Copyright 2004-2005, Dr. Nikolai Bezroukov. This is a copyrighted unpublished manuscript. All rights reserved.
The level of security achievable in Linux is compared with Solaris, and the problems of integrating Linux into existing enterprise infrastructure are outlined. The author argues that adding another OS to a large enterprise mix is a costly decision with negative side effects on security, independently of which OS is being added, and that those side effects should not be taken lightly. That means Solaris 10 has significantly narrowed the window of opportunity for Linux to penetrate large corporate environments.
The savings and security benefits of moving to the EM64T architecture should be clearly distinguished and evaluated separately from the savings and benefits of moving to Linux as a new OS.
The key finding is that diminishing (or at least not increasing) the diversity of operating system environments is a key prerequisite for the security of Unix infrastructure at the large enterprise level, and that this consideration should guide Linux deployment in such environments.
We judge this goal to be more important for the general level of security in the corporation than the individual qualities of Linux in the security space (or its faults in the same space). It also strongly affects potential savings.
We suggest that the following main points support this key finding:
Typical Linux security problems are bigger than those of Solaris and AIX along all major dimensions of enterprise security. The key issues include, but are not limited to, the number of vulnerabilities, the complexity and frequency of patching, hardening procedures, and the quality and stability of the major subsystems. The comparative security matrix presented in the paper provides additional insight into Linux security and suggests that it stands somewhere between the leading commercial Unixes and Windows 2003 Server. The main conclusion is that currently Solaris 9 leads Linux in security (and Solaris 10 zones and AIX 5.3 partitions promise additional significant improvements unachievable in the Linux space), while Windows 2003 Server and Linux have generally similar levels of security, with Linux having some advantages in certain areas and Windows 2003 Server in others. In no way can Linux be considered significantly more secure than Windows 2003 in a heterogeneous enterprise environment. We judge this to be an urban myth.
At the same time we judge that there is a noticeable weakness in the level of security of current versions of Linux in comparison with both Solaris 10 and AIX 5.3, and that upgrading existing servers to those versions (with the appropriate consolidation effort made possible by the virtualization capabilities of those OSes) might be a more suitable path to improving enterprise security than introducing an additional OS.
We suggest that in a large enterprise environment a successful Linux deployment requires "sacrificing" at least one existing enterprise Unix flavor. This requirement is the most important prerequisite for a secure large-scale enterprise Linux deployment. There is a saying that any enterprise using more than two flavors of Unix is using too many. The valid consideration behind it is that system administrators outside a select class of super-administrators are generally unable to master more than two flavors of Unix to the level sufficient for maintaining an adequate level of security. The differences are just too subtle and too numerous to comprehend. Moreover, a regular Unix administrator simply cannot become proficient in more than two flavors of Unix at the level necessary for adequate administration (this can be measured by the number of people who hold more than two system administrator certifications: two are more or less common, three are very rare). This "too many Unixes on the floor" factor alone can lead to a significant deterioration of the general level of enterprise security after the introduction of Linux. We note that Linux deployment is further complicated by Linux's internal fragmentation: there are two competing enterprise distributions (Red Hat and SUSE), and there is a risk, which high-level management should properly understand, that the introduction of a first flavor will eventually lead to the introduction of another due to application requirements or preferences.
All in all, in the security space large enterprises can get additional benefits from the deployment of Linux if and only if such a deployment is strategically aligned with the goal of diminishing operating system platform diversity. Adding Linux to the enterprise Unix mix decreases the existing level of security due to the additional complexity of maintaining another flavor of Unix (often two additional flavors: Red Hat and SUSE) with the existing staff of system administrators.
Protecting IT infrastructure is a very challenging task in a culture where easy access to information prevails over security concerns. The key problem is that the need of an efficient enterprise to provide relatively unfettered access to data, combined with the highly decentralized nature of operations, is inseparable from the potential for serious security breaches. Maintaining and, especially, improving the IT security of a large enterprise is a huge challenge, and the introduction of new OSes like Linux is only one relatively minor problem among many others.
Still, introducing Linux as an additional OS into the enterprise OS mix is a problem that, if not addressed properly, can lead to a deterioration of the existing level of security. We assess the following critical issues in the executive evaluation of the security problems related to the introduction of Linux-based servers into a large enterprise IT environment:
For example, if the Solaris development team needs to make a change (for example, to introduce ACLs), they can push that change through the whole system, all the way down to the utilities. That means Solaris can react to new technical possibilities more quickly, as was recently shown with the introduction of zones in Solaris 10. If something is designed wrong and the proper fix depends on changes outside the kernel, the Solaris team can still fix it by changing all the required pieces in the right places. They do not need clever kernel hacks in the wrong place to fix a problem that should be fixed in a more complete manner.
The quality (and security) of several major components of Solaris (NFS is the most visible example) is far above anything in the Linux space.
Solaris is better documented. The most important difference is in the quality of man pages: in Solaris everything has man pages, including the kernel functions. Linux instead depends on FAQs, HOWTOs, and sparse documentation that comes in many different formats.
Linux virtual machine components are still immature and far behind such OSes as Solaris 10 (Solaris 10 zones are a very elegant implementation of the concept of a lightweight VM, a concept that originated in FreeBSD jails) and, especially, AIX 5.3 (which, before Solaris 10, was along with FreeBSD a leader in the Unix virtualization race; AIX virtualization facilities are not lightweight but a full-blown VM, and as such are not available on EM64T hardware).
This weakness can be partially compensated for by deploying Linux under a third-party VM environment, for example the one provided by VMware. Still, creating multiple instances of Linux under VMware increases complexity in comparison with using a single OS. Essentially, VMware in this case represents another addition to the corporate OS mix. Moreover, VMware licensing and support costs largely eliminate the cost advantages of switching to Linux. While using Linux under VMware is an attractive option for consolidating low-load "one application" servers, here Solaris 10 zones represent a more competitive solution.
Network infrastructure and server complexity in large enterprises have increased so significantly that they have become a constraint on how flexible a business can be. Server consolidation based on the virtual machine concept is a necessity that no large enterprise can avoid. This movement has already started in the AIX and Windows spaces (sometimes under VMware, which in this case can be reused for Linux virtualization), and it will definitely accelerate in the future. Currently Linux is the weakest Unix platform for virtualization and needs additional components (VMware) to be viable in this space.
Usage of EM64T technology (Intel's name for the 64-bit extensions to the x86 instruction set that AMD pioneered as AMD64 and Intel later adopted) somewhat diminishes the security risk from mass exploits and provides a better price/performance ratio than the traditional 32-bit Intel x86 architecture. The EM64T MMU can mark a memory page as non-executable (the NX bit), so on EM64T Solaris can disable execution from the stack, as it already does on UltraSPARC. That stops a significant percentage of stack-overflow attacks, namely those that rely on executing shellcode injected onto the stack; it does not by itself stop attacks that reuse existing code, such as return-into-libc, and it does not fix the underlying overflow. Therefore the usage of EM64T should be considered an important security requirement for all future projects that involve mid-range Intel-based servers. The traditional 32-bit Intel x86 architecture, being the most popular computer platform on the globe, significantly increases the chance that a particular vulnerability will be hit with an exploit before patching. It also does not scale well, and this fact alone prevents enterprises from making significant cost savings on midrange servers.
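The non-executable stack described above protects a process only if the binary does not ask for an executable stack. On Linux that request is carried in the PT_GNU_STACK program header of the ELF file; on Solaris the equivalent policy is set system-wide with "set noexec_user_stack=1" in /etc/system. The following C program is an added example (not code from the manuscript): it parses an ELF64 image and reports whether the stack would be mapped executable. It assumes a little-endian host such as x86-64 (EM64T) and the standard ELF64 header layout; the sample images are constructed in memory, so nothing is read from disk.

```c
/* Added example, not code from the manuscript: classify an ELF64 image by its
 * PT_GNU_STACK program header, which the Linux kernel and ld.so consult to decide
 * whether the process stack is mapped executable (and so whether the NX bit
 * discussed above protects the stack at all). Sample images are constructed in
 * memory, nothing is read from disk. Assumes a little-endian host such as
 * x86-64 (EM64T): header fields are copied without byte swapping. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELFCLASS64   2
#define ELFDATA2LSB  1
#define PT_LOAD      1u
#define PT_GNU_STACK 0x6474e551u   /* program header type "GNU_STACK" */
#define PF_X 1u
#define PF_W 2u
#define PF_R 4u

/* Local copies of the ELF64 header layouts (64 and 56 bytes, no padding on the
 * usual ABIs) so the example does not depend on <elf.h>. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;  uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;  uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_ehdr;
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} elf64_phdr;

enum stack_status {
    STACK_BAD_ELF = -1,    /* not a little-endian ELF64 image, truncated or hostile */
    STACK_NX = 0,          /* PT_GNU_STACK present without PF_X: non-executable stack */
    STACK_EXEC = 1,        /* PT_GNU_STACK present with PF_X: executable stack requested */
    STACK_UNSPECIFIED = 2  /* no PT_GNU_STACK: kernel default (historically executable) */
};

int elf64_stack_status(const unsigned char *buf, size_t len)
{
    elf64_ehdr eh;
    if (buf == NULL || len < sizeof eh) return STACK_BAD_ELF;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 ||
        eh.e_ident[4] != ELFCLASS64 || eh.e_ident[5] != ELFDATA2LSB)
        return STACK_BAD_ELF;
    if ((size_t)eh.e_phentsize != sizeof(elf64_phdr)) return STACK_BAD_ELF;
    /* Bounds-check the program header table before walking it, so a truncated
     * or hostile file cannot make us read past the end of the buffer. */
    if (eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(elf64_phdr) > len - eh.e_phoff)
        return STACK_BAD_ELF;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        elf64_phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_UNSPECIFIED;
}

/* Build a constructed ELF64 image: one PT_LOAD header plus, optionally, a
 * PT_GNU_STACK header carrying stack_flags. Returns the image size (0 if cap is too small). */
size_t build_sample_elf(unsigned char *out, size_t cap, int with_gnu_stack, uint32_t stack_flags)
{
    elf64_ehdr eh;
    elf64_phdr ph[2];
    size_t need;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = ELFCLASS64; eh.e_ident[5] = ELFDATA2LSB; eh.e_ident[6] = 1; /* EV_CURRENT */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;   /* ET_EXEC, EM_X86_64 */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof ph[0];
    eh.e_phnum = with_gnu_stack ? 2 : 1;
    ph[0].p_type = PT_LOAD;      ph[0].p_flags = PF_R | PF_X; ph[0].p_align = 0x1000;
    ph[1].p_type = PT_GNU_STACK; ph[1].p_flags = stack_flags; ph[1].p_align = 16;
    need = sizeof eh + (size_t)eh.e_phnum * sizeof ph[0];
    if (cap < need) return 0;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, need - sizeof eh);
    return need;
}

/* Build a sample, optionally truncate it to truncate_to bytes, and classify it. */
int classify_sample(int with_gnu_stack, uint32_t stack_flags, size_t truncate_to)
{
    unsigned char img[256];
    size_t n = build_sample_elf(img, sizeof img, with_gnu_stack, stack_flags);
    if (n == 0) return STACK_BAD_ELF;
    if (truncate_to != 0 && truncate_to < n) n = truncate_to;
    return elf64_stack_status(img, n);
}

int main(void)
{
    static const char *names[] = { "non-executable", "executable", "unspecified (kernel default)" };
    printf("GNU_STACK RW  -> stack %s\n", names[classify_sample(1, PF_R | PF_W, 0)]);
    printf("GNU_STACK RWE -> stack %s\n", names[classify_sample(1, PF_R | PF_W | PF_X, 0)]);
    printf("no GNU_STACK  -> stack %s\n", names[classify_sample(0, 0, 0)]);
    printf("truncated     -> %s\n", classify_sample(1, PF_R | PF_W, 100) == STACK_BAD_ELF ? "rejected" : "accepted");
    return 0;
}
```

The same information for a real binary is what "readelf -lW /path/to/binary" prints in its GNU_STACK line: a flags column of RWE means the program has waived the protection and the NX bit will not stop shellcode on its stack. A binary that lacks PT_GNU_STACK altogether was produced by an old toolchain and should be treated as executable-stack until rebuilt.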
Linux's growing popularity is attracting unwanted attention from virus writers, script kiddies and criminal elements. In response, Linux advocates are putting a new emphasis on security measures and working to reassure large enterprises that the OS is secure enough for important enterprise applications. Still, in 2003-2004 there was a lot of change in the attractiveness of Linux from the security standpoint due to its now established status as a favorite target for hackers/crackers, second only to Windows. Chad Dougherty, an Internet security analyst at the CERT Coordination Center, which tracks OS vulnerabilities, stated that "If you look over time, there has been a consistent level of vulnerabilities." Several remotely exploitable problems in the Linux kernel and major Linux applications are reported each year. Moreover, some of the major application vulnerabilities are exploitable only on Linux, as they depend on kernel and/or compiler properties. For 2004 there were several reported kernel problems [Davis2004a, Davis2004b, Davis2004c, Davis2004d, Davis2004e]. In late 2003 there were several high-profile breaches. The GNU project's CVS repository savannah.gnu.org was compromised in early November 2003. The compromise was discovered on December 1, 2003, and Savannah was back online on December 23, 2003. The last "known good" backup was dated September 16. As a result, many patches for projects maintained on Savannah (for example mc) were lost [LWN2003]. Next, the Debian Project had to take its servers down to clean up after a remote compromise [Debian2003]. Then a server at the Gentoo project was compromised [Slashdot2003].
From both security and cost/performance standpoints, Solaris on Intel remains the major competitor to Linux on Intel-compatible hardware. Just having a different ABI from Linux (both use ELF executables, but system call numbers and conventions, libc and the linker layout differ, so neither binaries nor shellcode are interchangeable) and using a different compiler for the kernel and other major subsystems makes Solaris more "exploit resistant" than Linux, as this represents an additional "security via obscurity" layer of defense that we should not ignore. Talking about "security via obscurity", we should state that it does provide enterprise customers an important additional layer of defense, the value of which is often underestimated. This layer is thicker on RISC-based platforms like UltraSPARC (with its non-executable stack). On AMD CPUs this layer is thinner, but the EM64T MMU has a no-execute bit, and at least on Solaris that permits blocking the "Linux exploit copycat" style of attacks. Also, in the case of Solaris there is the "question of credibility" issue that dictates the necessity of making an exploit portable to UltraSPARC: in order to preserve or enhance credibility, an exploit writer/porter needs to work simultaneously on two architectures. For a student that means shelling out at least $500 for a decent UltraSPARC box (for example an Ultra 30, rather than one crippled by an IDE controller) or risking being caught abusing an office or university lab server/workstation. Combined with the necessity to learn a different CPU architecture/compiler, this means that the number of people who can write or port an exploit to Solaris is several orders of magnitude less than for Linux or Windows, where nothing prevents you from doing this in the privacy of your home on a regular PC. From my experience as a teacher I would suggest that this protects against ambitious (and often reasonably capable) "exploit seekers" among students by automatically channeling their "vanity fair" zeal toward more popular OSes.
The important consideration here is that Solaris uses a different compiler from Linux. Many exploits are compiler dependent, and the necessity to cover both gcc and Sun Studio 10 significantly complicates the creation of a working exploit. For this reason large enterprises should consider using the Studio 10 compiler for compiling open source applications on Solaris x86 whenever possible or practical (for example, it is definitely recommended for compiling BIND and Sendmail). Note that this raises the cost of writing an exploit; it does not remove the underlying bug, which still has to be patched on Solaris as promptly as on Linux. Obscurity, understood here as using less popular hardware and software platforms with some additional security features, is a viable method of securing any complex operating environment, and staying off the most popular (and most attacked) platforms like Linux and Windows represents a strategic, not tactical, advantage for a large enterprise. This is especially true for open source applications. The vulnerabilities "vanity fair" flourishes mainly in Windows and Linux environments, as for other environments the effort will never produce the PR return that small security companies and individual consultants need. But if open source applications are used, then Solaris can be a direct beneficiary of the "Linux vulnerabilities vanity fair": fixes are available at the same time, but creating exploits that work on Solaris is more difficult and requires knowledge outside the mainstream set of skills. Generally, this compiler-based security is another example that, outside specialized and narrow areas like cryptographic algorithms, "security via obscurity" is an essential part of enhanced security. Actually, even in the cryptographic area the "one time pad", which represents one of the most secure cryptographic methods of encoding information, was used by such a formidable opponent as the KGB, an organization which probably had specialists of the highest caliber in this particular area.
For example, the Red Hat distribution has Tripwire pre-installed. SSH, sudo and xinetd are also pre-installed. Powerful vulnerability scanners (nmap, Nessus, etc.) and an intrusion detection system (Snort) are available with both SUSE and Red Hat at no charge. That means some savings can be realized in the security space by wider usage of Linux-based open source security solutions, especially vulnerability scanners and IDS sensors (Snort).
Most of those open source tools are available for Solaris too and perform as well in the Solaris environment as in Linux. But their availability is lower and most documentation is explicitly
Still, the fact that in March 2003 SCO sued IBM for more than $1 billion, alleging that IBM had contributed proprietary code misappropriated from SCO to Linux, should serve as a warning that litigation is possible against any large enterprise with a considerable Linux deployment. The heart of SCO's argument is its claim to own the copyrights to Unix System V and that parts of that operating system have been illegally built into Linux code. SCO claims it bought the rights to Unix from Novell, which had purchased them from AT&T. The U.S. District Court in Utah ordered that IBM must provide SCO with source code for its AIX and Dynix operating systems. The ruling clears the way for SCO to comb IBM's code for traces of proprietary SCO Unix code. Whether infringing code is found remains to be seen, but the court action should send a note of caution to IT departments everywhere.
In addition, about 1,500 companies that widely deployed Linux received warning letters from SCO. That created fear among businesses of lawsuits related to open source usage. SCO has since sued DaimlerChrysler, AutoZone and Novell.
Copyright infringement suits related to open source could be a serious distraction for large enterprises that widely embraced the technology as a cost-saving measure. For example, Wal-Mart uses Linux in its cash registers and, due to its size, might be a potential target for a lawsuit.
Linux's potential risk of intellectual property infringement litigation and the lack of indemnities and other legal protections extend to open source software in general, especially GPL-based software [Cassim&Overly2005]. That means that while usage of open source tools (often packaged with other Unixes, such as Solaris, in addition to Linux) is generally safe, the usage of GPL-based components in e-commerce and Web applications should be subject to review due to the possible misappropriation of somebody else's intellectual property in such components. If quality alternatives are available, it is recommended that large enterprises select open source products licensed under BSD-derived licenses, the Artistic license or their close derivatives, not GPL-based products.
It is clear that there might be additional costs for a company that does not protect itself from potential litigation related to open source usage. That's why code reviews of commerce and web software developed by outsourcers are recommended above. This is similar to buying insurance or to a Sarbanes-Oxley compliance audit. The problem is that offshore software developers working on web and e-commerce applications routinely borrow pieces of open source code as building blocks. If proprietary code is mixed with GPL code and the software is to be redistributed or sold as a commercial product, a license conflict is possible. The extreme solution would be to explicitly ban GPL components in Web and e-commerce software produced by outsourcers. A more moderate approach would be to use specialized scanning software to hunt for GPL license conflicts. An example of such software is Black Duck. The most important aspect of the problem is that currently large corporations often simply do not know whether GPL components are used in their e-commerce or other web software.
A number of technology analysts have observed that there is a pattern in the adoption of a new technology. First there is slow adoption; then, after a critical mass of early adopters is reached, there is tremendous excitement (the hype phase), followed by disillusionment. Those technologies that survive the disillusionment stage might eventually become popular in their markets and move to the mainstream. The hype period usually starts with some arbitrary "event trigger", where one event or a series of events generates huge publicity, exposing the technology to a wider audience. A "peak of hype" follows, where great things are universally expected. As people learn more about the technology, it starts to struggle to meet the inflated expectations. Inevitably, this leads to disillusionment. For solid technologies the final stage is the "plateau of productivity", when the technology becomes mainstream. Sometimes, as was the case with Java, it ends with a more realistic understanding of the limitations of the new technology and creates a new growing industry. Often a technology can be so hyped that it may never meet expectations, as we saw with object-oriented databases. In this case the disillusionment period means a shrinking number of vendors and movement of the technology off the primary scene.
We judge that open source is currently close to the peak of the "hype phase" and that information about it should be assessed critically. That does not mean open source technology is a fake: it is actually a very useful technology that has already proved its value in the enterprise environment. Still, the expectations currently are extremely, unrealistically high. As Linus Torvalds, the central figure in Linux kernel development, noted, "open source can not cure world hunger." There's a lot of hype surrounding Linux, but the reality behind the myth is that there are numerous issues related to deploying the technology which require considerable expertise and effort. Many people and companies use Linux, but not many are using complex configurations with clustering, failover, etc. You're more likely to see simple "multiple single-server" environments.
The term "open source" is used to refer to three somewhat different phenomena:
Each represents a different aspect of open source, and each will be briefly discussed here, as it is impossible to understand the security of Linux without understanding the broader picture of the open source movement, including the current level of hype. As this is a security paper, we will openly discuss the problems and weak spots of open source. This does not mean closed source software is better; it just means that open source has its own unique set of problems, quite different from the problems of closed source software, which are also many.
The typical model for software acquisition involves the purchase of closed source software solutions from major vendors. Closed source software is any software whose source code is hidden from public view. Under most licenses the user cannot modify the program or redistribute it. Closed source products span the spectrum from server operating systems, application development platforms and office productivity suites to small yet often expensive utilities. Each of these software solutions has an initial investment cost plus maintenance and/or upgrade costs.
Organizations are now starting to embrace open source solutions as a cost-effective alternative to these closed source products. Open source solutions differ from closed source in many ways, cost being only one of them. Open source solutions are typically licensed free of charge, although some companies such as Red Hat, Novell, IBM, Oracle and Hewlett-Packard (HP) sell versions of open source software with related maintenance, so-called commercial open source. The following features distinguish open source licenses [OSI1999]:
Among the multiple open source licenses, the GPL, BSD, X Consortium, and Artistic licenses are all examples of licenses conformant with the Open Source Definition. We will briefly discuss them later. In no way is the GPL the only license for open source products. There are multiple, different (and potentially GPL-incompatible) source licenses for applications (the "open source license hell"). Experience has shown that the license for a product, or its interpretation, can change abruptly (as was the case with MySQL).
The openness of "open source code" is debatable. In most cases the level of openness is exaggerated and is actually the same as for closed source code, which is almost always obtainable under an NDA. The open source model in practice operates more like a shareware model and has very little to do with openness of the source. As such it does cut distribution costs and can provide high quality software. But this advantage has very little to do with open source as such, where "modifiability" of the code base by the end user is the defining principle.
And the shareware model of software development has proved to be a viable one. Think about such shareware products as RAR, TotalCMD, FAR, etc. They beat both the best open source applications and commercial applications in their areas.
But the shareware distribution model has nothing to do with open source.
Actually, in the case of both RHEL and SUSE distributions, source code is more of a marketing trick than a real asset: there is too much of it and it is too poorly documented to be useful. RHEL is essentially a private kernel based on Linux, so here the situation is even more complex. Attempts to use it at the source code level bring a lot of unanticipated trouble. Even recompiling applications can be a non-trivial task.
In this sense only Gentoo is loyal to "open source" as a principle. Both Red Hat and SUSE are to a certain extent deviations.
Moreover, for most large open source components even in the best case you get "assembler code", not high-level code, as there are no credible attempts to document it and simplify modification of the source base by the end user. Moreover, there are deliberate attempts in the opposite direction: attempts to keep the level of code as low and as poorly documented as possible to preserve a competitive advantage. That is an open betrayal of the KISS principle and can be a partial reason why we have all those non-maintainable, monstrous C or C++ distributions and applications. C has become the assembler of the 21st century, so calling a C code base open is a bit of a stretch, as it is open only to those who can spend hundreds of hours digging in it.
The real problem for Linux is how to compete on a TCO basis with products like Windows 2003 and Solaris 10 in the enterprise space. Hobbyists will always gravitate to something that can be downloaded for free, and that means they can remain loyal to Linux despite all the TCO perversions we observe with Linux in the enterprise space. But for enterprises the key issue is cost in the long run, and here Linux faces real problems, as Red Hat is probably the most expensive proposition of the Microsoft, Red Hat and Sun troika.
So cutting bureaucratic red tape is a very nice feature but not enough to positively differentiate open source. And for Red Hat the existing TCO level spells trouble in the near future, when the IBM-inspired marketing fog about the "new Linux system" (which is actually 14 years old) dissipates. More and more articles about the "successes" of enterprise Linux deployments look like plain vanilla marketing hype. See for example "Computing: Linux Cuts Costs for Finance Firm" (LinuxToday, Feb 24, 2005) for a nice example of such a story.
Linux as the major open source software project is different from closed source OSes (and from other open source alternatives like FreeBSD and OpenBSD) in several major aspects:
It should be noted that most large corporations that never started formal deployment of Linux already has some limited exposure. Usually some guerilla installations can be found among IS and research staff.
Linux is licensed under so called GNU General Public License (GPL) version 2. The GPL is a free software license, created by the GNU project in 1985 [Stallman1985] It is also referred to as the GNU GPL and was developed by Richard Stallman, the creator and leader of the GNU project [Stallman1999d]
The purpose of the GPL is to grant the user almost unlimited rights to copy, modify, and redistribute programs (normally prohibited by copyright), and to ensure that those rights are preserved any derivative works [FSF1991]. In contrast, end-user licenses for proprietary software deny those rights, and usually prohibit further redistribution of software and creation of derivative works. The main controversy around GPL is connected with the granting third parties rights to "use, modify, and redistribute the program's code or any program derived from it but only if the distribution terms are unchanged.". The GPL does not allow redistribution of private, close source modifications of the codebase. Any changes must also be distributed under the GPL (viral quality).
Additionally, the GPL does not allow the incorporation of licensed programs into proprietary software or any software licensed under the license that that does not grant the same rights as the GPL. For this reason GPL is often called "the incompatible license". There only one exception: software libraries that are normally distributed with the compiler or operating system may be linked with programs licensed under the GPL.
An alternate form of the GPL, the GNU General Library Public License or LGPL, allows the linking of free software libraries into proprietary executables [FSF1999a] This is a more acceptable license for private companies as this way commercial development can also benefit from free software.
Probably partially due to the anarchistic nature of the license Linux system has become the No.1 platform for hackers of all kind. That created an additional security issues for enterprise customers who deploy Linux, as in this case they need to defending their turf against the opponent who knows the system better, does not need additional resources to create a test systems and does not need to pay money to acquire the knowledge, required to use system including the knowledge of internals. In case of Linux hackers play on the game on their own home turf. We should not absolutize this problem as a mere volume of the code serves as a good deterrent for all, but the most motivated hackers, but still this is a factor to consider as it contributes to "ego-pleasing" stream of vulnerabilities (not only individual hackers but also some small security companies are involved). This stream created a "patching pressure" that significantly (to the level of Microsoft systems) increases the cost of maintenance.
Resent adoption of Linux by big players like IBM slightly increase the level of comfort among bog enterprise customers, but the concerns still remain. Partially due to this reason Linux is considered by security specialists the most vulnerable OS (along with Microsoft Windows) and companies do need exercise some caution in Linux deployment and carefully select the deployment target to maximize benefits and minimize risks of such deployment.
The term "Open Source" was adopted in large part because is sounds more "enterprise friendly" and is promoted by Linux distributors such as Red Hat that sell "commercial open source" as well as because there is a multitude of other free software licenses that are often conflict with each other creating legal problems for users. There are several related terms that the reader needs to understand: free software, public domain software, freeware and shareware.
The term "free software" is often used as an synonym of the anarchistic social ideology of "software liberation", whereas Open Source is a more commercially oriented term. For example, the Free Software Foundation advocates free software as a right, emphasizing the ethical obligations associated with software distribution [Stallman1999a]. Open Source is more commonly used to describe the business case for free software, focusing more on the development process and software quality rather than any underlying moral requirements.
Various free/open source software licenses have been developed and they often conflict with each other. All free/open source licenses disclaim all warranties. The intent is to protect the author from any liability associated with the software. Since the software is provided free of charge, this is a reasonable condition, but that issue becomes more complex for expensive commercial distributions like Red Hat were year licensing fees are compatible with the closed source software fees.
The major open source software licenses include the GPL, LGPL, BSD, and Artistic licenses. The following table compares several common licenses (only the column headers survive in this copy; the rows are missing).
Table 1. Comparison of various free software licensing practices.
License | Can be linked with closed source (proprietary) software | Modifications can be taken private and distributed | Modified version can be distributed under a different license | Contains special privileges for the original copyright holder over your modifications
The GPL is a political manifesto as well as a software license, and much of its text is concerned with explaining the rationale behind the license. This has alienated many developers. For example, Larry Wall, creator of Perl and the Artistic license, says: "the FSF [Free Software Foundation] has religious aspects that I don't care for" [Lash1998]. A less strict version of the GPL is called the LGPL and is often used for libraries.
The X license and the related BSD and Apache licenses are more acceptable to commercial companies. They essentially codify the academic ethic, in the sense that they grant all rights in return for just an honest acknowledgment of the source of the code. The most important difference is that modifications to BSD-licensed software can be made closed, and any BSD-licensed program can be modified and redistributed without including the source or applying the BSD license to the modifications. Other developers have adopted the BSD license, including the developers of the X Window System (X license) and the Apache web server (Apache license).
The Artistic license was originally developed for Perl, but it has since been used for other software. Its terms are more loosely defined in comparison with other licensing agreements, and the license is more commercially oriented. For instance, under certain conditions modifications can be converted into closed source. Furthermore, although sale of the software itself is prohibited, the software can be bundled with other programs, which may or may not be commercial, and sold.
On March 7, 2003, the SCO Group (formerly known as Caldera Systems) filed a $1 billion lawsuit against IBM for allegedly "devaluing" its version of the UNIX operating system through the use of the GPL for SCO's proprietary code, including the code jointly developed for the Monterey project (a former joint project with IBM to develop a 64-bit enterprise Unix, a successor of AIX and UnixWare for use on the Itanium CPU, which IBM later abandoned in favor of Linux). The amount of alleged damages was later increased to $3 billion, and then to $5 billion. SCO claimed that IBM had, without authorization, contributed SCO's intellectual property to the codebase of the Linux operating system. Though IBM is the only company named in SCO's lawsuit, other Linux vendors, like Red Hat, could suffer collateral damage.
Since then, the claims and counter-claims made by both sides have escalated, with both IBM and Linux distributor Red Hat starting legal action against SCO, and SCO sending a threatening letter to large companies known for wide adoption of Linux.
On September 30, 2003, Judge Kimball granted the SCO Group's request for a delay until February 4, 2004, "to file any amended pleadings or add parties to this action". This pushed the start of the actual lawsuit back to 2005.
Although the chances of SCO winning this lawsuit seem slim, it is premature to dismiss the lawsuit as complete nonsense, as many Linux enthusiasts do. SCO may not be very good at making a profit by selling software (last year the company lost $24.9 million on sales of $64.2 million). But historically it has a very good record of getting what it wants from other companies, and it has a tight circle of influential friends. In 1996, SCO's predecessor company, Caldera, bought the rights to a decrepit version of the DOS operating system and used it to sue Microsoft, eventually shaking out a settlement believed to be about 155 million dollars. In 1997, Darl McBride, now SCO's chief executive, sued his then employer, IKON Office Solutions, and won a settlement that he says was worth multiple millions. McBride joined Caldera as chief executive in June 2002. Two months later he changed the company's name to the SCO Group, after the name of the Unix-on-Intel vendor that Caldera had purchased in 2001 from its creator, The Santa Cruz Operation. There are some striking similarities between the 1996 DOS lawsuit against Microsoft and the current lawsuit over Unix and Linux.
SCO is basically owned and run by the Canopy Group, a Utah firm with investments in dozens of companies. Canopy's chief executive, Ralph J. Yarro III, is chairman of SCO's board of directors and engineered the suit against Microsoft in 1996.
In an action that affects large companies directly, in May 2003 SCO sent letters to about 1,500 of the world's largest corporations warning that they could be liable for using Linux. "We believe that Linux infringes on our Unix intellectual property and other rights," the letter said. "We intend to aggressively protect and enforce these rights. Legal liability that may arise from the Linux development process may also rest with the end user." [Shankland2003]
In March 2004 SCO sued two big Linux enterprise customers, AutoZone and DaimlerChrysler [Shankland2004b].
AutoZone responded to SCO's legal challenge by filing a motion to stay the lawsuit until SCO vs. IBM, SCO vs. Red Hat and SCO vs. Novell have been fully litigated. A failure by SCO to prevail in any one of these cases would resolve the AutoZone lawsuit in favor of AutoZone, since, according to AutoZone's motion, the case depends on SCO being able to establish that SCO owns the Unix code in question and that AutoZone has infringed that code by using Linux. These are issues to be directly resolved by the other pending lawsuits.
In its lawsuit against DaimlerChrysler, SCO claimed the existence of alleged violations of its UNIX software agreement, as DaimlerChrysler is a licensee of SCO UnixWare. According to the official SCO press release:
SCO's lawsuit seeks the following relief:
- Enter an order that DaimlerChrysler has violated Section 2.05 of the Software Agreement by refusing to provide the certification of compliance with the "provisions" of that Agreement;
- Enter an order permanently enjoining DaimlerChrysler from further violations of the DC Software Agreement; and
- Issue a mandatory injunction requiring DaimlerChrysler to remedy the effects of its past violations of the DaimlerChrysler Software Agreement; and
- Award damages in an amount to be determined at trial; and
- Enter judgment in favor of Plaintiff together with costs, attorneys' fees and any such other or different relief that the Court may deem to be equitable and just.
The lawsuit was later dismissed by the court on the basis that Daimler-Chrysler no longer uses SCO UnixWare and thus does not need to comply with the licensing agreement.
Some Linux distributors felt threatened by the SCO lawsuit and countersued. On August 4, 2004 Red Hat, Inc. filed suit for Declaratory Judgment, requesting permanent injunctions, costs, and treble damages from SCO, on the basis that there is no infringement of trade secrets or copyright by Red Hat in Linux, and that SCO is engaged in false advertising in violation of the Lanham Act, deceptive trade practices, unfair competition, and trade libel and disparagement. On April 8, 2004 a Delaware district judge rejected the SCO Group's request to throw out Red Hat's lawsuit against it, but stayed the case pending the result of SCO vs. IBM. Judge Robinson said it would be "a waste of judicial resources" for the case to continue while litigation between IBM and SCO continues in Utah. That case isn't due to be heard until next year.
Novell hasn't countersued, but has made the case that SCO doesn't own what it thinks it owns, the rights to System V UNIX, which completely undermines SCO's case against IBM [Orlowski2004]. The SCO Group has sued Novell, claiming the born-again Linux company is interfering with SCO's right to collect money from Linux users. The 'Slander of Title' suit, which is invoked when ownership of a contested property has not yet been established by the courts, seeks to block Novell from filing further UNIX copyrights that SCO claims are rightfully its own. On October 7, 2003 Novell produced a document that contains a summary of Novell's interpretation of the 1995 technology license agreement with SCO [Novell2003] and claimed that Novell has the right to indemnify its customers under the agreement.
Participation in SCO's licensing program appears very weak. Though Microsoft has entered into a license agreement with SCO "to respect SCO's intellectual property", the move is widely regarded as a way to provide the financially strapped SCO with funds to survive prolonged litigation, which can indirectly benefit Microsoft by weakening its major competitor IBM.
There are many complications involved in the case, including but not limited to:
As of August 2004, the lawsuit is still not resolved, but generally the developments favor IBM's case. Still, Linux enterprise customers might fear a train wreck, given that in a shrinking market the intellectual-property agendas of some of the largest IT companies appear to be on a collision course. The fast-growing popularity of Linux and other open-source products has garnered the attention of large commercial vendors, who see opportunities for building open-source communities that ultimately work much like outsourcing, contributing to the bottom lines of their for-profit software using the free labor of the computer enthusiasts involved in those open source projects. For instance, IBM hopes to encourage developers to write applications in Java, greasing the wheels for sales of its expensive WebSphere middleware and other commercial products.
But the potential to run afoul of intellectual-property claims, combined with the sheer proliferation of open-source projects, means customers need to make open-source choices carefully. One particular area of concern is patents. Concerns about what software patents the city of Munich, Germany, might violate in moving 14,000 PCs from Windows to Linux caused city officials to delay those plans. Patent issues could be a "catastrophe" for the city's Linux effort, an official said.
Open Source Risk Management Inc., a startup that offers insurance against patent and copyright violations in open source projects, released a study that cites 283 possible patent claims that might be applied against Linux. A third of the patents are owned by Linux backers, including Hewlett-Packard, IBM, Novell, and Oracle, which are unlikely to assert claims. For example, an IBM spokesman stressed that "IBM has no intention of ever asserting its patent portfolio against the Linux kernel unless forced to". Still, a lot of the patents potentially violated in Linux code are owned by Linux opponents like Microsoft or by neutral parties that at some point can become hostile to Linux, like Sun.
Indemnity is when one party holds another party harmless in the event that, as a result of a contract that exists between the two, a third party brings a claim against one or both of the original two parties. When you offer someone indemnity, you are acting as if you were the insurer with respect to third party claims. If SCO is that third party and it sues you, the company that's holding you harmless will stand between you and SCO as a shield, covering legal costs and absorbing any damages you sustain as a result of entering this contract [Rosenbaum2004].
It's worth stating that there is a way to avoid getting sued altogether, the one that SCO essentially wants to enforce. This might be a good option for any image-conscious company that wants to avoid the legal limelight: simply pay SCO $699 per server for a perpetual license of their intellectual property. According to SCO's Stowell, "The license that we are offering to commercial end users of Linux is called the SCO Intellectual Property License. The end user is provided with a license that allows them to run SCO's intellectual property as it is found in Linux in binary form only. This license is meant to apply to any version of Linux (based on the 2.2 kernel and later) that is being run in a commercial environment." [SCO2004] A major advantage of going this route is that it is Linux distribution neutral.
Another option to minimize the chances of being sued is to run open source software on another operating system, one that includes indemnification (Solaris, HP-UX). Of the four major commercial Unixes (AIX, HP-UX, Solaris and Linux), AIX is the most risky from the intellectual property standpoint and would be harmed in the unlikely case that SCO succeeds, because of SCO's revocation of IBM's Unix license. Until the SCO lawsuit is resolved, IBM's AIX should be considered the most vulnerable Unix flavor. Also, only Solaris and Linux are available on the Intel architecture. As far as HP-UX is concerned, Intel's recent announcement regarding its AMD64-compatible Nocona hybrid puts a question mark over the future of all of HP's operating systems and makes Linux the only viable choice for them.
Currently three companies provide Linux indemnification for their customers: HP, Novell and Sun. In all three cases only distributions supported by respective companies are covered:
IBM was the first and largest company to be sued by SCO, but it has yet to offer indemnification of any kind to customers. It did, however, take some steps in this direction. In addition to its contribution to the OSDL defense fund (see below), IBM helped bankroll Novell's acquisition of Suse, a move that amounts to an indirect indemnification play. Meanwhile, Red Hat, the most popular distributor of Linux, has promised to replace any source code that's found to be infringing on a copyright. The company has earmarked a recent $1 million contribution to the Open Source Now Fund to help defray the legal costs of open source developers and academic institutions that become entangled in SCO's legal web [Shankland&Kanellos2003].
The Open Source Development Lab (OSDL, created by IBM, Intel and several other large companies), the current employer of the original Linux kernel developer Linus Torvalds, has established a separate legal defense fund with the intention of helping some Linux customers that come under litigation from SCO [Shankland2004a].
For Linux customers, the highly fractured response has resulted in more questions than answers. How can companies like HP, which don't have their own distributions of Linux, offer indemnification? Even stranger, how is it that HP can offer indemnification on a version of Linux that even its distributor (Red Hat) won't indemnify? This raises the question of what happens when an HP customer running Novell's Suse Linux must invoke its rights to indemnification. Which of the two indemnification agreements takes precedence in addressing the customer's needs?
Finally, does IBM's and Red Hat's failure to offer indemnification amount to a lack of confidence in their legal standing versus SCO that enterprises must take seriously when selecting Linux distributions and solution providers? Or is it a sign that real indemnification is impossible to achieve, rendering the three existing programs less than they're cracked up to be? Or is it, as they have maintained in their public statements, that the SCO claims are baseless and don't warrant extraordinary indemnification measures?
It is important to understand that Linux is just one example of an open source project, and there are many others that a company can benefit from. There are literally thousands of open-source projects in existence. These projects include operating systems, programming languages, utilities, Internet applications and many more. Most of them are not interesting and cannot compete with commercial applications; quality and the level of security also vary, with a lot of projects never achieving the magic version 1.0 (a relatively debugged version). The following 12 projects are notable for their influence, longevity, the size of their codebase (in the second column, in thousands of source lines, KLOC), and their level of success:
Table 2. Major open-source projects
Project | Size of the code (KLOC) | License | Notes
Apache | 100 | BSD-style | The most popular HTTP server on the Internet. Used by many large companies along with commercial web servers.
BIND | 150 | BSD | Dominant DNS server. Used by most large companies.
KDE | 250 | GPL and LGPL | Desktop environment. Often used with Suse Linux.
GNOME | 150 | GPL | Desktop environment. Along with Linux, it is used on Solaris 8 and 9 workstations. Supported by Sun.
Sendmail | 200 | BSD | Dominant mail server on the Internet. Widely used for enterprise mail servers (especially external, Internet-facing mail servers).
Perl | 150 | Artistic and GPL | Dominant scripting language. Widely used for Unix scripting and in production systems. Installed by default in Solaris.
PHP | 150 | BSD-style | Popular web application scripting language (often used with MySQL). Widely used in large corporations (Yahoo).
Python | 160 | BSD-style | Scripting language that competes with Java.
Samba | 150 | GPL | Implementation of the Microsoft-compatible file server protocol.
MySQL | 250 | GPL | Relational database for web applications. Popular in e-commerce applications. Used by Yahoo. Often used with PHP.
PostgreSQL | 300 | BSD | Powerful relational database. Often used with Perl.
From a management perspective, open source development can be considered a special kind of outsourcing. As in any outsourcing, the potential weaknesses in open-source software development are many, and almost all of them affect security [Bezroukov1999a, Bezroukov1999b]. Of course, the problems outlined below are not limited to open source projects; the nature of open source development just makes them more acute in comparison with closed source projects. But the ability to resolve those problems in open source projects depends almost completely on the personality of the leader of the project, who often acts as a benevolent dictator:
As Linux introduces another OS into the current stable of existing OSes, it is very important to develop an integration strategy that does not increase the complexity of the current infrastructure and thus weaken the overall security of the environment by spreading the staff too thin between multiple different OSes. That means that businesses should be very cautious with deployment decisions and try to synchronize Linux deployment with the reduction of the variety of existing OSes, a move that is probably possible with Netware and HP-UX and that will be discussed later in this whitepaper. There is growing understanding that fashion-based Linux deployments are not cost effective. In his article "Switching to Linux picks up steam", published on ZDNet on August 31, 2004, David Becker wrote:
In a report on total cost of ownership for the Linux, Unix and Microsoft Windows operating systems, research company The Yankee Group found that only 4 percent of businesses planned to migrate Unix servers to Linux within the next two years. A total of 11% intended to move Windows servers to Linux, while 21% proposed to add Linux servers to a predominantly Windows environment.
On the desktop, 36% of businesses expected to have a few Linux PCs in their business, but only 5% planned a total migration to Linux. A majority, 57%, planned no changes for Windows on the desktop.
The main problem is that while moving to Intel-based servers is definitely a very cost effective move, moving to Linux is only one of the possible ways to achieve that, since open source software can be deployed on other flavors of Unix and in some cases even under Windows:
"All of the firms would like to reduce the amount of up-front capital expenditure dollars they spend on expensive Windows and Unix software licenses," the report found. "However, they also recognize that in certain instances, a wholesale or significant switch to Linux might reduce up-front costs but result in higher overall costs."
Factors to consider in such a cost analysis range from interoperability with existing applications to the relative scarcity of trained Linux support personnel. "The establishments that have or are seriously considering Linux bemoaned the present dearth and high cost of skilled Linux administrators, even as they praised the open-source operating system's ease of use," the report stated.
Such concerns may loom larger if a company is governed by a central IT strategy, which would discourage a piecemeal approach to technology adoption, Yankee analyst Dana Gardner said.
"The position companies need to look at is whether there's a tactical or strategic role for Linux and open source," Gardner said. "They're looking at what would be a strategic platform that's fully integrated and supported."
Below we tried to quantify the relative level of security based on the criteria discussed above. Of course, this method has its limitations (we assume equal weight for each component of the metric, and the scoring is subjective). Still, I think that the total scores provide some useful insight into the integral security of the OSes involved. The total scores for each OS are as follows (only the column headers survive in this copy):
Red Hat | Suse | Solaris on Sparc | Solaris on Opteron | AIX | HP-UX | Windows
While Red Hat has a better score (after all, this is the dominant Linux distribution, with probably a 2/3 share of the Linux market), Novell is the only company that has existing rights to use Unix products, so it can indemnify its customers against SCO and other related lawsuits; that may be a major consideration.
Windows Server 2003 would have total score 141 if we compensate for two n/a entries.
Below we will reproduce the whole matrix:
Name | Red Hat ES | SuSE | Solaris on Ultra | Solaris on Opteron | AIX | HP-UX on PA-RISC | Windows Server 2003 | Notes
Accounts and passwords security | 8 | 8 | 8 | 8 | 8 | 7 | 8 | Linux provides a reasonable level of account security, but it does not support RBAC. Some features of RBAC can be emulated via sudo, which is preinstalled in both Red Hat and Suse distributions.
Root security | 7 | 7 | 6 | 6 | 6 | 6 | n/a | In Linux root by default has its own home directory /root, which improves the security of this account.
(row name and scores missing in the source) | | | | | | | | Linux provides an extensive set of filesystem mounting attributes and can mount a filesystem as read-only and nosuid. Still, virtualization capabilities are very rudimentary, and here Linux is far behind the leading commercial Unixes (AIX and Solaris). Linux has only basic filesystem virtualization mechanisms (chroot).
File Permissions | 8 | 7 | 9 | 9 | 9 | 8 | 8 | Some Linux filesystems like Ext3 support ACLs, but the quality of ACL support in commercial Unixes is higher. Ext3 supports BSD-style extended attributes.
Integrity checking | 8 | 7 | 8 | 8 | 6 | 6 | 7 | Linux is approximately equal to Solaris in integrity checking capabilities, and Red Hat ships with Tripwire as an installation option. Still, in Linux there is no MD5 database like in Solaris, although some features of it can be emulated using the RPM database.
Shell and scripting security | 7 | 7 | 8 | 8 | 8 | 8 | 8 | Neither operating system has advantages in this area, but Linux has some additional vulnerabilities due to the large number of shells and scripting languages installed by default.
SSH support | 8 | 8 | 8 | 8 | 6 | 6 | 5 | As in Solaris, in Linux ssh is supported out of the box (it is an installation option).
PAM support | 9 | 9 | 8 | 8 | 6 | 6 | 5 | Linux looks quite competitive with Solaris and has a wider selection of PAM modules than Solaris. Both of them definitely surpass AIX and HP-UX.
X11 security | 4 | 4 | 6 | 6 | 6 | 6 | n/a | The problems with X security on Linux are mainly due to the lesser security of its desktop managers Gnome and KDE (especially Gnome).
TCP wrapper support | 8 | 8 | 8 | 8 | 6 | 6 | 1 | Linux has TCP wrapper functionality in the xinetd daemon.
NFS | 6 | 6 | 9 | 9 | 8 | 8 | 5 | Linux NFS support is rudimentary and not that stable. Solaris has a much better implementation.
Built-in firewall | 8 | 8 | 8 | 8 | 6 | 6 | 8 | Linux has a built-in firewall that is enabled by default.
Quotas enforcement and accounting data collection | 6 | 6 | 8 | 8 | 8 | 8 | 8 | Commercial Unixes are still superior in this area.
Logging | 6 | 6 | 8 | 8 | 7 | 7 | 7 | All Unixes are approximately equal in this area, but Linux has better log postprocessing tools. Solaris has much better kernel-based logging mechanisms that help in debugging.
Patching process quality | | | | | | | | [Only two scores, 8 and 8, survive in the source; their columns cannot be identified.] Patching in Linux involves updating whole packages. The patching process in both Red Hat and Suse is weaker than the Solaris patching process, and patching support requires
The number of Exploits and Hacking Attacks Statistics | | | | | | | | [Six of seven scores survive in the source: 4, 8, 7, 8, 8, 4; their columns cannot be identified.] As for the number of exploits, Linux is less secure than commercial Unixes; it can be rated as equal in insecurity
(row name missing in the source) | | | | | | | | [Six scores survive: 6, 9, 9, 10, 6, 8; their columns cannot be identified.] Solaris 10 has zones; AIX 5.3 has partitions available by default.
Kernel security | 4 | 4 | 9 | 8 | 9 | 7 | 6 | Security of the kernel in Linux is hampered by the number of contributors and the complexity of the build process. Security-wise, the Linux kernel does not have the capabilities of the Solaris or AIX kernels.
(row name missing in the source) | | | | | | | | [Six scores survive: 4, 8, 8, 7, 7, 4; their columns cannot be identified.] Linux network security is bad due to the number of installed network applications.
Package management | 8 | 7 | 6 | 6 | 4 | 4 | 6 | RPM is an impressive package manager created by Red Hat, and Red Hat RPM-based packages dominate among all applications in the Linux space.
Education and Security Certifications | 9 | 7 | 8 | 7 | 7 | 6 | 10 | The number of books devoted to Red Hat security is considerable and surpasses the number of Solaris books by an order of magnitude. Red Hat offers four security-related training courses (approximately the same as Sun for Solaris). We judge that in this area Linux surpasses all other Unixes and trails only Windows.
Hardware Related Security Issues | 6 | 6 | 8 | 7 | 8 | 8 | 6 | 32-bit Intel hardware is the most hacked hardware in existence and is widely available to hackers of any country on the globe. By just switching to 64-bit hardware we can somewhat decrease hardware-related security risks.
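One way to emulate the Solaris-style fingerprint database with the checksums the RPM database already holds, as the Integrity checking row suggests. This is an added example, not code from the manuscript: it triages `rpm -Va` output (the sample lines below are constructed, not captured from a real host) so that content changes to binaries and missing files surface first while mtime-only drift is pushed to the bottom.

```python
"""Triage of `rpm -Va` output as a poor man's file integrity baseline.

`rpm -V` compares every installed file against the size, digest, mode,
owner, group, mtime (and, on newer rpm, capabilities) recorded at install
time in the RPM database.  One line per changed file:

    S.5....T.  c /etc/ssh/sshd_config      <- flags, file type, path
    missing      /usr/lib/libwrap.so.0     <- file removed

Flag positions: S size, M mode, 5 digest, D device, L symlink, U user,
G group, T mtime, P capabilities; '.' = test passed, '?' = test not run.
The file-type column is c (config), d (doc), g (ghost), l (license),
r (readme) or blank.  Added example, not the manuscript's code."""
import re
from dataclasses import dataclass

_VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?P<type>[cdglr])?\s*(?P<path>/\S.*)$"
)

CONTENT_FLAGS = set("5SL")   # digest, size, symlink target changed
PERM_FLAGS = set("MUG")      # mode, owner or group changed


@dataclass
class Finding:
    path: str
    flags: str
    is_config: bool
    missing: bool
    severity: str            # high, medium, low or info


def classify(line: str):
    """Parse one `rpm -V` line; return a Finding or None for non-verify output."""
    m = _VERIFY_RE.match(line.rstrip("\n"))
    if not m:
        return None            # e.g. "Unsatisfied dependencies for ..." lines
    flags, ftype, path = m.group("flags"), m.group("type"), m.group("path")
    is_config = ftype == "c"
    if flags == "missing":
        return Finding(path, flags, is_config, True, "high")
    fset = set(flags) - {".", "?"}
    if fset & CONTENT_FLAGS and not is_config:
        sev = "high"      # binary or library content changed outside rpm
    elif fset & PERM_FLAGS:
        sev = "medium"    # ownership/mode drift: a setuid bit planted or dropped
    elif fset & CONTENT_FLAGS:
        sev = "low"       # edited config file: expected, but worth a baseline diff
    else:
        sev = "info"      # mtime-only, typically a backup/restore or touch
    return Finding(path, flags, is_config, False, sev)


def triage(output: str):
    """Return all findings, most serious first, then by path."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    findings = [f for f in (classify(l) for l in output.splitlines()) if f]
    return sorted(findings, key=lambda f: (order[f.severity], f.path))


# Constructed sample of what `rpm -Va` might print; not from a real system.
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/login
.M.......    /usr/bin/passwd
missing      /usr/lib/libwrap.so.0
.......T.  d /usr/share/doc/README
.M....G..  c /etc/sudoers
"""

if __name__ == "__main__":
    # In production replace SAMPLE_OUTPUT with the stdout of `rpm -Va`.
    for f in triage(SAMPLE_OUTPUT):
        print(f"{f.severity:6} {f.flags:9} {f.path}")
```

Run it periodically and diff against the previous run; a changed binary in /bin or a vanished library is the signal, while a config file with a new mtime is the normal background noise this ordering is meant to separate out.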
[AMD2004] One Year Later, AMD And Sun Continue To Redefine Enterprise Computing. AMD press release, November 17, 2004. URL: http://www.amd.com/us-en/Corporate/VirtualPressRoom/0,,51_104_543~92079,00.html
[Berlind2004a] David Berlind. HP's protection: SCO-only, but no dollar limit. ZDNet, February 18, 2004. URL: http://techupdate.zdnet.com/techupdate/stories/main/HP_protection.html, accessed 4 March 2004.
[Berlind2004b] David Berlind. Novell's protection: Covers more than SCO, caps damages, targets enterprises. ZDNet, February 18, 2004. URL: http://techupdate.zdnet.com/techupdate/stories/main/Novell__protection.html, accessed 4 March 2004.
[Bezroukov1999a] Nikolai Bezroukov. "Open Source Development as a Special Type of Academic Research (Critique of Vulgar Raymondism)." First Monday, volume 4, number 10 (October 1999). URL: http://firstmonday.org/issues/issue4_10/bezroukov/, accessed 4 March 2004.
[Bezroukov1999b] Nikolai Bezroukov. "A Second Look at the Cathedral and the Bazaar." First Monday, volume 4, number 12 (December 1999). URL: http://firstmonday.org/issues/issue4_12/bezroukov/, accessed 4 March 2004.
[BSD1979] The 4.4BSD Copyright.
[Breslow86] Jordan J. Breslow. Copyright Law. 1986, Walnut Creek, CA 94596, USA. URL: http://www.ifla.org/documents/infopol/copyright/breslow.txt
[Broersma2004] Matthew Broersma. "Linux security problems are your own fault." InfoWorld, August 02, 2004. URL: http://www.infoworld.com/article/04/08/02/HNlinuxsecurity_1.html
Price of Linux Software. Law.com, January 28, 2005. URL: http://www.law.com/jsp/ltn/pubArticleLTN.jsp?id=1106573739477
[Debian2003] Debian -- News -- Some Debian Project machines compromised.
[Davis2004a] Noel Davis. Apache Repaired. O'Reilly LinuxDevCenter.com, May 17, 2004. URL: http://www.linuxdevcenter.com/pub/a/linux/2004/05/17/insecurities.html
[Davis2004b] Noel Davis. Linux Kernel Problems. O'Reilly LinuxDevCenter.com, May 19, 2003. URL: http://www.linuxdevcenter.com/pub/a/linux/2003/05/19/insecurities.html#lin
[Davis2004c] Noel Davis. Linux Kernel Exploitation. O'Reilly LinuxDevCenter.com, September 09, 2004. URL: http://www.linuxdevcenter.com/pub/a/linux/2004/09/09/insecurities.html
[Davis2004d] Noel Davis. ELF Trouble. O'Reilly LinuxDevCenter.com, December 01, 2004. URL: http://www.linuxdevcenter.com/pub/a/linux/2004/12/01/security_alerts.html
[Davis2004e] Noel Davis. Linux AMD64 Kernel Bug. O'Reilly LinuxDevCenter.com, December 29, 2004. URL: http://www.linuxdevcenter.com/pub/a/linux/2004/12/29/security_alerts.html
[DiBona1999] Chris DiBona, Sam Ockman and Mark Stone (editors). Open Sources: Voices from the Open Source Revolution. Sebastopol, Calif.: O'Reilly & Associates, 1999.
[IEoF2002] Internet Encyclopedia of Philosophy. URL: http://www.utm.edu/research/iep/s/soc-cont.htm
[FSF1998] Richard Stallman. The BSD License Problem. Free Software Foundation, 1998-2002. URL: http://www.gnu.org/philosophy/bsd.html
[FSF1991] GNU General Public License, Version 2, June 1991. GNU Project, Free Software Foundation (FSF).
[FSF1999a] GNU Lesser General Public License, Version 2.1, February 1999. GNU Project, Free Software Foundation (FSF).
[Gregbillock2002] Stolen open source a corporate legal risk. kuro5hin.org, 04/09/2002.
[Golden2005] Bernard Golden. The ROI of Open Source. PUNDIT, CIO Magazine, Jun 15, 2005. URL: http://www.cio.com/archive/061505/et_pundit.html
[Kelty2001] Christopher M. Kelty. Free Software/Free Science. First Monday, volume 6, number 12 (December 2001). URL: http://firstmonday.org/issues/issue6_12/kelty/index.html
[Krishnamurthy2002] Sandeep Krishnamurthy. "Cave or Community?: An Empirical Examination of 100 Mature Open Source Projects." First Monday, volume 7, number 6 (June 2002).
[LaMonica2005] Martin LaMonica. Mixing up the LAMP stack. News.blog, CNET News.com. URL: http://news.com.com/2061-10795_3-5746474.html?part=rss&tag=5746474&subj=news
[Lancashire2001] David Lancashire. The Fading Altruism of Open Source Development. First Monday, volume 6, number 12 (December 2001). URL: http://firstmonday.org/issues/issue6_12/lancashire/index.html
[Lash1998] Alex Lash. Source code for the masses. CNET News.com, February 2, 1998. URL: http://news.com.com/2009-1001-207659.html?legacy=cnet, accessed 27 July 2004.
[Lemos2002] Robert Lemos. Too much trust in open source? CNET News.com, March 20, 2002. URL: http://zdnet.com.com/2100-1104-864256.html
[Levesque2004] Michelle Levesque. Fundamental issues with open source software development. First Monday, volume 9, number 4 (April 2004).
[LWN2003] LWN. Savannah.gnu.org compromised too.
[Malcolm2003] Jeremy Malcolm. Problems in Open Source Licensing. iLaw.au, 2003. Paper presented at Australia's national Linux conference, Linux.conf.au, 24 January 2003. URL: http://www.ilaw.com.au/public/licencearticle.html
[Matzan2005] Jem Matzan. BSD cognoscenti on Linux. NewsForge, June 15, 2005. URL: http://os.newsforge.com/os/05/06/09/2132233.shtml
[McMillan2005] Robert McMillan. IBM goes silent on Linux desktop effort. Computerworld, January 25, 2005.
[Meyers2000] Bertrand Meyer. The Ethics of Free Software. Software Development, March 2000.
[MICROSOFT2000a] Microsoft. Questions about GPL. URL: http://www.microsoft.com/korea/business/downloads/licensing/Gpl_faq.doc
[Millard2004] Elizabeth Millard. Survey Results Show Few Linux Security Problems. Linux Insider, June 28, 2004. URL: http://www.linuxinsider.com/story/35421.html
[Miller2002] Robin Miller. Linux, Open Source have 'more security problems than Windows'. NewsForge.com, November 15, 2002. URL: http://www.theregister.co.uk/2002/11/15/linux_open_source_have_more
[Moglen1999] Eben Moglen. "Anarchism Triumphant: Free Software and the Death of Copyright." First Monday, volume 4, number 8 (August 1999), accessed 4 March 2002.
[Mozilla1999] Mozilla Public License, version 1.1.
[Mozilla2001] Mozilla Relicensing FAQ.
[MySQL_AB2002] MySQL News. FAQ on MySQL vs. NuSphere Dispute.
[Naraine2002] Ryan Naraine. Yahoo Goes PHP in Open Source Embrace. internetnews.com, October 30, 2002. URL: http://www.internetnews.com/dev-news/article.php/1491221
[Netcraft2004] Netcraft. Slight Linux Market Share Loss for Red Hat. Netcraft Inc., July 12, 2004. URL: http://news.netcraft.com/archives/2004/07/12/slight_linux_market_share_loss_for_red_hat.html
[Novell2003] Technology License Agreement.
[Oncoresystems2002] GNU Public License Clarification. URL: http://www.oncoresystems.com/linux_gpl.htm
[Orlowski2004] Andrew Orlowski. Novell offers SCO last drink at System V saloon. The Register, February 12, 2004. URL: http://www.theregister.co.uk/2004/02/12/novell_offers_sco_last_drink, accessed April 10, 2004.
[OSI1999] Open Source Initiative. The Open Source Definition, Version 1.4. URL: http://www.opensource.org/osd.html, accessed April 10, 2004.
[Perens1999] Bruce Perens. "The Open Source Definition." URL: http://www.opensource.org/docs/definition.php, last visited March 8, 2004.
[REDHAT2002] redhat.com Trademark Guidelines.
[Raymond1998a] Eric S. Raymond. "The Cathedral and the Bazaar." First Monday, volume 3, number 3 (March 1998). URL: http://firstmonday.org/issues/issue3_3/raymond/, accessed March 4, 2004.
[Raymond1998b] Eric S. Raymond. "Homesteading the Noosphere." First Monday, volume 3, number 10 (October 1998). URL: http://firstmonday.org/issues/issue3_10/raymond/, accessed March 4, 2004.
[Rosenbaum2004] Joseph Rosenbaum. Protect Thyself 101: A primer on indemnification. ZDNet, February 18, 2004. URL: http://techupdate.zdnet.com/techupdate/stories/main/indemnification_primer.html http://wwws.sun.com/software/linux/
[Salkever2001] Alex Salkever. Is Open-Source Security Software Safe? BusinessWeek Online, December 11, 2001. URL: http://www.businessweek.com/bwdaily/dnflash/dec2001/nf20011211_3015.htm
[SCO2004] SCO Group Inc. Intellectual property license. SCO Group, February 2, 2004. URL: http://www.thescogroup.com/scosource/scoip_eula_feb204.pdf, accessed March 4, 2004.
[Shankland2003] Stephen Shankland. SCO targets Linux customers, CNET News.com, May 14, 2003, URL: http://zdnet.com.com/2100-1104-1001609.html Accessed March 4, 2004.
[Shankland&Kanellos2003] Stephen Shankland. Red Hat files suit against SCO CNET News.com August 4, 2003 URL: http://zdnet.com.com/2100-1104-5059547.html
[Shankland2004a] Stephen Shankland. SCO suits target two big Linux users, CNET News.com, January 12, 2004 URL: http://zdnet.com.com/2100-1104-5138820.html Accessed March 4, 2004.
[Shankland2004b] Stephen Shankland. SCO suits target two big Linux users, CNET News.com, March 3, 2004 URL: http://news.com.com/2100-1014-5168921.html Accessed March 4, 2004.
[Slashdot2003] Slashdot Gentoo rsync Server Compromised [updated] http://slashdot.org/article.pl?sid=03/12/03/1921235
[Stallman1985] Richard Stallman. The GNU Manifesto
[Stallman1998] Richard Stallman. Netscape Public License - GNU Project - Free Software Foundation (FSF)
[Stallman1999a] Richard Stallman. http://mail.gnome.org/archives/gnome-announce-list/1999-February/msg00031.html
[Stallman1999b] Richard Stallman. Why you shouldn't use the Library GPL for your next library, LinuxToday, Feb 1, 1999 URL: http://linuxtoday.com/news_story.php3?ltsn=1999-02-01-004-05-OP; Also at FSF Website, URL: http://www.gnu.org/philosophy/why-not-lgpl.html
[Stallman1999c] Richard Stallman. Freedom and the GNU GPL - Oct 4, 1999 Linuxword.com, 1999
[Stallman1999d] Richard Stallman. "The GNU Operating System and the Free Software Movement." in Chris DiBona, Sam Ockman and Mark Stone (editors), Open Sources: Voices from the Open Source Revolution. 1999. Sebastopol, Calif.: O'Reilly & Associates. URL: http://www.oreilly.com/catalog/opensources/book/stallman.html
[Stallman2002b] Richard Stallman . RMS condemns per-seat licensing Linux, GNU, and freedom Linux and Main, May 31 2002 URL: http://www.linuxandmain.com/modules.php?name=News&file=article&sid=83 Accessed May 31, 2004
[SUN2004] Sun's Linux Offerings http://wwws.sun.com/software/linux/ http://wwws.sun.com/software/linux/
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author's free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Copyright in the original materials belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: September 12, 2017