Information Security News mailing list archives

Microsoft cracks down on source code traders


From: InfoSec News <isn () c4i org>
Date: Thu, 19 Feb 2004 04:18:33 -0600 (CST)

http://news.com.com/2100-7355_3-5161205.html

By Robert Lemos 
Staff Writer, CNET News.com
February 18, 2004

Microsoft has sent several letters to people known to have posted 
Windows source code on the Internet, warning them to stop offering the 
files and erase any copies. 

The letters explain to the individuals that downloading or using the 
source code is a violation of the law. Part of the reason for taking the 
tack is to educate people who may be curious about the operating 
system source code that the files are proprietary and valuable, 
Microsoft spokesman Tom Pilla said Wednesday.

"I'm sure that there are many people that don't know that it is 
illegal to share our source code," he said, adding that the letters 
are just the logical next step in Microsoft's stated goals of 
protecting its trade secrets. "We have said from the beginning that we 
would take all appropriate action with regards to our intellectual 
property." 

Last week, Microsoft acknowledged that two 200MB files containing 
compressed partial copies of the company's Windows 2000 and Windows 
NT4 source code had been leaked to the Internet. Some evidence seems 
to point to Microsoft partner Mainsoft, a developer of Unix tools for 
Windows, as the source of the leaked code. 

Microsoft is now attempting to put the genie back in the bottle. In 
addition to the warning letters, the software giant has posted alerts 
on several peer-to-peer file-sharing networks where it believes that 
illegal sharing of the source code has taken place. Those warnings 
will appear when a user searches the network using certain keywords 
related to the source code, Pilla said. 

In a statement posted to its Web site, Microsoft stressed that the 
source code files are both copyrighted and protected as a trade 
secret. 

"As such, it is illegal to post it, make it available to others, 
download it or use it," the company said in a statement. "Microsoft 
will take all appropriate legal actions to protect its intellectual 
property. These actions include communicating both directly and 
indirectly with those who possess or seek to possess, post, download 
or share the illegally disclosed source code." 

The company's position could deter independent security consultants 
and hackers from analyzing the code for vulnerabilities. Many security 
researchers have expressed concerns that the leaked code would prove 
to be a good tool for hackers who try to find vulnerabilities in 
Windows code. However, the source code is more than two years old and 
doesn't appear to include server or network services, which could have 
been analyzed for vulnerabilities that would lay systems open to 
remote attack.

"The whole thing is more of an embarrassment for Microsoft," said Marc 
Maiffret, chief hacking officer for software firm eEye Digital 
Security. 

At least one vulnerability has been found by analyzing the source 
code. After a security researcher found a flaw in Internet Explorer 5, 
Microsoft urged customers to upgrade to the latest version of the 
browser, Internet Explorer 6 Service Pack 1. 

Maiffret said he didn't believe that Microsoft's pursuit of copies of 
the source code would stop the trading. 

"It seems like a pretty wasted endeavor," he said. "People are still 
going to use the code." 

Microsoft wouldn't comment on whether the company would go as far as 
suing security researchers who found vulnerabilities by analyzing the 
source code. 

"Our message is that we appreciate the sentiment of those that are 
well intentioned, but it doesn't change the fact that...no one should 
use it for any purpose," Pilla said. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

