Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Open Source GNU is Not Unix Networking Software

How Ubiquiti Networks Is Creatively Violating the GPL 225

New submitter futuristicrabbit writes: Networking company Ubiquiti Networks violates the GPL, but not in the way you'd expect. Not only did the kernel shipped in their router firmware not correspond to the sources given, but their failure to provide the source led to a vulnerability they created being unpatched long after its disclosure. They're maintaining the appearance of compliance without actually complying with the GPL.
This discussion has been archived. No new comments can be posted.

How Ubiquiti Networks Is Creatively Violating the GPL

Comments Filter:
  • But... (Score:4, Funny)

    by Gription ( 1006467 ) on Tuesday April 07, 2015 @12:48PM (#49423839)
    Isn't outing a manufacturer over product issues more of a Twitter thing?
  • by WillRobinson ( 159226 ) on Tuesday April 07, 2015 @12:54PM (#49423877) Journal

    Interesting, I have been looking at their WISP stuff for awhile, and one thing I liked was they were using lots of COTS and open source software. Funny I would not want to publish my code either, as apparently it was buggy, they would have been lash wipped by Linus!

    • by TheCarp ( 96830 )

      If you are so embarassed by your code as to not want to publish it, might I suggest you SHOULD be too embarassed to sell products based on it or otherwise distribute it in binary form.

    • Funny I would not want to publish my code either, as apparently it was buggy, they would have been lash wipped by Linus!

      Linus will only rant at bad code being submitted to the kernel mailinglist for integration into the mainline kernel. If you publish code on your own website, he's not even going to look at it.

  • by gstoddart ( 321705 ) on Tuesday April 07, 2015 @12:57PM (#49423897) Homepage

    And in what way is this not how I'd expect?

    Sleazy corporation skirts around rules, film at 11.

    • Re:What? (Score:5, Insightful)

      by NoNonAlphaCharsHere ( 2201864 ) on Tuesday April 07, 2015 @01:23PM (#49424107)
      Probably more like "Docs out of date with production code, film at 11".
      • My company (specifically, my department) uses and contributes to a number of open source projects. From time to time stuff gets lost in revision control and either a commit isn't upstreamed, upstream doesn't merge pull our changes right away, the patch hasn't made it to the mainline trunk or is staged for the next release.

        It's not completely uncommon for me to pull from an upstream project and hit a bug I know we patched and then have to track down that patch's merge history internally (sometimes it doesn't

  • edgerouter.. (Score:2, Interesting)

    by bored ( 40072 )

    I have the edgerouter POE, which is a fantastic piece of hardware, but it still doesn't support proper vlan tagging controls on the embedded switch ports. A feature I would add myself but the hardware isn't open enough to do it without a lot of reverse engineering.

    So, this makes me wonder if they are sort of stuck between stupid hardware companies and the GPL. They may not be able to publish changes to the open source products without violating their NDAs with the manufactures of assorted chips/etc they use

    • Re:edgerouter.. (Score:5, Insightful)

      by gstoddart ( 321705 ) on Tuesday April 07, 2015 @01:03PM (#49423945) Homepage

      So, this makes me wonder if they are sort of stuck between stupid hardware companies and the GPL. They may not be able to publish changes to the open source products without violating their NDAs with the manufactures of assorted chips/etc they use.

      You know, that's a self-inflicted problem, and not deserving of sympathy.

      Either you run closed source stuff and write your own stuff, or you comply with the GPL.

      It's a bummer if a small company got themselves into a predicament. But, nobody cares.

      I know you're not defending them, but honestly if a company decided it wanted to steal someone else's code and not play by the rules of the GPL, that's their own damned problem.

      From the sounds of it, they knew damned well they were not compliant.

    • by awing0 ( 545366 )

      I just (as in this morning) ordered a pair of radios from them for a point to point link. Can anyone recommend good competitors for ubiq's point to point radios?

      • by caseih ( 160668 )

        I haven't anything at that price point. I gave half a dozen their point to point devices and they rock. I get a full 100MBs over about 800 feet. I'm very happy with them. Hope this issue with the kernel source gets sorted out. They seem like a good little company and they have good affordable hardware.

        A local wireless ISP in my area uses their equipment exclusively. Works very well.

      • At that price point, and in that space? Cambium ePMP.
    • There's ways around the NDA problem: put that code in a separate place where it interfaces with GPL code, but does not require actually modifying the GPL code with anything NDA-tainted, for instance. If you can't figure out how to do that, then you really have no business working with this stuff. Or just use a proprietary OS like VxWorks.

    • I feel for small companies like Ubiquiti.

      So a multi-billion dollar company like Ubiquiti, which has made its CEO one of Forbes' 10 youngest billionaires, is a small company?

    • No, it's not GPL that is PITA but closed specs and NDA requirements. They're PITA no matter whether you're using BSD or GPL. So who cares if GPL prevents you from doing things in lawyer approved OCD way those companies want? It just won't work. At most you'll end up with some BLOB nobody maintains and which gets obsolete within a year.
  • Never attribute to malice that which is adequately explained by stupidity.
    • Get your axe out (Score:4, Insightful)

      by Lead Butthead ( 321013 ) on Tuesday April 07, 2015 @01:09PM (#49423989) Journal

      Never attribute to malice that which is adequately explained by stupidity.

      Never attribute to stupidity when it's a habitual offender.

      • Habitual? Do you have links to other instances? Also, how exactly are they not complying? My understanding was that compliance in this case requires that they offer up the source code for whatever they use. If they then make changes, there is no requirement to post their changes as well.

        • Re:Get your axe out (Score:4, Interesting)

          by gstoddart ( 321705 ) on Tuesday April 07, 2015 @01:35PM (#49424175) Homepage

          No, modifying the code means you have created a derivative work and need to release those code changes to anybody using it.

          Which is what the license has said for at least 20 years.

          There is no provision to make changes to GPL code and not release it.

          If you have an application which is only ever inside your corporate firewall, it's unlikely the people in accounting will want to see the source code. But you sure as hell can't modify it, build a product around it, and then not release those changes.

          Your understanding is wrong.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          GPL requires that you provide complete source code to binaries you distribute that are derived from that source code. That includes any changes that you have made and code you have added.

          So either you get a head start from the existing code and then share your changes. Or you write it all yourself. Pretty straight forward tradeoff.

        • Re:Get your axe out (Score:5, Informative)

          by gmack ( 197796 ) <[gmack] [at] [innerfire.net]> on Tuesday April 07, 2015 @01:45PM (#49424245) Homepage Journal

          The GPL is designed to avoid the "What's yours is mine and what's mine is mine" scenario where someone uses the code +their changes to always stay one step ahead of the free version and so the GPL requires that they hand over the full source with any changes they made that were used to build whatever product they shipped. If they made changes to the GPL code that were included in the shipped product, they must publish those changes. On the other hand, if they made changes they did not ship with any product(internal releases etc), they are under no obligation to release those changes.

          In this case, they are not shipping all of the changes they made to their source code that was used to build their firmware so that is a clear violation of the GPL.

          • Thank you for your polite response (unlike the three above you). I was asking a question and you answered it. I unfortunately can't bring up the link in TFS, as it is blocked by the corporate firewall, so I can't see what they did.

            I don't routinely deal with GPL code beyond just use, so am unfamiliar with the inner workings of the GPL.

            Thank you again.

            • I'm not trying to be rude, but this isn't some kind of secret, nor some obscure "small text" in the GPL license, it's the entire reason for the GPL. If you use GPL code at all, it's good to understand the license at a very basic level; furthermore, the GPL license itself is very simple as far as licenses go, and was intentionally designed that way because it's meant for developers and users, not lawyers to argue in courtrooms for $$$/hour. It's simple: if you're given access to GPL code by its copyright o

            • by cHiphead ( 17854 )

              My understanding was that compliance in this case requires that they offer up the source code for whatever they use. If they then make changes, there is no requirement to post their changes as well.

              Your self proclaimed understanding was incredulously incorrect and shows that you did not actually have an understanding of the GPL. Playing to some niceties of politeness when you yourself are bullshitting is less than honest, sir. You asserted understanding that was false. No need to get upset when someone attempts to correct your assertion.

              Have a nice day.

      • To be fair, stupid people act stupidly on a fairly regular basis.

    • Never attribute to malice that which is adequately explained by stupidity.

      Raise your hands if you have ever worked somewhere where there was an official build system and most developers did not get matching binaries from their development systems.

  • How will this impact BroadBand HamNet [broadband-hamnet.org] (formerly HSMM) which mainly targets Ubiquiti hardware, and obsolete Linksys stuff?
  • by account_deleted ( 4530225 ) on Tuesday April 07, 2015 @01:36PM (#49424191)
    Comment removed based on user account deletion
    • by mcl630 ( 1839996 )

      Your scenario would make sense if this was just a one time thing, but the issues with Ubiquiti have been going on for many months.

  • Well, this just screwed the legal pooch... your posting pretty much kills any recovery change you hd in court.

    They could easily claim:

    (1) Witness tampering
    (2) Jury tampering
    (3) Impossibility of a fair hearing (and they get to pick the venue; how's East Texas sound?)
    (4) They were attempting to remedy the issue, and this posting did irreparable harm to their business

    Most likely they are just trying to hide a hard-coded signing key.

    Most likely, you are just bitching because you can't run your firmware on their

    • (1) Witness tampering
      (2) Jury tampering
      (3) Impossibility of a fair hearing (and they get to pick the venue; how's East Texas sound?)
      (4) They were attempting to remedy the issue, and this posting did irreparable harm to their business

      If a single blog post were enough to make it impossible to get a fair hearing, then no one would ever get a fair hearing.

  • Slashdotted (Score:4, Informative)

    by ClickOnThis ( 137803 ) on Tuesday April 07, 2015 @01:49PM (#49424275) Journal

    The linked site in TFS is suffering from (possibly slashdot-induced) overload. Here's the text from the linked page:

    Four ways Ubiquiti Networks is creatively violating the GPL
    Ubiquiti Networks is a company which makes long-range wireless equipment. Admittedly, you can do some pretty amazing stuff with it, but the company has a dark history of securities fraud, violation of U.S. sanctions, trademark and copyright lawsuits and software patents, which isn't as amazing.

    In addition to this, they have been violating the GPL. However, because they did it creatively, most people don't know about it, and Ubiquiti still hasn't come into compliance.

    Here are four ways that they have succeeded in making the violations hard to notice, and even harder to act upon.

    1. Giving the appearance of compliance

    'You can find the complete and corresponding source in the GPL archive.'
    Ubiquiti had a website set up where you can download tarballs purportedly containing all GPL source for each and every firmware release. (I can't find it any more, but that doesn't mean that it isn't still there.) When you look through these tarballs, they appear to be complete, and there are build instructions which allow you to make your own custom firmware.

    It's only when you look closer that you start to notice problems, such as...
    2. Refusing to provide the source to their modified bootloader, even though they made changes that introduced security vulnerabilities

    Security keys
    Up until version 5.5.4 of Ubiquiti's airOS, the locally-modified u-boot bootloader contained a security issue - It was possible to extract the plain-text config from devices running the firmware, without leaving a trace. And the plain-text config contains unencrypted WPA/WPA2/RADIUS passwords.

    Even worse than this security issue, was Ubiquiti's response to it. Namely, they:

    Refused to provide the source code, even though u-boot is under the GPL
    Didn't fix the security issue for a long time after it was publicly disclosed

    To this day, Ubiquiti still has not provided the u-boot source code.
    3. Providing source code to a version of Linux, just not the one that they actually ship, and hoping that nobody notices

    Ubiquiti Source Ubiquiti Binaries
    It would be natural to think that the binaries that Ubiquiti provides were compiled from the source code that Ubiquti provides. As it turns out, for a large number of their releases, the kernel source given does not correspond to the kernel in the official firmware images.

    As evidence, consider that in version 5.5.4 of the AirMax firmware, the kernel was modified such that the MTD partitions would be read only, however this change cannot be found in the corresponding kernel patches or source.

    Such practices make finding violations extremely difficult, and we can't know for certain that they haven't done this with anything else in the GPL tarball. It's possible that this was just a mistake, but remember that people have complained about this without much of a response.

    And speaking of complaining...
    4. Dragging out GPL code requests for months on end, then inexplicably going silent

    Bureaucracy is a challenge to be conquered with a righteous attitude, a tolerance for stupidity, and a bulldozer when necessary
    In case you think that I am being mean to Ubiquiti by going public, please note that I have been trying to contact Ubiquiti for the past year about the issue of the u-boot source code. You can see my attempts here, here and here.

    In fact, I even got a copyright holder of u-boot to ask for the source, and they still haven't provided it.

    From my conversations with Ubiquiti, I have found that they claimed that it's alright to refuse to provide source code to GPL-licensed software if "This decision was taken with the security of the users in mind". Furthermore, my conversations were endlessly delayed by the supposed necessity to forward m

    • by Anonymous Coward

      In fact, I even got a copyright holder of u-boot to ask for the source, and they still haven't provided it.

      unless and until wolfgang pursues legal action, there really isn't anything that can be done for force the company's hand. and that's part of the problem. you have big giant company doing whatever the hell they want to, trampling all over the license and rights granted by a much, much smaller entity who cannot afford to do anything about it.

  • by Resol ( 950137 ) on Tuesday April 07, 2015 @02:09PM (#49424393)
    I used to work for a company that was meant to be a partner of Ubiquiti -- from the first meeting with Robert, one could tell this was not going to be a "share and share alike" partnership -- more likely it was going to be a one party gives, the other takes partnership. We as partners needed access to some parts of the code, and in meetings said we'd like to get the source, and given that it was built on GPL'd code, we figured it would be a non-issue. How wrong we were. Basically told that was never gonna happen, not for us, nor anyone else that wanted it, it was their IP. Robert's one of Forbe's 10 youngest billionaires. He's gotten stinking rich off others, and refuses to give back. It certainly douses your faith in the human spirit somewhat. Anyway, not that it's much better, but you can always buy from MikroTik (ducks! ;-) )
    • by don.g ( 6394 )

      Mikrotik appears to have its own GPL issues. And good luck getting OpenWRT to run on any of their recent devices :-(

  • by monkeyzoo ( 3985097 ) on Tuesday April 07, 2015 @02:24PM (#49424497)

    If you can spare a minute, please do any or all of the following so that we can retain the GPL's power to help the community:
    - Raise awareness - upvote it, send it to friends or write a blog post about it
    - Write to Ubiquiti requesting the source - their email addresses are support@ubnt.com and info@ubnt.com. You should try both.
    - Send me an email telling me what you've done. My email address is riley@openmailbox.org

  • This is too bad (Score:2, Informative)

    by Anonymous Coward

    This is too bad. They are currently the only supported hardware maker for one of ham radio's more interesting projects: A self discovering/healing/organizing mesh network providing WiFi networking over dozens of miles on the portions of the WiFi spectrum available to hams. http://www.broadband-hamnet.org The project still officially supports the venerable Linksys WRT54G, but official support for this router is ending this month and it is a pretty old router. Then again, when you use Ubiquiti hardware and th

  • What if this was an intentional backdoor so that they-who-shall-not-be-named can spy on internet traffic of closed networks and WISPS?

    And it was not included in the the source packages because the source is subjected to a gag order and publishing it would be showing it to the world.

    Lastly, if this is true, what if this is "standard procedure" for backdoors inserted into many open-source projects, where the code presented is actually a fork of the true, backdoored code, running on lots of hardware? Or, a
  • As the article said "the company has a dark history of securities fraud, violation of U.S. sanctions, trademark and copyright lawsuits and software patents".

    I personally discovered that their standard wifi board didn't follow the mini-pcie spec on flight mode (W_DISABLE). In fact there is no way, other than cutting power to the card, of disabling radio transmissions. Multiple inquiries on this topic were all met with stunned silence. At the time I was working for a substantial company buying boxes of car

Every successful person has had failures but repeated failure is no guarantee of eventual success.

Working...