Intel's ME May Be Massively Infringing on Minix3's Free Software License (ipwatchdog.com)
Software engineer (and IP Watchdog contributor) Fredrik Ohrstrom (a.k.a. Slashdot reader anjara) writes:
Almost all Free Software licenses (BSD, MIT, GPL...) require some sort of legal notice (legal attribution) given to the recipient of the software, both when the software is distributed in source and in binary forms. The legal notice usually contains the copyright holder's name and the license text. This means that it's not possible to hide and keep secret the existence of Free Software that you have stuck into your product that you distribute. If you do so, then you are not complying with the Free Software license and you are committing a copyright infringement!
This is exactly what Intel seems to have done with the Intel ME. The Minix3 operating system license requires a legal notice, but so far it seems like Intel has not given the necessary legal notices. (Probably because they want to keep the inside of the ME secret.) Thus not only is Minix3 the most installed OS on our recent x86 CPUs -- but it might also be the most pirated OS on our recent x86 CPUs!
They're a corporation.
Lol.
"Intel's ME **May** Be Massively Infringing on Minix3's Free Software License "
[Emphasis mine].
No. They aren't. Even the author of Minix thinks it's fine. He thinks it's rude they didn't even tell him. But they didn't have to.
http://www.cs.vu.nl/~ast/intel/
Intel paid for a license and the parties involved are under an NDA.
But honestly I think we still need to focus on developing CPUs and SoC for which the end-users have complete control over every aspect if we want to inevitably gain control over our devices. We also need a complete set of source code for other chipsets. From wifi and GSM modem chips to graphics and keyboard controllers. It seems that right now the only real project with any progress aiming to do that is EOMA68. Unfortunately this stuff takes YEARS and we still don't ultimately have a card or standard compliant device in hand yet. Though there are people already at work on CPUs and similar so it's a start and we do have EOMA68 designs that work and prototypes even if the final cards and devices aren't yet shipping.
Note that Intel doesn't violate IP, it licenses it. The idea that Intel could violate an IP law is ludicrous.
... For now.
1.) AST published an open letter, and the fact that the disclaimers are not posted does not seem to bother him much.
See here: http://www.cs.vu.nl/~ast/intel...
2.) Minix3 License states that, when distributed in Binary form, the DOCUMENTATION has to reproduce the copyright notice and, well, there is no documentation whatsoever about the ME.
See here: https://github.com/Stichting-M...
Having said that, security through obscurity is not a sensible policy, and AST's courtesy is not enough. If Intel is using Minix, they should say so and print the license.
*** Good luck to everyone and have a happy day!
The Minix3 standard license is four sentences:
http://git.minix3.org/index.cg...
The second clause / sentence of the license is:
--
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
--
Intel did not comply with that. Intel violated the license. That's a fact. Tanenbaum isn't too mad about it, and that's fine. If he chooses not to sue them that's all well and good, but it doesn't change the fact that they did not comply with the license. Note Minix can ALSO be licensed under other terms - a company can contact the copyright holders to negotiate a different license, which may include payment. Intel didn't do that.
They had no right to make and sell copies of Minix as part of their CPU, since they didn't do so under the normal license.
Many years ago, Minix wasn't open source. It was sold for $69 / copy. After inflation that's about $150 in 2017 dollars. If Intel has unlawfully sold 500 million copies which they'd now need to pay Tanenbaum for - well he could be a very rich man if he chose to. Even at $1 per copy that's $500 million that Intel owes him.
For those who wanted to know.
This does indeed require that something shipped with the hardware should say that MINIX is in there. Even if there is no documentation provided.
The BSD license is the most infringed. Most companies get this wrong. Many of them can tell you why they don't use GPL, and then they infringe on the BSD license, putting themselves in exactly the same place (being a copyright infringer) as if they had used GPL.
Bruce Perens.
The author of MINIX, Andrew Tanenbaum, wrote a public letter about hearing that MINIX was in the Management Engine. He did not indicate that Intel had any form of special license or had even informed him that MINIX was in the management engine.
He might not care that he's being infringed, he might not even have figured that out. But it really does look like he's being infringed.
Bruce Perens.
"ME is turning into a colossal dumpster fire."
Or maybe the equivalent of a billion dollar ad campaign against Intel.
Customers don't want spyware. It seems that, if Intel continues to try to force spyware on customers, Intel will eventually go bankrupt. That would be a very, very bad conclusion to the very, very bad management by Intel.
It is EXTREMELY important for the entire world, in my opinion, that Intel stay healthy. (The world needs AMD to stay healthy, also.)
Did the present Intel managers lack the social ability to understand that providing hidden access for hidden invaders would damage Intel's reputation? Apparently Intel needs a new CEO. Maybe other Intel managers should be replaced, also. Most of the technology development parts of Intel have seemed healthy to me; it's the business management that is failing, apparently.
The world was told more than 3 years ago about the hidden control: Secret of Intel Management Engine by Igor Skochinsky. (Mar 12, 2014)
Intel was told that there would be problems: Intel's Management Engine is a security hazard, and users need a way to disable it. (May 8, 2017)
Did the present managers lack the social ability to understand that it was likely that hackers would find defects in the Intel Management Engine? One article: Intel Patches Major Flaws in the Intel Management Engine. (Nov 22, 2017) Intel's reaction: Intel Management Engine Critical Firmware Update (Intel-SA-00086). (Dec 5, 2017)
People forget that the software author can always privately license software under whatever terms they like. The likelihood of a company like Intel improperly licensing a piece of software is highly unlikely when more likely is that they obtained a license allowing them to do with it what they want.
If I or anyone else publishes a work of open source software, we can always negotiate a different license with a company or individual to suit their purposes.
This isn't unlike the people who freak out when a company has a piece of software they've licensed as open source, but charge for it, then don't have the source freely available - because people think the GPL requires source to be given away when it doesn't. The source must only be made available at reasonable distribution/copying costs when the binaries are distributed. If I want to charge a million dollars for a piece of open-source software I've written, I don't have to give away the source to anyone except the person who bought a license to the software, but a different license can always be negotiated.
0x68ADA2CC
I'm willing to bet that if you can actually get a shell into the management engine Minix instance, and browse to /usr/share/doc or wherever, the license probably actually is in fact there, so the letter of the license is almost certainly fulfilled (because the license is going to be in the upstream distribution of Minix, and it would be extra work *and* would invite legal trouble for Intel to remove it, so why bother?), even if the spirit is violated.
You're quite correct. The Minix license is visible at https://github.com/minix3/mini... .
I'm not convinced BSD is the most infringed license, but you seem correct that infringing it is commonplace. One reason difficulty is that the BSD license does not have the clear consequences that GPL violation does, that violation loses access to all other GPL licenses from the same copyright owner. The Free Software Foundation has been using this successfully to enforce GPL compliance.
Sure he did
http://www.cs.vu.nl/~ast/intel/
My counter argument is what you said, just the other way around.
So copyright infringement is a good thing now? Funny how when corporations whine about all the programs and movies people "pirated" yadda yadda yadda.
Thing is whenever someone "steals" a $15 movie, damages in the thousands are claimed. When Intel makes billions using "stolen" minix... hey let's not nitpick.
Intel do have lawyers, and free software folk that understand licensing.
I'm sure they are capable of working out that all they need to do to be in compliance is to include the copyright notice somewhere in the binary blob that is ME.
Has anyone actually been in a position to check if they did that or not?
If not, I suspect that this is a non-story.
Also, even if AST were upset enough to sue (which does not appear to be the case), I don't suppose it would cost much to shut him up.
Are there any other copyright holders with standing here? (Minix used to be a one-person thing, but perhaps he's been accepting diverse contributions since relaxing the license). Even so, if they did include some sort of copyright notice, there's nothing for other copyright holders to say either.
Debian: GNU/Linux done the Linux way
The least Intel could do is dropping some sort of funding on the MINIX 3 project.
Furthermore if x86 dies, there will now be room for both a new bios/firmware/boot environment as well as new cross-platform operating systems.
The way things are going that would be UEFI. Which is, you know, mostly locked down on non Intel platforms. Especially ARM ones -
https://www.extremetech.com/co...
If you haven't been following this fracas since it first started to emerge last year, it's all to do with UEFI - a long overdue replacement for BIOS - and a feature called Secure Boot. In essence, Secure Boot stops a computer from loading an operating system that hasn't been signed by the publisher (in this case, Microsoft or an OEM), and its signature added to the computer's firmware. On an x86 Windows 8 computer, you'll be able to sign your own operating systems (custom builds for Linux, for example), or disable Secure Boot entirely. On Windows 8 ARM computers, neither of these options will be available: You'll have official builds of Windows 8, and that's it.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Though PC monoculture is a very bad thing, so is too much variance. No one wants a computing world where you can't get more than 25% of software to run on any particular platform so you may need multiple PCs just to use all of the software titles you want to use. This is a minor problem with video game consoles today (I'm looking at you, "console exclusives"!) but, back when there were many more, there was no way to play all the games you wanted to play on a single system as the titles were just not available.
"Be particularly skeptical when presented with evidence confirming what you already believe." -
The locking down on ARM has nothing to do with any limitations of UEFI on ARM. It was a move by Microsoft ... a choice to remove choice ... because they knew they could get away with it. They can do it on x86 just as easily from a technical perspective and many of us expect them to in the not too distant future if they think they can get away with it.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
You should have logged in. You could have won the internet in the "Most Stupid and Misinformed Post" category. Hint: Tanenbaum argued that Linux should take the Minix / Microkernel approach which Linux rejected in favor of a monolithic approach.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
So.. What you are essentially saying is that the Year of the Linux/Minix desktop started decades ago??
To Terminate, or not to Terminate, that's the question - SCSIROB
FTFY
In the real world: where there are multiple architectures, you could reasonably expect people to write most software in high level languages, in a portable way.
Alternatively, the communists like you will take over, and we will all drive Trabants.
Sent from my ASR33 using ASCII
where there are multiple architectures, you could reasonably expect people to write most software in high level languages, in a portable way.
It costs money to support multiple architectures and multiple operating systems. Even though cross-compilation is possible, cross-testing is a bit more expensive, as it's not quite as practical to judge user interface responsiveness when you're relying on remote access to a leased VPS of the appropriate architecture through RDP, VNC, X11, GoToMyPC, LogMeIn, or the like. If a smaller company hasn't yet ramped up its collection of target hardware on which to test, end users will end up seeing notices like this on its applications:
x86-64: Buy Now
MIPS64: Sign Up to be notified when we expand to your architecture.
AArch64: Sign Up to be notified when we expand to your architecture.
RISC-V: Sign Up to be notified when we expand to your architecture.
My point is that getting rid of x86 and the Bios doesn't necessarily mean a more competitive environment and open platforms.
Indeed the PC was only open because IBM used off the counter parts, documented the Bios and lost lawsuits against cloned hardware and clean room Bioses. That allowed other vendors to build clones.
And also that the notion of cryptographically signing OS loaders hadn't been invented then, which allowed Linux to run on hardware that was more or less optimized to run Windows.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
I wonder if the folks that determined Minix was in it could face federal prosecution for DMCA.
Sometimes it's not about right or wrong, but about how deep the pockets go.
Hardware wasn't optimized to run Windows. That is ridiculous. I would agree with the other stuff you said of course, but keeping x86 / UEFI doesn't encourage lockdown either. The point is lockdown is a function of marketing and politics that leverages consumer ignorance, and is not tied to any processor.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Replies to:
"Our feelings are not doing any financial or reputational damage to the Intel brand."
and to:
"... what are the geeks (such a small market that it can not be measured) going to do about it?"
It is common, I've observed, that technically-knowledgeable people believe they should not get involved with social issues. In fact, however, they have discussions like this one and have a huge amount of power.
What are the legal issues? Can you recommend Intel or AMD hardware without telling the managers of your company or your customers that the hardware is not secure? Could you go to prison for knowingly selling insecure hardware without informing the customers in a way that causes them to fully understand? Suppose a company loses millions of dollars because Intel hardware you recommended was found to be hackable, especially since that kind of vulnerability has already happened. Can you be found liable?
"Intel has been richly rewarded for implementing ME and with AMD implementing similar backdoors..."
Intel SHOULD be "richly rewarded" for that. "Implementing ME" was a good idea. The issue is that it was done in a way that Intel has kept hidden, and in a way that customers who don't need that feature are not allowed to understand and cannot control.
It seems to me that the business side of Intel is not being managed well. What I know about Intel management is from talking with Intel employees, sometimes at conventions, sometimes at social events not connected with technology, visiting an Intel campus during an open house event, and from news stories.
Here is one example of what I have learned, from a 2013 news story:
Intel has been emitting fluoride for years without state knowledge, permit. (Sept. 24, 2013)
Quote from that story: "When Intel applied for D1X approval, the company considered its fluoride emissions insignificant and did not include those. It was only when the company applied for the new DEQ permit required by greenhouse gas regulations that it [Intel] requested a 6.4-tons-per-year fluoride emission limit."
Intel is putting 6.4 TONS EACH YEAR of fluoride compounds into the air around its plant! Does that seem to you to be good business management?
My understanding is that there are many areas of bad business management at Intel. The central technological group, however, seems to me to be well-managed. For example, in recent years Intel has released CPUs that provide the same computational power, but lower the electrical energy required. That achievement is good for all humans on the planet.
You may be right. Tanenbaum or others at the University may be able to subpoena the code. I'm sending him a link to your post.
This seems like a great tool to use to force Intel to disable all the MEs out there. Since we know this is a very large security hole, at least with processors based on and newer than Sandy Bridge, it seems the right thing for Minix3 to do.
You are clearly one of those easily confused people who didn't notice when Microsoft started trying to make it the hardware's fault when they didn't support it properly. "Do ARM processors support Windows?" News Flash: There is no processor technology that supports a particular OS. Originally VAX was designed so that VMS could support virtual addressing in hardware, but there is nothing, and I mean NOTHING about Windows that is innovative, or that Intel considered when designing their processors. They have processor technologies the OS is free to leverage, not techniques that leverage software. Saying they "support Windows" better is stupid, and ignores the fact that Linux, the BSDs, and MacOS are far superior systems.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Well it was optimized for Windows in the sense that 90% of desktops ran Windows and the OEMs pre-installed it. So it made sense for OEMs to make sure Windows ran well, even if other OSs didn't.
E.g. look at Winmodems. They were cheap and worked in Windows, but didn't work under Linux. OEMs did care about Windows and reducing costs but they didn't care about other OSs. So you got Winmodems.
And in a sense Secure Boot UEFI might well be the same thing. Microsoft require it for Windows. It's at the very least inconvenient for other OSs, even on x86.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
In general, anyone who was harmed by an unlawful act can sue. The plaintiff would show that:
1) The defendant did an unlawful act (including torts such as negligence)
And
2) That unlawful act caused harm to the plaintiff
In Megabyte vs Nvidia, the copyright infringement may have constituted unfair competition or unfair trade practices under state law. The court ruled that *if certain specific conditions are met*, the federal Copyright Act preempts state common law and the plaintiffs did not prevail.
So while *in general* anyone harmed by unlawful conduct has standing to sue, the Copyright Act specifically limits that, under certain conditions. There's not a clear, bright-line answer to these general types of cases.
Separately, *criminal* copyright infringement can be charged by a federal prosecutor. Criminal infringement is defined as:
infringes a copyright willfully and for purposes of commercial advantage or private financial gain ...valued at over $2,500
Millions of copies of Minix is more than $2,500 of value, so if Intel was willful in their infringement they are guilty of criminal copyright infringement.
Intel isn't often this stupid. I propose an alternate explanation - NSL by the TLA's demanded they add this backdoor. And can't talk about it. We know this happens to other firms. Occam's razor.
Why guess when you can know? Measure!
Andrew Tanenbaum replied to me / us 20 minutes after I sent him a link to your post. He figures Intel would be willing to spend millions fighting a subpoena, so it's not worth it. :(
There is a range, but basically $750 per copy, up to $150,000 per work. So Intel owes Tanenbaum $150,000, or whatever damages he can prove.
This had nothing to do with the hardware "running well" and is strictly about drivers (software.) Secure boot is an optional UEFI module. You can have UEFI without secure boot. Also, UEFI is software, not hardware. It offers the same features for Linux as Windows, and there are Linux distributions that support it. Winmodems were "Windows Only" because of lack of documentation and drivers; there was nothing about the hardware that made it work better with Windows than any other OS. In every case it was about getting software to support the hardware. At no time did a hardware engineer say "hey, we should do it this way so Windows works better" because, again, software supports hardware (or not), not the other way around.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
The Jews were forced to wear Pieces Of Flair
"ME is turning into a colossal dumpster fire."
Or maybe the equivalent of a billion dollar ad campaign against Intel.
Yeah, but in favor of whom?
Look at the other giant desktop/workstation/server CPU maker:
AMD.
Since the current Zen generation (and in laptop APUs, since the previous generation, too) they have AMD PSP: an ARM core, which has a few useful uses (storing keys like TPM, can be used to encrypt RAM transparently to avoid VMs trying to hack each other, etc.) but is a closed signed blob that can't be audited and has full RAM and bus access.
(at least luckily, unlike Intel ME/AMT it doesn't listen on the network by default, doesn't handle firmware flashing, and doesn't keep working even when the CPU is powered off. These "lights-out management" functionalities are usually handled by dedicated IPMI chips on server hardware - which luckily listen on a separate network).
Though it seems that, in the light of the Intel ME scandals, AMD are trying to provide ways to make the PSP stop communicating with the outside once the system has initialised.
Take a step further back and look at another giant CPU manufacturer:
Qualcomm, the top maker of smartphone ARM SoCs.
The situation is even worse. On their SoCs, to make things a tiny bit cheaper and a few functionalities easier, the baseband modem is integrated into the main SoC. And it is in charge of tons of low-level functionality - Init, RAM, etc. (basically, the modem serves as the chipset's northbridge).
The problem is that for legal reasons it cannot run arbitrary code (because it communicates over special radio frequencies that aren't open but licensed, unlike the usual 2.4GHz used by Wifi/BT/etc). The baseband modem can only legally run code (enforced by signature checks) that is written by people holding the necessary license to emit stuff on the restricted frequencies used by 3G/4G.
So only telco service providers and chipset manufacturers can send code (with OTA) to the northbridge of your smartphone to run.
That's why projects like Purism's Librem 5 have to resort to underpowered unusual chips like Freescale 6mx / 8mx. That's about the largest popular manufacturer from which they can get SoCs that don't require running any proprietary blob.
There's literally no huge big CPU manufacturer where you can avoid blobs at very frightening access levels to RAM.
But hey, at least all the above blobs are successfully used to handle DRM and thus online streaming works flawlessly. And all the clueless users are happy about their internet-TV working out of the box.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Nope. That's still software not supporting the hardware. There is no end run around it.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Can somebody confirm or deny: Intel's built in spy/nanny system - all that keeps the free world safe from terrusts and peejafiddlers and cormanausts - is cribbed from a classroom exercise that became a joke that got out of hand before they could stop it.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Correction, the author has made it sort of clear he has not explicitly given Intel a license. He did say they talked about licensing.
What is clear though, is the author in question has no right to give out any license. The copyright holder is the university he works at, not him. There has been no statement from the university.
Do 99% of the users not want their CPU to boot?
The management engine does more than just remote management. It manages the entire system, from first boot process to power management.
Jeeze, here I am on vacation and I get a notification from a friend that I'm being discussed on /.
And look, it's Alexander the fucking coward "Pussy" (that's what the P stands for) Kowalsky, the mentally-retarded that thinks any AC is either me or Creimer or someone else.
Too fucking stupid to know that plenty of *properly-educated* people type and speak just like I do.
And I've been saying use a router FOR YEARS ON THIS SITE, since it was revealed that the OS and some programs bypass HOSTs AT WILL, oh but suddenly you won't go back and post any of those links to the arguments, because that would MAKE YOU WRONG AND A LIAR, yet usually you're already set with links to everything else - hmmm. Isn't that suspicious? Your behavior is pretty fucking obvious, shitstain.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
That's what I was thinking. EFF and others would support it. Tanenbaum doesn't seem to be interested, unfortunately. The copyright is actually held by the university. Possibly someone else at the university would be interested.
copyright laws are for people to obey, not for corporations.
copyright laws are for corporations to wield, not for people.
When you start to add raid cards and it fails to boot, the bios usually gets blamed due to some lack of memory from something old. OP rom or some such?
Holy shit look at this raging fuck. I come back from vacation and lookie here. Absolutely amusing how easy it is to make you mad. Let's keep playing this, because that means I control you.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.