1. 80
  1.  

  2. 23

    Seems like a good argument against using BSD licenses.

    1. 7

      Why? I have more faith in management engine knowing it is minix than some shit that intel wrote themselves.

      1. 20

        I suppose the section “Powerful, Reliable Software Can Be Bad” of https://www.gnu.org/philosophy/open-source-misses-the-point.en.html is relevant here :)

        1. 10

          If anything, we’d be better off if we found that Intel’s ME was total garbage. It lets an alternative supplier differentiate on more secure software to get some sales. Then, Intel will either try to get people to ignore them with their other advantages, improve the security of their software, or buy the competitor to get their solution. Currently, as license allows, Intel just freeloaded off a bunch of work taxpayers in Europe paid for with some free labor by Tannenbaum et al to solve their problem. The ME stack is still garbage per recent threads.

          Alternatively, they could’ve just paid a RTOS vendor for a stack. The going rate for those targeting robustness with networking and filesystems was $50,000 OEM last I checked. After they acquired Wind River, they’d have access to highly-reliable OS that’s been used in all kinds of things. Also, a separation kernel (VxWorks MILS) with carefully-crafted networking plus NSA pentesting. So, they do have both paid and free alternatives that are better than Minix 3 if they didn’t prefer freeloading off others’ work to save fifty grand or so on a project that nets them billions. I’m starting to lean back toward GPLing or AGPLing everything with dual-licensing to reduce this. They can pay to remove the copyleft.

          Edited to change “ripping off” to “freeloading off” as dxtr noted.

          1. 4

            If I create something and then give it to you - no strings attached - are you then ripping me off?

            1. 5

              Not really. I should’ve said freeloading like parasites. I wonder, though, about what motivates people to freely work for companies under a license that insures mainly the companies benefit versus one where they contribute something back. I originally liked the BSD licenses to increase the amount of high-quality code the companies might be using to make stuff better in general. I’m not so sure we should do that now seeing how (a) that creates bad incentives for the companies to constantly freeload versus GPL/APGL projects and (b) they keep modifying that stuff into insecure or seemingly-malicious software like Intel did.

              The folks aren’t doing anything great by giving them the code. They’re just helping monopolists and oligopolists further ensure the status quo that damages users, developers, and hobbyists while minimizing their operational costs for benefit of owners or shareholders. They also use their fortunes to pay lobbyists to reduce our rights in areas such as copyright and patent law. That phrasing depicts what actually goes on versus the public good people sold me on long ago with BSD/MIT licenses. I wonder how many BSD/MIT contributors that wanted corporate uptake would stick to it if they saw that as the ultimate goal of their contributions. Also, were told the companies often change the code to defeat its flexibility, reliability, or security benefits.

              I’m sure plenty would stay in the game but I am curious how many would switch licenses. Also, which would they prefer switching to for balancing widespread uptake and maximizing contributions.

              1. 4

                People use BSD-alikes because their goal isn’t to coerce people into opening their sources, their goal is to make using their software as easy a possible. They’re not working for rewards from future would-be customers, they’re working because they feel some software which does not exist, should.

                1. 2

                  “they’re working because they feel some software which does not exist, should.”

                  I imagine most building open-source software fit that category. It can be done with copyleft licenses, though, with little impact to most users.

                  1. 3

                    Sure, and a subset of those people are interested in keeping their work from people who don’t “deserve it”, but not everybody is - and those who aren’t, usually choose a non-viral license because they want more people using their stuff.

                    1. 1

                      That’s true. A good point to make.

            2. 2

              If anything, we’d be better off if we found that Intel’s ME was total garbage.

              Are you implying it’s not?

              Don’t know about you, but I don’t need an unmodifiable, unremovable, totally compromised operating system running an HTTP server inside my CPU.

              Never asked for this, wasn’t told by Apple that they were selling me this, and have no plans to buy another computer with it.

              1. 2

                Good luck finding one without it.

                1. 1

                  Possibly can but will be performance hit:

                  https://news.ycombinator.com/item?id=15646175

                2. 1

                  It’s definitely garbage. I’m setting up something broader than just Intel where I want them to show what their proprietary stuff is worth, users to find out, and a better alternative to potentially show up. Those can be vetted proprietary (eg shared-source) or FOSS.

                  I could be really wrong but I think AMD is missing a golden opportunity to differentiate on security or trustworthiness of CPU’s like Blackberry and then Apple tried to do in smartphones. Two lines of products, one without management and one with enterprise-controllable version, might push those losses back a little bit esp from foreign sales. They could let third parties of different jurisdictions inspect the management code or its loader since high-performance, legacy-compatible x86 is a patent minefield for competitors anyway. My hypothetical alternatives would have to make some kind of sacrifice in performance, cost, or both. AMD could charge right in.

                  1. 1

                    I could be really wrong but I think AMD is missing a golden opportunity to differentiate on security or trustworthiness of CPU

                    I doubt AMD has a choice in the matter. It really doesn’t make sense for Intel to have it in all their CPUs; in the consumer CPUs where no user will ever use the management engine, it’s just a bunch of extra hardware on the die, wasting space and increasing complexity and cost. The only reason I can think of would be that someone forced their hand, and I can imagine the NSA wouldn’t hate having a backdoor into every single Intel (or AMD) CPU in the world with ring -3 access.

                    1. 1

                      They have several, possible benefits to having that enterprise technology in their chips:

                      1. The functionality for providing security enhancements is the same in each. Enterprise and repair shops also wanted management benefits.

                      2. The DRM capabilities the entertainment industry wanted and might have paid for.

                      3. The backdoors the NSA might have demanded or paid for.

                      4. The common technique for saving on mask costs (millions) by merging I.P. from several use cases into fewer mask layers.

                      Ok. The original release on Intel’s side was vPro which had all kinds of benefits for enterprises, esp security. The Trusted Computing Group, of which Intel was part, also wanted to use that stuff for DRM for movies and MP3’s. They probably had financial incentives which might likewise be used to make them go more private again. The NSA is an unknown here where they might have promised them something for money or defense contracts. I know the ME’s weren’t mandatory because not all chip vendors that were in the U.S. were building management engines into their CPU’s. They could possibly put their foot down saying they’d take money to 0-day the firmware instead which would let us put in better firmware but NSA still hits most targets.

                      The last thing on my list is an industry practice to get development costs down. The best example was the hard disks which showed different amounts of storage but had same platters with same amount of space. The platters and components for writing them had a fixed cost. So, they used firmware deception to tier the pricing. Another example in an ASIC from a friend in hardware was him discovering a cellular radio in an embedded peripheral that wasn’t supposed to connect to anything. He said it wasn’t malicious: the company just reused a mobile SoC they sell for a different purpose with different packaging to squeeze more ROI out of existing chip. Aside from these oddities, the main form of reuse is just doing pre-proven blocks of hardware in a certain process node on new projects. Once they wire the first CPU instance to a ME, it was possibly cheaper to just reuse that on each iteration of that instance esp given ME’s were originally small (ARC cores).

                      So, there’s the overall analysis of what parties and concerns are involved. The amounts they’re currently losing are much bigger than anything Hollywood or NSA paid them. Highest payout I saw for NSA was around $100 million per telecom for access to their national networks. That was something they could use constantly whereas this they’d have to use sparingly. Couldn’t be much more. The trick is, like with Raptor Workstation, how many people would actually pay for a computer without the backdoor, how much extra, and what total revenues to project for AMD? I’m less confident in demand side than I am in supply side.

              2. 2

                Technically, we don’t really know what is in it, since the final result is closed source. Maybe they added a bunch of “shit that Intel wrote themselves”.

                1. 1

                  Just from a personal point of view. I don’t want my software to be used to spy on users without me even being asked about it.

                2. 2

                  Then they would have just used a different OS. MacOS has slowly been ripping all the GPLv3 code out of their OS. That’s why they use an ancient version of GPLv2 bash and manually backport all the security fixes.

                  1. 1

                    On the contrary - it shows that anyone can use such software without all the bull$%^& which surrounds, i.e. the GPL. All that he is asking for is simple: Hi, We’re using your software. Cheers, Bye!

                    1. 11

                      He spends 1/3rd of the letter asking talking about the fact that someone benefitted from his hard work and he didn’t get any acknowledgement of it. Then he goes and says something like: “I don’t mind, of course, and was not expecting any kind of payment since that is not required.” The whole thing feels and reads regretful to me. I don’t know AST, so don’t really know his personality, or anything, but if I spent 1/3rd of the letter talking like that, I know it’d be because I felt I missed a big opportunity and I’m trying to convince myself that it was fine.

                      1. 1

                        If there’s anything that AST might regret is the fact that MINIX hasn’t been released under a permissive license earlier and the fact that Linux and the *BSDs got themselves firmly established.

                        Him regretting not getting anything back out of it after fighting with the publisher to get the code released under a permissive license? Seriously? ;^)

                        The way I read the letter is him setting the scene before mentioning that letting him know would have been a polite thing to have done - mentioning that without said background information would have looked a bit weird.

                        Anyway, if I were the author of said code, I’d merely like to know.

                      2. 1

                        Yes, and that’s what I wouldn’t want to happen to my software.

                    2. 6

                      I love how in the end he says the BSD license brings maximum freedom to users. As far as I know, the code isn’t published anywhere that’s inside the chip. As a user of Intel, this isn’t exactly “more freedom”. Great example why we need the GPL.

                      1. 1

                        The user here is Intel, and BSD indeed is more free in this regard. If it weren’t this it would just have likely been some embedded os they bought. The GPL wouldn’t have improved anything in this regard.

                        1. 2

                          You are wrong that the user of the software is intel. Intel is the “reader” of the source code and we are the “users” of the software the model generates. The same way a book doesn’t have “user” but a “reader”, software only has a “user” when it is running on hardware.

                          Why is the alternative buying an embedded OS? Let’s pretend MINIX was GPL. What if the economics were better to just release the source of a modified MINIX vs buy an embedded OS. I don’t buy the “If it’s not BSD, it’s proprietary” argument.

                          1. 1

                            You are wrong that the user of the software is intel. Intel is the “reader” of the source code and we are the “users” of the software the model generates.

                            No the users of intel are the component buyers generally. Individual developer/power users aren’t significant enough to matter economically. You’re conflating your use of intel devices as being the user of the intel device itself. This is no different than a car, you aren’t the user of the bosch speed controller in say a volkswagen, that was volkswagen and bosch that had a business relationship. Directly all you have control over is the overall package.

                            Why is the alternative buying an embedded OS?

                            Ref tivo and the wrt situation. Even if a gpl os was used, and source released, it will inexorably end up useless in that there will be no reasonable way to update or install updates on the devices in question. In many regards GPL os’s will only encourage this happening more.

                            And as a BSD license fan, I encourage it. The goal is to make good code available, not push an agenda on how my code be used or renumerated.

                            1. 1

                              Your example is flawed since the firmware can be updated on these Intel chips including the ME stuff. If the Bosch controller can be changed, then I am certainly a user.

                              It’s kind of like the repair/hacker movement in hardware too. Make shit that can be changed by the people using said shit. iFixit should rate electronics not just on physical repair-ability, but software repair-ability too.

                              1. 1

                                Not all embedded devices are designed nor intended to be updated however. Take the case where a one time write flash chip is used.

                                That Bosch controller just may not be changed without changing other things. In these scenarios we are third party users not first.

                      2. 9

                        Hah, I was actually curious whether AST will make a move. Good to see he did.

                        Still, it’s sad that he doesn’t seem to care about ME.

                        1. 7

                          Whether he cares about ME is irrelevant here. By releasing the software under most (all?) free software and open source licenses, you forfeit the right to object even if the code is being used to trigger a WMD - with non-copyleft licenses you agree not to even see the changes to the code. That’s the beauty of liberal software licenses :^)

                          All that he had asked for is a bit of courtesy.

                          1. 4

                            AFAIK, this courtesy is actually required by BSD license, so it’s even worse, as Intel loses here on legal ground as well.

                            1. 5

                              No, it is not - hence the open letter. You are most likely confused by the original BSD License which contained the so called, advertising clause.

                              1. 5

                                Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

                                http://git.minix3.org/index.cgi?p=minix.git;a=blob;f=LICENSE;h=a119efa5f44dc93086bc34e7c95f10ed55b6401f;hb=HEAD

                                1. 9

                                  Correct. The license requires Intel to reproduce what’s mentioned in the parent comment. The distribution of Minix as part of the IME is a “redistribution in binary form” (i.e., compiled code). Intel could have placed the parts mentioned in the license into those small paper booklets that usually accompany hardware, but as far as I can see, they haven’t done so. That is, Intel is breaching the BSD license Minix is distributed under.

                                  There’s no clause in the BSD license to inform Mr. Tanenbaum about the use of the software, though. That’s something he may complain about as lack of courtesy, but it’s not a legal requirement.

                                  What’s the consequence of the license breach? I can only speak for German law, but the BSD license does not include an auto-termination clause like the GPL does, so the license grant remains in place for the moment. The copyright holder (according to the link above, this is Vrije Universiteit, Amsterdam) may demand compensation or acknowledgment (i.e. fulfillment of the contract). Given the scale of the breach (it’s used in countless units of Intel’s hardware, distributed all over the globe by now), he might even be able to revoke the license grant, effectively stopping Intel from selling any processor containing the then unlicensed Minix. So, if you ever felt like the IME should be removed from this world, talk to the Amsterdam University and convince them to sue Intel over BSD license breach.

                                  That’s just my understanding of the things, but I’m pretty confident it’s correct (I’m a law student).

                                  1. 3

                                    It takes special skill to break a BSD license, congrats Intel.

                                    1. 5

                                      Actually, they may have a secret contract with the University of Amsterdam that has different conditions. But that we don’t know.

                                      1. 2

                                        Judging from the text, doesn’t seem AST is aware of it.

                                        1. 2

                                          University of Amsterdam (UvA) is not the Vrije University Amsterdam (VU). AST is a professor at VU.

                                    2. 1

                                      I’ve read the license - thanks! :^)

                                      The software’s on their chip and they distribute the hardware so I’m not sure that actually applies - I’m not a lawyer, though.

                                      1. 5

                                        Are you saying that if you ship the product in hardware form, you don’t distribute software that it runs? I wonder why all those PC vendors were paying fees to Microsoft for so long.

                                        1. 2

                                          For the license - not the software

                                          1. 3

                                            Yes, software is licensed. It doesn’t mean that if you sell hardware running software, you can violate that software’s license.

                                        2. 3

                                          So, they distribute a binary form of the OS.

                                          1. 4

                                            This is the “tivoization” situation that the GPLv3 was specifically created to address (and the BSD licence was not specifically updated to address).

                                            1. 2

                                              No, it was created to address not being able to modify the version they ship. Hardware vendors shipping GPLv2 software still have to follow the license terms and release source code. It’s right in the article you linked to.

                                              BSD license says that binary distribution requires mentioning copyright license terms in the documentation, so Intel should follow it.

                                              1. 3

                                                Documentation or other materials. Does including a CREDITS file in the firmware count? (For that matter, Intel only sells the chipset to other vendors, not end users, so maybe it’s in the manufacturer docs? Maybe they’re to blame for not providing notice?)

                                                1. 3

                                                  You have a point with the manufacturers being in-between Intel and the end users that I didn’t see in my above comment, but the outcome is similar. Intel redistributes Minix to the manufacturers, which then redistribute it to the end-users. Assuming Intel properly acknowledges things in the manufacturer’s docs, it’d then be the manufacturers that were in breach of the BSD license. Makes suing more work because you need to sue all the manufacturers, but it’s still illegal to not include the acknowledgements the BSD license demands.

                                                  Edit:

                                                  Does including a CREDITS file in the firmware count?

                                                  No. “Acknowledging” is something that needs to be done in a way the person that receives the software can actually take notice of.

                                                  1. 2

                                                    The minix license doesn’t use the word “acknowledging” so that’s not relevant.

                                                    1. 2

                                                      You’re correct, my bad. But “reproduce the above copyright notice” etc. aims at the same. Any sensible interpretation of the BSD license’s wording has to come to the result that the receivers of the source code must be able to view those parts of the license text mentioned, because otherwise the clause would be worthless.

                                            2. 1

                                              If they don’t distribute that copyright notice (I can’t remember last seeing any documentation coming directly from Intel as I always buy pre-assembled hardware) and your reasoning is correct, then they ought to fix it and include it somewhere.

                                              However, the sub-thread started by @pkubaj is about being courteous, i.e. informing the original author about the fact that you are using their software - MINIX’s license does not have that requirement.

                                  2. 7

                                    I think he is just happy he has a large company using minix.

                                    1. 5

                                      Still, it’s sad that he doesn’t seem to care about ME.

                                      Or just refrains from fighting a losing battle? It’s not like governments would give up on spying on and controlling us all.

                                      1. 6

                                        Do you have a cohesive argument behind that or are you just being negative?

                                        First off, governments aren’t using IME for dragnet surveillance. They (almost certainly) have some 0days, but they aren’t going to burn them on low-value targets like you or me. They pose a giant risk to us because they’ll eventually be used in general-purpose malware, but the government wouldn’t actually fight much (or maybe at all, publicly) to keep IME.

                                        Second off, security engineering is a sub-branch of economics. Arguments of the form “the government can hack anyone, just give up” are worthless. Defenders currently have the opportunity to make attacking orders of magnitude more expensive, for very little cost. We’re not even close to any diminishing returns falloff when it comes to security expenditures. While it’s technically true that the government (or any other well-funded attacker) could probably own any given consumer device that exists right now, it might cost them millions of dollars to do it (and then they have only a few days/weeks to keep using the exploit).

                                        By just getting everyday people do adopt marginally better security practices, we can make dragnet surveillance infeasibly expensive and reduce damage from non-governmental sources. This is the primary goal for now. An important part of “marginally better security” is getting people to stop buying things that are intentionally backdoored.

                                        1. 2

                                          Do you have a cohesive argument behind that or are you just being negative?

                                          Behind what? The idea that governments won’t give up on spying on us? Well, it’s quite simple. Police states have happened all throughout history, governments really really want absolute power over us, and they’re free to work towards it in any way they can.. so they will.

                                          They (almost certainly) have some 0days, but they aren’t going to burn them on low-value targets like you or me.

                                          Sure, but do they even need 0days if they have everyone ME’d?

                                          They pose a giant risk to us because they’ll eventually be used in general-purpose malware

                                          Yeah, that’s a problem too!

                                          Defenders currently have the opportunity to make attacking orders of magnitude more expensive, for very little cost. [..] An important part of “marginally better security” is getting people to stop buying things that are intentionally backdoored

                                          If you mean using completely “libre” hardware and software, that’s just not feasible for anyone who wants to get shit done in the real world. You need the best tools for your job, and you need things to Just Work.

                                          By just getting everyday people do adopt marginally better security practices, we can make dragnet surveillance infeasibly expensive and reduce damage from non-governmental sources.

                                          “Just”? :) I’m not saying we should all give up, but it’s an uphill battle.

                                          For example, the blind masses are eagerly adopting Face ID, and pretty soon you won’t be able to get a high-end mobile phone without something like it.

                                          People are still happily adopting Google Fiber, without thinking about why a company like Google might want to enter the ISP business.

                                          And maybe most disgustingly and bafflingly of all, vast hordes of Useful Idiots are working hard to prevent the truth from spreading - either as a fun little hobby, or a full-time job.

                                        2. 4

                                          It reads to me like he just doesn’t want to admit that he’s wrong about the BSD license “providing the maximum amount of freedom to potential users”. Having a secret un-auditable, un-modifiable OS running at a deeper level than the OS you actually choose to run is the opposite of user freedom; it’s delusional to think this is a good thing from the perspective of the users.

                                          1. 2

                                            And the BSD code supported that by making their secret box more reliable and cheaper to develop.

                                          2. 3

                                            Oh, it’s still not lost. ME_cleaner is getting better, Google is getting into it with NERF, Coreboot works pretty well on many newish boards and on top of that, there’s Talos.

                                          3. 2

                                            He posted an update in which he says he doesn’t like IME.

                                          4. 5

                                            I rather enjoyed this. He’s not objecting, he’s not demanding, he’s saying “Gee, glad I chose BSD. Glad it was able to be used in this way. Oh, and also, letting me know would have been a nice touch”.

                                            Such courtesy and humility are refreshingly rare in this business.

                                            1. 5

                                              I thought this was going to be about how Intel has destroyed world’s computational security, giving random hackers the ability to hack any computer running an Intel processor. Odd that’s not mentioned.

                                              1. 3

                                                I’m not sure why this exists; I read it expecting to see at least some nod towards “hey I know it’s legal but you’re using my shit to do evil, maybe do less evil” but it was just “you guys don’t have to acknowledge my work but it would have been nice” which is…. already the terms of the licence.

                                                1. 2

                                                  MIT like licence are sooo cool, Multi billionaire companies have work for free, when esclavagism was abolist last time ?

                                                  1. 6

                                                    Since you don’t seem to have any idea what slavery means, I can assure you they are not forcing anyone to do work. Btw, not only “multi billion” but also small startups with a handful of people can put out source code and get contributions or even use other’s people work.

                                                    1. 3

                                                      Also, slavery as a concept isn’t really grounded in “forced labour”, it’s “human as property”. The forced labour part is simply the main reason one would happen to own slaves.

                                                    2. 4

                                                      Intel using it doesn’t take away from anyone else, it probably helps other people. I don’t see why people would be bitter about the license. Intel would do that crap with or without a micro kernel.

                                                      Even if intel released all the code modifications, how would that change anything? Its still there running… Or are you also against GPL too?

                                                      1. 1

                                                        Even if intel released all the code modifications, how would that change anything

                                                        Yeah, exactly — all the GPL compliance dumps we’ve seen rarely contained interesting stuff, the “secret sauce” on embedded Linux devices remained secret.

                                                      2. 1

                                                        *slavery

                                                      3. 1

                                                        The news headlines should read “Tanenbaum allows Intel to hack NSA backdoors into Intel chips for free!”.

                                                        1. -1

                                                          Ooooh, burn! Your move, Intel!