Windows 2000 & Windows NT 4 Source Code Leaks
PeterHammer writes "Neowin.net is reporting that Windows 2000 and Windows NT source code has been leaked to the internet. More on this as we hear it."
it's true (Score:5, Insightful)
I for one would love to peek around in this, more out of curiosity than any desire to actually do something useful with it.
I'll believe it when I see it. (Score:1, Insightful)
First point: The tagline for Neowin.net is "Where unprofessional journalism looks better." I'll take what they say with a block of salt.
Second point: The odds of getting one's hands on the full source to NT4/2K are slim to none--even most Microsoft folks couldn't do that. The code is probably scattered across multiple servers in Redmond, for starters, and you'd only be given access to the parts you needed to work with.
Third point: The article has absolutely no detail to it whatsoever. For all we know, they've released a trojan masquerading as the source code and are trying to sucker geeks and 14m2rZ into downloading it.
Neowin has learned of shocking and potentially devastating news. It would appear that two packages are circulating on the internet, one being the source code to Windows 2000, and the other being the source code to Windows NT. At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them. Microsoft are currently unavailable for comment surrounding this leak so we have no official response from them at the time of writing.
This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bear thinking about.
We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to Microsoft's Anti-Piracy department.
Close your eyes! (Score:3, Insightful)
Seriously, don't look at it, you will no longer be considered "clean" and might become a liability to any project you work on.
Just don't use the code (Score:3, Insightful)
Do NOT read that code! (Score:5, Insightful)
Not good (Score:5, Insightful)
If this is true... (Score:5, Insightful)
If this is true, today may be the day that everything changes.
Re:Do NOT read that code! (Score:3, Insightful)
that's like saying the beatles can sue every musician who ever listened to them for copyright infringement
Is the code that bad (Score:3, Insightful)
I don't know how useful it is to WINE, etc... OSS developers not wanting to be "contaminated" by looking at the source code won't look at this stuff anyway.
Re:So is this the beginning of something... (Score:5, Insightful)
I'm not sure that kind of justification really works. It also doesn't help the open source community, IMHO. I can't agree with the "let's sink to their level" philosophy.
Re:Close your eyes! (Score:3, Insightful)
It wouldn't be the first company to pull something silly like that, after all...
tin foil hat (Score:5, Insightful)
Step 1) Leak their source
Step 2) Sue Open Source developers down the road because obviously they have studied the MS leaked source.
Step 3)
Ok but seriously, I'm not touching it. The last thing I need is Microsoft saying that I somehow owe something to them.
Jerks.
--
Mike
Re:The shit will hit the fan + Mirror (Score:5, Insightful)
Re:Server problems ALREADY... (Score:3, Insightful)
I disagree with the reporter. Because of the added scrutiny a widespread access to the source code will generate, it's more likely that we'll finally see a tight, secure Windows 2000 and NT. That is, if Microsoft accepts fixes, tips and advice from the hacker community as they should. If they don't, I can already see the unofficial Service Packs doing a much better job than Microsoft's.
Re:omg (Score:2, Insightful)
Worms and exploits will start to appear quicker, and more frequently than ever.
Re:The shit will hit the fan + Mirror (Score:2, Insightful)
this actually can hurt us more than help.
Re:it's true (Score:5, Insightful)
I hope you weren't planning on ever contributing to any Open Source projects after doing that. If it's later demonstrated that you had access to the W2K source and contributed vaguely similar code (even by accident) to a project, it could have severe repercussions for that project.
I doubt Microsoft would leak it deliberately, but this does open the door to a whole SCO-esque can of worms from now on.
Now W. Russell Jones can put his story to the test (Score:5, Insightful)
I'm afraid we've reached a massive failure here in security by obscurity, but time will tell. If this is true and if there are lots of security holes discovered, I find it hard to believe even a company of Microsoft's size can respond quickly enough to keep the outbreaks down. This threat is why open source is better than what W. Russell Jones made it out to be. The threat of security failing because of leaking source just isn't there with open source.
-N
Re:Server problems ALREADY... (Score:5, Insightful)
How big are these files? I would expect the size of these tarballs to be comparable to Linux Kernel + GNOME + Mozilla + misc userland/bundled equivalents. If they are unexpectedly small (like less than a gig for W2K), then they are probably a hoax.
The danger of tainting (Score:3, Insightful)
I can already foresee the seize-and-desist letters to free projects, claiming that one or more developers have been tainted by knowledge of 'proprietary information' from microsoft, and the enclosed clicktrail on www.w2k-source.com provides the necessary evidence. And you thought you were just checking out driver support info on a community site.
mfg lutz
Re:Just don't use the code (Score:5, Insightful)
In fact if you are involved with an Open Source project (especially Kernel and Window Manager projects) I suggest you do everything possible to avoid seeing this code.
Accusations of Taint are undoubtedly going to spring up from this, and you would be better to be well clear.
I will confess to a certain curiosity as to what the results of a comparator test would be though.
What's the big deal? (Score:5, Insightful)
Re:Do NOT read that code! (Score:5, Insightful)
Of course those of us who are also lawyers can safely read other people's code, because we know exactly what to do to avoid infringing. It is possible to extract knowledge from the code without breaching copyright, but...
Getting a copy of the code at all is a breach of copyright.
Re:So is this the beginning of something... (Score:2, Insightful)
Re:it's true (Score:5, Insightful)
As much as I'd love to peek around in this, I won't risk it.
Re:hmm seems a bit buggy (Score:5, Insightful)
Because most people are paranoid enough to assume M$ watermarks each distributed copy to allow them to trace it back to the point of release. But now they are giving copies to governments like China and folks there just don't really give a damn about western notions of copyrights.
this could be really bad (Score:5, Insightful)
OSS developers, don't be tempted to look (Score:3, Insightful)
Re:Do NOT read that code! (Score:4, Insightful)
Please, you are talking about sacrificing the source code for NT and 2000 just to hold off OpenSource projects, which WILL happen eventually regardless of what lawyers say. They can't stop every computer science student out there from writing and giving away programs.
The number of viruses created and holes which will be found (now and years in the future), IF this is true, will almost destroy any IT administrator to a weeping mound of tears and make them seriously consider moving to Linux/BSD/Mac.
Moving to XP won't help because this could happen with that code also.
So, IF this is true, this MIGHT be more damaging to MS than the Dept of Justice thingy from years ago. Not something MS would want to do on purpose no matter what they think about OpenSource.
Re:Do NOT read that code! (Score:4, Insightful)
The basic problem is that if it's clear that you have viewed the source code and make substantial contributions to a project that competes with Windows, MS will be able to, without being laughed out of court, at least file a lawsuit against you and ruin your day.
The correct analogy is sampling large portions of a beatles song or performing your own rendition of it. If you try to record a beatles song and sell it, you had better pay the proper song royalties or you will get sued.
I'm really fascinated about, if this turns out to not be a lie, the long-term ramifications of this. It's a can of worms that you can't undo. Its impact on the number of security holes, any commentary by third party sources, etc. will be most interesting. Especially given that it's probably reached areas already where it doesn't have the sort of protections that it has under US laws.
Re:it's true (Score:5, Insightful)
Re:An open source of Windows... of sorts? (Score:4, Insightful)
Unless this source 'leak' was officially sanctioned (which we know it wasn't), possession, use, distribution, etc of said source would be illegal, regardless of if you have a legitimate copy of windows 2000 sitting on your home pc.
Also, the EULA covers the final product, not the original source. There are separate license agreements for that source.
Re:Just don't use the code (Score:5, Insightful)
I remember someone on here, a while back during one of the SCO stories, wondered what would happen if Microsoft released the source code, but under such a devious license that contamination would be fatal to an open-source project.
Maybe someone at Microsoft thought that was a neat idea.
*** CONSPIRACY THEORY END ***
As far as looking at the code: the only real reason to examine it is to find new exploits. No developer is going to slave over that source in order to find bugs and repair them, since there is no legal way to do it.
Re:Compilation and Windows source code (Score:4, Insightful)
That is a MYTH (Score:5, Insightful)
IANAL but I do read Groklaw, and from what I understand copyright restricts the act of copying (duplicating). You can study someone's implementation of something as much as you like, then go implement something similar yourself. As long as you do not copy the code verbatim you are not in violation of copyright law.
Otherwise, no student would be able to code having once looked at examples in a text book
The problem is, of course, proving one implemented the code oneself and did not in fact crib the whole thing from someone else's code, and the greater the similarity (for code of sufficient complexity
In any event, it is a myth that, simply by looking at, or even studying, one set of code one is somehow "tainted" and unable to contribute to another, competing project, be it free or proprietary. To violate copyright law one must copy, not just receive inspiration from.
Re:this could be really bad (Score:5, Insightful)
The interesting part is the difference between Win2k and Linux. In both cases now, the black hats have access to the source code. However, there are more white hats who have access to the Linux codebase, which will make for some interesting long-term implications.
This also has the potential to solve the NSAKEY controversy once and for all and provide some interesting insights into how Windows works. I'm wondering if, through the use of countries with more flexible copyright systems, it would be possible to document interesting attributes and then pass them back to WINE and other open-source folk.
So... (Score:5, Insightful)
Re:Open Source (Score:5, Insightful)
Re:MOD PARENT UP (Score:5, Insightful)
Re:it's true (Score:5, Insightful)
You're assuming the law will be applied fairly and evenly.
Screw legality (Score:2, Insightful)
This will probably elicit a lot of replies about how Linux needs, especially now, legitimacy, especially under scrutiny of corps hoping to use it on desktops/servers. Individuals wouldn't care as much, obviously. They're right, in part at least. However, I've always admired the range of software choice Linux has, and just like Debian doesn't ship with all the necessary mplayer codecs.. they're out there, if you want 'em.
On another note.. what if someone took the code, released Linux software designed to help, say, samba, or something. Then another developer, without looking at the actual code for that program, made their own derivative by decompiling/whatever?
Re:Seems a little small (Score:2, Insightful)
Re:Do NOT read that code! (Score:3, Insightful)
to further my analogy a little bit, say a beatles song uses a C G D chord progression and i've written a song using the same progression i'm still safe even if i know that i'm using the same chord progression so long as i didn't take it from the beatles. i could either have come up with it on my own messing around or been shown it elsewhere.
Re:So much for security through obscurity (Score:5, Insightful)
It's a TRAP!!! /Adm. Ackbar (Score:4, Insightful)
If you work on any Open Source project, DO NOT LOOK!
A lot more lawsuits are coming? (Score:2, Insightful)
Now SCO can sue Microsoft for stealing their code, too! *LOL*
Seriously, though... If the circulating source is really NT4 & W2K, that would give a powerful instrument to both sides - the ones who want to sue Microsoft for stealing their technologies and for Microsoft, too, since from now on they will be looking very closely at newcoming products of their rivals.
Re:Do NOT read that code! (Score:5, Insightful)
Yet if I learn to play guitar by among other things, listening to all of the Beatles songs and playing along, do the Beatles own the rights to any future song I write? Goddamn hell freakin no! How is that any different from learning things from viewing MS, or any other person's code?
I've learned to code by doing all sorts of things over the years. Among them, learning from coworkers' code. Applying that knowledge at my current job doesn't make the property of my current employer a derivative work of my employer from 5 years ago, even though I had access to the source code of that previous job.
Re:it's true (Score:5, Insightful)
Mirror: An Insightful comment from Neowin (Score:5, Insightful)
Re:That is a MYTH (Score:5, Insightful)
> I hope you weren't planning on ever contributing
> to any Open Source projects after doing that. If
> it's later demonstrated that you had access to
> the W2K source and contributed vaguely similar
> code (even by accident) to a project, it could
> have severe repercussions for that project.
IANAL but I do read Groklaw, and from what I understand copyright restricts the act of copying (duplicating). You can study someone's implementation of something as much as you like, then go implement something similar yourself. As long as you do not copy the code verbatim you are not in violation of copyright law.
What you're saying about copyright is correct; but that probably isn't what MS would come after you (and your open source project) for. It'd be patent and trade secret violations.
That said, I don't know whether the unauthorized release of code would invalidate subsequent trade secret claims. On one hand, it seems crazy to lose trade secret protections because of an illegal or unauthorized act; OTOH, it seems crazy to call something a secret that, well, isn't. Maybe someone who is a lawyer can discuss.
Re:Now? Improve emulators! (Score:5, Insightful)
And CDs should not be copyrighted because they did not invent the photon used to read it.
If you take this to its logical extreme, any file is simply an extremely large digital number (millions of bits). How do you copyright a number? So it is then not possible to copyright ANY digital work.
Re:That is a MYTH (Score:1, Insightful)
Re:hmm seems a bit buggy (Score:5, Insightful)
I agree. Remember, at the trial MS argued that opening or showing parts of Windows source code would be a threat to national security. Not long after that, they gave their source code to Russia, China, and many multi-national corporations and other organizations as part of their Shared Source initiative. Now, don't know where the source was leaked from, but 1 + 1 = ?
If in fact, this story is true, MS is riding against the wind here. It is feeling pressure from the Open Source while its security, software, and business models are based on keeping the source secret. If so, how long can they keep up?
Re:MOD PARENT UP (Score:4, Insightful)
Nope? - didn't think so.
The only way I can think of doing it is using hardcore hook stuff. Having the code would be *much* easier.
Re:The shit will hit the fan + Mirror (Score:2, Insightful)
Of course if this turns out to be true and all.
Re:So much for security through obscurity (Score:4, Insightful)
Re:In other news... (Score:1, Insightful)
- Steven
Samba 3.0 is potentially, royally, screwed. (Score:1, Insightful)
Now, unless the leak and spread can be precisely pinpointed, the Samba project could be the target for attacks under the "assumption" that they were sitting on this and that's why it works as well as it does. Whether or not they think this is true is irrelevant, they just need to let their legal team sink their claws into it, and muddy the waters.
patents and trade secrets. (Score:5, Insightful)
eric
Re:The shit will hit the fan + Mirror (Score:4, Insightful)
I'm tired of this b.s. Since when has looking at something been equated to copying it? Copying is copying. Looking is looking. However, obtaining the code is probably a copyright violation. After all, this post is not a copy of your post. It was inspired by it, I looked at your post, I legally cited your post, but I did not give you the rights to my post by doing so, nor can you force me to remove my post.
Re:The shit will hit the fan + Mirror (Score:3, Insightful)
I understand what you're saying, but it's best to steer far and wide and very clear of it. Treat it like nuclear waste. You don't even look at it no one can try to taint you.
Expected (Score:3, Insightful)
How about:
MS took a calculated risk in allowing the Chinese government access to the code in order to secure more sales, and are now paying for it, because someone Freed Billy!
SHORT THE STOCK? (Score:4, Insightful)
It looks as though at the end of the trading day, MSFT did lose some value. [yahoo.com] If not short it, then maybe sell it, if only to pick up some deals later...
Re:How it can go wrong (Score:3, Insightful)
i would have kicked them the hell out then called the police for attempted burglary AND pretending to be a law enforcement officer.
Re:Interesting... (Score:2, Insightful)
So having said that, why does it surprise anyone that two identical lines (or whole procedures) of code end up in two different programs or operating systems? The code to control the hardware can only be written so many ways.
Besides, if the way all MS code acts is any indication of how it's written, the only place I can see it being of use is with virus/worm/trojan writers and geek comedy clubs.
Please be a hoax! (Score:5, Insightful)
But, it only takes one person to look at the Windows source, then go do something vaguely similar in Linux (or any OSS project for that matter). The result would be devastating: Microsoft would litigate Linux to death.
As many have said, the principle behind these copyright suits is awful. Looking at code, then doing something somewhat similar (because of inspiration) should not be a copyright violation. But with Microsoft's legal and financial resources, the laws will "adapt" to what is most beneficial to them.
I can only echo what many others have said: for the sake of Linux and OSS in general, do not look at the Windows source! That's a very conservative and overly-paranoid policy, but it's an invaluable measure for protection.
To me, general acceptance of open-source software is similar to political elections: every last speck of dirt is drug out and put under the spotlight. Any potential or suspect or even misunderstood characteristic is scrutinized, and the naysayers always manage to put a negative spin on it.
Open source only stands a chance if it can maintain the straight and narrow path... I hate to sound preachy, but any slight mishap, no matter how innocent or accidental, quickly turns into a major catastrophic disaster. There's just too much money and power interested in seeing OSS fail.
Analogy (Score:2, Insightful)
Re:The shit will hit the fan + Mirror (Score:5, Insightful)
What part of "being proved guilty beyond reasonable doubt" didn't you understand? It's the accuser's task to prove the accused party guilty, not the other way round.
Re:it's true (Score:5, Insightful)
And here lies one of the most basic problems of copyright. Nobody can see the other's code...to build on and possibly improve. Everybody has to learn what is already known by themselves. That slows down the whole development process to a virtual standstill. I think this whole copyright mess has probably set us back anywhere between 50 and 200 years. This applies to all human work, not just computers.
Re:So much for security through obscurity (Score:5, Insightful)
Re:Now? Improve emulators! (Score:1, Insightful)
Finally you are getting smarter. But just for case if don't understand it yet: all copyrights are bad. The world without copyrights would be much better. Demonstration: compare the quality of copyrighted Windows to copylefted Linux.
America is great because America is good, and if America ever ceases to be good, she will cease to be great.
And this is exactly what's happened to America after 2001/09/11.
By the way, America was never better than many other countries, like England or Australia. So, guess what?..
Re:So much for security through obscurity (Score:4, Insightful)
IBM's legal team make Microsoft's look like first year law students. IBM's lawyers held the DoJ at bay for DECADES. Not even Microsoft are prepared to mess with IBM. The moment IBM called SCO's bluff SCO knew they were dead.
And if Microsoft could buy them with a month's revenue imagine what IBM could do. They are a little bit bigger than Microsoft you know...
I just think it's funny that IBM were everybody's worst enemy in the 70's and 80's, and now they are usually the ones doing the right thing by the industry.
Are you sure ? (Score:3, Insightful)
What do you know about who reviews the windows code ?
Also, what assumptions are you making about the number of people, and their qualifications, that are reviewing OSS code ?
Re:So much for security through obscurity (Score:5, Insightful)
Coincidentally, this is also one of the key reasons that there are more worms/virii released that target Windows than Mac or Linux - why target Mac or Linux when you can target Windows, with many, many times more users?
The real question is, of course - (Score:4, Insightful)
Re:this could be really bad (Score:5, Insightful)
Someone please check against DDK (Score:3, Insightful)
or other released code. It should be possible to triangulate the source against existing released software, so at least we can know what exactly it is and whether this is a hoax or not.
Re:it's true (Score:5, Insightful)
Linux has had the advantage of being checked, line for line, from the beginning. NT was an estimated 16 million lines of code; 2K three times that much. That's a lot of code.
I think what people will see, most for the first time, is exactly how bad the coding is in Redmond. This will cause some laughter, and some shock. I think they'll find that parts of the NT kernel were strangely well-written, coming as they did from David Cutler's 'tribe' and the DEC Prism project on which NT was based. On the other hand, I think they will find that other parts, such as the GDI, were horribly written.
And it's all good, IMHO: eEye and Guninski and others have been able to give us a bit of a picture of how bad things are there, but we'll finally be able to see with our own eyes.
It won't be a pleasurable experience.
Re:The real question is, of course - (Score:5, Insightful)
The short of it is: no "free" security updates a la linux, just more visible bugs to exploit.
Re:The real question is, of course - (Score:3, Insightful)
The assumption is that microsoft writes insecure code, and depends on its non-publication to keep this a secret.
I think this assumption is mitigated by the fact that so many universities have a license to look at the source.
The real source is 300GB (Score:1, Insightful)
Paul
Re:Time to look for GPL violations! (Score:3, Insightful)
Re:Life is good. (Score:2, Insightful)
Re:You're missing the point (Score:2, Insightful)
Computers are necessary.
If windows is untrustable, what do you do?
(Hint: There ARE other operating systems that run on PCs)
Re:What now? (Score:5, Insightful)
Re:Just curious... (Score:3, Insightful)
It's about not stooping to their level.
The main drivers of OpenSource are those which just program and share, not those that fight dirty/go on illogical and embarrassing rants.
Look at SCO. I assume that there are many fine people there, but how do you view the company as a whole? After this SCO vs. IBM thing is over, what is your impression of them?
Re:MS giving source code to countries (Score:5, Insightful)
Re:It's a TRAP!!! /Adm. Ackbar (Score:5, Insightful)
This is extremely good advice. I would go even further and say that if you would ever like to work on an open source project, don't look. The presence on a project of a person who had seen the Windows source could put the entire project at risk.
For a very practical example, consider Samba. If a person who had seen the Windows source were to contribute to Samba and it were later to come to light that the contributor had seen the Windows source, in the name of safety every piece of code that person contributed would have to be ripped out and replaced. Worse, to guarantee that there was no trace of taint, it would probably have to be replaced by people who had not only never been exposed to the Windows source, but who had also not seen the contributor's tainted code. In short, it would require the recruitment of people who had never worked on the project before, or even read the source. Finding those people would not be easy, to say nothing of the time and credibility that would be lost.
For that matter, even if you have legally seen the Windows source because Microsoft has provided it to your employer under their shared source program, the same taint would follow you. If your employer has access to Windows source and your job does not require you to see that source, do yourself a favor: don't look.
If you look at the Windows source, you at the least taint yourself WRT working on any project aimed at interoperability with Windows, and quite possibly on a much wider variety of projects than that.
In short, JUST SAY NO.
Re:it's true (Score:4, Insightful)
How does one take a quick peek to see such a file is circulating?
The point? (Score:3, Insightful)
I can't imagine how this could have a bad effect on linux at all. A big boost for ABM and the industry as a whole would survive just fine without MS. It isn't like MS has really truly made something significant other than piggybacking and marketing.
Re:The real question is, of course - (Score:5, Insightful)
Because the Linux source code can be legally downloaded by the "good" guys, who go and fix the holes. OTOH, only the "bad" guys download the Windows source code (it's illegal to do so, you know), and they go and create exploits based on the holes.
Re:it's true (Score:5, Insightful)
I agree that a lot of reinvention has to go on, but I think you exaggerate the effects of not being able to reuse code. To begin with, people tend to forget the steep learning curve required if you choose to reuse code as opposed to rolling your own.
Case in point: Microsoft started nearly from scratch (licensed a simpler browser, IIRC) with IE, at around the same time Netscape decided it was unable to maintain its aging source code. IE overtook Netscape 4 in terms of quality (despite illegal bundling) over a few years. We cannot know if Netscape could've survived if they kept maintaining their 4.x browser, but it's pretty clear that Microsoft wasn't moving slowly at all.
Apple then did the same years later, starting with KHTML (generally considered inferior to Gecko), and within a pretty short time has a really polished Safari browser. It's not as maximally compatible as some of the more established browsers, but it's probably 90% of the way there within a year or two of development.
In fact, the projects that truly move at a glacial pace tend to be the free software projects. Sourceforge is full of these projects, gasping for attention, despite disclosing full source code. In the commercial world, when you throw money at a problem, code gets written from scratch pretty quickly.
first time in the sun for MS source (Score:5, Insightful)
Linux and other open source OS have had people looking at them for a long time. The people looking at the source of Linux are less likely to be a monoculture than the people at MS who are hired to look over software. In addition (uninformed speculation) more of the Linux people may have been black hats once - the less ordered (as in cubicle order rather than procedure order) system may be more amenable to some who fit a less monolithic background. Linux is thus likely to have been looked at by people who might once have looked to hack it and by people with a wider variety of skill sets. MS knows a lot about software, but their diversity in software knowledge and opinion is likely smaller than that of either their user set or of that of white hat hackers.
The other factor is that having the MS source without a licence is illegal - thus the people who are most likely to take advantage of the availability of the source are people without much respect for the license in the first place - black hats. Linux source can be viewed legally, and so is just as likely to be looked over by white hats as black hats (probably more likely, because of the population ratio of BH and WH).
In one of the Clancy books (I think "Debt of Honor"), he talked about secrecy being good for hiding information that someone doesn't want you to know - but that when it broke, the news would be much worse for that someone, and harder to control. That seems applicable here - only the news is directed almost exclusively to those who would do them harm.
Re:So much for security through obscurity (Score:3, Insightful)
The next day it was discovered the patch was very badly coded, and included a backdoor...
I think I'll stay away from 'opensource' MS patches, thank you very much.
Re:The real question is, of course - (Score:5, Insightful)
Re:An open source of Windows... of sorts? (Score:3, Insightful)
Re:The real question is, of course - (Score:2, Insightful)
MAINLY BECAUSE YOU CAN PATCH LINUX, GIVE THE PATCH TO THE OWNER, AND HAVE THE VULNERABILITY FIXED.
Now you're gonna tell MSFT would take such a patch, rather than sue you into the ground for having the source in the first place?
I'll second that, not the whole tree (Score:5, Insightful)
I've studied one small section of M$'s source code, a single network module appearing in both NT4 and NT5.0, under NDA of course. I don't see it here. There are a lot of things I don't see here, and I'm still going through the tree. There are some things here that are clearly part of windoze, such as the source to regedit.
Some other things that make me suspicious this isn't all the source code:
1) lots of 0 length files, could all those
2) the win2k source just happens to total 658MBytes, about the size of a CD
3) there are a number of 0 length files of people's names with the letters CV next to them. cv - vered mazafi.eml, ronen-cv.eml
4) all through the file listing are repeats of
I think this is just a student prank, being trolled out of proportion. It's not just
the AC
I can't believe I'm admitting to extensive knowledge of windoze on
Re:ReactOS (Score:3, Insightful)
This whole thing has a really high suck factor.
Combined with SCO FUD and that fscking MyDoom nonsense, this is really bad.
Re:So much for security through obscurity (Score:5, Insightful)
It is wise to keep a low profile from a company that offers bounties to hunt people down.
Re:The real question is, of course - (Score:5, Insightful)
They can't do that, since the source code is open. That Edgar Allan Poe "Purloined Letter" story set the precedent. Nowadays, any self-respecting investigator will check first the obvious, before checking the obscure stuff.
OSS "Suicide car bombers" -- WTF??? (Score:4, Insightful)
Yankee Group [yankeegroup.com] senior analyst (sic) Laura Didio has these alarming thoughts on internetnews.com [internetnews.com] about who might now be able to get their hands on the Windows source:
So Microsoft is the defender of truth and justice in the free world, and OSS hackers are like suicide car bombers?
She then went on to warn of the dangers of hackers using the several hundred megabytes worth of leaked source code to compile their own pirated copies of Windows 2000. What a dumbass.
And what exactly is a "tinker", anyway?
Re:The real question is, of course - (Score:4, Insightful)
Re:The real question is, of course - (Score:5, Insightful)
Because Microsoft's OS was, and is, designed and developed based on a principle of closed source. Generally speaking, with closed source development potential black hats can't see how you do things without significant reverse engineering. This gives the OS programmers a 'safe' framework to work within. So when that source later becomes available to the general public, it leaves the OS programmers facing a huge legacy of problems that should, in theory, never have become problems.
Linux was open source from the outset. Therefore it is designed and developed relying absolutely on the principle that it's secure because everyone has equal access to see how things are done.
Furthermore, if and when there are security holes then at least with OSS you can never be held to ransom by the people owning the source. i.e. "Windows 98 has this huge security hole and it's no longer supported - go buy Win2k."
Re:GNU make users? (Score:3, Insightful)
1. Filenames can be shared in different folders with no issue. No problem whatsoever.
2. 8.3 filenames are *only* needed for ISO9660 CDRs. The source tree uses whatever filenames people want.
Re:The real question is, of course - (Score:2, Insightful)
Re:That leads to a fascinating question (Score:2, Insightful)
Re:It's a TRAP!!! /Adm. Ackbar (Score:4, Insightful)
SCO's actions are based on a company with little revenue, little cash, and nothing to lose. Microsoft has everything to lose. Say what you will about Microsoft, but they didn't get to where they are today with silly moves like that.
Nobody wants to be sat on (Score:5, Insightful)
It has nothing to do with morals. It's self preservation.
Most companies don't have the resources to kick the crap out of warez distributors. MS isn't one of those companies.
Ben
OK, she's warping the truth. So... (Score:3, Insightful)
Don't just sit here and bitch on Slashdot...
Devastating? (Score:3, Insightful)
"
This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.
"
Devastating?? Devastating because of the possible worms, viruses that can arise from this?
Closed or open, a piece of software "should" be secure and clean regardless.. if it's devastating it just proves that MS creates shit, so the fact that a pro-windows site actually says that is sad.
Re:Here is a Torrent link ... 200MB download (Score:0, Insightful)
not the whole source - only parts of it (Score:1, Insightful)
the sources are only partial, a lot of little scripts, build tools, code/security/certificate signing tools are missing, 3rd party and drivers of course, it's basically just some low level kernel and little shell and some apps sources.
you need a lot more if u wana build windows
check for some deeper info about win2k and nt3.x build and software engineering information here [seanm.ca].
Re:It's a TRAP!!! /Adm. Ackbar (Score:3, Insightful)
[0] I'm not suggesting for a second that the wine devs would look at the code, you understand: it's an example.
[1] If the leak is genuine, MS need have no doubt that this will be all over every p2p network in existence within an hour or so.
Re:Nobody wants to be sat on (Score:1, Insightful)
I just find it interesting... (Score:2, Insightful)
Re:So much for security through obscurity (Score:1, Insightful)
Re:MS giving source code to countries (Score:5, Insightful)
Re:It's a TRAP!!! /Adm. Ackbar (Score:3, Insightful)
Ever notice it's always the Anonymous Cowards who are so vehement in their criticism? Always with the "you're stupid" and the Mr. Tough Guy expletives: "why the fuck...."
Yeah, yeah, I know, Mr. Anonymous Coward: you're powerful and famous, in your mother's basement.
Re:Don't Touch that SOURCE! (Score:2, Insightful)
Re:SHORT THE STOCK? (Score:3, Insightful)
Windows is their baby (Score:5, Insightful)
They can grin and bear it when some games are pirated. Why do you think they (try to) crush companies that make mod chips for the XBox? Some things are more important.
And this is the source code to Windows. This is NOT just another product.
Anyone who dares to host it will be sat on until they are dead. Hell hath no fury.
Claiming this is just another product shows your definite lack of ability to comprehend the scope of this leak and the importance of it to MS's bottom line.
The legal costs required to shut down warez sites over a game generally are more than the amount of the losses. The legal costs required to crush the fools who dare to host the Windows source comes nowhere near the potential losses due to the leak.
Ben
Re:No GPL - Lots of BSD (Score:5, Insightful)
MS is naturally not opposed to using freely-available BSD code to achieve better interoperability with BSD/UNIX. MS Windows Services for UNIX, for example, includes a lot of modern BSD tools ported from OpenBSD. That's reasonable, of course, since it's supposed to provide a set of command-line tools familiar to UNIX systems administrators, and OpenBSD tools are known to be relatively good in terms of security.
Importantly, MS's porting of OpenBSD userland tools to Services for UNIX is also good for OpenBSD, because it helps to establish those tools as something of a standard. If hordes of MS users become used to the OpenBSD userland tools, they'll be much likelier to start using OpenBSD if they want a UNIX-like OS than to start using, say, Linux.
The common claim about the MS TCP/IP stack from open source zealots is that MS 'stole' the Windows TCP/IP stack from BSD because it couldn't write one of its own, which is of course complete nonsense. The handful of BSD tools in Windows are/were there to make it easier for UNIX users to access their systems from Windows. They're in no way critical to Windows as an operating system (in the way that, for example, a TCP/IP stack is).
Let's be realistic (Score:3, Insightful)
I highly doubt this will be the almighty downfall everyone thinks it is going to be. Try to keep in perspective that if this is true (and I have some pretty serious suspicions it isn't) if it costs MSFT $100 000 000, do you think they will even notice? Well maybe a bit but by fiscal 2005? I doubt it.
The source for NT will be useless for any kind of exploit in a year because support will be removed by then and the attitude in that end of the pool has been keep up or fall behind. And yes I do recognize the sickening number of them out there, I support the bloody things.
As for 2000, keep in mind that Linux may have 10 million developers constantly surveying the code on a part time basis, but they all have other jobs. MSFT has thousands of full time employees they can throw at one patch (in a pinch) that will deal with all of this.
Or maybe all the opportunists out there should look at it from a conspiracy theory point of view? Maybe they wanted this to happen.... (btw I love starting rumors) That oughtta keep people entertained for at least a few teraflops.
In the long run it won't even faze them, and always remember that even if Linux/Unix/Novell(-laugh) ever wins out; they will then be the top dog and will subsequently be the center of scrutiny. Bias is based on prejudice, which is generally malfounded.
Remember....conspiracy theory....stay up all night tonight thinking about it....then show up late for work tomorrow...and get fired so you can work more open source code.
(btw the teeshirt and sunblock example was really shoddy)
Re:PATRIOT implications (Score:1, Insightful)
Re:So much for security through obscurity (Score:5, Insightful)
The reason there are more worms on win2k/XP than the 9x series is because the 9x series doesn't DO anything. Win98 doesn't have "UPNP" or "Remote registry", or "windows messaging" or any other fancy services to speak of. Usually it's all that crap (which is on by default!) that becomes the portal for worms. 2k/XP are a more powerful OS than 9x, which makes them inherently more dangerous. And now that more and more people are moving that way, of *course* chaos was going to break out, just as countless people predicted 4 years ago.
Re:The real question is, of course - (Score:3, Insightful)
A TRAP? (Score:2, Insightful)
Re:Why ofcourse! (Score:3, Insightful)
How many times? (Score:2, Insightful)
How many times will it take to make people aware of the fact that such immense reliability on closed-source DRM-esque code will cause problems. Such closed-source *cannot* be closed forever. The information will be spread, and security through secrecy cannot win.
In addition, the mob-law illustrated here by the internet is an interesting phenomenon (by no means unique to this incident - except maybe in the irony). Literally thousands of people already have a copy of multi-million dollar source for free. It is an interesting epitomization of how such digital knowledge cannot be legally protected. What will MS do, sue any IP that shows up in BitTorrent or eDonkey? If the internet wants it, some individual might pay a few months behind bars, but the internet will have it...
free-enterprise, and free-information...
Wrong (Score:3, Insightful)
IANAL. You are wrong. Non-clean-room reverse engineering is not only legal but is done at many, many companies. There is *absolutely no constraint* to use a clean room in reverse engineering.
The first clean room reverse engineering that I'm aware of is Phoenix of IBM's BIOS. They had *no* legal requirement to clean-room reverse engineer the BIOS. If they wanted to, they could hire IBM BIOS engineers for the job. However, by doing a clean room implementation, they ensured that they had a counterargument to *any* potential IBM claims of infringement. Had they not used a cleanroom tactic, they might have had to actually have folks look at the code and at what people were doing with the code if charged with infringement. While this can be useful -- it's an immediate shutdown to any argument IBM might raise about infringement in court, and the judge doesn't even need to see the code -- it is definitely not necessary. I can look at GPL code and use the same approach said code does as long as I am not copying code verbatim (note that changing variables or something is not sufficient -- the work must be done by you, not be a mangled version of the original).
That being said, WINE has long had a policy of *not* accepting access to Windows source code. They've had people with access to it volunteer to give them stuff in the past, and they want to do a pseudo-cleanroom approach, since it makes matters simple from a legal standpoint. WINE will probably continue to ignore the source (and the WINE maintainers now have to worry about people submitting WINE patches containing Windows source...they may require indemnification or God knows what).
From a security standpoint, this is an utter disaster to Microsoft. They haven't had the benefit of many eyes all these years, and now they have a fucking lot of malicious eyes, and ten years of holes to remove in a week or so before the nastier exploits come out. None of those eyes have any incentive to submit patches to Microsoft. There will be attacks on relatively hardened systems, too.
This is going to suck for friends and family that I have using Windows.
Re:The EML Files (Score:4, Insightful)
Re:A bit about the developer... (Score:1, Insightful)
Re:Here is a Torrent link ... 200MB download (Score:2, Insightful)
What in God's name is wrong with you people?
Do you even think about how many coders work for Microsoft? How many work for companies that depend on Microsoft technology? Do you think about the fact that people are busting their asses writing code, trying to make a living? Who cares about whether MS is full of crap or not? All companies have marketing. That's how business works.
You don't go and steal everything from a store just because the electricity goes out! It has repercussions! I have friends that work for Microsoft, and believe it or not, they are incredibly intelligent, honest, and good people. Each time you post a torrent link, you're helping to screw them.
You disgust me. This is NO DIFFERENT than a bunch of morons looting stores after a big game, just because they can... Can you possibly think that promoting these links on slashdot doesn't have a harmful effect? But you don't care about that. You just want to get your little jollies off thinking how neato it is that you can do something and a big corporation can't stop you.
Congratulations.
Comment removed (Score:5, Insightful)
One Man's Source Code Is Another Man's Virus (Score:3, Insightful)
Stop and think about it. Regardless of whether or not the leak was intentional or not, it hurts us. If the code leak was deliberate, it was a brilliant move, strategically. It will hurt the open source community far, far more than it will hurt Microsoft. In fact, this is probably the biggest punch Microsoft has landed on the face of Linux. If it was unintentional, the net result is the same. Here's why.
Think of the leaking of the Win2K/NT source tree as a virus.
It's a virus designed to undermine the credibility of open-source community. It operates by exploiting two well-known vulnerabilities in open-source coders---Their curiosity, and their propensity for sharing. The dispersal of portions of the Win2K/NT source tree effectively taints the entire open source community's efforts to develop cleanly. Think about it. By leaking the code, every new OSS project that has anything even remotely to do with Windows interoperability can now be accused of having its hand in (at best) an unethical cookie jar. The folks who maintain Windows-interoperable projects now have to second-guess every new submission they receive. Even worse, the availability of portions of the Win2K/NT source tree means the functional validity of all open source projects can now be called into question. Before, it was certain that any "feature" present in open-source software was the result of hard work, close observation, and the occasional dose of clever back-engineering. Now that we can see over the fence, we can be accused of everything from violating Microsoft's intellectual property rights to wholesale misappropriation of entire blocks of Windows code. Sort of makes SCO's accusations seem a little more well-grounded, doesn't it?
The sad thing is, the virus is having an easy time making the rounds, since there's nothing we can do to stop it. We can't become "less curious". We can't become "less industrious". The only way to avoid being under the cloud of suspicion is to stop developing altogether. Just watch what happens. My guess is, by the end of this year, the trade rags are going to begin to equate open-source software with "questionable parentage".
This game is gonna get interesting in a hurry.
probably a source code source that's going to last (Score:2, Insightful)
I wonder how many people will start using freenet just to get the sources and not get tagged as "one that downloaded the sources".
Possible reason.... (Score:3, Insightful)
Source code for Windows NT and 2000 was leaked onto the internet. Microsoft fear that the source code being open to view could make it easy for hackers to attack these systems
So there you have it. Source code readable by plebs = security risk, a statement that will reflect on FOSS in the minds of joe public if you tell them that the Open Source means readable source code.
Hmmmmmm....
Re:Here is a Torrent link ... 200MB download (Score:1, Insightful)
Estimated 300,000,000 computers run with Windows NT/2K/XP and the source code is under seal, known security holes take 6 months to be fixed, where are the responsible and intelligent people at MS taking 6 months to fix it? Are they all taking vacation?
See, your friends may be true friends of yours, granted - but this is a corporation which doesn't behave as friendly, honest and ethical as your friends who work there. Enron employees are surely more honest than the managers who screw Enron.
So, just because you have sympathy for your friends working for MS doesn't make MS be like your friends. See the bigger picture of this leak!
Re:One Man's Source Code Is Another Man's Virus (Score:3, Insightful)
Filelist shows virus infection? (Score:3, Insightful)
Re:it's true (Score:3, Insightful)
As shown with Mozilla and OpenOffice.org.
Re:NTFS... (Score:1, Insightful)
It was done intentionally!!! (Score:4, Insightful)
Re:Why does trash attract so much interest? (Score:1, Insightful)
Hey, edit.com was quite nice too. Split windows, automatic indenting, and other stuff all in a console text editor.
Re:Why worry about Wine??? (Score:2, Insightful)