Alex Hudson

Thoughts on Technology, Product, & Strategy

Category: proprietary

WPA2: Broken with KRACK. What now?

On social media right now, strong rumours are spreading that the WPA2 encryption scheme has been broken in a fundamental way. What this means: the security built into WiFi is likely ineffective, and we should not assume it provides any security.

The current name I’m seeing for this is “KRACK”: Key Reinstallation AttaCK. If this is true, it means third parties will be able to eavesdrop on your network traffic: what should be a private conversation could be listened in to.

This has happened before with WiFi: who remembers WEP passwords? However, what is different this time around: there is no obvious, easy, replacement ready and waiting. This is suddenly a very big deal.


Copyright changes ahead for the UK? SAS v WPL goes to Europe

I don’t particularly like talking law on this blog; it’s boring and – for the most part – uninteresting. However, recent developments in SAS Institute Inc v World Programming Limited (as written up here – thanks to Cristian for bringing this up at FFII) deserve to be aired.

The basic story is that the Judge in this case is deeply unsure of the boundary of copyright. For those who don’t know, SAS is a statistical package which is both popular and influential, and to a large extent can be thought of as a programming development environment. WPL, the defendants, wrote software which could interpret SAS programs. There is no direct analogy in the free software world, but LibreOffice Calc interpreting Excel spreadsheets is close enough for the purposes of our discussion.

The Judge, unsure of the boundary, has sent a number of questions to the European Court of Justice (ECJ). The questions are hypothetical, but clearly designed to test the waters and figure out where this line falls. As an example of some of the questions in our Calc vs. Excel example, he’s asking:

  • Does accessing the file format of Excel constitute copyright infringement?
  • Does interpreting Excel-compatible formulas constitute copyright infringement?
  • Is it copyright infringement to copy the behaviour (intended or otherwise) of Excel when processing spreadsheets?
  • Does it make a difference whether you copy functionality from Excel into Calc by reading Excel’s manual versus observing Excel’s behaviour?
  • Does it make a difference if you have a license to Excel?

(Just to be clear, we’re not talking about Calc and Excel; I’m just interpreting J. Arnold’s questions in this context to make them more readily understood.)

Now, the armchair lawyers amongst my readership have probably already thrown their arms up at all these questions and exclaimed, “Copyright doesn’t extend that far!”. And to an extent, they would be correct: originality has always been a defence to copyright infringement, and if any of the questions above were to be answered in the affirmative, we would see the start of that changing.

What makes this different, I think, is that we’re really seeing the weakness of copyright law treating software as a literary work. This has always been bunk, really: software is no more literary than a shopping list, and although the case of verbatim copying (with or without transformation) is open-and-shut copyright infringement there have always been “grey areas”. As one example, the FSF’s position on dynamic linking and the GPL: as a derivative work it does seem to fall under the purview of copyright, but it’s obviously a world away from literary copyright.

The WPL case is also one where the copying was explicit, deliberate and planned: they definitely did copy things. They just didn’t literally copy the software code, or decompile the software: they re-created it from the ground-up. So we’re definitely talking about a case of copying here, which it would seem could also be the purview of copyright.

This is going to be a really interesting case, and is going to have a fundamental effect on free software if we get some interesting answers to these questions. On one hand, it casts an immediate dark shadow over a number of projects: Samba being an obvious case in point, which has previously reached legal agreement in Europe about how it can copy Microsoft while still avoiding the patents that Microsoft hold on certain functionality. But while desktop apps which copy Microsoft make the most obvious cases, you could equally see problems for 3D graphics drivers, people implementing compilers, all sorts of areas – particularly where free software is still catching up to proprietary software.

But of course on the other hand, this would also strengthen the copyright position of free software applications. Companies that currently dance around the (L)GPL-style licenses will find themselves on thin ice indeed, and those proprietary implementations of leading free software will start having to be extremely careful.

It’s very unlikely that many of the questions will be answered in such a way that the copyright system becomes like the patent system: for one, it would be such a massive change that it would require primary legislation at a European level to become legally sound. And there are few cases exactly like this one, where the copying is so obvious and blatant.

The precedents being set here will be extremely important, though. Our understanding of copyright will almost certainly change from the outcome in this case, and will necessarily become more nuanced. The idea of “clean-room reverse engineering” may become more nebulous, and the “I wrote it from scratch” defence could become weaker.

If nothing else, this highlights that no law is truly ever settled, and possibly portends more movement in this area in the future: I’ve described before how the UK Government is making noises about revisiting intellectual property laws, and in our current weak economic state it is extremely tempting for politicians to beef up some of these laws in order to “create wealth”. Cameron, our Prime Minister, is particularly in thrall to Google, as if they set any good example for our businesses. It’s sometimes very easy to just think about patents and lose sight of the bigger picture.

Asay and Tiemann, mano a mano.

Matt Asay has written another entertaining blog piece on his particular theories of open source economics, and Red Hat’s Michael Tiemann and he have engaged in what is superficially a bit of “Is not!” “Is too!”. Looking a bit deeper, though, it’s not really the pragmatics vs. the Stallmanites, even though that’s how Asay frames it.

Fundamentally, Tiemann is right on the money: a simplistic “supply and demand” view of how prices are set in a market place completely ignores the value that Red Hat offers to its customers. “Subscription” versus “box price” is not simply a semantic difference – indeed, that’s essentially labelling their customers as brand tarts unwilling to risk CentOS / Scientific Linux, and reduces the business decision to a simple money figure. That’s not how business works; the difference between “cheapest” and “best value” is huge.

Asay also bizarrely labels Red Hat a “distant second to Canonical” in the purity stakes. This is Canonical with the proprietary server management, proprietary file sharing, proprietary application store, etc.? I don’t even vaguely understand the argument here: either Matt is badly misinformed, or is just being very selective – the only thing I can think that Red Hat withholds is permission for others to use its trade marks. Which Canonical also does.

Then comes the claim that “The bulk of the best, most widely used open source is funded by proprietary dollars.” – followed by a call of thanks for the likes of IBM, HP, Intel. No doubt those companies do contribute a reasonable amount, but to credit them with the bulk of the best: that’s really stretching it. If you look at the actual factual information of who contributes what to projects like Linux, corporate interest is large, but “funded by proprietary dollars” – haha. What Asay is basically implying is “proprietary sales are underwriting the development of open source” – presumably some kind of mass corporate hallucination that has turned these businesses into charities, and pragmatism be damned.

Of course, the reality is these businesses would never underwrite development of software which wouldn’t make the money back, and indeed IBM’s vaunted “$1 billion investment” was apparently recouped in a single year. According to Matt, we should be thanking IBM for doing this: to my mind, IBM should be thanking the community for the contribution that has enabled it to recoup its investment so quickly (since 2002 presumably it has been making good money, too).

What Matt doesn’t seem to get is that this split-personality marketing of “we do all this open stuff, except for this scarce bit we’re charging you for!” is a prize example of a house divided unto itself. You can’t sensibly talk about the benefits of open source without contradicting yourself completely when it comes to the paywall behind which your proprietary software sits: basically you have to fess up that the open source bits are the bait.

What Michael’s post illustrates nicely is not just a clarity of purpose, but a 100% commitment to what they tell their customers: no ifs, no buts, but a single compelling story. Customers understand the value they offer, and that’s why they make money.

[Edit 20:24: just for clarity, my comparison of Canonical to Red Hat is not to denigrate Canonical: merely to illustrate that claiming Red Hat are a ‘distant second’ to Canonical in the purity stakes is utter nonsense. Also, my reference in the comments to “proprietary application store” should be parsed as “a store that hosts proprietary applications”, not “an application store that is proprietary”]

Come on, Facebook – re-instate Tom Brake MP

Now, I’m not a huge one for using web applications as a means of civic communication – I tend to believe that communicating with your representatives is much better done in a public space rather than a private one like Facebook. However, this story (on the face of it) is quite disturbing.

Transport for London recently announced the removal of the N213 night bus service between Croydon and Sutton. For many people, particularly young people going out of a night in Croydon, although this service wasn’t overcrowded it was important. A number of people on Facebook started a group to protest this, and took to the streets of Wallington last night.

Our local MP, Tom Brake, has been a Facebook user for years now and has tended to be pretty good about using it intelligently: joining good local causes, using it as another way of letting people know what he’s up to, and that kind of thing. So, he also joined the “Save the N213” group and posted various letters that he’d sent to the Mayor / TFL.

Now, however, Facebook has suspended his account: it’s like he doesn’t exist on the site any more. No comments, no profile, unceremoniously de-listed from the various groups.

Fine upstanding local residents

Why has this happened? Well, according to LibDem Voice, “his account was automatically suspended when their system detected an unusually large amount of traffic to and from his account”. That is to say, the protest against the N213 – which Tom was participating in, not really organising – was too successful, and Facebook assumed something bad was happening.

MPs need to be easily accessible by their constituents. On issues like public transport, children and young adults are particularly important because they don’t have the option of driving. Representing them effectively means, realistically, being able to contact the local community via Facebook (and services like it), because that’s what these people use in the same way older generations write letters to the local newspaper.

It’s difficult to know what to do about this. It’s difficult to see how a kind of public service obligation could be imposed on something like Facebook; equally, setting up something genuinely public and civic-minded is unlikely to attract the demographic we’re talking about.

Windows Vista lameness (for future reference)

I’ve hit across this problem a couple of times and always end up having to look up the magic incantations, so I’m going to store it here for posterity and in the hopes it may also aid other people.

Problem: Windows Vista / XP machine on a wireless network behaving extremely oddly. You can often browse to Google, for example, but basically nowhere else – it’s like other websites just time out.

Issue: For some reason, path MTU discovery doesn’t seem to work – the OS ends up sending packets which are too big for the path, and things stop working. I would imagine this is probably an issue with one of the wireless routers involved, rather than Windows itself.

Solution:

You’ll need an Administrator shell. Find the ‘Command Prompt’ in the Start Menu, and right-click to select ‘Run as Administrator’. Then, use this command to find the name of the interfaces on the machine:

netsh interface ipv4 show subinterfaces

Using the name we found above, do:

netsh interface ipv4 set subinterface "Name We Just Found In Quotes" mtu=1400 store=persistent

It’s a complete hack, but it works, and since I use Windows about once a year I really don’t care 😀
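The fixed 1400 above is a guess that happens to be small enough. As an added example (not the original post’s own procedure), the PowerShell script below measures the largest payload that actually passes the path without fragmentation, using Windows `ping` with the Don’t Fragment flag (`-f`) and a payload size (`-l`), then applies the derived MTU with the same `netsh` command as above. The probe target and the interface name are placeholders: substitute a host you can reach and the name reported by `netsh interface ipv4 show subinterfaces`. It must be run from an Administrator shell for the `netsh set` step to succeed.

```powershell
# Added example: derive the working path MTU instead of hard-coding 1400.
# Assumptions (placeholders): $Target is any reachable IPv4 host, $Interface
# is the subinterface name shown by 'netsh interface ipv4 show subinterfaces'.
param(
    [string]$Target    = "192.0.2.1",                      # placeholder probe host
    [string]$Interface = "Wireless Network Connection"     # placeholder interface name
)

# IPv4 header (20 bytes) + ICMP header (8 bytes): MTU = ICMP payload + 28.
$HeaderOverhead = 28

function Test-UnfragmentedPayload {
    param([int]$PayloadBytes)
    # -f sets Don't Fragment, -l sets payload size, -n 1 sends a single probe.
    $out = ping -f -l $PayloadBytes -n 1 $Target 2>&1 | Out-String
    # A too-large probe is reported as "Packet needs to be fragmented but DF set."
    return ($out -match 'Reply from') -and ($out -notmatch 'needs to be fragmented')
}

# Binary search between the IPv4 minimum (576) and Ethernet maximum (1500).
$low  = 576  - $HeaderOverhead
$high = 1500 - $HeaderOverhead
while ($low -lt $high) {
    $mid = [math]::Ceiling(($low + $high) / 2)
    if (Test-UnfragmentedPayload -PayloadBytes $mid) { $low = $mid } else { $high = $mid - 1 }
}

$mtu = $low + $HeaderOverhead
Write-Host "Largest unfragmented payload: $low bytes -> path MTU $mtu"

# Apply it persistently, exactly as the manual fix does, but with the measured value.
netsh interface ipv4 set subinterface "$Interface" mtu=$mtu store=persistent
netsh interface ipv4 show subinterfaces
```

If every probe fails (the host blocks ICMP, say), the search collapses to the 576-byte floor, so check the printed value before trusting the result; on a healthy path you should see 1500, and the symptom in the post corresponds to something noticeably lower.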

Microsoft show off new Office distribution system

Unbeknownst to many, it seems, Microsoft are pushing a new referrals scheme for preinstalled Office 2007s. The “highlights”:

  • OEMs can ship a disabled version of Office 2007 on every computer that they ship;
  • customers can buy a license – potentially online – and put it into their computer, to activate the dormant suite;
  • customers can purchase any version of Office: more basic versions come with the free trial of the full versions, too;
  • OEMs get a referral fee every time a customer of theirs activates Office.

You can see these new types of licences by looking at your usual web store. You don’t get install media or anything; you just get a number to type into your PC.

From the point of view of the customer, there are some downsides: in particular, if you lose your original hard drive, it sounds like you’re going to be quite screwed. You’ve lost your pre-install of Office, and presumably you’re going to have to pay for media from somewhere, assuming you can even reinstall it. Of course, if you’re the usual OEM customer, you’ve lost your entire operating system recovery partition too, so perhaps the loss of the Office suite seems minor in comparison.

From the point of view of free software, this is a worrying development. People often underestimate Microsoft, and the common refrain heard is “How can you compete with a free product?!”. It seems Microsoft have found a solution: you give people financial incentives to spread it around as far as possible.

Not only does it mean that Office will be much easier to install – after all, OpenOffice.org is a 110Mb download, and even in this age of broadband that’s still a fair amount of effort – but it means that OEMs will be doing post-sales work: they can still make money from customers who choose to “upgrade”. That’s going to be very difficult to compete with.

Is this bundling? Technically, I suspect it’s not: it’s just a very attractive offer. In reality though, it’s extremely similar, and the effect is just the same. And a rose by any other name …