HP Indemnifies Linux Customers
On October 1, 2003, Hewlett-Packard began indemnifying its Linux customers against any future action from the SCO Group. This means that if your company has obtained and loaded Linux from HP, the manufacturer will shield your organization from any threatened legal action from SCO.
As you may recall, SCO filed a $1 billion lawsuit against IBM for "stealing" code from UNIX and then said it would go after customers who had bought Linux as well. Since that time, the SCO lawsuit has risen to $3 billion, IBM has countersued, and SCO has created a $699 license that Linux customers can purchase. (Recent reports indicated that only one Linux customer has purchased this license.) This created a silent panic in the customer movement toward the Linux operating system: Would SCO come after them too?
The SCO-IBM suit will take years to resolve in the courts, the eventual winner is unclear, and the customer FUD factor surrounding Linux has been substantially bolstered--and funded--by Microsoft's support of SCO's action through its own purchase of a license for UNIX technology that it has never pursued.
Now, this HP announcement clears a path through this legal car wreck so that companies that want to make the move toward Linux can do so without recklessly endangering their own organizations by opening them to legal repercussions.
HP will offer full legal indemnification to customers buying Linux on HP hardware with a standard support package after they sign an addendum to their sales contract. Under the contract, no modifications to the source code can be made, but desired changes can be discussed with HP on a case-by-case basis.
Industry analysts are also predicting that IBM will soon follow HP's lead, also indemnifying its own Linux customer base. By offering this protection, IT can get on with their management's directives to get beyond the Microsoft Windows server environment--with its high maintenance licensing fees, maintenance contracts, and questionable safety record.
IBM Ups the Stakes in SCO Countersuit
Meanwhile, IBM has gone back to court to amend its countersuit against SCO Group. Last August, IBM filed its initial legal action against SCO, claiming that SCO had violated the GNU General Public License (GPL) that governs Linux and had infringed upon a number of IBM software patents. The lawsuit asserts that SCO's rights to distribute Linux had been terminated but that the company continued to sell Linux for some period. IBM's new amendment to its countersuit adds the charge of copyright infringement.
IBM is also asking the court to rule on whether SCO has the right to seek the $699 per-processor licensing fee that SCO now demands of Linux users. According to IBM's legal brief, "SCO has no right to assert...proprietary rights over programs that SCO distributed under the GPL." Last month, SCO began threatening to send out invoices directly to the largest Linux customers, demanding payment on the license fee. This legal move by IBM is an attempt to get a quick ruling to prevent a kind of extortion from impacting IBM's customer base.
"Microsoft Windows" Safety Report?
Meanwhile, a report studying the impact of operating system "monoculture" has become cannon fodder in the battle between Microsoft supporters and detractors. The report, entitled "CyberInSecurity: The Cost of Monopoly" and subtitled "How the Dominance of Microsoft's Products Pose a Risk to Security," was crafted by seven independent IT security researchers and released through the highly partisan Computer and Communications Industry Association (CCIA).
The report's primary contention is that, in a global environment, the dominance of any single vendor's product group makes those products natural targets for hackers. Microsoft's monopoly stature--controlling over 95% of desktops with its proprietary Windows and Office products--predisposes its products to attack simply because their presence is so pervasive.
A quote from the report reads: "Because Microsoft's near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow. The goal must be to break the monoculture. Efforts by Microsoft to improve security will fail if their side effect is to increase user-level lock-in."
The report goes on to detail how Microsoft's market strategies and proprietary hold on its products actually prevent progress from being made in securing them, and it calls for governments to take action through internal procurement policies that will break up the government's reliance upon any single system.
Interestingly enough, this is exactly the same message that IBM has been promoting in its e-Government initiatives, but with a slightly different spin.
IBM's position is that governments need to follow open standards for interoperability between agencies across government and should consider the use of open-source technologies to provide the most cohesive applications from a diverse group of operating system and application vendors. Of course, at the top of that list is IBM's own product, supported by the IBM cross-platform Linux implementation.
According to the CCIA-released study, "The threats to international security posed by Windows are significant and must be addressed quickly." The report then discusses the problem in principle, Microsoft and its actions in relation to those principles, and the social and economic implications for risk management and policy.
The risk to the report's own authors, however, was evidently not managed. One of them, @stake CTO Daniel Geer, was immediately fired by his company upon the report's publication.
@stake is a national consulting company that specializes in providing security solutions and consultations to large, multinational corporations and evidently doesn't want to be associated with any anti-Microsoft movement, no matter what.
@stake's official perspective about the cyber-threat posed by hackers and worms is considerably more Microsoft-neutral than Daniel Geer's. In fact, the company's recent September 10, 2003 testimony before the US Congressional hearings entitled "Worm and Virus Defense: How Can We Protect the Nation's Computers from These Threats?" only mentions Microsoft three times and only in passing.
This strikes this reporter as being somewhat odd. Why? Because the hearings were called in response to the specific attacks on Microsoft products by the worms Blaster.D and Sobig.F! Instead of addressing Microsoft's specific vulnerabilities, @stake's testimony focuses upon how the rogue programs penetrate systems, seeming to ignore the possibility that the underlying security architecture of the operating system may be at fault.
Indeed, Blaster.D and Sobig.F specifically targeted Microsoft systems because of their documented vulnerabilities and Microsoft's inability to provide a plausible security response.
Yet, in light of the circumstances, @stake's testimony at the hearings made perfect sense: The majority of @stake's clientele are companies that have hired it to secure the Microsoft products they have installed. No CEO in his right mind would diss the goose that laid the golden egg, and @stake's subsequent firing of the author of a report criticizing Microsoft--one that contradicts the company's official US Congressional testimony--was probably a foregone conclusion.
As the Worm Turns
Meanwhile, the speculation about who released Sobig.F and Blaster.D and why continues to revolve around professional spam artists. As reported here last month, FBI and Department of Homeland Security officials now believe these rogue programs are part of an international effort to build a spam network composed of household and company computers, controlled anonymously by hackers who would sell access to the network to the highest bidder. By implanting worms into these machines, spammers could buy bandwidth from these hackers to send out their messages. By doing this, they can still remain hidden to network officials and police.
The implications of such a threat--based upon Microsoft's contentious vulnerabilities and its unparalleled dominance on desktops--are exactly what the CCIA report is talking about.
Anti-Spammer Blacklist Purveyors Throw in the Towel
One community response to spam has been an informal network of email "blacklists" that identified the SMTP open relays through which spammers sent their missives. Internet administrators could subscribe to these lists, obtain the IP addresses of known spamming computers, and then filter out any communications those addresses sent to their servers.
Unfortunately, some of these anti-spam, blacklist Web sites--along with their owners--have paid the ultimate Internet price: Distributed Denial of Service (DDoS) attacks. According to these owners, spammers shut them down so hard that their actual businesses were threatened. And last week, after fighting unsolicited commercial email for years, two of these online anti-spam businesses threw in the towel.
Ron Guilmette, owner of independent software company Monkeys.com, and Joe Jared, owner of foot orthopedics design business Orisoft.com, had their anti-spam, blacklist Web sites shut down by hackers who ravaged their online businesses with DDoS and other attacks. A third blacklist provider, Compu-Net Enterprises, also ended public distribution of its blacklist because of similar fears.
In an open email posting on an email abuse online bulletin board, Guilmette announced his "unconditional surrender" so that spammers would stop the attacks.
"I am deeply sorry that I have to withdraw from this fight, but at this point I clearly have no choice," he wrote. "I will simply not be allowed to continue fighting spam. I don't have either the bandwidth or the level of interest among either big network providers or law enforcement authorities that is clearly necessary in order to fight this kind of concentrated onslaught from thousands of separate zombie machines at a time. I would be the first to say that it is a damn shame that the bad guys have won yet another round, but there really isn't a damn thing that I can do about it."
According to Guilmette, his focus on anti-spam efforts in recent months attracted the wrath of the spammers. By working with Internet service providers around the world, he and his colleagues constructed an "open proxy honeypot network." These proxies used automated logging software to see where spammers were hijacking access on insecure servers to send out spam. The honeypot collected the IP addresses of the spammers, and he and others then used those addresses to get the Internet's largest spammers kicked off the network by their own service providers.
In response, spammers seem to have rallied to place Guilmette's own Internet connection under a DDoS. Guilmette attempted to fight back and get his service under control, but after the last attack, he said, "I'm done fighting spam. I didn't decide this. The spammers have done this for me. I can't do this work if I can't connect to the Internet."
Meanwhile, analysts from a number of companies that track the progress against spammers called the shutdowns "a massive blow to the movement." According to these analysts, FBI and other officials are still failing to take these kinds of attacks seriously, and businesses are at risk if they become the targets of the spam industry's wrath.
With the Internet becoming the feeding ground for this kind of underworld activity--and with insecure software remaining the status quo--the entire e-business model seems increasingly problematic.
Microsoft Settles California Class-Action Suit
Perhaps or perhaps not! But if recent events are any measure of the stakes involved for the company, we're seeing Microsoft's financial vulnerabilities beginning to show.
For instance, if you or your company purchased Microsoft products in California between February 18, 1995, and December 15, 2001, you're entitled to participate in the class-action settlement that Microsoft signed last June with the State of California. Microsoft has agreed to pay up to $1.8 billion in vouchers to individuals and businesses. These vouchers can be used to purchase desktop computers, laptops, tablet computers, printers, scanners, monitors, keyboards, printing devices, and software made by any manufacturer.
The settlement was reached last June as a direct result of the anti-monopoly legal actions taken by the US Department of Justice and the California DOJ in response to Microsoft's anti-competitive marketing and bundling schemes.
Individuals and companies that purchased specific Microsoft products within the State of California--individually or in volume--between the specified dates can claim the following:
- $16 for each Microsoft Windows or MS-DOS license
- $29 for each Microsoft Office license
- $5 for each Microsoft Word, Home Essentials, or Works Suite license
- $26 for each Microsoft Excel license
For home users who kept their desktops up-to-date during the five years specified, this is like a Microsoft tax refund.
For companies that performed roll-outs of new products as they were released during that time, the monetary value of the vouchers quickly becomes significant.
If you are a California home computer user and are claiming up to five product licenses, you don't need to have the product license key. More than five product claims require you to provide either product key numbers for the CDs or documentation of purchase.
More information about this California settlement--including FAQs, claim forms, and the complete terms of the settlement--is available at the special Microsoft California Settlement Web site.
The point is that Microsoft can be held liable, and the legal and financial consequences are not trivial to the company. If the corporation should be found liable in a "product defect" lawsuit related to its security flaws, this current class action settlement of $1.8 billion would seem like peanuts, and the overall impact to both the company and the desktop computing and e-business communities could be devastating.
In this light, the SCO-IBM lawsuit, the HP indemnifications, the virus and spam efforts of the underworld, and the reluctance of the political and legal officials to take action bode ill for the future of our profession as a whole. Where would we go? How would we manage? What would be the future of e-business and the Internet?
Your guess is as good as mine.
Thomas M. Stockwell is Editor in Chief of MC Press, LP.