Code Audit of OpenSSL
On March 9th, 2015 Cryptography Services announced that it will be performing a cryptographic security audit of portions of the OpenSSL code base. OpenSSL is a widely used open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The software came under scrutiny in 2014 with the discovery of security vulnerability CVE-2014-0160, also known as “heartbleed”. Although patches to the heartbleed vulnerability were made available swiftly, heartbleed and other vulnerabilities have called attention to the depth of global network reliance on free and open source software.
The Linux Foundation’s Core Infrastructure Initiative in cooperation with the Open Crypto Audit Project have hired Cryptography Services to review the software to ensure its security. Cryptography Services is a dedicated team of consultants from iSEC Partners, Matasano, Intrepidus Group, and NCC Group focused on cryptographic security assessments. Commenting on the OpenSSL audit, Cryptography Services stated “We know that with what may be the highest profile audit conducted on an open source piece of software, the Internet is watching. The audit’s primary focus is on the TLS stacks, covering protocol flow, state transitions, and memory management. We’ll also be looking at the BIOs, most of the high-profile cryptographic algorithms, and setting up fuzzers for the ASN.1 and x509 parsers. While the audit won’t cover every single corner of the codebase, we believe it will be a useful component of the broader efforts being undertaken to improve OpenSSL’s engineering and security. This is a fairly large audit, so we expect the preliminary results to start coming out towards the beginning of the Summer after we coordinate with the OpenSSL team”.
This audit of what Cryptography Services describes as “one of the most widely deployed pieces of software in the world” is a welcome development for the security of the Internet as a whole and for the future of FOSS security tools.
Microsoft Sues Kyocera on Handset Patents
On March 6th, 2015 Microsoft filed a lawsuit in United States Federal Court alleging that a variety of handsets manufactured by Kyocera infringe multiple Microsoft patents. Microsoft is well known for its aggressive stance on patent licensing for Android-based mobile phones. Most major Android handset makers are known to pay a significant per-device patent royalty to Microsoft, with the most notorious holdout being the formerly Google-owned Motorola.
Microsoft is seeking damages and a permanent injunction prohibiting Kyocera from using, selling, or importing any infringing products in or into the United States. The seven patents Microsoft is asserting in its case against Kyocera are listed below:
RE 40,989 — Atomic operations on data structures
7,137,117 — Dynamically variable idle time thread scheduling
7,289,102 — Method and apparatus using multiple sensors in a device with a display
6,349,344 — Combining multiple java class files into a run-time image
7,062,274 — Increasing the level of automation when establishing and managing network connections
7,062,715 — Supplying notifications related to supply and consumption of user context data
7,050,408 — Communicating multi-part messages between cellular devices using a standardized interface
ACLU Sues NSA
On March 10th, 2015 the American Civil Liberties Union (ACLU) filed a lawsuit against the United States National Security Agency (NSA) and Department of Justice (DOJ) challenging the United States government’s pervasive interception of the international Internet communications of Americans. The ACLU is representing a wide coalition of plaintiff organizations: the Wikimedia Foundation, the National Association of Criminal Defense Lawyers, Human Rights Watch, Amnesty International USA, PEN American Center, Global Fund for Women, The Nation magazine, the Rutherford Institute, and the Washington Office on Latin America.
This case challenges the NSA’s “upstream” dragnet surveillance through which it captures vast amounts of raw Internet traffic by monitoring points in the Internet “backbone”, i.e. the high capacity cables and networking equipment infrastructure run by companies such as Verizon and AT&T.
The government claims that this surveillance activity is authorized by the Foreign Intelligence Surveillance Act Amendments Act of 2008 (FAA), while the ACLU argues that it violates the United States Constitution. The ACLU brought a previous case, Clapper v. Amnesty, challenging surveillance conducted under the FAA in 2008. However, that case was ultimately dismissed by the United States Supreme Court in February of 2013 on the ground that the plaintiffs lacked “standing”, or in practical terms, that they could not prove that the government had intercepted their communications.
In the time since the dismissal of Clapper v. Amnesty, a tremendous amount of information regarding U.S. Government surveillance has been gleaned from the documents disclosed by Mr. Edward Snowden, amongst others. Some see this new case as a continuation of the challenge to bulk surveillance raised by Clapper v. Amnesty. The involvement of the Wikimedia Foundation, the organization responsible for Wikipedia, may prove helpful in establishing standing, because a leaked NSA document references surveillance of Wikipedia traffic in particular.
In a relevant portion of its complaint, the ACLU argues that:
The NSA has expressed interest in surveilling Wikimedia’s communications. An NSA slide disclosed by the media asks, “Why are we interested in HTTP?” It then answers its own question: “Because nearly everything a typical user does on the Internet uses HTTP.” This statement is surrounded by the logos of major internet companies and websites, including Facebook, Yahoo, Twitter, CNN.com, and Wikipedia. The slide indicates that, by monitoring HTTP communications, the NSA can observe “nearly everything a typical user does” online — including individuals’ online reading habits and other internet activities. This information is queried and reviewed by analysts using a search tool that allows NSA analysts to examine data intercepted pursuant to the FAA and other authorities.
This lawsuit seeks to argue that surveillance of the communications of Wikipedia and of the other human rights, legal, media, and information organizations interferes with their ability to operate effectively, and that the kind of upstream surveillance allegedly conducted by the NSA is incompatible with the Fourth and First Amendments to the United States Constitution and, more generally, with the requirements of a functioning democracy.
GPL Violation Lawsuit Filed Against VMware
On March 5th, 2015 the Software Freedom Conservancy announced that it had issued a grant to Linux Kernel developer Christoph Hellwig for the purpose of funding a lawsuit against VMware in Germany, in which he alleges violations of the GPL license on Linux. Software Freedom Conservancy’s grant to Mr. Hellwig is made pursuant to its GPL Compliance Project for Linux Developers.
As of Linux Kernel 3.19, Mr. Hellwig is believed to have contributed close to three hundred thousand lines of code to the Linux Kernel’s development. He is reported to be the twentieth most prolific contributor out of the over one thousand developers who collaborated on that particular release.
The court documents were filed on Mr. Hellwig’s behalf by experienced FOSS lawyer Till Jaeger. Mr. Jaeger is well known for his work representing gpl-violations.org in several GPL enforcement actions. Unfortunately, the court documents for the case, including the complaint, are not publicly available, and we have not had a chance to look at them. However, reports indicate that the dispute centers around VMware’s proprietary ESXi hypervisor, a program that runs directly on bare metal and allows virtualized systems to be loaded on top of it.
VMware released a statement confirming the lawsuit and expressing its position that Mr. Hellwig’s case is without merit. Describing its view of the technology and law underlying the dispute, VMware states: As with many other common operating systems, ESXi’s vmkernel has a stable, general-purpose API called “VMK API” that enables device drivers and other loadable modules to perform specialized functions.
Third parties can write drivers and modules that interact directly with the vmkernel utilizing the VMK API. And while these drivers do not need to be Linux drivers, when they are, we offer a compatibility alternative through a loadable kernel module called “vmklinux”, which in association with any Linux drivers, is loaded by the vmkernel and interfaces with the vmkernel through VMK API.
VMware offers vmklinux to third parties under the GPL and makes this source code available. For the reasons we’ve outlined above we are confident that our operating system is not a derivative work of Linux code and that we comply with our obligations under the GPL.
The free and open source software community will likely be keeping a close eye on the dispute as more information on the case is released.