Friday, July 4, 2003
What I Would Like to Ask SCO
Is NSA's Security-Enhanced Linux also guilty of using SCO's code or derivatives thereof? If so, what is SCO planning on doing about it? And if Linux is truly a security hazard because of its international source distribution, wouldn't the NSA have noticed this back in 2001 when it released its own version of Linux? In short, is the NSA guilty of software piracy? Hmm... or is this all a joke? Or a redefining of the past? What? SCO has tried to portray Linux users as unpatriotic, hippie, music-downloading pirate equivalents, which as a Linux user myself I find offensive, but if it were true, what, then, is the NSA? They not only use it, they helped write it. Does that make them unpatriotic? That is for sure laughable. Pirates? Abusers of others' IP? Puh-lease.
Here is part of what the NSA says about Security-Enhanced Linux on its web site:
"The results of several previous research projects in this area have been incorporated in a security-enhanced Linux system. This version of Linux has a strong, flexible mandatory access control architecture incorporated into the major subsystems of the kernel. The system provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements. This allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications.
"Linux was chosen as the platform for this work because its growing success and open development environment provided an opportunity to demonstrate that this functionality can be successful in a mainstream operating system and, at the same time, contribute to the security of a widely used system. Additionally, the integration of these security research results into Linux may encourage additional operating system security research that may lead to additional improvement in system security."
Here is the NSA press release put out on January 2, 2001:
"NATIONAL SECURITY AGENCY SHARES SECURITY ENHANCEMENTS TO LINUX
"Recognizing the critical role of operating system security mechanisms in supporting security for critical and sensitive applications, National Security Agency (NSA) researchers have been investigating an operating system architecture that can provide the necessary security functionality in a manner that can meet the security needs of a wide range of computing environments. The NSA is pleased to announce that it has developed, and is making available to the public, a prototype version of a security-enhanced Linux system. The prototype includes enhancements to Linux that provide new, stronger protection against tampering and bypassing of application security mechanisms and greater limits on the damage that can be caused by malicious or flawed applications.
"The security mechanisms implemented in the system provide flexible support for a wide range of security policies. The currently implemented access controls are a combination of type enforcement and role-based access control. The specific policy enforced by the kernel is dictated by security policy configuration files which include type enforcement and role-based access control components. This release includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.
"Both the President's National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism and the President's Information Technology Advisory Committee have recently called for increasing the federal government's role as both user and contributor to open source software. "Open source software plays an increasingly important role in federal IT systems. I'm delighted the NSA's security experts are making this valuable contribution to the open source community," said Jeffery Hunker, Senior Director for Critical Infrastructure at the White House National Security Council.
"Since this system is a prototype, there is still much work to be done to develop a complete security solution. Anyone interested in experimenting with the system or getting more information about it, should visit the project web site at http://www.nsa.gov/selinux. This site contains the source to the system as well as some technical documentation about it.
"NSA is presenting this system under the terms of the GNU General Public License with the intention to work with the Linux community to refine these enhancements for eventual inclusion into Linux. The system is not intended to be a complete security solution for Linux, nor does it correct any flaws that may currently exist in Linux.
"The Information Assurance Research Office of the NSA is responsible for conducting research and advance development of technologies needed to enable the NSA to provide the Solutions, Products, and Services to achieve Information Assurance for information infrastructures critical to U.S. National Security interests. The security-enhanced Linux prototype was developed in conjunction with research partners from NAI Labs, Secure Computing Corporation (SCC), and MITRE Corporation. Researchers at the NSA implemented the security architecture in the major subsystems of the Linux kernel with some refinements provided by NAI Labs. SCC, MITRE, and NAI Labs also assisted the NSA in developing application security policies and enhanced utilities for the system."
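The release above describes the two access-control mechanisms SELinux combines, type enforcement and role-based access control, and says the kernel's decisions are dictated by policy configuration files. As an added illustration, not code from the NSA release or the SELinux project, here is a small Python model of that decision: a parser for a handful of rules written in a syntax loosely modelled on SELinux's `allow` and `role ... types` statements, and a checker that applies the RBAC test (may this role run in this domain?) followed by the type-enforcement test (is there an explicit allow rule for this operation?). The policy text, type names and contexts are constructed for the example; the point it makes is the one in the release, that access is denied by default regardless of which user owns the process, so a flawed or malicious application stays confined to what its domain is explicitly allowed.

```python
"""Toy model of an SELinux-style access decision: type enforcement (TE) plus
role-based access control (RBAC), driven by a textual policy.
Constructed example; not SELinux's policy compiler or kernel code."""
import re
from dataclasses import dataclass, field

# Constructed sample policy (illustrative; not the NSA's sample policy files).
SAMPLE_POLICY = """
# TE: which subject (domain) type may do which operations on which object type
allow httpd_t httpd_config_t : file { read getattr };
allow httpd_t httpd_log_t : file { append };
allow sshd_t shadow_t : file { read };
# RBAC: which roles are authorised to run in which domains
role system_r types httpd_t sshd_t;
role webadmin_r types httpd_t;
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;")
ROLE_RE = re.compile(r"role\s+(\w+)\s+types\s+([\w\s]+?)\s*;")


@dataclass
class Policy:
    # (subject_type, object_type, object_class) -> set of permitted operations
    allows: dict = field(default_factory=dict)
    # role -> set of domain types that role may run in
    roles: dict = field(default_factory=dict)


def parse_policy(text):
    """Parse allow/role statements; anything else is rejected loudly."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if m := ALLOW_RE.fullmatch(line):
            stype, ttype, tclass, perms = m.groups()
            policy.allows.setdefault((stype, ttype, tclass), set()).update(perms.split())
        elif m := ROLE_RE.fullmatch(line):
            role, types = m.groups()
            policy.roles.setdefault(role, set()).update(types.split())
        else:
            raise ValueError(f"unrecognised policy statement: {line!r}")
    return policy


def check_access(policy, subject_ctx, object_type, tclass, perm):
    """Decide whether a subject with context user:role:type may perform `perm`
    on an object of type `object_type` and class `tclass`.
    Returns (allowed, reason)."""
    user, role, stype = subject_ctx.split(":")
    # RBAC step: the role must authorise the domain the subject is running in.
    if stype not in policy.roles.get(role, set()):
        return False, f"role {role} is not authorised for domain {stype}"
    # TE step: default deny; only an explicit allow rule grants the operation.
    # Note the user field (even 'root') never enters the decision.
    granted = policy.allows.get((stype, object_type, tclass), set())
    if perm in granted:
        return True, f"allow {stype} {object_type}:{tclass} {perm}"
    return False, f"no allow rule for {stype} -> {object_type}:{tclass} {perm}"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for ctx, obj, perm in [
        ("system_u:system_r:httpd_t", "httpd_config_t", "read"),  # allowed
        ("root:system_r:httpd_t", "shadow_t", "read"),            # denied: no rule
        ("system_u:webadmin_r:sshd_t", "shadow_t", "read"),       # denied: role/domain
    ]:
        ok, why = check_access(policy, ctx, obj, "file", perm)
        print(f"{'ALLOW' if ok else 'DENY ':5} {ctx} -> {obj} {perm}: {why}")
```

The second case is the one the release is about: a web server running as root still cannot read the shadow file, because no rule for its domain says it may, and discretionary ownership plays no part in the decision.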
EEK. It's released under the GPL. Here's what it says on the FAQ page:
"What does your distribution include?" "Security-enhanced Linux includes patches to the Linux kernel and patches to a number of standard tools and utilities. It also includes a number of new utilities, support files, and documentation. By far the easiest way to build and install Security-enhanced Linux currently is to duplicate our source trees (lsm-2.4 and selinux) and follow the instructions in selinux/README. We have provided compressed archives of our source trees, as well as several ways to build it by acquiring only our modifications from our web site ( http://www.nsa.gov/selinux/ ). As time permits, we intend to create or modify the RPM spec files as appropriate and provide SRPM format files."
"Can I install Security-enhanced Linux on an existing Linux system?" "Yes. You actually need to have an existing Linux system. The Security-enhanced Linux distribution is source code for a modified Linux kernel and some utilities. You must have the ability to compile a kernel and also have necessary, but unmodified system packages. Our distribution is known to install on the Red Hat distribution, and has not been tested with others."
You can download it here after you read the disclaimers on the page. At least, the NSA page says you can. I assume they know whether their own product is legal or not. I am not advising you personally, because we are now in Alice-in-Wonderland upside-downness, where you can't be sure who is who and what is what any more.
Their "Linux 2.5 Kernel Summit Presentation on SELinux" is available in Postscript or PDF at the bottom of this page. I do believe 2.5 is a version of the kernel SCO claims is in question. So, what is the deal? Is the government itself guilty of misappropriation of SCO IP? Heavens to Betsy! If so, it must mean it's "Off with their heads!"
If the NSA didn't notice a problem, is Linus responsible for not noticing the same alleged problem? And who is the one responsible for policing its own IP in this picture? If SCO, as Caldera, for nearly a decade released under the GPL, wouldn't you think they would have done their own due diligence and noticed a problem back when it allegedly happened? It's not like the code was hidden away. Anyone could read it any time they liked. So, if SCO/Caldera didn't notice back then either, how can they sue others for not noticing?
I admit, my head is about to explode trying to parse out the logic of this mad hatter's tea party argument. But it seemed like these would be appropriate questions to ask on this July 4, 2003.
3:44:01 PM
Sayonara, Mr. McBride
McBride is reportedly flying to Japan to meet with some of the 8 Japanese firms that have just formed the CE Linux Forum (CELF). CELF members are Hitachi, Matsushita, NEC, Philips, Samsung, Sharp, Sony and Toshiba.
McBride, according to the EE Times, will show them the allegedly identical code snips. The news of the Japan trip apparently comes from SCO itself, because the article doesn't identify who exactly has agreed to look at the code. SCO says they are lining up in droves, but that is, as usual, SCO-speak, and it could be taken to mean that no specific meetings have yet been set up but discussions are under way, or that lots of companies are already set up, or SCO would rather not be specific as to how many. There is no way to really know from that sentence, and apparently the reporter either didn't ask for clarification or couldn't get it. I feel sure that if it was with all of them, the article would have said so.
Here's something interesting from the article:
"'It shows how entrenched Linux has become,' said Victor Yodaiken, CEO of FSMLabs Inc. (Socorro, N.M.), a maker of real-time software for Linux. 'These companies are not known as adventurers, and they wouldn't do this if they thought there would be legal repercussions. It's an endorsement of how irreplaceable Linux has become for them.'"
Maybe the FUD machine isn't in high gear yet in Japan. The rest of the article is contrapuntal remarks by analysts, the usual suspects, on one side, saying Linux people should be very worried, and CEOs of Linux companies and Jon Hall, on the other, on how SCO isn't stopping Linux from being adopted by major companies, as evidenced by CELF. The poor reporter seems unsure what to believe. Join the crowd, sir. Still, that's real progress. Confusion is better than flat-out FUD. At least when reporters are confused, they report both sides. That's an improvement over a FUD-spinner calling a reporter and having him or her just type up what they heard without even checking the other side, or even whether there is one. According to the article, McBride speaks Japanese fluently. Rats.
On his way back, he might want to make a stop in Canada, because the largest provider of property and casualty insurance there, ING Canada, just chose Linux, specifically IBM's eServer zSeries servers running Linux. Then he'd best make a quick hop to check on those pirates in Hollywood. They had the nerve to make the new movie Sinbad entirely on GNU/Linux.
And iT News says SCO will have a news conference on July 9 to announce what it sees as the solution, its next step in its licensing dreams. I can't see why a company would agree to a license before a court establishes whether or not SCO even has a claim, but you can always ask, I suppose. One thing SCO isn't lacking is chutzpah.
As for the German report on the GPL, which we posted on July 2, here is a translation, from mathfox, of the pertinent paragraph, which makes it very clear that what the report actually said is a lot different than what the media said it said. Ah, FUD! mathfox disclaims as follows, "It is from one foreign language to the other and I am not educated in law, so there's plenty of margin for error in the translation." Nevertheless, it's a lot clearer than the computer-generated version, so thank you, mathfox. Here is his translation of the top paragraph of page 21 (pdf page 13):
"On the contrary; one cannot conclude a general rejection of the GPL against unwritten fundamental rules of copyright law from this; because the Open Source movement uses the instruments provided by copyright law to reach a certain goal. Intellectual property law is used, contrary to its exclusion goals, to achieve the desired distribution. It is partly against the foundation and function of copyrights. Just as the practice of giving away things doesn't invalidate the concept of ownership, using the GPL doesn't invalidate the principles of intellectual property."
1:16:38 PM