lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4030C324.21889.3F10C8E8@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Windows 2000 Source Leak Verified. Get ready for
 the havoc.

Valdis.Kletnieks@...edu wrote:

> On Sat, 14 Feb 2004 16:42:39 GMT, Lee <cheekypeople@...33.com>  said:
> > again its 1/100 of standardd MS code for a OS, lets get a grip please... and
> > I think I see the company who let the source get loose come out and say
> 
> Most earlier estimates of the Win2K source were about 45M lines of code (I think
> the "40 gig" being tossed around is the size of the source-control-system database).
> And I've seen the number 12.5M lines of code escaped.  That's closer to 1/3 than
> to 1/100.

Indeed -- there are some public domain references (from folk who should 
know) about the size of the source control system, but of course that 
is way more than just the final source.  Using the 45M lines of code 
estimate (was it reallY??  perhaps for server with IIS, etc?), some 
simple maths tells us something about the expected size of the source.

Assume an average of 60 characters per line (reasonable??), assume a 
simple .ZIP compression ratio of 70% (seems a tad low for .C source 
based on some large .ZIPs I just checked on this machine -- most ran
72-75%):

  45M * 60 * 0.30 = 810MB

Vary to suit your tastes regarding likely average line length and .ZIP 
compression ratio...

Also, consider that the directory listings I've seen posted for the 
"leaked" .ZIPs show that there is quite a bit of cruft included (.EML 
files and other non-source stuff like core dumps) and make further 
adjustments.  So, it seems that the "leaked" source is considerably 
more than 1/100th the original.  I think Valdis' 1/3 estimate may be a 
tad low as I think I saw the 12.5M lines estimate for the NT code base. 
Ahh, yes -- Russ Cooper posted the following to NTBugtraq:

   1. NT source is NT 4.0 SP3, contains 27000+ files (658MB). It is all
   NT 4.0 Server except IIS, includes IE 4. No references to Mainsoft
   (see http://www.eweek.com/article2/0,4149,1526830,00.asp.)

   2. W2K is SP1, a very small subset, IE 5, SNMP, PKI, networking and
   some SDK stuff. 28000+ files (338MB - although many of these are
   empty mail messages and other crap.) Does contain 3 references to
   MainSoft. Much of what is there is available elsewhere.

and in another message Russ wrote:

   Couple of corrections.

   1. There were 27,142 NT 4.0 SP3 files totaling 338MB.
   2. There were 28,782 W2K SP1 files totaling 658MB.
   3. It does appear that all of both versions are present, minus IIS.
   4. 10,425 of the 27k NT files are actually source totaling 193MB
      uncompressed.
   5. 8,367 of the 28k W2K files are actually source totaling 217MB
      uncompressed.

Archived copies of the full messages from which these comments were 
extracted are at (sorry, URLs will wrap):

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0402&L=ntbugtraq
& F=P&S=&P=2868  

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0402&L=ntbugtraq
&F=P&S=&P=2954


A followup comment by Dragos Ruiu may be of interest too:

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0402&L=ntbugtraq
&F=P&S=&P=3155


Regards,

Nick FitzGerald

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ