Is Free Software more securing?

While Microsoft is about to launch its new operating system, Windows 7, in a flood of advertising propaganda, an important security hole seems to have been quietly ignored. Microsoft has to improve its image among users after the more than mixed success of Windows Vista, which still struggles to replace the old Windows XP. So it is not difficult to understand that the monopolist takes more care of packaging than of security.

Free as in Freedom operating systems are not perfect, but I think we have the right to say that Free Software is more securing. Here’s why. First, the source code is open, which allows any relevant party (a developer, an IT security agency, a competing company…) to identify holes and to fix them. Second, Free Software does not create monopolies; on the contrary, it contributes to a better distribution of tasks: there are several versions of Linux, several operating systems based on GNU and Linux, several vendors or communities and several distributors. And this collaborative development needs transparency. All these different actors ensure that every single level of the system’s development is under control.

This is a major difference from the development model typical of proprietary systems, where the division of tasks is possible but where there is no diffusion of responsibility or power. Every actor keeps exclusive control over its software and thus over its probable security holes. This results in really serious issues, especially when one company holds a monopoly and abuses its position in a market as important as desktop software. Every single user of Microsoft products is strongly dependent on it. Problems can only be resolved if Microsoft wants to. Unhappily, in such an overwhelming structure as Microsoft, if marketing is considered more important than security, it is the user who will pay.

So here are some incidents due to security issues with Microsoft software that have been mentioned since October 1.

This does not only concern operating systems and big infrastructure, but also basic software such as web browsers, which are used every day by billions of people. Here again, Microsoft takes its time.

About the subject

I am not the first one to talk about this issue, of course. If one wants deeper explanations, one should find details in this article: Why Free Software? Look at the numbers! or also in Computer viruses are caused by Proprietary Software.

Anyway, what matters before any security or technical issue is trust and control.

It’s our duty to take care of our own security

Finally, I’ll say that Free Software is not more secure in itself. But by giving the freedom to study the source code, to improve it and to share modifications, Free Software gives its users the power to take care of their own security instead of handing it over to someone else.

It’s not a coincidence that Free operating systems have excellent tools to give users privacy and intimacy, like GnuPG or OpenSSH.

OOXML, ODF, standards and innovation: Steve Ballmer

Here is an interesting video from a conference Steve Ballmer (Microsoft) gave at Sciences Po, my university, in October 2007. My friend Pierre Slamich, who is also in charge of our association “Digital Freedom”, asked Steve Ballmer about the future of OOXML after its initial failure to be accepted as an international standard.

You can download the video in Ogg/Theora.

Pierre: “Microsoft-Office”Open”XML (MS-OOXML)* was recently dismissed as an international standard, so what will Microsoft do about this? Will you merge it with the OpenDocument Format (ODF) standard or maintain two standards on the marketplace?”

Steve Ballmer: “Well, MS-OOXML is an international standard, it is a European standard actually […] The truth is, we don’t control MS-OOXML anymore, it is now controlled by the European Computer Manufacturers Association (ECMA), so whether it gets merged will largely be a function of how the standardisation organizations want to move forward. […] [ODF and MS-OOXML] do interoperate at some level of fidelity. We are encouraging people to take a pluralistic view of this.

Otherwise what will happen is: we don’t want standards to be the enemy of innovation.”

* Funny to see how Pierre has trouble saying Office “Open”… because MS-OOXML is anything but an open standard! For some more information about how Microsoft’s standard is “open”, you can see this comparison with ODF.

I always like it when Microsoft talks about “innovation.” See this article by Georg Greve, Microsoft, Antitrust and innovation, on Groklaw.

Re: Paris Court of Appeals condemns Edu4 for violating the GNU General Public License

On Tuesday, FSF France published an article which led to several enthusiastic reactions on specialized websites. And the news is indeed interesting, since the Paris Court of Appeals condemned Edu4 for violating the GNU General Public License, thereby giving it legal value. So far, however, nothing new: Free Software’s most used licence has already been enforced in court in several countries, such as:

  • The United States, in the Jacobsen v. Katzer case, where the court held that the GPL was enforceable as a copyright condition;
  • or in the Wallace lawsuit, which pitted him against the FSF, IBM, Novell and Red Hat, during which the judge said regarding competition issues:

    The GPL encourages, rather than discourages, free competition and the distribution of computer operating systems, the benefits of which directly pass to consumers. These benefits include lower prices, better access and more innovation.

  • Germany, where Harald Welte won against Skype, which used Linux without meeting the GPL conditions (Harald Welte is also involved in the case against the French ISP Free).
  • And also France, in 2002, in a case between the University of Grenoble and the company Educaffix about software that was derived from another program licensed under the GPL.

Well, everything becomes interesting in this new case compared to those mentioned above, because AFPA and EDU4 are not arguing as copyright holders over a copyright or licence issue: it’s about an end user (AFPA) and a service company (EDU4).

But we had better be careful and avoid hasty conclusions. Let’s go back to where it began.

In 2004, AFPA was ordered to pay EDU4 €900,000 when the court considered that AFPA’s unilateral termination of the contract was not justified. The contract in question was a public tender from 2000, won by EDU4. But in 2001, AFPA discovered that EDU4 had used the Free Software VNC in its product and therefore argued that the product did not conform to the contract, which AFPA then terminated.

But EDU4 appealed, and AFPA asked for an additional expert report in 2006. This expert report contained damning conclusions: EDU4 had hidden its use of VNC by removing the original copyright notices and the GPL text (thus disabling its mechanism). Besides, the modifications made to VNC had disastrous consequences for IT security and personal data protection.

It is on those grounds that AFPA had the right to terminate the contract, since there was obviously counterfeiting, a lack of sincerity from EDU4 and, furthermore, high risks for IT security (with a backdoor). This is why the Court of Appeals condemned EDU4.

As a matter of fact, I see no reason to think it would have been different with any software licence other than the GPL. Which leads me to think that matters of source code distribution, and even more so copyleft protection, were not considered pertinent to the Court’s ruling.

It is true that the ruling mentions the issue of source code distribution a few times, but it was never directly taken into account; it was only used as evidence of EDU4’s lack of sincerity during the proceedings (removal of copyright notices and confusion about the software’s legal nature).

Furthermore, I would even argue that EDU4 did not have the right to distribute the modified software’s source code at all, since they broke the GPL when conveying a modified version of the Software without the AT&T copyright notices or the GPL text. By failing to respect the GPL, they no longer had the right to use, share or modify the Software.

In short, EDU4 is accused of software counterfeiting for replacing the copyright notices with its own, and of having sold a product that was not compatible with the original mission set out in the public tender, because of the security issues it posed for AFPA.

So it seems to me that there are few, if any, implications for us, because the copyleft mechanisms of the GPL were not analysed in the process of condemning EDU4, simply because those mechanisms did not involve AFPA. They only involved EDU4 and the VNC authors.

Who has the power to enforce the GPL? Since the GPL is a copyright license, the copyright holders of the software are the ones who have the power to enforce the GPL. If you see a violation of the GPL, you should inform the developers of the GPL-covered software involved. They either are the copyright holders, or are connected with the copyright holders.

Weekly Digest 09/04 to 09/10

The thing that shocked me the most this week is without any doubt this article in TechCrunch about a future device called “Life Recorder” (I can already imagine the Apple iLife advertising campaign). Inspired by a Microsoft Research product called SenseCam, the camera would be attached to our body, record everything we do and synchronize it online.

“Imagine an entire lifetime recorded and searchable. Imagine if you could scroll and search through the lives of your ancestors.”

I have to admit, I first thought it was a hoax. My surprise was that it was real… and that people actually liked it! The comments were far more frightening…

“It would be boring as I spend a great deal of my life on the computer, but regardless I would see no problem in its ‘invasion of privacy’. I rarely do anything I need to keep secret and as such don’t care. However, I do forget things very often and would love such a device for that reason. I am also a social networking addict and update my status/location all the time along with pictures if I am able.”

See the discussion going on… and expect a blog post about it where I’ll give you my point of view!
