
You can not reverse-engineer our GPL-violations...

phorm (591458) writes | more than 7 years ago

GNU is Not Unix 6

phorm writes "It appears that Monsoon Technology, the makers of the Hava media-transmission systems, don't quite understand the GPL. As some users pointed out in their forums, their systems appear to be based on Linux and various GPL'ed software, with the output of "strings" and other tests showing signs of running busybox and others. A Monsoon spokesperson on the forum has indicated that they are aware it uses GPL'ed software, and are "working" on making source available, but at the same time are dropping various threats against supposed reverse-engineering of the software by those that determined the GPL violations.

A few snippets from the Monsoon rep include:

I have a little secret to let you in on — HAVA runs Linux! Yes, much of the source is GPL and we should publish those sections which we have modified per the terms of GPL. A project is underway to pull this together.

A couple of observations — some of you appear to be violating the terms of the End User License Agreement

You recognize and agree that the HAVA Software including its structure, source code and the design and structure of modules or programs, constitute valuable trade secrets owned by Snappymultimedia or its licensors. You will not copy or use the HAVA Software except as expressly permitted by this EULA and, specifically, you will not ...

(b) yourself or through any third party modify, reverse engineer, disassemble or decompile the HAVA Software in whole or part, except to the extent expressly permitted by applicable law, and then only after you have notified Snappymultimedia in writing of your intended activities;

Seems to me that some of you have just come out blatantly admitting you are reverse engineering the firmware — or trying to. How should we handle this?

As responses have indicated, the methods used to determine the violation do not seem to constitute reverse-engineering. Moreover, the initial friendliness of the rep is severely marred by the apparent hostility of the later message, as forum members have indicated. The overall message seems to be "we have not lived up to our obligations under the license of the software which we are using, but we'll get to it... sometime. Meanwhile, do not attempt to poke around our code yourself or things will get ugly."

The owners of BusyBox have been notified of this violation, however the response is still troubling. Is this the response we should come to expect as more and more commercial software uses and misuses GPL'ed components?"

6 comments

As usual, online irony fails to come across. (1)

Digital Larry (1152563) | more than 7 years ago | (#20488971)

OK, and I just had my teeth cleaned so I was a bit grouchy when I got on the Forum today. I hereby apologize. We will comply with the GPL. Regarding WHEN we do this, the project is initiated now and I just need to check with the engineering team regarding when it can get completed.

I am struck that one of the people giving me the most grief about the GPL code doesn't even own our product. Apparently he learned what he knows by downloading the software, inspecting the binaries, and since he didn't actually ever install the software, he didn't have to view/accept the EULA or feel bound by its terms. Interesting. Is there an official slashdot stance on that?

Thanks for letting me express my side.

gary-mm

Monsoon Multimedia erstwhile Forum guy and occasional grouch

'tis the way of the internet (1)

phorm (591458) | more than 7 years ago | (#20491595)

Well, I had modded you up on this, but unfortunately I cannot add a comment as an anonymous user to a firehose entry. Go figure. So that moderation will likely be undone (but hopefully somebody else will likewise mod you up to keep your comment visible).

I suppose everyone has a bad day, and unfortunately since bad days often can be "contagious," that often makes the internet a bit of a Typhoid Mary. It's both your luck and to some extent a testament to your diligence that you're the first to comment on this entry. I think the official slashdot stance on GPL-related issues depends greatly on how the vendors react to being notified of a violation or issue. Now, as far as the issue of inspecting the binaries goes, I don't think anyone here is going to be happy if an EULA or any other such manner prohibits them from taking a legitimate peek at the software. If somebody is trying to reverse-engineer it for malicious purposes (say, making a copycat product), my own stance would be that this should be frowned upon. But by the same token inspecting the software to determine that it's doing something it shouldn't, or using something it shouldn't, then it's hard to look down upon that.

Certainly if your company found pieces of your product in somebody else's code, many here would be looking more askance at the person using unauthorized code as opposed to whatever methods (within reason) were used to determine the violation.

Now, when the GPL comes into play, there's also the aspect of whether or not that code could be legitimately prevented from being seen, or even used elsewhere in the first place. An EULA that prevents you from viewing the source could be held as of no effect if it was, in fact, overruled by the GPL's effect upon your own license. You cannot relicense or EULA your software to overrule the GPL. The catch in this case is, of course, that if you use GPL code, release your source, and somebody else takes said source and doesn't distribute their own, then they are the ones violating the license, and the ones likely to catch crap on slashdot.

I myself am pretty careful when it comes to the whole GPL issue. I use both GPL and code from other licenses. And yes, sometimes it's a real bugger to make sure that you aren't violating somebody else's license. Then again though, even with a non-GPL license it's still a bugger, with the end result of either being that you risk being sued by the license-holder of whatever code you've incorporated into your product. Overall the licensing makes it easier by providing you with a nice strong codebase to build your own product on, but harder in the aspect that you have to make your product sellable over others that might be inclined to produce similar products.

In the end I'd say that if anything, this may end up being a bit of both positive and negative publicity for your product. If the source goes up for viewing fairly quickly, you've got a nice product that may end up being very hackable for added functionality. You've also got a site full of geeks who drool at the concept of such things, and might very well be willing to shell out some cash for the chance at playing with your product, and others who might be able to contribute back useful fixes or additions. At the moment it definitely hit some negative aspects, in both the issues with the GPL and the feeling of a threat in regards to the "reverse engineering" or otherwise hacking of the available downloads. There have been plenty of companies who have misused GPL code, denied doing so (which you didn't do in this case), and then threatened litigation against those that exposed the violation. People around here don't react all that well to such things, but will no doubt show a positive face and forget about it when the code comes out. As I said, it might even net you a few sales, and possibly some extra development support from the community (particularly in the cross-platform arena). I know I'd be happy to see a Linux-compatible version. I've already been called a troll on the forums (again, by a customer, not a rep it appears, so "Hi Patrick S").

Again, I'm not looking to smash your product, or drown you in bad PR, but I would definitely like to see the environment surrounding these sorts of issues be a little clearer for people in the future. Hopefully you, your company, and the GPL (and thus hopefully your users / the community) will have a happy relationship in the future.

Re:'tis the way of the internet (1)

Digital Larry (1152563) | more than 7 years ago | (#20495871)

Thank you for your remarks.

There are several aspects of the situation that appear clearer upon reflection.

#1 it is quite likely that the guy "Hugh" downloaded a firmware image directly, and in such cases we do not have any sort of owner registration required to access the download area, nor any EULA speed bump to download anything. You only see the EULA if you download the full installer and run it. This is our problem and I will deal with it.

#2 Another concern I have about people inspecting the code is that someone is going to feel compelled to pull it apart, as already evidenced, and while sections of it are certainly GPL, sections are also Monsoon IP. Also, some of the algorithms and binaries are actually IP of our silicon vendors - they are the drivers and covered by NDA to companies with greater legal resources than Monsoon.

#3 Do you consider the previous statement a threat? It is not a threat from me to you or any of the string readers. I don't have time or motivation to attempt to cause problems for any of you. It is just part of the larger picture. It represents more of a threat to us from our vendors and also a legitimate cause for concern.

#4 I can understand "legitimate" inspection of binaries if you would point me to a "legitimate" web site that clearly defines what this means. If there is an official definition of GPL policy enforcement and acceptable activities to undertake in the quest, that would be ideal. I got no beef with that.

#5 I find claims that using a string scanner is not "reverse engineering" the binary to be disingenuous. A person has used indirect means to deduce (some or all of) the internal structure of a system that they had no prior knowledge of. Clarifying the intent only goes so far as to lend legitimacy to the activity, but it does not change what it is. I have reverse engineered stuff too (oops, statute of limitations y'know). It's actually pretty fun (for geeks with spare time anyway).

#6 I am going to see if we can put the EULA into the binary, just so nobody can claim they never saw it.

#7 Anyone hoping for the next WRT54g or NSLU2 or Kurobox from HAVA is probably going to be disappointed in the short term, even after the GPL code is published.

Thanks again.

Re:'tis the way of the internet (1)

phorm (591458) | more than 7 years ago | (#20497231)

#2 Another concern I have about people inspecting the code is that someone is going to feel compelled to pull it apart, as already evidenced, and while sections of it are certainly GPL, sections are also Monsoon IP. Also, some of the algorithms and binaries are actually IP of our silicon vendors - they are the drivers and covered by NDA to companies with greater legal resources than Monsoon.

Do you understand how the GPL works? If you base your code upon GPL'ed work then you must thus apply the GPL to your own derived code. See here [gnu.org], here [gnu.org], and here [gnu.org]. If you also use restricted IP in the derived-code... then that's going to be a problem but it should have been figured out beforehand. So where specifically the GPL applies I don't know, because I haven't seen the code.

#3 Do you consider the previous statement a threat? It is not a threat from me to you or any of the string readers. I don't have time or motivation to attempt to cause problems for any of you. It is just part of the larger picture. It represents more of a threat to us from our vendors and also a legitimate cause for concern.

These comments (from the forums) seem to be hedging on a threat:
A couple of observations - some of you appear to be violating the terms of the End User License Agreement, specifically: (sections)
Seems to me that some of you have just come out blatantly admitting you are reverse engineering the firmware - or trying to. How should we handle this?


#4 I can understand "legitimate" inspection of binaries if you would point me to a "legitimate" web site that clearly defines what this means. If there is an official definition of GPL policy enforcement and acceptable activities to undertake in the quest, that would be ideal. I got no beef with that.
A good place [gnu.org] to start. See also here [busybox.net] as the product appears to use BusyBox code.

#5 I find claims that using a string scanner is not "reverse engineering" the binary to be disingenuous. A person has used indirect means to deduce (some or all of) the internal structure of a system that they had no prior knowledge of. Clarifying the intent only goes so far as to lend legitimacy to the activity, but it does not change what it is. I have reverse engineered stuff too (oops, statute of limitations y'know). It's actually pretty fun (for geeks with spare time anyway).
For lack of better references, see here [webopedia.com] and here [wikipedia.org]. Also, on strings [about.com], which is not reverse-engineering. It is not a tool used to determine how a product functions, or otherwise offer insight into how. It is a tool used to determine if particular blobs of text, etc. turn up inside a program, which could then be used in some cases to determine whether or not a particular piece of licensed code or text is found inside the binary.

#6 I am going to see if we can put the EULA into the binary, just so nobody can claim they never saw it.

Your choice. Just make sure the EULA is valid in light of the applicable code/licensing. I'm not sure it would show up anyways in many cases. A better idea might be to put it before the download (or right on the download page of your website).

#7 Anyone hoping for the next WRT54g or NSLU2 or Kurobox from HAVA is probably going to be disappointed in the short term, even after the GPL code is published.

That may be so, but this is not the fault of the GPL, nor those that seem the rights which it represents.
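What a `strings`-style scan of a firmware image actually yields, as an added example that is not part of the thread or any poster's code: it pulls printable text runs out of a binary and matches them against version banners, producing a component inventory and nothing about control flow or algorithms. The sample image bytes, the `sample_app` name and the two banner patterns are constructed for illustration.

```python
import re

def extract_strings(blob: bytes, min_len: int = 4):
    """Return runs of printable ASCII (plus tab) at least min_len bytes long,
    roughly what the `strings` utility reports with its default settings."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]

# Illustrative banner patterns (assumptions for this example): text that
# these components commonly embed in their own binaries.
MARKERS = {
    "BusyBox": re.compile(r"BusyBox v(\d+(?:\.\d+)+)"),
    "Linux kernel": re.compile(r"Linux version (\S+)"),
}

def find_components(blob: bytes):
    """Map component name -> version string for every banner found."""
    found = {}
    for text in extract_strings(blob):
        for name, rx in MARKERS.items():
            m = rx.search(text)
            if m and name not in found:
                found[name] = m.group(1)
    return found

# Constructed sample "firmware": binary filler with three embedded strings
# and one 3-byte run ("abc") that falls below the minimum length.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(16))
    + b"Linux version 2.6.0-sample (build@example)\x00"
    + b"\xff\xfe\x00\x10"
    + b"BusyBox v1.0.0 (sample) multi-call binary\x00"
    + b"\x90\x90\x01\x02abc\x00"
    + b"Usage: sample_app [OPTION]\x00"
)

if __name__ == "__main__":
    for line in extract_strings(SAMPLE_IMAGE):
        print(line)
    print(find_components(SAMPLE_IMAGE))
```
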

Re:'tis the way of the internet (1)

Digital Larry (1152563) | more than 7 years ago | (#20498393)

#5 I find claims that using a string scanner is not "reverse engineering" the binary to be disingenuous. [...]

For lack of better references, see here [webopedia.com] and here [wikipedia.org]. Also, on strings [about.com], which is not reverse-engineering. It is not a tool used to determine how a product functions, or otherwise offer insight into how. It is a tool used to determine if particular blobs of text, etc. turn up inside a program, which could then be used in some cases to determine whether or not a particular piece of licensed code or text is found inside the binary.

----

Thanks for the info.

Well, I read all of your references and whether or not using "strings" on a binary constitutes reverse engineering is still up in the air. It is a tool that allows one to scan for strings inside an otherwise unreadable binary file. In this case, it was used for the purpose you describe, but along the way, oh we have discovered that the device runs Linux! I'll admit there's not MUCH you can do with this information, and it's far from a thorough job of reverse engineering. It's like arguing that a hammer isn't a murder weapon because that's not what it was made for. Yeah, I probably watch too many courtroom dramas. I still have not found the specific reference on gnu.org indicating what activities (such as string searching binaries) are acceptably in line with the pursuit of justice in the GPL world. Because if I can find them, I would put them in the EULA to avoid ambiguity.

Thx!

Re:As usual, online irony fails to come across. (1)

HTH NE1 (675604) | more than 7 years ago | (#20494669)

Firehose comments aren't generally carried over to the front-page version of a story unless somehow incorporated into the story. When this goes front-page (it's red on the hose now), you'll likely want to reprint your comment there.