Fog Creek Software
Discussion Board




Leaked W2k Source code.. is it real?

I figured I might as well start the topic and be done with it. It's only a matter of time anyway, and we all have thoughts and opinions on this.. don't we?

A zipfile is circulating on Kazaa and other nets. A file list has been spread about on the web and it looks legit to me. (Well, not legit, but it looks like the real thing.)
Check slashdot or neowin.com for more info.

Have you looked at it?
Do you think it's real?
And what do you think will happen if it is?



Eric Debois
Thursday, February 12, 2004

I've seen the file list, but not the ZIP file. I won't believe a ZIP file exists until I see it. I used to work at Microsoft on the Windows 2000 QA team and the file list looks pretty real.

runtime
Thursday, February 12, 2004

"And what do you think will happen if it is?"

<g> if it's the complete set of code, then there are no less than _12_ different bugs I'm going to be fixing asap.

FullNameRequired
Thursday, February 12, 2004

... or the more intriguing question: In the days of the Internet, why did it take so long?

FredF
Thursday, February 12, 2004

If it is real, then anyone who intends to contribute to things like Samba, Mono, etc, might think twice before looking at it.

Would you be able to prove that you didn't take ideas from it and put them into some open source project?

Of course, it's unlikely that "they" would be able to prove that "you" even looked at it, but still....

Michael Kale
Thursday, February 12, 2004

You mention neowin.com which is one of those fraudulent sites run by the mafia to reel suckers in. Your reason for mentioning this site is what again?

Is JoS under a full sized guerilla marketing attack by disreputable underworld elements?

Dennis Atkins
Thursday, February 12, 2004

Could this be a strategic move by MS to get a legal "foothold" on the open source community?
I agree that it may serve as that whether intentional or not.

Eric Debois
Thursday, February 12, 2004

Now this is interesting. So neowin (which probably used to be something useful that got hijacked) forwards to the notorious mafia attack site seek2. But after pinging seek2, I got instantly hit with a DNS attack. Fortunately I have more than one IP address and was able to get back on.

A few minutes ago there was a post that was deleted which pointed to another internet fraud scam the home page of which contained 220k of html, plus images. It managed to take down my browser, possibly exploiting some weakness in it...

Be careful what you click on - the organized crime syndicates that have hired all the script kiddies and script teens are extremely active nowadays.

Dennis Atkins
Thursday, February 12, 2004

OK, I see - Eric meant to mention neowin.net. That's where the talk is going on, though their server has gone down. Stay away from neowin.com unless you are locked down.

Dennis Atkins
Thursday, February 12, 2004

Ahh yes... sorry about that.. neowin.net it is...

Eric Debois
Thursday, February 12, 2004

Michael Kale, the open source people will survive without that kind of tainted information thank you. If anything, without some of the free stuff out there, the commercial stuff would never have the inspiration to be anywhere as good. Again, the argument is, should the Samba team benefit? The real question is, why did Microsoft, an international IT company, decide to make a commodity file transfer protocol closed source?

Li-fan Chen
Thursday, February 12, 2004

Michael, you are right though, it won't be right to read this code, most OSS projects have prominent notices or discussions to make this clear.

Li-fan Chen
Thursday, February 12, 2004

"Be careful what you click on - the organized crime syndicates that have hired all the script kiddies and script teens are extremely active nowadays."

keep wearing your tinfoil hat old boy :)  that'll mess 'em up.

FullNameRequired
Thursday, February 12, 2004

I agree with the runtime.

I used to work at Citrix, a Windows source licensee.

The list of files looks real.

Mark
Thursday, February 12, 2004

'Would you be able to prove that you didn't take ideas from it and put them into some open source project?'

Last I checked, you aren't required to prove it.


Thursday, February 12, 2004

Looks to be real.  Here are some interesting comments gleaned from a recursive grep:

// hack, get the pid for netscape.exe so we can make it run slower

// this might result in a buffer overflow, but it's not an accessible api so no security risk

// passes my test data, good enough to ship :)

// yet another optimization for IE

(Just kidding folks... for the humor impaired)

Should be working
Thursday, February 12, 2004

If it's a hoax it's a good one.

The responsibility lies with Microsoft to prove anyone involved with an open source project has seen this leaked source code before they can claim they copied from it.

You're innocent until proven guilty, remember.

So I don't think this really has any implications for Open Source software. They can't use the code, and Microsoft can't use it to sue people (unless they're stupid enough to download and use the code).

However, if someone anonymously cleanroomed it, it could be interesting. Then the people actually writing the Open Source code wouldn't be tainted, and things could get really interesting. Microsoft wouldn't be able to stop them, as far as I can tell. They'd be able to go after whoever actually read the code and produced the doco, but that's not going to get the code out of the Open Source projects.

Sum Dum Gai
Thursday, February 12, 2004

I wasn't suggesting that the folks writing Samba and other windows interop products *need* something like this.  Or that they would look at it with the intent of getting insider info from it.  I have nothing but respect for both the intentions and coding ability of most open source people...

I was merely suggesting that it might be safer to be able to say "I've never seen the windows code".

Michael Kale
Thursday, February 12, 2004

"keep wearing your tinfoil hat old boy"

You're right, there are no exploits. The internet is safe. Firewalls are not needed. We have always been at war with Microsoftia.

Dennis Atkins
Thursday, February 12, 2004

<g> I have problems with you Dennis, I can't decide to my own satisfaction whether you are a wildly unstable paranoid schizophrenic, or a smartish guy with a wicked sense of humour.

FullNameRequired
Thursday, February 12, 2004

I've not seen either, but remember reading somewhere about reconstructing the list of windows (kernel) source files from publicly accessible information - mainly symbol files I think.

Rob Walker
Thursday, February 12, 2004

Thanks Full Name, but does it have to be one or the other?

Dennis Atkins
Thursday, February 12, 2004

"Thanks Full Name, but does it have to be one or the other?"

good point :)  ok, I'll assume you are a wildly unstable paranoid schizophrenic with a sense of humour..

<g> possibly explains why you make me feel mildly unsafe even in my own home..

FullNameRequired
Thursday, February 12, 2004

From Neowin's site:  "This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bear thinking about."

If true, could just be what MS needs to get off their ass and fix it rather than adding features.

It probably was a compromised XP firewall that let the bad guys in.  Darn it.  This was the most secure version of Windows ever.

Ballmer's new chant:  Deny, Deny, Deny.

"In today's financial news, Microsoft lower"

Laurel
Thursday, February 12, 2004

What's the betting it was leaked from a "shared source" government partner?

More interesting, I bet the code contained identifying fingerprints so that Microsoft can identify which partner the code was released from.

Whoever did this should probably start looking for a new job or hiring a (criminal) lawyer.

me
Friday, February 13, 2004

I've heard it was leaked from inside Microsoft. The story I've heard was that someone hacked in and put it on their public ftp site.

Of course, it's all just speculation, since I doubt Microsoft is going to tell us exactly what happened.

Sum Dum Gai
Friday, February 13, 2004

it's real if partial--

http://www.washingtonpost.com/wp-dyn/articles/A37648-2004Feb12.html?nav=most_emailed

frankly i'm surprised it took this long to be widely leaked. i'm sure that nefarious people have had portions of the source code for years, be it from disgruntled employees or corporate espionage or one of the partners microsoft managed to yank the rug out from under. i never quite understood the 'showing the source to everyone is dangerous, so we'll just give it to the chinese government' model.

mb
Friday, February 13, 2004

Here is the official statement from MS http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.asp

"REDMOND, Wash., Feb. 12, 2004 -- On Thursday, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. It’s illegal for third parties to post Microsoft source code, and we take such activity very seriously.

We are currently investigating these postings and are working with the appropriate law-enforcement authorities.

At this point it does not appear that this is the result of any breach of Microsoft’s corporate network or internal security.

At this time there is no known impact on customers. We will continue to monitor the situation. "

I am a bit skeptical about the "no known impact on customers" bit. I know the Windows sources have become more and more open in recent times. Governments, edu's (my money is on this group for the leak), MVP's ... the access was becoming quite widespread. Still, there is a substantial difference between "a limited group of known individuals" and "the whole of the blackhat community".

I have always believed that public access to the source code in the MS case would not be a good thing for customers for several reasons.
The two main ones I believe are the imbalance between the attacker and the defender, and the loosening of the interface boundary.
Let's take the imbalance thing first. The "defender" community has to plug every little hole in an incredibly big and complex codebase to succeed in total safety. By contrast, the "attacker" community just has to find one flaw to succeed, so even if the defenders were 100 times better than the attackers, they would still not be successful.
As for the loosening of the boundary: history has shown that no matter how many warnings are put out, no matter how difficult you try to make it, no discouragement is enough. Developers always try to use whatever knowledge they can glean, even when there do not seem to be any benefits whatsoever, to build code that transgresses the designated interfaces. Raymond Chen's blog http://weblogs.asp.net/oldnewthing/ has at times shown us some nice examples of this behavior.

So who's having a field day (apart from the obvious group that will just "learn" from this code and use it to improve other systems, but that is a different story)? The people that are out to harm you on purpose and the ones that are out to do it through pure stupidity. Great!

It will be interesting to see what spin MS is going to put on this now that it has happened. Robert? http://scoble.weblogs.com/

Just me (Sir to you)
Friday, February 13, 2004

Preliminary examination seems to show that the source was leaked from a Nimda infected machine at Mainsoft.

Nice irony, isn't it?

Renaud Martinon
Friday, February 13, 2004

Right, right, we all have thought and opinions on this... so, where can I get it?

TJ Haeser
Friday, February 13, 2004

thoughtS

TJ Haeser
Friday, February 13, 2004

Now MS has become "Open Source". What will MS do when some public spirited hacker writes a patch for a security hole, possibly even before it happens?

a) Pay them
b) Thank them and offer them a job
c) Thank them and send them a free 3D plastic clippy.
d) Sue them

Answers on a postcard please.

Stephen Jones
Friday, February 13, 2004

Apparently "the code is littered with profanity" (according to the BBC News website). Well, who would have guessed it ;-)


Friday, February 13, 2004

In my previous job I worked at a large investment bank that had access to the MS OS source code (one of the first I think).  I seem to remember that it was several gigs or so, so whatever has been posted is presumably small.  I did have the good 'fortune' to see the code, but only two people had access to the code itself on certain machines, we just looked over their shoulders out of pure curiosity.  There were all sorts of non-disclosure agreements and things.  If I was MS I'd start looking at places like that.

Barry
Friday, February 13, 2004

<conspiracy>
Microsoft leaked the code deliberately so it would be incorporated by the open source community.  Then they'll try and sue everyone in sight.
</conspiracy>

Drat! No cool handle
Friday, February 13, 2004

"seem to remember that it was several gigs or so, so whatever has been posted is presumably small."

Most reports are that the code is a compressed version of around a CD worth of code.

Mind you there is one metric that humors me: I've seen several comments stating that the complete code is 40 million lines, and comes in at about 40GB -- So the average line of code is 1,000 bytes? I think they use overly descriptive variable names....

I've noticed several comments on differing boards mentioning the "unprofessional comments", and this reminds me of back when I was at a small engineering firm when they brought in an "Enterprise Programmer" to shape things up. One of his comments was that we needed strictly professional, absolutely utilitarian comments (you know -- the classic pre-function header blocks redundantly, and often divergently, telling brilliant things like the name of the function and the names and types of the variables). Being the only programmer with any real code portfolio at the firm, this was pretty much directed at me as I regularly wrote meandering comments, expletives, etc. throughout my code. After working with several teams in differing sizes and types of organizations, I have to state that I will, without an ounce of hesitation, take "natural speak" `dialogue comments' over completely redundant so-called professional comments any day, and it increases my respect of Microsoft knowing that they don't have a McLeader proclaiming that all comments must follow strictly defined criteria and satisfy board reviews, etc.

Dennis Forbes
Friday, February 13, 2004

What are comments?

veal
Friday, February 13, 2004

I had to go look up the bbc article mentioned. Here's the link and the relevant quote:

http://news.bbc.co.uk/1/hi/technology/3485545.stm

>Fourthly, for Microsoft to have this code paraded in public is hugely embarrassing. Not least because the code is littered with profanity and might show that many Microsoft programmers do not do a very good job.

>In the past independent programmers that have deconstructed other Microsoft applications have been shocked at what they found within the code. Rivals and critics will be able to see exactly how Microsoft staff do their work.

--

On another topic:

LOC counts don't include comments or blank lines. Not including comments is why the source averages to 1000 bytes per code line.

Dennis Atkins
Friday, February 13, 2004

...and graphics and sounds.

To those of you who haven't been reading Slashdot or TheRegister, it seems that a core dump identifies that these files at some point were on the machine of a now-CTO at Mainsoft, MS partners and makers of Windows-on-UNIX products.

Either a hard disk was not properly wiped or a backup tape got in the wrong hands.

My guess is that this 15% is a very important 15% and a lot of the code that was left out was non-MS property like device drivers.  Seeing as Mainsoft is one of the steps along the leak trail, I would imagine this source has everything you would need to write software on any OS that is compatible with Windows stuff.

This is BAD news for MS.

Richard P
Friday, February 13, 2004

> What are comments?

They're what the unlucky sap who has to fix your bugs reads so he knows what your code was supposed to do.

Brian
Friday, February 13, 2004
