Ask Hackaday: Is Windows XP Source Code Leak A Bad Thing?

News comes overnight that the Windows XP source code has been leaked. The Verge says they have “verified the material as legitimate” and that the leak also includes Windows Server 2003 and some DOS and CE code as well. The thing is, it has now been more than six years since Microsoft dropped support for XP, so does it really matter if the source code is made public?

The Poison Pill

As Erin Pinheiro pointed out in her excellent article on the Nintendo IP leak earlier this year (perhaps the best Joe Kim artwork of the year on that one, by the way), legitimate developers can’t really make use of leaked code since it opens them up to potential litigation. Microsoft has a formidable legal machine that would surely go after misuse of the code from a leak like this. Erin mentions in her article that just looking at the code is the danger zone for competitors.

Even if other software companies did look at the source code and implement their own improvements without crossing the legal line, how much is there still to gain? Surely companies with this kind of motivation would have reverse engineered the secret sauce of the long dead OS by now, right?

Spy vs. Spy

The next thing that comes to mind is the security implications. At the time of writing, StatCounter pegs Windows XP at a 0.82% market share, which is still going to be a very large number of machines. Perhaps a better question to consider is what types of machines are still running it? I didn’t find any hard data to answer this question; however, there are dedicated machines like MRIs that don’t have easy upgrade paths and still use the OS, and there is an embedded version of XP that runs on point-of-sale, automated teller machines, set-top boxes, and other long-life hardware that is notorious for not being upgraded by its owners.

From both the whitehat and blackhat side, source code is a boon for chasing down vulnerabilities. Is there more to be gained by cracking the systems or submitting bug fixes? The OS is end of life; however, Microsoft has shown that a big enough security threat still warrants a patch, as they did with a remote desktop protocol vuln patch in May of 2019. I wonder if any of this code is still used in Windows 10, as that would make it a juicy tool for security researchers.

As for dangerous information in the leak, there have been some private keys found, like the NetMeeting root certificate. But it’s hard to say how much of a risk keys like this are due to the age of the software. You should stop using NetMeeting for high-security video conferencing if you haven’t already… it was end of life thirteen years ago so there’s nothing surprising there.

You Just Might Learn Something

I think the biggest news with a leak of code like this is the ability to learn from it. Why do people look at the source code of open source projects? Sure, you might be fixing a bug or adding a feature, but a lot of times it’s to see how other coders are doing things. It’s the apprenticeship program of the digital age, and having source code of long-dead projects both preserves how things were done for later research, and lets the curious superstars of tomorrow hone their skills at the shoulder of the masters.

Like a Museum Vouching for the Legitimacy of Artifacts

Why don’t companies get out in front of this and publish end-of-life code as open source? This would vouch for the validity of the code. As it stands, how do you verify leaked code acquired from the more dimly lit corners of the Internet? Publishing the official source code for end of life projects preserves the history, something the Internet age has never given much thought to, but we should. We’ve heard the company promoting the message that Microsoft loves open source; here’s another great chance to show that by releasing the source code since it’s already out there from this leak. It would be a great step to do so now, and an even better one to take before leaks happen with future end of life products.

This is a pie-in-the-sky idea that we often trot out when we encounter stories of IoT companies that go out of business and brick their hardware on their way out. In those cases, the source code would allow users to roll their own back-end services that no longer exist, but Microsoft would be likely to frown on a “LibreWinXP” project based on their own code. It’s likely that the company still has a few long-term contracts to provide support for entities using XP hardware.

So What Do You Think?

This is Ask Hackaday so we want to know your take on this. When old source code leaks, is it a bad thing? Are there any compelling reasons for keeping the source code from projects that have seen their last sunset a secret? And now that the XP code is out there somewhere, what do you think may come of it? Weigh in below!

58 thoughts on “Ask Hackaday: Is Windows XP Source Code Leak A Bad Thing?”

    1. (Having not seen the source code) Yes there is.

      But it’s not like it has comments in the code labeling it as such, since that would make it easy for an intern to notice and blow the whistle. Also, I’d assume most governments have had a copy of the source code (even if they won’t admit it).

      1. Also, these US intelligence agencies hire more savant hackers and crypto nerds and obfuscation experts than anyone on the planet by a huge margin. Just go to a con sometime and watch the scalpers mingle about. It’s like a modern version of the Crypto AG front company. Making code open-source doesn’t mean that obfuscated backdoors or intentional flaws will be immediately visible. Heck, that encryption machine was a physical device that anybody could just take apart and examine and nobody spotted its backdoor for decades! It’s hidden in the math, somewhere that’s easy for even a good mathematician to overlook. Especially if they’re overconfident about the purity of people’s intentions and not thinking adversarially. Good boys miss dark intents, even if they’re very smart and thorough. It’s a different mindset.

        People act like reading the source code is a magic bullet for security. It isn’t. It’s a necessary step, not the total package. The fact that hundreds of accidental zero days can exist without even the original developers themselves knowing about them for years is plenty of proof of that. There are people who specialize in making very sneaky intentional zero days. It’s not like the source will just have a comment that says “NSA backdoor.” If somebody finds one, be sure there are others that are even deeper. These people aren’t careless—they always have insurance.

        In short, people should be far far far more skeptical than they are of Signal and Tor. And everything else. Especially if it claims to be secure and vetted. Maybe they’re really legit, but their patronage should surely make people think twice about it. In 2020, all software is extremely shady. Not to mention badly made. Hard to tell intentional breakage from natural defectiveness anymore. It’s all so cynical—we’ve been very poor custodians.

    2. Yes but it only shows up in the compiled code if you use the right compiler and settings at build time and it is conditional on the runtime choice of interface language and time zone. ;-)

  1. Windows CE has been “source available” by Microsoft for a while. So not sure what the news is there. But what can be done with a source available OS anyway? If it’s not open source and can be updated for new uses and processors then you are spending a lot of your time-resources on a dead end project.
    How to transition “source available” to “open source” is the question.

    1. The XP full source code has been available for over 15 years to certain universities and research groups.
      Only surprising news to me was that Microsoft had packaged up XP source that actually compiles!

      But even back in 2003, that source was not licensed for any distribution or derivative uses. It was basically under “NDA lite”

      A leak of the code isn’t like other entities can now legally get it, and illegal options were available for a long time now.
      The bad guys have had it ever since and don’t care about the legalities.

      Anything potentially bad that can happen, already happened long ago.

    1. None or in negative way, wine developers can’t use this code because it is not theirs, it is not under open license.
      Even looking at it can cause you to lose right to submit code to projects such as wine, samba, reactos etc.
      There were other leaks before, search internet and see how it ended, eg ReactOS even had to do a complete review of whole codebase.

      1. Eh this is kind of an interpretation of a law that expects everybody to follow all letters of the law at all times and it naively assumes that all actions will be detected. It’s like assuming that running a red light is impossible because gasp—that would be illegal!

        It also assumes that the property owners will pursue all violations evenly without regard to the cost-benefit analysis. These companies let people pirate their stuff all the time when it’s not worth stopping. Hell, it’s arguable that Microsoft used that as an intentional strategy to make sure Linux didn’t grab hold of the emerging market in China a decade or so ago. I remember back then it was like clean pirated windows images grew on trees. Nobody seemed to get caught. Genuine windows software was as unintrusive as it could possibly be. I bet they themselves were distributing them, but that’s just my personal crank theory.

        Microsoft is going to still have a pretty embarrassing time if they start calling out people who steal their code, too. As far as I know, that’s still a kind of mutually assured destruction.

        I doubt it will make it into official wine distros, but somebody out there is going to make use of it and blast code all over the net.

  2. “I wonder if any of this code is still used in Windows 10, as that would make it a juicy tool for security researchers.”

    I think a lot of “new” software just builds on previous versions. I’ve heard that one of the reasons companies won’t release EOL versions is because a good chunk of it exists in their current versions.

    Even when a company says they’ve built their newest release “from the ground up”, I think it is a rare case that is really true. They may have started with a new underlying framework, but once they had that, they threw in a lot of existing functions and put on a fresh coat of paint (i.e. GUI).

    When Apple (10?) “went to” UN*X operating system, do we know how much existing UN*X/Linux code was already in #9?

    There might be A_LOT of Server 2003 code in Win10.

    1. When old source code leaks, is it a bad thing?

      Bad on the short term in this case I guess. There are surely a lot of vulnerabilities in old code that is still used today waiting for the bad guys to be harvested. But I will force MS to increase their effort in providing less vulnerable that need more than a ~100 security patches per month. And there are still people paying for this.

    2. I suppose they could have been using some Unix code in older versions of Mac OS, though that wouldn’t have necessarily been against the terms of the license it was released under.

      But the switchover to BSD in OS X was definitely a total do-over. The new OS shared nothing with previous versions, and backwards compatibility was achieved through a compatibility layer not unlike WINE on Linux. Though my understanding is this is no longer available as of the latest versions of the OS.

      I’ve always thought MS could stand to do something similar. Cut the cord on legacy Windows code base and start over with something more modular. But that would mean abandoning or at least hindering backwards compatibility, which is arguably one of the main things that keeps Windows going in the office/corporate world.

      1. From day 1 of OS X development Apple was working on an Intel CPU version in parallel. IBM/Freescale/Motorola was losing ground in keeping ahead of x86/x64, with a shorter time before getting passed up with each new CPU iteration.

        So when they couldn’t push the G5 any faster, it was a huge power hog, and no mobile suitable G5 was in the offing, Apple was ready to instantly switch CPUs.

  3. This seemed too familiar, so I googled a little. Would like to dig up from the collective memory hole, that we’ve also seen Windows source code leaks in the past. Partial Windows 10 leak in 2017 and a Windows 2000 leak in 2004.

        1. Microsoft released SP1 for Windows XP 2002-09-09 and the Windows XP SP1 source code is from ~2002-09-02, so probably pre-COFEE ?

          @RandyKC Like science, the correct answer will eventually be found.

  4. I have seen Automatic Teller Machines in Australia with an XP boot screen start up after an electricity crash. Did not get my phone out quick enough for a photo, and the hotel owners weren’t keen to start it up again for me just for the photo. This was around 2018. Not sure how these people would feel about the XP code being open viewable. The other time I saw it around the same time was on a jammed bootup screen in the paint mixing department of a very large hardware store. Not quite as profitable target.
    There must be a lot of “debugged” XP applications still tucked away around the world that have not moved on. Many of those will not be happy.

    1. Saw an XP boot-looped on a Hamburg Public transport Bus advertisement/station-timetable screen (funnily flipped upside down)

      And even On a huuuuge Advertisement screen on Hamburg Reeperbahn 😅👍🏼

      (i suppose both were not internet connected?!🙈 we made some fun of playing *you name it* videos on it for everyone to see on Saturday night 🤷🏽‍♀️

    2. Walk into a university and you will find anything from MS-DOS to XP in active use. Just in our group there are 2 systems still running MS-DOS because the hardware uses a special interface card. And a dozen (network connected) 98 and XP machines are running anything from an AFM to some obscure measurement equipment with manufacturers that went out of business 10 years ago, or simply because it runs some custom software written by a PhD many many years ago that nobody still has the source code for so we can’t upgrade it to something newer.

  5. How many ways are there to write a loop?
    Remember when Windows 95 first came out, then 98 then SE, ME etc.?
    Built on DOS. Then they got rid of DOS and totally redesigned Windows if
    memory serves me correctly. A chip’s instructions (x86 etc.) are hard-coded
    into the chip itself and can’t be changed except by the manufacturer changing
    the chip design. So, how many ways can you write a loop?
    Sure, studying old source can be an interesting thing to do, but
    when it boils down to bits and bytes, it’s all just ones and zeros.
    Look at Microsoft Excel and Lotus 123. A lot of the same functionality
    with some differences. Lotus 123 revolutionized computing back then.
    For the first time, computers were useful for something other than scientific
    research and the public at large could do something with that new Apple ][.
    To sum it up, the more things “change” the more they stay the same.

  6. i remember back when it was cool for game devs to release their source code on their old titles. like doom, quake, etc. i added a few hundred lines to the freespace engine back in the day. of course that was back when game devs owned all their code (and even then they didn’t always, i think descent released without its sound code and freespace without its video codec because it was 3rd party code). this was before rent-an-engine and asset bundles were a thing.

    doing same with other old software, including operating systems, is probably a good thing. like being able to use win 7 securely and i’d love to see the code for winamp or photoshop 7 get released, so they can be modernized to run on win 10 (or even native linux). almost all commercial software that i use is ancient by today’s standards, but i like it because i don’t have to learn new stuff and it was pre-cloud so i could keep in local. i’d prefer to use foss, but sometimes the switch can be brutal (i’ve been trying to use gimp as well as i could use photoshop and my results are still sub par).

  7. This is great news. We only use XP for in house (not networked) instruments and controllers. The small footprint is essential for us. No more crazy autoupdates. No more telemetry. And now, we don’t even need an activation key. Back to the future!

  8. As far as I’m concerned for a company to get a copyright on any software it should have to submit its entire source code and the second they stop supporting the software (really supporting, not just faking it) the source code should be made public domain permanently. And no source code up front no copyright whatsoever.

  9. The leak is not for everyone, more or less total useless.
    The xp source file is rar password protected, no password in the package.
    There are some codes, but without proper tools (compiler, linker), it’s impossible to compile.
    BTW searching through the code, it is outdated useless crap.

    1. The password for the RAR is ‘internaldev’, without the quotes. Turned out it was just junk in that file and not XP source code. That RAR file was first uploaded back in 2007 or 2008, and no one knew if it was genuine or not since no one had the password until now (it was cracked).

      But there is XP SP1 & Windows Server 2003 source in the ‘nt5src.7z’ archive. The archive torrent from 2020-09-24 includes that file. That 7z archive is not password protected and it’s the real deal. People on 4chan (/g/) are currently trying to build the source code into a runnable OS, and they want to make their own distribution of XP, fixing things, adding / removing things.

  10. Does anyone have any links to what is needed to compile the source, and which source should I compile? The rar file didn’t have a password included, and when someone apparently found it it was a corrupted archive. The closest I could find to compilable code was in the NT50.7z but I’m not 100% sure that’s for XP since I can’t find what was necessary to compile it.

  11. The whole damn OS needs to be open sourced by the company so that way legitimate facilities that really cannot afford to upgrade, or hire someone to migrate to an open source solution, may continue to operate securely. My local government still uses windows XP machines, it’s pathetic. But then again, this lack of security and infrastructure is what you get when you don’t want to fund your government.

    The best case for open sourcing it is schools and production machines that ONLY communicate with windows xp. Most of the machines that are left still running xp fall under said categories.

    Hell, I worked for a multi national corporation, who literally had thousands of xp machines still running, they didn’t upgrade to win 7 til a short time ago… of course they were also dumb enough to buy dedicated hardware for each machine, which literally just displayed a few pieces of information. They should have just virtualized the entire thing and saved literally millions, considering each machine cost around 2500 bucks for a slow turd of a machine, when I could have built them TONS more power and virtualized multiple machines for that same 2500. Now they are stuck in the same position because windows 7 is junk, and windows 10 won’t run on those crap machines. And they are too cheap to buy the extended support from micro$haft. I told them to virtualize the whole damn thing a long time ago and I’d do it for a sum, but they just didn’t want to listen because “it would cost money for a new project” and i was just shaking my head (not as much as migrating and changing your entire software and hardware for thousands of machines)…. idiots. literally idiots. Needless to say, I no longer bang my head against the wall of ignorance.

    So yeah, I have run into tons of cases where having copyright on old ass software is asinine. Give it up already… old works are public domain and should be public domain. If you don’t want to “lose market share” then literally build something that people want that works better for their use case.

    Til then, there’s always linux, and there’s always a better way to do it without your wallet being subjected to the pillage that is corporate software licensing, where they force you to buy the product, then they force you to go onto a payment plan because you built out millions or billions of dollars worth of infrastructure and, by design, your infrastructure won’t work with anything else.

  12. There are a few impacts of a leak like this.

    1. It gives clues as to how a major software developer approaches OS development. These are skills Microsoft built over time and a big shortcut for someone trying to learn to do so.
    2. I know there are still a lot of specialized systems still running XP. In my experience these are often controllers for high end lab devices and industrial systems. The fact that the systems are still running XP vs something newer sometime can show how critical it is to keep these systems up and running. A lot of commercial entities need high IT approval to keep running an XP based system based on criticality to their business and they have to prove that no alternative is available or is very expensive. If you find an XP system running in a major company, they are either woefully weak from an IT perspective or the system is super critical to the business. I am sure source code access is making them more vulnerable.
    3. Just in general it calls into question the security of Microsoft source. Sure, this is XP so who cares but is Win 10 or server code stored any more securely? How about the source code surrounding Office 365 or Azure? The compromise of source code to either of those would be a huge national level security threat.
