Microsoft follows Valve? (Win2K/NT Source Code Leaked)

[w0lverine]

http://www.antionline.com/showthread...hreadid=254657

[edit]

not a secret any more..... . we know that a portion of code has leaked, what we don't know haw significant this portion is. where the hell is that code i would love to lay my hands on it

[MrLinus]

Sorry, unixjim, I had to merge yours with the existing thread.

What I find interesting was that originally MS denied the Source was leaked but then within hours reversed that statement to say that it actually was leaked on Thursday (?!). I think there's a little more going on than what they are telling people. I wonder if there was in fact a situation similar to what happened to Valve, especially given that it was only a portion of all the code rather than the full OS.

[Nizead]

The Register UK reckons its approx. 13 million lines of code leaked, out of a possible 30-40 million - contained in approx 30,000 files. The article is here:

http://www.theregister.co.uk/content/4/35547.html

[Nizead]

'Smoking Gun'............ update as to where the Win NT/2k source code leak may have come from:

http://www.theregister.co.uk/content/4/35564.html

[lpaulgib]

http://www.neowin.net/comments.php?i...&category=main

Neowin has learned of shocking and potentially devastating news. It would appear that two packages are circulating on the internet, one being the source code to Windows 2000, and the other being the source code to Windows NT. At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them. Microsoft are currently unavailable for comment surrounding this leak so we have no official response from them at the time of writing.

This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.

We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to the Microsoft's Anti-Piracy department.

Update: Microsoft's Tom Pilla has confirmed the leak stating: "Today we became aware that incomplete portions of Windows 2000 and NT 4.0 source code was illegally made available on the Internet"

[MrLinus]

More thread mergings. Good idea to do searches before posting news to see if there are existing threads around.

Has there been any indication of how this happened? MS remains mum about the details and there still seems to be some conflict between the CEO of MS (who said it didn't happen) and Pilla saying it did, as early as Thursday. I suppose if you share out your code it shouldn't be too surprising that it gets around..

I also wonder if someone like Novell might benefit from it if they can make connections between NDS/ADS.

Source: CNN

Pilla said there was no indication the leak was a result of a breach of Microsoft's corporate network. There was no known immediate impact on Microsoft customers, he said.

Microsoft has previously shared some of its source code with some companies, U.S. government agencies, foreign governments and universities under tight restrictions that prevent such organizations from making it publicly available. But the company has generally argued the blueprint to its operating system is proprietary and shouldn't be made public.

Still, because some people outside Microsoft have had access to the code, analysts said it wasn't too surprising for such a leak to occur at some point.

"I don't understand why it hasn't happened sooner because there are so many (organizations) out there that have access to the source code," said Marc Maiffret of eEye Digital Security Inc. of Aliso Viejo, California.

But analysts and security experts cautioned that it was hard to assess any potential damage the leak could cause since so few details were available.

"Frankly, I'm not sure anybody can fully assess that, other than Microsoft," said Al Gillen, research director for systems software at research group IDC.

The leak could potentially put more Windows users at risk because it opens the door to more people finding vulnerabilities in Microsoft's code -- and using them in malicious ways, Maiffret said. That could, in turn, wreak havoc on Microsoft's ability to respond with fixes in a controlled manner.

But, he cautioned, it was too early to say whether such a major threat existed.

Some experts said it seemed more likely the leak could be most valuable to Microsoft rivals.

"What people could learn from it has the potential to make other organizations that are building competing products ... make products that can compete with (Microsoft) more effectively," Gillen said.

Others noted that the greatest damage may be to Microsoft's reputation.

"It seems unlikely this is going to create a material, significant security problem," said Rob Enderle, a technology expert and principal analyst with the Enderle Group. "It's more embarrassing than anything else because it makes it look like Microsoft can't control its code."

[MrLinus]

Update: Source of Leak!

BetaNews has learned that Thursday's leak of the Windows 2000 source code originated not from Microsoft, but from long-time Redmond partner Mainsoft.

The leaked code includes 30,915 files and was apparently removed from a Linux computer used by Mainsoft for development purposes. Dated July 25, 2000, the source code represents Windows 2000 Service Pack 1.

Analysis indicates files within the leaked archive are only a subset of the Windows source code, which was licensed to Mainsoft for use in the company's MainWin product. MainWin utilizes the source to create native Unix versions of Windows applications.

Mainsoft says it has incorporated millions of lines of untouched Windows code into MainWin.

Clues to the source code's origin lie in a "core dump" file, which is left by the Linux operating system to record the memory a program is using when it crashes. Further investigation by BetaNews revealed the machine was likely used by Mainsoft's Director of Technology, Eyal Alaluf.

References to MainWin can also be found throughout the leaked source files, which do not compile into a usable form of Windows.

Prior to Microsoft's Shared Source Initiative launched in 2001, Mainsoft, which calls itself "the software porting company," was one of only two partners with access to the Windows source code under Microsoft's Windows Interface Source Environment (WISE) program.

The goal of WISE is to enable developers to write applications using Windows APIs and deploy them on Unix operating systems such as Linux.

Mainsoft extended its WISE agreement with Microsoft in March 2000 to include access to the Windows 2000 source. Microsoft subsequently employed Mainsoft to port Windows Media Player 6.3 and Internet Explorer to Unix.

Although the leak poses a serious threat to Microsoft's intellectual property, its limited scope is sure to help the company alleviate fears of potential disaster. Microsoft has opened an investigation with the FBI and says its internal security in Redmond was not affected.

Because Mainsoft used only select portions of the Windows source for MainWin, Microsoft may find itself more worried about the egg on its face than possible exposure of its flagship operating system; Windows 2000 served as the foundation for Windows XP and Windows Server 2003.

It is not clear at this point how the three and a half year-old source code escaped Mainsoft.

[sumdumguy]

mainsoft's statement says hardly anything at all.
http://www.mainsoft.com/statement.html

Joe Wilcox, a Washington, D.C.-based Jupiter Research senior analyst.. needs to get his head out of the sand..

"I would consider it fairly unlikely that the Windows 2000 and Windows NT source code has leaked. However, if any source for either operating system were to leak on the Internet it would be devastating for Microsoft."
http://www.infoworld.com/article/04/...croleak_1.html

mecurynews doesn't add much..
http://www.mercurynews.com/mld/mercu...te/7949332.htm

but here is more from M$-- a rehash of mostly non interesting comments..
http://www.microsoft.com/presspass/p...dowssource.asp

REDMOND, Wash., Updated Feb. 13, 2004 -- On Thursday, February 12, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. Subsequent investigation has shown this was not the result of any breach of Microsoft’s corporate network or internal security, nor is it related to Microsoft’s Shared Source Initiative or its Government Security Program, which enable our customers, partners and governments to legally access Microsoft source code.

Microsoft is working closely with the U.S. Federal Bureau of Investigation on this matter. Microsoft source code is both copyrighted and protected as a trade secret. As such, it is illegal to post it, make it available to others, download it or use it. Microsoft will take all appropriate legal actions to protect its intellectual property. Questions about the investigation should be referred to the FBI.

Microsoft reaffirms its support for both the Shared Source Initiative and the Government Security Program.

[Negative]

For those who downloaded the source code:

Statement from Microsoft Regarding Illegal Posting of Windows Source Code
Microsoft continues to work closely with the U.S. Federal Bureau of Investigation and other law enforcement authorities on this matter. Microsoft source code is both copyrighted and protected as a trade secret. As such, it is illegal to post it, make it available to others, download it or use it. Microsoft will take all appropriate legal actions to protect its intellectual property. These actions include communicating both directly and indirectly with those who possess or seek to possess, post, download or share the illegally disclosed source code.

Specifically, Microsoft is sending letters explaining to individuals who have already downloaded the source code that such actions are in violation of the law. Additionally, Microsoft has instituted the use of alerts on several peer-to-peer clients where such illegal sharing of the source code has taken place. These alerts are designed to inform any user who conducts specific searches on these networks to locate and download the source code that such activity is illegal.
...

The last paragraph in the quote is interesting, and this is what the "letter" from MicroSoft supposedly looks like:

Steven Bink and Ryan Hoffman

To the user at [ip removed]:

The unauthorized copying and distribution of Microsoft’s protected source code is a violation of both civil and criminal copyright and trade secret laws. If you have downloaded and are making the source code available for downloading by others, you are violating Microsoft’s rights, and could be subject to severe civil and criminal penalties.

Microsoft demands that you immediately (1) cease making Microsoft’s source code available or otherwise distributing it, (2) destroy any and all copies you may have in your possession, and (3) provide us any and all information about how you came into possession of this code.

Microsoft takes these issues very seriously, and will pursue legal action against individuals who take part in the proliferation of it source code. We look forward to your prompt cooperation. Should you need to contact me, I can be reached at the address above

Very truly yours,

By
J.K. W.

You could be faced with charges of trade-secret violations on top of software patent infringements

[Vorlin]

IMHO, why anyone would want to get the source code for Windows 2000 or WinNT is beyond me. It's been long known that if the source code was released, better fixes/etc could be made but then if you look at the fact that the code is so filled with holes, multiple layers involving different levels of experience, etc...it doesn't make it easy to fix anything. Instead of fixing the problem in foo.cpp in function do_this on line 192, they make a quick-fix in foo2.cpp which is referenced at line 18382. Not very easy. I wouldn't want to try to hammer out anything in windows source code at all, regardless of how much I'd like to fix anything. Not to mention, MS will put the money out to A: find and prosecute those who have the code or anything related to it, or B: a reward for turning it in, which is futile because it's all over kazaa/torrent/etc.

As for unix having more bugs, yeah..I would think so considering it's been around for 40 some-odd years. MS has been around for about 20 now. And MSIE is NOT secure.