Practical Technology

for practical people.

March 4, 2004
by sjvn01

SCO Can’t Win

I think The SCO Group deserves every penny they’re asking for… if they were right, but they’re not. I’ve been following SCO as a writer since the late ’80s, and I’ve been using its products for even longer. When Caldera came out with one of the first commercial Linux distributions, I was there too. In short, I know this company and its IP claims simply don’t hold up.

If SCO had just gone after IBM on contract terms, because of how IBM handled the attempt to bring AIX 5L to Intel (Project Monterey), that would be a different story. From what I know of that deal, I think SCO was treated shabbily.

SCO’s owners, the Canopy Group, should have, in my humble opinion, kept Ransom Love as CEO and continued to support Linux. Had they done so, then SCO, with its close Novell ties, would have been acquired by Novell, not SuSE. $200+ million down the drain for Canopy.

As it is, the ownership decided they wanted to shift gears from being an operating system company to one that tries to make money from lawsuits. Now, personally, I don’t like this. I’d rather make things than haul people to court. But those businesses can work. In fact, there are companies that do nothing but acquire patents, wait until someone has created something that may infringe on those patents and then swoop in like vultures.

In SCO’s case, however, the company is trying to create a house of cards. If any one of those cards shifts, the entire litigious structure falls.

Darl McBride, SCO’s CEO, talks about SCO defending the rights of intellectual property like the RIAA. It’s not. SCO’s IP claims are much weaker. We know a song belongs to an artist and a label. SCO’s copyright claims are much murkier.

First, SCO has to establish that it actually owns the copyright to Unix System V code. Novell says it doesn’t. The agreements transferring the IP rights, to my non-lawyer eyes, don’t clearly give SCO all the rights it needs to make its sweeping copyright claims.

OK, let’s suppose that the courts agree that SCO, not Novell, owns the IP and all the rights to control how it’s used. Next, SCO has to prove that IBM, or other companies, took code from Unix and placed it in Linux. I don’t see how they can do that. SCO has never presented a shred of significant evidence that there is any Unix code in Linux. Besides, we do know for a fact that SCO was trying to get Linux and Unix to work together. If any code duplication is found, SCO could have been the one doing the copying.

SCO was working on this even before Caldera bought out SCO’s Unix division and intellectual property. Specifically, SCO added Linux compatibility to its Unix properties with operating system packages like UnixWare’s Linux Kernel Personality (LKP). The LKP enables UnixWare, one of SCO’s Unix operating systems, to run Linux binaries.

So SCO was adding Linux functionality, Linux code, into its own Unix products, and was also considering bringing Linux functionality to its older OpenServer Unix. Given SCO’s own reasoning, could all this Linux functionality be added to Unix without introducing Linux code into Unix? I think not.

Look at the history. When Caldera first bought SCO in August 2000, the company suggested that it was going to open source a good deal of Unix. That never happened because, as Love explained, “We quickly found that even though we owned it, it was, and still is, full of other companies’ copyrights.”

But what Caldera did do, as described in a Caldera white paper dated March 8, 2001, “Linux and UNIX are coming Together” by Dean R. Zimmerman of SCO, was to try and merge the best features of both operating systems. In the first pages of the white paper, there’s a line that fits perfectly with open-source gospel: “For a programmer, access to source code is the greatest gift that can be bestowed.”

And then, deeper into the white paper, “Caldera has begun the task of uniting the strengths of UNIX technology, which include stability, scalability, security and performance with the strengths of Linux, which include Internet-readiness, networking, new application support and new hardware support. Caldera’s solution is to unite in the UNIX kernel a Linux Kernel Personality (LKP), and then provide the additional APIs needed for high-end scalability. The result is an application deploy on platform with the performance, scalability and confidence of UNIX and the industry momentum of Linux.”

So here we are: SCO/Caldera software developers were not only working on their own Linux—and with SuSE on what would become UnitedLinux—but were adding Linux kernel functionality to Unix too.

Oh, and lest we forget, if there is Unix system code in Linux, it doesn’t matter anyway. For you see, SCO has another major legal problem. It was given the code that SCO claims was stolen via the GPL. That basically means that SCO itself has already open-sourced any Unix code that might be in Linux.

If SCO actually owned the IP in question, had any proof that it was stolen, and sourced the code from somewhere other than the GPL, maybe SCO should win. But, at best, I don’t see how SCO can prove any of the above, except possibly that SCO, and not Novell, owns the copyrights.

Enough! This is just silly. SCO can’t win and it shouldn’t win. In the short run, SCO can get some cash from foolish companies like Computer Associates and EV1Servers that are willing to waste their money. And, so long as they can keep the anti-Linux FUD coming, Microsoft will keep supporting them. In the long run though, SCO will rightly lose.


A version of this story was first published in eWEEK.

February 3, 2004
by sjvn01

MyDoom, Windows and Linux

In MyDoom’s aftermath, once more I’m confronted with the old lie that if Linux were only as popular as Windows, it too would have Windows-sized security problems. What nonsense!

Yes, Linux has security problems too. Yes, by sheer count of security problems patched, Linux (not Windows) has more holes. But that’s not important.

What’s really important is how serious those problems are. With Linux, the problems tend to be small and fixed quickly. With Windows, the problems tend to be larger and not fixed quickly enough. Take, for example, the Internet Explorer phishing bug, which everyone knew about by early December but wasn’t fixed until Feb. 2.

Or, more to the point, take MyDoom itself. According to mi2g Intelligence Unit Ltd., a digital risk firm, MyDoom has done at least $22.6 billion of economic damage in terms of loss of business, bandwidth clogging, productivity erosion, management-time reallocation and cost of recovery.

I believe mi2g’s numbers. Companies hate to talk about security problems, but off the record I know of at least five Fortune 500 companies that had to shut down their e-mail systems and desktops for hours to clean out the worm, which had clogged their e-mail systems worse than any spam blitz.

I wouldn’t be surprised if most of the Fortune 500 were significantly damaged. Despite the lessons of SoBig and Blaster, security continues to be an afterthought in most companies, and far too many companies rely on Windows for their desktop operating system and Outlook for their e-mail reader.

Desktop Windows’ built-in problems come from its history as a stand-alone PC operating system. Unfortunately, today it’s a networked world. Windows applications have interprocess communications (DLLs, OCXs, ActiveX) that can be activated by user-level scripts (Word macros, for example) or programs (Outlook’s view window), which can then run programs or make fundamental changes to the operating system. Microsoft included this because it makes IPC very easy for Windows programs, and it does do exactly that. This is fine in a stand-alone PC where you may want to have your Word document’s financial chart change depending upon the information set in an Excel spreadsheet, but it’s a fatal security flaw in a networked computer.

Now, the security of Outlook—which is by far the most vulnerable of Windows applications—has improved significantly since the day in 2000 when ILOVEYOU was the worm of the hour and I said Outlook was a “security hole that happens to be an e-mail client.” Today’s versions of Outlook come with proper security settings so that a user can’t start a worm simply by reading or using the view pane to look at a file. But that still leaves other problems.

The closest thing Unix/Linux has to this is that for many years some programs required Joe User or Joe User’s process to be “root” (the master user with command over all the machine’s processes) and these programs would automatically do this for Joe. Many Unix/Linux security breaches were based on this hole. Today, most of these programs have been closed down, and this trick doesn’t work anymore. Of course, if you run your Linux computer as root, you too can be hammered, but the key difference is that in almost all Linux distributions, default users do not run as root.

In Windows, though, any user can always act as root for their machine’s core programs, and MyDoom uses this opening to add %system%/shimgapi.dll, %temp%/Message and %system%/taskmon.exe. Taskmon.exe is a core Windows 98 family file, and Windows lets a user-level program change this, or in the case of the NT/2000/XP family, add this file! This is security at its worst.

Adding insult to injury, Windows also lets this user-level program add keys and values to the Windows registry and set up a Simple Mail Transport Protocol (SMTP) client—that is, a mail server that sends out MyDoom-infected messages! How crazy is this? Linux was designed from the get-go to be an operating system that works with multiple users on a network. Unlike desktop Windows, it doesn’t have networking and basic multiuser security jury-rigged on top of it.

Is Linux vulnerable to attacks? You betcha it is. But it is not now, nor will it ever be, as vulnerable to attacks as Windows, no matter how popular it gets.

However, Linux boxes can be taken down. In all the hubbub around MyDoom, no one seems to have noticed that SCO, for all of its Linux-hating ways, runs its Web servers on its own UnitedLinux and OpenBSD/NetBSD. Any server—Linux or not—can be brought down by a bad enough distributed denial-of-service (DDoS) attack.

Indeed, MyDoom doesn’t even use a fancy DDoS attack; all it does is constantly fire HTTP GET requests at www.sco.com. That’s probably why MyDoom’s DDoS attack hasn’t caused, as some expected, much trouble on overall network throughput. Hundreds or even thousands of GET requests won’t cause that much trouble on most networks—it’s when hundreds of thousands of them target a single IP address that things start to go awry. In short, MyDoom relies on volume, rather than sophistication, to get its DDoS point across.
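To make the "volume, not sophistication" point concrete, here is an added example (not part of the original column): a short Python script a network team could run over egress proxy logs to spot machines that keep firing GET requests at www.sco.com. The log format, the sample lines, the addresses and the 60-second/30-request threshold are all assumptions constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical proxy log format (an assumption, not any real product's format):
#   <ISO timestamp> <client IP> <method> <host> <path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)


def build_sample_log():
    """Return constructed log lines in time order. None of this is real traffic."""
    start = datetime(2004, 2, 1, 16, 0, 0)
    events = []
    # 10.0.0.21 behaves like an infected PC: one GET per second for two minutes.
    for i in range(120):
        events.append((start + timedelta(seconds=i), "10.0.0.21", "www.sco.com", "/"))
    # 10.0.0.35 is a person reading the site: three page views.
    for i in (5, 40, 95):
        events.append((start + timedelta(seconds=i), "10.0.0.35", "www.sco.com", "/"))
    # 10.0.0.40 is busy with unrelated browsing and must not be flagged.
    for i in range(0, 120, 2):
        events.append((start + timedelta(seconds=i), "10.0.0.40", "www.example.org", "/news"))
    events.sort(key=lambda e: e[0])
    return [f"{ts.isoformat()} {client} GET {host} {path}"
            for ts, client, host, path in events]


def find_flooders(lines, target="www.sco.com",
                  window=timedelta(seconds=60), threshold=30):
    """Map each client to its peak GET count against `target` inside any
    sliding `window`, keeping only clients whose peak reaches `threshold`.
    Lines must be in time order; malformed lines are skipped."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peak = {}                     # client -> highest count seen in one window
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["method"] != "GET" or m["host"].lower() != target.lower():
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        q = recent[m["client"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[m["client"]] = max(peak.get(m["client"], 0), len(q))
    return {client: n for client, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in sorted(find_flooders(build_sample_log()).items()):
        print(f"{client}: peak of {n} GETs to www.sco.com within 60 seconds")
```

The occasional human visitor and the heavy but unrelated browsing both stay under the threshold; only the host that repeats the same request every second is reported.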

No, as I see it the real trick to preventing such attacks is twofold. The first, as Larry Seltzer eloquently puts it in his column “MyDoom Lessons: Failures of Education, Antivirus Vendors,” is to start using SMTP authentication at the network level to stop the rogue SMTP servers on which MyDoom, Welchia and SoBig rely. The other is for companies to start weaning themselves from Windows desktops. Linux desktops aren’t perfect, but they are inherently more secure in today’s Internet world; that’s a fact that any CIO adding up the costs of his MyDoom cleanup needs to keep in mind.

A version of this story was first published in eWEEK.

February 1, 2004
by sjvn01

SCO’s MyDoom DDoS Hammering Begins

As expected, SCO’s Web site was overwhelmed by a MyDoom-created DDoS attack early Sunday morning.

The SCO Group Inc. confirmed that by midnight EST today, a large-scale DDoS (distributed denial-of-service) attack had rendered its Web site completely inaccessible.

The MyDoom (dubbed Novarg.A by Symantec Corp. and MiMail.R by Trend Micro Inc.) DDoS flood began building momentum on Saturday evening, and hours later the SCO Web site was completely swamped.

The attack on SCO was anything but unexpected. Experts had been predicting this since shortly after it became clear that MyDoom was going to prove to be one of the most widely distributed worms of all time.

Jeff Carlon, worldwide director of SCO’s IT infrastructure, said, “This large-scale attack, caused by the MyDoom computer virus that is estimated to have infected hundreds of thousands of computers around the world, is now overwhelming the Internet with requests to www.sco.com. While we expect this attack to continue throughout the next few weeks, we have a series of contingency plans to deal with this problem and we will begin communicating those plans on Monday morning.”

According to Blake Stowell, director of public relations for the Lindon, Utah, company, “Hundreds of thousands of MyDoom-infected PCs are attempting to contact our site. It’s as bad as anyone thought it could be.”

SCO will not be defending itself against the attack until Monday, though. Stowell explains, “We don’t expect many real site visitors on not only Sunday, but Super Bowl Sunday.” Stowell goes on, “We have seen this coming and do have plans in place to address it on Monday morning. If Plan A doesn’t work, we’re ready with Plan B, and then with Plan C.”

Although Carlon expects the attack not to end for several weeks, MyDoom, in its current form, is scheduled to end its assault on SCO’s Web site on February 12, 2004. Active MyDoom infections, with their built-in backdoors, could be modified to extend the attack or to perform other tasks at its maker’s bidding.

Some ISPs, in order to preserve the quality of service for their users, have elected to stop all traffic to SCO’s Web site, according to Stowell. While Stowell didn’t reveal which ISPs had taken such action, an anonymous ISP source said that Wanadoo, a major French ISP, has taken this course.

Netcraft Ltd., the Bath, England-based Net performance and security firm, had expected SCO “might take www.sco.com out of the Domain Name System (DNS) in the run up to the MyDoom DDoS payload in order to keep the denial-of-service http traffic off the Internet. So far, though, www.sco.com still resolves and receives http requests, though closing the connection without sending a response. That said, the sco.com hostmaster is reserving his options, with the Time to Live (TTL) set to just 60 seconds.”

With a TTL of 60 seconds, SCO could reset its IP address to another domain in less than a minute. As of Sunday morning, 11 a.m. EST, SCO has not availed itself of this option.

Microsoft Corp. used just such an option to deflect last August’s Blaster DDoS attacks.

Stowell says, “While that is an option we’re looking at, I can’t say if that will be the first thing we try.”

Microsoft opted to shift its Web site front doorway to Akamai Technologies Inc., a Cambridge, Mass., content-distribution network (CDN) that runs its services on Linux.

But messages at Netcraft imply that this could be an embarrassment to SCO. SCO itself, according to Netcraft’s own records, has been running its Web site through 2003 and most of 2004 on its own UnitedLinux distribution. Recently, SCO shifted to running on NetBSD/OpenBSD.

A version of this story was first published in eWEEK.

January 6, 2004
by sjvn01

Get The FUD

Microsoft is calling its new anti-Linux ad campaign “Get the Facts,” but I call it “Get the FUD.”

At the heart of the campaign is a new Microsoft web site that provides you with the “industry case studies, business analysts’ reports, and test lab results” to make an intelligent decision between Microsoft’s operating systems and Linux. Yeah. Right. And I’m Bill Gates.

If you go to the site, the first report up is a 2002 vintage IDC report, which was sponsored by Microsoft, comparing total cost of ownership (TCO) of Windows 2000 to Linux. IDC found that W2K beat out Linux in four out of five common enterprise tasks. This was because “The cost advantages are driven primarily by Windows’ significantly lower costs for IT staffing, generally the largest single component of IT costs.”

I have no argument with that … in 2002 for Windows 2000. Too bad for Microsoft that it’s 2004. There are a lot more Linux technicians and administrators now than there were then, and now, Microsoft wants you to buy Server 2003, not W2K. Do the exact same study today and I suspect you’ll find Linux ahead of the game in IT staff costs.

There are far more experienced Linux IT staffers today than in 2002, and Linux’s network administration tools have gotten much better. As the IDC crew noted in the report, “Mature computing platforms have an advantage in cost measurements.” Today, Linux administrators have the edge over Server 2003 administrators in experience and maturity.

But wait, there’s more. IDC’s analysts also wrote that the “TCO advantage is not always, in and of itself, a compelling reason to initiate a move from one platform to the other. IDC notes that evaluating such a move would require a return on investment (ROI) justification as well as a compelling TCO metric.” IDC concludes, “when the TCO values that are associated with each of the compared platforms are relatively close, as is the case in our comparison of Linux and Windows 2000. Therefore, where platforms are currently in use within an organization, continued use of those platforms often makes a great deal of economic sense.”

In short, IDC concluded that while W2K was cheaper in TCO terms, it still wasn’t so significantly cheaper.

That was then. This is now.

Windows has gotten more expensive in terms of TCO, thanks to Licensing 6 and the introduction of a new platform; Linux has gotten cheaper. Next example of how much better Microsoft is, please.

Ah yes, next up is the Microsoft-sponsored study of Server 2003 versus Linux on the mainframe. Although the META Group name is attached to it, its sole role was to verify that the benchmark configurations and procedures were appropriate. META Group was not asked to, nor did they, endorse the results.

Microsoft also notes that although the boys from Redmond, Wash., used Ziff Davis Media’s PC Magazine NetBench and WebBench tests, neither Ziff Davis Media nor VeriTest, the people in charge of developing and maintaining the benchmarks, were involved in the testing.

Now I happen to know those benchmarks pretty darn well. I’ve used them for numerous projects over the years, and I know that they’re easy to beat. All you need do is control how the server is tuned, and objectivity goes out the window. I can make the same machine with the same operating system mosey along the way I do when I’m going to the dentist for a root canal or zoom along as if I were trying to find out just how fast my ’91 Toyota MR-2 sports car can go on a straightaway (124 mph by the by).

So in this case, Microsoft doesn’t even hire someone to run the benchmarks: Microsoft itself is comparing competing products to its own, and wow, they win! I am so impressed.

Next, we have the report that Microsoft bought from Giga Information Group that compared J2EE/Linux software development costs to Windows and .Net. Microsoft pushes the fact that the study found that it was cheaper to develop with Windows and .Net. What Microsoft doesn’t trumpet is that Giga Information Group also reported, “The study also indicates that many organizations will adopt Linux instead of Microsoft’s alternative.” That’s because many organizations saw Linux as a good way to reduce costs while retaining their Unix skills investments.

Microsoft also doesn’t note that even with such caveats, the study was subjected to such a firestorm of criticism that Giga Information Group backed away from it, though it did not fully repudiate it.

Specifically, George Colony, the CEO of Forrester Research, Giga Information Group’s parent company, said in a public letter, “Recently, in two isolated and unrelated cases (Microsoft and PeopleSoft), we conducted privately sponsored studies for two vendor clients. We stand by the integrity of both studies. However, we erred in allowing those clients to publicize the research findings.”

Colony went on, “In response to these two isolated events, Forrester has taken immediate steps to tighten our internal process and clarify our Integrity Policy. As part of this clarification, the company will no longer accept projects that involve paid-for, publicized product comparisons.”

Underneath the polite words, Forrester Research was saying that it saw studies like the J2EE one as endangering the “research integrity (that) is the core value of our company and is fundamental to Forrester’s value proposition.” If that’s the kind of strong analyst backing Microsoft is finding to support its case, Microsoft is in trouble.

At least Microsoft is trying to be rational this time. We’re not seeing Steve Ballmer rant and rave about open-source software being a threat to the software world. This time we no longer have such errant Microsoft-sponsored nonsense as the Alexis de Tocqueville Institution’s comment: “The GPL has many risks, but the greatest is its threat to the cooperation between different parties who collaborate and create new technologies.” Uh, excuse me, but isn’t the whole idea of the GPL to free programmers to work together?

Ah well, never mind that nonsense. This time around, Microsoft is trying to put together reasonable arguments to show that its products are better choices than those of the open-source community. Unfortunately for Microsoft, its own selections show there aren’t a whole lot of reasonable arguments against Linux out there.

I actually find this rather odd. Linux isn’t perfect. XP Professional, W2K and Server 2003 do have points in their favor. Even so, I think that Linux is still the better choice for most businesses, but heck, I could argue better for Microsoft’s cause than they do! If the best Redmond can do is rehash old and discredited analyst reports, maybe Microsoft really is right to worry about Linux.

A version of this story was first published in eWEEK.

January 6, 2004
by sjvn01

Sun’s Cobalt Server Software Gets Open-Source Life

Sun Microsystems Inc. is ending its Cobalt server product line, but that’s not the end of the Cobalt story. Sun has elected to release the Cobalt RaQ 550 server appliance source code under a Berkeley-style open-source license, thus giving the old product line new life.

The release of the RaQ 550 code follows in the footsteps of Sun’s release of the Cobalt line’s ROM source code at the SourceForge developer site under the GNU General Public License (GPL). This ROM code is a custom BIOS for the x86-based Qube and RaQ products. This followed Sun open-sourcing its user interface and back-end software, formerly Sausalito, now called Blue Quartz. This was released in July 2003 under a BSD-like license.

The once-popular Cobalt line is still used by many Web hosting companies and ISPs for low-end Web and Internet services: for example, as e-mail and Dynamic Host Configuration Protocol (DHCP) servers. Despite the retirement of the line, Sun plans to maintain the knowledge base and support forum for the Cobalt RaQ 550 device for three more years, through mid-February 2007.

Duncan Laurie, a Sun engineer, is watching over the BIOS code even though the project is not sponsored by Sun. The Japan-based Blue Quartz project is also an independent effort. This effort is supported by the Cobalt User Group.

The release of all this code makes it possible for other vendors to release Cobalt clones, since all the necessary firmware and software is now openly available.

Though such moves may have little impact in the enterprise market, which in recent years turned away from the once-popular Cobalt line and other rack-mount and application device servers to cheaper, more compact blade servers, it opens the potential for the now-collector’s items to continue to be used in small and home offices and in consumer server applications. The Sun Cobalt line is dying, but low-end Cobalt usage may continue to live on in smaller or vertical businesses.

A version of this story first appeared in eWEEK.

December 22, 2003
by sjvn01

Linus Torvalds Refutes SCO Copyright Claims

In a letter sent last week to Linux companies, The SCO Group Inc. made a number of specific claims about programs within Linux it contends were stolen from its Unix intellectual property. However, several Linux experts, including Linux founder Linus Torvalds, on Monday countered SCO’s assessment, wondering if the programs cited by SCO are Linux through and through.

Eric Raymond, president of the Open Source Initiative, told eWEEK.com there was a good reason why some of the code looked similar. “Do you know that there is not one bit of executable code in those files? They’re pretty much all macros and declarations forced by POSIX and other technical standards.”

Meanwhile, Bruce Perens, an open-source leader, told eWEEK.com that some parts of the code seemed to show gaps in Lindon, Utah-based SCO’s interpretation of evolutionary history. “There are mistakes in the Linux versions that don’t exist in the Unix ones, and i386 Linux doesn’t even use the same numbers as in Unix,” Perens said.

Torvalds went into far deeper detail. “I’m pretty sure the same is true of the errno.h file too (which is then duplicated several times for each architecture),” Torvalds told eWEEK.com.

“In fact, I’m pretty sure the error numbers aren’t even the same on Linux/x86 as they are on traditional Unix, exactly because the Linux header file was written independently,” he said.

“But [the errno.h files] obviously have the same error names. That’s not because they were copied; it’s because that’s specified by several standards, not Unix per se—you’ll find those error names in any operating system that has a C compiler,” Torvalds said.

Torvalds said he picked two of the 71 files SCO listed as examples of intellectual-property theft, ones that he had written himself.

“This is just a quick analysis, but it boils down to the fact that SCO is [yet again] claiming copyright on something that they did not write, and that I can prove that they did not write,” Torvalds said.

Torvalds moved his discussion into the code itself.

“SCO lists the files include/linux/ctype.h and lib/ctype.h, and some trivial digging shows that those files are actually there in the original 0.01 distribution of Linux [of September, 1991]. I can state I wrote them. Looking at the original ones, I’m a bit ashamed—the toupper() and tolower() macros are so horribly ugly that I wouldn’t admit to writing them if it wasn’t because somebody else claimed to have done so!”

He continued that “the details in them aren’t even the same as in the BSD/Unix files. The approach is the same, but if you look at actual implementation details you will notice that it’s not just that my original tolower/toupper were embarrassingly ugly; a number of other details differ, too.”

“In short: for the files where I personally checked the history, I can definitely say that those files are trivially written by me personally, with no copying from any Unix code, ever. So it’s definitely not a question of all derivative branches, [rather] it’s a question of the fact that I can show—and SCO should have been able to see—that [SCO’s] list clearly shows original work, not copied work,” Torvalds asserted.

In addition, Torvalds claimed that some similarities (and differences) between Linux and traditional Unix can be attributed to the limited number of ways available to efficiently implement programming functions and other features.

“Both Linux and traditional Unix use a naming scheme of underscore and a capital letter for the flag names. There are flags for is upper case (_U) and is lower case (_L), and surprise, surprise, both Unix and Linux use the same name. But think about it: If you wanted to use a short flag name, and you were limited by the C standard naming, what names would you use? Maybe you’d select U for Upper case and L for Lower case?”

“Looking at the other flags, Linux uses _D for Digit, while traditional Unix instead uses _N for Number. Both make sense, but they are different.”

“I personally think that the Linux naming makes more sense (the function that tests for a digit is called isdigit(), not isnumber()), but on the other hand I can certainly understand why Unix uses _N—the function that checks for whether a character is alphanumeric is called isalnum(), and that checks whether the character is an upper-case letter, a lower-case letter or a digit (a.k.a. number),” Torvalds said.

“In short, there aren’t that many ways you can choose the names, and there is lots of overlap, but it’s clearly not 100 percent,” he said.

A version of this story first appeared in eWEEK.