Thursday, September 10, 2015

Open Source: Free Software Licenses Against Misuse – Golem.de

http://www.golem.de/news/open-source-lizenzen-gegen-den-missbrauch-freier-software-1509-116210.html Published: 09/10/2015 12:00

Free software plays an important role at Hacking Team, and that makes open source programmers involuntary accomplices in the development of surveillance software. Thorsten Schröder of the Chaos Computer Club wants to do something about it.

For the development of its surveillance software, Hacking Team makes extensive use of open source software (OSS). Not only are development tools such as Ruby and Python used; some free components even end up as part of the spyware on the victims' devices, much to the annoyance of their developers. They thus become involuntary accomplices of Hacking Team, which sells its software worldwide, even to dubious customers. Thorsten Schröder of the Chaos Computer Club (CCC) therefore wants to give OSS developers more rights to decide for themselves for what purposes their software may be used. In doing so, however, he calls into question the fundamental rules governing the publication of free software.

In the recently leaked Hacking Team documents, references to free software turn up everywhere. The spyware's developers analyzed and used, for example, the driver for Microsoft's NTFS file system that the free bootloader Grub uses. It was to be used in Hacking Team's UEFI rootkit, which automatically reinstalls the spyware even after Windows has been reinstalled.

Using open source against open source

Hacking Team's espionage software has also been ported to Linux. Naturally, free software was used in that development as well. In the company's minutes from June 2015, shortly before the documents leaked, the Linux distribution Tails was on the agenda. A rootkit was to be developed for it, too. Furthermore, a third party was to obtain access to the security-hardened operating system, which the whistleblower Edward Snowden says he used to connect to the Tor network and communicate with journalists in encrypted form.

Hacking Team also drew on open source tools for the versions of its spyware for the mobile operating systems Android and BlackBerry. The developer Collin Mulliner in particular was incensed when he received indications that Hacking Team had used two of his developments.

The software was found in Hacking Team's trove because the developer had, in accordance with the GPL requirements, retained the attribution of the initial developer in the source code. Mulliner writes in his blog that he initially had to defend himself against accusations that he had developed his software on behalf of Hacking Team. He would like a license that precludes such misuse of his software, but has no idea whether one already exists or what it should look like.

Unconditional freedom for open source

Such use is, however, currently not prohibited. On the contrary: most free licenses, particularly the GNU General Public License (GPL), provide for unrestricted use of free software by third parties. This right is one of the four freedoms that GPL initiator Richard Stallman formulated back in 1985. Once software has been released, everyone must be able to obtain the source code, modify it and continue to use it. But whoever does so must then also disclose their own source code and name the original developers. This is precisely the intention of Richard Stallman's GPL. Software should fall under the so-called "four freedoms": anyone should be able to inspect it, use it, pass it on and adapt it precisely to their own requirements.

Thorsten Schröder of the Chaos Computer Club now considers the GPL outdated. The license's rigid requirements restrict developers' freedom to restrict freedoms, he says. Developers should also be able to determine the circumstances under which their software may not be used, such as in spyware or for military purposes, where people could come to harm.

The risk of unrestricted freedoms

The open source vendor Red Hat, for example, advertises quite openly with one of its biggest customers: the US Department of Defense. In particular, the company mentions on its website the US military's system for locating friend and foe. It is called Blue Force Tracking and uses, among other things, the Linux kernel. "We marched into Baghdad with the help of open source," Red Hat quotes US General Nicholas Justice, who was responsible for Blue Force Tracking.

The operating systems of the US military's drones are based on the Linux kernel, which is licensed under the GPLv2. Basically, the GPL only requires disclosure of the source code when the software is redistributed. Anyone who wants to keep their specially enhanced open source software under lock and key therefore does not need to publish the source code.

Military and civilian benefits

The philosophy of give and take that Stallman transferred to software is, however, also followed by the US military. The collaboration between Red Hat and the US government brought forth, among other things, SELinux, a security platform that is now used in almost all Linux systems. In Android it is used together with the Linux kernel. And the military research agency Darpa regularly publishes software under free licenses, such as the Memex search engine for the so-called deep web, i.e. the portions of the internet that popular search engines such as Bing, Google or Yahoo do not index. The planned use of Memex: tracking criminals on the internet.

The full transfer of rights to open source software is defined in section 6 of the license: "Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein." This is the basis of the so-called freedom zero: "The freedom to run the program as you wish, for any purpose."

Exceptions are not allowed

In 2006, developers published a Gnutella client called Global Processing Unit (GPU), which can distribute computing power over the P2P network to multiple computers. Given the potential military use of such software, the developers supplemented the enclosed GPLv2 with a clause of their own: their software should not be used to the detriment of people. Only the Free Software Foundation, as steward of the GPL, could make changes, was the response, and Stallman told the now-defunct website NewsForge that nobody had the right to impose restrictions on other users' use of the software. The passage has since disappeared from the attached license.

The allegory of the pens

Six years later, Stallman again defended this freedom number 0. Just because pens and typewriters are used for evil deeds, one could not forbid them. And he would be very unhappy if his friends in the military in Venezuela could not install new versions of software on their server, a server that might later protect the country from a military invasion.

Felix von Leitner of the CCC also took up the topic in 2012, when it became known that the US Navy wanted to switch its drone control systems to Linux. The recent incident at Hacking Team prompted Thorsten Schröder of the CCC to put this issue up for discussion again. Schröder takes up once more the idea of a civil clause for free software.

Exclusion clauses against software misuse

Schröder wants to leave developers more responsibility for their software and its use. Not only the GPL but also other free software licenses such as the GNU Lesser General Public License (LGPL), the BSD license (Berkeley System Distribution) and the Apache license all come with a disclaimer, which means that the original developer cannot be held accountable for shortcomings of their software or for consequential damage.

That does not go far enough for Schröder. He wants to give developers the opportunity to prevent, by means of exclusion clauses, any use of their software that contradicts their ethical stance. He is determined to counter Richard Stallman's dogmatism with progressive licensing, he says.

Creative Commons for software

Schröder's proposal: to create a collection of exclusion clauses that, similar to the Creative Commons licenses, specifically rule out certain purposes. He gives the example of a non-military usage clause. Software should neither be used for military purposes nor serve as a basis for military research, and not even when the respective government insists on its national security. This is intended to prevent courts from compelling a developer to submit to national interests.

Such clauses must, however, be short and clear. Developers could define precisely by whom their software may be used. Some programmers probably have no problem with their work being used by the police or in nuclear power plants, while others would want to prevent that as well.

Another option: the original developer requires that the user on whose hardware the software later runs also agrees. This could prevent, for example, the use of open source software in surveillance software such as state trojans. Such a clause would also be interesting for IT security researchers, for example when they publish feasibility studies (proofs of concept) that are not meant to be abused.

Misuse must be punished

Schröder calls this modular licensing Coding Commons, in line with the Creative Commons licenses. It is not meant to replace conventional licenses but merely to supplement them. With the BSD license, such exclusion clauses are already possible, Schröder says. Others would need only slight adaptation.

Misuse should, however, also be punishable. Legal recourse is indeed possible, since, as has already been repeatedly and successfully defended in court for the GPL, the clauses constitute a contract. Opponents of exclusions constantly argue that their enforcement is difficult to monitor. That may be true, Schröder says, but such clauses are, after all, also a statement.

Public debate as punishment

If misuse is discovered, whoever is caught would have to publish the software used in breach of contract. Here Schröder cites Hacking Team as an example, even if proof would often hardly be possible. Schröder also proposes a heavy fine, which should deter illegal use of the software in advance. But Schröder sees the most effective means against misuse in the public debate that a court hearing, for example, would trigger.

Schröder wants to collect and discuss ideas for such clauses at the Chaos Communication Congress at the end of this year. By then he also wants to present a first usable license template that developers can then use. Anyone who wants to get involved can reach Schröder at the e-mail address ths@ccc.de. (jt)