Clarification:
The following article states, "Open source licenses, particularly the
GPL from the Free Software Foundation, reverse the established
doctrine of copyright. They give away the right to use code...." At
the recent World Science Fiction convention in Denver, Laura Majerus
was a member of the "Privacy, Free Speech, and Copy Protection" panel
in which she mentioned that "the reason Open Source works is because
the original author retains all copyright. That's why Open Source
[licencing] works. Others are allowed to use the code as part of that
copyright." No rights are "given away"...
Laura Majerus, In-house counsel at Google. Formerly a partner in the
intellectual property group of Fenwick & West.
Expertise
Laura Majerus' practice concentrates on intellectual property
protection and patent counseling in the areas of software, electrical
and computer systems. She also counsels clients on Open Source
licensing issues. Ms. Majerus is currently serving as the pro bono
Director of Legal Affairs for the Open Source Initiative. She obtained
her J.D. from the University of Iowa, with distinction, in 1987. She
was awarded an M.S., also from the University of Iowa, in 1987 jointly
with her law degree. She also has a B.S. in computer science from the
same school. She is admitted to practice in California, Iowa and the
District of Columbia.
= - = - = - = - = - = - =
...from:
http://www.informationweek.com/news/software/open_source/showArticle.jhtml?…
Open Source Code On Firmer Ground [in USA] After Jacobsen Ruling
Before the decision, it wasn't clear whether a court of law would
regard an open source license as being capable of imposing enforceable
copyright restrictions on the use of computer code.
By Charles Babcock
InformationWeek
August 14, 2008 07:00 PM
A U.S. Circuit Court of Appeals decision has upheld the binding
provisions of open source licenses, saying that failure to abide by
their terms makes the user an infringer of the copyright that underlies
them.
Until the decision in Jacobsen vs. Katzer was issued Wednesday, it
wasn't clear whether a court of law would regard an open source
license as being capable of imposing enforceable copyright
restrictions on the use of computer code.
The Circuit Court of Appeals cited Stanford professor Lawrence
Lessig's Creative Commons license as well as Jacobsen's use of the
Artistic License in saying that their provisions constitute a form of
copyright.
"It's a fantastic win. Bob Jacobsen and I are very pleased with this
result," declared Victoria Hall in an e-mail to InformationWeek. Hall
represented Jacobsen in the case. "For non-geeks, this won't seem
important. But trust me, this is huge," wrote Lessig on his blog
Wednesday.
Open source licenses, particularly the GPL from the Free Software
Foundation, reverse the established doctrine of copyright. They give
away the right to use code, provided you abide by their provisions to
make any changes available to other users. The opposite case, where
you do not have the right to use material without paying for it, has a
rich body of copyright case law. The open source licenses do not, and
it has not been clear how the courts would decide the issue once it
came before them.
The first decision in U.S. District Court for Northern California last
Aug. 17 went against open source advocates. Jacobsen, a creator of
open source model railroad control software, had been billed by
Matthew Katzer, a commercial seller of similar code, for each free
download that Jacobsen's project had allowed. The bill came to
$203,000. Jacobsen sued for a declaratory judgment that his open
source code did not infringe Katzer's company's code.
The lower court ruled that the provisions of the Artistic License
didn't protect Jacobsen. It was a stunning setback for all open source
licenses and opened other projects to potential challenge. The Circuit
Court of Appeals reversed that decision Wednesday and sent it back to
the district court.
...from:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395…
Researchers use browser to elude Vista memory protections
By Dennis Fisher, Executive Editor
07 Aug 2008 | SearchSecurity.com
LAS VEGAS -- Two security researchers have developed new techniques
that bypass the memory protection safeguards in the Windows Vista
operating system through the use of browser exploits.
In a presentation at the Black Hat briefings, Mark Dowd and Alexander
Sotirov demonstrated the new methods they've found to get around Vista
protections such as Address Space Layout Randomization (ASLR), Data
Execution Prevention (DEP) and others by using Java, ActiveX controls
and .NET objects to load arbitrary content into Web browsers.
By taking advantage of the way that browsers, specifically Internet
Explorer, handle active scripting and .NET objects, the pair have been
able to load essentially whatever content they want into a location of
their choice on a user's machine. The attacks themselves are not based
on any new vulnerabilities in IE or Vista, but instead take advantage
of Vista's fundamental architecture and the ways in which Microsoft
chose to protect it.
In their presentation at Black Hat, Dowd and Sotirov stressed that
despite their advances in getting around the Vista memory protections,
there are still a number of security mechanisms in place in the
operating system to mitigate attacks. Internet Explorer running in
Protected Mode, for example, can protect against attacks that
overwrite some files. Also, some of the pair's attacks will be
addressed in future versions of third-party software, including Flash,
which will opt into ASLR in its next release.
The message that emerged from Dowd and Sotirov's presentation is that
although Microsoft, of Redmond, Wash., went to great lengths to
upgrade the security of Vista over that of Windows XP, there are still
ways in. "The protection mechanisms in Windows Vista are not very
effective at preventing browser exploits," Sotirov said in the
presentation. "The game has changed and browsers are now the major
threat. Even on Vista where ASLR is enabled, we're able to put our
data where we want."
"The genius of this is that it's completely reusable," said Dino Dai
Zovi, a well-known security researcher and author. "They have attacks
that let them load chosen content to a chosen location with chosen
permissions. That's completely game over. What this means is that
almost any vulnerability in the browser is trivially exploitable."
Many of the defenses that Microsoft added to Vista and Windows Server
2008 are designed to stop host-based attacks. ASLR, for example, is
meant to prevent attackers from predicting target memory addresses by
randomly moving things such as a process's stack, heap and libraries.
That technique is useful against memory-corruption attacks, but Dai
Zovi said that against Dowd's and Sotirov's methods, it would be of no
use.
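The ASLR description above, together with the earlier note that Flash would opt into ASLR in its next release, points at the check a defender actually wants: which of the modules loaded into a browser process are marked for ASLR and DEP at all, since on Vista those protections apply per image, and an image that does not opt in is loaded at its preferred base. The script below is an added example, not code from the article or from Dowd and Sotirov's paper. It reads the PE optional header directly with the Python standard library and reports whether the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) bits of DllCharacteristics are set. The function names are my own, and `make_sample_image` builds constructed header-only byte strings for the demonstration rather than real binaries.

```python
"""Report whether PE images opt into ASLR and DEP.

Added example, not code from the article or from Dowd and Sotirov's paper.
It parses IMAGE_OPTIONAL_HEADER directly with the standard library, so it
runs offline; the sample images below are constructed header-only byte
strings, not real binaries.
"""
import struct

# DllCharacteristics flag bits from the Microsoft PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be rebased at load (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B

# These two field offsets are identical in the PE32 and PE32+ optional headers.
_OPT_MAGIC_OFFSET = 0
_OPT_DLLCHARS_OFFSET = 70


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; ValueError if it is not one."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4          # IMAGE_FILE_HEADER is 20 bytes
    opt = coff + 20              # IMAGE_OPTIONAL_HEADER starts here
    if opt + _OPT_DLLCHARS_OFFSET + 2 > len(image):
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt + _OPT_MAGIC_OFFSET)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (chars,) = struct.unpack_from("<H", image, opt + _OPT_DLLCHARS_OFFSET)
    return chars


def mitigation_report(image: bytes) -> dict:
    """Map each mitigation to whether the image opts in."""
    chars = dll_characteristics(image)
    return {
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def weak_modules(modules: dict) -> list:
    """Names of modules (name -> image bytes) lacking the ASLR or DEP opt-in.

    A module without DYNAMIC_BASE is loaded at its preferred address even
    when system ASLR is on, which is why plugin opt-in matters.
    """
    return sorted(name for name, img in modules.items()
                  if not all(mitigation_report(img).values()))


def make_sample_image(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for the demo (not loadable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       1, 0, 0, 0,                     # sections, timestamp, symbol table
                       opt_size, 0x2102)               # SizeOfOptionalHeader, Characteristics
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, _OPT_MAGIC_OFFSET, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, _OPT_DLLCHARS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = {
        "hardened.dll": make_sample_image(0x0140),                 # ASLR + DEP
        "legacy_plugin.dll": make_sample_image(0x0000),            # neither
        "dep_only64.dll": make_sample_image(0x0100, pe32plus=True),
    }
    for name, img in sample.items():
        print(name, mitigation_report(img))
    print("needs attention:", weak_modules(sample))
```

To audit a real process, feed `mitigation_report` the bytes of each loaded module file; the same two header bits are what linker options such as /DYNAMICBASE and /NXCOMPAT set, so a module showing `aslr: False` is one the randomization never moves.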
"This stuff just takes a knife to a large part of the security mesh
Microsoft built into Vista," Dai Zovi said. "If you think about the
fact that .NET loads DLLs into the browser itself and then Microsoft
assumes they're safe because they're .NET objects, you see that
Microsoft didn't think about the idea that these could be used as
stepping stones for other attacks. This is a real tour de force."
In the paper on which their presentation was based, Dowd and Sotirov
say that while their attacks may give attackers the upper hand right
now, they expect Microsoft and other vendors to respond quickly.
"In this paper we demonstrated that the memory protection mechanisms
available in the latest versions of Windows are not always effective
when it comes to preventing the exploitation of memory corruption
vulnerabilities in browsers. They raise the bar, but the attacker
still has a good chance of being able to bypass them. Two factors
contribute to this problem: the degree to which the browser state is
controlled by the attacker; and the extensible plugin architecture of
modern browsers. The authors expect these problems to be addressed in
future releases of Windows and browser plugins shipped by third
parties," they say in their conclusion.
"This is not insanely technical. These two guys are capable of the
really low-level technical attacks, but this is simple and reusable,"
Dai Zovi said. "I definitely think this will get reused soon, sort of
like heap spraying was."
This story was updated and corrected to include more accurate
information on Dowd and Sotirov's attacks from their paper and their
session at Black Hat.
The research paper on this can be downloaded at:
http://taossa.com/archive/bh08sotirovdowd.pdf