Slashdot Mirror
Napster Attacks Open Source Clone
Anonymous Coward writes "In a
letter, the author of a Gnome-based
Napster clone was pressured
to remove distribution of the program due to the fear that
source availability would make the Napster servers less secure [if]
gnap
is not ceased." UPDATE by RM: Ryan Dahl, gnap author, has spoken with Napster, says they've come to a happy understanding, and has removed the "letter from Napster" (and his response to it) from his page. He also tells us that he and Napster are working together on an article for tomorrow, which we eagerly await.
http://www.gis.net/~nite/
-DAVEO
and end this before it gets silly, non-issue.
+&x
There seems to be a double standard in a borderline legal product that was created for the sole purpose of piracy (they say it wasn't, but come on, what did they think was going to happen?) complaining because a clone is compromising it's own security.
From the gnap homepage:
1999.11.29
Thank you to all the people that supported me today. The situation was fairly heated for awhile. All I really want to do is code this client. Let me say that Napster (the person) and I discussed this issue completely. He was very resonable and nice when I got to talk to him alone. I hope we can work together to make Napster a good service.
gnap is and will continue to be GPL.
---
What makes some of these companies think that whenever somebody writes a piece of software that exploits the flaws in their software, it's not their fault? This is just like the whole DeCSS business. Big (well, Napster isn't that big in this case) corporates trying to protect their "proprietary" software when the only reason it needs protection is because it's weak. It also seems pretty hipocritical to me when Napster, a company which is basically devoted to assiting people engaging in music piracy, tries to shout the same "it's mine!" call as the music industry. I don't know about you, but this I downloaded the gnap source code as soon as I saw this posted.
There's no reason for a sig here.
Miguel de Icaza's activity log has a link to the irc discussion that the author of gnap had with the people from Napster. I am not sure if this discussion took place before or after he received the letter.
Look at the comments on the main page.
The Napster guy is valid in his assumption that open specs will cause lots of hacking. However, he seems to forget that keeping it closed will not stop hacked clients from emerging. Gnap is proof of this.
If you're going to bombard Napster with email, don't flame. Just indicate that security-through-obscurity simply doesn't work. Any sort of protective measures he wants to do should be done on the servers, not so much the clients which everyone has access to.
I personally would like to see lots of encryption.
Gnot when Gnapster was just getting goood! Gnow the company had to go and pull this shit... goddam give it a break, its gnot like anyone's stealing money from the company, it has no real future except to helpe me pirate my mp3s...
never, apparently. Didn't ICQ teach us that putting 'security' in the client was pointless? Come on, whining because someone released information detailing the protocol(s) used is pathetic. Security through obscurity, client side security, whatever you want to call it.. developers need to understand the plus side of the open source movement, as they will have problems pointed out (and usually solutions presented) by people who care, rather than having the problems unknowingly exploited by some script kiddies.
People seem so quick to hop on the lawsuit bandwagon when the words "reverse engineering" emerge, but think.. Using tcpdump (or similar utilities), I can see what's being transmitted, and work from there. Thinking that your protocols will be kept secret by not releasing source doesn't make sense.
(a bit offtopic)
I'm reminded of one software reviewer's criticism against a windows "firewall" product called "Lockdown 2000". The creators of the product encrypted the executable, but they forgot that it was decrypted and loaded into memory.. just examine the memory with a utility and.. you get the idea. The company later threatened to sue the software reviewer for "cracking" their software (more than likely, fueled by the fact that the software blatantly lied about what it was "protecting" against, which was basically nil).
Let's just remember, something like napster obviously uses networking to communicate.. and as far as I know, sniffing your own system is perfectly legal.
(just my $.02)
--
The article is in correct. Napster is not sueing, is not planning on sueing, ever will sue , or has even ever threatened to sue me. The whole thing has been a massive misunderstanding. (i am the gnap author)
-- four
Roblimo, at least look at the link before you post a story. There's been a number of stories on /. lately that caused a lot of problems for a few people and got a whole lot more people in an uproar simply because the story poster didn't check the linked story properly.
I think that the headline for this story is very very very misleading. This is like the 5th time in the last couple weeks that /. has ramped things up more than they really are. He says specifically that Napster (the person) was a nice guy.. doesn't sound like a threatening attack to me from what I read. Please, try to be an unbiased news source from now on, I'm resorting to ignoring any and all comments from the posters at this point (Especially Roblimo and michael, hemos at least apologized)
I'm not trying to start a flame war,but I hope someone pays attention to this.
Dacels Jewelers can't be trusted.
According to this Salon article lovingly preserved by Yahoo news service, they have indeed started to try and do just that:
Hi!
Is whether or not it is illegal to utilize "public services" with non-approved access methods. In particular, utilizing public net services. I am of the belief that if you are running a public server on the internet, you cannot expect people to use the client you specify. Imagine if you only had one browser to choose from? The web is a different concept in that it's decentralized, but ICQ is a good example. ICQ has the lion's share of the latest "hot" market, and as much as they'd like to retain total control, I wouldn't appreciate being tied into one client.
If we get to the point where the precedent has been set that public services are within their legal right to restrict which clients are able to connect, we're in a position where competition will be severely stifled.
I'd really like to know if this type of concept already falls under some law, or if its just another grey area in the merging of law and the net.
First of all: that you for posting and contributing to this thread on /..
However, it would be so much more useful if you would help us to clear up the "misunderstanding". Obviously a lot of us were sufficiently concerned to (a) start this thread and (b) contribute to it.
It does not help that you have removed the original letter. That does not sound like a misunderstanding to paranoid /. readers like myself (:-)). It sounds like you were bullied into submission. And we don't like that, so this thread will continue and I suspect that Napster has lost whatever goodwill they had within this community at least.
If Napster is really serious that this is a misunderstanding then they should make public the whole story, unedited. This includes original e-mails, IRC logs, etc. Add whatever comments you and they think are appropriate. Then, perhaps, we will all forgive them and be friends ever after (or something)....
At the moment it looks like they are using strong-arm techniques against an Open Source movement. That approach is going to win them few friends.
Hi!
I have removed the logs and emails on the gnap site because they do not show Napster (the company) in very good light. This disision was mine and mine alone.
I had a long chat with Napster (the person, the owner of the company) this afternoon, and we worked everything out.
Many of the gnome developers had a meeting this afternoon (which I didn't join) with napster about this whole issue, everyone learned alot. After reading these logs I feel alot better too.
It turns out that Napster's (the person) request to have me remove the source code, was a request as a person (which didn't come clear across to me) not as a company. After that I wrote a letter back to them saying I would not remove the source. Then Saterday afternoon Napster (the person) his co-worker (?) nocarrier and I had a chat.
To say it bluntly, they were being rude and I was feeling threatened. (I WAS NEVER THREATENED THOUGH)
For about 24 hours the sourcecode was offline, before I decided to email them saying I would not take it off. That was that.
They have no legal case, nor do they want any legal case.
This has all been cleared up hours ago. I will put this on the gnap page.
-- four
1 - Napster owns the servers that the client uses. Period. They provide the servers for use by the client. Any unauthorized client using the servers is just that - unauthorized. This is exactly the same as someone relaying mail through your server that you do not authorize, and they should be equally free to do whatever they wish to make sure that only authorized clients use their servers.
2 - The service is provided without charge to the user. The client is provided without charge to the user. This does not == free, and it does not == public domain. The 'rights' of the users are just that of any other service - use it, enjoy it, if you don't like it, well... in so many words, shove it. I have yet to see someone build a free public domain server architecture and client to do the same, and when they do I hope that all of you will support it with gusto. Until then, you frankly have nothing to complain about. I don't see what is so wrong with using the client provided to you, and if you want to build your own and your own backend and open source it, more power to you.
As I understand the fear is that hacked napster clients will be able to report incorrectly what mp3's I have availible. But what prevents me from merely creating files of the appropriate size filled with random bytes?
It would appear that it is easier to fool the napster program in such a manner rather than messing with the source. Everyone can make a file not everyone can code a client.
Secondly who are they scared of? Even script kiddies probably have something better to do than falsely posting mp3's. If it is groups such as the RIAA flooding the server to make it unusable....well they could certainly reverse engineer the client just as well as I can.
Thridly while in this case the client seemed to be easily reverse engineerable security through obscurity is not impossible. If you capture a piece of my own private code the fact that you are unsure of the algorithm renders it difficult to decode (Re: those papers supposedly detailing buried gold in virginia where only one has been decrypted). Sure it isn't as secure as a well tested publicly availible algorithm but if your intent is to hide the actions of an algorithm your choices are limited.
Hell if security through obscurity never worked the wine project would be done.
Marriage is the "pseudo-ethics" that cloaks the messy truth of sexuality in the raiment of propriety -- it's "Don't Ask,
I guess this is a little offtopic (if Slashdot had a general posts board I suppose it'd go there) but I've been seeing a lot of posts criticizing the headings/content/comments of topics lately. People criticizing i.e. Roblimo for "Napster Attacks Open Source Clone" (others come to mind, such as the ID spying post and the Bruce Perens vs. Corel thing).
I just have one thing to say. Grow up.
Slashdot as a media source is not your classic 1/2 hour news jive. It's an immediate source that shows what's being said in the moment, links us to where it's being said, and let's us hash it out on our own. So when it gets wind that something happens, when it gets a link to a rather rude (I take it, I didn't get to read it) email that may be threatening, it is Slashdot's place to post it. Things change, and updates can (and in this case, I expect will) be made. If you don't like it a little raw, what are you doing here in the first place?
Jose M. Weeks
What we really need, is a distributed form of the napster service. The protocol could be based loosely around IRC.. in fact it might just be easier to sit it on top of the IRC protocol. In any case, its not a terribly complex protocol.. and it would be so much nicer if the servers were distributed. Granted there is the whole speed issue.. but with some caching thrown in it could be pretty decent. We need a completely decentralized file search service ...
oh... and of course.. it'd be much harder for people to squash the service for distributing ~1 TB of mp3s =]
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Possibly, a permanent messageboard about Slashdot would serve to reduce the clutter in the news section.
--
Fuck the system? Nah, you might catch something.
Thing is, they're doing it in PHP.
Here's where you can find it.
Thing is, it's still the old version. Honestly, I think Rob should be putting out the source more ovten. Perhaps CVS access would be something to try? Yes, I know the code's beta; that's never stopped Open-Source development before.
Exactly my thoughts. This is not meant to really be dis against slashdot, believe me, I have loved slashdot since it was Chips and Dip. There are, however, some serious problems as mentioned by some AC's.
One is the things they are posting on slashdot. There is still alot of good articles, but not nearly as good as it originally was. I used to read every slashdot article and every comment associated with it. Now I find that only a few articles a day are even interesting. And lately Slashdot has been posting stories that were posted a year or so ago, like they forgot they were posted (which is understandable I guess, but if the news link is over a year old, at least search the archives).
Another big problem I see is the moderators. I am all for moderators moderating comments and such, but I disagree with some of the things they moderate. If anyone questions soemthing about slashdot, or the open source movement, it is considered troll bait and marked down to zero or below. I have seen an abundance of good, intellectual post in the past few months that should no have ever been moderated down. If anything, they should of been moderated up. Slashdot is starting to become like , say a government, someone questions it and they are silenced. No matter how intellectual and how good of apoint they have.
And about the issue of open source and slashdot, my sentiments exactly. I have always thought slashdot code should be CVS'ed. Dont get me wrong, I am not open source extremist, but if they are going to open the source, at least give us the most recent versions. Dont open source an initial version, then keep everything private. Thats not open source. I would also like the see the financial records of slashdot open sourced (or content, whatever you feel is appropriate), as in how much Andover paid for Slashdot. Rarely does a company not disclose the takeover/merger price, especially in the internet industry.
Anyway, I cant really say keep up the good work Rob. But you have a good site here, I hope it gets better then where its been going.
Jeff Knox
On the other hand, it is /their/ servers, and /their/ service, so they get to dictate who uses it and how it is used. Not unlike AOL dictating who can interoperate with its instant messaging software. Since they have put the time, money, and effort into building the backend they should be able to dictate how it is used. If I provided a service to users, I wouldn't want the possibility of a foreign client disrupting or corrupting that service. In reality, in light of the fact that they give out their own client free, an open-source client probably wouldn't hurt anything, and in fact probably help, since they would gain a rather large, tech-savvy audience (I'd guess geeks have the monopoly on MP3s right now anyway).
How many people who agree they should open up their backend to foreign clients agree that AOL should do the same for MSFTs messager? What if they weren't giving their client away free?
It's 10 PM. Do you know if you're un-American?
I have similar feelings to what this message mentioned. Somehow, Slashdot seems to start getting stale.
I think that one of the problems Slashdot is starting to face is that it is turning away news submitters. How many times have any of you submitted a story, just to find that it is never posted. Fine, it does not have to be posted. But after you have submitted item several times, none of them worked, then you think, "why bother?". The less people are willing to submit stories, the more difficult for Slashdot to be as comprehensive as fast in reporting news.
And then we are starting to read news that lean more towards gossiping than real jornalism (the Corel fiasco with regard to teenagers and the EULA). Yesterday we had to read a "press release" about Y2Brand that looked more like a commercial than a news item.
Slashdot is starting to offer t-shirts to book reviewers, why not offer something to the first whose news item is published? At least that will attract back some of those who have decided that everytime they fill the form is a waste of their time.
I suspect that like many, I am starting to mine for my own news. I don't find many pieces worth reading. In the past, I could spend all my free time reading Slashdot. Now, I just skip many of the headlines.
Don't get me wrong. I like Slashdot. I want to see it shinning. But I think that it has to continue to grow up. It has the money and the resources to do it, and that has increased our expectations. It cannot and should not continue as a "garage" project. After its takeover by Andover our expectations on Slashdot changed accordingly.
And like many, I think Roblimo is doing an excellent job and I love the interviews he is doing. We need more people like him, that bring a fresh air and a professinal face to Slashdot. We also need to have more relevant articles. Finally, make sure that you understand the ramifications of your postings and the responsibilities that the community has put on it. Somehow, Slashdot readers are starting to note this and they start to believe that they have to keep a cool head despite the "news" sometimes they are presented with. The item on Napster shows that sometimes, in an attempt to be the "first", Slashdot is willing to put a headline that might dramatically change the outcome of it. I just hope that we don't lose a battle because Slashdot worked against us. On the contrary, we have to make sure Slashdot works along our Free Software ideals.
Now I just have to wait for somebody else to pump the rating on this message. Otherwise, like many comments, it might be lost in a sea of many others.
I am one of the Gnomers who has been following this issue, and was also present at one of the irc conversations with the Napster people. I've done a little writeup of the events, which I'm hoping will help set the record straight.
The writeup is here, posted on Advogato. As usual, anyone can read, but posting is restricting to free software developers.
LILO boot: linux init=/usr/bin/emacs
If you poke around the link listed under "slashdot parent andover.net files for IPO", or whatever it is that the link says, you can find this. Looks like around 11 million? But who knows how much more if Andover successfully offers, and the stock price rises.
Slashdot.org Purchase Agreement
Under the terms of the Asset Purchase Agreement between BlockStackers, Inc. and Andover.Net, dated as of June 18, 1999,
Andover.Net purchased those assets of BlockStackers relating to the Slashdot.org web site for 1.5 million in cash paid at closing
and maximum future cash payments of $3.5 million payable over the next two years contingent on the continued employment of
two key employees. Maximum future stock consideration of $7.0 million is payable over a period of two years following this
offering. For the purposes of these issuances, the number of shares of common stock to be issued is determined using an assumed
initial public offering price of $13.50 per share. Thus, the total consideration that will be paid is valued at $8.5 million and the
maximum contingent consideration payable is $3.5 million. All consideration has been or will be paid to BlockStackers. The number
of shares paid is contingent on the continued employment of two key employees and the achievement of performance milestones
relating to traffic on the web site.
*
148,148 shares issuable upon the closing of this offering;
*
74,074 shares issuable seven months after the closing of this offering;
*
49,383 shares issuable 12 months after the closing of this offering;
*
98,763 shares issuable 12 months after the closing of this offering provided that the milestones in the agreement have been
met;
*
49,383 shares issuable 24 months after the closing of this offering; and
*
98,765 shares issuable 24 months after the closing of this offering provided that the milestones in the agreement have been
met.
Pursuant to this purchase agreement, BlockStackers also agreed not to compete with Andover.Net or to solicit its personnel,
customers or suppliers. Specifically, BlockStackers may not compete with Andover.Net, its subsidiaries or affiliates by engaging
in any business that involves a real-time or contemporaneous news web site until June 28, 2004. Prior to June 28, 2001,
BlockStackers may not solicit personnel, customers or suppliers from Andover.Net, its subsidiaries or affiliates. Mr. Malda, a
director of Andover.Net, owns 25% of BlockStackers. Mr. Malda, the President and co-founder of BlockStackers, was a web site
manager of BlockStackers, running Slashdot.org. Mr. Malda continues to run Slashdot.org as a web site manager and editor of
Andover.Net.
Obviously they're too busy trying to ride the wave they've created to worry about something as trivial as security.