Good-bye Bandits, Hello Security

Don Marti

Issue #78, October 2000

Don writes about the expiration of the RSA patent and the impact it will have on the Linux community.

This magazine should be coming out in September, right about the time that RSA Inc.'s US Patent number 4,405,829 expires. If you get this before September 20, be sure to visit the “RSA Freedom Clock” web site (see Resources) where you can count down the days, hours, minutes and seconds. (There's no legal precedent saying exactly what time a patent expires, so wait a day or two after the clock runs down so you don't risk infringing it.)

What does the RSA patent cover? A lot of securitysensitive software that uses public-key encryption, including both the Secure Socket Layer implementations in commonly used web browsers and servers, and version 1 of the SSH protocol, as commonly used for secure remote administration. As I write this, Linux distributions still can't legally distribute a lot of useful, interoperable security software. That will change when the patent expires, and my friends and I are going to have a big party somewhere in the Silicon Valley area to celebrate. Check your local Linux user group for the patent expiration party in your area.

Over the last year or so, we've heard a lot about how software patents, which became legal in the U.S. in 1981, stifle innovation. James Bessen and Eric Maskin conducted a study showing that “far from unleashing a flurry of new innovative activity, these stronger property rights ushered in a period of stagnant, if not declining R&D among those industries and firms that patented most”. And a legal minefield of intersecting patents threatens all software development, free or proprietary. Where the software patent mess intersects with important basic security work such as encryption, software patents interfere with the spread of best practices and can be a major security problem.

Software patents hurt their holders, too, by skewing their view of reality. Somehow, these patent holders assume that just because people are giving them money, those people must like them. Imagine a group of bandits who camp around a well in a desert and begin charging travelers for water. Real bandits would keep their weapons close by at night. But today's patent bandits seem to think that people want to do business with them.

Unisys, for example, owns a software patent on a compression algorithm called LZW, which is used in the Web's obsolete but common GIF file format. Unisys's web site carries the preposterous claim that “demand for LZW-related technology by web developers continues to grow”, when web developers are simply using GIF for compatibility with old browsers that don't support free formats such as PNG. There's no love for Unisys here. Like the bandits around the well, Unisys is getting paid because the travelers have no choice for now. But unlike the bandits, Unisys seems to think that the travelers are coming to them because they want to. When enough of the browser-installed base supports PNG, Unisys can say good-bye to their royalties, and the Web can say good riddance to a pretty dumb bunch of bandits.

RSA Security, Inc. is another set of bandits who are going to get a surprise right about now. Behind all their fluffy talk of “partners” and “solutions”, they're just charging people to draw from a well that U.S. taxpayers helped dig when we funded crypto research at MIT. As a nation, we give educational institutions special tax treatment. This isn't just because they grade our papers and answer our questions during office hours. Educational insitutions are about research, too, about extending the scope of useful human knowledge. Doing research as a non-profit and patenting the good parts for profit is a big ripoff any way you look at it. When the IRS finally starts raiding the big research “universities” such as MIT and google.com's little tax shelter, Stanford, I'll throw another party.

With a little scrutiny, and hopefully some long-awaited software patent reform, patent bandits will start to fade away as a security threat. The U.S. government's National Institute for Standards and Technology is selecting an algorithm as the new national Advanced Encryption Standard, and they're alert enough to not let the next RSA or Unisys seize control of the well. The AES web site says, “NIST hereby gives public notice that it may seek redress under the antitrust laws of the United States against any party in the future who might seek to exercise patent rights against any user of AES that have not been disclosed to NIST in response to this request for information”. Which is basically bureaucrat-speak for “try to run a patent burn on us, and we will go John Woo on your sorry ass”.

Thank you, NIST. But the next great threat to Linux security comes not from corporate software patenteers or government agencies seeking “IP Wiretaps Everywhere”. Since earlier this year, the bad old U.S. crypto export regulations are effectively gone if you make your source freely available. The threat comes from within. If you do a Linux distribution, pay attention. After this month, there is no excuse not to supply the best industrial-strength crypto available. So there's no excuse not to make security a design consideration instead of a sheepish warning after a distribution ships with a hole. Free clue with the purchase of every magazine: read the OpenBSD security page, and do that. If you can't afford to be in the security business, you can't afford to be in the Linux business.

At Linux Journal, we expect to see OpenSSL and OpenSSH well-integrated into the distributions. That's the easy part. Here's the hard part: don't load users up with potentially exploitable services. Please, don't let Marketing talk you into shipping Linux with a loaded gun duct-taped to the user's foot, just so you can put one more checklist feature on the package. The person who wants to install Linux at his or her company gets set back in the struggle every time someone publishes a security flaw in SquirrelTech Linux's network acorn-balancing d<\#230>mon. I don't care what all nifty-keen new software you offer—any user who wants his box to be a virtual food court of services should ask for it. The Bastille Linux project is an important step in the right direction, but its very existence shows that the mainstream Linux distributions are thinking about security about as much as a hog thinks about Feynman diagrams. The users who need security most—the beginners—aren't getting it right out of the box.

The world needs security-aware network administrators now more than ever. But a user shouldn't have to be one just to run Linux. If you ship a distribution with an installation designed for Joe Six-Pack, and a security posture so wide open that you need to be Rick Moen to lock down, then something is terribly, terribly wrong. And you don't have an excuse any more. “We can't ship crypto.” Wrong. See above. “Users expect standard services.” Wrong. Maybe UNIX-using graduate students do; regular people expect security. “Don't worry, it'll be behind the firewall.” Wrong. It's hanging out buck naked on a DSL connection. Or maybe it is the firewall. “If we change it, it'll be harder to support.” Wrong. How easy is it to “support” a root compromise? Thanks to the RSA patent's expiration, the time for security excuses is over. Don't let marketing weenies make security policy, and you'll be issuing a lot fewer security advisories.

Resources

Don Marti is the technical editor for Linux Journal. He can be reached at info@linuxjournal.com.