Posted by ryuzaki0 on from the yet-more-to-download dept.
Quite a number of people have written in with the news that AOLServer has been open-sourced under a GPLish looking license. You can grab the source or the documentation.
This just isn't true. Sure, the press reports that things are found now and then, and there may have been problems in the past, but his posting about the so-called "client-based security model" is just plain incorrect, wrong, and downright clueless.
One: this one never got into the press.
Two: I'm afraid it's quite true. It was true then, and it's true now. If you have an old copy of AOL 2.6 I believe I still have the patch lying around; the patch is useless now (though I'd imagine it would still run, but what's the point?) but I'll show you if you like.
Three: You're right, a client-based security model is incorrect, wrong, and downright clueless. But remember who we're talking about here.
If he really knew what he was talking about, he'd have been able to exploit any security hole -- which he admits he was not able to do.
This was years ago, before I knew how to program (much less hack Mac program code using nothing but ResEdit). Just because I know how a program works doesn't mean I can write a program to exploit security holes, much less hack another program to do it. Especially when I don't know how to program, which I didn't back then.
Look, I know what I saw; I used this program for a while, in fact. And I don't appreciate being called clueless for bringing up an old AOL hack which likely invokes nostalgia in more than one Slashdotter.
Besides, what does it have to do with AOLserver at all?
Directly, nothing. But consider the following: one, the server's name is confusingly worded, such that people often think it's the server for AOL's content. Two, people have been clamoring for AOL to Open-Source their stuff. Three, AOL can't do this, and there's actually a damn good reason for it, namely bad software design (which I suppose isn't a good reason, but it's a valid one nonetheless).
Maybe, at some point in the past, in a much older version of the client and server software that no longer run anymore, this was true. Maybe.
Perhaps in an older version of the client software that no longer ran anymore, this would be true.
Just one problem: all versions of the AOL software still run. I believe I still have the oldest AOL frontend (version 1.0 for MacOS; it should be noted that AOL was originally Mac-only unless you count Q-Link which was C64-only). Last time I ran it, it worked fine (and allowed you to enter fake credit card numbers as long as they were theoretically valid, yet another security hole).
That's just it. Perhaps in the 4.0 version, some of these security holes were closed up. But AOL prides itself on its backward-compatibility, and all of the security holes present in the older versions are still valid. There's a price to pay for the exploits: you miss out on the features of the new software. But they all still run fine.
I always forget that it's a web server, not their own content server. I get my hopes up that AOL's gone Open-Source, and then it's a big letdown.
Then again, AOL can't Open-Source its stuff; if it did it would die within days. No, this is not anti-Open-Source FUD: let me explain. You see, most (if not all) of AOL's security features are implemented solely in the client. This means that if you figure out how to access AOL via a terminal (it IS possible, but exceedingly difficult; I've never managed it myself) you essentially have admin access, minus the pretty icons and such, no matter what screen name you use. You still can't get other people's passwords, but who cares; other than that it's more or less like having root access to AOL (if such a thing existed).
In other words, if you Open-Source the client, it's a trivial matter to remove all of the readblocks in the client, recompile, and have an "instant admin" client. And you know all of the AOL lamers would have a field day with that.
The Mac (or former Mac users) here who used to be on AOL might remember a program called AOL4Free (made by a guy calling himself Happy Hardcore). This nifty little hack undid one of these locks in the client... the one which told the AOL server to bill the user (this was back in the days before AOL went flat-rate). The way it did this, however, tended to overload the server with a certain kind of packet. When the program got popular, the server eventually ground to a chronic halt; although AOL doesn't like people to know about it this was the real reason AOL was so slow until their server upgrade of a few years back; Mac users were getting free time and flooding the server as a side effect (I don't think a Windoze equivalent was ever made).
The program eventually started undoing other locks, allowing the user access to admin-only areas (such as the fabled "Center of the Earth" chatroom, which at the time had double the capacity of normal chatrooms). The guides eventually had to move out of that chatroom, and went to one called "Wonderland"; Hardcore cracked that one too, and I don't even know where the guides hang out now.
So you see, in AOL's case, Open-Sourcing the client really does mean death. But they have only themselves to blame for not designing their software right in the first place.
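As an added illustration (not code from the thread, and not AOL's), the "client-based security model" described above, plus the "theoretically valid" credit-card check mentioned earlier in the exchange: a toy chat server that trusts client-asserted admin and billing flags, beside one that derives both from its own records. The account table, room policy and Luhn routine are constructed assumptions.

```python
# Toy model of client-enforced vs server-enforced access control (constructed example).
from dataclasses import dataclass

# Server-side account table (constructed sample data, not AOL's).
ACCOUNTS = {
    "guide01":  {"role": "guide",  "plan": "hourly"},
    "member42": {"role": "member", "plan": "hourly"},
}

# Which roles may enter which room (constructed; the room name comes from the thread).
ROOM_POLICY = {
    "Lobby": {"member", "guide"},
    "Center of the Earth": {"guide"},
}


@dataclass
class JoinRequest:
    screen_name: str          # authenticated identity, bound to the session by the server
    room: str
    # Flags the client asserts about itself. A patched client can send anything here.
    client_says_admin: bool = False
    client_says_bill_me: bool = True


def join_trusting_client(req: JoinRequest) -> dict:
    """Client-based model: the server believes whatever the client claims."""
    roles = ROOM_POLICY.get(req.room)
    if roles is None:
        return {"joined": False, "billed": False, "reason": "no such room"}
    # Admin-only rooms are gated on a client-supplied flag ...
    if roles == {"guide"} and not req.client_says_admin:
        return {"joined": False, "billed": False, "reason": "client did not claim admin"}
    # ... and metering happens only if the client asks to be billed.
    return {"joined": True, "billed": req.client_says_bill_me, "reason": "ok"}


def join_server_enforced(req: JoinRequest) -> dict:
    """Server-based model: privileges and billing come from the server's own records.
    The client-supplied flags are never consulted."""
    acct = ACCOUNTS.get(req.screen_name)
    roles = ROOM_POLICY.get(req.room)
    if acct is None:
        return {"joined": False, "billed": False, "reason": "unknown account"}
    if roles is None:
        return {"joined": False, "billed": False, "reason": "no such room"}
    if acct["role"] not in roles:
        return {"joined": False, "billed": False, "reason": "role not permitted"}
    billed = acct["plan"] == "hourly"   # metering decided by the plan on file
    return {"joined": True, "billed": billed, "reason": "ok"}


def luhn_valid(number: str) -> bool:
    """Luhn checksum: all a 'theoretically valid' card number has to pass.
    It shows the digits are well-formed, not that the card exists or belongs to the
    user; treating it as proof of payment is the same class of error as the room check."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    # A plain member using a patched client: claims admin and declines billing.
    forged = JoinRequest("member42", "Center of the Earth",
                         client_says_admin=True, client_says_bill_me=False)
    print("trusting client :", join_trusting_client(forged))
    print("server enforced :", join_server_enforced(forged))
    print("luhn passes     :", luhn_valid("4111 1111 1111 1111"))
```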
This just isn't true. Sure, the press reports that things are found now and then, and there may have been problems in the past, but his posting about the so-called "client-based security model" is just plain incorrect, wrong, and downright clueless. If he really knew what he was talking about, he'd have been able to exploit any security hole -- which he admits he was not able to do. How such an obviously wrong posting gets a score of "4: Interesting" is beyond me. Besides, what does it have to do with AOLserver at all?
The program is dual-licensed with the GPL and a NPL variant. The GPL is, of course, already accepted as an Open Source license. The NPL variant is probably Open Source too, but I haven't done a detailed audit and thus can't say for sure.
I've looked over the code with my legal eye and see a few imperfections. It seems like AOL is trying very hard to understand, and in my opinion they're doing very well. I congratulate them on this license, yet I think by version 1.2 they could fix a few of the obvious problems very easily.
My dissection follows:
AOL is using the Mozilla license with some amendments following. Having never read the Mozilla license before, I did notice some problems with it itself. I knew the MPL wasn't completely perfect, but it is a very well written license that closely follows what I consider a good open source/free software license standard.
Enough with the psychobabble, and onto the legalbabble.
Everything looked okay until I arrived at Section 2.2 Contributor Grant. Section 2.2.a gives the contributor exactly the same rights the "Initial Developer" (in this case, AOL) has. However, Section 2.2.c denies these rights and makes both Section 2.2.a and 2.2.b invalid if the contributor does not use the "Covered Code" (all code including original code and modified code) commercially. It is quite obvious that hobby programmers will be screwed legally, having inherited absolutely no rights whatsoever in agreeing to this license. This also means a hobbyist developer isn't allowed to modify or redistribute the code.
Section 3.1 denies the contributor the right to sub-license the code. (Does this mean AOL isn't allowed to make amendments? No. Section 6.3 claims you can create your own license using the MPL but you must show significant differences and use a name not related to Mozilla or Netscape in any way. Would having left sections 6.1 - 6.3 unmodified be deemed improper modification? These sections contain sentences stating the license is controlled by Netscape/Mozilla and related to them; otherwise they are important parts of the license and should stay the way they are.)
The rest of the MPL seemed ok, now onto AOL's amendments:
Amendment IV basically says AOL has the right to add proprietary code to the AOL/MPL'ed code.
Amendment V is intentionally omitted?!?!?!?
Exhibit A, which is an external part of the license, implies that the provisions of the AOL/MPL license can be swapped with the provisions of the GPL license... Anyone confused yet? ;-)
Sincerely, Nelson Rush
--
"God prevent we should ever be twenty years without a revolution." -- Thomas Jefferson
I invite anyone wanting to discuss the Mozilla Public License on over to news://news.mozilla.org/netscape.public.mozilla.license
You have completely misunderstood the patent grant section. The whole point is to prevent people from contributing stuff they own a patent on and later on saying "gotcha" to everyone using their contribution. If you distribute the code then you've granted rights for people to use it, at least as part of the package they distributed.
2.2c says if they keep their changes internal they haven't granted any patent rights just because it touched MPL code.
2.2d is to keep paranoid lawyers happy. Let's say A violates B's patent in some obscure stuff that B doesn't notice. B then contributes other code in a completely different part of the product. Some lawyers worried (University of California, for one, with lots of patents and lots of programmers that don't know anything about most of them) that under the MozPL 1.0 language B's contribution makes A's violation legal. 2.2d limits grants from B only to stuff B has contributed themselves.
Section 3.1 says code under this license has to stay under this license. You can create a "Larger Work" by adding stuff under a different license, but you can't change the license on what was there when you got it. Free MPL code will never become non-free. (Unlike GPL, however, it can be combined with non-free code which might make a particular binary version impossible to improve or modify.)
6.3 governs the copyright grant for the license itself "which you may only do in order to apply it to code which is not already Covered Code governed by this License". That is, stuff you add to create a "Larger Work", or maybe you just like the license but want to tweak it for your own terms -- Just as AOLServer has nothing to do with Mozilla but liked the basic license and made a few changes.
The amendments that make up the AOLServer license are patterned after the amendments in the Netscape Public License (also a variant of the MozPL). NPL has 5 amendments, thus the strange "Amendment V is intentionally omitted".
Amendment IV is just AOL lawyerly ass-covering, copied from Netscape lawyerly ass-covering in the Netscape PL. The license itself allows you to add proprietary code as long as you don't change the existing source in order to do so. As a practical matter this means even if someone does so the rest of us at least get some hooks to plug in equivalent free functionality if it's cool and useful. Amendment IV allows them to hide the hooks for PRE-EXISTING licensed 3rd party stuff. Oh boy, what a biggie.
Why does the Exhibit A grant of dual-licensing confuse you? Lots of software is dual-licensed -- perl for example. GPL doesn't get along with proprietary code, but the MPL does. But by not being GPL then MPL code can't be used in GPL projects. Dual-licensing allows the code to co-exist in both environments. Contributions probably won't be accepted back into the main tree if they are not also dual-licensed. You're free to fork the codebase GPL-only, but it's not a good idea. For one it'll slow progress on both forks, and two it'll discourage other corporations who are considering going open-source in a GPL-friendly way.
No, Apache isn't, but aolserver has the option to be used under the GPL. Due to the GPL's viral nature, the Apache group would probably not accept patches containing GPLed code, but the Apache license permits you to do what you want as long as you give due credit. So aolserver can steal from Apache, but not vice versa.
If AOLServer is half as good as Greenspun says, it will be serious competition indeed for Apache. With its GPL, people can rip out chunks of Apache wholesale and stick them in aolserver. A mod_perl interface would be my first suggestion.
First Multithreaded, DB-backed, PUBLISHING SYSTEM
by just+someone · Score: 3
Dynamic Page scripting (using a tested language, TCL), Autoindexing, Archiving, with a c-API.
Oh, yea, and the first to use HTTP PUT to create web pages. Using version 2 of AOLpress, the publishing of material to the server was/is transparent. A web server was treated just like a local directory.
Best designed server/web publishing system. It just lost out to money, and bigger development budgets (and a slow browser/publisher). Most of the admin interface was done in TCl, so you could modify it.
Re:What exactly is AOLserver?
by guacamole · Score: 2
Maybe you are wrong. I read his book. It's nice. The only things that I really did not like about his methods are:
1) He ditched Perl in favor of a broken thing known as tcl. Perl, the language that is loved and successfully used by so many. When he talks about perl or C, it is usually to remind us how much both of them suck and how much Lisp rules over them.
2) In one of his lectures (in California) he mentioned that Apache is not really supported and no one distributes it in binary form. He also mentioned that back in 1993 he could not compile apache... but come on, compiling linux and gcc back in 1993 was not much fun either. But today, apache and gcc will compile and install on any unix box with a simple "./configure;make;make install" from the source directory as long as you have a C compiler, C header files and make... and there are also lots of places where you can find compiled binaries (ftp.apache.org comes to mind). All linux distributions come with binary apache packages, MacOSX, etc.
3) He ditched vi in favor of emacs. That hurt my feelings:-)
...of course. Mozilla Public License v 1.1 according to the site.
This is the same AOL that some unauthorized character at Sun told us was thinking of giving up the Mozilla license. We already knew that report was bogus, but this is just more evidence.
Thanks
Bruce
Bruce Perens.
Is it just me, or is this generic joke getting really old?
--- Jeff
I built it on Debian and it works!
More info about the AOLserver can be found at http://www.aolserver.com/
-phazer
Keep in mind the number of users that AOL serves.
AOLserver (a www server) has to be fairly decent.
http://photo.net/bboard/q-and-a-fetch-msg.tcl?msg_id=000Vt4
Date: Thu, 24 Jun 1999 22:24:53 -0400
From: Philip Greenspun
Subject: speculation on why AOL ripped out so much stuff
It is fun to speculate on why AOL ripped out so much stuff from 3.0.
Here are my favorites from recent mailing list:
features. I wonder if there are third party licensing concerns or security issues behind these omissions? Any one of these omissions would provide a good reason not to move to 3.0 and yet they provide a whole list!
I suspect a lot of code was removed because AOL didn't want it to become Open Source.
I've been working with AOL since December to open-source the thing. The truth is much simpler than some of you guys might suppose:
1) they waited for 3.0 to open source the server because they were a bit embarrassed by some of the cruft that had accumulated over four years in Navi/GNN/AOLserver
2) they ripped out a bunch of features because (a) they don't use them on AOL's high-volume sites (like DigitalCity), (b) they complicate maintenance and extension of the server code base, and (c) they think they could be done in modules outside of the server core
This is actually pretty common in the world of complex software. It eventually gets too complex for anyone to understand so people do a leaner meaner rewrite.
Don't cry too hard for your lost feature bloat. Be assured that four years from now AOLserver will be just as bloated with new and even weirder features.
I also know that AOL itself is working on making Tcl 8.1 part of the server. They just couldn't get it done in time and sensibly decided to release an improvement. Jim Davidson, the original NaviServer architect, worked a lot on 3.0. He is a tasteful, thoughtful guy and 3.0 is the best Web server for his needs (i.e., heavy and reliable support for Tcl, databases, ADP; clean and fast static file serving; easy configuration).
Philip
We really like the 2.3 version, nice fast multi-threaded server. Web based admin (nuked in 3.0) was really slick, very configurable server.
We serve over 1.5M hits per day with ease, never taking more than 8% CPU or more than 12M of RAM. Sometimes we'll take 25-35 hits per sec....
Unfortunately no mod_perl/velocigen backend, seems to lean towards TCL.
Jim