Equifax Security Hack and Apache Struts

The Equifax security breach has been big news lately. Understandably, there was much concern over a breach that involved sensitive information held by a credit bureau, involving millions of consumers.

One article in Quartz noted that the perpetrators of the breach may have exploited a security vulnerability in Apache Struts, an MVC framework for creating Java web applications, with plugins to support REST, AJAX and JSON. The Quartz article mentioned several potential vulnerabilities cited in a William Baird & Co. report and, about one of them, commented that “the vulnerability announced on Sept. 4” had existed in Struts for many years.

The Apache Software Foundation responded publicly, pointing out that the problem was a so-called zero-day vulnerability: one that may have existed for some time in a code base, but was not previously known to the developers. The ASF commented: “Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here — we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP.”

It may seem, after wide reporting of a few open source vulnerabilities such as Heartbleed, that open source is being publicly linked with security problems with increasing frequency. That might, in turn, seem to imply that open source is not secure. However, given that so much infrastructure software now is open source, and that security breaches (or at least the detection of them) are increasing in frequency, the prominence of open source security vulnerabilities in the news is probably mostly confirmation bias. It isn’t as big news when a security breach happens due to proprietary software. And all reporting of breaches is to some degree imprecise forensic archeology; it may not always be clear in retrospect which vulnerabilities were actually exploited.

Infosec professionals would probably say that legacy software is always a potential security problem, whether it is open source or not. Tech security is, in part, a process of continual updating to keep ahead of the villains. But this new incident underscores, again, the need to ensure that widely used open source projects have the resources to stay ahead of security concerns.

Open Source Skills in High Demand

It was interesting to see a recent article in ZDNet on the unslaked demand for open source professionals. The article says, “The single most desirable job most hiring managers want to fill is developer (73 percent). Don’t despair if you’re not a programmer; demand is also high for DevOps (60 percent) and Systems Administrators (53 percent).” The information comes from the 2017 Open Source Jobs Report issued by the Linux Foundation.

Those of us who work in this area also know that experienced open source compliance managers and legal analysts are in strong demand.

Open Source Community Over-REACTs to X Rated Code

Recently, Apache re-classified code under Facebook’s “BSD+Patents” license as “Category X,” effectively banning it from future contributions to Apache Foundation projects. The move has re-ignited controversy over the patent grant, but like many events in the open source community, the controversy is more partisan than practical. In fact, it’s unlikely the move will affect adoption of ReactJS, and the criticisms of the BSD+Patents grant mostly don’t survive the scrutiny of reason.

The Facebook patent grant, officially called the Additional Grant of Patent Rights Version 2, has been in effect for years. It applies to the wildly popular ReactJS code, a JavaScript library for rendering user interfaces. The roster of major technology companies using the code is impressive, including such consumer-facing giants as Netflix, and of course Facebook itself.

A New Reaction to an Old Grant

The reaction to this news is surprising, given that the parallel patent licensing model is nothing new. Facebook released its “BSD+Patents” grant in 2013 (with a revision in 2015). But a similar model was used with some fanfare by Google with its WebM codec in 2010. This licensing model involves two independent and simultaneous grants of rights: a BSD license to the copyright in the software, and a separate grant to practice patents that read on the software. In this respect, it is quite similar to the Apache 2.0 license, which, like BSD, is a permissive license, and which also contains a patent grant with a defensive termination provision alongside the copyright license grant.

Much of the reaction to the Apache Foundation’s announcement has just created confusion, such as this article misleadingly calling the grant “booby-trapped.” In fact, many open source licenses have defensive termination provisions, which are mostly considered a reasonable mechanism to discourage patent lawsuits rather than a booby trap. They are the rule rather than the exception: all major open source licenses with patent grants also have defensive termination provisions, each with slightly different terms. The difference between the Facebook grant, which Apache has rejected, and the Apache 2.0 license, which Apache requires for its projects, is more subtle than the controversy suggests.

Defensive Termination Provisions Come in Many Flavors

Defensive termination provisions vary in two main ways: the trigger for termination, and the scope of rights terminated. As to the scope of rights terminated, there are two camps: those that terminate only the patent grant (including Apache 2.0, the Eclipse Public License, and the Facebook grant) and those that terminate the copyright license as well (the Mozilla Public License and GPL 3). In other words, for most licenses, bringing a patent infringement suit can only cause termination of one’s patent rights; for the others, bringing a patent lawsuit can also terminate the copyright license, forcing one to stop using the code. Copyright license termination is a much stronger anti-patent mechanism, and riskier for private businesses, and it has resulted in some private companies refusing to use GPL 3 or MPL code.

The Facebook grant differs from most other open source licenses in its threshold for triggering termination. In Apache 2.0, for example, termination of the patent grant is triggered by a patent claim accusing the software provided under the license. The idea is to create a “patent commons” for the software. Most other open source licenses follow roughly this calculus. The Facebook patent license also terminates if the licensee brings a patent claim against Facebook, or against any party accusing a Facebook product. In that respect, the termination trigger is similar to the one in the Common Public License 1.0, written many years ago by IBM: “If Recipient institutes patent litigation against a Contributor with respect to a patent applicable to software…then any patent licenses granted by that Contributor to such Recipient under this Agreement shall terminate as of the date such litigation is filed.”

Nothing New Under the Sun

Defensive termination provisions of the scope in the Facebook grant are very common in patent licensing outside of the open source landscape. Most patent licenses terminate if the licensee brings patent claims against the licensor. The reason is that a licensor does not want to be unilaterally “disarmed” in a patent battle. Most patents are only used defensively, asserted when a competitor sues the patent owner: A sues B and then B sues A, resulting in mutually assured destruction. If B has released its software under an open source license without a broad defensive termination provision, B is potentially without recourse, and has paid a high price for its open source code release. A gets to simultaneously free ride on B’s software development and sue B for patent infringement.

Finally, the Facebook grant itself is not new. The grant was released in 2013, and ReactJS’s popularity has been growing since then. As with many open source licenses, the industry’s willingness to absorb a new license depends on the tastiness of the code released under it. In the case of ReactJS, the code was great, and the patent license terms were new, but reasonable.

Is it Open Source?

Some have suggested that the BSD+Patents clause violates the Open Source Definition. The OSD does not allow licenses that discriminate against persons or groups, or against fields of endeavor. But the patent grant does not have license scope limitations; it terminates only if the licensee misbehaves, with that misbehavior having a lower threshold for actions against the code author than for actions against others. So it seems likely that BSD+Patents does not violate the OSD; moreover, the CPL is already approved by the Open Source Initiative as compliant, and the CPL, like BSD+Patents, sets a lower threshold for termination based on patent suits against the code author.

What is the Upshot?

The practical result of the Apache Foundation’s decision is unclear. Category X licensed code cannot be included in an Apache Foundation repository. (That category also includes licenses like the GPL.) Apache’s re-classification doesn’t mean anyone is restricted from using ReactJS; it just can’t be committed to an Apache project. It’s not even clear that an Apache project cannot contain a dependency on BSD+Patents licensed code.

Meanwhile, in private business, there is little controversy about using code under the BSD+Patents terms. Most companies have examined the marginal legal risk of this license compared to others (like Apache 2.0) and considered it underwhelming. Unless a company decides to sue Facebook (or accuse its products), the termination trigger has no actual effect. If you want to fling patent claims at a company that developed and released a great piece of code, removing that code from your business seems like a reasonable price to pay.

Some of the controversy seems to arise from concern that Facebook is advantaged over others by the license terms. But that is not the same as harming the open source community. The BSD+Patents grant establishes the same “patent commons” as Apache 2.0 as a baseline, but provides more protection for the contributor (Facebook) against software patent claims by licensees. It’s odd that a community so opposed to software patents would find this objectionable, particularly in light of the array of defensive termination provisions that have been used in the past.

PLEASE NOTE: This blog entry is about the BSD+Patents license, not about Facebook. This post represents my personal views only, and not the views of Facebook. I do represent Facebook on open source matters, but I did not draft the BSD+Patents license grant.

We’re Exhausted! US Supreme Court Speaks Out on Patent Exhaustion

The US Supreme Court is setting things right these days. Last week it was a patent venue decision that slashed the patent litigation industry of the Eastern District of Texas, and this week it is Impression Products, Inc. v. Lexmark International, Inc., a decision supporting robust application of the exhaustion doctrine in the sale of patented articles. In the Lexmark decision last year, the Federal Circuit upheld Lexmark’s ability to avoid patent exhaustion when selling its printer toner cartridges by promulgating a legend that the cartridges were sold for single use. After that decision came down, I went onto Zazzle and made up a coffee mug with this legend:

Drinking from this mug confirms your acceptance of the following license agreement. This promotional mug is provided to you free of charge in connection with promotion of legal services (method patent pending) subject to a restriction that it may be used only once. Following this initial use, you agree to return the mug to Heather Meeker. A regular price mug without these terms is available.

I gave them to a dozen or so people, none of whom returned them. Now my little prank is irrelevant, but that’s probably for the best.