MS Windows source code escapes onto Internet

Say it's a vital secret for long enough and it'll turn round and bite you...


Microsoft has suffered what appears to be a severe leak of Windows source code, with a file circulating on the Internet appearing to consist of several million lines of code from around mid-2000. The source code seems to relate to NT4 and Windows 2000, and in a statement the company has conceded that "portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet."

"It's illegal for third parties to post Microsoft source code," the statement continues somewhat redundantly, "and we take such activity very seriously."

The impact of the leak is however massively more important for Microsoft than it is for the rest of the world, as it effectively blows the company's 'security via obscurity' approach to smithereens. Over the past year or so it has, with much pomp and ceremony, unveiled its shared source programme as a counter to open source, while in the same period it has repeatedly stressed that it cannot disclose some aspects of its code to rivals for security reasons. If they could see it, it would leak, and then evil terrorists would be able to break into Windows more easily. Microsoft, incidentally, currently has the shared source web site as a 'related link' on the leak statement page. Are you entirely sure about this relationship, dahlinks?

According to Neowin, there are two packages which appear to be the source of NT 4 and Win2k, respectively. The site says it's not yet clear whether or not the full source has leaked. Betanews says the claimed Win2k source contains 30,915 files and consists of 13.5 million lines, pointing out that this is considerably less than the 35-50 million the entire source should consist of.

This is still however a substantial slug, so if keeping source secret is important, then the leak is surely important. The leak will likely be of some help to people trying to find vulnerabilities in Windows (bear in mind that source for NT and Win2k has a great deal of relevance for XP), but the ready illegal availability of source presents a problem rather than an opportunity for security companies and for developers trying to make their products interoperate with Windows, given that having illegal knowledge of Windows' workings would massively compromise their ability to do legal work.

This may present particular problems owing to the likely entertainment value of Windows source. Betanews tells us that already people have been looking for the notorious "Weenies" jibe at Netscape developers, and although they've come up empty, there are numerous profanities and references to codenames long gone. The Register is confident that close study will reveal that it's all such a byzantine nightmare that our long-held theory that Microsoft doesn't know what's in there either will be proved, but don't look if you ever want to legally develop for Windows again.

What next? Microsoft says there has been no breach of its corporate network and internal security, which is possibly a first, but has called in the FBI. The dates of the code and the content will likely produce clues as to how and where it began to make its way out of the company, and if the mid-2000 claim is correct, that would suggest that it could have been outside of Microsoft for some considerable time. The likelihood is surely that it was associated with a development deal with an outside company whose safe has now fallen open, or something.

The weirdness here is that although Windows source code might be obscure, it's not exactly secret, nor has it ever been. Microsoft now does the shared source stuff, but it has been giving outside companies access for years. There are plenty of people out there who do know something about Windows source code, and under shared source deals plenty of people can look at Windows source, but there's not a lot of point looking if you can't do anything much with the knowledge, and if you don't have a legal, development reason to look you're not exactly going to volunteer to do so.

It'd be nice if escaping source code prompted Microsoft to take a more rational view of the whole issue, stop pretending it's secret and adopt the rival view that openness helps security, but we fear that'll take a few more leaks. Windows source code - so secure we let the Chinese and the Russians look. Right. ®

