Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Intel

Intel's ME May Be Massively Infringing on Minix3's Free Software License (ipwatchdog.com) 251

Software engineer (and IP Watchdog contributor) Fredrik Ohrstrom (a.k.a. Slashdot reader anjara) writes: Almost all Free Software licenses (BSD, MIT, GPL...) require some sort of legal notice (legal attribution) given to the recipient of the software, both when the software is distributed in source and in binary forms. The legal notice usually contains the copyright holder's name and the license text. This means that it's not possible to hide and keep secret the existence of Free Software that you have stuck into your product that you distribute. If you do so, then you are not complying with the Free Software license and you are committing a copyright infringement!

This is exactly what Intel seems to have done with the Intel ME. The Minix3 operating system license requires a legal notice, but so far it seems like Intel has not given the necessary legal notices. (Probably because they want to keep the inside of the ME secret.) Thus not only is Minix3 the most installed OS on our recent x86 CPUs -- but it might also the most pirated OS on our recent x86 CPUs!

This discussion has been archived. No new comments can be posted.

Intel's ME May Be Massively Infringing on Minix3's Free Software License

Comments Filter:
  • by Anonymous Coward on Sunday December 10, 2017 @12:36AM (#55709361)

    They're a corporation.

    Lol.

    • by NoNonAlphaCharsHere ( 2201864 ) on Sunday December 10, 2017 @12:39AM (#55709369)
      Corporationsare people, too, my friend. Thieving, evil, soulless people.
      • by gweihir ( 88907 ) on Sunday December 10, 2017 @12:45AM (#55709379)

        So jail them all? Not that I would be opposed...

        • by Z00L00K ( 682162 ) on Sunday December 10, 2017 @12:58AM (#55709413) Homepage Journal

          No, just force them to give everyone access to the ME and also how to disable it.

          • by AmiMoJo ( 196126 ) on Sunday December 10, 2017 @05:13AM (#55709767) Homepage Journal

            There isn't actually all that much they can do other than demand that every Intel CPU owner gets a copy of the copyright message. Minix was released under a BSD licence so Intel don't have to publish any changes or give up any access, the only requirement being that the acknowledge the original authors and their copyright with every copy they ship.

            At best they could force Intel to waste some money notifying people. Since Intel can't know the details of everyone who bought an Intel CPU (I hope) they would probably have to take out adverts all over the world. That could actually be good though, because it will create more negative publicity about the ME.

            • Re: (Score:2, Insightful)

              by Anonymous Coward

              This is copyright infringement on a massive scale that they've allegedly committed, not exactly something that a "Here's the notice I was required to show you." will fix.

              If giving notice is all that needs to be done, then I guess the MPAA should drop all of their lawsuits if the people that are allegedly sharing movies would just delete them. See how that just doesn't work?

            • That could actually be good though, because it will create more free advertising about the ME.

              FTFY. People don't care about the negative parts of it. They sure as hell wouldn't care about some copyright violation.

        • Fine Intel 2 shares of Intel stock per instance of infringement, or the cash equivalent, payable to the developers of Minix. That would put ownership of Intel into the hands of the Minix developers, or bankrupt Intel, or both.
        • by TheReaperD ( 937405 ) on Sunday December 10, 2017 @07:49AM (#55710137)

          I favor the corporate death penalty [nyupress.org]. And I'm not being facetious, in general. I actually advocate for a corporate death penalty. Equifax and Wells Fargo are perfect examples of why it is needed.

          • Most corporations could be expected to plead "Not guilty by reason of insanity" - as a juror, I would be tempted to accept the plea from many of them, including Equifax - provided the penalty is all directors being sent to the loony bin for life.
          • I generally favour not reducing a oligopoly to a monopoly. Corporate death penalties are usually worse on the market, consumers, workers, and people who own any kind of investments including retirement savings than they are on any of the people involved in the decisions for which you are demanding justice.

          • by gweihir ( 88907 )

            Make that not a "penalty", but a safety-measure to protect society and I am on board. I think there just needs to be a limit of how much damage to society a corporation is allowed to do before it gets dismantled.

        • So jail them all? Not that I would be opposed...

          To be clear, you wouldn't be opposed to the Government shutting down one of the two remaining PC chip manufacturers and granting a monopoly to the manufacturer who produces core computer parts all over the world?

          I think you didn't think this through.

      • by thsths ( 31372 ) on Sunday December 10, 2017 @04:32AM (#55709707)

        No, corporate employees are not usually evil. The secret of a commercial organisation is to diffuse responsibility, so that you can perform evil actions with non-evil employees. Everybody things they are doing the right thing, just following procedures etc, but the end result is often evil.

  • No (Score:4, Informative)

    by Anonymous Coward on Sunday December 10, 2017 @01:10AM (#55709431)

    "Intel's ME **May** Be Massively Infringing on Minix3's Free Software License "
    [Emphasis mine].

    No. They aren't Even the author of Minix thinks it's fine. He thinks it's rude they didn't even tell him. But but didn't have to.

    http://www.cs.vu.nl/~ast/intel/

    • by Z00L00K ( 682162 )

      Rude and flattering, but I think that the unwillingness to tell that Minix was used is due to the "security due to obscurity" reason.

      But now when the genie is let loose then it's more a question of when the ME will be hacked.

    • by raymorris ( 2726007 ) on Sunday December 10, 2017 @01:52AM (#55709495) Journal

      The Minix3 standard license is four sentences:
      http://git.minix3.org/index.cg... [minix3.org]

      The second clause / sentence of the license is:

      --
            * Redistributions in binary form must reproduce the above copyright
              notice, this list of conditions and the following disclaimer in the
              documentation and/or other materials provided with the distribution.
      --

      Intel did not comply with that. Intel violated the license. That's a fact. Tanenbaum isn't too mad about it, and that's fine. If he chooses not to sue them that's all well and good, but it doesn't change the fact that they did not comply with the license. Note Minix can ALSO be licensed under other terms - a company can contact the copyright holders to negotiate a different license, which may include payment. Intel didn't do that.

      They had no right to make and sell copies of Minix as part of their CPU, since they didn't do so under the normal license.

      Many years ago, Minix wasn't open source. It was sold for $69 / copy. After inflation that's about $150 in 2017 dollars. If Intel has unlawfully sold 500 million copies which they'd now need to pay Tanenbaum for - well he could be a very rich man if he chose to. Even at $1 per copy that's $500 million that Intel owes him.

      • by Waffle Iron ( 339739 ) on Sunday December 10, 2017 @02:22AM (#55709527)

        Maybe they *did* reproduce the copyright notice. For all we know, it might be etched somewhere on the CPU die in 100nm-tall characters.

        • by Megane ( 129182 )

          in the documentation and/or other materials provided with the distribution.

          Etching it on the CPU die, or even "it's in the binary somewhere!" is specifically not good enough. The ME's use of Minix being a surprise to everyone indicates that they in fact did not follow this term of the license.

      • by AmiMoJo ( 196126 )

        Even if he personally doesn't want to get rich off it, perhaps any settlement money could be invested in reverse engineering enough of the ME to replace the only currently unremovable bits, i.e. the early boot stuff.

        Or better still do the same for AMD parts, so that people who care about security and privacy aren't motivated to give Intel more money.

      • I think the big win here is that Intel is distributing license violating code in an encrypted form and now the question is what other violations are there. Since the only way to determine that is to give access to the decryption mechanism to actually be able to look at it ....you see where I'm going with this.
  • Nothing to see here (Score:3, Interesting)

    by Sephr ( 1356341 ) on Sunday December 10, 2017 @01:38AM (#55709463)
    Intel paid for a license and the parties involved are under an NDA.
    • Note that Intel doesn't violate IP, it licenses it. The idea that Intel could violate an IP law is ludicrous.

      • Re:SoSuMi (Score:4, Informative)

        by Bruce Perens ( 3872 ) <bruce@perens.com> on Sunday December 10, 2017 @02:40AM (#55709553) Homepage Journal

        The idea that Intel could violate an IP law is ludicrous.

        Ha ha ha ha ha he he. Haw. Snort.

        First, you can look at the number of patent infringement lawsuits against them, some of which they lost.

        Then, you can consider that any company, regardless of its size, can have a failure of due diligence.

        I get paid to fix them all day long.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I don't think there was money involved, and i don't think there was an NDA.
      http://www.cs.vu.nl/~ast/intel... [cs.vu.nl]

      But they had a license :)

      • "If nothing else, this bit of news reaffirms my view that the Berkeley license provides the maximum amount of freedom to potential users."

        In this case, clearly the maximum freedom for the distributor-user to remove the freedom of the end user has been achieved.

      • Slasdotted as cs.vu.nl appears, do we have a mirror?
      • by Megol ( 3135005 )

        Where did you see that they were exempt from the documentation part of the license? I also think that it is fine not documenting the use for this case but being interested in the development doesn't give a copyright/license exemption.

      • They had a license, but they didn't use it. They violated the terms so the license is null and void in this case. Tanenbaum is wrong when he says it is proof the license confers maximum benefit, since again, they didn't adhere to the terms of the license.
    • The author of MINIX, Andrew Tannenbaum, wrote a public letter about hearing that MINIX was in the Management Engine. He did not indicate that Intel had any form of special license or had even informed him that MINIX was in the management engine.

      He might not care that he's being infringed, he might not even have figured that out. But it really does look like he's being infringed.

    • Not sure. At least for a modern free software project, this would not be viable because there are too many contributors: you have to contact everyone who submitted a patch and get their agreement if you want to relicense their code.
  • by Anonymous Coward

    But honestly I think we still need to focus on developing CPUs and SoC for which the end-users have complete control over every aspect if we want to inevitably gain control over our devices. We also need a complete set of source code for other chipsets. From wifi an GSM modem chips to graphics and keyboard controllers. It seems that right now the only real project with any progress aiming to do that is EOMA68. Unfortunately this stuff take YEARs and we still don't ultimately have a card or standard complian

  • by williamyf ( 227051 ) on Sunday December 10, 2017 @01:46AM (#55709481)

    ... For now.

    1.) AST published an open letter, and the fact that the disclaimers are not posted does not seem to bother him much.
    See here: http://www.cs.vu.nl/~ast/intel... [cs.vu.nl]

    2.) Minix3 License, states that, when distributed in Binary form, the DOCUMENTATION has to reproduce the copyright notice and, well, there is no documentation whatsoever abut the ME.
    See here: https://github.com/Stichting-M... [github.com]

    Having said that, security through obscurity is not a sensible policy, and AST's courtesy is not enough. If intel is using minix, they should say so and print the license.

    • The license actuall says documentation and/or other materials provided with the distribution.

      So, your legal theory doesn't fly, sorry.

      • The license actuall says documentation and/or other materials provided with the distribution.

        So, your legal theory doesn't fly, sorry.

        I know #2 does not fly.

        But, who is going to sue intel for infringment?

        The copyright holder is AST, and he is quite ok with the current state of affaires.

        The other Option is Vrije Universiteit, and considering the amount of graduates that go work for ASML/Intel, I seriously doubt it...

      • I came back to add an addendum:

        My reply was don with all due respect. I was almost certain that #2 was not valid, as IANL. Far from me to catch an online fight with Bruce Perens. A fight which I am certain to lose.

        You being a prominent guy in FOSS, probably have more chances of making AST or the Vrije Universiteit to reconsider their stance and either request compliance, or sue Intel for infringement.

        In the meantime, again, only AST or Vrije Universiteit can demand intel to comply or sue them, and so far, t

    • For casual readers who don't know who "AST" is, that letter at http://www.cs.vu.nl/~ast/intel... [cs.vu.nl] is from Andrew S. Tannenbaum, the primary author of Minix. In the letter, he accepts Intel's current behavior quite explicitly. Andrew also complains, in a postrscript, about the use of ME as a spy engine. If Minix were published under a GPL, instead of a BSD license, Minix developers could demand that ME publish the source code for their modifications used to create the spyware. It is precisely that kind of sec

      • by tlhIngan ( 30335 )

        If Minix were published under a GPL, instead of a BSD license, Minix developers could demand that ME publish the source code for their modifications used to create the spyware. It is precisely that kind of secretive and abusive misuse of open source work that free software and the GPL licenses was designed to prevent.

        Nope, GPL wouldn't help you there, either. If Intel chose to use Linux instead, the spyware wouldn't be covered under the GPL. (And there's far more case history for this example than Minix -

    • Are the management engine binaries stored in the CPU or are they loaded from the motherboard? If the latter, the CPU doesn't ship with Minix and the notices should come with the motherboard, right?

    • by Megol ( 3135005 )

      And here I pop up again and point out that security through obscurity _IS_ added security and _IS_ a valid choice in a system otherwise designed for security.

      • by Nite_Hawk ( 1304 )

        What makes you think that? Security through obscurity just means that it will take longer for the majority of the world (including yourself) to find out about the flaws. All it really does is grant the people with resources to find those flaws a bigger window of time to operate on them before being caught.

        The ramifications are huge too. It's one thing to get hacked, it's another thing to get hacked and never find out (or never be able to plausibly claim that's what happened).

    • well, there is no documentation whatsoever abut the ME.

      You've never been to Intel's website have you? There is a fuckton of documentation on the ME. There is with pretty much everything that gets used for corporate resource management and that is one of the primary selling points of ME.

  • For those who wanted to know.

  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Sunday December 10, 2017 @02:25AM (#55709529) Homepage Journal

    . Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

    This does indeed require that something shipped with the hardware should say that MINIX is in there. Even if there is no documentation provided.

    The BSD license is the most infringed. Most companies get this wrong. Many of them can tell you why they don't use GPL, and then they infringe on the BSD license, putting themselves in exactly the same place (being a copyright infringer) as if they had used GPL.

    • by eddeye ( 85134 )

      This does indeed require that something shipped with the hardware should say that MINIX is in there. Even if there is no documentation provided.

      Not necessarily. The "and/or" conjunction is a bit sloppy. It indicates flexible interpretation, which can include that notice is only required if at least one of those things is provided (documentation, other materials). If neither are provided with the product, the BSD clause may not be triggered - at least under one reasonable interpretation of the languag

  • by Antique Geekmeister ( 740220 ) on Sunday December 10, 2017 @03:56AM (#55709643)

    You're quite correct. The Minix license is visible at https://github.com/minix3/mini... [github.com] .

    I'm not convinced BSD is the most infringed license, but you seem correct that infringing it is common place. One reason difficulty is that the BSD license does not have the clear consequences that GPL violation does, that violation loses access to all other GPL licenses from the same copyright owner. The Free Software Foundation has been using this successfully to enforce GPL compliance.

    • by AmiMoJo ( 196126 )

      I always thought it would be even better if the GPL cancelled the violator's right to ALL other GPL software, but I guess there probably isn't an international legal basis for that.

      • There's a common sense basis for that. The GPL isn't an organization or a collective. It's just a licence. A licence, regardless of which country's laws, or international law, cannot forbid the use of other things having the same licence. That would be a ridiculous ability for a licence to have.

        Such a thing would also work against the GPL more than help it. What if someone was infringing on one GPL project, but then was a very good contributor to another unrelated project? That other GPL project would su
        • by Kjella ( 173770 )

          A licence, regardless of which country's laws, or international law, cannot forbid the use of other things having the same licence. That would be a ridiculous ability for a licence to have.

          A license can obviously only retract rights to the same work it grants rights for. But the conditions for that can very well be external to the work, for example you can look at the patent retaliation clause in the Apache license which pretty much says if you sue anyone for violating any other patent infringed by this work, then all your patent licenses are terminated. As such it would be entirely possible to write a license where any other GPL violation would terminate this license. Now if that was a stand

        • Organizations with large suites of GPL licenses, such as the Free Software Foundation, are in a similar position to companies with large suites of software patents. If the licenses on one tool are violated outrageously, then the license for all components owned by that copyright holder can be withdrawn en masse. That would be a deliberate choice by the FSF. I will note that the FSF has always been _very_ careful about enforcing the GPL judiciously. Violators get every opportunity to comply voluntarily long

  • Intel do have lawyers, and free software folk that understand licensing.

    I'm sure they are capable of working out that all they need to do to be in compliance is to include the copyright notice somewhere in the binary blob that is ME.

    Has anyone actually been in a position to check if they did that or not?

    If not, I suspect that this is a non-story.

    Also, even if AST were upset enough to sue (which does not appear to be the case), I don't suppose it would cost much to shut him up.

    Are there any other copyright h

  • Comment removed based on user account deletion
  • I wonder if the folks that determine MInix was in it could face federal prosecution for DMCA.

    Sometimes it's not about right or wrong, but about how deep the pockets go.
  • Intel isn't often this stupid. I propose an alternate explanation - NSL by the TLA's demanded they add this backdoor. And can't talk about it. We know this happens to other firms. Occam's razor.
  • by cas2000 ( 148703 ) on Sunday December 10, 2017 @10:02PM (#55713509)

    copyright laws are for people to obey, not for corporations.

    copyright laws are for corporations to wield, not for people.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...