MS 'stole' the Windows TCP/IP stack from BSD because it couldn't write one of its own, which is of course complete nonsense. The handful of BSD tools in Windows are/were there to make it easier for UNIX users to access their systems from Windows. They're in no way critical to Windows as an operating system (in the way that, for example, a TCP/IP stack is).

Lets be realistic

[Anonymous Coward]

Without being arrogant in anyway, we really need to keep in mind we aren't looking at a mom and pop company here.

I highly doubt this will be the almighty downfall everyone thinks it is going to be. Try to keep in perspective that if this is true (and I have some pretty serious suspicions it isn't) if it costs MSFT $100 000 000, do you think they will even notice? Well maybe a bit but by fiscal 2005? I doubt it.

The source for NT will be useless for any kind of exploit in a year because support will be removed by then and the attitude in that end of the pool has been keep up or fall behind. And yes I do recognize the sickening number of them out there, I support the bloody things.

As for 2000, keep in mind that Linux may have 10 million developers constantly surveying the code on a part time basis, but they all have other jobs. MSFT has thousands of full time employees they can throw at one patch (in a pinch) that will deal with all of this.

Or maybe all the opportunists out there should look at it from a conspiracy theory point of view? Maybe they wanted this to happen.... (btw I love starting rumors) That oughtta keep people entertained for atleast a few terraflops.

In the long run it won't even phase them, and always remember that even if Linux/Unix/Novell(-laugh) ever wins out; they will then be the top dog and will subsequently be the center of scrutiny. Bias is based on prejudice, which is generally malfounded.

Remember....conspiracy theory....stay up all night tonight thinking about it....then show up late for work tomorrow...and get fired so you can work more open source code.

(btw the teeshirt and sunblock example was really shotty)

Re:PATRIOT implications

[Anonymous Coward]

YEAH! ummm. actually, and this may sound silly to some, but don't we gain knowledge through the sharing of ideas? criminals would do like microsoft and repackage code under a different name and sell it for profit.

Re:So much for security through obscurity

[ImpTech]

No, bah, way off...

The reason there are more worms on win2k/XP than the 9x series is because the 9x series doesn't DO anything. Win98 doesn't have "UPNP" or "Remote registry", or "windows messaging" or any other fancy services to speak of. Usually its all that crap (which is on by default!) that becomes the portal for worms. 2k/XP are a more powerful OS than 9x, which makes them inherently more dangerous. And now that more and more people are moving that way, of *course* chaos was going to break out, just as countless people predicted 4 years ago.

Re:The real question is, of course -

[sealawyer2003]

You may look at it as long as your method for doing so does not make a copy. But downloading the code will make a copy, and so will viewing at on a browser.

A TRAP?

[polkadotduck]

How about some rationality (and consistency) here guys. If simply being in the same room as a copy of the windows source code is sufficient to contaminate everything you write from that point on, then SCO is gonna win its court case for sure. After all the IBM AIX code it contributed to linux was written by people who had seen the SYS V source code. Yes?

Re:Why ofcourse!

[MobyTurbo]

Well, that's why it's called "Windows", a window is easy to break.

How many times?

[Rand310]

This is not the first, nor the last time this will happen.

How many times will it take to make people aware of the fact that such immense reliability on closed-source DRM-esque code will cause problems. Such closed-source *cannot* be closed forever. The information will be spread, and security through secrecy cannot win.

In addition, the mob-law illustrated here by the internet is an interesting phenomena (by no means unique to this incident - except maybe in the irony). LIterally thousands of people already have a copy of multi-million dollar source for free. It is an interesting epitomization of how such digital knowledge cannot be legally protected. What will MS do, sue any IP that shows up in BitTorrent or eDonkey? If the internet wants it, some individual might pay a few months behind bars, but the internet will have it...

free-enterprise, and free-information...

Wrong

[0x0d0a]

No. If the Wine folks look at the actual Windows source code, they aren't reverse engineering any more, they're copying, which is illegal.

IANAL. You are wrong. Non-clean-room reverse engineering is not only legal but is done at many, many companies. There is *absolutely no constraint* to use a clean room in reverse engineering.

The first clean room reverse engineering that I'm aware of is Phoenix of IBM's BIOS. They had *no* legal requirement to clean-room reverse engineer the BIOS. If they wanted to, they could hire IBM BIOS engineers for the job. However, by doing a clean room implementation, they ensured that they had an counterargument to *any* potential IBM claims of infringement. Had they not have used a cleanroom tactic, they might have had to actually have folks look at the code and at what people were doing with the code if charged with infringement. While this can be useful -- it's an immediate shutdown to any argument IBM might raise about infringement in court, and the judge doesn't even need to see the code -- it is definitely not necessary. I can look at GPL code and use the same approach said code does as long as I am not copying code verbatim (note that changing variables or something is not sufficient -- the work must be done by you, not be a mangled version of the original).

That being said, WINE has long had a policy of *not* accepting access to Windows source code. They've had people with access to it volunteer to give them stuff in the past, and they want to do a pseudo-cleanroom approach, since it makes matters simple from a legal standpoint. WINE will probably continue to ignore the source (and the WINE maintainers now have to worry about people submitting WINE patches containing Windows source...they may require indemnification or God knows what).

From a security standpoint, this is an utter disaster to Microsoft. They haven't had the benefit of many eyes all these years, and now they have a fucking lot of malicious eyes, and ten years of holes to remove in a week or so before the nastier exploits come out. None of those eyes have any incentive to submit patches to Microsoft. There will be attacks on relatively hardened systems, too.

This is going to suck for friends and family that I have using Windows.

Re:The EML Files

[shird]

The virus was cleaned from the comp (ie zeroed the eml files), but the backdoor (file sharing) remained. Most AV software don't remove backdoors after cleaning a virus.

Re:A bit about the developer...

[Anonymous Coward]

OK, so the way the source leaked was because of a wu-ftpd exploit. How long until Microsoft decides to use it as a base for FUD? After all, it is Open Source Software...

Re:Here is a Torrent link ... 200MB download

[torokun]

What in God's name is wrong with you people?

Do you even think about how many coders work for Microsoft? How many work for companies that depend on Microsoft technology? Do you think about the fact that people are busting their asses writing code, trying to make a living? Who cares about whether MS is full of crap or not? All companies have marketing. That's how business works.

You don't go and steal everything from a store just because the electricity goes out! It has repercussions! I have friends that work for Microsoft, and believe it or not, they are incredibly intelligent, honest, and good people. Each time you post a torrent link, you're helping to screw them.

You disgust me. This is NO DIFFERENT than a bunch of morons looting stores after a big game, just because they can... Can you possibly think that promoting these links on slashdot doesn't have a harmful effect? But you don't care about that. You just want to get your little jollies off thinking how neato it is that you can do something and a big corporation can't stop you.

Congratulations.

Comment removed

[account_deleted]

Comment removed based on user account deletion

One Man's Source Code Is Another Man's Virus

[Bowie J. Poag]

Stop and think about it. Regardless of whether or not the leak was intentional or not, it hurts us. If the code leak was deliberate, it was a brilliant move, strategically. It will hurt the open source community far, far more than it will hurt Microsoft. Infact, this is probably the biggest punch Microsoft has landed on the face of Linux. If it was unintentional, the net result is the same. Here's why.

Think of the leaking of the Win2K/NT source tree as a virus.

It's a virus designed to undermine the credibility of open-source community. It operates by exploiting two well-known vulnerabilities in open-source coders---Their curiosity, and their propensity for sharing. The dispersal of portions of the Win2K/NT source tree effectively taints the entire open source community's efforts to develop cleanly. Think about it. By leaking the code, every new OSS project that has anything even remotely to do with Windows interoperability can now be accused of having it's hand in an (at best) an unethical cookie jar. The folks who maintain Windows-interoperable projects now have to second-guess every new submission they recieve. Even worse, the availability of portions of the Win2K/NT source tree means the functional validity of all open source projects can now be called into question. Before, it was certain that any "feature" present in open-source software was the result of hard work, close observation, and the occasional dose of clever back-engineering.. Now that we can see over the fence, we can be accused of everything from violating Microsoft's intellectual property rights to wholesale misappropriation of entire blocks of Windows code.. Sort of makes SCO's accusations seem a little more well-grounded, doesn't it?

The sad thing is, the virus is having an easy time making the rounds, since theres nothing we can do to stop it. We cant become "less curious". We can't become "less industrious". The only way to avoid being under the cloud of suspicion is to stop developing alltogether. Just watch what happens. My guess is, by the end of this year, the trade rags are going to begin to equate open-source software with "questionable parentage".

This game is gonna get interesting in a hurry.

probably a source code source that's going to last

[robby2]

a lot longer: Freenet [sourceforge.net]
I wonder how many people will start using freenet just to get the sources and not get tagged as "one that downloaded the sources".

Possible reason....

[mormop]

For once the BBC carried a tech story on the main news which was reported as follows:

Source code for Windows NT and 2000 was leaked onto the internet. Microsoft fear that the source code being open to view could make it easy for haclkers to attack these systems

So there you have it. Source code readable by plebs = security risk, a statement that will reflect on FOSS in the minds of joe public if you tell them that the Open Source means readable source code.

Hmmmmmm....

Re:Here is a Torrent link ... 200MB download

[Anonymous Coward]

You know, every evil empire is build by honest, intelligent and good people, the same with Microsoft.

Estimated 300,000,000 computers run with Windows NT/2K/XP and the source code is under seal, known security holes take 6 months to be fixed, where are the responsible and intelligent people at MS taking 6 months to fix it? Are they all taking vacation?

See, your friends may be true friends of yours, granted - but this is a corporation which doesn't behave as friendly, honest and ethical as your friends who work there. Enron employees are surely more honest as the managers who screw Enron.

So, just because you have simpathy for your friends working for MS doesn't make MS be like your friends. See the bigger picture of this leak!

Re:One Man's Source Code Is Another Man's Virus

[Boltronics]

"this is probably the biggest punch Microsoft has landed"

Don't you think maybe you are just a little too paranoid? I could understand this possibly being a problem for the WINE project, but I wouldn't expect it to go any futher than that. NTFS code wasn't leaked, and samba/vfat is probably already as good as it can get.

Filelist shows virus infection?

[TwistedSpring]

http://heim.ifi.uio.no/~mortehu/files.txt seems to show signs of a Nimda (or similar) virus infection. Look at the number of 0-byte sized email messages distributed in inappropriate places throughout the tree. If whatever machine this source was ripped from did indeed have a virus then no wonder it was leaked.

Re:it's true

[mpe]

Moving from cathedral to bazaar isn't easy.

As shown with Mozilla and OpenOffice.org.

Re:NTFS...

[Anonymous Coward]

doesn't appear that there is any NTFS code in what was leaked. why would microsoft share NTFS code with a developer? really doesn't have much to do with the API

It was done intentionally!!!

[rippleone]

So many people are talking about open source stuff that no one has looked at the obvious. Microsoft did this on purpose. Let the code conveniently get out onto the net and then let more and more security holes be found. Nice sales tactic to get everyone to move to Windows XP or Server 2003. Microsoft - "you know, if most of guys out there refuse to upgrade then we will give you real reason to upgrade, this is our new licensing plan." Reminds me of mechanics damaging cars themselves just to do repairs.

Re:Why does trash attract so much interest?

[Anonymous Coward]

Unless of course it is the left-over garbage from Wordpad, which is of tolerable quality

Hey, edit.com was quite nice too. Split windows, automatic indenting, and other stuff all in a console text editor.

Re:Why worry about Wine???

[localhost00]

I know what Wine is. You apparantly failed to see the pun that was intended here.