Oracle's CMS patent
Patent 6,745,238, assigned to Oracle, is entitled "self service system for web site publishing." The abstract for this patent makes it clear that its scope is broad:
The web site system permits a site administrator to construct the
overall structure, design and style of the web site. This allows
for a comprehensive design as well as a common look and feel for
the web site. The web site system permits content for the web site
to originate from multiple content contributors. The publication of
content is controlled by content owners. This permits assignment of
content control to those persons familiar with the content.
The patent application was filed in March, 2000; it was granted on June 1 of this year.
Offhand, it would appear that Oracle has patented the content management
system. Such systems form the core of many thousands of web sites, so the
potential impact of this patent is large. It is worth a deeper look.
The "claims" section of the patent is even more impenetrable than usual:
A method for displaying content, comprising: receiving input that
defines a set of perspectives, wherein each perspective in the set
of perspectives is a cross category grouping of one or more content
items, and wherein said one or more content items is in a plurality
of content items; storing, in a database, the plurality of content
items, wherein each of the plurality of content items belongs to
one or more categories; receiving user input that associates
subsets of said set of perspectives with each of said plurality of
content items; and in response to a request to display a web page
that contains one of said plurality of content items, displaying on
said web page a selectable control for each perspective in the
subset of said set of perspectives that is associated with said one
of said plurality of content items.
Translated into English, this claim would appear to be describing a
database-backed web site which allows the display of articles with category
metadata and comments
attached. Further claims add search capabilities, a form interface, etc.
All pretty standard stuff.
The "description" section is more readable, fortunately. It sets the stage
with a summary of the Bad Old Days, when anybody who wanted to put content
on the web had to hand it over to a site administrator who knew the right
incantations. The administrator becomes a bottleneck which slows the
process of getting content onto the net. Thus, says the patent:
Accordingly, it is desirable to generate a web site creation and
maintenance tool that permits non-technical people to publish
content on a web site. It is also desirable to generate a web site
creation and maintenance tool that apportions responsibility for
web site creation and maintenance task to the most appropriate
individuals.
One wonders why nobody else ever noticed this problem. But it seems that
nobody did:
In the prior art, content contributors must go through the
information technology department in order to publish content. This
prior art methodology places content publication and maintenance on
a single source. In contrast, the web site paradigm of the present
invention provides for distributed control by, allowing the folder
owners ... to control content for a portion of the web site.
As an added bonus, Oracle's "invention" throws in web-based administration
of the site, a "quick picks" navigation bar for the most-used content, a
news box, etc.
This patent clearly covers no end of free content management systems - and
numerous proprietary offerings as well. There is no way that this
particular patent could have been filed for in good faith; 2000, remember,
was the end of the dotcom boom and content management systems were not
exactly hard to find. The authors knew they were patenting widely-used
technology which had been invented elsewhere. Oracle, after all, has not
made its name through innovation in the web publishing arena.
If Oracle were to attempt to enforce this patent, it could create trouble
for anybody producing or using an allegedly infringing system: Linux
distributors, web publishers, proprietary software houses, etc. With a
determined effort, this patent could almost certainly be invalidated. But
if you are a small publisher facing demands from Oracle's fearsome
lawyers, invalidating the patent will look like a distant, difficult, and
risky goal. For the time being, the threat seems low; Oracle seems more
interested in acquisitions than patent shakedowns and litigation. In the
future, however, when Oracle's core business has been gutted by free
database management systems, the company might just take a new interest in
enforcing its "valuable intellectual property."
DMCA fun from StorageTek
The latest effort to use the Digital Millennium Copyright Act (DMCA) as an obstacle to competition is courtesy of StorageTek. StorageTek, a company that sells a number of storage devices and data management software, is suing Custom Hardware Engineering & Consulting (CHE Consulting) for circumventing its GetKey algorithm to gain access to StorageTek tape library maintenance codes.
So far, so good for StorageTek, which has received an injunction (PDF of the decision and the injunction) against CHE Consulting, essentially preventing the company from doing any maintenance on StorageTek tape libraries that requires access to the libraries' event messages. For the moment, an appeals court has put a stay on the injunction, but that stay could be withdrawn at any time.
Reading through the decision issued by U.S. District Judge Rya Zobel, it
seems clear that Zobel has been firmly convinced of StorageTek's case. From
page 10 of the decision:
The balance of harm to plaintiff from the denial of the injunction
against that to defendant from the grant thereof tilts heavily to plaintiff,
given its financial losses and damage to customer relations from
defendants' deliberate and calculated misconduct and theft.
It seems that StorageTek has managed to convince Zobel that CHE Consulting
has violated the DMCA by going around the GetKey algorithm and that CHE has
misappropriated StorageTek's trade secrets by gaining access to event
messages on StorageTek equipment.
CHE Consulting argued that Section 117 of the
Copyright Act was designed to allow third-parties to perform
maintenance or repair, but that did not convince Zobel.
Defendants copy the Code by turning on the machine; however, they do so not
just for repair, but also for the express purpose of circumventing
plaintiff's security measures, modifying the Maintenance Level, and
intercepting plaintiff's Event Messages.
What Zobel overlooks, of course, is that the only purpose to intercept the
event messages is to allow CHE Consulting to perform maintenance on the
equipment in question -- exactly what Section 117 of the Copyright Act was
intended to allow. There is no benefit to CHE aside from being able to
perform maintenance.
In order to get additional background and both sides of the story, we spoke
to StorageTek spokesperson Joe Fuentes and CHE Consulting's president,
David York. According to York, this case has actually been going on for
some time. He noted that CHE Consulting had purchased software to access
the error codes from 1997 through the first quarter of 2001, when
StorageTek sent a letter to CHE Consulting alleging that the company was
infringing on StorageTek's intellectual property rights. York said that CHE
Consulting provided documentation that they were buying the software and
then they didn't hear from StorageTek again until October of 2002 when the
suit was filed. He also noted that StorageTek stopped selling the
maintenance code to CHE Consulting in 2001.
When we spoke to Fuentes about the case, he was largely unable to answer
most of our questions, as he said that he was not technical enough to
respond to questions about the nature of the diagnostic tools and what
would be required for a third-party maintenance provider to work on a
StorageTek tape library without access to the maintenance code. Fuentes was
also unable to provide access to a StorageTek spokesperson or employee who
was knowledgeable enough about the case or the equipment to provide answers
to our questions.
Fuentes did provide a statement about the case:
We believe that CHE was using our intellectual property without
permission. Our job is to defend that intellectual property. I can't get
any more specific than that... I think what the court is saying kind of
confirms the value of our exclusive maintenance microcode. It's a
competitive business, and we use our developed codes to provide superior
services to enterprises.
We also asked Fuentes how StorageTek's customers would benefit from this
action. According to Fuentes, "we value our relationships with our
customers and want to make sure they get the best possible service. I have
to stop there." While talking about StorageTek's services group,
Fuentes also noted that the company serviced equipment produced by EMC, HP
and other providers. Fuentes could not answer whether or not StorageTek
used event messages generated by other manufacturers' equipment when
providing service.
Fuentes also said that StorageTek's position was that third-parties could
provide service for the equipment if they "invest and develop their
own diagnostic tools to work on our equipment."
We asked York if it were possible for a third-party vendor to develop their
own diagnostic tools. According to York, CHE Consulting has done so:
We've been providing this [service for StorageTek equipment] for seven
years, all we're accessing is their data. We're not accessing anything that
could be deemed to be actual diagnostics, we have developed our own
exercise routines [for the equipment] on our own... we're talking about
error data, data from the physical device. The error data is what they're
claiming to own a copyright on.
We then asked York if it were possible for a third-party vendor to develop
tools, as Fuentes suggested, that would allow them to generate their own
codes. "Is it technically possible? We could debate that for a long
time." When asked if it were reasonable to suggest that a vendor
should develop that functionality on their own, he was more
firm. "No, it is not."
We are still in litigation and we are feeling this decision. CHE has worked
hard, its team members have worked hard. We believe we have a right to
compete, we believe we have a right to exist, and we don't believe we have
infringed upon anybody's rights here. We believe we're just some
hard-working people. Based upon the fact that we're using the software with
the customer's permission as it was designed is mind-boggling to me.
Zobel decided that "defendants' conduct has caused it [StorageTek]
irreparable harm." However, Zobel doesn't seem inclined to consider
the effects of the ruling on CHE Consulting. If StorageTek is successful in
preventing CHE Consulting from maintaining their equipment, it is likely to
be fairly catastrophic for CHE. York estimated that about half of
their business consists of maintaining equipment that is now essentially
off-limits to their company, unless they are successful in fighting the
case. York says that CHE Consulting has filed a request for an appeal and
stay of the order as of Monday, July 12.
We also asked York whether he was concerned about other vendors using the
DMCA to prevent third parties from servicing their equipment:
I'm certainly concerned, but I can't say what another company might do. We
service IBM equipment, even though we're partnered with them. For us to be
able to provide service, IBM sells diagnostic code, manuals,
parts... having said that, IBM, it appears, welcomes competition. If there
is competition, IBM makes the most of it by saying, "Okay, we can sell some
things, we win, independent organization wins, and most of all the customer
wins."
Meanwhile, StorageTek's customers lose, and so does CHE. There would be
little incentive for CHE to access event codes if some of StorageTek's
customers had not decided that they wanted to have their equipment serviced
by another organization.
StorageTek is not the first company to attempt to use the DMCA to lock
competitors out of their business, nor are they likely to be the last.
Until such a time as the DMCA is reformed, we will continue to see this
sort of case. As this case
illustrates, it's simply not enough to count on the courts to prevent abuse
of the DMCA, nor is it enough to depend on the goodwill of corporations to
protect the rights of their customers or act in their best interests.
SCO update
There has been some movement in a few of SCO's legal cases, so it's time
for an update.
Our last episode in the Novell case ended with Judge Kimball
dismissing SCO's suit because SCO did not make a claim of actual specific
damages. SCO was given 30 days to refile the suit with that little
oversight taken care of. SCO's new filing is available in
PDF format; it's not clear that the company will get much further this
time.
The specific damages alleged include:
- Companies are refusing to buy licenses from SCO at this time because
it's not clear that SCO owns what it claims to be licensing.
- Novell's claims are being cited in various other SCO cases, making it
harder for SCO to carry out its legal shakedowns.
That is about it. This discussion may be enough to keep the suit alive for
now; it depends on what the judge thinks. Said judge, who, in his previous
ruling, said that there was considerable uncertainty in just what the asset
purchase agreement transferred, may not be amused by the repeated reference
to the "clear and unambiguous terms" that are alleged to have transferred
the copyrights to SCO.
The AutoZone case has
been put on hold, pending the outcome of the IBM and Novell cases.
AutoZone successfully argued that, until the issues in those other cases
are decided, there is no point in going forward. This decision makes
AutoZone's attempt to move the case to Tennessee moot for now; that motion
may be reconsidered at a later time.
SCO was given the opportunity to move for a preliminary injunction,
however, if it can show "irreparable" harm which could be mitigated that
way. It remains to be seen whether SCO will avail itself of this
opportunity. In the mean time, SCO's one attempt to shake down an actual
Linux user is stalled. Though, as described in this
Groklaw article, the case SCO presented in Nevada centers around its
OpenServer libraries, and has little to do with Linux.
In the IBM case, things are heading toward the crucial August 4
hearing on
IBM's motion for a partial summary judgment that its Linux activities do
not infringe on SCO's copyrights. IBM's position is, essentially, that
(1) SCO has certified that its response to IBM's discovery questions
regarding allegedly infringing code is complete, and (2) that response
contains no examples of infringing code. Thus, IBM says, there are no
disputed questions of fact and the judgment can be rendered. Or,
alternatively, if SCO now comes forward with some sort of evidence, it
should be sanctioned for failing to comply with discovery while falsely
certifying that its response was complete.
SCO fears this hearing, even though it has never claimed (in court) that
IBM has engaged in direct copyright infringement through its contributions
to Linux. An IBM victory would make it impossible for SCO to make such
claims in the future, and would go a long way toward establishing the
cleanness of Linux in general. So SCO has moved
for a dismissal of IBM's motion, or, at the minimum, yet another delay.
SCO's motion has been accompanied by a massive tome of a memorandum in
support (available in
PDF format); the company had to ask for special permission to submit a
memo of this length. With all those words, SCO tries to establish that it
didn't really certify that its discovery response was complete, that
it needs more time to dig through more of IBM's code (and IBM has been
stonewalling), that it has not alleged copyright infringement resulting
from IBM's Linux activities, and so on.
There are also a few "examples" of copyright infringement included; these
include the ELF code, read-copy-update (which SCO, it seems, now claims
directly), the header files, etc. Here's one new example:
The Linux kernel, for example, uses a ULS [user-level
synchronization] routine to block and unblock access to shared
data. The Linux ULS routine is substantially similar to a ULS
routine in UNIX. A Mr. Russel [sic] of IBM helped a Mr. Jamie
Lokier contribute the UNIX ULS code into Linux. If SCO had access
to IBM's CMVC, then SCO might have discovered that Mr. Russel
worked on ULS for IBM, and could have deposed Mr. Russel to
determine what specific help he provided in the contribution of ULS
to Linux and to whom he provided that help.
SCO is talking about the FUTEX code, which was refined and fed into the
kernel by Rusty Russell. It is highly unlikely that Rusty has been
anywhere near the AIX code. In any case, the FUTEX code was developed in a
very public mode over several months; every step in the process was posted
to and discussed on the linux-kernel list. If SCO wishes to press a claim
to any piece of
the FUTEX code, it should have no trouble pointing out exactly which code
and saying when, and by whom, it was contributed.
SCO has also filed a renewed
motion to compel discovery, claiming that IBM has not lived up to its
obligations. SCO is requesting full access to IBM's revision control
system. The company is also trying harder to turn up a "smoking gun" email
from one of IBM's executives; the motion memo claims that IBM is being
dishonest when it says that these messages do not exist.
The Red Hat case, remember, is currently on hold. The judge in that
case had ordered both parties to file a letter every 90 days describing how
things are progressing. The first set of letters is now available.
SCO's
letter seems motivated by fear of an unfriendly ruling in the IBM
case. The company is now backpedaling somewhat on its claims that the IBM
case covers "most, if not all" of the copyright issues brought up by Red
Hat.
At the same time, since September 2003, SCO has obviously had the
opportunity to conduct further investigation of improper
contributions to Linux by parties other than IBM. Through that
investigation, SCO has discovered significant instances of
line-for-line and "substantially similar" copying of code from Unix
System V into Linux. That non-IBM conduct is conduct that SCO's
complaint in Utah -- by its express terms -- does not challenge or
encompass.
SCO has found itself in a bit of a difficult position here. If the IBM
case addresses all of the copyright issues, and IBM wins its summary
judgment, then the outcome of the Red Hat case (which Red Hat filed to
establish its claim that its Linux distributions do not infringe on SCO's
copyrights) is clear. If, instead, the IBM case is not so all-encompassing
after all, the Red Hat case may be taken off hold and moved forward - and
that is not something that SCO wants.
Red
Hat's letter responds directly to SCO's, and does not mince words.
SCO's June 17 effort to explain away the numerous inconsistent
statements it has made to this Court and to other federal courts
around the country again make plain SCO's litigation
strategy. SCO's ultimate objective is to delay for as long as
possible resolution of the copyright claims that are at the heart
of each of the pending lawsuits. By avoiding final adjudication of
its copyright claims, SCO can continue to foster fear, uncertainty,
and doubt in the marketplace about the long-term viability of
Linux.
Red Hat points out that SCO wants the AutoZone case to go forward. If,
says Red Hat, the AutoZone case presents sufficiently interesting issues
that it should be heard now, Red Hat's case should go forward as well.
Whether the judge agrees remains to be seen; given the history of this
case, the likelihood of any near-term movement is small.
Finally, for those of you who have not had enough SCO fun, remember that SCO Forum 2004 is happening in Las
Vegas, starting on August 1. This will be your chance to attend no
end of fascinating sessions, including a keynote speech by "analyst" Rob
Enderle. Don't you wish you could be there?
Page editor: Jonathan Corbet
Security
Mozilla and security
It looks like yet another in a series of bad weeks for Internet Explorer;
exploitable bugs seem to come out more quickly than security firms can
write up advisories about them. The web browser is an important piece of
software from a security perspective; it has direct contact with random,
external sites, some of which are almost certainly hostile. Web browsers
are also large, complex programs, and thus hard to audit in any sort of
thorough way. So it is not surprising that problems are found and
exploited.
Linux users, as usual, sit back and feel smug. We don't run Internet
Explorer, and our browsers, being free software and thus inherently more
secure, will not present us with this sort of unpleasant surprise.
Right?
As free browsers continue to grow in popularity, they will also attract
more attention from the inhabitants of the darker side of the net. So it
is worth looking at how Mozilla, which is the core of many free browsers,
deals with security incidents.
Linux users may well have missed this security
advisory that went out on July 7, because only Windows users are
affected. For those users, however, the impact of this bug could be
large. Essentially, Mozilla-based browsers (including Firefox and
Thunderbird) pass "shell:" URIs directly to the operating system,
which happily runs the command included in the URI. It is a direct path to
a command interpreter on the local system; all it requires is getting the
user to click on the wrong link.
Some commenters have said that this is really a Windows bug; Mozilla is
just passing on the URI and Windows decides how to deal with it. But that
is an evasive answer; a security-conscious application must sanitize any
externally-supplied data that it passes on to the system. This
vulnerability is a Mozilla bug; it was closed by having Mozilla do the
checking it should have done in the first place.
Others have complimented Mozilla for its quick response: a patch was
available about one day after the vulnerability was posted. This response
time has been favorably compared with the rather slower pace characteristic
of Internet Explorer fixes. The only problem with this point of view is
that the Mozilla developers have known about this issue since 2002; Mozilla bug
163767 suggested the addition of a preference which would disable the
use of external protocol handlers. The bug remained open for almost two
years, however, until the project had no alternative to fixing it. It
seems that developers of free software are entirely capable of sitting on a
vulnerability in the absence of an immediate exploit threat.
The point here is not to flame the Mozilla project for shipping code with a
vulnerability, or even for not realizing the importance of a known hole.
These things happen, and Mozilla's record is better than that of many other
projects. The point is that we cannot assume that, by accessing the web
with a free browser, we are immune from exploits. Vulnerabilities are a
fact of life, and the incentives for finding and exploiting vulnerabilities
in free browsers are growing.
In that context, it is encouraging to see this
MozillaZine article which talks about some recent changes made by the
Mozilla hackers. The Mozilla extension mechanism is a powerful way of
adding new capabilities to the browser, but it could also become a
mechanism by which attackers load hostile code directly into target
systems. It should, thus, be hard to add an extension; it shouldn't happen
automatically. The Mozilla hackers have noticed an increase in attempts to
load unwanted extensions, and have responded with some new mechanisms
designed to block those attempts. These include a whitelist of sites
allowed to propose the addition of extensions.
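The two defensive points above, sanitizing a URI before it leaves the browser and allowlisting the sites that may prompt for an extension, amount to the same default-deny check. The following is an added example in C, not Mozilla's own code (which does this inside its C++ services): external_handler_allowed() refuses any URI whose scheme is not on a short list before an external protocol handler sees it, so a "shell:" link never reaches the operating system, and extension_install_allowed() accepts install prompts only from listed hosts. Both lists, the function names and the sample URIs are constructed for this example.

```c
/* Added example (not Mozilla's code): default-deny allowlists for what a
 * browser hands outside itself.  Both lists and all function names are
 * constructed for this example. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Schemes the browser is willing to hand to an external handler. */
static const char *const external_scheme_allowlist[] = {
    "http", "https", "ftp", "mailto", NULL
};

/* Hosts allowed to propose the installation of an extension. */
static const char *const extension_site_allowlist[] = {
    "addons.example.org", "update.example.org", NULL
};

/* Extract the RFC 3986 scheme of `uri` into `out`, lower-cased.  Returns
 * 1 on success, 0 if the text does not start with a well-formed
 * "scheme:" prefix or the scheme does not fit in `out`. */
static int parse_scheme(const char *uri, char *out, size_t outlen)
{
    size_t i;
    if (uri == NULL || !isalpha((unsigned char)uri[0]))
        return 0;
    for (i = 0; uri[i] != '\0' && uri[i] != ':'; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (!isalnum(c) && c != '+' && c != '-' && c != '.')
            return 0;                   /* not a scheme character */
        if (i + 1 >= outlen)
            return 0;                   /* scheme longer than our buffer */
        out[i] = (char)tolower(c);
    }
    if (uri[i] != ':')
        return 0;                       /* no "scheme:" prefix at all */
    out[i] = '\0';
    return 1;
}

/* Case-insensitive membership test against a NULL-terminated list. */
static int in_list(const char *needle, const char *const *list)
{
    for (; *list != NULL; list++)
        if (strcasecmp(needle, *list) == 0)
            return 1;
    return 0;
}

/* May `uri` be passed to an external protocol handler?  Anything that
 * does not parse, or whose scheme is not listed, is refused. */
int external_handler_allowed(const char *uri)
{
    char scheme[32];
    if (!parse_scheme(uri, scheme, sizeof scheme))
        return 0;
    return in_list(scheme, external_scheme_allowlist);
}

/* May the page served by `host` prompt the user to install an extension? */
int extension_install_allowed(const char *host)
{
    if (host == NULL || *host == '\0')
        return 0;
    return in_list(host, extension_site_allowlist);
}

int main(void)
{
    /* Constructed sample URIs for a stand-alone run. */
    const char *uris[] = { "https://lwn.net/", "mailto:editor@example.org",
                           "shell:windows", "javascript:void(0)" };
    size_t i;
    for (i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-28s -> %s\n", uris[i],
               external_handler_allowed(uris[i]) ? "external handler" : "refused");
    return 0;
}
```

The check is deliberately an allowlist rather than a blocklist of known-bad schemes: a new handler registered by the operating system tomorrow is refused until somebody decides it is safe, which is the behaviour the preference requested in bug 163767 would have given.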
One should also note this
vulnerability which could be of use to the perpetrators of the
increasing number of "phishing" attacks out there. Through the use of some
Javascript and frames trickery, an attacker can falsify somebody else's
page while having the location bar show a legitimate URL. Internet
Explorer is vulnerable, but so is Mozilla. (Thanks to
Chester Young for the pointer).
With luck, the Mozilla hackers (and khtml hackers too) will increasingly
keep security in mind as they write their code. And we know they will fix
problems quickly when they become apparent. But we cannot assume that our
free browsers are immune from security problems; the world is, sooner or
later, going to prove otherwise.
New vulnerabilities
Ethereal: Multiple security problems
| Package(s): | ethereal |
| CVE #(s): | CAN-2004-0633, CAN-2004-0634, CAN-2004-0635 |
| Created: | July 9, 2004 |
| Updated: | August 19, 2004 |
| Description: | There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.5: in some cases the iSNS dissector could cause Ethereal to abort; a missing policy name for a handle during SMB SID snooping could cause a crash; and a malformed or missing community string could cause the SNMP dissector to crash. See this advisory for more information. |
| Alerts: | |
MoinMoin Group ACL Bypass
| Package(s): | moinmoin |
| CVE #(s): | |
| Created: | July 12, 2004 |
| Updated: | August 26, 2004 |
| Description: | MoinMoin contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker creates a user with the same name as an administrative group. This flaw may lead to a loss of integrity. See this osvdb entry for additional information. |
| Alerts: | |
php: remotely exploitable memory errors
| Package(s): | php |
| CVE #(s): | CAN-2004-0594 |
| Created: | July 14, 2004 |
| Updated: | February 7, 2005 |
| Description: | Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not). |
| Alerts: | |
wv: buffer overflow
| Package(s): | wv |
| CVE #(s): | CAN-2004-0645 |
| Created: | July 14, 2004 |
| Updated: | February 10, 2005 |
| Description: | wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem. |
| Alerts: | |
Updated vulnerabilities
Apache mod_proxy: denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2004-0492 |
| Created: | June 11, 2004 |
| Updated: | October 14, 2004 |
| Description: | A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service. |
| Alerts: | |
apache2: stack-based buffer overflow in ssl_util.c
| Package(s): | apache2 |
| CVE #(s): | CAN-2004-0488 |
| Created: | June 1, 2004 |
| Updated: | October 14, 2004 |
| Description: | A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN. |
| Alerts: | |
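The general lesson of this entry is that an encoder's output length is a function of an attacker-chosen input length, so a fixed-size destination has to be checked against that function rather than assumed to be large enough. The following added example is not mod_ssl's code: it is a base64 encoder that computes the required size first and refuses, writing nothing, when the destination is too small, with a wrapper modelling a subject DN being encoded into a fixed 64-byte area. The function names are hypothetical and the alphabet is standard base64 (RFC 4648), assumed here rather than taken from mod_ssl.

```c
/* Added example (not mod_ssl's code): bounds-checked base64 encoding.
 * Function names are hypothetical; the alphabet is standard RFC 4648
 * base64, assumed rather than taken from ssl_util.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes needed to encode `n` input bytes, including the NUL terminator;
 * 0 if the arithmetic itself would overflow size_t. */
size_t b64_required_len(size_t n)
{
    size_t groups = n / 3 + (n % 3 != 0);
    if (groups > (SIZE_MAX - 1) / 4)
        return 0;
    return groups * 4 + 1;
}

/* Encode `n` bytes of `src` into `dst` of capacity `dstlen`.  Returns the
 * number of characters written (excluding the NUL) or -1 when the result
 * would not fit; in that case nothing is written at all. */
long b64_encode_checked(const unsigned char *src, size_t n,
                        char *dst, size_t dstlen)
{
    size_t need = b64_required_len(n), i, o = 0;
    if (need == 0 || dstlen < need)
        return -1;                          /* refuse rather than overflow */
    for (i = 0; i + 2 < n; i += 3) {        /* full 3-byte groups */
        unsigned v = ((unsigned)src[i] << 16) | ((unsigned)src[i + 1] << 8) | src[i + 2];
        dst[o++] = b64tab[(v >> 18) & 63];
        dst[o++] = b64tab[(v >> 12) & 63];
        dst[o++] = b64tab[(v >> 6) & 63];
        dst[o++] = b64tab[v & 63];
    }
    if (n - i == 1) {                       /* one trailing byte: "xx==" */
        unsigned v = (unsigned)src[i] << 16;
        dst[o++] = b64tab[(v >> 18) & 63];
        dst[o++] = b64tab[(v >> 12) & 63];
        dst[o++] = '=';
        dst[o++] = '=';
    } else if (n - i == 2) {                /* two trailing bytes: "xxx=" */
        unsigned v = ((unsigned)src[i] << 16) | ((unsigned)src[i + 1] << 8);
        dst[o++] = b64tab[(v >> 18) & 63];
        dst[o++] = b64tab[(v >> 12) & 63];
        dst[o++] = b64tab[(v >> 6) & 63];
        dst[o++] = '=';
    }
    dst[o] = '\0';
    return (long)o;
}

/* Models the certificate case: does the subject DN `dn` encode into a
 * fixed 64-byte area?  Returns 1 if it fits, 0 if the encoder refused. */
int subject_dn_fits(const char *dn)
{
    char area[64];
    return b64_encode_checked((const unsigned char *)dn, strlen(dn),
                              area, sizeof area) >= 0;
}

/* Helper for checking known vectors: encode `in` and compare to `expected`. */
int b64_encodes_to(const char *in, const char *expected)
{
    char out[128];
    if (b64_encode_checked((const unsigned char *)in, strlen(in), out, sizeof out) < 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample DNs for a stand-alone run. */
    printf("short DN fits: %d\n", subject_dn_fits("CN=alice"));
    printf("long DN fits:  %d\n",
           subject_dn_fits("CN=This subject distinguished name is far too long to fit here"));
    return 0;
}
```

Note that the refusal happens before the first byte is written; an encoder that checks only as it goes can still corrupt the stack by the time it notices, and the caller then has to treat a -1 as a rejected certificate rather than as an empty string.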
Apache: denial of service
| Package(s): | apache2 |
| CVE #(s): | CAN-2004-0493 |
| Created: | June 30, 2004 |
| Updated: | July 19, 2004 |
| Description: | Versions of apache 2.0 through 2.0.49 fail to defend against arbitrarily long header lines; this bug can be exploited to cause the server to use arbitrarily large amounts of memory. See this advisory from Georgi Guninski for details. |
| Alerts: | |
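A server that reads headers from an untrusted peer has to bound its input before buffering it, and the bound must cover every way a single field can grow. The following added example is not Apache's code: a small header scanner that enforces three limits before any header bytes are accumulated (the longest physical line, the longest logical field after continuation lines are unfolded, and the number of fields) and rejects the request the moment one would be exceeded. The unfolded-field limit is the one most easily forgotten when a limit is applied per physical line, since each folded continuation looks short on its own. The default values are chosen to match Apache's LimitRequestFieldSize (8190) and LimitRequestFields (100) directives; the struct, function names and sample requests are constructed for this example.

```c
/* Added example (not Apache's code): bounded header scanning.  The limits
 * struct, function names and sample requests are constructed here. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { HDR_ERR_LINE = -1, HDR_ERR_FIELD = -2, HDR_ERR_COUNT = -3 };

typedef struct {
    size_t max_line;    /* longest physical line, excluding CRLF */
    size_t max_field;   /* longest logical field, continuations included */
    size_t max_fields;  /* how many fields one request may carry */
} header_limits;

/* Defaults matching Apache's LimitRequestFieldSize / LimitRequestFields. */
const header_limits default_limits = { 8190, 8190, 100 };
/* Deliberately small limits so the sample input below trips them. */
const header_limits tiny_limits    = { 40, 60, 3 };

/* Scan the header block in `raw` up to the first empty line.  Returns the
 * number of logical fields, or a negative HDR_ERR_* code the moment a
 * limit would be exceeded, so a caller never buffers unbounded input. */
int scan_headers(const char *raw, const header_limits *lim)
{
    size_t fields = 0, field_len = 0;
    int in_field = 0;
    const char *p = raw;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t line_len = eol ? (size_t)(eol - p) : strlen(p);
        if (line_len > 0 && p[line_len - 1] == '\r')
            line_len--;                         /* drop CR of CRLF */
        if (line_len == 0)
            break;                              /* empty line: end of headers */
        if (line_len > lim->max_line)
            return HDR_ERR_LINE;
        if (p[0] == ' ' || p[0] == '\t') {
            /* continuation line: charged to the previous field's budget */
            if (!in_field)
                return HDR_ERR_FIELD;           /* continuation of nothing */
            field_len += line_len;
        } else {
            if (++fields > lim->max_fields)
                return HDR_ERR_COUNT;
            field_len = line_len;
            in_field = 1;
        }
        if (field_len > lim->max_field)
            return HDR_ERR_FIELD;
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return (int)fields;
}

int main(void)
{
    /* Constructed request fragments: a normal one, and a folded field whose
     * physical lines are each under 40 bytes but whose total exceeds 60. */
    const char *normal = "Host: www.example.org\r\nUser-Agent: test\r\n\r\n";
    const char *folded = "X-Long: " "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "\r\n"
                         " " "bbbbbbbbbb" "bbbbbbbbbb" "bbbbbbbbbb" "\r\n\r\n";
    printf("normal: %d\n", scan_headers(normal, &tiny_limits));
    printf("folded: %d\n", scan_headers(folded, &tiny_limits));
    return 0;
}
```

The scanner keeps only counters, never a copy of the header, which is the point: the decision to reject is made from lengths alone, and only an accepted request is worth allocating for.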
aspell: bounds checking problem
| Package(s): | aspell |
| CVE #(s): | CAN-2004-0548 |
| Created: | June 17, 2004 |
| Updated: | December 20, 2004 |
| Description: | Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker. |
| Alerts: | |
dhcp: buffer overflows
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-0460, CAN-2004-0461 |
| Created: | June 23, 2004 |
| Updated: | July 14, 2004 |
| Description: | Two separate buffer overflows have been found in versions 3.0.1rc12 and 3.0.1rc13 of the ISC DHCP server. These overflows can be exploited by a remote attacker to cause a denial of service, or, potentially, to execute arbitrary code. DHCP servers should not be exposed to the Internet, but this problem is worth fixing regardless. See this CERT advisory for more information. |
| Alerts: | |
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
flim: insecure file creation
| Package(s): | flim |
| CVE #(s): | CAN-2004-0422 |
| Created: | May 5, 2004 |
| Updated: | December 16, 2004 |
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
| Alerts: | |
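Insecure temporary file creation is a recurring class of local vulnerability, and the fix is always the same shape: an unpredictable name, exclusive creation, and a private mode. The following added example is not flim's code (flim is Emacs Lisp; this is the same pattern written in C): open_temp_insecure() shows the pattern the entry describes, a predictable name opened with O_CREAT but without O_EXCL, so a link planted at that name is followed and its target truncated; open_temp_secure() uses mkstemp(3), which picks a random name and opens it with O_CREAT|O_EXCL and mode 0600, and temp_file_is_private() verifies those properties on the descriptor it gets back. The directory, prefix and function names are hypothetical.

```c
/* Added example (not flim's code): insecure versus secure temporary file
 * creation.  Directory, prefix and function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* INSECURE, shown for contrast only and never called below: the name is
 * predictable, O_EXCL is absent so a pre-existing symlink at the name is
 * followed and its target truncated, and the mode is world-readable. */
int open_temp_insecure(const char *dir)
{
    char path[256];
    snprintf(path, sizeof path, "%s/flim-%ld", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* SECURE: mkstemp() replaces the XXXXXX with unpredictable characters and
 * creates the file with O_CREAT|O_EXCL and mode 0600, retrying on
 * collision, so an attacker-planted file or link is never followed.
 * Returns the open descriptor and leaves the chosen path in `path_out`. */
int open_temp_secure(const char *dir, char *path_out, size_t outlen)
{
    int n = snprintf(path_out, outlen, "%s/flim-XXXXXX", dir);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                              /* path would not fit */
    return mkstemp(path_out);
}

/* Create a temporary file in `dir`, check through the descriptor (not the
 * path, which could be raced) that it is a fresh, empty regular file with
 * a single link that only the owner may read or write, then remove it.
 * Returns 1 if every property holds, 0 otherwise or if creation failed. */
int temp_file_is_private(const char *dir)
{
    char path[4096];
    struct stat st;
    int ok = 0;
    int fd = open_temp_secure(dir, path, sizeof path);
    if (fd < 0)
        return 0;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
        && (st.st_mode & 0777) == 0600 && st.st_nlink == 1 && st.st_size == 0)
        ok = 1;
    unlink(path);
    close(fd);
    return ok;
}

int main(void)
{
    char path[4096];
    int fd = open_temp_secure("/tmp", path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s (private: %d)\n", path, temp_file_is_private("/tmp"));
    unlink(path);
    close(fd);
    return 0;
}
```

The check in temp_file_is_private() deliberately uses fstat() on the open descriptor rather than stat() on the path: the descriptor refers to the file that was actually created, whereas the path could be re-pointed between creation and inspection.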
FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling
| Package(s): | freeswan |
| CVE #(s): | |
| Created: | June 25, 2004 |
| Updated: | July 15, 2004 |
| Description: | FreeS/WAN, Openswan, strongSwan and Super-FreeS/WAN contain two bugs when authenticating PKCS#7 certificates. This could allow an attacker to authenticate with a fake certificate. All these IPsec implementations have several bugs in the verify_x509cert() function, which performs certificate validation, that make them vulnerable to malicious PKCS#7 wrapped objects. With a carefully crafted certificate payload an attacker can successfully authenticate against FreeS/WAN, Openswan, strongSwan or Super-FreeS/WAN, or make the daemon go into an endless loop. |
| Alerts: | |
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Horde-IMP: improper input validation
| Package(s): | Horde-IMP |
| CVE #(s): | |
| Created: | June 16, 2004 |
| Updated: | August 10, 2004 |
| Description: | An input validation error exists in Horde-IMP through version 3.2.4; a specially crafted message could be used to run scripts in the context of the target's browser. |
| Alerts: | |
iproute: local denial of service
| Package(s): | iproute net-tools |
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: | |
Comments (none posted)
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon |
| CVE #(s): | CAN-2004-0155 |
| Created: | April 7, 2004 |
| Updated: | August 19, 2004 |
| Description: | Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. |
| Alerts: | |
Comments (none posted)
racoon: denial of service vulnerability
| Package(s): | ipsec-tools racoon iputils |
| CVE #(s): | CAN-2004-0403 |
| Created: | April 26, 2004 |
| Updated: | July 29, 2004 |
| Description: | racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a denial of service. This advisory contains additional details. |
| Alerts: | |
Comments (none posted)
kdelibs: cookie disclosure
| Package(s): | kdelibs |
| CVE #(s): | CAN-2003-0592 |
| Created: | March 10, 2004 |
| Updated: | August 24, 2004 |
| Description: | kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
| Alerts: | |
Comments (none posted)
kernel: symlink overflow in the iso9660 filesystem
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0109 |
| Created: | April 14, 2004 |
| Updated: | July 15, 2004 |
| Description: | The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release. |
| Alerts: | |
Comments (none posted)
kernel allows unauthorized changes to the group ID
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0497 |
| Created: | July 2, 2004 |
| Updated: | September 27, 2004 |
| Description: | During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances, such as when the files are exported via NFS. |
| Alerts: | |
Comments (none posted)
kernel: netfilter denial of service
| Package(s): | kernel |
| CVE #(s): | |
| Created: | June 30, 2004 |
| Updated: | July 28, 2004 |
| Description: | The netfilter code in 2.6 kernels through 2.6.7 is vulnerable to a remote denial of service attack, but only if filtering on the TCP options field has been enabled. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in the kernel-utils packages shipped with Red Hat Linux 8.0 was incorrectly installed setuid root. This could allow local users to control certain network interfaces, add and remove ARP entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages, which contain a version of uml_net that is not setuid root. Alternatively, as a workaround for this vulnerability, issue the following command as root: chmod -s /usr/bin/uml_net |
| Alerts: | |
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly, which causes a buffer overrun beyond the beginning of the row buffer. |
| Alerts: | |
Comments (none posted)
libxml2: arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | July 21, 2004 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
| CVE #(s): | CAN-2004-0404 |
| Created: | April 21, 2004 |
| Updated: | December 22, 2004 |
| Description: | The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
| Alerts: | |
Comments (none posted)
mailman: password disclosure
| Package(s): | mailman |
| CVE #(s): | CAN-2004-0412 |
| Created: | May 27, 2004 |
| Updated: | July 20, 2004 |
| Description: | In mailman versions above 2.1, third parties can retrieve member passwords from the server. |
| Alerts: | |
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
| Alerts: | |
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: | Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix the vulnerability, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability. |
| Alerts: | |
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
| CVE #(s): | CAN-2003-0594, CAN-2003-0564 |
| Created: | March 10, 2004 |
| Updated: | August 19, 2004 |
| Description: | Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. |
| Alerts: | |
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). |
| Alerts: | |
Comments (none posted)
MySQL: temporary file vulnerabilities
| Package(s): | mysql |
| CVE #(s): | CAN-2004-0381, CAN-2004-0388 |
| Created: | April 14, 2004 |
| Updated: | August 18, 2004 |
| Description: | The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system. |
| Alerts: | |
Comments (none posted)
neon: buffer overflow
| Package(s): | neon |
| CVE #(s): | CAN-2004-0398 |
| Created: | May 19, 2004 |
| Updated: | September 30, 2004 |
| Description: | The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver). |
| Alerts: | |
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
| CVE #(s): | |
| Created: | May 27, 2003 |
| Updated: | August 12, 2004 |
| Description: | Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information. |
| Alerts: | |
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
| CVE #(s): | CAN-2003-0924 |
| Created: | January 19, 2004 |
| Updated: | December 29, 2004 |
| Description: | netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. |
| Alerts: | |
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
| Alerts: | |
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
pavuk: buffer overflow
| Package(s): | pavuk |
| CVE #(s): | CAN-2004-0456 |
| Created: | June 30, 2004 |
| Updated: | November 11, 2004 |
| Description: | Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server. |
| Alerts: | |
Comments (none posted)
postgresql: buffer overflow in ODBC driver
| Package(s): | postgresql |
| CVE #(s): | |
| Created: | June 7, 2004 |
| Updated: | July 28, 2004 |
| Description: | A buffer overflow has been discovered in the ODBC driver of PostgreSQL, an object-relational SQL database descended from POSTGRES. It is possible to exploit this problem and crash the surrounding application. Hence, a PHP script using php4-odbc can be utilized to crash the surrounding Apache webserver. Other parts of postgresql are not affected. |
| Alerts: | |
Comments (none posted)
python: buffer overflow
| Package(s): | python |
| CVE #(s): | CAN-2004-0150 |
| Created: | March 10, 2004 |
| Updated: | October 11, 2004 |
| Description: | Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
| Alerts: | |
Comments (none posted)
rsync: remote file write attack
| Package(s): | rsync |
| CVE #(s): | CAN-2004-0426 |
| Created: | April 30, 2004 |
| Updated: | July 12, 2004 |
| Description: | See the rsync homepage for the April 2004 advisory: "There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected." |
| Alerts: | |
Comments (none posted)
squid: buffer overflow
| Package(s): | squid |
| CVE #(s): | CAN-2004-0541 |
| Created: | June 9, 2004 |
| Updated: | September 30, 2004 |
| Description: | The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable. |
| Alerts: | |
Comments (none posted)
SquirrelMail: cross site scripting vulnerabilities
| Package(s): | squirrelmail |
| CVE #(s): | CAN-2004-0519, CAN-2004-0520, CAN-2004-0521 |
| Created: | May 21, 2004 |
| Updated: | October 4, 2004 |
| Description: | Several unspecified cross-site scripting (XSS) vulnerabilities and a well-hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string. |
| Alerts: | |
Comments (none posted)
Subversion: Remote heap overflow
| Package(s): | subversion |
| CVE #(s): | CAN-2004-0413 |
| Created: | June 11, 2004 |
| Updated: | March 7, 2005 |
| Description: | Subversion has a remote denial of service vulnerability that may allow a server that runs svnserve to execute arbitrary code. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
sysstat: temporary file vulnerability