Security tool bod's hell: People think I wrote code for Hacking Team!

A respected security researcher has denied any involvement with Hacking Team after open-source code he wrote was found in smartphone spyware sold by the surveillance-ware maker. Collin Mulliner works in SecLab at Northeastern University in Massachusetts, US, and is a regular at hacking conferences. He told The Register he's …

  1. Ilgaz

    not possible

    You can't discriminate any particular group, it is like free speech, you know some people should really shut up but you better fight for their right to speech.

    Open source is being used for both good and evil since the beginning.

    1. Destroy All Monsters

      Re: not possible

      Downvoted for stating facts? This is El Reg comment section.

      by definition

      > The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

      There may be a "non-snooping source license" but it WILL NOT be "open".

      1. FrankAlphaXII

        Re: not possible

        Creative Commons has something like this. CC-BY-NC.

        You spend a lot of time here, Destroy All Monsters, so you surely know about xkcd, whether you like Randall's artwork or not. He licenses his stuff under it, and his description of it is pretty good, you're free to use it and share it, but not sell it.

        Since Hacking Team were selling this guy's product, which they're free to do as long as they follow the terms of the GPL and include the source, he could license it under CC-BY-NC to prevent anyone from selling it. It might dissuade people from wanting to use your software in other projects, but it does prevent someone fucked up from selling your code at least.

      2. Vic

        Re: not possible

        > There may be a "non-snooping source license" but it WILL NOT be "open".

        More particularly, it will not be GPL-compatible. That precludes software so-licensed from being redistributed as part of a GPL-derived work.

        Vic.

    2. Flat Phillip

      Re: not possible

      During the times of creating the Debian Free Software Guidelines (DFSG) there was a lot of heated discussion around Fields of Endeavour. People were a little uncomfortable with Debian being used on.. certain things. The problem was those "certain things" varied from person to person. For some it could be genetic research, others it was military while there used to be licenses prohibiting software for CB radio (yes this last one actually existed).

      In the end, there seemed to be no sensible way of a) working out and agreeing what was universally the "bad thing" and b) having a sensible way of limiting it that could go into a license or the DFSG. Debian now has item #6 as a result.

      1. Sir Runcible Spoon

        Re: not possible

        Could he put in a clause that says that any use of the code for profit making ventures needs to obtain permission from the author, subject to being sued?

        1. Raumkraut

          Re: not possible

          > Could he put in a clause that says that any use of the code for profit making ventures needs to obtain permission from the author, subject to being sued?

          No. The GPL does not allow for any additional restrictions to be placed on the use of the software.

          This is the reason why GPL software is incompatible with the iOS app store - IIRC Apple limits the number of devices you can install on, etc. (yes, there is some otherwise GPL'd software on iOS, but they are generally using proprietary relicensing - ie. the version for iOS is not GPL'd).

  2. Anonymous Coward

    Easy...

    IAAL :-)

    A software licence (or any licence), can say whatever the licensor wants it to say (subject only to limited exceptions). So, by all means say, "I grant this licence under GPL [whatever version], but I expressly prohibit its use for any purposes related to surveillance by state or corporate bodies"...

    Alternatively, write your own license, describing in plain English what you do, and what you do not, allow and making your demands, e.g. proper credits, non-commercial use, payment of fees etc etc.

    1. Old Handle

      Re: Easy...

      You could, but then it wouldn't be "free software" and open source projects might not want to use it. So there's a definite downside.

    2. Destroy All Monsters

      Re: Easy...

      > I grant this licence under GPL [whatever version], but

      FALSE derived from premises. End of line.

    3. Vic

      Re: Easy...

      > IAAL :-)

      Oh dear.

      > So, by all means say, "I grant this licence under GPL [whatever version], but I expressly prohibit its use for any purposes related to surveillance by state or corporate bodies"...

      This is explicitly prohibited by the GPL; to do so would mean that the software is not GPL-compatible, meaning that it cannot be legally redistributed as part of a GPL-derived work. IOW, mentioning the GPL in such a work should be considered deliberately misleading.

      Vic.

  3. Anonymous Coward

    Enforcement?

    I'm sure it's easy enough to write a license (as the anon. lawyer above attests). But how in the hell do you enforce something like that?

    1. Mark 85

      Re: Enforcement?

      If you release any source code into the wild, how do you enforce usage and payment? How do you know? The answer is "you don't". You're relying on the integrity of those who use the code.

      Remember "shareware"? Great idea, great concept, but humans killed it because they didn't live up to the concept. Very few people, if any ever paid anything to an author.

      1. Michael Wojcik

        Re: Enforcement?

        > Very few people, if any ever paid anything to an author.

        A gross exaggeration. Quite a number of people have paid for shareware. I've paid for a number of packages myself, and I know others who have also done so. And shareware still exists, so it's hardly been "killed".

  4. Anonymous Coward

    if they used GPL code in their products...

    .. their products became GPL ones as well, thereby code should have been open sourced... oh well, it eventually happened...

    1. Captain DaFt

      Re: if they used GPL code in their products...

      Uh, nope. Only the GPL parts remain GPL. All the stuff they write themselves is under whatever license they want.

      If they made changes to the GPL parts, that they'd have to release.

      "The company acknowledges in its documentation that it is using his copyrighted software, includes his name and email address, and links to his website where the source code can be found."

      And this implies that they used the GPL'd code -as is-, and actually followed the GPL. Go figure.

      1. Anonymous Coward

        Re: if they used GPL code in their products...

        I suggest you read at least once the original text of the GPL fully - and try to understand it really and fully.

        GPL doesn't enforce copyright only - especially since its aim is copyleft instead - the aim of GPL is turning as much code as it can into GPL one - it's not the MPL.

        I know there are many developers who happily exploit GPL code in their non-GPL code, ignoring the GPL requirements. Only the LGPL, or an "aggregate", are exempt.

        So, if you're using GPL code in your non GPL code, there a big probability you're violating the license if you distribute it.

      2. Lyndon Hills 1

        Re: if they used GPL code in their products...

        I hope it was made clear to all the 'end-users' of their spyware, that if they wished to see the source code of the programs that were 'bugging' them, they need to visit the url below etc, etc.

        I believe this is normally a requirement if you distribute software containing GPL code. Quite a few consumer routers, for example, use GPL software and this is often referred to in the documentation, with a copy of the GPL on the accompanying CD.

      3. Vic

        Re: if they used GPL code in their products...

        > If they made changes to the GPL parts, that they'd have to release.

        Insufficient. If they made use of GPL software, they are obliged to release source on demand to all derived works - whether they modified it or not.

        Vic.

    2. Destroy All Monsters

      Re: if they used GPL code in their products...

      ...only if they are used towards customers. There is no requirement to open-source code used in-house only.

      1. Anonymous Coward

        Re: if they used GPL code in their products...

        Actually the boundary is "distribute or publish" - customers or not. Of course in-house use is not distributing or publishing. The matter is if HT used it internally only, or made available externally any work based on the GPL code.

    3. Flocke Kroes

      Re: if they used GPL code in their products...

      The magic word is 'linked' not 'used'. This is clearest for compiled languages. Compile various C source files to object files and link them. If any of the source files is GPL, then all of them must be GPL (or multiple licenses including GPL) in order for the result to be distributable. The same goes for linking (dynamic or static) to a GPL library.

      There are ways to use GPL and closed source software together. Ubuntu is an aggregation of GPL and code with other licenses. Simply distributing two programs on the same DVD does not prevent GPL and closed source from being sold at the same time. Communication via file descriptors is not linking. Although kernel modules and dynamic linking have much in common, closed source kernel modules are explicitly permitted (but sufficient reason for many penguins to buy something else rather than hardware that requires a closed source kernel module for its driver).

      1. Anonymous Coward

        Re: if they used GPL code in their products...

        Even if you manually copy portions of it - and you can, under the GPL - into your code you're still bound by the GPL terms. That's why I wrote "used" - there are many ways to use code.

        The GPL (v2) simply says "a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language". V3 is even more generic: "A “covered work” means either the unmodified Program or a work based on the Program."

      2. SImon Hobson

        Re: if they used GPL code in their products...

        > The same goes for linking (dynamic or static) to a GPL library.

        Wrong again, there sure is a lot of FUD around the GPL.

        Statically linking a library into your binary blob does mean that your whole blob must be under the GPL if any of the libraries is. That's not the case where they are dynamically linked (especially since most libraries are under the LGPL which specifically covers this).

        If you couldn't dynamically use a (L)GPL library without making your own code GPL then things would be incredibly restrictive - but they aren't.

        1. Anonymous Coward

          Re: if they used GPL code in their products...

          > Statically linking a library into your binary blob does mean that your whole blob must be under the GPL if any of the libraries is. That's not the case where they are dynamically linked

          Incorrect. If you link to a GPL'd library, either statically or dynamically, the combined work becomes subject to the GPL.

          If cross-license dynamic linking was permitted by the base GPL, then there would be absolutely no reason for the LGPL to exist, since the dynamic linking exception is pretty much the only difference.

          1. Anonymous Coward

            Re: if they used GPL code in their products...

            Also you could turn most GPL code into a DLL/shared object and use it without being bound by the GPL...

            I wonder how many people are using GPL code happily violating the licenses, consciously, or because plain ignorance of what the GPL actually is and requires...

        2. Vic

          Re: if they used GPL code in their products...

          > Statically linking a library into your binary blob does mean that your whole blob must be under the GPL if any of the libraries is

          Yes.

          > That's not the case where they are dynamically linked

          Yes it is. From the GPL FAQ:

          > Does the GPL have different requirements for statically vs dynamically linked modules with a covered work?
          >
          > No. Linking a GPL covered work statically or dynamically with other modules is making a combined work based on the GPL covered work. Thus, the terms and conditions of the GNU General Public License cover the whole combination.

          LGPL, obviously, has an explicit allowance for such linking.

          Vic.

    4. Vic

      Re: if they used GPL code in their products...

      > .. their products became GPL ones as well

      Only derived works. "Mere aggregations" are not covered.

      Vic.

  5. Nick Kew

    Free is Free

    Whoa! Just two weeks after posting this anecdote to El Reg[1], it seems I need to re-post the story of how I got associated with something unattractive, that I believe cost me dearly in terms of failing to get my business off the ground when Yahoo (the dominant gateway to the web by mindshare at the time) refused to list me.

    If you release something open source, you accept that anyone can use it. Including people you don't like. Is there an Islamic State website? If so then it surely uses someone's software, probably perfectly legally.

    I first released Open Source web software in the mid-90s. Keeping an eye on Infoseek and Altavista (this being before Google existed), I found my first user to mention the name (and hence show up in results) was the British National Party's website. Not something I'd have wished, but they had every right to use it: that's what being open source is all about. And indeed free speech, though I didn't check up on what contents might have been accessed through the software, nor indeed whether they moderated or otherwise censored public comment.

    [1] http://forums.theregister.co.uk/forum/1/2015/07/08/evil_nsa_runs_on_saintly_red_hat_enterprise_linux_apache/

  6. FrankAlphaXII

    It may sound stupid but...

    CC BY-NC would work for what he's after, it allows the source to be used freely, but with attribution and not at all in a commercial product. Since I don't think he's selling the code, it would stop for-profits from taking his code and selling it. CC was mostly designed for artwork, but there's no reason you couldn't use it for software that I can see anyway.

    I don't think FSF would think too highly of it, but really, who gives a shit about them if you're really that concerned and outraged about a for-profit that does some unethical shit using your tools in their software to make money.

    1. Vic

      Re: It may sound stupid but...

      > CC BY-NC would work for what he's after, it allows the source to be used freely, but with attribution and not at all in a commercial product.

      I don't think so. I didn't see any issues with it being in a commercial product - just a big deal about it being used in a snooping product.

      This is the thing with software freedom - you're free to use it for whatever you want, so long as you abide by the licence conditions. As soon as you start trying to define usage scopes, you're narrowing that freedom, and with the amount of inter-linked code currently available, you'd end up with an exclusion on pretty much everything. So we have the situation in force today: you cannot define usage scopes and remain GPL-compliant. And that's a good thing, even if there are certain groups I'd like to see having no access to any of this code - but they probably feel the same way about me.

      Vic.

  7. Pliny the Whiner

    Regrets, he's had a few

    Okay, Collin Mulliner, try this: "This software may not be used to violate the privacy of any person."

    Speaking of up-and-coming regrets, there's an 18-year-old dumbass named Austin Haughwout in Clinton, Connecticut. Yeah, kind of close to "Hogwart." In one of the original colonies, no less. Anyway, he designed an experimental drone that can fire what looks like a .22 caliber semiautomatic. I think it's fair to say that this Austin fellow is going to have regrets a lot sooner than Collin ever did.

    1. Donkey Molestor X

      Re: Regrets, he's had a few

      Why should he have regrets? He hasn't killed anybody with it. The CIA DOES kill people with drones and they don't regret it :)

  8. david 12

    I don't publish my actual name here...

    ...And for the last 15 years I haven't put my actual name on the credits of open source software either.

    1. Sir Runcible Spoon

      Re: I don't publish my actual name here...

      You're only saying that because you don't want people to look too closely at what happened to the other 11!

  9. Vic

    Did the code author really say that?

    > Hacking Team eventually used his tools and libraries in production, and are complying with the license, Mulliner said. The company acknowledges in its documentation that it is using his copyrighted software, includes his name and email address, and links to his website where the source code can be found.

    This is not GPL compliance!

    You can point at the upstream website for non-commercial distribution only. That's 3(c) in GPLv2. For commercial distribution, you're releasing under 3(a) or 3(b), and you need to supply your own copies.

    Vic.
