Peacocks and crows in IT security

A field report on open source, competition, enforcement of rights, and the question of how to defend a fair and sustainable open source ecosystem.

Summary

This report describes a real case of misuse of open source software using the example of OPENVAS, the open source vulnerability management system we developed. A market participant had systematically integrated open-source code and data into its own products in violation of license and copyright laws and passed them off as its own work. Here, we report on the technical, forensic, and legal steps that were necessary to prove the misuse and effectively stop it, including warning letters, preliminary injunctions, and the involvement of platform operators. Special attention is paid to a case that was successfully brought in Germany for the first time to enforce the Open Database License (ODbL). The article is aimed at open-source developers, companies, and users and shows the requirements and costs associated with enforcing open source licenses—and why their consistent defense is crucial for a fair and sustainable open source ecosystem.

An in-depth analysis from a legal perspective has been published by IFROSS.

The peacocks and the crow in IT security

The Peacocks and the Crow

Fab. Aesop. 188. Phaedrus lib. I. Fab. 3.

A proud crow adorned itself with the colorful feathers of the peacocks and, when it believed itself to be sufficiently adorned, boldly mingled with these splendid birds of Juno.
It was recognized, and quickly the peacocks fell upon it with their sharp beaks to tear off its deceitful finery.
“Stop!” it finally cried, “you all have your feathers back now.” But the peacocks, some of whom had noticed the crow’s own shiny wing feathers, replied:
“Be quiet, you poor fool, these cannot be yours either!” – and continued to peck at it.

When software vendors want to adorn themselves with borrowed plumes, open source is an easy source. Of course, this is not compatible with open source licenses, but who cares? “What’s the worst that could happen?” some seem to say, and some even build their own business models on the work of others, which they then pass off as their own. Anyone who wants to fight back has a long road ahead of them and will have many interesting, not always pleasant, experiences along the way. We did exactly that, and here is our report.

With OPENVAS, we produce a globally popular and widely used open source vulnerability management system. Our project automates the search for security vulnerabilities in IT systems. We have around 200,000 tests to find security vulnerabilities, plus scanners to run them and applications to control the entire process from scanning to reporting. We provide an open source solution free of charge, as well as additional modules and services for our paying customers. This allows us to finance ourselves and also make the solution available to the community free of charge. What we do makes us at least competitive with our proprietary competitors (large international providers, mostly from the US), and in some cases even better. This also makes our code an attractive target.

We know many small providers around the world who offer their own products based on our open source solution. Larger ones sign contracts with us. Many comply with the licenses, others do not. Of course, this annoys us, but on the other hand, we prefer to put our energy into our project rather than engage in legal disputes somewhere in the world. But if a competitor goes too far, we take action. “Going too far” means changing copyright notices in our code and replacing our name with their own company name, ignoring attribution requirements, and violating open source licenses.

We have just successfully pursued such a case. We believe that the story is interesting for various groups: for open source developers, projects and companies, for people interested in legal issues (after all, we have set a legal precedent along the way – more on that later), and also for users of open source products and projects who are interested in the security of their supply chain.

There are essentially five things you need to successfully defend yourself against misuse: time, money, expertise, strong nerves, and a lot of patience. Expertise includes legal expertise, which means a good lawyer who is familiar with open source licenses. The jurisdiction in which you defend yourself is also decisive: you will always prefer the country in which your company is based, because this has several advantages, not least in terms of cost. The law under which the case is heard matters as well. If you want to defend yourself internationally, you also need a law firm with the appropriate resources or network; unless you are a large company with ample resources, you will not want to choose this route. We therefore conducted the proceedings discussed here in Germany, where our company is headquartered. The other part of the expertise is technical and forensic. After all, you must prove that your own code was used in the abusive application. If the other party does not fulfill its open source obligations and provide the source code, you must obtain the relevant code yourself and prove that your work is part of the products the other party is marketing. It is advisable to purchase the products through a third party so that the proof holds up.

Once proof has been provided, the next steps are as follows: issue a warning letter and, if the manufacturer does not respond, obtain a preliminary injunction from the court. This prevents the products from being placed on the market until the defect (the abusive and unlicensed use of the software) has been remedied. In our case, the products were also distributed via hyperscaler platforms such as Microsoft Azure. Based on the Digital Services Act, the platform operator can be notified that licenses are being violated; once the preliminary injunction is pointed out to it, Microsoft (in the case of Azure) blocks the products in its store, so they can no longer be distributed there. This is very helpful because it puts additional pressure on the product provider. Of course, it is only possible if you have plausible evidence, and gathering that evidence can be a lot of work, depending on how much energy the product provider has put into concealing the unlicensed use of third-party components. In our experience, advanced concealment techniques are used less often than one might expect: we were able to provide clear evidence both that the sources were ours and that their use was not a mistake.

In our case, extensions were also linked to our libraries in violation of the copyleft. To conceal the license violation, our copyright notice was added to their own extensions. When we discovered these manipulations, we were naturally astonished at the audacity and immediately investigated further. We found that we were not the only victims of this provider but decided to focus on our own proceedings for the time being.
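The forensic step described above, proving that shipped code is ours even after its copyright notices have been rewritten, and spotting our notice placed on code that was never ours, can be reduced to a repeatable check. The following is an added example written for this report, not tooling from the project or from the proceedings: it fingerprints each file by its code body with attribution and comment lines removed, matches product files against the upstream tree, and classifies what happened to the header. The file contents, paths and the name "ExampleScan" are constructed for illustration.

```python
"""Provenance check: match product source files to an upstream tree by their
normalized code body and report what was done to the attribution header.
Added example; sample trees below are constructed, not real project files."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Attribution lines are the first thing edited when code is passed off as
# someone else's, so they are excluded from the fingerprint and inspected separately.
HEADER_RE = re.compile(
    r"^\s*(?:#|//|\*|/\*)?\s*(?:copyright|\(c\)|©|spdx-license-identifier|author:|licen[sc]e:)",
    re.IGNORECASE,
)
# Any other line that starts with a comment marker is also ignored for hashing.
COMMENT_RE = re.compile(r"^\s*(?:#|//|/\*|\*|\*/)")


def normalize(source: str) -> str:
    """Drop attribution/comment lines and collapse whitespace so the same code
    hashes identically regardless of how its header was edited."""
    kept = []
    for line in source.splitlines():
        if HEADER_RE.match(line) or COMMENT_RE.match(line):
            continue
        line = re.sub(r"\s+", " ", line).strip()
        if line:
            kept.append(line)
    return "\n".join(kept)


def fingerprint(source: str) -> str:
    """SHA-256 over the normalized code body."""
    return hashlib.sha256(normalize(source).encode("utf-8")).hexdigest()


def attribution_lines(source: str) -> list[str]:
    """The copyright/license/author lines of a file, as written."""
    return [l.strip() for l in source.splitlines() if HEADER_RE.match(l)]


@dataclass
class Finding:
    product_path: str
    upstream_path: Optional[str]   # None when the code body is not in upstream
    kind: str


def compare(upstream: dict[str, str], product: dict[str, str], our_name: str) -> list[Finding]:
    """Match every product file against upstream by code fingerprint and
    classify the attribution header: kept, edited, replaced, or misapplied."""
    by_fingerprint = {fingerprint(src): path for path, src in upstream.items()}
    findings = []
    for ppath, psrc in product.items():
        if not normalize(psrc):
            continue  # only comments, nothing to compare
        mentions_us = any(our_name.lower() in a.lower() for a in attribution_lines(psrc))
        upath = by_fingerprint.get(fingerprint(psrc))
        if upath is not None:
            if psrc == upstream[upath]:
                kind = "verbatim copy"               # header untouched
            elif mentions_us:
                kind = "copy, header edited"         # our name still present
            else:
                kind = "copy, attribution replaced"  # our name removed from our code
            findings.append(Finding(ppath, upath, kind))
        elif mentions_us:
            # Their own code carrying our notice, e.g. to make an extension look like ours.
            findings.append(Finding(ppath, None, "our notice on code not in upstream"))
    return findings


# Constructed sample trees (hypothetical project "ExampleScan", hypothetical vendor "Acme").
UPSTREAM = {
    "checks/ssh_banner.py": (
        "# Copyright (C) 2021 ExampleScan Authors\n"
        "# SPDX-License-Identifier: GPL-2.0-or-later\n"
        "def check(banner):\n"
        "    # outdated builds end with '-old'\n"
        "    return banner.endswith('-old')\n"
    ),
}
PRODUCT = {
    "modules/banner.py": (          # our code, our notice replaced by theirs
        "# Copyright (C) 2024 Acme Security Ltd. All rights reserved.\n"
        "def check(banner):\n"
        "    return banner.endswith('-old')\n"
    ),
    "modules/extension.py": (       # their code, wearing our notice
        "# Copyright (C) 2021 ExampleScan Authors\n"
        "def premium_report(findings):\n"
        "    return len(findings)\n"
    ),
    "modules/unrelated.py": (       # their code, their notice: no finding
        "# Copyright (C) 2024 Acme Security Ltd.\n"
        "def hello():\n"
        "    return 'hi'\n"
    ),
}

if __name__ == "__main__":
    for f in compare(UPSTREAM, PRODUCT, "ExampleScan"):
        print(f"{f.product_path}: {f.kind} (upstream: {f.upstream_path})")
```

On a real product the upstream side would be the released source tree at the version the vendor appears to have used, and the product side the files extracted from a copy of the product obtained through a third party; the fingerprint also survives reformatting and comment changes, which is exactly what makes a rewritten header insufficient as concealment.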

We had three goals when we started the project: to stop the misuse, to possibly obtain damages, and ultimately to impose the not inconsiderable costs of the proceedings on the other party. We have already achieved one goal: our injunction is legally binding and can no longer be appealed.

We have already achieved a significant legal victory in our proceedings, which has to do with the licensing of our product’s database content. Background: our solutions consist of three components: the application and system code with its associated binaries; many thousands of test scripts for vulnerability detection; and information on already known vulnerabilities and how to fix them, which together with the test scripts forms a large database. This database is licensed for our community product under the Open Database License (ODbL). The ODbL allows a database to be freely copied, distributed, modified, and used (e.g., for your own applications or analyses). At the same time, it ensures that derived databases remain available under the same freedoms: anyone who mixes an ODbL database with their own proprietary content must also place the resulting database under the ODbL, which makes it a copyleft license. The well-known geodatabase OpenStreetMap is licensed under the ODbL. In our case, an ODbL database was successfully defended in a license dispute for the first time in Germany. This resulted in a landmark decision that others can now refer to. We are very pleased about this.

And we are going even further: we have currently filed a lawsuit. This will deal with copyright and competition law issues, and will also address the issue of damages.

That sums up a process that has dragged on for several months and will continue into the future. If I were to draw a conclusion today, it would be a positive one: we have won on all important issues so far. We make open source stronger when we enforce its rules. Open source is a cornerstone of our business model, which is why it is important to us to defend this foundation. On the other hand, the effort involved is considerable. Our business purpose is to provide our users with the greatest possible security for their IT infrastructure, not to engage in legal disputes. We only want to do this in a very measured way and only where the prospects of success are high and the framework conditions are favorable (as in our case here, where we can operate within the familiar legal system). We would like to thank our excellent legal representative, Dr. Till Jaeger from JBViniol, and the outstanding forensic expertise of DN-Systems – without their help, we would not have been able to achieve these successes.

We have a list of just over 100 suspected cases, and we regularly receive reports of such cases from partners, the community, and employees. The conditions are not always as favorable as in this case, and the relevance is not always great enough. Where both are given, we will act against providers again, despite the considerable effort involved. We want a fair and healthy open source ecosystem, and particularly brazen violations – such as the one reported here – naturally trigger us. With this report, we also want to encourage others and – in keeping with the open source idea – share our knowledge.

Download
Regional Court Berlin II – Judgment, Case No. 15 O 299/25 (redacted version, English translation) – PDF