Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
November 16, 2009

Inside Story: How Microsoft's Open Source Code Theft Was Discovered

On Friday, Microsoft completed its investigation into a little-known tool it provides to Windows 7 customers and determined that it illegally utilizes open-source code. The software giant said that the infraction was "not intentional," and that it will now re-release the tool and provide access to its source code publicly, as is required by the open-source license utilized by the stolen code.

"After looking at the code in question, we are now able to confirm ... that a free tool that was offered by the Microsoft Store contains GPLv2 code, although it was not intentional on our part," a Microsoft representative explained. "While we had contracted with a third party to create the tool, we share responsibility as we did not catch it as part of our code review process. We have furthermore conducted a review of other code provided through the Microsoft Store and this was the only incident of this sort we could find."

The tool in question is the Windows 7 USB/DVD Download Tool (WUDT). It is designed to help customers who purchase an electronic version of Windows 7 burn the code to disc or copy its contents to a bootable USB memory device; they can then use either method to install the OS.

A few weeks earlier, my "Windows 7 Secrets" co-author Rafael Rivera began investigating the WUDT after I asked him about discrepancies in its behavior that I was seeing while preparing my own article about the tool. A veteran hacker and Windows internals expert, Rafael became immediately suspicious of the tool's code structure, which he described to me as inefficient and below Microsoft's usual standards. After a short investigation, he discovered that the offending code had been taken from an open-source project. He contacted the author of the code and found that he had never been approached by Microsoft or anyone representing Microsoft.

I was at the Microsoft campus the next week and asked the team responsible for the Windows Setup routine whether they were aware that the WUDT tool used open-source code. They were not, but they noted that the tool was certainly Microsoft's responsibility even though it had been created by a third party, since Microsoft was distributing it to customers from its own online store.

A few days later, Rafael posted about the code theft, although he was more political than I would have been. "The source code was obviously lifted from the CodePlex-hosted GPLv2-licensed ImageMaster project," he wrote. "I see two problems here ... First, Microsoft did not offer or provide source code for their modifications to ImageMaster nor their tool [as is legally required by the GPL.] Second, Microsoft glued in some of [its] own licensing terms, further restricting your rights to the software. [This is also contrary to the GPL.] I understand Microsoft is a big company and that this could have been externally contracted work, but someone dropped the ball during code review/licensing."

Days later, Microsoft pulled the WUDT from its online store and began its own investigation. Predictably, the company found exactly what Rafael had claimed: The code for the tool had been taken from an open-source project, in violation of the GPL. That the company is doing the right thing now is, in many ways, astonishing and admirable.

Sadly, Microsoft's official response to this event hasn't been admirable, although it has certainly been astonishing. The blog posting admitting to the GPL breach doesn't credit Rafael at all for his discovery and, as originally published, didn't even link to his blog post, which exposed the issue. (The link now exists, after some complaints, but Rafael's name still isn't mentioned.) More astonishing, the post actually links to a PC Magazine article describing the problem. No offense to PC Magazine, but it is only one of dozens of publications that picked up this story and was one of the last to do so. The Microsoft post as originally written was a clear snub to Rafael, who has taken a lot of heat for exposing this problem. In its current form, it's still not particularly respectful. You can read it here.

So I'm asking, publicly now, but not for the first time, for Microsoft to please publicly credit Rafael Rivera for his work uncovering this issue. And to remove the PC Magazine link, which unfairly provides a skewed view of how this event was reported. Microsoft appears to want to do the right thing here, so I think it should finish the job.

Rafael's post about the code theft is available on his WithinWindows website.

Reader Comments
ok, are you angry @ MS or just feel bad for yer friend?

let's get over the non-story already...

sx4sport, November 16, 2009


 Windows IT Pro is a Division of Penton Media Inc.