A recent copyright infringement (+ "threat to national security") lawsuit filed by a government contractor against its former employee highlights two terms the government frequently fears: open source and hacking.
Open source software (especially free open source software) is often portrayed by government officials as inherently unsafe to deploy. If anyone can see the source code, they reason, then surely anyone can exploit it. This institutional resistance is aided greatly by companies like Microsoft who would prefer to see lucrative software licensing contracts continue indefinitely. Not that "closed source" software is any more secure, as Microsoft itself (along with Adobe) can certainly attest. But that irrational fear remains, and greatly hinders the adoption of open source software by government agencies.
Hacking is another of the government's favorite boogeymen. The oft-abused CFAA has turned exploration of software and systems into a crime. The government uses the words "hacking" and "hacker" almost exclusively to denote criminal activities and criminals. This continues long after the words have entered the mainstream to reflect positive activities. (See also: the extremely popular Lifehacker website; any number of events with the word "-hack" appended that result in extremely constructive outcomes.)
Andreas Schou brought this restraining order granted by an Idaho judge to many people's attention on Google+. (H/T to unnamed Techdirt reader for the submission.) It's an ultra-rare "no notice" restraining order that resulted from a wholly ex parte process involving only the plaintiff, government contractor Battelle Energy Alliance. The restraining order allowed Battelle to seize its former employee's computer, as well as prevent him from releasing the allegedly copied software as open source.
Schou details how he heard about the case.
Yesterday afternoon, my good friend (and former client) got a panicked call from his wife. Attorneys for the government contractor he formerly worked for had shown up at his door with some sort of order, demanding to be let in to seize his computers. While his wife was held out on the lawn by private attorneys, the contractor's counsel tried to call in the sheriff to -- I guess -- break down his door.
My first thought, obviously, was: this is all some sort of misunderstanding. Because Corey [Thuen] -- who's a professional security researcher -- has worked for the government his entire career, both at the FBI and as a security researcher specializing in SCADA systems, cyberterrorism, and critical infrastructure. He's a straight-laced, church-attending guy with three kids and an admittedly strange job.
And here's what he's been accused of: threatening national security by open-sourcing a network visualization and whitelisting tool.
The arguments made in Battelle's original complaint were bought almost in their entirety by Judge B. Lynn Winmill. Battelle claims copyright infringement, alleging that Corey Thuen's software, Visdom, resembles its own Sophia software. As evidence of this, it offers the following:
- Thuen worked on Sophia and had access to the code.
- Visdom's name is remarkably similar to Sophia. (The short version: Sophia is the goddess of wisdom. Wisdom/VISDOM.)
- There's no way Thuen could have come up with his own program in such a short period of time without copying substantial amounts of Sophia's code.
Battelle also points out that Thuen's company, Southfork, made a bid to license Sophia but withdrew it a short while later, implying that Thuen's allegedly infringing copy made licensing the software an unneeded expense. (Thuen's response claims that Southfork withdrew its bid when it became apparent Battelle wasn't interested in pursuing an open source option.)
Schou points out that if Battelle had done any due diligence, it would have realized that its infringement claim -- especially the claim that Thuen couldn't have created competing software in that time frame without copying Sophia -- is just plain wrong.
Somehow, despite spending a great deal of money on a BigLaw firm and getting an unprecedented ex parte order for the seizure of critical business infrastructure, they didn't check Github. And if they had, they'd have found out that the open-source project is built in a different language, using open libraries. They'd have been able to check the code commits to look at the period the software was written in.
And they wouldn't have sued to begin with.
Thuen breaks it down even more simply in his response:
Visdom, unlike Sophia, makes heavy use of third party open source libraries to accomplish many of the tasks for which the Sophia development team had to write code ourselves. An example for illustration: as part of my work on Sophia, I created a scrollbar from scratch, which means I had to implement the click and drag behavior (along with buttons) that causes a scrollbar to do what the average user expects a scrollbar to do. Visdom, on the other hand, builds on top of other, third party components that make scrollbars inherent. In other words, on Sophia development I spent significant time creating basic components to a user interface, whereas Visdom did not require such efforts. Visdom's heavy use of open source libraries facilitated its development in a matter of several months.
As Schou states, it's also written in a completely different coding language. Battelle and its representation may think it's just a simple copy-paste job to "port" software from one language to another, but Thuen dismantles this misperception.
In developing Visdom, I specifically avoided any code, modules, sequences, routines, structures, screenshots, or any other materials that may have constituted some part of Sophia, based on my knowledge of Sophia as of the end of my access to it on or about August 2, 2012. Visdom is intended to solve the same problems as Sophia, but it is not a copy of Sophia, just as an electric car is not a copy of a gas-powered car simply because both are used for the same purpose.
What the judge determined to be "adequate circumstantial evidence" to justify ordering a no-notice restraining order (which included the seizure of Thuen's computer -- because he's a "hacker" -- more on that in a bit) completely falls apart when confronted with technical knowledge and observable facts.
Thuen's project is still listed at github where anyone can view related information, including development time, commits and, most importantly, the source code itself, where anyone with the technical knowledge would have seen that a) it pulled from other sources to speed production and b) it is written in a completely different language.
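The due-diligence check Schou describes (what language the repository is in, which third-party libraries it pulls in, and over what period the commits were made) can be scripted against any public repository. The following is an added illustration, not code from the case, from Visdom or from Southfork; it runs on a constructed git-log excerpt and a constructed package.json fragment, so the dates, files and library names are sample data only.

```python
"""Due-diligence summary of a public repository: development window, implementation
language by file extension, and declared third-party dependencies.
Added illustration only; the inputs below are constructed, not the real Visdom repo."""
import os
from collections import Counter
from datetime import datetime

# Constructed sample: one "ISO date<TAB>path" line per file touched by a commit,
# the shape you get by pairing `git log --format=%aI --name-only` output.
SAMPLE_LOG = """\
2013-03-04T09:12:00\tsrc/app.js
2013-03-04T09:12:00\tpackage.json
2013-05-19T14:01:00\tsrc/graph/render.js
2013-07-28T20:45:00\tsrc/whitelist.js
2013-07-28T20:45:00\tpackage.json
"""

# Constructed package.json excerpt standing in for the repository's dependency manifest.
SAMPLE_MANIFEST = {"dependencies": {"d3": "^3.3", "express": "^3.4", "ws": "^0.4"}}
EXT_LANG = {".js": "JavaScript", ".py": "Python", ".java": "Java", ".c": "C", ".cpp": "C++"}

def parse_log(text):
    """Return (datetime, path) pairs, skipping blank lines."""
    pairs = []
    for line in text.splitlines():
        if line.strip():
            date, path = line.split("\t", 1)
            pairs.append((datetime.fromisoformat(date), path))
    return pairs

def summarize(log_text, manifest):
    """Facts a reviewer would check before alleging that code was copied."""
    pairs = parse_log(log_text)
    dates = sorted({d for d, _ in pairs})          # distinct commit timestamps
    files = {p for _, p in pairs}                  # distinct files ever touched
    langs = Counter(EXT_LANG.get(os.path.splitext(p)[1], "other") for p in files)
    return {
        "commits": len(dates),
        "first_commit": dates[0].date().isoformat(),
        "last_commit": dates[-1].date().isoformat(),
        "span_days": (dates[-1] - dates[0]).days,
        "languages": dict(langs),
        "dependencies": sorted(manifest.get("dependencies", {})),
    }

def dominant_language(summary):
    """Most common implementation language, ignoring config and data files."""
    langs = {k: v for k, v in summary["languages"].items() if k != "other"}
    return max(langs, key=langs.get) if langs else None
```

Comparing `dominant_language` and `dependencies` against the language and libraries of the allegedly copied program is the first thing a reviewer would do before accepting an "it could only have been copied" claim.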
Unfortunately, Battelle also abused the term "hacking" to justify the seizure of Thuen's computer without notice. Its original complaint quotes one of its own employees in support of its "if we notify him, he'll just wipe the hard drive" theory. The court cites this in its justification of the ex parte restraining order:
[B]attelle asserts that defendants are likely to wipe the hard drives on Thuen's computer, thus destroying direct evidence of wrongdoing. Battelle suggests that either of these actions would render further prosecution of the lawsuit fruitless...
The Court finds it significant that defendants are self-described hackers, who say, "We like hacking things and we don't want to stop."
A well-known characteristic of hackers is that they cover their tracks… This makes it likely that defendant Thuen will delete material on the hard drive of his computer that could be relevant to this case...
The Court has struggled over the issue of allowing the copying of the hard drive. This is a serious invasion of privacy and is certainly not a standard remedy, as the discussion of the case law above demonstrates. The tipping point for the Court comes from evidence that the defendants - in their own words - are hackers. By labeling themselves this way, they have essentially announced that they have the necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act. And concealment likely involves the destruction of evidence on the hard drive of Thuen's computer. For these reasons, the Court finds this is one of the very rare cases that justifies seizure and copying of the hard drive.
The supposedly damning declaration by Thuen comes from Southfork's home page:
We're pretty good at hacking things. The idea is:
Identify what you want looked at
We hack it
You fix it
Your customers love you and you gain a little bit more peace of mind. We wouldn't mind bringing your people in to participate and see first-hand how an attacker views your system. We'd love to train ourselves out of a job.
Southfork will test system security when hired by a company specifically for that purpose. Battelle's filing attempts to spin Southfork's technical knowledge into a purely evil thing. According to Battelle, hackers are always adversaries, even when the company's own front page statement proclaims otherwise. Just because the knowledge is there doesn't mean it will only be deployed to cause damage. Thuen's response points out the flaw in this reasoning.
As a cybersecurity professional, I am aware of, and possess ability for, many “hacking” techniques that may be used in illegal ways, but I put them to use improving my customers’ security. In other words, I’m much like a locksmith who possesses the ability to pick a lock and uses his knowledge to help as a contributing member of society… In my career, I have held government clearances with the Federal Bureau of Investigation and the United States Department of Energy, which required me to pass multiple lie detector tests, psychological tests, extensive background checks, and other miscellaneous tests.
Battelle goes even further than this in its complaint, painting Thuen's hacking ability and his "threat" to take his project open source as a danger to national security.
BEA's copyrighted software is called Sophia and protects the United States' energy infrastructure by alerting utility administrators of potential hackers or other threats to the integrity of the nation's energy grid.
Given the nature of Sophia, Defendants' actions have implications for our national security. Defendants know of these implications but have ignored them.
Fortunately, this stretched argument doesn't weigh in the judge's restraining order, but it's still a part of Battelle's complaint against Thuen. This argument is baseless as well, relying heavily on the allegation that Thuen's code is Battelle's code. Thuen points out the flaw in Battelle's portrayal of open source code as inherently dangerous.
I disagree with Battelle that security software like Sophia or Visdom cannot be open source because then hackers would have access to the source code. Security systems are better served by being open source so that complicated things, like cryptographic algorithms and implementations, can be reviewed by independent expert auditors rather than sitting behind smoke screens. The plethora of open source software used in secure systems today completely debunks the notion that you cannot have valuable and secure software that is also open source…
In the statements dealing with irreparable harm, Battelle claims it wouldn't be able to compete with Southfork's Visdom if Thuen chose to give it away (earning money from support packages and custom modules instead). Clearly, Battelle and its lawyers are unaware that top-selling programs like Microsoft Office (LibreOffice) and Photoshop (GIMP) compete with fully-featured, free and open source programs all the time.
There are many more flawed arguments in Battelle's filing, but it appears that both the plaintiff and the presiding judge had just enough knowledge between them to reach a bad conclusion. Thuen's response tackles every accusation from Battelle's complaint, punching some big holes in its filing. Unfortunately, the court decided to handle this ex parte and is only now aware of the weaknesses of Battelle's allegations.
What this looks like is a government contractor hoping to shut down a competitor by deploying two "chilling" favorites: copyright infringement and "threats to national security." It also hurts itself by falling for government FUD -- "open source is dangerous" and "hackers are bad" -- both of which contributed to the general level of failure contained in its complaint.