
Bill Gates' letter to hobbyists (en Français, 2006)

Plus ça change


The mere fact that a free software project has rejected source code might surprise some, but only until you see the strings attached. And they're more shackles than strings.

"The license proposal forbids you to run any binary that's based on the source code," Samba developer Volker Lendecke says.

As the Samba submission to the commission pointed out, code that was potentially encumbered with patents would have required the Samba team to set up a clean room.

"So having the ability to run source code, the complications rise tenfold. Really a bunch of new different problems," Lendecke says.

So there's the issue of practicality. In 50m lines of source code, it's hard enough to tell what's going on, let alone what patents might be lurking. Back in 2001 the dissenting states suggested forcing Microsoft to disclose its Windows source code to rivals - and we can understand why that idea found no interest.

There's also another reason why a source code offer isn't all that it seems.

In his 1984 paper "Reflections On Trusting Trust", Ken Thompson, the co-author of Unix, described a theoretical Trojan which could be salted away inside the compiler. It's a work of subtle beauty that deals with the transmission of knowledge without the transmitter being aware of the payload. That's something we're all experts on, whether we think very much about it or not.

"No amount of source-level verification or scrutiny will protect you from using untrusted code," concludes Thompson. The relevance of "Reflections..." to this week's hearings is not to suggest that Microsoft has been so fiendishly clever that it may have rigged its compilers with an unknown payload - a feat which would require a level of foresight unknown at Redmond. But it's to reinforce the general point that disclosure of the source code isn't the full story. Source code is not a holy grail of authenticity, but merely a set of instructions for other mechanisms to obey. The map is not the territory.

In fact, all the Samba team want, according to Andrew Tridgell's testimony this week, is a floppy disk's worth of Interface Definition Language descriptions.

Another comment of Cooke's met with astonishment during calls to parties with an interest in the outcome of the case on Thursday afternoon. Cooke expressed skepticism that Microsoft's buyout of AT&T's AS/U, its Windows services for Unix, represented a "disruption of supply". AT&T had licensed the code to 11 vendors, including HP and Sun, to permit them to build Windows interoperability into their server offerings. (We can't stress enough that the European anti-trust case specifies a server-to-server remedy beyond the client-server remedy the US settlement outlined.)

The proof is surely in the consequences of this action. After Microsoft's cash settlement with AT&T, derivatives of AS/U such as Sun's PC NetLink withered on the vine. The only Windows interoperability project to gain any widespread industry momentum since its demise has been Samba, which is handicapped on several fronts. Did AS/U licensees - some of the biggest names in the industry - rationally decide that what their customers really wanted was worse Windows interoperability? Cooke seems to invite us to draw this conclusion. One must hope the other judges find this far-fetched.

Asked what Samba really wants, the team told us:

"A fully specified protocol to the level of detail of an internet RFC, much like Sun's NFS v4 - that would be perfect."

There you have it. Not such an intellectual property giveaway after all, is it? ®
