September 20, 2020

Windows Source Code Leaked?

Neowin is reporting that the source code for Windows 2000 and Windows NT4 has been leaked to the Internet. I haven’t looked at the code, and I won’t, so I can’t tell you whether the report is accurate. But based on the fragmentary information available, it appears more likely than not that the leak is real. If there was a leak, what are the consequences?

First, whoever leaked the code is obviously in big trouble. And Microsoft might respond by reducing the number of people who get to see the code, a number that had been increasing lately. In fact, a leak is not too surprising given how widely Microsoft distributed the source code.

Second, the leak will do some damage to the security of Windows machines, but it’s not clear how much. There’s a longstanding debate about the security implications of open source development. Source code access makes it easier to find security bugs. With open source, you make it easier for honest outsiders to find bugs, which is good, but you also make it easier for malicious outsiders to find bugs, which is bad. This kind of leak gives us the worst of both worlds: honest outsiders will avoid looking at the stolen code, while malicious outsiders use the code; so you get the security drawbacks of open source without the security benefits. This will only matter, though, if the bad guys would otherwise have trouble finding bugs, which may not be the case.

UPDATE (February 13): The Associated Press is reporting that the source code leak did occur.

Comments

  1. It would actually be interesting to start, with proper legal advice, a formal project to analyze the code with the intention of using it lawfully to enhance interoperability between other operating systems and Windows. For example, some designated people would volunteer, or even be paid, to look at the code and write functional specifications (using guidelines supplied by experienced copyright lawyers). Then other people would be given those functional specifications and compare them to code in other systems in whose development they were lawful participants. But anyone who wants to attempt anything like this should first retain a real lawyer and get a specific legal opinion, not least including specific rules about how to go about it.

  2. I volunteer to get involved with Seth’s project if it ever flies…

  3. aNonMooseCowherd says:

    Legal considerations aside, Seth Schoen’s proposal is not likely to yield results that are useful for very long, because Microsoft can just change the protocols in the next version of Windows.

  4. What I find more worrying is that Microsoft will, SCO-like, claim that some of their code has made its way into Linux (or other FOSS projects), and this will exert a chilling effect on open source development as a whole.

    Yes, I realise that the SCO case is not going well (http://www.groklaw.net), but that hasn’t stopped the mainstream press reporting it differently, and it doesn’t prevent Microsoft’s posse of Expensive Lawyers getting a different result next time around.

    As Dr. Felten says, the “good guys” working on open source projects will therefore be avoiding this code like the plague.

  5. If you ask Microsoft if they have reason to believe that source code for Windows 2000 and NT4 has ever leaked before, (and they answer honestly) they will tell you ‘yes’.

    I’m curious how Microsoft would differentiate between the results of the latest loss and previous loss of the source code, which occurred when their corporate security practices were much weaker.

  6. And why not use this release to actually engage the hordes of engineers that would like to contribute to MSFT? Of course, it is dangerously close to being open source, but now that the genie is out of the bottle, this could actually have a positive outcome.

  7. Windows and Open Source Security

    In the wake of reports that Microsoft Windows source code has leaked, commentators such as Ed Felten are asking about the implications for security of Windows machines. I thought it might be useful to repeat an anonymous posting of mine from July 4, 20…

  8. aNonMooseCowherd says:

    Has anyone considered the possibility that Microsoft intentionally leaked the source to their older operating systems as a ploy to persuade customers to buy XP, based on the fear that Windows 2000 and NT may be compromised by the leak?

  9. Jan Freijser says:

    Why doesn’t anyone remember that Microsoft ‘borrowed’ all of its so-called innovative ideas from other companies in the first place? DOS was a semi-legal copy of Kildall’s CP/M, Windows version 1.0 (of 1985) was entirely based on the Mac OS. Microsoft got out of its license contract with Apple only after a long legal battle.
    The concept of GUIs goes back to Doug Engelbart’s ideas and prototypes of the 1960s.
    About the ‘leak’ itself: I have grave doubts about it being a leak by ill-meaning 3rd parties. Windows source code has been around since 1985, with big companies and all those PC makers that found it necessary to customize Windows for their machines. So I believe reams of Windows source code have been out there in all shapes and guises. ‘The leak’ falls in the big P category of publicity, why exactly escapes me, I admit, but it does seem to distract nicely from that other leak, the security leak found 8 months ago by Microsoft and publicized only days ago.

  10. Microsoft just needs to get with the GNU generation and have open source code like the real operating systems (Linux, Unix). Why should anyone have to pay for an OS like theirs when they can go to redhat.org and download a real operating system for free? I guess the people of Redmond have more money than they have brains.

  11. I am not sure how to take all this. I can only make assumptions, but I guess I just assume, as do some others, that Microsoft leaked their own code. I will not look at the code until it is “Legal” to do so, but what I will say is that I have used many distros of Windows, and since I was introduced to the LINUX community about a year ago, I have found the many different Linux distros to be more stable, easier to figure out how to use, than Windows has ever been. The availability to get the source code for Linux distros has made it possible for me to delve into development projects to find bugs, etc… to make better distros. To be honest, does it really even matter that Microsoft code is leaked? When the world stops fearing LINUX, and gives it a shot, Microsoft will just be a long forgotten memory. How many more “leaks” is it going to take before the world realizes that Microsoft is not perfect? No software is perfect. At least in the Linux community you have many people who can actually help you fix many problems with your particular distribution. Has anyone here EVER called Microsoft to get tech help? Ever notice these problems are continual? I broke the WINDOW a year ago, now I embrace the PENGUIN. Bill Gates should see this as his opportunity to join the Open Source Community, and give up the monopoly. Please choose wisely, Mr. Gates