At the end of last year, there were rumours that the IT system of Latvia’s Internal Revenue System was ‘hacked’ and millions of documents had been downloaded by multiple organizations. Shortly thereafter more details on the glaring security hole became public (after it was closed).

There is a full electronic interface to give all reports to the IRS electronically (at http://eds.vid.gov.lv) and as part of that system you could also view and export monthly report summaries about your organization into XML and PDF files. After the system checked that you are authorized to access the report, you were redirected to the URL to actually download the report by report ID (as a single param in a GET request). Unfortunately, report IDs were predicable and the script that gave the reports for download did not check if you were authorized to get that report. It did not even check if were logged into the system.

There were suspicions that the authorization was disabled on purpose to allow to leak data on purpose, but apparently it was an error of forgetting to disable debug code in production environment.

The error was discovered only because the firewall administrator noticed an unexplained stable increase of traffic, especially during night hours when typically the traffic fully stopped. Apparently a single hacker (who later identified himself as ‘Neo’ to the press) discovered the flaw and wrote a script to just try all possible report ids and get as much data out as possible. This had been going on for months, before someone noticed.

After the flaw was discovered and a bit of time passed, Neo made his first move – he published the list of top salaries in a governmental company, that clearly showed that the top leadership of this company failed to cut their salary by 40%, like everyone elses during harsh budget cuts of 2009. He stripped the names and ids of the specific employees, but named the company which made it pretty easy to figure out who was who.

The society was outraged that the top managers in a government owned company failed to comply with the strict pay cut that everyone else in government had to endure. But after a few weeks the outrage subsided and no action followed from the government or law enforcement.

Neo continued to release documents detailing salaries of top managers in different Latvian government companies. And each time after short outrage, nothing happened. Neo gave an interview where he said that he was disappointed in the passivity of the Latvian people in face of such blatant injustices.

After a few month Neo went silent, promising to return before parliamentary elections this fall.

However, this week a new development shocked everyone – in the middle of the night two police SWAT teams went into action: one detained Ilmārs Poikāns, a researcher in artificial intelligence at the University of Latvia’s Computer Science department and another raided the home of a Latvian TV journalist Ilze Nagle who interviewed Neo. Poikāns confessed of being Neo the next day and was released (with travel restrictions, pending trial) today.

Politicians reacted immediately – opposition demanded the resignation of the Interior Minister over ‘such blatant disregard of freedom of press’ and another politician (who is also a famous lawyer) Aleksejs Loskutovs volunteered to defend Neo pro-bono (on Twitter, no less). Almost all Latvian online media have the arrest of Neo and the raid on the home of a journalist as main stories of the day.

As a legal titbit, we also know that Neo is being charged with breaking statutes 145 and and 244p2 of the criminal law. Statute 145 is hard to find applicable in this situation as talks about actions done by ‘people authorized (..) to access [private] information’. Statute 244p2 will also be hard to pin down as it mentions ‘influencing system resources of (an IT system)’ and ‘if such action caused severe harm’. It looks like the first part talks about at least a DoS attack (which did not happen in this case) and also there was no measurable harm from these leaks.

Also Neo was careful to strip all personally identifying information (such as names, social security numbers and addresses of the employees in question), so it will be hard to pin him on that. Also no actual breaking or other modification of an IT system occurred. And no ‘specialized software’ was used beyond a trivial script such as :

for i in range(0,7000000):
    wget('https://eds.vid.gov.lv/getRep.aspx?id='+str(i))

A lot of commentators on the Internet likened the situation to walking trough an unlocked door and stealing something. I think that analogy is very incorrect – there was no door, and nothing went missing after the action.

I came up with a different analogy – there was this corridor with a lot of doors in IRS, locked steel doors. You were instructed to go to a room with a specified number and given a key to that room to unlock it and see your secret info. However, that corridor opened out to the street on one end, oh and also the walls of the rooms with all the secrets were transparent. So Neo walked into the corridor, looked at some of the secrets, wrote them down (to remember them better) and then went out and discussed the worst examples abuses of power he saw.

In the end IRS had to learn their lesson – if you have to put naked photos of yourself on the Internet (or something equally embarrassing), then make damn sure you password protect that, but if you don’t then don’t cry that someone ‘hacked’ you and ‘stole’ you pictures.

What other people think:
http://freespeechlatvia.blogspot.com/2010/05/neo-released-under-restrictions.html

We’ll see how the story develops soon.

I used to use Eclipse in UK and recommended it to others, but they are now involved in this censorship scandal. Unacceptable.

Copyright infringement is not piracy – gunmen on seas killing people, looting ships and holding hostages is piracy.

Copyright infringement is not theft. When my bike was stolen, I no longer had it. Stealing a bicycle is theft.

Copyright infringement is more like sneaking into a concert. You enjoy the show, but did not pay for it. If the concert is held in a small venue then it is easy to spot someone who gets in without paying, but if you hold a concert in an open field, then expecting everyone in the surrounding area to be forced to pay you is rather absurd. If you have a concert in a field with a fence around it and someone makes a hole in that fence (posts a a recording to a P2P site), then the one making the hole might be punishable (property damage), but can any person that enters that hole really be prosecuted for theft, property damage and enabling further theft by not closing the hole (uploading that is inherent in the P2P protocols) ? I do not think so.

A similar analogy is using public transport without a ticket. If there is a bus that goes from A to B and I get on it without buying a ticket from the driver, then in the current copyright enforcement world I would get arrested by the police, prosecuted and get a fine that is tens of thousand times more than the price of the ticket. This has multiple problems – 1. the police has no way of knowing if I have some kind of legal right to use the bus without a ticket (monthly ticket, free ride for seniors, …) before arresting me and bringing me to court, the police has no business wasting their time and taxpayer money until it is 100% certain that a crime has actually occured; 2. if a hacker disables the ticket composters in the bus and removes all signs about prices how am I to know that the bus is not free (like the park and ride buses in many locations); 3. the fines are excessive – I’ve not seen a public transport fine that is much more then 10 times the price of the ticket, and it only applies to one ride – you can not be retroactivelly fined for all free rides you took in the last year; 4. it actually is not possible to be 100% certain who is the person doing the act – you can only trace the IP which can be used by any number of computers and additionally the computers might be infected with a botnet acting as an unwilling proxy zombie. There is no way (except a confession) to prove that a particular person does a particular download.

Now we just need a short and simple word or phrase that describes that. Any ideas?

The dunk-tank scandal ended just like I thought it would. As one could imply from my eternal unstable concept, I do not see making releases as a the main thing that Debian contributes to the society – it is more about the integration and cross-empowerment of all the packages that Debian has. In that context, making a release is a not the most important job in Debian, but it need to be done from time to time. Release management combines technical and social challenges – there is not much of novelty in it (I imagine). So, from this perspective, there is nothing bad in money being paid to do this mundane and hard work, if we really, really need to release in a specific time frame (IMHO the only reason to release Debian in 2006, as opposed to 2008, is the Lars tattoo bet). If we return to “release when its ready” paradigm and aim for about one release every 2-3 years (and I see nothing really wrong with that) then paying release manager will not be needed. Money is about getting things done on a schedule. It does not make things good (or bad). It does not make thing important (or not). It make things go by the schedule (unless you pay by the hour). It is the obvious solution to releasing Debian in December. Now two questions need to be answered – will it work? and do we really want to release in December?

The second thing – in any group of 1000 people anyone can easily find a lot of people that he would not love/not respect/disagree with/disregard/hate and be unable to work with. It is no reason to stop working on Debian, unless one does it only to be universally loved. It is inevitable that we will need to learn to do what we like to do without paying attention to the irritations.

And about the trademarks – in Debconf 5 in Helsinki I was giving a talk at the Debian Day, just after I helped to win the first big fight against software patents in EU, and Branden (who was GPL at the time) asked me what do I think Debian should do about its trademarks. Both then and now I strongly think that trademarks and any other litigation inducing concepts (except enforcement of GPL) have no place whatsoever in free software. I think Debian should lead the way and give up the “Debian” trademark. And Mozilla should follow the lead. So what if there is a pron site “Debian chicks”? You will not solve that with litigation anyway (at least not in a year or two) and why should we really care? So what if some one make a distro and calls it SuperDebian? If someone will really think that it is related to Debian but better (especially despite warnings to the contrary), then that someone will really deserve to get the trojan planted in that distro. And again, against a well prepared criminal, litigation will not help much.

So, did I miss anything?

Everyone who has their flight delayed for more then an hour for whatever reason need simply to sue the airlines and further the UK government according the EU regulations. Each person delayed for just 4 hours can claim as much as 600 euros of compensations. I wonder what compensation must a person delayed 24+ hours get, considering missed meeting, needed hotel bookings and other expenses.

Now if all passengers and all airlines united and sued the government for the compensations (those can be in billions, considering that no sane business person would fly without their mobile and notebook and no mother would want to fly without toys to keep their children happy, so that will cause huge decreese in flying), then the government will think twice before disturbing lives of tens of thousands of people even when all suspects have been arrested.

And we do not even know if there was any terror plot. Last time there was a terror craze in the UK, a road was closed and isolated, a house was raided and then disassembled and a man was shot, but in the end nothing was found.

Who will foot the bill this time? The news say that people will not receive any compensation even if they were insured, because “it was an extreme event”. WTF?! That is what regulations and insurance are for!!! And the minister is saying that they think that most restrictions will stay forever. No carry-on baggage? That is ridiculose.

SUE THE UK GOVERNMENT!

There is a transcript of RMS Turino speech up on Groklaw. So to follow up on my earlier thoughts about GPLv3 I will look at the transcript of RMS’s speech in Turin and write down what I think about it here, so I can refer to it later and maybe so that other people can skip reading that huge piece of text on legal stuff, especially as there is nothing really new there.

First RMS goes on to his now tradition rant about “intellectual property” being a meaningless term that lumps together three completely unrelated laws with different rules. I fully agree on that and I have used the very same argumentation in my speeches for last couple years.

RMS summarises GPLv3 like this:

 And the overall effect of GPL version three will be basically the same as version two, protecting the same four freedoms, but doing it somewhat better, dealing with some problems which we've encountered and adapting better to various different laws around the world. 

It is clearly visible trough the drafts of GPLv3 that it really is intended to protect the same freedoms, but better. People that do not want their freedoms protected, should not be using any version of GPL anyway – BSD or MIT licenses should be good enough for them. However, if we do want to protect our freedoms, then we should that as good as possible without restricting them.

RMS explains the new patent clause – it was implicitly assumed that distributor that distributes a program under a free software license implicitly promises not to sue users of that software for using it. With what is going on in the legal world (especially the SCO case) it is only natural that RMS would want to codify such implicit promises. He also raises a good point on a person having an exclusive patent license distributing GPL software that uses patented technologies that this license grants him the rights to use and distribute, but noone else. That goes very much against the spirit of GPL, so it had to be fixed in some way. I am not sure if the proposed fix by this specific revision of the patent clause is the best way, but that loophole must be closed in one way or another. (And no, eliminating software patents is not a satisfactory option – it is not soon enough and it does not depend on our decision alone)

Another controversial issue that RMS is going into more detail with is the DRM clause. The idea is quite simple – anyone who wishes to use GPL code in a DRM protection measure may do so without any problems, but he has to admit that because any user of his GPL-licensed DRM protection measure has the right (according to the GPL) to modify that protection measure, it is not an effective DRM protection measure and thus he can not use laws like the DMCA to disallow people changing his DRM software for any purpose. There is nothing unfair, draconian or even new about it – with a bit of luck the same thing could be proved in court the first time someone would try to enforce DRM on GPL software via DMCA. However simply clarifying that in the license is a much clearer way to achieve that and it will also save some legal costs along the way.

What I do not really support for 100% is the clause against Tivofication, the hardware key clause. Tivo has Linux inside, but the hardware will not allow you to run modified versions of the kernel. GPLv3 tries to close that loophole by demanding that along with the source of the software the distributor is obliged to also distribute all other components that are needed for modification and successful functionality of that software, for example, a key that would allow the hardware to run our version of the software. While I do not like what Tivo does with crippling the hardware they provide, but at the same time it is quite clear that it is quite within their rights to decide how do they want to provide you their service. The only way in my mind to insure that TC does not bite us in the ass is to make our software so good that no business would by some piece of general purpose computing hardware that would disallow them to run our software. Microsoft is tiny compared to all the companies using computers improve their primary business function. We must make it so that our users are our allies and if someone tries to go against us with TC tools, our users would vote against that with their wallets.

More clarifications followed about optional parts of GPL that were intended for extended compatibility with other software licenses. I think that is a very noble goal, but one must be careful not to make some sub-version of GPL being non-free like it happened with GNU FDL. However it is still not quite clear to me how the legal issues work when sharing code between projects with different compatible licenses and between projects with GPLv3 with different extension enabled. Could someone explain that in more detail with some examples?

In Q&A session RMS went quite a bit overboard with some anti-establishment rhetoric that in my opinion had no place at that event. If you want to praise Chavez, please do that in a private conversation at a cocktail party or rather do not do that at all – it is quite damaging to seriousness of your message and acceptability of it to our major allies in fight from freedom – business users.

On a funny note – a remark from RMS that we will have to replace him at some point got a round of applause

(Now I should really finish up the presentation for tomorrow )