How Ubiquiti Networks Is Creatively Violating the GPL
New submitter futuristicrabbit writes: Networking company Ubiquiti Networks violates the GPL, but not in the way you'd expect. Not only did the kernel shipped in their router firmware not correspond to the sources given, but their failure to provide the source led to a vulnerability they created being unpatched long after its disclosure. They're maintaining the appearance of compliance without actually complying with the GPL.
The GPL was violated. Doesn't matter how they did it.
Isn't outing a manufacturer over product issues more of a Twitter thing?
How is this not the way you'd expect? What were you expecting?
Interesting, I have been looking at their WISP stuff for a while, and one thing I liked was they were using lots of COTS and open source software. Funny, I would not want to publish my code either, as apparently it was buggy; they would have been lash-whipped by Linus!
And in what way is this not how I'd expect?
Sleazy corporation skirts around rules, film at 11.
Lost at C:>. Found at C.
I have the edgerouter POE, which is a fantastic piece of hardware, but it still doesn't support proper vlan tagging controls on the embedded switch ports. A feature I would add myself but the hardware isn't open enough to do it without a lot of reverse engineering.
So, this makes me wonder if they are sort of stuck between stupid hardware companies and the GPL. They may not be able to publish changes to the open source products without violating their NDAs with the manufacturers of assorted chips/etc. they use.
I'm not trying to defend them, just point out a situation I've found myself in. GPL software is great for bootstrapping a project, but for some of these platforms it can be a real PITA. I feel for small companies like Ubiquiti. But I'm pretty irritated by Sony, Broadcom, Cisco, etc. which are also playing the same game.
Never attribute to malice that which is adequately explained by stupidity.
Some settling may occur during posting.
the GPL and going to BSD, MIT, others.
For my group, we are heading BSD. It just makes more sense to us to avoid stepping on toes, and the license is maximally free. Personally, I'm a pragmatist and not opposed to proprietary or open -- use what works for a given situation.
Still, if this company has violated the GPL, they should have been outed and still need to find remedy.
Get Linus to make the request and force the copyright issue. What are they going to say? No?
He owns their equipment now.
Never attribute to stupidity when it's a habitual offender.
ELOI, ELOI, LAMA SABACHTHANI!?
How will this impact BroadBand HamNet (formerly HSMM) which mainly targets Ubiquiti hardware, and obsolete Linksys stuff?
Red to red, black to black. Switch it on, but stand well back.
Never attribute to malice that which is adequately explained by stupidity.
Raise your hands if you have ever worked somewhere where there was an official build system and most developers did not get matching binaries from their development systems.
So you are saying that corporations don't trust the GPL because they do not comply with the GPL? Seems like an easy fix isn't it?
What's not to trust? Either you use the GPL code knowing full well the ramifications of doings so... or you Write It Yourself.
I am very small, utmostly microscopic.
Why, because they want to steal other people's work? It's a fucking copyright violation regardless of its GPL status.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Yeah, really odd that. They don't trust the GPL because they can get into trouble when ignoring the license of someone else's code.
Unlike Microsoft...
Uh...
Well, I guess corporations don't trust EULAs or ToS either, then.
Right?
Sorry, but what?
Nobody forced the company to use GPL stuff. Nobody forced them to build a product around it.
That they failed to comply with their obligations under the license is their own damned problem.
Use the GPL stuff, don't use the GPL stuff .. it's your choice. But if you choose to use the GPL stuff, you don't get to piss and moan that you don't want to live by the license.
Corporations aren't entitled to use GPL code and not adhere to the license. It's not a situation in which you can just decide how you'll interpret releasing the code.
These corporations which don't trust the GPL are entirely free to piss off and write their own code, or start with something like BSD which says "go ahead, do whatever you want with it".
Lost at C:>. Found at C.
So you are saying that corporations don't trust the GPL because they do not comply with the GPL? Seems like an easy fix isn't it?
This.
It isn't the GPL that has earned distrust here. It's Ubiquiti Networks.
If it weren't for deadlines, nothing would be late.
People talk like companies are some single monolithic thing but that's seldom, if ever, the case, especially with anything bigger than a tiny startup. Companies are run by people but no matter how involved an upper manager or CEO thinks he or she is in the daily operation of the company it's 100% impossible for them to make, or even be aware of, every single little decision (let alone every honest mistake, or poor training issue, or stupid/lazy practice) that goes on in the whole company. Sure, at the end of the day, management is _accountable_ for what employees do, but there's essentially no way some CxO said "hey, screw this GPL stuff, nobody will notice anyway." It's FAR more likely that some low-level employee (maybe with the knowledge of his low-level manager, maybe not) just screwed up, or two teams failed to communicate effectively, or similar. If outing them brings enough attention to the issue that upper management actually takes action and establishes strict policies for the use of open source/GPL code to avoid such things, that's probably a net-positive, but all this talk of "if company A decides X..." with regard to specific technical issues like this, is mostly just BS. A COMPANY IS NOT A PERSON. (and also shouldn't be able to "vote" and so forth, but that's another topic entirely).
Dev: we moved to new Gentoo servers over the weekend and the script that exports builds is broken. it dies trying to get to the compliance server
Ops: we shut that thing down, it's ancient and would take too much time to patch for heartbleed. besides it only hosted an FTP server with some open source code. use the new server, USCMPSRV013435 to sync the GPL code outside the firewall
PHB: NO DON'T i read an article on how GPL code is viral and also Edward Snowden stole Wikileaks 6 months ago from chinese hackers in the presidents internet.
Ops: er...okay...sooo....the last data up there is what we restored from old sparky...
Dev: oh dear that's ancient....we had to patch new GPL'd code into the product to get ipv6 to stop crashing
Good people go to bed earlier.
You are not getting my .config and trivial kernel patches either (for value of patches, a few well placed /* */'s). Do your own homework.
Finally, someone who has apparently actually worked in software...
It's a LOT easier to (even unintentionally) mess up than to get it right. Management should establish better policies and checks to ensure compliance and they deserve to suffer the legal consequences of failing to do so, but things like this are almost always "honest mistakes" by specific employees or sometimes specific teams and are very rarely if ever deliberate strategic decisions. This is made even worse by things like high turnover, offshoring, etc.
I have no affiliation with Ubiquiti, other than as a small customer, but I've had very good experiences with their products thus far and hope they fix their policy/training/oversight issue and move on. They're just another among thousands of companies who happen to employ one or more people that (strangely enough) aren't perfect and can therefore possibly screw up at times.
Well, this just screwed the legal pooch... your posting pretty much kills any recovery chance you had in court.
They could easily claim:
(1) Witness tampering
(2) Jury tampering
(3) Impossibility of a fair hearing (and they get to pick the venue; how's East Texas sound?)
(4) They were attempting to remedy the issue, and this posting did irreparable harm to their business
Most likely they are just trying to hide a hard-coded signing key.
Most likely, you are just bitching because you can't run your firmware on their hardware without the hard coded signing key.
The linked site in TFS is suffering from (possibly slashdot-induced) overload. Here's the text from the linked page:
Four ways Ubiquiti Networks is creatively violating the GPL
Ubiquiti Networks is a company which makes long-range wireless equipment. Admittedly, you can do some pretty amazing stuff with it, but the company has a dark history of securities fraud, violation of U.S. sanctions, trademark and copyright lawsuits and software patents, which isn't as amazing.
In addition to this, they have been violating the GPL. However, because they did it creatively, most people don't know about it, and Ubiquiti still hasn't come into compliance.
Here are four ways that they have succeeded in making the violations hard to notice, and even harder to act upon.
1. Giving the appearance of compliance
'You can find the complete and corresponding source in the GPL archive.'
Ubiquiti had a website set up where you can download tarballs purportedly containing all GPL source for each and every firmware release. (I can't find it any more, but that doesn't mean that it isn't still there.) When you look through these tarballs, they appear to be complete, and there are build instructions which allow you to make your own custom firmware.
It's only when you look closer that you start to notice problems, such as...
2. Refusing to provide the source to their modified bootloader, even though they made changes that introduced security vulnerabilities
Security keys
Up until version 5.5.4 of Ubiquiti's airOS, the locally-modified u-boot bootloader contained a security issue - It was possible to extract the plain-text config from devices running the firmware, without leaving a trace. And the plain-text config contains unencrypted WPA/WPA2/RADIUS passwords.
Even worse than this security issue was Ubiquiti's response to it. Namely, they:
Refused to provide the source code, even though u-boot is under the GPL
Didn't fix the security issue for a long time after it was publicly disclosed
To this day, Ubiquiti still has not provided the u-boot source code.
3. Providing source code to a version of Linux, just not the one that they actually ship, and hoping that nobody notices
Ubiquiti Source Ubiquiti Binaries
It would be natural to think that the binaries that Ubiquiti provides were compiled from the source code that Ubiquiti provides. As it turns out, for a large number of their releases, the kernel source given does not correspond to the kernel in the official firmware images.
As evidence, consider that in version 5.5.4 of the AirMax firmware, the kernel was modified such that the MTD partitions would be read-only; however, this change cannot be found in the corresponding kernel patches or source.
Such practices make finding violations extremely difficult, and we can't know for certain that they haven't done this with anything else in the GPL tarball. It's possible that this was just a mistake, but remember that people have complained about this without much of a response.
And speaking of complaining...
4. Dragging out GPL code requests for months on end, then inexplicably going silent
Bureaucracy is a challenge to be conquered with a righteous attitude, a tolerance for stupidity, and a bulldozer when necessary
In case you think that I am being mean to Ubiquiti by going public, please note that I have been trying to contact Ubiquiti for the past year about the issue of the u-boot source code. You can see my attempts here, here and here.
In fact, I even got a copyright holder of u-boot to ask for the source, and they still haven't provided it.
From my conversations with Ubiquiti, I have found that they claimed that it's alright to refuse to provide source code to GPL-licensed software if "This decision was taken with the security of the users in mind". Furthermore, my conversations were endlessly delayed by the supposed necessity to forward m
If it weren't for deadlines, nothing would be late.
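Point 3 of the quoted article (the shipped kernel not matching the published source) and the earlier comment about developers not getting binaries that match the official build system both come down to the same audit question: does the kernel in the firmware image even claim to be the release the GPL tarball builds? The script below is an added example, not code from the linked article, from Ubiquiti or from any commenter. It pulls the `Linux version ...` banner out of an already extracted and decompressed kernel binary, reconstructs the release number from the source tree's top-level Makefile, and compares the two after stripping any local-version suffix. All names, the sample Makefile and the sample images are constructed for the illustration.

```python
"""
Added example (not from the linked article, Ubiquiti, or any commenter):
a first-pass check that a kernel binary extracted from a firmware image
names the same release as the accompanying GPL source tree.  All inputs
below are constructed for illustration.
"""
import re

# The kernel embeds its version banner in the image as a plain string.
BANNER_RE = re.compile(rb"Linux version (\d+\.\d+\.\d+\S*)")

# Version fields at the top of a kernel source tree's Makefile.
MAKEFILE_FIELD_RE = re.compile(
    r"^(VERSION|PATCHLEVEL|SUBLEVEL|EXTRAVERSION)\s*=\s*(\S*)\s*$"
)


def kernel_version_from_image(image: bytes):
    """Return the version string from the 'Linux version ...' banner, or None.

    Assumes the kernel has already been carved out of the firmware image and
    decompressed; a still-compressed payload (e.g. LZMA inside a uImage) will
    not contain the banner in the clear, so run this after unpacking.
    """
    m = BANNER_RE.search(image)
    return m.group(1).decode("ascii", "replace") if m else None


def kernel_version_from_makefile(makefile_text: str):
    """Reconstruct VERSION.PATCHLEVEL.SUBLEVEL plus EXTRAVERSION, or None."""
    fields = {}
    for line in makefile_text.splitlines():
        m = MAKEFILE_FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    if not all(k in fields for k in ("VERSION", "PATCHLEVEL", "SUBLEVEL")):
        return None
    return "%s.%s.%s%s" % (fields["VERSION"], fields["PATCHLEVEL"],
                           fields["SUBLEVEL"], fields.get("EXTRAVERSION", ""))


def base_version(version: str) -> str:
    """Drop the suffix that CONFIG_LOCALVERSION or a dirty tree appends
    ('-vendor', '+', ...), keeping only the numeric release."""
    return re.split(r"[-+]", version, maxsplit=1)[0]


def source_matches_image(image: bytes, makefile_text: str) -> bool:
    """True when the image banner and the source tree name the same release.

    A match is necessary but not sufficient: the article's example (MTD
    partitions flipped to read-only) would not change the version string at
    all, so a real audit has to go on to rebuild from the tarball and diff.
    """
    img = kernel_version_from_image(image)
    src = kernel_version_from_makefile(makefile_text)
    if img is None or src is None:
        return False
    return base_version(img) == base_version(src)


# Constructed sample inputs: not real firmware and not a real GPL tarball.
SAMPLE_MAKEFILE = """\
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 32
EXTRAVERSION = .33
NAME = Constructed Example
"""

SAMPLE_IMAGE_MATCHING = (
    b"\x7fELF" + b"\x00" * 32
    + b"Linux version 2.6.32.33-vendor (builder@example) (gcc version 4.3.3) #1\x00"
    + b"\x00" * 16
)

# Same layout, but the banner names a different release than the source does.
SAMPLE_IMAGE_MISMATCH = SAMPLE_IMAGE_MATCHING.replace(b"2.6.32.33", b"2.6.32.60")


if __name__ == "__main__":
    for label, img in (("matching", SAMPLE_IMAGE_MATCHING),
                       ("mismatch", SAMPLE_IMAGE_MISMATCH)):
        print(label,
              "image:", kernel_version_from_image(img),
              "source:", kernel_version_from_makefile(SAMPLE_MAKEFILE),
              "match:", source_matches_image(img, SAMPLE_MAKEFILE))
```

A passing check only tells you the vendor shipped something built from the same upstream release; to find changes like the read-only MTD flag described above you still have to build the tarball with the published instructions and compare the result (config, symbol tables, or the binary itself) against the shipped kernel.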
from scratch to deal with the proprietary hardware, and talk to that from your GPL app. Or the other way around. It's not impossible.
I used to work for a company that was meant to be a partner of Ubiquiti -- from the first meeting with Robert, one could tell this was not going to be a "share and share alike" partnership -- more likely it was going to be a one party gives, the other takes partnership. We as partners needed access to some parts of the code, and in meetings said we'd like to get the source, and given that it was built on GPL'd code, we figured it would be a non-issue. How wrong we were. Basically told that was never gonna happen, not for us, nor anyone else that wanted it, it was their IP. Robert's one of Forbes' 10 youngest billionaires. He's gotten stinking rich off others, and refuses to give back. It certainly douses your faith in the human spirit somewhat. Anyway, not that it's much better, but you can always buy from MikroTik (ducks! ;-) )
If "you" are a one-man shop, that's fine.
If "you" are the legal department for a company with 10,000 developers, the GPL is scary. You can either blanket-ban GPL code, and make your life easy, or create a system for separately evaluating the use of each and every piece of GPL code you allow in, plus some auditing process to catch cheaters (who check in GPL code as their own work, which happens).
Cloud services companies usually go with the latter: because you don't have to share your code if you don't distribute it, the payoff is good to allow use of GPL code, and police the corner cases where you do distribute code. Blanket bans on GPL code are still common at old-school software companies.
Socialism: a lie told by totalitarians and believed by fools.
If you can spare a minute, please do any or all of the following so that we can retain the GPL's power to help the community:
- Raise awareness - upvote it, send it to friends or write a blog post about it
- Write to Ubiquiti requesting the source - their email addresses are support@ubnt.com and info@ubnt.com. You should try both.
- Send me an email telling me what you've done. My email address is riley@openmailbox.org
This is too bad. They are currently the only supported hardware maker for one of ham radio's more interesting projects: A self discovering/healing/organizing mesh network providing WiFi networking over dozens of miles on the portions of the WiFi spectrum available to hams. http://www.broadband-hamnet.org The project still officially supports the venerable Linksys WRT54G, but official support for this router is ending this month and it is a pretty old router. Then again, when you use Ubiquiti hardware and this firmware, I suppose you are no longer violating the GPL! Still, it'd be nice to not give your dollars to a GPL violator.
Shouldn't that be to give head to Stallman? Having to put your face in his unwashed, lice-infested bush would be a fitting punishment.
The problem is that nobody would be able to find his member. In fact, he has not seen his penis in years.
Jesus was a compassionate social conservative who called individuals to sin no more.
The question is... do the developers of the Linux kernel actually care enough to do something about it? I tried getting the Linux kernel source from Checkpoint for the latest Linux kernel a few years ago to troubleshoot a problem myself but support claimed they don't release the source (???). I eventually found a link on their site to an old version which was not the latest that they had modified. I never could get the latest version that they released. I bet this happens a lot more than anyone realizes. The question is... do the developers of the Linux kernel actually care enough to do something about it? I don't know the current status of Checkpoint kernel source releases but I doubt it has changed.
How does this disagree with the GP? Comply with the license, or pay to license something proprietary. It's not that hard.
So if you make a deal, in your mind the deal does not have to be honored, because some part of it is inconvenient?
Breach of license of GPL code is like raping a three year old, and blaming the license for being restrictive is like blaming the child for being cute, therefore it's their fault you raped them.
There is no viral nature to GPL.
The only viral nature is copyright. Get copyright banned if you like.
If you can't trust your developers, you have more than the GPL to worry about. If you think the cost of a GPL violation is bad, just wait and see the results of someone borrowing code claimed by a former employer (or even writing code too similar). Just ask Google where the one thing that has cost them the most pain so far, was a 9 line function that one of their programmers copied into the Android source code..
How does this disagree with the GP? Comply with the license, or pay to license something proprietary. It's not that hard.
I'm sure these guys did it on purpose, but that's not always the case. Many junior developers are simply oblivious to any concern about mixing GPL code in with their own work, and a few will cheat deliberately. Do you rely on code reviews? Do you run an auditing tool like Black Duck? In a large enough shop, you can't just make a policy and hope for the best, so the very existence of GPL code causes headaches for the legal team.
Yeah, sure, someone could copy closed source too, but that's much less likely to happen, especially by ignorance or accident.
Socialism: a lie told by totalitarians and believed by fools.
Forget to check the post anonymously box? Be careful, you might get attacked by Stallman and his followers :)
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
If "you" are a one-man shop, that's fine.
If "you" are the legal department for a company with 10,000 developers, the GPL is scary. You can either blanket-ban GPL code, and make your life easy, or create a system for separately evaluating the use of each and every piece of GPL code you allow in, plus some auditing process to catch cheaters (who check in GPL code as their own work, which happens).
Cloud services companies usually go with the latter: because you don't have to share your code if you don't distribute it, the payoff is good to allow use of GPL code, and police the corner cases where you do distribute code. Blanket bans on GPL code are still common at old-school software companies.
Most non-free licenses are quite scary too, but they often get a pass since they are not that open to begin with.
However, if GPL had been more permissive this whole incident would never have happened.
Of course it wouldn't. And Linux/U-Boot/Busybox wouldn't be as great as they currently are because corporations wouldn't have contributed back to these projects.
Legal departments already know how to deal with that (I've signed something at every new job promising I wouldn't do that, as a condition of employment), and it's obviously the wrong thing to do. Open source code is right there when you google for a solution to the problem in front of you, and it's often fine to incorporate. Quick, what license is the code you find on Stack Overflow under? OK to copy into commercial code or not?
p.s., probably not
Socialism: a lie told by totalitarians and believed by fools.
What if this was an intentional backdoor so that they-who-shall-not-be-named can spy on internet traffic of closed networks and WISPS?
And it was not included in the source packages because the source is subjected to a gag order and publishing it would be showing it to the world.
Lastly, if this is true, what if this is "standard procedure" for backdoors inserted into many open-source projects, where the code presented is actually a fork of the true, backdoored code, running on lots of hardware? Or, as per Ken Thompson's watershed article, "Reflections on Trusting Trust", they-who-shall-not-be-named has a version of GCC capable of adding backdoors to open source code and we're all blaming Ubiquiti for something they didn't even put there?
I'll be the first to admit, there's plenty of speculation here. But if there's anything we've learned in the last few years, the state of spying is way more prevalent than we thought it was. So while I have no proof, I'm certainly holding onto this information should more evidence come out.
I'd bet good money this person feels they've been "wronged" by Ubiquiti and is essentially trying to get them back. Nobody writes unsubstantiated crap like "the company has a dark history of..." without an axe to grind. I'm actually very surprised you're the only one who apparently even noticed this. It's clear all they did was a few searches on terms like Ubiquiti [lawsuit, copyright, violation, business practices, fraud] in an attempt to dig up dirt and portray the company in as negative a light as possible. That's a very powerful indication that ALL OF THE STATEMENTS on that page need to be taken with a large grain of salt. I also notice most of the negatives are presented as generalities or are subjective. As such, it's certain that all details not directly supporting the author's position were also deliberately omitted in order to make the argument sound more convincing. The author may have a bright future in politics.
In short, be sure to take note of the axe to grind before getting out your pitchforks.
This 'news' should be posted on their wikipedia page, https://en.wikipedia.org/wiki/...
fuck the legal team they are the main cause for shit!
I feel for small companies like Ubiquiti.
So a multi-billion dollar company like Ubiquiti, which has made its CEO one of Forbes' 10 youngest billionaires, is a small company?
"Politicians and diapers must be changed often, and for the same reason."
Yeah, either use BSD like Apple or pull an EEE like Google and be showered with praise for the teabagging by the FOSS community. Since they don't have the funds to pull the latter? The former would be the wise move.
ACs don't waste your time replying, your posts are never seen by me.
Microtik! Microtik! Microtik! Microtik! Microtik! Microtik!
Contract law is only supposed to be used against people taking out mortgages they can't afford. No corporation should ever be held to their signature.
They use Linux because they think it's a superior product. Despite the license. If they thought *BSD was superior, they'd use it. If they preferred the GPL, then they would make a GPL fork of *BSD.
So you are suggesting that they use an inferior product, just so that they don't have to release their minor modifications to the Linux kernel? Remember they are hardware companies. Their profit isn't in the kernel they are shipping with their routers.
And post unsubstantiated BS like the company's "dark history" to Wikipedia so it can just be reverted again by the few remaining non-idiots left on the Internet...
Internet lynch mobs have rarely benefited anyone much, and have demonstrably caused a lot of harm, often to the falsely accused or those guilty of nothing more than their accusers (and frequently guilty of /less/ than their accusers).
The authors of u-boot are stupid.
They can sue for wilful violation of copyright. According to the MPAA it is more than $1000 per copy. The u-boot team could easily sue for $1 MILLION.
The u-boot copyright holders need their head checked - this is a golden opportunity for them to make some big $$$.
I want to see Ubiquiti pay a huge sum for their GPL violation.
Hopefully the u-boot authors get their act together and go for them.
No, they used linux because that's what Atheros gave them as a base for the Atheros reference AP implementation.
Please don't make stuff up.
As the article said "the company has a dark history of securities fraud, violation of U.S. sanctions, trademark and copyright lawsuits and software patents".
I personally discovered that their standard wifi board didn't follow the mini-pcie spec on flight mode (W_DISABLE). In fact there is no way, other than cutting power to the card, of disabling radio transmissions. Multiple inquiries on this topic were all met with stunned silence. At the time I was working for a substantial company buying boxes of cards at a time, I can't imagine their response to individuals raising issues would be better.
I wouldn't trust a Ubiquiti device in the future, their attitude to standards and specifications could best be described as flexible. As a manufacturer once you incorporate their device into your product you become liable for all their RF creativity, not something any rational company should accept.
Not so long ago we got told the NSA is intercepting and modifying Cisco routers. Now we have a major router manufacturer shipping modified "black box" binaries in the firmware.
It's at least possible that the reason they won't release the correct sources is because they didn't actually write the modified code but were induced to include it by a secret order or agreement with a spy agency.
Until Ubiquiti come clean I think this should be the default assumption.
My company (specifically, my department) uses and contributes to a number of open source projects. From time to time stuff gets lost in revision control and either a commit isn't upstreamed, upstream doesn't merge our changes right away, the patch hasn't made it to the mainline trunk or is staged for the next release.
It's not completely uncommon for me to pull from an upstream project and hit a bug I know we patched and then have to track down that patch's merge history internally (sometimes it doesn't make it from one developer's local working copy to our git/svn server) and then see if it's been accepted upstream. It's nothing intentional, but it happens; sometimes a commit just slips through the cracks and you don't realize it right away.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
> However, if GPL had been more permissive this whole incident would never have happened.
Riiiiight. "If only she had consented, I wouldn't have had to rape her!"
Classic.
Hyperkin Games sells a console (Retron5) that runs emulation software in clear violation of various licenses that the original emulator developers used. They have released the source code to appear compliant but absolutely are not.
http://www.libretro.com/index.php/retroarch-license-violations/
This isn't a new thing at all. Amstrad did the same thing with (at least) the E3 Emailer.
The reason why some were rude was because you either thought them idiots or were just so completely careless that yours was an obvious lie.
You claimed, and I quote, "My understanding was that..." followed by a claim that CANNOT have been gained by ANY reading of the GPL.
Either you knew you had no understanding of the license (had not read it at all), knew you were lying (but didn't care) or heard something that you thought, saw reality was not in accord, then didn't even bloody bother with the effort of reading the GPL, ****BUT STILL PUT THE EFFORT TO WRITE ABOUT YOUR IGNORANCE***. The latter showing complete and utter disregard for everyone else involved merely so you could preen yourself in public.
ANY of those are reason enough to treat your comment with contempt. IT DESERVED CONTEMPT.
Actually, their profit is in the software. Their hardware isn't significantly different from everyone else's hardware. The reason most people buy their hardware is because their software makes that hardware very easy to monitor and manage. With routers, just like with phones, good software sells hardware.
I love the comments from folks that either haven't really read the license terms, or just plain don't understand them. If this license was a GPL2 license then while Ubiquiti does indeed have an obligation to post source, they still maintain the right to do so at their determination (in time) and in some cases just because they used GPL code it doesn't actually mean they need to release their code. A specific example of this would be a company that uses a GPL'd kernel (unmodified) and writes custom code on top of it. In that case according to the official GPL FAQ (for laypersons)
"If the two programs remain well separated, like the compiler and the kernel, or like an editor and a shell, then you can treat them as two separate programs—but you have to do it properly. The issue is simply one of form: how you describe what you are doing. Why do we care about this? Because we want to make sure the users clearly understand the free status of the GPL-covered software in the collection."
Also you can restrict source distribution to people that buy your GPL based product and not to everyone, (again from the FAQ)
"I want to make binaries available for anonymous FTP, but send sources only to people who order them.
If you want to distribute binaries by anonymous FTP, you still have to provide source through one of the options listed in section 3. This should not be hard. You can provide a written offer for source if you want; section 3(b) allows this. But if you can find a site to distribute your program, you can surely find one that has room for the sources."
In this case, since the binary hasn't been released to the public (it's a commercial sale), the subsequent public release of source is NOT required; however, the release of source to binary obtainers is required and their subsequent release to a third party (everyone else) cannot be barred by the originator of the code.
They all have the same software functionality. Most people never access their router's web interface. They can differentiate their product on the web interface, but switching from Linux to BSD won't help them sell more routers.
You're suggesting that they should violate license terms because the product with the inconvenient license is superior? Most people consider Windows 7 to be a more useful operating system than Fedora Linux, so you say they should make their own copies of Windows 7 rather than use an inferior product?
They're a hardware company. In what way would releasing the kernel modifications they made hurt them?
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Uh? Were you replying to me?
Why did Atheros use it? And was it theirs to "give".