
Hacking Team used open source code to build Android monitoring software - devy
https://www.mulliner.org/blog/blosxom.cgi/security/hackingteam.html
======
chrisacree
That's what open source is, isn't it? Anyone can use it, including hackers,
NSA, etc. Why is it surprising that they, like nearly every other technology
company, depend on open source software?

~~~
jasonlotito
Well, there are two things:

1) The intent behind the original license doesn't match with what the author
intends. This seems to be the likely case. But, there is also the second issue
to look at.

2) The violation of the license, assuming the source code was not shared with
the clients. This is a direct violation, and through the common use of the
term theft when it applies to copyright violation, it matches. Basically, if
you don't adhere to my license, you don't have a right to use my code, and as
a result, you've effectively "stolen" it.

People like to pretend that even MIT style licenses don't have requirements.
They do, and you can violate that license, and by violating, you never had the
right to use that code.

Basically...

> Anyone can use it, including hackers, NSA, etc.

Incorrect. Anyone who abides by the license can use it. While that might not
seem onerous, it's an important distinction to make. So, considering the code
in discussion was licensed under a GPL license (one of them, not sure which),
one wonders if they were abiding by the license.

~~~
FireBeyond
"2) The violation of the license, assuming the source code was not shared with
the clients. This is a direct violation, and through the common use of the
term theft when it applies to copyright violation, it matches. Basically, if
you don't adhere to my license, you don't have a right to use my code, and as
a result, you've effectively "stolen" it."

Because you know that the nation states who used the services of this company
didn't also receive the source code to the tools, correct?

~~~
jasonlotito
> Because you know that the nation states who used the services of this
> company didn't also receive the source code to the tools, correct?

"The violation of the license, _assuming_ the source code was not shared with
the clients."

It's called speculation. Read it as "Hypothetically, if the source code was
not shared with the clients, it was a violation of the license."

~~~
FireBeyond
Uprooted because I glazed over that word in my reply, and it does alter the
point.

------
lawl
Popular German blogger and hacker fefe also complained that Hacking Team used
his open source code. He now calls for an NOMIL/NOINTL version of the GPL and
wants to sit down with a lawyer to create something along these lines, or see
if that is possible at all.

Original article:
[http://blog.fefe.de/?ts=ab645846](http://blog.fefe.de/?ts=ab645846)

Google translate of the above:
[https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...](https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fblog.fefe.de%2F%3Fts%3Dab645846&edit-text=&act=url)
(shitty because the original is written in a more colloquial style, Google
doesn't seem to handle that too well)

Code in question is dietlibc:
[https://en.wikipedia.org/wiki/Dietlibc](https://en.wikipedia.org/wiki/Dietlibc)

~~~
mikegerwitz
[https://www.gnu.org/philosophy/programs-must-not-limit-freed...](https://www.gnu.org/philosophy/programs-must-not-limit-freedom-to-run.html)

------
amalcon
Unless I misunderstand, this is software that runs _on_ the target device.
Does that count as distribution? Did the victims receive a copy of the license
and access to the source code? Is there some kind of infringement case here if
we could find someone this was used on?

------
venomsnake
A company that doesn't respect human rights also doesn't respect copyright. Color
me surprised ...

------
ericfrederich
Once you figure out how to write a software license to prevent this kind of
usage can you work on that 3d printer that will print anything except weapons?

Next on your list is to define "repressive governments" in non-ambiguous terms
such that it doesn't include more than half of the world.

You may be able to prevent them _legally_ using your work, but will never
prevent them from using your work.

------
em3rgent0rdr
Hackers operate outside of the law. Licensing, conversely, exists only in the
legal realm. So I don't see how any licensing scheme can prevent hackers from
using his tool, as the author wishes for, other than don't make it open
source. We must accept that our open source tools may be used for evil.

~~~
cmiles74
"The Hacking Team" was a (supposedly) legitimate company and should be
expected to abide by the license.

~~~
eonw
Governments rarely prosecute those that trade in secrets.

------
AdmiralAsshat
Submitted yesterday:
[https://news.ycombinator.com/item?id=9926868](https://news.ycombinator.com/item?id=9926868)

But I guess it's good to have the primary source.

------
Joky
The title here is "Hacking Team steals open source code to build Android spy
tool", while it seems to me that they didn't "steal" anything. They just
_used_ some open-source software to build their tools. Maybe someone could
argue that it is GPL code and there should be redistribution of the code, but
this is only towards the client of Hacking Team.

~~~
bluejekyll
What's funny is that one of Stallman's arguments for GPL over BSD style
licenses, i.e. Free vs. Open licenses, is specifically about the code being
used for nefarious purposes, like DRM. In this case it's used to create
something even more sinister, but by all accounts they are following the
licensing by keeping the source open.

So it says more to me about picking a license that you are comfortable with,
and understanding that based on that choice it's going to possibly be used in
the worst way that you could imagine.

They were correct to leave his name as copyright holder, as doing anything
different would mean that they stole his copyright, which they did not.

~~~
bcg1
There is no evidence that they complied with the license. They were hacked and
this source code was exposed. I suspect that they were not properly
distributing links to the source for the LGPL library they used (especially
since it seems like this is Android spyware).

BTW even if they cited the author as the copyright holder... that does not
necessarily mean that they were complying with the license, which could
definitely be copyright infringement.

