Volume 3, Number 7 -- February 18, 2004

Windows Source Code Appears on the Web


by Timothy Prickett Morgan

Microsoft, having succeeded in deflecting the MyDoom.C virus, which targeted its Web site with a denial-of-service attack two weeks ago, has now announced that a significant portion of the source code for Windows NT 4.0 and Windows 2000 has been posted on the Internet. While Microsoft discloses its source code to key partners and customers, having even a portion of the source code posted on the Web presents difficulties for the company.

For one thing--and this is something that no one seemed to think about as the press reports of the posting of the code came to light last Friday--just because only a portion of Windows NT and Windows 2000 has been posted on the Net and passed around does not mean that the perpetrators of the crime (the act violates Microsoft's trade secrets and copyrights) do not have all of this code. Publishing snippets of the code might just be a way of demonstrating that the criminals have all of the code. Microsoft has not confirmed this, but various reports on Windows enthusiast sites said that 13.5 million lines of Windows 2000 code and 28 million lines of Windows NT code had been leaked out. The unzipped snippet of Windows 2000 was said in the press reports to be about a quarter of the code in the operating system and fit onto one CD-ROM uncompressed. In other words, the snippet size that the perpetrators released may have had more to do with the size of a CD-ROM than with the amount of code that they had. These numbers look like they could be backward, since Windows NT was supposed to have only 17 million lines of code and Windows 2000 only had about 30 million lines. If this is the case, a very large portion of the source is out there. Microsoft has been inconsistent in talking about how many lines of code are in any given Windows release, and it's in no mood to clear up the numbers right now.

All Microsoft would say about the situation is that last Thursday the company became aware that portions of Windows NT and Windows 2000 were illegally available on the Internet. The company stressed that it was illegal to post its source code and that it took "such activity very seriously." Microsoft said that it was investigating the postings and is working with the FBI to figure out who had done it. Microsoft added that the posting of the Windows source code did not appear to be the result of a hack into its corporate systems.

However, this may prove not to be the case. No one seems to remember that Microsoft's corporate network was hacked into and pilfered in late 2000. In October 2000, after a story broke in the Wall Street Journal, Microsoft was forced to admit that hackers had been on its internal networks and stealing the source code to Windows, Office, and other programs for as many as three months before being shut out of the system. The hackers had used a Trojan horse virus to ascertain the user names and passwords of programmers working remotely on Microsoft's development systems. Microsoft's initial analysis after the Journal story ran was that these hackers did not get the source to Windows 2000 or Office, but rather to a beta version of what would become Windows 2003. No one ever followed up with Microsoft on this, but it could turn out that the hackers from late 2000 got a lot more than Microsoft thinks they got.

It is difficult to figure out what the illegal distribution of Windows source code means. But having the source will initially have the effect of making it easier for hackers to break into Windows NT and Windows 2000, which comprise the largest portion of the 9.5-million-strong Windows server base. If hackers have all of the code, as well as earlier versions of Windows 2003, a lot of very nasty worms and viruses could be heading our way in the near future, since the Windows NT and Windows 2000 code snippets have been widely passed around on hacker sites. More than anything else, stealing and posting Windows source code on the Internet will be seen as a badge of honor for the hackers, which means word could eventually get out as someone brags about it. But maybe not. In late 1999, the alpha source code to Windows 2003 was very briefly posted on the Internet. No one was ever caught.


Editor: Timothy Prickett Morgan
Managing Editor: Shannon Pastore
Contributing Editors: Dan Burger, Joe Hertvik, Kevin Vandever,
Shannon O'Donnell, Victor Rozek, Hesh Wiener, Alex Woodie
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, 50 Park Terrace East, Suite 8F, New York, NY 10034