Why does no insider disclose the non libre computer software?

tonlee
Joined: 09/08/2014

How do chip manufacturers manage to keep the pieces of software that run their hardware secret?
Who, how and how many guard the secret parts of software on hardware? Do we know how it is organized? How do the companies manage to keep their secrets? Do very few have the source code? Are they highly paid, which makes them loyal? Are there any articles on the subject? I have not heard about one piece of Windows source software being leaked.
I asked the Free Software Foundation these questions and got no answer. What do you know?

SuperTramp83

Joined: 10/31/2014

In medieval cities, craftsmen tended to form associations based on their trades, confraternities of textile workers, masons, carpenters, carvers, glass workers, each of whom controlled secrets of traditionally imparted technology, the "arts" or "mysteries" of their crafts.
...
The guild was made up by experienced and confirmed experts in their field of handicraft. They were called master craftsmen. Before a new employee could rise to the level of mastery, he had to go through a schooling period during which he was first called an apprentice. After this period he could rise to the level of journeyman. Apprentices would typically not learn more than the most basic techniques until they were trusted by their peers to keep the guild's or company's secrets.

jxself
Joined: 09/13/2010

"Why does no insider disclose..."

Because the insider will lose their job. And get sued for any number of things: copyright violations, trade secret violations, violating the non-disclosure agreement they signed when they started working there... Maybe charge them with industrial espionage too. The company would probably try to throw on as many charges as they possibly could in an attempt to see what they could make stick.

loldier
Joined: 02/17/2016

> I have not heard about one piece of Windows source software being leaked.

If they ever do, they should promptly translate it to make it unintelligible for most of us. Unless they do, this will happen:

https://youtu.be/WwbnvkMRPKM

---------------
> Because the insider will lose their job.

Sometimes a leak is retaliation for a job loss or a poor performance report. I'd think that leaking activation secrets would do the most harm if one were inclined to do so.

http://www.pcworld.com/article/2109946/ex-microsoft-employee-charged-with-leaking-windows-rt-activation-server-code.html

https://www.theguardian.com/technology/2014/mar/20/former-microsoft-employee-arrested-over-windows-8-leaks

It's surprising they still guard the code like crown jewels. It's about time to make it public. Nobody can use it anyway -- legally that is -- and revealing the code could make it better in the long run.

Being exposed to it is lethal Bury it deep in Berkshire
tonlee
Joined: 09/08/2014

Your answers confirm to me that we do not know how they manage their secrets. We do not know how many people have the Intel ME and AMD PSP source software, their respective encryption keys and whatever other relevant software in terms of a libre software computer. Likely it is a system of need to know, and maybe their registration system on who made what enables them to narrow it down a lot regarding who did the leaking, should there be a leaker. Although I would suspect hundreds of persons would have access to the relevant Intel and AMD source software. Maybe they do not see any reason for a libre software computer and disclosing anything would be against their financial interests.
I would also like to know if there have been any hacking attempts to get the Intel and AMD non-free software? By governments, Anonymous or other actors? Unless countries like Russia and China have their own brand of computers, it must be unacceptable for them.

Soon.to.be.Free
Joined: 07/03/2016

>Your answers confirm to me that we do not know how they manage their secrets.

We do know the basic details. As others have outlined above, a combination of legal obligations and careful access management keep the risk of disclosure low. Specifics might not be public, though.

>We do not know how many people have the Intel ME and AMD PSP source software, their respective encryption keys and whatever other relevant software in terms of a libre software computer.

Why would we want to though? Please do inform me if you have something else in mind, but the only use I can see for such information is to launch a targeted attack to squeeze the details out of relevant individuals. As Ignacio.Agullo pointed out, this would be of little gain to the free software community. Though it may be harder, it would be better to petition the company or simply switch in the name of libre software.

>Likely it is a system of need to know, and maybe their registration system on who made what enables them to narrow it down a lot regarding who did the leaking, should there be a leaker.

There is- with such a large piece of software as MS Windows, for example, there are many different individual programs which combine to form the whole. Programmers are allocated to only one (maybe a few?) of these at a time, and consequently only a certain group of people have access to the code for a given part at any set moment. On top of that, any leaker trying to prove their authenticity would likely need to reveal more details- that limits even further who it could be.

>Maybe they do not see any reason for a libre software computer and disclosing anything would be against their financial interests.

To a degree, that's probably a fair assessment; however, saying they see no reason at all is likely excessive, and there's more to it than finances. It's like with the environmental movement- although support is widespread, only a tiny portion of people are sufficiently motivated and reckless to perform dangerous/illegal acts for the cause. Similarly, expecting a Snowden in every company is excessive.

>I would also like to know if there have been any hacking attempts to get the Intel and AMD non-free software?

Not that have been disclosed, to the best of my knowledge. There was the 2006 discovery of documents discussing the ME on a public FTP server by Igor Skochinsky, but Intel had put them there (through carelessness). I'm not sure they had source in them either. Furthermore, there is a rumor that ME source is traded on the dark web, but it doesn't seem to be supported by evidence. In any case, the PSP doesn't seem to come up at all in such 'attacks'.

>Unless countries like Russia and China have their own brand of computers, it must be unacceptable for them.

Without any confirmed exploits, the perceived threat from these chips likely pales in comparison to that posed by the OS and other higher-level components. Furthermore, I'm quite certain these countries do have their own computers- if not, switching to ARM-based devices would hardly be difficult.

Ignacio.Agullo
Joined: 09/29/2009

"Why does no insider disclose the non libre computer software?"
"Who, how and how many guard the secret parts of software on hardware?"

1. If there's something illegal in the *ware: The insider must disclose it. It is a duty, both ethical and legal, to denounce the violations of people's rights. Otherwise the insider becomes a collaborator for the ongoing crime, and will be punished for it should it be discovered.

2. If there's nothing illegal in the *ware: The insider mustn't disclose it. We are not copyright infringers here. We want free *ware, not *ware for free. That means legally free *ware, and the way to get legal alternatives to non-free *ware is called "the clean room". Team A studies the non-free *ware and makes a detailed list of features. Team B programs new *ware from scratch to implement all the features without knowing at all how the non-free *ware implements them. That way the new *ware is original, and legally free. A disclosure of the non-free source would only get in the way - not only is there no need for it, it could even provide a legal base to compromise the free *ware legitimacy.

Soon.to.be.Free
Joined: 07/03/2016

I fully agree with your second point- better do it legitimately than have a project constantly bear the threat of legal action, subsequently deterring newcomers from our community out of doubt about legality.

Your first point is also fairly reasonable, but it unfortunately seems that financial security and/or loyalty can keep illegal projects hidden quite well- it did with Volkswagen, at least.

J.B. Nicholson-Owens
Joined: 06/09/2014

name at domain wrote:
> How do chip manufacturers accomplish to keep the pieces of software that
> runs their hardware secret?

This assumes something we don't know to be true. The private key for
Intel's backdoor "Management Engine", for instance, might be shared among
some people. Just because that key isn't common knowledge doesn't mean it's
an effectively well-kept secret either. Absent clear indication to the
contrary (such as: a leaked key confirmed to be the correct key, a copy of
a document from Intel or one of Intel's partners indicating the author has
a copy of the key) I'd probably consider what anyone claims to be speculation.

tonlee
Joined: 09/08/2014

My questions are about the organizational part of keeping the Intel ME and AMD PSP software closed. And what actions have been made, if any, to get the source code. I asked on this forum because maybe somebody here had knowledge about the companies or knew a paper or article on the subject. The legality aspect on getting the source software in question public was not part of my questions.

I will say that regarding EU law what Ignacio writes about legality is likely not correct. My understanding is, you have a right to modify any software on your computers should you be able to do so. Now of course you may not modify software such that it does not comply with environmental and safety regulations.

onpon4
Joined: 05/30/2012

> The legality aspect on getting the source software in question public was not part of my questions.

But it is. The legality is exactly why no one on the inside leaks proprietary source code. It really is that simple.

I suppose you have a preconception that these companies must have some sort of complicated mechanism to ensure that their secrets don't get out. But they don't. It's very simple: the only people who are in a position to do so are highly paid and treated very well, there are very few of them, they almost always have no objection whatsoever to proprietary software, and even if they did, they would know that leaking the source code is just going to make things worse.

Or to put it more simply, it's a conspiracy with a very small number of conspirators who have no basis to want to go against it, and the threat of law on its side. Therefore, it is incredibly easy to enforce. That's it.

In fact, every once in a while, source code does get leaked. It happened with some sort of PowerVR driver or something like that at one time, for example. When it does happen, though, no knowledgeable person with any sort of intelligence is going to spread it, because it's illegal and that's harmful to everyone involved. In the case of the PowerVR driver, for example, having illegally leaked source code floating around the Internet just makes it more difficult to develop a libre PowerVR driver, because now you have to worry about proving that you didn't base your work on the leaked code.

> My understanding is, you have a right to modify any software on your computers should you be able to do so.

That's not the point, now is it? Regardless of whether or not you're free to incorporate copyrighted software you don't have permission to distribute, containing trade secrets you aren't supposed to know, into software you never distribute, it is illegal to distribute it to anyone. Having to develop your own drivers from scratch is not exactly helpful.

tonlee
Joined: 09/08/2014

>The legality aspect
I was referring to Ignacio's pieces of information saying that any source software obtained on the basis of illegal actions would result in computer users not being able to make use of the provided source software legally.

> It really is that simple
I am not going to say you are not right about that.
Considering what other data gets leaked or obtained by attacks, I find it impressive that about one computer after the next, the source code does not get out. I believe the companies must run a strict setup.

>That's not the point, now is it?
Should the encryption keys and source code about Intel ME and AMD PSP become available based on illegal activities, I think you would have to distinguish between 2 scenarios. Let's say the result of an investigation is that the Intel ME software does nothing unacceptable to you. Then all you would have to do is to verify that the software on your computer is the source software that has been audited. I do not know if or how that can be done. Because the available source software is identical to the software on the computer, you would be allowed to flash it on the computer. Let's say the result of an investigation would show that Intel ME contains unacceptable functions. Because the source software got provided because of illegal activities, maybe you would not be allowed to modify the source software to your requests and flash it. I know of no court that has made a ruling on this. What I think would happen is, some entity would take the source software, remove unwanted functions. Then put the modified source software online. I cannot see Intel doing anything against that. You would then have to decide about flashing the modified source software.

I have tried to read Rutkowska's papers on Intel computer software. They were too difficult for me. Am I correct that there are 2 obstacles? One is the encryption keys? The second is the source software? Even if you had the encryption keys, enabling you to flash any piece of software on the computer, if you do not have the source software, you would have to do reverse engineering, which is impossible or difficult?

Soon.to.be.Free
Joined: 07/03/2016

>I will say that regarding EU law what Ignacio writes about legality is likely not correct

I'm no expert in EU law, and so I'm likely wrong here, but it may very well be illegal. The issue is that, even if copyright law does not prevent use of leaked source code, it is also a trade secret. I don't know exactly how that would affect an end user, but it could still be an issue.

>Considering what other data gets leaked or obtained by attacks, I find it impressive that about one computer after the next, the source code does not get out. I believe the companies must run a strict setup.

They almost certainly do have a *strict* setup, but that doesn't mean it's complex. Carefully managed access means the company can easily find a leaker: once it's known you did it, you've got lawsuits and a lifetime ban from related projects. For anyone reasonably accepting of proprietary software, there's no reason to leak.

>Even if you had the encryption keys, enabling you to flash any piece of software on the computer, if you do not have the source software, you would have to do reverse engineering, which is impossible or difficult?

Your outline of the issues sounds perfect to me. In practice, I'm not quite sure how difficult reverse engineering is: it's definitely not impossible, but it certainly isn't as easy as writing software with a public specification.

jxself
Joined: 09/13/2010

"I'm no expert in EU law, and so I'm likely wrong here, but it may very well be illegal."

Thanks to things like the Berne Convention, copyright is recognized in almost every country of the world. And so the distribution of a program without the permission of the copyright holder (the company in this case) would most certainly run afoul of copyright law, creating problems for the people doing the sharing (even if they didn't work for the company.)

And of course copyright applies here - the GPL relies on it in order to have teeth (i.e., your rights terminated if you don't comply with the license and so if you're still distributing after the license has terminated it's basically just your normal case of copyright infringement because the person is distributing copyrighted stuff without permission (no license - because it terminated.))

It seems the better question might be: How to work on getting the company to release its software as free software? Then all of these issues are gone.

Because what the original poster is proposing in this thread (leaking the source code of proprietary programs) would not be free software. Free software is about being able to *legally* modify and share things (copyright governs both modifying and sharing, which is why the GPL works.)

So why does this thread even exist? Hoping for software to be leaked that we'd never be able to legally modify and share anyway? I don't want to go to jail for sharing things. That's why I use free software: So I can legally share with my friends, and not have to feel bad for doing it.

tonlee
Joined: 09/08/2014

>why does this thread even exist?
Because I want to know.

>is proposing in this thread (leaking the source code of proprietary programs)
No, I have not.

>that we'd never be able to legally modify
I have heard of no EU court ruling modifying not legal.

> share
That may be illegal. When I wrote an entity likely would rewrite the source software and put it online, I meant it could be any capable group. Paid or unpaid. Again it would be up to you, if you would flash the rewritten software.

>proprietary programs) would not be free software
That is correct. Because no legal x86 option is available, I think many would flash the software.

jxself
Joined: 09/13/2010

"I have heard of no EU court ruling modifying not legal."

Of course there are laws in the EU covering modification. I'll just point at https://en.wikipedia.org/wiki/Computer_Programs_Directive where it mentions "the translation, adaptation or other alteration to the program" as being the exclusive right of the copyright holder. Then there's Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of "intellectual property rights".

I'll also point back to the GPL again and how it relies on laws like this in order to be able to function. So look, for example, at the GPL enforcement actions that Harald Welte brought in the EU and you'll find courts siding with him that these things can't be done with the permission of the copyright holder. In fact, if modification were not the exclusive right of the copyright holder then this aspect of the GPL could not be enforced and Harald Welte would not have been as successful as he was. So it is good for us in the free world that it is. The stronger these laws get the stronger copyleft gets. :)

tonlee
Joined: 09/08/2014

I have now read the wiki and the links to the laws in my country. I say you are wrong.
You have to differentiate between, you make modifications and make them public. This is illegal.
You make modifications for testing. That is legal if the software still performs the same task on the computer.
You rewrite the software for better interoperability with what else software you have on the computer. This is legal if the software still performs the same task on the computer.

Let's say the copyright owner in front of a court claims that you are not testing a modified software version. How does the copyright owner prove that? I want to see a court ruling saying that you cannot make modifications for testing.

If you have 2 pieces of software and one of them will only work if you make modifications to the other, you may do that. And you decide which and how you want to modify the other piece of software.

I do not know what the GPL says. I have heard Stallman say, take the libre software and do with it what you want to. That includes making it all or partly non free. If you want to distribute what you have altered about the libre piece of software, it also has to be libre software.

jxself
Joined: 09/13/2010

I notice your argument changes slightly to be about interoperability, which is the first time you've raised that particular point and is different from modifications in general. I imagine it's because of what you've been reading.

The answers you seem to be looking for (now, at least) are local, but earlier seemed more global. Yes, some places of the world have rules regarding interoperability specifically, which I imagine you now know from what you've been reading. So it is really going to come down to where the person is, what their own laws are, and perhaps most importantly - what they are doing and why. But regardless, the program in question remains non-free and the abilities you refer to rely on local laws to make legal. It also raises the issue in https://www.gnu.org/philosophy/is-ever-good-use-nonfree-program.en.html which, again, all point to it depending on specifics, like if someone is working to make a free replacement for a program. But otherwise it says it's not good to be using proprietary software. Please don't use proprietary software. Regardless of whether the software and its source code were obtained via legal or illegal means. For your freedom's sake.

"I do not know what the GPL says."
Read it. It is no secret. It is available for everyone to see and know.

tonlee
Joined: 09/08/2014

You are probably looking for inaccuracies in my posts in order to undermine my position, saying there are legal means to modify a piece of software on your own computer, no matter what the license says.
What I initially wrote about modifying legally in a response to Ignacio was not a legal opinion. I was writing from my recollection. I have investigated this matter before and then I came to the conclusion that often you would be able to make modifications and a court would not rule them illegal.
The law on this matter has not changed. That is why I am asking you for court rulings telling me differently.

Your own writing contains inaccuracies and undocumented claims.
>is proposing in this thread
An undocumented claim.

>The answers you seem to be looking for (now, at least) are local, but earlier seemed more global.
Reading my previous posts you should have been able to get to know, that I wanted to tell people that modifications made by you on your own computer would be legal. Distributing them maybe not.

>Yes, some places of the world have rules
>what their own laws are, and perhaps most importantly - what they are doing and why.
>abilities you refer to rely on local laws to make legal.
What you write shows a lack of knowledge about the EU law procedure. The law in question stems from the EU. For constitutional reasons each country then makes the EU law in question part of their own law system. In doing so each country is not allowed to modify the EU law in question. Calling a law which applies to all EU countries local is inaccurate.

>I notice your argument changes slightly to be about interoperability, which is the first time you've raised that particular point and is different from modifications in general. I imagine it's because of what you've been reading.
I think you wrote that because you want to insinuate that I do not know about this matter. I am not ignorant. And you have not rebutted my main claim.

>rules regarding interoperability
You insinuate that the law sets firm limits on when you can modify a piece of software. Sometimes a law contains an exception. Sometimes the exception becomes the main feature about a law. Regarding this law, I think, on the matter of legal modifications, the exception provides a broad option to make software modifications legally. The law lists a number of legal arguments for modifying a piece of software. Should you want to make modifications about a piece of software, you would try to make them such that they would be covered by the listed arguments.

In result, often you will be able to make legal modifications about a piece of software no matter what the license says and put it on your computer.

I guess your goal was to demonstrate my view on legal software modifications is wrong. That you did not manage. It is important to tell other readers that there are ways to legally modify non libre software.

>GPL again and how it relies on laws like this in order to be able to function. So look, for example, at the GPL enforcement actions that Harald Welte brought in the EU and you'll find courts siding with him that these things can't be done with the permission of the copyright holder. In fact, if modification were not the exclusive right of the copyright holder then this aspect of the GPL could not be enforced and Harald Welte would not have been as successful as he was. So it is good for us in the free world that it is. The stronger these laws get the stronger copyleft gets. :)
Regarding your software on your computer this part is blether.
The fact that a given law grants you options to modify non libre software legally, in no way affects the GPL.

It seems your second aim about your posts is making libre software the only solution. I have explained there are options regarding modifying non libre software. I do not encourage them because I do not encourage non libre software on this forum. You could argue that the modifications could be made libre software and therefore be distributed legally. I know of no court rulings about that. The non modified part of the non libre software would still be non libre. I add that in an email to me the FSF wrote, you decide if you want to install non libre software on your computer. The FSF does not intend to limit that right.

https://www.youtube.com/watch?v=ysOO33Nv3bI
At 41.40.
I think here Stallman refers to the procedure of reverse engineering. Followed by making a libre piece of software. Apparently in the USA that has to be done by different persons for legal reasons. I do not know if this procedure is legal in the EU.
In the video Stallman mentions that people may turn over the specifications anonymously. Why that other than it is a matter of illegal leaking? Reverse engineering is legal?
I presume, that you cannot make libre software stemming from illegally leaked software. I know of no court rulings on that.

jxself
Joined: 09/13/2010

"You are probably looking for inaccuracies in my posts in order to undermine my position, "
Not at all; I was only pointing out changes that I perceived. For example:

"Calling a law which applies to all EU countries local is inaccurate."
In your very first post you were not indicating any region/jurisdiction-specific stuff. That didn't come in until later. That's why I was mentioning the change from global to local. Mentioning this change is important because I'm most familiar with stuff in the U.S., which is where I live. And it is local because the EU is not the only region/jurisdiction in the world.

And also when I said "some places of the world have rules regarding interoperability", EU law procedure was not relevant because I was not talking of the EU, although that statement may be true there too, but of the world in general. Once again, the EU is not the only region/jurisdiction in the world. I was still trying to keep the conversation more global but it seems that won't be happening, so:

"Apparently in the USA that has to be done by different persons for legal reasons."
Reverse engineering doesn't necessarily have to be done by different people, but it is the safest option.
Imagine if the person has access to a proprietary source code, studies it to learn about the program, and then goes to make their own version of the program. There is always the potential for similarities between the programs for various reasons. The person that did the reverse engineering may claim that they are merely accidental; that the similarities exist because there aren't many ways for that functionality to exist. The developer of the proprietary program may claim that the person merely copied the source code - after they had access to the source code they'd claim.

If you can instead show that a process was in place that made copying of source code impossible, because the person that wrote the new free code worked only from documentation of how the program should work and/or from a specification written by someone else that had seen the source code, but the person doing the coding never saw the original source code, then any similarities that exist are very likely to be because there are very few ways to implement that part and it's likely not copyrightable and makes for a stronger defense in case the matter goes to court.

"In the video Stallman mentions, that people may turn over the specifications anonymously. Why that other than it is a matter of illegal leaking?"

I don't think I understand the question here, but yes - there is the potential for whoever is turning over the specifications to get into trouble, as discussed earlier in the thread. An example situation might be someone that works at a company that leaks the documentation to someone outside the company. If the company were to learn that the leak happened they might then try to find out how it happened. If they were able to find out who leaked the information that person could then face charges.

"Reverse engineering is legal?"
It depends on the specific details of a situation. Some proprietary software EULAs come with terms saying you can't.

The EULA for Adobe Flash said this, for example (or did; I don't know if it still does or not but that's not relevant at this time.) The people that originally started working on Gnash, for example, were looking for people that had never used Adobe's Flash in order to avoid potential legal problems stemming from this. If they'd never used the software they could never have agreed to such terms. This is mentioned here - https://en.wikipedia.org/wiki/Gnash_(software)#Adobe_Flash_Player_End-User_License_Agreement

Of course, the next paragraph talks about whether such stuff is legal or not in the EU. But the people that were working on Gnash, like Rob Savoye, were in the U.S. and so U.S. law would have applied to them. What other laws might have applied to them in some other theoretical alternate universe where they lived in another country seems a tangential point. (And of course everything I'm saying, like on the topic of reverse engineering, has a U.S. perspective on it because that's where I live. You'll likely find differences in other regions of the world; that doesn't mean what I'm saying is wrong.)