Earlier today tech and security site The Register posted an article claiming "32TB of Windows 10 internal builds, core source code leak online." The article stated that a massive archive of Windows 10 builds had been uploaded to the website BetaArchive.com, including source code. If that were true, as The Register points out, it could lead to a nasty wave of Windows 10 exploits, as hackers who gain access to the source code can pore over it for vulnerabilities.
We reached out to Microsoft to verify the claim and had a message forwarded to the Windows team. Update: Microsoft responded with this statement: "Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners."
According to The Register, the packages were uploaded to the private FTP server of BetaArchive.com, which has strict membership requirements for access. We can't access the FTP ourselves to confirm the details of the leak; Register editor Chris Williams claims people who have seen the contents of the archive confirmed it contained source code as well as other Windows builds that haven't been publicly released.
The key bit of information here is The Register's claim that the leak included the Microsoft Shared Source Kit, which "includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code."
Members of BetaArchive have been discussing the alleged leak in a forum thread and debating its veracity. After several hours, an admin released a statement on the topic confirming that the Shared Source Kit had been on its FTP but has now been removed. That statement in full:
First of all let us clear up a few facts. The “Shared Source Kit” folder did exist on the FTP until this article came to light. We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out and it is deemed acceptable under our rules.
The folder itself was 1.2GB in size, contained 12 releases each being 100MB. This is far from the claimed “32TB” as stated in The Register’s article, and cannot possibly cover “core source code” as it would be simply too small, not to mention it is against our rules to store such data.
At this time all we can deduct is that The Register refers to the large Windows 10 release we had on March 24th which included a lot of Windows releases provided to us, sourced from various forum members, Windows Insider members, and Microsoft Connect members. All of these we deemed safe for release to BetaArchive as they are all beta releases and defunct builds superseded by newer ones, and they were covered under our rules.
If any of this should change we will remove these builds from the FTP and we will happily comply with any instructions to do so by Microsoft.
With regards to the BBC article http://www.bbc.co.uk/news/technology-40366823 about two Britons that have been arrested following an alleged Microsoft hack, we don’t believe there is any connection with this alleged “Windows 10 core source code leak”.
Discussion on BetaArchive indicates that some claims are floating around online that the two British men referenced above were members of the forums and have since had accounts deleted. According to a BetaArchive staffer, "according to the logs no users have been deleted."
We'll have more on this story as more information becomes available, and a response from Microsoft if we receive one.