Slashdot Mirror


VIA Pulls PadLockSL

yipyow writes "A few weeks ago VIA Technologies posted software based on Nullsoft's WASTE, as reported here a few days ago. VIA PadLockSL included both a Windows and Linux client and some special extensions to work with security hardware built into certain VIA products. It was released under the GPL so I managed to snag a copy of the source code right before VIA suddenly removed their page (Google cache). I have posted Linux compilation instructions and mirrored the source here. If VIA has decided not to pursue the project further, I think the F/OSS community should turn this project into something, it has potential to be a great tool."


  1. Thank goodness for GPL conservators by Saven+Marek · · Score: 4, Insightful

    I wonder sometimes how many projects start up, fail for some reason, and then the code is lost. Not lost because it's proprietary but lost because it just goes the way of crumbs under the table? How much good work is going down the drain.

    I'm glad you managed to save the code, GPLd as it is it has the right to live or die according to popularity. Hope it works.

    shak's nude anime gallery

    1. Re:Thank goodness for GPL conservators by Overand · · Score: 5, Insightful

      This makes the assumption that the GPL license originally given for the original code is actually valid. The common point that people make is that Justin Frankel wrote the code while working for AOL, and depending on his contract with AOL, code he writes while working for them (or while in the office?) may be owned by AOL, meaning the license he put on the code may not be valid. Like someone pointed out earlier, if I stuck a GPL COPYING file in with the Windows 2000 source code, it wouldn't suddenly become legit. So if AOL didn't "authorize" the release of the program, the source code for waste is just as 'leaked' as the win2k source code.

    2. Re:Thank goodness for GPL conservators by Trailer+Trash · · Score: 2, Insightful

      This makes the assumption that the GPL license originally given for the original code is actually valid. The common point that people make is that Justin Frankel wrote the code while working for AOL, and depending on his contract with AOL, code he writes while working for them (or while in the office?) may be owned by AOL, meaning the license he put on the code may not be valid.

      It can be owned by AOL and still GPL'd. The real question is whether Justin Frankel has the organizational standing to make a decision like that. There's no "AOL" to authorize the release of the program; rather, there are people within AOL who have the standing to make such decisions.

      I'm assuming that Justin isn't one of them given that it was pulled from their website.

    3. Re:Thank goodness for GPL conservators by theLOUDroom · · Score: 2, Insightful
      This makes the assumption that the GPL license originally given for the original code is actually valid. The common point that people make is that Justin Frankel wrote the code while working for AOL, and depending on his contract with AOL, code he writes while working for them (or while in the office?) may be owned by AOL, meaning the license he put on the code may not be valid.

      Nope.

      There are really several possibilities here:
      1. Frankel owns the code. If this is true, the GPL release is valid.
      2. AOL owns the code.
        1. If AOL owns the code and Frankel had no authority to release code, the release would be invalid.
        2. But even if AOL owns the code... if Frankel, acting on behalf of AOL released the code, the GPL sticks.

      That's the key thing here, Frankel is the person who released Winamp, etc.

      It's fairly easy to suggest that he had the authority to release code. This makes his decision also Nullsoft's decision. He essentially had the authority to represent Nullsoft and act in its interest, and so his actions should be legally treated as actions of Nullsoft.

      Any ruling that would let AOL retract the release of WASTE would make it ridiculously easy for companies to slip out of contracts they didn't like, by allowing companies to claim that the person who acted on their behalf (signing the contract) was not authorized, despite it seeming clear at the time that he was.

      Example:
      I could start a company and create a division called "emptysetsoft" and make Joe the head of it. Joe buys and sells houses as part of his duties for emptysetsoft. One day Joe makes a deal I don't like so I fire him, and then claim that Joe was making unauthorized deals. I demand that deal and only that deal be reversed.

      See the problem? Joe clearly had the authority to make deals on behalf of emptysetsoft.

      Has AOL claimed Frankel's releases of Winamp were unapproved and thus invalid? No.

      --
      Life is too short to proofread.
  2. Re:De-ja Vu? by Anonymous Coward · · Score: 4, Insightful

    The GPL is irrevocable, so they can't revoke it. The only "official" things they can do to stop people developing it further are:

    • Claim that the employee didn't have permission to release it under the GPL, or
    • Claim that they didn't have permission from the original copyright holder (as AOL claim WASTE wasn't really released under the GPL), or
    • Stay quiet and hope AOL go after the others and not them.

    Given that the second option would be an admission of copyright infringement, and the first option is on shaky ground, I can see them choosing the last option.

  3. Re:Be careful by SacredNaCl · · Score: 4, Insightful

    Perhaps they decided that it would be counter to their interest in selling hardware encryption appliances which do the same thing. Why release software that can do the job of something you can *sell* hardware for?

    --
    Freedom is merely privilege extended unless enjoyed by one and all.
  4. Oh please by Anonymous Coward · · Score: 0, Insightful
    How is the HURD development going?

    It's magically GPL, yet it has been in the shitter for the last decade.

  5. Possible unlawful use of code by Richard_at_work · · Score: 5, Insightful

    People might want to consider that the release of WASTE was indeed unlawful under current law, AOL/Nullsoft was within their rights to withdraw the code and the GPL was applied to the code under wrong circumstances. A lot of people have mentioned in previous WASTE related stories something to the tune of "It was GPLed, I don't care who GPLed it, I'm not discontinuing my use or distribution of it" while not actually considering that just because it had the GPL applied to it, the GPL was lawfully applied.

    Since this product was based on WASTE, this is possibly why it was taken down, and if so, then the fact that a major company thinks the GPL wasn't applied lawfully to it, then I'm inclined to think that all the other archives of it around are infringing as well.

    Just my 2 cents on the matter. In the original WASTE story, I offered to mirror the source code. I did this until I actually sat back and thought about it, then I removed the code because I didn't think its release was lawful.

    1. Re:Possible unlawful use of code by swv3752 · · Score: 2, Insightful

      Most likely was lawfully posted and AOL does not have a legal leg to stand on. That doesn't mean that AOL can't bully you though. If the Head of company does not have legal authority to publish something, then who would?

      The problem is proving that Frankel caved to pressure from AOL. The Feds could not prove that Capone was a Gangster. Yet everyone knew he was one anyways.

      --
      Just a Tuna in the Sea of Life
    2. Re:Possible unlawful use of code by theLOUDroom · · Score: 2, Insightful

      People might want to consider that the release of WASTE was indeed unlawful under current law, AOL/Nullsoft was within their rights to withdraw the code and the GPL was applied to the code under wrong circumstances.

      You state that as if it's a fact, but it's actually your opinion and one I don't agree with at all.

      If I work for a store, and it is normal duty of mine to do sales and quote prices. I am acting on behalf of that company when doing so.
      If I work for Nullsoft and it is my normal duty to release software, I am acting on behalf of Nullsoft when I do so.
      If I have been delegated the authority to release software, and I release a software package, Nullsoft has just released that software package.

      The person who released WASTE was pretty much, THE GUY at Nullsoft. While AOL, may not have liked Nullsoft's actions, the person releasing the software clearly had the authority to make them.
      This would be like one of Apple's VPs setting ipod prices at $200, and then Apple later demanding that everyone who bought an ipod for $200 give them back.

      The rest of the world had a reasonable right to believe that Apple really meant to sell ipods for $200. There's a big difference between making a business decision that is unpopular with your higher ups and doing something you aren't authorized to do.

      --
      Life is too short to proofread.
    3. Re:Possible unlawful use of code by Jah-Wren+Ryel · · Score: 2, Insightful

      the fact that a major company thinks the GPL wasn't applied lawfully to it,

      Sorry, but what a "major company" thinks about the application of the GPL doesn't mean shit (see that other long running story about this company called SCO). What matters is what the courts think and while I can completely understand not wanting to get embroiled in a court case, that doesn't mean you need to rationalize it by handing moral authority over to an organization that has, as its stated goal, complete self-interest without regard to the interests of anyone else.

      There are a lot of mitigating circumstances regarding AOL's claim that WASTE was not authorized for release and they've been pointed out many times in each WASTE thread here on slashdot. In my opinion, the strongest point is that Frankel is (or at least was, maybe he got the smack-down over the WASTE release) positioned sufficiently high enough up the corporate ladder to be reasonably considered to be able to act for AOL on matters of his business domain. Since he wrote WASTE, it is clearly in his domain, since he published under the GPL while in the position to act for AOL it is entirely reasonable to expect that, despite AOL's attempt to rewrite history, the WASTE code is lawfully licensed under the GPL.

      I suspect that, like yourself, Via did not want to risk testing the validity of the WASTE release in court, their project being little more than a technology showcase and not central to their business. But their decision has no bearing on the truth of the matter, only that they didn't care to spend the money to find the truth in court.

      --
      When information is power, privacy is freedom.
  6. Re:I can see it already. by Snowmit · · Score: 5, Insightful

    Oh yeah, and for our protection, I think laws should be passed worldwide that anything posted on the Internet and subsequently removed cannot be recalled once downloaded by at least one person, so that if a company releases something as GPL and then pulls it, even if that is due to copyright violations on their part in including the thing in a GPL download, that company is subject to damages but not the downloaders, since they downloaded something as licensed under the GPL.

    In other words, you want the international community to pass a law that makes it so that if someone steals my code and posts it online and then has a friend download it, I lose all rights to that code.

    That's a very bad idea.

    --
    I have a lot of opinions about Cyborgs and Architects
  7. Re:Not a troll by DrSkwid · · Score: 4, Insightful


    What *are* you talking about.

    The idea isn't being hurt, just 1 particular project.

    You cannot release someone else's code under a different license without their permission. This is exactly what keeps GPL software *free* so how could it possibly be ironic?

    Licenses are *necessary*. They are, in essence, a contract between supplier and recipient. They detail that which each party can expect from the arrangement.

    Without the licenses that say 'do what you will with this' there would be no OSS to keep airborne.

    In case you hadn't noticed, OSS took off a long time ago.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  8. TEN FOOT POLE by ca1v1n · · Score: 4, Insightful

    If the Nullsoft release was unauthorized (what constitutes unauthorized is not as clear-cut as AOL would have us believe) then the fact that the code was GPL'd is irrelevant. Go roll your own people. Don't even look at the WASTE source. You'll be tainted.

  9. Re:I can see it already. by Anonymous Coward · · Score: 2, Insightful

    You just wait. I give this thing about 30 days, and then people will start hearing from all kinds of lawyers, and we'll have another SCO on our hands, claiming we jacked source code which we did not, in fact, jack.

    Huh? Tell me, if I had a job as a janitor at Microsoft headquarters, and grabbed a copy of the Windows source code, would I be able to release it as GPL? And would the people downloading and spreading it be in the right? Of course not!

    This is essentially AOL's argument: that somebody released the WASTE code under the GPL when they had no right to. If that is true, then they acted accordingly - they pulled the source and put up a notice in its place.

    Now along comes VIA, who haven't got the message that their license is not valid. They "release" their derivative work, and then find out about the licensing screwup. They pull the software.

    No matter how many people have downloaded the code, none of them have a valid license. VIA were never in a position to grant licenses.

    So sure, if somebody is mistakenly under the impression that their license is valid, then they shouldn't be punished. But you are advocating ignoring the fact that the license is invalid, and committing copyright infringement.

    But instead of using it to build the product, use it to plan a completely new design, and build that as a separate project altogether, using none of the original source code. Call it a different name, make it do slightly different things... when they come to bitch and moan, the damn thing won't share any lines of code. Shit, if there's int i in that source, our version should define int to INT and write INT i, just to throw off code comparison.

    No, that's a derivative work, and is also covered by AOL copyright. Any attempt to "throw off code comparison" would be strong evidence that you knew that the license wasn't valid, which, I believe, triples damages when you inevitably lose the copyright infringement lawsuit.

    Oh yeah, and for our protection, I think laws should be passed worldwide that anything posted on the Internet and subsequently removed cannot be recalled once downloaded by at least one person, so that if a company releases something as GPL and then pulls it, even if that is due to copyright violations on their part in including the thing in a GPL download, that company is subject to damages but not the downloaders, since they downloaded something as licensed under the GPL.

    So the janitor at Microsoft snarfs the source code, gets a new job at Sun, and uploads it onto their servers. Bingo, Free Windows, no more Sun.

  10. don't do that by hak1du · · Score: 5, Insightful

    Merely the fact that the software had a GPL copyright on it and happened to be available somehow doesn't mean that you can redistribute it. Until a piece of software has been intentionally released by its owner under the GPL, it is not covered by the GPL.

    Furthermore, one of the most likely reasons VIA pulled this is that they don't have the right to distribute it (patents, other people's copyrights, etc.). Then, even if you acquired a copy under the GPL, you couldn't use it because the GPL would be invalid.

    Also, the person posting it may not have been authorized to do so by the copyright holder (the company itself). That would also mean that you don't, in fact, have the right to use it under the GPL because the GPL is an agreement between you and the copyright holder (VIA), and VIA has not entered into that agreement with you.

    Even if you could get away with it legally for some reason, I really think it's a bad idea to behave that way. Good relations between VIA and OSS developers are essential in order to have Linux run well on their hardware. There is no hard-and-fast line, but in a situation like this (it seems it has had no widespread announcement, no user community, no external contributions), the creators of such a software package should be allowed to change their mind at the last minute.

  11. Re:Not a troll by tomstdenis · · Score: 3, Insightful

    Licenses are not required. That's just a myth spread by the FSF fudmachine.

    For example, you can quite easily give out public domain software. Of course you get the all-oft repeated argument "what if someone takes your code then turns it closed-source" to which I reply big fucking deal. I still can release my code openly. So if some company wants to use it on their own big deal. All the power.

    Actually a public domain approach is more free/open because it allows commercial developers to create solutions faster without having to re-invent the wheel [while getting it all wrong] and not having to release stuff openly [e.g. works well for BitMover and Sony so far ;-)].

    And before anyone replies with stupidity. I do appreciate GNU and GPLed software. I just don't use it for my own software. I can happily co-exist with the two licenses...

    Tom

    --
    Someday, I'll have a real sig.
  12. Re:Be careful by sangreal66 · · Score: 4, Insightful

    Again, you can only set copyright licensing terms if you own the copyright to begin with! The original WASTE was released under the GPL without permission by someone without the authority to license it (although he was the author, copyright is granted to the employer). Therefore the original GPL license is no more valid than if you were to release the leaked windows source under the GPL. That being said, unless VIA got permission from AOL to release it, they too licensed it illegally making their GPL release invalid as well.

  13. Re:Be careful by Jeff+DeMaagd · · Score: 4, Insightful

    The first rule of the internet is like the first rule of the Westerns: download first and ask questions later.

  14. Re:I can see it already. by Snowmit · · Score: 3, Insightful

    I don't think I'm reading his post selectively.

    If someone steals my code, then posts it online under the GPL illegally and then other people download it, I don't think that those other people should have Carte Blanche to do what they want with my code. I think that if I inform them and can prove to them that they are using code that should never have been in the GPL, then they have an obligation to stop using my code.

    If we go with the great-grandparent's plan, then anything released under the GPL, no matter how it got there, would stay GPL. In other words, thieves would be totally free to steal and distribute code.

    Which is a very bad idea, I think

    --
    I have a lot of opinions about Cyborgs and Architects
  15. Re:Why? by drinkypoo · · Score: 3, Insightful

    Moderators: This person is not offtopic, they are WRONG. This is NOT "just a fancier GUI on WASTE". It is an entirely new GUI, and a different encryption algorithm. The RSA code was (C) RSA and including it in a GPL program is a GPL violation. The AES code used in Padlock SL is dual-licensable; The default license in the program is essentially BSD, but it says you can instead license it as GPL so long as you retain the original copyright notice. Sounds good to me.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. Re:Via's RNG publicity and a conspiracy theory... by Just+Some+Guy · · Score: 4, Insightful
    VIA's random number generator greatly increases the speed to generate the keys (ie faster than p4 2.6 ghz on VIA's 1Ghz proc).

    There are other hardware crypto accelerators. OpenBSD uses them to offload all possible crypto and random functions from the CPU whenever one is present. VIA's is nice, in that it comes with the computer, but $100 will get you the same functionality in a PCI card.

    Anybody here thinks that secure easy IM might not facilitate terrorist message interception?

    You mean, like Jabber with SSL? That cat's already out of the bag.

    --
    Dewey, what part of this looks like authorities should be involved?
  17. I love it! by daveman_1 · · Score: 2, Insightful

    This program is just too cool! There are some things it could obviously use, such as an easier way for users to share their public keys (ala PGP key servers. The use of actual PGP/GPG keys would be really cool too!) and a few dedicated hosts to start a network (because direct peer to peer isn't always desirable or feasible, but the security through a dedicated host is good enough for most circumstances...) I guess what I'd really like to see is AIM support public key encryption, something that has always been lacking in the instant messenger app of choice for most people. Perhaps the open source community can make this a reality. And gaim encryption just doesn't work for enough people and isn't as strong as this...

    --
    Russian Russian Russian RussianDollSig DollSig DollSig DollSig
  18. Re:Be careful by Anonymous Coward · · Score: 1, Insightful

    "(although he was the author, copyright is granted to the employer)."

    Have you read the employee's employment contract? Does it assign or exclusively license the rights to all work produced by the employee to the employer? Do you care to cite the portion of Title 17 of the United States Code that defines computer software as a statutory work for hire? (Hint: 17 U.S.C. 101 definitions, and no it is emphatically not).

    IAAL. Your cursory analysis of the ownership and authority issue sucks.

  19. Re:WASTE is GPL, set in stone. by dfghjk · · Score: 2, Insightful

    It is likely that the author of the software was the company rather than the individual. We don't know without knowing the details of the employment contract. Externally, it might appear that the programmer was authorized by the company to release under the GPL but we don't know that either.

    It's far from open and shut that the release under the GPL was legal and I don't think the courts will have a hard time deciding it without setting dangerous precedent. If an employee steals a product off the manufacturing line and sells it, is the sale legally binding because it was done by an employee? Hardly too late in that case. Just because a programmer writes code as an employee of a company it's not automatically assumed that he can distribute it as he/she wishes. The programmer must either be authorized to do so or have language in his contract that permits it.

    A company I worked for claimed IP rights on a consortium-led technology of which it was a member. Turns out an employee signed an agreement when he was not authorized and didn't discuss the matter with management. Don't know the legal questions that arose from that, but the company backed off its IP claims. One way or another it was necessary to do that. It's not clear to me that the situation is much different here.

  20. Re:Be careful by Anonymous Coward · · Score: 1, Insightful
    This strikes me as akin to a company doing unauthorized work, billing for it and then hoping that you'll pay just because they sent you an invoice. Or better yet, you receive an unsolicited radio in the mail from me. You turn it on and I attempt to bill you. In the US, it's a gift. No contract existed, I didn't ask for it and you sent me something with no legal strings attached.

    Yes and no. If the company intentionally shipped you the unsolicited package and tried to bill you for it, then yes it would be a gift. However, if some disgruntled employee, without authorization decided to start mailing out radios at random, then the company could certainly take action to recover the radios, as they are company property and were illegally distributed without authorization--they couldn't bill you for it, but they could force you to give it back. If Nullsoft is correct in its assertion that the WASTE sourcecode was not authorized to be released, then like it or not the second case applies, and it was never legally released under the GPL at all. Of course you can't "revoke" the GPL from software that is legally licensed under the GPL (unless a particular party violates the terms of the GPL, but that's a specific case), but just because you slap the GPL on some source code doesn't mean it's suddenly free no matter what. This is the crux of the matter. The mere fact that WASTE appeared briefly on the Nullsoft website as released under the GPL is not proof positive that it was an official release. I think the strongest argument for the validity of the release of waste is the fact that one of the "conspirators" was an officer. But even an officer can act without authorization, so this is not an airtight argument.

  21. Re:Be careful by Anonymous Coward · · Score: 1, Insightful

    The bare statement is a claim of ownership, and not evidence of ownership. The employment contract is the primary, if not sole, evidence that establishes whether Nullsoft held exclusive rights to the code AT THE TIME IT WAS PUBLICLY AVAILABLE.

    Of course, if you trust everything a corporation or individual tells you, I'm sure my brethren will be happy to fire off C&D letters at the drop of a hat for the rest of eternity...

  22. Misleading by mcc · · Score: 2, Insightful

    The original WASTE was released under the GPL without permission by someone without the authority to license it

    No. The original WASTE was released under the GPL by someone whose permission to license it is in dispute. I have yet to see any even remotely conclusive argument about this either way, and it looks like the kind of question that really only a court has the authority to answer.

  23. Huge leap with no support by theLOUDroom · · Score: 2, Insightful

    Was Winamp released under the GPL? If the answer is no then your post is meaningless.

    How do you figure that?

    Either he had the authority to act on behalf of Nullsoft or he did not. If he chose to use this authority to release winamp one way waste another, that would be at his discretion.

    It is possible that Justin had authority to release binaries such as Winamp but no authority to release source.

    People keep saying "well what if some internal document said XXX?"
    What everyone seems to neglect is that people act as agents of the companies they work for.

    If a manager at Walmart sells me a laptop for $10, he has that authority. Normally laptops sell for more than this, but this guy's a manager and I have a reasonable expectation that he can do this.
    If it turns out the next day that his boss doesn't like it, they don't get the laptop back.

    If we had to worry about internal agreements invalidating any contract made by employees who seemingly have the authority to do so, you'd never be able to trust a company to stick to an agreement. It would be too easy to weasel out.

    In my Walmart example, maybe there's a document specifically saying he can't sell a laptop for less than $50. Why the hell should I know or care about it? The manager should know about it if he wants to keep his job, but in the end I still get my laptop for whatever he sells it to me for.
    If Walmart doesn't like it they can fire the employee, or even go after him legally, but I'm in the clear. I bought my laptop at the price given to me by a Walmart representative.

    --
    Life is too short to proofread.