VIA Releases Source To Custom WASTE Client

daten writes "VIA has released the source code to their Padlock SL product, based on the Nullsoft WASTE code previously pulled by AOL. Padlock SL offers encrypted chat, instant messaging and file sharing over a private peer-to-peer network. Unlike WASTE, which is still under active development, the VIA client offers a graphical interface for both Windows and Linux users and simpler configuration."

passive

"Unlike WASTE, which is still under active development..." More like passive development on sourceforge

passive, because flawed?

IIRC, it's impossible to remove someone from your network once they are in. For corporate use this makes firing people more trouble. Rebuild the network when firing someone? For personal use this presents a problem too, it's easy to add a trouble user to your network (just one person need exchange keys with them), but hard (impossible?) to remove them. I wonder if VIA has addressed this with Padlock SL. I have yet to see anything that would suggest it, but then again I haven't taken a look at the source yet.

Also, off topic but amusing, when I was browsing around their site for more information I found this: http://www.viaarena.com/?PageID=306 [viaarena.com]

Re:passive, because flawed?

You can also snoop in on other people's "encrypted" messages, as long as you're part of the collective. Makes me wonder how encrypted other stuff is as well. But ya, the main problem is key management.

Another problem is this: Say Jane, Joe, and Pete are on the same network, but Jane hates Pete because he didn't call the next morning, so Jane deletes Pete's key. Pete is still allowed on the network through his long time buddy Joe, and Pete can even route through Jane. We tried some tests, and this actually works.

Re:passive, because flawed?

I don't see the problem, all you have to do is call the next morning.

how private?

Does anyone know how private this network is? Do you have to get a key from a member? Does it just use encryption? Any details on this?

Re:how private?

If I recall correctly the data sent over the network was encrypted using a very long key generated by asking you to move the mouse randomly for a period of time. Doing this for a minute or so ensures that you get a unique key.

Re:how private?

I can't vouche for Padlock, but I've used WASTE and yes, you need a key, and I believe all transmissions are encrypted. Pretty nice really, has an IRC like client and several other little features. I've tried to convince my friends to stop using my ftp and use WASTE instead (its ideal for groups of 50 people) but they've been slow to follow suite. Maybe I can convince them with this software instead.

Use WebDAV

WebDAV [webdav.org] -- a standard part of Apache 2 -- is the replacement for FTP. It only uses one TCP connection (HTTP extension), goes anywhere HTTP goes, can be used over HTTPS and thus be as secure as you like.

On the client side, it is already supported by KDE (use URLs like webdavs://server/dir/file.txt), GNOME, and MS Windows [mydocsonline.com]. There are also a few command-line clients, such as neon [webdav.org].

Is this legal?

Doesn't Nullsoft's page [nullsoft.com] on WASTE say " An unauthorized copy of Nullsoft's copyrighted software was briefly posted on this website ... Any reproduction, distribution, display or other use of the Software by you is unauthorized and an infringement of Nullsoft's copyright" ?

Re:Is this legal? - this text

NOTICE OF UNAUTHORIZED SOFTWARE

An unauthorized copy of Nullsoft's copyrighted software was briefly posted on this website on or about Wednesday May 28, 2003. The software was identified as "WASTE" (the "Software") and includes the files "waste-setup.exe", "waste-source.zip", "waste-source.tar.gz" and any additional files contained in these files.

Nullsoft is the exclusive owner of all right, title and interest in the Software. The posting of the Software on this website was not authorized by Nullsoft.

If you downloaded or otherwise obtained a copy of the Software, you acquired no lawful rights to the Software and must destroy any and all copies of the Software, including by deleting it from your computer. Any license that you may believe you acquired with the Software is void, revoked and terminated.

Any reproduction, distribution, display or other use of the Software by you is unauthorized and an infringement of Nullsoft's copyright in the Software as well as a potential violation of other laws.

Thank you.

Nullsoft

I asked FSF, and FSF said...

I asked FSF, and FSF said:

"If WASTE's release was unauthorized, you have no rights to do anything with the software. I am not certain what you could be required to do, by law, should you be found to possess a copy."

"Unfortunately, there is no good way to determine whether or not the release was authorized or not. We are currently presuming that it was unauthorized, until we see convincing evidence otherwise."

Re:Is this legal?

WASTE files contain the following license at the top:

/*
WASTE - main.h (a bunch of global declarations and definitions)
Copyright (C) 2003 Nullsoft, Inc.

WASTE is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

.....

How can it be "unlicensed" if it has GPL license on each file?

On a related note: VIA is releasing their "PadLock SL" under GPL too.

Re:Is this legal?

We went over this in the story when WASTE was pulled in the first place. Basically the counter-argument (no idea who will win in court since IANAL but anyway) is that Frankel was an officer of Nullsoft, and the copyright is held by Nullsoft which is owned by AOL. As an officer of Nullsoft he had the right to release it since typically that's how he behaved when he released something.

There is a separate issue between him and AOL, discussing whether he had the authority to make the release. However, once an officer of a company releases something, it's going to be hard to say he didn't have the authority to do so.

(reposted) I asked FSF, and FSF said:

I personally asked FSF their opinion of the legal status of WASTE, and here's their reply:

"If WASTE's release was unauthorized, you have no rights to do anything with the software. I am not certain what you could be required to do, by law, should you be found to possess a copy."

"Unfortunately, there is no good way to determine whether or not the release was authorized or not. We are currently presuming that it was unauthorized, until we see convincing evidence otherwise."

But the thing is, I doubt anybody even cares. The logic in the P2P debate is always "I believe whatever supports my position, and I don't believe anything that speaks against my position."

In this case the FSF themselves say that they are presuming it to be unauthorized, and that therefore others have rights to do anything with the software.

But who cares what the FSF says, right?

Re:(reposted) I asked FSF, and FSF said:

This isn't about P2P. While waste is a P2P program, it's really not useful in the same way that Kazaa or similar is. It only allows you to share files with others on a small trusted network. (The way the network is designed, you must trust all users the same, which is stupid, but presumably it would have seen greater development inside nullsoft had there been a chance.)

The FSF saying it presumes it was an unauthorized release is prudent but equivalent to an assumption of guilt. Frankel had traditionally released software apparently at will, with nary a peep from AOL, but Waste drew fire. Given that precedent points to him being allowed to release the code, in order to prove that it was unauthorized someone is likely going to have to show that someone higher up the food chain than Frankel explicitly told him not to release Waste.

The FSF is not saying that they think it was an unauthorized release. They're saying that they have no idea, and that if you get busted the FSF's reaction will be "I told you so."

But as you say, who cares what the FSF has to say about it? They're not even involved. The GPL is covered by copyright law, not FSF law, which doesn't exist, so the FSF is irrelevant. The question is not whether the GPL applies in this situation, because clearly if he did not have the right to put the GPL on the code, then the code is not really GPL. (If you don't hold the copyright, you can't reassign it.) If he DID have the right to make the release, then the GPL certainly applies.

If you want to get a useful opinion from someone on this issue, talk to the EFF, because they're the only cavalry you can expect (hope) will come to the rescue if you are sued for doing something with the WASTE sources. Or at this point, possibly VIA, if you are a VIA customer using their release, though I sincerely doubt that they'd step in on your behalf.

Re:Is this legal?

... because Frankel was an idiot and sold his sole to them ...

Look, if AOL is dumb enough to buy fish from someone like Frankel, they deserve what they get.

Microsoft bought my halibut, and I, for one, am happy as a clam.

Re:Is this legal?

They say it, but that doesn't make it true. An agent of the company posted the software under the GPL. AOL/Nullsoft's dispute is with Justin Frankel if they contend the release was unauthorized. But released it was, and it is under the GPL.

Re:Is this legal?

If some Microsoft employee posts the Windows code under the GPL, that will not make the code GPL. If Frankel had no power to approve the release under the GPL, then it was unauthorized and the GPL does not apply.

Re:Is this legal?

If some Microsoft employee posts the Windows code under the GPL, that will not make the code GPL. If Frankel had no power to approve the release under the GPL, then it was unauthorized and the GPL does not apply.

Since Frankel had the power to release software under the GPL, and it was only after the software was released that his employers thought to limit his power to release the software, it is ok for us to continue to distribute the software.

Direct Download Links

for those that don't want to fill out the questionnaire

Windows XP Version [viaarena.com]

Red Hat Verion 9.0 [viaarena.com]

Installation Guide [viaarena.com]

User Guide [viaarena.com]

Ahhhhh

Encrypted chats via VIA!

Via?

Doesn't Via make chipsets? I don't understand where this is coming from...

Linked page is useful for figuring it out too: "Here you go, if you download it, give us feedback."

(I admit, I'm lazy and hope some fellow /.er will enlighten me :))

Re:Via?

Checkout VIA PadLock Hardware Security Suite [via.com.tw]. Their procs have built in AES encryption as well as a very high bitrate Random Number Generator. This allows their 1GHz procs to do encryption an order of magnitude faster than a 2.4GHz P4. So this software just takes advantage of and promotes their hardware.

JOhn

Re:Via?

VIA makes CPUs (C3), motherboards (EPIA), and graphics cards (S3 UniChrome integrated and DeltaChrome) too! BTW, PadLock is definitely a reference to the encryption engine in their C3 Nehemiah and newer - it means that their 1GHz C3 can murder a x.xxGHz Pentium 4 on encryption, all while barely taking any power. However, as soon as you go to standard integer or floating point, it SUCKS ASS. Integer performance is in the 300-600MHz Celery range, and FP performance is in the sub-300MHz Celery range.

VIA's system requires hardware

Via's system requires their hardware security implementations to work.

As the first step in working towards this objective, VIA was the first company in the world to introduce hardware-based security features in an x86 processor, as part of the VIA PadLock Hardware Security Suite, first with the implementation of the VIA PadLock RNG (Random Number Generator) in the initial Nehemiah core followed by the addition of a second RNG and the VIA PadLock ACE (Advanced Cryptography Engine) supporting AES encryption standards in the latest C5P Nehemiah core

From the description this is a sample application using their "Padlock" hardware

The VIA PadLock SL Utility is a sample secure messaging and information dissemination application with an advanced public key model and AES encryption for ultra-secure communication pathways between users.

Re:VIA's system requires hardware

Via's system requires their hardware security implementations to work.

From the user's guide:

PadLockSL utilizes hardware AES algorithm and random number generator provided in VIA C5P processor. The special characteristics PadLockSL has are outlined as below:
1.2.1 Support running on C5P system and non-C5P system
1.2.2 Automatically detect whether C5P ACE is available or not
If C5P ACE is available, use hardware AES in C5P ACE; otherwise, use software implemented AES when performing AES encryption/decryption
1.2.3 Automatically detect whether C5P RNG is available or not
If C5P RNG is available, use it as entropy source in random number generation routine; otherwise, use the random number generation device provided by linux.

Messaging

I used to work programming software that basically transmitted information between banks. I learnt one very simple thing that I think could be really helpful for the OSS community: Separate the message from the method of delivery.

Banks are obviously really paranoid about security. They also really need messages to get through, quickly. In the software that I worked on, you would basically configure it with a priorty list of methods that it could use to transmit the message. So the most secure and failsafe method would be the one it tried first. If that didn't work it would try other methods, gradually going down the list, which usually ended with Fax being the most primitive method.

So how is this relevant to the OSS community? Well, we all know email is pretty much broken. Businesses want message delivery that is 1) secure and 2) reliable. Email is neither. With OSS email clients, we should change our mentality a bit and treat them instead as messaging clients, with email being just one of the methods it might use to send the message. The first thing it might try would be a secure, peer-to-peer connection with the recipient of the message. If all OSS email clients followed the same standard - perhaps based on this WASTE code? - soon most messages might be sent by a better manner than email.

One day very soon, Microsoft is going to come out with a "better email". The OSS community will bitch about it, and then if it takes off they will try to copy it. I'd much prefer we did the innovating and MS had to copy... Come on guys!

Congress?!?

Why on earth do you think asking Congress to provide either a spam fix or a "secure and verifiable form of email" is a good idea?

We have seen the results of CAN-SPAM act. That should clue you in on the first point.

Next, you want a government specified secure mail protocol? I hate to be rude, but that is like asking for government specified quality literature. Any attempt at that would come out of committee dripping with pork fat, backdoored by every TLA in the country, overseen by a new agency that would tax it, and likely incapable of functioning in the real world.

Please step away from the crack pipe.

Interoperability?

Does anybody know if this can interoperate with Waste networks? I tried to get it into our waste network, and after changing the key header I got the keys to import into the waste clients, but connections still failed.

Anybody had more luck? Waste runs under wine, but there are a lot of annoying issues, and the port [dnetc.org] seems dead in the water.

Whew, some duplicate code there...

...as shown in the report [infoether.com] generated by CPD [sf.net].

That's quite a class:

[tom@hal pd]$ wc -l srchwnd.cpp
2503 srchwnd.cpp
[tom@hal pd]$

Winamp Unlimited Has The Full Story

Winamp Unlimited [inthegray.com] covered the complete story yesterday, for those of you who are interested. There are some links/information on there that haven't been mentioned with this discussion.

Justin Frankel's Reaction

Forgot to put this in the parent. Justin briefly posted his thoughts on the release, on his 04-21-04 .plan [1014.org]. From what I understand, he was quite surprised about the whole thing when he first heard about it.

Wow, I could swear I've written something like this before...

Wonder what will happen with that...

2 Sided Consent

How does this get in the way of the story from 13 April about needing both sides to contsent to chat recordings? If the solution to that is to allow 3rd party "wiretapping" of IM sessions, this would limit it severly.

Source Code

You can get the source code here....
http://www.viaarena.com/?PageID=401
Have fun!

Hardware level security ?

Anyone care to comment on how this fits in with all that palladium / DRM crap ? is it related in any way and / or is this a bonus that its under the GPL ?

nick...

CVS

So it's a P2P version of "Hotline". That's neat! It really is.

However, what I would like to see done with this project is someone tack some kind of version control system onto it. Once you do that, this could be the perfect "floating development board" system for projects such as PlayFair which cannot find shelter elsewhere due to legal problems and/or harassment.

Then all you have to do is move the transport layer from being straight P2P to the data being stored on FreeNet, and you've got a way to have totally public yet totally anonymous development of an "illegal" software application...

At the least, it could be interesting.

Re:CVS

Nope. Freenet is too slow at retrieving data and has too high a failure rate to be used for anything practically. Straight WASTE would be easier, and more practical.

Hardware Random number

At least the c3 [via.com.tw] has a hardware random number generator for better encryption. Sadly you need stepping 03 of the Nehemiah core, as I discovered when I got my motherboard and got Linux compiled to use it. I had a 01 stepping so it was no-go. Felt kinda cheated.
(as well as the low-noise really isn't all that lown noise)

RE: VIA Releases Source To Custom WASTE Client

I don't see the advantage of this over any other P2P app that already exists. Encryption strikes a dissonant chord with me in this case. If you want the advantage of public file sharing, what is the benefit of encryption, since you purposefully want to share information with the public already? There are plenty of encrypted chat programs already out there. I know Hushmail has an encrypted chat program, and I believe there are encryption plugins that exist for ICQ, etc. If I am missing something here, I welcome anyone to explain what the hoopla is all about.

but, but, but...

now people could haxor gunbound [gunbound.net].

How does it compare to SILC

SILC is exactly like IRC, but with added encryption. That means encrypted chat, and file sharing via DCC.

Still violates GPL

The WASTE code in Sourceforge still violates GPL. It still includes a bunch of RSA code that isn't GPL'ed. Some of it is explicitly under a license that is imcompatible with GPL, and the rest simply gives an RSA copyright notice and says nothing about licensing.

WASTE anarchist autonomous Networks

WASTE is real strong in being the first in several areas: purep2p, anarchistic (WASTE is the most anarchist p2p because it implements security culture, free association and mutual aid. This is thanks to it's Decentralization, Encryption and preferences/features) , passive to passive transfers (via [sic] unique routing), & in being 'illegal' open source I think more Open Source projects should reclaim proprietary ideas that were developed/discovered in places like public schools and return the knowledge to the public so we can be more self-sustainable and sharing. shutting down lifeless entities control over our intellect. padlock is not compatible I've tried. it's also got allot of disabled features. it's like a whitewash. my hope is that the sourceforge open source WASTE team http://sf.net/projects/waste/ kicks into action to make a mockery of this via project much like has been done to neomodus dc over dc++ , but this is a reverse hijacked fork protocall type thing. not that i think it even matters much. i value having a network name/ID and full control of options that are in WASTE and not in Padlock. there interface is kinda weak ,with huge buttons and striping? i guess just watch and see if they add the rest of wastes advanced features or make a more restricted program from the most anarchistic p2p i love and call WASTE.

Multi-source downloads?

Last time I checked, I don't think WASTE supported multi-source downloads (aka "swarming"). I'd love to use WASTE technology in a couple of applications, but I really want people downloading from multiple sources simultaneously instead of having to get the whole file from a single source.

Anyone know if this (or any other) WASTE-derived P2P solution supports this?

-Zak

A brief review...

VIA's release has only one real feature, that of the ability to use AES on their hardware, and possibly the linux client that actually works. The interface has been made gawd ugly, filled with blue and white crap, with a push button icon size of nearly 60x60 pixels each. It also sticks the huge disgusting logo beneath the main window, instead of a clean dialog box.

It is significantly less usable than the current WASTE client from waste.sourceforge.net . Further, it takes keys in a slightly different format, requiring you to change the header "WASTE_PUBLIC_KEY" to "PADLOCKSL_PUBLIC_KEY". The networks are otherwise fairly interoperable, although troublesome because of the key import thing. So if you really want to use padlockSL on an existing waste network, this is fine, AS LONG AS YOU'RE NOT USING A NETWORK PASSWORD.

For some inexplicable reason, VIA removed the network password feature, which immediately makes it worthless for connecting to any passworded WASTE network.

Summary, this thing is useless, except for those with VIA hardware, a strong urge to use their linux client, or if you have problems seeing certain icons, and need them about ten times larger.

New link!

Ok, the binaries are at http://padlocksl.viaarena.com/ [viaarena.com]. They have downloads for Win NT/2k and RH Linux 9.0. Maybe some debs can be made from them. :-) Still can't get to the sources. :-(

VIA has removed all traces of it...

VIA has removed all traces of the VIA Padlock SL application as of about 9:00am EST today. Interesting.

Just a quick hint...

You don't need to sign your AC posts

Re:Open Source?

Never mind. Stupid little me found the link _on the front page_ at last.. PadLockSL.src.zip [viaarena.com][viaarena.com]...

Re:Who cares?

WASTE does do things that the other clients do not, specifically for file sharing. I agree it's not the greatest when it comes to IM. The other file sharing methods you mention do not allow for easy 2-way transfer (except FTP but we know the flaws in that protocol). It allows you not only to download from other people, but to 'push' files to them as well. The WASTE protocol also handles relaying of messages so that multiple clients behind a firewall can still connect to WASTE networks on the outside.

Re:Who cares?

I think your missing the point of WASTE.

WASTE is designed for secure communications (IM, chat and file transfer) between small groups of trusted users.

Bittorrent, Kazaa etc are designed for the mass distribution of files amongst people you don't know.

The only similarities are that neither use a central server, and they can be used to transfer files. But how many protocols can't transfer files?

Re:Who cares?

POS systems aren't *fun* to develop. We only work on things that are fun for us. After all, we are doing this for fun - in our spare time.

No one has done anything like this before.

I mean seriously. It bundles in plausible deniability into the network protocol. Stuff that into your pipe and smoke it.

If you want to do skunkworks-style development, collaboration, or your just an 'ARRRRR net pirate then WASTE is a tasty morsel of goodness that is hard to find in other products.

Point of sale system, right. You don't do that open source because there's no point. Who'd use it that doesn't have a purchasing department and thus can be expected to outlay a little dough?

Re:Who cares?

BitTorrent, FTP, HTTP and KaZaa all are used for very different applications. WASTE is used for creating a private, enclosed and secure P2P network. Which of the above apps does that?

Re:USENET

Perfection? Dropped posts and a lack of distributed file sharing doesn't fit my description of "perfection".

I should get a *real* news server that has better post retention you say? Well, that costs money and WASTE/Kazaa Lite doesn't. USENET is great for many things, but not for all things.

Re:W.A.S.T.E.?

Yes, there is in the original. Care to explain this?

Re:Who cares?

> how about a usable Point of Sale system?

Fine, if you retailers want OSS to play ball and write them a POS system, then how about you get on the same field and publish a detailed requirements document publically, so that the community can get a start? The proprietary software community does have an advantage in that the client pays to have developers gather the requirements and perform production tests and so forth, but if there's an OSS solution out there, then all that you need is an integrator. But if all you say is "give me a POS system", you're going to get nothing useful back. And if you throw the requirements document over the wall and never come back with feedback, expect nothing after the initial attempt.

Hardware's another issue ... don't expect a lot of cash drawer, manager key, or card reader support without open hardware specs. If you really want an open POS system, you the retailer are going to have to lean on the register manufacturers -- the folks you're giving your money to -- to produce open specs. Otherwise don't expect people to write free software for a platform they cannot freely support.

Just compile Padlock on Mandrake

It's really easy to compile Padlock [viaarena.com] on Mandrake 9.2. First install libqt3-devel, the QT deveoper package. Then, call /usr/lib/qt3/bin/qmake and make, that's all.

You are kidding right?

Most current chat clients have had various encryption options for some time now...

Re:Unstable

Yes I meant AMD CPU, apologies... Its was more than an issue with Creative, it was some flaw in their PCI bus implementation with respect to bus mastering. Theres even a workaround in the Linux kernel for the issue. Since then I've been hesitant to use VIA....

I don't understand why my post is modded flamebait? I'm not trying to incite a riot or flamefest, just stating my opinion of via... sheesh.. looks like any monkey can moderate these days....

Re:Who cares?

How about wirting *anything* that hasn't been done 1000 times already?

I don't know whether the parent's view is accurate or not, but it does point out something I learned in [shudder] "diversity training".

In a successful organization, there are several types of individuals: those that do the R-and-D; the blue-sky dreamers who dream up uses for the stuff the R-and-D folks invent; the "people persons" who sell the products the dreamers dream up; and the accountants and production control bean counters who take pleasure in making sure that schedules are met and the bills are collected/paid. Take away any one group and the others are doomed to failure.

From my limited knowledge of OSS, it seems like it might be very heavy in the R-and-D department, but very, very light in all the others. They all are necessary.

Is this a strategic shortcoming of OSS? Are there some possible strategic alliances that might restore some balance?

I don't have any answers, but these seem like valid concerns.