dwEEziL February 17, 2004 Share dwEEziL Member February 17, 2004 (edited) Well, by now most everyone has probably learned that a portion of the Windows source code (some NT 4 code as well as some Win2k coce) was leaked to the public accidentally about a week ago. While this could be bad for Windows administrators, like myself, due to a possibility of increased unknown vulnerabilities being discovered on a much quicker pace, it could also be a good thing as the Unix/Linux/other open source OS community has been using an open review process for a very long time and is dedicated to finding and fixing vulnerabilities quickly. My topic for discussion here is, what are your thoughts on the ramifications it will have on the Windows community. Please don't just come in here bash Windows. You should be able to back up your opinion with some sort of logic. I will delete any posts along the lines of "Micro$oft is bad mm'kthx bye". Edited February 17, 2004 by dwEEziL Link to comment Share on other sites More sharing options...
Playaa February 17, 2004 Share Playaa Member February 17, 2004 well I find it odd that M$ said that there was no leak yet at the same time had the FBI hunting the leakers... I actually don't think it will cause as big of a problem as some people think...it's just a 400mb chunk of code (if I remember correctly) and the full OS is over 40gigs un-compiled... Link to comment Share on other sites More sharing options...
All Kill3r February 17, 2004 Share All Kill3r Member February 17, 2004 well I find it odd that M$ said that there was no leak yet at the same time had the FBI hunting the leakers... http://www.microsoft.com/presspass/press/2...ndowssource.asp im thinking this isnt a very big deal. The next SP will just be a bit bigger now that security codes are gonna need some re-coding, thats my guess. Maybe a few more viruses and few more headaches for networkers then usual but no large scale chaos from it. Link to comment Share on other sites More sharing options...
[VI]ROosTEr February 17, 2004 Share [VI]ROosTEr Member February 17, 2004 Yeah, this is probably overblown. These leaks, however, may someday challenge Microsoft to make a secure NOS. Link to comment Share on other sites More sharing options...
dwEEziL February 17, 2004 Author Share dwEEziL Member February 17, 2004 I am kind of interested in it. My gut tells me this might just be another scam from MS and they might have purposely leaked the code. Here is my thinking. The code that was leaked (portions of NT 4 and W2k) is from older software (XP and 2k3 are the current OS'es with W2k being almost 2 generations old since XP's real version name is NT 5.1). Second, based on the following article I read today, it seems that the code leaked will not lead to many new vulnerabilities being discovered based on it's content. Third, the leaked code, because of in-code comments, actually paints MS in a kinder light, i.e. some of the comments were for code exceptions that MS made for 3rd party software that broke because it used a known vulnerability that MS had patched. It shows that MS is willing to work with these companies to better software interaction/integration. Fourth, the code has been out for over a week now (or just at a week) and there has been plenty of time for the likes of SCO, Novell, IBM, etc to have looked it over and see if MS had used any of their code in Windows but there hasn't been any outcry. Also, no new vulnerabilities/viruses have come out yet although this might take a little more time to develop (but again, hackers usually work fast). In conclusion, this leaked source code so far has not shown any glowing problems for MS. One "problem" that might come of it is that MS might be less interested in supporting W2k now that some of the source is public and could realistically shorten support for W2k because of it. I quoted "problem" because it would be in MS's best financial interest to do so anyway and get people jumping on the XP/W2k3 bandwagon. All these reasons are why I think this might have been a purposeful leak by MS. Actual code review has only shown good things of MS and they now have a real legitimate reason to end W2k support early (security concerns). If within the next 2-4 weeks, nothing bad comes of this, I will feel justified even if nothing is ever revealed regarding it. The following commentary was in the latest Windows & .NET Magazinenewsletter. The article isn't currently available online so I have listed it in full below. It doesn't look like the actual amount of source code leaked will cause the number of vulnerabilities discovered to increase in number and, after inspecting the code, Paul Thurrott says it actually seems to show MS in a better light. ==== 1. Commentary: What the Windows Source Code Leak Means to You ==== by Paul Thurrott, News Editor, thurrott@winnetmag.com Last Thursday morning, I received an excited Instant Messaging (IM) alert from a friend at Microsoft: "Have you seen this?" he asked. He then sent me a file named "winver.c," reportedly part of the Windows 2000 source code. The source code for Win2K, as well as for Windows NT, he said, had leaked to the Internet. The file I was looking at was a source code listing for a short program written in the C language; it was described as the "Windows version program" and was written in March 1989 by someone identified as toddla. Several other C source code listings were leaked, including one purportedly written by NT architect David Cutler. The notion that Microsoft's crown jewels might leak publicly wasn't surprising to me; after all, the company had opened its source code to an increasingly large portion of the public in recent years through its Shared Source program, a response to the open-source threat of Linux. Since first announcing the Shared Source program, Microsoft has regularly extended the program's reach, and now many governments, corporations, educational institutions, hardware and software development partners, and even individuals have signed nondisclosure agreements (NDAs), giving them limited-rights access to the source code for various Windows versions. The software giant has even publicly acknowledged that it was considering opening the source code to Microsoft Office also. Microsoft disseminates its valuable source code to other institutions and individuals for various reasons. Historically, the company's hardware and software partners have received access to the source code to ensure that the products they develop work seamlessly with Microsoft systems. Under the Shared Source program, the reasons are a bit more varied. But one reason Microsoft has opened up its source code is to fend off competition from Linux and other open-source solutions, which provide users with modifiable source code. Microsoft doesn't let its Shared Source partners change the Windows source code and potentially make their own modified versions of Windows. Instead, the source code access provides suspicious governments with the evidence they need to prove that Microsoft isn't inserting back doors, especially US governmental back doors, into its software. And Microsoft has shown itself to be more, ahem, open to the notion of providing governments with specially tailored Windows versions when needed, as the company did recently with Thailand, although those will be developed inhouse, as the need arises. But here's what we know so far about the leak. Contrary to early reports, only a small portion of the source code for Win2K Service Pack 1 (SP1) and NT 4.0 leaked. Experts differ about how much code leaked--I've seen estimates in the 1 to 15 percent range--but using the code to build a working version of Windows would be impossible. I did obtain the leaked Win2K source code so that I could analyze it and confirm it was real, but I've never seen the NT source code. I'll be destroying my copy of the source code after completing my analysis and have no intention of publishing major portions of it, of course. At this time, a software company called Mainsoft is the most likely source of the leak, which means the leak had no ties to the Shared Source program. Mainsoft has had Windows source code access for years; longtime Windows & .NET Magazine UPDATE readers might recall my August 2000 revelation that Microsoft had hired the company to explore Linux ports of Office and Microsoft Internet Explorer (IE), for example--but uses the information for integration software development purposes. The leaked source code I've seen includes code for the Windows Explorer shell, among other things, and an interesting wealth of documentation that shows Microsoft's developers how to move pre-IE 4.0 Windows shell code to the then-new IE integrated shell. The code occupies about 147MB of space and includes about 12,900 files, mostly C, C++, and assembly source files, as well as C and C++ header files. And for you conspiracy theorists, sorry, the code doesn't appear to include any proof that Microsoft stole source code from UNIX, Linux, or other sources in a bid to make its systems better. Open-source enthusiasts probably spent the weekend poring over the code just to find such evidence. On a technical note, the source code is clean and well coded but is often devoid of useful comments. It's also quite frank in some places, with occasional swearing and name calling, usually aimed at Microsoft's own products. But what really stands out, is how often Microsoft must insert a minor coding change to accommodate the idiosyncrasies of one application. These hacks, as they're called in the code, are often aimed at third-party applications, letting the applications work after a bug or previous feature they've relied on has been eliminated. This is a good example of Microsoft going out of its way to ensure that its partners products work with Windows, a task the company has never received a lot of credit for. When the source code leak was first reported, security experts opined that it would have damaging effects on Microsoft's credibility and could lead to a new generation of software exploits that take advantage of hackers' newfound knowledge of the Windows source code. However, little networking or security code is included in the leaked source I've examined, and because the code comprises such a small portion of the entire source-code base, it will be impossible to figure out the complex interworkings of code that make up the complete OS and find some systemic flaw. So from a technical standpoint, I think that, for now at least, the Windows source code leak shouldn't affect any rollout decisions, though arguably you'd be better off going with Windows Server 2003 and Windows XP over Win2K right now for various unrelated reasons anyway. Indeed, with Microsoft's recent emphasis on upgrading to Windows 2003 and XP for security reasons, there's been some question about Microsoft's plans to adequately support Win2K going forward. For example, although both of these newer systems will get the improved Windows Firewall in service pack updates later this year, and Windows 2003 will get the roles-based Security Configuration Wizard, Microsoft hasn't said much about offering such improvements to Win2K users. For whatever it's worth, I do know that the company intends to soon reveal various Win2K security improvements that it will roll out this year, but I'm a little worried about its public silence thus far. I'm further concerned what the Win2K source code leak will do to put these plans on the back burner. It would be sad to see Microsoft take advantage of this episode to formalize its desire to deemphasize Win2K, years before the company should do so. ==================== Link to comment Share on other sites More sharing options...
[Mmmm]Homer February 17, 2004 Share [Mmmm]Homer Member February 17, 2004 How about a disgruntled ex-employee is blackmailing MS. He/she wants cash from Bill G., but he won't give it up. As a shot across the bow the blackmailer releases an older or less critical chunk to show they mean business and threatens to release more. MS's network was not breached, yet the FBI has someone to look for. Also, Kennedy was shot by the Mafia and there are WMD's in Iraq. Oh yeah, and Micro$oft is bad mm'kthx bye. Link to comment Share on other sites More sharing options...
dwEEziL February 17, 2004 Author Share dwEEziL Member February 17, 2004 Grrrrrr Link to comment Share on other sites More sharing options...
[Mmmm]Homer February 17, 2004 Share [Mmmm]Homer Member February 17, 2004 LOL Okay, the only thing I can contribute here really is that being in Seattle I've heard ex-employees and programmer types groan over how sloppy the MS code is. Maybe MS will be embarrassed by their glutton of code. Just a possible side effect though. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now