It appears SCO isn't only working to discourage companies from using Linux without ponying up license fees; they seem particularly unhappy with firms that are making technical contributions to the open-source OS.
That's my read after yesterday's SCO conference call with reporters and analysts. Of course, I'm not the only one wondering how SCO picked the targets for its initial end-user lawsuit. While SCO officials declined to explain why DaimlerChrysler and AutoZone were first in SCO's legal crosshairs, SCO CEO Darl McBride did complain about companies that have had access to his company's source code and then possibly "taken that knowledge ... [and] contributed to Linux."
That certainly provides some fodder for those who believe SCO isn't simply out to protect its IP and make some money but is on a search-and-destroy mission against Linux. Temporarily slowing Linux growth is one thing; but having a chilling effect on technical contributions to an open-source project is quite another.
Meanwhile, SCO revealed that it generated $20,000 last quarter from its "SCOsource licensing initiative" -- its attempt to intimidate users into paying for Linux licenses before proving its case in court, as well as seeking to enforce what it says is its contract and IP rights. The Q1 cost of the effort, probably mostly legal fees, was $3.44 million.
Not much of an ROI so far.
The lawsuits filed this week show "a bit of desperation on SCO's part," Brian Ferguson, a partner at the law firm McDermott, Will & Emery, told the Financial Times.
In its filing with the Security and Exchange Commission, SCO says revenues from its quest to get licenses "remains difficult to predict in the short-term due to the nature of these licensing transactions and the variability of the timing of revenue recognition." Nevertheless, SCO "anticipates revenue from its SCOsource initiatives will increase in future periods." Well maybe, maybe not. A fair number of legal experts believe SCO's cases will ultimately be tossed out. Many more agree that the issue may take years to untangle in court. Yet SCO CFO Robert Bench told analysts yesterday that he expects SCOsource revenues "will gain traction this quarter" and "increase in the next several quarters."
McBride promised investors more lawsuits and license negotiations.
He compared SCO's suits to recording industry lawsuits against end users who illegally downloaded copyrighted music. But there's a key difference: Nobody seriously argues that record companies don't own rights to the music they sell. Plenty of people dispute SCO's claim that its IP was illegally used in Linux.
Tell me again why anyone would want to become a SCO customer now?
DaimlerChrysler?
The international automaker joins AutoZone as targets of SCO's first lawsuits against enterprises using Linux, and I can't help wondering: WHAT IS SCO THINKING?
The AutoZone suit makes sense -- in the context of SCO's own strategy, that is, since they're trying to intimidate the customers of vendors they've targeted. AutoZone is an IBM customer, and SCO has been clear about its intent to go after Big Blue.
But suing one of their own customers, and a $7 billion corporation at that? (see story) Let's just say I wouldn't want to be a SCO salesman this week trying to get new enterprises to sign up.
SCO says the automaker wouldn't provide a certificate of compliance with its software license. It's hard to believe they're the only ones that balked, though. Maybe SCO is ticked off at legal setbacks in Germany, where a court ruled SCO must stop claiming it owns rights to Linux, according to NewsFactor, a translation of Computerwoche (Computerworld Germany) at GrokLaw and other sites. DaimlerChrysler, created when Daimler-Benz bought Chrysler in 1998, is based in Stuttgart, Germany.
Who wants Java to be open-source? It seems that everyone does, except not exactly in the same way. Actually, it appears that IBM and Sun each want the other's source code to be revealed.
IBM has long urged Sun to make its Java open-source. At the recent EclipseCon conference, a Sun executive said IBM should release its Java implementation to the open-source community (see story).
In what Ovum Research describes as calling Sun's bluff, IBM vice president of emerging technologies Rod Smith offered to work with Sun "on an independent project to open-source Java."
Ovum research director Gary Barnett notes that IBM couldn't simply decide on its own to make its Java implementation open-source, because that would violate its Java license issued by Sun. However, one would assume if Sun is now saying they should, they could.
Barnett believes it would be in Sun's interest to open-source Java, considering the company's "almost unique ability to combine enormous expertise in software development with a apparent inability to make any money out of it. Sun has spent a fortune on Java and has received far less in return - it's time to move on."
Newsforge reported that Sun and IBM officials would actually be meeting soon to discuss this. I'm still awaiting callback from either company on the status of such plans.
Another reader weighed in with some interesting comments this week on the "is the leak of Windows source code a security threat?" debate.
"Linux code is reviewed by white and black [hat hackers] alike," says system support specialist Robert L. Bagamery. "The difference is that Linux patches generally appear within hours or days - not several months like the ASN.1 bug-patch. Also, given the broad Linux community, the best patch for a problem can be selected, not the patch that is decided on by a small group of individuals serving their own interests. . . .
"My own take on this long patch release time differs from M$ in that they weren't interested in testing to make sure it was compatible, oh no! When the bug first appeared M$ was in the process of forcing people into new, expensive and totally unacceptable licensing agreements. It wouldn't have been very good incentive to the IT community to admit a grave error in your proprietary code, would it?"
Question? Comment? Opinion? Drop me an e-mail.
A few weeks ago, I wondered about alarm expressed over the leak of some Windows source code. When so many people are arguing that open-source software is more secure precisely because its code can be inspected by all, why is it a security (as opposed to trade-secret) problem if Windows code is released?
Reader Dr. Lara H. Baker, CTO at Sequestered Solutions Alaska LLC, responds that there is a difference between planned and leaked open-source.
"The argument about what the [postulated] increased vulnerability of Windows 200* or NT versus the security of open-source systems is not a valid comparison," he wrote. "Open source is just that, open, so lots of people can read it AND FIX IT. Much of the 'security' of windows is based on the fact that the source code is NOT available, therefore people can't see how to attack it. History shows us the validity of that argument.
"Microsoft seems to like the "security by obscurity" approach, as well as the obvious (and reasonable) trade secret value of hidden source code."
Good points. In theory, of course, the code should already be secure so a leak shouldn't be an issue at all. (OK, it is hard to write that with a straight face....) In practice, it's going to depend on which hackers work faster, the white hats or black hats.
Microsoft is planning a "security center" for XP Service Pack 2, according to Beta News. The control-panel-like interface will let users easily see whether items such as firewalls, automatic updates and antivirus software are present and turned on.
The IT job market may still be soft, but demand for Linux skills is strong, according to an article in the News & Observer. Since the News & Observer and Red Hat are both based in North Carolina's Research Triangle, it's possible their local outlook on Linux is a little more rosey than the nation's at large. For isntance, the first out-of-work tech pro interviewed in the piece got an expectedly quick job offer from ... Red Hat.
But the piece goes on to cite other unemployed professionals who found non-Linux-vendor jobs in part because of their Linux skills. Increasing use of Linux at corporations, schools and government agencies "is good news for technology workers familiar with Linux," according to N&O staff writer Vicki Lee Parker.
If you haven't had enough of the "Is Linux ready for the desktop?" debate, Business Week's Stephen H. Wildstrom has yet another look, concluding: "While Linux isn't for everyone, it has come a long, long way." Who knew?
Seriously, though, Wildstrom does examine some issues that would be of interest to enterprise users, such as making Linux work with Exchange, as well as the much-discussed matter of office application suites (StarOffice "doesn't have all the bells and whistles of Microsoft Office, but it's more than good enough for most users," he decides). Linux isn't quite there yet, according to Wildstrom, but it won't take much to become a serious desktop player.
Trusted Solaris will continue as a separate OS and not be merged into Sun's mainstream OS, Computerwire reports from the RSA conference. Nevertheless, some key Trusted Solaris technologies are moving to just-plain Solaris, and new Trusted versions will be announced around the same time as Solaris updates.
iSEC says it's found another "critical" security hole in the Linux kernel, which would allow a local user to obtain "full super-user privileges," according to Paul Starzetz at iSEC. Kernel versions 2.2 to 2.2.25, 2.4 to 2.4.24 and 2.6 to 2.6.2 are affected.
Kernel patch information is available at kernel.org. Several vendors, including Red Hat, have already released patches for the problem.
The flaw involves memory management within Linux's mremap(2) system call. Another, unrelated mremap bug was found last month.
Microsoft is offering a free Windows CD with all "critical updates released through October 2003" as well as antivirus and firewall trial software (see story). The CD is for Windows XP, Me, 2000, 98 and 98 SE. For more details, head to www.microsoft.com/security/protect/cd/order.asp.
The U.K.-based security firm mi2g claims "the world's safest and most secure online operating system[s]" are BSD Unix and Darwin-based Mac OS X. The company's January study concludes: "Linux has become the most breached online server OS in the government and non-government spheres for the first time, while the number of successful hacker attacks against Microsoft Windows based servers have fallen consistently for the last ten months."
According to mi2g, 80% of all successful online server attacks were on Linux, with only 12% Windows; in government, 57% of attacks were on Linux boxes and 35% Windows.
But there are a couple of important pieces missing here. What are the respective market shares? And are reported breaches likely to reflect overall breaches?
Without knowing how many overall servers are running each OS, it's tough to put these numbers in context. To take an extreme case, if three-quarters of government servers were running Linux, the fact that 57% of successful attacks were on Linux would reflect well on the OS. If only one-third of all government servers are Linux boxes, this is a huge problem.
mi2g says January's numbers are "in stark contrast to the situation six months ago, when in August 2003 Microsoft Windows (51%) was significantly
higher in terms of recorded government server breaches in comparison to Linux (14%)." The security firm blames "the swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications."
The unanswered question: Has the increase in successful Linux attacks exceeded, kept pace with or fallen below Linux's market share?