Hardened Linux stalwarts Grsecurity pull the pin after legal fight The gurus behind the popular and respected Linux kernel hardening effort Grsecurity will stop providing free support for their stable offering. In future, only paying sponsors will get stable patches to shore up their kernels' defenses. The public stable patches will not be distributed beyond the next two weeks in response to …
The aforementioned company has been using the grsecurity name all over its marketing material and blog posts
If that is the case, the why, when I search for "grsecurity", do I only find sites that discuss a version of the product, or its merits, and no sites that say that they're using it in a product ? Or even a marketing page mentioning it ?
Patches will be ceased in the next two weeks in response to an expensive and lengthy court case between the small outfit and a “multi-billion dollar” corporation which it says flagrantly infringed its trademark.Grsecurity man Brad Spengler says he has “had enough” of the embedded device industry ripping its technology and not donating “a single dime”.
“We decided that it is unfair to our sponsors that the above mentioned unlawful players can get away with their activity [and] we will cease the public dissemination of the stable series and will make it available to sponsors only,”
I'm having trouble reconciling how a trademark attack from Oracle (presumably) can be connected with "the embedded device industry ripping its technology" and necessitate complete implosion.. ?
I get the feeling that other (smaller, lower profile) vendors are doing the same thing, but weren't worth the effort to chase since they don't have the same level of exposure to discrediting their brand-name.
However, a large corporation using their kernel in an unsupported manner, yet implying that it is (i.e. without providing any caveats in the marketing blurb) is a serious matter for any company.
Basically if this cobbled together product is shown to be insecure, then it tarnishes the Grsecurity brand through no fault of their own.
I can't say I blame them, unfortunately if you give some people an inch, they give you the shaft.
I get them being upset about their brand being attached to what they consider an inferior product, but this sounds a lot like they jumped on one business model and are pissed off that another business decided to take advantage of a perfectly legal, though different, way of doing business. If it is a trademark issue, then fine, take them to court. Even if it fails to gain any funds for the company, the best way to lose a trademark in the US is to fail to defend it. If it is a matter of use of their product, as long as no laws were broken, then there is nothing that can be done, even if it is a bitter pill to swallow.
I view this action as an admission that the Grsecurity business model did not work and hope the change works out well for them.
grsecurity trademark has already been registered and from the grsecurity announce, seems the unnamed multi-billion company *cough*Intel*cough*wind river*cough* doesn't care squat about others' trademarks
http://tess2.uspto.gov/
Word Mark GRSECURITY
Goods and Services IC 009. US 021 023 026 036 038. G & S: Computer application software for laptop computers, mobile phones, desktop computers, servers, and mainframes for use in auditing computer users' activity, controlling access to software applications and file, network, and credential services provided by the computer's operating system, and preventing breaches of computer security. FIRST USE: 20011001. FIRST USE IN COMMERCE: 20011001
Standard Characters Claimed
Mark Drawing Code (4) STANDARD CHARACTER MARK
Serial Number 85506017
Filing Date December 29, 2011
Current Basis 1A
Original Filing Basis 1A
Published for Opposition July 10, 2012
Registration Number 4213087
Registration Date September 25, 2012
Owner (REGISTRANT) Open Source Security, Inc. CORPORATION VIRGINIA 2437 Raleigh Dr Lancaster PENNSYLVANIA 17601
This post has been deleted by its author
they didn't lose.. they did not even get in front of a judge/court.... they can't afford to sue as they do not have the money to afford suing.
quote from their announcement:
so I reached out to the community at the time with a brief explanation of the problem to see if anyone knew of a trademark litigation attorney that would be interested in taking the case on a contingent fee basis. There were no replies, and our own lawyer's efforts at finding a trademark expert only resulted in finding someone who would analyze the case at a cost well above everything we had already spent: money we don't have, and money that could be better spent on development and research.
/quote
tl;dr version: "How much justice can you afford to buy?"
/sarcasm
I've always held that a Patent, Copyright, or Trademark was worth the amount of money you have to LITIGATE an infraction. You might get someone in a law firm to salute a contingency deal if it's bad enough like the busybox/Verizon/Actiontec fubar. If it's like this kerfluffle? How many tens of thousands of dollars do you have to waste?
> billion dollar company.
Irrelevant. Trademark litigation is not exactly an open-ended "he said/she said" affair.
"We want them to stop using this"
"Is it a registered trade mark in the economic area described in the filing" YES
"Is in the same domain of application" YES
"Ok, stop using it"
Look,
Its not that simple and its costs money to sue.
People get this idea that there's going to be some lawyer willing to take on a big company like an Oracle, Intel, IBM, etc ... on a contingency fee.
Lawyers work on a per hour basis and unless they see a big enough payday or are willing to make the investment, contingency doesn't pay the bills.
The kickstart something.
The model of "doing OSS in spare time" is dangerous in any case and bound to de-cliff at a moment's notice. Because too personal.
Intel is generally not too unfriendly irt OSS though. What's going on here?
I don't know that Intel is really interested in spending money on Windriver court cases.
Intel bought them to help sell chips in the embedded market, not to syphon money to layers.
If anything the converse is true, there's no money to be made by a Giant into suing a small company. They don't compete with Intel, so even pushing them into bankruptcy would be moot and Intel customers need to know that GPS licenses are safe before they buy Linux derivatives anyway.
The PROBLEM there is that you lack understanding about this. It goes that way- but in order to collect damages, you must PROVE that they damaged you...and you will burn tens if not hundreds of thousands of dollars to GET there on a trademark...IF you can even get a court to salute your legal theory (Don't bet on it...)
So...getting someone like Intel to quit doing it...heh...best o' luck. You'll need it along with those thousands upon thousands of dollars, pounds, euros, etc. to GET a whiff of what you just described.
If no lawyer is willing to take up the case, there's probably a reason.
If no lawyer is willing to charge a price you can afford, there's probably a reason.
Additionally, if this is simply a trademark / passing off case, it's quite difficult to assert that they aren't using "grsecurity" code, or that they are somehow misrepresenting them. The GPL presumably applies to the code, so throwing your toys out of the pram for people using part of the code is really something that you should have accounted for when you started. Of course, people will take the code, tweak it, even reissue it under different names. You're providing them code under a licence that allows (and in some cases demands) that. The v2 licence of the kernel doesn't mention trademarks to my knowledge.
To say they are then misusing the trademark by saying it includes grsecurity code, and asking a court to do something about it... well, it does seem to be rather a complex and difficult thing to do. Is this any different to saying the code is "compatible with Microsoft Windows", "includes PhysX technology", etc.? There's a reason that places like that can't stop you saying that, or make you sign specific contracts before you CAN use their technology legally anyway.
What's the demand here? Are you after use of the trademark meaning you must update to the latest version of grsecurity with every product you use immediately upon release? Nobody would want to touch your trademark in that case anyway. They'd just take your code, rename it, sell it as their own, with no mention. Are they claiming to BE grsecurity? It doesn't seem like it. They're saying it's code grsecurity code in it and/or is based off grsecurity. Which appears to be true.
I think there's a reason no lawyer will touch it, even a law student or similar. Except without payment. They know they're going to lose or the "win" will be so minor as to be worthless.
I've had a couple of rows with this guy (I believe he goes by PaXTeam) on LWN.net too. His views are contrary to common-sense in just about everything and he has a way of rubbing everyone up the wrong way by "knowing better" than everyone else about... well... everything. It's a great product, and he's obviously a skilled coder, but the guy has no idea how to discuss things sensibly. I see this as an extension of his normal way of dealing with people - unreasonable demands and blown-out-of-proportion incidents focused around his unrealistic expectations.
http://forums.grsecurity.net/viewtopic.php?f=3&t=3713
Which is a pretty nice post on this subject.
Google cache just in case: http://webcache.googleusercontent.com/search?q=cache:wudElb9NPTYJ:forums.grsecurity.net/viewtopic.php%3Ff%3D3%26t%3D3713+&cd=3&hl=en&ct=clnk&gl=us
Problem is clear:
The post is from august 2013 asking for help in resolving a problem with a versiob of GrSecurity from August 2012 - out of date software. The post is asking for help in porting a fix from the current version back to the older one. The post is from Wind River (subsidiary of Intel.)
That fits all the known facts. Using an old version of GRsecurity in an embedded Linux kernel and backporting changes from newer version, multi billion dollar company.
I think everyone is forgetting that the Linux kernel is GPL code.
If GrSecurity sells or gives any code to anyone outside of GrSecurity, they are required to make that code available to everyone, regardless of whether they paid for it or not. That is the distribution requirement of the GPL. If GrSecurity attempts to withhold patches from the public that they are giving out to select individuals, they are violating the GPL, and subject to a lawsuit for breach of contract by the FSF. No one is "ripping" GrSecurity off if they use the code. They have that right. GrSeecuity has no right to tell anyone how they can use or not use GPL licensed code. It does not matter of they wrote it or not.
While it has nothing to do with the GPL, if they put the name "GrSecurity" in the kernel code as a name on a menu, they are implicitly giving people the right to use that, and to say "Yes, we are using GrSecurity code."
If
That's not how it works. They are required to give the source when they distribute the kernel. If someone asks them for the source, they should say "Get it from the same place you got the binary from."
When a consumer buys an embedded device, they don't usually get the source either. I certainly didn't get any source with that Samsung phone.
No problem. I don't buy Intel and will watch out for their farting up the Wind River area. Clearly if they can't cook up a usable security solution for their products in-house they are not so mighty, are they? Weak security means John Q. Pubic will empty the shelves of these toys and prop up an inviting env for me to go wandering about it.
IoT is going to be a giant field day for casual hacking of wireless conveniences. Let the games commence!!1! Thank you, Intel and Wind Ripper, or whatever the hell you are.
Yeah but they want free support also.
https://forums.grsecurity.net/viewtopic.php?f=3&t=3938&p=13940#p13940
Hi,
Sorry, we don't provide free support to a multi-billion dollar company that sells devices using grsecurity while violating the license of its GPL license and that of all other GPL code on the devices. Your MX900 and Petro series of products don't ship with the associated source code, nor is any written offer provided for the source code. Purchasers of these products have no idea at all that they use GPL-licensed software or that they have a right to its modified source code. It's fitting that a company profiting off the exploitation of open-source developers that license under the GPL (and not BSD) for a reason would come here for free support. Fitting, but incredibly rude.
-Brad
Or you know you can skip all the patches and mitigation bloat and get better security out of the box with OpenBSD. Its base as been audited much more thoroughly plus as an added bonus you get yourself a real POSIX OS. If your OS ships with the hairball bash by default (and as the default shell) then you probably don't care about all that much about security.
And before someone says it f__k RBAC (OpenBSD already has alot of other things by default of grsecurity like stack smashing protection, ASLR, etc) and the closing the stable door after the horse has bolted aspect to it.
> 1. Why doesn't OpenBSD have something like RBAC?
RBAC has a lot more knobs to tweak, so you can always go back after a security incident and say "aha! I need to tweak *that* knob to prevent this next time!" But it has a steep learning curve, and everything you don't know about how your RBAC is configured is as much a problem as everything you got wrong. Most people use RBAC on Linux by turning it off.
OpenBSD permissions are fairly simple, thoroughly considered, and set up with sane defaults. Most people continue to rely on just these basic controls, on OpenBSD *and* on systems with RBAC.
With Linux RBAC the odds of an admin borking at least one system wide program by getting the permissions wrong or them changing on an upgrade are a million times more likely than RBAC being stout enough to actually stop a determined user who has already compromised a system.
Indeed, although truth be told the same might be said about any other MAC system (except of course in case of at least some of the others you can get a lot of policies configured for you upstream). RBAC is the one component of GRSecurity that I keep off. There is a lot of other valuable stuff in there though so the end of public distribution of stable patches is sad news.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
