LWN.net Weekly Edition for August 28, 2003 [LWN.net]

Legislative fun in Europe

While the legal situation in the United States has been dominated by the SCO case, many community members in Europe are more concerned by what is happening on the legislative front. A couple of initiatives underway in the European Parliament's Committee on Legal Affairs and the Internal Market are worthy of attention - and activism.

The first of these, of course, is software patents. The Committee now looks set to adopt the directive on software patents on September 1. Opponents of software patents in Europe have been working hard to raise awareness on the issue; protests on the net and in Brussels happened on August 27. There is still time to be heard on this issue and, perhaps, influence the outcome. It is worth the effort; software patents are one American export that Europe can do without.

Patents are just the beginning, however. Starting, seemingly, on September 11, the Committee will begin discussing a directive "on measures and procedures to ensure the enforcement of intellectual property rights." The full (54-page) text of the directive can be downloaded from this EU page. Two parts of this directive are cause for concern:

Article 9 requires identification of anybody who, in the view of a copyright holder, is "thought to infringe upon an intellectual property right". This article, it is expected, will lead to the same sort of "subpoena storm" currently being engaged in by the recording industry in the U.S.
Article 21 includes a (criminal) prohibition of "illegal technical devices." This is, of course, a DMCA-style anti-circumvention law, which will lead to DMCA-style problems.

For a much more detailed look at the draft directive, see this analysis by the Foundation for Information Policy Research. This analysis also notes that there is, apparently, still time to bring about major changes to this draft. With luck - and suitable pressure on members of the European Parliament - the worst features of this directive can be eliminated before it ever comes to a serious vote.

Comments (2 posted)

Who won the latest DeCSS skirmish?

[This article was contributed by Joe 'Zonker' Brockmeier]

The decision handed down by the California Supreme Court on Monday in the DVD Copy Control Association v. Bunner case is being hailed by many as a victory for the entertainment industry. In fact, the ruling is far from a major victory for the DVD Copy Control Association. The California Supreme Court has remanded the case back to the Court of Appeal to "determine whether the evidence in the record supports the factual findings necessary to establish that the preliminary injunction was warranted under California's trade secret law."

For those not familiar with the case, the DVDCCA sued Andrew Bunner for posting the DeCSS code posted by Jon Johansen. Johansen and others reverse-engineered software created by Xing Technology corporation to create the DeCSS package, which can decrypt DVDs for viewing. (Despite the DVDCCA's repeated assertions that DeCSS is used for copying DVDs, the software is not necessary to copy a DVD -- only to view it.) The trial court sided with the DVDCCA and issued a preliminary injunction against Bunner, which was later overturned by the Court of Appeals. Interestingly, Bunner's case is still winding through the American court system while Johansen has already been acquitted in Norway of charges of using DeCSS for illegal purposes.

The California high court's ruling had very little to do with the specifics of the DeCSS code or whether CSS is a legitimate trade secret. The court simply accepted the trial court's findings that CSS is a trade secret, and ruled on the question of whether it is a violation of the First Amendment to issue a preliminary injunction in the interests of protecting a trade secret. The Court of Appeals had ruled that trade secrets were not as important as First Amendment protections and lifted the injunction against Andrew Bunner posting the DeCSS source code. The California Supreme Court, however, disagreed that First Amendment considerations trump the protection of trade secrets:

Our decision today is quite limited. We merely hold that the preliminary injunction does not violate the free speech clauses of the United States and California Constitutions, assuming the trial court properly issued the injunction under California's trade secret law. On remand, the Court of Appeal should determine the validity of this assumption.

So, the fight over DeCSS is far from over, which is good news. The bad news is that the California Supreme Court doesn't see any value in the DeCSS code in the continuing debate over the entertainment industry's use of encryption. From page 22 of the decision:

Disclosure of this highly technical information adds nothing to the public debate over the use of encryption software or the DVD industry's efforts to limit unauthorized copying of movies on DVD's. And the injunction does not hamper Bunner's ability to "discuss and debate" these issues as he has in the past in both an educational, scientific, philosophical and political context. Bunner does not explain, and we do not see, how any speech addressing a matter of public concern is inextricably intertwined with and somehow necessitates disclosure of DVD CCA's trade secrets.

Many in the open source community would disagree that the disclosure of the code "adds nothing to the public debate." Ed Felten writes that access to the code is important factor in the debate over CSS:

CSS is a controversial technology, and information about how it works is directly relevant to the debate about it. True, many people who are interested in the debate will have to rely on experts to explain the relevant parts of DeCSS to them; but the same is true of Enron's accounting or the Shuttle's engineering.

Certainly the fact that CSS was so easily defeated is of public interest when debating whether CSS qualifies as a "trade secret" or simply a veiled attempt to rob users of their fair use rights over copyrighted materials they've legally purchased. The code should also be of some interest to those who wish to disprove the DVDCCA's continual claims that DeCSS exists primarily for copying DVDs, rather than watching them.

Whether Bunner is legally permitted to post DeCSS or not, the cat is out of the bag. For all practical purposes, anyone who wants to get access to the DeCSS code is able to do so. However, the case will set precedents that no doubt be revisited as the entertainment industry rolls out new media formats, and new encryption schemes.

Comments (4 posted)

This week's SCO fun

It may have seemed like a relatively quiet week on the SCO front - to the relief of many - but a number of things have been happening. It's time to get caught up in the latest developments in this case.

People have continued to look at the code samples presented by SCO in Las Vegas. Eric Raymond posted his own analysis which included a comparison of the Linux atealloc() code with the SYSV malloc() implementation - something that Eric evidently has sitting around somewhere. Eric's conclusion was that the Linux code derives from the ancient malloc() implementation found in 32V Unix. LWN, looking at Eric's diff, came to a different conclusion; the Linux code appears to have been taken from (proprietary) SYSV Unix. See this article for a full description of our reasoning. Since then, FreeBSD kernel hacker Greg Lehey has posted his analysis, which also points to a SYSV derivation.

The sad fact is that this particular piece of code is problematic no matter how you look at it. The alternatives are:

The code was lifted from SYSV Unix, which makes it a direct infringement of SCO's copyrights.
The code actually derives from the ancient 32V Unix release. SCO, back when it was called Caldera, released 32V under an older, four-term BSD license; this license is incompatible with the GPL, due to its advertising requirement. The code in Linux also lacked the requisite copyright headers. In this scenario, the inclusion of this code infringes SCO's copyrights (due to the missing copyright headers) and also those of the other Linux kernel contributors (due to the GPL incompatibility).
There are other opinions on how 32V is really licensed. SCO has started making noises to the effect that 32V was really only released for 16-bit, non-commercial use, though the license letter that went around (and, indeed, was sent to us anew by SCO PR person Blake Stowell) says otherwise. Any attempt by SCO to "call back" this release is likely to fail at this point.
Then, there is the assertion that 32V is actually public domain. This conclusion comes from the March 3, 1993 ruling in the USL case, which reads: "...I find that Plaintiff has failed to demonstrate a likelihood that it can successfully defend its copyright in 32V. Plaintiff's claims of copyright violations are not a basis for injunctive relief." But saying that USL lacks evidence strong enough to justify a preliminary injunction is different from a true finding that the 32V code has gone into the public domain. Given the rather friendly stance the courts have taken toward copyright holders in modern times, relying on this preliminary ruling to hold in a new court case seems risky at best.

It is thus hard to conclude that this code belongs in Linux. And, in fact, it has already been removed from the 2.4 and 2.6-test branches. In any case, it is a tiny piece of ancient code performing a trivial task; it is not the basis of a $3 billion lawsuit. If this is the best that SCO has, its case will not go that far.

SCO's other code sample, of course, was the Linux implementation of the Berkeley Packet Filter (BPF) library. There appears to be no way that SCO can claim ownership of this code; indeed, Greg Lehey's analysis suggests that, perhaps, SCO has stripped the copyright headers from its copy of that code, in violation of its (BSD) license. SCO would seem to have figured out that it is on especially thin ice here; a recent InfoWorld article quotes SCOSource VP Chris Sontag as follows:

But Sontag said the BPF routines were not intended to be an example of stolen code, but rather a demonstration of how SCO was able to detect 'obfuscated' code, or code that had been altered slightly to disguise its origins. The slide displaying the code should have been written differently to reflect that intention, he said.

Given that the slide in question reads "Obfuscated System V code has been copied into Linux kernel releases 2.4x and 2.5x," one might well agree that it should have been "written differently." One might well ask what other parts of the company's recent output should be written differently.

Meanwhile, SCO lawyer Mark Heise is still taking potshots at the GPL; his latest assertion (from this ZDNet interview) is that Section 301 of the U.S. Copyright Act preempts the GPL. Now, one of the advantages of having an Internet around is that one can go and check these things directly; the first part of Chapter 3 of the Copyright Act reads:

§ 301. Preemption with respect to other laws

(a) On and after January 1, 1978, all legal or equitable rights that are equivalent to any of the exclusive rights within the general scope of copyright as specified by section 106 in works of authorship that are fixed in a tangible medium of expression and come within the subject matter of copyright as specified by sections 102 and 103, whether created before or after that date and whether published or unpublished, are governed exclusively by this title. Thereafter, no person is entitled to any such right or equivalent right in any such work under the common law or statutes of any State.

Those of us who are unused to reading legalese will probably have to go over this paragraph two or three times, but, in the end, the title sums it up pretty well: this part of the copyright law states that it preempts other laws at the state level. Since very few states have enacted the GPL into law, the §301 preemption really is not relevant. The GPL is a license in which the copyright holder waives certain rights under certain conditions, as is allowed by the rest of the copyright law. If §301 preempts the GPL, it preempts every other software license as well. So Mr. Heise's reasoning remains unconvincing, to say the least. However, he appears to be in charge of this case at this point; David Boies would seem to have found more pressing engagements elsewhere.

Then, there is SCO CEO Darl McBride's amusing and paranoiac assertion (as reported in InfoWorld) that IBM is behind the attacks on his company. No further comment seems necessary there.

SCO's web site was evidently the target of a denial of service attack over the weekend of August 23. The Linux community should have nothing to do with such attacks. They do not help us in any way, and they go strongly against the principles of openness and freedom upon which the community is based. This sort of attack also gives SCO a great opportunity to portray the community as a bunch of criminals. Taking down SCO's site is wrong; it is a big mistake. Let us hope that it does not happen again.

Finally, Rob Landley and Eric Raymond have put together a response to SCO's amended complaint in the IBM case. Think of it as the "Mystery Science Theater 3000" version of the complaint; SCO's text is presented with Rob and Eric ruthlessly heckling each paragraph as it comes. It is a good resource for those wanting to put SCO's actual allegations in the IBM case into perspective.

Comments (6 posted)

The Great Expiration

The September 26, 2002 LWN Weekly Edition was the beginning of a major change for this publication. Therein, we said:

We will now try to transition LWN into a subscription-based publication, supported by the readers that benefit from it. If LWN is valuable enough to its readers to earn that support, we will continue to produce it - and try to make it better. If not, well, then we will search for some other way to use our skills in the free software community.

At the time, we concluded that we needed about 4000 subscribers to begin to see LWN as a stable enterprise. We're still a bit short of that - there's just under 3000 individual subscribers, currently - but we're still here. Things seem to be headed in the right direction.

Much depends on what happens in the next month or so, however. Many of you went for one-year subscriptions when they first became available. That money has sustained us over the last year, and we are more than grateful for that. But those subscriptions are now about to expire. Over the next month or so, almost one third of our subscriptions will come to an end. If the renewal rate is high enough, we should get a cash infusion that will prove most helpful in taking LWN to the next level, and we can continue our march toward 4000 subscribers (and beyond). If it's not, well...

We're optimistic. We came out of the "mini expiration" last spring (when the first set of six-month subscriptions ran out) with as many subscribers as we had going in. With luck, the same will hold true this time.

Please note that, if you signed up for an automatic monthly subscription, you, too, will have to renew it. Some businesses, once they get your credit card, feel entitled to keep charging to it until you show up on the premises with a baseball bat and make them stop. We've never felt we had that right, so automatic subscriptions include a maximum number of authorized charges. That maximum was capped at twelve months (we've since raised it to 24), and will be running out for those of you who subscribed a year ago. Many of you will have already received the "last charge" message we send when the authorized payments run out. Renewing is just a matter of going to the My Account page and enabling more charges.

The rest of you will not get mail from us until your subscription actually ends and the grace period begins.

Many of you, however, will not get mail from us at all. We have never made any attempt to force people to give us a real email address when they set up an account; if you really don't want us to have it, we can live with that. But, if we do not have your email address, we cannot communicate with you regarding subscription expiration. Some of you may also lose our email because your mailboxes are full of SoBig output; we also simply do not have the time to be feeding cookies to challenge/response systems. If any of the above situations apply to you, please keep an eye out for the "renew your subscription" link that will show up in the left column. Or just head over the the "My Account" page and top up your subscription ahead of time.

Finally, please note that we will soon stop offering automatic monthly subscriptions at the "starving hacker" level. When we make credit card charges that small, the processing fees eat up a substantial amount of the money we get. Honestly, we'd rather that subscriber money (your money!) went to us, rather than credit card processing companies. The "starving hacker" level will continue to exist, but subscriptions will need to be prepaid at least three months at a time. Existing monthly subscriptions at that level will not be affected as long as they are maintained.

Once again, please accept our thanks for supporting LWN so strongly over the last year. We will continue to try to show our appreciation by making LWN the best resource that it can be.

Comments (30 posted)

Page editor: Jonathan Corbet

Security

Brief items

The police tap JAP

The Java Anonymous Proxy project is developing a proxy system which enables users to access web sites in an anonymous manner. The JAP code is distributed under a BSD-like license. The JAP project also runs a set of servers which provide the actual anonymous web access.

It turns out, however, that access is not always anonymous; the JAP system went down for a few days in mid-August for the addition of new "security features." Those features, it seems, include a means by which the German police can determine the real originating IP address for accesses to a destination site of their choice. This access requires the usual formalities - court orders and such - but it does, regardless, violate the spirit of an anonymous proxy system. This is the sort of thing that users of an anonymous proxy are trying to get away from.

Since JAP is free software, people who were paying attention were able to see the new "security features" as they were checked in to the CVS repository. This transparency is, of course, one of the reasons why we like free software in the first place. We should remember, however, that there was nothing forcing the JAP developers to commit their changes to a public repository, and there is still no assurance that the JAP servers are running the same software as that found in the repository or on the download site. Entrusting your privacy to a remote system over which you have no control remains a risky thing to do.

See the JAP project's press release for more information on this incident.

Comments (5 posted)

The most over- and under-rated vulnerabilities

ITSecurity.com has published a look at the most over- and under-rated vulnerabilities, as determined by Harris Corporation. The list is worth a look; it is an attempt to clarify where the real risks lie. Besides, a couple of the entries are rather amusing.

So what are the overrated vulnerabilities? A few selections from the list include:

PGP vulnerabilities. As the authors assert, there is no known case of somebody having actually broken PGP's encryption.
SNMP; "As long as the default community strings have been changed, SNMP should be fairly safe. Actual exploitation using SNMP has been rare."
Cross-site scripting. Actual cross-site scripting exploits are rare; there is usually a more direct route to what the crackers want.
Gopher vulnerabilities. Evidently some people are still concerned about Gopher holes.

So, rather than running out to patch that Gopher server, what should you really be worried about? The list includes:

Remote procedure call vulnerabilities. RPC remains dangerous, and certainly should not be exposed to the internet.
Wireless networks which are easy to find and penetrate, and which often live inside firewalls.
Keystroke loggers and spyware.
WebDAV servers. This one makes the list mostly due to the potential of compromising the web server, and (on Windows, at least) thus the whole machine.

Interestingly, virus-susceptible email systems do not make the list, despite the fact that this type of vulnerability has probably created more in the way of security costs - especially recently - than any other. Clearly this vulnerability is underrated, given that it remains unclosed after all these years. Risk, evidently, is still in the eye of the beholder.

Comments (2 posted)

New vulnerabilities

GDM allows local user to read any file

Package(s):

GDM, XDMCP

CVE #(s):

CAN-2003-0547 CAN-2003-0548 CAN-2003-0549

Created:

August 21, 2003

Updated:

August 29, 2003

Description:

GDM is the GNOME Display Manager for X.

Versions of GDM prior to 2.4.1.6 contain a bug where GDM will run as root when examining the ~/.xsession-errors file when using the "examine session errors" feature, allowing local users the ability to read any text file on the system by creating a symlink. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0547 to this issue.

Additional problems may be found in the X Display Manager Control Protocol (XDMCP) which allow a denial of service attack (DoS) by crashing the gdm daemon. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2003-0548 and CAN-2003-0549 to these issues.

Alerts:

Conectiva	CLA-2003:729	2003-08-29
Slackware	SSA:2003-236-01	2003-08-24
Mandrake	MDKSA-2003:085	2003-08-21
Red Hat	RHSA-2003:258-01	2003-08-21

LWN.net Weekly Edition for August 28, 2003

GDM allows local user to read any file

libpam-smb: exploitable buffer overflow

sendmail: bad DNS reply causes crash

vmware-workstation: vulnerability allows full host access

2.4 kernel - several vulnerabilities

apache: multiple vulnerabilities in Apache HTTP server

atari800: buffer overflows

autorespond: buffer overflow

bind buffer overflow vulnerability in DNS resolver libraries

Canna server: exploitable buffer overrun

eroaster: insecure temporary file

ethereal: security problems in Ethereal 0.9.12

Filename disclosure vulnerability in fam

fdclone: insecure temporary directory

fetchmail: buffer overflow

gallery: cross-site scripting

glibc: DNS stub resolvers contain buffer overflow vulnerability

gnupg: key validation

gtkhtml: malformed messages cause crash

kernel-utils: setuid vulnerability

libpng, libpng3: buffer overflow

lynx: CRLF injection vulnerability

perl-MailTools: remote command execution

mikmod: buffer overflow

mpg123 - buffer overflow

Nessus NASL scripting engine security issues

netris: buffer overflow

net-snmp: denial of service vulnerability

nfs-utils xlog() off-by-one bug

openslp: temporary file creation vulnerability

openssh: timing attack leads to information disclosure

pam-pgsql: format string vulnerability

perl: cross site scripting vulnerability in CGI.pm module

PHP: vulnerability in mail function

phpgroupware - cross-site scripting and other exploits

postfix: denial of service vulnerabilities

PostgreSQL - more buffer overflows

Local arbitrary code execution vulnerability in Python

Multiple-use vulnerability in Safe.pm

semi: insecure temporary file

stunnel: signal handler reentrancy DoS

sup: insecure temporary file

File overwrite vulnerability in tar and unzip

teapop: SQL injection

Multiple vendor telnetd vulnerability

unzip: directory traversal vulnerability

vim - modeline vulnerability

vixie-cron: Local vulnerability

webmin: session ID spoofing

wget:directory traversal bug

wget: buffer overflow

wu-ftpd: off-by-one bug

Wwwoffle remote privilege escalation vulnerability

xinetd: Memory leak in xinetd 2.3.10

zblast: buffer overflow