Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for October 7, 2004A busy week for the courts Various courts in the U.S. have handed down a set of decisions in the last week which have strong implications for the free software community. Here is a quick rundown of what the courts have been saying.
bnetdThe developers of bnetd had a straightforward goal: they wanted to be able to engage in networked gameplay, using their legally-purchased Blizzard games, without dealing with Blizzard's Battle.net servers. So they reverse-engineered the protocol used by Blizzard's games to talk to the server and implemented bnetd, which provides the same functionality. bnetd is licensed under the GPL.Blizzard did not like bnetd. The provision of alternative servers took players of Blizzard's games out of the company's control; it was no longer possible to throw advertisements at players. The Battle.net servers also check the registration key provided by the game client; if the key turns out not to be valid, or if multiple players attempt to use the same key, access to the server will be denied. The bnetd developers never quite got around to implementing the key checks; free software developers have little patience with that sort of thing, and, in any case, Blizzard provides no way for third parties to check the validity of registration keys. Blizzard's response was to send takedown notices, then file suit with a number of copyright infringement and contract claims. On September 30, a U.S. District Court in Missouri agreed with Blizzard, finding the bnetd developers guilty of breach of contract and violation of the anti-circumvention clauses of the Digital Millennium Copyright Act. The full ruling is available in PDF format. The contracts in question are the license agreement for the games and the terms of use for Battle.net. Among other things, these contracts forbid reverse engineering of the software and running services that compete with Battle.net. The court found that the EULA and TOU were binding in all respects. Among other things, a license agreement can forbid reverse engineering in all cases and that is just fine with the court. With regard to the DMCA charges, the court concluded that, by reverse engineering the handshake used to control access to the games' "Battle.net mode," the bnetd developers did circumvent an access control mechanism. In their defense, the developers stated that they fell within the DMCA's exemption for those trying to achieve interoperability. The court disagreed:
The Court find that the defendants' actions constituted more than
enabling interoperability. The bnetd emulator developed by the
defendants always allows the Blizzard game to access Battle.net
mode features even if the user does not have a valid or unique CD
Key, because the bnetd emulator does not determine whether the CD
Key is valid or currently in use by another player. Unauthorized
copies of the Blizzard games were played on bnetd servers. Then,
defendants distributed the bnetd program for free. Because the
bnetd source code was freely available, others developed
additional Battle.net emulators based on the bnetd source code....
Finally, the defendants did not create an independently created
computer program. The bnetd program was intended as a functional
alternative to the Battle.net service. Once game play starts there
are no differences between Battle.net and the bnetd emulator from
the standpoint of a user who is actually playing the game.
It is hard to know how to read this reasoning. Interoperability, it seems, is only a defense if the resulting program does not do anything interesting, and if it is not distributed as free software. The court also found that the developers had violated the DMCA's provisions regarding trafficking in anti-circumvention devices:
The defendants' purpose in developing the bnetd server was to avoid
the anti-circumvention restrictions of the game and to avoid the
restricted access to Battle.net. Thus, the sole purpose of the
bnetd emulator was not to enable interoperability. The bnetd
emulator had limited commercial purpose because it was free and
available to anyone who wanted to copy and use the program.
This language contradicts the court's statement of the "undisputed facts" in the first part of the ruling:
The users of the Battle.net service have occasionally experienced
difficulties with the service. Blizzard has also received
complaints about user profanity and users who cheated to win games
by modifying Blizzard's software ("client hacks")... To address
their frustrations with Battle.net, the defendants joined a group
of non-profit volunteer game hobbyists, programmers, and other
individuals called the "bnet project."
The above is, remember, an undisputed fact. The court chose, however, to ignore that fact and recast the purpose of bnetd to suit its reasoning. On top of that, the idea that bnetd is a circumvention device because it carries a free license is truly chilling. The end result is that Blizzard is able to place strong restrictions on the users of its games, preventing them from communicating via any sort of alternative service. Free software developers have been restricted in the sort of code they can develop, and the value of Blizzard's games for its own customers has been reduced. There are certainly problems with the DMCA which allow this sort of thing to happen. This is, however, also a problem with proprietary software; free software users do not have to cope with restrictions of this type. Unfortunately, it may be a long time before we see free games which offer the sort of experience provided by the best of today's proprietary offerings.
DieboldThe Diebold case was the source of another important ruling (PDF). In this case, Diebold attempted to use the DMCA to shut down distribution of leaked internal messages between its employees regarding problems with Diebold's electronic voting systems. The core of the ruling was that Diebold misused the DMCA by attempting to force a takedown of material which was not copyrightable.
The purpose, character, nature of the use, and the effect of the
use upon the potential market for or value of the copyrighted work
all indicate that at least part of the email archive is not
protected by copyright law. The email archive was posted or
hyperlinked to for the purpose of informing the public about the
problems associated with Diebold's electronic voting machines. It
is hard to imagine a subject the discussion of which could be more
in the public interest.
The Diebold ruling may not affect free software developers directly, but it should serve to put some limits on the use of DMCA takedown notices.
KodakA court in Rochester, NY (Kodak's home town) has found that Sun has infringed upon three of Kodak's patents. Kodak claims that Sun should owe it just over $1 billion for its crime. Intellectual property suits, it seems, are increasingly the strategy of choice for businesses in decline.The patents (numbers 5,421,012, 5,226,161, and 5,206,951) all read about the same; they would appear to describe any of a number of object request brokers or remote procedure call mechanisms. If they are upheld, Kodak can be expected to begin shaking down technology companies across the U.S.; they would be unlikely to limit themselves to those working with Java. This looks like a case with a reasonably high likelihood of being reversed on appeal. In the mean time, it serves as yet another reminder of what software patents are doing to the computing industry in the U.S. Until the U.S. patent system is reformed, these lawsuits will be a constant threat. One can only hope that the parts of the world which do not, yet, recognize software patents are paying attention.
SCOThe SCO group had a minor setback in the IBM case when Judge Kimball denied two of the company's motions regarding scheduling. The ruling is up on Groklaw. The judge had little sympathy for SCO's position:
However, there is nothing in the Amended Scheduling Order that
precludes IBM from filing motions for summary judgment, and there
is nothing in the Scheduling Order that relieves SCO from
responding to such motions. Thus, it is puzzling that SCO seeks to
"enforce" the Amended Scheduling Order when there is nothing in
that Order to justify SCO's request for a significant delay in
filing its responses.
The big ruling - on IBM's motion for a summary judgment on its tenth counterclaim (stating that its Linux work does not infringe SCO's copyrights) - is still pending. (What is also pending, incidentally, is the agreement with SCO's lawyers on putting a cap on SCO's legal costs. SCO may have encountered some difficulties in closing that deal.)
Red Hat acquiring Netscape Enterprise Solutions software Last week, Red Hat announced it had reached a deal to buy some of the software from the Netscape Enterprise Suite. Red Hat spokesperson Leigh Day said that the deal has not yet been finalized, but that it is expected to close in the next two weeks. Red Hat is paying $23 million for the software, but what is it getting, and why does the company want to buy software that it could develop instead? Day said that Red Hat is getting Netscape's Directory Server, Certificate Management, messaging and calendering software. According to Day, it was worth spending the $23 million because "Red Hat is gaining a tried and true technology that would take years to develop on its own." The company will also be taking on a team of developers from AOL/Netscape that have been working on the software. Though Netscape was acquired several years ago, the Directory Server software was still under active development. Netscape Directory Server 6.2 was released last December. It doesn't take a marketing expert to divine Red Hat's motives for the acquisition. When going head-to-head with Microsoft or Novell, Red Hat needs a mature directory services and groupware suite. Day confirmed that Red Hat would be using its acquisition to compete directly with directory server offerings from Microsoft and Novell. She also noted that Netscape's software is in use by a number of enterprise and government agencies. Whether Red Hat will gain those customers as part of the acquisition is another question. Day said that Red Hat has not yet announced whether the company would be taking over support for current users of Netscape Security Solutions. She also wasn't sure whether Red Hat's final product would support operating systems other than Linux. Netscape Directory Server currently runs on HP-UX, Solaris, Windows NT and 2000 and Red Hat Advanced Server. Red Hat currently ships OpenLDAP with its enterprise products. What does Netscape Directory Server offer that OpenLDAP does not? Both technologies implement the features of the Lightweight Directory Access Protocol (LDAP), but a glance at the features list for Netscape Directory Services shows that there are several features not implemented in OpenLDAP, including schema updates, server-side sort of search results, and a number of other features. Netscape's software also offers GUI administration tools and tuning tools that are probably a bit more user-friendly than OpenLDAP's tools. In keeping with Red Hat's open source policy, Red Hat will be releasing the software under the GPL, according to Day. As with the Sistina Global File System (GFS) software, it will be between six and twelve months before the code is released. Why such a lengthy process? Day said that Red Hat would use this time to optimize the code for its products, and for a community development process. Day said that the software would also be usable with Fedora, but wasn't sure if it would be released as part of Fedora Core. We also wondered whether any patents would be part of the deal. Netscape was issued several patents related to directory services prior to their acquisition by AOL. Patent 6,366,913 was issued to Netscape for "Centralized directory services supporting dynamic group membership," which no doubt applies to Netscape's Directory Server. Patent 6,094,485, covering a method for "SSL step-up" may apply to Netscape's Certificate Management software. Netscape also was issued patents for an automatic client configuration system, a system for schedule and task management, and others that may apply to the suite of applications Red Hat is buying. Day said that Red Hat's legal team is "probably still looking into that." One hopes that the lawyers are looking carefully, as it would not do to acquire the software while leaving AOL with the patents related to the software. Red Hat may also find need of a defensive patent portfolio in the future. In the long run, this should be very good for the Linux and open source community. The addition of Netscape's directory software and groupware solutions will give Linux yet another feature that it needs to compete with Microsoft in the enterprise market.
Page editor: Jonathan Corbet Security Inside SELinux on Fedora Core 3 Following up on a previous overview of Security Enhanced Linux (SELinux), this article looks more closely at the implementation of Security Enhanced Linux (SELinux) in Fedora Core 3 test2 (FC3). FC3 provides two separate SELinux policies, a default "targeted" policy and the more restrictive "strict" policy. The targeted policy focuses on a handful of specific system daemons and locks down their access while allowing the rest of the system to run using the standard Linux security mechanisms. The FC3 SELinux FAQ describes the reasoning behind the targeted policy:
Initially, when SELinux was included in Fedora Core, the NSA strict
policy was enforced. For testing purposes, this helped to find hundreds
of problems in the strict policy. In addition, it became obvious that
applying a single strict policy to the many environments of Fedora users
was not feasible. Managing a single strict policy for anything other
than default installation was going to require local expertise.
There are 9 daemons currently handled by the targeted policy, all network services of various sorts (httpd, named, snmpd, etc.) and more daemons will be added to the policy in the future. The top-level configuration file (/etc/selinux/config) for SELinux on FC3 allows one to choose which of the policies to use and also what enforcement level to use. In particular, the "permissive" level is useful for finding problems in the policy for a specific installation as it just warns when the policy has been violated. Once the policy has been adjusted, the level can be set to "enforcing," which will cause SELinux to enforce the policies. In addition, the enforcement level can be set to "disabled" which effectively turns off SELinux. Any changes made to the configuration file require a reboot to take effect, but the enforcement level can be changed in a running system using the setenforce command. While changing the enforcement level is painless, the same is not true for changing policies. SELinux uses the extended attributes in Linux filesystems to permanently associate a security context with each file and when changing policies, the attributes of many files in the filesystem must also be changed. The fixfiles command is available to traverse the filesystem and make the required changes based on the information provided in the file_contexts file associated with the policy. file_contexts maps a regular expression describing some subtree of the filesystem (possibly down to an individual file) to a security context and fixfiles (and the related setfiles command) parse this file and set the attributes appropriately. FC3 puts the SELinux configuration in the /etc/selinux directory and the specifics for each policy in /etc/selinux/<policyname>. For example: /etc/selinux/targeted/contexts/file_contexts provides the security context configuration for files in the targeted policy. To support examining the security context of various entities in the SELinux system, the -Z command line parameter has been added to several standard utilities. The ls, ps, and id commands have been modified to display the security context of files, processes and users respectively and are very useful when diagnosing policy issues. To get a sense of what goes into the policy configuration and how complex it is, we examined the targeted policy configuration for the ntpd program. Once the selinux-policy-targeted-sources package is installed, the configuration file for ntpd can be found in /etc/selinux/targeted/src/policy/domains/program/ntpd.te. This file specifies the access that the daemon will be allowed to have and should specify all of the system entities (files, sockets, etc.) that the program needs to access for correct operation. The level of detail required in this file is rather eye opening:
New vulnerabilities cups: information leak
freenet6: file protection problem
net-acct: temporary file vulnerability
netkit-telnet: invalid free pointer
php: information disclosure and file upload vulnerabilities
rp-pppoe, pppoe: missing privilege dropping
samba: unauthorized file access
sharutils: arbitrary code execution
Updated vulnerabilities Apache mod_proxy: denial of service
apache: protected pages vulnerability
apache2: stack-based buffer overflow in ssl_util.c
aspell: bounds checking problem
cdrecord: failure to drop privilege
cups: denial of service
Filename disclosure vulnerability in fam
flim: insecure file creation
Foomatic: Arbitrary command execution in foomatic-rip
FreeRADIUS: denial of service
Gaim: remote code execution vulnerability
gtk2, gdk-pixbuf: buffer overflows
getmail: filesystem overwrite vulnerability
glibc: Information leak with LD_DEBUG
gnome-vfs: backend script vulnerabilities
gtkhtml: malformed messages cause crash
apache2: IPv6 denial of service
imagemagick: buffer overflow vulnerability
imlib2: buffer overflows
iproute: local denial of service
jabberd: remote denial of service vulnerability
kdebase: multiple vulnerabilities
kernel information leak
kernel-utils: setuid vulnerability
lha: stack-based buffer overflow
libpng: multiple vulnerabilities
libxpm4: stack and integer overflows
logcheck: symlink vulnerability
Midnight Commander: extfs vfs vulnerability
mikmod: buffer overflow
mod_python: denial of service vulnerability
mozilla products: arbitrary code execution and other vulnerabilities
mpg123: buffer overflow bug
mpg321: format string vulnerability
neon: buffer overflow
netpbm: insecure temporary files
OpenOffice: information disclosure
openssh: timing attack leads to information disclosure
OpenSSL: denial of service vulnerabilities
pavuk: buffer overflow
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||