
[Savannah-hackers] Legal aspects of post-crack reconstruction


From: Eben Moglen
Subject: [Savannah-hackers] Legal aspects of post-crack reconstruction
Date: Wed, 17 Dec 2003 16:24:14 -0500

Greetings to all, 

Bradley Kuhn has asked me to present you some information concerning
the legal aspects of the decisions we took in reconstructing Savannah
after the crack.

My primary concern, in this respect, has been to ensure that FSF,
which physically maintains Savannah and would be the object of any
legal action about it, would be prepared to meet a lawsuit brought
against us if malware were subsequently discovered in Savannah-
produced software.  We need to be able to show, in the event of such a
lawsuit, that we used our utmost efforts to protect the security of
the system, both in reestablishing service after the crack, and in
doing everything we could to find any code maliciously introduced into
programs under development at Savannah.

For this reason, as the lawyer around here, I strongly advised Bradley
to take all reasonable measures fully to secure the system layer below
the Savannah application layer before beginning to restore service.  I
wanted to be able to show, in the event of any subsequent controversy,
that we responded to the crack by immediately following best practices
security measures.  The intention behind this activity wasn't the
exclusion of Savannah's own project leaders from the reconstruction,
or the prolongation of downtime.  But because we were also engaged in
an investigation of the crack, in which we are cooperating with other
organizations in the free software world that have been cracked in
recent months, I did ask for certain measures that added further
burden to our already overloaded sysadmins.

I don't have much to contribute to the conversation about the
division of responsibility between FSF sysadmins and Savannah
hackers.  We face strong evidence that there is a concerted attempt to
undermine the free software infrastructure, including cracks at
ftp.gnu.org, Debian, and attempted insertion of malware in the
kernel.  We are being tested, and we have to pass the test, or--I
suspect--we're suddenly going to find ourselves under attack from
supporters of unfreedom taking advantage of our problems.  We need to
maintain our best cooperation in the presence of that challenge.  I'm
sure everyone's most careful effort will be available to increase
Savannah's security without harming its usefulness to all the
programmers who have taken advantage of the wonderful work of the
hackers who have built and maintained it.

Best regards,
Eben

-- 
 Eben Moglen                       voice: 212-854-8382 
 Professor of Law                    fax: 212-854-7946       moglen@
 Columbia Law School, 435 West 116th Street, NYC 10027     columbia.edu
 General Counsel, Free Software Foundation   http://moglen.law.columbia.edu



