1. 1

    Even though there’s no ‘ops’ or ‘sysadmin’ tags, this isn’t entirely off-topic for Lobsters.

    I’m sure that at least some will find this info useful - those who have to manage Apple kit or simply macOS (and MS Office) users who like to automate everything.

    1. 4

      I know it’s easy to be in a constant state of rage at Uber, and this news makes it extremely easy to pile on. An innocent person died here, at the fault of a team of engineers attempting to do something incredibly difficult. I know for sure that this will bring up (and has already, I’m sure) talking head discussions on ethics of AI, who will be charged (why/why not), and tons more litigation and lawsuits. But, let’s not forget to sympathize with the engineering team here, as well. This has to be the worst feeling ever, and it could have happened to any of us—it had to happen to someone.

      My condolences to the innocent pedestrian’s family and friends. Also, my condolences to the team who will carry this loss on their sleeve for the rest of their lives.

      1. 2

        It seems like you haven’t read the article very carefully.

        1. You completely forgot to mention the operator behind the wheel - If anyone, that person will most likely be charged and, regardless of the verdict, carry it for the rest of their life.

        2. From https://www.sfchronicle.com/business/article/Exclusive-Tempe-police-chief-says-early-probe-12765481.php:

        … it’s very clear it would have been difficult to avoid this collision in any kind of mode (autonomous or human-driven) based on how she came from the shadows right into the roadway, …

        … I suspect preliminarily it appears that the Uber would likely not be at fault in this accident, either, …

        Sylvia Moir, police chief in Tempe, Arizona

        1. 9

          Two things.

          First, the operator is the one person that can hardly be blamed. The idea that a car can drive itself and someone will step in when something goes wrong is fundamentally flawed. Engineers have known about the fact that this doesn’t work for many decades. Understanding what happens at the point of handoff and how long it takes is a fundamental part of aircraft safety and CRM. It takes humans time to assess a situation and step in to take control.

          Second, police often blame victims in car crashes. That’s in part why so few ever get prosecuted and the situation doesn’t change. I’ll believe it when Uber releases video of what happened.

          1. 1
            1. You completely forgot to mention the operator behind the wheel - If anyone, that person will most likely be charged and, regardless of the verdict, carry it for the rest of their life.

            Presumably the operator is part of the engineering team, no? I’m not a District Attorney, or an attorney, or even a law enforcement officer. Therefore, I’m unable to comment on whether or not the operator will be charged, if it makes sense to charge this person, or if we’ll find that Uber put on the road a car that was not street legal, which contributed to it.

            Please don’t assume I didn’t read carefully. I tried to choose my words carefully in order to not speculate on the details of an on-going investigation.

            1. … it’s very clear it would have been difficult to avoid this collision in any kind of mode (autonomous or human-driven) based on how she came from the shadows right into the roadway, …

            Exactly. This makes the investigation all that more important. Maybe no one will be charged because investigators will rule it an accident based purely on the fact that, autonomous or not, it was unavoidable based on the pedestrian’s actions.

            1. 1

              I think your second point raises an interesting issue. It may have been difficult for a human driver to see this person, but from the information given and all the pictures I’ve seen, it shouldn’t have been difficult for an autonomous driver to see them using different sensors (like depth or IR).

              It shouldn’t have been speeding and it should have slowed down further or changed lanes when it saw that it was coming up on a pedestrian in the median.

              This is the second incident I know of where an autonomous car has got into trouble, in part, by mimicking stupid human behavior. We have the technology to avoid things like this, and the standard for computer drivers needs to be significantly higher than the standard for humans. The NTSB needs to get these things off the road until they’re properly tested.

            2. 1

              The fault is actually in the driver, who was instructed to be alert and keep both hands at the wheel at all times. Uber should not have released this obviously and they should get shit for it but I think until there’s nobody behind the wheel the responsibility of any accident falls on the driver, just as it does with planes presently.

              1. 7

                The fault lies with the people that put the driver there. It’s beyond comprehension that they would rely on a safety driver. We’ve known for decades that humans cannot effectively monitor a system that’s mostly reliable. The fact that this cannot be done goes back to Kibler (1965), was already understood by Bainbridge (1983), and by Molly & Parasuraman (1995) there was extensive research digging deep into why people are unable to do this and how to design environments where they can.

                It is irresponsible of Uber/Waymo/GM and all of the manufacturers to put people in an impossible situation.

                1. 1

                  Apparently according to reports it required intervention roughly every mile. I do agree there should be laws against putting such a weak system on the road. It should be able to drive unassisted at least as well as a human driver before we put humans behind the wheel, but after that point the driver should be culpable for failing to pay attention. Especially if the driver were for example watching a feature length film in the driver’s seat.

                  1. 2

                    If a company knowingly puts you in an impossible situation where you cannot possibly do a task safely without injuring yourself or others they are generally liable, not you. Unless for example, you’re a professional engineer in which case you have a certain responsibility to inform yourself and say no. Those poor drivers don’t know the research behind visual attention, automation, and fatigue. It feels very unfair to prosecute them for doing their jobs, that they have been told they can do, to the best of their abilities, when they’ve been set up for failure.

                    1. 1

                      I completely agree with what you said here.

                      Now, in retrospect, don’t you think that without such an anthropomorphic language selling “intelligence” and “learning” of machines, Uber (and Google, and Tesla) would have had a harder time to put such cars on the road?

                      This language is dangerous for each person who does not understand the math and inner working of them: they can be manipulated too easily.

                2. 1

                  … it’s very clear it would have been difficult to avoid this collision in any kind of mode (autonomous or human-driven) based on how she came from the shadows right into the roadway, …

                  It sounds plausible that autonomous or not, this may have happened. I don’t want to get into an argument over an investigation that I don’t have any insight into – I’d only be able to speculate, as would you.

                1. 5

                  Is there any work going on that would allow one to upgrade OpenBSD without booting into the special upgrade kernel? Something more or less like freebsd-update(8)? Let’s call this in-situ upgrade.

                  The problem is that IaaS providers like AWS really expect you to run images, they don’t make it easy to boot some other kernel, and even if you hack your way through there’s no emulated serial console to run the upgrade process, unless you go full auto.

                  I really want to run OpenBSD instead of FreeBSD on AWS (and everywhere else), but this thing is holding me back.

                  1. 3

                    Apart from automating the whole procedure, this is the closest thing you can do.

                    1. 1

                      Huh, I was not aware of these instructions. Thanks!

                  1. 2

                    Well, I’m not sure it is all that black and white. I haven’t done much searching but it doesn’t seem like Patrick actively worked on his fork being included as XChat’s replacement. Sure, he reported a bug in Fedora but it doesn’t seem like he followed up on it.

                    Also, despite the fact that XChat isn’t being actively developed, the original author doesn’t want it to die and to give the domain name up - he renewed it.

                    … Just sayin’.

                    1. 4

                      How about not using spaces in filenames in the first place?

                      1. 6

                        I get this on Unix, where the pissweak tooling is a disaster, but as a user, I own the file name. If I can’t use every character I want to, that’s a total fail on the part of the platform.

                        1. 5

                          I agree that you own the filename and should be able to use any characters you want, but there has to be some trade off regarding what filenames you can use in a comfortable manner and which require some form of escaping/quoting.

                          Another weird character would be the tilde (~). Technically a valid character in a filename, but whenever I see one I begin to fear that I might delete or mess with my home folder.

                          1. 5

                            The tilde is a perfectly fine character to use in a filename, it’s just the shell that does the expansion to your home directory if you give “~” (or “~/” at the start of a path). My preferred editor marks the backup file with “~” (at the end of the filename).

                            Edit: ~ is a “special” Markdown character. No comment on that.

                            1. 2

                              I mean, I don’t use spaces, or tildes, or dollar signs (or colons, for HFS+) in any files that I create or expect to manipulate on the command line, but that doesn’t mean it’s OK. I want the compromises that my computer and I make to live with one another to be largely the province of the computer.

                              1. 1

                                You can say that about other characters, too - *, ;, ?, etc. not just ~.

                                If in doubt, quote or escape :^)

                              2. 2

                                Unlike on other operating systems (well, file systems to be precise), you actually can use any character - even newline or NULL if you so wish. The problem is that you also have to use something as a separator - it so happens that a blank is a natural way to split words apart :^)

                                So yes, you have to escape or quote blanks and other characters which are extra special ;^)

                                1. 1

                                  Obviously not Null :^P - I was thinking of Null as used by find ... -print0 and xargs -0. I should probably get some sleep ;^)

                              3. 1

                                Or just use spaces and escape them? It’s not hard, and escaping occurs literally everywhere strings are used.

                                zsh tab completion auto-escapes. GUI programs don’t need to worry about it. I have plenty of filenames with spaces in them, and they don’t cause problems for me.

                              1. 2

                                There is very little difficulty with spaces in filenames. Learn to quote. Learn to escape. Then everything is very easy.

                                1. 1

                                  It seems like you either didn’t read the linked post or didn’t understand it.

                                  The issue there was with make not being able to handle spaces in file names - neither quoted nor escaped.

                                  1. 1

                                    In that case:

                                    1. The title is incorrect.

                                    2. Still nothing difficult.

                                      make 'hello world'
                                      g++ "hello world.cpp" -o "hello world"

                                    With a Makefile:

                                    hello\ world: hello\ world.cpp
                                            echo match
                                            $(CXX) $(CXXFLAGS) "$^" -o "$@"
                                    

                                    Maybe the OP was making a joke about using UTF8 NBSP and I just didn’t get it.

                                1. 6

                                  Somebody is lying, I wonder who?

                                  https://www.trustico.co.nz/news/2018/symantec-revocation/certificate-replacement.php

                                  Further, Jeremy Rowley of DigiCert sent an e-mail to us requesting the following :

                                  “Can you please send a listing of the certificate serial numbers along with their private keys? Once we get that list, we’ll confirm the private key and revoke the certs as requested. Thanks!”

                                  Trustico® followed the requests of DigiCert by initially recovering Private Keys from cold storage and subsequently e-mailing the associated order number and Private Keys to DigiCert in a ZIP file. The file did not contain any other type of data.

                                  Trustico® allows customers to generate a Certificate Signing Request and Private Key during the ordering process. These Private Keys are stored in cold storage, for the purpose of revocation.

                                  By Djikstra’s Whiskers, this all gets weirder and stupider the more I read.

                                  1. 3

                                    Looks like a long email thread has some more info.

                                    What appears to be a reasonable summary, from one of the emails in the thread:

                                    From what I’ve read, it appears the situation here is that Trustico wanted to revoke all their customer certs from Digicert so they could do a mass migration to another CA (which is not a proper reason to revoke). When asked for proof by Digicert that the certificates were compromised and needed to be revoked, Trustico sent Digicert 23,000(!) private keys that they had stored due to the fact that they were generated by their web-based system in order to effectively make them compromised.

                                    1. 3

                                      DigiCert is the only CA I know that hasn’t fucked up badly and has a good process in place.

                                      1. 1

                                        Does anyone have the above-linked trustico link cached? Firefox is rejecting its SSL/TLS cert for me.

                                        1. 2

                                          I used a website to take an image capture of it: https://imgur.com/a/wmiYA

                                          1. 1

                                            It’s Dijkstra’s Whiskers :^)

                                          1. 3

                                            Not having their five pairs of legs properly represented is one thing, but always being shown as a dead lobster is something else entirely!

                                            I’d like the lobster to be very much alive, please!

                                            1. 1

                                              But then you have to pick if it should be grey, brown, blue, yellow, green or probably even other colours!

                                              1. 2

                                                Human emoji have different colors now, why not lobsters? #dontboilmebro

                                                1. 1

                                                  #zoidberg

                                            1. 2

                                              I’ve been using FreeDNS - a fork of XName - for the past ~15 years.

                                              1. 1

                                                This looks horrendously unreadable.

                                                1. 2

                                                  It’s actually interactive. You can click a button like ‘m’ (or hit m on the keyboard) and see shortcuts available when you’re composing a new message. If you are actually using mutt this makes more sense than a huge list of modes & hotkeys in groupings.

                                                  1. 1

                                                    Aha, that explains it. I was viewing the page via my iPhone.

                                                  2. 1

                                                    I agree - different colours could have been chosen.

                                                  1. 5

                                                    “Lauren Ipsum” was pretty good: https://www.amazon.co.uk/Lauren-Ipsum-Carlos-Bueno/dp/1461178185

                                                    Sort of Alice in Wonderland for computing.

                                                    1. 3

                                                      I bought it from no starch press in their recent sale - arrived on Friday :^)

                                                      I’d add Electronics for Kids to the list.

                                                    1. 2

                                                      I’ve had a gapps-less cyanogenmod set up on my old nexus for over 1½ years (and am waiting for a stable ROM for my current device), and it’s interesting to see that people pretty much eventually end up with the same solutions. I’d just add that if you’re enthusiastic about free software, one should use IceWeasel and if one wants a good FOSS twitter/mastodon experience, I can only recommend Twidere.

                                                      Also, why use AnySoft if you can use the AOSP one? I’m currently struggling with the counter-intuitive nature of AnySoft, but can’t find an AOSP .apk :(

                                                      1. 4

                                                        IceWeasel? You mean the rebranded Firefox for Debian of yesteryear? It no longer exists.

                                                        1. 2

                                                          It still does on Parabola.

                                                          1. 2

                                                            @zge most likely meant IceCat - IceWeasel’s new name. IceCatMobile to be precise.

                                                            1. 1

                                                              Yeah, my bad. I always mix those two up.

                                                        1. 1

                                                          What does “malware served” in every section mean?

                                                          1. 2

                                                            You see at the top where it says he remembers the internet before google?

                                                            He goes on to name the malware products: gmail, search, and adwords+related products.

                                                            His point is that all of those things were better before Google took them over. Their replacements are malware. I couldn’t agree more.

                                                            1. 2

                                                              /me adds malware to the list of words that no longer have meaning.

                                                              1. 4

                                                                Would ‘scamware’ have worked better? ‘Spyware’ certainly applies, as does ‘adware’.

                                                                I’m personally responsible for bringing dozens of users and three small businesses to Google. Before that, I brought a couple of users to Altavista.

                                                                I argued that people shouldn’t ban Google’s spider bot from their web servers. I convinced people that having all their email in one searchable place for free forever was life changing and they should sign up post-haste.

                                                                I stopped people on the street when they were carrying Mapquest printouts and told them about Maps.

                                                                I imported my own email archives from pre-Gmail into Gmail. I reported bugs.

                                                                I told people they could trust Google and that economies of scale meant that Gmail would always be faster and better than their own mail servers.

                                                                I argued against the first (and second, and third) waves of anti-Google sentiment. I apologize… I thought they were Luddites that just didn’t get it, didn’t see the future. Well, actually, they saw it more clearly than I.

                                                                Anyway, I know how the author of the piece feels and I think it’s on-topic for lobste.rs. In that it sets the stage for discussion!

                                                                1. 3

                                                                  A coercive unpleasant experience designed to induce behavior in the target? That’s torture. You could say the Facebook timeline is literally torture, and I’d object to the hyperbole, but I don’t think you’d be entirely wrong.

                                                                  Manipulationware is a little long. Grindware? You’re on a treadmill trying to get ahead, but you’re just running in place.

                                                                  Honestly though, I’m not a fan of the ware suffix generally. I think there’s a strong connotation of local client software. To that end, malservice would be a good term.

                                                                  1. -2

                                                                    webshit

                                                                2. 1

                                                                  Completely off-topic, but I get an ‘unknown issuer’ error when I try to visit your website.

                                                                  1. 2

                                                                    New one here, eh? :^)

                                                                    Have a read, why don’t you!?

                                                              2. 1

                                                                I was wondering the same thing. Googling “Facebook malware” reveals a few instances where some Facebook features served malware ads, maybe that?

                                                                1. 3

                                                                  The Facebook malware is “Mandatory non-linear curation of user contributed content”.

                                                                  He’s saying that sharing was better before Facebook. I couldn’t agree more.

                                                              1. 23

                                                                Seems like a good argument against using BSD licenses.

                                                                1. 7

                                                                  Why? I have more faith in management engine knowing it is minix than some shit that intel wrote themselves.

                                                                  1. 20

                                                                    I suppose the section “Powerful, Reliable Software Can Be Bad” of https://www.gnu.org/philosophy/open-source-misses-the-point.en.html is relevant here :)

                                                                    1. 10

                                                                      If anything, we’d be better off if we found that Intel’s ME was total garbage. It lets an alternative supplier differentiate on more secure software to get some sales. Then, Intel will either try to get people to ignore them with their other advantages, improve the security of their software, or buy the competitor to get their solution. Currently, as license allows, Intel just freeloaded off a bunch of work taxpayers in Europe paid for with some free labor by Tanenbaum et al to solve their problem. The ME stack is still garbage per recent threads.

                                                                      Alternatively, they could’ve just paid a RTOS vendor for a stack. The going rate for those targeting robustness with networking and filesystems was $50,000 OEM last I checked. After they acquired Wind River, they’d have access to highly-reliable OS that’s been used in all kinds of things. Also, a separation kernel (VxWorks MILS) with carefully-crafted networking plus NSA pentesting. So, they do have both paid and free alternatives that are better than Minix 3 if they didn’t prefer freeloading off others’ work to save fifty grand or so on a project that nets them billions. I’m starting to lean back toward GPLing or AGPLing everything with dual-licensing to reduce this. They can pay to remove the copyleft.

                                                                      Edited to change “ripping off” to “freeloading off” as dxtr noted.

                                                                      1. 4

                                                                        If I create something and then give it to you - no strings attached - are you then ripping me off?

                                                                        1. 5

                                                                          Not really. I should’ve said freeloading like parasites. I wonder, though, about what motivates people to freely work for companies under a license that ensures mainly the companies benefit versus one where they contribute something back. I originally liked the BSD licenses to increase the amount of high-quality code the companies might be using to make stuff better in general. I’m not so sure we should do that now seeing how (a) that creates bad incentives for the companies to constantly freeload versus GPL/AGPL projects and (b) they keep modifying that stuff into insecure or seemingly-malicious software like Intel did.

                                                                          The folks aren’t doing anything great by giving them the code. They’re just helping monopolists and oligopolists further ensure the status quo that damages users, developers, and hobbyists while minimizing their operational costs for benefit of owners or shareholders. They also use their fortunes to pay lobbyists to reduce our rights in areas such as copyright and patent law. That phrasing depicts what actually goes on versus the public good people sold me on long ago with BSD/MIT licenses. I wonder how many BSD/MIT contributors that wanted corporate uptake would stick to it if they saw that as the ultimate goal of their contributions. Also, were told the companies often change the code to defeat its flexibility, reliability, or security benefits.

                                                                          I’m sure plenty would stay in the game but I am curious how many would switch licenses. Also, which would they prefer switching to for balancing widespread uptake and maximizing contributions.

                                                                          1. 4

                                                                            People use BSD-alikes because their goal isn’t to coerce people into opening their sources, their goal is to make using their software as easy as possible. They’re not working for rewards from future would-be customers, they’re working because they feel some software which does not exist, should.

                                                                            1. 2

                                                                              “they’re working because they feel some software which does not exist, should.”

                                                                              I imagine most building open-source software fit that category. It can be done with copyleft licenses, though, with little impact to most users.

                                                                              1. 3

                                                                                Sure, and a subset of those people are interested in keeping their work from people who don’t “deserve it”, but not everybody is - and those who aren’t, usually choose a non-viral license because they want more people using their stuff.

                                                                                1. 1

                                                                                  That’s true. A good point to make.

                                                                        2. 2

                                                                          If anything, we’d be better off if we found that Intel’s ME was total garbage.

                                                                          Are you implying it’s not?

                                                                          Don’t know about you, but I don’t need an unmodifiable, unremovable, totally compromised operating system running an HTTP server inside my CPU.

                                                                          Never asked for this, wasn’t told by Apple that they were selling me this, and have no plans to buy another computer with it.

                                                                          1. 2

                                                                            Good luck finding one without it.

                                                                            1. 1

                                                                              Possibly can but will be performance hit:

                                                                              https://news.ycombinator.com/item?id=15646175

                                                                            2. 1

                                                                              It’s definitely garbage. I’m setting up something broader than just Intel where I want them to show what their proprietary stuff is worth, users to find out, and a better alternative to potentially show up. Those can be vetted proprietary (eg shared-source) or FOSS.

                                                                              I could be really wrong but I think AMD is missing a golden opportunity to differentiate on security or trustworthiness of CPU’s like Blackberry and then Apple tried to do in smartphones. Two lines of products, one without management and one with enterprise-controllable version, might push those losses back a little bit esp from foreign sales. They could let third parties of different jurisdictions inspect the management code or its loader since high-performance, legacy-compatible x86 is a patent minefield for competitors anyway. My hypothetical alternatives would have to make some kind of sacrifice in performance, cost, or both. AMD could charge right in.

                                                                              1. 1

                                                                                I could be really wrong but I think AMD is missing a golden opportunity to differentiate on security or trustworthiness of CPU

                                                                                I doubt AMD has a choice in the matter. It really doesn’t make sense for Intel to have it in all their CPUs; in the consumer CPUs where no user will ever use the management engine, it’s just a bunch of extra hardware on the die, wasting space and increasing complexity and cost. The only reason I can think of would be that someone forced their hand, and I can imagine the NSA wouldn’t hate having a backdoor into every single Intel (or AMD) CPU in the world with ring -3 access.

                                                                                1. 1

                                                                                  They have several possible benefits to having that enterprise technology in their chips:

                                                                                  1. The functionality for providing security enhancements is the same in each. Enterprise and repair shops also wanted management benefits.

                                                                                  2. The DRM capabilities the entertainment industry wanted and might have paid for.

                                                                                  3. The backdoors the NSA might have demanded or paid for.

                                                                                  4. The common technique for saving on mask costs (millions) by merging I.P. from several use cases into fewer mask layers.

                                                                                  Ok. The original release on Intel’s side was vPro which had all kinds of benefits for enterprises, esp security. The Trusted Computing Group, of which Intel was part, also wanted to use that stuff for DRM for movies and MP3’s. They probably had financial incentives which might likewise be used to make them go more private again. The NSA is an unknown here where they might have promised them something for money or defense contracts. I know the ME’s weren’t mandatory because not all chip vendors that were in the U.S. were building management engines into their CPU’s. They could possibly put their foot down saying they’d take money to 0-day the firmware instead which would let us put in better firmware but NSA still hits most targets.

                                                                                  The last thing on my list is an industry practice to get development costs down. The best example was the hard disks which showed different amounts of storage but had same platters with same amount of space. The platters and components for writing them had a fixed cost. So, they used firmware deception to tier the pricing. Another example in an ASIC from a friend in hardware was him discovering a cellular radio in an embedded peripheral that wasn’t supposed to connect to anything. He said it wasn’t malicious: the company just reused a mobile SoC they sell for a different purpose with different packaging to squeeze more ROI out of existing chip. Aside from these oddities, the main form of reuse is just doing pre-proven blocks of hardware in a certain process node on new projects. Once they wire the first CPU instance to a ME, it was possibly cheaper to just reuse that on each iteration of that instance esp given ME’s were originally small (ARC cores).

                                                                                  So, there’s the overall analysis of what parties and concerns are involved. The amounts they’re currently losing are much bigger than anything Hollywood or NSA paid them. Highest payout I saw for NSA was around $100 million per telecom for access to their national networks. That was something they could use constantly whereas this they’d have to use sparingly. Couldn’t be much more. The trick is, like with Raptor Workstation, how many people would actually pay for a computer without the backdoor, how much extra, and what total revenues to project for AMD? I’m less confident in demand side than I am in supply side.

                                                                          2. 2

                                                                            Technically, we don’t really know what is in it, since the final result is closed source. Maybe they added a bunch of “shit that Intel wrote themselves”.

                                                                            1. 1

                                                                              Just from a personal point of view. I don’t want my software to be used to spy on users without me even being asked about it.

                                                                            2. 2

                                                                              Then they would have just used a different OS. MacOS has slowly been ripping all the GPLv3 code out of their OS. That’s why they use an ancient version of GPLv2 bash and manually backport all the security fixes.

                                                                              1. 1

                                                                                On the contrary - it shows that anyone can use such software without all the bull$%^& which surrounds, i.e. the GPL. All that he is asking for is simple: Hi, We’re using your software. Cheers, Bye!

                                                                                1. 11

                                                                                  He spends 1/3rd of the letter talking about the fact that someone benefitted from his hard work and he didn’t get any acknowledgement of it. Then he goes and says something like: “I don’t mind, of course, and was not expecting any kind of payment since that is not required.” The whole thing feels and reads regretful to me. I don’t know AST, so don’t really know his personality, or anything, but if I spent 1/3rd of the letter talking like that, I know it’d be because I felt I missed a big opportunity and I’m trying to convince myself that it was fine.

                                                                                  1. 1

                                                                                    If there’s anything that AST might regret, it is the fact that MINIX hasn’t been released under a permissive license earlier and the fact that Linux and the *BSDs got themselves firmly established.

                                                                                    Him regretting not getting anything back out of it after fighting with the publisher to get the code released under a permissive license? Seriously? ;^)

                                                                                    The way I read the letter is him setting the scene before mentioning that letting him know would have been a polite thing to have done - mentioning that without said background information would have looked a bit weird.

                                                                                    Anyway, if I were the author of said code, I’d merely like to know.

                                                                                  2. 1

                                                                                    Yes, and that’s what I wouldn’t want to happen to my software.

                                                                                1. 0

                                                                                  MIT licence is sooo cool, multi-billionaire companies have work for free

                                                                                  1. 2

                                                                                    You have made variations of this comment several times, now. What is your solution? A license that says “If you have over x American dollars, you must pay y to use this software”?

                                                                                    1. 1

                                                                                      There’s always dual licensing with the GPL and a commercial license.

                                                                                      1. 2

                                                                                        If it’s dual-licensed under GPL and commercial (whatever that means) then one can always use the former. GPL does not forbid, but actually encourages, charging money for the software and the end product being commercial.

                                                                                        1. 1

                                                                                          If they change it and distribute the changes, they have to release the source to the changes. Or pay for the right not to. Project maintainers might get something useful out of it. They won’t if it’s permissively licensed in the vast majority of cases where a change is made and distributed.

                                                                                          1. 2

                                                                                            Here, however, no one cares about getting anything useful or anything at all for that matter. People who permissively license their software actually care about the software being useful to everyone.

                                                                                            In either case, money has nothing to do with it.

                                                                                            1. 1

                                                                                              Good point. Yeah, that be the case here.

                                                                                      2. 1

                                                                                        Solution to what? What is the problem here?

                                                                                      3. 2

                                                                                        It’s BSD license to be precise. It’s also great that you can incorporate code covered by such a license in a proprietary or copyleft-licensed software - the reverse is not true.

                                                                                        As an author you have the freedom to choose a license that suits you and the project :^)

                                                                                      1. 9

                                                                                        Hah, I was actually curious whether AST will make a move. Good to see he did.

                                                                                        Still, it’s sad that he doesn’t seem to care about ME.

                                                                                        1. 7

                                                                                          Whether he cares about ME is irrelevant here. By releasing the software under most (all?) free software and open source licenses, you forfeit the right to object even if the code is being used to trigger a WMD - with non-copyleft licenses you agree not to even see the changes to the code. That’s the beauty of liberal software licenses :^)

                                                                                          All that he had asked for is a bit of courtesy.

                                                                                          1. 4

                                                                                            AFAIK, this courtesy is actually required by BSD license, so it’s even worse, as Intel loses here on legal ground as well.

                                                                                            1. 5

                                                                                              No, it is not - hence the open letter. You are most likely confused by the original BSD License which contained the so-called advertising clause.

                                                                                              1. 5

                                                                                                Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

                                                                                                http://git.minix3.org/index.cgi?p=minix.git;a=blob;f=LICENSE;h=a119efa5f44dc93086bc34e7c95f10ed55b6401f;hb=HEAD

                                                                                                1. 9

                                                                                                  Correct. The license requires Intel to reproduce what’s mentioned in the parent comment. The distribution of Minix as part of the IME is a “redistribution in binary form” (i.e., compiled code). Intel could have placed the parts mentioned in the license into those small paper booklets that usually accompany hardware, but as far as I can see, they haven’t done so. That is, Intel is breaching the BSD license Minix is distributed under.

                                                                                                  There’s no clause in the BSD license to inform Mr. Tanenbaum about the use of the software, though. That’s something he may complain about as lack of courtesy, but it’s not a legal requirement.

                                                                                                  What’s the consequence of the license breach? I can only speak for German law, but the BSD license does not include an auto-termination clause like the GPL does, so the license grant remains in place for the moment. The copyright holder (according to the link above, this is Vrije Universiteit, Amsterdam) may demand compensation or acknowledgment (i.e. fulfillment of the contract). Given the scale of the breach (it’s used in countless units of Intel’s hardware, distributed all over the globe by now), he might even be able to revoke the license grant, effectively stopping Intel from selling any processor containing the then unlicensed Minix. So, if you ever felt like the IME should be removed from this world, talk to the Amsterdam University and convince them to sue Intel over BSD license breach.

                                                                                                  That’s just my understanding of the things, but I’m pretty confident it’s correct (I’m a law student).

                                                                                                  1. 3

                                                                                                    It takes special skill to break a BSD license, congrats Intel.

                                                                                                    1. 5

                                                                                                      Actually, they may have a secret contract with the University of Amsterdam that has different conditions. But that we don’t know.

                                                                                                      1. 2

                                                                                                        Judging from the text, doesn’t seem AST is aware of it.

                                                                                                        1. 2

                                                                                                          University of Amsterdam (UvA) is not the Vrije University Amsterdam (VU). AST is a professor at VU.

                                                                                                    2. 1

                                                                                                      I’ve read the license - thanks! :^)

                                                                                                      The software’s on their chip and they distribute the hardware so I’m not sure that actually applies - I’m not a lawyer, though.

                                                                                                      1. 5

                                                                                                        Are you saying that if you ship the product in hardware form, you don’t distribute software that it runs? I wonder why all those PC vendors were paying fees to Microsoft for so long.

                                                                                                        1. 2

                                                                                                          For the license - not the software

                                                                                                          1. 3

                                                                                                            Yes, software is licensed. It doesn’t mean that if you sell hardware running software, you can violate that software’s license.

                                                                                                        2. 3

                                                                                                          So, they distribute a binary form of the OS.

                                                                                                          1. 4

                                                                                                            This is the “tivoization” situation that the GPLv3 was specifically created to address (and the BSD licence was not specifically updated to address).

                                                                                                            1. 2

                                                                                                              No, it was created to address not being able to modify the version they ship. Hardware vendors shipping GPLv2 software still have to follow the license terms and release source code. It’s right in the article you linked to.

                                                                                                              BSD license says that binary distribution requires mentioning copyright license terms in the documentation, so Intel should follow it.

                                                                                                              1. 3

                                                                                                                Documentation or other materials. Does including a CREDITS file in the firmware count? (For that matter, Intel only sells the chipset to other vendors, not end users, so maybe it’s in the manufacturer docs? Maybe they’re to blame for not providing notice?)

                                                                                                                1. 3

                                                                                                                  You have a point with the manufacturers being in-between Intel and the end users that I didn’t see in my above comment, but the outcome is similar. Intel redistributes Minix to the manufacturers, which then redistribute it to the end-users. Assuming Intel properly acknowledges things in the manufacturer’s docs, it’d then be the manufacturers that were in breach of the BSD license. Makes suing more work because you need to sue all the manufacturers, but it’s still illegal to not include the acknowledgements the BSD license demands.

                                                                                                                  Edit:

                                                                                                                  Does including a CREDITS file in the firmware count?

                                                                                                                  No. “Acknowledging” is something that needs to be done in a way the person that receives the software can actually take notice of.

                                                                                                                  1. 2

                                                                                                                    The minix license doesn’t use the word “acknowledging” so that’s not relevant.

                                                                                                                    1. 2

                                                                                                                      You’re correct, my bad. But “reproduce the above copyright notice” etc. aims at the same. Any sensible interpretation of the BSD license’s wording has to come to the result that the receivers of the source code must be able to view those parts of the license text mentioned, because otherwise the clause would be worthless.

                                                                                                            2. 1

                                                                                                              If they don’t distribute that copyright notice (I can’t remember last seeing any documentation coming directly from Intel as I always buy pre-assembled hardware) and your reasoning is correct, then they ought to fix it and include it somewhere.

                                                                                                              However, the sub-thread started by @pkubaj is about being courteous, i.e. informing the original author about the fact that you are using their software - MINIX’s license does not have that requirement.

                                                                                                  2. 7

                                                                                                    I think he is just happy he has a large company using minix.

                                                                                                    1. 5

                                                                                                      Still, it’s sad that he doesn’t seem to care about ME.

                                                                                                      Or just refrains from fighting a losing battle? It’s not like governments would give up on spying on and controlling us all.

                                                                                                      1. 6

                                                                                                        Do you have a cohesive argument behind that or are you just being negative?

                                                                                                        First off, governments aren’t using IME for dragnet surveillance. They (almost certainly) have some 0days, but they aren’t going to burn them on low-value targets like you or me. They pose a giant risk to us because they’ll eventually be used in general-purpose malware, but the government wouldn’t actually fight much (or maybe at all, publicly) to keep IME.

                                                                                                        Second off, security engineering is a sub-branch of economics. Arguments of the form “the government can hack anyone, just give up” are worthless. Defenders currently have the opportunity to make attacking orders of magnitude more expensive, for very little cost. We’re not even close to any diminishing returns falloff when it comes to security expenditures. While it’s technically true that the government (or any other well-funded attacker) could probably own any given consumer device that exists right now, it might cost them millions of dollars to do it (and then they have only a few days/weeks to keep using the exploit).

                                                                                                        By just getting everyday people to adopt marginally better security practices, we can make dragnet surveillance infeasibly expensive and reduce damage from non-governmental sources. This is the primary goal for now. An important part of “marginally better security” is getting people to stop buying things that are intentionally backdoored.

                                                                                                        1. 2

                                                                                                          Do you have a cohesive argument behind that or are you just being negative?

                                                                                                          Behind what? The idea that governments won’t give up on spying on us? Well, it’s quite simple. Police states have happened all throughout history, governments really really want absolute power over us, and they’re free to work towards it in any way they can.. so they will.

                                                                                                          They (almost certainly) have some 0days, but they aren’t going to burn them on low-value targets like you or me.

                                                                                                          Sure, but do they even need 0days if they have everyone ME’d?

                                                                                                          They pose a giant risk to us because they’ll eventually be used in general-purpose malware

                                                                                                          Yeah, that’s a problem too!

                                                                                                          Defenders currently have the opportunity to make attacking orders of magnitude more expensive, for very little cost. [..] An important part of “marginally better security” is getting people to stop buying things that are intentionally backdoored

                                                                                                          If you mean using completely “libre” hardware and software, that’s just not feasible for anyone who wants to get shit done in the real world. You need the best tools for your job, and you need things to Just Work.

                                                                                                          By just getting everyday people to adopt marginally better security practices, we can make dragnet surveillance infeasibly expensive and reduce damage from non-governmental sources.

                                                                                                          “Just”? :) I’m not saying we should all give up, but it’s an uphill battle.

                                                                                                          For example, the blind masses are eagerly adopting Face ID, and pretty soon you won’t be able to get a high-end mobile phone without something like it.

                                                                                                          People are still happily adopting Google Fiber, without thinking about why a company like Google might want to enter the ISP business.

                                                                                                          And maybe most disgustingly and bafflingly of all, vast hordes of Useful Idiots are working hard to prevent the truth from spreading - either as a fun little hobby, or a full-time job.

                                                                                                        2. 4

                                                                                                          It reads to me like he just doesn’t want to admit that he’s wrong about the BSD license “providing the maximum amount of freedom to potential users”. Having a secret un-auditable, un-modifiable OS running at a deeper level than the OS you actually choose to run is the opposite of user freedom; it’s delusional to think this is a good thing from the perspective of the users.

                                                                                                          1. 2

                                                                                                            And the BSD code supported that by making their secret box more reliable and cheaper to develop.

                                                                                                          2. 3

                                                                                                            Oh, it’s still not lost. ME_cleaner is getting better, Google is getting into it with NERF, Coreboot works pretty well on many newish boards and on top of that, there’s Talos.

                                                                                                          3. 2

                                                                                                            He posted an update in which he says he doesn’t like IME.

                                                                                                          1. 1

                                                                                                            The description is non-free?

                                                                                                            1. 1

                                                                                                              Not freely redistributable?

                                                                                                            1. 3

                                                                                                              Any chance you could edit the title to read …GNU AWK…, please?

                                                                                                              1. 1

                                                                                                                Done! :)

                                                                                                                1. 1

                                                                                                                  Thank you! :^)

                                                                                                              1. 1

                                                                                                                You may also want to update all the relevant links to https://.