Last month there was excitement when the source code for Windows XP was leaked online. The big question, however, was how quickly Microsoft would act to have it disappeared from the web. The partial answer is that the company took 10 days to have one public repository taken down. And that was hosted on Github, a platform owned by Microsoft itself.
Built on Windows NT and a clear step up from the consumer variants of Windows that preceded it, the OS reigned for years after being installed on millions of machines.
It’s currently estimated that around 0.8% of Windows PCs are still running Windows XP, despite Microsoft offering zero support for the relatively ancient OS. Nevertheless, there was mild euphoria among coders last month when it was confirmed that the source code for XP, among other things, had been leaked online, presumably to the dismay of Microsoft.
Leaked via 4chan, Distributed via Torrents and MEGA
For the vast majority of interested onlookers, the leak probably meant very little in practical terms. With no support from Microsoft, running Windows XP is already a security gamble, regardless of any additional leaks.
However, when Microsoft confirmed it was actively investigating the leak, some presumed the company would act very quickly to have the code disappeared from the web. Quite when the upload to MEGA was taken down is unclear but it didn’t take long for the file to be removed following a complaint.
Torrents, of course, are much more complicated. While it is possible to have some torrent sites respond to takedown requests, sites such as The Pirate Bay will happily index pretty much anything – including the source code leak.
Predictably, the leaked content is available via the site today and not even the mighty Microsoft can do much about that. However, when checking the hash value in Google search and scouring the DMCA notice archive hosted by Lumen Database, there appears to have been little or even no effort to have links to the source code removed from Google or Twitter.
Granted, most of the sites mentioning the content have taken care not to link directly to the leaked source itself, with many preferring to post unclickable but entirely usable magnet links instead. Nevertheless, just days after the leak was reported, a very public repository of the code appeared much closer to home and nothing was done about that either.
Source Code Published to Microsoft-Owned Github
On September 29, a handful of days after the leak reportedly appeared on 4chan, someone called ‘shaswata56’ thought it would be a good idea to post the source code for Windows XP on Github, for the world to see and download. The interesting thing here is that Github is owned by Microsoft, so the computing giant was effectively hosting its own leak.
Given the presumed sensitive nature of the source code, one might conclude that it would be spotted and deleted quickly. However, despite all the publicity, it took a full 10 days for Microsoft to do anything about it, at which point it had to serve its own company with a DMCA notice requesting that the code be taken down.
Takedown Notice to Github
“I work in Microsoft Security Incident Response. The code in question is from a Windows XP source code leak,” the DMCA notice dated October 8 and filed with Github reads.
“The GitHub content is pulled directly form [sic] a torrent (that was also taken down),” it continues.
The notice originally contained a hash value for the source but that was censored by Github, presumably to stop any additional infringement. However, archive copies of the now-removed repository show that hash value in full, which can be easily converted to a torrent, one that is very much alive and being shared by many people.
Microsoft Not Too Bothered By The Leak?
Clearly, Microsoft’s claim that the torrent was somehow taken down was incorrect but that’s not a huge surprise since once a torrent is being spread, stopping people with access to magnet links or even a hash is incredibly difficult.
That being said, it would’ve been trivial to remove the source from Github on the day it was published. Instead, it took exactly 10 days, a lifetime where leaks are concerned and a little bit embarrassing when it’s your own site doing the distribution.
Quite why a rapid removal wasn’t executed isn’t clear but coupled with what appears to be a lack of enthusiasm to remove links still available via Google, it makes one wonder how concerned Microsoft is about the leak after all.
Or, just possibly, the company realizes just how futile it all is.
The DMCA notice is available here
Many thanks to TorrentFreak for the breaking news.