
Microsoft grapples with leak of source code (CNN)

CNN reports on the apparent leak of some Windows code. "The leak could potentially put more Windows users at risk because it opens the door to more people finding vulnerabilities in Microsoft's code -- and using them in malicious ways.... That could, in turn, wreak havoc on Microsoft's ability to respond with fixes in a controlled manner."

Digital Pearl Harbor looming on the horizon

Posted Feb 13, 2004 18:08 UTC (Fri) by proski (subscriber, #104)

Prepare for the worst. Make sure all your software can deal with extreme virus traffic, port scanning and other nasty things. In particular, mailing list software needs to be updated. It may be a good idea to learn and install antivirus software and strengthen firewall rules. Even if viruses won't infect your system, you don't want them to pound rather slow mailing list software or eat your CPU time on the systems where it's needed for other tasks.

Maybe the smartest thing for Microsoft would be to allow free circulation of the leaked code to allow "good guys" the same access that "bad guys" already have. I don't mean changes in the copyright. They should just make it legal to distribute the leaked code without changes.

Digital Pearl Harbor looming on the horizon

Posted Feb 13, 2004 18:17 UTC (Fri) by allesfresser (subscriber, #216)

Why should we be any more concerned about Windows vulnerabilities than we already have been? There's plenty of breaches for the black hats to play with already; I'm not convinced that source code access would give them all that much more than they already have. And we don't know which particular parts of Windows the code pertains to, do we? I think the Pearl Harbor reference is going a bit over the top.

Digital Pearl Harbor looming on the horizon

Posted Feb 13, 2004 18:17 UTC (Fri) by libra (guest, #2515)

Microsoft cannot do what you suggest because it would create a precedent. Anybody with access to Microsoft code could be tempted to leak it later to then get a "free to see and speak about" right.

So this won't happen.

Digital Pearl Harbor looming on the horizon

Posted Feb 13, 2004 20:47 UTC (Fri) by Eudyptes (guest, #15589)

> Microsoft cannot do what you suggest because it would create a precedent. Anybody with access to Microsoft code could be tempted to leak it later to then get a "free to see and speak about" right.

> So this won't happen.

Well, there's that annoying little clause in the law related to "trade secrets" and "due diligence". IANAL, but plainly put, once a trade secret makes it into the public domain and becomes extensibly common knowledge it is no longer considered a "secret" and therefore most of (if not, for all practical purposes, entirely) the IP rights get muted. In other words, if one uses a direct word-for-word, symbol-for-symbol form of something M$ has in the source then it could get sticky, but if one looks at the code, understands what its purpose is and the manner in which it folds into the code overall, one could write a piece of code that performs the same function without crossing the dreaded "IP" boundary. This is what M$ worries about overall, not to mention it could be damaging in more than one way related to years of contention that M$ has misappropriated others' IP into their kernel: it's pretty hard to argue you didn't rip someone off when the code in question is sitting there in the kernel. This is the contention of M$' evil little brother... SCO, and they have an open code base to point to and haven't proven jack, but I digress.

The point is that there are those that have absolutely no love lost where M$ is concerned that will be picking this apart. Let the games begin.

Digital Pearl Harbor looming on the horizon

Posted Feb 13, 2004 20:36 UTC (Fri) by Max.Hyre (subscriber, #1054)

Until we know what systems, what modules, and how much of it has been exposed, we haven't enough information to even guess how big a threat this is. It could very well be the code for Minesweeper, after all. :-)

On the other hand, if it's on the loose, can anyone supply a pointer? I'm awfully curious how the quality compares to stuff I'm familiar with.

Digital Pearl Harbor looming on the horizon

Posted Feb 13, 2004 21:03 UTC (Fri) by allesfresser (subscriber, #216)

Please, please, PLEASE DO NOT post a pointer to the stolen code here! Don't be that stupid! Wouldn't that be convenient for Microsoft to point to LWN and say, "see, they're all software pirates and terrorists"? Also, if you happen to know where it can be found, don't look at it at all if you ever want to contribute to any Free Software project. Despite what the law about trade secrets says (as posted above), since when has actual truth and legal precedent mattered when it comes to Microsoft's lawyers and press hounds? Think before you do something all of us will regret mightily...

No pointers please

Posted Feb 13, 2004 21:34 UTC (Fri) by corbet (editor, #1)

I will second that request: please do not post pointers to stolen code here. We would probably have to remove them.

Besides, anybody who is concerned with his or her ability to write free software in the future absolutely does not want to look at this code. You don't want its owner coming after you for having misappropriated it in any way. The best defense against any such charge is to have never seen the code in question.

No pointers please

Posted Feb 14, 2004 0:16 UTC (Sat) by mmarq (guest, #2332)

Strange!!... but I've to agree that it could very well be a trap, since the code in question, about portions of NT and 2000, isn't really worth much "per se",..., the issues about value are questionable, but I'm very confident that open source from Linux to Mac Darwin, passing through the best of the BSDs, is already more advanced than what was exposed...

...hmmm,... not even a serious security breach for Windows, because if this news is reliable (http://www.betanews.com/article.php3?sid=1076674118), then with a SP4, the SP1 patch for win2000 is clearly outdated.

My sincere apology for asking for code location

Posted Feb 19, 2004 18:20 UTC (Thu) by Max.Hyre (subscriber, #1054)

Dear LWN:

My request for pointers was mostly in jest, and completely tasteless. If I could retract it, I would, and I'm sorry for the stupid implications.

Ashamedly yours,
Max Hyre

Microsoft grapples with leak of source code (CNN)

Posted Feb 13, 2004 18:25 UTC (Fri) by mmarq (guest, #2332)

I know from a secure and reliable source, confidential of course, that it was a huge and scary (for M$ of course) penguin that did it.

Pity I don't have the "clout" of a Ma$ter syndicate, or tomorrow I'll be giving interviews on CNN, and everywhere else in the press...

Microsoft grapples with leak of source code (CNN)

Posted Feb 13, 2004 18:56 UTC (Fri) by beejaybee (guest, #1581)

I smell another attack on linux...

If the press can be persuaded that releasing M$ source is a security risk (and it seems that the bait has been swallowed whole) the next step is an assertion that open source software is immensely insecure.

Naturally I don't believe this but the press probably will.

Microsoft grapples with leak of source code (CNN)

Posted Feb 13, 2004 20:36 UTC (Fri) by tjc (subscriber, #137)

> If the press can be persuaded that releasing M$ source is a security risk (and it seems that the bait has been swallowed whole) the next step is an assertion that open source software is immensely insecure.

Maybe, but I think this strategy will backfire, if it is a strategy. They run the risk of accentuating the fact that it's mostly MSFT software that is insecure, whether the source code is available or not.

Microsoft grapples with leak of source code (CNN)

Posted Feb 17, 2004 19:21 UTC (Tue) by JoeBuck (subscriber, #2330)

It appears that the blame will be pointed at Mainsoft, the Israeli company that produces a Windows-on-top-of-Unix layer as a commercial product and that has licensed at least part of the Windows source from Microsoft. From what I've been told, their fingerprints are all over the released code (there are references to Mainsoft in the release), so it appears that someone stole it from them (or it's an inside job). No, I haven't seen the code, nor am I interested. I have used their product in the past.

Mainsoft has issued a statement, which indirectly acknowledges that suspicion points to them.

More detail on Mainsoft culpability

Posted Feb 17, 2004 19:36 UTC (Tue) by JoeBuck (subscriber, #2330)

See this BetaNews article. There is a Linux connection, in the form of a Linux core dump that appears in the distribution.

Microsoft grapples with leak of source code (CNN)

Posted Feb 13, 2004 19:12 UTC (Fri) by welinder (guest, #4699)

Luckily there is a world of difference between the security of something that was intended for public scrutiny -- open source software -- and something that suddenly and unintentionally got published -- Windows.

I seem to recall that Microsoft argued that publication of the Windows source code would be a national security threat. :-)

Microsoft grapples with leak of source code (CNN)

Posted Feb 13, 2004 19:27 UTC (Fri) by allesfresser (subscriber, #216)

> ... publication of the Windows source code would be a national security threat.

What, by precipitously dropping their stock price once it becomes clear how ratty their coding is, and thereby threatening to Destroy The Economy? [collective gasp of sheer horror]...

Microsoft grapples with leak of source code (CNN)

Posted Feb 14, 2004 22:34 UTC (Sat) by Switched (guest, #2475)

> ... publication of the Windows source code would be a national security threat. What, by precipitously dropping their stock price once it becomes clear how ratty their coding is, and thereby threatening to Destroy The Economy? [collective gasp of sheer horror]...

Heh, I'd go so far as to say that they aren't only scared of having poor coding exposed. More likely it's the possibility of stolen code being exposed. After all, with CSS, how can we be certain that it was totally developed in a clean room environment? If it wasn't for the possibility of the good guys tainting their future development efforts, it would be interesting to have someone do a SCO style audit of the MS code.

Microsoft grapples with leak of source code (CNN)

Posted Feb 15, 2004 2:29 UTC (Sun) by allesfresser (subscriber, #216)

Well, then I already have done a SCO-style audit of the MS code, since all that is necessary is to smell money on the wind--one doesn't need to even have the code to do that. :-) And I am quite sure that Microsoft used some of my valuable IP to generate their billions of dollars, so naturally I will sue for damages of treble the cost of each copy of Windows sold. Plus each Windows user needs to pay me a license fee for the use of my valuable IP; I'll start sending letters to 1000 or so prominent users next week.

Heh.

Microsoft grapples with leak of source code (CNN)

Posted Feb 13, 2004 19:34 UTC (Fri) by maney (subscriber, #12630)

> That could, in turn, wreak havoc on Microsoft's ability to respond with fixes in a controlled manner.

Translation: they won't be able to sit on it for half a year. How will they cope, oh dear, oh dear?

-- 
I'm not proud.  We really haven't done everything we could to
protect our customers ... Our products just aren't engineered
for security.  -- Brian Valentine, Microsoft Senior VP
                  in charge of the Windows development team

Microsoft grapples with leak of source code (CNN)

Posted Feb 13, 2004 22:09 UTC (Fri) by QuisUtDeus (guest, #14854)

Sounds to me like a strategic ploy to cast further doubt on the origins of Linux system code in the future.

M$ could claim a year from now that some particular piece of Great Software must have borrowed from the code that was leaked. If they can't (or won't) say what was leaked, then they can try to claim later that any algorithm "must have been included in what was leaked" and therefore give them some (dubious) justification to harass the authors, for "copying the code" and maybe for helping in the "leak".

It sounds like the start of an M$ version of the SCO mess.

Microsoft grapples with leak of source code (CNN)

Posted Feb 13, 2004 23:06 UTC (Fri) by wildpossum (guest, #17744)

Well one tinfoil hat theory says that M$ can now urge customers to upgrade by saying: the bad guys have the 2000 and NT4 code so you'd better sign up for our newest.

Funny how when M$ code leaks it's a security risk, but FOSS has been available for all to see all the time and has a better security record.

Microsoft grapples with leak of source code (CNN)

Posted Feb 14, 2004 12:51 UTC (Sat) by rankincj (subscriber, #4865)

> Funny how when M$ code leaks it's a security risk, but FOSS has been
> available for all to see all the time and has a better security record.

There's no comparison between FOSS and the leaked MS code, because all the Good Guys are deliberately averting their "many eyes" from it. This is something for the Bad Guys only.

Microsoft grapples with leak of source code (CNN)

Posted Feb 14, 2004 13:50 UTC (Sat) by wildpossum (guest, #17744)

Precisely, it shows up the difference between the two development philosophies. Contradictory statements have been made about Windows source. Ballmer: revealing our source is a security risk. M$ PR: our methodologies are secure.

You can't have it both ways.

Microsoft grapples with leak of source code (CNN)

Posted Feb 14, 2004 22:41 UTC (Sat) by kempelen (guest, #19458)

Great comments!

I completely agree: if you have any chance to get/look at that code, do not do it! Reasons above.

I was also thinking that this might be just an introduction of another SCO-like attack against Linux, like a comment said above.

The comment about urging users to upgrade is also a good idea; I did not yet think of that, but now I agree.

Somehow everyone thinks it's just another weapon. Wonder why ;-)

Regarding security comparisons of OSS vs. proprietary, you can read a lot on the net, just do a search. Regarding more viruses, etc., I don't think the source code is needed for that; the net is already full of virus e-mail traffic with just using 1 or 2 bugs per virus.

Microsoft grapples with leak of source code (CNN)

Posted Feb 16, 2004 19:50 UTC (Mon) by ahilliard (guest, #19049)

Me too!

;)

Microsoft: leak or bait

Posted Feb 15, 2004 22:17 UTC (Sun) by FineThread (guest, #18744)

Ok, one more conspiracy theory

Where does OSS make major inroads into the M$ world? ==>Servers.

It is a lot cheaper to run Linux + Samba than it is to run some 2003Serf.
And by starting at the server it is a natural migration path to the desktop.

The Samba team is known to play catch up with the M$ protocols.
Now just suppose there is some piece of the protocol that the Samba team
hasn't reverse engineered yet and by miracle shows up in the leaked code?

SCO said Linux advanced by taking their SMP code
M$ is going to say Samba advanced by taking the 2003Serf code ??

Same base argument again

Stay away from this code, we don't need it. It may just be a provocation.

Microsoft: leak or bait

Posted Feb 16, 2004 14:42 UTC (Mon) by the_JinX (guest, #3953)

Same with NTFS:

instead of the reverse-engineered http://linux-ntfs.sourceforge.net
some of Microsoft's code might speed things up, but so could hard work and lots of volunteers...

For a judge there's no apparent difference (IANAL)

And this is even worse than the Samba deal, because it might just end up in the kernel !!

Microsoft: leak or bait

Posted Feb 17, 2004 19:29 UTC (Tue) by JoeBuck (subscriber, #2330)

SCO had no SMP code.

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds