According to Neowin, the source code for Microsoft Windows NT 4 and 2000 has been leaked. A number of universities and institutes already have legal access to the source code, distributed by Microsoft. It is still not confirmed by the software giant of Redmond – but in the wrong hands, this could result in a major security catastrophe and a huge threat against Microsoft’s 32-bit operating system. Update 11:37 PM EST by AS: danjr lets us know, it’s official.
Wow… that sucks. NT 4 is w/e, but Win2k, good stuff man.
How does source code leakage correlate to security catastrophe?
Pretty obviously, if you’ve got access to the source then you can look at juicy things like the renderer in IE or take the Win2k kernel apart and look for vulnerabilities.
Having the windows source is a security issue because you can more or less do a text search to find targets for buffer overflows, stuff like that…
Ten thousand exploiters can code malicious stuff far faster than Microsoft could patch all those holes.
Ideally Microsoft would eventually open up to 3rd party patches and peer review of code to clean up exploits without letting them pile up but…thats probably not going to happen.
Expect lawsuits. And anyone doing linux work needs to be very careful NOT to see any of the stolen Microsoft code, lest they get targetted by hostile lawyers.
Yeah. You know, the same catastrophic security vulnerabilities that have plagued open source software for years.
Some virus or worm authors write their code based on observing any buffer-overflow vulnerabilities the OS may have. Knowing that Microsoft has a huge problem with security, just looking at the source code will give the virus/worm authors loads of new buffer-overflow spots to exploit.
If the source code were open and people could contribute (such the case with Linux) this would be less of a problem. Buffer-overflow vulnerabilities could be spotted and fixed within hours, and also before it becomes a problem.
MS’ security = obscurity AND Source Code != obscurity then MS’ security = (might be in) trouble!
Well, it was Microsoft that said in their DOJ trial that the Windows source was so full of holes that releasing the code would be a huge security risk.
I really don’t buy it, though. Tons of people already have access to the Windows source, including a lot of university students. If they wanted to look for security exploits, they’d be doing it already.
One interesting point brought up in the /. thread about this, though, is that now the “security through obscurity” argument is completely null. Linux and Windows both now have the source available, but Linux actually allows people to fix the holes they find.
But isn’t exposing these vulnerabilities a good thing? At least, they might get fixed now that they are public, if in fact this rumor is correct.
It doesn’t. People that will tell you that have a vested interest in keeping things under wraps. The only way this would be a serious problem is if Microsoft can’t keep up with issuing patches.
Peer review is the backbone of any scientific endevour and computer science should be no different. Closed source circumvents peer review. Opened source allows for in depth analysis of technique, implementation, and security review to identify weaknesses and strengths.
Keep in mind, there is very little proof of this. I’d wait until there’s more concrete evidence that anything actually happened.
Heh. Another problem with using C for anything. Basically grep for “strcpy” or “memcpy” in the source and step through potential buffer-overflows one-by-one…
I wouldn’t worr too much about NT4 because the numbers of users is getting low enough that malicious users would be far more interested in Win2K exploits.
Here is the problem in a nutshell (queue references to Austin Powers…):
In FOSS (Free and Open Source Software), you have access to the source code – and everybody can look at it and fix it. This usually means that problems are discovered and fixed (rinse, repeat…) until the program is reasonably safe for general consumption. Mozilla is a perfect example of this approach.
CLOSS (CLOsed Source Software) was never intended to be seen by anybody who really gives a crap about security. This means that only bugs that are actually stumbled upon by security researchers are found and fixed. There can potentially be hundreds of thousands of very serious security bugs in a CLOSS program — they just haven’t been found. When you take a CLOSS program and distribute the source code on the net, it is much more vulnerable. Furthermore, once all of the eggs are laid out in the basket, you can see just how incredibly bad the program was written. Netscape was a perfect example of this approach… and why Mozilla came into being in the first place.
What about if MS leaked its own code just to be able to sue Linux companies in a couple of months if any new feature that improves compatibility (WINE) or allows access NTFS partitions “seems” to be product of this leak???
Heh. Another problem with using C for anything. Basically grep for “strcpy” or “memcpy” in the source and step through potential buffer-overflows one-by-one…
Nice point. But I’d rather have potential buffer-overflows than have the kernel written in Java, no I’m serious.
This is old news, but part of why W2K IP stack is so much more of an improvement over NT4 is because MS used quite a bit of BSD code. I would be interested to see how much other stuff they “borrowed”.
Couldn’t this help the WINE project? They won’t *COPY* the code but they could look at the code to get a better idea how it works and the undocumented api is no longer undocumented.
Windows was designed insecurely, which is why so many worms exist for it.
This leak makes it no more insecure than it was before.
In fact, Microsoft’s customers shouldn’t be concerned about security because Microsoft has personally stated they will do something about it, either through TC or some other intiative. And most hackers would already be searching the binary code, which they can read just like source code, to find these vulnerabilities.
So if you are worried about security use OSX or OpenBSD or *nix or whatever. Or don’t worry, be happy.
How come source code leak lead to security problems? How stupid is that. Linux source code is available all the time, do we see security problems all the time? Suggesting that there is going to be big danger is quite stupid. It is like arguing that Linux is less secure because source code is available.
No it is not good for WINE. Remember that some licenses even prohibit reverse engineering the code, imagine the legal problem of even seen stolen code ….
Why, very, very evil h4x0rs can develop bad exploits by checking the source code and finding flaws!
IMO, the most important security risk would be the revelation of security algorithms… The revelation of the product key algorithm could also be a PITA for Microsoft and its WPA.
They just discovered that the open source movement can find security holes faster than they can.
Who said anything about Java? Lots of native-compiled languages are completely safe from buffer overflows. Hell, it’d be trivial to add array-bounds checking to C. And given the fact that processors with multiple integer pipes almost always have at least one idle, the runtime cost would be negligable. The one good thing Microsoft is doing security-wise these days is rewriting as much of Windows as possible in .NET. Yeah, they could have picked a better language to do it in, but its fricking 2004, and buffer overflows should have died a decade ago!
This should be obvious, but how great of an affect will this throw upon WinXP? It seems like a fair amount, as the foundation (as far as I know) is written from Win 2000 coding.
You have to take into consideration crackers also call themselves reverse engineers. That basically means that they try to break the code down into steps using debugging methods, source code examination, and examination of a program’s activity at runtime. The easiest one of these is source code examination, and it tends to expedite the use of those other two methods by a large factor.
I was just watching the film “Hackers”… (which sux big time at reality check, but so funny).
Now I really don’t see how this would make things worse anyway… M$ never cared about security anyway. Maybe that will have them move their … and find out that opensource is the way to go ?
Hi
Linux was designed to have the source open so that argument wont fly.
One important thing is there is obsolutely no proof about this.
so lets have some proof before we come up with security problems
ram
This is old news, but part of why W2K IP stack is so much more of an improvement over NT4 is because MS used quite a bit of BSD code. I would be interested to see how much other stuff they “borrowed”.
Yeah, it’d be kind of funny if the Windows code really was leaked and it turned out that half of it was GPL’d code
“CLOSS (CLOsed Source Software) was never intended to be seen by anybody who really gives a crap about security. This means that only bugs that are actually stumbled upon by security researchers are found and fixed. There can potentially be hundreds of thousands of very serious security bugs in a CLOSS program — they just haven’t been found. When you take a CLOSS program and distribute the ”
This is utter B.S…netware is a closed source product and it is renowned for it’s security and stability. Please do us a favor and stop repeating garbage that you heard from a friend or whatever ridiculous qoute Bruce Perens has decided to utter at any given moment.
How long would it take to download that? How many CDs or DVDs would one need to take the source home?
The Win2K TCP/IP stack is not from BSD. Microsoft bought it from another company. The Win2K CLI network tools (ping, ftp) are from BSD.
if that comes to be true then it would be really true to see what happens! afterall MS has been boasting of doing thing ‘radically’ differently than others!
LOL, this is so funny, now Linux can get a look at the code to see what Microsoft stole from Linux
Now if only we could legally use that…
it would solve many problems, like their abuse of monopoly, hardware support… It would solve what polititians fail to do…
BSD is not GPL. One thing people forget about is that, open source is not one unique entity. There are so many parts of it, and people forget that BSD license means that anybody can use it. Anybody, not just GPL people. GPL means that you can not use the source code easily, you have to release your source code too. That’s quite restrictive, not for non-developers of course. It is easy for an average Linux user to say that you should be releasing your source code, but if you put lots of effort into something, you naturally do not want to release it and make it free. There are reasons why people may release the source code and there are reasons why people chose one license over the other for it. But GPL is selected mostly to make sure that you can sell your code for commercial applications. Mysql is an example. Mysql makes it source code in GPL because they hope that commercial companies will buy a commercial license from them. So it is not entirely true that they want it to be free. BSD people on the other hand, truly release the source code and make it free.
By the way, the source code thing seem to be a scam. Nobody cares about it at this moment, but if GPLed code is found in Microsoft, GPL projects are also in danger. Cause definitely GPLed projects do not have any official records. They are generally managed by bunch of people over the world, it is quite possible that a criminal submitted that Microsoft code to the GPLed project. When the judge hears the case, you will have a bunch of kids at one hand and a corporate at the other hand. And I don’t think the judge will listen to the internet trolls or the internet magazines which publish lies.
Open Source now, eh?
Maybe now we could get Windows on the PPC platform. And before I get flamed, which I know I will, remember that WinNT at one time ran on the ALPHA.
My primary office computer is a Redhat Enterprise Workstation 3.0 but I must say that Windows 2003 Server is very nice and I’d love to run it on one of the dual G5 we have at work.
My teory by 0.1Cent.
Ms can’t find his own bugs, so… he sent code to some selected people. So all the young beta hacker testers do their work without pay.. hacking cracking code.
Result: Find bugs my pounds, maybe to fix in ‘time’
colateral result: breaking his own philosophy about open source
loosing people that have the money to change to Linux or other.
who says a few days this…
open source is a treat to security.. so micro now is too
Just think about all the incentive for companies that still use NT or Win2K to upgrade…
Nobody cares about it at this moment, but if GPLed code is found in Microsoft, GPL projects are also in danger.
Cause definitely GPLed projects do not have any official records.
——–
The OSS development process is completely transparent. Most of the major projects have have extensive records in the form of CVS logs and mailing lists that are mirrored over numerous computers on the internet. Yeah, in theory people could go back and change those records in theory, but going back and altering the electronic paper trail on servers located at reputable locations (major companies, universities, etc) would be nearly impossible. Read the Linux kernel mailinglist and see how they tracked down the original origin of some ancient header code that hadn’t been change in many years.
When the judge hears the case, you will have a bunch of kids at one hand and a corporate at the other hand.
——–
http://www.geek.com/news/geeknews/2002feb/gee20020206010156.htm
According to this study, the average open source developer is closing in on 30 years old, and has over 10 years of programming experience. 44% of them are professional programmers, and another 5% are academecians. 20% are students, but remember that tons of innovative software comes out of graduate programs. Not to mention that there are lots of corporations out there involved in OSS’ed software (20% of programmers reported being paid to work on OSS software). On the other side, you’d have a convicted monopolist who has lost court cases in the past for stealing code from other companies (eg: Stacker).
Windows NT ran on PPC too.
Cause definitely GPLed projects do not have any official records.
On the contrary, GPLed projects are open and therefore there are records of their development all over the Internet. It would be up to MS to prove beyond doubt that it developed the code before and that it was stolen and put into a GPLed product.
However, if that was the case, they would already have done so! So I don’t believe that there is Microsoft code in GPLed programs because MS would have already sent C&D letters to those responsible, or sued off the face of the planet (yes, that’s an image – I know MS doesn’t actually posess WMDs..)
It is, however, quite possible that MS used GPLed code in their own, which would have catastrophic repercussions for the company. I seriously doubt they have, as the implications of a possible leak wouldn’t be worth the time saved by stealing the code.
decide that Microsoft is a big waste of time. You can hardly just get on the internet and let your computer sit without getting over 200 spyware, & a few viruses. Everyone will look for another solution, of course it will be linux, witch, for anyone to say that it’s a perfect replacement for Windows is i total idiot when it comes to home users. Yes, I do see Lycoris, I do see Lindows.. they are GREAT alturnitives to windows… just not right now. Personally, I know I will see a wrath of comments on what I say here – But I see the MacOS as the Desktop of the future (providing that Microsoft just gets hammerd to distruction for this leak). Before your anger levels go up, please try MacOS X next time you have an optertunity – use it with good intentions, not going into it saying “Look, even the interface is gay! the buttons look like grandma’s fruit-cake!! haha” Stop and read articals on the internet with a basic search of “TCO Windows VS Mac” and I can assure you out of the 30 articles you read – you will find none out there that that show a Windows Baised PC is less expensive. I was never a Mac fan untill OSX – I hated macs… I would have used DOS before the Mac. I even made commends like “How could anyone use a computer that smiles at you, and has the logo of a fruit?”. In the case that you have not looked into reading about modern Macs, OS X has no viruses to date, No spyware to date, Built-in Mail filters for Spam mail. Heck the only virus that it does have is the virus of Excitement. You would learn that almost all of the top software is eather made for it, or there is an = alturnitve – or yet – a BETTER app that replaces it. And on-top of that… the names of the programs are not crazy like FNDCturbo2.Pre. ( see http://www.freshmeat.net ). All installable items, or at least a good 85% of them are pre-compiled, and ready to use without seeing “SHUNQD23.lib could not be found” to come to find out that that file requires 13 other files, and those files need X amount of other files – so on and so forth. There are no errors like “While starting the X window server, (something or another) killed (crap goes here) and is unrecoverable!” Junk Junk Junk. The MacOS X kernel does not start up flashing useless crap that just flys all over the screen (unless you hold a few commands down) Also some people say that all Mac OS X is is FreeBSD with a pritty interface.. This is simply untrue.. as a matter of a fact – durring install, you can even specify to not install the BSD subsytem. The kernel is a Apple made kernel, it’s called Darwin. There has even been a few stuidies showing that Apple users generally spend about 5 hours a month updating their computers. While the average Windows user spends almost an entire work week updating the newest virus defenitions, & updating to the newest patches from Microsoft. I will be posting my CTO report later this month or next month, when it’s complete. It will not turn any mindless heads, but it at least get’s it off my chest… [Written on an iBook 900Mhz with 184 days of uptime]
A remarkable coincedance. First Intel says that it will make 64 bit chips. Then windows annonce it will offer trial versions of its 64 bit os. Then the 32 bit os code sudden comes online. So now if you want a secure computer you gotta grab a new Windows 64 bit os oh you’ll also need a Intel 64 bit chip, plus a whole bunc of new hardware and software what next office 64 bit. My idea go tell windows to go fu(k itself and welcome apple. There about to come out with 90nm chips at 2.5 to 3 ghz chip. At least they have quality products and software
Who said anything about Java? Lots of native-compiled languages are completely safe from buffer overflows. Hell, it’d be trivial to add array-bounds checking to C. And given the fact that processors with multiple integer pipes almost always have at least one idle, the runtime cost would be negligable. The one good thing Microsoft is doing security-wise these days is rewriting as much of Windows as possible in .NET. Yeah, they could have picked a better language to do it in, but its fricking 2004, and buffer overflows should have died a decade ago!
I wouldn’t know what other native compiled language your are suggesting instead of C for the kernel. As for runtime and VM based languages, forget it.
If you have done a little embedded programming, you’d understand why OSes should never be written with VM based or runtime languages.
Embedded programmers will tell you runtime languages are step backwards in mordern computing. A few years ago, I’d have argued bitterly with them in past. But after some first hand experiences, I completely concur.
Besides with the wealth of security tools available for C code error/security checking and the abundance of literature on the issue, I really don’t see excuses for buffer over/underflows, especially ones committed by kernel hackers.
Of course, the kernel is a large beast, you might argue, but a corporation like Microsoft with all those resources should by default generate code free of buffer mishaps. Things really are bad if the supposed leaked kernel sources do contain numerous buffer overflows. In fact, I’d promptly remove all Windows software from my machines.
Especially knowing that there are several commercial development tools specialized at discovering buffer mishaps and other peculiar memory mismanagements. And buffer flows happen to be the easiest holes to fix, at least if you are a kernel hacker.
I’d be lenient with other programming flaws, but in this day and age, buffer overflows from a company like MS is just unacceptable. I mean, even OpenBSD which is confident that holes in the kernel will not be buffer flow related.
With big corporations like IBM, SUN, NOVELL, SGI to mention a few working to make the Linux kernel robust, by 3.0 is Linux still have buffer overflows, please switch to another OS.
That’s like a smallpox outbreak in the US today. It’s just unheard.
It might actually be possible, if you had multiple teams coordinated cleverly.
e.g.
Team 1: Looks at source code (illegally); finds hidden APIs
Team 2: Is told by team 1 verbally about hidden APIs and writes down important information
Team 3: Implements hidden APIs as described by Team 2
Team 3 will not have directly seen or even heard of anything in the original source code.
Team 2 will not have done anything illegal; they have simply exercised their freedom of speech.
Team 1 would be the only problem…
I have the feeling that ReactOS will experience a tremendous boost anytime soon…:)
No, I’m sure ReactOS is scared out of their mind right now. This event might have dire concequences for them.
I wouldn’t know what other native compiled language your are suggesting instead of C for the kernel.
————-
Lisp, Dylan, Scheme, Modula, Ada, and many other “safe” languages generate native code. Kernels (some of them embedded, real-time ones!) have been written just fine in Lisp, Modula, and Ada, for example. I’ve toyed with the idea of doing a toy kernel in Dylan, and from what I’ve seen, it should be perfectly doable.
If you have done a little embedded programming
————–
I have done embedded programming. We had C++ and Java on there, as well as a CORBA ORB. No problems at all. Of course, the target machine had a G4 with more than 128MB of RAM
Embedded programs do not necessarily run on a PIC microcontroller with 64KB of RAM.
Embedded programmers will tell you runtime languages are step backwards in mordern computing.
————–
Embedded programmers also argued against putting caches on CPUs. And against virtual memory. The requirements of the embedded world are very different from the requirements of the mainstream. But I agree that the popular VM languages are a step backwards, because they don’t buy you anything over compiled languages.
I really don’t see excuses for buffer over/underflows, especially ones committed by kernel hackers.
———–
Tools are nice to have, but obviously, they are not adequate. Buffer overflows are still *everywhere*. The only way to get rid of them once and for all is to start using safe languages.
I see no excuses for *not* making languages range-checked. Not only is it easy to optimize out more than 90% of such checks, but the runtime check is a simple, easily parallelized comparison!
Of course, a secret/hidden API is discovered and implemented in WINE … something that didn’t happen before, so how would you explain that to a judge? Something like ” … and then the blue fairy appeared and granted me the wish to be able to mistically know the code of Windows ..”
“I wouldn’t know what other native compiled language your are suggesting instead of C for the kernel. As for runtime and VM based languages, forget it.”
BeOS kernel was written in C++, IIRC. what about JavaOS? i’d assume its kernel is written in java (though i don’t know much about it)
as for the topic at hand, i would put money on more then a few worms, virii, exploits, whatever you want to call them coming out of this. and i bet these will have a serious impact on every supported version of windows available until longhorn is released. and i’d wager longhorn is either effected by this or pushed back to ensure its not effected.
basically for windows (l)users, this is bad. for us running BSD and/or Linux variants, we can go about our daily activity. nothing to see here.
Why would anyone add Windows code to Linux or any other program/OS? You know M$ knows its code by heart, and would sue the hell outta that company/developer/hacker, and win. As funny as this is, I really hope no one is dumb enough to add M$ code to their project.
I’m pretty sure the BeOS kernel was regular C. The Taligent kernel was C++ though, IIRC. C++ is a nice language for kernel development (though its not safe) because you can avoid some performance hacks with templates. For example, Linux users macros and some weird pointer magic for its generic data structures (lists, etc). The C++ way of doing this would be to use a template, and it would actually be much faster because there would be less indirection (no need for void pointers) and because things like predicates (eg: qsort()’s comparison parameter) can be inlined.
A remarkable coincedance. First Intel says that it will make 64 bit chips. Then windows annonce it will offer trial versions of its 64 bit os. Then the 32 bit os code sudden comes online. So now if you want a secure computer you gotta grab a new Windows 64 bit os oh you’ll also need a Intel 64 bit chip, plus a whole bunc of new hardware and software what next office 64 bit.
Except for the teensy detail that 64 bit Windows isn’t ported to the intel x86-64 chip
Now that its out in the open, perhaps someone could merge some of mozilla’s source into mshtml.dll and fix the buggy/incomplete implementations of standards in IE! Then we don’t have to code for 2 different main browsers!
the only people that need to or are going to look at that source code are the ones that wanna do bad with it and rip microsoft a new one. if the source has indeed be released, no one is gonna confront microsoft on it because the lawyers would come running for you downloading and looking at it. so im waiting for all the basement dwellers to hack it up and release some exploits. right now i got popcorn in the microwave and am waiting to see the show. there had better be a second act!
“Team 3 will not have directly seen or even heard of anything in the original source code.
Team 2 will not have done anything illegal; they have simply exercised their freedom of speech.”
*cough* derivitive works *cough
Expect lawsuits. And anyone doing linux work needs to be very careful NOT to see any of the stolen Microsoft code, lest they get targetted by hostile lawyers.
I think the likelihood of Windows contributing anything directly to Linux would be next nothing, the only *possible* one that could directly benefit from source code disclosure would be Wine.
With that being said, this is only a *rumour* not a fact. When you start *seeing* the code on Kazaa/limewire/bittorrent, then you should start to become worried.
do we need a security problems to makes us realize that an OS monoculture is a dangerous thing?
I wonder if all the MS security problems may eventually lead to adoption of alternative operating systems.
This is being actively distributed in the edonkey network and the overnet network. Boys, it’s real.
http://heim.ifi.uio.no/~mortehu/files.txt
here is a file list someone posted.
Lisp, Dylan, Scheme, Modula, Ada, and many other “safe” languages generate native code. Kernels (some of them embedded, real-time ones!) have been written just fine in Lisp, Modula, and Ada, for example. I’ve toyed with the idea of doing a toy kernel in Dylan, and from what I’ve seen, it should be perfectly doable.
I’d argue that most of the languages you have mentioned are way too high level for kernel programming, with the exception of probably Ada. Scheme, for instance is synonymous to writing a kernel in python. Yes, it is do able, but is it feasible? Absolutely not! Except you really don’t give a damn about your users, who like speed and efficiency. Heck you can write an operating system in BASH if you wish.
Note though that being able to do something doesn’t necessarily mean it would work out as planned.
I have done embedded programming. We had C++ and Java on there, as well as a CORBA ORB. No problems at all. Of course, the target machine had a G4 with more than 128MB of RAM
Embedded programs do not necessarily run on a PIC microcontroller with 64KB of RAM.
lol! 128MB of RAM. We might as well call it a laptop. 🙂 Three years ago at palm we needed to right an web proxy cache, much like squid, because of the limits of web broswing on handheld systems. I was a Java zealot then. I think we had about 2MB or 8MB of memory to work with then, or less. (Pardon me, my memory is fuzzy)
So, our project began. Then Java was been touted as an embedded developers dream come true and all what not. When we were done coding the project in Java, every thing went fine until we launched the broswer. After about twenty minutes or so, the battery of the palm handheld will just run down and kill the whole system.
Of course, we knew it was the Java. We thought it was an error in the code somewhere. A bug we thought. After weeks of debugging and trying to figure out what the hell we did wrong, a senior engineer who had been silently mocking us, told us what the problem was. It was quite embarassing. The VM was consuming way to much resourses and was draining the battery. Duh! That’s obvious. I guess we were blinded by zeal.
Ever since, all embedded project were done in C, and all palm OS APIs where strictly written in C, of late they added C++ APIs.
My point is, it is not just about you being able to do something in your favorite language, but how feasible it is to do so. Yes, the web proxy cache worked flawlessly in Java, but what happens to the user experience when they need to replace their batteries every 30 minutes?
Yes, it was easy to code it in Java, no memory fiddling, no buffer flaws, etc, but users don’t want to wait 3 seconds for a connection echo on a handheld, nor do they want to wait 2 seconds for the application to quit.
Java made our lives, developers, easier but it could have given our product a bad reputation. You’d argue these are handhelds. But I’d argue that this plague is slowly being carried over to the laptop/desktop world. What further pisses me off is talk from SUN and MS proponents saying hardware is cheap. The solution to their inefficient language is for the user to upgrade his machine.
In the end, it’s the user experience that matters, not the developers convenience. Just from my experience, I can tell you it is not practical to use those languages to write a kernel. You’d end up frustrated 6 months later. As a result of unforseen side effects, much like our case with trying to write java apps for 100Mhz 8MB RAM palm system.
In theory, certain calculations really sound plausible. Wait till you have to test it in the real world. “Let’s write our OS using .NET. Sweet!”, only to find out your laptop battery runs out after an hour, or your PC is consuming to much power, or you have to upgrade your PC to run your mew .NET web browser.
That’s why some of us are hell bent on using languages that are efficient, today only C(C++ to some extent even though I don’t like it, I prefer C#). Gone are the days when we needed a whole building to run a calculator. I fear these sexy languages are taken us back in time.
That being said, Ada and scheme are both great languages. I wouldn’t use scheme to write an app though, even though I know people who have. I used to use scheme and python for prototyping in the past.
One would have thought languages faster, more powerful, more convenient, more compact and much safer than C would have evolved over the last 30 years. It is dissappointing the opposite is happening. Yes, the sexy new ones give me convenience, but at what cost?
Hmmm, can’t use that, but where is the OS/2 source.??
What can I say… if it is true… well… the next few weeks are going to be interesting, to say the least…
I think this is fake, a hoax, Windows Code is locked down so tight you would think it was gold in fort Nox sp? The computers that hold it aren’t connected to the rest of MS’s networks in any way from what i’ve heard a few years ago. So you can’t access it and copy it over to CDR or just send it via an IRC DCC to someone you know etc.
The people outside MS who are able to see it do so in what i think they call clean rooms/labs, whats inside doesn’t leave the room and it’s look but don’t touch. and even then it’s not all the code, just select API’s they’ve signed up to view.
MS has already denied this story, from what i’ve read online it seems that someone saw some code and thought it was Windows code, if you look at the lists out there it looks really odd and weird to me. There’s stuff in there about apache and some other crazy stuff that just sounds stupid.
This is fake if you ask me.
the appearance of gnu-make in 2k. it’s been long known, even
long time b4 the src leak.
Nope, a Makefile is not the same as including the actual gnu-make on your source. This would be the same as using the gimp to retouch your photo, and claiming that because you used the GIMP that your photo is now GPL’ed.
If you use gcc to compile code you do not need to make that code GPL’ed, only if you include actual GNU code in your program… not when you use the tools.
Microsoft Says Portions of Its Windows Source Code Have Been Leaked Over Internet
http://abcnews.go.com/wire/Business/ap20040212_2239.html
Though apparently not all of the source code was leaked – I heard it was about 200MB, which is probably not even a quater of it.
Well, this is M$ we’re talking about…who knows what code they are using in Windows; but we’ll soon find out.
Michael Lauzon, Founder
The Quill Society
http://www.quillsociety.org/
[email protected]
The 203MB file expands to just under 660MB, he said, noting that the final code size almost perfectly matches the capacity of a typical CD-ROM. The entire source code, he said, is believed to be about 40GB, meaning that the file circulating Thursday would be only a fraction of the full code base–if it is authentic.
In the realm of C++ kernels, lets not forget Fiasco!
Hmm 40GB, what is that the source code from the Alpha, Beta, and Final versions of Windows 2000/NT4? I find it hard to believe that the Final version goes from 40GB all the way down to a compressed 650MB installation disc.
http://www.msnbc.msn.com/id/4253584/
for the record, the whole windows rcs repository numbers around 50GB according to a msft sendior softw. architect we hired for a lecture.
it is more than likely that this is a win2k rcs snapshot.
You are associating the languages I mentioned with Java and C#. Java and C# are regressions in the software industry. They are no more powerful than C++, while at the same time being significantly slower and more memory hungry.
The languages I mentioned are not like that. Given a good compiler, and similar code, they’ll generate binaries that are 80-90% as fast as C binaries. And this isn’t just theoretical. d2c, which is a 100,000+ line Dylan program starts up in 1/10 a second on my machine. Common Lisp was fast enough that they used it to write Jak and Daxter, a popular PS2 game.
They do require more memory overall, but less than you’d think, and not as much as Java/C#. Remember, one of the first things Apple used Dylan for as an OS for the Newton! “Hello World” with the d2c Dylan compiler generates a 1.7MB static binary, while “Hello World” with the G++ compiler generates a 1.0MB static binary. This is especially impressive given that d2c doesn’t have a link-optimizer that gets rid of unused functions!
Also, on the performance note — remember that lots of performance sapping things like IPC, virtual memory, system calls, etc, just go away when you have a safe language. I doubt Microsoft will go all the way and allow .NET apps to run in kernel mode, but they could certainly do that without affecting stability!
Anyway, about your concerns on whether this is feasible — Lots of OSs have been written in these languages. For example, Symbolics, Xerox and TI wrote OSs in Lisp. There are a number of Scheme OSs available, and MzScheme runs on bare hardware. Real-time OSs have been written in Modula and Ada. Hell, people have even done OSs in ML!
Even if there is any GPL’d code found in the source that was leaked you would not be able to use that code in a cort of law. Think about it. Are you going to walk into cort with stolen property? MS could claim anything the wanted. Even that you planted the code there and there is no way you could prove otherwise. It’s stolen property and therefore tainted.
It would be very hard to sneak Windows code into Linux. First, the OSs are very different. It’d be a major pain to have to port the code you’re stealing! Second, the Windows coding style is very different from the Linux coding style. Most Linux projects use the UNIX code style. Windows code would stick out like a sore thumb!
You are associating the languages I mentioned with Java and C#. Java and C# are regressions in the software industry.
I think both of your are just a little off topic – go have your pissing contest in a language forum, please ?
“But I see the MacOS as the Desktop of the future”
I whole-heartedly agree with you. OS X has many of the benefits of linux, but it goes much farther than linux does especially in the UI front. When I use OS X on the desktop, I feel the contrast it has to my windows box. When I use linux on the desktop, whether it be KDE or Gnome, it feels like a modified windows box. Shit, even the start button is there by default on so many linux desktops. Talk about lack of innovation.
This could realy help the wine project. You would not be able to use any of the windows code in wine but you could look for undocumented API’s, figure out how things work and then re-code that in the wine libs.
So you propose that MS should rewrite windows in Lisp or some other pet language flavor of the week that language geeks think can solve world hunger?
No, I propose that MS should write Windows in a safe language that isn’t vulnerable to buffer overflow exploits. That’s precisely what Microsoft is doing now. Obviously, all of Windows is too much to rewrite at once, but new development is being done in C#. C# certainly qualifies as a safe language that isn’t vulnerable to buffer overflow exploits.
I agree with Darius. This is OT. E-mail me if you’re interested in continuing the discussion.
Looks like we are back to more fud from M$
LongHaul will be next
I think we’re overlooking an obvious point here.
A buffer overflow is the result of a careless or inexperienced programmer. These people should not be coding kernels.
No, the point is that MS is a business and not a grad student playing around with pet projects. Longhorn is not being rewritten in c#. The developer libraries/tools are being rewritten in c#. The kernel will remain c.
I should clarify my previous post. The shell and other parts of might be rewritten in c#/c hybrids, but they’re not re-writing the kernel in a “safe” lanugage. Kernel developers , for the most part, haven’t even ventured into the C++ world, so any kernel development of a major OS being done in a “safe” language is decades off.
I’m pretty sure the BeOS kernel was regular C. The Taligent kernel was C++ though, IIRC. C++ is a nice language for kernel development (though its not safe) because you can avoid some performance hacks with templates. For example, Linux users macros and some weird pointer magic for its generic data structures (lists, etc). The C++ way of doing this would be to use a template, and it would actually be much faster because there would be less indirection (no need for void pointers) and because things like predicates (eg: qsort()’s comparison parameter) can be inlined.
Then there is OpenVMS which is written in BLISS/MACRO; has a security record second to none. As you said, there are loads of languages out there than don’t have the same issues that C/C++ face.
Not it isn’t. Microsoft has some very good programmers. Its their architecture (driven quite heavily by marketing and backwords compatibility) that causes Windows to have so many security holes, not so much its programmers. Plus, there is tons of software that suffers from buffer overflows, a lot of it written by experienced developers. Buffer overflows are *not* just the malady of newbies, but affect everyone.
Smart compilers can optimize away some bounds checking but not all obviously. The great thing about c# is that you if you need the performance boost from not having bounds checking you can drop down into writing unsafe code with pointers in c# proper without having to write c code.
No matter how you look at it though, bounds checking is going to have an performance impact. There’s just no getting around it.
Imagine what they can do to ppl that have DLed the source code? 😐
That there will be millions of Windows distros now, and software written for one distro will not run on others. Then Windows users can feel the pain I have been feeling for years!
I’m not saying that M$ doesn’t have experienced programmers. I’m just saying that experienced programmers that don’t do bounds checking are lazy.
Only the slashdweeb considers Microsoft kernel engineers to be stupid. That doesn’t excuse them or anybody else from buffer overflows, but as Raynier pointed out MS is a business and so engineers have to subcumb to Marketing time-tables. You also have to put everything into a historical context too. When NT was first being developed there wasn’t even a web and the internet was mainly for academics and some large companies who didn’t use MS for servers anyway. MS was late to the internet world the way it was and so back in early to mid 90’s when your XP/2000/2003 code was being written, engineers probably weren’t thinking that much about some basic intel box sitting open to the whole world to probe.
First off, hasn’t this soft of thing happened before? Seems like I remember this happening with some beta versions. Secondly, the news article says the cost incalculable. Outside of potential security vulnerabilities and FUD in general, I don’t see how having the source out there (that no one can legally use and any one who wants to do programming work probably can’t even legally look at) is a financial liability to Microsoft.
Maybe a dumb question but I had to ask.
The news reports say that leaking of the code will cause huge losses because it is their primary intellectual property and they have invested millions in it.
What I don’t understand :
– Say we look at Solaris
– It is not free / open source
– however, if you buy Solaris you get a copy of the source code (legally)
– but no one feels that this will hurts Sun
– after all, it is still copyrighted, and you cannot copy the code, though you can view
Can someone pls explain to a newbie. Or is my understanding completely incorrect.
Thanks….
The question is, how big of an impact is it? A good compiler can optimize away nearly all bounds checks. When they can’t, you can usually write the critical loop in a more FORTRAN style so it can. In the end, the few bounds checks that actually get executed are minimal.
PS: Note that some research shows bounds checks being very expensive for C code. A study shows a 117% performance hit for a Pentium III with the ‘bcc’ gcc bounds checking extension. These results are not representative of bounds-checks as a whole. There are one problems with C that makes bounds-checking a pain: pointer arithmatic. Pointer arithmatic means that bounds-checkers for C bloat a pointer to three machine words. This not only trashes the cache, but prevents the whole pointer from being loaded into registers. It also means that every pointer access requires a check. Most languages disallow pointer arithmatic, and thus do not have these problems.
MIcrosoft LOader did it
“No it is not good for WINE. Remember that some licenses even prohibit reverse engineering the code, imagine the legal problem of even seen stolen code ….”
Very true. Don’t even dare to view this code.
Same is true for Half Life 2.
Unless you really believe nobody would found it out.
Then still, does that really feel good? It is theft…
But in other legal projects like OpenVMS and Solaris it’s actually for real a problem.
The first thing i thought when MS wanted to share source code (“open source code”, like some sites screamed) was the problem which actually just now happened. MS _must_ know this could have happen. It’s that simple, there’s always a rotten apple somewhere.
Bottomline: For any Free software developer the source of propritary code (“shared code”), legal or illegal, is essentially useless… and imo unethical.
Oh dear, how is it possible? 40gb?! I don’t think I will want to work for Microsoft and clean up their source codes.
http://www-106.ibm.com/developerworks/linux/library/l-sp4.html?ca=d…
Seriously, any C/C++ programmer who doesn’t have a fundamental grasp of buffer overflows and how to counter them, really shouldn’t be hacking on kernel source codes.
As to using safe languages, hardly any language in totally, safe. At least I know Ada and C# have holes that can be exploited. C/C++ give coders are ridiculous amount of power, which of course comes with great responsibilities.
Using safe languages is like telling your kid not to go out because the world is a dangerous place to live in. How then do you expect him to develop as a member of the society? With the resources and tools available in C, you got to be a green horn, or just careless, to write code that exposes potential buffer overflows.
But wouldn’t it be somethin’ if, just hypothetically, there was a huge virus backlash that microsoft couldn’t keep up with and they buckled down and ‘officially’ released the pirated code under some half-thought-out liscense (impossible, but
) that in some strange way allowed groups like ReactOS or Wine to use the code as a referance?
Ok, I’m dreamin. But as the beachboys say – wouldn’t it be nice?
Oh, buffer overflows is another reason to true coders to learn Assembly. 🙂