Monthly Archives: April 2015


Category : Uncategorized

Brief introduction

Copyright holders decide how to manage their exploitation rights through copyright licenses. Licenses work on top of copyright law and are interpreted by judges in different jurisdictions, under different applicable laws. Because copyright itself is very rigid, copyright holders can make it more flexible through licenses.

However, most generic-purpose licenses are not flexible either, and that does not help creators with specific needs for their products. When generic-purpose licenses do not meet the particular needs of makers, customization is a must. Can we reconcile customization with open source software and P2P production principles? Sure we can. Our answer is POLYMORPHIC LICENSES.


The main purpose of a copyright license is functional: it is the legal tool used to set the permissions and conditions for the exploitation of protected works. The licensor can decide on the right to use, the right to distribute, the right of public communication, the right to create derivative works and combined works, and so on.

Beyond this functional nature, generic-purpose public licenses have helped to create an open world in many domains: software, culture, literature, databases, music, 3D models, and so on. Generic-purpose licenses have been the legal expression of philosophies and copyright initiatives; among the most relevant are the four freedoms of the Free Software Definition (FSF), the Open Source Initiative, the free culture definition, and the Copyfree Initiative.

Until now, you chose a generic-purpose public license because it fit your needs, or perhaps your philosophy. However, most of them do not allow customization. As emerging technologies appear, situations are sometimes very specific, and customization is a must.

Polymorphic licenses do not aim to compete with well-established initiatives or philosophies; instead, they give makers the possibility of taking the best out of those open movements and reaching the particular goals of their production through customization.

What is a polymorphic license?

In programming, polymorphism is “the provision of a single interface to entities of different types”[1]. Let’s see an example in C++ code:

#include <string>
using std::string;

// The generic-purpose license: a single interface that every product-specific license implements.
class Production {
public:
    virtual ~Production() {}
    virtual string type() = 0;
};

// Music: inherits every clause of the Production License and fixes the variable terms for music.
class Production_Music : public Production {
public:
    string type() override {
        return "Commercial uses that require permission for exploiting this work are: Publicity, Movie soundtracks.\n"
               "Time of permission: 1 year.\n"
               "Compensation: $100 or equivalent in BTC\n"
               "Royalties: I collect my own royalties from live shows.";
    }
};

// Drone models: the same interface, different terms.
class Production_Drone_models : public Production {
public:
    string type() override {
        return "Commercial uses that require permission for exploiting this work are: Anyone who sells drones built with these models.\n"
               "Time of permission: indefinite.\n"
               "Compensation: 10 built drones with the model for the copyright holders";
    }
};


This is a very powerful object-oriented programming concept, because it allows us to write a single interface but produce different results. Thus polymorphism is an excellent methodology for license customization. Let’s analyze the C++ example above:

1. The class Production. This is the base: any generic-purpose copyright license that leaves options open to the licensor. Call it the Production License.

2. The subclass Production_Music. It inherits every clause of the Production License, but sets the variables that are specific to music.

The copyright holder decides that only publicity and movie soundtracks are commercial uses that must pay a compensation, and that the authorization lasts one year. Furthermore, the holder collects royalties only from live shows.

3. The subclass Production_Drone_models. It also inherits every clause of the Production License, but with a different focus: it requires some of the built drones in return, for an indefinite time.

How does it work?

Method: Licenses would be generated by an open source tool called LTK (License-Tool-Kit). Copyright holders may generate their customized licenses with LTK or with their own tools.

Authenticity: The license output must come in more than one format, and a hash of each output will be generated automatically so that any copy can be checked against the original. The original proposal names MD5 and SHA-1; both are collision-prone, so SHA-256 or stronger should be used. Note that a hash by itself only detects changes; it prevents license spoofing only when the reader obtains the hash from a source the holder controls, such as the registry below or a signature by the holder.

Reliability: Copyright holders keep their customized license on their own server or website, or inside the products. However, we will also set up a registry of polymorphic licenses with their corresponding hashes.
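The generation, hashing and registry steps above, written out as an added Python example (not the LTK tool and not code from FOSS lawyers). It reuses the class names of the C++ example, but the clause wording, the `LicenseRegistry` and the tampering scenario are assumptions for illustration. It uses SHA-256 instead of MD5/SHA-1 and shows why a hash that the licensor has registered, rather than the hash alone, is what stops a tampered copy from passing as genuine.

```python
import hashlib
import hmac


class Production:
    """The Production License: a generic-purpose base whose clauses are fixed
    and whose variable terms are supplied by a product-specific subclass.
    The clause wording below is an assumption for this example, not real license text."""

    BASE_CLAUSES = (
        "Non-commercial use, copying and redistribution are permitted.",
        "Attribution to the licensor is required on every copy.",
    )

    def __init__(self, licensor, uses_requiring_permission, time_of_permission, compensation):
        self.licensor = licensor
        self.uses_requiring_permission = list(uses_requiring_permission)
        self.time_of_permission = time_of_permission
        self.compensation = compensation

    def extra_terms(self):
        """Subclasses add their own terms here: the polymorphic part."""
        return {}

    def render(self):
        """Canonical text: fixed clauses, then variable terms in sorted order,
        so the same license always produces the same bytes and the same hash."""
        terms = {
            "Commercial uses that require permission": ", ".join(self.uses_requiring_permission),
            "Time of permission": self.time_of_permission,
            "Compensation": self.compensation,
            "Licensor": self.licensor,
        }
        terms.update(self.extra_terms())
        lines = [type(self).__name__ + " (derived from the Production License)"]
        lines += ["- " + clause for clause in self.BASE_CLAUSES]
        lines += [key + ": " + value for key, value in sorted(terms.items())]
        return "\n".join(lines) + "\n"

    def fingerprint(self):
        return sha256_hex(self.render())


def sha256_hex(text):
    """Hash of a license text; SHA-256 rather than the MD5/SHA-1 named in the proposal."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class Production_Music(Production):
    """The music subclass of the post: fixed terms plus a royalties clause."""

    def __init__(self, licensor, royalties):
        super().__init__(licensor, ["Publicity", "Movie soundtracks"], "1 year", "$100 or equivalent in BTC")
        self.royalties = royalties

    def extra_terms(self):
        return {"Royalties": self.royalties}


class Production_Drone_models(Production):
    """The drone-models subclass: same interface, different terms."""

    def __init__(self, licensor):
        super().__init__(licensor, ["Anyone who sells drones built with these models"],
                         "indefinite", "10 built drones with the model for the copyright holders")


class LicenseRegistry:
    """Assumed registry: fingerprint -> canonical text, populated only by the licensor.
    Anchoring the hash here is what turns 'this text hashes to X' into 'X is the licensor's text'."""

    def __init__(self):
        self._entries = {}

    def register(self, license_):
        fp = license_.fingerprint()
        self._entries[fp] = license_.render()
        return fp

    def verify(self, text, claimed_fingerprint):
        """A forger can always compute a hash for a tampered text; they cannot register it."""
        actual = sha256_hex(text)
        return hmac.compare_digest(actual, claimed_fingerprint) and claimed_fingerprint in self._entries


def demo():
    """Register both licenses, then check a genuine copy, a tampered copy presented
    with the registered hash, and a tampered copy presented with its own freshly computed hash."""
    registry = LicenseRegistry()
    music = Production_Music("Alice", "I collect my own royalties from live shows.")
    music_fp = registry.register(music)
    registry.register(Production_Drone_models("Bob"))
    tampered = music.render().replace("$100", "$1")      # constructed tampering
    return {
        "genuine": registry.verify(music.render(), music_fp),
        "tampered_registered_hash": registry.verify(tampered, music_fp),
        "tampered_own_hash": registry.verify(tampered, sha256_hex(tampered)),
    }


if __name__ == "__main__":
    print(Production_Music("Alice", "I collect my own royalties from live shows.").render())
    print(demo())
```

The `render()` output is what the holder would publish with the work (one of the "more than one format" outputs); because its term order is fixed, re-rendering the same license anywhere reproduces the same hash, which is what makes the registry lookup meaningful.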

Current projects that may implement it

The polymorphic license methodology is currently developed by the FOSS lawyers legal community, and we want to promote it to FOSS and P2P projects.

Currently we are working on two generic-purpose licensing projects:

– Commons-based reciprocity licenses (Copyfair).

– Ubiquitous commons.



FOSS lawyers will be present in Amsterdam between May 18th and May 22nd for the OWASP project submission: the OWASP KBA-PMP project. The project is growing.

complete version: KBA paradigms and challenges

Can we say that static KBA is no longer suitable for today’s security challenges? In recent years we have heard rumors of the death of KBA. While part of the industry wants to kill all KBA procedures, dynamic KBA providers want to kill only static KBA. The truth is that static KBA is one of the oldest methods of remote authentication and will remain for a while because of its low cost (compared to biometric authentication), its effectiveness for remote identification procedures (it can be used from anywhere), and especially because users can change their information or simply lie to the web application to increase security. We cannot blame developing countries for implementing it.

Static KBA is not insecure by itself; it is a matter of implementation. But static KBA faces two major problems today: (1) the “secret” information is no longer secret, since answers such as a mother’s maiden name or a first school can be found in public records and social networks; and (2) most users answer the application truthfully, so their answers are exactly those discoverable facts.
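What “a matter of implementation” looks like on the server side, as an added Python example (not code from the OWASP KBA-PMP project or from this post’s author): answers are treated as secrets, normalized, salted and hashed with PBKDF2, compared in constant time, all enrolled questions must be answered in one round, the response never reveals which answer was wrong, and the account locks after a few failures. The `StaticKBA` class, the question identifiers and the enrolled answers are constructed for illustration; the enrolled pet name is deliberately a made-up string, the kind of “lie” the post says users can give to increase security. The specific controls go beyond what the post spells out; they are the standard ones for secret-based authentication.

```python
import hashlib
import hmac
import os
import unicodedata


def normalize(answer):
    """Canonicalize so that 'St. Mary's' and ' st marys' compare equal:
    decompose accents and drop them, casefold, keep only letters and digits."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(ch for ch in stripped.casefold() if ch.isalnum())


def hash_answer(answer, salt=None, iterations=100_000):
    """Store answers the way passwords are stored: per-answer random salt and a slow KDF
    (PBKDF2-HMAC-SHA256), so a leaked database does not leak the answers themselves."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_answer(answer, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


class StaticKBA:
    """Server-side state for static KBA: per user, the enrolled answer records and a failure count.
    Names and structure are assumptions for this example."""

    def __init__(self, max_attempts=3, min_questions=3):
        self.max_attempts = max_attempts
        self.min_questions = min_questions
        self.users = {}   # user -> {"questions": {question_id: record}, "failures": int}

    def enroll(self, user, answers):
        """answers: {question_id: plaintext answer}. Only hashes are kept."""
        if len(answers) < self.min_questions:
            raise ValueError("enroll at least %d questions" % self.min_questions)
        self.users[user] = {"questions": {q: hash_answer(a) for q, a in answers.items()},
                            "failures": 0}

    def verify(self, user, answers):
        """Every enrolled question must be answered correctly in a single round.
        Returns 'ok', 'fail' or 'locked'. All answers are always checked (no short-circuit)
        and the response never says which answer was wrong."""
        state = self.users.get(user)
        if state is None:
            return "fail"          # same response as a wrong answer: do not confirm enrollment
        if state["failures"] >= self.max_attempts:
            return "locked"
        results = [check_answer(answers.get(q, ""), rec) for q, rec in state["questions"].items()]
        if all(results):
            state["failures"] = 0
            return "ok"
        state["failures"] += 1
        return "locked" if state["failures"] >= self.max_attempts else "fail"


def demo():
    """Constructed enrollment: the 'first pet' answer is a made-up string, the kind of lie
    the post says users may give so that the answer is not a discoverable fact."""
    kba = StaticKBA(max_attempts=3)
    kba.enroll("alice", {"mother_maiden": "Sánchez", "first_pet": "Qz7-tangerine", "city_born": "Quito"})
    outcomes = []
    # Correct answers typed with different casing, accents and punctuation
    outcomes.append(kba.verify("alice", {"mother_maiden": "sanchez", "first_pet": "qz7 tangerine",
                                         "city_born": "QUITO"}))
    # Attacker who found the real facts but guesses the pet name: three failures lock the account
    for _ in range(3):
        outcomes.append(kba.verify("alice", {"mother_maiden": "Sánchez", "first_pet": "Rex",
                                             "city_born": "Quito"}))
    # Even the genuine user is refused once locked, until an out-of-band reset
    outcomes.append(kba.verify("alice", {"mother_maiden": "Sánchez", "first_pet": "Qz7-tangerine",
                                         "city_born": "Quito"}))
    return outcomes


if __name__ == "__main__":
    print(demo())   # ['ok', 'fail', 'fail', 'locked', 'locked']
```

Normalization is applied before hashing on both enrollment and verification, so it costs nothing in secrecy but removes the usability failures (capitalization, accents, punctuation) that push deployments toward storing answers in clear text.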

For dynamic KBA vendors, KBA has evolved from user-chosen challenge questions to questions generated on the fly from data the user never gave the application: public records, credit records, judicial records, ID cards, and perhaps social networks. This has happened in recent years, and it seems to work for many. However, some issues remain to be resolved, among them universality and privacy.

Universality.- When I contacted some of the dynamic KBA vendors, my biggest concern was that they do not have universal solutions. They had access to country-based public records, especially in the USA, UK, Canada and Australia. So what about the rest of the world? For a transnational dynamic KBA solution, vendors would need data sources everywhere. Central American banks may not be able to use dynamic KBA, because the providers have no data sources in those countries. So how can we kill static KBA if dynamic KBA solutions are not available in most countries?

Privacy.- Data protection and privacy laws are stronger in some countries than in others, so what counts as a public record depends on the jurisdiction. As an example, consider personal data in Europe. The Data Protection Directive forbids the transfer of personal data to third countries that do not ensure an adequate level of protection[1]. Let’s look at what personal data means under European law[2]:

(a) ‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Furthermore, personal data has to be processed lawfully and fairly, and only for specified and legitimate purposes. The data subject has to “unambiguously give his consent”[3] unless the processing is necessary for the performance of a contract, a legal obligation, the vital interests of the data subject, or the public interest.

Following all these paradigms and challenges, the answer is YES: we need to develop a KBA standard. Web application security is not only about secure coding, encryption, and patching vulnerabilities. Remote authentication is at the core of security, and KBA implementations must follow basic guidelines, not only in higher-risk environments such as banks, because security is interconnected and attackers will always find the weakest point of the chain.