Tonnerre Lombard

Archive for May, 2009

Preliminary injunction against Microsoft contract

Saturday, May 30th, 2009

The contract granted by the Federal Department of Construction and Logistics to Microsoft has been put on hold by the Federal Administration Court due to a pending case. The injunction explicitly excludes «all licenses required for vital operation of the federal infrastructure».

The reason for the injunction is the court case of other potential competitors against the department which had granted the contract to Microsoft without a tender, violating the federal law on acquisition.


Berner Zeitung on a slander campaign against the Canton Solothurn

Tuesday, May 19th, 2009

The Berner Zeitung currently appears to be on some sort of crusade against the Office for Informatics and Organization (AIO) of the Canton Solothurn. The subject is the Linux strategy of said canton.

(Please note that not all comments in the referenced articles are referenced below since there are so many of them, and most of them already falsify themselves.)


Back in 2001, the Canton Solothurn decided to migrate their entire IT infrastructure to a Linux desktop and Linux servers. Nowadays, most of the migration is complete and the old Windows NT terminal server farm exists in downsized form for legacy reasons.

Some applications still aren’t migrated, as evidently specialized applications aren’t always available initially for Linux.

A crusade against the strategy

The Berner Zeitung, however, is attempting to draw an entirely different picture of the migration. They recently published articles like «Kritik an der Pinguin-Strategie», «Wieder Ärger mit dem Pinguin» and others, all bashing the Linux strategy of the canton. Most of the articles mention complaints of users of the platform that they cannot do their work reasonably with the new platform.

One problem mentioned in such an article was, for example, that the office of justice received a PowerPoint presentation for some event and had to borrow a laptop from the cantonal police to display it. This story is quite evidently nonsense, since the document could easily have been opened with OpenOffice. The other stories aren’t any better though.

Anonymous astroturfing site

The articles frequently cite a web site named Linux Windows, whose URL is not being linked to here in order to not affect the page rank. It is hosted at npage dot ch, which should help people to find it for reference.

This site is of really questionable quality. It is hosted with a hoster who refuses to provide any information about the people hosting sites using their services, and the site does not give any hint about the identity of the operator, who describes himself as a government employee.

The welcome site states explicitly that everybody who has something to contribute to the web site is allowed to publish to the guest book. However, all of the more insightful comments submitted in favor of the strategy, correcting statements about prior postings et cetera are never passed while some of the more superficial ones are permitted to simulate openness.

The entries posted to this site are then altogether terrible. The issues mentioned are mostly minor temporary issues or general comments deprived of any basis. One comment claims for example that Open Source per se was bad because hackers have built backdoors into it, an argument which can be falsified easily by browsing through the FSF web sites or typing the claim into Google. Also, it neglects the fact that initially, all software was free software.

Instead, the owner of this site could have provided something constructive like a bug tracker, where fixed issues could be marked as such. This would have allowed constructive cooperation between the cantonal employees and the AIO.

Official «media management» by UDC

The conservative party UDC also published an article on the news site mentioning the debate and taking sides heavily against the Linux strategy. The article states that the canton is facing expenses of several hundred million Swiss francs, mentioning farther down that these expenses occur in the event that the strategy is changed and new Windows and Office licenses would have to be purchased. Under these circumstances it appears to be a good argument for keeping the strategy.

Another argument mentioned is that «the canton is sending out documents that its citizens cannot read». Were this the case, then at least there is a way out for the citizens which is free of charge: the installation of the OpenOffice suite, which can be done in only a couple of clicks.

However, the comment completely ignores that starting from Office 2007, Microsoft Office users have been sending out documents in the new OOXML .docx format by default. Reading these files requires a current version of MS Office, which has to be purchased. But even without this, reading newer Office files with older Office versions has always been a problem.

Official response

Mr. Bader from the AIO has been interviewed by various newspapers about the raised issues; his comment was that no such deterring problems are currently known to them. Most of the cantonal employees I’ve been in contact with also confirm that there are only occasional issues with the system which are usually fixed quickly. (This would probably also be the case with a Windows environment.)

It seems not to be a coincidence that these articles all appeared after the appeal to the decision of the Federal Office of Construction to grant a CHF 42 million contract to Microsoft without a tender, because the Canton Solothurn has been mentioned in the reasoning of the appeal as an example that alternatives to the Microsoft solutions exist. It is not known who is directing this slander campaign against the canton, but either way this person is mostly raising the ridicule of the community, rather than having a real effect.

Other renowned newspapers are already reporting that the Canton Aargau is considering following the good example of Solothurn and migrating their IT to open source software. This makes it pretty clear that Open Source is indeed a viable alternative.

As a closing note, it should also be mentioned that our company is working with an exclusively Open Source environment and has been doing so since its early days in 2000. We have yet to encounter serious difficulties.


EU commission takes another shot at software patents

Wednesday, May 13th, 2009

After their failure to introduce software patents in Europe directly through two directives, then through the community patent and then finally through the «European Patent Litigation Agreement» (EPLA), the European Commission has come up with a new way to legalize software patents: the «United Patent Litigation System» (UPLS).

The proposal displays a vast amount of similarity with the EPLA, except that the highest instance is moved to a specialized patent court. Instead of judges, this court is run by «patent judges», who, just like in the EPLA, do not have a legal degree but are only trained by the European Patent Office. The European Court of Justice (ECJ) has no role to play in this and no right to review the decisions of the patent court.

This is another attempt of the patent system to move all control over patents and their applicability to the participants.

Why software should not be patentable

The big problem with regard to software patents is the question of invested effort. The whole debate about software patents usually revolves around the question of whether or not copyright is a sufficient protection for software. In my opinion it is, which can be shown very easily:

  1. First you have an idea. This costs you nothing.
  2. Then you sit down and invest work in an implementation of your idea. This implementation is fully covered by copyright, and is your first real investment into the idea.

Surely, anybody could look at your product and clone it, but that requires that person to start at step 2 and re-do your entire investment in implementing the idea. Thus, this person has no competitive advantage of taking your idea. The investment software patents protect is essentially zero. This is a large difference from developing e.g. a machine, where a lot of material is usually invested into prototypes.

At the same time, the impact is not: software patents would forbid the competitor to implement his own variant of your idea. The idea is essentially monopolized, and the cost is carried by the community.


Federal government grants 42 million francs contract to Microsoft, without tender

Wednesday, May 6th, 2009

The Swiss federal government published in the Swiss Official Gazette of Commerce that it has granted a maintenance contract over CHF 42 million to Microsoft — however, without a prior tender. The monopolist apparently had been granted the contract under exclusion of any potential competition.

The Federal Office of Construction and Logistics (BBL) apparently signed the maintenance contract over Windows and Office licenses, SharePoint et cetera in February already. A tender had never been held, so competitors had never been given a chance to demonstrate their own products. This, however, is clearly against the official regulations for acquisition of resources. A speaker of the Open Source corporation group /ch/open announced that the decision would be contested in front of the Federal Court which, incidentally, is a known user of the suite.

In a television interview on the popular Swiss talk show «10vor10», the responsible official defended the decision with the rather bogus words «We cannot be expected to migrate everything to Open Source software overnight.»

In the meantime, the decision has drawn a lot of press coverage. Not only have IT publications such as ProLinux, Inside-IT and IT Reseller Online published articles detailing the deal; there were also articles in the Neue Zürcher Zeitung (NZZ), 20 Minuten (print version only) and Infoweek, as well as the aforementioned broadcast of the popular talk show «10vor10».

Not to be outdone, some parliamentarians announced shortly after the SHAB article that they had created the «working group digital sustainability», which is pushing for more use of Open Source software in the federal government. Enough precedents exist already, with the canton Solothurn using the Linux operating system on the desktop, and other cantons introducing a variety of Open Source tools. But surely, it won’t happen overnight.

An attempt at forbidding «hacker tools» in Switzerland

Wednesday, May 6th, 2009

The Federal Department of Justice and Police recently proposed to introduce legislation outlawing so-called «hacker tools» in Switzerland as well. However, the proposed paragraph deviates massively from the original European cybercrime convention which it attempts to implement. Consequently, the legislation would not only outlaw «hacker tools» which can be used only by evildoers breaking into other people’s machines without permission, but in fact any type of tool used to test or ensure system security (such as Nessus, Metasploit, or even simple administrative tools used for network debugging, such as tcpdump, snoop or wireshark).

The currently proposed version introduces an article simply stating that «Whoever publishes programs or other data or makes them available in spite of having to assume that they will be used for any purpose mentioned in article 1 [i.e. breaking into systems], shall be punished with prison for up to three years or with a fine.» This article appears to be based on the false assumption that software which can be used to break into systems is per se evil, and that no dual use exists. However, with the possible exception of combined attacking and spam software (e.g. botnet software), every system and network security tool is basically a dual use tool. This is due to the very nature of network security. IT security companies are basically just hackers who are getting paid to break into the customer’s systems in order to discover and verify existing security problems. Surely, a tool used in such a so-called «penetration test» could be used in the very same way without the target’s prior consent. An IT security tool cannot determine whether the target has granted consent; the difference is purely administrative.

Moreover, for companies such as Internet service providers, network traffic monitoring tools are a crucial element in determining connectivity problems. Of course, the same tools could be used to read passwords transmitted over the line, thus making them usable as tools in a «hacking» attack. However, without the network traffic monitoring tools, debugging network problems becomes an insurmountable task for network administrators.

The current proposal can thus be considered as totally inappropriate, and will need a complete makeover. In order to convince the federal council and EJPD of this, everybody is invited to submit a response to the currently running hearing on the proposal to the EJPD.


German petition against Internet censorship attracts attention

Wednesday, May 6th, 2009

A petition against Internet censorship launched on the petition web site of the German parliament has recently gained a lot of attention, and consequently, a lot of signatures.

The subject of the petition is a proposal of the German federal police, which aims to introduce an infrastructure with which the government can block arbitrary sites at all ISPs in Germany. The basic idea is that if cases of child pornography or similar are brought to the attention of the federal police, the sites are added to a blacklist. This blacklist is then distributed to all ISPs in Germany, which consequently have to redirect the users to a server of the federal government using DNS spoofing. This server will then record the IP address of the person visiting the site as a suspected consumer of pornographic material involving minors.

Ineffective measures

The Chaos Computer Club, as well as a lot of other organizations and computer magazines such as c’t, have already protested against the proposal, calling it ineffective, which is indeed the case. Any potential consumer of child pornography can simply configure their own name server, or use one hosted by a friend or located outside Germany, thus escaping the measure. Also, the whole material remains on the Internet, for everybody not living in Germany to see. In order to stop the abuse of the children in question, the only effective measure would be to ask the content provider, which means the company providing hosting or housing to the web site owner, to take down the web site. Experience shows that in the vast majority of cases, this happens immediately.

Moreover, the proposal will simply not work, for a very simple reason. What the German government wants to impose here is basic DNS spoofing, just like the DNS spoofing attack presented by Dan Kaminsky. Since susceptibility to DNS spoofing is a serious security issue, countermeasures have been proposed and are now built into major DNS servers and clients. The principle, nowadays known as DNSSEC, is a simple public key infrastructure by means of which every DNS zone owner (i.e. every person hosting host name records for a domain) digitally signs their zone using a so-called zone key. The public part of this key is then published to a special, cryptographically secured service, which can subsequently be queried for such keys. If the presence of the DNS Security extension is detected on a domain, the client host requests the public key and verifies the signature of the queried data.

Since there is no way the federal police could forge such a signature, the modified DNS data would be noticed immediately and cause an error to be displayed to the user. But not only will this ruin the use case of finding people visiting child pornography sites, it will also potentially affect other data in the same zone, thus having a serious effect on the end user experience.
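The validation step described above, as an added example that is not part of the original post: a simplified model in which a client accepts a signed answer only if the zone key matches a trusted digest and the signature covers the data. It assumes textbook RSA over a text encoding instead of the real DNSSEC record and wire formats; the keys, addresses and all function names are constructed for illustration.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy: no padding, known primes)."""
    n = p * q
    return {"pub": (n, e), "priv": pow(e, -1, (p - 1) * (q - 1))}

# Constructed keys from publicly known Mersenne primes; insecure on purpose.
ZONE_KEY = make_key(2**521 - 1, 2**607 - 1)       # legitimate zone owner
REWRITER_KEY = make_key(2**607 - 1, 2**1279 - 1)  # party rewriting answers

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def canonical(name, rtype, values):
    """Order-independent text encoding, standing in for DNS canonical wire form."""
    return "|".join([name.lower(), rtype, ",".join(sorted(values))]).encode()

def sign_rrset(key, name, rtype, values):
    """Zone owner side: sign the record set with the private zone key."""
    n, _ = key["pub"]
    return pow(digest(canonical(name, rtype, values)), key["priv"], n)

def key_fingerprint(pub):
    """Digest of the public key, as held by the trusted key service."""
    return hashlib.sha256(("%d:%d" % pub).encode()).hexdigest()

def validate(answer, trusted_fingerprint):
    """Client side: check the key against the trusted digest, then the signature."""
    if key_fingerprint(answer["key"]) != trusted_fingerprint:
        return "bogus: key not vouched for"
    n, e = answer["key"]
    expected = digest(canonical(answer["name"], answer["type"], answer["values"]))
    if answer["sig"] is None or pow(answer["sig"], e, n) != expected:
        return "bogus: signature does not match data"
    return "secure"

def run_examples():
    name, rtype = "www.example.org", "A"
    anchor = key_fingerprint(ZONE_KEY["pub"])
    genuine = {"name": name, "type": rtype, "values": ["192.0.2.10"],
               "key": ZONE_KEY["pub"],
               "sig": sign_rrset(ZONE_KEY, name, rtype, ["192.0.2.10"])}
    redirect = ["198.51.100.7"]  # constructed address of the logging server
    rewritten = dict(genuine, values=redirect)           # old signature kept
    stripped = dict(rewritten, sig=None)                 # signature removed
    resigned = dict(rewritten, key=REWRITER_KEY["pub"],  # signed with own key
                    sig=sign_rrset(REWRITER_KEY, name, rtype, redirect))
    return {label: validate(ans, anchor) for label, ans in
            [("genuine", genuine), ("rewritten", rewritten),
             ("stripped", stripped), ("resigned", resigned)]}

if __name__ == "__main__":
    for label, verdict in run_examples().items():
        print(label, "->", verdict)
```

Only the answer signed by the zone owner validates; every rewritten variant is rejected, which is the error the end user would see.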

Creating terrorists

Another case which could be brought against these measures is that they enable an arbitrary attacker to generate terrorists. The procedure is very easy to implement, hard to notice and can be used by any random home page owner. The only thing one needs to do is to include a small iframe or image on one’s home page which leads to a server on the child pornography block list. This will get every visitor of the web site onto the list of suspected consumers of child pornographic material.

If this appears too offensive, it is possible to have a server side include or CGI script which only includes the iframe or image every once in a while. This will make the mechanism very hard to detect.

Another method would be to include a URL to the site in a banner exchange facility. This would mark a small fraction of the visitors of every web site which is a member of the banner exchange as a suspected consumer of child pornographic material.

As a summary, the mechanisms are very easy to overcome and carry a massive inherent potential for abuse. (The government could for example block the web sites of political activists, automatically, and nobody would be able to tell.) The fact that the governmental agencies threatened to sue everybody who receives, owns or publishes a copy of the list does not really help to establish the trust that this list will not be abused for somebody’s agenda.


If you want to help fight this, here are some links:

New «OSS Jam» with a lecture from my part

Saturday, May 2nd, 2009

On May 7th of 2009, a new OSS Jam is going to take place at the Google Zurich office. While this seems like nothing unusual as OSS Jams tend to take place about once per month, it is slightly special for me, as I’m going to give a small lecture there.

Monitoring Systems lecture

The topic is going to be monitoring systems, as the most popular monitoring system Nagios recently added a PHP dependency for its web interface. Since a monitoring server is supposed to be a hardened setup as it needs to work reliably rather than sending out SPAM into the wide world, this means that for everyone at least half a bit into security related matters, Nagios just turned into a no-go.

The Hobbit Monitor provides a nice alternative to Nagios. Its notification system is way more configurable, its plain text checks are easy to define and it performs a great deal better than Nagios, but unfortunately it lacks some features which might be necessary for larger setups. Also, better performance doesn’t mean good performance: with a few thousand hosts, the Hobbit Monitor also puts a rather large load on the monitoring server.

Finally, as always, the conclusion tends towards a Kästnerian «Do it yourself». Thus, I’m introducing a new monitoring system I’m going to develop in the near future, entirely in C with a nice templating system, and decent performance.

Binary patches

As I’m currently implementing a binary patch management system for the NetBSD Foundation, I’m also going to talk a bit about requirements of binary patch systems and how my system meets them. Since I only have a working prototype with basic functionality so far, people are also welcome to join this effort.