They probably are just trying to hide a hard coded signing key, but that's the whole point of the GPL isn't it? That you can't get away with that kind of crap. The GPL exists to keep the ecosystem open for the people that want to use it, and prevent big portions of it from being co-opted by commercial organizations and hidden behind DRM like signing keys burried in bootloaders.
If someone wants to hide their firmware behind a hard coded signing key they have to write they're own boot loader, they're not allowed to use a GPL'd bootloader and then just ignore the rules because it's cheaper to steal someone elses.
And I think your legal analysis is incorrect, the gentlemen who wrote this blog entry doesn't have standing to sue and wouldn't be part of the case. My understanding is only the original copyright holder has standing to sue.
The original copyright holder wrote a threatening letter a year ago and did nothing. If he did sue he would win but get nothing, and probably doesn't think it's worth the trouble. Ubiquity is banking on him thinking it won't be worth the trouble because they know if they get sued and loose all they have to do is what they should have done in the first place.
Back in the day the GPL used to have a nuclear option that said that if you were found in violation of the GPL by any court you lost your ability to distribute any GPL software from that point on without the explicit permission of all copyright holders. Back in the day, the GPL had some teeth, and corporate legal departments did't fuck around with it like this. That was considered too extreme, unfortunately, and new versions make being found in violation pretty harmless.
Nope, I just microwaved some water in a bowl, then I placed the container of gallium in the bowl of warm water, it melted in a minute or so, and I poured it into a mold. Takes quite a while for it to melt at body temperature, so you'll have to hold hands for a while.:)
If I was guessing, I'd guess it was bitcoin, not Tor that did him in. He was moving way too much volume to hide all that. After all, the block chain is public. The FBI only has to lean on the various organizations that turn bitcoin into cash. If it gets the addresses of all their wallets, all their customer account information, and the identity of some coins that were spent on the silk road, it only has to work backwards to see who turned those coins into cash. People think bitcoin is anonymous, but it keeps a record of every transaction. This is probably the beginning of the end for bitcoin. I'm not sure it's mature enough to sustain itself without the black market support.
Well, the journey is long. To make it, you need psychological support. That's what the makerspace is for. You become friends with these people and hang out with them. They value building and making and engage in those activities. You naturally engage and get excited about the activities with them.
And here's what I recommend to get started on this long and rewarding journey. First of all, if you want to be successful, you need to make friends that are into this subject to learn from, and get inspired by. I teach at the local Makerspace. A Makerspace is where people go who like to build things congregate. Mine is called the Qc Co-lab, and you can view information about us on facebook or at qccolab.com to get an idea of the sorts of things we do. Makerspaces are also often called hackerspaces.
Next, you'll need a point of entry, a place to get started, and parts. Now, you've got a long road with many disciplines to master in order to actually create a soccer robot yourself. You can get started on the programming/electronics side or the mechanical/servo/motor side. In any case, I don't consider a soccer robot a good starting point unless you have help.
If you want to play with the programming and digital electronics, things like sensors and and control, I suggest you get an Arduino ($35). Get an Arduino kit with a good book and some toys to plug in and play with. Learn the electronics. Learn the C programming. "Getting Started with Arduino" is a good foot in the door of a very long hallway.
Next up is the mechanical/servo/motor stuff. Picking up a radio control hobby is a good way to get started with this. Remote control Styrofoam trainer plains can be purchased for $30. A good remote control can be purchased for $30. (Don't let them sell you a $200 control off the bat. By the time you're good enough to want a $200 control you'll decide you don't like the one you bought because of X, where X is some random reason related to your favorite parts of the hobby). Often these plains require you to do some assembly. You'll get experience with servo's, electric motors, batteries, and how all these things come together. Remote control cars are also very fun and exciting if you find those more interesting. (Make sure you get one that requires assembly and is customizable).
If you do want to buy a robot kit to knock around, I recommend the Arduino version of the boebot. I use this as a teach aid because Parallax produces very good documentation and training materials. See http://learn.parallax.com/ShieldRobot. I do not recommend the basic stamp version, because if you get into this hobby you're going to need to learn C, so don't waste your time learning some other language. What I linked is for the Arduino version. The Arduino uses C/C++ on an industry standard chip. It's important to develop skills that are going to give you the most bang for you buck because the rabbit hole you're heading into is deeper than any one person can ever plumb the depths of alone. The downside here is this kit is expensive at $120. For the people in my class I build them a clone of the kit for $40. Maybe your local Makerspace has something similar going on, check them out.
Best of luck. I'll keep an eye on this thread, so if you have questions I'll try to help.
The ability to make a transient copy of a work in order to use it should not be considered in regards to copyright law. It has always been implied that you have the right to make such copies. For example, when you read a book, light creates a copy of the work on your retina, and that's how we perceive it. These copies have never been considered for the purpose of copyright, and neither has the copies floating around in peoples brains.
Exactly, this is their real motivation. They want the drivers in the tree because they care more about getting people who want to run linux to run it under their new windows VM than trying to kill linux, which I assume they've given up on.
I've looked around and all I see is casual mentions of static linking, which I assume to mean static linking to the kernel. I would like to be enlightened if I am wrong.
I find it very hard to believe that Microsoft would copy/paste GPL code or that they would statically link to some random library, especially considering that kernel drivers usually statically link against nothing but the kernel.
Which, as I have said, has been said by Linus Torvalds himself not to be a violation.
The software freedom law center makes it's living by taking companys to court over GPL violations. At best anything it says must be taken with a grain of salt. The fact is, no amount of gyration or hand waving can magically make Microsoft code belong to the community. Microsoft wrote those drivers from scratch, and therefore can license them however it wants. Period. They are not required to use the GPL unless they incorporate GPL code into the drivers, which they did not.
Some people like to say that if you link your code with GPL code than your code must be GPL. It doesn't even say this in the GPL though some say it is implied. It's an untested legal theory. It's never even been brought to court and it has a very good chance of loosing because the court is likely to take a very dim view of the idea that one person magically owns another persons work. In the normal case, however, it might fly... That is of using a GPL library in a non-GPL program or linking a non-GPL library into a GPL program. This might be seen by the judge as taking advantage of something not yours, but in the case of loading drivers into the Kernel where there is longstanding acceptance of proprietary drivers it would fail, and this precedent would put even the widely accepted case in jeopardy.
But more importantly, Linus Torvalds himself does not believe the act of simply loading a proprietary driver module in a running kernel is a GPL violation, and he has explicitly stated this in the past, which means a lawsuit over this "violation" would be impossible to win, and even impossible to bring, considering Linus would not sign off on it. In addition, this is hardly the first proprietary software driver for Linux. There have been many over the years. Many of the wifi cards that have vender supplied Linux drivers, for example, use proprietary drivers because of an FCC mandate that the wireless products are not end-user modifiable.
A lot of people like to believe copyright is cut and dry. It's not. Let me assure you that the copyright act, written for books, says nothing about weather linking against another work makes your work a derivative work, which makes it a judgement call, and this issue has never been brought before a judge. When it is, you better hope it's over a better case than this, because if it was brought under this case it would have a very, very, good chance of loosing.
In my linux product which runs off compaq flash I can tell you that:
You often see lots of garbage and complaining in dmesg.
The flash chip fails to overwrite files properly. So that when I overwrite the file and try and read it back I get garbage.
Often the flash chip seems to have successfully overwritten the files and you don't realize anything is wrong until you reboot.
And... They don't last anything like the number of writes they pretend to. If you put even a light write load on a flash chip for any extended duration (Few days, few weeks) it will blow up.
God, I'm tired of it being repeated that IPV4 addresses are running out. Everybody who's not a journalist should know that it's not true.
There's no reason every person on earth needs an IP. Nat+uPNP is perfectly capable and 100% backwords compatible.
That's not even getting into all the millions of unused IP's being held by the early internet companies.
IP's just need to be charged for on a early basis. Start with $1 per year per ip to EVERYONE who owns an IP's and you'll see the "IP Shortage" vanish overnight.
>>Using CT, how easy or otherwise is it to bring down or attack vital systems?
Well protected, properly firewalled systems are extremely difficult to break, but government networks are notoriously easy to break. This is partially because their networks are admined by full time military personnel and contractors. The wages the government pays admins are ridiculously low for network admins and thus attract people who just don't have what it takes. From what I've been told, it's extremely unusual for a full time Unix contractor to make more than 45,000 a year in a government job. When working as a contractor for the military it's very usual to find sprawling networks of boxes that haven't been patched since they where put in. Often the security of these boxes is based on strange network topologies that the designers assumed (wrongly) would make them unreachable from the outside. It's amazing to me, but a friend of mine actually worked at a DISA facility where the head Unix admin didn't know how to patch the kernel on their HP-UX boxes.
>> What sort of skills would be needed to do so, and are they common/teachable?
Most exploits now-a-days are packaged in easy to use scripts than can be used by any one who can read English. Minor damage can be caused by any 12 year old who understands what an IP address is. A reasonably experienced Unix admin can use these scripts to slowly leverage as much power as he needs in an improperly secured network. www.rootshell.com has everything a person needs to break into a network as soft as a standard military system. And if the system you want to crack isn't vulnerable right now, all you have to do is wait, somebody will find a bug eventually.
The problem with these scripts is that once they become known it usually only takes a few weeks to a month for a commercial vendor to create a patch to protect the target from them. However, in practice, most patches don't get applied in a timely manner. Especially in a government network where low profile machines assumed to be unreachable from the outside may simply go un-patched.
>> Commercial-off-the-shelf software: can it really do CT?
Reading the Bugtrack list and keeping an eye on sites like www.rootshell.com and http://packetstorm.securify.com/index.shtml are much more effective than any commercial software I've seen. The problem with commercial CT utilities is that they don't have much of a market and by the time you get them on the shelves the bugs they exploit are too rare to be worth buying the software for. Good packet sniffers/port scanners/spoofers are very useful in the general case if you are reasonably adept. These can be bought commercial, but I prefer to get mine from ftp:\\sunsite.unc.edu.
>> Which systems are actually attachable?
All systems will have windows of opportunity. Open source systems have smaller windows because they have faster patch times and fewer bugs. Custom programs have the largest windows of opportunities because they are unlikely to ever get fixed.
>> Can a recovery be made from such attacks?
Complete backups and a rehearsed recovery plan can fix nearly anything I've ever seen unless the attacker has been insidiously poisoning your databases for months (Which is in my opinion the most detrimental type of attack, and also the least likely to be noticed).
>> Is it likely to improve/get worse?
Software and os's are becoming much more complex, feature rich, and flexible which dramatically increases the opportunity for attack. Example: Windows 98 had about 11 million lines of code, Windows 2000 I hear has upwards of 40 million lines. Complexity breads bugs, and flexibility allows attackers to use your systems in ways you never imagined possible.
>> What sort of preventative work would you recommend them to carry out?
1. Hire well paid and intelligent admins with a network penetration background. 2. Have at least one person who's whole job is properly configuring firewalls, another whose is maintaining patch levels. 3. If any of the people in the above teams of people ever have less than a few hours a work day to read web pages then double the size of the teams. 4. Routinely audit the security of every computer and system. 5. Never assume a machine can't be reached from the outside.
I would enjoy fielding any questions you or your readers may have. Contact me if you would like any clarifications. Please forgive my english, I'm an admin, not a writer.
The problem is not that you can't see the source or that they may not develope the software further, the problem is that when it's no longer in their best interest to suppor linux (to hurt Microsoft) they can simply stop distribution. Then suddenly linux will have no office suit, and what will fill the gap?
Slashdot Mirror
They probably are just trying to hide a hard coded signing key, but that's the whole point of the GPL isn't it? That you can't get away with that kind of crap. The GPL exists to keep the ecosystem open for the people that want to use it, and prevent big portions of it from being co-opted by commercial organizations and hidden behind DRM like signing keys burried in bootloaders.
If someone wants to hide their firmware behind a hard coded signing key they have to write they're own boot loader, they're not allowed to use a GPL'd bootloader and then just ignore the rules because it's cheaper to steal someone elses.
And I think your legal analysis is incorrect, the gentlemen who wrote this blog entry doesn't have standing to sue and wouldn't be part of the case. My understanding is only the original copyright holder has standing to sue.
The original copyright holder wrote a threatening letter a year ago and did nothing. If he did sue he would win but get nothing, and probably doesn't think it's worth the trouble. Ubiquity is banking on him thinking it won't be worth the trouble because they know if they get sued and loose all they have to do is what they should have done in the first place.
Back in the day the GPL used to have a nuclear option that said that if you were found in violation of the GPL by any court you lost your ability to distribute any GPL software from that point on without the explicit permission of all copyright holders. Back in the day, the GPL had some teeth, and corporate legal departments did't fuck around with it like this. That was considered too extreme, unfortunately, and new versions make being found in violation pretty harmless.
Nope, I just microwaved some water in a bowl, then I placed the container of gallium in the bowl of warm water, it melted in a minute or so, and I poured it into a mold. Takes quite a while for it to melt at body temperature, so you'll have to hold hands for a while. :)
Code name, Amazon Prime
http://www.amazon.com/Gallium-99-99%25-Pure-20-Grams/dp/B00BSRAH5M/ref=sr_1_1?ie=UTF8&qid=1414958244&sr=8-1&keywords=gallium
I used it to make a novelty heart, which melted in her hands.
They probably traced the bitcoin transactions he used to extract good old American cash.
https://en.bitcoin.it/wiki/Anonymity
If I was guessing, I'd guess it was bitcoin, not Tor that did him in. He was moving way too much volume to hide all that. After all, the block chain is public. The FBI only has to lean on the various organizations that turn bitcoin into cash. If it gets the addresses of all their wallets, all their customer account information, and the identity of some coins that were spent on the silk road, it only has to work backwards to see who turned those coins into cash. People think bitcoin is anonymous, but it keeps a record of every transaction. This is probably the beginning of the end for bitcoin. I'm not sure it's mature enough to sustain itself without the black market support.
Thank you for your kind words,
- David
Well, the journey is long. To make it, you need psychological support. That's what the makerspace is for. You become friends with these people and hang out with them. They value building and making and engage in those activities. You naturally engage and get excited about the activities with them.
- David
And here's what I recommend to get started on this long and rewarding journey. First of all, if you want to be successful, you need to make friends that are into this subject to learn from, and get inspired by. I teach at the local Makerspace. A Makerspace is where people go who like to build things congregate. Mine is called the Qc Co-lab, and you can view information about us on facebook or at qccolab.com to get an idea of the sorts of things we do. Makerspaces are also often called hackerspaces.
Next, you'll need a point of entry, a place to get started, and parts. Now, you've got a long road with many disciplines to master in order to actually create a soccer robot yourself. You can get started on the programming/electronics side or the mechanical/servo/motor side. In any case, I don't consider a soccer robot a good starting point unless you have help.
If you want to play with the programming and digital electronics, things like sensors and and control, I suggest you get an Arduino ($35). Get an Arduino kit with a good book and some toys to plug in and play with. Learn the electronics. Learn the C programming. "Getting Started with Arduino" is a good foot in the door of a very long hallway.
Next up is the mechanical/servo/motor stuff. Picking up a radio control hobby is a good way to get started with this. Remote control Styrofoam trainer plains can be purchased for $30. A good remote control can be purchased for $30. (Don't let them sell you a $200 control off the bat. By the time you're good enough to want a $200 control you'll decide you don't like the one you bought because of X, where X is some random reason related to your favorite parts of the hobby). Often these plains require you to do some assembly. You'll get experience with servo's, electric motors, batteries, and how all these things come together. Remote control cars are also very fun and exciting if you find those more interesting. (Make sure you get one that requires assembly and is customizable).
If you do want to buy a robot kit to knock around, I recommend the Arduino version of the boebot. I use this as a teach aid because Parallax produces very good documentation and training materials. See http://learn.parallax.com/ShieldRobot. I do not recommend the basic stamp version, because if you get into this hobby you're going to need to learn C, so don't waste your time learning some other language. What I linked is for the Arduino version. The Arduino uses C/C++ on an industry standard chip. It's important to develop skills that are going to give you the most bang for you buck because the rabbit hole you're heading into is deeper than any one person can ever plumb the depths of alone. The downside here is this kit is expensive at $120. For the people in my class I build them a clone of the kit for $40. Maybe your local Makerspace has something similar going on, check them out.
Best of luck. I'll keep an eye on this thread, so if you have questions I'll try to help.
The ability to make a transient copy of a work in order to use it should not be considered in regards to copyright law. It has always been implied that you have the right to make such copies. For example, when you read a book, light creates a copy of the work on your retina, and that's how we perceive it. These copies have never been considered for the purpose of copyright, and neither has the copies floating around in peoples brains.
Exactly, this is their real motivation. They want the drivers in the tree because they care more about getting people who want to run linux to run it under their new windows VM than trying to kill linux, which I assume they've given up on.
I've looked around and all I see is casual mentions of static linking, which I assume to mean static linking to the kernel. I would like to be enlightened if I am wrong.
I find it very hard to believe that Microsoft would copy/paste GPL code or that they would statically link to some random library, especially considering that kernel drivers usually statically link against nothing but the kernel.
Which, as I have said, has been said by Linus Torvalds himself not to be a violation.
I haven't read anywhere that GPL code was found in their drivers. I would like to read more about that, can you provide a link?
The software freedom law center makes it's living by taking companys to court over GPL violations. At best anything it says must be taken with a grain of salt. The fact is, no amount of gyration or hand waving can magically make Microsoft code belong to the community. Microsoft wrote those drivers from scratch, and therefore can license them however it wants. Period. They are not required to use the GPL unless they incorporate GPL code into the drivers, which they did not.
Some people like to say that if you link your code with GPL code than your code must be GPL. It doesn't even say this in the GPL though some say it is implied. It's an untested legal theory. It's never even been brought to court and it has a very good chance of loosing because the court is likely to take a very dim view of the idea that one person magically owns another persons work. In the normal case, however, it might fly... That is of using a GPL library in a non-GPL program or linking a non-GPL library into a GPL program. This might be seen by the judge as taking advantage of something not yours, but in the case of loading drivers into the Kernel where there is longstanding acceptance of proprietary drivers it would fail, and this precedent would put even the widely accepted case in jeopardy.
But more importantly, Linus Torvalds himself does not believe the act of simply loading a proprietary driver module in a running kernel is a GPL violation, and he has explicitly stated this in the past, which means a lawsuit over this "violation" would be impossible to win, and even impossible to bring, considering Linus would not sign off on it. In addition, this is hardly the first proprietary software driver for Linux. There have been many over the years. Many of the wifi cards that have vender supplied Linux drivers, for example, use proprietary drivers because of an FCC mandate that the wireless products are not end-user modifiable.
A lot of people like to believe copyright is cut and dry. It's not. Let me assure you that the copyright act, written for books, says nothing about weather linking against another work makes your work a derivative work, which makes it a judgement call, and this issue has never been brought before a judge. When it is, you better hope it's over a better case than this, because if it was brought under this case it would have a very, very, good chance of loosing.
In my linux product which runs off compaq flash I can tell you that:
You often see lots of garbage and complaining in dmesg.
The flash chip fails to overwrite files properly. So that when I overwrite the file and try and read it back I get garbage.
Often the flash chip seems to have successfully overwritten the files and you don't realize anything is wrong until you reboot.
And... They don't last anything like the number of writes they pretend to. If you put even a light write load on a flash chip for any extended duration (Few days, few weeks) it will blow up.
David
God, I'm tired of it being repeated that IPV4 addresses are running out. Everybody who's not a journalist should know that it's not true.
There's no reason every person on earth needs an IP. Nat+uPNP is perfectly capable and 100% backwords compatible.
That's not even getting into all the millions of unused IP's being held by the early internet companies.
IP's just need to be charged for on a early basis. Start with $1 per year per ip to EVERYONE who owns an IP's and you'll see the "IP Shortage" vanish overnight.
I've got the PCB layout and the bom... But where's the firmware??
>>Using CT, how easy or otherwise is it to bring down or attack vital systems?
Well protected, properly firewalled systems are extremely difficult to break, but government networks are notoriously easy to break. This is partially because their networks are admined by full time military personnel and contractors. The wages the government pays admins are ridiculously low for network admins and thus attract people who just don't have what it takes. From what I've been told, it's extremely unusual for a full time Unix contractor to make more than 45,000 a year in a government job. When working as a contractor for the military it's very usual to find sprawling networks of boxes that haven't been patched since they where put in. Often the security of these boxes is based on strange network topologies that the designers assumed (wrongly) would make them unreachable from the outside. It's amazing to me, but a friend of mine actually worked at a DISA facility where the head Unix admin didn't know how to patch the kernel on their HP-UX boxes.
>> What sort of skills would be needed to do so, and are they common/teachable?
Most exploits now-a-days are packaged in easy to use scripts than can be used by any one who can read English. Minor damage can be caused by any 12 year old who understands what an IP address is. A reasonably experienced Unix admin can use these scripts to slowly leverage as much power as he needs in an improperly secured network. www.rootshell.com has everything a person needs to break into a network as soft as a standard military system. And if the system you want to crack isn't vulnerable right now, all you have to do is wait, somebody will find a bug eventually.
The problem with these scripts is that once they become known it usually only takes a few weeks to a month for a commercial vendor to create a patch to protect the target from them. However, in practice, most patches don't get applied in a timely manner. Especially in a government network where low profile machines assumed to be unreachable from the outside may simply go un-patched.
>> Commercial-off-the-shelf software: can it really do CT?
Reading the Bugtrack list and keeping an eye on sites like www.rootshell.com and http://packetstorm.securify.com/index.shtml are much more effective than any commercial software I've seen. The problem with commercial CT utilities is that they don't have much of a market and by the time you get them on the shelves the bugs they exploit are too rare to be worth buying the software for. Good packet sniffers/port scanners/spoofers are very useful in the general case if you are reasonably adept. These can be bought commercial, but I prefer to get mine from ftp:\\sunsite.unc.edu.
>> Which systems are actually attachable?
All systems will have windows of opportunity. Open source systems have smaller windows because they have faster patch times and fewer bugs. Custom programs have the largest windows of opportunities because they are unlikely to ever get fixed.
>> Can a recovery be made from such attacks?
Complete backups and a rehearsed recovery plan can fix nearly anything I've ever seen unless the attacker has been insidiously poisoning your databases for months (Which is in my opinion the most detrimental type of attack, and also the least likely to be noticed).
>> Is it likely to improve/get worse?
Software and os's are becoming much more complex, feature rich, and flexible which dramatically increases the opportunity for attack. Example: Windows 98 had about 11 million lines of code, Windows 2000 I hear has upwards of 40 million lines. Complexity breads bugs, and flexibility allows attackers to use your systems in ways you never imagined possible.
>> What sort of preventative work would you recommend them to carry out?
1. Hire well paid and intelligent admins with a network penetration background.
2. Have at least one person who's whole job is properly configuring firewalls, another whose is maintaining patch levels.
3. If any of the people in the above teams of people ever have less than a few hours a work day to read web pages then double the size of the teams.
4. Routinely audit the security of every computer and system.
5. Never assume a machine can't be reached from the outside.
I would enjoy fielding any questions you or your readers may have. Contact me if you would like any clarifications. Please forgive my english, I'm an admin, not a writer.
Offended people offend me! I'm sick of all the politically correct whining! It was a joke for gods sake.
Here is the source and precompiled visual basic program to turn a binary string into a text string. Cut, Paste, Click, Walla.
BinaryToText
Here is the source and precompiled visual basic program to turn a binary string into a text string. Cut, Paste, Click, Walla. Binary2Text
"Edwards says that Linux lacks many advanced capabilities, such as the ability to run on computers with multiple processor chips."
Either Edwards has never used Linux and thus knows not of what he's speaking, or he's lying. Either way it's FUD.
The problem is not that you can't see the source or that they may not develope the software further, the problem is that when it's no longer in their best interest to suppor linux (to hurt Microsoft) they can simply stop distribution. Then suddenly linux will have no office suit, and what will fill the gap?
I'd donate too :) But we need someone with status to hold on to the cash, and administrate the money.
David
Here is a fix for your bug.
s /q196/3/30.asp
http://support.microsoft.com/support/kb/article
I hope it helps
David