Slashdot Mirror


An Open Letter from Darl McBride

canfirman writes "Well, it seems Darl is changing tactics as he's now published an open letter proclaiming the benefits of UNIX over any other operating system. However, most of his letter involves comparing SCO Unix to Linux from not only a business acceptance point of view, but from a technical point of view, too. Darl throws in a bunch of stats in there, too: 'In a study conducted only seven months ago they found that overall, the most vulnerable operating system for manual hacker attacks was Linux, accounting for 65.64% of all hacker breaches reported.' I'd love for somebody who has more technical knowledge than me to look at his points and see if what he says is true or not -- assuming anything coming out of Darl's mouth is true."

15 of 393 comments

  1. I can believe of the stats here... by beh · · Score: 5, Interesting

    I can believe part of his claims in that more Linux systems get hacked, compared to commercial Unices. Though I don't think this is a general problem with security on Linux, but with the fact that most home installations of Unix based systems will be on Linux boxes - and therefore in the hands of people with less security expertise than large companies have at their disposal.

    Also, companies have dedicated sysadmins or even IT security people who will (hopefully) constantly check for new vulnerabilities and immediately patch their systems.

    Private "Home" Unix installations that aren't Linux based will in comparison be more likely to be in the hands of the more knowledgeable folks, and hence also in the hands of people that will likely be more security aware than the average home Windows/Mac/Linux user.

    How many private users with their linux box on broadband seriously do that (except for those that hold IT security / admin type positions)?

    I'm a developer - and I'm not in the habit of daily (or even weekly) patching of systems. I'm occasionally checking the system and I do react (i.e. patch) when I hear about some (widely publicised) security hole... ...but outside of that most security fixes will probably come in when it's time to update the system as a whole...

    Another factor in "less" security of systems in people's homes is that most people just stay ignorant of the situation, because they think "my box doesn't contain anything important that would make it worth hacking"; but in doing so they're often ignoring the danger that someone might break into their computer just to use the computer in further attacks on more "rewarding" targets.

    1. Re:I can believe of the stats here... by Mournblade · · Score: 3, Interesting

      Wouldn't the majority of home installations of UNIX based systems be Macs running OS X? I have no specific stats, just asking if anyone does.

    2. Re:I can believe of the stats here... by Henry+V+.009 · · Score: 3, Interesting

      That's fairly interesting. After all, I'd rather have my system owned by a script kiddie who's trying to shut down the internet than someone going after my identity and personal information. Does the huge sea of viruses and attacks out there grant Microsoft some sort of fitness benefit? Maybe natural selection has winnowed the weaker systems, leaving fully updated Windows systems as a harder target for manual attacks. Linux, having existed in a kinder environment, is like the boy-in-the-bubble stepping out into the world for the first time.

    3. Re:I can believe of the stats here... by jurt1235 · · Score: 2, Interesting

      Also linux (&BSD) boxes are way more at the forefront of operations, while most unixes are far away in datacenters behind firewalls if they are even in a publicly available part of the internet.

      --

      My wife's sketchblog Blob[p]: Gastrono-me
    4. Re:I can believe of the stats here... by Henry+V+.009 · · Score: 3, Interesting

      One place where natural selection has helped is Windows Update. It's hard to turn off and hard to break. Similar tools in various Linux distros are getting better, but are not as good.

      On the other hand, where Linux updating bests Windows by miles is that you can often update all the software on your computer at once—if you're using all free software packaged by your distro provider, that is.

    5. Re:I can believe of the stats here... by Darth+Daver · · Score: 5, Interesting

      "After all, I'd rather have my system owned by a script kiddie who's trying to shut down the internet than someone going after my identity and personal information."

      I'd rather not have my system "owned". The Windows user attitude of, "I don't care if someone breaks into my system because it contains nothing important, and I already rebuild it every few months" is not encouraging.

      What do you think the statistical likelihood of an overt attack is compared to an automated worm? Those weasels at mi2g who came up with this "study" of dubious merit, are simply looking for some way to get a dig in on Linux. Would you rather be on an OS that gets 52% of .1% of all attacks or one that gets 99% of 99.9% of all attacks?

      Getting into a Linux box should require some overt effort. Breaking Windows boxes automatically using worms has been all too easy, as proven by numerous, catastrophic examples such as Code Red, Nimda, Sasser, Slammer, Loveletter, Melissa, etc. Please refresh my memory of all the high-profile, impactful, overt Linux attacks.

    6. Re:I can believe of the stats here... by Anonymous Coward · · Score: 3, Interesting

      I think that's overstating it. The fact is that far more potential hackers have access to and familiarity with Windows than UNIX, and that this has been the case for some time. I'm not trying to defend Windows...

      Funny. I'm used to the hacking scene of the late 80's early 90's. It seemed to me that the good penetrators never even bothered looking at Windows because breaking in had no payoff. Unix machines had fast Internet connections; Windows boxes were behind modems if they were online at all (remember when TCP/IP was a third-party addon?). I knew plenty of people who broke into wu-ftpd, rdist, etc. and couldn't care less about nuking a Win95 box.

      On my campus, we had dozens of people trying to find privilege-escalation hacks. (One of them was an admin, he told me about using a NIS exploit because he forgot the root password.) That's the kind of environment Unix-like OSes grew up in: every local user wants to be root.

      I have to chuckle when people say today's Internet is more dangerous than it was then.

    7. Re:I can believe of the stats here... by spockvariant · · Score: 2, Interesting

      Right.
      Also, just because the number of published bug reports/security holes in Linux outnumber the ones published for Unix-X doesn't mean Unix-X is more secure. Linux is not only the most popular Unix on the Internet, but also the most widely used platform for security testing and systems research. If you read up papers on automatic bug-finding tools (à la Coverity), testing tools, model checkers that look for security bugs - they're all over Linux, making a case for themselves by claiming to have found '100s of security holes in Linux' (http://portal.acm.org/citation.cfm?id=502041).
      No other OS gets that kind of attention.

  2. MY open Letter to SCO by Anonymous Coward · · Score: 2, Interesting

    In the late 1970's Microsoft licensed UNIX source code from AT&T which at the time was not licensing the name UNIX. Therefore Microsoft created the name Xenix. Microsoft did not sell Xenix to end-users but instead licensed the software to software OEMs such as Intel, Tandy, Altos and SCO who then provided a finished version of their own Xenix to the end-users or other customers. SCO introduced its first version of Xenix named SCO Xenix System V for the Intel 8086 and 8088 in 1983. Today SCO Xenix is one of the more commonly used and found versions of Xenix.

    Linux was based on Minix. A UnixLite OS designed to run on PCs. However, it was really only a teaching tool. Andrew Tanenbaum repeatedly refused to add the new (legitimate) features the users and even developers asked for. Linus Torvalds set out simply to add functionality to his own version of Minix (the copyright allows you to do so for your own personal use, but you cannot sell or distribute it).

    Over time, in adding functionality to Minix, Linus Torvalds found that he had created an entirely new kernel. It was very similar to Minix but used none of the Minix source code. Torvalds had originally called it freax, for "`free' + `freak' + the obligatory `-x'". The operator of the FTP server where Linus' new kernel made its debut didn't like the name and simply called it Linux (Linus + Unix). People seemed to like the name so it stuck.

  3. Re:Stop the lies, Linux is free. by warpSpeed · · Score: 4, Interesting
    Linux is only free if your time has no value.

    Nope, linux is still free, regardless of how you value your time.

    My time is highly valuable to me, and I charge my clients for it. My clients love Linux because it "just works". Email server with uptimes of over a year or more, file servers that boot right up, no problem, after a power failure and the UPS is drained. Backups, networking, routing, firewalling, it all just works. No blue screens, no registrations, no licensing issues, no hassles, easy software patches, and best of all CHOICES of vendors.

    Sure there are problems with various distros of linux. With any complex software there will be issues. But on the whole, Linux runs circles around windows in terms of the lack of headaches and reliability.

  4. Re:Stop the lies, Linux is free. by idontgno · · Score: 2, Interesting
    Yes, because you don't have to spend any of your valuable time supporting paid-for operating systems.

    Yes indeedy. If you're on a commercial OS, you can use your valuable time waiting for return calls from the vendor's "help desk", learning to understand what passes for English in whatever fungal third-world nation the "help desk" is in this week, and writing long and desperate correspondence to various levels of your management explaining why you haven't solved the problem yet.

    Thanks, no thanks, I'd just as soon be able to examine the kernel source myself. And I speak as a professional admin of two different closed-source unixes at a military technical facility. It's all fun and games until someone puts a production server out.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  5. Why does Darl remind me of ex-Iraq Info. Officer? by oringo · · Score: 2, Interesting

    I only read the beginning part of his open letter and couldn't continue because it was so full of unsupported claims. It kind of reminds me of the beloved Iraq Information Officer Mohammed Saeed al-Sahaf, who in the last days of Saddam's regime said things like:

    "They are lying every day. They are lying always, and mainly they are lying to their public opinion."

    "They are achieving nothing; they are suffering from casualties. Those casualties are increasing, not decreasing."

    "We are determined to defeat them and destroy them on the walls of our capital, as we are determined to destroy their miserable armies in every Muslim spot."

    This makes me wonder, is Darl playing the same role of the beloved Iraq Information Officer, announcing the death of SCO in a humorous way?

  6. A rebuttal by ZosX · · Score: 4, Interesting

    "But since SCO owns the UNIX operating system...."

    Quoth the wikipedia:

    The present owner of the UNIX trademark is The Open Group, while the present claimants on the rights to the UNIX source code are The SCO Group and Novell. Only systems fully compliant with and certified to the Single UNIX Specification qualify as "UNIX" (others are called "UNIX system-like" or Unix-like).

    Novell also has source code rights. Also, Darl, you should be careful to use the UNIX trademark so freely as it is clearly a registered trademark of the Open Group. From their website.

    "Customers can identify UNIX certified products by the Open Brand logo and the mandatory attribution declaring to which version of the specification the product complies:"

    So no Darl, you do not own UNIX. Get a clue.

    "The competitive battle between Pepsi and Coke is legendary, as is the battle between GM and Ford, Boeing and Airbus, and the Red Sox and Yankees."

    Your analogy between Pepsi and Coke (where did you learn to write anyways? 4th grade?) is so inherently flawed that the term "apples to oranges" doesn't even begin to describe how distorted this viewpoint is, as both are still fruit. My guess is that you were trying to provide some humour. I certainly got a good laugh.

    "1. OpenServer 6 Costs Less - OpenServer 6 offers very aggressive pricing. The purchase price for SCO OpenServer 6 is priced from $599 to $1399 which includes the license to the product, software fixes, and access to SCO's online knowledge base. Customers pay once for the product and run it for as long as they like."

    I don't really know what kind of math you are using Darl, because in my world, $599 is a whole lot more than $0. Also, I don't really see how asking for a support contract is a "bait and switch" tactic as you claim. If you don't need support, there are more than enough FREE, as in beer and speech, alternatives out there in the Linux universe.

    ""Free" is one of the most searched words on the Web today. When you type in "Free" in Yahoo search, it brings up more than 3 billion hits. "Free" is a very powerful marketing concept. We all love free. Linux lures you in with the promise of its being "free." But before you get out of the "store," you are surprised to find out that it was anything but free. Just remember the proverb, 'Free is the most expensive price.'"

    Darl. All I gotta ask is, can I have some of what you are smoking. It has GOTTA be good!

    "OpenServer 6's features form a very powerful server."

    Yeah. Especially now that you included a bunch of, get this, FREE software. How much did apache cost you? How much did you spend on developing the open source tools that you now use? Are we, as a collective, supposed to just swallow this pill, that you attack free, open source software, and then include it in your own operating system? If that is not sheer hypocrisy then I have no idea what is. Go to hell Darl. We all know what UNIX is and was and it surely is not SCO anymore, or probably ever was for what it matters. Personally I hope your lawyers bleed what little liquidity you have left, if they are smart that is. You are a joke. Nobody respects your company anymore. I hope that you go to bed every night worrying that your illegal insider trading activities may one day land you in court. Crooks like you, and the ones that fund your pitiful crusade, deserve to sit in a 4'x4' cell with your new wife, Bubba.

    Have a wonderful day!

    Sincerely,

    Zos/Xavius.23

  7. Re:Stewardship Responsibility... by schon · · Score: 2, Interesting

    A few things that bother me: 1. Novell didn't come out MUCH earlier to claim their 95% of royalties

    If you read Novell's filing, you will see that they have, in fact, been doing this for the past two years. As litigation and public aggrandizement weren't their goals, they've been doing it privately (i.e., the way business professionals work.) It's only when they're sure that they have 100% legal proof that SCOX wouldn't hold up their end of the contract that they brought it to court.

    2. Darl et al probably will not see any jail time

    Don't count this out yet - it could still happen (wait for SCO to go bankrupt first.)

    3. who put SCOX up to this? And I mean proof of who's pulling the strings, not the "it just has to be MSFT" speculation, though I agree with that speculation.

    Without a whistleblower, anything right now will be speculation.

    For the record, I don't think anyone put them up to it - I think that MS (and possibly Sun) may have seized the opportunity to fund some anti-Linux FUD, but it started out as Darl's get-rich-quick scheme to get IBM to buy SCO. IBM called, and SCO was forced to launch the suits to maintain face.

  8. Re:hehehe by soft_guy · · Score: 2, Interesting

    That's funny. I just saved a ton of money on my motorcycle insurance by switching away from Geico.

    --
    Avoid Missing Ball for High Score