Security

Nope, this is the real deal. The estimates are that 13.5 million lines of code for Win2K (out of an estimated 35 million lines) were released. It is a post Win2K Gold source code released, with some references to Whistler (WinXP) in the notes.
http://www.betanews.com/ has additional info.
This is just really not a good week for our friends in Redmond!

http://tinyurl.com/34ch8
That is being claimed as the file list for what was released.

A. MS did not release it to the general public.

B. There is nothing to say that this is not a trojanized source code release.

C. there are no official MD5 checksums to verify the package against.

I would stay extremely far away from this. As the old adage says, only download software from known trusted sources, and only install it after you have verified the checksums to those posted on the official download site.

This ain't executeable...it's SOURCE code, which needs to be compiled or interpreted before it is a working binary.

Source code at the end of the day is just text. Yes, special text, with correct programming syntax, etc., but nevertheless...just text!

Now any programmer worth his or her salt can turn it into executeable code, or at the very least, browse it to see 'how Windows works'.

Of course, any half decent hacker would have already decompiled Windows and already know the exploits! I have myself decompiled certain chunks of earlier Windows code to rectify glaring bugs I have found over the years, and it's not exactly rocket science.

BUT.... What better place to put trojan code.

This has happened many times before in the linux world. Where the source has been tampered with, you download it without checking the signatures, you compile it and whamo, you now have yourself a trojaned binary.

MS put out a press release stating that they did not release the source.

Only an idiot would actually trust that this is a untampered source tree. (not calling you an idiot, i'm just saying use some common sense)

And by the same token, who is to say that Microsoft DIDN'T release this code. They may have deliberately 'spiked' it so that anyone compiling it and using it can be traced. I've known that to happen before.

In the glory days of VB3 and VB4, we had maybe two or three programmers besides myself. They were mostly students working in the summer holidays. Several other people worked in collaboration with me on one or two products and we found several interesting things. Despite compiling the source, and VB only 'partially' compiled back in those days, it was always possible to trace an exe back to the original programmer. Coding 'style' and programming technique always ended up affecting the speed of a program and there were several 'tools' to get a programmers 'signature' out of a compiled exe file!!

Perhaps this is their game. I think they have given up on chasing illegal copies of their bloatware...the more desktops they have their software running on, the better eh? What they are after is the people willing to blatantly steal code.

Why am iI hearing 'cons-piracy theory' at every turn?!!!

LordInfidel, I agree that anyone who gets the source code should be cautious. Personally, I have not found it yet, but I have been in conversations today with someone who claims to have it. I've sent him a few queries on things to look for, and he has graciously sent back a few answers. I am curious on if the DLL that the ANS.1 vulnerability is within the released source code, so I've had him look for it by searching the plain-text code. So far, nothing.
I don't think I will acutally download the source code, for the very reasons you state. By now, there are probably versions of the source code that people have stuffed trojan files into, making them look like innocent source code files. Double-click one and Wham! Trojan on your system.
As always, I am paranoid. So, I would rather have someone else get the code and look things up for me. And luckily, that is what is happening.
Plus, would it be illegal to have the source code?

It would be illegal for you to have a copy of the source.

I was involved with a discussion on Bugtraq about this, (taking the same high road). After I made the comment about "I wonder if M$ is monitoring Bugtraq to see who has downloaded the source"

The moderator sent me an e-mail saying he was killing the thread.... (hmmmmm......) His statement was he was agreeing with me that there is no way of knowing what the chain of trust is and thereby it should not be downloaded. But He went on to say that he was going to bounce everything dealing with this subject....