If you want to know how a little firmware for a little router can become a very big issue, read on. I'll tell you all about it.
First, though, I'll skip to the good part. James Ewing (of Sveasoft), developer of the now famous Linksys WRT54G firmware fork, is engaging in seriously bad acts, of importance to everyone.
As part of a novel scheme to violate the GPL, and to profit from those violations, he lies and threatens people (in a very simple, scary way) so that they will either not understand, or be afraid to exercise, the provisions of the GNU Public License.
I say it's a novel scheme, although really, it's not especially clever. He's just the first person (that we know of) to have the technical and social skills to pull it off, and yet lack the ordinary moral and emotional health to stop himself.
Here is a set of links with more information, and with copies of "his" GPL firmware. Because of his ongoing efforts to suppress the spread of "his" fork of Linux, these links will frequently change, and may be broken. Please comment if you find a broken link.
- Slashdot journal page by one of James' victims (Let him try to scare Slashdot into taking it down!)
- Forum run by TheIndividual
- Direct link to his site, with a detailed account of his experience!
James Ewing has unfortunately been surprisingly successful, both at profiting (it is apparent from his price and his number of "subscribers" that he has made real money at this), and (thus far) at staying beneath the radar of the community, despite a growing sense of unease, concern, and a number of inquiries from various parties in the community (the FSF, Slashdot, etc).
I am, by the best definition, nobody - just a one-time Linksys user (who was disappointed enough to return the hardware and buy a D-Link, btw) who happened to learn early about what was really happening by watching the strange failure of the GPL source code to propagate, and finally finding the websites of James' victims.
You can't know much about the open source/free software community and not be moved to outrage over the behavior of people like James Ewing, both for his illegal and immoral affront to the generous hackers whose work he is illegally profiting from, and of the people he victimizes. Being threatened in the way James threatens people is extremely unpleasant, as you can see for yourself. No one should ever have to suffer such evil, vicious behavior.
Now, here is the story in detail.
A few months ago I was experimenting with wireless networks. Linksys, the ubiquitous network hardware maker, had just released their wireless router's Linux-based firmware, source code and all, finally complying with the Free Software (GPL) license of the code they had used to make it.
Cringley had just written a long piece about one of the new forks of that open-source firmware - that it was great, and powerful, and possibly a big deal. The developer running the fork was James Ewing. His "company," Sveasoft.
James, after weathering the incredible surge of traffic and interest from Cringley's favorable coverage of him, and the subsequent Slashdot stories, must have seen dollar signs.
It's really so simple, if you think about it. If he could just manage to charge all these "freeloading" downloaders a little money for each download, he could be rich. He watched that download counter running, and fantasized about how many hundreds of thousands of dollars he would be making if every downloader paid his fee.
The only problem was that his company's "product" is free software - a monumental, towering achievement, the work of tens of thousands of strangers, who all agreed that their software, and everything based on it, should grow by cooperation, and to do that, it should always be free.
Sveasoft's firmware is just a tiny customization of Linux: a free OS kernel, and the mountain of free software components built on top of it.
His "collaborators" don't charge a nickel for it, and neither can he - that is, without breaking the law.
The magnitude of the Free Software world's practical, intelligent generosity is difficult to understand. It is a tremendous, and important thing, and it is hard to appreciate how many problems were solved, how many new opportunities created, how many basic things we rely on every day spring from this community - let alone how all these incredible people share the work and do it "for nothing" - so that we all can benefit.
James Ewing, for some reason, finds it very easy to piss on this system - to dismiss its rules, deceive its architects, and threaten its users - in order to profit. His actions cheat every participant in Free Software, from a developer who sent a 1-line patch, all the way to Linus and Stallman.
By the time I heard about Sveasoft, he was already charging $20 "subscriptions" just to see the source for his GPL firmware.
I once studied this aspect of the GPL, and I immediately thought I understood what he was trying to do. It's subtle, and I apologize if this appears complicated. There are two main things to remember about the GPL: that "distribution isn't required, but freedom is," and that "distribution isn't free, but it needn't cost anything."
James is very smart, and at first blush, it only appears that he's managed to thread these needles.
First of all, anyone can take GPL code and modify it. That's essential to the whole process. And you're not required to share changes you make. The only caveat is, if you do ever share your new work, you have to share the source, and it stays GPL (so anyone you share it with can in turn change it and share it with anyone they like, and so on).
Second of all, when you share your new work (with source code), you actually don't have to do it for free.
It's true! Nowadays, that distribution almost always is free. But, you have to remember that the GPL predates the modern, ubiquitous Internet, where distributing data is so cheap it effectively costs nothing, even for the $20 a month crowd. As a result, the GPL has an ingenious aspect to its design: it creates a market for distribution of free software.
I, too, can charge $20 (or any reasonable fee) for a copy of Linux. Anyone I give "my" code to, however, can also distribute. And they can charge whatever they like. Usually, that's "zero dollars." This ensures that the "market price" of distributing GPL code approaches the actual cost of doing it. Almost always, that cost is effectively "zero."
Unless you rig the market.
Sveasoft still provides an uninteresting, basically useless, very early version of their firmware for nothing. For $20, you "subscribe" and can get access to the current, "interesting" versions. Now, remember: nothing in the GPL stops Sveasoft from doing this. But, unlike other "ordinary" businesses, Sveasoft can't enforce the "rules." The $20 fee is effectively optional, because any "subscriber" has the right to release what they "bought" to the world for free, themselves, thereby taking the "market price" of code distribution from $20 to $0.
As the apparent coup de grâce, James promised he would cancel the subscriptions of anyone who did this. He called it "forking" his current firmware versions. His "customers" could indeed exercise their GPL rights, he claimed. But if they did, they wouldn't be getting any more code from him. He had no obligation to continue to distribute to them (directly!) in the future.
Well, that was fine. It only takes one $20 subscriber to leak the code each time, and worse, there's no way he can necessarily tell who "leaked" - without violating the GPL, that is. It's tough to "tag" source code.
This interesting setup was raised and debated in the halls of the FSF, and won their stamp of approval. Technically, it complies with the license. James Ewing officially became the man standing the farthest out on the knife's edge of legality. Slashdot ran through a similar debate. But already, there were bad signs. If you listened, you could hear the monster lumbering underneath.
I could appreciate James Ewing's rather pushy way of raising money, but I knew that, because of the GPL and the constant, reliable nature of people and markets, the $20 is "opt-in." I went to Google, hunting for other sites that mirrored the Sveasoft firmware. I didn't need even cheap customer support, and I had no obligation to pay anyone for Linux, whatever fairy dust James Ewing had sprinkled on it.
But there were no mirrors. Anywhere.
That was scary. Right away, I knew something was up.
Going to the P2P networks was scarier. I found a large number of fake files, named as if they were firmware releases... evidence of a ("relatively" sophisticated, though unsuccessful) campaign to poison P2P sharing of the firmware. But I also found a smoking gun. I found, in one of the fake files, some startling propaganda.
This propaganda was intended to deceive readers about their rights under the GPL - and to scare them into "buying" James Ewing's version of Linux (remember, his firmware is just a little Linux distro for Linksys routers). If they didn't, they were warned, they'd be "pirates," and they might find that their "stolen" firmware had been back-doored, or worse.
Only you can't "pirate" GPL source code.
Finally, down near the bottom of a Slashdot story, I found a post linking to a struggling website run by a lone, brave soul who was trying to mirror "Sveasoft's" Linksys Linux. It told the story that I had begun to expect, with a terrible sense of foreboding, from the moment Google first came up empty. Only it was far worse than I suspected.
James Ewing was applying the same propaganda and lies directly to unknowing Sveasoft subscribers, web hosts, and (I suspect) search engines, to frighten people out of the mirror market.
James Ewing was making sure only he could distribute that firmware, and only at the price he wanted.
And he wasn't just using libel and deceit to scare people off. When that didn't work, he got personal. He actually tried to make GPL users afraid for their safety.
"You really should do some background research on who you are fucking with. I will eventually find out exactly who you are and where you live and then we're gonna have some real fun."
"Well then if I were you I would scamper off and remove any copies of my firmware right quick now."
"I enjoy tracking down scumbags and giving them what they deserve. I used to get paid for it before I changed careers and started a family."
The important thing for James right now is results. If he can make it hard enough to find mirrors of that firmware, it puts money in his pocket every day. All he has to do is keep you from exercising your rights under the GPL, by whatever means necessary - lies to you, lies to your service provider, or, if you don't cave, a few threats. It'll probably work, and he can always deny he did it later. So what if he has to get a little tough on somebody in the morning. It pays off by the afternoon.
He is fast - probably aggressively searching the web looking for new mirrors 24/7, and reacting within days or even hours. Most hosts will drop a free or a cheap hosting customer like a hot rock at the first hint of copyright violations; no warnings, no questions asked, no appeals. Most search engines have automatic or streamlined takedown provisions for "illegal" results. Few in the larger community understand the intricacies of the GPL, or have the time and energy to verify James' claims. They see a software "vendor" and "pirated" binaries, and that's all they need to see. Because of the odious DMCA, in the U.S., just taking the time to investigate and handle such a claim properly can subject you to massive liability.
For those few who don't just give up and move on to more rewarding pursuits than fighting with James, "he makes them his new full time hobby."
In a sense, though, all GPL users are James' new full time hobby. He believes he's discovered a way to violate the GPL, selling the work others did for free, and get away with it. And until we stop him, he has.
It's a clever enough scam, I suppose. All he has to do is keep the "market value" for distributions of his firmware artificially high for a while. He'd make most of his money quickly, while there's still a buzz about the product. Even if the Free Software community later found out, organized and fought back, he'd have made a sweet chunk of cash. Just 4000 subscribers paying $20 each adds up to $80,000. Oh, this scam hasn't made him rich, but it's not chump change, either. Right now he's having a nice hearty laugh at us, all the way to the bank.
This is a long story, but the ending should be obvious.
James Ewing should be:
- Investigated, and if necessary, prosecuted, by law enforcement in his nation of residence for his frightening, threatening behavior towards others.
- Sued in civil courts around the world. I'm not an attorney, but at the very least, his violations of the GPL, and his libels against members of the community (as he gets mirror sites shut down again and again for "pirating" Linux) seem clearly actionable.
If it becomes clear that anyone can easily profit from abusing the Free Software community as James Ewing has, then we are in for some dark times ahead.
The only happy ending to this is if James Ewing loses all his ill-gotten gains, and faces the music for his threatening behavior towards others.
If Free Software were a corporation, he would have heard from our lawyers a week into his scam. But since we are a community, we have to take action like one - rallied by our spokesmen and standard-bearers, and powered by the many small actions of the great, well-meaning crowd that we are.
I call upon those with legal and financial resources: The Free Software Foundation, Linus Torvalds, IBM, and Linksys, among others, to investigate James Ewing's practices, discover for yourselves what's really been going on, and help us take swift, firm, and fair actions to protect the community and the GPL.
- We think the GPL is pretty good, but regardless of what happens to James Ewing, the FSF should seriously consider any possible ways it can amend the GPL in order to make abuses more difficult.
- In order to frighten people into believing there may be backdoors in binary releases other than his own, James has a problem: he has to stop checksums. Any one of his users may checksum their "legitimate" firmware, and that checksum can be used to determine the authenticity of other firmware files - eliminating one of his sources of fear and doubt about other mirrors. His efforts to stamp out checksumming are straightforward: cut off the subscriptions of any user who posts a checksum. Unfortunately for James, while he must feel compelled to do it, such actions are prima-facie evidence of his conspiracy. Read about one Sveasoft user's experience here.
It would also be interesting to see about James's small-claims liability for arbitrarily canceling the subscriptions of those who post checksums or criticism...
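The checksum comparison described above, as an added example (not code from the original post or from Sveasoft): a downloaded image is accepted only if its SHA-256 matches a digest that several independent users have posted. The poster names, the image bytes and the quorum of two are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a firmware image held in memory."""
    return hashlib.sha256(data).hexdigest()


def agreed_digest(posted: Dict[str, str], quorum: int = 2) -> Optional[str]:
    """Return the single digest that at least `quorum` posters agree on.

    Digests are normalised (whitespace, case) because forum posts vary.
    If no digest, or more than one digest, reaches the quorum, return None.
    """
    counts = Counter(d.strip().lower() for d in posted.values())
    winners = [d for d, n in counts.items() if n >= quorum]
    return winners[0] if len(winners) == 1 else None


def check_copy(image: bytes, posted: Dict[str, str], quorum: int = 2) -> str:
    """Classify a downloaded copy as 'match', 'mismatch' or 'unverifiable'."""
    expected = agreed_digest(posted, quorum)
    if expected is None:
        return "unverifiable"  # not enough independent agreement to judge
    actual = sha256_hex(image)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed sample data: a stand-in "firmware image" and a copy of it
# with one byte changed, as a modified mirror copy would be.
REFERENCE_IMAGE = b"constructed-firmware-image" + bytes(range(256)) * 16
ALTERED_IMAGE = REFERENCE_IMAGE[:100] + b"\xff" + REFERENCE_IMAGE[101:]

# Constructed forum posts: two users agree, a third posted something else.
POSTED = {
    "user_a": sha256_hex(REFERENCE_IMAGE),
    "user_b": sha256_hex(REFERENCE_IMAGE).upper() + "\n",
    "user_c": sha256_hex(b"unrelated file"),
}

if __name__ == "__main__":
    for name, img in [("mirror copy 1", REFERENCE_IMAGE),
                      ("mirror copy 2", ALTERED_IMAGE)]:
        print(name, "->", check_copy(img, POSTED))
```

A "mismatch" only says the file differs from what the posters hashed; it does not say why it differs.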
Regardless, relatively soon after this mess started, James decided to try a new tactic to beat both checksummers and subscribers careful enough to conceal their identity when crossing him: binary tagging...
- In order to more reliably catch subscribers who distribute the firmware, James has begun uniquely tagging binaries for each user. Of course, this is only effective if he also stops people from getting the source code. So, he split up his binaries and source releases - and has reportedly taken various measures to prevent or discourage his users from getting the source at all (i.e. refusing electronic distribution, charging exorbitant fees, and who knows what else). To the extent that the source is not readily available, or that a binary release differs from the source, this appears to be a direct GPL violation.
Undaunted, James Ewing has spiced up this illegal behavior with a bold new justification. Perhaps the boldest possible, given all the foregoing. Are you ready?
According to him, the GPL now no longer applies to his firmware.
- I know, it sounds amazing, but it's true - as you can see here, in his own words. The GPL is the only reason he had source code to start his little business with in the first place, but now, according to James, it doesn't really apply after all.
This should come as a surprise to people on Slashdot and at the FSF, where he just previously tried to justify his behavior as GPL-compliant.
He now appears to be claiming that because he put proprietary, non-GPL code in the firmware's "user space" (interesting concept for a firmware), the whole firmware is poisoned, and is no longer free and open.
(Still no word on how this new idea affects his source releases.)
Of course, none of this would have happened if that argument were really true; Linksys would (probably did) claim the same thing during their fight with the FSF, and all the sources James Ewing used never would have been released in the first place.
Linksys had to follow the rules, but for some reason, he thinks he doesn't. The mind boggles.
All of this is really academic. The whole Sveasoft firmware ("user space" and all) was GPL and on his website just a little while ago. And now some of it is not anymore?
Odds are extremely good that his newly proprietary "user space" (wland, web pages, etc.) are those same GPL materials with a few changes and a new license stamped on top.