Symantec May Violate Linux GPL in Norton Core Router

An anonymous reader writes: For years, embedded device manufacturers have been illegally using Linux. Typically, they use Linux without publishing their device's source code, which Linux's GNU General Public License version 2 (GPLv2) requires them to do. Well, guess what? Another vendor, this time Symantec, appears to be the guilty party. This was revealed when Google engineer and Linux security expert Matthew Garrett was diving into his new Norton Core Router. This is a high-end Wi-Fi router. Symantec claims it's regularly updated with the latest security mechanisms. Garrett popped his box open to take a deeper look into Symantec's magic security sauce.

What he found appears to be a Linux distribution based on the QCA Software Development Kit (QSDK) project. This is a GPLv2-licensed, open-source platform built around the Linux-based OpenWrt Wi-Fi router operating system. For Symantec's purposes, QSDK and OpenWrt are an excellent choice. Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management. This enables Symantec to easily customize its router with updated security features. But -- and it's a big but -- if it's indeed based on QSDK and OpenWrt, Symantec needs to share the Norton Core Router's code with the world.

This could have been avoided

[OrangeTide]

If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions.Plus it has great networking and packet filtering.

But most companies would rather try to save some money and effort doing things the wrong way. Violating software licenses along the way, hoping they won't get caught. In the long run that strategy is most costly.

Re:This could have been avoided

I came to the comments to say just this. The BSDs are the way to go if you're going to make closed commercial software. We don't mind, and we welcome any donations or patches as a way of saying thanks!~

Re:This could have been avoided

[Kludge]

But most companies would rather try to save some money and effort doing things the wrong way.... .

It probably would have cost Symantec a lot of money, not just some, to get BSD running on their router hardware. OpenWRT was written to run on hardware found in routers.

In the long run that strategy is most costly.

Evidence? What is "most costly" about releasing the source code for their hardware? Will people stop buying their routers just because the source code is available? Historically I have found this to the contrary. Routers that support 3rd party firmware tend to sell for more money than than the ones that do not.

Re:This could have been avoided

[sjames]

Releasing the source isn't costly. NOT honoring the license by releasing the source is what can get costly.

Re:This could have been avoided

[Bruce+Perens]

There isn't really a BSD distribution comparable to OpenWRT. I suspect the BSD license is one reason for that. A lot of people don't want to spend their free time producing corporate welfare. If a corporation wants to participate, they expect the corporation to return value to the Free Software community.

Read-only firmware is good - most of the time

[davidwr]

Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management.

For devices like this, firmware should have a hardware-enforced read-only setting that is on by default. Signed binaries are only as "secure" as the master signing keys, and if I can't install my own firmware I don't really "own" it, now do I?

If I want to flash my firmware, I should have to toggle a switch.

Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware should prevent a bad actor from installing a new binary, signed (with a stolen key) or not.

Re:Read-only firmware is good - most of the time

[Dutch+Gun]

If I want to flash my firmware, I should have to toggle a switch.

Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware should prevent a bad actor from installing a new binary, signed (with a stolen key) or not.

I think your risk assessment needs re-assessing.

What do you think is more likely: that a) a vulnerability will be found in the router's firmware which requires patching, or b) that the encryption keys will be lost, the update domain hi-jacked or intercepted, and the bad actor will manage to deliver an update package complete with malware, signed with stolen keys?

I'd bet a goodly sum that option a) is vastly more likely to occur than b), simply based on history. And yet you want to disable automatic updates by default? For consumer-oriented products, that seems completely backwards to me.

Not... really

[DeathToBill]

If Symantec are distributing Linux, then they need to make the source code for Linux available to their customers. If their system is based on OpenWRT, then they need to make the source code for OpenWRT available. Saying "Symantec needs to share the Norton Core Router's code with the world" is essentially saying that every piece of software written for Linux has to be open source - and it just ain't so. The GPL may be viral, but it's not that viral.

Re:Not... really

[Bruce+Perens]

No. They are required by the license to distribute the source code themselves, whether or not they modified it. They can't satisfy the license obligation by pointing to a public web site, because the public web site is not itself obligated to stay running for the purpose of satsifying Symantec's license obligation.

Re:Minor correction

imagine what a Hillary-level intellect might do with this: you'd be droned before breakfast....

Re:not share with "the world" just "customers"

[HelpTheNewOverlord]

Yes, but the customer has the right to release it to the public as well. So in this case there is no real difference.

Re:not share with "the world" just "customers"

I've no idea if this opinion is common or if it's the same AC who appears to peddle it every time but it's wrong. GPL V2 gives 3 options to distributing binaries, one of which must be met.

1. 1. Accompany the binaries with the complete source code.
2. 2. Accompany the binaries with a written offer, valid for 3 years, to give any third party the complete source for no more than your cost.
3. 3. Pass on a written offer you received under the second option but ONLY for noncommercial distribution where you received such an offer.

So unless you provide the source with the binaries the only way you can commercially distribute is if you will give anyone the source for no more than cost.

Re:This approach is absolutely counterproductive

This dogmatic approach to OS is absolutely counterproductive. So what if they used Linux?

Tell you what, start pirating Symantec's software, and see if they come after you for copyright infringement.

If you don't wish to comply with the GPL for Linux, you are entirely free to fuck off an not use Linux. If you use Linux, you have to accept the license, just like with every other piece of software.

If a company like Symantec is just going to steal other people's work and pass it off as their own, why should we refrain from stealing their work? Symantec doesn't get to take the stance that pirating their software is bad, but it's OK if they pirate someone else's. And I assure you, they would not accept you pirating their software.

As has been pointed out, the *BSD licenses basically say "hey, you want to take this and do something with it and turn it into closed source, be our guests". Linux, however, has said that you don't get to do that.

This isn't dogmatic, this is copyright law and software licenses. And the assholes who run corporations don't get to decide to take Linux and not abide by the terms and conditions.

It really is as simple as the fact that if you're not willing to follow the license agreement, don't use the software.

There is no software company on the planet who can make the argument they didn't know this, because this has been well known for 20+ years. It's hardly a secret.

Which means Symantec are assholes who feel they can do just ignore that, and profit off other people's work by stealing it. Allowing corporations to get away with that isn't dogmatic. It's holding them to the exact same fucking standards the use to protect their own work, which means they have no valid excuse for ripping off stuff from other people.

Corporate greed doesn't give them the right to software piracy. They don't have some inherent right to use that software any more than you have a right to theirs.

Their own website says:

Symantec respects the intellectual property rights of others and responds to notices of alleged infringement.

and

Report software piracy and other suspicious activity. Learn about types of piracy, fraud and other abuse (including Tech Support Scams), what are their consequences and how to avoid becoming a victim.

Sorry, but there is no way in hell you can accept a company like Symantec ignoring the terms of the GPL and pretending it's not a big fucking deal. Because they can't possibly not know they're breaking the law.

Fuck that, stop making excuses for them. This isn't 'counterproductive', this is the entire point of the fucking GPL.

This is why I'm against the soft-shoe approach

[Trailer+Trash]

This is why I'm against the soft-shoe approach to GPL violations in every case. Symantec is a large enough company and the people working there absolutely know what their responsibilities are. We need people who'll go after them for statutory damages to make an example.

Re:not share with "the world" just "customers"

[johnw]

The GPL doesn't require public release, only honouring requests from people who have been legitimately given the binary, i.e. customers.

Not true - whilst it doesn't require public release (in the sense of publishing it on a web site or similar) the licence does require that they make the source code available to anyone who asks for it - there is no restriction to just customers or anything like that.

b) Accompany it with a written offer, valid for at least three
        years, to give any third party, for a charge no more than your
        cost of physically performing source distribution, a complete
        machine-readable copy of the corresponding source code, to be
        distributed under the terms of Sections 1 and 2 above on a medium
        customarily used for software interchange; or,

Note the

any third party

bit.

They could avoid this requirement by giving all their customers the source code with the units, but then there's nothing to stop their customers passing it on.

Re:No they are not.

[johnw]

A simple statement that the source is freely available elsewhere is sufficient to fulfill this requirement.

Again - not true. This option is available only in the case of non-commercial distribution. If you want a copy of Linux and I fling you one of my old CDs then I don't need to make you an offer of the source as well.

If OTOH, I sell CDs of Linux as a business, I do need to make provision for you to be able to ask for the source as well.

c) Accompany it with the information you received as to the offer
        to distribute corresponding source code. (This alternative is
        allowed only for noncommercial distribution and only if you
        received the program in object code or executable form with such
        an offer, in accord with Subsection b above.)

The text of the GPLv2 is freely available and very comprehensible - why don't people read it?

Re:not share with "the world" just "customers"

[Bruce+Perens]

One of those people is Matthew, who would definitely upload his copy to a public web site.

Re:Minor correction

[Bruce+Perens]

Sorry, Martin, it really is unlicensed copying that is the violation. The way it works is when you violate the license, the copyright holder (plaintiff) goes to court and says "the defendant is infringing my copyright by making unlicensed copies". The defendant answers with their defense: "I am not violating copyright because I have a license". The plaintiff then shows all of the ways that the defendant is not honoring the license terms, and thus demonstrates that the act of copying was unlicensed and that for the defendant, all rights were reserved and are thus being infringed. The tort is making unlicensed copies.

Re:Minor correction

[Bruce+Perens]

If you violate the GPL, what you are charged with is making unlicensed copies. The thing everyone gets wrong about that is that the license then becomes your defense and you have to prove that you were complying with the license, in order to defend yourself. And of course if you've been brought to court over this, you probably can't.

Re:not share with "the world" just "customers"

[mjg59]

There is no requirement to put up a download link, but there is a requirement to provide the source code to any third party that asks for it