This may very well have just happened.

The news on this has just hit Slashdot. It first broke on neowin.net. Apparently, the source code to Windows NT and Windows 2000 has been leaked to the internet. It is floating around under the filename "Windows.Source.Code.w2k.nt4.wxp.tar", and there is also a torrent available for download. It still isn't clear whether the entirety of the source code is available, or if it is just more than Microsoft is comfortable with. The source code is only a partial copy.

The ramifications of this leak have yet to be realized. Either the hacking community will get ahold of it and help make it into something secure and usable, or we can expect an entirely new onslaught of viruses and worms, or very possibly both.

A file list of the source tree is being bandied about. The address is 'http://heim.ifi.uio.no/~mortehu/files.txt'. The files listed under win2k/private/ntos do appear to be kernel material, even including .asm files. This doesn't appear to be the source tree for the entire operating system, but what is there does look legit.

More sources are popping up as we speak: ZDNet and Internetnews are both carrying articles on this, and Microsoft is officially investigating the issue. The source code files are 203 megabytes compressed, and expand to just under 660 megabytes. It is interesting to note that this is just about the capacity of a CD-R. Dragos Ruiu, a security consultant and the organizer of the CanSecWest security conference, has examined the code, and believes it to be authentic.

The file is currently available on IRC and peer-to-peer networks, and I have also verified that there is a torrent file available.

'http://www.sschmidt.info/w2k_source.torrent' is one source for the torrent file, but be aware that this link may go down at any time. I'll try to keep it updated.

There is also an ed2k link at 'ed2k://|file|windows_2000_source_code.zip|213748207|34BB9F3A3E8D3E0C4490A96EC30B9F3C|/'.

There are several reasons why this is a very important event. From one viewpoint, consider how much damage worms and viruses have wreaked upon the Windows operating system *without* freely available, valid source code to base them on. Suddenly the idea of black hat hackers finding backdoors, security flaws, and other instances of bad programming and taking advantage of them is a much more common risk. Many webservers run on Windows 2000, along with many government computers. This is what we would call a BAD THING™.

From another viewpoint, the availability of the source code to the public may allow many of these security flaws to be identified, documented and fixed.

Events are still developing, and I will be updating details as they become available.


After a few months, this appears to have been much ado about nothing. However, considering how prevalent Windows is as an operating system today, and how much Microsoft relies on security through obscurity, the situation could have been much worse.