
Softpanorama Bulletin
Vol 17, No. 04 (December, 2005)


Solaris vs. Linux Security in Large Enterprise Environment

Version 0.90

Copyright 2004-2005, Dr. Nikolai Bezroukov. This is a copyrighted unpublished manuscript. All rights reserved.

Table of Contents

  1. Executive Summary
  2. Introduction
  3. Comparative security matrix
  4. References

Abstract

The level of security achievable in Linux in comparison with Solaris is discussed, and the problems of Linux integration into existing enterprise infrastructure are outlined. The author argues that adding another OS to the large enterprise mix is a costly decision that has negative side effects on security regardless of which OS is being added, and that those side effects should not be taken lightly. That means that Solaris 10 has significantly narrowed the window of opportunity for Linux to penetrate a large corporate environment.

We should clearly distinguish and separately evaluate the savings and security benefits of moving to the EM64T architecture from the savings and benefits of moving to Linux as a new OS.

The key finding is that the goal of diminishing (or at least not increasing) the diversity of operating system environments is a key prerequisite for the security of Unix infrastructure at the large enterprise level, and that this consideration should guide Linux deployment in the large enterprise environment.

We judge this goal to be more important for the general level of security in the corporation than the individual qualities of Linux in the security space (or its faults in the same space). It also strongly affects potential savings.

We suggest that the following main points support this key finding:

  1. Typical Linux security problems are bigger compared with Solaris and AIX along all major dimensions of enterprise security. The key issues include, but are not limited to, the number of vulnerabilities, the complexity and frequency of patching, hardening procedures, and the quality and stability of the major subsystems. The comparative security matrix presented in the paper provides additional insight into Linux security and suggests that it stands somewhere between the leading commercial Unixes and Windows 2003 servers. The main conclusion is that Solaris 9 currently leads Linux in security (and Solaris 10 zones and AIX 5.3 partitions promise additional significant improvements unachievable in the Linux space), while Windows 2003 server and Linux have a generally similar level of security, with Linux having some advantages in certain areas and Windows 2003 server in others. In no way can Linux be considered significantly more secure than Windows 2003 in a heterogeneous enterprise environment. We judge this to be an urban myth.

    At the same time we judge that there is a noticeable weakness in the level of security of the current versions of Linux in comparison with both Solaris 10 and AIX 5.3, and upgrading existing servers to those versions (with the appropriate consolidation efforts made possible by the virtualization capabilities of those OSes) might be a more suitable path to improving enterprise security than the introduction of an additional OS.

     

  2. We suggest that in a large enterprise environment a successful Linux deployment requires "sacrificing" at least one existing enterprise Unix flavor. This requirement constitutes the most important prerequisite for a secure large-scale enterprise Linux deployment. There is a saying that any enterprise using more than two flavors of Unix is using just too many. The valid consideration behind it is that system administrators outside of a select class of super-administrators are generally incapable of mastering more than two flavors of Unix to the level sufficient for maintaining an adequate level of security. The differences are just too subtle and too numerous to comprehend. Moreover, a regular Unix administrator just cannot become proficient in more than two flavors of Unix at the level necessary for adequate administration (a statement that can be measured by the number of people who hold more than two system administrator certifications: two are more or less common, three are very rare). This "too many Unixes on the floor" factor alone can lead to significant deterioration of the general level of enterprise security due to the introduction of Linux. We note that Linux deployment is further complicated by Linux internal fragmentation: the existence of two competing enterprise distributions (Red Hat and Suse) creates a risk, which should be properly understood by high-level management, that the introduction of a first flavor will eventually lead to the introduction of the other due to application requirements or preferences.
     

  3. As Linux generally has the widest availability of open source applications among all Unixes (including Solaris), in case this factor is considered an important enough advantage to justify OS deployment, it might be wise to postpone Linux deployment until Linux gets lightweight VM capabilities competitive with Solaris 10 zones or BSD jails (for example, the introduction of Xen into Red Hat Enterprise). Not only security, but the other benefits provided by Linux should be carefully evaluated against the ability to support the virtual machine concept as in Solaris 10 (lightweight VM: zones) and AIX 5.3 (full VM: logical partitions). The paper stresses that any enterprise-ready Unix now should provide VM capability out of the box, as is the case with Solaris and AIX. Otherwise securing the servers might be a much more complex job.
     
  4. Linux is surrounded by too much hype, and the reality of large enterprise deployments looks drastically different from newspaper articles. With Sun opening Solaris 10 and providing a version of Solaris for the Intel EM64T hardware platform that supports zones, the possibility of using Solaris 10 as an alternative to Linux should be considered in each individual case due to the definite security advantages of "zoned" application deployments. In cases where Solaris is already used for a particular application (for example e-commerce applications, SAP R/3, etc.), just moving the hardware platform from UltraSparc to the EM64T architecture and "zoning" those applications looks like a significantly more secure deployment strategy. At the same time this strategy provides cost savings comparable with those typically associated with the conversion to Linux.
     
  5. Application security on Linux is generally lower than application security on UltraSparc Solaris or AIX due to the usage of the most mass-produced platform on the market and the freely available and widely used GCC compiler. For most corporate applications, security-wise Linux is positioned between RISC CPU based Unixes (AIX, HP-UX, Solaris) and Windows 2003 server. It is pretty close to Windows in general level of security as well as in the recommended length of the patch cycle. Linux applications compiled with the GCC compiler have a higher number of vulnerabilities per year (close to Windows) than the same applications on commercial Unixes that run on different architectures and use different compilers, and a significant part of those vulnerabilities are related to buffer overflows. Moreover, unlike Solaris, Linux is still unable to utilize the advantages of the new EM64T architecture, whose MMU can set a no-execute bit on a memory segment. On EM64T Solaris (as on UltraSparc) can disable execution from the stack. As a result Linux servers generally require more frequent patching (probably monthly, as in the case of Windows servers) in an enterprise environment. At the same time many enterprises are able to survive with quarterly patching (or even half a year) for all but the most critical bugs (recommended cluster) for AIX and Solaris. A semiannual cycle is also the most typical for HP-UX. We suggest that using proprietary compilers like the Intel compiler or the Sun Studio 10 compiler might further improve the security of open source applications, first of all such widely used enterprise packages as BIND, Sendmail, and Apache, against typical exploits.
     
  6. Linux servers and applications require a more frequent patching cycle. The latter is quite costly in a large enterprise environment, and its effect on the savings expected from the Linux deployment should be carefully evaluated. We judge that the availability of high-quality open source security tools and deep hardening can somewhat offset this patching period disadvantage and might permit using a quarterly patching cycle for internal firewall-protected Linux servers. Linux has a weaker internal firewall (Solaris 10 is using IPFilter, the best open source firewall available).

    At the same time Linux has a better selection of open security tools, including a better selection of additional PAM modules than Solaris.
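The no-execute-stack point in item 5 above has a user-space side: on Linux the kernel honours the PT_GNU_STACK program header, so a binary whose header asks for an executable stack (or, on older kernels, a binary lacking the header altogether) opts out of the protection the hardware offers. The following parser is an added example, not code from the original bulletin: it reads the ELF program headers of a binary and reports whether it requests an executable stack and whether any loadable segment is mapped both writable and executable. It generalizes beyond the EM64T case in the text to ELF32 images and big-endian byte order. The `build_image` helper constructs minimal ELF images inline so the check can be exercised offline; the addresses, flags and machine numbers it uses are constructed sample values.

```python
import struct
import sys

# ELF constants from the ELF specification and the GNU ABI extension
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2

# Field order of Elf64_Phdr and Elf32_Phdr differs: p_flags moves after p_memsz in ELF32
_PHDR64 = ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_align")
_PHDR32 = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags", "p_align")


def _layout(ident):
    """Return (endian prefix, Ehdr struct format, Phdr struct format, Phdr field names)."""
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if ident[5] == ELFDATA2LSB else ">"
    if ident[4] == ELFCLASS64:
        return endian, "16sHHIQQQIHHHHHH", "IIQQQQQQ", _PHDR64
    if ident[4] == ELFCLASS32:
        return endian, "16sHHIIIIIHHHHHH", "IIIIIIII", _PHDR32
    raise ValueError("unknown ELF class")


def program_headers(image):
    """Parse the program header table of an in-memory ELF image into a list of dicts."""
    endian, ehdr_fmt, phdr_fmt, fields = _layout(image[:16])
    ehdr = struct.unpack(endian + ehdr_fmt, image[:struct.calcsize(ehdr_fmt)])
    # Ehdr fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    size = struct.calcsize(phdr_fmt)
    if e_phentsize != size:
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)
    headers = []
    for i in range(e_phnum):
        start = e_phoff + i * size
        values = struct.unpack(endian + phdr_fmt, image[start:start + size])
        headers.append(dict(zip(fields, values)))
    return headers


def stack_policy(image):
    """Classify the stack the loader will give this binary.

    'nonexec' : PT_GNU_STACK present without PF_X (NX enforced, the desirable state)
    'exec'    : PT_GNU_STACK present with PF_X (binary explicitly requests an executable stack)
    'absent'  : no PT_GNU_STACK; older Linux/x86 kernels fell back to an executable stack,
                so an auditor treats this as a finding too
    """
    for ph in program_headers(image):
        if ph["p_type"] == PT_GNU_STACK:
            return "exec" if ph["p_flags"] & PF_X else "nonexec"
    return "absent"


def wx_segments(image):
    """Return the virtual addresses of PT_LOAD segments mapped both writable and executable."""
    return [ph["p_vaddr"] for ph in program_headers(image)
            if ph["p_type"] == PT_LOAD and (ph["p_flags"] & (PF_W | PF_X)) == (PF_W | PF_X)]


def build_image(stack_flags=None, load_flags=PF_R | PF_X, elf64=True):
    """Constructed minimal ELF image (header plus program headers, no code) for testing the audit."""
    ident = (b"\x7fELF" + bytes([ELFCLASS64 if elf64 else ELFCLASS32, ELFDATA2LSB, 1, 0, 0]) + bytes(7))
    endian, ehdr_fmt, phdr_fmt, fields = _layout(ident)
    ehsize, phsize = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    base = 0x400000  # constructed load address
    phdrs = [{"p_type": PT_LOAD, "p_flags": load_flags, "p_offset": 0, "p_vaddr": base,
              "p_paddr": base, "p_filesz": ehsize, "p_memsz": ehsize, "p_align": 0x1000}]
    if stack_flags is not None:
        phdrs.append({"p_type": PT_GNU_STACK, "p_flags": stack_flags, "p_offset": 0, "p_vaddr": 0,
                      "p_paddr": 0, "p_filesz": 0, "p_memsz": 0, "p_align": 16})
    # e_type=2 (ET_EXEC), e_machine=62 (x86-64) or 3 (i386), e_version=1, program headers follow the Ehdr
    ehdr = struct.pack(endian + ehdr_fmt, ident, 2, 62 if elf64 else 3, 1, base,
                       ehsize, 0, 0, ehsize, phsize, len(phdrs), 0, 0, 0)
    table = b"".join(struct.pack(endian + phdr_fmt, *(ph[f] for f in fields)) for ph in phdrs)
    return ehdr + table


if __name__ == "__main__":
    # Audit real binaries given on the command line, e.g. the daemons named in the text.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        print("%s: stack=%s wx_segments=%s" % (path, stack_policy(data), [hex(a) for a in wx_segments(data)]))
```

Run against a directory of service binaries, a report of `stack=exec`, `stack=absent`, or a non-empty `wx_segments` list marks a binary that gives up the hardware no-execute protection regardless of what the platform supports; the distribution's build flags, not the CPU, decide that.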

All in all, in the security space large enterprises can get additional benefits from the deployment of Linux if and only if such a deployment is strategically aligned with the goal of diminishing operating system platform diversity. Adding Linux to the enterprise Unix mix decreases the existing level of security due to the additional complexity of maintaining another flavor of Unix (often two additional flavors: Red Hat and Suse) by the existing staff of system administrators.

Executive Summary

Protecting IT infrastructure is a very challenging task in a culture where easy access to information prevails over security concerns. The key problem here is that the need for an efficient enterprise to provide relatively unfettered access to data, combined with the highly decentralized nature of operations, is irrevocably connected with the potential for serious security breaches. Maintaining and, especially, improving the IT security of large enterprises is a huge challenge, and the introduction of new OSes like Linux is only one relatively minor problem among many others.

Still, introducing Linux as an additional OS into the enterprise OS mix is a problem that, if not addressed properly, can lead to the deterioration of the existing level of security. We assess the following critical issues in the executive evaluation of the security problems related to the introduction of Linux-based servers in a large enterprise IT environment:

  1. The main security problem of the introduction of Linux into a large corporation's IT infrastructure is the resulting increase in the diversity of existing Unix platforms, which diminishes the amount of attention given to the security issues on each platform.

    The success of Linux deployment largely depends on the ability to preserve or, better, diminish the level of diversity of the OSes deployed. It is recommended to deploy Linux only in areas where it can replace, not add to, the mix of server operating systems currently used. In all other areas deployment of Solaris 10 on EM64T hardware can be a viable alternative to Linux deployment from the security standpoint (depending on the availability of software for the EM64T version of Solaris).

    Most large enterprises currently standardize on all three major flavors of commercial Unix (Solaris, AIX and HP-UX) as well as three other Intel-based OSes (MS Windows, Novell, and VMware). This is already a very costly diversity that stretches both administrators and security personnel too thin. Excessive diversity implicitly creates a situation in which only the two most prominent OS platforms are secured to any significant depth (for example Solaris and Windows, or AIX and Windows); other platforms are relatively less secure due to lesser attention to their security. If this is true, then adding Red Hat, Suse (or, most probably, both) to the enterprise OS mix is a step that can backfire in the security space.

    That means that a large enterprise can get additional benefits from the deployment of Linux if and only if such a deployment is strategically aligned with the goal of diminishing operating system platform diversity. Other things being equal, Linux deployment is the most realistic option only for those enterprises that have substantial HP-UX and Novell NetWare deployments and are planning to consolidate both into Linux as a cost-saving measure: HP-UX and Novell are both moving toward the Linux space, so replacing their existing servers with Linux does not disrupt the relationships with those companies. Still, there should be no rush in the deployment of Linux servers until the corresponding firms make their Linux offerings solid and robust enough for the replacement of existing servers, which might take considerable time.

    HP-UX is often used as an Oracle platform in the enterprise space. Oracle implements a large part of OS functionality within its database (there was a project in the past to run Oracle directly on hardware without an OS layer) and is also moving to Linux as its primary platform for development, so non-critical midrange database servers running HP-UX look like a natural target for Linux conversion. Such a conversion might provide comparable security (as this will be the platform on which Oracle does its development; such a platform is inherently more secure than others even if the underlying OS is not) and substantial (up to a hundred thousand dollars per midrange server) hardware cost savings. Still, for each such case Solaris on EM64T should be evaluated as an alternative, as Solaris was the platform on which Oracle developed its database for a long time. For critical database servers Solaris still should be used instead of Linux.
     
  2. Linux is just a kernel and is packaged as a distribution by multiple competing vendors. Thus it has inherited the "Unix curse" and is splintering into multiple, only partially compatible enterprise distributions. That means that enterprises often need to introduce not one but two flavors of Linux into their environment. From an enterprise standpoint Linux has too many filesystems. Mostly for political reasons Linux vendors are promoting different filesystems, generally inferior to SGI's XFS in the enterprise environment. While both ext3 (Red Hat) and ReiserFS (SuSE is the primary sponsor of ReiserFS) support large files and volumes and are journaled, they are not safe to use in an enterprise environment as there are no true stress tests available to the general public to help decide which one to use. For this reason alone, the choice between Red Hat and Suse is not trivial, and large enterprises probably need to have both, as different vendors prefer to certify their applications for different Linux flavors (for example, currently Suse is preferable for SAP R/3, Red Hat for Oracle).

    Each distribution is creating its own installation and management tools, and there is no will among Linux vendors to fight the NIH syndrome, which is known to result in the spawning of a myriad of incompatible, incomplete or ill-designed clones of many software products created by or for a specific Linux distribution. Most tools are "80% done", and this "80% done" syndrome is pretty typical across the variety of Linux distributions. When a closed source project gets 80% done, its owner will redouble efforts to win market share. They will advertise heavily, work hard on enhancements, and try to take over. When an open source project gets most of the way there, its developer doesn't have a big incentive to make changes: it works fine for them. They may work on bugs, or assume that other members of the community need to pull their load now. They may even move on to work on something else.

    That "multiple personality" problem with Linux makes Solaris on the EM64T hardware platform especially attractive for large enterprises. Sun formed a strategic alliance with AMD [AMD2004], and it is reasonable to expect that the quality of the EM64T version of Solaris will quickly improve from the current level. Currently Solaris compatibility with non-Sun platforms remains limited, but this should not be of concern to large enterprises, as Sun usually belongs to the list of their approved hardware vendors anyway.
     
  3. The predictability of Sun as a vendor is better than that of either Red Hat (which makes unpredictable and damaging moves by trying to monopolize the Linux space and force its expensive consulting services on enterprise customers) or Novell (which makes unpredictable and damaging moves because it is struggling financially).

    While Red Hat is closer to a mutual fund than to a "for profit" company and as such is more stable financially, with the recent arbitrary discontinuation of Red Hat 9 support Red Hat seriously damaged its brand and the loyalty it had for its distribution. Also, RHEL licensing costs exceed the licensing costs for Solaris. Many of its former customers moved to other distributions (Debian, Gentoo); some moved to FreeBSD.

    That created an opening for Novell, but the general viability of the Linux model for Novell still needs to be tested in the marketplace. Some of its recent moves created internal conflicts of interest (for example KDE vs. Gnome). Also, its long-term financial viability depends on the success of other products, first of all the success of NDS, which is gradually being pushed out of the enterprise space by Active Directory.
     
  4. While Linux is just a kernel, Solaris is a complete Unix system: kernel, device drivers, libraries, userland, development environment, documentation, and all the tools you need to continue doing development. Based just on completeness of functionality, it is not handled like a Linux distribution. Solaris packaging is fully controlled by Sun, and that means that Solaris will have a single distribution in the foreseeable future.

    For example, if the Solaris development team needs to make a change (for example, introduce ACLs), they can force such a change into the system by changing it all the way up to the utilities. That means that Solaris can react to new technical possibilities more quickly, and this has recently been shown to be the case with the introduction of zones in Solaris version 10. If something is designed wrong and the proper fix depends on changes outside the kernel, the Solaris team can still fix it by changing all the required pieces in the right places. They do not need clever kernel hacks in the wrong place to fix a problem that should be fixed in a more complete manner.

    The quality (and security) of several major components in Solaris (NFS is the most visible example) is far above anything in the Linux space.

    Solaris is better documented. The most important is the difference in the quality of man pages: in Solaris everything has man pages, including the kernel functions. Linux instead depends on FAQs, HOWTOs, and sparse documentation that comes in many different formats.
     

  5. The maturity of an OS platform from the security standpoint is highly dependent on the availability and quality of virtualization components, and Solaris 10 zones represent significant security advantages over Linux.

    While both kernels are "open source" kernels, there are many differences between the two that are the consequences of when and how the kernels were developed. In no way can the Linux kernel be considered a "problem free" kernel (and OS) or the most technically advanced kernel (or OS) from the technical standpoint. Parts of the Solaris source can be traced back more than 30 years and have gone through many revisions. This has resulted in excessive complexity in certain subsystems where the code is difficult to understand and modify. Linux's kernel code is newer and it keeps constantly being refactored between versions. While this makes the code somewhat simpler at the virtual machine and filesystem API layers, stability suffers. Especially troublesome is general device driver stability. Every Linux 2.6 release so far has had bugs that were fixed in the next minor release, while others got introduced. Solaris has much better regression testing, and this is not a problem for Solaris customers. Still, Linux has caught up a lot, especially with 2.6. The 2.4 Linux kernel used to have up to 12 copies of a single device driver, one for each combination of architecture and bus supported. Now most drivers have one copy. The 2.4 I/O performance issues have been largely addressed in 2.6. A major reason behind Linux's improvement is the support from commercial vendors in the basic kernel functionality (IBM), filesystems (XFS from SGI), and third-party drivers. [Matzan2005]

    Lightweight virtual machines constitute the most attractive path for the improvement of application security in the enterprise environment. While virtualization does not prevent application-level exploits, it contains them to a particular VM environment that can be pretty well isolated from both the network and the other applications running on the same server.

    Linux virtual machine components are still immature and far behind such OSes as Solaris 10 (Solaris 10 zones are a very elegant implementation of the concept of a lightweight VM, a concept that originated in FreeBSD) and, especially, AIX 5.3 (which, before Solaris 10, was along with FreeBSD a leader in the Unix virtualization race; AIX virtualization facilities are not lightweight but a full-blown VM, and as such are not available for EM64T hardware).

    This weakness can be partially compensated for by deploying Linux under a third-party VM environment, for example the one provided by VMware. Still, creating multiple instances of Linux under VMware increases the complexity in comparison with using a single OS. Essentially VMware in this case represents another addition to the corporate OS mix. Moreover, VMware licensing and support costs largely eliminate the cost advantages of switching to Linux. While using Linux under VMware is an attractive option for consolidating low-load "one application" servers, here Solaris 10 zones represent a more competitive solution.

    Network infrastructure and server complexity in large enterprises has increased so significantly that it has become a constraint on how flexible a business can be. Server consolidation based on the virtual machine concept in a large enterprise environment is a necessity that no large enterprise can avoid. This movement has already started in the AIX space and the Windows space (sometimes under VMware, which in this case can be reused for Linux virtualization purposes), but it will definitely accelerate in the future. Currently Linux is the weakest Unix platform for virtualization and needs additional components (VMware) to be viable in this space.
     

  6. The recommended hardware deployment platform for Linux (as well as for Solaris on Intel) from the security standpoint (as well as from the cost/performance standpoint) should be mid-range EM64T-based (AMD Opteron or Intel Nocona) servers. Outside of areas where appliance-like hardening and configuration of the server is possible (like web hosting), usage of production Linux servers on the older 32-bit Intel x86 architecture is not recommended because of higher security risks.

    Usage of EM64T technology (Intel's name for its 64-bit extensions to the x86 instruction set, pioneered by AMD and adopted by Intel) somewhat diminishes the security risks from mass exploits and provides a better price/performance ratio than the traditional Intel x86 architecture. EM64T has an MMU that can set a no-execute bit on a memory segment. On EM64T Solaris, as it does on UltraSparc, can disable execution from the stack. That stops a significant percentage of stack-overflow type attacks. Therefore the usage of EM64T should be considered an important security requirement for all future projects that involve mid-range Intel-based servers. The traditional 32-bit Intel x86 architecture, being the most popular computer platform on the globe, significantly increases the chances that a particular vulnerability will be hit with an exploit before patching. It also does not scale well, and this fact alone prohibits enterprises from making significant cost savings on midrange servers.
     

  7. Availability of Solaris on the EM64T platform by and large neutralizes the Linux advantage of running on Intel hardware. Opteron currently has approximately a 50% price/performance advantage over comparably priced UltraSparc CPUs (especially in the popular low-end enterprise server configurations: 2 1.5 GHz CPUs with 2 or 4 GB of memory (V210) and 4 1.6 GHz CPUs with 4-8 GB of memory (V440)). The four-way Opteron-based Sun Fire V40z server, which is priced in the same range, achieved world-record results on SPEC OMPM2001 (a key benchmark for scientific applications in 2004) and is priced competitively with both HP and Dell servers. The Sun Fire V20z was one of the top-performing two-way x86 servers available in 2004.

    There is no significant security or cost advantage to using Linux for typical enterprise applications on lower-end servers in comparison with Solaris 10 on Intel or Windows 2003 (here "low end" means four or fewer CPUs and 4 or fewer gigabytes of RAM). We judge that in this case, along several important dimensions of security, first of all the availability of qualified security personnel and administrators, as well as the availability of applications, Windows 2003 is competitive with Linux. Solaris costs more to manage but is more secure. As the migration of Lotus Notes from Windows servers to the AIX/PowerPC platform has shown, for certain applications even mid-range Windows servers can be more stable and cheaper than Unix alternatives, while being reasonably secure.
     
  8. Solaris has a significant "security via obscurity" advantage over Linux, and that advantage will be preserved for the foreseeable future.

    Linux's growing popularity is attracting unwanted attention from virus writers, script kiddies and criminal elements. In response, Linux advocates are putting a new emphasis on security measures and working to reassure large enterprises that the OS is secure for important enterprise applications. Still, in 2003-2004 there was a lot of change in the attractiveness of Linux from the security standpoint due to its now established status as a favorite target for hackers/crackers, second only to Windows. Chad Dougherty, an Internet security analyst at the CERT Coordination Center, which tracks OS vulnerabilities, stated that "If you look over time, there has been a consistent level of vulnerabilities." Several remotely exploitable problems in the Linux kernel and major Linux applications are reported each year. Moreover, some of the major application vulnerabilities are exploitable only on Linux, as they depend on kernel and/or compiler properties. For 2004 there were several reported kernel problems [Davis2004a, Davis2004b, Davis2004c, Davis2004d, Davis2004e]. In late 2003 there were several high-profile breaches. The GNU project CVS repository savannah.gnu.org was compromised in early November 2003. The compromise was discovered December 1, 2003, and Savannah was back online December 23, 2003. The last "known good" backup was dated September 16. As a result a lot of patches for the projects maintained on Savannah (for example mc) were lost [LWN2003]. Next, the Debian Project had to take its servers down to clean up after a remote vulnerability breach [Debian2003]. Then a server at the Gentoo project was compromised [Slashdot2003].

    From both security and cost/performance standpoints Solaris on Intel remains the major competitor to Linux in the Intel-compatible hardware space. Just having a different executable format from Linux (and using a different compiler for the kernel and other major subsystems) makes Solaris more "exploit resistant" than Linux, as this represents an additional "security via obscurity" layer of defense that we should not ignore. Talking about "security via obscurity", we should state that it does provide enterprise customers an important additional layer of defense, the value of which is often underestimated. This layer is thicker on RISC-based platforms like UltraSparc (with its stack-overflow protection). On AMD CPUs this layer is thinner, but EM64T has an MMU that can set a no-execute bit on a memory segment, and at least on Solaris that permits blocking all "Linux exploit copycat" style attacks. Also, in the case of Solaris there is the "question of credibility" issue that dictates the necessity of making an exploit portable to UltraSparc: in order to preserve/enhance his credibility an exploit writer/porter needs to work simultaneously on two architectures. For a student that means that one needs to shell out at least $500 to get a decent (not crippled by an IDE controller) UltraSparc box (for example an Ultra 30) or risk being caught abusing his/her office or university lab server/workstation. Combine this with the necessity of learning a different CPU architecture/compiler, and this combination means that the potential number of people who can write/port an exploit to Solaris is several orders of magnitude less than for Linux or Windows, where nothing prevents you from doing this in the privacy of your home on a regular PC. From my experience as a teacher I would suggest that it protects from ambitious (and often reasonably capable) "exploit seekers" among the students by automatically channeling their "vanity fair" zeal to more popular OSes.

    The important consideration here is that Solaris uses a different compiler from Linux. Many exploits are compiler dependent, and the necessity to cover both the gcc and Sun Studio 10 compilers significantly complicates the creation of a working exploit. For this reason large enterprises should consider using the Studio 10 compiler for compiling open source applications on Solaris x86 whenever possible or practical (for example, it is definitely recommended for compiling BIND and Sendmail). Obscurity, understood here as using less popular hardware and software platforms with some additional security features, is a viable method to secure any complex operating environment, and being off the most popular (and the most vulnerable) platforms like Linux and Windows represents for a large enterprise a strategic, not a tactical, advantage. This is especially true for open source applications. The vulnerabilities "vanity fair" flourishes mainly in Windows and Linux environments, as for other environments the effort will never create the PR return necessary for small security companies and individual consultants. But if open source applications are used, then Solaris can be a direct beneficiary of the "Linux vulnerabilities vanity fair": fixes are available at the same time, but creation of exploits that can work on Solaris is more difficult and requires knowledge outside the mainstream set of knowledge. Generally this compiler-based security is another example that, outside specialized and narrow areas like cryptographic algorithms, "security via obscurity" is an essential part of enhanced security. Actually, even in the cryptographic area the "one time pad", which represents one of the most secure cryptographic methods of encoding information, was used by such a formidable opponent as the KGB, an organization which probably has had specialists of very high caliber in this particular area.
     

  9. We judge that on the EM64T-Opteron platform, with the proper installation, hardening, patching and maintenance procedures, Linux has adequate security for usage only in the following deployment areas:
     
  10. It's very important to distinguish between security of the Linux itself (OS platform) and security of major open source applications (like Apache, Bind, Perl, PHP, Postgress, Sendmail, etc) , that can be used (often more securely) with the other Unix flavors.  Open Source applications security is relatively independent from the issues related to the security of the Linux kernel and filesystem (proper Linux) and actually can be improved by using Solaris as a deployment platform. At the same time most vulnerabilities that are sited as Linux vulnerabilities are actually are the vulnerabilities of the applications that are deployed on Linux. That means that enterprises has flexibility of deploying  major open source applications on alternative platforms, for example, Solaris (either on Intel or UltraSparc) or AIX depending on the security requirements (DMZ or Intranet) and the cost-effectiveness of the resulting solution. A new service expected in Solaris 10, codenamed "Project Janus" allows customers to run x86 Linux applications (binaries) on Solaris x86 unchanged without recompiling.

    The question any large enterprise needs to look at is whether there is a tactical or strategic role for open source on existing platforms. In case Linux is used as a bargaining chip in negotiating with Microsoft and Unix vendors, the platform deployment can be minimal (webservers and development workstations) and it's safer to deploy major open source applications on existing platforms like Solaris and Windows. In case Linux is a strategic platform, security becomes a high priority issue and the recommended process of hardening needs to be fully integrated into the infrastructure. As we stressed before, the decision to eliminate one of the existing server platforms is a prerequisite to the successful deployment of Linux in a large enterprise environment.

    It's important to understand that the ROI on deploying open source applications can be substantial. For example, Bernard Golden recently cited the example of Oregon State University, where the school first bought a Google appliance for about $125K per year. Two years later, they replaced the appliance with an open-source search product called Nutch (license cost: $0). Nutch is not as easy to use as the Google software, so it carries additional administration overhead of $10K yearly. The overall five-year payback, however, even when you consider additional hardware and engineering time, still produced an internal rate of return of 2,300% [Golden2005].

    Also, the LAMP stack (the combination of the Linux operating system, Apache Web server, MySQL database, and the scripting languages PHP, Perl or Python) can be implemented as a SAPP stack (Solaris, Apache, PostgreSQL database and the same scripting languages) with the additional advantages of Solaris stability, virtual machine capabilities and kernel multithreading support.
     
  11. Open source software is ideal for quick prototyping and can help to avoid costly deployment mistakes that often happen with proprietary products. For this particular purpose Linux has the upper hand, as most applications were tested on Linux and work "out of the box" in a Linux environment; the current Linux distributions can be installed on typical corporate PCs without problems (this is not yet true for Solaris 10). The role of Linux as an antidote to red tape should not be underestimated in a large corporate environment. Many prototypes on Linux can be created using regular workstations instead of servers, with zero or minimal (the cost of additional memory) acquisition costs. Often early prototyping can prove that an open source solution is more economical than a proprietary closed solution, or can deliver at least 80% of the functionality for, say, 20% of the cost, and thus can substantially lower software acquisition costs. In case the decision is made to go with the proprietary vendor, the experience gained with the open source prototype provides a much more realistic estimate of deployment costs than any other method, dramatically improves negotiating power in talks with the vendor, and helps to avoid costly mistakes.
     
  12. As Solaris 10 can run on the EM64T platform, and with the decision by Sun to open source the latest version of their software under a very liberal license, Solaris 10 represents a viable alternative to Linux for enterprise deployment. Looking at the advantages of going the Sun route versus the Linux route, it is hard to see why any organization with a large Solaris presence would choose to switch to Linux:
  13. Linux deployment requires re-training of system administration and security staff to create and maintain an adequate level of security. While being a flavor of Unix, Linux is different from Solaris, AIX and HP-UX; the hardware is also different from typical RISC servers (but is the same as is used for Novell and Windows servers). That means that deployment of Linux requires additional training of Unix and security staff. The level of retraining required is approximately the same as for a transition from one brand of Unix to another, for example, Solaris to AIX or vice versa.

    Security of Linux generally can be improved by methods similar to those used in Solaris, and most tools used for improving Solaris security are applicable to Linux. Still, there are substantial differences in OS architecture, and the level of vulnerability of Linux servers is closer to the level of vulnerability of Windows servers than to Solaris. This generally requires more frequent patching and more complex, deeper hardening. Like Windows, Linux can benefit from an "on-availability" patching cycle (via a patching wizard) instead of the quarterly patching cycle typically used for commercial Unixes.
     
  14. There are no substantial differences in the security of the two major Linux distributions: Red Hat Enterprise Server 3 and SUSE Linux Enterprise Server 9 (SLES 9). In the security comparison matrix (see below) they reached close scores (with Red Hat slightly ahead of SUSE). Red Hat Enterprise 3 has achieved Controlled Access Protection Profile compliance under the Common Criteria for Information Security Evaluation (CC), commonly referred to as CAPP/EAL3+, which formally makes it adequate for non-military deployments like most deployments in the large enterprise space. Novell SLES 9 became the first Linux distribution formally compliant with the Common Criteria CAPP/EAL4 standard, a slightly higher level of certification, which puts SLES 9 in the same league as Windows 2000 for sales in the government sector.

    For comparison, Sun Microsystems announced that the Trusted Solaris 8 4/01 Operating Environment (Solaris OE) received security certification under the Common Criteria Labeled Security Protection Profile (LSPP) at Evaluation Assurance Level 4 (EAL4) on May 1, 2002. AIX 5L for POWER V5.2 received a Common Criteria EAL4 Augmented rating on Sept 8, 2003.

    But those ratings do not tell the whole story about security, as they ignore several important dimensions of security as well as the security of applications. In choosing a Linux flavor for deployment one should take into account the development platform that a particular application vendor is using in-house. For example, Oracle uses Red Hat as a development platform, and that means that it is slightly safer to use Red Hat as a deployment platform for Oracle.

    Still, the mere fact of the existence of two distributions of the same product makes the Linux community and most independent software vendors (ISVs) nervous. There is a fear that one or the other distribution will fold, or that due to competitive motives Red Hat and SUSE will further diverge, repeating the path that commercial Unix went down more than two decades ago.
     
  15. In the future (three to five years) Linux can also be considered as a platform for Oracle and SAP R/3 application servers. Among current enterprise applications that in the future can be migrated to Linux, from the security standpoint the following should be considered:
     
  16. Linux distributions currently have the best selection, and the highest level of deployment, of open source security tools of all platforms.

    For example, the Red Hat distribution has Tripwire pre-installed. SSH, sudo and xinetd are also pre-installed. Powerful vulnerability scanners (nmap, Nessus, etc.) and an intrusion detection system (Snort) are available with both SUSE and Red Hat at no charge. That means that some savings can be realized in the security space by wider usage of Linux-based open source security solutions, especially vulnerability scanners and IDS sensors (Snort).

    Most of those open source tools are available for Solaris too and perform as well in a Solaris environment as in Linux. But their availability is lower and most documentation is explicitly Linux-oriented.
     

  17. We judge the risks of the SCO lawsuit as minimal, but the uncertainty surrounding the GPL license as a real problem. The usage of GPL components needs at least to be documented and understood, especially in the commerce and Web-related code provided by outsourcers. Copyright infringement suits related to open source could be a serious distraction and PR problem for large enterprises which have widely embraced the technology as a cost-saving measure. The behavior of the FSF as GPL custodian is largely unpredictable, and it tends to periodically launch GPL purity jihads against arbitrary targets. That might be a part of their PR strategy.

    Open source has been around for two decades as a favorite tool of computer scientists and technology-minded IS staff, but after IBM's decision to support Linux in 1999, partly as a counterweight to Microsoft Windows, it moved into the enterprise environment. Open source software is freely available to use, distribute and modify, but it is subject to restrictions set forth in several different open source licenses. The most restrictive open source license is the so-called General Public License (GPL), which among other things requires a company to open its code if the code uses GPL components and the company resells the software. As most large enterprises generally do not resell software, the risk is minimal.

    Still, the fact that in March 2003 SCO sued IBM for more than $1 billion, alleging that IBM had contributed to Linux proprietary code misappropriated from SCO, should serve as a warning that some litigation is possible against any large enterprise with considerable Linux deployment. The heart of SCO's argument is that it claims ownership of the copyrights to Unix System V and that parts of that operating system have been illegally built into Linux code. SCO claims it bought the rights to Unix from Novell, which had purchased them from AT&T. The U.S. District Court in Utah ordered that IBM must provide SCO with source code for its AIX and Dynix operating systems. The ruling clears the way for SCO to comb IBM's code for traces of proprietary SCO Unix code. Whether infringing code is found remains to be seen, but the court action should send a note of caution to IT departments everywhere.

    In addition, about 1,500 companies that widely deployed Linux received warning letters from SCO. That heightened businesses' fear of lawsuits related to open source usage. SCO has since sued DaimlerChrysler, AutoZone and Novell.

    Copyright infringement suits related to open source could be a serious distraction for large enterprises which have widely embraced the technology as a cost-saving measure. For example, Wal-Mart uses Linux in its cash registers and due to its size might be a potential target for a lawsuit.
     
    Linux's potential risks of intellectual property infringement litigation, and the lack of indemnities and other legal protections, extend to open source software in general, especially GPL-based software [Cassim&Overly2005]. That means that while usage of open source tools (often packaged with other Unixes, like Solaris, in addition to Linux) is generally safe, the usage of GPL-based components in e-commerce and Web applications should be subject to review due to the possible misappropriation of somebody else's intellectual property in such components. If quality alternatives are available, it is recommended that large enterprises select open source products licensed under BSD-derived licenses, the Artistic license or their close derivatives, not GPL-based products.

    It's clear that there might be additional costs for a company that does not protect itself from potential litigation related to open source usage. That's why code reviews for commerce and Web software developed by outsourcers are recommended above. This is similar to buying insurance or to a Sarbanes-Oxley compliance audit. The problem is that offshore software developers working on Web and e-commerce applications routinely borrow pieces of open source code as building blocks. If proprietary code is mixed with GPL code and the software is to be redistributed or sold as a commercial product, a license conflict is possible. The extreme solution would be an explicit ban on GPL components in Web and e-commerce software produced by outsourcers. A more moderate approach would be to use specialized scanning software to hunt for GPL license conflicts. An example of such software is Black Duck. The most important aspect of the problem is that currently large corporations often simply do not know whether GPL components are used in their e-commerce or open source software.
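    As an illustration of the review recommended above (an added example, not code from the paper or from Black Duck), the following Python script walks a source tree delivered by an outsourcer and classifies each source file by the license family named in its header or SPDX tag, so that GPL-licensed and unlicensed files can be pulled out for legal review. The sample tree, the header patterns and the file names are constructed here; the patterns are a heuristic first pass, not a legal determination.

```python
import os
import re
import tempfile
from collections import defaultdict

# Heuristic header patterns, checked in order. LGPL comes before GPL so that
# "GNU Lesser General Public License" / "SPDX: LGPL-2.1" is not reported as GPL.
LICENSE_PATTERNS = [
    ("LGPL", re.compile(r"GNU (?:Lesser|Library) General Public License|"
                        r"SPDX-License-Identifier:\s*LGPL", re.I)),
    ("GPL", re.compile(r"GNU General Public License|"
                       r"SPDX-License-Identifier:\s*GPL", re.I)),
    ("BSD", re.compile(r"Redistribution and use in source and binary forms|"
                       r"SPDX-License-Identifier:\s*BSD", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge|"
                       r"SPDX-License-Identifier:\s*MIT", re.I)),
    ("Artistic", re.compile(r"Artistic License|"
                            r"SPDX-License-Identifier:\s*Artistic", re.I)),
]

# Only files with these extensions are treated as source code (constructed list).
SOURCE_EXTENSIONS = {".c", ".h", ".cpp", ".php", ".pl", ".pm", ".py", ".js", ".java"}


def classify_header(text):
    """Return the license family named in a file header, or 'unknown'."""
    for family, pattern in LICENSE_PATTERNS:
        if pattern.search(text):
            return family
    return "unknown"


def scan_tree(root, header_bytes=4096):
    """Map each source file under root (relative, '/'-separated) to its license family.

    Only the first header_bytes of each file are read: license headers sit at the top.
    """
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            if os.path.splitext(fname)[1].lower() not in SOURCE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                header = fh.read(header_bytes)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = classify_header(header)
    return results


def summarize(results):
    """Group scanned files by license family."""
    by_family = defaultdict(list)
    for path, family in results.items():
        by_family[family].append(path)
    return dict(by_family)


def review_needed(results):
    """Files a GPL-conflict review must look at: GPL-licensed code and code with no
    recognizable license at all (the latter is where borrowed snippets usually hide)."""
    return sorted(p for p, fam in results.items() if fam in ("GPL", "unknown"))


# Constructed sample delivery: a proprietary checkout module plus borrowed libraries.
SAMPLE_FILES = {
    "cart/checkout.php": "<?php\n// Copyright (c) Example Corp. All rights reserved.\n",
    "lib/hash.c": "/* SPDX-License-Identifier: BSD-3-Clause */\n",
    "lib/gpl_util.c": "/* This program is free software; you can redistribute it and/or\n"
                      " * modify it under the terms of the GNU General Public License */\n",
    "lib/xml.c": "/* SPDX-License-Identifier: LGPL-2.1 */\n",
    "tools/parse.pl": "# Licensed under the Artistic License, same terms as Perl itself.\n",
    "README.txt": "Project notes, not source code.\n",
}


def build_sample_tree():
    """Write the constructed sample files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="license_scan_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    results = scan_tree(root)
    for family, paths in sorted(summarize(results).items()):
        print(f"{family}: {', '.join(sorted(paths))}")
    print("needs GPL review:", review_needed(results))
```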

Introduction


A number of technology analysts have observed that there is a pattern in the adoption of a new technology. First there is slow adoption; then, after a critical mass of early adopters is reached, there is tremendous excitement (the hype phase), followed by disillusionment. Those technologies that survive the disillusionment stage might eventually become popular in their markets, moving to the mainstream. The hype period usually starts with some arbitrary "trigger event", where one event or a series of events generates huge publicity, exposing the technology to a wider audience. A "peak of hype" follows, where great things are universally expected. As people learn more about the technology, it starts to struggle to meet the inflated expectations. Inevitably, this leads to disillusionment. For solid technologies the final stage is the "plateau of productivity", when the technology becomes mainstream. Sometimes, as was the case with Java, it ends with a more realistic understanding of the limitations of the new technology and creates a new growing industry. Often a technology can be so hyped that it never meets expectations, as we saw with object-oriented databases. In this case the disillusionment period means a shrinking number of vendors and movement of the technology off the primary scene.

We judge that open source is currently close to the peak of the "hype phase" and information about it should be assessed critically. That does not mean that open source technology is a fake: it is actually a very useful technology that has already proved its value in the enterprise environment. Still, the expectations currently are extremely, unrealistically high. As the central figure in Linux kernel development, Linus Torvalds, noted, "open source can not cure world hunger."

There's a lot of hype surrounding Linux, but the reality behind the myth is that there are numerous issues related to deploying the technology, which require considerable expertise and effort. Many people/companies use Linux, but not many are using complex configurations with clustering failover, etc. You're more likely to see simple "multiple single-server" environments.

Definition

The term "open source" is used to refer to three somewhat different phenomena:

Each represents a different aspect of open source, and each will be briefly discussed here, as it is impossible to understand the security of Linux without understanding the broader picture of the open source movement, including the current level of hype. As this is a security paper we will discuss openly the problems and weak spots of open source. This does not mean that closed source software is better; it just means that open source has its own unique set of problems, and they are quite different from the problems of closed source software, which are also many.

The typical model for software acquisition involves the purchase of closed source software solutions from the major vendors. Closed source software is any software whose source code is hidden from public view. Under most licenses the user cannot modify the program or redistribute it. Closed source products span the spectrum from server operating systems, application development platforms and office productivity suites to small yet often expensive utilities. Each of these software solutions has an initial investment cost plus maintenance and/or upgrade costs.

Organizations are now starting to embrace open source solutions as a cost-effective alternative to these closed source products. Open source solutions differ from closed source in many ways, cost being only one of them. Open source solutions are typically licensed free of charge, although some companies such as Red Hat, Novell, IBM, Oracle and Hewlett Packard (HP) sell versions of open source software with related maintenance, so-called commercial open source. The following features distinguish open source licenses [OSI1999]:

  1. Free Redistribution. The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale.
  2. Source Code. The program must include source code, and must allow distribution in source code as well as compiled form. Where some form of a product is not distributed with source code, there must be a well-publicized means of obtaining the source code for no more than a reasonable reproduction cost, preferably downloading via the Internet without charge. The source code must be the preferred form in which a programmer would modify the program. Deliberately obfuscated source code is not allowed. Intermediate forms such as the output of a preprocessor or translator are not allowed.
  3. Derived Works. The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.
  4. Integrity of The Author's Source Code. The license may restrict source-code from being distributed in modified form only if the license allows the distribution of "patch files" with the source code for the purpose of modifying the program at build time. The license must explicitly permit distribution of software built from modified source code. The license may require derived works to carry a different name or version number from the original software.
  5. No Discrimination Against Persons or Groups. The license must not discriminate against any person or group of persons.
  6. No Discrimination Against Fields of Endeavor. The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
  7. Distribution of License. The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.
  8. License Must Not Be Specific to a Product. The rights attached to the program must not depend on the program's being part of a particular software distribution. If the program is extracted from that distribution and used or distributed within the terms of the program's license, all parties to whom the program is redistributed should have the same rights as those that are granted in conjunction with the original software distribution.
  9. License Must Not Restrict Other Software. The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open-source software.
  10. License Must Be Technology-Neutral. No provision of the license may be predicated on any individual technology or style of interface.

Among the multiple open source licenses, the GPL, BSD, X Consortium, and Artistic licenses are all examples of licenses that can be considered conformant with the Open Source Definition. We will briefly discuss them later. The GPL is by no means the only license for open source products. There are multiple, different (and potentially GPL-conflicting) source licenses for applications (Open Source License Hell). Experience has shown that the license for a product, or its interpretation, can change abruptly (as was the case with MySQL).

Illusion of open code

The openness of "open source code" is subject to discussion. In most cases the level of openness is exaggerated and is actually the same as for closed source code, which is almost always obtainable via NDA agreements. In practice the open source model operates more like a shareware model and has very little to do with openness of the source. As such it does cut distribution costs and can provide high quality software. But this advantage has very little to do with open source, where "modifiability" of the code base by the end user is the defining principle.

And the shareware model of software development has proved to be a viable one. Think about such shareware products as RAR, TotalCMD, FAR, etc. They beat both the best open source applications *and* commercial applications in their areas.

But shareware distribution model has nothing to do with open source.

Actually, in the case of both the RHEL and SUSE distributions, source code is more of a marketing trick than a real asset: there is too much of it, and it is too poorly documented to be useful. RHEL is essentially a private kernel based on Linux, so here the situation is even more complex. Attempts to use it at the source code level bring a lot of unanticipated troubles. Even recompiling applications can be a non-trivial task.

In this sense only Gentoo is loyal to the "open source" as a principle. Both Red Hat and Suse are to a certain extent deviations.

Moreover, for most large open sourced components, even in the best case you get "assembler code", not high-level code, as there are no credible attempts to document it and simplify modification of the source base by the end user. There are even deliberate attempts in the opposite direction: attempts to keep the level of the code as low and as poorly documented as possible to preserve competitive advantage. That means an open betrayal of the KISS principle, and that can be a partial reason why we have all those non-maintainable C or C++ monstrous distributions and applications. C became the assembler code of the XXI century, so calling the C codebase open is a bit of a stretch, as it is open only for those who can spend hundreds of hours digging in this codebase.

The real problem for Linux is how it can compete on a TCO basis with products like Windows 2003 and Solaris 10 in the enterprise space. Hobbyists will always gravitate to something that can be downloaded for free, and that means that they can still be loyal to Linux despite all those TCO perversions in the enterprise space that we observe with Linux. But for enterprises the key issue is cost in the long run, and here Linux faces real problems, as Red Hat is probably the most expensive proposition out of the Microsoft, Red Hat, Sun troika.

So cutting bureaucratic red tape is a very nice feature but not enough to positively differentiate open source. And for Red Hat this existing TCO level does spell trouble in the near future, when the IBM-inspired marketing fog about the "new Linux system" (which is actually 14 years old) dissipates. More and more articles about "successes" of enterprise Linux deployments look like plain vanilla marketing hype. See for example "Computing: Linux Cuts Costs for Finance Firm" (LinuxToday, Feb 24, 2005) for a nice example of such a story.

Linux as the major open source software project is different from closed source OSes (and from other open source alternatives like FreeBSD and OpenBSD) in several major aspects:

It should be noted that most large corporations that never started a formal deployment of Linux already have some limited exposure. Usually some guerrilla installations can be found among IS and research staff.

GPL licensing of the Linux kernel and related adoption of Linux by the hacker world

Linux is licensed under the so-called GNU General Public License (GPL) version 2. The GPL is a free software license created by the GNU project in 1985 [Stallman1985]. It is also referred to as the GNU GPL and was developed by Richard Stallman, the creator and leader of the GNU project [Stallman1999d].

The purpose of the GPL is to grant the user almost unlimited rights to copy, modify, and redistribute programs (normally prohibited by copyright), and to ensure that those rights are preserved in any derivative works [FSF1991]. In contrast, end-user licenses for proprietary software deny those rights, and usually prohibit further redistribution of the software and creation of derivative works. The main controversy around the GPL is connected with granting third parties rights to "use, modify, and redistribute the program's code or any program derived from it but only if the distribution terms are unchanged." The GPL does not allow redistribution of private, closed source modifications of the codebase. Any changes must also be distributed under the GPL (its viral quality).

Additionally, the GPL does not allow the incorporation of licensed programs into proprietary software or any software licensed under a license that does not grant the same rights as the GPL. For this reason the GPL is often called "the incompatible license". There is only one exception: software libraries that are normally distributed with the compiler or operating system may be linked with programs licensed under the GPL.

An alternate form of the GPL, the GNU Library General Public License or LGPL, allows the linking of free software libraries into proprietary executables [FSF1999a]. This is a more acceptable license for private companies, as this way commercial development can also benefit from free software.

Probably partially due to the anarchistic nature of the license, Linux has become the No. 1 platform for hackers of all kinds. This creates additional security issues for enterprise customers who deploy Linux, as in this case they need to defend their turf against an opponent who knows the system better, does not need additional resources to create test systems, and does not need to pay money to acquire the knowledge required to use the system, including knowledge of its internals. In the case of Linux, hackers play the game on their own home turf. We should not absolutize this problem, as the mere volume of the code serves as a good deterrent for all but the most motivated hackers, but still this is a factor to consider, as it contributes to an "ego-pleasing" stream of vulnerabilities (not only individual hackers but also some small security companies are involved). This stream creates a "patching pressure" that significantly increases the cost of maintenance (to the level of Microsoft systems).

The recent adoption of Linux by big players like IBM slightly increases the level of comfort among big enterprise customers, but the concerns still remain. Partially due to this reason, Linux is considered by security specialists the most vulnerable OS (along with Microsoft Windows), and companies do need to exercise some caution in Linux deployment and carefully select the deployment target to maximize the benefits and minimize the risks of such a deployment.

Other Open Source Licenses and Open Source License Hell

The term "Open Source" was adopted in large part because it sounds more "enterprise friendly" and is promoted by Linux distributors such as Red Hat that sell "commercial open source", as well as because there is a multitude of other free software licenses that often conflict with each other, creating legal problems for users. There are several related terms that the reader needs to understand: free software, public domain software, freeware and shareware.

The term "free software" is often used as a synonym for the anarchistic social ideology of "software liberation", whereas Open Source is a more commercially oriented term. For example, the Free Software Foundation advocates free software as a right, emphasizing the ethical obligations associated with software distribution [Stallman1999a]. Open Source is more commonly used to describe the business case for free software, focusing more on the development process and software quality than on any underlying moral requirements.

Various free/open source software licenses have been developed, and they often conflict with each other. All free/open source licenses disclaim all warranties. The intent is to protect the author from any liability associated with the software. Since the software is provided free of charge, this is a reasonable condition, but the issue becomes more complex for expensive commercial distributions like Red Hat, where yearly licensing fees are comparable to closed source software fees.

The major open source software licenses include GPL, LGPL, BSD, and Artistic license. The following table provides a comparison of several common licenses.

Table 1. Comparison of various free software licensing practices.

Column legend (X = yes, - = no):
  (1) Can be linked with closed source (proprietary) software
  (2) Modifications can be taken private and distributed commercially
  (3) Modified version can be distributed under a different license
  (4) Contains special privileges for the original copyright holder over your modifications

  License         (1)   (2)   (3)   (4)
  GPL              -     -     -     -
  LGPL             X     -     -     -
  BSD              X     X     X     -
  Artistic         X     X     X     X
  Public Domain    X     X     X     -

The GPL is a political manifesto as well as a software license, and much of its text is concerned with explaining the rationale behind the license. This has alienated many developers. For example, Larry Wall, creator of Perl and the Artistic license, says: "the FSF [Free Software Foundation] has religious aspects that I don't care for." [Lash1998]. A less strict version of the GPL, called the LGPL, is often used for libraries.

The X license and the related BSD and Apache licenses are more acceptable for commercial companies. They essentially codify the academic ethic, in the sense that they grant all rights in return just for honest acknowledgment of the source of the code. The most important difference is that modifications to BSD-licensed software can be made closed, and any BSD-licensed program can be modified and redistributed without including the source or applying the BSD license to the modifications. Other developers have adopted the BSD license, including the developers of the X Window System (X license) and the Apache web server (Apache license).

The Artistic license was originally developed for Perl, but it has since been used for other software. The terms are more loosely defined in comparison with other licensing agreements, and the license is more commercially oriented. For instance, under certain conditions modifications can be converted into closed source. Furthermore, although sale of the software itself is prohibited, the software can be bundled with other programs, which may or may not be commercial, and sold.

Legal Risks Due to SCO Lawsuit

On March 7, 2003, the SCO Group (formerly known as Caldera Systems) filed a $1 billion lawsuit against IBM for allegedly "devaluing" its version of the UNIX operating system by releasing proprietary code under the GPL, including the code jointly developed for the Monterey project (a former joint project with IBM to develop a 64-bit enterprise Unix, a successor to AIX and UnixWare for use on the Itanium CPU, which was later abandoned by IBM in favor of Linux). The amount of alleged damages was later increased to $3 billion, and then to $5 billion. SCO claimed that IBM had, without authorization, contributed SCO's intellectual property to the codebase of the Linux operating system. Though IBM is the only company named in SCO's lawsuit, other Linux vendors, like Red Hat, could suffer collateral damage.

Since then, the claims and counter-claims made by both sides have escalated, with both IBM and Linux distributor Red Hat starting legal action against SCO, and SCO sending a threatening letter to large companies known for wide adoption of Linux.

On September 30, 2003, Judge Kimball granted the SCO Group's request for a delay until February 4, 2004, "to file any amended pleadings or add parties to this action". This pushes the start of the actual lawsuit back until 2005.

Although the chances of SCO winning this lawsuit seem to be slim, it is premature to dismiss the lawsuit as complete nonsense, as many Linux enthusiasts do. SCO may not be very good at making a profit by selling software (last year the company lost $24.9 million on sales of $64.2 million). But historically it has a very good record at getting what it wants from other companies. And it has a tight circle of influential friends. In 1996, SCO's predecessor company, Caldera, bought the rights to a decrepit version of the DOS operating system and used it to sue Microsoft, eventually shaking out a settlement believed to be about 155 million dollars. In 1997, Darl McBride, now SCO's chief executive, sued his then employer, IKON Office Solutions, and won a settlement that he says was worth multiple millions. McBride joined Caldera as chief executive in June 2002. Two months later he changed the company's name to the SCO Group, after the Unix-on-Intel vendor that Caldera had purchased in 2001 from its creator, The Santa Cruz Operation. There are some striking similarities between the 1996 DOS lawsuit against Microsoft and the current lawsuit over Unix and Linux.

SCO is basically owned and run by the Canopy Group, a Utah firm with investments in dozens of companies. Canopy's chief executive, Ralph J. Yarro III, is chairman of SCO's board of directors and engineered the suit against Microsoft in 1996.

In an action that affects large companies directly, in May 2003 SCO sent letters to about 1,500 of the world's largest corporations warning they could be liable for using Linux. "We believe that Linux infringes on our Unix intellectual property and other rights," the letter said. "We intend to aggressively protect and enforce these rights. Legal liability that may arise from the Linux development process may also rest with the end user." [Shankland2003]

In March 2004 SCO sued two big Linux enterprise customers, AutoZone and DaimlerChrysler [Shankland2004b].

AutoZone has responded to SCO's legal challenge by filing a motion to stay the lawsuit until SCO vs. IBM, SCO vs. Red Hat and SCO vs. Novell have been fully litigated. A failure by SCO to prevail in any one of these cases would resolve the AutoZone lawsuit in favor of AutoZone, because according to AutoZone's motion the case depends on SCO being able to establish that SCO owns the Unix code in question, and that AutoZone has infringed that code by using Linux. These are issues to be directly resolved by the other pending lawsuits.

In its lawsuit against DaimlerChrysler, SCO alleged violations of the UNIX software agreement that DaimlerChrysler, as a licensee of SCO UnixWare, had signed with SCO. According to the official SCO press release:

SCO's lawsuit seeks the following relief:

  • Enter an order that DaimlerChrysler has violated Section 2.05 of the Software Agreement by refusing to provide the certification of compliance with the "provisions" of that Agreement;
  • Enter an order permanently enjoining DaimlerChrysler from further violations of the DC Software Agreement; and
  • Issue a mandatory injunction requiring DaimlerChrysler to remedy the effects of its past violations of the DaimlerChrysler Software Agreement; and
  • Award damages in an amount to be determined at trial; and
  • Enter judgment in favor of Plaintiff together with costs, attorneys' fees and any such other or different relief that the Court may deem to be equitable and just.

The lawsuit was later dismissed by the court on the basis that DaimlerChrysler no longer uses SCO UnixWare and thus does not need to comply with the licensing agreement.

    Some Linux distributors feel threatened by the SCO lawsuit and have countersued. On August 4, 2004 Red Hat, Inc. filed suit for Declaratory Judgment, requesting permanent injunctions, costs, and treble damages from SCO, on the basis that there is no infringement of trade secrets or copyright by Red Hat in Linux, and that SCO is engaged in false advertising in violation of the Lanham Act, deceptive trade practices, unfair competition, and trade libel and disparagement. A Delaware district judge on April 8, 2004 rejected the SCO Group's request to throw out Red Hat's lawsuit against it, but stayed the case pending the result of SCO vs. IBM. Judge Robinson said it would be "a waste of judicial resources" for the case to continue while litigation between IBM and SCO continues in Utah. That case isn't due to be heard until next year.

    Novell hasn't countersued, but has made the case that SCO doesn't own what it thinks it owns, the rights to System V UNIX, which completely undermines SCO's case against IBM [Orlowski2004]. The SCO Group has sued Novell, claiming the born-again Linux company is interfering with SCO's right to collect money from Linux users. The "slander of title" suit, which is invoked when ownership of a contested property has not yet been established by the courts, seeks to block Novell from filing further UNIX copyrights that SCO claims are rightfully its own. On October 7, 2003 Novell produced a document containing a summary of Novell's interpretation of the 1995 technology license agreement with SCO [Novell2003] and claims that Novell has the right to indemnify its customers under the agreement.

    Participation in SCO's licensing program appears very weak. Though Microsoft has entered into a license agreement with SCO "to respect SCO's intellectual property", the move is widely regarded as a way to provide the financially strapped SCO with funds to survive prolonged litigation, which can indirectly benefit Microsoft by weakening its major competitor IBM.

    There are many complications involved in the case, including but not limited to:

    As of August 2004, the lawsuit is still not resolved, but generally the developments favor IBM's case. Still, Linux enterprise customers might fear a train wreck, given that in a shrinking market the intellectual-property agendas of some of the largest IT companies appear to be on a collision course. The fast-growing popularity of Linux and other open-source products has garnered the attention of large commercial vendors, who see opportunities for building open-source communities that ultimately work similarly to outsourcing, contributing to the bottom lines of their for-profit software using the free labor of the computer enthusiasts who are involved in those open source projects. For instance, IBM hopes to encourage developers to write applications in Java, greasing the wheels for sales of its expensive WebSphere middleware and other commercial products.

    But the potential to run afoul of intellectual-property claims, combined with the sheer proliferation of open-source projects, means customers need to make open-source choices carefully. One particular area of concern is patents. Concerns about what software patents the city of Munich, Germany, might violate in moving 14,000 PCs from Windows to Linux caused city officials to delay those plans. Patent issues could be a "catastrophe" for the city's Linux effort, an official says.

    Open Source Risk Management Inc., a startup that offers insurance against patent and copyright claims involving open source projects, released a study that cites 283 possible patent claims that might be applied against Linux. A third of the patents are owned by Linux backers, including Hewlett-Packard, IBM, Novell, and Oracle, which are unlikely to assert claims. For example, an IBM spokesman stressed that "IBM has no intention of ever asserting its patent portfolio against the Linux kernel unless forced to". Still, a lot of patents that potentially were violated in Linux code are owned by Linux opponents like Microsoft, or by neutral parties like Sun that at some point can become hostile to Linux.

    Linux Indemnification Issues

    Indemnity is when one party holds another party harmless in the event that, as a result of a contract that exists between the two, a third party brings a claim against one or both of the original two parties. When you offer someone indemnity, you are acting as if you are the insurer with respect to third-party claims. If SCO is that third party and it sues you, the company that's holding you harmless will stand between you and SCO as a shield, covering legal costs and absorbing any damages you sustain as a result of entering this contract [Rosenbaum2004].

    It's worth stating that there is a way to avoid getting sued altogether, and it is the one SCO essentially wants to enforce. This might be a good option for any image-conscious company that wants to avoid the legal limelight: simply pay SCO $699 per server for a perpetual license of their intellectual property. According to SCO's Stowell, "The license that we are offering to commercial end users of Linux is called the SCO Intellectual Property License. The end user is provided with a license that allows them to run SCO's intellectual property as it is found in Linux in binary form only. This license is meant to apply to any version of Linux (based on the 2.2 kernel and later) that is being run in a commercial environment." [SCO2004] A major advantage of going this route is that it is Linux distribution neutral.

    Another option to minimize the chances of being sued is to run open source software on another operating system, one that includes indemnification (Solaris, HP-UX). Of the four major commercial Unixes (AIX, HP-UX, Solaris and Linux), AIX is the most risky from the intellectual property standpoint and would be harmed in the unlikely case that SCO succeeds, because of SCO's revocation of IBM's Unix license. Until the SCO lawsuit is resolved, IBM's AIX should be considered the most vulnerable Unix flavor. Also, only Solaris and Linux are available on the Intel architecture. As far as HP-UX is concerned, Intel's recent announcement regarding its AMD64-compatible Nocona hybrid puts a question mark over the future of all of HP's operating systems and makes Linux the only viable choice for them.

    Currently three companies provide Linux indemnification for their customers: HP, Novell and Sun. In all three cases only distributions supported by respective companies are covered: 

    IBM was the first and largest company to be sued by SCO, but it has yet to offer indemnification of any kind to customers. It did take some steps in this direction, though. In addition to its contribution to the OSDL defense fund (see below), IBM helped bankroll Novell's acquisition of Suse, a move that amounts to an indirect indemnification play. Meanwhile, Red Hat, the most popular distributor of Linux, has promised to replace any source code that's found to be infringing on a copyright. The company has earmarked a recent $1 million contribution to the Open Source Now Fund to help defray the legal costs of open source developers and academic institutions that become entangled in SCO's legal web [Shankland&Kanellos2003].

    The Open Source Development Lab (OSDL), created by IBM, Intel and several other large companies and the current employer of the original Linux kernel developer Linus Torvalds, has established a separate legal defense fund with the intention of helping Linux customers that come under litigation from SCO [Shankland2004a].

    For Linux customers, the highly fractured response has resulted in more questions than answers. How can companies like HP, which don't have their own distributions of Linux, offer indemnification? Even stranger, how is it that HP can offer indemnification on a version of Linux that even its distributor (Red Hat) won't indemnify? This raises the question of what happens when an HP customer running Novell's Suse Linux must invoke its rights to indemnification. Which of the two indemnification agreements takes precedence in addressing the customer's needs?

    Finally, does IBM's and Red Hat's failure to offer indemnification amount to a lack of confidence in their legal standing versus SCO that enterprises must take seriously when selecting Linux distributions and solution providers? Or is it a sign that real indemnification is impossible to achieve, therefore rendering the three existing programs less than they're cracked up to be? Or is it, as they have maintained in their public statements, that the SCO claims are baseless and don't warrant extraordinary indemnification measures?

    Other Major Open Source Projects

    It is important to understand that Linux is just one example of an open source project and there are many others that the company can benefit from. There are literally thousands of open-source projects in existence, including operating systems, programming languages, utilities, Internet applications and many more. Most of them are not interesting and cannot compete with commercial applications; also, quality and the level of security vary, with a lot of projects never achieving the magic version 1.0 (a relatively debugged version). The following 12 projects are notable for their influence, longevity, the size of the codebase (in the second column, in thousands of source lines, KLOC), and the level of success:

    Table 2. Major open-source projects

    Project | Size of the code base (KLOC) | License | Application Domain
    Apache | 100 | BSD-style | The most popular HTTP server on the Internet. Used by many large companies along with commercial web servers.
    Linux | 800 | GPL | Operating system.
    BIND | 150 | BSD | Dominant DNS server. Used by most large companies.
    KDE | 250 | GPL and LGPL | Desktop environment. Often used with Suse Linux.
    GNOME | 150 | GPL | Desktop environment. Besides Linux, it is used on Solaris 8 and 9 workstations. Supported by Sun.
    Sendmail | 200 | BSD | Dominant mail server on the Internet. Widely used for enterprise mail servers (especially external, Internet-facing ones).
    Perl | 150 | Artistic and GPL | Dominant scripting language. Widely used for Unix scripting and in production systems. Installed by default in Solaris.
    PHP | 150 | BSD-style | Scripting language popular in web applications (often used with MySQL). Widely used in large corporations (Yahoo).
    Python | 160 | BSD-style | Scripting language that competes with Java.
    Samba | 150 | GPL | Implementation of the Microsoft-compatible file server protocol.
    MySQL | 250 | GPL | Relational database for web applications. Popular in e-commerce applications. Used by Yahoo. Often used with PHP.
    PostgreSQL | 300 | BSD | Powerful relational database. Often used with Perl.

    Security Risks Inherent in the Open Source Development Process

    From a management perspective, open source development can be considered a special kind of outsourcing. As in any outsourcing, the potential weaknesses in open-source software development are many, and almost all of them affect security [Bezroukov1999a, Bezroukov1999b]. Of course, the problems outlined below are not limited to open source projects; the nature of open source development just makes them more acute in comparison with closed-source projects. But the ability to resolve those problems in open source projects almost completely depends on the personality of the leader of the project, who often acts as a benevolent dictator:

    Some Recent Deployment Statistics and Industry Trends

    As Linux introduces another OS into the current stable of existing OSes, it is very important to develop an integration strategy that does not increase the complexity of the current infrastructure and thus weaken the overall security of the environment by spreading the staff too thin between multiple different OSes. That means that businesses should be very cautious with deployment decisions and try to synchronize Linux deployment with a reduction of the variety of existing OSes, a move that is probably possible with Netware and HP-UX and that will be discussed later in this whitepaper. There is growing understanding that fashion-based Linux deployments are not cost effective. In his article "Switching to Linux picks up steam", published on ZDNet on August 31, 2004, David Becker wrote:

    In a report on total cost of ownership for the Linux, Unix and Microsoft Windows operating systems, research company The Yankee Group found that only 4 percent of businesses planned to migrate Unix servers to Linux within the next two years. A total of 11% intended to move Windows servers to Linux, while 21% proposed to add Linux servers to a predominantly Windows environment.

    On the desktop, 36% of businesses expected to have a few Linux PCs in their business, but only 5% planned a total migration to Linux. A majority (57%) planned no changes for Windows on the desktop.

    The main problem is that while moving to Intel-based servers is definitely a very cost-effective move, a move to Linux is only one of the possible ways to achieve that, as open source software can be deployed on other flavors of Unix and in some cases even under Windows:

    "All of the firms would like to reduce the amount of up-front capital expenditure dollars they spend on expensive Windows and Unix software licenses," the report found. "However, they also recognize that in certain instances, a wholesale or significant switch to Linux might reduce up-front costs but result in higher overall costs."

    Factors to consider in such a cost analysis range from interoperability with existing applications to the relative scarcity of trained Linux support personnel. "The establishments that have or are seriously considering Linux bemoaned the present dearth and high cost of skilled Linux administrators, even as they praised the open-source operating system's ease of use," the report stated.

    Such concerns may loom larger if a company is governed by a central IT strategy, which would discourage a piecemeal approach to technology adoption, Yankee analyst Dana Gardner said.

    "The position companies need to look at is whether there's a tactical or strategic role for Linux and open source," Gardner said. "They're looking at what would be a strategic platform that's fully integrated and supported."

    Comparative Security Matrix

    Below we tried to quantify the relative level of security based on the criteria discussed above. Of course this method has its limitations (we assume equal weight for each component of the metric, and the scoring is subjective). Still, I think that total scores provide some useful insight into the integral security of the OSes involved. The total scores for each OS are as follows:

    OS | Red Hat | Suse | Solaris on Sparc | Solaris on Opteron | AIX | HP-UX | Windows
    Total score | 148 | 137 | 176 | 163 | 159 | 150 | 129 (+12)

    Notes:

    Below we will reproduce the whole matrix:

    Name | Red Hat ES | SuSE | Solaris on UltraSparc | Solaris on Opteron | AIX | HP-UX on PA-RISC | Windows Server 2003 | Notes
    Accounts and passwords security | 8 | 8 | 8 | 8 | 8 | 7 | 8 | Linux provides a reasonable level of account security but it does not support RBAC. Some features of RBAC can be emulated via sudo, which is preinstalled in both Red Hat and Suse distributions.
    Root security | 7 | 7 | 6 | 6 | 6 | 6 | n/a | In Linux root by default has its own home directory, /root, which improves the security of this account.
    Filesystem security | 8 | 8 | 9 | 9 | 9 | 8 | 7 | Linux provides an extensive set of filesystem mounting attributes and can mount filesystems as read-only and nosuid. Still, virtualization capabilities are very rudimentary and here Linux is far behind the leading commercial Unixes (AIX and Solaris): Linux has only basic filesystem virtualization mechanisms (chroot).
    File permissions | 8 | 7 | 9 | 9 | 9 | 8 | 8 | Some Linux filesystems like Ext3 support ACLs, but the quality of ACL support in commercial Unixes is higher. Ext3 supports BSD-style extended attributes.
    Integrity checking | 8 | 7 | 8 | 8 | 6 | 6 | 7 | Linux is approximately equal to Solaris in integrity checking capabilities, and Red Hat ships with Tripwire as an installation option. Still, in Linux there is no MD5 fingerprint database like in Solaris, although some of its features can be emulated using the RPM database.
    Shell and scripting security | 7 | 7 | 8 | 8 | 8 | 8 | 8 | Neither operating system has advantages in this area, but Linux has some additional vulnerabilities due to the large number of shells and scripting languages installed by default.
    SSH support | 8 | 8 | 8 | 8 | 6 | 6 | 5 | As in Solaris, in Linux ssh is supported out of the box (it is an installation option).
    PAM support | 9 | 9 | 8 | 8 | 6 | 6 | 5 | Linux looks quite competitive with Solaris and has a wider selection of PAM modules than Solaris. Both definitely surpass AIX and HP-UX.
    X11 security | 4 | 4 | 6 | 6 | 6 | 6 | n/a | The problems with X security on Linux are mainly due to the lesser security of its desktop managers Gnome and KDE (especially Gnome).
    TCP wrapper support | 8 | 8 | 8 | 8 | 6 | 6 | 1 | Linux has TCP wrapper functionality in the xinetd daemon.
    NFS | 6 | 6 | 9 | 9 | 8 | 8 | 5 | Linux NFS support is rudimentary and not that stable. Solaris has a much better implementation.
    Built-in firewall | 8 | 8 | 8 | 8 | 6 | 6 | 8 | Linux has a built-in firewall that is enabled by default.
    Quotas enforcement and accounting data collection | 6 | 6 | 8 | 8 | 8 | 8 | 8 | Commercial Unixes are still superior in this area.
    Logging | 6 | 6 | 8 | 8 | 7 | 7 | 7 | All Unixes are approximately equal in this area, but Linux has better log postprocessing tools. Solaris has much better kernel-based logging mechanisms that help in debugging.
    Patching process quality | 6 | 6 | 9 | 9 | 8 | 8 | 8 | Patching in Linux involves updating whole packages. The patching process in both Red Hat and Suse is weaker than the Solaris patching process, and patching support requires a maintenance contract.
    Number of exploits and hacking attack statistics | 4 | 4 | 8 | 7 | 8 | 8 | 4 | As for the number of exploits, Linux is less secure than commercial Unixes; it can be rated as equal in insecurity to Windows.
    Process security | 6 | 6 | 9 | 9 | 10 | 6 | 8 | Solaris 10 has zones; AIX 5.3 has partitions available by default.
    Kernel security | 4 | 4 | 9 | 8 | 9 | 7 | 6 | Security of the kernel in Linux is hampered by the number of contributors and the complexity of the build process. Security-wise the Linux kernel does not have the capabilities of the Solaris or AIX kernels.
    Network security | 4 | 4 | 8 | 8 | 7 | 7 | 4 | Linux network security is bad due to the number of installed network applications.
    Package management | 8 | 7 | 6 | 6 | 4 | 4 | 6 | RPM is an impressive package manager created by Red Hat, and RPM-based packages dominate among all applications in the Linux space.
    Education and security certifications | 9 | 7 | 8 | 7 | 7 | 6 | 10 | The number of books devoted to Red Hat security is considerable and surpasses the number of Solaris books by an order of magnitude. Red Hat offers four security-related training courses (approximately the same as Sun for Solaris). We judge that in this area Linux surpasses all other Unixes and trails only Windows.
    Hardware related security issues | 6 | 6 | 8 | 7 | 8 | 8 | 6 | 32-bit Intel hardware is the most hacked hardware in existence and is widely available to hackers in any country on the globe. By just switching to 64-bit hardware we can somewhat decrease hardware-related security risks.
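    The integrity checking row above notes that parts of the Solaris fingerprint database can be emulated with the RPM database. The script below is an added example, not code from the paper or from any vendor, of how a defender might do that in practice: it grades the output of rpm -Va so that a changed digest in a binary stands out from a harmless timestamp change or an edited config file. It assumes the rpm -V line format documented in rpm(8) (a flag string or the word "missing", an optional attribute letter such as c for config files, then the path); the sample output it runs on is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the paper): emulating a Solaris-style fingerprint
# check on an RPM-based Linux host by grading the findings of `rpm -Va`.
# Assumption: the rpm -V line format documented in rpm(8), i.e. a flag string
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime) or
# the word "missing", then an optional attribute letter (c = config file,
# d = documentation, g = ghost, l = license, r = readme), then the path.

# Constructed sample output, not captured from a real host.
SAMPLE_RPM_VERIFY='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/login
.......T.    /usr/share/doc/foo/README
missing     /usr/sbin/useradd
.M.......    /usr/bin/passwd'

# classify_rpm_verify: read rpm -V output on stdin and print one finding per
# line as SEVERITY<TAB>reason<TAB>path.  A changed digest (flag 5) in a
# non-config file, or a missing file, is HIGH because that is what a replaced
# binary looks like; mode and owner changes are MEDIUM; edited config files
# and timestamp-only changes are LOW.
classify_rpm_verify() {
    awk '
        NF == 0 { next }
        {
            flags = $1
            attr = ""
            first = 2
            if (NF >= 3 && $2 ~ /^[cdglr]$/) { attr = $2; first = 3 }
            path = $first
            for (i = first + 1; i <= NF; i++) path = path " " $i   # keep paths with spaces
            if (flags == "missing") { print "HIGH\tmissing file\t" path; next }
            if (index(flags, "5") && attr != "c") { print "HIGH\tcontent changed\t" path; next }
            if (index(flags, "M")) { print "MEDIUM\tmode changed\t" path; next }
            if (index(flags, "U") || index(flags, "G")) { print "MEDIUM\towner changed\t" path; next }
            if (attr == "c") { print "LOW\tconfig file edited\t" path; next }
            print "LOW\tmetadata changed\t" path
        }'
}

# count_findings SEVERITY: number of findings of that severity on stdin.
count_findings() {
    awk -v sev="$1" -F '\t' '$1 == sev { n++ } END { print n + 0 }'
}

# audit_rpm_host: run the real check on this host (needs rpm; not used by the
# sample run below).  Prints all findings and exits non-zero when any HIGH
# finding exists, so it can be wired into a cron job or a monitoring probe.
audit_rpm_host() {
    findings=$(rpm -Va 2>/dev/null | classify_rpm_verify)
    printf '%s\n' "$findings"
    [ "$(printf '%s\n' "$findings" | count_findings HIGH)" -eq 0 ]
}

# Sample run on the constructed data.
printf '%s\n' "$SAMPLE_RPM_VERIFY" | classify_rpm_verify
```

    On a real host, audit_rpm_host would be run from cron with an alert on a non-zero exit. Note the limit of this approach, which is the same limit the matrix row hints at: rpm -V compares files only against the digests recorded in the installed package, so it cannot detect a package that was already modified before installation; a baseline taken at install time with a tool like Tripwire still has the edge there.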

    Legend:

    References

    [AMD2004] AMD. One Year Later, AMD And Sun Continue To Redefine Enterprise Computing. AMD press release, November 17, 2004. URL: http://www.amd.com/us-en/Corporate/VirtualPressRoom/0,,51_104_543~92079,00.html

    [Berlind2004a] David Berlind. HP's protection: SCO-only, but no dollar limit. ZDNet, February 18, 2004. URL: http://techupdate.zdnet.com/techupdate/stories/main/HP_protection.html Accessed March 4, 2004.

    [Berlind2004b] David Berlind. Novell's protection: Covers more than SCO, caps damages, targets enterprises. ZDNet, February 18, 2004. URL: http://techupdate.zdnet.com/techupdate/stories/main/Novell__protection.html Accessed March 4, 2004.

    [Bezroukov1999a] Nikolai Bezroukov. "Open Source Development as a Special Type of Academic Research (Critique of Vulgar Raymondism)." First Monday, volume 4, number 10 (October 1999). URL: http://firstmonday.org/issues/issue4_10/bezroukov/ Accessed March 4, 2004.

    [Bezroukov1999b] Nikolai Bezroukov. "A Second Look at the Cathedral and the Bazaar." First Monday, volume 4, number 12 (December 1999). URL: http://firstmonday.org/issues/issue4_12/bezroukov/ Accessed March 4, 2004.

    [BSD1979] The 4.4BSD Copyright.

    [Breslow86] Jordan J. Breslow. Copyright Law. Walnut Creek, CA 94596, USA, 1986. URL: http://www.ifla.org/documents/infopol/copyright/breslow.txt

    [Broersma2004] Matthew Broersma. "Linux security problems are your own fault." InfoWorld, August 2, 2004. URL: http://www.infoworld.com/article/04/08/02/HNlinuxsecurity_1.html

    [Cassim&Overly2005] Yusuf Cassim and Michael R. Overly. The Real Price of Linux Software. Law.com, January 28, 2005. URL: http://www.law.com/jsp/ltn/pubArticleLTN.jsp?id=1106573739477

    [Debian2003] Debian. Some Debian Project machines compromised. Debian News.

    [Davis2004a] Noel Davis. Apache Repaired. O'Reilly LinuxDevCenter.com, May 17, 2004. URL: http://www.linuxdevcenter.com/pub/a/linux/2004/05/17/insecurities.html

    [Davis2004b] Noel Davis. Linux Kernel Problems. O'Reilly LinuxDevCenter.com, May 19, 2003. URL: http://www.linuxdevcenter.com/pub/a/linux/2003/05/19/insecurities.html#lin

    [Davis2004c] Noel Davis. Linux Kernel Exploitation. O'Reilly LinuxDevCenter.com, September 9, 2004. URL: http://www.linuxdevcenter.com/pub/a/linux/2004/09/09/insecurities.html

    [Davis2004d] Noel Davis. ELF Trouble. O'Reilly LinuxDevCenter.com, December 1, 2004. URL: http://www.linuxdevcenter.com/pub/a/linux/2004/12/01/security_alerts.html

    [Davis2004e] Noel Davis. Linux AMD64 Kernel Bug. O'Reilly LinuxDevCenter.com, December 29, 2004. URL: http://www.linuxdevcenter.com/pub/a/linux/2004/12/29/security_alerts.html

    [DiBona1999] Chris DiBona, Sam Ockman and Mark Stone (editors). Open Sources: Voices from the Open Source Revolution. Sebastopol, Calif.: O'Reilly & Associates, 1999.

    [IEoF2002] Internet Encyclopedia of Philosophy. URL: http://www.utm.edu/research/iep/s/soc-cont.htm

    [FSF1998] Richard Stallman. The BSD License Problem. Free Software Foundation, 1998-2002. URL: http://www.gnu.org/philosophy/bsd.html

    [FSF1991] GNU General Public License, Version 2, June 1991. GNU Project, Free Software Foundation (FSF).

    [FSF1999a] GNU Lesser General Public License, Version 2.1, February 1999. GNU Project, Free Software Foundation (FSF).

    [Gregbillock2002] Stolen open source a corporate legal risk. kuro5hin.org, 04/09/2002.

    [Golden2005] Bernard Golden. The ROI of Open Source. CIO Magazine (Pundit), June 15, 2005. URL: http://www.cio.com/archive/061505/et_pundit.html

    [Kelty2001] Christopher M. Kelty. Free Software/Free Science. First Monday, volume 6, number 12 (December 2001). URL: http://firstmonday.org/issues/issue6_12/kelty/index.html

    [Krishnamurthy2002] Sandeep Krishnamurthy. "Cave or Community?: An Empirical Examination of 100 Mature Open Source Projects." First Monday, volume 7, number 6 (June 2002). URL: http://firstmonday.org/issues/issue7_6/krishnamurthy/index.html

    [LaMonica2005] Martin LaMonica. Mixing up the LAMP stack. CNET News.com (News.blog). URL: http://news.com.com/2061-10795_3-5746474.html?part=rss&tag=5746474&subj=news

    [Lancashire2001] David Lancashire. The Fading Altruism of Open Source Development. First Monday, volume 6, number 12 (December 2001). URL: http://firstmonday.org/issues/issue6_12/lancashire/index.html

    [Lash1998] Alex Lash. Source code for the masses. CNET News.com, February 2, 1998. URL: http://news.com.com/2009-1001-207659.html?legacy=cnet Accessed July 27, 2004.

    [Lemos2002] Robert Lemos. Too much trust in open source? CNET News.com, March 20, 2002. URL: http://zdnet.com.com/2100-1104-864256.html

    [Levesque2004] Michelle Levesque. Fundamental issues with open source software development. First Monday, volume 9, number 4 (April 2004). URL: http://firstmonday.org/issues/issue9_4/levesque/index.html

    [LWN2003] LWN. Savannah.gnu.org compromised too.

    [Malcolm2003] Jeremy Malcolm. Problems in Open Source Licensing. iLaw.au, 2003. Paper presented at Australia's national Linux conference, Linux.conf.au, January 24, 2003. URL: http://www.ilaw.com.au/public/licencearticle.html

    [Matzan2005] Jem Matzan. BSD cognoscenti on Linux. NewsForge, June 15, 2005. URL: http://os.newsforge.com/os/05/06/09/2132233.shtml

    [McMillan2005] Robert McMillan. IBM goes silent on Linux desktop effort. Computerworld, January 25, 2005.

    [Meyers2000] Bertrand Meyer. The Ethics of Free Software. Software Development, March 2000. URL: http://www.sdmagazine.com/documents/s=746/sdm0003d/0003d.htm

    [MICROSOFT2000a] Microsoft. Questions about GPL. URL: http://www.microsoft.com/korea/business/downloads/licensing/Gpl_faq.doc

    [Millard2004] Elizabeth Millard. Survey Results Show Few Linux Security Problems. LinuxInsider, June 28, 2004. URL: http://www.linuxinsider.com/story/35421.html

    [Miller2002] Robin Miller. Linux, Open Source have 'more security problems than Windows'. NewsForge.com, November 15, 2002. URL: http://www.theregister.co.uk/2002/11/15/linux_open_source_have_more

    [Moglen1999] Eben Moglen. "Anarchism Triumphant: Free Software and the Death of Copyright." First Monday, volume 4, number 8 (August 1999). URL: http://firstmonday.org/issues/issue4_8/moglen/ Accessed March 4, 2002.

    [Mozilla1999] Mozilla Public License, version 1.1.

    [Mozilla2001] Mozilla Relicensing FAQ.

    [MySQL_AB2002] MySQL AB. MySQL News: FAQ on MySQL vs. NuSphere Dispute.

    [Naraine2002] Ryan Naraine. Yahoo Goes PHP in Open Source Embrace. internetnews.com, October 30, 2002. URL: http://www.internetnews.com/dev-news/article.php/1491221

    [Netcraft2004] Netcraft. Slight Linux Market Share Loss for Red Hat. Netcraft Inc., July 12, 2004. URL: http://news.netcraft.com/archives/2004/07/12/slight_linux_market_share_loss_for_red_hat.html

    [Novell2003] Novell. Technology License Agreement.

    [Oncoresystems2002] GNU Public License Clarification. URL: http://www.oncoresystems.com/linux_gpl.htm

    [Orlowski2004] Andrew Orlowski. Novell offers SCO last drink at System V saloon. The Register, February 12, 2004. URL: http://www.theregister.co.uk/2004/02/12/novell_offers_sco_last_drink Accessed April 10, 2004.

    [OSI1999] Open Source Initiative. The Open Source Definition, Version 1.4. URL: http://www.opensource.org/osd.html Accessed April 10, 2004.

    [Perens1999] Bruce Perens. "The Open Source Definition." URL: http://www.opensource.org/docs/definition.php Accessed March 8, 2004.

    [REDHAT2002] redhat.com Trademark Guidelines.

    [Raymond1998a] Eric S. Raymond. "The Cathedral and the Bazaar." First Monday, volume 3, number 3 (March 1998). URL: http://firstmonday.org/issues/issue3_3/raymond/ Accessed March 4, 2004.

    [Raymond1998b] Eric S. Raymond. "Homesteading the Noosphere." First Monday, volume 3, number 10 (October 1998). URL: http://firstmonday.org/issues/issue3_10/raymond/ Accessed March 4, 2004.

    [Rosenbaum2004] Joseph Rosenbaum. Protect Thyself 101: A primer on indemnification. ZDNet, February 18, 2004. URL: http://techupdate.zdnet.com/techupdate/stories/main/indemnification_primer.html

    [Salkever2001] Alex Salkever. Is Open-Source Security Software Safe? BusinessWeek Online, December 11, 2001. URL: http://www.businessweek.com/bwdaily/dnflash/dec2001/nf20011211_3015.htm

    [SCO2004] SCO Group Inc. Intellectual property license. SCO Group, February 2, 2004. URL: http://www.thescogroup.com/scosource/scoip_eula_feb204.pdf Accessed March 4, 2004.

    [Shankland2003] Stephen Shankland. SCO targets Linux customers. CNET News.com, May 14, 2003. URL: http://zdnet.com.com/2100-1104-1001609.html Accessed March 4, 2004.

    [Shankland&Kanellos2003] Stephen Shankland. Red Hat files suit against SCO. CNET News.com, August 4, 2003. URL: http://zdnet.com.com/2100-1104-5059547.html

    [Shankland2004a] Stephen Shankland. SCO suits target two big Linux users. CNET News.com, January 12, 2004. URL: http://zdnet.com.com/2100-1104-5138820.html Accessed March 4, 2004.

    [Shankland2004b] Stephen Shankland. SCO suits target two big Linux users. CNET News.com, March 3, 2004. URL: http://news.com.com/2100-1014-5168921.html Accessed March 4, 2004.

    [Slashdot2003] Slashdot. Gentoo rsync Server Compromised [updated]. URL: http://slashdot.org/article.pl?sid=03/12/03/1921235

    [Stallman1985] Richard Stallman. The GNU Manifesto.

    [Stallman1998] Richard Stallman. Netscape Public License. GNU Project, Free Software Foundation (FSF).

    [Stallman1999a] Richard Stallman. URL: http://mail.gnome.org/archives/gnome-announce-list/1999-February/msg00031.html

    [Stallman1999b] Richard Stallman. Why you shouldn't use the Library GPL for your next library. LinuxToday, February 1, 1999. URL: http://linuxtoday.com/news_story.php3?ltsn=1999-02-01-004-05-OP Also at the FSF website, URL: http://www.gnu.org/philosophy/why-not-lgpl.html

    [Stallman1999c] Richard Stallman. Freedom and the GNU GPL. Linuxworld.com, October 4, 1999.

    [Stallman1999d] Richard Stallman. "The GNU Operating System and the Free Software Movement." In Chris DiBona, Sam Ockman and Mark Stone (editors), Open Sources: Voices from the Open Source Revolution. Sebastopol, Calif.: O'Reilly & Associates, 1999. URL: http://www.oreilly.com/catalog/opensources/book/stallman.html

    [Stallman2002b] Richard Stallman. RMS condemns per-seat licensing: Linux, GNU, and freedom. Linux and Main, May 31, 2002. URL: http://www.linuxandmain.com/modules.php?name=News&file=article&sid=83 Accessed May 31, 2004.

    [SUN2004] Sun. Sun's Linux Offerings. URL: http://wwws.sun.com/software/linux/


    FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusively for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.

    Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

    Original materials' copyright belongs to the respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

    Disclaimer:

    The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

    Last modified: June, 04, 2016