Industry Notes from the Underground

Commentary
HP Indemnifies Linux Customers

On October 1, 2003, Hewlett-Packard began indemnifying its Linux customers against any future action from the SCO Group. This means that if your company has obtained and loaded Linux from HP, the manufacturer will shield your organization from any threatened legal action from SCO.

As you may recall, SCO filed a $1 billion lawsuit against IBM for "stealing" code from UNIX and then said it would go after customers who had bought Linux as well. Since that time, the SCO lawsuit has risen to $3 billion, IBM has countersued, and SCO has created a $699 license that Linux customers can purchase. (Recent reports indicated that only one Linux customer has purchased this license.) This created a silent panic in the customer movement toward the Linux operating system: Would SCO come after them too?

The SCO-IBM suit is going to take years to iron out in the courts, who the winner will be is unclear, and customer FUD factor for Linux has been substantially bolstered--and funded--by Microsoft's support of SCO's action through its own purchase of a license agreement for UNIX technology that it has never pursued.

Now, this HP announcement clears a path through this legal car wreck so that companies that want to make the move toward Linux can do so without recklessly endangering their own organizations by opening them to legal repercussions.

HP will offer full legal indemnification to customers buying Linux on HP hardware with a standard support package after they sign an addendum to their sales contract. Under the contract, no modifications to the source code can be made, but desired changes can be discussed with HP on a case-by-case basis.

Industry analysts are also predicting that IBM will soon follow HP's lead, also indemnifying its own Linux customer base. By offering this protection, IT can get on with their management's directives to get beyond the Microsoft Windows server environment--with its high maintenance licensing fees, maintenance contracts, and questionable safety record.

IBM Ups the Stakes in SCO Countersuit

Meanwhile, IBM has gone back to court to amend its countersuit against SCO Group. Last August, IBM filed its initial legal action against SCO, claiming that SCO had violated the GNU General Public License (GPL) that governs Linux and had infringed upon a number of IBM software patents. The lawsuit asserts that SCO's right to distribute Linux had been terminated but that the company continued to sell Linux for some period. IBM's new amendment to its countersuit adds the charge of copyright infringement.

IBM is also asking the court to rule on whether SCO has the right to seek the $699 per-processor licensing fee that SCO now demands of Linux users. According to IBM's legal brief, "SCO has no right to assert...proprietary rights over programs that SCO distributed under the GPL." Last month, SCO began threatening to send out invoices directly to the largest Linux customers, demanding payment on the license fee. This legal move by IBM is an attempt to get a quick ruling to prevent a kind of extortion from impacting IBM's customer base.

"Microsoft Windows" Safety Report?

Meanwhile, a report studying the impact of operating system "monoculture" has become cannon fodder in the battle between Microsoft supporters and detractors. The report, entitled "CyberInSecurity: The Cost of Monopoly" and subtitled "How the Dominance of Microsoft's Products Pose a Risk to Security," was written by seven independent IT security researchers and released through the highly partisan Computer and Communications Industry Association (CCIA).

The report's primary contention is that, in a global environment, the dominance of any single vendor's product group makes those products natural targets for hackers. Microsoft's monopoly stature--controlling over 95% of desktops with its proprietary Windows and Office products--predisposes its products to attack simply because their presence is so pervasive.

A quote from the report reads: "Because Microsoft's near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow. The goal must be to break the monoculture. Efforts by Microsoft to improve security will fail if their side effect is to increase user-level lock-in."

The report goes on to detail how Microsoft's market strategies and proprietary hold on its products actually prevent progress from being made to secure them, and it calls for governments to take action with internal procurement policies that will break up the government's reliance upon any single system.

Interestingly enough, this is exactly the same message that IBM has been promoting in its e-Government initiatives, but with a slightly different spin.

IBM's position is that governments need to follow open standards for interoperability between agencies across government and should consider the use of open-source technologies to provide the most cohesive applications from a diverse group of operating system and application vendors. Of course, at the top of that list is IBM's own product, supported by the IBM cross-platform Linux implementation.

According to the CCIA-released study, "The threats to international security posed by Windows are significant and must be addressed quickly." The report then discusses the problem in principle, Microsoft and its actions in relation to those principles, and the social and economic implications for risk management and policy.

The risk to the report's own authors, however, was evidently not considered. One of them, @stake CTO Daniel Geer, was immediately fired by his company upon the report's publication.

@stake is a national consulting company that specializes in providing security solutions and consultations to large, multinational corporations and evidently doesn't want to be associated with any anti-Microsoft movement, no matter what.

@stake's official perspective about the cyber-threat posed by hackers and worms is considerably more Microsoft-neutral than Daniel Geer's. In fact, the company's recent September 10, 2003 testimony before the US Congressional hearings entitled "Worm and Virus Defense: How Can We Protect the Nation's Computers from These Threats?" only mentions Microsoft three times and only in passing.

This strikes this reporter as being somewhat odd. Why? Because the hearings were called in response to the specific attacks on Microsoft products by the worms Blaster.D and Sobig.F! Instead of addressing Microsoft's specific vulnerabilities, @stake's testimony focuses upon how the rogue programs penetrate systems, seeming to ignore the possibility that the underlying security architecture of the operating system may be at fault.

Indeed, Blaster.D and Sobig.F specifically targeted Microsoft systems because of their documented vulnerabilities and Microsoft's inability to provide a plausible security response.

Yet, in light of circumstances, @stake's testimony at the hearings made perfect sense: The majority of @stake's clientele are companies that have hired it to secure the Microsoft products they have installed. No CEO in his right mind would diss the goose that laid the golden egg, and @stake's subsequent firing of the author of a report criticizing Microsoft--and one that contradicts its official US Congressional testimony--was probably a foregone conclusion.

As the Worm Turns

Meanwhile, the speculation about who released Sobig.F and Blaster.D and why continues to revolve around professional spam artists. As reported here last month, FBI and Department of Homeland Security officials now believe these rogue programs are part of an international effort to build a spam network composed of household and company computers, controlled anonymously by hackers who would sell access to the network to the highest bidder. By implanting worms into these machines, spammers could buy bandwidth from these hackers to send out their messages. By doing this, they can still remain hidden to network officials and police.

The implications of such a threat--based upon Microsoft's contentious vulnerabilities and its unparalleled dominance on desktops--are exactly what the CCIA report is talking about.

Anti-Spammer Blacklist Purveyors Throw in the Towel

Yet, because officials seem somewhat blind to this specific kind of threat, Internet activists have been trying to take vigilante actions.

One of these actions was an informal network of email "blacklists" that identified the SMTP open relays through which spammers sent their missives. Internet administrators could subscribe to these lists, obtain the IP addresses of known spamming computers, and then filter out any mail those addresses sent to their servers.

Unfortunately, some of these anti-spam, blacklist Web sites--along with their owners--have paid the ultimate Internet price: Distributed Denial of Service (DDoS) attacks. According to these owners, spammers shut them down so hard that their actual businesses were threatened. And last week, after fighting unsolicited commercial email for years, two of these online anti-spam businesses threw in the towel.

Ron Guilmette, owner of independent software company Monkeys.com, and Joe Jared, owner of foot orthopedics design business Orisoft.com, had their anti-spam, blacklist Web sites shut down by hackers who ravaged their online businesses with DDoS and other attacks. A third blacklist provider, Compu-Net Enterprises, also ended public distribution of its blacklist because of similar fears.

In an open email posting on an email abuse online bulletin board, Guilmette announced his "unconditional surrender" so that spammers would stop the attacks.

"I am deeply sorry that I have to withdraw from this fight, but at this point I clearly have no choice," he wrote. "I will simply not be allowed to continue fighting spam. I don't have either the bandwidth or the level of interest among either big network providers or law enforcement authorities that is clearly necessary in order to fight this kind of concentrated onslaught from thousands of separate zombie machines at a time. I would be the first to say that it is a damn shame that the bad guys have won yet another round, but there really isn't a damn thing that I can do about it."

According to Guilmette, his focus on anti-spam efforts in recent months attracted the wrath of the spammers. By working with Internet service providers around the world, he and his colleagues constructed an "open proxy honeypot network." These proxies used automated logging software to see where spammers were hijacking access on insecure servers to send out spam. The honeypot collected the IP addresses of the spammers, and he and others then used those addresses to get the Internet's largest spammers kicked off the network by their own service providers.
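The two mechanisms described in this section, a blacklist that mail servers consult at connection time and an open-proxy honeypot whose logs identify the machines abusing it, fit together in a few dozen lines. The following is an added illustration, not code from Guilmette's network or from any of the blacklist operators named above; the honeypot log format, the `src=` field, the threshold of two relay attempts and the `bl.example` zone name are all constructed for the example. It shows how honeypot connection records are aggregated into a list of relay abusers, how an address is turned into the reversed-octet name a DNS-based blacklist lookup would use, and how a receiving server would apply the resulting list (including a CIDR block) to an inbound SMTP client.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records from an open-proxy honeypot (not real data).
# Each line: timestamp, the source IP that connected to the proxy, and the
# destination host:port the client asked the proxy to CONNECT to.
HONEYPOT_LOG = """\
2003-10-02T03:14:07Z src=198.51.100.23 CONNECT mx.example.net:25
2003-10-02T03:14:09Z src=198.51.100.23 CONNECT mx.example.org:25
2003-10-02T03:15:41Z src=203.0.113.77 CONNECT mail.example.com:25
2003-10-02T03:16:02Z src=198.51.100.23 CONNECT smtp.example.edu:25
2003-10-02T03:20:55Z src=192.0.2.9 CONNECT www.example.com:80
2003-10-02T03:21:13Z src=203.0.113.77 CONNECT mx2.example.com:25
"""

# Log format is an assumption for this example.
LOG_RE = re.compile(
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) CONNECT (?P<dst>\S+):(?P<port>\d+)"
)


def relay_abusers(log_text, min_hits=2):
    """Return, sorted, the source IPs that tried at least min_hits times to
    relay through the honeypot to port 25 (SMTP). Non-SMTP traffic such as
    the port-80 line is ignored so ordinary proxy users are not listed."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("port") == "25":
            hits[m.group("src")] += 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def dnsbl_query_name(ip, zone):
    """Name a mail server would resolve to ask a DNS-based blacklist about ip:
    the octets reversed, followed by the list's zone (zone is hypothetical)."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class Blacklist:
    """A local copy of a blacklist: single addresses and CIDR blocks."""

    def __init__(self, entries):
        # strict=False lets a bare address become a /32 network.
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def accept_smtp_client(ip, blacklist):
    """Connection-time decision of a receiving mail server: refuse listed clients."""
    return not blacklist.contains(ip)


if __name__ == "__main__":
    abusers = relay_abusers(HONEYPOT_LOG)
    print("relay abusers from honeypot:", abusers)
    for ip in abusers:
        print("DNSBL lookup name:", dnsbl_query_name(ip, "bl.example"))
    bl = Blacklist(abusers + ["192.0.2.0/24"])
    for client in ("198.51.100.23", "192.0.2.9", "203.0.113.5"):
        print(client, "accepted" if accept_smtp_client(client, bl) else "refused")
```

The threshold in `relay_abusers` is the part an operator tunes: a single relay attempt may be a misconfigured client, while repeated attempts against several mail exchangers are the pattern the honeypot was built to catch. The CIDR entry shows why operators published whole netblocks when a provider would not act on individual abusers.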

In response, spammers seem to have rallied to place Guilmette's own Internet connection under a DDoS. Guilmette attempted to fight back and get his service under control, but after the last attack, he said, "I'm done fighting spam. I didn't decide this. The spammers have done this for me. I can't do this work if I can't connect to the Internet."

Meanwhile, analysts from a number of companies that track the progress against spammers called the shutdowns "a massive blow to the movement." According to these analysts, FBI and other officials are still failing to take these kinds of attacks seriously, and businesses are at risk if they become the targets of the spam industry's wrath.

With the Internet becoming the feeding ground for this kind of underworld activity--and with insecure software remaining the status quo--the entire e-business model seems increasingly problematic.

Microsoft Settles California Class-Action Suit

Now imagine what would happen if Microsoft were in some way found liable for the security flaws in its products. Could it survive such a legal onslaught? Could it even happen?

Perhaps or perhaps not! But if recent events are any measure of the stakes involved for the company, we're seeing Microsoft's financial vulnerabilities beginning to show.

For instance, if you or your company purchased Microsoft products in California between February 18, 1995, and December 15, 2001, you're entitled to participate in the class-action settlement that Microsoft signed last June with the State of California. Microsoft has agreed to pay up to $1.8 billion in vouchers to individuals and businesses. These vouchers can be used to purchase desktop computers, laptops, tablet computers, printers, scanners, monitors, keyboards, printing devices, and software made by any manufacturer.

The settlement was reached last June as a direct result of the anti-monopoly legal actions taken by the US Department of Justice and the California DOJ in response to Microsoft's anti-competitive marketing and bundling schemes.

Individuals and companies that purchased specific Microsoft products within the State of California--individually or in volume--between the specified dates can claim the following:

  • $16 for each Microsoft Windows or MS-DOS license
  • $29 for each Microsoft Office license
  • $5 for each Microsoft Word, Home Essentials, or Works Suite license
  • $26 for each Microsoft Excel license

For home users who kept their desktops up-to-date during the five years specified, this is like a Microsoft tax refund.

For companies that performed roll-outs of new products as they were released during that time, the monetary value of the vouchers quickly becomes significant.

If you are a California home computer user and are claiming up to five product licenses, you don't need to have the product license key. More than five product claims require you to provide either product key numbers for the CDs or documentation of purchase.

More information about this California settlement--including FAQs, claim forms, and the complete terms of the settlement--is available at the special Microsoft California Settlement Web site.

The point is that Microsoft can be held liable, and the legal and financial consequences are not trivial to the company. If the corporation should be found liable in a "product defect" lawsuit related to its security flaws, this current class action settlement of $1.8 billion would seem like peanuts, and the overall impact to both the company and the desktop computing and e-business communities could be devastating.

In this light, the SCO-IBM lawsuit, the HP indemnifications, the virus and spam efforts of the underworld, and the reluctance of the political and legal officials to take action bode ill for the future of our profession as a whole. Where would we go? How would we manage? What would be the future of e-business and the Internet?

Your guess is as good as mine.

Thomas M. Stockwell is Editor in Chief of MC Press, LP.
