Gilles Gravier's rants about things in general... security, open source, privacy, java, music... in particular.
Microsoft's unremovable add-on to Firefox
See, this is why I think we should all be extremely careful when it comes to using Microsoft software.
Recently, one of the Windows updates resulted in an add-on being, well, added, to Firefox. This happened with the Microsoft .NET Framework 3.5 Service Pack 1 update, pushed through the Windows Update service to all recent editions of Windows in February 2009.
First, I'm really upset that this didn't ask my permission to add the Firefox add-on. That alone is enough to break whatever confidence I had left in that company's way of dealing with users' property.
Second, when I realized what was going on, and that there was a significant security risk to that add-on, I decided to remove it. Unfortunately, Microsoft decided that I'm not supposed to remove that add-on. Maybe they think they know better than me. As a result, the add-on's uninstall button is greyed out. The only way I found to remove it was to follow the instructions on Annoyances.org.
Just to make sure this is really clear, I'll repeat those instructions here:
Now repeat after me: "I don't trust Microsoft to want the best for my PC... ever. I am convinced that many more times in the future, they will resort to this kind of behavior and install code that poses a risk to my machine without asking me and making very sure I can't remove it easily".
If you have to use Microsoft software for specific tasks (I have to), be extremely careful with what they install on your machine without telling you.
If you want to be able to trust your machine, use an open source operating system such as OpenSolaris or one of the Linux variants (I like Ubuntu). But don't even start thinking you can trust Microsoft with your machine. They just proved to the world it's a trust incorrectly placed.
And while you're at it, ditch MS Office... go for OpenOffice.org. You're better off from a security perspective... and already all set to send and work with documents that all major governments are starting to define as their standard format.
Posted at 09:16PM Jun 08, 2009 by gravax in Security | Comments[0]
HADOPI - Now what do we do?
Of course, we keep fighting!
First, the process is not over yet... and many steps remain. It is clear that this law is bad. It ignores a good part of the existing download and sharing mechanisms. It also forgets that most modern P2P tools are getting (or already have) concealment (cryptography) and anonymisation (Tor, or I2P) features...
Moreover, it stigmatises a protocol (BitTorrent) that has entirely legitimate uses in industry (Sun Microsystems distributes its OpenSolaris and OpenOffice.org software via BitTorrent to achieve major bandwidth savings).
Finally, it puts France at odds with European legislation. On that subject, I wonder whether it would be possible for an association, say, for example, APRIL (Frédéric, are you reading this?), to set up a structure (lawyers, advice, maybe even funding) so that an Internet user "punished" by HADOPI could simply fill in a form and be given assistance and a simplified procedure to bring a complaint directly to the European authorities...
So? What will be the next step in fighting this useless, retrograde, archaic and unjust law?
Posted at 04:21PM May 13, 2009 by gravax in Music | Comments[0]
Why closed, proprietary platforms are to be avoided... whenever possible!
Those who know me know I am very much against Apple's commercial behavior. With the iPod, they sell a closed, proprietary platform, which is bad enough, but they also completely control what you can put on it.
The following article explains what happened to an author who wrote a nice application, and, after some updates of it, saw it banned from the Apple Store.
Apple basically has the right of life or death over the software you write for their platform. Even if they don't really understand what it does (the article explains why this is the case)...
Of course, you can always jailbreak your phone (which I recommend anybody stuck with an iPhone do as soon as they can) but this voids the warranty, and some may not like it...
I chose a phone with a truly open platform: Symbian OS. Open Source. Easy to write code for. And anybody can install what they want on the phone. And it's stable! Ditch your closed phone platform. Get one that is designed with 21st century principles!
Posted at 09:07PM May 12, 2009 by gravax in Opensource | Comments[6]
Building aMSN with audio and video on OpenSolaris - piece of cake!
I got tired of not being able to use webcam and audio with my friends on OpenSolaris... so I decided to tackle the problem. Blastwave's version of aMSN was very old... so there was no other option... get it myself and build it.
Turned out to be trivial...
Get the sources from http://www.amsn-project.net/ and then ./configure, then gmake, then pfexec gmake install (my OpenSolaris box already has GCC and the GNU tool chain installed). Same as for any GNU/Linux source code out there.
First thing that happens when you run it is that it tells you it wants TLS to log in... so you install the SUNWtcltls package from the OpenSolaris repository with Package Manager... and in the advanced preferences tab, specify that TLS is at /usr/lib/tcl8.4/tls1.6 ... and voila... you can log in.
Of course, next thing is that there is no audio... so you figure out it wants Snack, the audio library for Tcl... well, that too is available from the OpenSolaris repository through Package Manager. Just install SUNWsnack and restart aMSN. Then you can configure audio (preferences -> advanced) to use Snack...
For the webcam, it's even simpler. OpenSolaris includes a USB Video Class driver with a Video4Linux2-style interface, so plug in a high-end UVC webcam and aMSN directly supports it! Just go to the preferences->others menu in aMSN and edit the audio and video settings!
I love it when things just work!
Posted at 11:50PM Apr 26, 2009 by gravax in Opensource | Comments[0]
My first conference call with OpenSolaris's VoIP application!
Today I was scheduled to be on a conference call. I decided to be a geek and try Ekiga on OpenSolaris. It ships by default. Well, you have to install it from the default repository. It's just not called Ekiga, but Video Conference...
I started it. Gave it my Ekiga and FreePhonie account details (FreePhonie comes from my ISP and gives me SIP telephony for free to land lines all over Europe and other major countries around the planet). Once the details were entered, I dialed the toll free number from Ekiga and voila!
Speaker sound was perfect. Microphone sucks on my Toshiba Tecra M2. Next time I'll test the fancy Logitech USB headset!
I love it when "technology-just-works"!
Posted at 05:00PM Apr 14, 2009 by gravax in Opensource | Comments[0]
15 minutes vs 90 minutes?
Hello!
Today we're not comparing lover performances around the globe... and certainly not from a Frenchman's perspective.
90 minutes is the average time spent per day by a smoker during an 8H work shift (as presented here).
15 minutes is the average time spent per day by a Facebook user. (Just heard this today listening to France Info, the French information radio, while driving to work.)
Now the strange thing is that some companies (definitely anchored in the long gone 20th century) block access to some social networking sites... but still let people take a walk out of the office to smoke a cig. Now while I don't smoke, I'm not suggesting companies stop letting their employees take a lung-destructive break... I'm more looking at it the other way.
Social networks (like Facebook) are becoming a part of life. Heck, they're becoming a part of work too! Here at Sun, we encourage our employees to use Facebook. We even use it professionally to communicate with our developer communities, and our customer communities.
What the retrograde companies are failing to see is that a whole bunch of brilliant students are coming out of university. And they've been used to staying in touch with their colleagues and peer bright minds through these networks. They won't give up that link easily. They will look for companies that let them stay in touch with their fellow alumni. Employers who fail to realize that will be missing out on the brightest minds, and their competitiveness will be lessened.
It's time to shift to the 21st century, people! Social networks are a fact! Your employees use them. They will spend some time on them. And it will make them more connected, more productive, more efficient. Don't fight it. Embrace it. In the end, digging your heels in the ground won't help. It will slow you down... your competition isn't slowing down.
Posted at 10:50AM Mar 11, 2009 by gravax in General | Comments[1]
Sun and appGATE in Government Webinar on March 12th!
We're going to be doing a webinar with our partner appGATE!
If you are interested in securing remote accesses to applications and data in government, read below... and plan to attend!
The world is changing and so is how we work. Technology has provided great opportunities to take traditional desk jobs into the field to be more efficient and effective. The challenge lies in how to develop a secure, unified approach to managing an IT infrastructure with so many access points.
Today's Government agencies need to provide secure communication between different regions. Information of all government agencies, civilian, intelligence and defense, must be absolutely protected. But implementing it may be harder than it seems.
Join industry leaders from The 451 Group, Sun Microsystems, and AppGate Network Security for this informative web event and you will learn:
• The driving factors behind a growing mobile workforce in government
• The benefits - and pitfalls - of solutions on the market today
• Successful methods of protecting government services from unauthorized access, regardless of device
March 12 at 8:00am PT
If you have any questions or feedback, please send a message to GEH-webrequests@sun.com.
Posted at 12:15PM Feb 25, 2009 by gravax in General | Comments[0]
appGATE Free Edition is out!
Finally it's there! appGATE has just released their new Free Edition of their Security Server. The general idea is that you can download a virtualized version of it, run it in VMware (hopefully soon VirtualBox). You just need to go to appGATE's web site, apply for a free license, download the image, and off you go.
While this isn't open source... it's using a similar business model. You get the basics for free... you can then decide if you want / need (paying) support. Of course there is a limitation in terms of number of users... but, should you need more, you probably will want a fully scalable appliance version of the product, in which case you'll be happy to purchase it pre-bundled and configured for you. That's added value that you'll appreciate.
appGATE is doing the right thing. In these times of economic difficulties, they are making their product available for free to small enterprises as well as anybody who wants to do a small pilot... and that will let people discover the benefits of remotely accessing corporate data and applications.
You know what's even nicer about all this? It's based on OpenSolaris, our very own open source operating system. And, I think, the world's most secure general purpose operating system. You can, of course, if you want something a bit less bleeding edge, and you need the certification, get the appliance on Solaris 10 which has undergone Common Criteria EAL4+ certification. And since the actual appGATE security server is EAL2+ certified, you get pretty much state of the art security, with certifications to prove it.
Way to go!
Posted at 12:09PM Feb 23, 2009 by gravax in Security | Comments[1]
Solving the governmental secure SOA jigsaw puzzle with soda...
With the growing requirements for more and more complex services to be offered to citizens, and also the ever increasing requirements for integrated internal processes (like integrated tax systems, for example), governments around the world are being faced with what I call the secure SOA jigsaw puzzle syndrome. (That is, of course, if one believes that SOA is still a relevant term... It seems some people, and not the least of them, think we need to shift away from the SOA terminology...)
How do you mash up multiple services that have been provided by different vendors? How do you ensure that this mashup remains secure. You might trust one of the vendors more than another. How do you prevent the code running on one of the services from turning rogue and doing a bit more than you expected on your network? How do you ensure that there is no data leak between services, either through the services infrastructure itself, or at the user point of view?
Your typical solution to the problem becomes very complicated as you have to go through all kinds of network topology hoops to separate your different service providers, and even doing that, at the point of user interaction, it still is very hard to prevent a state revenue service worker from accessing a citizen's tax records and then copy/pasting it to a web-mail connected to the internet.
I'm currently designing an architecture that is aimed at solving these issues in a very elegant way. We call it SODA, or, to be precise, S3ODA for Secure Shared Services Open Delivery Architecture.
The idea is very simple. Solaris 10 and OpenSolaris both share a common feature called Trusted Extensions (TX, as we call them, between friends). With TX you can assign a label to each workload: you can think in military terms, with labels like Confidential, Secret, Top Secret... but also without hierarchy, with labels named after services, like ServiceA, ServiceB, ServiceC.
You basically assign a label to each service component you are going to plug into your services architecture. Either the service runs on a Solaris system, in which case you enable TX on that system and run the service inside the corresponding label, or, if the service isn't running on Solaris, you proxy it behind a Solaris + TX server which enforces the labeling, or you use a network environment supporting CIPSO labels and map your service to the corresponding label.
On the service switch side, the magic resides in implementing your ESB stacked inside a multi-label Solaris system. You create one label per service, and you have one instance of the ESB per label running on the Solaris machine. And behind that, you implement, as part of your policy engine, the rules that enable the different labels to communicate only when the application workflow mandates it.
That way, service A components can only talk to service B components when they are allowed to. At any other time, since they are running at different labels, the network infrastructure (CIPSO or Solaris TX servers) does not allow different labels to intercommunicate, and the ESBs can't communicate with each other unless it's time in the application workflow and the Solaris TX switch server opens up the communication for that specific task. This takes care of the information leaks from the services infrastructure side of things...
Now how do you handle the prevention of data leaks at the user point of interaction? Sun has been developing (initially for defense customers, but it's really usable by everybody) an environment called SNAP, for Secure Network Access Platform. The general idea behind SNAP is that you implement a Sun Ray server on top of Solaris and Trusted Extensions. Sun Ray clients are very slick devices. They are thin clients, with absolutely zero state, no hard disk, and minimal information in flash (basically just enough to boot using BOOTP/DHCP on a network and then figure out from there how to load their software and start being useful). The advantage is that since there is no local storage, theft of a device brings no data theft... and is also useless, as a Sun Ray without the Sun Ray server behind it is pretty much a paperweight.
Now once you have the proper server infrastructure, they are very very useful. And if you use SNAP, what happens is that on your terminal, each window you see on the screen operates at a specific security label. Yes, the same as the ones on the network and services switch. What happens then is that it is not possible to copy/paste between windows that don't share the same label (or, in defense environments, you can't paste from a high security level to a low one - you can't declassify). So here is what you do. Your tax worker can be accessing tax records of celebrities, but that person has no possibility to copy from the tax application window to, say, a web browser that might be open elsewhere to enable him to do background checks... impossible to take the tax data and paste it in the browser. But the system may have a rule in place enabling pasting from the browser to the tax application in order to keep track of things like pictures of expensive houses used to justify that tax was maybe under declared by the celebrity...
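As an added example (this is not Trusted Extensions code and not from the original post), here is a small Python model of the rules the service-switch and SNAP paragraphs above describe: a label is a hierarchical classification plus a set of non-hierarchical compartments, information may only flow to a label that dominates the source, two service compartments at the same level are incomparable so they cannot talk, the TX switch opens one cross-label path only for the workflow step that needs it, and the same rule decides whether a paste between two desktop windows is allowed. The classification names, the ServiceA/ServiceB/Tax compartments and the single workflow rule are assumptions made for the example.

```python
"""Toy model of label-based separation: a dominance lattice, a per-step
workflow exception for the ESB, and the copy/paste check on the desktop.
Labels, compartments and the workflow rule are assumptions for this example;
this is not Trusted Extensions code."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

# Hierarchical part of the label, lowest to highest (example ordering).
CLASSIFICATIONS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: at least as high a classification and a superset of
        the other's compartments. Two labels can be incomparable."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and other.compartments <= self.compartments)


def flow_allowed(src: Label, dst: Label) -> bool:
    """Data may move from src to dst only if dst dominates src:
    never down, and never sideways between incomparable labels."""
    return dst.dominates(src)


# A workflow rule (from_label, to_label, step): the TX switch opens this one
# path only while the named step of the application workflow is running.
Rule = Tuple[Label, Label, str]


def esb_may_talk(src: Label, dst: Label, step: str, rules: Iterable[Rule]) -> bool:
    """Service-to-service traffic between ESB instances: allowed by the
    lattice, or explicitly opened for this workflow step (and that step only)."""
    if flow_allowed(src, dst):
        return True
    return any(r_src == src and r_dst == dst and r_step == step
               for r_src, r_dst, r_step in rules)


def paste_allowed(src_window: Label, dst_window: Label) -> bool:
    """Desktop side (SNAP): a paste between windows follows the same rule, so
    a tax record never reaches a lower-labelled browser window."""
    return flow_allowed(src_window, dst_window)


# Service components run as non-hierarchical compartments at one level.
SERVICE_A = Label("CONFIDENTIAL", frozenset({"ServiceA"}))
SERVICE_B = Label("CONFIDENTIAL", frozenset({"ServiceB"}))
WORKFLOW = [(SERVICE_A, SERVICE_B, "forward-claim")]   # assumed step name

# User-facing windows from the tax example.
TAX_WINDOW = Label("CONFIDENTIAL", frozenset({"Tax"}))
BROWSER_WINDOW = Label("PUBLIC")

if __name__ == "__main__":
    print("A->B outside workflow:", esb_may_talk(SERVICE_A, SERVICE_B, "idle", WORKFLOW))           # False
    print("A->B during step:     ", esb_may_talk(SERVICE_A, SERVICE_B, "forward-claim", WORKFLOW))  # True
    print("tax -> browser paste: ", paste_allowed(TAX_WINDOW, BROWSER_WINDOW))                      # False
    print("browser -> tax paste: ", paste_allowed(BROWSER_WINDOW, TAX_WINDOW))                      # True
```

Note that the workflow exception is directional and step-scoped: the rule lets ServiceA push to ServiceB during "forward-claim" but says nothing about the reverse direction or any other step, which is the property the real TX switch has to enforce.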
Do you want to know more about this architecture? Send an e-mail!
Posted at 11:33AM Feb 23, 2009 by gravax in Government | Comments[0]
Jet lag and appGATE
I arrived yesterday in the SF Bay Area for a week of meetings and this is the first night. Jet lag just hit at its strongest and weirdest as I woke up at 2:15 this morning fresh out of a dream that (since I woke up during it) I remember in every vivid (and strange) detail.
So in my dream, I was with a friend who is the IT director of the Grande Chartreuse monastery in France, a beautiful place near Grenoble where they make one of my all (adult) time favorite drinks: La Chartreuse. Now this is strange as I have no friend who works in, or for, a monastery... But if I had, it would probably be one working right there.
So what was I doing in my dream? Well, we were home, and he was asking me (thus adhering to the oh-so-common tradition around me: "Hey, Gilles, you work in computer security, can you give me some ideas about what I'm trying to do?") how to enable the monks of the monastery who are travelling around the globe (I don't even know if the Carthusian monks actually do so) to securely access their internal network.
And so, in my dream, I had brought him up to my work room and was explaining, using drawings on the big whiteboard, how appGATE Security Server enables roaming users to identify themselves, and have their role and its current implications in terms of access to applications and data checked by Sun's Identity Management suite, so that the system knows that, while they are travelling, they are currently in service and so have access to all their applications (albeit in a potentially limited fashion due to the remote location or constrained device), or maybe that they are travelling and not in service, and so only have access to a subset of features (like just e-mail). I was showing how only one port needs to be open on the appGATE security server (usually port 22 for SSH), and that there is never direct contact from the outside of the network to the inside, but rather that the security server offers a relay to a view on what specific tasks and resources are allowed given the user's current context.
I had also told him that this was secure enough to be used by defense, government, banks and other very sensitive customers worldwide and that this was a very cool company as their stuff was running on Sun hardware, and about how the roaming features allowed the underlying network variations to be abstracted from the applications by the appGATE client on the device.
And then I woke up. 2:15 AM, in my usual hotel in Newark... So here I am writing about this. Yes, there would have been many more things to say about the Sun / appGATE partnership, about how appGATE's solutions perfectly complement Sun's own Secure Global Desktop offering when roaming is key and how appGATE is packaged through Sun's CRS service in the form of easy to order, and use, appliances... but it was just a dream, so limited in time and scope.
And talking about time... it's about time I got back to bed and tried to get back on track to California time. This week will be a long week, and unfortunately, I don't know if, or where, I'll be able to sip a glass of delicious Chartreuse. One more thing to look forward to when I get back home to my lovely family.
Posted at 12:01PM Feb 01, 2009 by gravax in Security | Comments[0]
Remotely connecting to a Solaris machine... with security, minimal fuss and stuff!
I figured (OK... it was suggested to me by Karim Berrah who runs the CHOSUG Wiki) that others might be interested in knowing how I remotely connect to my favorite OpenSolaris machines.
It's actually very simple... all the tools are there for you!
The basic protocol that we will be using is called VNC. OpenSolaris comes with 2 different VNC servers.
The first one is the traditional "vncserver" process, which you can start manually, specifying a resolution with "-geometry XxY" and a virtual display number with ":X". E.g. "vncserver -geometry 1024x768 :2". The first time you use vncserver it will ask you to specify a password to protect the connection to your system. (You can change it later with "vncpasswd".) If you don't do anything special, the session starts with twm as the window manager. You can edit the .vnc/xstartup file and change the "twm &" line to start some other window manager if you want. But twm is very lightweight. You can kill the vnc server by using "vncserver -kill :X" where X is the same number you used to start the server. You can run multiple vncservers...
The second means comes bundled with GNOME, and is done using vino, which is the GNOME vnc server. It is embedded with GNOME and starts when you start your session. You first configure and enable it with the command vino-preferences (or through the menus System->Preferences->Desktop Sharing). Allow users to view and control your desktop... and very important, set a password! Current build of OpenSolaris has an "Advanced" tab there that offers additional options. Have a look. Note that since vino is sharing your GNOME display it is automatically set to number :0.
To connect to your machine from remote, there are 2 ways. The "fat" way by using the native VNC client "vncviewer :X" where X is the number you defined when starting vncserver or, for vino, :0.
You will be prompted for the password you specified.
Vino is interesting as, since it's integrated with GNOME, it offers full DBus integration... but has the drawback of being fixed to :0... and requiring the GNOME session to be started on the machine by logging in... whereas vncserver can be remotely started from a shell and doesn't require the user to be logged in, but doesn't offer that full GNOME integration.
VNC traditionally uses 2 ports to work.
One is the normal VNC protocol port and is 5900+X (where X is the number you chose when launching vncserver)... so 5900 for vino and (in my example when I used :2) 5902. This needs to be tunneled if you are going to go through a NAT router.
The second port is 5800+X (same rules for X)... and that's the Java client for VNC. This is the light way of accessing it. If your server is, say, :0 (case of vino) just open a browser to http://yourhost:5800/ and it will start a Java vncviewer directly to port 5900. VINO comes with the Java client by default. vncserver doesn't (you have to manually add -httpd to the vncserver command - i.e. vncserver -httpd -geometry 800x600 :2). This Java solution is nice as it doesn't require a local vncviewer client... can be run from any modern browser with a Java VM installed.
Here is an added bit of magic... I don't like to run VNC over a cleartext network connection. Vino supports encryption, but not all clients do. So what I do is that I don't open 5800+X and 5900+X on my NAT router. Instead I open port 22 and SSH to my server, and through SSH I tunnel ports 5800+X and 5900+X. And from my client machine I run "vncviewer localhost:5900+X". This is now tunneled through SSH from my client machine to the actual server.
My favorite application to do this SSH magic is AppGate's MindTerm. It's a free (for personal and small business use) Java SSH client. It's a jar file that can be run as an application or hosted as a Java applet (I have the application on my OpenSolaris laptop, but the applet served from the web server on my home network so that it's always available to me wherever I am coming from). When you launch it, you specify which machine you want to connect to. You do the login... and then Tunnels->Setup and select "Add". Since I have vino on my local laptop, I can't use local port 5900... so I forward 5901 to the remote "localhost" 5900 (since the remote server is also running vino on :0). This is done by selecting
- Type : local
- Bind address : localhost
- Bind port : 5901
- Dest address : localhost
- Dest port : 5900
And then clicking OK. Voila. You can then run "vncviewer :1" from a terminal and it will connect to vino (:0) on the remote machine, tunneled through SSH.
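The tunnel above as an OpenSSH command line, plus the check I would run on the server before trusting the setup: that no VNC or applet port is listening on anything but loopback (if it is, it must at least stay closed on the NAT router). This is an added Python example, not MindTerm's, vino's or the post's own code. The netstat lines are constructed for the example, user@home.example is a placeholder, and the display numbers come from the caller.

```python
"""Build the OpenSSH equivalent of the MindTerm local forward, pick a local
display that does not collide with the laptop's own vino, and scan a
netstat listing for VNC listeners reachable from outside. Host name and the
netstat sample are assumptions for this example."""
import re
from typing import Iterable, List, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Matches a LISTEN line from Solaris "netstat -an" ("*.5900  *.* ... LISTEN")
# or Linux ("tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN"); group 1 is the local address.
LISTEN_RE = re.compile(r"^\s*(?:tcp6?\s+\d+\s+\d+\s+)?(\S+)\s+\S+.*\bLISTEN\b")


def vnc_port(display: int) -> int:
    """RFB port for display :N (5900 for vino's :0)."""
    return 5900 + display


def http_port(display: int) -> int:
    """Port serving the Java viewer page for display :N."""
    return 5800 + display


def split_addr(addr: str) -> Tuple[str, int]:
    """'127.0.0.1.5901' or '*.5900' (Solaris) and '0.0.0.0:5900' (Linux) -> (host, port)."""
    sep = ":" if ":" in addr else "."
    host, _, port = addr.rpartition(sep)
    return host, int(port)


def exposed_vnc_listeners(netstat_lines: Iterable[str]) -> List[Tuple[str, int]]:
    """VNC/applet ports (5800-5999) bound to something other than loopback.
    Anything returned here is reachable by whatever can reach the NIC, so it
    must stay closed on the NAT router and be reached only through the tunnel."""
    found = []
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        if not m:
            continue
        host, port = split_addr(m.group(1))
        if 5800 <= port < 6000 and host not in LOOPBACK:
            found.append((host, port))
    return found


def next_free_display(start: int, busy_ports: Iterable[int]) -> int:
    """First local display >= start whose RFB port is not already taken
    (the laptop's own vino holds :0, i.e. port 5900)."""
    busy = set(busy_ports)
    d = start
    while vnc_port(d) in busy:
        d += 1
    return d


def ssh_tunnel_argv(remote: str, local_display: int, remote_display: int) -> List[str]:
    """ssh command forwarding local :L to the remote's :R, RFB and applet ports.
    Binding to 127.0.0.1 keeps other hosts on the client's LAN off the tunnel;
    -N opens no remote shell, just the forwards."""
    argv = ["ssh", "-N"]
    for local, dest in ((vnc_port(local_display), vnc_port(remote_display)),
                        (http_port(local_display), http_port(remote_display))):
        argv += ["-L", f"127.0.0.1:{local}:localhost:{dest}"]
    return argv + [remote]


def viewer_target(local_display: int) -> str:
    """Argument for vncviewer once the tunnel is up."""
    return f"localhost:{local_display}"


# Constructed sample: vino on the server listening on all interfaces, a
# vncserver :1 bound to loopback only, and sshd.
SAMPLE_NETSTAT = """\
      *.22                 *.*                0      0 49152      0 LISTEN
      *.5900               *.*                0      0 49152      0 LISTEN
127.0.0.1.5901             *.*                0      0 49152      0 LISTEN
"""

if __name__ == "__main__":
    print("exposed:", exposed_vnc_listeners(SAMPLE_NETSTAT.splitlines()))  # [('*', 5900)]
    local = next_free_display(1, [5900])          # 1: only :0 is taken locally
    print(" ".join(ssh_tunnel_argv("user@home.example", local, 0)))
    print("vncviewer", viewer_target(local))
```

With the tunnel up, the viewer connects to localhost:1 (port 5901) and the RFB password still matters, since anything else on the client that can reach 127.0.0.1 can reach the forward.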
Have fun!
Gilles.
Posted at 11:38AM Dec 10, 2008 by gravax in Security | Comments[0]
Rockbandism... is it for Sun?
My friend Henriette Weber Andersen (she runs Toothless Tiger - if you're looking for a different kind of marketing, she's just what your company might need) just started a new idea. It's called Rockbandism (she puts an apostrophe in there - I prefer without). A new way to look at your company.
In these extremely hectic times ( the Chinese would say "interesting times" ) ... it's no more business as usual. It's time for changing the cards, turning the company around... 405 degrees. (the first 360 to confuse the competition, the next 45 so that you stay aligned with your corporate goals, but are ready to get there by taking angles).
Have a look at her blog entry on 24ways.org. 10 steps to move your company towards Rockband status.
You know what... maybe Sun should do more of that. Get today's startups hooked on OpenSolaris, JavaFX, OpenStorage, MySQL (OK, they're already hooked on that one), Glassfish... using means of communication that they relate to (like blogging - oh wait, we already do that) and turning them in ways that really appeals to them (i.e. not using blogs like institutional PR tools - ah, yeah... we seem to do that a lot these days).
Read Henriette's eBook at Toothless Tiger Press and make your own idea... and tell me what you think. Does that lady rock?
Posted at 12:24PM Dec 08, 2008 by gravax in General | Comments[0]
Chosing the right license in the open source world
So you are now ready to start creating a product. This product will contain software. Software you will write, or have already written, but possibly also third party software that you will bundle with your own code, and maybe some hardware.
You need to start thinking, very early on, about a crucial element when using software.
Licensing.
You may already have made the decision on whether your software will be commercial or free, closed source, or open source... but you need to look at licensing issues in at least 2 very important places, in particular if you plan to include open source software.
Many people tend to associate open source with only the freedom aspect it brings. But it also comes with a serious amount of obligations and responsibilities.
Selecting the right license is the work of licensing experts and lawyers. But I'll try to give some ideas on how to go about making reasonably good choices in this area.
First things first. The Open Source Initiative has a definition of what an open source license is. This definition is available at : http://www.opensource.org/docs/osd/. They also do the complex task of reviewing popular open source licenses and listing the ones that match the definition. This list is at : http://www.opensource.org/licenses/. It provides a basis for selecting licenses from, at least, a limited list.
So what is it that makes an open source license? Let me start by quoting the 10 points of the Open Source Definition mentioned above:
---
As you can see, that's a pretty strong definition. Lots of things that must be done, and lots that can't be done, if a license is to merit the qualification of open source.
Not everything can be called open source. Good thing there is a definition.
So. How do you pick the right license for you? What are the implications?
Well, there are 3 main types of licenses available to pick from.
Type A licenses, also referred to as "attribution licenses", are the ones with the fewest requirements. They allow unrestricted development of derived works. You can typically use type A licensed code in any way you like, embedding it into other applications with almost no constraints. Example type A licenses include the popular Apache license or the very simple, yet effective, BSD license (example from the FreeBSD project). One of my favorite ones (which I have yet to see used in common software) is the WTFPL, "Do What The Fuck You Want To Public License".
One of the aspects that I've noticed about type A licensed projects is that despite the fact that the license doesn't mandate that derived works should be submitted back to the original project, they tend to generate a strong community feeling in the user / developer community and people still do contribute back to the original source commons. Which goes to show that you don't have to force people to contribute for them to do so.
Type B licenses are the ones that are normally considered community fostering licenses. The point of these licenses is that when you take code from such a project, you have to contribute back to the project any change you make to files from the project. You are free to add any new file covered by any license you want (as long as that license of yours doesn't conflict with the normal licensing of the original project files), but any existing file that you change needs to be contributed back to the project if required. Example type B licenses include Sun's own Common Development and Distribution License (CDDL) which covers OpenSolaris.
Many developers use type B licenses when they want to embed some open source project (say, an operating system) into a bundle (could be an appliance) which is licensed differently. Doing so, they have to keep the original open source project with its license, and thus, with source code available, even if they do modifications in the project files. But they can add their own files, drivers, applications, glue and keep those licensed as they want (even, possibly, commercially licensed).
Finally, type C licenses which tend to be project fostering licenses, are such that like type B, any file you modify from the original source commons keeps the original license, but also, any file you add to the project inherits that project's license. These license inherently seek to propagate open source by, in a way, contaminating what they touch. They are often qualified as viral licenses. Should you bundle your own software with a type-B licensed project, your own software automatically gets contaminated and turned into a type-B licensed code for which you also will have to publish source code as defined in the original project's license. This is great when you want the project community to benefit from any derived works built upon that project. But it can also have the side effect that people using code from these projects are forced into publishing their own intellectual property. Examples of type C licenses include the universally known GNU General Public License (GPL) which is used for example for the Linux kernel. Anything tightly bundled with a Linux kernel has to be licensed under the GPL as well.
In order to make this contamination aspect less constraining, there is a derived license based on the GPL called the GNU Lesser General Public License (LGPL). It is possible to link software, through specific means, to an LGPL licensed project without that software being contaminated by the original license. This enables one to bundle an LGPL project with non-LGPL code and keep the licenses different for each part of the bundle. OpenOffice.org is licensed under the LGPL, enabling one to plug pieces of code into the proper APIs in OpenOffice.org while keeping these plugins licensed the way initially planned.
A typical example of unplanned contamination would be an appliance vendor that makes small consumer devices that sell in hundreds of thousands of units. In order to limit costs, they elect to use a standard chipset that provides the basic functionality directly, then they pick the operating environment to put on it. For cost and simplicity, they pick an embedded Linux platform. Then they develop their own code and glue: they write device drivers for custom hardware, they write a complete GUI that directly plugs into deeply embedded aspects of the operating system and device configuration, and they sell the whole thing as a consumer appliance. The problem comes when somebody figures out that it's Linux inside... and since Linux is covered by the GPL, that means that all the software that is deeply linked to the OS is also, necessarily, GPL. First of all, they have to make the whole source code available (as per the GPL, and any other open source license)... but worse, if they embedded other third party code, they can get into legal issues because that third party tool probably also must be made available under the GPL. It can get nasty, because they didn't consider the implications in advance.
On the other hand, sometimes you WANT to use a viral license like the GPL. Sun has published the OpenSPARC processor under the GPL exactly with that viral aspect in mind. We want other companies to build fancy, successful, commercial products based on the OpenSPARC processor. We want them to not only benefit from the R&D we did to come up with the OpenSPARC processors, but also to bring their own enhancements, and contribute back to us the good work they put into the processor. We want the next hot microcontroller based on OpenSPARC to benefit the whole OpenSPARC development effort.
So as you can see, there are several types of licenses, each with very distinct characteristics. Choosing one isn't something you do lightly.
In order to choose the right license for you, you must first decide what you want to do with your own project: whether you want to make it commercial or not, closed or open source. You also need to think about how you expect your users, and possible developers down the line, might want to use or reuse your code in their own projects.
Then, if you are going to bundle your code with third party code, you must carefully examine the license you want for your code, and the available third party projects that fit your requirements and their own licenses. Make sure the one you pick has a license that is compatible with your selected license to avoid legal issues down the line.
As you see, choosing proper open source licenses (in products you will use, as well as in products you will develop) is not necessarily an easy task. Following the above guidelines will help you get a general idea. But probably the best single piece of advice is to talk to a lawyer specialized in software licensing. They will help you pick the license that is best for the model you have in mind for your product. Also, organizations like the FSF run licensing workshops. For example, the FSF Europe is running a 'Licensing questions and other legal issues' workshop in Zurich, Switzerland on October 17th, 2008. There may be others in your region to choose from.
Posted at 07:03PM Jul 23, 2008 by gravax in Opensource | Comments[1]
Why high definition DVDs are good for privacy and security...
So here's the situation... nowadays, when crossing border control, and in particular when entering the US of A, you may be asked to turn over your laptop and other electronic devices to border control officers who, fearful of terrorists crossing their border, will want to search your corporate data for any kind of document that may prove you are on your way to planning something nasty.
Bruce Schneier has commented many times on how you should prepare your laptops, cell phones, and other devices so that when seized, nothing bad happens.
There is one additional option that he doesn't mention (yet), but that I think will become more and more feasible given where the media industry is taking us.
Take a movie. Yes, one that you rightfully own, of course. Convert it into a Divx (you bought the movie, you should be able to view it on the player of your choice). Actually, my friend Darren Moffat suggests even better: take a personal home movie that you made with your own camcorder, so that there are no issues whatsoever about fair use or alternate formats... you made the movie, it's yours to do what you want with it. If it's a normal movie, you get an 800MB file... that's small... but if you take an average HD-DVD (R.I.P.) or BluRay movie, then you get a multi-gigabyte file. That's much better...
What can one do with a multi-GB file of seemingly random bytes? Well, you can tweak the low-order bits to hide data inside it. That's called steganography. And with multiple gigabytes of storage to start with, you can store a whole lot of useful information.
Suddenly, that 32 GB SDHC card you just bought can be used to watch a movie on the plane all while carrying your sensitive personal or corporate data. And all in perfect deniability. "Mr Officer, this is just a Divx which I've been watching on the plane during the flight where they had very boring movies scheduled. Here, let me show you that movie." and you go on to play it in your favorite (open source) media player to prove your case.
I love technology!
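To make the mechanism in the post concrete, here is an added example (not code from this blog or from any project it mentions) of least-significant-bit embedding and extraction over a constructed buffer of cover bytes, together with the chi-square "pairs of values" statistic that steganalysis tools compute to spot exactly this kind of embedding. Two caveats a practitioner should keep in mind: LSB tweaking only works on raw samples (uncompressed audio or pixel data), because flipping bits inside an entropy-coded Divx/MPEG-4 stream corrupts the video; and replacing LSBs leaves a statistical trace, which is why the payload should be encrypted first and why the deniability is weaker than the paragraph suggests. The cover data, payload, sizes and every function name below (`embed_lsb`, `extract_lsb`, `pov_chi_square`, `make_cover`, `demo`) are constructed for this example.

```python
import random


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least-significant bit of successive cover bytes.

    A 4-byte big-endian length prefix lets extract_lsb() know how many
    bytes to recover. This is the classic LSB-replacement scheme; it
    assumes raw samples, not an entropy-coded video stream.
    """
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError("cover holds %d bytes, payload needs %d"
                         % (len(cover) // 8, len(data)))
    stego = bytearray(cover)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):          # MSB of each byte first
            stego[pos] = (stego[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Reassemble the payload written by embed_lsb()."""
    def read(offset: int, count: int) -> bytes:
        out = bytearray()
        for k in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[offset + k * 8 + j] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)                     # payload starts after the 32 header bits


def pov_chi_square(buf: bytes) -> float:
    """Westfeld-Pfitzmann 'pairs of values' chi-square statistic.

    LSB replacement with uniformly random (e.g. encrypted) data drives the
    counts of each value pair (2k, 2k+1) toward equality, so the chi-square
    distance between the two counts collapses to roughly the number of
    pairs. Natural cover data has unequal pairs and a much larger value.
    """
    hist = [0] * 256
    for b in buf:
        hist[b] += 1
    stat = 0.0
    for k in range(128):
        n_even, n_odd = hist[2 * k], hist[2 * k + 1]
        expected = (n_even + n_odd) / 2.0
        if expected > 0:
            stat += ((n_even - expected) ** 2 + (n_odd - expected) ** 2) / expected
    return stat


def make_cover(n: int, seed: int = 1) -> bytes:
    """Constructed stand-in for raw media samples: the LSB is 1 only about
    10% of the time, so the (2k, 2k+1) pairs are clearly unbalanced."""
    rng = random.Random(seed)
    return bytes((rng.randrange(128) << 1) | (1 if rng.random() < 0.1 else 0)
                 for _ in range(n))


def demo():
    """Embed a pseudo-random payload (standing in for ciphertext) that fills the
    whole cover, then return the chi-square statistic before and after."""
    cover = make_cover(8000)
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(996))   # 996 + 4 header = 1000 bytes = 8000 bits
    stego = embed_lsb(cover, payload)
    if extract_lsb(stego) != payload:
        raise RuntimeError("round trip failed")
    return pov_chi_square(cover), pov_chi_square(stego)


if __name__ == "__main__":
    before, after = demo()
    print("pairs-of-values chi-square: cover %.0f, stego %.0f" % (before, after))
```

Running `demo()` shows the statistic dropping by more than an order of magnitude once the LSBs are replaced, which is the signal a border-control forensics tool would look for; a defender evaluating "deniable" storage should assume that check, or a stronger one, is available to the examiner.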
Posted at 10:59AM Jun 17, 2008 by gravax in Security | Comments[0]
OpenJDK 6 in Ubuntu Hardy!
So yesterday I had a very nice surprise. I moved my old home server from NetBSD (had been running that OS faithfully for the past 7 years - through a few hardware updates - but I've been bitten too many times by pkgsrc updates that broke most of GNOME and required heavy sessions of recompiling individual stuff to fix for my own comfort) to Ubuntu Hardy (I've been using Ubuntu on other laptops for quite some time, since version 6.04).
Basically, I first copied the 550GB of data from the 750GB disk of the NetBSD machine (since Ubuntu can't read the NetBSD filesystem natively) through the network to a new 750GB disk plugged into an Ubuntu machine... That took over 24 hours... Yech. Then I installed Ubuntu on a 200GB SATA disk and put it with the new 750GB disk in the small server that had previously been running NetBSD.
My first two steps were installing SqueezeCenter (for my Logitech Squeezeboxen music streamers) and SwissCenter (for my Pinnacle Systems ShowCenter 200 media streamer), which required some fiddling around because of Hardy's new AppArmor security scheme, which messed up PHPMySQL... and Apache 2, which is new to me (the old NetBSD machine was running Apache 1.3)... I now have multimedia again at home.
Then I prepared the P2P downloading stuff... aMule and Azureus... And that's where the cool thing happened. First, Azureus is directly in the Ubuntu repositories... which is nice. Second, when I installed Azureus, it naturally added the dependencies, which, to my big surprise, include... OpenJDK 6! Very nicely done! Completely transparent.
(As a note to Azureus authors: because Azureus uses Eclipse's binary SWT for its GUI, it is not platform independent, which is stupid as it breaks one of the main advantages of using Java... so it wasn't available on NetBSD... which is why I got used to using the excellent (and lightweight) Transmission BitTorrent GTK+ client. And as such, I guess I will, finally, stick with Transmission also on Ubuntu...)
So automatically, now, on Ubuntu, when needed, OpenJDK 6 gets installed... I'm curious to see how the updates will take place through the Ubuntu update manager. And with what delay compared to the official updates to JDK 6 from Sun. But this is very very good news for the Ubuntu users community, and for the Java world in general. From now on, one can assume that the official JDK will be available in Linux... transparently... just like that, when needed.
Java. There, for you, when, and where you need it!
My next steps include getting Apache 2 fully working with all the relevant virtual domains that I used to host... and also getting the SAMBA file server up and running for the family users on the home LAN. A few more nights of hacking fun in perspective and I'm all set!
Again... thanks Sun and Ubuntu for having made OpenJDK 6 directly available, no hassle, in Ubuntu Linux (and others, as I understand)! A beginning of a new era... Microsoft won't ship Java by default in Windows... fine. Linux will. Guess who wins? 
Posted at 03:26PM Apr 30, 2008 by gravax in Opensource | Comments[8]