Practical Technology

for practical people.

March 4, 2004
by sjvn01

Leaked Memo Revives SCO-Microsoft Connection Furor

In the open-source community, the rumor that just won’t die claims that Microsoft Corp. is funding The SCO Group’s legal actions against Linux. On Thursday, those allegations rose again with reports of a memo that links Microsoft with a financial backer of SCO.

The rumors center around a $50 million investment in SCO by the Larkspur, Calif.-based BayStar Capital investment fund last October. At the time, online reports suggested that BayStar, which invests money from a variety of companies, had taken money from Microsoft for the SCO funding. However, in an interview last fall with eWEEK, BayStar officials denied that Microsoft was an investor in this transaction.

The latest twist surfaced Wednesday on the Web with a document that calls into question Microsoft’s claim that it had nothing to do with the BayStar Capital funding of SCO—and, by association, of SCO’s lawsuits against Linux vendors and users.

The new memo was published to the Web late Wednesday by open-source advocate Eric Raymond. It was picked up by the Slashdot Web site on Thursday morning.

Blake Stowell, SCO’s director of communications, acknowledged that the leaked memo is real.

But, Stowell claimed, pundits had mischaracterized the memo’s context. “We believe the e-mail was simply a misunderstanding of the facts by an outside consultant who was working on a specific unrelated project to the BayStar transaction and he was told at the time of his misunderstanding. Contrary to the speculation of Eric Raymond, Microsoft did not orchestrate or participate in the BayStar transaction.”

Responding to the allegations, a Microsoft spokesman said: “The allegations in the posting are not accurate. Microsoft has purchased a license to SCO’s intellectual property, to ensure interoperability and legal indemnification for our customers. The details of this agreement have been widely reported and this is the only financial relationship Microsoft has with SCO. In addition, Microsoft has no direct or indirect financial relationship with BayStar.”

The alleged memo, to which Raymond referred as the “Halloween X” memo, is dated October 12, 2003 and penned by Mike Anderer, whom Raymond identifies as a consultant with a company called S2 Strategic Consulting, which has ties to SCO.

S2 had been hired, according to the contract, to help “with the formulation and implementation of various options for Intellectual property management.” In essence, S2 was to help SCO make money from its IP.

Four days after the alleged memo was distributed, on October 16, 2003, SCO received the $50 million cash infusion from BayStar Capital and other funders.

A number of industry watchers at that time questioned whether Microsoft had any involvement in the $50 million BayStar financing deal. Some pundits noted that by providing SCO with funding, Microsoft and/or other parties would be helping to fuel SCO’s lawsuits against Linux vendors and customers, thereby benefiting Windows. Microsoft and BayStar officials both denied that Microsoft was involved in the funding deal in any way.

The Halloween X memo appears to link Microsoft to BayStar.

“I realize the last negotiations are not as much fun, but Microsoft will have brough(sic) in $86 million for us including BayStar,” said S2 Consulting’s Anderer in the memo.

“Microsoft also indicated there was a lot more money out there and they would clearly rather use BayStar like entities to help us get signifigantly(sic) more money if we want to grow further or do acquisitions,” Anderer continued in the alleged internal memo.

Meanwhile, Microsoft is known to have made at least two lump sum payments to SCO in order to license Unix. Microsoft executives said in May that the company wanted to be on the right side of intellectual-property law. (Microsoft makes available a number of Unix utilities in the form of its Services for Unix product.) One of these payments was for $8 million, according to Securities and Exchange documents; the amount of the other is not known.

Raymond has published a number of alleged internal memos from a variety of companies, including several from inside Microsoft. Raymond referred to all of the leaked memos he posted to the Web as the “Halloween memos,” since he published the first of them on November 1, 1998, the day after Halloween.

Microsoft has verified the accuracy of several of the early Halloween documents that outlined the company’s strategy to compete with Linux.

BayStar Capital spokesman Bob McGrath said “we have no way of knowing where it (the memo) comes from or anything about it.” He added that BayStar is standing by its statement from last fall that “Microsoft was not a participant in BayStar’s fund” that went to backing SCO.

A version of this story first appeared in eWEEK.

March 4, 2004
by sjvn01

SCO Can’t Win

I think The SCO Group deserves every penny they’re asking for… if they were right, but they’re not. I’ve been following SCO as a writer since the late ’80s, and I’ve been using its products for even longer. When Caldera came out with one of the first commercial Linux distributions, I was there too. In short, I know this company and its IP claims simply don’t hold up.

If SCO had just gone after IBM on contract terms, because of how IBM handled the attempt to bring AIX 5L to Intel (Project Monterey) that would be a different story. From what I know of that deal, I think SCO was treated shabbily.

SCO’s owners, the Canopy Group, should have, in my humble opinion, kept Ransom Love as CEO and continued to support Linux. Had they done so, then SCO, with its close Novell ties, would have been acquired by Novell, not SuSE. $200+ million down the drain for Canopy.

As it is, the ownership decided they wanted to shift gears from being an operating system company to one that tries to make money from lawsuits. Now, personally, I don’t like this. I’d rather make things than haul people to court. But those businesses can work. In fact, there are companies that do nothing but acquire patents, wait until someone has created something that may infringe on those patents and then swoop in like vultures.

In SCO’s case, however, the company is trying to create a house of cards. If any one of those cards shifts, the entire litigious structure falls.

Darl McBride, SCO’s CEO, talks about SCO defending the rights of intellectual property like the RIAA. It’s not. SCO’s IP claims are much weaker. We know a song belongs to an artist and a label. SCO’s copyright claims are much murkier.

First, SCO has to establish that it actually owns the copyright to Unix System V code. Novell says it doesn’t. The agreements transferring the IP rights, to my non-lawyer eyes, don’t clearly give SCO all the rights it needs to make its sweeping copyright claims.

OK, let’s suppose that the courts agree that SCO, not Novell, owns the IP and all the rights to control how it’s used. Next, SCO has to prove that IBM, or other companies, took code from Unix and placed it in Linux. I don’t see how they can do that. SCO has never presented a shred of significant evidence that there is any Unix code in Linux. Besides, we do know for a fact that SCO was trying to get Linux and Unix to work together. If any code duplication is found, SCO could have been the one doing the copying.

SCO was working on this even before Caldera bought out SCO’s Unix division and intellectual property. Specifically, SCO added Linux compatibility to its Unix properties with operating system packages like UnixWare’s Linux Kernel Personality (LKP). The LKP enables UnixWare, one of SCO’s Unix operating systems, to run Linux binaries.

So SCO was adding Linux functionality, Linux code, into its own Unix products, and was also considering bringing Linux functionality to its older OpenServer Unix. Given SCO’s own reasoning, could all this Linux functionality be added to Unix without introducing Linux code into Unix? I think not.

Look at the history. When Caldera first bought SCO in August 2000, the company suggested that it was going to open source a good deal of Unix. That never happened. Because, as Love explained, “We quickly found that even though we owned it, it was, and still is, full of other companies’ copyrights.”

But what Caldera did do, as described in a Caldera white paper dated March 8, 2001, “Linux and UNIX are coming Together” by Dean R. Zimmerman of SCO, was to try and merge the best features of both operating systems. In the first pages of the white paper, there’s a line that fits perfectly with open-source gospel: “For a programmer, access to source code is the greatest gift that can be bestowed.”

And then, deeper into the white paper, “Caldera has begun the task of uniting the strengths of UNIX technology, which include stability, scalability, security and performance with the strengths of Linux, which include Internet-readiness, networking, new application support and new hardware support. Caldera’s solution is to unite in the UNIX kernel a Linux Kernel Personality (LKP), and then provide the additional APIs needed for high-end scalability. The result is an application deploy on platform with the performance, scalability and confidence of UNIX and the industry momentum of Linux.”

So here we are: SCO/Caldera software developers were not only working on their own Linux—and with SuSE on what would become UnitedLinux—but were adding Linux kernel functionality to Unix too.

Oh, and lest we forget, if there is Unix system code in Linux, it doesn’t matter anyway. For you see, SCO has another major legal problem. It was given the code that SCO claims was stolen via the GPL. That basically means that SCO itself has already open-sourced any Unix code that might be in Linux.

If SCO actually owned the IP in question, had any proof that it was stolen, and sourced the code from somewhere other than the GPL, maybe SCO should win. But, at best, I don’t see how SCO can prove any of the above, except possibly that SCO, and not Novell, owns the copyrights.

Enough! This is just silly. SCO can’t win and it shouldn’t win. In the short run, SCO can get some cash from foolish companies like Computer Associates and EV1Servers that are willing to waste their money. And, so long as they can keep the anti-Linux FUD coming, Microsoft will keep supporting them. In the long run though, SCO will rightly lose.

A version of this story was first published in eWEEK.

February 3, 2004
by sjvn01

MyDoom, Windows and Linux

In MyDoom’s aftermath, once more I’m confronted with the old lie that if Linux were only as popular as Windows, it too would have Windows-sized security problems. What nonsense!

Yes, Linux has security problems too. Yes, by sheer count of security problems patched, Linux (not Windows) has more holes. But that’s not important.

What’s really important is how serious those problems are. With Linux, the problems tend to be small and fixed quickly. With Windows, the problems tend to be larger and not fixed quickly enough. Take, for example, the Internet Explorer phishing bug, which everyone knew about by early December but wasn’t fixed until Feb. 2.

Or, more to the point, take MyDoom itself. According to mi2g Intelligence Unit Ltd., a digital risk firm, MyDoom has done at least $22.6 billion of economic damage in terms of loss of business, bandwidth clogging, productivity erosion, management-time reallocation and cost of recovery.

I believe mi2g’s numbers. Companies hate to talk about security problems, but off the record I know of at least five Fortune 500 companies that had to shut down their e-mail systems and desktops for hours to clean out the worm, which had clogged their e-mail systems worse than any spam blitz.

I wouldn’t be surprised if most of the Fortune 500 were significantly damaged. Despite the lessons of SoBig and Blaster, security continues to be an afterthought in most companies and far too many companies rely on Windows for their desktop operating system and Outlook for their e-mail reader.

Desktop Windows’ built-in problems come from its history as a stand-alone PC operating system. Unfortunately, today it’s a networked world. Windows applications have interprocess communications (DLLs, OCXs, ActiveX) that can be activated by user-level scripts (Word macros, for example) or programs (Outlook’s view window), which can then run programs or make fundamental changes to the operating system. Microsoft included this because it makes IPC very easy for Windows programs, and it does do exactly that. This is fine on a stand-alone PC where you may want your Word document’s financial chart to change depending upon the information in an Excel spreadsheet, but it’s a fatal security flaw in a networked computer.

Now, the security of Outlook—which is by far the most vulnerable of Windows applications—has improved significantly since the day in 2000 when ILOVEYOU was the worm of the hour and I said Outlook was a “security hole that happens to be an e-mail client.” Today’s versions of Outlook come with proper security settings so that a user can’t start a worm simply by reading or using the view pane to look at a file. But that still leaves other problems.

The closest thing Unix/Linux has to this is that for many years some programs required Joe User or Joe User’s process to be “root” (the master user with command over all the machine’s processes) and these programs would automatically do this for Joe. Many Unix/Linux security breaches were based on this hole. Today, most of these programs have been closed down, and this trick doesn’t work anymore. Of course, if you run your Linux computer as root, you too can be hammered, but the key difference is that in almost all Linux distributions, default users do not run as root.

In Windows, though, any user can always act as root for their machine’s core programs, and MyDoom uses this opening to add %system%/shimgapi.dll, %temp%/Message and %system%/taskmon.exe. Taskmon.exe is a core Windows 98 family file, and Windows lets a user-level program change this, or in the case of the NT/2000/XP family, add this file! This is security at its worst.

Adding insult to injury, Windows also lets this user-level program add keys and values to the Windows registry and set up a Simple Mail Transport Protocol (SMTP) client—that is, a mail server that sends out MyDoom-infected messages! How crazy is this? Linux was designed from the get-go to be an operating system that works with multiple users on a network. Unlike desktop Windows, it doesn’t have networking and basic multiuser security jury-rigged on top of it.

Is Linux vulnerable to attacks? You betcha it is. But it is not now, nor will it ever be, as vulnerable to attacks as Windows, no matter how popular it gets.

However, Linux boxes can be taken down. In all the hubbub around MyDoom no one seems to have noticed that SCO, for all of its Linux hating ways, runs its Web servers on its own UnitedLinux and OpenBSD/NetBSD. Any server—Linux or not—can be brought down by a bad enough distributed denial-of-service (DDoS) attack.

Indeed, MyDoom doesn’t even use a fancy DDoS attack; all it does is constantly fire HTTP GET requests at www.sco.com. That’s probably why MyDoom’s DDoS attack hasn’t caused, as some expected, much trouble on overall network throughput. Hundreds or even thousands of GET requests won’t cause that much trouble on most networks—it’s when hundreds of thousands of them target a single IP address that things start to go awry. In short, MyDoom relies on volume, rather than sophistication, to get its DDoS point across.
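The detection side of the volume-over-sophistication point above, as an added example that is not from the original column: a Python script that parses constructed Common Log Format lines, keeps a sliding per-source window of GET requests, and flags any source whose rate crosses a threshold. The log lines, the addresses (RFC 5737 documentation ranges), the 10-second window and the threshold of 20 are all assumptions of the example, chosen so that one source stands out the way a flood does in a real access log.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _clf_line(ip, when, path="/"):
    """Build one constructed access-log line (sample data only)."""
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.0" 200 1234'


def _constructed_sample():
    """Constructed log: three ordinary visitors plus one source that fires
    40 GET / requests in 8 seconds, the volume pattern the column describes.
    All addresses are from the RFC 5737 documentation ranges."""
    base = datetime.strptime("01/Feb/2004:04:00:00 -0500", TS_FMT)
    lines = [
        _clf_line("192.0.2.10", base + timedelta(seconds=1), "/products/"),
        _clf_line("192.0.2.11", base + timedelta(seconds=1), "/"),
        _clf_line("192.0.2.12", base + timedelta(seconds=30), "/news/"),
    ]
    for i in range(40):
        lines.append(_clf_line("198.51.100.7", base + timedelta(seconds=i // 5)))
    return lines


SAMPLE_LINES = _constructed_sample()


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_get_flood(lines, window_seconds=10, threshold=20):
    """Return {ip: peak_requests_in_window} for every source that issues at
    least `threshold` GETs inside some `window_seconds` span.
    Assumes each source's lines appear in time order, as in a live log."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = Counter()
    for rec in map(parse_line, lines):
        if rec is None or rec["method"] != "GET":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop requests older than the window
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def requests_per_second(lines):
    """Aggregate load per second: the view an operator sees before any
    per-source analysis, and the number that saturates a single address."""
    return Counter(rec["ts"] for rec in map(parse_line, lines) if rec)


if __name__ == "__main__":
    for ip, n in detect_get_flood(SAMPLE_LINES).items():
        print(f"flood suspect {ip}: {n} GETs inside a 10 s window")
    busiest, count = requests_per_second(SAMPLE_LINES).most_common(1)[0]
    print(f"busiest second {busiest:%H:%M:%S}: {count} requests")
```

The per-source window is what separates a flood from a busy site: the aggregate count alone cannot tell hundreds of legitimate visitors from one infected host, whereas the sliding window shows a single address far above any human browsing rate. In a worm-driven flood the sources are many, so in practice the threshold is paired with a count of distinct flagged sources.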

No, as I see it the real trick to preventing such attacks is twofold. The first, as Larry Seltzer eloquently puts it in his column “MyDoom Lessons: Failures of Education, Antivirus Vendors,” is to start using SMTP authentication at the network level to stop the rogue SMTP servers on which MyDoom, Welchia and SoBig rely. The other is for companies to start weaning themselves from Windows desktops. Linux desktops aren’t perfect, but they are inherently more secure in today’s Internet world; that’s a fact that any CIO adding up the costs of his MyDoom cleanup needs to keep in mind.
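One way to act on the network-level SMTP control recommended above, as an added example that is not from the original column or from Seltzer’s: a Python script that checks constructed flow records against the policy “only the authorized mail relay may open port 25 to the outside,” reporting every internal host that sends mail directly (the signature of a rogue SMTP engine) and showing the verdict an egress rule built on the same policy would give. The relay address, the internal network and the flow records are all assumptions of the example.

```python
import ipaddress
from collections import Counter

# Constructed policy: the corporate relay is the only host allowed to speak
# SMTP to the outside world. Addresses are RFC 1918 / RFC 5737 ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AUTHORIZED_RELAYS = {ipaddress.ip_address("10.0.0.25")}
SMTP_PORT = 25

# Constructed flow records (src, dst, dst_port): two desktops handing mail to
# the relay as they should, the relay talking to the Internet, and one desktop
# (10.0.5.77) pushing mail straight to outside mail exchangers.
SAMPLE_FLOWS = [
    ("10.0.5.12", "10.0.0.25", 25),
    ("10.0.5.13", "10.0.0.25", 25),
    ("10.0.0.25", "203.0.113.10", 25),
    ("10.0.5.77", "203.0.113.10", 25),
    ("10.0.5.77", "198.51.100.20", 25),
    ("10.0.5.77", "198.51.100.21", 25),
    ("10.0.5.77", "192.0.2.80", 80),   # ordinary web traffic, not mail
]


def is_internal(addr):
    """True if the address belongs to one of the internal networks."""
    return any(addr in net for net in INTERNAL_NETS)


def egress_verdict(src, dst, dport, relays=AUTHORIZED_RELAYS):
    """Apply the policy to one flow: 'allow', or 'deny' for direct outbound
    SMTP from an internal host that is not an authorized relay."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != SMTP_PORT or not is_internal(src_ip) or is_internal(dst_ip):
        return "allow"
    return "allow" if src_ip in relays else "deny"


def rogue_smtp_senders(flows, relays=AUTHORIZED_RELAYS):
    """Detection view: {host: number of direct outbound SMTP connections} for
    every internal host the policy would have denied."""
    hits = Counter()
    for src, dst, dport in flows:
        if egress_verdict(src, dst, dport, relays) == "deny":
            hits[src] += 1
    return dict(hits)


def policy_verdicts(flows, relays=AUTHORIZED_RELAYS):
    """Prevention view: the flow list annotated with the rule's decision."""
    return [(src, dst, dport, egress_verdict(src, dst, dport, relays))
            for src, dst, dport in flows]


if __name__ == "__main__":
    for host, n in rogue_smtp_senders(SAMPLE_FLOWS).items():
        print(f"{host}: {n} direct outbound SMTP connections (rogue sender)")
    for src, dst, dport, verdict in policy_verdicts(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {verdict}")
```

The same predicate drives both views: run over flow or firewall logs it names the infected desktops to clean, and enforced at the border it keeps a worm’s built-in mail engine from delivering anything, while ordinary clients, which submit mail through the relay, are unaffected.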

A version of this story was first published in eWEEK.

February 1, 2004
by sjvn01

SCO’s MyDoom DDoS Hammering Begins

As expected, SCO’s Web site was overwhelmed by a MyDoom-created DDoS attack early Sunday morning.

The SCO Group Inc. confirmed that by midnight EST today, a large-scale, DDoS (distributed-denial-of-service) attack had rendered its Web site completely inaccessible.

The MyDoom (dubbed Novarg.A by Symantec Corp. and MiMail.R by Trend Micro Inc.) DDoS flood began building momentum on Saturday evening, and hours later the SCO Web site was completely swamped.

The attack on SCO was anything but unexpected. Experts had been predicting it since shortly after it became clear that MyDoom would be one of the most widely distributed worms of all time.

Jeff Carlon, worldwide director of SCO’s IT infrastructure, said, “This large-scale attack, caused by the MyDoom computer virus that is estimated to have infected hundreds of thousands of computers around the world, is now overwhelming the Internet with requests to www.sco.com. While we expect this attack to continue throughout the next few weeks, we have a series of contingency plans to deal with this problem and we will begin communicating those plans on Monday morning.”

According to Blake Stowell, director of public relations for the Lindon, Utah, company, “Hundreds of thousands of MyDoom-infected PCs are attempting to contact our site. It’s as bad as anyone thought it could be.”

SCO will not be defending itself against the attack, though, until Monday. Stowell explains, “We don’t expect many real site visitors on not only Sunday, but Super Bowl Sunday.” Stowell goes on, “We have seen this coming and do have plans in place to address it on Monday morning. If Plan A doesn’t work, we’re ready with Plan B, and then with Plan C.”

Although Carlon expects the attack not to end for several weeks, MyDoom, in its current form, is scheduled to end its assault on SCO’s Web site on February 12, 2004. Active MyDoom infections, with their built-in backdoors, could be modified to extend the attack or to perform other tasks at its maker’s bidding.

Some ISPs, in order to preserve the quality of service for their users, have elected to stop all traffic to SCO’s Web site, according to Stowell. While Stowell didn’t reveal which ISPs had taken such action, an anonymous ISP source said that Wanadoo, a major French ISP, has taken this course.

Netcraft Ltd., the Bath, England-based Net performance and security firm, had expected SCO “might take www.sco.com out of the Domain Name System (DNS) in the run up to the MyDoom DDoS payload in order to keep the denial-of-service http traffic off the Internet. So far, though, www.sco.com still resolves and receives http requests, though closing the connection without sending a response. That said, the sco.com hostmaster is reserving his options, with the Time to Live (TTL) set to just 60 seconds.”

With a TTL of 60 seconds, SCO could point www.sco.com at a different IP address and have caching resolvers pick up the change in less than a minute. As of Sunday morning, 11 a.m. EST, SCO has not availed itself of this option.
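The TTL mechanism behind the previous two paragraphs, as an added example that is not from the original article or from Netcraft: a small Python model of a caching resolver that answers from its cache until a record’s TTL expires and only then asks the authoritative server again. The hostname, the two addresses (RFC 5737 documentation ranges), the moment of the change and the query times are all assumptions of the example; it compares the 60-second TTL Netcraft observed with a day-long TTL to show how long a repointed name can keep resolving to the old address.

```python
class CachingResolver:
    """Minimal model of a caching resolver: serve a cached answer until the
    record's TTL runs out, then fetch it again from the authoritative zone."""

    def __init__(self, authoritative):
        self.authoritative = authoritative   # name -> (address, ttl_seconds)
        self.cache = {}                      # name -> (address, expires_at)

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached and now < cached[1]:       # still within the TTL
            return cached[0]
        address, ttl = self.authoritative[name]
        self.cache[name] = (address, now + ttl)
        return address


OLD_ADDRESS = "192.0.2.1"      # constructed: address under attack
NEW_ADDRESS = "198.51.100.1"   # constructed: address the name is moved to


def simulate_repoint(ttl, change_at, query_times, name="www.example.test"):
    """A resolver caches the old answer at t=0; the zone owner repoints the
    name at `change_at`; return the address the resolver hands out at each
    query time (seconds). Times are plain integers to keep the model simple."""
    zone = {name: (OLD_ADDRESS, ttl)}
    resolver = CachingResolver(zone)
    resolver.resolve(name, 0)
    answers = []
    for t in sorted(query_times):
        if t >= change_at:
            zone[name] = (NEW_ADDRESS, ttl)   # authoritative change lands
        answers.append(resolver.resolve(name, t))
    return answers


def seconds_until_new_address(ttl, change_at, last_cache_fill=0):
    """Worst case: a resolver that cached just before the change keeps the
    old answer until that cache entry expires."""
    return max(0, last_cache_fill + ttl - change_at)


if __name__ == "__main__":
    queries = [5, 30, 59, 60, 120]
    for ttl in (60, 86400):
        print(f"TTL {ttl:>5}s: {simulate_repoint(ttl, 10, queries)}")
        print(f"  old address served for up to "
              f"{seconds_until_new_address(ttl, 10)}s after the change")
```

With the 60-second TTL the resolver still returns the old address at t=59 and switches at t=60, when its cache entry expires; with a TTL of 86400 every query in the run returns the old address. That is why a short TTL set ahead of time is a precondition for the quick move the article describes, and why a resolver that has cached the old record cannot be hurried along by the zone owner.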

Microsoft Corp. used just such an option to deflect last August’s Blaster DDoS attacks.

Stowell says, “While that is an option we’re looking at, I can’t say if that will be the first thing we try.”

Microsoft opted to shift its Web site front doorway to Akamai Technologies Inc., a Cambridge, Mass. content-distribution network (CDN) that runs its services on Linux.

But messages at Netcraft’s imply that this could be an embarrassment to SCO. SCO itself, according to Netcraft’s own records, has been running its Web site through 2003 and most of 2004 on its own UnitedLinux distribution. Recently, SCO shifted to running on NetBSD/OpenBSD.

A version of this story was first published in eWEEK.

January 6, 2004
by sjvn01

Get The FUD

Microsoft is calling its new anti-Linux ad campaign “Get the Facts,” but I call it “Get the FUD.”

At the heart of the campaign is a new Microsoft web site that provides you with the “industry case studies, business analysts reports, and test lab results” to make an intelligent decision between Microsoft’s operating systems and Linux. Yeah. Right. And I’m Bill Gates.

If you go to the site, the first report up is a 2002 vintage IDC report, which was sponsored by Microsoft, comparing total cost of ownership (TCO) of Windows 2000 to Linux. IDC found that W2K beat out Linux in four out of five common enterprise tasks. This was because “The cost advantages are driven primarily by Windows’ significantly lower costs for IT staffing, generally the largest single component of IT costs.”

I have no argument with that … in 2002 for Windows 2000. Too bad for Microsoft that it’s 2004. There are a lot more Linux technicians and administrators now than there were then, and now Microsoft wants you to buy Server 2003, not W2K. Do the exact same study today and I suspect you’ll find Linux ahead of the game in IT staff costs.

There are far more experienced Linux IT staffers today than in 2002, and Linux’s network administration tools have gotten much better. As the IDC crew noted in the report, “Mature computing platforms have an advantage in cost measurements.” Today, Linux administrators have the edge over Server 2003 administrators in experience and maturity.

But wait, there’s more. IDC’s analysts also wrote that the “TCO advantage is not always, in and of itself, a compelling reason to initiate a move from one platform to the other. IDC notes that evaluating such a move would require a return on investment (ROI) justification as well as a compelling TCO metric.” IDC concludes, “when the TCO values that are associated with each of the compared platforms are relatively close, as is the case in our comparison of Linux and Windows 2000. Therefore, where platforms are currently in use within an organization, continued use of those platforms often makes a great deal of economic sense.”

In short, IDC concluded that while W2K was cheaper in TCO terms, it still wasn’t so significantly cheaper.

That was then. This is now.

Windows has gotten more expensive in terms of TCO, thanks to Licensing 6 and the introduction of a new platform; Linux has gotten cheaper. Next example of how much better Microsoft is, please.

Ah yes, next up is the Microsoft-sponsored study of Server 2003 versus Linux on the mainframe. Although the META Group name is attached to it, its sole role was to verify that the benchmark configurations and procedures were appropriate. META Group was not asked to, nor did they, endorse the results.

Microsoft also notes that although the boys from Redmond, Wash., used Ziff Davis Media’s PC Magazine NetBench and WebBench tests, neither Ziff Davis Media nor VeriTest, the people in charge of developing and maintaining the benchmarks, were involved in the testing.

Now I happen to know those benchmarks pretty darn well. I’ve used them for numerous projects over the years, and I know that they’re easy to beat. All you need do is control how the server is tuned, and objectivity goes out the window. I can make the same machine with the same operating system mosey along the way I do when I’m going to the dentist for a root canal, or zoom along as if I were trying to find out just how fast my ’91 Toyota MR-2 sports car can go on a straightaway (124 mph, by the by).

So in this case, Microsoft doesn’t even hire someone to run the benchmarks: Microsoft itself is comparing competing products to its own, and wow, they win! I am so impressed.

The Giga Report

Next, we have the report that Microsoft bought from Giga Information Group that compared J2EE/Linux software development costs to Windows and .Net. Microsoft pushes the fact that the study found that it was cheaper to develop with Windows and .Net. What Microsoft doesn’t trumpet is that Giga Information Group also reported, “The study also indicates that many organizations will adopt Linux instead of Microsoft’s alternative.” That’s because many organizations saw Linux as a good way to reduce costs while retaining their Unix skills investments.

Microsoft also doesn’t note that even with such caveats, the study was subjected to such a firestorm of criticism that Giga Information Group backed away from it, though it did not fully repudiate it.

Specifically, George Colony, the CEO of Forrester Research, Giga Information Group’s parent company, said in a public letter, “Recently, in two isolated and unrelated cases (Microsoft and PeopleSoft), we conducted privately sponsored studies for two vendor clients. We stand by the integrity of both studies. However, we erred in allowing those clients to publicize the research findings.”

Colony went on, “In response to these two isolated events, Forrester has taken immediate steps to tighten our internal process and clarify our Integrity Policy. As part of this clarification, the company will no longer accept projects that involve paid-for, publicized product comparisons.”

Underneath the polite words, Forrester Research was saying that it saw studies like the J2EE one as endangering the “research integrity (that) is the core value of our company and is fundamental to Forrester’s value proposition.” If that’s the kind of strong analyst backing Microsoft is finding to support its case, Microsoft is in trouble.

At least Microsoft is trying to be rational this time. We’re not seeing Steve Ballmer rant and rave about open-source software being a threat to the software world. This time we no longer have such errant Microsoft-sponsored nonsense as the Alexis de Tocqueville Institution’s comment: “The GPL has many risks, but the greatest is its threat to the cooperation between different parties who collaborate and create new technologies.” Uh, excuse me, but isn’t the whole idea of the GPL to free programmers to work together?

Ah well, never mind that nonsense. This time around, Microsoft is trying to put together reasonable arguments to show that its products are better choices than those of the open-source community. Unfortunately for Microsoft, its own selections show there aren’t a whole lot of reasonable arguments against Linux out there.

I actually find this rather odd. Linux isn’t perfect. XP Professional, W2K and Server 2003 do have points in their favor. Even so, I think that Linux is still the better choice for most businesses, but heck, I could argue better for Microsoft’s cause than they do! If the best Redmond can do is rehash old and discredited analyst reports, maybe Microsoft really is right to worry about Linux.

A version of this story was first published in eWEEK.

January 6, 2004
by sjvn01

Sun’s Cobalt Server Software Gets Open-Source Life

Sun Microsystems Inc. is ending its Cobalt server product line, but that’s not the end of the Cobalt story. Sun has elected to release the Cobalt RaQ 550 server appliance source code under a Berkeley-style open-source license, thus giving the old product line new life.

The release of the RaQ 550 code follows in the footsteps of Sun releasing the Cobalt line’s ROM source code at the SourceForge developer site under the GNU General Public License (GPL). This ROM code is a custom BIOS for the x86-based Qube and RaQ products. That in turn followed Sun open-sourcing its user interface and back-end software, formerly Sausalito, now called Blue Quartz, which was released in July 2003 under a BSD-like license.

The once-popular Cobalt line is still used by many Web hosting companies and ISPs for low-end Web and Internet services, for example as an e-mail and dynamic host configuration protocol (DHCP) server. Despite the retirement of the line, Sun plans to maintain the knowledge base and support forum for the Cobalt RaQ 550 device for three more years, through mid-February 2007.

Duncan Laurie, a Sun engineer, is watching over the BIOS code even though the project is not sponsored by Sun. The Japan-based Blue Quartz project is also an independent effort. This effort is supported by the Cobalt User Group.

The release of all this code makes it possible for other vendors to release Cobalt clones, since all the necessary firmware and software is now openly available.

Though such moves may have little impact in the enterprise market, which in recent years turned away from the once-popular Cobalt line and other rack-mount and application device servers to cheaper, more compact blade servers, it opens the potential for the now-collectors’ items to continue to be used in small and home offices and in consumer server applications. The Sun Cobalt line is dying, but low-end Cobalt usage may continue to live on in smaller or vertical businesses.

A version of this story first appeared in eWEEK.