[conspire] Analysis of netzero.deb

[Daniel Gimpelevich]

I decided to take a look at NetZero's website to see their
Lindows/Linspire package myself. They have some instructions on its usage,
and the screenshots clearly show that it is version 6, but on John's
system, I noticed that he had version 5, which is apparently now neither
available nor supported, so I'm guessing that he downloaded it quite some
time ago. Navigating their website did not allow me to download their
Lindows/Linspire software without having a NetZero account, but evidently
if I had that, the website would simply have given me the same download
link I got from the topmost link on Google's first search results page:

http://dl.netzero.net/pub/netzero/linux/lindows/netzero.deb

The package, a 1.7MiB download, installs some files here and there to
support the software it installs into /opt/nzclient. Among these is a
"desktop config file" in root's home directory that would tell GNOME or
KDE what to run if clicked, and what icon to display, among other things.
The file it says to run appeared to be a shell script, but turned out to
be nothing more than a line to pass a specific classpath to Java. Indeed,
it appears NetZero's Linux software is written almost entirely in Java, so
any Linux on any architecture could potentially use it to connect to
NetZero, as long as a Java Runtime Environment is installed. However, the
package does have a file "nzppp" in it, and it's an i386 dynamically
linked executable which is not stripped. A quick look at the file reveals
it to be some kind of modification to the following GPL code:

http://www.ibiblio.org/pub/Linux/system/network/serial/ppp/pppsetup.2.28.tar.gz

Therefore, all it would take to get their software working on a K/X/Ubuntu
or Debian system running on either PowerPC or AMD64 would be a simple GPL
source code request for their modifications to that piece of code, which
can then simply be recompiled. Since that code does not do much, I'm
wondering why they didn't just do what it does using proprietary Java
code, like the rest of the package. A GPL source code request may prompt
them to do just that, which would still accomplish the
NetZero-on-other-architectures feat, by instantly making the package
platform-independent. No reverse engineering necessary either way.

It's no surprise that there are reports that NetZero's software will not
function properly without superuser privileges, but something doesn't feel
right about granting such privileges to a Java Virtual Machine. Still, you
gotta do what you gotta do.