An Open Letter from Darl McBride
canfirman writes "Well, it seems Darl is changing tactics as he's now published an open letter proclaiming the benefits of UNIX over any other operating system. However, most of his letter involves comparing SCO Unix to Linux from not only a business acceptance point of view, but from a technical point of view, too. Darl throws in a bunch of stats in there, too: 'In a study conducted only seven months ago they found that overall, the most vulnerable operating system for manual hacker attacks was Linux, accounting for 65.64% of all hacker breaches reported.' I'd love for somebody who has more technical knowledge than me to look at his points and see if what he says is true or not -- assuming anything coming out of Darl's mouth is true."
I can believe part of his claims in that more Linux systems get hacked, compared to commercial Unices. Though I don't think this is a general problem with security on Linux, but with the fact that most home installations of Unix based systems will be on Linux boxes - and therefore in the hands of people with less security expertise than large companies have at their disposal.
...but outside of that most security fixes will probably come in when it's time to update the system as a whole...
Also, companies have dedicated sysadmins or even IT security people which will (hopefully) constantly check for new vulnerabilities and immediately patch their systems.
Private "Home" Unix installations that aren't Linux based will in comparison be more likely to be in the hands of the more knowledgeable folks, and hence also in the hands of people that will likely be more security aware than the average home Windows/Mac/Linux user.
How many private users with their linux box on broadband seriously do that (except for those that hold IT security / admin type positions)?
I'm a developer - and I'm not in the habit of daily (or even weekly) patching of systems. I'm occasionally checking the system and I do react (i.e. patch) when I hear about some (widely publicised) security hole...
Another factor in "less" security of systems in people's homes is that most people just stay ignorant of the situation, because they think "my box doesn't contain anything important that would make it worth hacking"; but in doing so they're often ignoring the danger that someone might break into their computer just to use it in further attacks on more "rewarding" targets.
Yes it is. http://www.linux.org/dist/
"Simplify, simplify, simplify!" Thoreau
Dear Darl:
Too little, too late. Kiss our asses.
ChipMonk
His security stats come from MI2G. Google will tell you all you need to know about them.
Groklaw is in fine form today...
Darl's Open Letter, "Long Live UNIX," and other PR Blizzardry from SCOForum
He says that when he came to the company they decided to focus on the area that was most profitable. He then goes on to say that this focus was not on litigation. It would seem that history will not bear him out on this.
When it comes down to it, is it productive anymore to even worry about this guy? At one time, I think it was, but now, I'm not sure. If he's still a danger to the idea of OSS, then I'm all for taking him apart bit by bit until he cries. But if he's just a harmless troll now, I'm ready to move on.
Has anyone started a betting pool for the final day of SCO's existence? It can't really be that far away, can it?
Finally, one more serious question: He says that they are proud of and focused on their own for-sale version of UNIX. What advantages are there to going with a closed, expensive version of UNIX over either an open, expensive version of Linux or an open, free version of Linux? I really don't know and am very curious.
Yeah, I'm as old as my UID would suggest.
From Article
However, as the stewards of the UNIX operating system, SCO is committed to providing technology leadership and delivering on the promise of UNIX-based solutions for many years to come.
Correct me if I'm wrong, but aren't Novell the stewards of UNIX?
That ain't the body part he talks with...
In the late 1970's Microsoft licensed UNIX source code from AT&T which at the time was not licensing the name UNIX. Therefore Microsoft created the name Xenix. Microsoft did not sell Xenix to end-users but instead licensed the software to software OEMs such as Intel, Tandy, Altos and SCO who then provided a finished version of their own Xenix to the end-users or other customers. SCO introduced its first version of Xenix named SCO Xenix System V for the Intel 8086 and 8088 in 1983. Today SCO Xenix is one of the more commonly used and found versions of Xenix.
Linux was based on Minix, a Unix-lite OS designed to run on PCs. However, it was really only a teaching tool. Andrew Tanenbaum repeatedly refused to add the new (legitimate) features the users and even developers asked for. Linus Torvalds set out simply to add functionality to his own version of Minix (the copyright allows you to do so for your own personal use, but you cannot sell or distribute it).
Over time, in adding functionality to Minix, Linus Torvalds found that he had created an entirely new kernel. It was very similar to Minix but used none of the Minix source code. Torvalds had originally called it freax, for 'free' + 'freak' + the obligatory '-x'. The operator of the FTP server where Linus' new kernel made its debut didn't like the name and simply called it Linux (Linus + Unix). People seemed to like the name so it stuck.
Of course there are more attacks against linux than against SCO Unix. I'd imagine there are somewhere around, 300 to 400 trillion more instances of linux running than instances of SCO Unix. So it's not strange that there are more attacks against them. This is just an instance of failing to take into account the base rate.
Of course, I'm having some fun with numbers myself here, so don't take my word for it.
Religion Politics Operating Systems
Be sure to remember the Programmers Prayer
This means only one thing: that hackers have to dedicate their time at manually hacking a linux server, while for a Windows machine a quick 5-minute script will do the entire job for them.
No problem, heck the support listed there is better than what I've gotten for a lot of products I've paid for.
99 single IP
910 mass defacements
Linux (56.6%)
Win 2003 (28.9%)
Win 2000 (8.7%)
Win NT9x (2.9%)
FreeBSD (1.7%)
NetBSD (0.7%)
SolarisSunOS (0.1%)
Win XP (0.1%)
"God of Rock, thank you for this chance to kick ass. "
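The base-rate objection raised earlier in the thread (far more Linux instances, so more Linux attacks) and the "99 single IP / 910 mass defacements" split in the figures above are two corrections to the same raw count, and both are easy to carry out explicitly. The Python below is an added example, not from the thread or from the source of the statistics: DEFACEMENT_SHARE copies the percentages quoted in this post, while INSTALL_SHARE and RECORDS are constructed placeholders whose values carry no survey meaning.

```python
"""Two corrections a defender applies before reading defacement statistics:
normalise breach share by installed base, and count compromised hosts
rather than defaced sites. Added example; INSTALL_SHARE and RECORDS are
constructed, only DEFACEMENT_SHARE is taken from the thread."""
from collections import Counter

# Share of recorded defacements per platform, as quoted in the post above.
DEFACEMENT_SHARE = {
    "Linux": 56.6,
    "Win 2003": 28.9,
    "Win 2000": 8.7,
    "Win NT9x": 2.9,
    "FreeBSD": 1.7,
    "NetBSD": 0.7,
    "Solaris/SunOS": 0.1,
    "Win XP": 0.1,
}

# CONSTRUCTED install-base shares (percent of public web hosts). These are
# illustrative placeholders chosen to show the effect, not measured data.
INSTALL_SHARE = {
    "Linux": 70.0,
    "Win 2003": 10.0,
    "Win 2000": 8.0,
    "Win NT9x": 3.0,
    "FreeBSD": 4.0,
    "NetBSD": 1.0,
    "Solaris/SunOS": 3.0,
    "Win XP": 1.0,
}


def relative_risk(breach_share, install_share):
    """Breach share divided by install share, per platform.

    1.0 means a platform is breached in proportion to its footprint; above 1
    it is over-represented, below 1 under-represented. A platform with no
    (or zero) install-base figure is skipped rather than given a made-up ratio.
    """
    ratios = {}
    for platform, breaches in breach_share.items():
        base = install_share.get(platform)
        if not base:
            continue
        ratios[platform] = breaches / base
    return ratios


def ranked(scores):
    """Platform names ordered from highest to lowest score."""
    return [name for name, _ in sorted(scores.items(), key=lambda kv: kv[1], reverse=True)]


# CONSTRUCTED defacement records: (defaced_site, host_ip, platform). One
# Linux host carrying several virtual sites inflates the per-site count,
# which is the "mass defacement" effect the figures above separate out.
RECORDS = [
    ("a.example", "198.51.100.7", "Linux"),
    ("b.example", "198.51.100.7", "Linux"),
    ("c.example", "198.51.100.7", "Linux"),
    ("d.example", "198.51.100.7", "Linux"),
    ("e.example", "203.0.113.9", "Win 2003"),
    ("f.example", "203.0.113.10", "Win 2003"),
    ("g.example", "192.0.2.5", "FreeBSD"),
]


def count_by_site(records):
    """Naive tally: one count per defaced site."""
    return Counter(platform for _site, _ip, platform in records)


def count_by_host(records):
    """Tally of distinct compromised hosts, so a shared host counts once."""
    hosts = {(ip, platform) for _site, ip, platform in records}
    return Counter(platform for _ip, platform in hosts)


if __name__ == "__main__":
    print("ranking by raw breach share:", ranked(DEFACEMENT_SHARE))
    print("ranking by relative risk:   ", ranked(relative_risk(DEFACEMENT_SHARE, INSTALL_SHARE)))
    print("defacements counted by site:", dict(count_by_site(RECORDS)))
    print("defacements counted by host:", dict(count_by_host(RECORDS)))
```

With the constructed install shares the platform that tops the raw list drops below 1.0 once normalised, while a smaller platform rises to the top; the point is not the particular numbers but that a breach-share table says nothing about per-host risk until an install-base denominator is supplied, and that site counts and host counts can disagree by a factor equal to the number of virtual hosts on one box.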
My guess is that he's trying to remove focus away from his unsuccessful lawsuits and trying to re-promote the business, something he should have done while CEO of The SCO Group. Let's face it, SCO's financial situation is precarious at best, downright dangerous at worse. It looks like his "golden egg" of Linux lawsuits has turned up a rotten egg, so he's trying to change direction. I'm wondering if the shareholders and/or the board is putting pressure on him to promote the business instead of the lawsuits?
Either that, or he needs more cash for his lawsuits.
It is not our abilities that show what we truly are... it is our choices.
I thank the F/OSS community's policy of full disclosure of vulnerabilities so they can be fixed sooner/faster. This is as opposed to other OS manufacturers' policy of concealment and FUD so said vulnerabilities and breaches DON'T get reported and a "patch" is released in their own sweet time.
Nonsense. There are still huge tracts of undeveloped land in the Southeastern states beckoning for retirement developments. Such enterprises will need good multi-level marketing advice.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Or does he mean manual as in "the manual". I'd say my Assembler Language manuals have suffered from more attacks than average. They've all been manual, too, now that I think about it.
I guess they'd be manual manual attacks.
I've rarely been more tempted to just respond with "whatever".
"Well, boss, we're having problems with Linux at our datacenter, but don't worry, I can go on IRC and ask someone to help me."
Terribly different from "Well, boss we're having problems with Linux at our datacenter, but don't worry, I can go to Red Hat's support and ask someone to help me."
Especially when going to Red Hat's support it is GUARANTEED you will be talking with a first tier support drone, at least in the beginning, while chances are, if you know your work, that you can talk to the problematic program's AUTHOR, LIVE, on the proper IRC channel.
That PHBs don't like "free support" doesn't make it less valuable regarding its technical foundations.
Looks like *he's* the customer he's trying to convince.
Hack your mind out of its sandbox.
I used to be an SCO reseller. I qualified by answering a 50 question multiple choice test on their web site.
Does anyone know if they ever changed the Open Server kernel so you don't have to recompile to change the domain name? Or add a disk drive? Or a tape drive?
How about RAID support? Is that still an "extra cost" item?
I once built a linux based dial-up router that connected to an OpenServer box on the other end. I tested it using Linux on both ends, but it didn't work connecting to OpenServer. The serial port handler was just too frellin' slow, running on a box that was twice as fast as the router.
I always give a snort when I read the PR about how much better SCO UNIX is. None of my customers run it anymore. It's just too much trouble, even compared to Windows.
You may have a fundamental point there, but Darl lacks two very important things that Steve has - a very large marketing budget, and a pop icon which is pushing the otherwise measly profits from digital music sales into a huge media coup. And both of these make me at least respect Steve more - it's one thing to talk in PR-speak and such all the time, but when you have product, legions of fans, and billions in sales to back it up, at least you're getting somewhere. Ask the man on the street about an iPod, and he'll know exactly what you are talking about. Ask the man on the street about UNIX (or even Linux *ducks*), and chances are he'll stare at you blankly.
An open letter deserves an open response. So I unzipped.
C|N>K
Said as a joke, but one that speaks the truth. The primary target of most of the lawsuits has been people who have used SCO UNIX and decided to use some other operating system instead/as well.
What Darl does not seem to understand is that people do not simply buy (excuse me, license) software, they buy the company as well.
The behavior of SCO toward their own clients is not exactly one that encourages people to buy in. Irrespective of everything else, and positing that SCO had the best operating system in the world (stop laughing and just humor me for the sake of the argument), I wouldn't go near them with somebody else's ten foot pole.
It isn't worth the aggravation of vendor lock-in by legal intimidation.
KFG
I only read the beginning part of his open letter and couldn't continue because it was so full of unsupported claims. It kind of reminds me of the beloved Iraq Information Officer Mohammed Saeed al-Sahaf, who in the last days of Saddam's regime said things like:
"They are lying every day. They are lying always, and mainly they are lying to their public opinion."
"They are achieving nothing; they are suffering from casualties. Those casualties are increasing, not decreasing."
"We are determined to defeat them and destroy them on the walls of our capital, as we are determined to destroy their miserable armies in every Muslim spot."
This makes me wonder, is Darl playing the same role of the beloved Iraq Information Officer, announcing the death of SCO in a humorous way?
web site defacement, active entry = manual hacker attack
viruses,scripts,malware,browser exploits,etc != manual hacker attack
i imagine linux has the most sites hosted?
Linux sites probably have less security minded ppl than someone that paid big $$ for their system.
Could be true, not that it means anything. They probably hacked some poor linux server with 100 sites that nobody has been to. That could generate said statistic since i hear so little about 'manual hacker attack' lately, hehe.
Those without security know-how are a greater security risk, duh.
Yeah, don't fuck with the people who wrote nroff source for your manual pages.
Anyone got a SCO box handy?
$ man tunefs
If it doesn't say "You can tune a filesystem but you can't tune a fish", Darl deserves whatever he gets. Don't believe me? Use the nroff source, Luke.
$ cat /usr/share/man/man8/tunefs.8.gz | gzip -d
2038's still 33 years away, Darl.
Though many may reply "SCO 5ux0rz and Linux 0wnz" there is a lot of crap in this article. To back up his security claim he cites "In CNET's May 27, 2005 article entitled 'OS Makers Slow to Fix Flaw'". As any bugzilla will show, Linux is patched frequently and quickly. Check Google News if you don't think Linux is secure, Darl. Point one for Darl, 1770 for Linux. Darl references (though gives no link) a study done by the MI2G group. This group is famous for FUD and being special interest lackeys. Great sources.
Next Darl takes Linux to task for disorganization.
"Linux will likely continue to face challenges about its development methodologies and roadmaps as long as it continues to be a loosely organized set of volunteers who develop what they want, when they want." Has he not heard of Novell, RedHat, Mandriva, or Ubuntu? What about the OSTG?!? Are these "loosely organized volunteers?" NO! These are firms, supporting and developing Linux, firms that are pounding SCO into non-existence.
He claims "The grand promise of Linux was that it wouldn't fork or fragment into multiple Linux operating systems." Never have I heard that. The grand promise of Linux is that it is open. Free as in freedom. Unlike the "Open Server" SCO sells, which is neither open nor free.
Next he asks the following.
"Who is checking for compatibility across thousands of applications, drivers, hardware and peripherals? Who is verifying backward compatibility?" Well, if you are using Debian, it is the Debian team. If you are using SuSE it is Novell. Et cetera, et cetera. Darl betrays extraordinary ignorance in thinking that all operating systems built on GNU/Linux are the same. Gentoo != Mandriva != Slackware != Knoppix. Yet the media (and Darl, who shouldn't be able to plead ignorance) continue to ignorantly blanket statement all Linux distros as "Linux".
Frankly this is crap. He admits to being biased, but doesn't have the balls to point out where his bias is. That is because it is everywhere, throughout this ridiculous article.
And who the heck has ever heard of "Steve the Linux Super Villain Guy?" And why would a "popular internet cartoon" lend credence to a serious business claim??
Though I am going to burn Karma for this, the holy Slashdot would be a lot more interesting if it didn't post Media/FUD as news.
From TFA: "SCO Has a Customer-Driven Roadmap"
as in: We drive our customers away, thus no new features on the roadmap!
Come on, Darl, if you want anybody with a scientific or technical disposition to take your letter seriously, you have to quote your sources and analyze the results! Look:
The initial attraction to Linux was a price tag of zero cost. Yet, they typically charge customers from $349 to $2,499 every single year.
Who is "they?" Why is this "typical?" Where do you get your numbers from?
SCO Has a Superior Kernel
By what metric? What studies show this? The only support you mention is that Linux is younger than UNIX. This is not a metric of quality on the technology frontier, as new technologies supersede old ones continuously.
In a study conducted only seven months ago they found that overall, the most vulnerable operating system for manual hacker attacks was Linux, accounting for 65.64% of all hacker breaches reported.
What percentage of hacker attacks are manual, and what percentage are automated worms? What does a "hacker breach" constitute, and what kind of systems are affected by them? Are we talking about personal web servers hosting one or two files, or CIA databases?
Linux development plans and schedules are generally as unknown as they are unpredictable.
Describe the development process for the reader. How is it different from the SCO model? Is predictability in product evolution something beneficial to the world of technology, or should programmers go with the flow, developing and releasing new software versions as the technology develops?
Linux will likely continue to face challenges about its development methodologies and roadmaps as long as it continues to be a loosely organized set of volunteers who develop what they want, when they want.
What is the organization structure of Linux development? Is it really as loosely organized as you make it out to be? Where does this information come from?
When a new upgrade of Linux is required, software vendors and end users most likely have to upgrade their application as well.
How often is a complete upgrade of the Linux kernel required? What does "most likely" mean? Are there any numbers to back up this claim?
I don't think I have to continue any further. Mr. McBride, you cannot use vague terms like "most likely" and "typical" in an open letter aimed at a technologically savvy audience, and you most certainly cannot make claims without logical arguments to back them. Also, consider revising your letter to include more analysis of the stated statistics.
C-
See me after class.
/*No comment*/ #No comment
Linus started out using Minix, and a lot of the early Linux guys came from the Minix mailing list. Linus used Minix as a development platform to write and compile Linux. Don't take my word for it, take Andrew's word for it. http://www.cs.vu.nl/~ast/brown/rebuttal/
IANALBIPOOGL (I am not a Lawyer, but I play one on GrokLaw.)
"But since SCO owns the UNIX operating system...."
Quoth the wikipedia:
The present owner of the UNIX trademark is The Open Group, while the present claimants on the rights to the UNIX source code are The SCO Group and Novell. Only systems fully compliant with and certified to the Single UNIX Specification qualify as "UNIX" (others are called "UNIX system-like" or Unix-like).
Novell also has source code rights. Also, Darl, you should be careful to use the UNIX trademark so freely as it is clearly a registered trademark of the Open Group. From their website.
"Customers can identify UNIX certified products by the Open Brand logo and the mandatory attribution declaring to which version of the specification the product complies:"
So no Darl, you do not own UNIX. Get a clue.
"The competitive battle between Pepsi and Coke is legendary, as is the battle between GM and Ford, Boeing and Airbus, and the Red Sox and Yankees."
Your analogy between Pepsi and Coke (where did you learn to write anyways? 4th grade?) is so inherently flawed that the term "apples to oranges" doesn't even begin to describe how distorted this viewpoint is, as both are still fruit. My guess is that you were trying to provide some humour. I certainly got a good laugh.
"1. OpenServer 6 Costs Less - OpenServer 6 offers very aggressive pricing. The purchase price for SCO OpenServer 6 is priced from $599 to $1399 which includes the license to the product, software fixes, and access to SCO's online knowledge base. Customers pay once for the product and run it for as long as they like."
I don't really know what kind of math you are using Darl, because in my world, $599 is a whole lot more than $0. Also, I don't really see how asking for a support contract is a "bait and switch" tactic as you claim. If you don't need support, there are more than enough FREE, as in beer and speech, alternatives out there in the Linux universe.
""Free" is one of the most searched words on the Web today. When you type in "Free" in Yahoo search, it brings up more than 3 billion hits. "Free" is a very powerful marketing concept. We all love free. Linux lures you in with the promise of its being "free." But before you get out of the "store," you are surprised to find out that it was anything but free. Just remember the proverb, 'Free is the most expensive price.'"
Darl. All I gotta ask is, can I have some of what you are smoking. It has GOTTA be good!
"OpenServer 6's features form a very powerful server."
Yeah. Especially now that you included a bunch of, get this, FREE software. How much did Apache cost you? How much did you spend on developing the open source tools that you now use? Are we, as a collective, supposed to just swallow this pill, that you attack free, open source software, and then include it in your own operating system? If that is not sheer hypocrisy then I have no idea what is. Go to hell Darl. We all know what UNIX is and was and it surely is not SCO anymore, or probably ever was for what it matters. Personally I hope your lawyers bleed what little liquidity you have left, if they are smart that is. You are a joke. Nobody respects your company anymore. I hope that you go to bed every night worrying that your illegal insider trading activities may one day land you in court. Crooks like you, and the ones that fund your pitiful crusade, deserve to sit in a 4'x4' cell with your new wife, Bubba.
Have a wonderful day!
Sincerely,
Zos/Xavius.23
zosxavius photography
"Well, boss, we're having problems with Linux at our datacenter, but don't worry, I can go on IRC and ask someone to help me."
Actually I think it goes something like this:
"Well, boss, we're having problems with Linux at our datacenter, but don't worry, I just saved a ton of money on car insurance by switching to Geico."
Indeed, PHP is severely damaging the reputation of Linux. While the developers of PHP are well-intentioned, that is for sure, their creation has suffered from far too many security problems as of late. Of course, they cannot be blamed for the flaws of hastily written PHP scripts.
Nevertheless, the numerous insecurities found in PHP and scripts written in PHP are tarnishing the image of Linux. Hopefully the PHP developers put more effort into creating a web development platform that isn't as susceptible to scripts written by non-professionals. Just as Intel and AMD have moved to prevent stack overflow exploits via hardware improvements, it is time for PHP to do the same. They must make it so that insecure scripts do not run at all.
Cyric Zndovzny at your service.
This is similar to the situation with Denethor, the Steward of Gondor. His failure was to recognize Aragorn as the rightful ruler of Gondor.
I expect it will end similarly, with Darl coating himself in some type of oil, igniting himself and then running and jumping from the highest precipice as a plummeting human fireball.
One place where natural selection has helped is Windows Update.
I've had to reinstall Windows a number of tymes and one thing I found out quickly was to turn off automatic updates in Windows. This happened after I ran update after doing a compleat install and then running update only to have it break something. I went through this three tymes within a week. Install then run update, something gets broken so rerun install then update. Broke again so reinstall and this tyme not run update. No problems then. After reading MS's end user licenses required to run update, I know most don't read them but I did, got to be scary too.
Falcon
Should there be a Law?
Unfortunately for Linux, mi2g also confirmed that the Linux operating system has become somewhat of a hacker's paradise. In a study conducted only seven months ago they found that overall, the most vulnerable operating system for manual hacker attacks was Linux, accounting for 65.64% of all hacker breaches reported.
Search for "mi2g" on Google. The second result is a Register article titled, "Why is mi2g so unpopular?" According to the article, "The chief charge against mi2g is its regular predictions of withering cyber-assaults which, critics say, rarely seem to materialise." It goes on to say, "most of its staff appear to be without significant operational IT security experience".
http://www.theregister.co.uk/2002/11/21/why_is_mi2g_so_unpopular/
Most of the rest of the Google links are news stories about experts debunking the mi2g "study" from about 9 months ago which reports Darl's numbers. Here's a choice quote from an article at http://nwc.serverpipeline.com/52500233 :
Mi2g appeared to anticipate criticism of its study. "We would urge caution when reading negative commentary against mi2g, which may have been clandestinely funded, aided or abetted by a vendor or a special interest group," it said in a press release publicizing the study.
Wow. Darl's been cloned.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I'd love for somebody who has more technical knowledge than me to look at his points and see if what he says is true or not -- assuming anything coming out of Darl's mouth is true."
Come on now... a statement like that is like showing up at DefCon and handing out cards with your IP addresses and telling everyone how you don't see the need to secure Windows servers....
thats probably the best line from the whole post!
"Our funds have never taken part in toxic or death spiral convertible financings of any sort" -BayStar's managing partner
That's funny. I just saved a ton of money on my motorcycle insurance by switching away from Geico.
Avoid Missing Ball for High Score
What about:
Me: "Well, boss, we're having problems with Linux at our datacenter, but don't worry, I already found the answer on one of the newsgroups."
or
Me: "Well, boss, we're having problems with Linux at our datacenter, but don't worry, I dug into the source code and found the issue."
or
Me: "Well, boss, we're having problems with Linux at our datacenter, but don't worry, I messaged one of the original developers on IRC and worked out what the problem was."
Not every shop has the in-house expertise to deal without support, but there are plenty of us out here that do it. Frankly, most vendor support is shit anyways. We have support contracts for some of the software we run, and I usually don't bother; it's quicker to figure it out myself.