decoration decoration

When you want to know more...
For layout only
Site Map
About Groklaw
Legal Research
ApplevSamsung p.2
Cast: Lawyers
Comes v. MS
Gordon v MS
IV v. Google
Legal Docs
MS Litigations
News Picks
Novell v. MS
Novell-MS Deal
OOXML Appeals
Quote Database
Red Hat v SCO
Salus Book
SCEA v Hotz
SCO Appeals
SCO Bankruptcy
SCO Financials
SCO Overview
SCO v Novell
Sean Daly
Software Patents
Switch to Linux
Unix Books
Your contributions keep Groklaw going.
To donate to Groklaw 2.0:

Groklaw Gear

Click here to send an email to the editor of this weblog.

Contact PJ

Click here to email PJ. You won't find me on Facebook Donate Paypal

User Functions



Don't have an account yet? Sign up as a New User

No Legal Advice

The information on Groklaw is not intended to constitute legal advice. While Mark is a lawyer and he has asked other lawyers and law students to contribute articles, all of these articles are offered to help educate, not to provide specific legal advice. They are not your lawyers.

Here's Groklaw's comments policy.

What's New

No new stories

COMMENTS last 48 hrs
No new comments


hosted by ibiblio

On servers donated to ibiblio by AMD.

SCO Sets Up Alternative Address - Finally
Monday, February 02 2004 @ 09:17 AM EST

Their press release announces they have set up an alternate address, which is a technique they obviously could have implemented sooner. They had a week to prepare, after all. Of course, then they couldn't send out breathless press releases. This is the new address:

It will be interesting to find out if there are some disappearing documents as a result of this whole incident. I have gotten one report that the LKP page is missing so far.

Bob Mims has some interesting details. Stowell says they have a number of backup tricks they can try:

   "We have had a good four to five days' notice of this," Stowell said, noting Mydoom's Jan. 26 launch. "We have a lot of backup plans in place."
This raises the obvious question: why didn't they implement them *before* they were forced off the internet? If you see a train headed straight toward you, the sensible next move is off the tracks. Is that too simple and obvious? Or does SCO have an agenda that requires that they get taken down periodically? The Mims piece notes:
Since it first filed suit against IBM last March, SCO claims its site has been crashed by several smaller scale denial-of-service attacks -- assaults which flood a target with commands that prevent others from accessing the site.

The attacks seemed timed in conjunction with controversial SCO announcements or Linux-related legal filings.
Dan Gilmore puts it bluntly:
That doesn't excuse the DDOS, but it does say something about SCO's credibility, not for the first time. SCO and its senior executives have shown themselves to be willing to stretch, if not snap, the truth -- such as Darl McBride's ridiculously inaccurate meanderings about copyright law, as Larry Lessig has picked apart in some detail. (The world is still waiting for SCO to show any actual violations of copyright, meanwhile.)
The pattern I've noticed is odd. Am I misremembering or has anyone else formed the impression that every time Darl gratuitously makes a public statement about SCO being attacked, within a short time, there is some kind of alleged attack? I remarked to someone that it reminds me of Bin Laden releasing videos as a signal for attacks to begin. Of course, it could all just be a remarkable coincidence. Incidentally, you might find Netcraft's report on this of interest, as well as their FAQ and their chart on web servers. Netcraft noticed one detail: actually resolves to the same ip address as
% host has address
% host has address

The press release:



SCO to provide alternate access to company Web site through

LINDON, Utah—Feb. 2, 2004—The SCO Group, Inc. (Nasdaq: SCOX), the owner of the UNIX ® operating system and a leading provider of UNIX-based solutions, today announced it has put alternatives in place for individuals wanting to access its company Web site. The company is asking customers, resellers, developers, shareholders and all other Web site visitors to use as the destination for the company’s Web site through the end of Feb.12, 2004. The company is putting this alternative Web address in place because the recently announced Mydoom or Novarg virus creates an attack that is designed to prevent access to from Feb.1–12, 2004.

“Security experts are calling Mydoom the largest virus attack ever to hit the Internet, costing businesses and computer users around the world in excess of $1 billion in lost productivity and damage,” said Darl McBride, president and CEO, The SCO Group, Inc. “Because one of its purposes is to interrupt access to the Web site, we are taking steps to help our important stakeholders continue to access the information, data and support that they need from this new Web site.”

The Web site will provide visitors with all of the accessibility and resources that they would normally have when visiting In addition, the company is including links that point visitors to security vendors, including Network Associates and Symantec, that will provide them with all of the latest information on how to download software updates and protect their PCs against the Mydoom virus.

“Increased traffic has already begun hitting in the last couple of days,” said Jeff Carlon, director of worldwide IT infrastructure, The SCO Group. “We expect hundreds of thousands of attacks on because of these viruses. Starting on Feb.1 and running through Feb.12, SCO has developed layers of contingency plans to communicate with our valued customers, resellers, developers, partners and shareholders. The first step of that plan is the implementation of” For those having problems getting through to SCO on the Web, customers may call their local sales office or 1-800-SCO-UNIX (726-8649) to gain assistance from a SCO representative.

Earlier this week, SCO announced that it is working with U.S. law enforcement authorities including the U.S. Secret Service and Federal Bureau of Investigation (FBI) to determine the identity of the perpetrators of the Mydoom virus. The company also announced that it has offered a reward of up to a total of $250,000 for information leading to the arrest and conviction of the individual(s) involved with the creation of the virus. Anyone with credible information or leads should contact their local FBI office. “We believe that Microsoft’s $250,000 reward in addition to the $250,000 reward offered by SCO will significantly assist the FBI in obtaining serious leads that may help catch the perpetrators of this virus,” said McBride.


SCO Sets Up Alternative Address - Finally | 321 comments | Create New Account
Comments belong to whoever posts them. Please notify us of inappropriate comments.
From the horse's mouth...
Authored by: Anonymous on Monday, February 02 2004 @ 09:31 AM EST
SCO Partner Alert

Mydoom or Novarg Virus Work-arounds
Mirrored availability of SCO Web site at

As you are probably aware, on Monday, January 26, a computer
virus called Mydoom (Network Associates' name) or Novarg
(Symantec's name) spread quickly across the Internet. Antivirus
companies have determined that this worm is coded such that
computers infected with the Mydoom variant are set to conduct
a distributed denial of service (DDOS) attack against
from February 1 - 12.

In short, the virus is activated when users open an innocent-looking
e-mail message that contains an attached program file (with a .bat,
.cmd, .exe, .pif, .scr, or .zip extension) which then accesses
the user's e-mail address book and sends itself to all of that
user's contacts. The offending e-mail message usually
arrives with a subject line such as "Test," "Hi," or
"Mail Transaction Failed."

The SCO Group boldly condemns this latest action, and is taking
several active steps to fight against acts of cyber-terrorism
such as that launched by the creator(s) of the Mydoom virus.

* On January 27, SCO announced that we are offering a reward of
up to a total of $250,000 for information leading to the arrest
and conviction of the individual(s) responsible for creating the
Mydoom virus.

* SCO is working closely with U.S. law enforcement authorities
including the U.S. Secret Service and the Federal Bureau of
Investigation (FBI) to determine the identity of the Mydoom

* SCO is launching a "mirrored" Web site (which will provide
all of the information currently available at to
continue business as usual with partners and customers -

As a valued SCO Solution Provider, your uninterrupted, successful
SCO UNIX business is important to us. If you are unable to connect
to the information or resources that you need during the targeted
dates of the Mydoom virus, please contact SCO right away by

Thank you for your continued support,

Darl McBride
President & CEO
The SCO Group

This message was sent by The SCO Group using Responsys Interact.

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: Anonymous on Monday, February 02 2004 @ 09:35 AM EST
Hey, did anyone else notice that the word "Linux" doesn't appear
anywhere in those messages?

I'm impressed that Darl resisted what so many journos haven't been -- the
temptation to say Mydoom is a tool of disgruntled Linux users.

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: belzecue on Monday, February 02 2004 @ 09:41 AM EST
It really is mind-boggling. You cannot buy this level of publicity.

By giving SCO the global platform the likes even *they* could not have imagined,
the authors of MyDoom have done more damage to FOSS's image than anyone anywhere
-- all in a few days. Was this their intention, or did they simply fail to see
how SCO would turn it around to its own advantage? Was it what many suspect:
that spammers simply piggybacked the DDOS as an afterthought with SCO being the
first target, understandably, that popped into their heads?

Cry me a river. Next we will discover that Darl is fielding book and movie

Friday cannot come too soon.

[ Reply to This | # ]

Inaccessible docs
Authored by: Anonymous on Monday, February 02 2004 @ 09:48 AM EST
> It will be interesting to find out if there are some
> disappearing documents as a result of this whole incident.

Given how much Groklaw and other critics of SCO refer
directly to documents at, it could be said to be
suspiciously convenient to SCO, if some embarrassing files
become permanently, or even just temporarily inaccessible at
the addresses the critics use to refer to them. Hmm...

What happens if, say, IBM files on Friday a motion that has
references pointing to the SCO site (because it has been
in preparation for a longer time), but they cannot be read
by the judge because of MyDoom?

Anyone still thinking that the "Linux Community" could
somehow be behind the MyDoom worm? The attack against could in fact be considered evidence of exactly
the opposite!

[ Reply to This | # ]

SCO still 'owns' UNIX
Authored by: Anonymous on Monday, February 02 2004 @ 09:53 AM EST
First thing I noticed about this post was that SCO is still on the same track (no surprise) and is still claiming to be the owner of the UNIX ® operating system.

Lots of people say "it ain't that simple", for example: com/2010-1071_3-1015624.html?tag=fd_nc_1

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: Alizarin on Monday, February 02 2004 @ 09:59 AM EST
You know, Microsoft better show signs of the virus attack or SCO is going to
look like an even bigger liar then they already are.

[ Reply to This | # ]

Groklaw has no need to stoop to this level of comment on SCO
Authored by: Anonymous on Monday, February 02 2004 @ 10:03 AM EST
Their press release announces they have set up an alternate address, which is a technique they obviously could have implemented sooner. They had a week to prepare, after all.
Until now, Groklaw has done an excellent job on commenting on legal claims made by SCO. Simply pointing out the details of every statement SCO made has been enough to bang SCO on the head with a hammer. In the reporting on the MyDoom case however, it seems that we all need to tell the world that we would have responded much more clever and coherent if it was us that was the target of MyDoom. This is well below the standards that made Groklaw famous. It may indeed be quite difficult to ensure that all pages refer to the domain name, while at the same time making sure that it will also work when they can ever switch back to their original domain. Maybe it is simple and they just missed the chance. But this has very, very little to do with the real issues we have with SCO.

[ Reply to This | # ]

OT: Newspaper article
Authored by: gbl on Monday, February 02 2004 @ 10:03 AM EST
The following is the text of a short article in a UK free paper (Metro, Mon, Feb 2nd.)

Software giant is first to meet Mydoom

The Mydoom Internet virus claimed its first corporate scalp yesterday, paralysing the website of software giant SCO with a massive data blitz. SCO, which has angered many programmers by claiming copyright over parts of the Linux operating system, said its site went down after it was "flooded with requests beyond capacity". A variant of the virus has been timed to target Microsoft tomorrow.

A "software giant" ?!?

If you love some code, set it free.

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: rand on Monday, February 02 2004 @ 10:04 AM EST
SCOG last edited the www.thescogroup.cpm record on Jan 29, 2004. Hmmm....

They've had available since Aug, 2002; they could have been
using it anytime, but didn't.

I've been doing some early checking, and so far, any content that used to be
under or seems to be available at With all the eyes on them, they'd be stupid to start
trying to hide stuff now.

The Wright brothers were not the first to fly an aircraft...they were the first
to LAND an aircraft. (IANAL and whatever)

[ Reply to This | # ]

Interesting fact-ette.
Authored by: TwinDX on Monday, February 02 2004 @ 10:05 AM EST resolves to the IP address, which is the same
IP address as, and From what I recall, was also on this IP address. has been working fine for ages and has had some good
response times over the past couple of days. Also if I recall correctly, from
some research by Symantec or someone, the virus didn't point to but
to the IP address instead (it'd already resolved it) and taking apart the virus
in a hex editor (I was bored) there was no sign of in plain text
whatsoever, but there was a load of Windows API names obvious there, so I doubt
any obfuscation has taken place and it really is in there as an IP address
instead (my Windows box has updated antivirus software so I can't look again to
double check).

My meandering through thoughts leads me to this:

SCO took precautions to prevent the DDoS but couldn't resist another press
release. Their server rode out the storm, and never went down (that'll be
because it's not running their shoddy OS but FreeBSD now, according to Netcraft)
- but that wouldn't make news in Darl's world - better to make out that you were
taken down by Open Source Commie Pinkos but came back fighting with the twin
spears of capitalism and proprietary software, and won.

Incidentally, earlier today BBC News carried the story but only mentioned
Microsoft in the summary - nothing about Darl's Army - and it appeared just next
to a big article about how Linux was conquering everything and how IBM's Linux
work is great =)

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: phrostie on Monday, February 02 2004 @ 10:23 AM EST
i agree that many documents will disappear with the server, but the
new name does help make a distinction between sco and scog/scox.

we should concentrate on how to use this to help people understand that they are
not the Santa Cruz Organization.
they are not the OpenGroup(they don't own Unix(R))

they are the failed business formerly known as Caldera.
they did release their software under the GPL.
they did and do understand what the GPL says.
and now, they are grasping at staws as they sink down below the surface.
[sounds of bubbles]

on a side note:
i was thinking last night, if the media won't let go of the idea of mydoom being
someones idea of revenge against scog.
maybe someone should point out that a former Unixware Admin or resaler would
have more reason to hate the current scog leadership than the Linux community.
after all this is done, Linux will continue on. it will adapt and be stronger
next time.
regardless of the outcome scog and unixware are history. no one will ever
willingly do business with them again.
the TCO of the keeping laywers is too high.

Oh I have slipped the surly bonds of DOS
and danced the skies on Linux silvered wings.

[ Reply to This | # ]

SCO's Website Was Never Down !!
Authored by: Anonymous on Monday, February 02 2004 @ 10:50 AM EST
With all these conflicting reports of SCO being hit, did it ever occur to anyone
to try the following:

Their site has been up and running all weekend without any slowdowns or
interruption. Maybe they thought the virus writers were stupid enough to target
a subdomain or they think people are too stupid to know that you don't need to
have "www" in the website address.

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: AMc on Monday, February 02 2004 @ 11:04 AM EST
Actually, this goes directly to the heart of the case against SCO Group. SCO
Group has taken the facts; a virus that will test for internet connectivity by
polling once, and twisted them into something along the lines of the

- an attack starting before their 10k filing
- an on-going attack lasting from 29 Jan to 12 Feb
- ISP's blocking their website to 'protect' them
- their own website 'hammered' offline
- their own dns entry removed

The antivirus community has picked apart the virii, so it's activities are
documented. Yet they attempt to portray the virii as actively attacking their
webservers for nearly two weeks. Three different stories about how SCO Group
would ride out the storm, none entirely accurate. And an ongoing attempt to
imply substantial damages without a single citation or study to back it up. If
only from a business perspective, the leadership of SCO Group has reached the
point where thier lack of credibility should be chasing people away.

After the 'DDoS' attack at the end of last year, I attempted to cut through the
FUD layers to see if it was a user error or a software bug that caused it. I
couldn't get any direct answers, and finally they adopted the line of contact
the FBI for information. When I called the FBI's Salt Lake City office, the
agent I spoke to sounded as if she blurted out her coffee and laughed at the
idea that SCO Group had contacted them. I pressed that SCO Group had told me to
contact the FBI, and she laughed again and said that if there was an active
investigation she wouldn't be able to comment. She ended by suggesting I
contact SCO Group again, as she didn't know why they'd said to contact the

I followed this up with a phone call to the local police department. The chief
informed me that they weren't aware of any ongoing investigations, and no
special precautions had been made for the trial. The only unusual thing he
reported was a number of complaints about protesters, which were always gone by
the time a patrolman reached the SCO Group offices. He was very curious why I
was interested, as he'd had several inquiries from the United Kingdom as well (I
suspect the Register, but I didn't follow up).

I do have a letter somewhere between here and my Congressmen and Senators
offices to try to verify that as of the end of 2003 there was no active
investigations into the DDoS attacks SCO Group claimed. It became a moot point
because my employer had me retire the remaining *nixWare machines in January.
In the end, it seems that at the best SCO Group is guilty of a lack of response
to the law enforcement community about their 'problems'. At worst is entirely
subjective, but in every case continuing evidence that they play fast and lose
with the truth.

[ Reply to This | # ]

The new SCO website promotes.... Macintosh!
Authored by: Chris Cogdon on Monday, February 02 2004 @ 11:11 AM EST
Have a look at the new sco website. The computer sitting on the desk is in fact
an Apple Macintosh iBook.

Yes, we all know this kind of gaffe crops up regularly in Microsoft advertising
copy, too, as they use stock photography rather than create their own. It's
still amusing to see it crop up in SCO advertising, too :)

[ Reply to This | # ]

We remain suspicious" of the open source community
Authored by: Anonymous on Monday, February 02 2004 @ 11:13 AM EST

Pointing fingers: "We remain suspicious" of the open source community,
Stowell said. "And we are a little disappointed there haven't been leaders
within that community and the Linux industry who have not come out and more
publicly condemned this."

[ Reply to This | # ]

dead link / LKP
Authored by: phrostie on Monday, February 02 2004 @ 11:29 AM EST
i did not try very many, but did come up with one dead link.
the Linux Kernel Personality (Product & Services > UNIX > Linux Kernel
Personality) takes you to a dead page.
so it seems that not everything was moved to the new site.

Oh I have slipped the surly bonds of DOS
and danced the skies on Linux silvered wings.

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: bbaston on Monday, February 02 2004 @ 11:31 AM EST
A client converting to Linux from Windows (:D) asked me an interesting question,
paraphrased as, "Do all these announcements mean SCO Unix can get

Point being, at least one business manager now has the impression that Unix is
under viri attack too. I'm sure Darl didn't even think of that spin against

Ben B
imaybewrong, iamnotalawyertoo, inmyhumbleopinion, iamveryold,

[ Reply to This | # ]

InformationWeek Article: MyDoom Author: "Sorry"
Authored by: Anonymous on Monday, February 02 2004 @ 11:40 AM EST
On Google News I saw the following reference to an article
(which appears to be slashdotted ..?)

I Quoth from Google News:
Information Week - 14 minutes ago
A variant of the virus has a cryptic message in which the author appears to
apologize for creating the infection. By Antone Gonsalves, TechWeb News. ...

Has anyone read this article?

[ Reply to This | # ]

Some things are missing, and have been!
Authored by: jlp on Monday, February 02 2004 @ 11:41 AM EST
Just before the last alledged DDoS I had been looking at the sco web site and
success stories.

I cached 10 of the best success stories I could find on their site (all
pertaining to Caldera Openlinux). After the DDoS those success stories

I have been checking periodically to see if they would come back, but they have

One story dealt with sco placing openlinux on a bunch of used computers at a
software company could telecomute and work at home.

I just thought that it was interesting.

Argue for your limitations; And sure enough they are!

[ Reply to This | # ]

Consider me corrected!
Authored by: TwinDX on Monday, February 02 2004 @ 11:56 AM EST
I'm used to being corrected =) I am a C+ techy bod at best, no higher. I know
for a fact that the GET command wasn't visable in the editor so it must've been
obfuscated in some way. Maybe I was using a Greek font =)

[ Reply to This | # ]

Consider me corrected!
Authored by: TwinDX on Monday, February 02 2004 @ 12:01 PM EST
Bah. I broke Geeklog. This should've been way up there as a reply to a followup
to my earlier post.

Sorry all.


[ Reply to This | # ]

Why a "mirror"?
Authored by: rjamestaylor on Monday, February 02 2004 @ 12:16 PM EST
I don't understand why SCO found it necessary to set up a "mirror" site with the new domain name. A mirror is used to duplicate the contents of one web server on another by different entities or for the purpose of load balancing. All SCO had to do was rename *.12 (the IP Address of the server, IIRC) from to and the "attack" would have been effectively thwarted. For good measure SCO could have moved the primary web server IP address to something other than *.12 to compensate for stale DNS cacheing (*cough*AT&T Worldnet*cough*). Making such a change (assuming relative internal links on web pages) would require 2 changes:
      DNS Zonefile A record
      Apache httpd.conf ServerName
(One could also change the hostname if one was anal about such things.) Regardless, no content need be copied, no "mirroring" required. Just change the name and maybe IP address of the exact same server with the exact same content; maybe a note to explain the name change, but hardly any other content change required.

My suspicions are further raised by reports of "missing" documents by regular visitors to

Something stinks here.

SCO delenda est! Salt their fields!

[ Reply to This | # ]

Authored by: TechnoCat on Monday, February 02 2004 @ 12:41 PM EST
The SCO Group boldly condemns this latest action

Oooh, they're going out on a limb there boldly condemning the virus! Who, using their vernacular, has been meekly condemning it? It's almost as if they have a list of adjectives and verbs they want to use each month for quote purposes. Imagine later...

The SCO Group was recognized in January for taking "bold" steps against viruses and trojan horses.

[ Reply to This | # ]

  • Boldly? - Authored by: Anonymous on Monday, February 02 2004 @ 12:45 PM EST
  • Boldly? - Authored by: sbungay on Monday, February 02 2004 @ 12:58 PM EST
    • Baldly? - Authored by: Anonymous on Monday, February 02 2004 @ 04:33 PM EST
Netcraft again exposes SCO
Authored by: rjamestaylor on Monday, February 02 2004 @ 12:52 PM EST
The SCO Group, Inc.
will use as an alternate web site while remains
under a denial of service attack from machines infected with the My Doom worm,
the company said this morning. The URL is expected to serve as an interm site
for SCO through Feb. 12, when the DDoS is expected to conclude. "SCO has
developed layers of contingency plans to communicate with our valued customers,
resellers, developers, partners and shareholders," asid Jeff Carlon, the
company's director of worldwide IT infrastructure, who called the new domain
"the first step" in its planning. actually resolves to the same ip
address as 

% host has address
% host has address

Performance data on is available now.

SCO delenda est! Salt their fields!

[ Reply to This | # ]

I think I know where the copyright infringement code is.
Authored by: GrueMaster on Monday, February 02 2004 @ 12:54 PM EST
Bear with me here, but if you follow this obfuscated logic to conclusion, then SCO does own a chunk of linux (however, the GPL will ultimately triumph).

If SCO's claims of IBM's code is derived works from Unix (added to Unix & Linux simultaniously by IBM), and SCO's licensing contract regarding derived works does stand up, then, (in a round about way) all code added by IBM that also is added to Unix (AIX) would in fact be owned by SCO. Kind of like a writer publishing an article in a magazine. Some magazines claim copyright of the writer's articles, even if the writer is freelance. It all depends on the contracts (which is what the lawsuit is esentially about).

But, as pointed out here and in multiple other sites now, SCO actually contributed a lot of this code, either directly, or from IBM through them.

Just trying to follow the logic behind the madness.


"Get your facts first, and then you can distort them as much as you please." Mark Twain (1835 - 1910)

[ Reply to This | # ]

OT --Everyones Favorite....?
Authored by: lpletch on Monday, February 02 2004 @ 01:01 PM EST
Some news from everyones favorite Columnist/Anal yst

"You won't hear of these firms by name because they are afraid that if they were to go public, they would be attacked mercilessly by the Linux community. For these companies, freedom of speech is now a distant memory denied to them by these Linux thugs."

Rob Enderle


[ Reply to This | # ]

A Big Question for Darlor how stupid is SCO?
Authored by: shareme on Monday, February 02 2004 @ 01:17 PM EST
the obvious question for Darl and CSo is if MyDoom is DDOs the ip addreess of, then oh why oh wisen truthfull Darl have you seen fit to take down the
site with ip address of

Could it be you are in fact lying about being DDosed by the virus?

Sharing and thinking is only a crime in those societies where freedom doesn't

[ Reply to This | # ]

Enderle's inexorable ascent
Authored by: Tim Ransom on Monday, February 02 2004 @ 01:18 PM EST
into the lightbulb of discredited PR flacks continues unabated.
Try and find the cached version on Google - maybe if technewsworld stops getting hits from this clown, they will purchase their 'news' from a different PR mill.

[ Reply to This | # ]

The got an article in the Evening Standard
Authored by: Anonymous on Monday, February 02 2004 @ 01:50 PM EST
They managed to get themselves a front page story on the
London Evening Standard today.

The Evening Standard are not known for their tech
coverage. They are more likely to cover problems with the
London Underground and rants about the congestion charge.

[ Reply to This | # ]

Groklaw and PJ getting a little out of hand....
Authored by: Anonymous on Monday, February 02 2004 @ 02:16 PM EST
I noticed over the past month or two PJ, and Groklaw frequenters in general getting out of hand with conspiracy theories. I think the biggest problem is a good deal of the crowd here aren't programmers and network admins and frankly don't understand the technical nature of what happens.

Many just regurgitate what others have said. The fact is, even though I'm no fan of SCO, they have plenty reason to have waited until the last minute to change to You have to consider, no one knows if the address of the web site could be changed dynamically (the address in the virus that is). The virus does setup back doors on your computer, so it is a possibility. If they had changed it over late last week, the virus could have been modified to reflect the changes.

Also, the reason on waiting until Monday rather than changing it Sunday night. SCO does not work holidays and weekends. We saw that with the holidays in december (delaying the IBM case). Everyone has this mapped out to be some SCO scheme. I see it as nothing more than incompetitence.

SCO and their network engineers aren't the smartest people. I don't think they are capable of some massive conspiracy as many of you believe.

You guys need to leave your tin foil hats behind.

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: phrostie on Monday, February 02 2004 @ 02:32 PM EST
[CnP] from linuxtoday

"Shares in Red Hat Inc. are seen as overvalued by some investors, as the
leading distributor of free Linux software faces a deep-pocketed rival,
according to an article in the latest edition of Barron's...

"Red Hat shares have quadrupled in the past year, and at $20, a level
reached two weeks ago, Red Hat shares trade for 105 times next fiscal year's
estimated earnings, and 'more than four times the most bullish estimate on the
total addressable market for its primary product three years out,' Barron's

so how can they claim that a company that has no marketable product and has run
off all it customers is worth 45USD, but a company that has good products and a
growing customer base is overvalued at 20USD.

Oh I have slipped the surly bonds of DOS
and danced the skies on Linux silvered wings.

[ Reply to This | # ]

Rob Enderle - The MyDoom Effect: Crossing the Line into Terrorism
Authored by: Anonymous on Monday, February 02 2004 @ 02:32 PM EST

"Some Linux advocates are saying they would load this virus
"gladly" just so they could harm strangers who did nothing more than
work for SCO or run an OS they don't like. The words "civil liability"
come to mind, and this is one of the few instances in which I hope the legal
community sees blood in the water and does something meaningful with
class-action litigation. We are talking about billions of dollars in

Unbelieveble this Enderle-guy! And yeah "the legal community" should
do something against such a low attempt to link a community to
"terrorism" and other very bad stuff, just because a few underaged
kids (or depressed personalities) say some stupid stuff on messageboards.

By the way Sir Enderle, i'm not part of that community, i aim a full time
windows-user and still know the difference between right and wrong and you Sir
(and Sco) are very wrong and act both in a very bad and low way.

Sorry for my bad english! I'm Dutch!

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: Anonymous on Monday, February 02 2004 @ 02:37 PM EST
Some people complain about some misbehaviour with linux 'Zealots'. But if you
look at people like McBride , Elderele or other I think it is not to bad.

[ Reply to This | # ]

OT - SCO Gets a Mention on ITV
Authored by: sjgibbs on Monday, February 02 2004 @ 02:39 PM EST

Coverage of the MyDoom malware on ITV left alone the SCO contraversy and covered Microsoft as if it were the bigger, or more newsworthy, problem. S.C.O got a brief mention at the end, as well as an anonymous reference near the beggining.

Where it mentioned the web site outage, I felt the peice could have been worded more accurately ("failed to dogde"?) without getting bogged down in politics, and describing SCOG as a "software company" is a bit generous too ;-)

Overall though, I liked the piece, it was short and to the point focussing on what users should do to avoid being gotten at.

As we know SCO are grandstanding on this and deliberately allowing the site to suffer for publicy. Unfortunately they have enjoyed some sucess at this, malware normally does get TV time in the UK, but having SCO mentioned without the proper qualifications is A Bad Thing (tm).

The equivalent article online definately should have had an opposing expert giving an opinion, but Blake Stowell's quote is interesting.

In other news the home office is considering draconian anti terror laws that will endanger civil liberties. Ho hum...


[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: pooky on Monday, February 02 2004 @ 02:43 PM EST
I just love the new site, expecially the ALT text on the main graphic:

alt="SCO Keeps One Step Ahead of the Virus"

And the message delivered inthe graphic:

"An alternate Websitethat unites vendors to combat virus"

It's nice and slow to boot. If they were really serious about being one step
ahead of the virus, they would have had this already prestaged at an alternate
IP or preferably an alternate provider and it would have been on-line right
before the start of the attack.


Veni, vidi, velcro.
"I came, I saw, I stuck around."

[ Reply to This | # ]

SCO is smart!
Authored by: k12linux on Monday, February 02 2004 @ 03:53 PM EST
Come on guys... this was brilliant of SCO to handle things this way!

1 - various outages (regardless of fault) make them even more ravaged victims of
the linux horde
2 - damages continue to skyrocket as customers can not get to sections of SCO's
"emergency" site (never mind it hints at incompitence, or the fact
that nobody is likely to try to buy from them)
3 - No way to tell if the virus would have actually done any damage since the
attack won't actually go out now
4 - To any journalist who hasn't seen the latest press releases,
STILL appears to be down due to an attack.

- k12linux

[ Reply to This | # ]

Proof of an attack?
Authored by: Anonymous on Monday, February 02 2004 @ 04:36 PM EST
IANASA (Not A SysAdmin) but by simply changing the DNS name (but leaving
itpointing to the same IP address) doesn't that mean that any attack affecting should affect since the attacks would be hitting the
same machine (or load-balancer or whatever)? If that is the case, then why are
we seeing stable uptimes on but failures on

Also, since the netcraft results that I've seen seem to only report errors or
successes, what is keeping SCO from simply having their web server drop
connections periodically to convey the results of a DDOS? To rephrase, do we
actually have proof that hundreds of thousands of connection requests are
hitting or are we just seeing that the site is down and thus "must
be under attack"?

[ Reply to This | # ]

Anyone recording the Harvard Speech tonight? I might...
Authored by: Anonymous on Monday, February 02 2004 @ 04:39 PM EST
I was wondering if anyone was going to try and record the broadcast of the
speech tonight - it might be useful for making a transcript. I realize thay have
these lectures archived on the website, but I dont know how long it will take
for them to make it available, or if it will be made available at all. (Notice
not all of the featured speakers are recorded for the archives.)

If anyone is interested, I will try and record it just to be safe, even if I
have to do a cheap digital camcorder job of my terminal.

If a recording isn't made available, you can reply to this post and I can see
about getting a copy for you so we can all review the lecture.

Mike A.

[ Reply to This | # ]

Slightly OT
Authored by: Anonymous on Monday, February 02 2004 @ 05:05 PM EST
Has anyone else noticed that the virus propagation seems to have died out today?
Was it set to quit spreading when the DDOS began? Checking ye ol' Symantec
system center consol, we don't seem to have received any contaminated e-mails
since early this AM.

[ Reply to This | # ]

What attack?
Authored by: k12linux on Monday, February 02 2004 @ 05:28 PM EST
I was curious (and a bit bored) so I decided to run a test. I have a copy of Win2000 that lives in a vmWare session under Linux. It has no access to the outside world (or my network) other than what I allow. It's also set up so I can simply "undo" any changes. To me this seemed like a good testbed.

I set up a fake DNS server and added records for and I pointed to a bogus mail server and pointed to a temporary web server. I started up ethereal on my Linux box and started tcpdump watching for any 'sco' traffic. Then I infected the system with MyDoom.A.

It took a few seconds (looking at the hard drive and registry I would guess) and then started doing name resolution. It looks to me that it grabbed every string which even remotely could be a domain name including things like "PUBLIC/ding.wav" and then started doing hostname lookups on variations of the domain prefixing them with various machine names. (smtp., mx., gate., gt., gw.,, relay., mx1... to name a few.)

Oddly it tried to do a simple host resolution instead of doing a mail server query. (ie: Instead of just asking for the mail server for, it tried,,, etc.) Also interesting (IMHO) was that it seemed to try to resolve the names any way possible. It queried WINS, Novell NDS, DNS, and even sent netbios broadcasts out on the network. I also thought it was odd that it tried repeatedly to resolve the same unresolvable names... literaly hundreds of times.

Step 2 - Set system timezone to GMT and time to 11:59pm on 2/1.
And.... nothing. It just kept trying to resolve host names. After looking up the details on the worm, this shouldn't have been a surprise. It wasn't scheduled to "attack" until Feb 2 at 4:09pm GMT. Doh!

Step 2 (2nd try) - Set the system time to 4:08pm on Feb 2nd.
The clock struck 16:09pm GMT and... again nothing new, and specifically no DNS query or http GET for Ok.. well.. maybe the virus only checks the time when it is first loaded? So I rebooted. Nothing for

Ok, I had expected to at least see it attempt to pull a page from But.. no... nothing. It never even tried to resolve to an IP address. I even tried a bunch of other dates/times and system reboots... nothing ever made it so much as query for and nothing made a request to my web server.

If someone can point out something that I'm missing or that I did wrong I'd be happy to retest. Short of that, however, the whole SCO attack seems to be a non-event.

- k12linux

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: WhiteFang on Monday, February 02 2004 @ 05:54 PM EST
I was refreshing the screen and saw this as the title:

SCO Sets Up Alternative Universe - Finally.

Must ... get ... sleep.

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: Anonymous on Monday, February 02 2004 @ 06:11 PM EST
Some list of news about MyDoom: Most of the news site just report the fact that SCO is attact. SOme of the news site add some poletics and write some negative things about the linux comunity.

SCO believes the latest DDoS attack and several that preceded it are the work of open-source advocates who have been critical of the $3 billion legal fight against IBM and Linux that SCO launched last March
EE Times
Laura Didio:"The open-source and Linux community in 2004 is going to have to distance themselves from the questionable tactics of this fringe element of Linux extremists. If they don't, it's going to hurt them more than SCO can."

I've been threatened and other analysts have been threatened, as well," Enderle said

CBS< br> Proberly the best article so far... Only mistaken said SCO is 'Santa Cruz operation'

thecarol inachannel
This is a news site wich only mention the attack. No anti linux and no MCBride et al... There are many of them


Blake Stowell, the director for public relations at SCO, declined to give details of those preparations, saying that his information technology department "would hang me in effigy if I divulged what we had in place or didn't have in place.

[ Reply to This | # ]

Well done BBC - corrected SCO story
Authored by: Anonymous on Monday, February 02 2004 @ 06:40 PM EST
I noticed in the BBC's article "Mydoom cripples US firm's website" that they initially said SCO owned the UNIX operating system.

I sent this email to the editor

Re. the MyDoom virus attacking SCO's web site. In your article you say that SCO owns the UNIX operating system. This is not true. UNIX is a standard, and SCO owns an operating system that has been certified as conforming to that standard. Other companies like Sun, IBM, and HP all have their own versions of UNIX. SCO want people to think they own UNIX (which is a registered trademark of the Open Group by the way) so that they believe SCO have a chance in the case against IBM and so buy SCO shares, which currently have a value far above what they are really worth. This is a far more interesting story in my opinion. If you watch what's happening you'll see another Enron is in the making with SCO.
I got a reply from the BBC technology editor saying that whilst the error was small and not likely to mean much to the lay reader, they wished to be accurate and have ammended the story accordingly, which you can see at the link above. The fix isn't entirely correct as the BBC now say SCO is the company "which owns the source code of the Unix operating system" but at least it shows they're willing to listen. 9 out of 10 this time for the BBC.

[ Reply to This | # ]

Linux Community is responsible for My Doom Virus
Authored by: Anonymous on Monday, February 02 2004 @ 06:48 PM EST
i doubt that a respected member of the linux community or even a self
programmer would release a script kiddie to launch DoS. I for one am trying to
figure out where to download that MyDoom, but so far i could not find one. I
guess only the media and those security experts are the only ones who have
access to that virus, would you think thats a bit odd.

Due to this immense publicity, SCO and Microsoft have placed a bounty prize of
$250,000 to the author of the virus. But as you can all see SCO brought down
their site and change the DNS and everything to to me thats
of the most intelligent thing that the company has done however if they are
willing to put a bounty of 250000 bux for the author wouldnt they get more info
at the net traffic that MyDoom would cause on their site?

And now one of the media spin offs claims that the author apologizes for this
virus and the reason for him to do this is that he is getting paid. hah how
In addition to that some spinoffs claims that Microsoft server is next haha.
Damn those media whores.

Reading these new spin offs to the MyDoom virus makes me remember the the
microsoft counter-advertisements against linux a month ago. someone in my head
saying it is a plot to bring linux down.

[ Reply to This | # ]

DNS lookup in article is out of date
Authored by: Anonymous on Monday, February 02 2004 @ 06:50 PM EST
The DNS record has been deleted, points to the same place as
the new domain name:

~$ host
Host not found: 3(NXDOMAIN)
~$ host has address
~$ host has address

[ Reply to This | # ]

My Doom DoorooomDoom Doom
Authored by: Anonymous on Monday, February 02 2004 @ 07:01 PM EST
its just a matter of time to see if the hype lives up to its words

[ Reply to This | # ]

An Unfounded Conspiracy Theory
Authored by: Anonymous on Monday, February 02 2004 @ 07:50 PM EST
I wonder about the missing files.

It seems to me that, whether or not SCO orchestrated these attacks, I wonder if
they're not using them as excuses to retract information previously available
which might embarass them now? Perhaps that was the plan all along? (Then
again, it could just as well be a recent idea to capitalize on the situation;
something I must admit they've always been good at, even though I deplore many
of their actions, such as never showing any actual evidence, so far as we know,
even to the defendants...)

[ Reply to This | # ]

Enough is enough - Finally
Authored by: entre on Monday, February 02 2004 @ 07:56 PM EST
Hollywood Cracks on Code: The DVD Copy Control Association has dropped its
3-year-old suit against several folks who published the source code of DeCSS,
which lets users bypass DVD copy protection. Presumably the group decided it was
hard to prove the defendants revealed trade secrets when anyone can buy the code
silk-screened on a T-shirt. Now I know how to end the SCO lawsuits: Put Unix
code on a really big shirt, then convince Ruben Studdard to wear it.
From an article by
Monday, February 2, 2004

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: nhm on Monday, February 02 2004 @ 08:10 PM EST
A couple of questions here, as I'm rather new to posting on groklaw, but long
time lurker! (Dang, that sounds like a call-in show.. Ask Prof. PJ... )

In anycase, my questions:

1) It seems that Darls inflaminitory press releases directed at Linux has
invited retribution. Now this retribution should in all honestly be limited to
contrasting press releases (and why has little of this happened?) Not DDoS
attacks. Not to mention the virtual egging on of IBM, Red Hat, and Novell. Why
have none of the three requested an injunction to prevent him from continuing
his tirads? I realize that he has a right to make his opinion, but I also
remember these two things called libel and slander... I further realize the
many people here (myself included) have many of them posted on the office wall
for when I need some humor in the day.

2) Has FSF and other Open Source organizations been fairly silent on the PR
releases or I am simply not finding much out side their websites and a few close

I honestly don't believe this attack is by a "normal" open source
supporter, as this obviously is the action of a "third party" such as
spammers (an almost certain conclusion given the evidence...

I'm old enough to know better, but young enough to still enjoy it.

[ Reply to This | # ]

OT - UK Local Paper mentions SCO
Authored by: KevinR on Monday, February 02 2004 @ 08:24 PM EST
The Evening Echo, the local paper in South Essex - to the East of London, UK - carried a short entry on its single National and World News page. So the story is being pushed fairly high by the UK Wire Services - probably PA but could be Reuters.
A COMPUTER virus that targeted a small Utah software company performed as its perpatrators promised...
I was especially fond of the word small. The words UNIX and Linux never appear in the story. The main emphasis is before a similar virus...attack Microsoft Corp.

The story got about 2 column inches.

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: Alastair on Monday, February 02 2004 @ 08:51 PM EST

Does anyone else find it amusing that the “Linux community” is being blamed for the development of a piece of Windows malware?

I'd bet good money that it was compiled with Microsoft's C compiler (or maybe it's even written in Visual Basic), which are tools that you have to pay (a lot) for. Many programmers are members of the “Linux community” in the first instance because they can't afford (or don't want to pay for) Microsoft's expensive software. I actually own some Microsoft development tools (VB and Visual C++), but I prefer developing on UN*X (actually these days, Mac OS X), so they don't see much use. So:

  1. Many of us don't own the tools that were almost certainly used to build MyDoom.
  2. Those of us that do prefer spending time writing software on UN*X systems to working with Microsoft's OS.
  3. Those people most able to claim membership of “the Linux community” (Linus or Alan Cox, for instance) would certainly rather spend their time improving the FOSS programs for which they are responsible.

Basically, writing MyDoom would be a waste of time that could be better spent doing other things, as well as, quite probably, a waste of money. Unless you were going to use it to send spam (which the Linux community is active against) or harvest credit card numbers, bank account details and passwords (again, the Linux community is law abiding, so wouldn't do this).

The Linux community isn't responsible for this. Some idiot in Russia is, by the sound of things. And I'd be surprised if he isn't running Microsoft software, not FOSS.

[ Reply to This | # ]

SCO Sets Up Alternative Address - Finally
Authored by: Alastair on Monday, February 02 2004 @ 09:14 PM EST

It's also interesting that CNET is reporting here that many security experts are making comments about how MyDoom illustrates a need to improve the security of corporate networks.

Given that it executes only when a user is stupid enough to run it, I would say that it illustrates a need to better educate users, rather than trying to coerce corporations into buying yet more software that they probably don't need.

[ Reply to This | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )