Whatever Happened to Investigative Journalism? - by Paul Couture
Sunday, February 08 2004 @ 03:15 PM EST

Paul Couture has graciously agreed to write an article for Groklaw on MyDoom. I found him when I was reading about MyDoom on Slashdot for the story I did about the crank calls, and I noted a comment from someone who seemed knowledgeable about protecting companies from such things, who said that he dealt with such issues on a daily basis in connection with his work, and that in his opinion, this had all the earmarks of professional spammers, not a Linux enthusiast. How, he wondered, could the media get this so wrong?

So I contacted him, after researching a little about him and his work (he did computer work for six years for the US Air Force and now works in network support and does web design). I asked him to explain a bit about MyDoom and why he is convinced from the way MyDoom was written that it is professional spammers. SCO isn't the main target, in his opinion.

He isn't alone in that opinion, by the way. Did you know that MyDoom will attack Kazaa next? It seems MyDoom will create worm-laden copies of entertainment software after the attack on SCO.

Here's information on this angle:

After the planned assault on licensing company SCO, other coming MyDoom backdoor attacks will target users of the Kazaa peer-to-peer file sharing network by creating worm-laden copies of popular entertainment software swapped over Kazaa like the Winamp music player and the game Nuke2004. When run, these generate new floods of MyDoom e-mail.

The Independent also has a very thorough report, and a number of experts confirm that this looks like the work of criminals known to do this sort of thing. Here's a snip or two to give you an idea:

But to security experts, MyDoom marked a serious step up in the evolution of the virus because it had all the fingerprints of organised crime. MyDoom did not just email itself to addresses found in the files of any computer it infected. It also installed a "back door" that would let hackers control your machine remotely; it installed "keylogging" software that would silently note every keypress, including bank passwords and credit card numbers when you used web pages; and it could direct a deadly attack on a particular website belonging to a software company called SCO.

It seems the purpose of the backdoor is often to threaten the company: pay a ransom or it will happen again. Such threats did happen just before the SuperBowl to gambling sites:

Couldn't MyDoom just be an annoyed Linux programmer's revenge? It is possible, but unlikely when you view it in the context of other well-organised online crime. A week ago, as the American Super Bowl was ramping up, the owners of online gambling sites were nervously staring at their screens, waiting to see if they would be hit by a DDOS that would make them disappear from the internet, just at the time they would want to be open and ready for gambling fans.

Before the game started, Ido Raviv, the manager of Netgames in Belize, which runs the online sports book, said: "I expect that on Sunday, during the Super Bowl, you're going to see a lot of [sports betting] websites down. I know it for a fact. Everybody's scared."

They were right to be. Though Riverhead Networks, a company which offers entirely legal network protection against DDOS onslaughts, was able to fend off a number of attacks against gaming sites which began on Friday and continued through the weekend, far more sites were not so lucky. They were disabled. "DDOS attacks are becoming a significant and growing threat to online enterprises, government agencies and providers of all sizes," said Steve Woo, who is in charge of business development at Riverhead.

Of course, the ransom demand could be drop the lawsuit instead of money, they acknowledge, but even then, they conclude, the demand wouldn't be from anybody but a well-organized criminal gang. The sophistication of the code and the general MO points to that conclusion. There is also a box at the end of the article, listing things to look for on your Windows computer that would indicate your computer is compromised.

So there is more to this story than SCO. In fact, SCO doesn't seem to be the primary target after all. With that background, here is the article by Paul Couture. (For those interested in the what-has-happened-to-journalism topic, here is a related article on that very subject in Online Journalism Review.)


Whatever Happened to Investigative Journalism?
~by Paul Couture

After making a post on /. a few days ago regarding the Mydoom.a virus and the now infamous media stories from authors that were apparently easily duped by a secondary exploit that the worm carried out, I was shocked to find a request from our own beloved hero, Pamela Jones, in my inbox requesting that I expand a bit on some of the points in the post for the loyal readers (and those of you just stopping by) here at Groklaw. I couldn't resist the opportunity.

First off, let me tell you a bit about myself. One of the things I find unnerving about "Internet Media" is the fact that you often know little about the source of information, so I'll do my best to explain why I feel qualified to make the comments I will be making. First off, I love computers, all computers, always have - almost as far back as I can remember. My first computer was a Commodore Vic-20 and I was lucky enough to get it when I was the tender young age of eight, and I was a published programmer not long after. I helped to set up and run one of the first BBSs in the Southeastern United States, and learned all I could about making these wonderful new tools do the things I wanted them to do. Since those early days I have tried to remain active with computing because it has always been one of my true loves. The advent and growth of the Internet only fueled that passion, and I have been professionally developing web sites, and providing computer and network support for close to five years now. I spend most of my waking hours cultivating quite a monitor tan.

I am a Linux user, my preferred distro is Mandrake 9.1 - but I spend quite a bit of time behind the keyboard and mouse of Windows machines, probably more than I get to spend on my own Linux box. I have provided technical support for almost every major operating system since Windows 3.1. I have done well over a thousand clean OS installs, I build PCs, I do my best to teach "newbies" the ropes, and I troubleshoot computer issues every day. I work for a well known web-based software developer for the automotive industry, and I am a strong advocate for diversity in operating systems because of the security against large cascading failures that it provides. Furthermore, as I learned in six years in the USAF, you work most efficiently when you apply the "Primitive Pete" rule - use the right tool for the right job.

One thing I have learned over the past few years is something that most of you already know: since the dot-com bubble burst, there has been a huge increase in the number of people who want to get rich quick with the Internet, and they won't let things like morals or scruples stand in the way. The vast majority of problems I deal with aren't buggy software issues, hardware failures, or gaping security holes being exploited; they are spyware and spammers. People that are getting rich quick off the backs of unsuspecting users - and viruses like Mydoom, Sobig, and many of the latest fast spreading e-mail worms are just the latest tool in these unscrupulous types' bag of tricks. Most of the media aren't tech-savvy enough to realize this, and so when something is attached like a distributed denial of service attack (DDoS) on SCO, a company that seems to love playing the victim for the media's cameras, it's easy for them to point their fingers at that rogue group that uses the "other, other operating system - Linux."

Mydoom.a was the fastest spreading Internet worm in history. The most reported, and most common misconception is that this virus's purpose was to create a DDoS against SCO's web servers. While this is partially true, anyone who takes as much as 5 minutes to research the virus, will find that Mydoom.a is a vicious, evil wolf in grumpy, annoyed, yet still scary, wolf's clothing.

Let's examine what MyDoom really does. A quick visit to is where I usually start my research into these little nasties when they start to affect my world. Symantec is the maker of Norton Anti-virus software - my personal choice in anti-virus protection for Windows based PCs. By visiting the Security Response section, and searching for the virus by name, or by looking at the 10 latest virus threats, you can find the following information about the Mydoom.a virus. I'll save you the clicking on the links and provide you with a quote right here:

Quote From Symantec: Norton Security Response - mydoom.a

"W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

"When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

"In addition, the backdoor can download and execute arbitrary files.

"There is a 25% chance that a computer infected by the worm will perform a Denial of Service (DoS) on February 1, 2004 starting at 16:09:18 UTC, which is also the same as 08:09:18 PST, based on the machine's local system date/time. If the worm does start the DoS attack, it will not mass mail itself. It also has a trigger date to stop spreading/DoS-attacking on February 12, 2004. While the worm will stop on February 12, 2004, the backdoor component will continue to function after this date."

Ok, first off, let's see what the real purpose is here, since most of the media reports I have seen appear convinced that the only purpose of this virus is to attack SCO in retaliation for their attacks on the Linux community.

Only one in four infected machines will participate in a DDoS attack on SCO, and those that are infected and set to participate, will in fact, cease spreading the virus to other computers (probably in an attempt to appear uninfected as anti-virus programs are updated, but users are too "busy" to allow for a full system scan.) Still, though this means that 75% of the infected machines will have a whole different purpose to their infection.

  1. To spread as far and as fast as possible.
  2. To make the machine what is commonly called a "zombie box" for the worm writer's true intentions down the road.

Both the 75% that do not participate in the DDoS and the 25% that do will be in the same boat after February 12, 2004. They will cease spreading, and attacking, yet will remain active "zombie boxes" for other uses. The simple fact that only one in four machines is going to be part of the DDoS attack tells me right off the bat that it can't be the virus writer's main intention. If it were, the virus writer is weakening how effective the DDoS will be. When I was in the military, they called this type of thing misdirection and camouflage - and it seems to be working extremely well for those behind this little gem.
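Because the backdoor keeps listening after the February 12 cut-off, a host can be checked for TCP listeners in the 3127-3198 range given in the Symantec quote. The following Python is an added example, not code from this article or from Symantec; the sample netstat output, addresses and PIDs are constructed, and handling Linux-format output alongside the Windows format is a generalization beyond what the quote covers.

```python
"""Flag TCP listeners in the port range that the quoted Symantec text
attributes to the Mydoom.a backdoor (3127 through 3198), using saved
`netstat` output as input."""

# Port range from the Symantec quote above, inclusive on both ends.
BACKDOOR_PORTS = range(3127, 3199)
# Windows netstat prints LISTENING, Linux netstat prints LISTEN.
LISTEN_STATES = {"LISTENING", "LISTEN"}

# Constructed sample in Windows `netstat -ano` layout (not real data).
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1508
  TCP    192.168.1.20:3150      203.0.113.7:80         ESTABLISHED     2296
  TCP    [::]:3198              [::]:0                 LISTENING       1508
  UDP    0.0.0.0:3130           *:*                                    1044
"""

# Constructed sample in Linux `netstat -tln` layout (not real data).
# 3128 is inside the range but is also the default port of the Squid proxy,
# so a hit means "identify the owning process", not "infected".
SAMPLE_LINUX = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN
tcp6       0      0 :::3199                 :::*                    LISTEN
"""


def find_backdoor_listeners(netstat_text):
    """Return (local_address, port, owner) for each TCP socket that is in a
    listening state on a port in BACKDOOR_PORTS. `owner` is the column after
    the state (the PID in `netstat -ano` output) or None when absent."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip banners, headers, blank lines and non-TCP rows (the quote
        # describes TCP ports only).
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        state_idx = [i for i, f in enumerate(fields) if f.upper() in LISTEN_STATES]
        if not state_idx:
            # ESTABLISHED and similar rows are ignored: an ordinary outbound
            # connection can be assigned a local port inside the range.
            continue
        # The local address is the first column containing a colon; Linux
        # output has two numeric queue columns before it.
        local = next((f for f in fields[1:] if ":" in f), None)
        if local is None:
            continue
        port_text = local.rsplit(":", 1)[1]  # works for 0.0.0.0:N, [::]:N, :::N
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if port in BACKDOOR_PORTS:
            nxt = state_idx[0] + 1
            owner = fields[nxt] if nxt < len(fields) else None
            hits.append((local, port, owner))
    return hits


if __name__ == "__main__":
    for name, text in (("windows", SAMPLE_WINDOWS), ("linux", SAMPLE_LINUX)):
        for local, port, owner in find_backdoor_listeners(text):
            print(f"{name}: listener on {local} (port {port}), owner={owner}")
```

A hit only says that something is listening in the range; the owning process still has to be identified before concluding the machine is infected.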

To give another comparison, think about the first Gulf War. Allied forces used a small group of the US Marines and the Navy to stage an attack on the Kuwaiti coastline to the east, while the vast majority of the forces moved in from the southwest catching the Iraqi army completely off guard, dug in with their turrets turned the wrong way. That is what is happening here. The virus writer is sacrificing 25% of the machines he/she can infect to launch a weak, brief, and what should have been a largely ineffective DDoS against SCO and drawing fire away from his/her true intent of creating a vast network of "zombie boxes" to do his/her bidding at a later date.

Next, let's look at one of the largest and most reported viruses of the last year, aptly named Sobig. Like the vast majority of computer worms in the past year or so Sobig had the primary purpose not of destroying data, not of being destructive to networks and systems, but in spreading and creating a vast network of "zombie boxes" for the purpose of launching more and more unsolicited commercial e-mail, commonly known as spam. Just like Mydoom, but without the nasty payload on 25% of the infected machines. A quick search on Google provided the following information:

Quote from C|Net's Robert Lemos's Article "Sobig spawns a recipe for secret spam" - June 25, 2003

"Initial analysis by antivirus companies indicated that the mass-mailing computer worm, called Sobig.E, doesn't have a malicious payload. However, e-mail service provider MessageLabs believes spammers will use the virus's mail program on victims' computers to send anonymous messages.

"'This is almost certainly being precipitated by a spammer that is trying to create more open relays to send spam,' said Mark Sunner, chief technology officer for the New York-based company."

This has been the norm for the most common viruses/worms over the past year. Mydoom shares a lot in common with these other viruses as well. It appears to have been written by an individual or very small group, it also appears to be written for hire (at least in the ".b" variant) and seems to have originated in Russia - the same place that much of the worst spam you get originates. For most of the press, it was easy to see that Sobig was a way to send more spam every day via infected computers with new open relays because that was the main and obvious purpose of the virus. Suddenly, when Mydoom hits, everyone seems to forget that, and decides that because a small percentage of the infected machines do something sensational, attack a company that thrives on this sort of publicity for example, they ignore the fact that the majority of infected machines will be doing the same thing that happened with Sobig.

The camouflage worked.

Something else that these viruses have in common, is they remain on the system to receive further instructions down the road, create their own self-controlled SMTP server so that they can e-mail out whatever, and whenever the virus writer pleases.

That is the true intention behind Mydoom, and Sobig, and many other fast spreading viruses over the past year. To generate more spam. The war on spam has escalated to the point that laws are being passed to try to stem the flow, filters are becoming the norm, and the average user is learning the old trick of not buying from, and deleting spam when it shows up in their inbox. That means you have to send more spam to get those few sales you do get and therefore make your effort profitable.

I find it interesting how quickly this worm spread. It almost instantly spread out from thousands of "infected" machines. My own e-mail account had received almost sixty copies of the virus an hour before it was even given a name. Who in the world has the ability to suddenly mass e-mail out to millions a virus laden e-mail? Maybe it would be the same people that send out millions of e-mails everyday - professional spammers.

If indeed the purpose of this snippet of code is to make more spam launching points, and it appears that it is, then by including the DDoS on SCO the virus writer(s) accomplished their job: they made the uninformed and spoon-fed in the technology reporting sector take the bait and misdirect the anger toward the virus writer at a completely different group, Linux users, a group commonly known to despise this sort of tactic. One of the primary reasons most of the community will state they migrated away from other operating platforms is that they love the security and relative safety that Linux provides. They have also chosen to ignore the more deadly and dangerous payload that is the true purpose of the worm.

If I were to stoop to the level that I would write a virus like this, I would probably be thinking along the same lines, by including something like a DDoS, I would be masking my true purpose, and make it hard to find me based on my intention and purpose. By attacking a rather unpopular company, I would also become a needle in a stack of needles, instead of the proverbial needle in the haystack.

I won't lie, and I look at this whole situation objectively. I honestly believe that there could be a tiny minority of Linux users somewhere that might attack SCO. Comparing the entire Linux community to such a small sub-group that might ignore the law is like saying that everyone that owns an automobile supports late-night drag racing. There are zealots for everything on this planet, and you can't blame an entire community of millions for the actions of a few. There are probably many more "script kiddies" out there using Windows to hack away at Yahoo Messenger in VB so they can boot people they don't like from chat rooms. Does that mean that all Windows users hate Yahoo and are busy coding away in their parents' basement? Of course not.

By attacking the entire user base, SCO and the media spoon-fed by their press releases have certainly given this impression of our community. Furthermore, they have drawn the ire of millions away from the true people that deserve it, the people that flood your child's inbox with advertisements for porn and offer to sell you illegal prescription drugs in plain packaging.

It would do us all some good to learn to research before we react, especially if our reaction is to publish a story that will affect the opinion millions of readers have about a community as diverse as Linux users.


Whatever Happened to Investigative Journalism? - by Paul Couture | 253 comments
Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: Nick_UK on Sunday, February 08 2004 @ 04:26 PM EST
Ummm. And being a Sysadmin, I was astonished how this spread SO fast across the
Internet without using any vulnerabilities whatsoever - except people executing an

_That_ is what is scary.

And here is another scary thing. I mailed all my users on the day it became
apparent in the UK (I think the Tuesday morning), basically telling them to
*THINK* and if in any doubt DELETE any suspicious e-mail - treat GUILTY until
innocent even if sent from your Mum.

I had one user actually open the attachment, embed it in a M$-Word document (I
know, I know) and mail it to me - "Is this the virus?" he asked?

To say I was livid is not the word.


[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: Anonymous on Sunday, February 08 2004 @ 04:28 PM EST
Good article!
Especially considering the number of complaints news organisations are getting
that direct them to groklaw as a source for balance.
Are you sure spam should be capitalised? I was under the impression
"spam" is unsolicited mail and "SPAM" is a trademark of a
pork luncheon meat producing company.

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: grouch on Sunday, February 08 2004 @ 04:29 PM EST
Great job, Paul!

TheRegister recently posted an article that might explain why so many boxes were vulnerable:

Clueless office workers help spread computer viruses

"Two-thirds of the 1,000 people quizzed by market researchers TNS in January admit they are not aware of even the most basic virus prevention measures."

These folks either need responsible reporting to inform them, or a system that protects them better from their ignorance.

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: Stumbles on Sunday, February 08 2004 @ 04:37 PM EST
Nice article. Though I still think the real culprits are those companies that pay the spammers. I mean, somebody has to be paying these guys, the spammers are not doing it for free.

[ Reply to This | # ]

Licensing Company
Authored by: lpletch on Sunday, February 08 2004 @ 04:59 PM EST
"After the planned assault on licensing company SCO"

Licensing Company

I like that.
Very good reporting.
More factual than most.


[ Reply to This | # ]

Click-to-run madness!
Authored by: freeio on Sunday, February 08 2004 @ 05:02 PM EST
Quite frankly I lay this one directly at the feet of Microsoft. My reason is
that, in the name of user convenience, they have created a system which
inherently trusts all input from outside, and is set up specifically to run
attachments. They have, in essence, created a situation where the vast majority
of their users (who will NEVER "get it" with regard to security) are
immediately susceptible to the crassest of trojan horses.

My BOFH background is telling me that there are some folks for whom a fully
protected sand-box environment is all they should ever be allowed. The entire
"click here to get a really neato mouse cursor" culture is an
extremely foolish thing. Do that on any of the systems I administer and you
will be pushing a number 2 pencil instead of a keyboard for a long time.

The very idea that anything sent by email from anyone at all should be
immediately run with one click is absurd. No, worse than that, it is actually
evil. This violates every "safe software" guideline imaginable. The
semi-clueless should never have the default choice infect their system.

Oh, never mind. I am tired of being considered a modern Ned Ludd by those who
figure that I am somehow the sysadmin spoil-sport, because I am constantly
harping on why they must never do what seems to them to be harmless. Microsoft
in their wisdom has created the perfect agar for trojan horse growth and
propagation, and I see no way out. Pandora's box is open now...


[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: Anonymous on Sunday, February 08 2004 @ 05:16 PM EST
nice article, thanks for the information

[ Reply to This | # ]

What are the chances....
Authored by: grampa1951 on Sunday, February 08 2004 @ 05:18 PM EST
that SCO has links to Organized Crime?
Seems more likely to me than Mydoom being linked to the linux

[ Reply to This | # ]

How about the right target for Anti-Spam Laws?
Authored by: Anonymous on Sunday, February 08 2004 @ 05:27 PM EST
Since the vast majority of these unsolicited messages are sent with the intent
of selling something (yes, I know, there are the Nigerian and other scams) and
the legislation passed to date seems mostly futile, maybe we should reexamine
the target of the legislation. Let's put the burden on the SPONSORS of the
messages: those businesses that pay, directly or indirectly, for their messages to
be sent using these techniques.

Without their dollars going to the spammers, the stream should be cut
substantially. And the sponsors can't be very deeply hidden, else their spam
targets wouldn't be able to find them to do business.

Of course, this won't be the cure to the entire problem since the criminal
scammers won't be threatened by this approach, nor will be the politicians
paying to have the email sent, since they will exempt themselves from coverage.

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: Anonymous on Sunday, February 08 2004 @ 05:30 PM EST
On the opposite end of the scale, take a look at this drivel the journalism
students at the University of Montana pumped out on Friday, Feb 5:

Old news and many inaccuracies. Obviously no investigating whatsoever was done
for this piece. You may vent your anger by emailing

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: RSC on Sunday, February 08 2004 @ 05:31 PM EST
Thanks PJ for asking for and publishing Paul's excellent article.

It is comforting to know that there are still a few sane voices reaching the
public, when there are so many media outlets who are no longer driven by the
need to inform the public.

Quite a few people here and in other forums have expressed their disgust at
the media droids' willingness to forgo research, in favor of regurgitating press
releases from organisations who have the appearance of legitimacy. If the media
in the '70s behaved the same way as they are now, the Watergate fiasco would
not have been uncovered, and the US would never have known about Nixon's behaviour.

What really scares me is that we no longer live in a world where the media
undertake any real investigative Journalism. Because of this we have no idea of
what is really going on. What sort of issues are we missing? How are we to know
what the governments and corporations are really up to? As it is, we may never


An Australian who IS interested.

[ Reply to This | # ]

Is it really the dumb users fault?
Authored by: mac586 on Sunday, February 08 2004 @ 05:38 PM EST
Thanks for the insights Paul, and for participating at Groklaw.

At home I use a router as a firewall, Mandrake 9.2 on my workstation and laptop,
but I have one WinXP box for my wife and daughter to use (QuickBooks Pro and
Games). Of course, I run Norton Antivirus with the most secure settings, and
have installed the latest Mozilla for surfing. I filter my mail through
SpamAssassin, but the latest tactics still let a lot of SPAM filter through. I
try to keep up with the latest MS patches, and as an IT professional, I am much
more informed than the average user.

Even with these precautions, I get uptight every time a Melissa or a MyDoom hits
the web. This leads me to the one topic you didn't address in your article.

With MyDoom, I was amazed at how the press repeated the MS mantra of "it's
the dumb users fault." Actually, the users do the clicking, but the OS is
doing the executing.

If a letter bomb blows up in the mail room, it is not the clerk's fault!! The
blame ultimately rests with the bomber, but also with the flawed security
measures of the mail system. Too much of the press blamed the media and very
few, if any, questioned the security flaws in MS applications and operating
systems. The spammers would be out of business very quickly if MS products were
not so damn vulnerable.

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: the_flatlander on Sunday, February 08 2004 @ 05:43 PM EST
Thank you Mr. Couture, great article, it was informative, authoritative and

Thank you PJ, great find, great idea, nice catch.

The Flatlander

Groklaw: Better, faster, stronger than all other News Sources. People who
*want* to know tune to Groklaw.

[ Reply to This | # ]

ERROR: This is not *investigative* journalism.
Authored by: Anonymous on Sunday, February 08 2004 @ 05:54 PM EST
A fundamental mistake. This is hardly *investigative* journalism. It is
*informative* journalism. It explains. I see very little investigation in the
entire story. And the introduction by PJ was a little too gushing.

Please sell it for what it is, PJ.

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: Anonymous on Sunday, February 08 2004 @ 05:55 PM EST

As a lurker, I found this interesting news commentary

[ Reply to This | # ]

Missed a couple of things -- Nitpicking
Authored by: Anonymous on Sunday, February 08 2004 @ 06:53 PM EST
The backdoor component wasn't a "standard" backdoor component, it was
specifically tailored for this virus. It also won't accept many
"standard" connections. Because of this reason alone IMHO it isn't
being used for SPAMing, but DOS/DDOS attacks. I kinda think PJ got it right
with the possible link to sports betting, but I haven't seen any empirical
evidence for this connection. More than likely someone was looking for an army
of robots and got *incredibly* lucky.

It looks like the DOS on SCO only being used 25% of the time is a *programming*
error, not intentional (There are references for this -- it's time/clock

The "bad" guys aren't scanning and using this backdoor component as
much as they normally do when a virus like this comes out. Scans for the
backdoor component aren't high enough, and comparable to Sobig.x viruses.

Excluding my comments it's a good overview of the problem(s) facing most admins
these days (ugh!).

[ Reply to This | # ]

The Independent report
Authored by: Anonymous on Sunday, February 08 2004 @ 06:57 PM EST
A few nitpicks with the Independent report here:
SCO says the free Linux operating system contains code copied from Unix, which it now owns, and is demanding damages and licence payments, a demand which has met a collective raspberry from Linux users.

Following the latest change of course, "copied" should probably be changed to "derived".
As mentioned earlier, "which it now owns" is rather too simplistic.
There are two problems :
(1) There are multiple versions of Unix
(2) SCO's "ownership" is disputed - the extent of its rights over the relevant UNIX versions is unclear.
Possible rewording would be :
"SCO says the free Linux operating system contains code derived from its version of Unix, and is demanding ..."

On 1 February, SCO's website disappeared from the internet under a blizzard of hits. These were known as a DDOS (distributed denial of service) attack from MyDoom-infected PCs. SCO's servers were kept so busy answering trivial requests to identify themselves (called "pings") that they had no time to display web pages.

Whilst the errors in this paragraph don't change its meaning, it's worth trying to get the story right.
The attack wasn't "pings", it was http "get" requests. Pings were already being stopped before reaching the site, and would probably have had no significant effect.
SCO actually chose to take the site down, initially by simply disconnecting http connections without response, then by removing the DNS record, so that infected PCs couldn't locate it to attack it. Assuming the weight of the attack justified it, this was a "responsible" way to handle it, minimising the effect of DDoS traffic elsewhere.
At the time the site was removed (around 1800 GMT on Feb 1st) it was probably also being "Slashdotted", making it difficult to assess the weight and effect of the DDoS attack.

[ Reply to This | # ]

SCO DDOS is only medium sized
Authored by: jeleinweber on Sunday, February 08 2004 @ 07:07 PM EST
Another aspect of the MyDoom story which is even more underreported than the
Russian mafia / spammer / backdoor aspect is that the DDOS against SCO is not
actually that severe as such things go. If anyone starts claiming it was
"the biggest ever" or other similar hyperbole, demand that they back
that opinion up with some hard facts.

Some examples from 2003 illustrate what other people have been coping with. A
year ago the SQL slammer worm caused a general slowdown of the Internet for
around 26 hours, including completely knocking down the Korean national
backbone. IRC networks which have incurred the wrath of the computer underground
have been subjected to DDOS attacks involving 2-3 gigabits/second for weeks on
end. Several anti-spam sites were forced to shutdown permanently by repeated
DDOS attacks, presumably fomented by spammers. When the MSBlaster/LoveSan worm
was trying to take down Microsoft's windows update site last August, they had to
push their content over to Akamai's distributed cache network for a while. In
comparison with these, the attack on SCO, while equally deplorable, is not very

I'm not part of the ISP community and don't have any numbers for internet
traffic into Utah recently, but I don't believe SCO was having that scale of
problem. For example, other IP addresses near the former server
such as remain accessible, and traceroutes from various places
around the country into the upstream ISP aren't showing problems with
packet loss or latency.

Opinions on SCO's response to the impending DDOS were scathing. Among folks
more closely associated with NANOG (that's the North American Network Operators'
Group, made up of the folks that actually run half the Internet on a day to day
basis) than I, the general sentiment was that a corporation with a clue and a
will to survive should have coped much better. They seemed to think that either
SCO wanted to milk the DDOS for publicity by suffering visible damage, or that
they were responding to the threat ineffectively, or perhaps both. Conspiracy
theorists might note that SCO's web site is not as essential to their day to day
operations as Microsoft's or Cisco's is.

Note that part of my information on SCO's situation and IRC attacks is hearsay,
not direct personal knowledge. But I am a member of the incident response team
for the University of Wisconsin - Madison ("BadgIRT"), which is
affiliated with FIRST, and I do have personal acquaintance with and trust in my
sources for this. Unfortunately, confidentiality restrictions forbid me to cite
them directly, and when I asked for permission to quote them in this public a
forum, they declined. The rest of this is public knowledge.

For examples of some of the accessible information, has some data
and analysis papers for SQL-Slammer and the December syn-flood attack against
SCO. Note that modern operating systems such as Linux haven't been moderately
resistant to SYN-flood attacks for several years now. Provided your ISP's
network pipes aren't filled by the traffic, well managed servers should stay up
and functional.

-- Jim Leinweber (Madison, WI)

[ Reply to This | # ]

Corporate PC users.
Authored by: Buddha Joe on Sunday, February 08 2004 @ 07:11 PM EST
I have worked in IT for about 9 years now. Done everything from Break and Fix to
Net Admin work, just about all of it in the financial industry. Most of it in
Desktop Support (by choice.)

What I have found is that the users just do not care. They can't be bothered to
learn anything about the tools they are using (their PCs). In their minds it is
not their job, it is IT's job. Their time is much too valuable to be wasted
learning anything about their machines other than I click on the blue thingy it
dings then I click on the pink thingy.

It boils down to arrogance and apathy.

The only stupid question is the one never asked

[ Reply to This | # ]

Tactical goals in indirectly targeting Linux users
Authored by: Anonymous on Sunday, February 08 2004 @ 07:19 PM EST
Here's an aluminum foil hat speculation for you all. One consideration that has
not been addressed so far - at least that I know of - is that because OSS
systems are inherently more secure, even if not perfectly so, they offer less
opportunity for spammers and computer extortionists. These
"professions" are dependent on the prevalence of Microsoft and the basic
trust mode. The proliferation of Linux and BSD as desktop systems and as
secured servers creates a potential growth obstacle for spammers and online
extortionists who think strategically. Therefore, it becomes a valid tactical
goal for spammers and others to limit the proliferation of secured systems. It
could be then, that SCO was targeted, but Linux and the Open Source community
were the target of choice. One can also argue, given the above that spammers
and other computer criminals do not expect MS operating systems to be secured in
the near future.

[ Reply to This | # ]

Microsoft source code was stolen in Fall 2000 by Russian hackers
Authored by: Ursus_Orribilus on Sunday, February 08 2004 @ 07:32 PM EST
Remember when Microsoft's own in-house developer servers were compromised in the
fall of 2000, while they were still working on XP to rush it to gold? At that
time, it was discovered that there had been a back door open into their
non-public servers for at least six weeks, and a significant amount of the
source code for XP had been stolen. Now, perhaps, we can see what use they may
have intended putting that stolen code to use for.

[ Reply to This | # ]

Why make a noisy virus?
Authored by: valdis on Sunday, February 08 2004 @ 07:46 PM EST
Here's something I wrote for the NANOG mailing list on why a professional hacker would write such a noisy worm for his masters:

Consider - the perpetrator releases a very noisy worm with a DDoS engine on it (admittedly buggy). Then you go on vacation someplace warm and sunny, where visually attractive people of your preferred gender are walking around wearing a lot less than you need to wear where you were...

Computers catch it. Computers spew it. Computers do their DDoS tapdance. Hopefully users and ISP staff notice and take action.

Then 3 weeks later, you come back, tanned and rested - and run another scan. If you find your spam backdoor on port 3127 still open on a machine, you can be fairly sure you can spam away with impunity - if the user and their ISP didn't notice the box spewing mail the FIRST time, they won't notice the second time.....

[ Reply to This | # ]
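
A defender's side of the re-scan described in the comment above, as an added example that is not part of the original post: it audits a host's own `netstat -ano` output for a listener on port 3127. Only the port number comes from the comment; the sample output, addresses, PIDs and function names are constructed for illustration, and the backdoor is treated as TCP.

```python
"""Audit `netstat -ano` output for a listener on the backdoor port named above."""

BACKDOOR_PORT = 3127  # taken from the comment; everything else here is an assumption

# Constructed sample (documentation addresses, made-up PIDs), not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1520
  TCP    192.0.2.10:1045        198.51.100.7:3127      ESTABLISHED     2212
  TCP    192.0.2.10:3127        203.0.113.9:4410       ESTABLISHED     1520
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:3127           *:*                                    900
"""


def _port(endpoint):
    """Return the port of 'addr:port' or '[v6]:port', or None if it is not numeric."""
    try:
        return int(endpoint.rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None


def parse_tcp_rows(text):
    """Parse the TCP rows of netstat output; headers and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        rows.append({
            "local": fields[1],
            "remote": fields[2],
            "state": fields[3].upper(),
            "pid": fields[4] if len(fields) > 4 else None,  # present with -o only
            "local_port": _port(fields[1]),
            "remote_port": _port(fields[2]),
        })
    return rows


def audit(text, port=BACKDOOR_PORT):
    """Return findings for sockets whose LOCAL port is the backdoor port."""
    findings = []
    for row in parse_tcp_rows(text):
        if row["local_port"] != port:
            # A remote port of 3127 is traffic from this host to another
            # machine, which is outside what this check looks for.
            continue
        if row["state"] == "LISTENING":
            kind = "listener"   # strong signal: something accepts connections here
        elif row["state"] == "ESTABLISHED":
            kind = "session"    # weaker alone: could be a coincidental ephemeral port
        else:
            kind = "other"
        findings.append({"kind": kind, "local": row["local"],
                         "remote": row["remote"], "pid": row["pid"]})
    return findings


def pids_to_investigate(findings):
    """PIDs that own a listening socket on the audited port."""
    return sorted({f["pid"] for f in findings
                   if f["kind"] == "listener" and f["pid"]})


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT):
        print(finding)
    print("PIDs to investigate:", pids_to_investigate(audit(SAMPLE_NETSTAT)))
```

An established session on local port 3127 with no matching listener deserves a second look before it is called an infection, since a client socket can be assigned that number by chance.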

Ransom? I doubt it.
Authored by: Anonymous on Sunday, February 08 2004 @ 07:51 PM EST
If anyone (Linux supporter or plain criminal) were attempting blackmail SCO
would have gone public instantly and claimed it as harassment from Linux

They have not done that, I consider that 100% conclusive proof there's no
blackmail plot. 99% conclusive there's not the slightest evidence SCO can find
that OSS or Linux people were even implicated.

SCO simply could not resist an opportunity like this.

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: Anonymous on Sunday, February 08 2004 @ 08:01 PM EST
Make no mistake, SCOG is not influential nor significant enough to get
these headlines without outside help from VERY influential forces.
Think about it. SCO is just a pawn in a much bigger game.

Major advertisers have a huge influence over the content of magazines.
It is impossible for me to believe that Microsoft was not involved.
They have the money, the clout, the motive, the linux paranoia, and
the lack of morals to push any journalist they can find to publish
their propaganda and anti-linux FUD.

[ Reply to This | # ]

OT, Way, Way OT
Authored by: the_flatlander on Sunday, February 08 2004 @ 08:36 PM EST
Sorry, this is way off topic, and purely information free...

So, I see the whole fiaSCO as one of the silent movies, a'la the Perils of
Pauline, er, Pamela...

Darl, as Simon L'Gree
PJ as the star, Pamela... (metaphorically speaking, as Linux), you see...
Linus Torvalds as Dudley DoRight
The train is labeled I. B. M. for the Indianapolis, Baltimore, Montreal Line.

So, Simon L'Gree ties himself to the railroad tracks, and Pamela's at the
throttle on the train, and Dudley is loading coal into the firebox as fast as he
can. And the train just keeps picking up speed, and well, the cameras cut away
of course, but Simon really affixed himself well to the tracks, so let us just
say: he won't show up in the next installment.

See? That's what's wrong with the story the SCOundrels are enacting, it doesn't
really have space for a happy ending for them.

The Flatlander

Really, I think PJ should just ban me from the site. I'm addicted; I'm not in
control of this anymore. She should feel free to crush this post... It's just

[ Reply to This | # ]

I suspect spam itself is the tip of the iceberg
Authored by: mjscud on Sunday, February 08 2004 @ 08:41 PM EST
I think sending spam is as secondary a use for these worms as was the DOS attack
on SCO. It's zombies the perpetrators are after.

Sending spam is a relatively small budget operation, and leaves a fairly easy to
track down financial trail. I think the real goal is financial markets and
electronic money, or perhaps blackmail.

Probably the real target is getting a lot of zombies that can all buy a stock
which you can profit on as the price goes up, without it being obvious who you
are. Or some similar nefarious scam that can rope in somewhere in the 10s of
millions and up.

Even a fool, when he keeps silent, is considered wise. Proverbs 17:28

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: toolboxnz on Sunday, February 08 2004 @ 08:48 PM EST
Having read a few of the threads in here which blame the dumb users, it's not
entirely their fault (other than using Outlook/Express, of course). I am
currently on a long term contract developing and maintaining email marketing
software (no, we're not spammers :p) which runs on Windows. I prefer to code on
Unix platforms but a job's a job and all that.

Anyway, to the point.

Our incoming mail system was getting heaps of stuff coming in from the MyDoom
virus and they were sitting in this Exchange mailbox. I logged in this morning
using Outlook to check how much was currently in the inbox. I saw there was
an email that was a MyDoom one (stupid virus writers that make it so easy to
spot them by always making the subject the same) and thought I'd open it (just
the email) to see what was in it.

As soon as I opened the *email* an open dialog box opened up. I didn't click
anything other than open the message. Being a smart user I know to shut that
dialog box down and not do anything. But note that in just *viewing* the email
and not clicking on the attachment Outlook was able to open this dialog. I'm
sure even relatively smart dumb users might get caught out here and do something

What's even scarier is that by default Outlook/Express have that preview pane
open so as soon as an email hits your inbox it displays in the bottom pane,
activating whatever nasty scripts are in the email *without you even doing

Every time something like this virus hits it makes me so glad my platforms of
choice are Linux and *BSD. And it can only get worse for Windows users. This
virus was by all accounts pretty sophisticated. But I'm sure it could be made
much sexier and harder to spot than it really is...

[ Reply to This | # ]

Media influence and Loss productivity.
Authored by: RSC on Sunday, February 08 2004 @ 08:52 PM EST
Back in July 2001, I worked for a large outsourcing company as a firewall
engineer in the Secure Internet Gateway they were running for a group of govt.
depts. When the code red worm hit, all in the team were on it like a flash, as
you would expect. Within an hour of the release of the virus sig file update, it
was in and running and nuking any that came our way.

At the same time we verified that the firewall rule sets on the three firewalls
between the internet and our customers were right to handle any eventuality and
we also verified that the autoupdate for the desktop and server virus checkers
was working and that the new sig file was distributed.

All in All we were very well covered, and only recorded a few instances of the
worm getting through before the measures were put in place. All those that had
got through had been picked up before infection.

In other words we had done everything right and our customers had not been
impacted internally to any degree.

Fine, you might say. But we were ordered, as so many others in the industry had been,
to shut down the gateway. The reason? Because of the media hype. We strongly
recommended not to because we were well covered, but the order had been from
the top, so we unplugged the incoming internet connection physically. For 2 days
the gateway was offline.

Here we have a perfect example where the media's stupidity actually created a
loss of productivity because the execs listened to them and not to what their
technical "experts" were saying.

Based on this type of response, how many organisations around the world have
placed less of a priority on MyDoom because all they see it doing is the DDoS,
but not the other two nasties, based on the media's lack of details?



An Australian who IS interested.

[ Reply to This | # ]

I challenge that MYDOOM came from Russia
Authored by: Night Flyer on Sunday, February 08 2004 @ 08:55 PM EST


Why does everyone say the virus came from Russia? Aren't the coded comments in
English? Aren't the false file names it generates in English? Yes, yes, I know
lots of people in Russia speak English, but...

Suppose I wrote a virus. If I E-mail it to several people in Russia, and it
circulates inside Russia for a while, eventually it will spread beyond the
borders to North America. It is inevitable, because there is so much E-mail
traffic in North America, and between North America and everywhere.

Because of language-cultural-political-legal differences between Russia and our
country, we really can't track the virus's path within Russia, much less verify
its ultimate country of origin. Besides, it was probably re-sent multiple times
before it was noticed as viral, and before it went beyond the Russian borders.

If the virus writer spoofed the original sending address as coming from someone
in Russia; BINGO, it's Russian, (or Russian Organized Crime) and we don't need to
put any more thoughtware into it.

I'd like some better evidence that it came from Russia.

I didn't accept the quick judgement that it came from LINUX discontents, either.

I belong to a LUG, and know the people quite well, no one in our neck of the
woods did it. Quite the contrary, we are insulted and incensed.


My clan Motto: VERITAS VINCIT ! (Truth Conquers)

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: bruce_s on Sunday, February 08 2004 @ 08:58 PM EST
Article on the BBC News24 program "Click Online". Program presenter (Stephen Cole) refers to SCO being a "Giant software manufacturer", but I think he is being verrry sarcastic.

Bruce S.

[ Reply to This | # ]

OT: The question I have for journalists
Authored by: Anonymous on Sunday, February 08 2004 @ 08:58 PM EST
(Sorry this is in part a repeat/improved version of a previous post that I made)

The Salt Lake Tribune (Bob Mims) has a quote from Heise (SCO's lawyer) saying SCO don't know what is copied, and it is literally impossible for SCO to know what is copied, without access to the entire history of AIX.

Journalists who were not present at the hearing, should be able to verify this quote from Heise very shortly, by reading the transcript of the February 6th hearing.

The question I have then - is will any journalists ask Darl McBride, Blake Stowell or Chris Sontag - to explain how this can be consistent with what these guys have previously claimed - and moreover what numerous journalists have quoted them as saying.

In short, SCO have for months asserted:
1. They already know what is copied.
2. It is millions of lines
3. It is from System V
4. IBM did some of the copying
5. SCO have already told IBM the code at issue

I will show examples of these claims below. So is any journalist going to ask them -- how the above 5 claims can in any way be consistent with SCO now saying they don't know what is copied??? What have SCO been showing under NDA???

Here is what Heise said February 6th 2003:
"Heise insisted, however, that without IBM's compliance, 'it is literally impossible' for SCO to itself provide direct proof of the Unix-to-AIX/Dynix-to-Linux continuum it argues exists.

Here is what to compare it to:

What were all those NDA presentations about?

What were those hundreds of files and very specific numbers of lines of code relating to IBM works (JFS, etc) at SCOforum in August 2003 about?

Why did SCO tell Bill Claybrook that they already had evidence of direct copying by IBM? And not just tell, but go out of their way to "correct" an earlier impression that they gave him, that they didn't have evidence of direct copying. s/os/li nux/story/0,10801,82070,00.html

One thing that "bothered" him, he said, is that he asked SCO officials if they had any "direct evidence" that IBM copied any System V code into Linux and was first told there was no such evidence. Hours later, he said, SCO officials called him back and told him that they had "misspoken" and that they did have such evidence.

"That's kind of strange," Claybrook said.
Or what about this one:

Claybrook is under the impression that so-called "derivative works" are more important to SCO than any purported acts of IBM, which SCO is suing for a billion dollars, that resulted in directly copying Unix code into Linux. He's a bit confused over whether SCO has evidence of direct copying or not. SCOsource senior VP Chris Sontag at one point denied it did, a statement that was later corrected.

Or this one
Sontag said IBM employees were among those who copied code. In reading Big Blue's Web site describing Linux contributions, one can "find a lot of areas they mention code contributions they have made from AIX into Linux," Sontag said. AIX is IBM's version of Unix.


SCO said the apparent copying led to its SCOsource strategy. "It's way wider than we expected. We thought our main focus would be with IBM. It still is our predominant effort," Sontag said.

Or this one

the company had identified "significant source code copying issues within Linux, some of which we believe comes from IBM but many others of which come from third parties. All of these are very troubling to us," Sontag said.

And what about the million lines they claimed to supposedly already identified BreakingNews/dailya rchives.asp?ArticleID=46153

In that one example, copyrighted code had been misappropriated and there's substantial benefit out there that has still not been rectified. There are other literal copyright infringements that we have not publicly provided, we'll save those for court. But there are over one million lines of code that we have identified that are derivative works by IBM and Sequent that have been contributed into Linux that we have identified and there's been no effort by Linux leaders to start acting and rectify that situation.

Or this one -- WHERE ARE THE EXAMPLES HE REFERS TO - DARL SAID IN MAY HE ALREADY HAD THEM !!!!!,14 179,2 913802,00.html

In the last 18 months, we found that IBM had donated some very high-end enterprise-computing technologies into open-source. Some of it looked like it was our intellectual property and subject to our licensing agreements with IBM. Their actions were in direct violation of our agreements with them that they would not share this information, let alone donate it into open-source. We have examples of code being lifted verbatim.

And IBM took the same team that had been working on a Unix code project with us and moved them over to work on Linux code. If you look at the code we believe has been copied in, it's not just a line or two, it's an entire section -- and in some cases, an entire program.

Or what the heck did think that had ALREADY found in June 2003:
When we filed against IBM, they were supposed to respond in 30 days, and they filed an extension for another 60 days. So we had about 60 days where we were waiting for IBM to respond. So we turned a group of programmers loose--we had three teams from different disciplines busting down the code base, the different code bases of System 5, AIX and Linux. And it was in that process of going through the deep dive of what exactly is in all of these code bases that we came up with these more substantial problems

Or how about this breakdown McBride gave in July (note "primarily other than IBM" -- means there is some amount that SCO attributes to IBM, just they blame other people more) 7 771

McBride claimed SCO has found three distinct areas of infringement:

Direct line-by-line code taken from SCO's Unix System V, which he noted made its way into Linux from various vendors, "primarily other than IBM"

Direct line-by-line code taken from derivations of Unix System V code, like IBM's AIX; McBride noted that its contracts with Unix vendors prevent those companies from donating any code based on or derived from the Unix System V kernel

Non-literal infringement which stems from code which borrows from the concepts and structure of Unix

Or from August

An IBM executive stood up and basically announced, 'We're moving our AIX (Unix) expertise into Linux, and we're going to destroy the value of Unix,' " says McBride, who contends that the statement alone was a violation of IBM's AIX contract. McBride says that's when they started digging deeper and uncovered the copied code.

Or how about claiming to have already told IBM the code at issue:

From a time line standpoint, one thing that you can expect to see from us, Larry, this is again separate from the IBM issues and the contract issues there. By the way, we have shared the code in question there with IBM under the litigation event. They know what we're talking about there. On the copyright front, expect us to be showing this to the end-use customers as we go forward as one event, and then also the, as David mentioned, you know, a set of customers that we will follow up on, in the time frame that David talked about.--

Or this official SCO press release from 14 January 2004:

The actions of these vendors today doesn't change the fact that SCO's intellectual property is being found in Linux. Commercial end users of Linux that continue to use SCO's intellectual property without authorization are in violation of SCO's copyrights. SCO continues to publicly show evidence of this infringement. We invite interested parties to view some of this evidence for themselves at .

Or this SCO press release 13 January 2004:

The SCO Group, Inc. "Indemnification programs or legal defense funds won't change the fact that SCO's intellectual property is being found in Linux. SCO is willing to enforce our copyright claims down to the end user level and in the coming days and weeks, we will make this evident in our actions."

Or this SCO press release 15 January 2004:

The SCO Intellectual Property (IP) License permits the use of SCO's intellectual property, in binary form only, as contained in Linux distributions. By purchasing the license, customers are properly compensating SCO for the UNIX source code, derivative UNIX code and other UNIX-related intellectual property and copyrights owned by SCO as it is currently found in Linux.

Or this SCO release from August 2003:

LINDON, Utah, Aug 13, 2003 -- The SCO® Group (SCO)(Nasdaq: SCOX) delivered final written notice yesterday to Sequent Computer Systems for termination of its UNIX® System V software contract. Sequent is now owned by IBM. The Sequent (IBM) contract was terminated for improper transfer of Sequent's UNIX source code and development methods into Linux. As a result, IBM no longer has the right to use or license the Sequent UNIX product known as "Dynix/ptx." Customers may not acquire a license in Dynix/ptx from today's date forward.

SCO's System V UNIX contract allowed Sequent to prepare derivative works and modifications of System V software "provided the resulting materials were treated as part of the Original [System V] Software." Restrictions on use of the Original System V Software include the requirement of confidentiality, a prohibition against transfer of ownership, and a restriction against use for the benefit of third parties. Sequent-IBM has nevertheless contributed approximately 148 files of direct Sequent UNIX code to the Linux 2.4 and 2.5 kernels, containing 168,276 lines of code. This Sequent code is critical NUMA and RCU multi-processor code previously lacking in Linux. Sequent-IBM has also contributed significant UNIX-based development methods to Linux in addition to the direct lines of code specified above. Through these Linux contributions, Sequent-IBM failed to treat Dynix as part of the original System V software, and exceeded the scope of permitted use under its UNIX System V contract with SCO.

Also from August 2003:

"We've had more than 300 companies in the first four business days of this program contact SCO to inquire about SCO's Intellectual Property License for Linux," said Chris Sontag, senior vice president and general manager, SCOsource, SCO's software licensing division. "This Fortune 500 company recognizes the importance of paying for SCO's intellectual property that is found in Linux and can now run Linux in their environment under a legitimate license from SCO. We anticipate this being the first of many licensees that will properly compensate SCO for our intellectual property. After having initiated the program last week, we are very pleased with the licensing interest to date."

Or July 2003:

In May, SCO announced that Linux contained SCO's UNIX System V source code and that Linux was an unauthorized derivative of UNIX. SCO also indicated that Linux end users could face liability for running it in their organization. Beginning this week, the company will begin contacting companies regarding their use of Linux and to offer a UnixWare license. SCO intends to use every means possible to protect the company's UNIX source code and to enforce its copyrights.


Hundreds of files of misappropriated UNIX source code and derivative UNIX code have been contributed to Linux in a variety of areas, including multi-processing capabilities. The Linux 2.2.x kernel was able to scale to 2-4 processors. With Linux 2.4.x and the 2.5.x development kernel, Linux now scales to 32 and 64 processors through the addition of advanced Symmetrical Multi-Processing (SMP) capabilities taken from UNIX System V and derivative works, in violation of SCO's contract agreements and copyrights.

"For several months, SCO has focused primarily on IBM's alleged UNIX contract violations and misappropriation of UNIX source code," said Darl McBride, president and CEO, The SCO Group. "Today, we're stating that the alleged actions of IBM and others have caused customers to use a tainted product at SCO's expense. With more than 2.4 million Linux servers running our software, and thousands more running Linux every day, we expect SCO to be compensated for the benefits realized by tens of thousands of customers. Though we possess broad legal rights, we plan to use these carefully and judiciously."

Or June 2003:

"The Software and Sublicensing Agreements and related agreements that SCO has with IBM includes clear provisions that deal with the protection of source code, derivative works and methods," said Mark J. Heise, Boies Schiller, & Flexner, LLP. "Through contributing AIX source code to Linux and using UNIX methods to accelerate and improve Linux as a free operating system, with the resulting destruction of UNIX, IBM has clearly demonstrated its misuse of UNIX source code and has violated the terms of its contract with SCO. SCO has the right to terminate IBM's right to use and distribute AIX. Today AIX is an unauthorized derivative of the UNIX System V operating system source code and its users are, as of this date, using AIX without a valid basis to do so."

Or McBride on CNN, 30 January 2004:
MCBRIDE: This is a new digital frontier. We came out, we found that key parts of our code -- we owned the Unix operating system -- was showing up in this new upstart program called Linux. These new programmers working with IBM. We found that things were violated against our copyrights.

Or Chris Sontag on 19 December 2003

CRN: Have you identified exactly what code is at issue here?

SONTAG: We've identified a lot of different things. Early on when we filed against IBM, people wanted us to show the code. Even though we're fighting a legal case and [a courtroom] is where it's appropriately vetted, we decide to take at least one example and show it. We had to do so under NDAs [nondisclosure agreements], because if you're comparing our System V code, it is not released without confidentiality agreements.

Or August 2003

But Stowell insisted that the GPL only applied to Linux, not to the Unix code which, SCO claims, was added to Linux.

He maintained that SCO had identified specific derivative Unix software contributed to Linux by IBM. This included read-copy-update, non-uniform memory access and journalled file system.

Or Darl McBride's interview (explicitly about SCO v IBM) with Peter Williams of VNUnet

Are you still saying categorically that there is offending code in the Linux kernel?
Yeah. That one is a no-brainer. When you look in the code base and you see line-by-line copy of our Unix System V code - not just the code itself, but comments to the code, titles that were in the comments and humour elements that were in the comments - you see that everything is taken straight across.
Everything is exactly the same except they have stripped off the copyright notices and pretended it was just Linux code. There could not be a more straightforward case on the Linux side.
And that's actually the Linux kernel, as opposed to other parts?
Correct, the kernel.

Or from August 2003, they claim over a million lines, and identify IBM (indirectly by referring to RCU, NUMA, JFS, etc) as the source of some of these lines

SCO yesterday dismissed claims that Linux can be rewritten to remove code allegedly taken from Unix V, claiming that replacing over a million offending lines would be impossible. ...

... SCO maintains that its code is primarily found in Linux dealing with several key areas: Non-Uniform Memory Access, Read Copy Update, journalled file system, XFS, Schedulers, Linux PowerPC 32- and 64-bit support and enterprise volume management systems.

Or Chris Sontag May 2003

What you are saying then is: if there is Unix code put into Linux by IBM, and SuSE is using Linux, they would therefore be liable by default?


You do a great deal of writing, analysis and so on. I assume that your work is copyrighted. What about a company who takes Peter Williams's work and posts it somewhere else on the internet and attributes it to themselves? Taking 100 per cent of your work. That's a problem isn't it?

Yes, it does happen. But it is not quite on the same scale.
What also occurs is that people will hijack a paragraph here or there or rework it a little bit to try and make it look as though it was not your work, it was their own. But you can tell they have moved things around so it doesn't look like it. But really it was your work. That is still a copyright issue.

So when certain elements in the Linux community say 'show us the lines of code', yes there are lines of code. But of even greater concern to us are the areas we have identified that we say have been obfuscated: changed around so as to hide the fact they are from our source.

That's a problem. That's a huge problem to us. Rewriting a line of code to obfuscate does not solve the problem. Do you understand where I am going?

Just to confirm. The offending code, was it all SCO-written? Or did some of it come from AT&T or even in UnixWare when owned by Novell?
There is code written which came through from AT&T Unix system labs, some written when the Unix source was under the control of Novell and some written under the control of SCO. All of that work, that body, is owned by SCO. And SCO is the owner of the Unix operating system.

I could go on...

So in short, Journalists:

1. Does SCO still allege there are millions of lines of infringing code, hundreds of files, including direct copying from System V?

2. Does SCO still attribute much of this to IBM?

3. Does SCO contend they have told IBM the code at issue?

4. If the answer to any of 1 to 3 is no, what has changed in their position - or how do they explain their earlier statements?

5. How do Heise's comments on February 6th fit into this?

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: bruce_s on Sunday, February 08 2004 @ 09:04 PM EST
There is a patch for the full version of Outlook (2K & XP) to stop
you from being able to open attachments. Actually it stops you from
being able to access some attachments at all, so you can't even
just download them. MS going from "you're able to run
everything" to "You know that data you were able to access, now
you can't".

Bruce S.

[ Reply to This | # ]

Microsoft breach from Russia with love
Authored by: converted on Sunday, February 08 2004 @ 09:14 PM EST
I wonder if it's just a coincidence that M$ code server breach and Mydoom both came from the same country?

Unknown hackers with a St. Petersburg e-mail address have accomplished what a U.S. Justice Department antitrust lawsuit failed to do: extract the secret blueprints for Microsoft's Windows operating system.
And here..
The attack tentatively has been traced back to St. Petersburg, Russia, sources said, fueling speculation the break-in was an act of industrial espionage.
And here..
Microsoft's security staff discovered that passwords were being sent to an e-mail address in St. Petersburg, Russia, apparently using the QAZ Trojan software exploit.

"I am not a demographic! I am a human being!"

[ Reply to This | # ]

Bring out Rob Rosenberger!
Authored by: Anonymous on Sunday, February 08 2004 @ 09:28 PM EST
I think Rob Rosenberger would get along famously with this guy (what is it about
the Air Force that makes good virus experts?). Too bad is no longer
being updated. may still be, though.

Anyways, good work!

[ Reply to This | # ]

Why attachments are double clickable in Outlook Express etc
Authored by: Anonymous on Sunday, February 08 2004 @ 09:36 PM EST
The reason is actually quite simple

The Windows Shell API -- and how Outlook Express chose to use it

When you say "open" in Windows for local files -- it means using the
Shell Execute API, or rather that is what Windows Explorer does

Shell Execute sort of says

- Is it an EXE or other program? If yes, run it

- Is it another file type? If yes, look in the system configuration for which
program it goes with (e.g. word, paintbrush etc.) and how to open the
associated program with that file (DDE, OLE, command line, etc). Then do so

This makes sense for the Windows GUI. You double click on a program or document
file and it opens.

The stupidity is not ShellExecute API per se. The stupidity is that Outlook
Express has no intelligence to say the first (running a program) is a lot more
drastic than opening a document. In other words, the stupidity is the designers
of Outlook Express chose to treat attachments as if they were the user's own
files, with no additional warnings, etc.

The stupidity is compounded by the extension thing (hiding extensions in the
GUI) in Win 95 and later. To be fair, not all Windows programs do this (and some
have options not to hide or hide extensions -- but MS adopted as a universal
style, even when they shouldn't for their own applications). This makes
Outlook's dangerous behaviour even more dangerous. The reason for the extension
thing is probably Windows/DOS has a UNIX-like file system (bag of bytes), rather
than the Mac's approach with resource forks and true file types. To make
Windows/DOS appear a little more Mac-like (appear as if it had true file types)
the extension hiding was added.

In short, the attachment trick exploits a *combination* of

(1) Outlook Express being way too trusting of attachments (how about a warning
before running an EXE?)

(2) Outlook Express designers being too lazy, just calling ShellExecute for any
attachment that is clicked

(3) Outlook Express (and many Windows apps) trying to be more Mac like, when
they lack the underlying infrastructure

(4) User's stupidity. I'm sorry there is a stupidity in accepting unquestioning
attachments and opening them. If you look at the emails containing these
viruses, they do not generally look like real email at all. They are not from
people you know, near always. Even novice users have heard of viruses spreading
by email attachments.

(5) What they can do, once they get in.

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: muzza on Sunday, February 08 2004 @ 10:13 PM EST

This quote from Terry Pratchett comes to mind whenever I think about the spam and virus problems:

Shortly before the Patrician came to power there was a terrible plague of rats. The city council countered it by offering twenty pence for every rat tail. This did, for a week or two, reduce the number of rats -- and then people were suddenly queueing up with tails, the city treasury was being drained, and no one seemed to be doing much work. And there still seemed to be a lot of rats around. Lord Vetinari had listened carefully while the problem was explained, and had solved the thing with one memorable phrase which said a lot about him, about the folly of bounty offers, and about the natural instincts of Ankh-Morporkians in any situation involving money: "Tax the rat farms."

Call me paranoid but I do not trust the companies who want to see the end of free email, who want a profit for every message sent. A free email system clogged with junk can only help further their point. A portion of the spam I receive now contains no product information at all, just random gibberish. Who is paying the spammers to send that stuff? Similarly it is hardly in the interest of an anti-spam company to see an end of spam.

[ Reply to This | # ]

Press release, amicus curiae
Authored by: Thomas Frayne on Sunday, February 08 2004 @ 10:19 PM EST
I sent this note to PJ.

I have been preparing a press release, and have been posting related discussion and drafts in thread After the ruling - status of AIX claims

I just received a post from Yahoo post that suggested that a group of Groklaw members should submit an amicus curiae based on the press release.

I want to send the press release tonight, whether or not we could put together an amicus curiae that quickly. I think that SCO is sending more FUD about last week's events, and I want to spread the truth as widely as possible before the stock market opens tomorrow.

Would you be willing to endorse the press release? Would you be willing to sponsor an amicus curiae?


Would anyone like to be on the list of those endorsing the amicus curiae?

[ Reply to This | # ]

Slightly OT: Something weird about the kernel contributions...
Authored by: Anonymous on Sunday, February 08 2004 @ 10:32 PM EST
Has anyone looked at the 2.6 ChangeLog files? The latest one for 2.6.2 has an
awful lot of contributions from good ole' big blue... but it also has a lot of
contributions from HP, Intel, and others.

SCO hasn't made even the slightest negative gesture towards HP, and yet HP is
clearly contributing to Linux as well. This brings up a number of fascinating

1) SCO is being used as a proxy by HP and Sun to beat up on big blue, and that's
what this whole thing is really all about.

2) SCO thinks their legal position is stronger against IBM than HP or Sun for
some reason.

3) SCO was really miffed about IBM (and Intel) scuttling project Monterey, and
this is really just a personal vendetta.

4) HP and/or Sun are secretly hoping that SCO wins and they can share the bounty
of this land grab with them by licensing and reselling "SCO Linux."

Any facts to support any of these speculations?

[ Reply to This | # ]

Reduce virus file attachment threat -- change Windows default behavior
Authored by: Anonymous on Sunday, February 08 2004 @ 11:13 PM EST
A number of posts and comments here have involved the default "click-on and
run" behavior of Windows and the default settings that hide a file or
attachment's true extension so that a script file can masquerade as an innocent
jpeg file e.g. AnnaKornikova.jpeg.scr appears as AnnaKornikova.jpeg to the

I agree that these default settings are inappropriate and that users should know
better than to click on attachments. However, many of these threats can easily
be dealt with by making an appropriate registry file (.reg) and merging it into
the registry of machines on your network. About 90% of my users were able to
right-click on the reg file and select the "Merge" option. I helped
the others and found it an opportune time to educate users about security. The
combination of these changes and anti-virus software handled most anything that
came along.

Before changing any registry keys, it would be wise to capture the default
settings manually or by exporting the keys to reg files. For the affected file
types, users need to understand that they should open files from within
applications, rather than by clicking on the file's icon.

The listing below is offered as a sample for changing Windows' default settings
with a reg file. It should be evaluated and edited for your situation. One
should also understand the functional effect of changing settings. Note that
these changes may also be made using Windows Explorer. In W2k -- Tools >
Folder Options > File Types (select file type here) > Advanced.


[HKEY_CLASSES_ROOT\Microsoft Internet Mail Message\Shell]
[HKEY_CLASSES_ROOT\Microsoft Internet Mail Message\Shell\Edit]
[HKEY_CLASSES_ROOT\Microsoft Internet Mail Message\Shell\Edit\command]
@="notepad.exe %1"
[HKEY_CLASSES_ROOT\Microsoft Internet Mail Message]
[HKEY_CLASSES_ROOT\Microsoft Internet News Message\Shell]
[HKEY_CLASSES_ROOT\Microsoft Internet News Message\Shell\Edit]
[HKEY_CLASSES_ROOT\Microsoft Internet News Message\Shell\Edit\command]
@="notepad.exe %1"
[HKEY_CLASSES_ROOT\Microsoft Internet News Message]

It is nice to get calls from users who are viewing virus files in NotePad,
rather than "OOPS, I clicked on it" calls.

Linux--making the world a better place

[ Reply to This | # ]
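The two comments above describe the same gap from both sides: the mail client hands every clicked attachment to the shell without distinguishing "run a program" from "open a document", and hidden extensions let AnnaKornikova.jpeg.scr display as AnnaKornikova.jpeg. The check below is an added example, not code from either poster or from any mail client, showing the decision a client could make before dispatching an attachment; the extension sets, the Verdict type and the function name are assumptions made for illustration.

```python
import ntpath
from dataclasses import dataclass, field

# Assumption: small illustrative subsets, not a complete list for any Windows release.
PROGRAM_EXTS = frozenset({".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"})
DOCUMENT_EXTS = frozenset({".txt", ".jpg", ".jpeg", ".gif", ".doc", ".pdf"})


@dataclass
class Verdict:
    shown_as: str   # what the user sees when known extensions are hidden
    real_ext: str   # extension the shell actually dispatches on
    action: str     # "open", "warn" or "block"
    reasons: list = field(default_factory=list)


def classify_attachment(filename: str) -> Verdict:
    # Win32 drops trailing dots and spaces, so "x.exe. " is still x.exe.
    name = ntpath.basename(filename).rstrip(". ")
    stem, ext = ntpath.splitext(name)
    real_ext = ext.lower()
    known = real_ext in PROGRAM_EXTS or real_ext in DOCUMENT_EXTS
    # Only registered ("known") extensions are hidden from the displayed name.
    shown_as = stem if known else name
    decoy_ext = ntpath.splitext(stem)[1].lower()

    if real_ext in PROGRAM_EXTS:
        reasons = [f"{real_ext} is run as a program, not opened in a viewer"]
        if decoy_ext in DOCUMENT_EXTS:
            # The displayed name claims a document type the file does not have.
            reasons.append(f"displayed name ends in {decoy_ext} but the file is {real_ext}")
            return Verdict(shown_as, real_ext, "block", reasons)
        return Verdict(shown_as, real_ext, "warn", reasons)
    if real_ext in DOCUMENT_EXTS:
        return Verdict(shown_as, real_ext, "open")
    return Verdict(shown_as, real_ext, "warn", ["unrecognised type; handler unknown"])


if __name__ == "__main__":
    # Constructed sample names; the first is the one quoted in the comment above.
    for sample in ("AnnaKornikova.jpeg.scr", "setup.exe", "holiday.JPG", "notes.txt. ", "README"):
        v = classify_attachment(sample)
        print(f"{sample!r:28} shown as {v.shown_as!r:22} -> {v.action} {v.reasons}")
```

A plain program attachment gets the warning the first commenter asks for, while a program whose displayed name ends in a document extension is refused outright.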

How to make Windows safe
Authored by: Anonymous on Sunday, February 08 2004 @ 11:51 PM EST

I and my wife both use Linux, but my daughters use Windows. I have managed to make their computer safe from viruses and security flaws in Windows. I have also managed to set it up so that they can use it unsupervised without risk of seeing "bad stuff" on the internet.

I am truly convinced that my method is the one and only way to protect a Windows computer. I'm sure all Groklawyers have already figured out this method, but we need to spread the word.

Let's face it, some people are going to insist on using Windows, but if they do so, they should do it safely. They should stop unwittingly spreading chaos and damage across the internet. So, kiddies, go ahead and use Windows if you feel you must, just keep your toy computer OFF THE NETWORK! The grownups are trying to use it to get some work done.

[ Reply to This | # ]

OT - Spam
Authored by: Anonymous on Monday, February 09 2004 @ 01:58 AM EST
It occurred to me recently what may be an aid to spammers.

The emails that everyone gets from their friends/family etc - "Forward this
to at least 10 friends" type messages - are an obvious way of capturing
email addresses.

Each time I get one of these it will usually have a long list of people who
received it before me. Even addresses that the message was copied to.

Eventually each of these messages will get to a spammer - who thinks "what
a tasty morsel"! Or would if it weren't an automated email snatcher. A
free list of email addresses.

Think before you forward

[ Reply to This | # ]

I would like to make two points.
Authored by: Anonymous on Monday, February 09 2004 @ 02:25 AM EST
1) If you were a spammer who needed an insecure OS to
survive, which OS would you like?

2) The comments in the viruses are in English, viruses can
be relayed through Russia just as they can be in any other
country. If you want to hide your identity you relay
through a country that is unlikely to cooperate with local
authorities. I would not be surprised if Russia is a
further misdirection.

[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: Anonymous on Monday, February 09 2004 @ 02:51 AM EST
What is wrong with late night drag racing?


[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: PeteS on Monday, February 09 2004 @ 03:56 AM EST
I have done a number of things - network administration, hardware design, software/firmware design, test engineering and teaching (post secondary), amongst other things.

I have found that the average person uses a computer as a glorified calculator, and in particular, as a substitute brain.



While teaching electronics, one question came up which required doing the following operation:

Solve for x, where x = 10 / 2

The entire class, as one, reached for their calculators.

Sad, in a way, but also a strong statement of a culture of mental atrophy, which it is up to us to work against. If we don't do something, who will?

It is quite amazing how otherwise apparently intelligent people suddenly become (apparent) incompetents as soon as they sit in front of a (usually) Windows box.

I can't blame the IT folks; after all, they have plenty to do just keeping the network running. I do blame companies in general for not having training classes on just what a computer is good for (and conversely, what it is not good for).

This boils down to cost, and we all know it is far cheaper to prevent these problems, but companies are 'challenged' on their budgets every day. They don't spend money on prevention because it is not seen as 'productive'. I know there are exceptions to the rule, but this, in general, is what I have found.

The other part of this, of course, is inherent system security, which is sadly lacking (due to design choices) in Microsoft products.

It is truly ironic that the average user (once they learn to log in) is safer on any flavor of *nix (or Linux) simply because of the operating model, and that it takes a real power user to use a Windows machine safely.

Good article; it should be disseminated far and wide in the industry press.

Recursion: n. See Recursion

[ Reply to This | # ]

My mydoom experience
Authored by: Anonymous on Monday, February 09 2004 @ 04:26 AM EST

I was talking to a number of people about mydoom and I tried to tell them that
SCO would only be collateral damage to let people look into the wrong direction.
Although I regard these people as highly intelligent they didn't see the fact
that SCO is too small a company not only compared to the thousands of infected

I got dozens of virus notifications in conjunction with mydoom. Not a single
notification held a real, existing user name within my domains. The combination
of affected domains was only possible by having access to a person's address
list, more specifically to address lists of members of my family. It is
impossible to get this combination by other means and I never got spam affecting
these domains without affecting at least one other domain.

Since a few days now I get spam of a very special kind:
exactly those domains affected by mydoom's forgery a couple of days before are
affected by this spam. And each single spam mail is sent to real, existing
users within these domains.

The spammers could have filtered mydoom mails they received accidentally. But that
isn't very likely for more than 90% of spam I normally get is sent to
non-existent user names. So why should a spammer filter to only match real

I may be wrong but I am pretty sure the spammers had direct access to the
address list of this member of my family. (BTW: thank you for spreading my

And still the above mentioned people think SCO was the main target.



[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: Anonymous on Monday, February 09 2004 @ 05:47 AM EST
Why not write an antidote? Someone should write a worm that fixes holes and
undoes stuff evil-worms do. For every worm there should be the anti worm
spreading even faster. Well in my opinion at least ;)


[ Reply to This | # ]

Whatever Happened to Investigative Journalism? - by Paul Couture
Authored by: zjimward on Monday, February 09 2004 @ 08:34 AM EST

Great article. I was also wondering why any Linux person would waste their time
looking for and writing a script for Windows. The answer: they wouldn't, any more
than Microsoft will port any of its products to run on Linux.

[ Reply to This | # ]

Yeah, it's MS's fault
Authored by: Anonymous on Monday, February 09 2004 @ 10:05 AM EST
Since the monopoly suit didn't accomplish much, it's time to charge Microsoft
with racketeering. Their software supports organized crime. (Even without
examining their EULA.)

[ Reply to This | # ]

Not ALL bad
Authored by: Anonymous on Tuesday, February 10 2004 @ 09:43 AM EST
It's not all myDoom and gloom (sorry, couldn't help myself):
"Couldn't MyDoom just be an annoyed Linux programmer's revenge? It is
possible, but unlikely when you view it in the context of other well-organised
online crime."

[ Reply to This | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )