Heaps of Windows 10 internal builds, private source code leak online

A massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online. The data – some 32TB of official and non-public installation images and software blueprints that compress down to 8TB – were uploaded to betaarchive.com, the latest load of files provided just earlier …

Anonymous Coward

Re: Long File Path support

I wouldn't call it metadata because it doesn't tell you anything about the data.

0
0
Bronze badge

Re: Long File Path support

"I wouldn't call it metadata because it doesn't tell you anything about the data."

The original post about using an overly-long path was alluding to using the path to describe the data. For example, I had a user once trying to restore a file with a path something like this:

C:\Users\User Name\Documents\Meeting Minutes\Biggest Project Ever - Never Delete This Data - EVER\Project Scope Meeting With Bob Bill Jonathan Matthew and Jessica\Meetings in 2017\Meetings in March\Meetings on the 19th\Meeting where we discussed the Project Scope with Everyone and Jessica too\Part of meeting where Angela was there\Minutes.doc

THAT is including metadata in the path name. And no, the restore would not work to the original location (yet somehow the file had been created and backed up) while a restore to C:\Users\User Name\Documents worked great.

4
0

Re: Long File Path support

"That would be the file explorer that has always supported third party extensions"

So we are agreed that the problem is now confined to File Explorer extensions ?

Then we fix File Explorer when the user enables the Long File Path flag, and disable those extensions that are not marked as Long File Path compatible, and the rest of us can happily use Long File Paths like any normal operating system and Windows is slightly less shit.

"Because Windows documentation has, for 25 years, consistently stated that a 260-character buffer is the maximum that you need to support, "

It does not matter what the crappy docs say. Files with longer paths will be on your drive and you need to handle them. File Explorer itself makes files with longer paths. AND CANNOT HANDLE THEM !

"Meh. It seems like a perfectly reasonable use of the term to me."

But only you actually use it like that.

"Meh" indeed.

4
1

Re: Long File Path support

No, what you show is putting metadata in the file path.

But the post in question called the file path "metadata".

Two separate concepts.

2
0

This post has been deleted by a moderator

This post has been deleted by a moderator

Vic
Silver badge

Re: Long File Path support

I suggest you to try the new long path tool

That's three times you've posted the same message - and it's all you've posted.

You're supposed to declare interests, y'know...

Vic.

3
0

This post has been deleted by a moderator

This post has been deleted by a moderator

Vic
Silver badge

Re: Long File Path support

You lot really are spammy, aren't you?

You might want to read up on the Boulder Pledge, which simply states :-

"Under no circumstances will I ever purchase anything offered to me as the result of an unsolicited e-mail message. Nor will I forward chain letters, petitions, mass mailings, or virus warnings to large numbers of others. This is my contribution to the survival of the online community."

You spam me - I refuse to do any business with your organisation. Permanently.

Vic.

0
0
Silver badge

Re: Long File Path support

"You spam me - I refuse to do any business with your organisation. Permanently.

Vic."

And then what if it turns out they're the ONLY supplier of something you REALLY need? And you lack the resources to roll your own? That's the problem with captive markets...

0
0
Vic
Silver badge

Re: Long File Path support

And then what if it turns out they're the ONLY supplier of something you REALLY need?

They're not.

My needs are simple; I can do without a whole load of things. I need food, warmth, shelter; everything else is just gravy.

And my dislike for spam runs deep; I have given up on several "sole" suppliers that spammed me. It means that I can no longer participate in what they were offering - that's the price of spam. And I told them so.

Vic.

0
0
Anonymous Coward

https://www.theregister.co.uk/2017/06/22/two_men_arrested_probe_microsoft_networks_hack/

Seems it wasn't just "a probe"

Which is the sort of thing you never want to say to a proctology practitioner.

5
0
Silver badge
Joke

Which is the sort of thing you never want to say to a proctology practitioner.

Even worse. The proctologist examines you thoroughly, then leaves the room. His nurse comes in as he leaves. She walks up to you and says quietly "who was that?".

20
1
Silver badge

Worth noting, of course, that MS supposedly checked over their systems and said nothing was taken.

It appears they missed a bit.

7
0
Bronze badge
Megaphone

Perhaps someone can use it to make the windows 10 we want

Not the steaming turd they are currently trying to force feed everyone.

18
8
Anonymous Coward

Re: Perhaps someone can use it to make the windows 10 we want

That was my first thought as well, but no reputable developers are going to go near this.

Looking at proprietary code you're not supposed to have and telling someone about it is a shitty career-move for devs and coders, it opens you up to very nasty IP / copyright allegations / lawsuits.

18
1
Silver badge

Re: Perhaps someone can use it to make the windows 10 we want

It's the logical extension. The Home and Professional versions turn the user community into beta testers. It's only natural to let them bug-fix it as well.

11
2
Silver badge

Re: Perhaps someone can use it to make the windows 10 we want

Looking at proprietary code you're not supposed to have and telling someone about it is a shitty career-move for devs and coders, it opens you up to very nasty IP / copyright allegations / lawsuits.

Then just don't tell someone about it.

3
0

So how is this a bad thing unless Microsoft DOESN'T fix stuff?

Perhaps the community can fix... oh wait

10
2

Tron replay?

Sounds like the Tron Legacy movie. This year we put a 10 on the box! And oh yeah by the way flynn OS I mean EncomOS is available for download on the web. And yes I know, comparing win10 to flynnOS is a horrible insult.

3
1
Anonymous Coward

MS should bite the bullet and

- just tell all developers that they are free to look at the sources, MS will not go after them for IP theft claims or copywrong infringement

- lay out sizable bug bounty rewards for bugs discovered via src code audit

Really not all that many good options out there, this might be the best way to limit the damages securitywise. This would at least give them the reputation of owning up.

20
4
Bronze badge

Bugs Bounty - Coconut Release

Hi,

To quote : "- lay out sizable bug bounty rewards for bugs discovered via src code audit"

I thought that Microsoft were releasing 2 builds per year, and only the last 3 builds will be supported for security patches ?.

If they make changes so rapidly, it may be a moving target ???

Regards,

Shadmeister.

4
2
Gold badge

"tell all developers that they are free to look at the sources"

I see where you are coming from but I think that would kill Windows as a platform.

Developers would look at the current source code and write apps that depend on behaviour that is currently true but which is merely an accident of the current implementation. Since Windows apps are typically sold as closed source and typically not updated for free by vendors to track OS changes, the result would be that each new version of Windows would break about half the software that you've paid for, with fixes only available if you pay the vendor again.

As readers of Raymond Chen's blog will know, this already happens to a debilitating extent. That's surprising because the only way to create such dependencies right now is to reverse engineer Windows. Apparently some programmers are smart enough to walk over assembly listings and reverse engineer how Windows currently works but not smart enough to realise how fragile this is. Worse, many of these programmers do this even when there is a documented alternative.

11
0
Bronze badge

It must be a cultural thing because Linux source is available but people use the API as intended not back doors hidden in the code.

1
0
Gold badge
Unhappy

"Windows 10 Mobile Adaptation Kit, "

Bet you won't be seeing too many of those in the wild.

And plenty to chew on on the PnP and WiFi stacks I think as we get to see just how good those MS training for coders really are.

10
3
Anonymous Coward

Re: "Windows 10 Mobile Adaptation Kit, "

mcse?

hahahahahaha

3
5
Silver badge
Trollface

I'm gonna get popcorn...

5
2
Bronze badge

it's a shill to get people to fix their bugs for free..

11
4
Silver badge

...or a scam to make it easier for MS to sue all coders who produce any code that looks even slightly similar to something in MS own codebase. MS will claim they saw the source code and go with wilful infringement instead of just infringement.

4
1

Debug symbols, you say...

Maybe we finally find out what _NSAKEY is for?

18
2
Anonymous Coward

I'm done with Windows.

Forced automatic updates were the last straw for me. I completely purged it from my home boxen about a year ago and replaced it with Linux.

Now all that's left is my work laptop that was pre-loaded with Win10. I work alongside the IT guys and understand that Linux is a bit of a struggle to integrate with most of our tools, so I said to myself that I'd give Microsoft a little rope and leave it alone.

But this is completely different. This isn't WannaCry, you can't fix this shit with a patch. Complete inability to mitigate potential threats has made this OS the single biggest liability in any IT organization.

Fuck you Microsoft. Your very existence and ubiquity is just making everyone's job harder at this point.

27
8

Re: I'm done with Windows.

Well said!!

I swap dozens of users over to Linux every year, now. They never return with problems, only an occasional question on how to do something - so satisfying.

Prior to that it was customers returning every 6 months, infected, or crashed, or missing files, or running slow, can't get on this site, can't open this file, or or or ...

I bet Gates secretly uses Linux so he doesn't have to worry about getting a virus, or hacked, or ransomware, lol.

17
9
Bronze badge

Re: I'm done with Windows.

If you don't mind me asking, what do you mean by "this" when stating "But this is completely different."?

And which threats has MS not addressed lately?

And, the lack of mitigation of threats? Is this only when you avoid forced upgrades? Did you want more secure software or to stay with older and less maintained software which might not be patched? Did you not want the Windows update which blocked wannacry?

You are very excited about Linux. Do you keep it up to date? Do you run antivirus? Do you allow network applications access via SE Linux and later close the holes when you no longer use the app? Have you configured different network profiles for home or public? Do you continue using apps with dependencies on libraries with known vulnerabilities? How do you manage your private keys?

Linux is fun. I spend most of my Linux time reading driver and network stack source looking for rootkits for fun. I love finding nifty things like code injection opportunities in the forwarding tables. Or better, methods of replacing openssl.so with a copy that backdoors the private keys.

Linux's greatest weakness is its dependency on C for everything. It's like placing a welcome mat on the floor and leaving the key beneath it. As such, Linux, GTK, Gnome... not even a challenge.

So... back to "This"?

13
12
Anonymous Coward

Re: I'm done with Windows.

"Forced automatic updates were the last straw for me"

Instructions on stopping forced updates have been online for years. Apparently you weren't frustrated enough to do a simple search.

6
8
Silver badge

Re: I'm done with Windows.

That advice essentially amounts to "turn off the update service", followed by laborious manual checking every day. That is not in any way acceptable.

16
4
Silver badge
Trollface

Re: I'm done with Windows.

The funny thing is that all the IP laws around software are designed to stop people grabbing other people's work.

Then I tried to think of anyone who might have the slightest interest in stealing MS' code so they didn't have to code things themselves... and I came up blank. Who would ever want to steal MS' code?

All those IP laws and the only thing they could be used for is to stop people finding out about MS' bad coding.

10
1
Gold badge

Re: I'm done with Windows.

As has been widely publicised on these pages, those instructions don't work for Windows 10. Apparently you were too smug to do a simple search.

10
0

Re: Instructions on stopping forced updates have been online for years.

Those instructions don't work on Windows 10 since the anniversary update.

9
0
Silver badge
Trollface

Re: I'm done with Windows.

"Linux's greatest weakness is its dependency on C for everything."

Uh, *WHAT* *THE* *FEEL* is *THAT* supposed to mean?

Linux's greatest weakness is (most likely) LACK OF MARKETING. Otherwise we wouldn't even have this article.

The C language might as well have been created by THE PROGRAMMING GODS. It is SUPERIOR to most other languages in just about every way, in its simplicity AND flexibility, and applicability to both low-level "hardware" coding, and high-level "UI" coding.

If you code in languages like C-pound and think that '.Not' is GOOD in any way, then I'll just sit back and laugh at you, really really hard.

So thanks SO much for the FUD. It echoes like a Micro-shaft propaganda ad for NT4 server from the 90's.

6
12
Anonymous Coward

Re: I'm done with Windows.

@Ken Hagen - "As has been widely publicised on these pages, those instructions don't work for Windows 10. Apparently you were too smug to do a simple search."

Apparently you didn't look for the updated instructions, or aren't able to figure out how to navigate the new windows settings menus. Been working fine on several systems at our office, even ones with the new creators update. There's both an updated registry hack, as well as the old "metered connection" setting readily available for your use if you want them, although the metered connection setting has moved.

1
1
Silver badge

Re: I'm done with Windows.

It is SUPERIOR to most other languages in just about every way, in its simplicity AND flexibility, and applicability to both low-level "hardware" coding, and high-level "UI" coding.

Absolutely.

But today, we have Typed Assembly Language. It is time to go all the way and leave kid stuff behind.

0
1
Bronze badge

Re: I'm done with Windows.

I remember looking at the MSDN driver code for the serial ports, all written in C. C is what operating systems are written in.

4
0
Bronze badge

Re: I'm done with Windows.

Andy P, obviously turning off updates is an ongoing battle. We have enough battles with the bad guys without having to battle with the good guys too. Don't you think this means that Windows is not for people who have to keep fighting it? Surely the effort would be better spent customizing their own version of Linux. At least the improvements could be shared and not wiped out by someone in an update.

3
0
Vic
Silver badge

Re: I'm done with Windows.

We have enough battles with the bad guys without having to battle with the good guys too

There are good guys?

Vic.

2
0
Anonymous Coward

Re: I'm done with Windows.

I don't personally enjoy having to hack a Windows laptop to bits to get it to run in the way I prefer. But MS isn't worried about me. They're worried about Joe Schmoe who doesn't know a registry entry from a hair dryer. I don't blame them for forcing updates on the hundreds of millions of sheep. Any more than I blame Apple for auto updating iPads, or Google for auto updating Chromebooks.

As we all know, if you want fine-grained control of a computer system, you are going to be using Linux or some version of BSD. No sense complaining that Windows doesn't fit the bill when it was never meant to in the first place.

3
0
Silver badge

Re: I'm done with Windows.

They're worried about Joe Schmoe who doesn't know a registry entry from a hair dryer.

That's true, and I have no problem with that (and with all my Linux oldies I tell them to update when they see the blue icon). But often the level of their updates is an issue. Does a working device need the latest drivers, other than where there is a security issue? Does every bit of software need to be at the latest version, especially when there isn't an update for security? Performance improvements are fine, and adding functionality can be fine, but removing stuff?

During updates, W10 deletes programs people use. I don't know if it's that common but it's common enough to be getting a lot of complaints. Settings that people may find hard to locate get reset to MS's preferences, and reportedly (even by MS supporters) get moved to other locations. Manufacturer's drivers get replaced with MS ones, which may not be as good (maybe in some instances better, but I have not yet heard someone thank MS for that). They make the system restart when they want to, rather than when the user wants to (and most home users don't leave their machine on 24/7!).

While I can understand the desire to make stuff more secure, forcing it on people in this manner is not a good way to do things. When people lose work, their internet connection, and sometimes even lose their system, forced updates are a problem.

Making security patches forced, and others optional (especially driver and software/feature removal) would go a long way to addressing these issues.

Making your update process something that doesn't involve a ton of pain would go a long way to helping encourage people to do it. My Linux oldies? They see the blue icon. They click on it. They click on "Install updates" (the program is up in a second or two with a list of updates already ready to go), and type in their password (you don't do day-to-day work in an admin account!). The updates start downloading, and a few minutes later (at most) are installed. The update program closes. They can click on the window behind the update one to go back to what they were doing previously, and will not even notice the rest of the process. At the end of their session they turn their machine off, and a few seconds later (usually within 15 and I cannot recall a Linux machine taking more than a minute to shut down) it has powered down. Next session they turn their machine on and start up is as normal, maybe a little faster if an update did something to improve start up speed. And if there is a restart desired, there is an icon left on the taskbar to let them know that when they're ready, their computer would like a restart.

It is a quick, easy and painless process on Linux. If MS worked on making their updates less noticeable, and only requiring a few moments to do, then people would be happier with them.

1
0
Bronze badge

Re: I'm done with Windows.

Ohhh... I'm glad I came back here.

C is a great language and it's extremely diverse. It's absolutely horrifying for something like the Linux kernel though. Consider this, it has no meaningful standard set of libraries which means that support for things like collections and passing collections is a nightmare. Sure you have things like rbtree.[hc] in the kernel, but as anyone who has studied algorithms knows, there is no single algorithm which suits everything.

Let's talk about bounds, stacks, etc... there's absolutely no reason you can't enhance the C compiler to support more memory protection as well. C itself is a very primitive language and it's great for writing the boot code and code which does not need to alter data structures. But there are severe shortcomings in C. Yes, it's 100% possible to add millions of additional lines of repetitive and uninteresting code to implement all those protection checks. But a simple language extension could do a lot more.

Let's talk about where I find nearly all of the exploits in the kernel. This is in error handling and return values. It's amazing how you can cause problems with most code written at two different times by the same person or by two different people. The reason for this is that there's no meaningful way to handle complex error conditions. Almost all code depends on just returning a negative value which is supposed to mean everything. The solution to this is to return a data structure which is basically a stack of results and error information and then handle it properly. The reason this isn't done is because people get really upset when implementing anything resembling exceptions in C. And yet, nearly every exploit I've found wouldn't have been there if someone implemented try/catch/finally.

Let's talk about data structure leaking and cleanup related to the above. Better yet, let's not... pretty sure that one sentence was enough to cover it all.

This is 2017, not 1969. In 2017, we have language development tools and technologies that allow us to make compilers in a day. This isn't K&R sitting around inventing the table based lexical analyzer. Sticking with the C language instead of creating a proper compiler designed specifically for the implementation of the Linux kernel is just plain stupid.

More importantly, there's absolutely no reason you have to use a standardized programming language for writing anything anymore. If your code... for example an operating system kernel would profit from writing a new programming language for it... do it. You can base it on anything you want. It's actually quite easy... unless you write the language itself in C. Use a language suited for language development instead. Get the point yet?

The next big operating system to follow the Linux kernel will be the operating system which leaves 95% of the C language intact and implements a compiler which:

a) Eliminates remaining dependencies on assembler by implementing a contextual mode for fixed memory position development.

b) Provides a standard implementation of data structures as the foundation of the language

c) Implements a standard method of handling complex returns... or exceptions (possibly <result,errorstack>)

d) Implements safe vs. non-safe modes of coding. 90% of the Linux kernel could easily have been done in safe mode

e) Offers references instead of pointers as an option. This is REALLY important. Probably the greatest weakness of C for security is the fixed memory location bits. Relocatable memory is really really useful. If you read the kernel and see how many ugly hacks have been made because of it not being present, you'd be shocked. The Linux kernel is completely slammed full of shit code for handling out of memory conditions which exist purely because of supporting architectures lacking MMUs. References can be implemented in C using A LOT of bad and generally inconsistent code. It can be added to a compiler with a bit of work, but when combined with the kernel code, can implement a memory defragmenter that could fix A LOT of the kernel.

And since you're kind enough to respond aggressively, allow me to respond somewhat in kind. You're an absolute idiot... though maybe you're only a fool. C# and .NET are actually very good. So is C, Java, C++, and many others. Heck, I write several good languages a year when a domain would profit from it. If you don't know why C# and .NET or even better, Javascript are often better than plain C, you probably shouldn't pretend like you know computers.

Did you know that Javascript generally produces far faster and better code in most contexts than C and Assembler today? If you understood how microcode and memory access function, you'd realize there's a huge benefit to recompiling code on the fly. Consider that Javascript spends most of its time recompiling code as it's being run. This is because the first time you compiled it, it was optimal for the current state of the CPU, but as the state of the system changed (that's what happens in multitasking systems) the cache has changed and the CPU core being used may have changed (power state, etc..) and the Javascript compiler will reoptimize the code. It's even possible with Javascript that if you're on a hybrid system containing multiple CPU architectures or generations, the code can be relocated to a CPU which is better suited for the process.

Of course C could be compiled into Javascript or WebAssembly and have the same benefits. The main issue is that you lose support for relocatable memory as WebAssembly to support C/C++ is flat memory. But at least for execution, it's very likely your C code will run faster on WebAssembly than on bare metal. If you then start making use of Javascript/WebAssembly libraries for things like string processing, it will be even faster. If you move all threading to Javascript threading, it will be even better.

This does not mean you should write an operating system kernel in Javascript. Just as C is not suitable for OS development anymore, Javascript never will be.

0
1
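A sketch of the `<result, errorstack>` idea raised in the comment above, added here as an illustration; it is not the commenter's code or kernel code, and `struct result`, `err_push`, `parse_len` and `copy_record` are hypothetical names. Each layer appends its own context instead of collapsing the failure into one negative integer, and the caller frees its buffer on a single exit path.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define ERR_DEPTH 8

/* One frame of context: which layer failed and an errno-style code. */
struct err_frame { const char *where; int code; };

/* Hypothetical <result, errorstack> pair; depth == 0 means success. */
struct result {
    size_t value;
    size_t depth;
    struct err_frame stack[ERR_DEPTH];
};

static int live_buffers; /* allocations not yet freed, used as a leak check */

static void err_push(struct result *r, const char *where, int code)
{
    if (r->depth < ERR_DEPTH) { /* never write past the frame array */
        r->stack[r->depth].where = where;
        r->stack[r->depth].code = code;
        r->depth++;
    }
}

/* Lowest layer: checks a one-byte length field against the data behind it. */
static struct result parse_len(const unsigned char *buf, size_t n)
{
    struct result r = {0};
    if (n < 1) {
        err_push(&r, "parse_len: empty input", EINVAL);
        return r;
    }
    if ((size_t)buf[0] > n - 1) {
        err_push(&r, "parse_len: length exceeds buffer", ERANGE);
        return r;
    }
    r.value = buf[0];
    return r;
}

/* Caller: keeps the lower layer's frame, adds its own, cleans up once. */
struct result copy_record(const unsigned char *buf, size_t n,
                          unsigned char *out, size_t outcap)
{
    struct result r = {0};
    unsigned char *tmp = malloc(n ? n : 1);
    if (!tmp) {
        err_push(&r, "copy_record: no memory", ENOMEM);
        return r;
    }
    live_buffers++;
    if (n)
        memcpy(tmp, buf, n);

    r = parse_len(tmp, n);
    if (r.depth) {
        err_push(&r, "copy_record: bad header", EIO);
        goto out;
    }
    if (r.value > outcap) {
        err_push(&r, "copy_record: output too small", ENOSPC);
        goto out;
    }
    memcpy(out, tmp + 1, r.value);
out:
    free(tmp); /* single exit path: released on success and on every error */
    live_buffers--;
    return r;
}

int leaked_buffers(void) { return live_buffers; }
```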
Bronze badge

Re: I'm done with Windows.

Windows 10 Serial driver (C code, based on the same code you've seen... still works) : https://github.com/Microsoft/Windows-driver-samples/tree/master/serial/serial

Windows 10 Virtual Serial driver (C++ code, based on the new SDK with memory safety considered) : https://github.com/Microsoft/Windows-driver-samples/tree/master/serial/VirtualSerial

Mac OS X Serial Driver (C++ code... runs in user mode) : https://opensource.apple.com/source/IOSerialFamily/IOSerialFamily-91/IOSerialFamily.kmodproj/

Using a domain specific language for a kernel which can implement the core kernel code in "unsafe mode" and then implementing the drivers, file systems, etc... in a "safe mode" language meaning memory references instead of pointers (see C11 which makes moves this way... but refuses to break with tradition by doing it as library changes instead of a language feature).

In reality, this is 2017 and if your OS kernel still has a strict language dependence for things like file systems and device drivers, you probably aren't doing it right. These days most of that code should be user mode anyway. And no, user/kernel mode discussions stopped making sense when we started using containers and Intel and AMD started shipping 12+ core consumer CPUs

0
0
Silver badge
Facepalm

Wow

Just... wow.

5
2


Biting the hand that feeds IT © 1998–2017