ADTI Whitepaper Released
"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."
Reverse engineering "harbors very close to IP infringement because and has staggering economic implications." [sic]
"On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
"The federal government's information systems requirements intersect countless sensitive operations. The limitless potential for holes and back doors in an open source product would require unyielding scrutiny by staff that decided to use it. For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as: Would it be prudent for the FAA to use software that thousands of unknown programmers have intimate knowledge of for something this critical? Could the FAA take the chance that these unknown programmers have not shared the source code accidentally with the wrong parties? Would the FAA's decision to use software in the public domain invite computer 'hackers' more readily than proprietary products?"
It is true that open source applications, being openly available on the internet and distributed in the same manner, are susceptible to backdooring and trojaning. Just look at IRSSI or FragRoute.
This risk factor is somewhat mitigated in commercial software, where the distribution is typically through CDs and other trusted media. Of course, someone can still somehow compromise a software developer's network, but it isn't exactly hanging out a sign saying "I'm the source code, hack me!" like the open source projects.
Just imagine, for a minute, how devastating it would be if Sourceforge was hacked and malicious code was inserted into a ton of the projects without anyone noticing for long enough that it could cause real damage? The danger is clear.
Sauce for the goose is sauce for the gander; anyone can put a backdoor into an OSS program, but anyone can also see it. With closed source, you're trusting that the vendor won't put one in. Of course, now you're assuming that (1) the vendor has no malicious intent and (2) that they keep their code completely safe. Of course, that could never happen...
One day, a group of daring young renegades discovered that there were other ways to get air, just by moving some rocks that blocked openings to the outside. And they offered their air free. At first people were hesitant to use Free Air, thinking something must be wrong with it since it was free. Initially Microshaft ignored the renegades, dismissing them as a fringe movement and minor nuisance. But eventually Microshaft saw them as a threat. They started a major marketing campaign to convince people that the Free Air was bad for their health. But people found that they actually felt better and healthier breathing the free, fresh air. Microshaft added more and more features to their air, perfuming it and coloring it with smoke to give it "added value". Many people started to dislike Microshaft's heavy, bloated air that was hard to breathe and began flocking in droves to the sources of Free Air.
About this time, after some years of hard volunteer work, Open Air developers finally increased the size of a Free Air portal so that a person could actually squeeze through to the outside. The first brave individuals who ventured through it discovered that not only was there an unlimited supply of air in the outside world, there was no way you could harness and control its supply.
Alarmed, Microshaft sought to have the government declare Free Air illegal since it threatened their business model, which they had developed and rightfully earned through many years of hard work. They called the use of Free Air "theft" and claimed that the "viral" nature of the Public Breathing License advocated by many Open Air rebels would threaten the livelihood of Microshaft's suppliers and distributors. Indeed, the whole economy of the cave would collapse, they said. Laws were quickly passed and the portals of Free Air were sealed off.
A charitable organization called the Business Air Alliance was formed to help protect businesses against the threat of Free Air portals. By proving that it was theoretically possible to fund terrorist organizations with the money saved by breathing Free Air, the BAA successfully lobbied to strengthen the laws so that any attempt to make an opening to the outside became punishable by death. Possession of shovels and picks became a criminal offense, and the BAA performed random audits to help citizens comply with the law. For their protection, everyone was required to wear an Air Rights Management security device, which would send an alarm to the authorities if it didn't detect a secret mix of fumes found only in Microshaft air.
As time passed, Microshaft and the government became indistinguishable. To prevent future uprisings, a new feature was added to the air to keep the people sedated happily ever after.
by its programmer, hiding the underlying code from its user. Software can only be modified in its "unlocked" state when source code is viewable.
This is the assumption that is the flaw in the entire argument. While having the source code makes it easier in some ways to find exploits, it of course makes it easier to find them earlier and fix them. Whereas in a closed source implementation it's more likely that there are unidentified flaws in the software because there are fewer eyes willing to parse through assembly listings. But if a 'terrorist' is dedicated enough to do that, they're more likely to find such flaws.
The GPL is one of the most uniquely restrictive product agreements in the technology industry.
Interesting. I never thought of it that way when I can use a program for whatever purpose I want, make modifications to that program, and distribute either the original or my modified version of that program. Maybe I'm just weird like that...
By the early 90's, open source enthusiasts began to view Stallman as an extremist and fanatic. The rise in the popularity of Linus Torvalds and the Linux open source operating system began to create new supporters. Ironically, Linux supporters became the biggest proponents of the GPL. Although Stallman is a fallen hero in the open source world, most open source products today are distributed under the GPL license.
While I'm not the biggest RMS fan, uhh, I can't just let that statement go. For once, I agree that not calling it GNU/Linux really misleads readers in this case. Without the GNU tools, Linux wouldn't have a leg to stand on. It's tough to dismiss RMS's importance here (but the author manages somehow..)
The article goes on (and on and on), but I think it's fair to say that this is a fairly one-sided view of the GPL that looks like it was written by MS and Kenneth Brown just signed his name to it. Nothing here, just the usual FUD.
I suggest they read Villanueva's reply to Microsoft Peru, for its excellent and logical discussion of the reason why responsible government must use open-source software.
Remember the difference between the BSD-style and GPL-style freedoms are very important to MS. MS says BSD-licensed open code is good. Since MS can use it without contributing back, this is the kind of "free" that MS likes.
MS also says GPL-licensed open code is bad. Since MS can't use it without contributing back, it can only be used by MS's free-software competitors, thus MS strongly dislikes this kind of "free".
Now back to this study. Can anyone find the basic message surprising? "BSD code is benign, GPL is threatening". Microsoft-funded study, Microsoft-approved results.
As a side note, if MS didn't make this distinction and got everyone upset about using *any* free/open code, everyone would *also* have to stop using MS software. Remember, significant portions of their OS are built upon BSD-licensed code.
I'm missing the joke, here. Copyright and Copyleft rights aren't the same thing as trademarks at all, and it's perfectly acceptable to enforce your rights under one but not the other. Or neither, or both, as is your wont.
Whatever irony the author tried to find in this alleged stance by "many open source enthusiasts" is lost on me.
Of course any normal person would be utterly humiliated to have their name associated with this piece of nonsense. Perhaps that's why it has been pulled? I'd be interested if Microsoft really did pay for it. If so, I think they should feel a little cheated. The standard of FUD required in 2002 is far higher than this. Even the mainstream press are going to tear this crap to pieces.
I love the quote on backdoors and viruses. Windows systems don't have their source code publicly available, and yet that doesn't seem to stop the creation of backdoor programs and viruses.
I like how they insinuate that people would just download some code from the Internet, and then immediately put that into a production air traffic control system. Talk about a straw man argument.
Someone needs to explain to this think-tank (or senseless-opinion-tank) that people can do these things called code reviews. Ya see, if I download a new version of this mail client (for example), I can look at the differences between the current source and the last version I checked. Not only could I spot back doors, but I'd likely find some bugs too.
These guys that develop safety-critical systems (like air traffic control) are real sticklers for inspections, documentation, etc. I bet most of them would be glad for more independent reviews of the code they depend on, rather than just hoping Windows doesn't have bugs in it.
As for me, my requirements aren't as critical. When I downloaded OpenOffice from some mirror in Timbuktu, all I did was check the MD5 sum. The five seconds that took assured me that at least no third party inserted viruses or back doors in the program.
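The checksum step the comment above describes, as an added example of my own rather than anything from this thread or from OpenOffice: it parses a SHA256SUMS-style manifest (SHA-256 rather than MD5, whose collision resistance is broken), verifies each downloaded file against it, and reports files that mismatch or that the manifest never listed. File names and contents are constructed for the example; the manifest is assumed to have been fetched from somewhere other than the mirror that served the files, since a mirror that can replace the file can replace a checksum stored beside it too.

```python
import hashlib
import hmac
import re

# Constructed sample data (not real release artifacts): the archive bytes the
# project published, and a SHA256SUMS-style manifest derived from them.
ORIGINAL_FILES = {
    "openoffice-1.0.tar.gz": b"constructed sample archive contents\n",
    "openoffice-1.0-langpack.tar.gz": b"constructed sample langpack\n",
}

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()

# Two manifest line styles occur in practice: "<hex>  <name>" for text mode
# and "<hex> *<name>" for binary mode; both are handled by parse_manifest.
MANIFEST_TEXT = "\n".join([
    "# constructed SHA256SUMS manifest",
    f"{sha256_hex(ORIGINAL_FILES['openoffice-1.0.tar.gz'])}  openoffice-1.0.tar.gz",
    f"{sha256_hex(ORIGINAL_FILES['openoffice-1.0-langpack.tar.gz'])} *openoffice-1.0-langpack.tar.gz",
    "",
])

# What a mirror actually served (constructed): one intact file, one altered
# file, and one file the manifest never vouched for.
DOWNLOADED_FILES = {
    "openoffice-1.0.tar.gz": ORIGINAL_FILES["openoffice-1.0.tar.gz"],
    "openoffice-1.0-langpack.tar.gz": ORIGINAL_FILES["openoffice-1.0-langpack.tar.gz"] + b"\x00extra",
    "unlisted-extra.tar.gz": b"constructed bytes nobody vouched for\n",
}

_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")

def parse_manifest(text: str) -> dict:
    """Map file name -> lowercase hex digest. Skips blank and '#' lines and
    rejects any line whose digest is not exactly 64 hex characters or that
    lists a name twice, so a malformed manifest fails loudly."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = m.groups()
        if name in entries:
            raise ValueError(f"manifest lists {name} twice")
        entries[name] = digest.lower()
    return entries

def verify_download(name: str, data: bytes, manifest: dict) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file."""
    expected = manifest.get(name)
    if expected is None:
        return "unlisted"
    actual = sha256_hex(data)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def verify_all(downloads: dict, manifest_text: str) -> dict:
    """Verify every downloaded file; refuse to install anything not 'ok'."""
    manifest = parse_manifest(manifest_text)
    return {name: verify_download(name, data, manifest)
            for name, data in downloads.items()}

if __name__ == "__main__":
    for name, status in verify_all(DOWNLOADED_FILES, MANIFEST_TEXT).items():
        print(f"{status:9s} {name}")
```

Run as a script it prints one status line per file. A hash check of this kind only proves the bytes match what the manifest's author hashed; it says nothing about whether that author's tree was clean, which is the separate problem of reviewing the source itself.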
They play it as if it is, but by saying open-source good, GPL bad, they are clearly desperately attempting to keep the sea full of fish for MS when it needs a chunk of [stable and useful] code here and there for their projects. They hate the GPL because there's no way they'll GPL the whole damn OS .. so this attack is specifically targeted at the GPL, with purely financial intentions in mind. The security angle is clearly just a way of getting people to read it, and to associate GPL with 'problems'. I'd imagine most decision-makers won't have to remember what those 'problems' are (much less understand them), but so long as they walk away going, 'open source good' (so MS can borrow at will, remember how much they like BSD license), 'GPL bad', they've done their job.
.. fortunately for them, in this day and age of specialization and legal and technological complexity, that's 99.9999% of the population on any particular issue.
.. "well, open source is fine, so long as we can keep the parts actually keeping the system secure obscured behind closed source?"
Ironic, huh? MS has the power and might to take and use, and they don't perceive having to apply the same standards as their code-base contributors (ie, the borrowed code) to their own product. It's flat out hypocrisy to anyone with half a clue.
Fuck 'em and their shareholders.
I assume by decrying the GPL for security, their lame argument is
So then why is open-source good? Seems to me that security is 80% of the benefit of open source. I guess MS's story is, 100% of the benefit of open source is 'borrowing' code, and 0% is security. Not surprising, but still infuriating.
How can an organization named after de Tocqueville make such an argument for something that de Tocqueville himself criticized? Chapters of "Democracy in America" are centred around the notion of the "Tyranny of the Majority" and how it restricts freedom rather than promoting it.
In fact, if I correctly recall, there is a phrase that goes something like (major paraphrase, if you can find the literal, let me know; it might be Fromm, not de Tocqueville) "In no other society are so many individuals dedicated to performing activities that promote an unfree society".
I'm sure that there are other societies that engage in such inherently hypocritical naming schemes, but it is ironic that the name of a person who criticized problems with America's political system is used to further corrupt it.
If we blindly take the assumptions of this article then only some DoD funded Unix should be used for Mission/Life critical systems.
I guess you are probably not successful if you program open source. What do you suppose he means by successful?
Funnily enough, so does ADTI.
HTTP/1.0 200 OK
Date: Mon, 10 Jun 2002 19:41:00 GMT
Server: Rapidsite/Apa/1.3.20 (Unix) FrontPage/4.0.4.3 mod_ssl/2.8.4 OpenSSL/0.9.6
Last-Modified: Mon, 10 Jun 2002 06:09:04 GMT
ETag: "9020935-1af5-3d044280"
Accept-Ranges: bytes
Content-Length: 6901
Connection: close
Content-Type: text/html
"Another security concern is that the primary distribution channel for proprietary software is CDROMs of unknown quality and origin, and could contain a critical problem, a backdoor or worse, a dangerous virus. Patches for proprietary software -- which is often released in a buggy state -- are made available over the internet, which isn't a trusted medium -- installing patches from the internet has the potential of making problems with proprietary software worse, not better."
"On a lighter note, while many proprietary software makers wish to use the 'treasure trove' of public domain, Open Source, and Free Software (GPL and similar licenses), they insist on strong copyright, patent and trademark protection for their own ideas and products -- in a manner of speaking, wanting to have their cake and eat yours too."
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? After all, if proprietary software vendors don't like the terms of a software license, they should not reasonably be expected to abide by it. This point is of considerable concern to software companies who wish to use the work of other without compensation -- 'pirating' the free software, to use a popular industry term. Proponents of the GPL argue that each party in the exchange benefits, which is the basis for a free, capitalist society, but proprietary software vendors don't always like this arrangement. Interestingly, proprietary software vendors often include highly restrictive and draconian licenses with their products, and disallow all use of them by any other developers; this, somehow, is presented by them as the 'fair market solution' -- what ours it ours, and what's yours is ours."
On a lighter note, while many open source advocates are proponents for copyleft, they insist on trademark protection for their ideas.
...by posting notices in publications and websites that their trademarks are protected. For example, the notice on the OSI website reads, "... To identify your software distribution as OSI Certified, you must attach one of the following two notices..." The same is true for a number of prominent open source firms including VA Linux.
You bet they do, or else commercial interests would steal their work and profit from it, without due compensation to the creator.
I hear the Red Cross and Salvation Army have trademarks as well, which they zealously protect, even though they are in the business of giving stuff away to those in need.
The Free Software Foundation, the Open Source Initiative and a number of other organized GPL enthusiasts protect their "marks"...
Putting the word "marks" in quotes in this context seems to imply that not-for-profit trademark holders are not holding "real" trademarks, and therefore the author of the paper feels entitled to sneer at them.
This is the most damning section of the entire document, in my opinion. The author betrays his contempt for the fact that open source advocates utilize the copyright system as it was intended: to control the distribution of their works. What burns this author the most however, is that he knows they are correct and the GPL succeeds at its aims, which is preventing GPL code from being hijacked by proprietary, closed source projects. This makes him very angry, and he can barely conceal it in this paragraph.
While each of these firms would insist that they are not against copyright protection, invoking the protections argues that they are against people copying their marketing documents and symbols.
He left out the crucial phrase at the end of the sentence: "without authorization." This guy is really burned that the GPL is successful. And it seems clear to me now that "this guy" is the Microsoft FUD^WMarketing department. Their past FUD releases on this topic have been infamous for conflating trademark and copyright, as well as copyright and copy-prevention.
Now I gotta go take a walk, because I am worked up. But man, this is the most blatant and desperate FUD I have read in a long, long time.
Actually, they are being fair in saying that you're stealing (if in fact the hundred hours is "pirated"). If they make a claim that you should pay them for all 5000 hours though, that's different. Your argument is flawed. The main thing here, though, is that nobody's forcing anyone to use gpl'd code. Don't like the license restrictions? Write your own damn code. Want to use the gpl'd code? Agree to the license. It's like any other software - agree to the licensing terms, or just don't use it.
...are the politest things I can say about this.
The author has transparently started with the objective of rubbishing the GPL - then crudely constructs "evidence" to support this rubbishing.
It presents a world view that as a software developer I find difficult to recognise.
It probably isn't worth spending much effort reading or responding to this. So I will just pick on one aspect which struck me as interesting: The complete omission of any reference to standards and specifications. In my world software systems are underpinned if not driven by standards and specifications. Many of these standards are open and freely available. Some are ad-hoc. But they are always there.
Not so in Mr Brown's world. Everything is secret and proprietary. It is a given that for a piece of hardware, there will be no published specifications. The only way that a GPL driver for that hardware can be created is by reverse engineering the manufacturer's own driver. Likewise there are no standards or even specifications for software systems. Everything is closed and therefore a GPL author must inevitably "steal" the creator's "intellectual property"....
Sigh. There is lots more to be criticised but the premises are so illogical and fallacious that it is soul destroying even to have to start.
Now I personally think that there is a role in the world for GPL, BSD and proprietary software licences. But this article neither makes the case for a multitude of licenses nor succeeds in saying why there is no place for the GPL (at least in any rational or credible way).
I would really like to see IBM explaining why they endorse the GPL, as this paper is sure to get a lot of coverage in the media - especially if Microsoft have paid for the article as has been rumoured.
I'm a firm believer in the GPL and Linux. That having been said, consider the following:
Eve wants to create a back door that lets her root by sending a particular, carefully-constructed packet to Apache. She discovers a way to do this by hiding it in a very subtle bug that she introduces to some component of the Apache system. After months of research, she finds a way to introduce the bug, by incorporating it in a modification that's too good for the Apache project to pass up. Eve's code becomes part of the next release, which is signed by the Apache project with a legitimate signature. Thousands of users worldwide download the buggy Apache RPM, verify the signature, install it on their machines, and restart httpd. Eve and her friends, perhaps months later, then use the compromised httpd to infiltrate a bunch of systems. The bug is finally found after hundreds of rooted boxes, and a patch released to fix the bug (and therefore the hole); but meanwhile, the damage has been done.
I'll grant that this is an awful lot of work to go through to get root; this scenario is strictly meant to be illustrative. My question is, what practices can we adopt, as a community, to prevent this from occurring in practice?
(We might also keep in mind that there are parties out there that are more interested in causing psychological damage than actual damage, and who may view this kind of operation as worthwhile if they can just get consumers into a panic.)
OK, done talking, now I listen :)
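One practice that answers both the question above and the earlier comment about reading the differences between the version you last checked and the new one: triage the diff before it merges, so that additions touching dangerous constructs get a human's attention even when the surrounding change looks like a welcome improvement. The script below is an added example of mine, not code from this thread or from the Apache project. It parses a unified diff, tracks new-side line numbers from the hunk headers, and flags added lines that match a small list of review-worthy patterns (unbounded string copies, process spawning, privilege changes, large magic constants). The sample diff, file path, and function names are constructed for the example.

```python
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed unified diff (not real Apache code): a tidy brace change that
# also slips an unbounded copy into a fixed-size stack buffer.
SAMPLE_DIFF = """\
diff --git a/modules/http/proto.c b/modules/http/proto.c
--- a/modules/http/proto.c
+++ b/modules/http/proto.c
@@ -40,6 +40,9 @@ static int parse_header(request_rec *r, const char *line)
     char buf[64];
     const char *value = find_value(line);
-    if (value == NULL)
+    if (value == NULL) {
         return DECLINED;
+    }
+    strcpy(buf, value);
     return OK;
 }
"""

# Constructs a reviewer should read twice when they appear in added lines.
# This is a triage aid, not a verdict: every hit still needs a human.
RISKY_PATTERNS = [
    (re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\("), "unbounded copy or format into a buffer"),
    (re.compile(r"\bmemcpy\s*\("), "raw memory copy; check where the length comes from"),
    (re.compile(r"\b(system|popen|execl|execlp|execv|execvp|execve)\s*\("), "spawns a process"),
    (re.compile(r"\b(setuid|seteuid|setgid|setegid)\s*\("), "changes process privileges"),
    (re.compile(r"\b0x[0-9a-fA-F]{6,}\b"), "large magic constant in logic"),
]

_HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

class Finding(NamedTuple):
    path: str      # file the added line lands in
    line: int      # line number in the new version of the file
    reason: str    # why a reviewer should look
    text: str      # the added line itself

def _file_from_header(header: str) -> str:
    # "+++ b/path<TAB>optional timestamp" -> "path"
    name = header[4:].split("\t")[0].strip()
    return name[2:] if name.startswith(("a/", "b/")) else name

def added_lines(diff_text: str):
    """Yield (path, new_line_number, text) for every '+' line in a unified
    diff, advancing the new-side line counter on context and added lines."""
    path, new_line, in_hunk = None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff "):
            in_hunk = False
            continue
        if raw.startswith("+++ "):
            path, in_hunk = _file_from_header(raw), False
            continue
        if not in_hunk and raw.startswith(("--- ", "index ")):
            continue
        m = _HUNK_HEADER.match(raw)
        if m:
            new_line, in_hunk = int(m.group(1)), True
            continue
        if not in_hunk or not raw:
            continue
        tag, text = raw[0], raw[1:]
        if tag == "+":
            yield path, new_line, text
            new_line += 1
        elif tag == " ":
            new_line += 1
        # '-' removes an old line; new-side numbering does not advance

def triage_diff(diff_text: str) -> List[Finding]:
    """Flag every added line that matches one of RISKY_PATTERNS."""
    findings = []
    for path, line, text in added_lines(diff_text):
        for pattern, reason in RISKY_PATTERNS:
            if pattern.search(text):
                findings.append(Finding(path, line, reason, text.strip()))
    return findings

def added_per_file(diff_text: str) -> Counter:
    """Lines gained per file, as a rough measure of review scope."""
    return Counter(path for path, _, _ in added_lines(diff_text))

if __name__ == "__main__":
    for f in triage_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: {f.reason}\n    {f.text}")
    print(dict(added_per_file(SAMPLE_DIFF)))
```

On the constructed diff the script reports a single finding at modules/http/proto.c line 45 (the strcpy into a 64-byte buffer) while the brace change passes silently. Pattern lists like this catch the crude cases; the subtle bug in the scenario above would not trip any of them, which is exactly why the tool's output is a starting point for a reviewer rather than a substitute for one.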
And your point, Mr. Brown, is exactly what?
First point: Today I mistakenly started up IE's infamous "Windows Update" feature for the Win2K installation on the SunPCI card in my Ultra 10. The first "update" it wanted to install was the MS "Automatic Updater" so that Microsoft could cram changes to my system software down my throat whenever they chose to. Mr. Gates does not own my hardware, the State of Texas does. Given Microsoft's track record in the security area, please explain to me the exact difference between this "feature" and a "back door or worse, a dangerous virus"?
Second point: Microsoft's "Windows update" service is ONLY available over the internet and is usually the ONLY source for critical security fixes and other patches for Microsoft products. Please tell me exactly how that differs from the normal distribution channel for GPL software.
Reverse engineering "harbors very close to IP infringement because and has staggering economic implications."
Please show me your bar number before you start rendering legal opinions, Mr. Brown. The only class of Intellectual Property that is infringed by reverse engineering is patents. Specifically, so-called "clean room" reverse engineering of copyrighted works has been repeatedly blessed by the courts as an exercise of the fair-use doctrine.
"On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."
Mr. Brown, this "lighter note" comment of yours is little more than a cheap shot that openly displays your lack of understanding of the subject matter on which you write.
"Open source enthusiasts" not only avail themselves of trademark protection, they also assert and defend their rights as copyright holders. This in no way conflicts with their advocacy of the principle of copyleft. What it DOES do is give them the power to enforce the particular license (GPL, LGPL, BSD, or other) under which they choose to release their software.
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
Answering your questions in order:
Yes, if it's my GPL code, it most certainly IS fair. If Microsoft, Adobe, Symantec or whoever, wants to license my code for use in their proprietary product, I will be HAPPY to negotiate a special *non-exclusive* license with them for a SUBSTANTIAL fee. HOWEVER, if their objective is to take my code without payment and claim it as their own they had better be ready for MAJOR litigation.
"The federal government's information systems requirements intersect countless sensitive operations. The limitless potential for holes and back doors in an open source product would require unyielding scrutiny by staff that decided to use it. For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as:
They already do. The FAA's Air Traffic Control Database uses Oracle 9i Real Application Clusters running on Dell PowerEdge servers and (surprise!) Red Hat Linux.
Apparently the FAA thinks it's a better gamble than hoping that no one with an old copy of debug.exe will find a buffer overflow in Windows 2000 Advanced Server.
Again, you clearly demonstrate your lack of knowledge in this field, Mr. Brown. GPL software is NOT public domain. It is private property released for public use under license. It is no more public domain software than Windows XP. And
However, a more cogent inquiry would be "If the FAA's Air Traffic Control System is exposed to access from the public internet, shouldn't we fire all the boneheaded bureaucrats that decided it SHOULD be?"
Most of the
Mr. Brown, your white paper exhibits a failure of understanding of your subject that I find very disappointing in one who would call his operation a "think-tank". You entitle your publication "Opening the Open-Source Debate,"
utter rubbish
Unfortunately, his countrymen didn't learn very well from his writings, as France has been through at least 7 forms of government since their revolution.
For more info, see his book: Democracy in America