Time to expand the DMCA?
Since it was enacted, the U.S. Digital Millennium Copyright Act (DMCA) has
stifled security research, led to the arrest of visiting programmers, shut
down fair use, prohibited the creation of free DVD players for Linux, and
facilitated anti-competitive moves by manufacturers of printer cartridges
and garage door openers, among others. The EFF and others have been pushing for a reform of the DMCA for some time, and the occasional member of Congress has tried to bring that about. The DMCA is a law which clearly needs fixing.
Now, there is a new attempt to amend the DMCA in the works; a copy
of the DMCA with the proposed changes highlighted [PDF] is available
for those who are interested. This proposal, however, would have the
effect of making the DMCA significantly worse. Here are a few highlights:
- No longer content with criminalizing copyright infringement, the new
law would make even attempted infringement illegal - with the same
penalties. There would be no need to actually copy anything to
violate the new DMCA.
- The new law authorizes the impounding of "records documenting the manufacture, sale, or receipt of items involved in such violation." Such records certainly will include Internet service provider logs.
- The penalty for copyright infringement will be raised to a maximum of
ten years in prison - twenty for repeat offenses. In the future,
rational criminals will not copy CDs; the potential penalty for simply
stealing them will be lower. The new ten-year penalty will apply to
those committing the heinous crime of recording a live concert as
well.
- The use of wiretapping and similar techniques is authorized for
investigations into criminal copyright infringement or recording of
live performances.
- Criminal and civil forfeiture powers would be available to law enforcement agencies
dealing with copyright cases.
The addition of forfeiture powers is, perhaps, the scariest part of this
whole proposal. Civil forfeiture has long been a part of the U.S. "drug
war," with the result that many law enforcement actions - often against
innocent people - have been motivated
primarily by the prospect of seizing valuable property. If this law goes
through, any music player, laptop, or server deemed to have somehow
participated in copyright infringement will be subject to seizure by the
police - along with the houses they are found in. Anybody who thinks this
power would not be abused has not been paying much attention.
As of this writing, the proposed legislation has not yet been formally
introduced for consideration, but has been circulated among some members of
the House of Representatives.
A different bill which, according to the EFF, has been introduced is the "PERFORM act." This law can be thought of as a sort of broadcast flag for the net; it would require those broadcasting copyrighted material on the net to use DRM-afflicted formats. No more Vorbis or Theora streams - or even MP3. And, obviously, no way to tune into such streams using free software.
These bills make it clear that the powers behind the expansion of
"intellectual property rights" are not yet satisfied and want more. This
sort of thing will keep coming, and not just in the U.S. If we value our
freedom, we must be prepared to keep fighting - and to work to push the
pendulum in the other direction.
The JMRI Project and software patents
April 25, 2006
By Pamela Jones, Editor of Groklaw
[Editor's note: The case of KAM Industries and the JMRI project is an
important one; it is one of the first times where a free software developer
has been directly attacked by a patent holder and held responsible for
royalties for every downloaded copy. If we wish to be able to post
software without risking hundreds of thousands of dollars (or more) in
royalty demands, we must quickly put an end to this sort of thing. We
asked Groklaw founder Pamela Jones to put together a summary of this case
and what we can do about it; the following is her response.]
The Right to Create blog has a letter from the attorney, Victoria K. Hall, who is representing Robert Jacobsen, the man who was sent the bill for $203,000 for allegedly infringing patents with his open source model train software. He has struck first, filing a lawsuit himself, Jacobsen v. Katzer et al, charging that the patent was fraudulently obtained and hence is invalid and unenforceable. The complaint also says the patent is invalid on the grounds of obviousness and for failure to meet the written description requirement of 35 U.S.C. Sec. 112.
So, on one side we find an Open Source developer, and, on the other, a guy wielding questionable software patents. Of course, as in all litigation, it's important to keep in mind that nothing is proven by a complaint. It's just the opening salvo, and we haven't yet heard the defendants' side.
Hall is asking the community to look
for prior art. Let me tell you a little bit about the case, from the
materials in the complaint Jacobsen has filed. It may help you to
more effectively find prior art. It will surely motivate you.
The lawsuit
The case is 5:2006cv01905, filed in the US District Court for the Northern District of California, San Francisco Division, for those of you with Pacer accounts. The plaintiff lives there and works at the Lawrence Berkeley National Laboratory of the University of California and he also teaches physics there. He's also a model train hobbyist who has written, with others, open source code called JMRI, or Java Model Railroad Interface, which allows you to control how model trains run on a track. He's the primary developer of the software through the JMRI Project.
Ms. Hall, although located in Maryland, is admitted to practice in
California as well as in Maryland state courts and is a patent attorney
admitted to practice before the USPTO. Interestingly, she worked in the
chemical engineering and software industries for nine years before she
went to law school.
The suit is an action for declaratory judgment that
Katzer's patent, US Patent No. 6,530,329, called the '329 patent, is
"invalid, unenforceable, void and/or not infringed by Plaintiff
Jacobsen". What's a declaratory judgment?
Here's US Code Title 28, Ch 151, § 2201, the Declaratory Judgment Act. And here is a definition from Cornell's Legal Information Institute. If someone is threatening to sue you, but hasn't yet, in certain limited circumstances, you can take the initiative rather than waiting for the axe to fall, go to court and in essence say: "This person or this company is threatening to sue me and I need our respective rights with respect to this dispute settled, so this cloud over my or my company's head doesn't ruin my business."
The court doesn't have to hear a request for a declaratory judgment. It
has discretion. It's an enabling statute, and your case has to fit into
the confines of the Declaratory Judgment Act, namely you have to have an
actual "controversy" in the constitutional sense. That means it isn't a
hypothetical problem and it isn't moot, meaning, first, that you really
have a realistic and reasonable apprehension of actually being sued, and
second, that the court can settle your problem with a declaratory
judgment.
If the judge accepts the dispute, he can issue a declaratory
judgment, in which he "declares" what each party's rights are, the idea
being that if, for example, he declares that you aren't infringing your
adversary's patent, then you can't be sued.
Mr. Jacobsen's complaint is also a complaint for "violation of federal
antitrust laws, the Lanham Act, and California Unfair Competition Act
and for libel." The Complaint asks for a decree that the defendants
Katzer and his company "have attempted to monopolize the market for
multi-train control systems software in the United States" in violation
of Section 2 of the Sherman Act.
The defendants
The named defendants are Matthew Katzer, KAMIND Associates, Inc. d/b/a
KAM Industries, and Kevin Russell. Katzer is a model train hobbyist who
has written software code for controlling model trains and is an expert
in the field. He has several patents, and the complaint states that
Jacobsen believes there are more pending. KAM is Katzer's business,
selling products embodying Katzer's patents.
Here's the surprising twist. The third defendant, Kevin Russell, is their lawyer. He works for a firm in Oregon, Chernoff, Vilhauer, McClung & Stenzel. He's now accused of libel, and the court is asked to find against the defendants, jointly and severally, to the tune of $50,000 plus punitive damages.
Russell filed a request under the U.S. Freedom of Information Act with the Lawrence Berkeley National Laboratory, not only accusing Jacobsen of patent infringement, but claiming that the Lab "had sponsored the allegedly infringing JMRI Project's activities."
The DOE turned down the request in December of 2005, but not before Jacobsen was embarrassed and had to explain the whole "harassment story," as he describes it, to his boss and the DOE FOIA liaison. The complaint also says it interfered with his work, resulting in a loss of income. The FOIA request, Jacobsen says, caused him embarrassment, particularly because he's "a scientist whose work involves the creation of intellectual property."
The complaint continues, saying that Russell knew that the Lab, which has a contract with the U.S. Department of Energy, has nothing to do with the JMRI Project. The defendants made the allegation, says the complaint, "to effect Defendants' goal to embarrass Plaintiff Jacobsen and force him to shut down the JMRI Project and to pay royalties to Defendant KAM."
The patent
According to Jacobsen, the basis for claiming that the patent is not valid is the defendant's history of applying for patents on what others invent without telling the patent office about the prior art. Another charge is that Katzer didn't tell the patent office that some of KAM's products "were in public use, published, offered for sale or sold more than 1 year before Defendant Katzer filed the '461 application," which would disqualify them for patent protection. The patent in question, '329, claims the benefit of earlier patent applications' filing dates, '461 being the earliest filed in the chain that '329 issues from.
The complaint lists prior art dating back to 1986 that it says Katzer ought to have told the USPTO about, since the complaint alleges he knew about it. For example, in late March of 2002, the story continues, the JMRI Project software's client-server capabilities were described in a posting to a public mailing list, which Katzer is on. Then on April 14, 2002, the first version of JMRI with the new capabilities was released for public download and announced on several mailing lists and on the JMRI website. "Three days later, Defendant Katzer filed a patent application tailored to claim the capabilities of the JMRI Project software." Again, the Complaint says, Katzer didn't tell the patent examiner about the JMRI Project.
Jacobsen says he received a letter from KAM in March of 2005, offering
to license for $19 per program installed on a computer, saying that JMRI
was infringing claim 1 of the '329 patent. Jacobsen says he wrote a
letter back asking exactly how he was infringing, and his answer was a
letter in August, saying that he was infringing claim 1 and that they
were now investigating to see if any other patents were infringed by
JMRI. Oh, and the price to license was now $29. The letter also
demanded $203,000 for the 7,000 copies already distributed. In October
came a bill with finance charges, so the total had risen to more than
$206,000. He's gotten bills roughly every month since.
Jacobsen is about to release a new version of his software, and that's why he's asking the Court to bring resolution to the matter, because he believes the defendants will sue him when he releases the new version. He's also asking for redress.
The request
Aside from the declaratory judgments, the antitrust decree, and the
libel damages, the Plaintiff is asking for the following:
- An injunction ordering Defendant Katzer to identify all patents and patent applications filed in the United States and throughout the world, to produce to their respective patent offices all material references discovered through this litigation, and to request re-examination (or the nearest equivalent proceeding outside the U.S.) of any patents issuing from the patent applications.
- An award of treble damages for the loss of income and other property on the antitrust claim.
- A decree that Defendants Katzer and KAM have engaged in unlawful, unfair and/or fraudulent business practices in violation of the California Unfair Competition Act, California Business and Professions Code, and an order enjoining them from any future such conduct.
- An order finding that Katzer cybersquatted on the trademarked name, www.decoderpro.com, in violation of the Lanham Act and requiring him to turn the domain name over to Plaintiff Jacobsen.
- An order enjoining Defendant Katzer and Defendant KAM, and all persons and entities under their direction or control, from engaging in or carrying out any further anti-competitive or bad faith conduct.
- An order referring the matter to the U.S. Attorney's Office for investigation into antitrust violations, perjury, mail fraud, and cancellation proceedings against any patents involved in this litigation, and any related patents.
- An order awarding costs and attorney's fees as permitted by law, including 35 U.S.C. Section 285.
What you can do
Ms. Hall in her letter asks that no one harass the defendants "through
calls, letters, faxes, emails, etc. It does NOT advance the case in Mr.
Jacobsen’s favor." What does help is to find prior art. Groklaw just
published a basic tutorial on prior art, Prior
Art and Its Uses - a Primer, by a patent attorney, Theodore C.
McCullough. It might help you.
Here is what Ms. Hall is asking for:
The key date is prior art existing before June 24, 1998, and more importantly, prior art existing before June 24, 1997. The prior art that we are looking for is:
- A patent or printed publication that described the invention. Source can be from anywhere in the world.
- Evidence of public use, offer for sale, or sale in the United States. (If it’s from outside the U.S., please make a note and send it so we can follow up.)
- Evidence of another person inventing the same thing in the U.S. – the invention must not have been suppressed, concealed or abandoned.
- If the evidence is not the exact invention, then any information (in addition to the evidence) suggesting that the evidence could be combined with something else to successfully make the invention.
Here's her contact information, if you do find prior art. Snail mail is the best, she says. I can't help but point out that had the Peer to Patent Project mentioned in McCullough's article been in place a few years ago, these patents might well have been blocked before they issued, and all this woe could have been prevented. If nothing else, this incident can help us to understand what patent projects like that are designed to address.
So, there you have the information and the tools to get started searching for prior art. Happy hunting.
Learning the lesson: open content licensing
April 26, 2006
This article was contributed by Glyn Moody
As the previous feature on open content noted, the need for an appropriate license was felt from the earliest days. Strangely, it was not Richard Stallman who filled this gap: even though the GNU General Public License dates back to 1984, it was only in 2000 that the corresponding GNU Free Documentation License was created. As a result, the honor for the creation of the first formal non-software open license goes to David Wiley.
In the summer of 1998, Wiley had joined the graduate program in Instructional Psychology and Technology at Brigham Young University, where he began doctoral work on “learning objects” - small-scale, reusable computer-based educational materials designed to be used in a variety of settings. This was just a couple of months after the term “open source” had been devised at the Freeware Summit, and Wiley realized that what was needed was a kind of open source for instructional content.
He contacted people like Richard Stallman and Eric Raymond to ask their advice, and drew up his first license in July 1998. Wiley decided to call his approach “open content” - a term which he seems to have been the first to use consistently. For Stallman, the idea of “open” as opposed to “free” is anathema, and he also refuses to refer to works as “content”, so ultimately he wanted nothing to do with this new “OpenContent License”, even though he and Wiley had previously worked together in an attempt to tweak the GNU GPL for content. Raymond, by contrast, was an important influence on the fledgling open content idea, as the following passage from the newly-created Opencontent.org site indicates:
OpenContent advocates adoption of the principles Eric S. Raymond outlines in his essay “The Cathedral and the Bazaar” for use in the development of Content. ... The Bazaar model for Content development will bring these same benefits to online instructional content; namely the creativity, expertise, and problem-solving power of a potentially infinite team of instructional designers and subject matter experts. A development effort of this kind will fill the Internet with high quality, well-maintained, frequently updated Content.
More input was provided by Tim O'Reilly and Andy Oram, making the license more palatable to publishers so that online versions of printed books and journals could be distributed for free. The result was the Open Publication License (OPL), released in June 1999. Appropriately enough, Raymond's “Cathedral and the Bazaar” was released under the OPL (as was his “Brief History of Hackerdom”). A number of other books, mostly in the field of computing, adopted the license, including GTK+/Gnome Application Development by Havoc Pennington, and Grokking the GIMP, by Carey Bunks. It was also adopted for Bruce Perens' Open Source Series, published by Prentice Hall.
Although the OPL led to a modest increase in open content being made available, the license still had some problems. One was that it came in four versions – OPL, OPL-A, OPL-B and OPL-AB - according to which, if any, of two optional clauses were included. These dealt with the thorny issues of “substantively modified works” and whether the work or derivatives of it could be published in book form for commercial purposes. The combinations obviously made it harder to be sure what exactly an OPL license permitted, and meant that users were forced to refer to the license to find out what their rights were. What was needed was some legal input to produce a series of open content licenses that clearly delineated what could and could not be done with them.
Fortunately, in the second half of the 1990s, a group of lawyers were becoming increasingly interested in the interrelated issues of copyright, intellectual property, digital content and the public domain. Pioneers here include Pamela Samuelson, James Boyle and Yochai Benkler. But the person who has become most closely associated with this whole area is undoubtedly Larry Lessig.
He rose to prominence with his book “Code and other laws of Cyberspace”, which asserted that the Net's software codes necessarily implied legal codes. From this early interest in architectures and their growing power to affect everyday life, Lessig's focus gradually shifted back to the legal domain, where he sought to counter the threats posed by the music and film industries to the new creative possibilities opened up by the Net.
His first attempt at a solution was the creation of Copyright's Commons in 1999, “a coalition devoted to promoting the public availability of literature, art, music, and film.” Its principal instrument was the use of what it called “counter-copyright”, which “strips away the exclusivity that a copyright provides and allows others to use your work as a source or a foundation for their own creative ideas. The counter-copyright initiative is analogous to the idea of open source in the software context.”
When Copyright's Commons became involved in the Eldred vs. Ashcroft lawsuit – which tried to block the extension of US copyright by 20 years - it also pioneered what it called “openlaw”, where legal arguments were posted online for open discussion.
It was Lessig who argued the Eldred vs. Ashcroft case in court – and lost, much to his chagrin. A more positive outcome from this work was the creation of a second, more ambitious, organization called Creative Commons, and the drawing up of a series of formal open content licenses. Like Wiley's Open Publication license, these Creative Commons licenses allow several options. While this lends them great flexibility, it also means that there is now a confusing array of Creative Commons licenses. Indeed, Richard Stallman no longer supports the Creative Commons project because not all of these licenses meet his requirements for freedom.
Despite Stallman's concerns, there is no doubt that the Creative Commons licenses have transformed the open content scene. They offer creators a range of rigorous licenses that have been drawn up by lawyers with a deep understanding of the issues of copyright in the Net age. An important recent court case in the Netherlands has confirmed their legality, at least in that jurisdiction.
Wiley's original licenses were created for educational materials, and among the first applications of the Creative Commons licenses were two major open content projects in the field of what has come to be called open courseware, both funded by the Hewlett Foundation. Just as open source avoids re-inventing the wheel by building on existing code, so open courseware aims to save time, effort and money by making educational material freely available for others to re-use, extend and improve.
The first such project, Connexions, came from Rice University. It was the brainchild of Richard Baraniuk, professor of electrical engineering, who was directly inspired by the example of open source. Connexions uses a content creation platform called Rhaptos, which is released under the GNU GPL. The other major open courseware project came from MIT. One of the people behind the OpenCourseWare idea – which arose out of an earlier failed attempt to make money from selling MIT courses online – was Hal Abelson, who is also one of the founders of Creative Commons. This joint involvement simplified the issue of licensing, something that was a major issue for Rice initially, until it too adopted a Creative Commons license.
MIT does not use an open source platform, but David Wiley has started a project called eduCommons, based on Plone, that offers this facility. Another of his free software projects, called Open Learning Support, and now part of eduCommons, provides Rice's Connexions and MIT's OpenCourseWare with online discussion boards. Baraniuk, for his part, is working on a range of ancillary open source software, including systems to aid translation, and a rating system for courses. It is also worth mentioning the free software course management package Moodle, which is widely used around the world, and Sakai, a similar project, funded by the Hewlett Foundation.
Although both Connexions and OpenCourseWare allow course materials to be modified, they do not make any provision in their platforms for true collaborative development. The final article in this short series will explore how this issue has been addressed by open content projects.
Glyn Moody writes about open source and open content at opendotdotdot.
Page editor: Jonathan Corbet
Security
A flurry of kernel security fixes
April 26, 2006
This article was contributed by Jake Edge.
Over the last month, there have been eleven separate releases in the 2.6.16
stable kernel series, seven of which were single-patch releases for security
related issues. This flurry of security fixes would make one think that
there was a concerted effort by an individual or organization to try and
find kernel security problems, but that is not the case. It is entirely
coincidental that all of these fixes came about at around the same time.
A chronological look at each of these fixes gives a nice picture of the
diverse places that kernel developers are looking for bugs in general
and security bugs in particular.
Roughly a week after the original 2.6.16 release, the 2.6.16.1 release
contained 19 patches, including one that fixed
CVE-2006-1242.
Code had been put into the kernel in the 2.4 series to stop leaking
information in the form of fragment IDs in TCP packets that did not
require them. Packets that have the DF (don't fragment) bit set do
not need a fragment ID and eliminating that information is a
countermeasure to a technique called
idle scanning.
Unfortunately when the original change was made, the response to a
certain kind of packet (a SYN-ACK packet) was missed and that was
discovered in March.
The 2.6.16.2 release came out on 7 April and had quite a few fixes, including a change to the sysfs interface covered by LWN two weeks ago.
On the 11th and 12th of April, there were three releases, each of which included just one security fix. 2.6.16.3 is a fix for a bug that would allow a user to oops the kernel by passing invalid arguments to the keyctl utility (CVE-2006-1522). If the user specified a key as the target for an "add key" operation, rather than a keyring, an invalid dereference in the kernel would result.
The 2.6.16.4 release fixes a reachable BUG_ON() in the __group_complete_signal() function (which is part of the RCU signal handling code); the advisory says the problem "has unknown impact and attack vectors". If a user process could trigger the condition checked by that BUG_ON() call, it could oops the kernel and lead to a denial of service (CVE-2006-1523).
A difference in the way Intel and AMD 64-bit CPUs handle non-canonical return addresses led to the 2.6.16.5 release (CVE-2006-0744). The Intel CPU reports the exception on the SYSRET instruction, which causes the kernel exception handler to run using the user stack. Kernel processing using a user-created stack would seem rife with opportunities for exploitation.
The 2.6.16.6 release came out a week later with another long
list of patches, two of which
have security implications. The m32r architecture had a bug in the
get_user and put_user macros that did not check the
address passed to them which would allow access outside of the process
address space.
A more widespread issue was addressed with a patch in this
release and then fixed in the 2.6.16.7 release later in the day.
The MADV_REMOVE vulnerability
(CVE-2006-1524) has been present in kernels since 2.4 and allows local users
to potentially bypass the access restrictions on a read-only attachment
of shared memory. The user process could call mprotect() and gain
write permission on a piece of memory even though the memory was
explicitly set to be read-only when shared via the shared memory IPC
mechanism.
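The access-restriction problem described above can be checked for from user space without any kernel knowledge. The following is an added example (not code from the article or from the kernel): it attaches a System V shared memory segment read-only with SHM_RDONLY and then asks mprotect() for PROT_WRITE, which a kernel that honours the attachment rights refuses with EACCES. Because SysV shared memory is often unavailable inside containers, the same invariant is checked a second way with a MAP_SHARED mapping of a file opened read-only. The enum names, the "skipped" outcome and the temporary file location are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#include <unistd.h>

/* Outcome of one check (names are this example's own). */
enum mprotect_check {
    MPROTECT_CHECK_SKIPPED  = -1,  /* facility unavailable here; inconclusive */
    MPROTECT_CHECK_ENFORCED =  0,  /* kernel refused the promotion with EACCES */
    MPROTECT_CHECK_WRITABLE =  1   /* promotion succeeded: the bug is present */
};

/* Ask for write access on a mapping that was created read-only and classify
 * the kernel's answer.  A correct kernel never lets mprotect() grant more
 * than the original attachment/open mode allowed. */
static enum mprotect_check try_promote(void *addr, size_t len)
{
    if (mprotect(addr, len, PROT_READ | PROT_WRITE) == 0)
        return MPROTECT_CHECK_WRITABLE;
    return errno == EACCES ? MPROTECT_CHECK_ENFORCED : MPROTECT_CHECK_SKIPPED;
}

/* The case from the article: SysV shared memory attached with SHM_RDONLY. */
enum mprotect_check check_readonly_shm_mprotect(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int id = shmget(IPC_PRIVATE, page, IPC_CREAT | 0600);
    if (id < 0)
        return MPROTECT_CHECK_SKIPPED;       /* no SysV IPC in this sandbox */
    void *ro = shmat(id, NULL, SHM_RDONLY);
    shmctl(id, IPC_RMID, NULL);              /* segment is freed on last detach */
    if (ro == (void *)-1)
        return MPROTECT_CHECK_SKIPPED;
    enum mprotect_check r = try_promote(ro, page);
    shmdt(ro);
    return r;
}

/* Same invariant for a MAP_SHARED mapping of a file opened O_RDONLY. */
enum mprotect_check check_readonly_file_mprotect(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/ro-map-XXXXXX";     /* assumed writable temp location */
    int wfd = mkstemp(path);
    if (wfd < 0)
        return MPROTECT_CHECK_SKIPPED;
    if (ftruncate(wfd, (off_t)page) < 0) {
        close(wfd);
        unlink(path);
        return MPROTECT_CHECK_SKIPPED;
    }
    int rfd = open(path, O_RDONLY);          /* a read-only descriptor to map */
    unlink(path);
    close(wfd);
    if (rfd < 0)
        return MPROTECT_CHECK_SKIPPED;
    void *ro = mmap(NULL, page, PROT_READ, MAP_SHARED, rfd, 0);
    close(rfd);
    if (ro == MAP_FAILED)
        return MPROTECT_CHECK_SKIPPED;
    enum mprotect_check r = try_promote(ro, page);
    munmap(ro, page);
    return r;
}

int main(void)
{
    static const char *label[] = { "skipped", "enforced", "WRITABLE (vulnerable)" };
    printf("SysV SHM_RDONLY + mprotect(PROT_WRITE): %s\n",
           label[check_readonly_shm_mprotect() + 1]);
    printf("O_RDONLY MAP_SHARED + mprotect(PROT_WRITE): %s\n",
           label[check_readonly_file_mprotect() + 1]);
    return 0;
}
```

The three-way result matters: a check that cannot create the segment should report "skipped" rather than "enforced", so a hardened-but-untested host is not mistaken for a patched one.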
Prior to 2.6.16.8, the kernel was vulnerable to users causing a kernel panic
by requesting a route for a multicast IP address
(CVE-2006-1525). Using a simple 'ip' command from the shell would cause a
null pointer dereference in ip_route_input and panic the kernel.
This is another example of a local denial of service vulnerability.
2.6.16.9 patches a problem that affected both Linux and FreeBSD kernels
running on AMD processors which would allow a malicious process running on
the same CPU to determine portions of the state of floating point
instructions in a target process. AMD had some
comments on the bug and
provided some background information on why they chose to implement the
FXRSTOR and FXSAVE instructions differently than they
are implemented in Intel processors. Essentially, these two instructions
do not save and restore all of the same registers as Intel does and this
allows information to leak from one process to another. The patch ensures
that the floating point state is constant between context switches on
affected processors.
(CVE-2006-1056)
Last on our tour of kernel security fixes is a patch made in 2.6.16.11 and released on Monday that disallows backslashes in path components unless POSIX paths have been negotiated. This change is for the CIFS filesystem code (the client for Windows and Samba shares); one can only imagine the kinds of havoc one could cause by putting backslashes (the standard Windows path separator) into CIFS paths. This bug is CVE-2006-1863, but the CVE database just shows a placeholder page for that number at the time of this writing.
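The rule in that fix is easy to state as a stand-alone validator. The following is an added example, not the kernel's cifs code: a backslash inside a single path component is the SMB path separator, so passing it through would let one component name splice an extra directory level into the path sent to the server; it is only an ordinary character when the POSIX path extensions have been negotiated. The component length limit, the extra Windows-reserved characters and the helper that walks a '/'-separated path are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Longest component this example accepts (an assumed limit, not CIFS's). */
#define MAX_COMPONENT 255

/* Returns true if 'name' is acceptable as one path component.
 * posix_paths: true when the server negotiated the CIFS POSIX extensions,
 * in which case a backslash is just another byte in a file name. */
bool cifs_component_ok(const char *name, bool posix_paths)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_COMPONENT)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/')       /* the client-side separator never belongs inside a component */
            return false;
        if (posix_paths)
            continue;       /* POSIX-style names: everything else is literal */
        if (c == '\\')      /* SMB separator: would splice a directory level into the path */
            return false;
        if (c < 0x20 || strchr(":*?\"<>|", c))  /* control chars, Windows-reserved chars */
            return false;
    }
    return true;
}

/* Splits a '/'-separated path and validates each component.
 * Returns -1 when every component is acceptable, the 0-based index of the
 * first rejected component otherwise, or -2 if the path is too long to examine. */
int cifs_path_first_bad(const char *path, bool posix_paths)
{
    char buf[4096];
    if (strlen(path) >= sizeof buf)
        return -2;
    strcpy(buf, path);
    char *save = NULL;
    int idx = 0;
    for (char *tok = strtok_r(buf, "/", &save); tok != NULL;
         tok = strtok_r(NULL, "/", &save), idx++) {
        if (!cifs_component_ok(tok, posix_paths))
            return idx;
    }
    return -1;
}
```

Note that the same byte sequence is rejected or accepted depending only on the negotiated mode; the check has to be made with knowledge of the session, not once at compile time.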
Observant readers will have noticed that
we skipped over 2.6.16.10 as it was a release with quite a few patches, none
of which were noted as being security related.
As this laundry list of issues shows, there are a wide variety of places
that kernel bugs can impact security, but the many eyes of kernel developers
seem to be finding and fixing them. This process plays out in the open
and that can give competitors ammunition to claim that Linux is less
secure than certain proprietary systems. Reasonable people
would more likely come to the conclusion that Linux developers are much more
interested in finding these issues and fixing them. The kernel
community has no interest in hiding vulnerabilities or playing games
with security patch descriptions to make the OS look more secure. PR
considerations just do not seem to be on the radar of the technical
contributors and that is just as it should be.
New vulnerabilities
abc2ps: buffer overflows
| Package(s): | abc2ps abcmidi |
| CVE #(s): | CVE-2006-1513, CVE-2006-1514 |
| Created: | April 25, 2006 |
| Updated: | April 26, 2006 |
| Description: | Erik Sjölund discovered that abc2ps, a translator for ABC music description files into PostScript, does not check the boundaries when reading in ABC music files, resulting in buffer overflows. The abcmidi-yaps utility suffers from similar problems. |
| Alerts: | |
beagle: command line injection
| Package(s): | beagle |
| CVE #(s): | |
| Created: | April 21, 2006 |
| Updated: | April 26, 2006 |
| Description: | Chris Evans discovered that while indexing, Beagle will build certain command lines in an insecure manner. When Beagle executes external helper applications, it is possible to cause beagle to execute arbitrary commands as the user running beagle. |
| Alerts: | |
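The two ways a program can hand a user-controlled file name to an external helper are worth seeing side by side. The following is an added example in C (not Beagle's code, which is not in C): building a shell command line with snprintf() and system() lets metacharacters in the name become shell syntax, while passing the name as one argv element through fork()/execvp() delivers it to the helper byte-for-byte with no shell in between. The helper names and the constructed file names are this example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the file name is interpolated into shell syntax and
 * /bin/sh parses the result, so ';', '$(...)', '|' etc. in the name are
 * executed rather than passed along.  Shown for contrast; not called below. */
int run_helper_via_shell(const char *helper, const char *filename)
{
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "%s %s", helper, filename);  /* no quoting at all */
    return system(cmd);
}

/* Safe pattern: execute the helper directly with an argv array.  The helper's
 * stdout is captured into 'out' so the caller can see exactly what it received. */
int run_helper_argv(const char *helper, const char *filename, char *out, size_t outlen)
{
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }
    if (pid == 0) {
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[0]);
        close(pipefd[1]);
        char *const argv[] = { (char *)helper, (char *)filename, NULL };
        execvp(helper, argv);       /* only returns on failure */
        _exit(127);
    }
    close(pipefd[1]);
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outlen && (r = read(pipefd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(pipefd[0]);
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration: run 'echo' as the helper on a constructed file name and
 * return 1 if it received exactly that name as its single argument. */
int echo_sees_literal_name(const char *filename)
{
    char out[512];
    if (run_helper_argv("echo", filename, out, sizeof out) != 0)
        return 0;
    size_t len = strlen(out);               /* echo appends a newline */
    if (len && out[len - 1] == '\n')
        out[len - 1] = '\0';
    return strcmp(out, filename) == 0;
}

int main(void)
{
    const char *name = "song; echo injected.mp3";   /* constructed sample name */
    printf("helper saw the literal name: %s\n",
           echo_sees_literal_name(name) ? "yes" : "no");
    return 0;
}
```

With the argv form, escaping the name is unnecessary because nothing ever interprets it as a command line; that is the property to look for when reviewing code that launches helpers.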
ethereal: multiple vulnerabilities
fbida: insecure temporary file creation
| Package(s): | fbida |
| CVE #(s): | CVE-2006-1695 |
| Created: | April 24, 2006 |
| Updated: | May 22, 2006 |
| Description: | The fbgs script in the fbi package 2.01-1.4, when the TMPDIR environment variable is not defined, allows local users to overwrite arbitrary files via a symlink attack on temporary files in /var/tmp/fbps-[PID]. |
| Alerts: | |
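The temporary-file pattern behind this entry, and its standard fix, in C as an added example (fbgs itself is a shell script; this is not its code). A predictable name in a shared directory can be pre-created as a symlink by any local user, and a later open() with O_CREAT|O_TRUNC follows the link and truncates whatever it points at with the caller's privileges. The fix is a per-run private directory from mkdtemp() (mode 0700) with files created inside it by mkstemp(), which uses O_CREAT|O_EXCL and therefore refuses a pre-planted link. The directory names, the "victim" file and the "predictable" name are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Safe pattern: private directory plus a unique file created with O_EXCL.
 * Honours TMPDIR like the script, falling back to /tmp; the per-run
 * directory is what removes the race with other local users. */
int open_tmp_private(char *dir, size_t dirlen, char *path, size_t pathlen)
{
    const char *base = getenv("TMPDIR");
    if (!base || !*base)
        base = "/tmp";
    snprintf(dir, dirlen, "%s/fbps-XXXXXX", base);
    if (!mkdtemp(dir))                   /* creates the directory with mode 0700 */
        return -1;
    snprintf(path, pathlen, "%s/page-XXXXXX", dir);
    int fd = mkstemp(path);              /* O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    return fd;
}

/* The property the predictable version could not guarantee: a regular file,
 * owned by us, with no group/other permission bits. */
int tmp_fd_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid() && (st.st_mode & 077) == 0;
}

/* Create a private temp file, verify it, clean up.  Returns 1 on success. */
int demo_private_tmp(void)
{
    char dir[256], path[512];
    int fd = open_tmp_private(dir, sizeof dir, path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = tmp_fd_is_private(fd);
    close(fd);
    unlink(path);
    rmdir(dir);
    return ok;
}

/* Failure mode made visible: plant a symlink at a "predictable" name inside
 * a scratch directory of our own, then show that O_CREAT|O_EXCL|O_NOFOLLOW
 * refuses it with EEXIST while O_CREAT|O_TRUNC follows it.  Returns 1 when
 * both behaviours are observed. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/fbps-demo-XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char target[512], link[512];
    snprintf(target, sizeof target, "%s/victim", dir);        /* constructed */
    snprintf(link, sizeof link, "%s/fbps-12345", dir);        /* constructed */
    int vfd = open(target, O_WRONLY | O_CREAT, 0600);
    if (vfd >= 0)
        close(vfd);
    if (symlink(target, link) < 0)
        return 0;
    int safe = open(link, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int safe_refused = (safe < 0 && errno == EEXIST);
    if (safe >= 0)
        close(safe);
    int unsafe = open(link, O_WRONLY | O_CREAT | O_TRUNC, 0600);  /* follows the link */
    int unsafe_followed = (unsafe >= 0);
    if (unsafe >= 0)
        close(unsafe);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return safe_refused && unsafe_followed;
}

int main(void)
{
    printf("private temp file: %s\n", demo_private_tmp() ? "ok" : "failed");
    printf("planted symlink refused by O_EXCL: %s\n", demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```

Both demonstrations stay inside directories the program creates itself; the point is that the safe flags fail closed on a link that exists before the open, whereas the vulnerable flags silently write through it.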
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-1056, CVE-2006-1525, CVE-2006-1524, CVE-2006-0744, CVE-2006-1522, CVE-2006-1055 |
| Created: | April 20, 2006 |
| Updated: | May 4, 2006 |
| Description: | Multiple kernel vulnerabilities have been fixed, including an x87 information leak between processes, an ip_route_input panic, a MADV_REMOVE vulnerability, an mprotect write permission problem, insecure MPBL0010 driver sysfs permissions, an x86_64 force IRET issue, RCU signal handling, a key addition oops, a sysfs write buffer issue and more. |
| Alerts: | |
php: several vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2006-0996, CVE-2006-1494, CVE-2006-1608 |
| Created: | April 25, 2006 |
| Updated: | May 24, 2006 |
| Description: | There are several vulnerabilities in PHP v5.1.2 and earlier: a cross-site scripting (XSS) vulnerability in phpinfo (info.c) that allows remote attackers to inject arbitrary web script or HTML via long array variables (CVE-2006-0996); a directory traversal vulnerability in file.c that allows local users to bypass open_basedir restrictions and allows remote attackers to create files in arbitrary directories via the tempnam function (CVE-2006-1494); and the copy function in file.c, which allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI (CVE-2006-1608). |
| Alerts: | |
Comments (none posted)
ruby1.8: denial of service
| Package(s): | ruby1.8 |
CVE #(s): | CVE-2006-1931
|
| Created: | April 24, 2006 |
Updated: | May 10, 2006 |
| Description: |
The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which
allows attackers to cause a denial of service (blocked connections) via a
large amount of data. |
| Alerts: |
|
Comments (none posted)
xzgv: heap overflow
| Package(s): | xzgv |
CVE #(s): | CVE-2006-1060
|
| Created: | April 21, 2006 |
Updated: | June 12, 2006 |
| Description: |
Andrea Barisani of Gentoo Linux discovered xzgv and zgv allocate
insufficient memory when rendering images with more than 3 output
components, such as images using the YCCK or CMYK colour space. When
xzgv or zgv attempt to render the image, data from the image overruns a
heap allocated buffer. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2005-3352
|
| Created: | December 14, 2005 |
Updated: | May 10, 2006 |
| Description: |
Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: |
|
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
CVE #(s): | CVE-2005-4470
|
| Created: | January 6, 2006 |
Updated: | June 15, 2006 |
| Description: |
Damian Put discovered that Blender did not properly validate a 'length'
value in .blend files. Negative values led to an insufficiently sized
memory allocation. By tricking a user into opening a specially crafted
.blend file, this could be exploited to execute arbitrary code with the
privileges of the Blender user. |
| Alerts: |
|
Comments (none posted)
bsdgames: buffer overflow
| Package(s): | bsdgames |
CVE #(s): | CVE-2006-1744
|
| Created: | April 17, 2006 |
Updated: | April 19, 2006 |
| Description: |
A buffer overflow problem has been discovered in sail, a game contained
in the bsdgames package, a collection of classic textual Unix games, which
could lead to games group privilege escalation. |
| Alerts: |
|
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
the permissions of arbitrary files: bzip2 changes the permissions of the
output file only after decompression is complete, so a local attacker who
replaces that output file with a hard link to another file in the meantime
gets the new permissions applied to the linked file instead. Also, specially
crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
CVE #(s): | CVE-2005-3863
|
| Created: | December 7, 2005 |
Updated: | August 29, 2006 |
| Description: |
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor. |
| Alerts: |
|
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
crossfire: arbitrary code execution
| Package(s): | crossfire |
CVE #(s): | CVE-2006-1010
|
| Created: | March 14, 2006 |
Updated: | April 24, 2006 |
| Description: |
It was discovered that Crossfire, a multiplayer adventure game, performs
insufficient bounds checking on network packets when run in "oldsocketmode",
which may possibly lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
curl: heap-based buffer overflow
| Package(s): | curl |
CVE #(s): | CVE-2006-1061
|
| Created: | March 21, 2006 |
Updated: | June 28, 2006 |
| Description: |
Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows
remote attackers to execute arbitrary commands via a TFTP URL (tftp://)
with a valid hostname and a long path. |
| Alerts: |
|
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a denial of service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to the
Cyrus-SASL server, resulting in a denial of service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
dia: buffer overflows
| Package(s): | dia |
CVE #(s): | CVE-2006-1550
|
| Created: | April 3, 2006 |
Updated: | May 3, 2006 |
| Description: |
Three buffer overflows were discovered in the Xfig file format importer.
By tricking a user into opening a specially crafted .fig file with dia, an
attacker could exploit this to execute arbitrary code with the user's
privileges. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
fcheck: insecure temporary file
| Package(s): | fcheck |
CVE #(s): | CVE-2006-1753
|
| Created: | April 17, 2006 |
Updated: | April 19, 2006 |
| Description: |
Steve Kemp from the Debian Security Audit project discovered that
a cronjob contained in fcheck, a file integrity checker, creates
a temporary file in an insecure fashion. |
| Alerts: |
|
Comments (none posted)
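The fbgs entry above (CVE-2006-1695, a predictable file under /var/tmp) and the fcheck cron job describe the same bug class: a temporary file created by name in a shared directory. The following shell script is an added example, not code from the fbi/fbgs or fcheck packages; the `fbps-$PID` style name, the function names, the victim file and its contents are all constructed for the demonstration, and the "attacker" reuses the current shell's PID to stand in for a guessed one.

```shell
#!/bin/sh
# Added example, not code from the fbi/fbgs or fcheck packages: a predictable
# temporary file in a shared directory, written the way both entries describe,
# beside the mktemp-based replacement. Directory, file names and contents are
# constructed for the demonstration.

# Vulnerable: the name is predictable (PIDs are small and guessable) and the
# write follows whatever already sits at that path. An attacker who plants a
# symlink there first makes the victim overwrite the link's target.
unsafe_tmp_write() {
    dir=$1
    tmp="$dir/fbps-$$"              # hypothetical name in the fbgs style
    echo "rendered page" > "$tmp"   # follows a pre-planted symlink
}

# Fixed: mktemp creates the file itself, with O_CREAT|O_EXCL and mode 0600,
# under an unpredictable name, so a symlink cannot be waiting at that path.
safe_tmp_write() {
    dir=$1
    tmp=$(mktemp "$dir/fbps.XXXXXX") || return 1
    echo "rendered page" > "$tmp"
}

# Simulated attacker: pre-create the predictable path as a symlink to a file
# the victim is allowed to write. The demo reuses $$ to stand in for a
# guessed PID.
plant_symlink() {
    dir=$1 target=$2
    ln -s "$target" "$dir/fbps-$$"
}

# Run one scenario in a scratch directory; print the victim file afterwards.
run_scenario() {
    writer=$1
    work=$(mktemp -d) || return 1
    victim="$work/victim.txt"
    echo "original contents" > "$victim"
    plant_symlink "$work" "$victim"
    "$writer" "$work"
    cat "$victim"
    rm -rf "$work"
}

# Returns 0 when the unsafe writer clobbered the victim through the symlink.
unsafe_clobbers_victim() {
    [ "$(run_scenario unsafe_tmp_write)" = "rendered page" ]
}

# Returns 0 when the safe writer left the victim untouched.
safe_keeps_victim() {
    [ "$(run_scenario safe_tmp_write)" = "original contents" ]
}

if unsafe_clobbers_victim; then echo "predictable name: victim file overwritten"; fi
if safe_keeps_victim;      then echo "mktemp: victim file untouched"; fi
```

The fix is not "pick a harder-to-guess name": the attacker only needs to win once, and on a multi-user box the window is open for as long as the script runs. `mktemp` moves the creation into an `O_EXCL` open, which refuses to follow a symlink at all; honouring `$TMPDIR` so the file lands in a per-user directory is a useful second line of defence.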
fetchmail: multidrop bug
| Package(s): | fetchmail |
CVE #(s): | CVE-2005-4348
|
| Created: | December 20, 2005 |
Updated: | May 27, 2006 |
| Description: |
Fetchmail contains a bug which allows a malicious mail server to crash the
client by sending a message without headers. This occurs when running in
multidrop mode. |
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
Comments (1 posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
freeradius: authentication bypass
| Package(s): | freeradius |
CVE #(s): | CVE-2006-1354
|
| Created: | March 24, 2006 |
Updated: | June 5, 2006 |
| Description: |
An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote
attackers to bypass authentication or cause a denial of service (server
crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state
machine module. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
gnupg: incorrect signature verification
| Package(s): | gnupg |
CVE #(s): | CVE-2006-0049
|
| Created: | March 13, 2006 |
Updated: | May 15, 2006 |
| Description: |
Another vulnerability has been found in
GnuPG. "Signature verification of non-detached signatures may give a
positive result but when extracting the signed data, this data may be
prepended or appended with extra data not covered by the signature. Thus
it is possible for an attacker to take any signed message and inject extra
arbitrary data." |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occur in input file names. This could be
exploited to execute arbitrary commands with the user's privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
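The zgrep flaw above (CAN-2005-0758), the enscript file-name problem and the Beagle command-line construction bug are one class: an untrusted name is pasted into a command string that a shell then parses. The script below is an added example and is not code from gzip, enscript or Beagle; the wrapper functions are hypothetical stand-ins modelled on the pre-1.3.5 zgrep behaviour, and the archive, its contents and the booby-trapped file name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from gzip, Beagle or enscript: a zgrep-style
# wrapper that pastes a file name into a command string and evaluates it,
# beside the form that passes the name as an argument. The archive, its
# contents and the file names are constructed for the demonstration.

# Vulnerable: $file is spliced into shell source, so ';', '|', '&', '$(...)'
# and friends in the name become shell syntax when eval parses it.
# (Hypothetical function modelled on the pre-1.3.5 zgrep behaviour.)
unsafe_zgrep_count() {
    pattern=$1 file=$2
    eval "gzip -dc $file | grep -c $pattern"
}

# Fixed: the name is only ever a quoted argument, and '--' stops a name that
# starts with '-' from being read as an option.
safe_zgrep_count() {
    pattern=$1 file=$2
    gzip -dc -- "$file" | grep -c -- "$pattern"
}

# Build an untrusted directory: a real archive plus a copy whose name carries
# a command. The marker file 'pwned' must not exist afterwards.
make_untrusted_dir() {
    work=$(mktemp -d) || return 1
    printf 'alpha\nbeta\nalpha\n' | gzip -c > "$work/data.gz"
    cp "$work/data.gz" "$work/data.gz;touch pwned"
    echo "$work"
}

# Returns 0 if the unsafe wrapper ran the injected 'touch pwned'.
unsafe_runs_injected_command() {
    work=$(make_untrusted_dir) || return 1
    ( cd "$work" && unsafe_zgrep_count alpha 'data.gz;touch pwned' ) >/dev/null 2>&1
    [ -e "$work/pwned" ]
    status=$?
    rm -rf "$work"
    return $status
}

# Returns 0 if the safe wrapper counted the two matches and created nothing.
safe_treats_name_as_data() {
    work=$(make_untrusted_dir) || return 1
    count=$( cd "$work" && safe_zgrep_count alpha 'data.gz;touch pwned' )
    [ "$count" = 2 ] && [ ! -e "$work/pwned" ]
    status=$?
    rm -rf "$work"
    return $status
}

if unsafe_runs_injected_command; then echo "eval: injected command executed"; fi
if safe_treats_name_as_data;     then echo "quoted argument: name treated as data"; fi
```

The same rule carries over to programs in other languages: Beagle's fix was to stop building a single command string for the shell and hand the helper an argument vector instead, which is what `"$file"` does here. Escaping the metacharacters is the wrong fix, because the list of characters that matter depends on the shell and on the quoting context the string lands in.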
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
CVE #(s): | CVE-2005-3732
|
| Created: | December 1, 2005 |
Updated: | June 8, 2006 |
| Description: |
ipsec-tools has a remote denial of service vulnerability in the racoon
daemon. If racoon is running in aggressive mode, it fails to check all peer
payloads during the IKE negotiation phase, allowing a malicious peer to crash
the daemon. One should always be careful around aggressive racoons. |
| Alerts: |
|
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
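The Kate/KWrite entry above is a permissions bug rather than a memory bug, and it is easy to reproduce the shape of it from a shell. The script below is an added example, not Kate or KWrite code: a hypothetical backup-before-save routine that creates the `~` file with default permissions, beside one that carries the original mode over. The file name, its contents and the `umask 022` (modelling the usual desktop default) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from Kate or KWrite: the backup-before-save pattern
# the entry describes, writing the backup with default permissions, beside a
# version that carries the original mode over. File names, contents and the
# umask are constructed for the demonstration; the functions are hypothetical.

# Vulnerable: the backup is a fresh file, so it gets 0666 & ~umask (usually
# 0644) whatever the original's mode was. A 0600 file leaks through its ~ copy.
unsafe_backup() {
    f=$1
    cat -- "$f" > "$f~"
}

# Fixed: cp -p copies the mode bits (and owner/timestamps where permitted)
# along with the contents. Running it under 'umask 077' means that even an
# implementation that creates first and fixes the mode later never exposes
# the file in between.
safe_backup() {
    f=$1
    ( umask 077 && cp -p -- "$f" "$f~" )
}

# Print the permission string (first field of ls -l) of a file.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Make a private 0600 file, back it up with the given function, and print the
# backup's permission string. umask 022 models the usual desktop default.
backup_mode_with() {
    backup=$1
    work=$(mktemp -d) || return 1
    ( umask 022
      printf 'secret notes\n' > "$work/notes.txt"
      chmod 600 "$work/notes.txt"
      "$backup" "$work/notes.txt" )
    mode_of "$work/notes.txt~"
    rm -rf "$work"
}

unsafe_backup_mode() { backup_mode_with unsafe_backup; }
safe_backup_mode()   { backup_mode_with safe_backup; }

echo "default-permission backup: $(unsafe_backup_mode)"   # -rw-r--r--
echo "mode-preserving backup:    $(safe_backup_mode)"     # -rw-------
```

The check a practitioner wants here is simple to run against any editor or tool that writes side files: save a `chmod 600` file and look at the mode of whatever appeared next to it (`~`, `.swp`, autosave, crash-recovery copies). Anything created by the tool should be no more readable than the original.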
kernel: multiple vulnerabilities
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, a console Gadu-Gadu instant messaging client),
which is also included in gaim, a multi-protocol instant messaging client.
This cannot be exploited on the x86 architecture, but on others, e.g. SPARC,
it leads to a bus error, in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP-driven photo website
that lets users upload images, so this vulnerability might give a remote
attacker code execution with the web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, does not correctly handle a failed
authentication attempt against an LDAP server which is not configured
properly, which allows an authentication bypass. |
| Alerts: |
|
Comments (none posted)
mailman: denial of service
| Package(s): | mailman |
CVE #(s): | CVE-2006-0052
|
| Created: | March 30, 2006 |
Updated: | June 9, 2006 |
| Description: |
Mailman 2.1.5 and below have a denial of service vulnerability
in the Scrubber.py script. If a maliciously created message
in MIME multipart format is received, mailman delivery
can be stopped. |
| Alerts: |
|