OWASP Podcast/Transcripts/021

De OWASP
Saltar a: navegación, buscar

Jim Manico

Richard is the founder of the free software movement, GNU Project and the Free Software Foundation. Richard is also a renowned hacker whose major accomplishments include GNU Emacs, the GNU C compiler, and the GNU debugger. He is also the author of the GNU General Public License, which is the most widely used free software license, which also pioneered the concept of Copyleft. Richard, can you start by taking us back in time to when you were at MIT and first began to feel that there was an ethical problem with proprietary software?

Richard Stallman

Well, first I should explain that what MIT did that was most important was teach me to appreciate free software, because when I worked at the AI lab, my job was to improve the free operating system that we used. I was not the only one doing this. I was part of a group which had previously developed the system, and we were making it better, so I got to experience a way of life in which people were free to share and change software. I had the experience, for instance, of meeting a cross assembler for the PDP-11, and I found one, but it was written to run on a different PDP time-sharing system, so it wouldn't run on our machine, so I had to adapt it so it would run, and I added more features to it, too. Then, somebody else wanted to borrow it and use it on a different PDP-10 time-sharing system, so he got it from me, and he adapted it and added more features. Then, we merged the two versions back together so we would maintain all of the features. This is how people did things the natural cooperating way, but then during this period of the 1970s, free software was disappearing in most of the world. By the end of the 70s, almost all software was proprietary, but we were an island of freedom and cooperation within that world of unkindness and subjugation. Then, Xerox gave MIT a laser printer called the Dover. Although in some ways it was a nice printer, it frequently got paper jams. When it was jammed, it would stay jammed for quite a while, because nobody worked near the printer, so it might stay jammed for a while without anybody noticing it. As we got used to the idea that it would take a long time to print your job because it was probably jammed for a long time, we would just wait longer and longer before going to look for our jobs, except we would then find it jammed and then we would fix it. It was just ridiculous. Now with our previous printer, which also got jammed but was much slower, I had implemented a couple of features that helped us cope with the limitations of the physical printer itself. For instance, when it finished your print job, it would display a message on your screen saying your job is finished. Now, this is not easy, because it required cooperation between the PDP-11 that ran the printer and the PDP-10, but both of those were free software, and I was able to change them both. Then there was another feature. When the printer got jammed, ran out of paper, or had any trouble, it signaled the PDP-10, which would display a message on the screen of each person waiting for printing. Those were exactly the people who would have a strong motivation to go immediately and fix it. As a result, it still got jammed, but it didn't stay jammed for very long. When I saw that the new printer also had problems with jams, I wanted to implement the same feature, but I couldn't. The reason is because the program that ran the new printer was proprietary. We did not have a source code, and we could not change it at all. There was nothing to do but suffer. Then, sometime later, I was visiting Pittsburgh, and I had heard that somebody at Carnegie Mellon had a copy of that source code, so I went to his office and asked him to give me a copy, expecting that per the customs of our community he would share it with me, but he refused and said he had promised not to give me a copy. I was stunned. I didn't know what to say, so I just turned around and walked away. It rankled, so I kept thinking about it. I realized that he had betrayed us at MIT, according to the principles of our community. Then I realized that he had not just done that to us, he had done it to you also. In fact, he had done it to everybody, everyone in the world. He had betrayed the whole world. That reminded me of the evil emperor Cao Cao in a famous Chinese novel, which I had read in translation a couple of years before, whose most famous saying was 'I would rather betray the whole world than have the whole world betray me.' Whereas Cao Cao had only spoken of that possibility, that man had actually done it. This is what showed me that I was dealing with an ethical issue here. I had already learned to appreciate cooperation and sharing and to practice it. I had already realized that not sharing was not nice, but here I realized that by signing that nondisclosure agreement, he did wrong to me and to everyone else in the world he was promising not to share with.

Jim Manico

Richard, the OWASP community, although we are not purist in terms of free software, we do a lot that is in sync with free software philosophy. In particular, we release a great number of free tools and software for the community. Because of the nature of how open OWASP is, there are some rather famous folks in the industry who have called us a bunch of communists and hippies.

Richard Stallman

Well, they are showing what they want. What they want is to subjugate other people, and they are going to call you nasty names if you give people freedom, so take it as a badge of success. I do want to ask you to do something. It is very important not to steer people towards non-free software. I suspect that you are trying to serve a large community of users, some of whom do use non-free software or don't care about their own freedom and they are inclined to use non-free software. Well, you can't control what they do, but you do control what you do and what you say. I would like to ask you to please not, even if you recognize that some people are going to use non-free software, please don't grant legitimacy to that practice in what you say. In the GNU Project, many of our programs are designed to run on non-free systems, as well as free systems. A lot of our programs will run on Windows and Macintosh, for instance, which are both very nasty proprietary systems that have back doors. Microsoft can change the software in Windows any way it wishes at any time. Apple can change the software in Mac anyway it wishes at any time. You couldn't imagine a more gaping and dangerous back door, but we do not refuse to let our software run on those systems, and it seems to be overall a good thing that our software does run on them. It gives people a taste of freedom and then they may want more, so it is perfectly natural if you also want to distribute software that can run on a lot of platforms, including non-free ones, but what I hope you will not do is suggest that people install a non-free program. You can't stop them. It's not your responsibility to try and stop them, but you shouldn't encourage them.

Jim Manico

Richard, free software is distinct from open source, and a lot of authors get this wrong. Would you mind discussing for us the clear distinction and difference between free software and the open source movement?

Richard Stallman

Well, I first should explain what free software means. Free software means software that respects the person’s freedom and the social solidarity of the user's community, so it means that you have freedom as the user of the program, so it is free as in freedom. It does not mean zero price. We are not talking about gratis software. We are not saying that you should give copies away. What we are against is not selling. It is not a matter of price at all. Price is a side issue, a detail. It is an issue of respecting the user's freedom. There are four particular freedoms that are essential and that define free software, if you, the user, have these four freedoms. Freedom 0 is the freedom to run the program as you wish. Freedom 1 is to study the source code and change it to make the program do what you wish. Freedom 2 is the freedom to help your neighbor, which is the freedom to redistribute exact copies when you wish. Freedom 3 is the freedom to contribute to your community, which is the freedom to distribute copies of your modified versions, supposing you have made some, when you wish. With these four freedoms the users have control over the software, both individually and collectively, and they are free to cooperate, so the idea of the free software movement is that users deserve these freedoms. As a developer, it is your ethical imperative to respect these freedoms. As a user, you should reject any program that would deny you these freedoms for the sake of your own freedom. Also, if you are required to agree not to share the program, then you are doing wrong to others as well. Now, these are the ideas of the free software movement, which I founded in 1983 when I announced that I was going to do the GNU Operating System. The GNU Operating System was completed when Linux the colonel was released as free software in 1992. Linux was first developed in 1991, but it was not free software in 1991. Its developer made it free in 1992 and at that point, it filled that last gap in the GNU system, which was already almost finished. Then we had a complete operating system, which is the GNU/Linux system. It started to catch on, so during the 90s, more and more people were using it. There was a political and philosophical disagreement within the community between those of us who said that freedom and cooperation are the most important things and people who said that they mainly wanted powerful, reliable, efficient software. Of course, both could use the same software and both could cooperate in developing the same programs, but these are two fundamentally different ideas of what it is all about, so by the mid-90s, this disagreement was very strong and in 1998, the people in the second group, those who did not see the difference between free and non-free software chose the term open source instead. By using a different term, they were able to leave out certain ideas of the free software movement by simply never mentioning it. That is what they did. They chose to present the matter as purely one of practical convenience and not to say anything more important than practical convenience is at stake, so that's the big disagreement at the lowest level. It's a disagreement about values.

Jim Manico

Can you live with the term FOSS, Free Open Source Software?

Richard Stallman

I would rather we use the term FLOSS, which is Free/Libre Open Source Software. The reason I prefer it is that it gives sort of equal weight to the Free/Libre and the open source, so it is fairer to us, but basically those two terms represent an attempt to cite both of these two philosophical camps. Now,sometimes that is a sensible thing to do. For instance, there are people who are studying the practices of development teams. They are not concerned with the question of why do you do this and what are the values, so for them to use this term such as FLOSS and mention both camps without taking a side, it makes sense in what they are doing. I do not object to that, butI do not talk about what I am doing as FLOSS or FOSS. I say that I am an activist in the free software movement because what I want is freedom, not just mine, but yours as well.

Jim Manico

I think one place where the rubber hits the road in that area is the difference between GPL and LGPL. Can you talk to us about LGPL, and when is the only appropriate time to use it and still be in line?

Richard Stallman

Well, actually I better start by talking about the GNU general public license or GPL, because that is what we would contrast the LGPL with. The GNU GPL is the license that I wrote. It is a free software license, but it is not the only one. There are many free software licenses. Any license that gives you the four freedoms is a free software license, but I wrote the GNU GPL to try to do more than that. I wanted to do the most I possibly could to establish freedom for all computer users. Particularly, when I wrote a program and made it free, I wanted to make sure that every user who got the program would get the four freedoms. Now, there are other free license distributors, for instance the X11 license and the two BSD licenses, which permit non-free modified versions. That means that person A can release a free program and person B gets a copy with the four freedoms and then either modifies it or just compiles it and distributes copies as proprietary software, so if person C gets a copy of that, then person C does not have the four freedoms. Now I looked at that. I have seen that happen already. I realized that for the goals of the free software movement, that would be failure because we would make a nice program that person B would get the benefit of freedom, but then person C, D, E and maybe a million people would not get freedom. Thus, we would mostly have failed, so I designed a license to prevent that from happening. The GNU GPL says yes you are free to redistribute exact copies or redistribute modified versions, but when you do, you must respect the freedom of the people you redistribute to. You have to pass the freedom on to them as well. Thus, we make sure that everybody who gets any version of the program gets freedom also, so that is what is special about the GNU GPL. It is called Copyleft. Legally, it is implemented using copyright law because copyright law exists, but it uses copyright law to achieve a rather unusual purpose, which is not what it is typically used for.

Jim Manico

So you are using copyright law to subvert copyright law?

Richard Stallman

Well, yes and no. Remember that there are many different methods that are used to make a method proprietary. Copyright is one of them, but contracts are also used. I am sure you have heard of user license agreements. Those are contracts and they are also being used to make software proprietary. Another method is simply not releasing the source code. Now if the users do not have the source code, they might have Freedoms 0 and 2 to run the program and redistribute exact copies, but they do not have Freedom 1 to study and change the source code, which means that it is almost impossible for them to make modified versions, so they do not have Freedom 3, which is the freedom to redistribute those modified versions, so I have to try to prevent all of these methods of making a program proprietary. The only thing I could use to do it was copyright law. Nowadays, there is another method of making programs non-free, and that is tivoization, which is the practice of delivering a program preinstalled in a device and building a device so that if a user installs a modified program, the device refuses to run it at all. This is a way of practically speaking, eliminating Freedom number 1. In any case, I developed the GNU GPL to make sure all of the users would have these freedoms, but then a few years later, the free software foundation was developing the GNU C library at the end of the 80s. I had to think about how to release it. I realized that if we released the GNU C library under the GNU GPL, then you would only be allowed to link it into free programs. The result would be that non-free programs just would not run on the GNU System at all. It would be illegal to link them to the GNU System. It occurred to me that if we pushed against that particular wall, the main effect would be to push us backward rather than push the wall back, so I decided as a tactical decision to give permission to link the GNU C library into proprietary programs, not that those proprietary programs are ethically legitimate, but the conclusion was it would be self-defeating to try to prohibit them from being run on top of the GNU C library. Not only that, but there are free programs under other licenses, and if you were running them on the GNU System, you would need to link them with the GNU C library also, so this is why I made the decision to write and use the GNU LGPL, which is now called the GNU Lesser GPL, but originally it was called the GNU Library GPL. I changed the name when I realized that the old name was giving people the wrong idea. They saw a library GPL…Well, I am writing a library. That means I should use this license. I do not think that you should always use the lesser GPL for every library. You should make a tactical decision, because it is goods. Sometimes it is better if the library is under the ordinary GPL and is only available for use in free programs. That gives free programs an advantage, and I need every advantage I can get, but then there are some certain circumstances where it is tactically better to release something under a permissive license. For instance, one of the big battles that we are fighting is to convince society to invite OG formats, which are non-patented formats for audio and video. Most of the formats typically used are patented and in many cases secret, which is a big problem for free software. Well, if we want people to distribute in OG formats their audio and video, we want to make it as easy as possible for people to play those formats. That means that we want to encourage everybody that is making a player to install the support for OG, which means we better take away any obstacles. The player code was originally released under the GNU GPL, and someone suggested to the developers that it would better to switch to a simple permissive license, and I agreed that was a good idea for tactical reasons, so in fact the choice between GPL or LGPL or a lax permissive license, like the X11 license. This is not the same thing as choosing between free software and open source. All those licenses are free software licenses, and they are all also open source licenses, so the difference between free software and open source is a matter of your values.

Jim Manico

Richard, those of us in the web world are huge users of Apache software, and I saw that the Apache 2.0 License and GPL3 are compatible.

Richard Stallman

Yeah, I worked on that. It was not exactly easy, but we managed to implement that compatibility, and the reason is that it is practically convenient to merge code from a GPL covered program and an Apache license covered program, so now if the first program is under GPL Version 3 or if it is GPL Version 2 or later, which allows you to use it under GPL Version 3, then you can merge them.

Jim Manico

On a similar note, I used the jQuery JavaScript Library quite extensively in my own projects, and this is licensed with both GPL2 and the original MIT license. How can I build rich JavaScript functionality into my JavaScript applications without being pressed or pressing my users into it?

Richard Stallman

Well, let me explain. First of all, that combination of licenses is a little bit silly. When you say MIT license, I think you mean the X11 license. Now,that is a totally permissive license. In fact, that is so permissive that you could just put that in a GPL covered program, so they do not need to release it under the GPL because they already went further than that by releasing it under the X11 license. There is no problem. It is just that they could have presented things a little bit more simply and got the same result. In any case, there is no reason why you should not use that program. It is free software. I have never written even one line of JavaScript, so I cannot give you any specific recommendations, but I can warn you that a lot of websites distribute non-free JavaScript programs to their users. Because it gets downloaded silently into the browser, you do not even know if it is happening. As I see it, getting a non-free JavaScript program loaded into your browser is just as bad as having a non-free C program installed through your package manager. The main difference is that you would notice the installation of a package through your package manager. Programs are not normally doing that. Typically you have to be rude to install a package and most of your programs do not run as root, so nobody tries to just quietly on the sly install packages, but they do write websites to send you JavaScript programs that get silently installed into your machine, so we need to make sure our freedom is respected there also. Part of that is just that the source code of the JavaScript programs need to be available and released under a free software license, but there is another issue too. Suppose somebody releases a free JavaScript program, and you decide to change it and decide you want to use your version. Well, you need to be able to make sure to run your version instead of what comes in the webpage, so we need browser features that allow you to say, when I visit such and such page and it comes with this JavaScript program, do not run it, run this other program instead, or patch it in this way and run the patched version. Greasemonkey almost does it, but not quite. The reason it falls short is that it does not guarantee to patch the JavaScript before it gets to run, so the script that is in the page will actually run before Greasemonkey gets a chance to do anything, but something sort of similar which did not have that particular problem would do the job.

Jim Manico

Richard, could you take the basic concepts of free software and apply them to other works, such as music or books?

Richard Stallman

It seems to me that we should divide books into three broad categories based on what kind of contribution they make to society. They first category is the works of practical use, the works that you use to do a job. The second category is works whose contribution to society is to say what certain people think. The third category is works of art and entertainment, whose contribution to society is in what it feels like to enjoy the work and the impact of the work, so these are three different ways of contributing and each one leads me to different conclusions about what freedom we must have in using these works. The first category, the works that you use to do a job, would include software programs, recipes for cooking, educational works, reference works, text fonts, and various other things that you could think of. I believe that those all must be free. The same four freedoms apply because you are using those works to do a job and that means that you need to be in control of the work. You need to be free to change it to do the job that you want to do and do it the way you want. Once you change it, you need to be free to publish your version so the other people whose needs are like yours can get the benefit of what you have done. It turns out that it is absurd to try to forbid redistribution of exact copies when you permit distribution of modified version, so my conclusion is that these works have to be free. I do not reach the same conclusion about the other categories. For instance, category two is the works whose contribution is to say what certain people think. To publish a modified version of that is to misrepresent those people and that is not a contribution. That is not useful, so there is no reason to insist that people be free to do that. Thus, I suggest a reduced copyright system, which is mostly the same as the present one with one difference. Everybody must be free to non-commercially redistribute exact copies. In other words, we must have the freedom to share, so I do not say that these works have to be free, but I do say they must be sharable, which is a weaker criterion. It does not mean that you get the full four freedoms. It means that you get Freedom 0, the freedom to use the work yourself as you wish, and part of Freedom 2. That is the non-commercial part of Freedom 2, because Freedom 2 is the freedom to redistribute exact copies, and that could mean commercially or non-commercially. For these works, I think non-commercial distribution is freedom enough. Now this freedom, this minimum freedom to non-commercially share, is the freedom we must all have for published works, because the only way to take this away from people, given that people find sharing so useful and so important, is with absurd, cruel, Draconian laws. What we see the RIAA doing and similar efforts in many other countries is the war on sharing, and it is evil. We must legalize sharing, but that does not mean going all the way to giving the four freedoms. I don't think those are necessary for these works whose purpose is to say what certain people think. The last category is works of art and entertainment. For these, modification can be useful, because a modified version of a work of art can be a contribution to art. In fact, apropo of this, I was just watching Sita Sings the Blues, which is an interesting example of reusing songs that were sung a few decades ago. It is a very good way of reusing them, so I think that people must be free to do that, but they don't have to be able to do that immediately, so I propose that copyrights should last for ten years and during those ten years, everybody should be free to non-commercially share, because that minimum freedom must be there for any published work. Anything else could require, such as commercial use or modification, would require permission. Then, after ten years, the copyright should expire and then people should be free to reuse that in other works of art and so on.

Jim Manico

Richard, I recently bootlegged a copy of Revolution OS for my personal use only in compatibility with their license, and I see that you talked about stories early on in your career where you were trying to encourage users of a system to have a blank password, and those who didn't, you encouraged to change their password to a blank password. From OWASP perspective, we think a lack of a password policy is a major critical vulnerability. Would you care to talk to us about the relation of free software and security and web application security in any way, sir?

Richard Stallman

Well, they are not the same issue, and so the relationships are indirect. I'm not sure how many of you have experienced what it is like to do your work on a shared computer with security. It is basically living in a police state. You see, the administrators must maintain control, so they make the rule that anything that threatens our control, anything that looks like it is trying to escape from our control means you are subversive, and we will punish you. It is the same path that any other tyranny follows. The administrators can watch what you do. You can't watch what they do. They control you, you can't control them. It is nasty. Well, I had the good fortune to experience using a shared computer without security. There was no security on the incompatible time sharing system in the 1970s. What we did to keep the system working okay was we all looked around and we had a society, so what mostly kept people from destroying things of each other was that we were part of a community, and we all did not want to destroy things for each other. Now once in a while somebody would show up from the net who was inclined to make trouble, usually just because he wanted attention or was feeling miserable or something, but what happened was that when they saw that it wasn't hard, that there was no challenge to it, most of them would decide it was not fun anymore, because anybody could give the command to tell the system to shut down in five minutes, but somebody else could cancel the shutdown. People could not believe that they could really give this command, but they could. Once they gave the command and saw that they really could do it, somebody else who was using the machine and didn't want it to shut down would cancel the shut down. Then they did not have to do it anymore, so I experienced what it was like in a computer where the way we solved the same problem was not by maintaining rigid police control over everybody, but instead by integrating them into society, so that they became decent members of society and didn't damage other people. It happened regularly. In fact, I know of at least one person who is a professor at MIT now, but his first connection with us was as a tourist, basically logging in on our computers over the net with no other connection with us, but we didn't have any passwords, so there was nothing to stop people from doing that. Well, one of the several labs that was running the incompatible time-sharing system decided to put in passwords from sheer orneriness as far as I can tell, because they didn't actually need them anymore than we did, but they did, and I found that so ludicrous that I studied their password encrypting code, and I worked out how to decrypt the passwords. In fact, I wrote a list program to do it, so I just looked at everybody’s password and decrypted it, and then I sent them a message saying I see you chose the password such and such. Why do not you join me in having a null password? That would support the principle that there should not be passwords. Of course, when a person got this message, he realized that there was really no security anyway and that the whole thing was silly, so I got one fifth of the users to use the null string as their password. They were doing it, all of them, as aware of the meaning, which was rejection of the idea of having passwords on the machine. Now, it is somewhat different with a personal computer. It is not common nowadays to have lots of people sharing one big computer, because nowadays it is so easy to get…well actually it is a much more powerful computer, but everybody has his own. That computer was much less powerful than any machine you could buy to actually use as a computer today. It had I think two megabytes of memory for us to share at its maximum extension, so you can see what I mean, but back then computers were so expensive that the AI lab could only afford to have one, and we all had to share it, and there were two choices for how we could get along with each other. One was to have a policeman standing around with their guns watching everything, ready to shoot you if they saw you doing anything that looked like they were trying to escape from their control. The other was to say let's get to know each other, let's be a community, let's treat each other decently because we want to treat each other decently and not because there is a cop watching every minute. This is a fight for freedom. I would like to suggest that people take a look at GNU.org for more information about GNU and the free software movement. Also, take a look at FSF.org. At FSF.org, you can find the resource pages which tell you about almost 6000 useful free software packages that run on GNU/Linux. Also, they tell you hardware the works with free software and recommended configurations and other such things, so if you want to live in freedom, that information will help you do it. You can also through FSF.org join the free software foundation. I am a full-time volunteer. The FSF does not pay me, but it has other staff that are supported mainly through members dues.

Jim Manico

I think we got it. I think we are done, Richard.

Richard Stallman

Well, thank you, sir. It has been a pleasure.

Jim Manico

This is absolutely fantastic. I want to reiterate that I am only going to release in the OGG format.

Richard Stallman

By releasing also in OGG formats, you take away the pressure for people to use the patented MP3 format. A priori, I've got nothing against MP3, the problem is…in fact, there even is free software to play MP3, and there is free software to generate MP3, but some distributors are afraid to include it in their GNU/Linux systems because it is patented, and they are afraid that they will get sued, so we need to stop using it, so if you release also in OGG formats, at least that means you are not discouraging the OGG format.