Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stuxnet/Flame/Duqu Uses GPL Code

Posted by Unknown on from the state-sponsored-piracy dept.

David Gerard writes "It seems the authors of Stuxnet/Duqu/Flame used the LZO library, which is straight-up GPL. And so, someone has asked the U.S. government to release the code under the GPL. (Other code uses various permissive licenses. As works of the U.S. federal government, the rest is of course public domain.) Perhaps the author could enlist the SFLC to send a copyright notice to the U.S. government..."

28 of 221 comments (clear)

  1. Implications by tmosley · · Score: 5, Insightful

    That would imply that the government is ruled by law rather than the arbitrary decisions of a few "top men".

    It doesn't take long for such attitudes to spread throughout society.

    But hey, Obama said he would have, like, the totally most open presidency ever. Surely the new boss will prove himself different from the old boss in SOME way. Surely!

    1. Re:Implications by tnk1 · · Score: 4, Insightful

      Clearly we should take our cue to start a bloody revolution from music lyrics written by people 50 years ago.

      Speaking as someone who does actually read history, I know what happens to people while they are in the midst of their glorious revolutions. That is to say, privation, disorder and mass slaughter. That wonderful period is then most of the time followed by dictatorship or other forms of tyranny. The good times come decades later when someone has managed to restore order.

      You'll excuse me if I hope that no one gets around to it for another 50 years or so.

    2. Re:Implications by networkBoy · · Score: 4, Insightful

      And yet somewhere in the middle lies the answer.
      It is of use to note that we celebrate a war every year. On the 4th of July we light off fireworks to celebrate going to war with the British and winning (technically we celebrate our declaration to be independent, but we all know damn well that had we lost or had there been no contest, there likely wouldn't be fireworks every year).

      Our country does need a revolution. It needs a real tea party, a mass of people who simply refuse to follow governments orders.

      The challenge, of course is critical mass. I would wager that in 1776 well over 50% of the population of the nascent United States of America was willing to outright defy the ruling government, while somewhere north of 90% of the remainder at least supported said dissidents. With the combination of the Democrats buying votes from the poor/uneducated/minority/grafters/etc with entitlement programs and the Republicans selling government support to corporations, I believe a civil revolution is impossible.

      thk1 is right, an armed revolution is bad, but I'm not sure no revolution is better...

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:Implications by number11 · · Score: 4, Insightful

      It is of use to note that we celebrate a war every year. On the 4th of July we light off fireworks to celebrate going to war with the British and winning (technically we celebrate our declaration to be independent, but we all know damn well that had we lost or had there been no contest, there likely wouldn't be fireworks every year).

      Oh, I dunno. It probably wouldn't be on 4 July. But the Brits have fireworks on Guy Fawkes day (remember, remember, the fifth of November) to celebrate the capture and execution of terrorist plotters in 1605. There would probably be another annual celebration to commemorate the capture and execution of the colonial terrorists (or is that "militants"? it's so hard to remember the correct terminology) of 1776. So there would be fireworks twice a year.

    4. Re:Implications by Anonymous Coward · · Score: 5, Insightful

      The government, while it makes the laws, is subject to the rule of law. The government can be replaced and the laws changed. But by agreeing on a set of laws that apply to everyone is how we keep our noses out of the aforementioned violent chaos.

      Revolution is not the answer. Civic engagement is. If we take notice, if we talk about and we insist on accountability and seek to elect politicians that act in our interest. A mature and educated electorate is the required cultural change and I'm optimistic we're heading in that direction. The current shenanigans are not irreperable and are serving a purpose in getting people to take notice.

    5. Re:Implications by BKX · · Score: 5, Informative

      I would wager that in 1776 well over 50% of the population of the nascent United States of America was willing to outright defy the ruling government, while somewhere north of 90% of the remainder at least supported said dissidents.

      And you'd be wrong. It's widely accepted that only 1/5 of population were rebels. Another 1/5 were loyalists. The remaining 3/5 were neutral (with a number joining one army or the other for purely economic reasons without actually believing in one side or another). We only won because England was at war with everyone else at the same time.

    6. Re:Implications by jythie · · Score: 4, Insightful

      The thing is, the American Revolution worked because the local elites were driving it, not average people. That tends to be what determines if a revolution goes well or not. When you have two ruling classes struggling for power, the winner usually has the resources to restore order and most of their power structure already in place. When you have ruling class vs general population, it always ends badly regardless of who wins.

    7. Re:Implications by Entropius · · Score: 4, Insightful

      The information was leaked because the malware got out. Nobody "leaked" Stuxnet, other than Stuxnet itself.

    8. Re:Implications by s73v3r · · Score: 4, Insightful

      That's not the fault of the judicial system. That's largely the fault of the legislative branch, who enacts laws mandating certain levels of sentencing. And that blame can largely be brought back to the people who voted for those representatives, who demanded that people be "tough on crime."

    9. Re:Implications by davester666 · · Score: 5, Insightful

      Well, if 'hiding something' is a significant concern for you, perhaps you should discuss this with your congressman/senator. For example, your own gov't refuses to disclose it's own interpretation of the Patriot act.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Who gets to request code? by Anonymous Coward · · Score: 5, Insightful

    Under the GPL, only people that the executable was distributed to are allowed to request the code - and since it's a weapon, the US government isn't alliowed to send it to Iran.

    Problem solved.

    1. Re:Who gets to request code? by samkass · · Score: 4, Interesting

      Also, you'll have to prove in a court of law that the Government did, in fact, distribute the software; that the recipient requested and was denied the source code; and that the owners of the Copyright have standing to sue. That's even before Sovereign issues. I'm not optimistic.

      --
      E pluribus unum
    2. Re:Who gets to request code? by Neil_Brown · · Score: 4, Informative

      Under the GPL, only people that the executable was distributed to are allowed to request the code

      It's perhaps a little more nuanced than this, to my mind.

      Under GNU GPL 2.0, a distributor of a binary of the Program has two main options for distributing the source code:

      • a.) Accompany it with the complete corresponding machine-readable source code ... or,

      • b.) Accompany it with a written offer ... to give any third party ... a complete machine-readable copy of the corresponding source code...

      If the source code does not accompany the binary, the binary must be accompanied by a written offer to give the source to "any third party" — it does not say "to give any third party who possesses the object code" or similar.

      However, the GPL FAQs (which I'd treat as one interpretation of the licence), comment that:

      The offer must be open to everyone who has a copy of the binary that it accompanies. This is why the GPL says your friend must give you a copy of the offer along with a copy of the binary—so you can take advantage of it.

      However, this is not what the wording says — that the offer must be open to "any third party." If I get the binary directly from you, the status is clear, as is the situation in which I get the binary from my friend, who got it from you — but it's unclear, to my mind, what happens when I do not have the binary. I'd probably leave it that you have an obligation to provide the source code to me — an obligation to provide the source code to "any third party" — but that, without a copy of the offer myself, I'd likely have a very difficult time enforcing the obligation.

      GNU GPL 3.0 clears this up, with clause 6(b) providing that a non-source distribution on a physical medium can take place if

      accompanied by a written offer ... to give anyone who possesses the object code [the source or access to the source]

      However, the fact the words are *not* in GNU GPL 2.0 but *are* in GNU GPL 3.0 does not necessarily mean that they should be read in...

      YVMV, of course :)

  3. Re:is the CIA selling these viruses? by dnaumov · · Score: 4, Informative

    No, selling or not selling is irrelevant. "Distributing" is the key.

  4. Clever idea, actually. by drinkypoo · · Score: 4, Interesting

    Someone with gigantic balls of steel should file a FOIA on this basis.

    It would be interesting to see if the request would even be acknowledged.

    What makes the idea clever is that it's a public request (and publicise the hell out of it!) and it's powered by copyright. This is why the GPL is so effective...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Re:is the CIA selling these viruses? by TheSpoom · · Score: 4, Interesting

    Distribute, not sell. (Though you absolutely have the right to sell GPL code as well, as long as you abide by the rest of the license and release your source.)

    In any case, I'm guessing that one of the following things will happen:

    - Some sort of secrecy / national security provision is given as a reason source cannot be released (1% probability)
    - Changes to the GPL portions are released (0.01% probability)
    - Stone-cold silence (98.99% probability)

    Remember, the US Government hasn't even acknowledged that they created these worms. We're still firmly in the "plausible deniability" phase.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  6. Re:Not gonna happen by DickBreath · · Score: 4, Insightful

    Why would you bother to acknowledge copyright? Because the people who have bought and own the US government want copyright and patents to touch every part of our lives. Buy a cell phone? You should be paying an ever increasing slice to every patent troll that crawls out of the woodwork. Buy blank media, or a blank SD card? You should be paying copyright owners a "tax" on that blank media you dirty filthy pirate! Why else, other than piracy, could you possibly be buying blank media?

    / end rant

    --

    I'll see your senator, and I'll raise you two judges.
  7. Re:Not gonna happen by ZeroSumHappiness · · Score: 5, Insightful

    Obviously copyright is the most important issue of our time. Look at how much went into ACTA/SOPA/PIPA/CISPA and how little is going into fixing our education, healthcare, research and poverty issues.

  8. Ask away by DaveV1.0 · · Score: 4, Insightful

    The thing is, no one knows who wrote it. Sure, there is speculation that the U.S. and/or Israel did, but no one knows for sure. The simplest thing for the government to do is say "We can't because we didn't write it." Then, it falls on the asker to prove they did.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  9. LZO Licensing by Anonymous Coward · · Score: 5, Informative

    From http://www.oberhumer.com/opensource/lzo/lzodoc.php:

    "Special licenses for commercial and other applications which are not willing to accept the GNU General Public License are available by contacting the author."

  10. OT - GPL violation doesn't necessarily open code by caseih · · Score: 5, Informative

    Just as an aside, whenever some commercial entity finds itself in violation of the GPL, people start talking like they expect the code to magically be revealed and gifted to the community. This perpetuates the lie that the GPL is viral and can "infect" closed-source code. The reality is far different. If a company is found to be in violation of the GPL, they find themselves in a copyright violation situation. This means that they must a) stop further distribution and b) potentially be held liable for monetary damages resulting from the distribution. They absolutely don't have to release their code. However if they want to continue to distribute and sell their product they will have to do one of three things: 1) remove infringing code, 2) license the infringing code under acceptable terms, possibly by paying a licensing fee to the copyright holder, or 3) release their derivative code under the GPL.

  11. Re:is the CIA selling these viruses? by fuzzyfuzzyfungus · · Score: 5, Funny

    Option #4: An obscure RFC describing the implementation of TCP/IP on a 5.56x45 'jumbo frame' physical layer is drafted.

  12. Re:Not gonna happen by kbonin · · Score: 4, Informative

    The FAQ section you linked to is specific to the LGPL. The LZO library is licensed under the GPL, which means any application that uses it, and is distributed publicly, must be released with full source licensed under the GPL. This is an important distinction between the LGPL and GPL...

  13. It's a joke by ildon · · Score: 4, Informative

    Quoting the article because so far no one actually followed the link and read it (as usual).

    Disclaimer: This post is for fun, don’t take it too seriously, but the questions are still valid. This post is a personal post of one of the Lab members and does not reflect the view of any organization.

  14. Re:Not gonna happen by Qzukk · · Score: 4, Informative

    LGPL provides a "just linking" exception and is used 99:1 instead of GPL for libraries because the GPL makes no exception for linking. If your code uses GPL code, your code must be GPL.

    Generally the only people who write GPL libraries is the GNU Foundation itself, and even then they only do it when they think they have something so awesome people will adopt the GPL license to use it (like libreadline, which is).

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  15. Re:is the CIA selling these viruses? by gman003 · · Score: 5, Informative

    5.56x45mm is the specifications for the NATO-standard small-arms ammunition, used by pretty much every modern military assault rifle that isn't a Kalashnikov derivative (and some that are), as well as some police sniper rifles and various civilian rifles.

    And now I've explained the joke.

  16. Re:Not gonna happen by T.E.D. · · Score: 4, Interesting
    I have three issues with this:
    1. Does a virus spreading itself really count as "distribution" under the GPL? It could be argued that copying itself (sometimes to places it isn't wanted) is just the normal execution of this particular program (which the GPL always allows), not a proper "distribution". It's not like Iran called up the DoD and asked for its latest malicious virus.
    2. Legally you have to hold the party you got your distribution from liable for a GPL violation. That's the way the license is written. Thus to hold the DoD liable, you'd have to be the person who got your copy of the virus direct from them, not from another infected party. In other words, you have to be "patient zero". Who could prove that in court?
    3. The USA has laws against copying classified programs. So its quite possible the DoD could decide to turn around and arrest the litigant for posessing and/or distributing classified material.
  17. Re:Not gonna happen by ZeroSumHappiness · · Score: 5, Funny

    Dammit, people, that was meant to be Funny, not Insightful!