 jmc67 join:2000-08-07 Wappingers Falls, NY | reply to linksysOLD
Re: Sveasoft defamation ------------------------- FYI James does not read these forums any longer ----------------------
linksysinfo Is James paying you to be his Spokesperson? It seems he is running away and not facing these issues. Too Bad.... -- War doesn't determine who's right, just who's left...."To steal ideas from one person is plagiarism; to steal from many is research." |
|
 | reply to Sveasoft6 quote:
Frankly I think exiting the open source development world is the next step. I have been a developer for about 25 years and I do remember Bill Gates screaming in 1979 when someone stole and copied MS BASIC. So this kind of activity has been going on for many years.
I had stumbled in the Linux world last November and it is an absolute free-for-all. No wonder companies are exiting in droves, 99.99% of GPL projects sit fallow after 1-2 releases, and the Linux desktop looks like GEM OS from the year 1987.
I do not see a fix for this problem. Perhaps the new sourceforge project with my code will be your next stop?
Hmm, for having 170 IQ this guy sure has got the wrong end of the stick on this one. Companies exiting in droves? What planet is he on?
Sure, lots of GPL projects go fallow, only because they are hobby-supported and their creators move on or don't really get it off the ground in the first place. If something has a user base normally someone else picks it up. But there are countless others that succeed beyond their creators' wildest imaginations.
Open Source and Linux have a long life ahead of them. So does proprietary software. But this guy has no clue.
I had considered subscribing, but after this thread I'll refrain. -- »www.moveon.org |
|
 harwoodrPornographic MemoryPremium join:2002-09-05 Hamilton, ON | reply to Sveasoft6 I've submitted the following to Slashdot:
quote:
First, Linksys was violating the GPL by not releasing their source for their Linux implementation on the WRT54G wireless router and WAP54G access point. When this was rectified, third party firmware started showing up. Well, now it looks like Sveasoft (one of the third party developers) has decided to restrict access to their modified source code to subscribers - that also will need to pay $49 for a CD rather than being able to download it. There is some evidence that the binary firmware may be tagged to track who downloaded it (subscriptions will be terminated for distributing "pre-release" binaries or source code) - subscribers who've posted their MD5 checksums have found their subscriptions terminated without notice.
-- Become a Browncoat! |
|
|
|
 | Due to the email above, but more importantly the $50 for source code via snail mail, I am going to ask for a refund. I do not support this kind of action when it is supposedly under the GPL.
James, I wasn't really against you before. Sure I wasn't pleased, but it was acceptable. The source code issue is the last straw though.
You have done great work up to this point and I thank you for it. If you change these draconian policies, then I may resubscribe. I will be emailing you shortly. -- My Mac Commentary | Morph3ous.net | Bustin, Inc. |
|
 | reply to harwoodr I tried posting this story to Slashdot yesterday, and got rejected. It has become more serious since then ($50 for the source code??), so I sure hope *one* of the major news sites picks this up. |
|
 | reply to linksysOLD linksysinfo wrote: quote:
FYI James does not read these forums any longer.
btw on a lighter note.
any more rumours? lol
I'm not sure to which rumors you are referring. It is a *fact* that the pre-release firmware is tagged/altered upon download from Sveasoft. You can verify this yourself if you don't believe what I described in my posts above. Now, it *is* just rumor that this firmware "phones home," and I have no knowledge one way or the other on that. It is concerning, however, because the firmware is definitely being altered beyond mere compilation of the available source code. Thus, it could be doing literally anything.
So, I am far less concerned about the GPL implications of this practice than I am about the security implications. Since you say Sveasoft is no longer reading this thread, perhaps you could ask him to explain (in at least general terms) what is included in this tagged portion of the firmware. If not, can you please explain it yourself? |
|

approval from: Corvus 
| reply to Sveasoft6
Analysis of the Alchemy 5.1 binaries FYI:
I have analyzed the three binaries of Alchemy 5.1 which I have obtained from three different sources.
The kernel is identical in all three firmware binaries.
The filesystem image (squashfs) is different in each version. In each filesystem, all files have the same creation timestamp, but different timestamps across firmware binaries. Each filesystem contains 500 files. 498 of these files are identical across all three binaries. The same two files are different in each version: hmanagement.asp and ui_cisco.gif.
A couple of lines in hmanagement.asp have superfluous whitespace before the end-of-line. Each of the binaries has a different combination of spaces and tabs in this file.
The gif is visually identical across all three firmware binaries, but uses a differently permutated color map in each binary.
The source code which has been made available by one subscriber contains a fourth variation of these files. The asp file in the source package contains almost no superfluous whitespace before the end-of-lines. The gif in the Alchemy 5.1 source package is identical to the one in the publicly released Satori 4.0 source package but different from the files in each of the three Alchemy 5.1 binaries.
The mksquashfs program (GPL software by Phillip Lougher) which the build process uses to pack the filesystem before it is attached to the kernel is distributed as binary-only. Its source is absent in both the Alchemy 5.1 and the Satori 4.0 source package.
Make your own mind up about these findings. |
|
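The comparison described in the analysis above, as an added Python example that is not part of the original thread: it hashes every file in several already-extracted filesystem trees, lists the paths that differ, and checks whether two GIFs carry the same colours in a different table order. The tree layout and sample bytes are constructed; only the file name `ui_cisco.gif` comes from the post.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_digests(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def differing_files(roots):
    """Relative paths that are missing from, or differ in, at least one tree."""
    per_tree = [tree_digests(r) for r in roots]
    paths = set().union(*per_tree)
    return sorted(p for p in paths if len({d.get(p) for d in per_tree}) > 1)

def gif_palette(data):
    """Return the GIF global colour table as a list of (r, g, b) tuples."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                       # logical screen descriptor flags
    if not packed & 0x80:                   # no global colour table
        return []
    count = 2 ** ((packed & 0x07) + 1)
    table = data[13:13 + 3 * count]
    if len(table) != 3 * count:
        raise ValueError("truncated colour table")
    return [tuple(table[i:i + 3]) for i in range(0, len(table), 3)]

def palette_reordered(a, b):
    """True if two GIFs hold the same colours in a different table order."""
    pa, pb = gif_palette(a), gif_palette(b)
    return pa != pb and sorted(pa) == sorted(pb)

def demo():
    """Build three constructed trees that differ only in one GIF's palette order."""
    base = [(0, 0, 0), (255, 255, 255), (0, 51, 102), (200, 200, 200)]
    # Constructed sample: GIF header plus a 4-entry colour table, no image data.
    gifs = [b"GIF89a\x01\x00\x01\x00\x81\x00\x00" + bytes(sum(order, ()))
            for order in (base, base[::-1], base[1:] + base[:1])]
    with tempfile.TemporaryDirectory() as tmp:
        roots = [Path(tmp, f"fw{i}") for i in range(3)]
        for root, gif in zip(roots, gifs):
            root.mkdir()
            (root / "index.asp").write_bytes(b"<html></html>\n")
            (root / "ui_cisco.gif").write_bytes(gif)
        return differing_files(roots), palette_reordered(gifs[0], gifs[1])

if __name__ == "__main__":
    print(demo())
```

A reordered colour table alone does not prove two images render identically, since the pixel indices must be remapped to match; it only shows that the palette bytes were rearranged.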
 | reply to Sveasoft6
Re: Sveasoft defamation On reading this whole thread (yes, it took some time), I can't believe the amount of BS that is being said here from one person or another. Do you guys have nothing else to do?
The amount of text typed here could have made a firmware from scratch.
Guys, get a life please :) If the GPL is being violated, then let the GPL authorities deal with it.
My god, you're like the EU Parliament. ALL TALK and no action. |
|
 | reply to Arno Nym
Re: Analysis of the Alchemy 5.1 binaries Further inspection of the superfluous whitespace indicates that »www.darkside.com.au/snow/ has been used to create it. If this is correct, then the encryption feature of Snow has been used before embedding the hidden information. |
|
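A way to make the trailing-whitespace difference visible, as an added Python example that is not part of the original thread: it confirms that several copies of one text file are identical once trailing spaces and tabs are stripped, and prints each line's trailing run as `S`/`T` characters. The sample page and its three copies are constructed, and the code makes no attempt to decode what the whitespace carries.

```python
import re

def trailing_runs(data):
    """Map line number -> trailing whitespace rendered as 'S' (space) / 'T' (tab)."""
    runs = {}
    for number, line in enumerate(data.split(b"\n"), start=1):
        match = re.search(rb"[ \t]+$", line.rstrip(b"\r"))
        if match:
            runs[number] = match.group().decode().replace(" ", "S").replace("\t", "T")
    return runs

def strip_trailing(data):
    """Drop trailing spaces and tabs from every line, keeping the line endings."""
    return re.sub(rb"[ \t]+(?=\r?\n|\Z)", b"", data)

def compare_copies(copies):
    """copies maps label -> file bytes; returns (same_once_stripped, runs per label)."""
    same = len({strip_trailing(d) for d in copies.values()}) == 1
    return same, {label: trailing_runs(d) for label, d in copies.items()}

# Constructed sample: one five-line page in three copies with different line endings.
LINES = [b"<html>", b"<body>", b"<p>Management</p>", b"</body>", b"</html>"]

def _copy(endings):
    return b"".join(line + end + b"\n" for line, end in zip(LINES, endings))

COPIES = {
    "source": _copy([b""] * 5),
    "binary A": _copy([b"", b" \t ", b"", b"\t  ", b""]),
    "binary B": _copy([b"", b"  \t", b"", b" \t\t", b""]),
}

if __name__ == "__main__":
    same, runs = compare_copies(COPIES)
    print("identical once stripped:", same)
    for label, found in runs.items():
        print(f"{label}: {found}")
```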
 tdb join:2002-05-30 Concord, NC | said by Arno Nym: Further inspection of the superfluous whitespace indicates that »www.darkside.com.au/snow/ has been used to create it. If this is correct, then the encryption feature of Snow has been used before embedding the hidden information.
Somebody might want to notify the author of snow, since it appears that it is not free for commercial use. -- Linux, it's what's for dinner. |
|
 TLS2000Crazy CanuckPremium join:2004-02-24 Mississauga, ON 1 edit | reply to Arno Nym After talking with one of the mods here I feel I must retract part of one of my previous posts.
In a previous post, I accused the mods, or Sveasoft, of editing my post to remove an MD5 checksum.
It has been proven to me that it was not possible for either the mods, or Sveasoft to have edited my post. While I will not take back anything else I have said in this thread, I feel like I made an accusation without basis in fact. I apologise to both the Mods on this forum, as well as Sveasoft for that action in particular.
I am hosting the firmware, and will soon be hosting the source for Alchemy 5.1. I will also be hosting any future versions of the source and binaries that I get a hold of. This direct action is being taken because Sveasoft has revoked my subscription. It was revoked not because I redistributed, but because I had the nerve to post an MD5 checksum of my copy of the binary obtained from Sveasoft's download site.
I will not post links on this board for it, due to a public statement by the moderators on this board.
In order to keep this post alive, we should all try to refrain from making unfounded accusations. We should also try to avoid a flame war.
Again, Sveasoft6 , sortofageek , I apologise. -- Tom Murdoch |
|
 1 edit | reply to Arno Nym said by Arno Nym: Further inspection of the superfluous whitespace indicates that »www.darkside.com.au/snow/ has been used to create it. If this is correct, then the encryption feature of Snow has been used before embedding the hidden information.
"The snow source code and the algorithms contained within it are free for non-commercial use"
I'm wondering if James has paid a license for this...  |
|
 | Don't jump to conclusions. A tool with similar output could be written in a matter of hours with publicly available crypto libraries. |
|
 pandoraPremium join:2001-06-01 Outland kudos:1
| said by Arno Nym: Don't jump to conclusions. A tool with similar output could be written in a matter of hours with publicly available crypto libraries.
Is the message encoded or just hidden, is decryption or exposure possible with a tool? Even if we could determine the size of the encryption we'd be able to guess what's stored... userid... date... time??
Can anyone who can download a binary indicate if they download 2 binaries on 2 days (of the same binary from Sveasoft) are they identical... this would help determine if there is a date/time stamp. If they're identical across time... then likely it's encrypting userid... someone with a copy may be able to test then by encrypting the userid into the "stripped" file to see if they get similar results. At least then the "mystery" of the checksum would be solved  |
|
 | reply to Sveasoft6
Re: Sveasoft defamation I think this thread is long enough that I should post a summary of the events so far. Please feel free to correct me if I am wrong. I will only try to post facts, not my personal opinions, so as not to continue this flame war. I will edit this with corrections if need be, and will clearly state if it's edited or not.
1) This all started when TheIndividual posted e-mails from Sveasoft (as of yet unverified, but commensurate with Sveasoft's other communications with members of this forum) onto an anonymous website, along with a binary of the pre-release Alchemy pre5.1 firmware that he got from someone else. Sveasoft started this thread accusing TheIndividual of violating the GPL and defaming Sveasoft.
2) It is clear that the firmware (pre-release or not) is distributed under the GPL, which allows for the free redistribution of both binaries (w/source) and source code. Sveasoft explicitly allows this redistribution of pre-release firmwares as posted in their FAQ here: »www.sveasoft.com/modules/phpBB2/···96f84eaa
3) Sveasoft also states that if a subscriber redistributes pre-release firmwares, they will lose their subscription. Some people have argued that this goes against the GPL, but the FSF has decided this is *not* a violation.
4) Sveasoft can track the subscribers who redistribute their binaries by attaching some kind of tag to each firmware binary (as demonstrated by the different MD5 sums found so far). This makes sense, considering Sveasoft thought TheIndividual was someone else at first. Arno Nym has done some work to try to find what the unique identifier is. It is unknown whether this is allowed under the GPL.
5) Neither subscribers nor non-subscribers have any right to future code Sveasoft has not yet released. It is "his" code, and he can choose not to distribute it. But once he does distribute it, whether publicly or privately to his subscribers, it is under the GPL and is free for *anyone* to redistribute.
6) Sveasoft has changed their minds about offering the source code as a free download, and now only offers it on a CD sent through the mail for a price of $50. This seems to be a violation of the GPL, but we need to hear back from the FSF about that.
The main problems people in this forum have with Sveasoft is *not* that they charge $20 for a subscription. It's because of the following:
Sveasoft has accused several people of "pirating" the Sveasoft pre-release firmware and posting it online illegally, and has had websites shut down because of this. This is unbelievable considering Sveasoft says they allow this (see above). Sveasoft is also ending the subscriptions (but refunding their money) of people who have posted their MD5 sums of the binaries. It says nowhere in the subscriber contract that they can't do this. There have been a couple of nasty e-mail exchanges between forum members (TheIndividual, joakimsen) and Sveasoft. Sveasoft acts almost holier-than-thou (IQ 170) and seems to think the GPL doesn't apply to him [disclaimer: my personal opinion]. Sveasoft is now charging $50 for the source code, which is just ridiculous considering it costs almost nothing to distribute it over the internet. |
|
 1 edit | reply to pandora
Re: Analysis of the Alchemy 5.1 binaries Arno Nym: I have to admit that I am not that familiar with the firmware structure. Congratulations on your findings, I'm just curious how you did it. Did you strip the squashfs from the binary or did you actually upload it to your router and compare those files? I guess the former, so I would like to know how exactly one can do that and if it would be possible to re-compress a tag-free version? Sveasoft obviously must be keeping all the different binaries available for possible later downloads, so they do know which file with which md5sum got transferred to who.
Anyways it's nice to know that there are no code differences in all versions, I never really believed in any backdoor and such on P2P versions. |
|
 | reply to maaaac
Re: Sveasoft defamation quote: Sveasoft is now charging $50 for the source code, which is just ridiculous considering it costs almost nothing to distribute it over the internet.
So you never pay for bandwidth then? That's a first. Anyone that downloads from a website eats up bandwidth. To host a domain you pay for bandwidth.
"You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee."
Transferring a copy could mean download 
»www.gnu.org/copyleft/gpl.html
"When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things."
|
|
 | reply to TheIndividual
Re: Analysis of the Alchemy 5.1 binaries A backdoor or phone home function is still possible if it is in every firmware binary. I only checked for differences. I have yet to compile my own binary. Sifting through the whole source for trojan code would take a long time.
The squash filesystem has a magic number. Open the firmware image with a hex editor and look for hsqs (0x68 0x73 0x71 0x73) or shsq (0x73 0x68 0x73 0x71). In the Alchemy 5.1 binaries, this signature is found at offset 0xB84A0. Copy everything from that point on into a new file. This file can be mounted on a system with a matching squashfs driver (mount -o loop -t squashfs image.sqfs /mnt). The squashfs 2.0 final driver does not recognize the filesystem images from Alchemy 5.1, but the squashfs source from the Alchemy source package can be compiled on an i386 as well. To create a new squashfs image, you would have to use the binary-only mksquashfs from the Alchemy source package, concatenate the resulting image file with a header and a kernel and adjust the checksum in the header. This could be the point where the tag is created, so check the resulting filesystem image. You could also try using the newer mksquashfs directly from the author, but to avoid bricking your router, you should first verify that you can mount the filesystem image with a kernel which has been patched with the squashfs code from Alchemy.
It should be noted that the tagging need not be this obvious and it is absolutely possible to create tags in a way which permits exact identification of the group of files which has been compared in order to eliminate the tag. Detagging could thus get all subscribers kicked who offer their downloaded firmware for comparison. You would be better off sacrificing one subscription per release. |
|
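The signature search from the post above, as an added Python example that is not part of the original thread: it finds every occurrence of the two squashfs signatures, splits an image at the filesystem start, and hashes both halves so several copies can be compared region by region. The sample images are constructed stand-ins, not firmware, and the function names are hypothetical.

```python
import hashlib

MAGICS = (b"hsqs", b"shsq")  # the two signatures named in the post above

def squashfs_offsets(image):
    """Return the sorted offsets of every candidate squashfs signature."""
    hits = []
    for magic in MAGICS:
        pos = image.find(magic)
        while pos != -1:
            hits.append(pos)
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def split_image(image, offset=None):
    """Split an image into (offset, bytes before the filesystem, filesystem).

    The first signature is used unless offset is given; a signature can also
    occur by chance inside compressed kernel data, so check squashfs_offsets().
    """
    hits = squashfs_offsets(image)
    if offset is None:
        if not hits:
            raise ValueError("no squashfs signature found")
        offset = hits[0]
    elif offset not in hits:
        raise ValueError(f"no squashfs signature at {offset:#x}")
    return offset, image[:offset], image[offset:]

def compare_images(images):
    """images maps label -> bytes; returns per-label (offset, head hash, fs hash)."""
    report = {}
    for label, image in images.items():
        offset, head, fs = split_image(image)
        report[label] = (offset, hashlib.sha256(head).hexdigest(),
                         hashlib.sha256(fs).hexdigest())
    return report

# Constructed sample images: a shared 64-byte stand-in for header and kernel,
# followed by a fake filesystem that differs per copy. Not real firmware; the
# post notes a real header carries a checksum, so real heads may differ there.
HEAD = b"constructed-kernel".ljust(64, b"\x00")
IMAGES = {name: HEAD + b"hsqs" + name.encode() * 8 for name in ("A", "B", "C")}

if __name__ == "__main__":
    for label, (offset, head, fs) in compare_images(IMAGES).items():
        print(f"{label}: squashfs at {offset:#x} head={head[:12]} fs={fs[:12]}")
```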
 | reply to mcmail
Re: Sveasoft defamation So you never pay for bandwidth then? Don't be silly. He said "almost nothing". 35MB of transfer volume costs 7 cents if your webhoster rips you off and you pay $2 per GByte. The people who could download this file had paid $20, remember? |
|
 sargeeldSgm RetiredPremium join:2002-12-16 Raeford, NC | reply to mcmail said by mcmail:
So you never pay for bandwidth then? That's a first. Anyone that downloads from a website eats up bandwidth. To host a domain you pay for bandwidth.
Hmmm, I get 20Gigs of bandwidth per month for $4.95. If I charge $50 per 35 meg download I start making profit with the first download...... If all 20 Gigs are used for downloads that comes to $28,550.00. Minus the $4.95, that leaves $28,545.05 in profit. I see what you mean mcmail!!  -- Help Team Starfire get into fifth place... Join Team Starfire today!! |
|