Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Thursday, February 12 2004 @ 07:08 PM EST

UPDATE:

Now Microsoft confirms but says it isn't massive:

Microsoft spokesman Tom Pilla said in an interview with The Associated Press that some incomplete portions of the Windows 2000 and Windows NT4 source code had been "illegally made available on the Internet."

According to one security expert, it's about a CD's worth:

The 203MB file contains the code that appears to be from Microsoft's enterprise operating system, but the code is not complete, said Dragos Ruiu, a security consultant and the organizer of the CanSecWest security conference, who has examined the file listing. . . .

The 203MB file expands to just under 660MB, he said, noting that the final code size almost perfectly matches the capacity of a typical CD-ROM. The entire source code, he said, is believed to be about 40GB, meaning that the file circulating Thursday would be only a fraction of the full code base . . .


Original Article:

You probably heard that Slashdot has a story that there may have been a massive leak of code from Windows 2000 and NT. Microsoft denies it.

Groklaw normally doesn't report rumors, but in this case, it seems appropriate to say something early. If there is such a leak, I hope nobody looks at this code. Not one peek.

Here's why, taken from Franklin Pierce's "Copyright for Computer Authors" by Thomas G. Field, Jr. on avoiding copyright infringement:

As discussed earlier, copyright gives owners the exclusive right, for example, to reproduce protected subject matter (such things as ideas and facts being excluded). Sometimes a question arises as to whether a second, similar work was copied or independently created. If the person creating a second work had access to the original work and the works are virtually identical, copying is likely to be presumed even if the chance of access is remote.

Anyone looking at this code could bring to an end any opportunity to contribute to FOSS software in the future.

That's just copyright issues. Copyright isn't the only issue. Patents, trade secret, it's just a minefield. I hope the rumor is false, but if it isn't, please speak to your attorney and to FSF prior to even thinking about looking at such code.

And that isn't even addressing the Big Lie issue, with proprietary software companies trying to convince the world that open source coders are dying to steal software and use it to "attack" companies. Exhibit A, Ms. DiDio. If I put my tinfoil hat on, I'd wonder if this "leak" was deliberate, judging by the speed with which the PR machine went into gear, predicting that this leak will lead to such problems. Here is an example of what I mean, an article blatantly setting forth that open source leads to foul play the very same day the story of the MS "leak" occurs. It has the smell of an organized campaign, but I hope not. For now, let's just hope it didn't happen in the first place.

As for an increase in security problems, I think that might be hard to achieve. Microsoft has announced more security problems, one of which it took them half a year or so to fix. Some say it's the worst yet. The headline in the LA Times [sub req'd] says it all: "Peril in Microsoft's Laxity." In other words, Microsoft appears well able to achieve world records for security problems all on its own.

So much for security through obscurity.

Gartner has an interesting report too. It seems a lot of customers are not upgrading:

Microsoft's controversial software licensing scheme has delivered little value and many users will not renew their agreements when they expire this year, according to Gartner.

The analyst estimates that 30 per cent of contracts with Microsoft's biggest customers for the Software Assurance (SA) maintenance programme will be up for renewal in the next six months.


  


Microsoft Denies Leaked Code
Authored by: Anonymous on Thursday, February 12 2004 @ 07:45 PM EST
Laura Didio just went off the deep end again:

http://www.internetnews.com/ent-news/article.php/3312451
---
Conspiracy theories aside, there are two real threats to Microsoft if
substantial code has been leaked, according to Yankee Group senior analyst Laura
Didio: even worse security for Microsoft apps and bootleg copies of the software
being passed around like bottles of Thunderbird wine.

Didio told internetnews.com that valid threats are on the increase because the
people creating the attacks are more sophisticated -- and the technology is more
available.

"Up until now it was more like the 70 - 30 rule, where 70 percent of the
threats are bogus. Now it's more like 50 - 50," Didio said. "With the
open source community, there are a large percentage of tinkers and 'ankle
biters' who are trying their hand at hacking. Some are even communicating with
each other. So it only takes one or two of these groups sharing information to
be able to pull something off. When you have this type of passion, it's hard to
fight because these people are like virtual suicide car bombers."
---

wow.

-brendan

[ Reply to This | # ]

Microsoft Denies Leaked Code
Authored by: Anonymous on Thursday, February 12 2004 @ 07:54 PM EST
The UCB CSRG folk spent 15 years looking at the AT&T restricted code.
Karels, Bostic, and McKusick co-founded BSDi and then released NET/2 to the
public, and themselves.

The SCO group has no IP problems with them or BSD. They are code poets and
heroes, so talk to their lawyer first...;-)

[ Reply to This | # ]

Microsoft Denies Leaked Code
Authored by: Anonymous on Thursday, February 12 2004 @ 07:59 PM EST
I have absolutely no interest in looking at any of their nasty buggy code. Heck,
it's probably all written in vbscript anyway. :)

Void

[ Reply to This | # ]

Microsoft Denies Leaked Code
Authored by: Pierre on Thursday, February 12 2004 @ 07:59 PM EST
Couldn't this just up the ante for Microsoft when it comes to proving that you
had access to the source code? Couldn't a defendant simply assert that, yes,
they could have downloaded the source code, but who couldn't?

If leaked source code can contaminate all of OSS by default, just which model is
viral again, exactly?

Pierre

[ Reply to This | # ]

Microsoft Denies Leaked Code
Authored by: talamacus on Thursday, February 12 2004 @ 08:00 PM EST

This post is also available on my own site. I choose to make it available under the Creative Commons License.

So, there's a big fuss about how Windows source code may or may not have been leaked onto the internet.

Regardless of the veracity of this rumour, the blame has already been laid at the feet of OSS developers by the inimitable Laura Didio.

The following is quoted from InternetNews.com

Didio told internetnews.com that valid threats are on the increase because the people creating the attacks are more sophisticated -- and the technology is more available. "Up until now it was more like the 70/30 rule, where 70 percent of the threats are bogus. Now it's more like 50/50," Didio said. "With the open source community, there are a large percentage of tinkers and 'ankle biters' who are trying their hand at hacking. Some are even communicating with each other. So it only takes one or two of these groups sharing information to be able to pull something off. When you have this type of passion, it's hard to fight because these people are like virtual suicide car bombers."

Sure, there are a whole bunch of tinkers in the OSS community. People who like to see how stuff works. Benjamin Franklin was a great tinker too, when he wasn't busy being distracted by politics.

Didio is a little behind the times on the communications issue: the whole point of a community is communication, we'd be a little hard pressed to produce such great works as the Linux kernel if we didn't talk to each other once in a while.

I think Groklaw is a great example of how our passion drives us, leads us to achieve goals that are far beyond the abilities of any single member of the community. It's exactly the flavour of blind propaganda espoused by Ms Didio that further sparks that passion.

Virtual suicide car bombers? That's exactly the kind of sensationalist, emotional nonsense that I would expect from somebody who has exhausted the realm of logic in trying to justify their own position. In the same way that a usenet conversation can be ultimately ended according to Godwin's Law, Ms Didio's ability to offer rational opinion is devolving into a public attempt to discredit the entire OSS community by slinging insults thinly disguised as 'professional analysis'.

Of course, whilst she, and others like her, still have the ear of major news organisations, the particular brand of hysteria that they attempt to promulgate will still be the dominant source of 'informed opinion' that the industry and public as a whole are exposed to.

So, we need to start playing the same game. We need to start defending our community from such libellous attacks on our collective character in the media, by ensuring that our voice is heard equally and without prejudice.

Wow... just had to move this from posting at the foot of the last Groklaw story to the top of this one. Things sure move quickly around here, and hopefully here this comment is more relevant. This is something that I feel we can really hope to achieve, and Groklaw is the perfect forum for a reasoned discussion. I hope that we can collectively make a difference.

[ Reply to This | # ]

I Think I'm Having A Brain Fart...
Authored by: Weeble on Thursday, February 12 2004 @ 08:06 PM EST
"You probably heard that Slashdot has a story that there may have been a
massive leak of code from Windows 2000 and NT. Microsoft denies it."

I seem to recall reading something the other day (here or linked from here?)
that there was supposedly a big code steal from M$'s servers as WinXP was about
to go gold and that it might be part of the source of the exploits used in the
MyDoom series. Anybody else remember seeing that?

Also, I have a *vague* memory of a similar report being circulated at the time
of XP's "run for the gold".

Anybody else remember any of this, or am I just having a brain fart?

---
"Every time I think I've heard it all from SCO, they come
up with a new howler." Steven Vaughan-Nichols, eWeek

[ Reply to This | # ]

Is this like Hollywood lawsuits?
Authored by: Nick on Thursday, February 12 2004 @ 08:08 PM EST
When there is a lawsuit in Hollywood saying, "Hey, I sent in a script about XYZ
years ago, and they just made a blockbuster with my same ideas in it but
gave me no credit or money," one of the defenses seems to be when the
scriptwriter or producer or director can honestly say, "I never saw that script
in question," or "this is why I never look at unsolicited scripts." In other
words, they try to ensure that no one can sue them down the road for
stealing ideas. They have to be careful not to even look at scripts sent to
them not on spec.

Is that a similar legal concept to what could happen here? Is it the same
copyright avoidance at work by being scrupulous not to even peek at the
code? To make it clear that you would never look at such code?

[ Reply to This | # ]

The smear has begun
Authored by: Anonymous on Thursday, February 12 2004 @ 08:10 PM EST
The great smear attack against open source software has begun. I'm sure that MS
and others are behind this.

The object is to use the "big lie" tactic and the "one of them
did it so they're all guilty" tactic. Both of these are common tactics
used by propagandists and bigots, and they work *very* well.

Expect the press to start getting saturated with Didio-esque smear campaigns--
campaigns calling OSS people terrorists, communists, "hackers,"
anarchists, etc. The object here is not to change the minds of the educated, as
laughter is the only thing they get from anyone who knows what they're talking
about. The object here is to get this into the hands of suits and politicians
to head off the possibility of a major exodus from proprietary platforms... and
maybe get some nice juicy anti-OSS legislation out of it too!

There are firms that specialize in this type of thing. Astroturfing is not a
myth-- it is a common tactic employed by many special interest groups.

[ Reply to This | # ]

The DevX editorial
Authored by: jhk on Thursday, February 12 2004 @ 08:11 PM EST
I think that the editorial by A. Russell Jones is either a coincidence or
inspired by the alleged leak. In my experience he is critical of OSS because he
wants it to get better. He has written other editorials with a somewhat
controversial viewpoint. I wrote him in reply to one of those and received a
long and well thought out response. Not typical of a hired hack. :)

[ Reply to This | # ]

Microsoft Denies Leaked Code
Authored by: Anonymous on Thursday, February 12 2004 @ 08:14 PM EST
On the other hand, if it is a real leak: what if there was GPL'd code that
Microsoft had put in its own code without attribution? And was found out by
this means.

[ Reply to This | # ]

Microsoft Denies Leaked Code
Authored by: Stumbles on Thursday, February 12 2004 @ 08:17 PM EST
Well....... as I put my tin foil hat on.

Maybe Microsoft accidentally leaked that source code so they can accuse and have some flimsy basis that open source is attacking the proprietary world.

Frankly given all the underhanded things they have done so far, I would not put it past them.

[ Reply to This | # ]

Probably wasn't any...
Authored by: inode_buddha on Thursday, February 12 2004 @ 08:18 PM EST
...F/OSS involved. Remember, MS has shown the code to plenty of 3rd parties,
including countries, universities, etc.

---
"Truly, if Te is strong in one, all one needs to do is sit on one's ass, and the
corpse of one's enemy shall be carried past shortly." (seen on USENET)

[ Reply to This | # ]

Bogus, even if true
Authored by: Anonymous on Thursday, February 12 2004 @ 08:28 PM EST
1. I checked what some ex-Microsoft people are saying on their board. They don't
even seem to be discussing it at all. And if there was a real issue, I bet they
would be.

While this is purely circumstantial, and not proof either way, I think it likely
that the story is based on a hoax.


2. Source being a danger for hack attacks?

Sorry this is just way off.

The number 1 and number 2 dangers in Windows are open ports and buffer overflow
exploits.

Having the source has no bearing on either.

Ports are a configuration/firewall thing, and in any case, can be readily
observed without reading the source.

Buffer overflow requires the assembler/machine code version of the code and
looking for where you can break the stack frame.

Guess what? *Every* person with an official Windows release has that *already*.
The source is *not* helpful for finding these kinds of bugs, as you can't guarantee
that what you compile from the source will be the same as what is in Windows
release versions - in fact looking at the source would be a waste of time, if not
counterproductive to generating exploits of this type.

DiDio just shows her ignorance in her entire line of argument about why the
source being out there is dangerous for security (and I won't go into the other
points, if you can call them that, that she makes).


Quatermass


P.S.
I can read DiDio's articles, without signing an NDA. Does that mean they are a
danger to decent people?

[ Reply to This | # ]

What if
Authored by: Anonymous on Thursday, February 12 2004 @ 08:30 PM EST
What if it is leaked code and somebody uses a tool like
ESR's comparator to make a hash of it, and publishes just
the hash, so that other people can then test/compare gpl
licensed code from other places against the windows
codebase to determine if there is illegally copied code in
Microsoft Windows? What if someone's code is found in it?

[ Reply to This | # ]
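
The hash-only comparison this comment asks about, as an added sketch that is not part of the original thread and is not the comparator tool's own code or algorithm: one side publishes only SHA-256 digests of overlapping line windows, and anyone holding other code can test it against that set. The window size, the `MIN_CHARS` filter, every function name and the C snippets are assumptions constructed for illustration.

```python
import hashlib

K = 3           # lines per hashed window (assumed value)
MIN_CHARS = 30  # skip windows with less text than this, e.g. "{ / if / return" idioms

# Constructed sample inputs; none of this is real project code.
WITHHELD = """\
int clamp_len(int n, int max)
{
    if (n < 0)
        return 0;
    if (n > max)
        return max;
    return n;
}
"""

CANDIDATE = """\
/* candidate project file */
static int limit(int n, int max)
{
        if (n < 0)
                return 0;
        if (n > max)
                return max;
        return n;
}
"""

UNRELATED = """\
int sign_floor(int n)
{
    if (n < 0)
        return 0;
    return 1;
}
"""


def normalize(source):
    """Return [(original_line_no, text)], whitespace collapsed, blank lines dropped."""
    out = []
    for no, line in enumerate(source.splitlines(), start=1):
        text = " ".join(line.split())
        if text:
            out.append((no, text))
    return out


def windows(source, k=K, min_chars=MIN_CHARS):
    """Yield (first_line, last_line, digest) for each k-line window worth hashing."""
    lines = normalize(source)
    for i in range(len(lines) - k + 1):
        chunk = lines[i:i + k]
        body = "\n".join(text for _, text in chunk)
        if len(body) < min_chars:
            continue  # too generic to be evidence of copying
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        yield chunk[0][0], chunk[-1][0], digest


def fingerprint(source, k=K, min_chars=MIN_CHARS):
    """The only artifact the publishing side releases: a set of window digests."""
    return {digest for _, _, digest in windows(source, k, min_chars)}


def find_overlap(published, candidate, k=K, min_chars=MIN_CHARS):
    """Return merged (first_line, last_line) ranges of candidate found in published."""
    ranges = []
    for first, last, digest in windows(candidate, k, min_chars):
        if digest not in published:
            continue
        if ranges and first <= ranges[-1][1] + 1:
            # Window overlaps or touches the previous hit: extend that range.
            ranges[-1] = (ranges[-1][0], max(last, ranges[-1][1]))
        else:
            ranges.append((first, last))
    return ranges


if __name__ == "__main__":
    published = fingerprint(WITHHELD)
    print("re-indented copy:", find_overlap(published, CANDIDATE))
    print("unrelated file:  ", find_overlap(published, UNRELATED))
    # Failure mode: without the length filter, a common idiom counts as a match.
    loose = fingerprint(WITHHELD, min_chars=0)
    print("no length filter:", find_overlap(loose, UNRELATED, min_chars=0))
```

A digest set still lets anyone confirm a guess about what a window contains, so short or predictable code is not hidden by hashing it.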

A dangerous doctrine
Authored by: TFBW on Thursday, February 12 2004 @ 08:30 PM EST
"If the person creating a second work had access to the
original work and the works are virtually identical,
copying is likely to be presumed even if the chance of
access is remote."

This doctrine, if applied uniformly (a fairly big "if")
must have seriously nasty implications for vendors of
proprietary software. Consider: if there's something very
like an excerpt of GPL code in a closed application, then
the "chance of access" to the GPL code must be considered
rather high (it's published openly as a matter of course).
This doctrine is all very well and good when standard
practice is to keep the source code as a trade secret, but
it strikes me as having troubling implications otherwise.

[ Reply to This | # ]

The Real Reason Not To Look
Authored by: Ruidh on Thursday, February 12 2004 @ 08:31 PM EST

Because the code is so bad, it will melt your eyeballs.

[ Reply to This | # ]

Microsoft Denies Leaked Code
Authored by: Anonymous on Thursday, February 12 2004 @ 08:34 PM EST
I don't think anyone plans on copying the code anytime soon... I think it's more
we are all glad MS got pwnd. With all their talk about how closed source is
better and blah blah blah, we will soon find out how secure it really is. If
this is true (which I believe it is, if you look hard enough there are plenty of
torrents out there), it's not a matter of if there'll be worms, it's a question
of how many.

[ Reply to This | # ]

Microsoft Denies Leaked Code
Authored by: Anonymous on Thursday, February 12 2004 @ 08:35 PM EST
I have seen source code for Microsoft Windows NT, IBM DB2, and Lotus Notes. I
have seen, studied in-depth, and contributed to the development of both SunOS and
Digital Unix. Some of this has cast doubts on my ability to travel freely to
certain parts of the world (due to crypto export restrictions), but nothing
abridges my right to contribute to any other product, FOSS or otherwise. To
imply as your article implies is irresponsible, you misrepresent the risks, and
you mischaracterize the consequences. A retraction would be appropriate. The
implication is a presumption of guilt of copyright infringement. It is useful
to enforce clean-room procedures when directly reverse-engineering a product,
in order to protect from allegations of infringement. It is NOT necessary to
change careers upon seeing a given implementation.

Such a system would require all novelists to be illiterate, and all composers to
be deaf.

[ Reply to This | # ]

OT: Novell notifies SCO
Authored by: Anonymous on Thursday, February 12 2004 @ 09:03 PM EST
I think a lot of people here don't get the significance of the notice from
Novell to SCO.

1) this means that SCO has to drop all their charges about Dynix code in the IBM
trial. If they don't, IBM just shows the judge the letter and the judge
dismisses those charges. That is because in the trial SCO is claiming Dynix
rights, and Novell has ordered SCO to waive claims to those rights.

2) Disputes about whether the copyrights were transferred to SCO don't matter.
That is because even if they were, the contract unequivocally says that Novell
has the right to order SCO to waive rights.

3) Arguments about derivative code don't matter. If SCO is right and code
written from scratch and put in Dynix became part of SVR4, then Novell is
waiving SCO's rights to that code when it waives SCO's rights to make claims
regarding DYNIX.

In other words, SCO's case regarding Dynix code is dead. And once SCO sends a
similar notice to SCO regarding AIX, then the rest of SCO's case is also
dismissed. End of story (except for all the countersuit fun)

[ Reply to This | # ]

OT: Microsoft lawyer to be on antitrust panel
Authored by: Anonymous on Thursday, February 12 2004 @ 09:17 PM EST
http://www.salon.com/tech/wire/2004/02/05/microsoft/

[ Reply to This | # ]

Microsoft Denies Leaked Code
Authored by: Anonymous on Thursday, February 12 2004 @ 09:23 PM EST
There could be another angle to this "leak". Microsoft has been trying to get corporations to upgrade to the latest, greatest operating systems (XP Pro on the desktop and Windows 2003 servers) and office software (Office 2003). What better way to get it to happen than to say, "Oh, gee, we may have been leaked, and the leak was the previous version of code, Windows 2000/Office 2000/etc. Maybe you should upgrade to Windows XP Pro/Windows Server 2003/Office 2003 to prevent any possible attacks on this now (possibly, maybe, we think...) compromised code."

Think of it as "Daryl Marketing"...

[ Reply to This | # ]

Microsoft Denies Leaked Code
Authored by: Anonymous on Thursday, February 12 2004 @ 09:41 PM EST

...hey guys...

At least MS was original. They could have copied SCO and said they were getting
DoS attacks from the evil, just-as-bad-as-a-suicide-bomber, Linux hacker.
Instead they just leak the code and take care of their security and Linux
problems all in one fell swoop. Smart move on their parts. I guess this is
just one phase of their security initiative.

[ Reply to This | # ]

Microsoft Denies Leaked Code - Here it is!!!
Authored by: Anonymous on Thursday, February 12 2004 @ 10:00 PM EST
I received this a few years ago (obviously circa 2000).
I haven't seen it come back around since then so I thought
some might enjoy it.

I leave the attribution just as I received it - don't know
if it is valid.


From UnixReview.com

Win2000 Source Revealed

From my old pal Kevin G. Barkes (www.kgb.com), shortly after Bill Gates
offered then refused to release the Win2000 source code (Kevin got this
anon., so I can't ack the genius originator):

Source Code to Windows 2000

#include "win31.h"
#include "win95.h"
#include "win98.h"
#include "workst~1.h"
#include "evenmore.h"
#include "oldstuff.h"
#include "billrulz.h"
#include "monopoly.h"
#define INSTALL = HARD
char make_prog_look_big[1600000];
void main()
{
    while(!CRASHED)
    {
        display_copyright_message();
        display_bill_rules_message();
        do_nothing_loop();
        if (first_time_installation)
        {
            make_50_megabyte_swapfile();
            do_nothing_loop();
            totally_screw_up_HPFS_file_system();
            search_and_destroy_the_rest_of_OS/2();
            make_futile_attempt_to_damage_Linux();
            disable_Netscape();
            disable_RealPlayer();
            disable_Lotus_Products();
            hang_system();
        }
        write_something(anything);
        display_copyright_message();
        do_nothing_loop();
        do_some_stuff();
        if (still_not_crashed)
        {
            display_copyright_message();
            do_nothing_loop();
            basically_run_windows_3.1();
            do_nothing_loop();
            do_nothing_loop();
        }
    }
    if (detect_cache())
        disable_cache();
    if (fast_cpu())
    {
        set_wait_states(lots);
        set_mouse(speed, very_slow);
        set_mouse(action, jumpy);
        set_mouse(reaction, sometimes);
    }
    /* printf("Welcome to Windows 3.1"); */
    /* printf("Welcome to Windows 3.11"); */
    /* printf("Welcome to Windows 95"); */
    /* printf("Welcome to Windows NT 3.0"); */
    /* printf("Welcome to Windows 98"); */
    /* printf("Welcome to Windows NT 4.0"); */
    printf("Welcome to Windows 2000");
    if (system_ok())
        crash(to_dos_prompt)
    else
        system_memory = open("a:swp0001.swp", O_CREATE);
    while(something)
    {
        sleep(5);
        get_user_input();
        sleep(5);
        act_on_user_input();
        sleep(5);
    }
    create_general_protection_fault();
}

[ Reply to This | # ]

You have got to be joking!
Authored by: Anonymous on Thursday, February 12 2004 @ 10:05 PM EST
Well, O.K., someone is trying to get me to believe M$ doesn't have security in
place to prevent this, or have an audit trail of WHO DID IT?

If I am correct, don't you "check out" code, and "check in"
code when you are done? It seems to me it would be fairly trivial to compare
the "leaked" (call me sceptical that M$ would be so loose with the
jewels) code to the check-in/out journal...

[ Reply to This | # ]

The Master Plan?
Authored by: Anonymous on Thursday, February 12 2004 @ 10:05 PM EST
My tin foil hat is smokin'

I’ve been trying to avoid the whole conspiracy theory throughout the SCO drama
but what if this is all part of the master plan.

Phase 1: SCO always knew they did not have a case. They were never supposed to
win. Maybe not even get to trial. Getting bought out was not the plan either.
They’ve already been bought out, so to speak, by MS. It’s about increasing
media awareness of the perceived threats of open source (open source is
evil...read all about it!). It’s all about defeating open source. Just as
their case is beginning to unravel (we’ve known for months) suddenly they are
quiet. We now get phase 2.

Phase 2: MS * leaking * some source code. Interestingly enough this is not
their current code nor is it likely that it is the complete code but it could
contain enough trade secrets, patents and copyrights to keep the lawyers busy
with open source for years. This may not happen now as the code has just
allegedly been released. Don’t forget this is a long term plan and the stakes
are huge.

Phase 3: After open source starts making large inroads into all areas of
computing then the lawsuits start. Many of these issues have already been
brought up about being intellectually contaminated. After a period of several
years enough open source code will be written that it is likely they will be
able to find something that looks like windows code somewhere. This time
though, it’s not about legacy code that’s been around for nearly thirty years
with source that’s been owned and licensed by who knows how many people. It’s
about code that can only come from one place: MS

OK I’ll stop now. My foil hat is melting and I’ve got to take it off!

[ Reply to This | # ]

Coincidence on whois?
Authored by: grouch on Thursday, February 12 2004 @ 10:11 PM EST
whois shows the same nameservers for internetnews.com and devx.com

Are there any other ties between the two?

[ Reply to This | # ]

Fox News
Authored by: Anonymous on Thursday, February 12 2004 @ 10:12 PM EST
Fox News just reported that Microsoft says the code *was* leaked. Of course,
this is likely the old "main-stream media can't get anything right"
trick.

[ Reply to This | # ]

Microsoft Confirms Leaked Code
Authored by: Anonymous on Thursday, February 12 2004 @ 10:13 PM EST
http://www.washingtonpost.com/wp-dyn/articles/A37648-2004Feb12.html

[ Reply to This | # ]

ABCNews listing Also
Authored by: avatar on Thursday, February 12 2004 @ 10:25 PM EST
Here's another news listing concerning this, from ABC. CNN's really slow
about this, as usual:

http://abcnews.go.com/wire/Business/ap20040212_2239.html

[ Reply to This | # ]

Microsoft Denies Leaked Code
Authored by: Anonymous on Thursday, February 12 2004 @ 10:25 PM EST
So if this alleged m$ code were published some where -- let's hope not -- would
their source code still be a trade secret?

[ Reply to This | # ]

Microsoft Confirms Source Code Leaked Over Internet
Authored by: Anonymous on Thursday, February 12 2004 @ 10:33 PM EST
From eWeek

[ Reply to This | # ]

Issues with Ethics?
Authored by: photocrimes on Thursday, February 12 2004 @ 10:46 PM EST
Is someone having some concerns about ethics?

http://www.thescogroup.com/images/company/SCO_Code_of_Conduct_and_Ethics_Policy-Final.pdf

Enjoy!

---
//A picture is worth a thousand words//

[ Reply to This | # ]

She finally understands.
Authored by: Anonymous on Thursday, February 12 2004 @ 10:57 PM EST
"When you have this type of passion, it's hard to
fight because these people are like virtual suicide car bombers."

The only flaw I see for her argument is that we use our power for good and not
evil as implied. She is spot on, we have the passion and we are an unstoppable
force. I am virtual in a sense. I will stop at nothing to make sure that
everyone has a fair go at advancing humanity through computing. I will do it
legally and I am sure that some proprietary vendors consider that I am putting a
bomb under their market plans.

Join the good fight, if you are not a coder then go through some howto's,
verify that bugs are reproducible, do something even 1 hour a month makes a
difference no matter what project you choose.

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: John Hasler on Thursday, February 12 2004 @ 11:11 PM EST
IBM doesn't seem too worried about the "mental contagion" theory.

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: Anonymous on Thursday, February 12 2004 @ 11:21 PM EST
"The entire source code, he said, is believed to be
about 40GB"

Holy Cow! That's on the order of a BILLION lines of code.

How could any army of programmers ever hope to retroactively
make all that secure.

[ Reply to This | # ]

Should MS be worried about code history?
Authored by: belzecue on Thursday, February 12 2004 @ 11:22 PM EST
I wonder if MS is concerned that people will examine the code history of the
leaked material. (Not us, of course -- unless the leaked code is exposed in a
way that does not expose us to legal liability.)

What if -- regardless of the legalities of actually seeing the code -- people
can prove that MS have illegally included third-party code into Windows? Does
the fact that the code was illegally leaked override the illegality of the code
itself?

[ Reply to This | # ]

didio
Authored by: brenda banks on Thursday, February 12 2004 @ 11:24 PM EST
http://www.findarticles.com/cf_0/m2843/1_27/95501858/p1/article.jhtml
has a real problem with paranoia
maybe her early job assignments contributed to that
we must pity her because of her lack of common sense
it would seem as she is saying everyone is out to get her then she needs to seek
mental health experts maybe?
might help darl also?


---
br3n

irc.fdfnet.net #groklaw
"sco's proof of one million lines of code are just as believable as the
raelians proof of the cloned baby"

[ Reply to This | # ]

The Enderle Oracle
Authored by: belzecue on Thursday, February 12 2004 @ 11:30 PM EST
http://www.foxnews.com/story/0,2933,111306,00.html

"It seems unlikely this is going to create a material, significant security
problem," said Rob Enderle, a technology expert and principal analyst with
the Enderle Group. "It's more embarrassing than anything else because it
makes it look like Microsoft can't control its code."

Once again, Enderle knows all. Even though he has not seen the leaked code and
MS are still scrambling to determine the leaked code, Enderle still manages to
conclude that it will not create 'a material, significant security problem'.
The man is a genius.

[ Reply to This | # ]

40GB?!?!?!?!
Authored by: ErichTheWebGuy on Thursday, February 12 2004 @ 11:45 PM EST
I knew there was code bloat, but MAN!!! I bought the full boxed set for RedHat
8, which contained 5 CDs that included binaries, all the source, documentation,
supplemental apps, etc.

5 * 750 = 3750
3750 / 1024 ~ 3.6

So that's less than 4GB for everything, and I do mean everything, that was in
RedHat 8.

...

I'm speechless!

********
Erich

---
Striving daily to be RFC-2550 compliant

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: fmouse on Thursday, February 12 2004 @ 11:47 PM EST
I lived in Berkeley, CA in the late 60s. There were always people around itching for a fight with the cops, and always cops around with tear-gas at the ready. The whole thing was driven by the strong creative and socially active Berkeley community that had little to do with either group.

The point is that whenever creative people find a social outlet with power, as in the case of FOSS, there are always going to be people who are emotionally drawn to it for the same reasons the rest of us are, but whose reactions are going to be very different. IMHO, it's incumbent on the rest of us to more or less take this as an indication that we're on to something strong and right, and not waste too many words or too much time in berating either of the sides that have chosen to make a street fight out of it.

The real struggle is between the street fighters on both sides and people who are innovative and creative enough to circumvent the possibility of the disaster which would result if either side got their hands on the levers of political power. Imagine, for instance, having to have a government issued license to run a server with Linux/Apache on the public Internet. Or imagine an army of angry Luddites smashing computers in the same spirit that small-minded people with power have periodically engaged in wholesale book burning, or book-banning. It can happen, and if history teaches us anything, it probably will from time to time.

It's been said that the Internet was designed to route around censorship. In a similar fashion, FOSS has helped to redefine the nature of ownership when it comes to the tools we need to engage one another creatively using the Internet. It's an idea of great power. Ideas of great power always attract partisans. Some partisans will always throw bombs. I don't know if it can be helped, human nature being what it is. The surest way to disassociate ourselves from that end of the spectrum is to keep on doing the things that keep us focused forward on the possible rather than focusing too much on the wolves that are slinking out of the forest behind us!

[ Reply to This | # ]

Microsoft Admits Leak
Authored by: fava on Thursday, February 12 2004 @ 11:49 PM EST
Did anyone notice the following quote at the end of the Microsoft admission:
    "It seems unlikely this is going to create a material, significant security problem," said Rob Enderle, a technology expert and principal analyst with the Enderle Group. "It's more embarrassing than anything else because it makes it look like Microsoft can't control its code."
So it seems that open source is a security risk because anybody can view the code, yet when Windows leaks it is not a security risk.

I wonder how that works?

[ Reply to This | # ]

GNU Makefiles?
Authored by: ErichTheWebGuy on Friday, February 13 2004 @ 12:04 AM EST
Some dude over at neowin.net says he looked at the source in question and found
several GNU Makefiles. I would take this with a serious grain of salt though.
Also, I would not go looking at the source because of PJ's prudent advice!

---
Striving daily to be RFC-2550 compliant

[ Reply to This | # ]

The non-renewals is what worries me.
Authored by: Anonymous on Friday, February 13 2004 @ 12:16 AM EST
That means another ream of shakedown letters from the BSA to everyone in the
company.

Me, "Hello."
Clerk in West Podunk, "I just got a letter saying I'll be sued for hundreds
of thousands of dollars. What should I do? Waaahh! They'll take my house!
Blubber blubber!"

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: Nick Bridge on Friday, February 13 2004 @ 12:25 AM EST
Regardless of your position on conspiracies, it is impossible to ignore two
facts:

1. Someone inside Microsoft is most likely (almost certain?) to have leaked the
code.
2. Microsoft stands to gain most from the effects of the leak.

This leak, and the media attention, and the possible future lawsuits, have
indubitably strengthened Microsoft's position.

Imagine for a moment that Microsoft (who has a license to Sys V, and probably
other Unix code) uses Sys V or BSD, etc code in their NT or 2000 products.
There would be enough evidence to support a lawsuit in the future -
"Microsoft code found in Linux!" - even though the code is
incorporated legally. It is enough to throw FUD mud.

What defense do we have?

Don't forget who we are playing with. Sir Bill is setting up for an end game -
he won't quit, and he will use any means - even illegal.

I won't even suggest that it may be tempting for some reverse engineers to short
circuit the process - but I'm sure some d idiot might suggest it.

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: Nick Bridge on Friday, February 13 2004 @ 12:50 AM EST

From the A Russel Jones article:
Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies—and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public.

You can't hide the corrupted version.

Every distributor compiles the Linux kernel from scratch. For malicious code to get into e.g. RedHat, it would either be within the source included with the distro, OR RedHat would have to be a party to its inclusion.
Get your kernel from the NSA? Or maybe THEY are being accused?

It's an insane argument. Any organization can have the code reviewed, then recreate from MRPROPER. Governments are taking the view that software is insecure unless they can review the source - hence Microsoft agreeing to allow them to have it. And if they cannot recompile it, it's pointless.

[ Reply to This | # ]

I'd Love to look at it.
Authored by: Anonymous on Friday, February 13 2004 @ 12:57 AM EST
For one reason in particular.

1.) I'm not a programmer nor will I ever be. It's also safe to say I will never
contribute to an OSS project. But I do have the technical know-how to weed
through code and understand what's what. I'd like to know if there's any gpl
code in there.

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: jrzagar on Friday, February 13 2004 @ 01:40 AM EST
Actually I wouldn't be surprised to find out that Microsoft secretly leaked the
code themselves... That way if anyone manages to make a compatible server (or
client), they can pursue copyright claims against them and drown them with
lawyers.

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: blacklight on Friday, February 13 2004 @ 02:17 AM EST
We, the Open Source community, need Microsoft to have its source code leaked
like we need a hole in the head. But what would really annoy us is Microsoft's
blunder becoming somehow our problem: I will take PJ's suggestion and make sure
that I don't ever look at that source code until and unless I know exactly what
I am doing from a legal standpoint. Those of you who are far more knowledgeable
than me are free to disagree but if you screw up and get it wrong, the entire
Open Source community may end up paying for it.

[ Reply to This | # ]

Conspiracy Theories
Authored by: Anonymous on Friday, February 13 2004 @ 03:17 AM EST
The "MS leaked the code intentionally" theory doesn't hold water for a number of reasons:

1) Any "marketing" efforts by MS to persuade people to upgrade just because the source code has leaked would be met with angry demands that:
a. MS instead upgrade them for free (since it is Microsoft's fault that the leak occurred)
b. They have no assurance that there won't be another leak again in the future after they upgrade.
c. They would rather switch to Linux, which by its very design, can never have a "leak".

2) It is damaging to MS public relations that they can't keep their own code under wraps.

3) It draws attention to the inherent dangers of proprietary software as always having to be a secret, something (especially foreign governments) are nervous about. That is exactly the international market MS is battling to keep right now.

4) The potential backlash of security issues which may arise when someone with evil intentions gets their hands on the code and knows what to do with it, something we can only begin to speculate on at this point. This in turn brings us back to point #1 at the start of this list; repeat as necessary.

However, since we are guests in an open discussion forum, and not paid journalists, we are allowed to wax-prophetic about whatever conspiracy theories come to mind, and that is what sharing is all about. While MS and others may be in the process of damage control right now, I would like to infer a few points of my own logical conclusion at the moment.

I am going to go out on a limb here and suggest that whoever leaked this code is probably in a position where he/she has enough access and knowledge that they would know what part of the code they would want to leak out. From that we can argue that the CD-ROM sized amount of data was specifically selected out of a much larger pool, and that potentially gives us a clue about the person's intentions. They may in fact have more of the code than what was released, just to show they have it.

There are also a number of ways the code could have been accessed, but I would think that an internal mole within the MS offices is a likely candidate. (If it was hacked from outside MS has much bigger problems.) The actual portion of the code released may tell us if it was possibly an outside entity which MS shares its code with.

Anyway, an analysis of what portion of the code was released may give us a better understanding of the scenario, and then maybe we can begin to theorize if it is a disgruntled employee, a foreign government, a paid mole, or Bill Gates himself. (Actually, if it was a paid mole, they wouldn't have made the theft public on the internet, so I retract that conspiracy theory.)

Mike A.

[ Reply to This | # ]

Possible source of leak
Authored by: Anonymous on Friday, February 13 2004 @ 03:48 AM EST

Taken from this Slashdot article.

There is a core dump file inside the windows 2000 (sp1) archive, it clearly shows that the source was stolen from a system at Mainsoft. The following url confirms that they did have access to the leaked code. http://mainsoft.com/news/press_releases/2000_3_22_ 01.html

[ Reply to This | # ]

An interesting find
Authored by: inode_buddha on Friday, February 13 2004 @ 04:06 AM EST
According to a few /. posts, the code was leaked from an insecure wu-ftpd server
at Mainsoft.com. Evidently it wasn't patched. Mainsoft was developing a set of
tools to port Windows apps to UNIX, as a full MS partner. I haven't verified any
of that (yet), but it's very plausible.

---
"Truly, if Te is strong in one, all one needs to do is sit on one's ass, and the
corpse of one's enemy shall be carried past shortly." (seen on USENET)

[ Reply to This | # ]

Leaked MS Code injurious to Mental Health
Authored by: Wesley_Parish on Friday, February 13 2004 @ 04:10 AM EST

As the person who said this: An Open Source Challenge to Messrs. Gates and Ballmer, I might be expected to have an opinion on this matter.

I won't touch Microsoft's source code even under the somewhat less restrictive Academic Shared Source license - I had the opportunity to do so last year when I was a student at the University of Canterbury, NZ. I found it much too restrictive. And of course there are freely available alternatives, which are often better anyway.

A simple read of my Open Letter says I had other things on my mind. I wouldn't touch that unauthorized Windows Source Code release - the terms I regard as satisfactory I've stated in that letter. And strange as it may seem, I find myself thinking that if they had done as I requested, they might not have had this security breach in the first place. The energy that may now be exerted by the Black Hat Brigade, would've been easily matched by kernel hackers who would've secured any breaches long before Microsoft network or campus security was this badly breached.

---
finagement: The Vampire's veins and Pacific torturers stretching back through his own season. Well, cutting like a child on one of these states of view, I duck

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: seantellis on Friday, February 13 2004 @ 04:17 AM EST

If I put my tinfoil hat on, I'd wonder if this "leak" was deliberate, judging by the speed with which the PR machine went into gear, predicting that this leak will lead to such problems.

Put the tinfoil away, there's a much better explanation. Just as the news media in England had an obituary for the Queen Mother already in the can "just in case", it is likely that the Redmond PR machine had a press release ready for just this eventuality.

As for the theory that this will, by implication, poison FOSS efforts, I don't think that that will stand up to scrutiny either. After all, that's SCO's main plank of their "case" and it doesn't seem to be standing up too well when it comes to the courts.

---
Sean Ellis (sellis@geo-removethis-cities.com)

[ Reply to This | # ]

wait a minute
Authored by: Anonymous on Friday, February 13 2004 @ 04:31 AM EST
Is someone here actually suggesting that top secret MS source code can/was
hacked by someone outside their offices??

I thought something like that would never be placed on a network connected to
the outside world.

[ Reply to This | # ]

Send it to SCO
Authored by: Anonymous on Friday, February 13 2004 @ 04:34 AM EST
Someone should send it to SCO. After all, all operating systems are derivative
works of UNIX, right? And they seem to need code from IBM to prove
infringement… it'd be much more profitable for them if they could
prove Microsoft were infringing, and it really wouldn't bother me all that
much if they tried :-)

[ Reply to This | # ]

Size Matters
Authored by: Anonymous on Friday, February 13 2004 @ 05:53 AM EST
The comment that the /source/ would be 40Gb is a little surprising. Maybe the
entire source code repository?

For comparison, see this paper on the size of RH 7.1:
http://www.dwheeler.com/sloc/redhat71-v1/redhat71sloc.html

They describe RH 7.1 as being 17m SLOC (not just the kernel - all of it), NT5 as
20m. With code lines being at most 70 chars long and averaging more like half
that, you get roughly 20m SLOC on a CD, uncompressed. Windows will have, in
addition, a bunch of resource files (graphics etc) which would bulk up the code,
but whose size probably does not exceed another 500Mb since resource sizes come
through pretty much unchanged into the finished product.

So even if this is not compressed it's a leak the size of NT5.

Another datapoint from Lucovsky's talk "A Software Engineering
Odyssey" (about the Win2k development, from an insider,
http://www.usenix.org/events/usenix-win2000/invitedtalks/lucovsky_html/sld035.htm)
is that their entire source control system contained 411,000 files. For this
to be 40Gb, each file would have to be 100k on average, which is ludicrously
large for source code.

However you cut it, a source code leak that size is a large chunk of their
codebase.

-Baz

[ Reply to This | # ]

  • Size Matters - Authored by: Anonymous on Friday, February 13 2004 @ 08:32 AM EST
  • Size Matters - Authored by: Anonymous on Friday, February 13 2004 @ 10:29 AM EST
  • Size Matters - Authored by: Anonymous on Friday, February 13 2004 @ 10:49 AM EST
  • Size Matters - Authored by: rc on Monday, February 16 2004 @ 07:08 PM EST
Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: Anonymous on Friday, February 13 2004 @ 06:18 AM EST
Is it not funny that this happened just when microsoft was facing a big story on
their security problems such as taking 6 months to fix a big hole it seems they
are taking pages from sco's game plan maybe sco will sue them for stealing
their ideas.

Jack

[ Reply to This | # ]

Thousand Eyes
Authored by: auric on Friday, February 13 2004 @ 06:34 AM EST
Maybe I'm just cynical but it seems too coincidental. If the leak is true perhaps
it is one (or all) of the following:

1. MS can later claim Windows code is in Linux and sue ad nauseum.
2. As NT/2000 is 'compromised' everybody has to upgrade to XP.
3. MS want a thousand eyes to fix NT... (or just find the bugs)

[ Reply to This | # ]

BBC story
Authored by: bruce_s on Friday, February 13 2004 @ 06:38 AM EST
A fairly neutral story (http://news.bbc.co.uk/1/hi/technology/3484545.stm) from the BBC, apart from the last paragraph.

"But the other threat to Microsoft is the fact that such access could provide a competitive edge to its rivals, who would gain a much better understanding of the inner workings of Microsoft's technology. "

Bruce S.

[ Reply to This | # ]

Crazy Theory
Authored by: auric on Friday, February 13 2004 @ 07:56 AM EST
Remember when you were back in school and you'd forgotten to do your homework
and cribbed from a friend only to have the teacher find out because you'd both
made exactly the same mistakes. Maybe the incomplete source code has deliberate
mistakes that will finger anyone who uses it. My thoughts are projects concerning
interoperability with Windows. Some have mentioned Wine. Can I say Samba here?

Another crazy theory that just popped into my head. Some have said that the
timeframe of the code agrees with that stolen from MS a few years back. It has
also been mentioned that it is thought to be by a group in Russia. MyDoom is
purported to be from Russia also. Coincidence? Could it be that they are the
same group and they released the stolen code now to keep up the attack against
F/OSS? I'm not sure what they would gain from this. Perhaps as Linux is not
exploitable it cannot generate an income for them so is in their best interests
to keep MS dominant. Tin-foil hat time...

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: TerryL on Friday, February 13 2004 @ 08:05 AM EST
Hmmmmm

Windows: a closed source software product, the source is supposed to be kept secret but SOME of its code gets made public and various people go nuts that this is a huge problem because it exposes to bad people how they could break into lots of secure systems running on Windows

Linux: an open source software product, ALL of its code is open to public view and always has been, and very few people go nuts and claim it's a big problem because bad people can find out how to break into lots of secure systems running on Linux

It says something... anyone want to say what? :-)

---
All comment and ideas expressed are my own and do not necessarily reflect those of any other idiot...

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: zjimward on Friday, February 13 2004 @ 09:57 AM EST

The gentleman that wrote the article about how bad code or stolen code could be
incorporated into Linux misses a big point. He mentions how Debian was attacked
and how some one could use this as a way to put the code into Linux.
Unfortunately, this will not happen because checks are done to determine where
changes come from as well as what has changed since the last update. This was
how such attacks were discovered previously. The fact is that in the corporate
world they face the same problem with closed source. Having worked for several
companies that have so-called controls for this happening, I found lots of cases
of people not knowing who made a change or checking things in and out under
other people's names. How did this happen? It happened because in the close
office atmosphere either all passwords were known by fellow workers or a manager
with administrator access thought nothing about circumventing the protections of
the control system. No, this doesn't happen every day or in every office, but it
happens enough behind closed source doors.

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: Anonymous on Friday, February 13 2004 @ 11:40 AM EST
This is a perfect scam by M$$$$, yes, read the subliminals.

The Headlines read:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Microsoft Code STOLEN!!", "Worlds most secret code revealed to
hackers" "SECURITY! SECURITY! SECURITY!"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What does the average arthur & martha who barely click a mouse once a day
make out of these types of news headlines?

They react by thinking:

"If exposed M$ code is a security problem for M$, then Linux can't be
safe".

"How can this open source software be any good if it's open for all to
see??"

" OH those communist, dope smokin anti-socials in that Linux community are
to blame!"

Never underestimate how low M$ will go to keep its corrupt criminal
monopoly.

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: Khelmar on Friday, February 13 2004 @ 11:43 AM EST
Something else to look at in one of the posts PJ linked to - the idiot spewing off about OSS coders deliberately inserting backdoors into their products. Did you look at the "security flaw comparison menu" he linked to in his article?

Secunia

They only have 58 security vulnerabilities listed for XP Pro, and I know I've downloaded more patches than that from M$.

And, one might argue, if Linux has more listed security vulnerabilities, doesn't that just mean that open source is better at finding AND FIXING them? Oh, sorry, inserting logic in this article isn't allowed. My mistake. =)

---
--
Mike Dark
darkmich@wsu.edu

[ Reply to This | # ]

Desperation Move
Authored by: Anonymous on Friday, February 13 2004 @ 11:50 AM EST
This is obviously a last ditch try by Microsoft in hopes that some hacker will
be so upset by their incompetent mess that he'll fix the bugs and send it back
to them. XP after all is just W2k with a pre-schooler game interface set as the
default.

[ Reply to This | # ]

Who would want it? and... Enderle Again?
Authored by: NicholasDonovan on Friday, February 13 2004 @ 11:51 AM EST
As a guy who owns a company that writes OS kernels, I can
tell you just from the way that Win2K et al. operate, it's
a piece of junk.

It's a microkernel implemented as a monolithic OS. A
horrible implementation at that. lousy scheduler etc.

Coming home from a meeting this morning I heard a news
report on this and the news announcer played a quote from
Rob Enderle. Enderle was announced on the news as "A
Source Code Control Expert".

Give me a break. What makes this guy an expert on anything
relating to operating system development? The supposition
that the leak of source code means that there will be more
security risks is asinine. Especially assuming proper OS
development methodologies were used. (like peer reviewed
Open Source for example)

There is no great magic in Microsoft source code. What
little of it I have seen in the early was so poorly
written I swear they must have had college students
new-to-programming write it.

Security by obscurity is an amateur's approach to
security. The rash of virus and worm attacks against the
Microsoft OS's are a definitive statement in that regard.


Cheers,


Nick


---
Not an Attorney.
Views expressed are my personal opinions and not necessarily those of my
employer or its affiliates.

[ Reply to This | # ]

  • So-called experts - Authored by: Anonymous on Friday, February 13 2004 @ 01:44 PM EST
Could Microsoft be -testing- the waters?
Authored by: Anonymous on Friday, February 13 2004 @ 11:56 AM EST
Is it possible, being speculative, that MS voluntarily leaked the code itself?
Beyond the possible legal ramifications of others "seeing" the code,
would it not be possible that Microsoft's intent, is to find out what is -wrong-
in the leaked code, by the assumption that the FOSS community will pick it up. .
. read it. . . figure out what's wrong. . . and openly suggest fixes via comment
boards all over the internet?

After all, people have been complaining about the lack of security in MS
products for years. This last security hole took them six months to fix. The
open source community claims fixes in as little as 10 minutes, up to a maximum
of 48 hours. That (to me anyway) is pretty impressive.

So why shouldn't MS test those waters? Most serious hacks who were interested
in MS W2K code have probably already reverse engineered portions of it. But by
releasing a snippet of source code, MS puts the meat right in the lion's den,
then they see if the lion will bite.

Granted, we don't necessarily know what portion has been leaked, but wouldn't it
be interesting if it was a buggy piece, that when examined explained -some- kind
of known problem. And further, wouldn't it be interesting if a -fix- was found
by someone out in the open? And wouldn't it be interesting then, that MS made a
public statement to the effect that. . .

"... although the previous leak was accidental and unintentional on our
part, we recognize the value of having opened the source for critical scrutiny,
and have made a decision to open more of our code (not all) so that MS can
engage in more open standards and, to obtain faster and better coverage to fix
flaws. In the interest of creating a better product."


Or I can just stop smoking dope.

[ Reply to This | # ]

The Register: Source of Leak Found??
Authored by: Anonymous on Friday, February 13 2004 @ 12:07 PM EST
This article claims one of Microsoft's partners working on Unix integration left
the code on a Linux box.

http://www.theregister.co.uk/content/4/35564.html

Since it was a Linux box involved I guess this means the FOSS community is
guilty - NOT!

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: Anonymous on Friday, February 13 2004 @ 12:30 PM EST
There's a good story on The Register:

http://www.theregister.co.uk/content/4/35564.html

MS partner fingered in Windows code leak, Linux box implicated
By John Lettice
Posted: 13/02/2004 at 16:29 GMT

[ Reply to This | # ]

More likely injurious
Authored by: Anonymous on Friday, February 13 2004 @ 12:44 PM EST
Unless this really is a M$ deliberate leak, this is most likely not a good thing
for them. Previous minor exposures of their code in lawsuits and elsewhere have
revealed all kinds of underhanded tweaks designed to boost performance of their
own products (Office, IE) and hinder competing ones (WordPerfect, Netscape). If
this is a deliberate release, then theoretically they could have either
pre-cleansed the code of these hacks, or chosen a CD which doesn't contain these
routines. But otherwise it's probable that the undergrounders will comb through
the code and find yet more things damaging to M$. Not to mention the poor light
it casts on M$ security, once again.

The New Number Two
(still no account)

[ Reply to This | # ]

What is the agenda behind this leak?
Authored by: jrc on Friday, February 13 2004 @ 01:30 PM EST

In grad school, one of my history professors delivered an excellent piece of advice for working with source documents: to remember that manuscripts which survive have most often been preserved by someone who wanted them to survive. And those that did not make it often had a reason for being destroyed or lost. The same lesson must apply to leaks, political or technical.

So if there are over 40 GB of Microsoft source code for Win2K, why did the person who leaked the code release these particular 660MB? Were these data all that he/she had access to, or were these sections of code cherry-picked to match some agenda? And what did they not release? What's missing? If the person had only one CD onto which to copy the code, why did they pick these directories & files? Can anyone who has seen the file listing and is familiar with the Microsoft code comment (without breaching an NDA)? Or can someone at least clarify if this code is a random slice or something very calculated for maximum damage to security, IP, or any another aspect of Microsoft's business?

---

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: Anonymous on Friday, February 13 2004 @ 03:28 PM EST
Everyone should study the leaked Windows code for examples of how to write
buggy, insecure code.

lvteacher

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: Anonymous on Friday, February 13 2004 @ 03:44 PM EST
While reading the BBC story (http://news.bbc.co.uk/2/hi/technology/3485545.stm) I found this amusing:

********Excerpt*******
Fourthly, for Microsoft to have this code paraded in public is hugely embarrassing. Not least because the code is littered with profanity and might show that many Microsoft programmers do not do a very good job.
***********************

[ Reply to This | # ]

Is this bad luck for wine and others.
Authored by: Anonymous on Friday, February 13 2004 @ 05:02 PM EST
I was just wondering if this is bad news for the wine project. This project
translates windows system calls to linux calls so the windows programs can run
on linux.

Before they did not have to worry about the copyright issue so much because the
windows source code was secret and therefore they couldn't copy it but now it is
available so they have to make sure none of their developers use it. And also
have to be really careful to make a development history available in case they
get sued in the future.

Is this going to be a major problem that will slow down such programs in the
future?

jerven

[ Reply to This | # ]

Leaked coredump analysis
Authored by: Anonymous on Friday, February 13 2004 @ 05:25 PM EST
"eyala@mainsoft.com" was using vim (VIM - Vi IMproved 5.6 (2000 Jan
16, compiled Mar 7 2000 12:18:07)) on a Redhat computer to view nlmain.c, a
Windows 2000 SP1 source file.

Look at the name at the bottom of this page:

http://www.mainsoft.com/corporate/exec_profiles.html

The following is a snippet from:
windows_2000_source_codewin2kprivatesecuritymsv_sspicore.

[...]

nlmain.c
LESSOPEN=|/usr/bin/lesspipe.sh %s
USERNAME=eyala
HISTSIZE=1000
HOSTNAME=voltaire
LOGNAME=eyala
INIT_VERSION=sysvinit-2.78
MAIL=/var/spool/mail/eyala
MACHTYPE=i386
TERM=xterm
HOSTTYPE=i386-linux
PATH=.:/il2/users/eyala/bin:/project/bin:/project/bin.linux:/bin:/etc:/sbin:/usr
/sbin:/usr/ucb:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/u/tools/sy
s/bin:/usr/atria/bin
CONSOLE=/dev/console
KDEDIR=/usr
HOME=/il2/users/eyala
INPUTRC=/etc/inputrc
PREVLEVEL=N
RUNLEVEL=5
SHELL=/bin/tcsh
XAUTHORITY=/il2/users/eyala/.Xauthority
USER=eyala
GDM_LANG=en_US
AUTOBOOT=YES
VENDOR=intel
GROUP=floppy
QTDIR=/usr/lib/qt-2.1.0
BOOT_IMAGE=linux_mvfs
DISPLAY=:0.0
LANG=en_US
HOST=voltaire
OSTYPE=linux
GDMSESSION=KDE
PWD=/usr/ms/win2k_sp1/private/security/msv_sspi
SHLVL=2
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;0
1:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.b
tm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:
*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*
.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3
5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
WINDOWID=50331657
lib_path_name=LD_LIBRARY_PATH
MWOS=linux
MWARCH=i86
MWARCH_OS=i86_linux
LD_LIBRARY_PATH=/usr/lib
MANPATH=/usr/man:/usr/local/man:/usr/share/man
DOMAIN=mainsoft.com
MAILCAPS=.mailcap:/usr/local/etc/mailcap
NNTPSERVER=cia
PAGER=less
REPLYTO=eyala@mainsoft.com
ORGANIZATION=Mainsoft Co. Ltd.
MWBATCH_SERVER=lod:8000
MSOFTLM_HOST=@xor
MAINSOFTLM_HOST=@xor
CC=gcc
CCPP=g++
previous_tty=pts/2
XHOME=/usr/X11R6/bin
XAPPLRESDIR=/il2/users/eyala/app-defaults
EDITOR=vi
BASE_LIBPATH=/usr/lib
BASE_PATH=.:/il2/users/eyala/bin:/project/bin:/project/bin.linux:/bin:/etc:/sbin
:/usr/sbin:/usr/ucb:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/u/too
ls/sys/bin:/usr/atria/bin
all_variables=USERNAME XAUTHORITY MWARCH_OS
lib_path_name LOGNAME OSTYPE WINDOWID INPUTRC CCPP
MWOS SHLVL HOME LESSOPEN PWD REPLYTO LD_LIBRARY_PATH
LS_COLORS CONSOLE KDEDIR DISPLAY MAINSOFTLM_HOST
NNTPSERVER GDM_LANG MACHTYPE MWBATCH_SERVER GDMSESSION
BASE_LIBPATH HOST HOSTNAME HOSTTYPE XHOME MWARCH LANG
MAIL QTDIR CC BASE_PATH EDITOR MANPATH MAILCAPS PATH
RUNLEVEL AUTOBOOT GROUP XAPPLRESDIR VENDOR PAGER
HISTSIZE ORGANIZATION PREVLEVEL BOOT_IMAGE DOMAIN
SHELL TERM INIT_VERSION previous_tty MSOFTLM_HOST USER
DISPLAY CLEARCASE_ROOT __________HOME
cleanup_included=1
/bin/vi

[EOF]

[ Reply to This | # ]
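The core file discussed in the comment above carried its owner's environment block into a source tree. As an added example (not part of the original post), this Python script flags ELF core files and the identifying variables they disclose, as a check to run before a tree is shared; the variable selection, function names and all sample values are constructed for illustration.

```python
import re
import struct

# Variable names that identify a person, machine or organisation (an assumed
# selection for this example; several appear in the dump quoted above).
IDENTIFYING = {"USER", "USERNAME", "LOGNAME", "HOME", "HOSTNAME", "HOST", "DOMAIN",
               "MAIL", "REPLYTO", "ORGANIZATION", "PWD"}
ENV_RE = re.compile(rb"([A-Za-z_][A-Za-z0-9_]*)=([\x20-\x7e]{1,4096})\x00")
ET_CORE = 4  # e_type value for core files in the ELF header


def is_elf_core(blob: bytes) -> bool:
    """True if blob starts with an ELF header whose e_type is ET_CORE."""
    if len(blob) < 18 or blob[:4] != b"\x7fELF":
        return False
    endian = "<" if blob[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(endian + "H", blob, 16)
    return e_type == ET_CORE


def identifying_env(blob: bytes) -> dict:
    """Return identifying NAME=value pairs found as NUL-terminated strings."""
    found = {}
    for name, value in ENV_RE.findall(blob):
        key = name.decode()
        if key in IDENTIFYING:
            found.setdefault(key, value.decode())
    return found


def audit(blob: bytes) -> dict:
    """Report for one file: is it a core dump, and what does it disclose?"""
    return {"core": is_elf_core(blob), "leaks": identifying_env(blob)}


def make_sample_core() -> bytes:
    """Constructed sample: minimal 32-bit little-endian ELF header with
    e_type=ET_CORE, then a NUL-separated environment block (values invented)."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
    header = ident + struct.pack("<HHI", ET_CORE, 3, 1) + b"\x00" * 28
    env = [b"TERM=xterm", b"USERNAME=alice", b"HOSTNAME=buildbox",
           b"ORGANIZATION=Example Co. Ltd.", b"PWD=/src/vendor/project",
           b"REPLYTO=alice@example.com"]
    return header + b"\x00" * 64 + b"\x00".join(env) + b"\x00"


if __name__ == "__main__":
    print(audit(make_sample_core()))
```
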

Windows now Open Source?
Authored by: Anonymous on Friday, February 13 2004 @ 06:23 PM EST
So, given that the source of Windows is now in the open, does that mean Windows
is Open Source?

BWAHAHAHAHAHAHA!

Sorry, just couldn't help myself...

[ Reply to This | # ]

I smell the stench of fear...
Authored by: NicholasDonovan on Friday, February 13 2004 @ 06:50 PM EST
[OK... It's tinfoil hat sitting in basement in underwear
on my computer time. :-) Or maybe not???

Let's assume that Microsoft did this intentionally to
poison the waters for FLOSS. Also, let's assume that they
(as in backers of MS) have been backing the SCO effort in
a roundabout manner via the VC companies in my opinion.
(see Silverlake investments I believe)

They know now that the whole SCO fiasco is a bust. The
senior management of SCO has made complete idiots of
themselves in my opinion and Microsoft wants plausible
deniability, however they (Microsoft) know that they're
screwed as Linux has already been dominating the server
market/grid/blade computing and soon the
desktop/DigitalDevice market will follow.

The question is how to slow it down? Maybe they figure the
poison pill will do it but the court case they supported,
is now proving that there is nothing SCO can do from a
licensing perspective. It has validated and will continue
to validate Linux from the legal perspective for a long
time to come. Strike that action plan.

The two operating systems (Linux and Win32) work in
fundamentally different ways. Linux is primarily
monolithic/modular in nature while WinNT/2K etc. are
microkernels (albeit implemented in a monolithic fashion).
The source code of Windows does nothing for Linux. This
leads us to the other hand.....

If indeed this was a poison pill, I can only wonder how
safe Windows customers are should something happen to the
company. Is there an escrow clause for the code? How
much liability will Microsoft attempt to shed?
If this is indeed traced to MainSoft what will happen
then? Will they blame 'Linux anti-social al Qaeda
leaning' penguins? This seems to be the potentially
libelous story from Didio et al.

How much liability will Microsoft face if they attempt to
use this as an anti-Linux platform? Anti-defamation?
Libel? Slander?

By the way, the old OpenNT people made a Unix
compatibility layer for WindowsNT (Back when Microsoft
really believed people would be migrating from Unix -> NT)
that was basically CYGWIN (with lots of Open Source tools)
that they charge a huge sum of money for. Needless to say
it obviously didn't sell very well.

In the end, I smell desperation from Microsoft. Whether
this code was intentionally leaked or not they will try to
use this for an anti-Linux agenda in my opinion. Their
mouthpieces in the IT media are already at it.

Cheers,

Nick




---
Not an Attorney.
Views expressed are my personal opinions and not necessarily those of my
employer or its affiliates.

[ Reply to This | # ]

Let's calm the emotions
Authored by: Anonymous on Friday, February 13 2004 @ 07:46 PM EST
Now fellows,
Law is (or at least should be, and in simple cases is) a matter of
common sense. (Just think about the double yellow line on the road.)

If I'm writing code for an open-source project which is similar to a
proprietary project (mozilla / IE; abiword / Microsoft Word; etc.) OR
vice-versa, then I shouldn't be looking at the source code of the
corresponding open- or closed- source project. (More precisely, open-
and closed- source aren't necessarily such, but could be any two
incompatible licenses). OTOH, if I write device drivers for a
video-card company (whether open- or closed- source), it shouldn't be
a problem for me to write a computer card game or chess game that
doesn't have special animated graphics.

So, in a certain sense, a project like WINE (or MainSoft's inverse
project) is going to be more sensitive in this respect, as is any
project that involves reverse-engineering or copying some aspect of a
copyrighted work. And this is nothing new. WINE developers and
MainSoft's employees had to deal with this issue before any code was
leaked. I do not have actual experience with a reverse-engineering
project that had any kind of legal issues (all code and programmers
were totally within the same company), so I am not qualified to
specify the details here.

Time is also a factor here. Depending on the similarity and perceived
monetary value of the code or copyrighted work in question, activities
involving opposing sets of code may need to be done a certain amount
of time apart. It may be six months, 1 year, theoretically a career
(although some legal issues with respect to commerce and free trade
might come into play here). Microsoft's own disclosure agreements are
invaluable in ascertaining what the time period would be with respect
to Microsoft's own code. If any OSS programmer should accidentally
get whiff of Microsoft's code, it would only be ethical and proper to
consider Microsoft's disclosure agreement in light of the particular
code in question. And, yes, you might want to get a lawyer if it's
serious.

Now there is one inequality here: open source is very readily
available on the Internet, closed source is not. If you search the
Internet for a specific piece of hardware, the chance of a result
having GPL'ed source code is pretty high these days, and has been
nonzero for several years. If you were a programmer searching the
Internet for algorithms or other educational materials, it would be
even worse. OTOH, the chance of a result having proprietary source
code is extremely low (although there is a risk that may start to go
up now!). Once Linux began to become dominant and began to pop up
everywhere on the Internet, this must have been a thorn in Bill Gates'
side. Imagine: MS programmers accidentally run into GPL source code,
making it difficult for them to do the work they are hired to do; OSS
programmers rarely run into proprietary source code on the Internet so
as to encumber them. Of course, there is a good chance that an OSS
programmer will encounter proprietary source code in their workplace.
But I think what's been happening the last several years and what's
been giving Bill Gates fits, is the balance has tipped and continues
to tip in favor of OSS. Since about the turn of the century, a good
number of computer programmers and similar professions don't have jobs
with proprietary code anymore.

Thus it should be obvious why Bill Gates is enraged with Linux and
GPL'ed software, why he has called the GPL "viral," accused the
open-source community of so many things, and launched FUD and other
attacks on us.

We are, indeed, in the midst of a struggle - between open source,
which is not only epitomized but also climaxes in the GPL, and
proprietary source, which is not only epitomized but also has its
highest stakes in Microsoft.






The intellectual property issues dictated by today's legal framework
seem to be forcing divisions in the computer programming world,
between those who work on GPL and those who work on Microsoft. But we
must approach it as a fair playing field: If Microsoft actually tried
to pull a SCO-type lawsuit on individuals, no court of law can
logically or ethically let them run loose. SCO is probably getting so
much lenience only because they're small vs. big. OTOH, Microsoft
might have a valid claim if the abundance of GPL code was hindering
their development of Windows. But the proper relief would be
something more along the lines of, "Okay, Microsoft can do a
clean-room implementation of Linux feature X, and if they've done it
properly, it doesn't matter how much it resembles" or "Okay, Microsoft
can use GPL header files for interface purposes or the like," not "GPL
is illegal" or "let's send Linux coders to jail." Microsoft may not be
the most ethical business in the marketplace, but anything repugnantly
sleazy is going to turn the rest of the world against them. And we
know there are governments who would grant amnesty.

I am not a lawyer, nor even a paralegal.

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: Anonymous on Friday, February 13 2004 @ 11:00 PM EST
Anyone looking at this code could bring to an end any opportunity to contribute to FOSS software in the future. That's just copyright issues. Copyright isn't the only issue. Patents, trade secret, it's just a minefield. I hope the rumor is false, but if it isn't, please speak to your attorney and to FSF prior to even thinking about looking at such code.

Excellent advice...

[ Reply to This | # ]

Microsoft Denies Leaked Code -- UPDATE: Now MS Confirms
Authored by: Anonymous on Saturday, February 14 2004 @ 08:31 PM EST
PJ, I want to disagree here. I do not think there is much danger in seeing
Microsoft source. I have been looking at it all my life. No jeopardy. There
are tons of code made available all the time on MSDN CDs. This is
terrible code, PJ, terrible stuff.

The one thing this leak will do is make the truth about Redmond
accessible to more people.

Consider the plight of the world right now, with an Internet nearly
unusable because Windows is so bad. Is it right for everyone to suddenly
turn their eyes when their oppressor is weakened?

[ Reply to This | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )