Slashdot Mirror
Security Experts Doubt SCO's Claims of DoS
devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."
← Back to Stories (view on slashdot.org)
It wouldn't be an over-exaggeration to say that a bulk of SCO-related talks happen here on Slashdot. Even NY Times and other mainstream media frequently refer to Slashdot, when they need a quote from "open-source community", "Linux users" and other group that is mentioned in the article. Thus any DDOS attack organization wouldn't probably go unnoticed on this site.
So here's a question - have you or any friends of yours taken part in SCO DDOS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.
If it's true that SCO is lying or too inept to know what's happening then somehow this has to make it to the mainstream press. That would do more damage to their stock value than any DDoS.
Trolling is a art,
SCO will sue Groklaw for illegal use of the term "DDoS", which of course SCO lays claim to.
"Armed forces abroad are of little value unless there is prudent counsel at home" - Cicero
or at least, not necessarily, so the fact that the FTP server is up is not necessarily a pointer to the fact that SCO are lying through their teeth. (They may still be, but ...)
The thing that's odd is that they think it disrupted their intranet - who in their right mind merges the public internet server and internal intranet server ???
Simon
Physicists get Hadrons!
Wednesday, December 10 2003 @ 04:37 PM EST
SCO has reported that they are experiencing an attack on their servers. Groklaw has been flooded with information that indicates their story doesn't add up.
The consensus of what I am hearing is: That it is probably not an attack. That their description of the "attack" makes no sense. And that if what they are saying were true, SCO would be admitting to gross negligence.
First, I'm being told that Linux has a very simple preventative built in. Linux comes with the ability to block ALL SYN attacks. End of story. All major firewalls can do so also. They run their web site on Linux. CISCO routers can protect against SYN attacks too, I have been told, if properly enabled. Why does SCO persist in having such problems?
I knew one of Groklaw's readers is a security professional in Australia, so I wrote to him and asked if he'd take a look and give me his opinion.
Steve McInerney describes himself like this: "I worked for six years as the Technical Security member of the IT Security team for Australia's Department of Defense. Also I did IT Security policy writing/advice. More recently I was one of the senior designers/firewall/security experts at a company that manages Australia's largest federal government-certified Internet gateway." He just sent me his opinion:
"SCO has released a press release stating that their web site www.sco.com has come under a Distributed Denial of Service Attack (DDoS), specifically a SYN flood.
"Before we show how silly this statement is, let's explain SCO's position. A 'SYN Flood' attack is an attack that attempts to stop a server from accepting new connections. It's quite an old attack now, and has been relegated to the 'That was interesting' basket of attacks.
'A very simple analogy of a SYN attack: You have two hands, you are thus able to shake hands with at most two people at any one time. A third person who wants to shake your hand has to wait. Either you or one of the first two people can stop shaking hands so as to be able to accept the third person's handshake.
"In this instance SCO are claiming that 'thousands' are doing something similar to their web server. This is, in and of itself, plausible. Unfortunately if we look closer there are a few problems with this claim of SCO's.
"As stated above, the attack is quite an old one. Patches to all Operating Systems that I'm aware of, do exist to stop this sort of attack. For instance, a CISCO document: http://www.cisco.com/warp/public/707/4.html describes the attack and provides ways to stop it. Note the lines: 'Employ vendor software patches to detect and circumvent the problem (if available).' This means, quite simply, that patches exist to mitigate this attack.
Why hasn't SCO applied them?
Further SCO States:
"'The flood of traffic by these illegitimate requests caused the company's ISP's Internet bandwidth to be consumed so the Web site was inaccessible to any other legitimate Web user.'
"Interesting. If their bandwidth is consumed, then any servers nearby will also be inaccessible. That is www.sco.com has the IP address of 216.250.128.12 and ftp.sco.com has the IP address of 216.250.128.13 so the two servers are side by side, probably even on the same physical network hub/switch. Note that there is no room for a broadcast, etc., address - these servers are on the same subnet - i.e., on the same network device (hub/switch).
"Unfortunately for SCO, from Australia, ftp.sco.com is highly responsive. No bandwidth problems there that I can see - even though www.sco.com is still unavailable.
"The evidence then, is that their bandwidth is fine.
"So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.
"I feel quite
But I sure know that groklaw is DOS'd.
Connection refused.
That just causes more problems for their servers.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
"SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really?"
;)
Groklaw certainly has just been
Cheers,
rob.
stolen from: http://www.newsforge.com/business/03/12/11/1315246 .shtml?tid=85
Very strange is this; reported BEFORE it happened?
by Anonymous Reader on 2003.12.11 12:54 (#81456)
I see they have been playing this DDos Attack in the press. In fact, as near as I can tell, the stories about this ddos attack started appearing very early on. Most companies take some time to discover they have a ddos attack, and then to take the time to report it; the press also has lead time for a story to actually make it out the door and into print/web site/whatever.
The early and timely appearing of their "press" about it even while this attack was "underway", and through so many sources, leads me to ask this question; is it possible they contacted any press BEFORE this alledged attack even took place?!
I thought Groklaw was more of an expert in law.
Security Expert: "Oh, so um, you claim malicious linux users who you wanted to sue are DDoSing your servers Mr. McBride? Well, let me get out my laptop and check it out."
*boots up linux distro of choice*
"Nope, doesn't look like it was that at all, sorry!"
*evil snicker*
Buy Steampunk Clothing Online!
First they claim they own Linux, and now DOS! What's next, CP/M?
sulli
RTFJ.
What's even weirder is, that before the groklaw post, www.sco.com was down, but ftp.sco.com (next IP address) was just fine, which invalidated SCO's claims of a DDoS attack.
But about 2 hours after the groklaw post, ftp.sco.com mysteriously went down too.
Just more ham handed FUD from Darl and friends.
Read through the groklaw page earlier, and it was really based heavily upon lots of speculation and in some cases, as was pointed out by other posters, misinformation and lack of technical knowledge.(Stuff like: I can ping the ftp server, but not the www server, and their IP addresses are only off by 1 number, that means it is fake!)
Now, it may or may not be true, but it is total and absolute speculation at this point and some people seem to have already accepted it as fact.
Casual Games/Downloads
SCO's web site was only designed to handle one person at a time. Until recently, it worked well enough, but recently two people tried to access the web site simultaneoulsy. This, of course, brought down their server. And since the two people were located at different locations, it was distributed; hence, we have a distributed denial of service (DDoS) attack.
And now you know the real story.
For every post, there is an equal and opposite re-post.
There's a poll here.
Belief is the currency of delusion.
I don't doubt their claims, they are clearly lying. Instead of discussing the obvious, that they are not under a DDoS attack, we should be asking ourselves why they are faking an attack.
Some people have pointed out that they are doing it to remove self incriminating evidence from their website. Very likely.
Another plausible speculation is that they are going to use this fake attack as an excuse to delay showing the evidence the judge demanded. I wouldn't be surprised if they go as far as saying that some "evil free software hugger" performed the attack to erase the evidence from all their computers, and use that as an excuse to insist that IBM should show their code first.
And no, these are not conspiracy theories, because the evidence is enough to prove they are faking the attack. They are doing it for a very good reason.
Netcraft had a posting about the supposed attack, but didn't doubt the actual situation. I've sent them the following letter:
1 63721614
To: webmaster@netcraft.com
Subject: News on your front page
You have a news article about SCO's network downtime posted on your front page, claiming that SCO is the target of a DDoS attack. Due to availability of services on other machines on the same netblock, like the FTP protocol on ftp.sco.com (one IP address higher than www.sco.com), I question the veracity of your news article, and I felt that I should call this into question.
groklaw.net has information posted that you might find interesting, potentially leading to a revision of your news article. The page can be found at:
http://www.groklaw.net/article.php?story=20031210
Much of the information that I have read about this is available from them, as are some theories as to what is actually happening.
Thank you for your time,
TWX
Basically, if you doubt the truth of the "news" about SCO/Caldera's troubles, call it into question with those reporting it, especially those who are supposed to be some kind of authority to listen to.
Do not look into laser with remaining eye.
SCO Experiences Distributed Denial of Service Attack
It was suggested on the Yahoo BBS that perhaps this was a DNS IP transition that wasn't properly planned by the BOFH admin. Could that mean this website has been up and running all along on this new IP address?
SCO Grows Your Business http.://216.250.128.20 vs the old address of 216.250.128.13?
Inquiring minds want to know! News editors are breathless waiting! Investors are fretting! BSD users dread being blamed next! The SLTPD and FBI need your assistance in tracking down the real SCO-flaws
I'm sure this is just an overture to...
Step 2: "Hackers" infiltrate SCO and maliciously make off with all of the supporting evidence for their suits against IBM. Sorry judge!
Why don't we SYN flood their FTP server? If their claims are correct, it should go offline, right?
But there is another kind of evil that we must fear most... and that is the indifference of good men.
-SCO sold all their servers to increase revenue.
-They took everything down to install MS Windows Advanced Server 2004
- The guy that took over for the sysadmin, after they fired him, tripped and spilled coffee all over the cisco rack. They're waiting for replacements, shipped Express.
- Daryl opened an attachment
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
The most probable explanation - they recompiled apache so it doesn't reveal the host OS, made all the other changes, and fubar'd the update. rather than admit it, they claimed a DoS attach.
bye.edu was down, uvsc.edu was down.. iomega was down.. What do they all have in common.. They are in the Salt Lake City valley area. I was bored and decided to visit sco and it was down.. traceroutes to all locations revealed that a OC-12 connection between level3.net and x0.net was down somewhere in chicago.. thus causing me not to get into the SLC area.
There's no Freedom like UFP-dom
Well the only point I can make is that not a lot of people read the comments. The proof I have is groklaw was fine until this story was posted and now it is slashdotted. I am sure the slashdot crew could tell us the % of people that go and read the comments but I would guess less the 20%.
I didn't use the preview button, so get over it!!!!
Mike
Later SCO will claim that this is the same server that held the only copy of their moutain of evidence and all of their source code too.
SCO was taking a publicity beating on several fronts:
- They got an unfavorable ruling WRT discovery on Friday
- The world discovers Boies isn't so confident of SCO's case that he's willing to take the case on contingency. Boies is billing by the hour, he just stands to get a big bonus under certain conditions.
- Baystar/RBC isn't happy about the Boies deal, so they demand and get the power to veto certain courses of action.
- SCO has to delay their earning announcement by two weeks to screw around with the numbers.
Needless to say, SCOX stock price dives, and the lo and behold, an attack on SCO's website suddenly becomes the to SCO new item and buries all the other bad news. How fortunate!
This past week the university that I work for has been the victim of an internal denial of service attack that may be related. From what I can gather, our sysadmins have traced the problem to some sort of irc virus/worm that is using student's computers to participate in a DDOS attack. The compromised computers were spoofing random ip adresses and (from what I heard) trying to hit SCO. These have all been stopped by our firewall, but they had been causing trouble with said firewall all week.
I don't have conformation that they were trying to hit SCO, but this headline jibes.
"When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
lack of technical knowledge.
If you have read the article, and still believe this, then it is you that suffers from a lack of technical knowledge.
it is total and absolute speculation at this point
No, it most certainly is not.
It is a logical conclusion, drawn from deductive reasoning.
From the evidence (machines on the same network, accessible through the same router and switch, are unaffected), we can deduct that at least some of SCO's claims (such as the bandwidth usage) are false.
This does not preclude the possiblity of a synflood attack, however the fact that a synflood would be prevented by a properly configured network means that SCO is either lying, or incompetant.
The absolutely best hypothesis is that they're doing it to purge the bad news off the newssites. There was news about the motion to compell hearing (which wasn't SCO's finest hour. Read the transcript here. Check p55 if you're in a hurry) and about the SCO - Boies - Investor-relationship which also was very bad news for SCO, because they want people to belive Boies is on a continguency (apparently that implies 'faith in the lawsuit').
Where is that now? Gone.
Instead we have stories about poor, poor SCO being attacked by those evil linux users.
How many companies release Press Releases about being under attack?! On the same day, no less!
Belief is the currency of delusion.
After trading as low as $15.10 intraday Monday, SCO shares closed down $1.32, or 8%, at $15.27.
Two events from Friday were feeding the selloff. First, SCO lost a motion asking IBM for source code. The court also ruled SCO must provide the code relevant to the case to IBM within the next 30 days. SCO shares closed down $1.32, or 8%, at $15.27. ...
Secondly, SCO on Friday postponed its fourth-quarter earnings report, initially scheduled for Monday ...
It worked, too. See SCO's chart. The stock dropped about 10-15% in moderately heavy Tuesday and Wednesday trading, but has since bounced back by about half that much.
The interesting thing here is that it came back up for what looked like an house according to netcraft. Look at the New York graph it was even responding normally, how strange.
o .com
http://uptime.netcraft.com/perf/graph?site=www.sc
If a first you don't succeed, your a programmer...
It was all their remaining technical people sending out floods of job applications.
One line blog. I hear that they're called Twitters now.
I have confirmation. SCO ips (and Google's) were being attempted by the virus/worm our users have.
;-)
From the sysadmin: "Its's gotta be some 15 yo - he also tried going after google and anyone who knows anything knows that that'd be futile"
SCO isn't [completely] lying for once.
"When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
Most members of the press are as interested in the truth as Darl McBride is, and they are equally compentent in technology matters.
Face it a bunch of angry hackers attacking SCO makes a better story than the truth. Especailly using the 10 word headline format that is so prevelant in the US.
So Long and Thanks for all the Fish.
I think that it is you that missed the networking class. Different IP addresses on the same subnet do NOT have to use the same gateway at all. It is in fact possible for a class C subnet (254 addresses) to have 127 hosts(workstations) and 127 routers on the same subnet. In this bizarre and highly unlikely scenario, each of the 127 hosts could have its own unique, personal gateway.
It is quite common for large or critical subnets to have multiple gateways for reliability or load distribution. Combine those gateways with Hot Standby Routing Protocol(HSRP) or Virtual Redundant Routing Protocol(VRRP) and you have very reliable gateways indeed.
Dear Mr. Judge,
I am sorry but we are unable to provide the source code examples you have requested. These examples were stored on our web server and were lost in a recent DDoS attack on these servers.
By my reckoning, that means we win. Tell IBM to pay up.
-D. McBride
CEO, SCO Group
Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
Near the top of the article, a security expert from Australia says:
"So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.
He also claims that ftp.sco.com should be unavailable if the DoS attack were real.
However, near the bottom of the article, another user writes in:
"There are many types of DoS and DDoS attacks, each type targeting a different resource. Blake Stowell is confusing a SYN flood (an attack against the TCP port resource on a host) with a brute-force DDoS against a bandwidth resource. This simply demonstrates that BS is not a techie and that the difference has not been explained to him.
"Dear Mr. BS: . . . A SYN-flood attack probably consumes 1 Kbps or less. Everybody else in the known universe can communicate with all of your externally-visible machines except www.sco.com. If the (alleged) attack on www.sco.com has affected any other machines, your network is very poorly administered. I suggest you avail yourself of the vast array of of volunteer expertise that is ready to help any user of a Linux system.
This suggest to me that SCO didn't explain correctly the type of attack it's under, especially in saying 'all bandwidth was consumed' when perhaps they meant 'all server resources were consumed'
However, I make no statements whether the DoS attack is real or fabricated- I see either as likely.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
1: The day before the alleged attack it was revealed that the "contigency agreement" with Boies (a very high profile lawyer) isn't really a contigency agreement at all, but a bonus on top of already very expensive fees.
The claims of Boies taking the case on contigency is one of the major reasjons for the SCOX market capitalizion to incerease by 20x since he was hired. (SCO is extremely dependent on their inflated stock price for survival)
2: SCO actually paid a PR firm to distribute their press release about the alleged attack - this might be a first by any company.
Now put 1 and 2 together and you get both a motive (get attention away from the Boies deal), and a method (fake a ddos attack, pay for a press release to be distributed).
Did anyone else see this article linked from SCO's main page? It starts off saying 'I have a hard time seeing the Linux Zealots as any different from terrorists because of the nature of their threats.'. I knew Darl and Co. were a bunch of asshats, but this is ridiculous.
they recompiled apache so it doesn't reveal the host OS
You don't have to recompile Apache to make it not reveal OS. ServerTokens (AFAIR) Directive is for setting this. Rather you need to recompile kernels to spoof TCP/IP fingerprints that are used to reveal OS running on host.
On a different note, perhaps we should all (all /. readers) visit the SCO site each day, maybe even multiple times a day, to make sure we don't miss out on some important information.
And remember, you'll want to disable your cache to do this. Oh, and if you have a browser that allows you to set it to auto refresh, that would be a good idea too. It would really be a shame to miss an important press release just because you forgot to hit Refresh often enough...
Unfortunately, SCO's unknown (linux) server is having some difficulty right now.
What (obviously) amuses me is that this frequent refreshing of their news page would be justified, given their proclivity for using press releases to disseminate important information.
.sigs are for post^Hers.
They forgot to buy a liscense from themselves, and were forced to shut their server down to keep from getting sued by themselves?
I think we should have an informal fund raiser for groklaw.
They (that guy?) does a lot for the good of the world (fighting evil (sco) is not just good for linux, it's good for "right").
So, I'll donate $5 to his paypal, and I highly recommend that everyone else do the same. $5 isn't much, but * slashdot it's a lot. Surely we've spent a lot of their money on bandwidth, not to mention the free research time they've spent.
.sigs are for post^Hers.
If you want to see what boxes SCO neglected to unplug in the 216.250.128.xxx subnet here's a list. HINT: QUITE A FEW ARE ONLINE!
216.250.128.7 ftp-rsync.sco.com
216.250.128.9 lists.caldera.com
216.250.128.12 www.sco.com
216.250.128.13 ftp.sco.com
216.250.128.14 ftp.dev.caldera.com
216.250.128.15 ftp.beta.caldera.com
216.250.128.16 ftp.iso.caldera.com
216.250.128.17 ftp2.sco.com
216.250.128.32 colonet.caldera.com
216.250.128.33 artemis.caldera.com
216.250.128.35 apollo.sco.com
216.250.128.37 stage.caldera.com
216.250.128.44 colofailover1.caldera.com
216.250.128.45 colofailover2.caldera.com
216.250.128.46 cologw.caldera.com
216.250.128.47 colobcast.caldera.com
216.250.128.64 vultusnet.ut.sco.com
216.250.128.65 medusa.ut.sco.com
216.250.128.66 minotaur.ut.sco.com
216.250.128.67 sphinx.ut.sco.com
216.250.128.69 pegasus.ut.sco.com
216.250.128.70 cyclops.ut.sco.com
216.250.128.71 griffon.ut.sco.com
216.250.128.72 chimaera.ut.sco.com
216.250.128.194 public.sco.com
216.250.128.197 register.sco.com
216.250.128.198 authentica.caldera.com
216.250.128.199 sonic.ut.caldera.com
216.250.128.200 vupdate.sco.com
216.250.128.210 bosshog.j2.net
216.250.128.215 openwbem.caldera.com
216.250.128.220 scoxweb.sco.com
216.250.128.221 scoxdb.sco.com
216.250.128.222 scoxdemo.sco.com
216.250.128.225 zeus.ut.sco.com
216.250.128.235 www.vultus.com
216.250.128.236 data.vultus.com
216.250.128.237 bugzilla.vultus.com
216.250.128.238 mardon.ut.sco.com
216.250.128.241 linuxupdate.sco.com
216.250.128.245 uw713doc.caldera.com
216.250.128.246 ou800doc.caldera.com
216.250.128.247 docsrv.caldera.com
216.250.128.248 locutus3.calderasystems.com
216.250.128.251 ntop.ut.caldera.com
216.250.128.253 fgw.calderasystems.com
216.250.128.254 c7-gw.calderasystems.com
It's astonishing that rumors spread like wildfire if the facts are so easy to check.
If you monitor a few tens of thousands of unused IPv4 addresses, you can observe most DoS attacks involving randomly spoofed addresses. You just listen for backscatter ((sorry, no better resource appears to be available). These packets are created by the victim server when it tries to answer to requests that have been spoofed from your address space. Some people even keep statistics of that noise.
And guess what? Yesterday and today, there was plenty of backscatter from 216.250.128.12. Why was ftp.sco.com suddenly offline today? Well, beginning around 2003-12-11 10:49 UTC, you could observe backscatter from 216.250.128.13, too. Unless SCO is deliberately forging backscatter (and if they are, they are doing a pretty good job at it, it looks very much like the real thing), they were under attack, yesterday and today.
Good idea, but just to make sure you get it all, you should mirror the contents. "wget -m" should do the trick, and when the site does get hosed, you'll already have a mirror to share with /. readers!
I've dealt with huge synflood attacks, in the wild.
Most of the things you say you think you know here are simply not true, I'm sorry.
Tools to mitigate synfloods only help to a marginal degree if the attack is done correctly.
First, bandwidth is an issue. Determined hackers can bring GIGABITS of syn requests in... NO, I'm not exaggerating in the least. if you aren't colo'd somewhere with massive bandwidth in the first place, all the "mitigation tools" you want won't help you, as you will be out of bandwidth. Completely. The days of 1Kbps synflood shutting you down may be gone.. but nowadays when attackers want to hit you, they hit you with tens of megabits, to start with.. so not only is it a syn flood, it's just plain a FLOOD.
Provided you DO have enough bandwidth, you need a way to differentiate between valid syns and attacker syns.. which is a fundamental problem. If the attacker has enough hosts he can do full source address spoofing from, you are just plain screwed.. your attack prevention device won't do anything at all, as there is NO way to differentiate between good and bad traffic, fundamentally.
Syncookies increase the rate at which you can deal with syns, but they are by no means a solution to the synflood problem, the problem still exists with or without syn cookies. Let me say that again.. syncookies do NOT solve the synflood problem.. they just lighten the load on the machine, and let it deal with more requests at once.
Putting a box out front that can sink LOTS of syn requests, and only pass valid, established connections through to the real servers HELPS.... but only to a point. only as long as it can keep up with the flood.. which when we are takling about gigabit speeds, is tough.
IN short, if your servers are colo'd at a really, really fast network, and you have really, really good equipment, and people who know how to deal with it, you can deal with this kind of attack, most of the time. You can absolutely build a system or setup that is basically immune to this.... but tha'ts far more engineering and resources than many even very large companies throw at their stuff.
It's nowhere near as trivial as you are making it out to be, and considering the number of attacks I've seen in the last six months, in person, I have no trouble at all believing sco is getting trashed. well, except that everything they say is generally bullshit, but that's a different matter entirely.
Second, when PR people start talking about "can't access the intranet, etc" they may mean "can't access it from outside" or something like that.. give it a rest. Intranet has different meanings to different places..
And you should know, how things SHOULD be designed is rarely how they ARE designed, even by people who should and do know better.
I realize this is offtopic, but something just struck me... Lets look at the possible outcomes of the lawsuit
A) SCO wins, Linux does in fact contain code that was copyrighted.
- So now the Linux community is in shock. However if SCO wants to release ANY Linux software they will have to GPL the code or remove it - thus revelaing it to the rest of the community allowing them to remove the offending code and making the lawsuit a moot point.
B) SCO loses, the code doesn't exist, or was previously GPL'd by SCO.
- SCO loses its entire customer base (never trust a traitor, not even one you create). And closes its doors or is sold on the cheap.
C) Someone bails SCO out, buys everything before the lawsuit ends.
- SCO doesn't sell cheaply, Daryl gets out with millions in "severance pay", Linux community moves on.
You tell me where the lawsuit is going.
-Coach
"Never upset a goalie, getting hit with a blocker is an unpleasent experience - facemask or not." -Me
Looks like both to me. Someone at SCO has a cron job running that starts a DDoS (SYN) attack against www.sco.com from their internal network, and sends out a press release at the same time.
That way Darl doesn't even have to climb out of his lawyers' lap, where he spends the day happily napping and dreaming of Linus as his shoe shine boy.
It is natural for criminals to group together. Why? Because they've committed so many heinous acts that they only feel comforted by others who are just as bad. The other side of this is, criminals figure that because they're crooks, the rest of the world must be, too. So when SCO's servers start acting up, their first reaction, being such criminals as they are, is to assume that someone else is doing exactly what they do--launch an attack, attempting to destroy or deface the competition. And thus, it must be someone in the evil Open Source community who is doing it, or maybe just maybe IBM.
Well assuming that it is a hoax (and, being the cautious type, I do have to concede the possibility that it may be legitimate - stranger things have happened), I honestly don't find myself terribly surprised that they have taken this route.
If you really look at it, SCO has been trying to create an atmosphere of fear - all of which was brought to an abrupt end when the judge commanded them to put up or shut up, essentially. I don't know if they could issue another press release about how their IP is in Linux without irritating the judge, which would destroy any chance they have of actually winning the case.
So, how do you continue to remain active and relevent?
Well, if they can demonstrate that this attack came from the open source community, they can gain some public support, which puts pressure on IBM (as they are representing open source), all without even mentioning the oft-repeated "SCO IP is in Linux" line.
It could even be elegant, if SCO hadn't blown the case out of proportion with their press blitz and threats earlier.
Robert B. Marks
Author, Demonsbane in Diablo Archive
enjoy
www.sco.com resolves to 216.250.128.10, just two hosts away from the IP address in parent.
http://216.250.128.10
Why do you think sco hopped IP addresses?
HMMMMMM?
Buford "Maddog" Tannen is fighting mad! And I hate that name too, so now I'm even madder!
Buford "Mad Dog" Tannen