LWN.net Weekly Edition for August 14, 2003 [LWN.net]

Bringing free software to voting booths

It has been said many times that the "free" in "free software" should be understood in the sense of freedom, not economy. As has been pointed out by Lawrence Lessig and many others, software code increasingly plays a regulating role in our lives, much like the legal code does. To the extent that we can keep that code free - in view and under our control - our lives as a whole will be more free.

Few acts symbolize freedom more than voting. The image of the popular vote is so strong that even the most despotic of governments feel the need to go through the motions; Kim Jong recently won an election with 100% of the vote. In most of the world, fortunately, elections tend to be just a bit more competitive than that. There is, however, a strong trend toward entrusting elections to black-box, closed-source electronic systems. Many of these systems have no auditing capability, no external record of votes cast, and, often, manufacturers with interests that do not always coincide with fair voting results. These manufacturers have resisted adding important features, such as an independent, voter-verifiable printed paper ballot. With many electronic voting systems, the only record at the end of the day is the data sitting on the system's disk. An unaudited, unbacked-up disk file created by unseen, closed-source software is a frightening way of choosing a leader. History shows that, when an opportunity for mischief presents itself, somebody will eventually take advantage of it.

Perhaps more than any other application, electronic voting cries out for the use of free software. Votes are a public resource which should never be filtered through a black box. As one looks around, however, serious projects aiming to create free election software are rare. Some of them (e.g. GNU.FREE, Voting Systems Toolbox) have gone dormant. Others (GVI) are more interested in exploring alternative voting methods. Then there are some (like the recently announced EVM project) which appear to be headed in the right direction, but which are too young to have released any useful code.

Part of the problem, certainly, is that, unlike many other free software projects, an electronic voting project cannot just put up a tarball on an FTP site and watch its software achieve World Domination. There are certification requirements, which vary across jurisdictions. Proposed standards for voting systems are stringent; see, for example, the IEEE's voting equipment standards draft. Human factors and presentation fairness issues loom big in this area. Then, there is security; activists who are concerned about electronic voting have, generally, recommended that voting systems attain a Common Criteria EAL4 rating, above and beyond the voting-specific requirements. Then there is the little matter of turning free voting software into a real product which can be sold and supported, in large numbers, to agencies in charge of running elections.

In other words, the code is not sufficient. Bringing free software to electronic voting will also require substantial amounts of money. Getting a voting system based on free software to an actual deployment will probably carry a multi-million dollar price tag - for a single jurisdiction. This is an effort which is beyond the capabilities of a group of volunteers with a SourceForge site and a bit of code.

Some free software supporters have called for widespread public funding for free software development. Others are very suspicious of increased public influence in this area. But it would seem that voting would be a natural place for governments to support a project or two. Governments are the only customers, and there is a strong public interest in the creation of voting software which is open, auditable, and worthy of trust. The potential for long-term cost savings should have some appeal as well.

Projects which set out to create a free voting system, but which limit themselves to cranking out code, are unlikely to achieve their goals. If such a project wishes to see its code deployed, it almost certainly needs a sub-group which occupies itself with the writing of funding proposals. Some success in that area could go a long way toward the preservation of freedom on a national scale.

Comments (8 posted)

This week in SCOland

Last week's Edition prompted a complaint or two about too much SCO coverage in LWN. It is our hope to slowly edge SCO off the front page once again, but the company makes that hard. This case is important for Linux and free software, and we need to keep an eye on it.

The big news since last week's Edition, of course, is IBM's response and countersuit, which was filed on August 7. We published a look at IBM's counterclaims on that day; the full text of IBM's filing is also available. IBM's response looks, in many ways, like Red Hat's suit from a few days before, but there are a couple of important differences.

The first is that IBM makes a formal charge of GPL infringement against the SCO Group. Bringing the GPL into the case is not an entirely surprising thing for IBM to do; SCO's violation of that license seem relatively clear. But its presence in IBM's filing sets this case up to be, perhaps, the first true test of the GPL in court. Some of the noises coming out of SCO suggest that the company believes it may be possible to break the GPL in court and would like to do so. We must hope that IBM's lawyers are on top of this part of the case.

The other important difference, of course, is that IBM has alleged four counts of patent infringement. As much as many in the community are pleased with anything that causes discomfort for SCO, the use of software patents is always a cause for concern. A separate article (below) looks at the specifics of IBM's patent allegations and how Linux stands with regard to those patents.

SCO has not skimped on press releases over the last week. The company's response to IBM's counterclaims included an interesting statement:

If IBM were serious about addressing the real problems with Linux, it would offer full customer indemnification and move away from the GPL license.

Exactly how IBM would "move away from the GPL" is not specified. SCO has also claimed the sale of a Linux license to a Fortune 500 company - but, as is usual for SCO, they won't say who the purchaser is or what sort of deal they were offered. Finally, SCO announced the "termination" of Sequent's Unix license.

SCO's System V UNIX contract allowed Sequent to prepare derivative works and modifications of System V software "provided the resulting materials were treated as part of the Original [System V] Software." Restrictions on use of the Original System V Software include the requirement of confidentiality, a prohibition against transfer of ownership, and a restriction against use for the benefit of third parties. Sequent-IBM has nevertheless contributed approximately 148 files of direct Sequent UNIX code to the Linux 2.4 and 2.5 kernels, containing 168,276 lines of code. This Sequent code is critical NUMA and RCU multi-processor code previously lacking in Linux.

This is a reiteration of the core of SCO's claim against IBM: the Unix licenses give SCO rights over any code which has ever touched Unix, regardless of its source or ownership.

The next event in the SCO saga is likely to be the company's third-quarter earnings call, happening 9:00 MST (GMT-6) on Thursday, August 14. Among other things, the company will evidently discuss the substantial amount of insider trading which has occurred since the IBM suit was filed. Stay tuned.

Comments (5 posted)

IBM's patent offensive

[This article was contributed by Joe 'Zonker' Brockmeier]

IBM's response to SCO's suit last week was met with quite a bit of enthusiasm from the Linux community, but with a tinge of concern as well. Many in the Linux community are concerned about IBM's use of patents to strike back at SCO. While IBM's patent claims are not unexpected, and in fact are sound legal strategy for Big Blue, many worry that IBM may someday use its huge patent arsenal against competitors in the Linux marketplace and not simply as a defensive mechanism against legal predators like SCO.

We took a look at IBM's patent claims to see how they might affect the Linux community, and if Linux projects or vendors could be subject to claims by IBM. It seems, at first glance, a little odd that IBM has chosen to only claim infringement on four of their patents. IBM has thousands of patents, it seems very likely that it could claim that SCO infringes on dozens of patents. However, the patents IBM has chosen affect most of SCO's non-Linux products -- namely, UnixWare and Open Server, Reliant HA and SCO Manager. Users looking for SCO Manager on the SCO website will find that it's not linked to their product section anymore -- but using Google Cache it appears that sales have been suspended.

The first patent infringement claimed by IBM is patent 4,814,746: granted March 21, 1989. This patent covers an adaptive method of compression of data for communications between a host and remote terminals. IBM claims that this patent is infringed by both UnixWare and Open Server.

The second patent claim by IBM is patent 4,821,211: granted April 11, 1989. This patent covers "navigating among program menus using a graphical menu tree" using a pointing device, and IBM claims that SCO Manager infringes on the patent. This seems like a rather obvious invention, and the patent could probably be used against a number of programs. According to the patent, it is novel because of:

...the ability to visually display, in graphical form, the menu hierarchy for (a) the program that the user is currently using, (b) other programs on the user's computer, and (c) other programs on other computer systems to which the user has access.

This claim limits the patent from being applied against just any GUI application with a menu, but certainly could be applied against applications that allow access to databases on other machines, GUI front-ends for CVS, and a number of other applications you might find being used on Linux.

IBM's third claim is patent 4,953,209: granted August 28, 1990. According to IBM, SCO is infringing on this patent with the UnixWare product. This patent covers a "self-verifying" technique to show that a user has received a data object, agreed to the conditions of the data object's receipt or use, and has installed in for reading or use. Not just the display of the license, but a method of verifying after the fact that the user has actually taken some action to indicate that they have agreed to the license.

Basically, this patent covers a method of distributing software and having the user agree to a license without the need for the vendor to distribute any physical media. A "clickwrap" license scheme, if you will. While this patent may apply to some products that run on Linux from proprietary vendors, it seems unlikely that this patent poses a serious threat to the open source community in general.

The fourth and final (at least for now) patent claim is patent 5,805,785: granted September 8, 1998. This is the only patent that IBM is using against SCO that doesn't predate Linux. IBM claims that SCO's Reliant HA high-availability clustering solution infringes on this patent. This patent covers monitoring and recovery of systems in a distributed or clustered system, and specifically the "detection of and recovery from open-ended, user defined failure events occurring in interdependent subsystems" as opposed to a set of predefined failure events. It seems likely that IBM could also make a case against several products and projects in the Linux space related to clustering with this patent -- if they chose to do so.

While IBM has an enormous patent warchest to draw on, SCO a/k/a Caldera has only one patent to its name; patent 6,529,784, granted March 4 this year. This patent covers "a method for providing system management services to a customer's network of target computers through a communications network." This patent may be of interest to Linux users, as it seems to specifically deal with package management and software dependencies. We may yet be hearing from SCO on patent matters, in addition to their other nebulous claims.

IBM has not proven eager to emulate Amazon in using its patents to damage competitors, but its hands aren't entirely clean, either. There is, for example, the oft-cited case of IBM demanding $20 million from Sun using the threat of patent litigation. While IBM has not been on the patent warpath of late, there's nothing to stop them from deciding to start using their patents against other Linux vendors or community projects that might compete with IBM for customers.

There is no evidence that IBM is gearing up to use its patents against the Linux community at this time, and it does seem unlikely that the company would be willing to squander the goodwill it has accrued thus far. However, there was a time when it seemed unlikely that SCO (née Caldera) would be attempting full-on legal warfare against Linux and the General Public License.

It might be prudent for the community to begin seeking guarantees from IBM, and other Linux vendors with substantial patent portfolios, that they will not use their patents against open source users, projects or vendors. It would also be advisable that members of the open source community work towards modification of the patent system. It seems very likely that patent threats will be the next major hurdle that Linux and open source face -- if not from IBM, then certainly from companies like Microsoft or Sun that are directly threatened by the continued adoption of Linux and open source.

Comments (7 posted)

A trip to LinuxWorld San Francisco 2003

LinuxWorld in San Francisco is the premiere trade show event of the year for Linux. For many companies it's a good time to announce new products and new alliances, a time of hype and press releases. LinuxWorld is also a place to network and glimpse a wider range of the IT world. LWN editor Rebecca Sobol was there and presents, My trip to San Francisco, LinuxWorld 2003.

This LWN editor has very limited trade show experience. The Linux Business Expo (LBE) at Comdex 1999 and the LBE, Comdex 2000 and a couple of local shows comprise the sum total of my experience. In comparison, LinuxWorld 2003 is a smaller show than the LBEs of the past, though larger than any local show. In 1999 many small companies came to the LBE hoping to be acquired by larger companies who were planning IPOs. LWN and an Australian company called Moreton Bay were among those small companies with booths near the back of the LBE. In 2000 LWN was acquired by Tucows.com and Moreton Bay was acquired by Lineo, and life seemed pretty rosy, for a while. Now, in 2003, LWN is once again independently owned and operated, and so is Moreton Bay, with the new name of SnapGear.

At LinuxWorld 2003 SnapGear joined other survivors of that era and newer companies, with small booths to the east and north. The .org pavilion took up the northwest section, leaving the center floor near the entrance to the larger companies. IBM took up the most space, with a sprawling pavilion and additional crew in partnering booths, like those of Red Hat and SuSE. Other companies with prime real estate include Sun, Microsoft, Dell, Oracle, and Intel.

Microsoft was in a slightly smaller booth near the edge of the main space, close to the .orgs. There happy customers were eager to talk about how well Microsoft products work in their clustering, number crunching, high availability environments. Elsewhere open source and proprietary go hand in hand as applications and appliances use Linux and other open source components to power not-so-open products. A single person from the U.S. Internal Revenue Service had free (as in beer) CDs with tax preparation software for Windows and Mac.

On Monday your editor went for a long walk around the streets of San Francisco, with the old LWN camera. By Monday night it was clear that the old camera has seen better days. There may may or may not be pictures hidden inside, but if they are there they are inaccessible, so unfortunately there will be no photos to brighten this essay.

Tuesday began with Red Hat's press conference announcing the filing of a lawsuit against SCO. At the press conference Red Hat CEO Matthew Szulik also talked about the creation of a Legal Defense Fund for the open source community. Red Hat hopes that other companies who depend on open source software will add to this $1 million fund to help pay for the future legal needs of open source developers.

The next stop on my agenda was with SGI, who shares space in the Intel booth. Ginny Babbitt and the LWN fan club at SGI build multi-processor Altix systems with SGI ProPack software. Irix, SGI's proprietary UNIX, is still used for some jobs, but more and more Linux rules at SGI.

Later, in the meeting rooms Dell Director Reza Rooholamini talked about Dell's high-performance computing clusters (HPCC) with PowerEdge servers. Among Dell's HPCC customers are the National Center for Supercomputing Applications at the University of Illinois, Urbana-Champaign (NCSA). That Dell HPCC cluster runs Red Hat Enterprise Linux and ranks among the fastest supercomputers in the world. Dell can customize any system, whether a supercomputing HPCC or a home PC, with your choice of OS, including several flavors of mainstream Linux. Reza told us that Dell puts Linux on just under 30% of their sales.

Tuesday night at the SnapGear party we celebrated independence and new business models that are more realistic than, 'get acquired and make a killing at the IPO'. SnapGear makes small VPN/router boxes embedded with uClinux and other open source software, so that when you plug the box in, "it just works". They will build custom boxes too, if you want something beyond the standard models, and the boxes all come with source code.

Wednesday morning started very early, with the Linux Professional Institute (LPI) advisory board meeting. Lots of topics were discussed during the course of this not-quite-two-hour meeting. To begin with Evan Leibovitch, President of LPI talked about the the new LPI website, available in thirteen languages; and how they manage to keep all the translations current.

We also learned that many certification organizations from many different disciplines are part of a larger group that addresses some common problems, like cheating on tests. LPI is now a member of the Information Technology Certification Security Council (ITCSC), a membership funded organization, formed "to preserve the security and integrity of certification tests for the benefit of certified professions, their employers, and those companies granting IT certification".

Lintraining.com is now sponsored by LPI, making it easier than ever to find the training people need to become certified.

Another topic was making exams available to everyone, not just those that can easily come up with the fee. In developing countries people are sometimes trapped in a situation where they are unable to afford certification testing, but they also cannot find a job without the certification. The other side of this is that LPI is setting up testing labs where at least a part of the test is done in a hands-on computer lab, making the testing facility more expensive.

Level 3 exams are in the works, but there are questions about the form they will take. LPI strives to create exams are that distribution neutral, but at level 3 there are system administration tasks are done very differently by different Linux vendors.

Sponsorships keep LPI running, and Evan thanked Novell for becoming it's newest sponsor. At the end of the meeting he also mentioned that SCO is still listed among LPI sponsors. Caldera was LPI's first sponsor in 1998, he told us, and many of same people are still at SCO, working in the trenches to do good things, in spite of the actions of a few people in management. So SCO's logo remains on the site to honor those Calderan's who continue to do good things from the trenches.

Later that morning, in the Oracle meeting room, I talked to Wim Coekaerts, Oracle's main kernel hacker. Oracle's customers want Linux, so Oracle has made agreements with the major Linux vendors to provide Linux along with Oracle products and services. Oracle handles all the service calls, working with the distribution vendor when necessary to resolve their customer's problems. Linux is used in-house at Oracle.

The Oracle database, however, will remain proprietary for the foreseeable future. Wim said that when Oracle released it's ClusterFS under the GPL, their customers didn't care. Not a one ever submitted a patch or paid the slightest attention to the source code. It seems that Oracle customers don't have much, if any, IT department. Instead they rely on Oracle to keep their systems running. They like Linux because it's reliable and inexpensive, not because they can see the source code. Oracle provides a total package of software, hardware and support. Open source databases like MySQL and PostgreSGL are no competition, because they really aren't in the same business.

Oracle had a statement prepared August 5, 2003 to respond to any mention of SCO. "Oracle believes that anything that leads to a more rapid resolution of the issues raised by SCO is good for the industry and for the open-source community. Oracle has seen nothing to date that has caused us to question our tremendous commitment to Linux as a customer, promoter, supporter, and developer. We are continuing our deep commitment to Linux and look forward to seeing these issues resolved as quickly as possible. We will continue to work with our close partners such as Red Hat and other Linux distributions to promote continued adoption of Linux."

Booth strolling took up part of Tuesday and Wednesday. Many booths were visited and there were conversations with many people, too numerous to name here. Most people shared a desire for the swift resolution to the SCO mess. Overall, people seemed confident about the future of Linux and of their business.

Comments (12 posted)

Page editor: Jonathan Corbet

Security

Brief items

Bitten by old bugs

Michal Zalewski recently publicized a couple of denial of service problems with the Postfix mailer. Distributors responded quickly; here's a quick look at who released updates and when:

Distributor	Updated versions	Response time (days)
Conectiva	7.0, 8	1
Debian	3.0 (woody)	0
EnGarde	Community 1.0.1, 2 Professional 1.1, 1.2, 1.5	1
MandrakeSoft	8.2, 9.0, Corp. Svr. 2.1 Firewall 8.2	1
Red Hat	7.3, 8.0, 9	1
SuSE	7.2, 7.3, 8.0, 8.1...	1
Trustix	1.2, 1.5	3

(See the LWN vulnerability entry for current information on distributor updates). Here, "response time" is calculated as the number of days between the posting of Michal's advisory and the distributor update. Distributors clearly had a bit of advance notice with which to produce their updates, which is a good thing. There was very little delay before updates were made available to users.

The only problem is that, as Postfix creator Wietse Venema pointed out, both of the vulnerabilities had been fixed a long time ago. One of the problems was fixed in version 1.1.12, released in November, 2002. The other (fixed in 1.1.13) does not exist in Postfix 2.x, which has been available since February. But even relatively modern distributions (such as Red Hat Linux 9) are built with version 1.1.11, which dates back to May, 2002. It is laudable that the distributors were so quick to make updates available. But if they had stayed a little closer to the current release of Postfix, much of this scramble might have been unnecessary, at least for more recent distribution releases.

One can always come up with possible reasons for the shipping of such old software. For most distributions, only a small minority of users run Postfix, so it is probably relatively low on the prioritized list of packages to update. Switching to a new major release (2.0) is always a bit of a scary move; distributors tend not to rush into that sort of change. And, then, there is the little fact that neither fix was marked by the Postfix developers as a security fix. As we have seen in this case, distributors move quickly when a security issue is outstanding, but slowly otherwise.

The fixes were not advertised as being security related for a simple reason: the developers did not know - in either case - that a security bug was being fixed. One fix just sort of happened during a big (2.0) code reorganization, and the other fix looked like just another bug fix at the time. The end result is that, as a result of inaction on the part of both developers and distributors, users have been running vulnerable code for months when a fix was available.

Comments (6 posted)

GNU project FTP server compromised

As described in this statement from the FSF, the GNU FTP server was compromised, and a trojan horse was found there. Interestingly, the compromise appears to have happened last March (via an exploit of the 2.4 ptrace() vulnerability), but it has only come to light now. The project has been going through a detailed effort to compare files against known checksums, and is cautiously concluding that no source code was modified by the crackers.

Comments (20 posted)

New vulnerabilities

ddskk: insecure temporary file

Package(s):

ddskk

CVE #(s):

CAN-2003-0539

Created:

August 11, 2003

Updated:

August 12, 2003

Description:

Daredevil SKK is a simple Kana to Kanji conversion program, an input method of Japanese for Emacs and XEmacs.

ddskk does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and skk. The Common Vulnerabilities and Exposures project (cve.mitre.org) has allocated the name CAN-2003-0539 to this issue.

Alerts:

Red Hat

RHSA-2003:241-01

2003-08-11

LWN.net Weekly Edition for August 14, 2003

ddskk: insecure temporary file

pam-pgsql: format string vulnerability

xpcd: buffer overflow

zblast: buffer overflow

2.4 kernel - several vulnerabilities

apache: multiple vulnerabilities in Apache HTTP server

atari800: buffer overflows

bind buffer overflow vulnerability in DNS resolver libraries

Canna server: exploitable buffer overrun

ethereal: security problems in Ethereal 0.9.12

Filename disclosure vulnerability in fam

fdclone: insecure temporary directory

fetchmail: buffer overflow

gallery: cross-site scripting

glibc: DNS stub resolvers contain buffer overflow vulnerability

gnupg: key validation

gtkhtml: malformed messages cause crash

konqueror: information disclosure vulnerability

kernel-utils: setuid vulnerability

libpng, libpng3: buffer overflow

lynx: CRLF injection vulnerability

perl-MailTools: remote command execution

man-db: buffer overflow, command execution

mikmod: buffer overflow

mpg123 - buffer overflow

Nessus NASL scripting engine security issues

net-snmp: denial of service vulnerability

nfs-utils xlog() off-by-one bug

openssh: timing attack leads to information disclosure

perl: cross site scripting vulnerability in CGI.pm module

PHP: vulnerability in mail function

PHP: Cross site scripting vulnerability

phpgroupware - cross-site scripting and other exploits

postfix: denial of service vulnerabilities

PostgreSQL - more buffer overflows

Local arbitrary code execution vulnerability in Python

Multiple-use vulnerability in Safe.pm

semi: insecure temporary file

stunnel: signal handler reentrancy DoS

sup: insecure temporary file

File overwrite vulnerability in tar and unzip

teapop: SQL injection

Multiple vendor telnetd vulnerability

unzip: directory traversal vulnerability

vim - modeline vulnerability

vixie-cron: Local vulnerability

webmin: session ID spoofing

wget:directory traversal bug

wget: buffer overflow

wu-ftpd: off-by-one bug

Wwwoffle remote privilege escalation vulnerability

xinetd: Memory leak in xinetd 2.3.10

xtokkaetama: buffer overflows