
Bill Gates fan leaks source code for a bunch of Microsoft OSes including Windows XP

Delicieuxz

Because in case of a closed source you can't do an rdiff on a patched and a non-patched file to see what changed and write an exploit based on that.... /s :dry:

 

Can we forget about this false sense of "source codes leaking means less security" BS?


31 minutes ago, wanderingfool2 said:

...and you don't see a problem in that?  If a bad actor can now potentially scan the code or look at how a protocol was implemented to find a vulnerability it opens the door to potential abuse. 

Every security expert worth their salt will tell you that security through obscurity is a bad idea. A system needs to be robust even if everyone knows how it works precisely because you can't guarantee something like this won't happen.

 

Linux has been around for almost 30 years and it hasn't been any more prone to critical vulnerabilities and exploits being found than Windows despite being run on some very valuable servers over the years AND being completely open source. Open source being less secure is a myth propagated by corporations making terrible proprietary software looking for excuses when their bad security fails.

28 minutes ago, wanderingfool2 said:

Might I also remind you of heartbleed...

You mean the vulnerability that was found by security researchers and eventually fixed rather than left to rot for 10 years while black hats had time to find it for themselves and keep it a secret?

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


11 minutes ago, Sauron said:

Every security expert worth their salt will tell you that security through obscurity is a bad idea. A system needs to be robust even if everyone knows how it works precisely because you can't guarantee something like this won't happen.

 

Linux has been around for almost 30 years and it hasn't been any more prone to critical vulnerabilities and exploits being found than Windows despite being run on some very valuable servers over the years AND being completely open source. Open source being less secure is a myth propagated by corporations making terrible proprietary software looking for excuses when their bad security fails.

You mean the vulnerability that was found by security researchers and eventually fixed rather than left to rot for 10 years while black hats had time to find it for themselves and keep it a secret?

I never said Open Source was a bad thing, and I never said security through obscurity was a good thing either. I am saying having an entire source code leaked of a previously closed source system puts additional risks, which is true. There is a lower barrier of entry and like it or not having code released on a previous closed source system does open it up a lot more.

 

There is a key distinction between an open source project and having code leaked for a closed source project.  Since there would have been less eyes on it, there would likely be more instances of overlooked exploits.  While it is true that they could get patched and such, it's about the timing on things.

3735928559 - Beware of the dead beef


2 hours ago, Bombastinator said:

There’s a confusion I am having you might be able to clear up then: the list of included stuff stops at nt4, but people are talking about XP and vista which were later. NT4 is antique.  I was thin when people were using NT4.

There is no Vista Source. There is a Windows XP source archive in the dump, however it is password protected and no one knows the password. Several people including me have made fresh hash dumps and are attempting to basically brute force our way in, but the chances of being successful seem rather slim at this point. It's unknown at this time if it's fake, real, or incomplete. All we do know is that it was originally leaked sometime between 2007 and 2008, and all I know is my CPU is working overtime lol.


Just now, wanderingfool2 said:

I am saying having an entire source code leaked of a previously closed source system puts additional risks, which is true. There is a lower barrier of entry and like it or not having code released on a previous closed source system does open it up a lot more.

A lower barrier of entry? Do you think anyone other than an expert can just open up decades old code for a highly complex system and find new exploits?

Just now, wanderingfool2 said:

There is a key distinction between an open source project and having code leaked for a closed source project.  Since there would have been less eyes on it, there would likely be more instances of overlooked exploits.  While it is true that they could get patched and such, it's about the timing on things.

Researchers would have the same time as everyone else to look into it so this doesn't make sense. Of course, if Microsoft starts going after researchers for downloading and reading this code then we might have a problem... but that's on them.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


Wonder what Microsoft stocks are doing in light of this.

 


 

Looks like investors are unconcerned.


7 hours ago, Trik'Stari said:

If only to piss off the Linux fanboys lol.

Linux will still have its place. In fact, my personal hope is that this leak could at least be used to help improve WINE so that software compatibility isn't so much of a barrier.


Plus don't forget this is WinXP, and probably has a load of security vulnerabilities that will never be found.

Personally I would want to rely on a fork of a leak of an outdated piece of software.

____________________________________________________________________________________________________________________________________

 

 

____________________________________________________________________________________________________________________________________

pythonmegapixel

into tech, public transport and architecture // amateur programmer // youtuber // beginner photographer

Thanks for reading all this by the way!

By the way, my desktop is a docked laptop. Get over it. No seriously, I have an external monitor, keyboard, mouse, headset, ethernet and cooling fans all connected. Using it feels no different to a desktop, it works for several hours if the power goes out, and disconnecting just a few cables gives me something I can take on the go. There's enough power for all games I play and it even copes with basic (and some not-so-basic) video editing. Give it a go - you might just love it.


5 minutes ago, Quinnell said:

Wonder what Microsoft stocks are doing in light of this.

Looks like investors are unconcerned.

Probably because this is old news. This specific leak was leaked a couple weeks ago, everything inside of it however has already been leaked throughout the years, this is nothing more than a compilation of the leaks. In fact there are PDF's inside the link with captures of websites reporting the leaks going all the way back to 2003.


24 minutes ago, pythonmegapixel said:

Linux will still have its place. In fact, my personal hope is that this leak could at least be used to help improve WINE so that software compatibility isn't so much of a barrier.


Plus don't forget this is WinXP, and probably has a load of security vulnerabilities that will never be found.

Personally I would want to rely on a fork of a leak of an outdated piece of software.

Oh I know it will.

 

I just think it would be funny if a Windows Open Source project managed to pwn Linux in popularity with the general population. Like I said, because of the fanboys.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


15 minutes ago, Trik'Stari said:

 

 

I just think it would be funny if a Windows Open Source project managed to pwn Linux in popularity with the general population. Like I said, because of the fanboys.

I mean neither is likely. linux is good for servers and such, it's not really meant for the average consumer (they don't like it) and the same could probably be said about an allegedly "unsecure" WinXp open source fork. (also ms would sue the heck out of it)

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


4 minutes ago, Mark Kaine said:

I mean neither is likely. linux is good for servers and such, it's not really meant for the average consumer (they don't like it) and the same could probably be said about an allegedly "unsecure" WinXp open source fork. (also ms would sue the heck out of it)

My main issue with the Linux community is their strange obsession with CLI for everything.

 

I remember when I tried to switch over to Linux. I tried to do everything I would normally do, via the GUI, like applying updates. None of it worked and any time I asked about it, I was simply told "bruh who uses GUI!?! CLI is so much better".

 

Like, literally the button to update or download drivers, when clicked, would do absolutely nothing. But type in the proper command to CLI and hey presto it works.

 

I like Linux's performance, but I hate CLI. Very specifically I love how quick Linux starts up and shuts down compared to Windows.

 

If they could just get past their obsession with CLI, I think maybe Linux would gain a lot of popularity.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


6 minutes ago, Trik'Stari said:

My main issue with the Linux community is their strange obsession with CLI for everything.

 

I remember when I tried to switch over to Linux. I tried to do everything I would normally do, via the GUI, like applying updates. None of it worked and any time I asked about it, I was simply told "bruh who uses GUI!?! CLI is so much better".

 

Like, literally the button to update or download drivers, when clicked, would do absolutely nothing. But type in the proper command to CLI and hey presto it works.

 

I like Linux's performance, but I hate CLI. Very specifically I love how quick Linux starts up and shuts down compared to Windows.

 

If they could just get past their obsession with CLI, I think maybe Linux would gain a lot of popularity.

well I agree, I was just commenting on the likelihood of both (a theoretical "WinXp open source", "linux") becoming popular in the consumer space.

 

best linux was and still is PS3 OS (though technically that's UNIX) u don't even need a keyboard!

 

(for gaming and multimedia this is) 


12 minutes ago, Trik'Stari said:

My main issue with the Linux community is their strange obsession with CLI for everything.

 

 

Because tools can be written using the CLI, not GUI.

 

It's a very simple thing:

 

In Windows:

dir /b > list.txt

In Linux

ls > list.txt

 

You can't do that with windows explorer, and even if you did the above to get list.txt, the thing you want to do with list.txt , say iterate through the list, so you can run another tool on files that are on the list, like a compression or encryption tool, you aren't going to pull up a GUI for each file and manually set the settings. Even if the GUI could "default" to a bunch of settings, minor changes in the software may move where the options are, or some options might be removed. See FFMPEG and the various tools that use ffmpeg like handbrake and obs.

 

Basically, your starting point is "how do I do this in the CLI, even if the CLI parameters for it is 1000 characters long"

 

Every GUI has a different way of doing things, and since the way you do something in Windows native, or qt, or wxwidgets, or dearimgui are completely different and incompatible with each other, you can't write a dozen different front ends, because you'll break the tool, or you have to include the UI toolkit which can be thousands of times bigger than the cli tool.

 

The worst version of this are tools running on nw.js/electron (chromium) which take up hundreds of MB's of disk space and memory, just to launch some other program via the command line anyway (which is how essentially all MMO games, Steam and EGS work.)

 

So no, not everything needs a GUI, because it exponentially increases the work. If something is so much of a pain in the behind (like ffmpeg) to configure, it's easier to have a dozen batch files or shell scripts with those command lines already configured so you can just do "ffmpeg-recompress2mp4 filename.mkv" than have to select dozens of dropdowns and radio boxes in something like handbrake.

 


40 minutes ago, Kisai said:

Because tools can be written using the CLI, not GUI.

 

It's a very simple thing:

 

In Windows:

dir /b > list.txt

In Linux

ls > list.txt

 

You can't do that with windows explorer, and even if you did the above to get list.txt, the thing you want to do with list.txt , say iterate through the list, so you can run another tool on files that are on the list, like a compression or encryption tool, you aren't going to pull up a GUI for each file and manually set the settings. Even if the GUI could "default" to a bunch of settings, minor changes in the software may move where the options are, or some options might be removed. See FFMPEG and the various tools that use ffmpeg like handbrake and obs.

 

Basically, your starting point is "how do I do this in the CLI, even if the CLI parameters for it is 1000 characters long"

 

Every GUI has a different way of doing things, and since the way you do something in Windows native, or qt, or wxwidgets, or dearimgui are completely different and incompatible with each other, you can't write a dozen different front ends, because you'll break the tool, or you have to include the UI toolkit which can be thousands of times bigger than the cli tool.

 

The worst version of this are tools running on nw.js/electron (chromium) which take up hundreds of MB's of disk space and memory, just to launch some other program via the command line anyway (which is how essentially all MMO games, Steam and EGS work.)

 

So no, not everything needs a GUI, because it exponentially increases the work. If something is so much of a pain in the behind (like ffmpeg) to configure, it's easier to have a dozen batch files or shell scripts with those command lines already configured so you can just do "ffmpeg-recompress2mp4 filename.mkv" than have to select dozens of dropdowns and radio boxes in something like handbrake.

 

From what I understand of what you just said, basically CLI is beloved because it is standardized.

 

I get that, but I also hate the attitude it has created amongst the Linux community. Their disdain for GUI is part of what holds back the popularity of Linux to begin with.

 

Some of us just don't have the time or desire to learn all the commands and file names and file naming schemes necessary to learn CLI. It's far easier for me to just open a folder and click on things.

 

I just wish they would make the GUI actually be functional (like, the "update driver" button actually does something) so that it would be easier to use in general. Mainly I wish this because Linux is far more customizable and flexible than Windows, but then the adherence to "CLI IS BETTER" makes it more difficult to customize, to the point of not being worth the effort.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


18 minutes ago, Trik'Stari said:

From what I understand of what you just said, basically CLI is beloved because it is standardized.

 

I get that, but I also hate the attitude it has created amongst the Linux community. Their disdain for GUI is part of what holds back the popularity of Linux to begin with.

 

Some of us just don't have the time or desire to learn all the commands and file names and file naming schemes necessary to learn CLI. It's far easier for me to just open a folder and click on things.

 

I just wish they would make the GUI actually be functional (like, the "update driver" button actually does something) so that it would be easier to use in general. Mainly I wish this because Linux is far more customizable and flexible than Windows, but then the adherence to "CLI IS BETTER" makes it more difficult to customize, to the point of not being worth the effort.

It's not really that it's standardized, although that can be a big plus in some cases too. Telling someone "run this command and everything will be fixed" is way easier than trying to guide someone to a specific button through a GUI over let's say the phone, especially since the GUI can look different from computer to computer.

But when you are dealing with things that can be configured in lots and lots of ways, it's simply not feasible to represent everything in a GUI.

 

Take enterprise switches as an example. This is a list of the different commands you can type in Cisco's OS they use on most switches. The document is 580 pages long and it's just page after page of commands you can use.

I tried counting them but it's a bit difficult. But it seems to be around 21,000 different commands, and that's without the different parameters. For example the command "Channel-group" can be configured in active, passive or on mode. So that single command is actually three commands in one but it's only listed once in the documentation.

 

Try creating a program with over 21,000 different buttons. It would be a nightmare to use. But doing the configuration in CLI is easy as pie because it's very well structured and built in a hierarchic way with guides and you can see which commands are applicable in the structure you are currently located.

 

 

And FFMpeg that Kisai mentioned is another great example. There are programs that are graphical frontends for FFMpeg, for example Handbrake. But even those programs have a command line mode hidden in the advanced settings. Why? Because even though the graphic interface exposes the most commonly used parameters, there are way too many options to feasibly show in a graphical way. Plus, being able to write in numbers and letters for things gives way more precision than some slider or on/off button (and if you try and implement writable text windows to give control you might as well just use the CLI anyway, because you'll have 100 text boxes as the "GUI").

 

 

And on top of all of that, GUIs can not be automated in any kind of satisfactory way, nor can they implement things like recursion well.

CLI simply exposes way more features and is far more flexible than GUIs.


Holy crap this actually seems legit.

Let's hope this leads to a lot of great things such as greater Windows application support in other OSes (primarily GNU/Linux), unofficial bug fixes for XP, and other things like it.

 

 

  

2 hours ago, Nayr438 said:

There is no Vista Source. There is a Windows XP source archive in the dump, however it is password protected and no one knows the password. Several people including me have made fresh hash dumps and are attempting to basically brute force our way in, but the chances of being successful seem rather slim at this point. It's unknown at this time if it's fake, real, or incomplete. All we do know is that it was originally leaked sometime between 2007 and 2008, and all I know is my CPU is working overtime lol.

Ehm... Not sure which archive you downloaded but the one I found is not password protected.


2 hours ago, Sauron said:

A lower barrier of entry? Do you think anyone other than an expert can just open up decades old code for a highly complex system and find new exploits?

If you have source code, it becomes a lot easier to do so.  It is just inherently easier to find and exploit software vulnerabilities if you have the source code.  I'm not saying any person off the street could do it, but it beats using Ghidra/Ida Pro and trying to work out the areas that could be exploited.

 

2 hours ago, Sauron said:

Researchers would have the same time as everyone else to look into it so this doesn't make sense. Of course, if Microsoft starts going after researchers for downloading and reading this code then we might have a problem... but that's on them.

Patching takes time, and having a potential flood of things to patch makes it even slower.  Not everything can get patched without breaking backwards compatibility.  Also, yes there would be less researchers who would download and use it in their work.  (Since it is a legal aspect).  It's just like developers for WINE won't be downloading it (yes there will be some, but I can bet those who do and are found to have will get kicked off the project)

 

3735928559 - Beware of the dead beef


12 minutes ago, LAwLz said:

Holy crap this actually seems legit.

Let's hope this leads to a lot of great things such as greater Windows application support in other OSes (primarily GNU/Linux), unofficial bug fixes for XP, and other things like it.

 

 

  

Ehm... Not sure which archive you downloaded but the one I found is not password protected.

 

Guess I missed the one in "nt5src.7z". The one everyone is going crazy over however is "/misc/windows_xp_source.rar" It's the unknown.

With everyone going crazy over the one in misc, I have to guess that nt5src is incomplete in some way or is just the service pack. I will have to look into it. Regardless it's still a nice to have.


1 hour ago, LAwLz said:

 Ehm... Not sure which archive you downloaded but the one I found is not password protected.

Apart from the large torrent, I saw one archive for the XP stuff hosted on Mega.nz, and another on anonfiles.com. The anonfiles one seems to not be password encrypted. I think people with an encrypted archive might have the Mega.nz archive, or another one.

You own the software that you purchase - Understanding software licenses and EULAs

 

"We’ll know our disinformation program is complete when everything the american public believes is false" - William Casey, CIA Director 1981-1987


17 minutes ago, Delicieuxz said:

I saw one archive hosted on Mega.nz, and another on anonfiles.com. The anonfiles one seems to not be password encrypted. I think people with an encrypted archive might have the Mega.nz archive, or another one.

There are 2 Archives for Windows XP inside the main Archive. "/nt5src.7z/nt5src/XPSP1/" Not Protected and "/misc/windows_XP_source.rar" Protected.

Didn't obtain the dump from either of those sites. However "nt5src.7z" from the leak compilation has been re-uploaded a lot for some reason.


1 hour ago, LAwLz said:

It's not really that it's standardized, although that can be a big plus in some cases too. Telling someone "run this command and everything will be fixed" is way easier than trying to guide someone to a specific button through a GUI over let's say the phone, especially since the GUI can look different from computer to computer.

But when you are dealing with things that can be configured in lots and lots of ways, it's simply not feasible to represent everything in a GUI.

 

Take enterprise switches as an example. This is a list of the different commands you can type in Cisco's OS they use on most switches. The document is 580 pages long and it's just page after page of commands you can use.

I tried counting them but it's a bit difficult. But it seems to be around 21,000 different commands, and that's without the different parameters. For example the command "Channel-group" can be configured in active, passive or on mode. So that single command is actually three commands in one but it's only listed once in the documentation.

 

Try creating a program with over 21,000 different buttons. It would be a nightmare to use. But doing the configuration in CLI is easy as pie because it's very well structured and built in a hierarchic way with guides and you can see which commands are applicable in the structure you are currently located.

 

 

And FFMpeg that Kisai mentioned is another great example. There are programs that are graphical frontends for FFMpeg, for example Handbrake. But even those programs have a command line mode hidden in the advanced settings. Why? Because even though the graphic interface exposes the most commonly used parameters, there are way too many options to feasibly show in a graphical way. Plus, being able to write in numbers and letters for things gives way more precision than some slider or on/off button (and if you try and implement writable text windows to give control you might as well just use the CLI anyway, because you'll have 100 text boxes as the "GUI").

 

 

And on top of all of that, GUIs can not be automated in any kind of satisfactory way, nor can they implement things like recursion well.

CLI simply exposes way more features and is far more flexible than GUIs.

I understand all of that, however I feel the need to point out that almost all of it is entirely irrelevant to the average user. The overwhelming majority of the population of the entire planet would never need to make use of that many commands, even if they were computer savvy enough to remember them all.

 

I'm not saying get rid of CLI, I'm saying make GUI actually work to an acceptable level that average users can use. Which seems to be something that the Linux community thinks is idiotic for.... I guess elitist reasons? At least that has been my takeaway. They're just too focused on CLI to see anything else as useful.

 

Hence the issue I had where GUI buttons in Linux don't do the thing they are meant to do. Like updating drivers.

 

Windows updates drivers with the click of a button, sometimes even for multiple devices connected to the machine, why can't Linux? At least in my experience. Although that experience was 4 years ago.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


4 minutes ago, Nayr438 said:

There are 2 Archives for Windows XP inside the main Archive. "/nt5src.7z/nt5src/XPSP1/" Not Protected and "/misc/windows_XP_source.rar" Protected.

Didn't obtain the dump from either of those sites. However "nt5src.7z" from the leak compilation has been re-uploaded a lot for some reason.

Hmm. The contents of the nt5src.7z I saw are different - there is no windows_XP_source.rar in it. It contains only two folders titled XPSP1 and Win2K3.

 


 

The contents of XPSP1 contain some .cab archives which extract to what is shown here. The admin folder contains the folders that LAwLz showed extracted in their image. The base folder also contains a lot of folders, more than the admin folder does.

 

The Win2K3 folder contains the same file setup of cabs, and then admin, base, and com folders, each with more stuff in them.

You own the software that you purchase - Understanding software licenses and EULAs

 

"We’ll know our disinformation program is complete when everything the american public believes is false" - William Casey, CIA Director 1981-1987


Just now, Delicieuxz said:

Hmm. The contents of the nt5src.7z I saw are different - there is no windows_XP_source.rar in it. It contains only two folders titled XPSP1 and Win2K3.

 

The contents of XPSP1 contain some .cab archives which extract to what is shown here. The admin folder contains the folders that LAwLz showed extracted in their image. The base folder also contains a lot of folders, more than the admin folder does.

 

The Win2K3 folder contains the same file setup of cabs, and then admin, base, and com folders, each with more stuff in them.

If you only have "nt5src.7z" you just have one of the pieces of the archive. The full dump should look like this. With my right pane being the misc folder.

This topic is now closed to further replies.