[ISN] Microsoft cracks down on source code traders
From: InfoSec News (isn@c4i.org)
Date: Thu Feb 19 2004 - 04:18:33 CST
http://news.com.com/2100-7355_3-5161205.html
By Robert Lemos
Staff Writer, CNET News.com
February 18, 2004

Microsoft has sent several letters to people known to have posted
Windows source code on the Internet, warning them to stop offering the
files and erase any copies.

The letters explain to the individuals that downloading or using the
source code is a violation of the law. Part of the reason for taking the
tack is to educate people who may be curious about the operating
system source code that the files are proprietary and valuable,
Microsoft spokesman Tom Pilla said Wednesday.

"I'm sure that there are many people that don't know that it is
illegal to share our source code," he said, adding that the letters
are just the logical next step in Microsoft's stated goals of
protecting its trade secrets. "We have said from the beginning that we
would take all appropriate action with regards to our intellectual
property."

Last week, Microsoft acknowledged that two 200MB files containing
compressed partial copies of the company's Windows 2000 and Windows
NT4 source code had been leaked to the Internet. Some evidence seems
to point to Microsoft partner Mainsoft, a developer of Unix tools for
Windows, as the source of the leaked code.

Microsoft is now attempting to put the genie back in the bottle. In
addition to the warning letters, the software giant has posted alerts
on several peer-to-peer file-sharing networks where it believes that
illegal sharing of the source code has taken place. Those warnings
will appear when a user searches the network using certain keywords
related to the source code, Pilla said.

In a statement posted to its Web site, Microsoft stressed that the
source code files are both copyrighted and protected as a trade
secret.

"As such, it is illegal to post it, make it available to others,
download it or use it," the company said in a statement. "Microsoft
will take all appropriate legal actions to protect its intellectual
property. These actions include communicating both directly and
indirectly with those who possess or seek to possess, post, download
or share the illegally disclosed source code."

The company's position could deter independent security consultants
and hackers from analyzing the code for vulnerabilities. Many security
researchers have expressed concerns that the leaked code would prove
to be a good tool for hackers who try to find vulnerabilities in
Windows code. However, the source code is more than two years old and
doesn't appear to include server or network services, which could have
been analyzed for vulnerabilities that would lay systems open to
remote attack.

"The whole thing is more of an embarrassment for Microsoft," said Marc
Maiffret, chief hacking officer for software firm eEye Digital
Security.

At least one vulnerability has been found by analyzing the source
code. After a security researcher found a flaw in Internet Explorer 5,
Microsoft urged customers to upgrade to the latest version of the
browser, Internet Explorer 6 Service Pack 1.

Maiffret said he didn't believe that Microsoft's pursuit of copies of
the source code would stop the trading.

"It seems like a pretty wasted endeavor," he said. "People are still
going to use the code."

Microsoft wouldn't comment on whether the company would go as far as
suing security researchers who found vulnerabilities by analyzing the
source code.

"Our message is that we appreciate the sentiment of those that are
well intentioned, but it doesn't change the fact that...no one should
use it for any purpose," Pilla said.
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.