jmc67
join:2000-08-07
Wappingers Falls, NY

jmc67 to linksysOLD

Member

to linksysOLD

Re: Sveasoft defamation


-------------------------
FYI James does not read these forums any longer
----------------------

linksysinfo
Is James paying you to be his Spokesperson?
It seems he is running away and not facing these issues.
Too Bad....
ihaddsl
join:2001-12-05
/dev/hda0

ihaddsl to Sveasoft6

Member

to Sveasoft6
quote:

Frankly I think exiting the open source development world is the next step. I have been a developer for about 25 years and I do remember Bill Gates screaming in 1979 when someone stole and copied MS BASIC. So this kind of activity has been going on for many years.

I had stumbled in the Linux world last November and it is an absolute free-for-all. No wonder companies are exiting in droves, 99.99% of GPL projects sit fallow after 1-2 releases, and the Linux desktop looks like GEM OS from the year 1987.

I do not see a fix for this problem. Perhaps the new sourceforge project with my code will be your next stop?

Hmm, for having 170 IQ this guy sure has got the wrong end of the stick on this one. Companies exiting in droves? What planet is he on?

Sure, lots of GPL projects go fallow, only because they are hobby supported and their creators move on or don't really get it off the ground in the first place. If something has a user base normally someone else picks it up. But there are countless others that succeed beyond their creators' wildest imaginations.

Open Source and Linux have a long life ahead of them. So does proprietary software. But this guy has no clue.

I had considered subscribing, but after this thread I'll refrain.

harwoodr
Pornographic Memory
Premium Member
join:2002-09-05
Hamilton, ON

1 recommendation

harwoodr to Sveasoft6

Premium Member

to Sveasoft6
I've submitted the following to Slashdot:
quote:

First, Linksys was violating the GPL by not releasing their source for their Linux implementation on the WRT54G wireless router and WAP54G access point. When this was rectified, third party firmware started showing up. Well, now it looks like Sveasoft (one of the third party developers) has decided to restrict access to their modified source code to subscribers - that also will need to pay $49 for a CD rather than being able to download it. There is some evidence that the binary firmware may be tagged to track who downloaded it (subscriptions will be terminated for distributing "pre-release" binaries or source code) - subscribers who've posted their MD5 checksums have found their subscriptions terminated without notice.


morph3ous
Premium Member
join:2002-05-16
Emeryville, CA

morph3ous

Premium Member

Due to the email above, but more importantly the $50 for source code via snail mail, I am going to ask for a refund. I do not support this kind of action when it is supposedly under the GPL.

James, I wasn't really against you before. Sure I wasn't pleased, but it was acceptable. The source code issue is the last straw though.

You have done great work up to this point and I thank you for it. If you change these draconian policies, then I may resubscribe. I will be emailing you shortly.
maaaac
join:2004-06-20

maaaac to harwoodr

Member

to harwoodr
I tried posting this story to Slashdot yesterday, and got rejected. It has become more serious since then ($50 for the source code??), so I sure hope *one* of the major news sites picks this up.

crct
@168.143.x.x

crct to linksysOLD

Anon

to linksysOLD
linksysinfo wrote:
quote:

FYI James does not read these forums any longer.

btw on a lighter note.

any more rumours? lol

I'm not sure to which rumors you are referring. It is a *fact* that the pre-release firmware is tagged/altered upon download from Sveasoft. You can verify this yourself if you don't believe what I described in my posts above. Now, it *is* just rumor that this firmware "phones home," and I have no knowledge one way or the other on that. It is concerning, however, because the firmware is definitely being altered beyond mere compilation of the available source code. Thus, it could be doing literally anything.

So, I am far less concerned about the GPL implications of this practice than I am about the security implications. Since you say Sveasoft is no longer reading this thread, perhaps you could ask him to explain (in at least general terms) what is included in this tagged portion of the firmware. If not, can you please explain it yourself?

Arno Nym
@unknown

1 recommendation

Arno Nym to Sveasoft6

Anon

to Sveasoft6

Analysis of the Alchemy 5.1 binaries

FYI:

I have analyzed the three binaries of Alchemy 5.1 which I have obtained from three different sources.

The kernel is identical in all three firmware binaries.

The filesystem image (squashfs) is different in each version. In each filesystem, all files have the same creation timestamp, but different timestamps across firmware binaries. Each filesystem contains 500 files. 498 of these files are identical across all three binaries. The same two files are different in each version: hmanagement.asp and ui_cisco.gif.

A couple of lines in hmanagement.asp have superfluous whitespace before the end-of-line. Each of the binaries has a different combination of spaces and tabs in this file.

The gif is visually identical across all three firmware binaries, but uses a differently permutated color map in each binary.

The source code which has been made available by one subscriber contains a fourth variation of these files. The asp file in the source package contains almost no superfluous whitespace before the end-of-lines. The gif in the Alchemy 5.1 source package is identical to the one in the publicly released Satori 4.0 source package but different from the files in each of the three Alchemy 5.1 binaries.

The mksquashfs program (GPL software by Phillip Lougher) which the build process uses to pack the filesystem before it is attached to the kernel is distributed as binary-only. Its source is absent in both the Alchemy 5.1 and the Satori 4.0 source package.

Make your own mind up about these findings.
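
The comparison described in the post above can be reproduced with a short script. This is an added example, not part of the original post: it profiles the trailing spaces and tabs on each line of several copies of one file and checks that the copies are otherwise identical. The file contents and the copy names are constructed sample data.

```python
import hashlib

def trailing_ws(line: bytes) -> bytes:
    """Spaces/tabs sitting between the last visible byte and the end of line."""
    body = line.rstrip(b"\r\n")
    return body[len(body.rstrip(b" \t")):]

def ws_profile(data: bytes) -> dict:
    """Map 1-based line number -> trailing whitespace, for lines that carry any."""
    profile = {}
    for number, line in enumerate(data.split(b"\n"), 1):
        tail = trailing_ws(line)
        if tail:
            profile[number] = tail
    return profile

def visible_digest(data: bytes) -> str:
    """SHA-256 of the file with trailing whitespace ignored on every line."""
    lines = [line.rstrip(b" \t\r") for line in data.split(b"\n")]
    return hashlib.sha256(b"\n".join(lines)).hexdigest()

def show(ws: bytes) -> str:
    """Render invisible bytes for a report: S = space, T = tab."""
    return "".join("S" if b == 0x20 else "T" for b in ws)

def compare_copies(copies: dict) -> dict:
    """Report whether copies differ only in trailing whitespace, and on which lines."""
    profiles = {name: ws_profile(data) for name, data in copies.items()}
    digests = {visible_digest(data) for data in copies.values()}
    numbers = sorted({n for p in profiles.values() for n in p})
    differing = [n for n in numbers
                 if len({p.get(n, b"") for p in profiles.values()}) > 1]
    return {"same_visible_content": len(digests) == 1,
            "differing_lines": differing,
            "profiles": profiles}

# Constructed sample: one small page, three copies with different trailing
# whitespace on lines 2 and 4, and a "source" copy with none.
BASE = [b"<html>", b"<table>", b"<tr><td>Router Name</td></tr>",
        b"</table>", b"</html>"]

def make_copy(tails: dict) -> bytes:
    return b"\n".join(line + tails.get(i, b"")
                      for i, line in enumerate(BASE, 1)) + b"\n"

COPIES = {
    "image_a": make_copy({2: b" \t ", 4: b"\t"}),
    "image_b": make_copy({2: b"\t  ", 4: b" "}),
    "image_c": make_copy({2: b" ", 4: b"\t\t"}),
    "source": make_copy({}),
}
REPORT = compare_copies(COPIES)

if __name__ == "__main__":
    print("visible content identical:", REPORT["same_visible_content"])
    for number in REPORT["differing_lines"]:
        for name, profile in REPORT["profiles"].items():
            print(f"line {number} {name}: {show(profile.get(number, b'')) or '-'}")
```

On real data, `COPIES` would hold the bytes of the same file read from each mounted filesystem image.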

mcmail
@ntl.com

mcmail to Sveasoft6

Anon

to Sveasoft6

Re: Sveasoft defamation

On reading this whole thread (yes, it took some time), I can't believe the amount of BS that is being said here from one person or another. Do you guys have nothing else to do?

the amount of text typed here could have made a firmware from scratch.

guys get a life please :) if the GPL is being violated then let the GPL authorities deal with it.

my god, you're like the EU Parliament. ALL TALK and no action.

Arno Nym
@unknown

Arno Nym to Arno Nym

Anon

to Arno Nym

Re: Analysis of the Alchemy 5.1 binaries

Further inspection of the superfluous whitespace indicates that »www.darkside.com.au/snow/ has been used to create it. If this is correct, then the encryption feature of Snow has been used before embedding the hidden information.
tdb
join:2002-05-30
Concord, NC

tdb

Member

said by Arno Nym:
Further inspection of the superfluous whitespace indicates that »www.darkside.com.au/snow/ has been used to create it. If this is correct, then the encryption feature of Snow has been used before embedding the hidden information.

Somebody might want to notify the author of snow, since it appears that it is not free for commercial use.

TLS2000
Premium Member
join:2004-02-24
Elmsdale, NS
Ubiquiti UDM-Pro
Ubiquiti U6-LR
Ubiquiti UniFi UAP-nanoHD

1 edit

1 recommendation

TLS2000 to Arno Nym

Premium Member

to Arno Nym
After talking with one of the mods here I feel I must retract part of one of my previous posts.

In a previous post, I accused the mods, or Sveasoft, of editing my post to remove an MD5 checksum.

It has been proven to me that it was not possible for either the mods, or Sveasoft to have edited my post. While I will not take back anything else I have said in this thread, I feel like I made an accusation without basis in fact. I apologise to both the Mods on this forum, as well as Sveasoft for that action in particular.

I am hosting the firmware, and will soon be hosting the source for Alchemy 5.1. I will also be hosting any future versions of the source and binaries that I get a hold of. This direct action is being taken because Sveasoft has revoked my subscription. It was revoked not because I redistributed, but because I had the nerve to post an MD5 checksum of my copy of the binary obtained from Sveasoft's download site.

I will not post links on this board for it, due to a public statement by the moderators on this board.

In order to keep this post alive, we should all try to prevent from making unfounded accusations. We should also try to avoid a flame war.

Again, Sveasoft6, Sunny, I apologise.
viper54g
join:2004-07-16

1 edit

viper54g to Arno Nym

Member

to Arno Nym
said by Arno Nym:
Further inspection of the superfluous whitespace indicates that »www.darkside.com.au/snow/ has been used to create it. If this is correct, then the encryption feature of Snow has been used before embedding the hidden information.

"The snow source code and the algorithms contained within it are free for non-commercial use"

I'm wondering if James has paid a license for this...

Arno Nym
@unknown

Arno Nym

Anon

Don't jump to conclusions. A tool with similar output could be written in a matter of hours with publicly available crypto libraries.
pandora
Premium Member
join:2001-06-01
Outland

pandora

Premium Member

said by Arno Nym:
Don't jump to conclusions. A tool with similar output could be written in a matter of hours with publicly available crypto libraries.

Is the message encoded or just hidden, is decryption or exposure possible with a tool? Even if we could determine the size of the encryption we'd be able to guess what's stored... userid... date... time??

Can anyone who can download a binary indicate if they download 2 binaries on 2 days (of the same binary from Sveasoft) are they identical... this would help determine if there is a date/time stamp. If they're identical across time... then likely it's encrypting userid... someone with a copy may be able to test then by encrypting the userid into the "stripped" file to see if they get similar results. At least then the "mystery" of the checksum would be solved
maaaac
join:2004-06-20

1 recommendation

maaaac to Sveasoft6

Member

to Sveasoft6

Re: Sveasoft defamation

I think this thread is long enough that I should post a summary of the events so far. Please feel free to correct me if I am wrong. I will only try to post facts, not my personal opinions, as to not continue this flame war. I will edit this with corrections if need be, and will clearly state if it's edited or not.

1) This all started when TheIndividual posted e-mails from Sveasoft (as of yet unverified, but commensurate with Sveasoft's other communications with members of this forum) onto an anonymous website, along with a binary of the pre-release Alchemy pre5.1 firmware that he got from someone else. Sveasoft started this thread accusing TheIndividual of violating the GPL and defaming Sveasoft.

2) It is clear that the firmware (pre-release or not) is distributed under the GPL, which allows for the free redistribution of both binaries (w/source) and source code. Sveasoft explicitly allows this redistribution of pre-release firmwares as posted in their FAQ here: »www.sveasoft.com/modules ··· 96f84eaa

3) Sveasoft also states that if a subscriber redistributes pre-release firmwares, they will lose their subscription. Some people have argued that this goes against the GPL, but the FSF has decided this is *not* a violation.

4) Sveasoft can track the subscribers who redistribute their binaries by attaching some kind of tag to each firmware binary (as demonstrated by the different MD5 sums found so far). This makes sense, considering Sveasoft thought TheIndividual was someone else at first. Arno Nym has done some work to try to find what the unique identifier is. It is unknown whether this is allowed under the GPL.

5) Neither subscribers nor non-subscribers have any right to future code Sveasoft has not yet released. It is "his" code, and he can choose not to distribute it. But once he does distribute it, whether publicly or privately to his subscribers, it is under the GPL and is free for *anyone* to redistribute.

6) Sveasoft has changed their minds about offering the source code as a free download, and now only offers it on a CD sent through the mail for a price of $50. This seems to be a violation of the GPL, but we need to hear back from the FSF about that.

The main problems people in this forum have with Sveasoft is *not* that they charge $20 for a subscription. It's because of the following:

Sveasoft has accused several people of "pirating" the Sveasoft pre-release firmware and posting it online illegally, and has had websites shut down because of this. This is unbelievable considering Sveasoft says they allow this (see above).
Sveasoft is also ending the subscriptions (but refunding their money) of people who have posted their MD5 sums of the binaries. It says nowhere in the subscriber contract that they can't do this.
There have been a couple of nasty e-mail exchanges between forum members (TheIndividual, joakimsen) and Sveasoft. Sveasoft acts almost holier-than-thou (IQ 170) and seems to think the GPL doesn't apply to him [disclaimer: my personal opinion].
Sveasoft is now charging $50 for the source code, which is just ridiculous considering it costs almost nothing to distribute it over the internet.

TheIndividual
@anonymizationservice

1 edit

TheIndividual to pandora

Anon

to pandora

Re: Analysis of the Alchemy 5.1 binaries

Arno Nym:
I have to admit that I am not that familiar with the firmware structure. Congratulations on your findings, I'm just curious how you did it. Did you strip the squashfs from the binary or did you actually upload it to your router and compare those files? I guess the former, so I would like to know how exactly one can do that and if it would be possible to re-compress a tag-free version?
Sveasoft obviously must be keeping all the different binaries available for possible later downloads, so they do know which file with which md5sum got transferred to who.

Anyways it's nice to know that there are no code differences in all versions, I never really believed in any backdoor and such on P2P versions.

mcmail
@ntl.com

mcmail to maaaac

Anon

to maaaac

Re: Sveasoft defamation

quote:
Sveasoft is now charging $50 for the source code, which is just ridiculous considering it costs almost nothing to distribute it over the internet.
So you never pay for bandwidth then? that's a first. anyone that downloads from a website eats up bandwidth. to host a domain you pay for bandwidth.

"You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee."

transferring a copy could mean download

»www.gnu.org/copyleft/gpl.html

"When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things."


Arno Nym
@unknown

Arno Nym to TheIndividual

Anon

to TheIndividual

Re: Analysis of the Alchemy 5.1 binaries

A backdoor or phone home function is still possible if it is in every firmware binary. I only checked for differences. I have yet to compile my own binary. Sifting through the whole source for trojan code would take a long time.

The squash filesystem has a magic number. Open the firmware image with a hex editor and look for hsqs (0x68 0x73 0x71 0x73) or shsq (0x73 0x68 0x73 0x71). In the Alchemy 5.1 binaries, this signature is found at offset 0xB84A0. Copy everything from that point on into a new file. This file can be mounted on a system with a matching squashfs driver (mount -o loop -t squashfs image.sqfs /mnt). The squashfs 2.0 final driver does not recognize the filesystem images from Alchemy 5.1, but the squashfs source from the Alchemy source package can be compiled on an i386 as well. To create a new squashfs image, you would have to use the binary-only mksquashfs from the Alchemy source package, concatenate the resulting image file with a header and a kernel and adjust the checksum in the header. This could be the point where the tag is created, so check the resulting filesystem image. You could also try using the newer mksquashfs directly from the author, but to avoid bricking your router, you should first verify that you can mount the filesystem image with a kernel which has been patched with the squashfs code from Alchemy.

It should be noted that the tagging need not be this obvious and it is absolutely possible to create tags in a way which permits exact identification of the group of files which has been compared in order to eliminate the tag. Detagging could thus get all subscribers kicked who offer their downloaded firmware for comparison. You would be better off sacrificing one subscription per release.
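
The signature search and split described in the post above, scripted instead of done by hand in a hex editor. This is an added example, not part of the original post: it looks for the two signatures the post names, splits each image at the filesystem start, and hashes the two regions so images can be compared region by region. The image bytes and names are constructed sample data.

```python
import hashlib

# The two signatures named in the post above.
MAGICS = (b"hsqs", b"shsq")

def find_squashfs(image: bytes) -> list:
    """Return sorted (offset, magic) pairs for every occurrence of a signature."""
    hits = []
    for magic in MAGICS:
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, magic))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def split_image(image: bytes, offset=None):
    """Split into (bytes before the filesystem, filesystem bytes).

    The first hit is used unless an offset is given. Four bytes can match by
    chance inside a compressed kernel, so a caller may pick another candidate.
    """
    offsets = [o for o, _ in find_squashfs(image)]
    if not offsets:
        raise ValueError("no squashfs signature found")
    if offset is None:
        offset = offsets[0]
    elif offset not in offsets:
        raise ValueError(f"no signature at offset {offset:#x}")
    return image[:offset], image[offset:]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def region_report(images: dict) -> dict:
    """Hash the region before the filesystem and the filesystem of each image."""
    rows = {}
    for name, data in images.items():
        head, fs = split_image(data)
        rows[name] = {"fs_offset": len(head),
                      "head_sha256": sha256(head),
                      "fs_sha256": sha256(fs)}
    return {"rows": rows,
            "head_identical": len({r["head_sha256"] for r in rows.values()}) == 1,
            "fs_identical": len({r["fs_sha256"] for r in rows.values()}) == 1}

def carve(image_path: str, out_path: str) -> int:
    """Write the filesystem part of image_path to out_path; return its offset."""
    with open(image_path, "rb") as fh:
        head, fs = split_image(fh.read())
    with open(out_path, "wb") as fh:
        fh.write(fs)
    return len(head)

# Constructed sample: the same placeholder header+kernel bytes, then a
# signature and two different filesystem payloads. Not a real firmware layout.
HEAD = b"CONSTRUCTED-HEADER" + b"K" * 64
IMAGES = {"image_a": HEAD + b"hsqs" + b"fs-bytes-A",
          "image_b": HEAD + b"hsqs" + b"fs-bytes-B"}
REPORT = region_report(IMAGES)

if __name__ == "__main__":
    for name, row in REPORT["rows"].items():
        print(name, hex(row["fs_offset"]), row["head_sha256"][:12], row["fs_sha256"][:12])
    print("head identical:", REPORT["head_identical"],
          "| filesystem identical:", REPORT["fs_identical"])
```

The post mentions a checksum in the image header, so on real images the region before the filesystem may differ in its header bytes even when the kernel is the same.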
Arno Nym

Arno Nym to mcmail

Anon

to mcmail

Re: Sveasoft defamation

So you never pay for bandwidth then?
Don't be silly. He said "almost nothing". 35MB of transfer volume costs 7 cents if your webhoster rips you off and you pay $2 per GByte. The people who could download this file had paid $20, remember?

sargeeld
Sgm Retired
Premium Member
join:2002-12-16
Raeford, NC

sargeeld to mcmail

Premium Member

to mcmail
said by mcmail:

So you never pay for bandwidth then? that's a first. anyone that downloads from a website eats up bandwidth. to host a domain you pay for bandwidth.


Hmmm, I get 20Gigs of bandwidth per month for $4.95. If I charge $50 per 35 meg download I start making profit with the first download...... If all 20 Gigs are used for downloads that comes to $28,550.00. Minus the $4.95, that leaves $28,545.05 in profit. I see what you mean mcmail!!
maaaac
join:2004-06-20

maaaac to mcmail

Member

to mcmail
said by mcmail:
So you never pay for bandwidth then? that's a first. anyone that downloads from a website eats up bandwidth. to host a domain you pay for bandwidth.

If you read closely, I said "it costs almost nothing". I pay $4/mo. for a website with 3GB of bandwidth. That works out to $.0013/MB, so for the 35MB of source code, that would be approximately 4.6 cents. That is "almost nothing" compared to $50.00 for a CD.
north7
join:2003-01-18
Scarsdale, NY

north7 to Sveasoft6

Member

to Sveasoft6
um, newb question here...
How could Sveasoft know that binaries that were tagged with a particular subscriber's userid were flashed on routers that were not owned by that user?
I've read the entire thread, and my memory might be a little off, but wasn't someone's subscription revoked because he shared pre-release binaries with some friends who then flashed their routers?
Correct me if I'm wrong...

joako
Premium Member
join:2000-09-07
/dev/null

joako

Premium Member

said by north7:
um, newb question here...
How could Sveasoft know that binaries that were tagged with a particular subscriber's userid were flashed on routers that were not owned by that user?
I've read the entire thread, and my memory might be a little off, but wasn't someone's subscription revoked because he shared pre-release binaries with some friends who then flashed their routers?
Correct me if I'm wrong...

That might be me. I was mistaken, my subscription was terminated for posting the MD5sum of the firmware.
tdb
join:2002-05-30
Concord, NC

tdb to north7

Member

to north7
said by north7:
um, newb question here...
How could Sveasoft know that binaries that were tagged with a particular subscriber's userid were flashed on routers that were not owned by that user?
I've read the entire thread, and my memory might be a little off, but wasn't someone's subscription revoked because he shared pre-release binaries with some friends who then flashed their routers?
Correct me if I'm wrong...

What happened was that those copies got out onto the p2p networks (primarily) and websites. Sveasoft would simply download the binary from wherever, look at the tag, and can the subscriber who originally downloaded the firmware.

TheIndividual
@anonymizationservice

TheIndividual to north7

Anon

to north7
The "friend" probably passed it on, maybe accidentally. Having two routers run on the same subscription is no problem at all so that's not how Sveasoft can determine a leak.
But if you want to make it public, you'll have to risk getting your subscription canceled should Sveasoft get their hand on the firmware or its MD5 sum.
tdb
join:2002-05-30
Concord, NC

tdb

Member

said by Tut Tut:

Sveasoft will still live where he resides now.

Are you seeing the picture clearer now??

Just keep stirring the mud fellas.

And I'm sure James will continue with his anti-"freeloader" tirades, hunting down and harassing his own customers, and being pissed off at the big bad open source meanies out there. I, for one, think that is no way to run a business.

joako
Premium Member
join:2000-09-07
/dev/null

1 edit

joako to TheIndividual

Premium Member

to TheIndividual
said by TheIndividual:
The "friend" probably passed it on, maybe accidentally. Having two routers run on the same subscription is no problem at all so that's not how Sveasoft can determine a leak.
But if you want to make it public, you'll have to risk getting your subscription canceled should Sveasoft get their hand on the firmware or its MD5 sum.

In 24 hours? I highly doubt that the firmware would have gone around the internet and back in 24 hours. Besides, doesn't Sveasoft have better things to do than scour the internet for the GPL code he distributes himself? He saw the MD5sum, clicked on my name, saw my email address and connected it with my account on his site.

jig
join:2001-01-05
Hacienda Heights, CA

jig to Sveasoft6

Member

to Sveasoft6

just a couple questions. please link me to the proper posts if i missed them in the thread.

1) what stops the sveasoft firmware from being in perpetual beta? wouldn't this be an end-run of the GPL?

2) isn't his beta distribution model, by subscription, considered a 'public' distribution since anyone with $x can get it? where is 'public distribution' defined in the GPL?

3) how can his 'private' distribution also be considered licensed under the GPL (james seems to say this in the FAQ)? shouldn't he have it licensed under some other license? if the argument is no, because it contains GPL code from other authors, then i guess i get back to question 1.

-jig

TooMuchBS
@168.143.x.x

TooMuchBS to Sveasoft6

Anon

to Sveasoft6
There's free stuff from Sveasoft all over. How come you guys gotta get everything? I mean who cares? They been releasing free stuff for a long time now and everyone is upset about it. Maybe they should stop so all you guys go away and leave it alone.
tdb
join:2002-05-30
Concord, NC

tdb to joako

Member

to joako
said by joako:
Besides, doesn't Sveasoft have better things to do than scour the internet for the GPL code he distributes himself?

Based on what I've seen and heard, somehow I don't think so...