Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec May Violate Linux GPL in Norton Core Router (zdnet.com)

Posted by msmash on from the closer-look dept.

An anonymous reader writes: For years, embedded device manufacturers have been illegally using Linux. Typically, they use Linux without publishing their device's source code, which Linux's GNU General Public License version 2 (GPLv2) requires them to do. Well, guess what? Another vendor, this time Symantec, appears to be the guilty party. This was revealed when Google engineer and Linux security expert Matthew Garrett was diving into his new Norton Core Router. This is a high-end Wi-Fi router. Symantec claims it's regularly updated with the latest security mechanisms. Garrett popped his box open to take a deeper look into Symantec's magic security sauce.

What he found appears to be a Linux distribution based on the QCA Software Development Kit (QSDK) project. This is a GPLv2-licensed, open-source platform built around the Linux-based OpenWrt Wi-Fi router operating system. For Symantec's purposes, QSDK and OpenWrt are an excellent choice. Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management. This enables Symantec to easily customize its router with updated security features. But -- and it's a big but -- if it's indeed based on QSDK and OpenWrt, Symantec needs to share the Norton Core Router's code with the world.

3 of 144 comments (clear)

  1. Read-only firmware is good - most of the time by davidwr · · Score: 4, Insightful

    Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management.

    For devices like this, firmware should have a hardware-enforced read-only setting that is on by default. Signed binaries are only as "secure" as the master signing keys, and if I can't install my own firmware I don't really "own" it, now do I?

    If I want to flash my firmware, I should have to toggle a switch.

    Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware should prevent a bad actor from installing a new binary, signed (with a stolen key) or not.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  2. Re:Minor correction by Anonymous Coward · · Score: 2, Insightful

    imagine what a Hillary-level intellect might do with this: you'd be droned before breakfast....

  3. Re:This approach is absolutely counterproductive by Anonymous Coward · · Score: 4, Insightful

    This dogmatic approach to OS is absolutely counterproductive. So what if they used Linux?

    Tell you what, start pirating Symantec's software, and see if they come after you for copyright infringement.

    If you don't wish to comply with the GPL for Linux, you are entirely free to fuck off an not use Linux. If you use Linux, you have to accept the license, just like with every other piece of software.

    If a company like Symantec is just going to steal other people's work and pass it off as their own, why should we refrain from stealing their work? Symantec doesn't get to take the stance that pirating their software is bad, but it's OK if they pirate someone else's. And I assure you, they would not accept you pirating their software.

    As has been pointed out, the *BSD licenses basically say "hey, you want to take this and do something with it and turn it into closed source, be our guests". Linux, however, has said that you don't get to do that.

    This isn't dogmatic, this is copyright law and software licenses. And the assholes who run corporations don't get to decide to take Linux and not abide by the terms and conditions.

    It really is as simple as the fact that if you're not willing to follow the license agreement, don't use the software.

    There is no software company on the planet who can make the argument they didn't know this, because this has been well known for 20+ years. It's hardly a secret.

    Which means Symantec are assholes who feel they can do just ignore that, and profit off other people's work by stealing it. Allowing corporations to get away with that isn't dogmatic. It's holding them to the exact same fucking standards the use to protect their own work, which means they have no valid excuse for ripping off stuff from other people.

    Corporate greed doesn't give them the right to software piracy. They don't have some inherent right to use that software any more than you have a right to theirs.

    Their own website says:

    Symantec respects the intellectual property rights of others and responds to notices of alleged infringement.

    and

    Report software piracy and other suspicious activity. Learn about types of piracy, fraud and other abuse (including Tech Support Scams), what are their consequences and how to avoid becoming a victim.

    Sorry, but there is no way in hell you can accept a company like Symantec ignoring the terms of the GPL and pretending it's not a big fucking deal. Because they can't possibly not know they're breaking the law.

    Fuck that, stop making excuses for them. This isn't 'counterproductive', this is the entire point of the fucking GPL.