Here's Chris Sontag's latest declaration, in which he tries to support SCO's accusation IBM broke the law when it downloaded, from SCO's website, GPL'd Linux kernel code IBM itself wrote and owns the copyright on. IBM at the time was looking for evidence of copyright infringement, by the way. You know, like SCO's hero, the RIAA? SCO was in violation, IBM says, of the GPL by distributing that code in the first place, and hence SCO had no right to distribute that code to anyone, because they were violating IBM's copyright by so doing. SCO's defense is to allege IBM deliberately bypassed "security measures" -- in this case, we find out, a password prompt that didn't actually require a password or hinder free access in any way, due to SCO's incompetence -- and so they allege IBM "hacked" into their site. If that is illegal, could someone please rewrite that law so it isn't stupid any more?

We also learn that SCO is not an avid reader of either Slashdot or the SCOX Yahoo message board. News that no password was needed to access SCO's Linux files was posted on Slashdot, they say, on October 31, 2003, and on February 18, 2004 on the Yahoo SCOX board. It was on March 4, 2004 that SCO finally "became aware of the problem and immediately fixed it." Immediately meaning after 4+ months, that is. Then it happened again in July, when SCO reintroduced the bug, as they call it, and over a month later, SCO realized they had done it again, and fixed it a second time.

IBM is, therefore, to hear Mr. Sontag tell it, guilty of bypassing a buggy security system that didn't work to keep anybody out, if I have understood his argument. They claim there was a notice there, but I've heard and read conflicting stories about that.
I have read that many persons said that on the sites visited, there was no password required at all to gain access. It was, I've been told, like Windows 98, where they confront you with a password prompt, but if you hit Return, you access without one. Is that hacking? IBM is guilty of hitting the Return key. If that is "hacking", maybe we need to redefine our terms as well as rewrite the law.

In any case, according to this declaration, SCO's distribution of Linux files was terminated on December 31, 2004. Mr. Sontag appears to make the argument that SCO had to continue to violate the GPL, because it was contractually obligated to offer updates to previous customers. This is the same company that would like IBM held to the strictest -- one might even say the most ridiculous -- possible interpretation of the laws on "hacking".

First, SCO's argument is like saying you had to steal the Hope diamond because you were under a contractual obligation to do it and had already been paid to steal it. Second, they could offer updates without doing so from a website, instead of making it so easy for anyone to access. They could have sent out CDs by mail, for example. Their excuse for making the files readily downloadable to the public is that they were incompetent and kept goofing. And of course, IBM is to blame for that, I suppose. This all assumes that IBM wasn't a previous customer and neither were any of their employees. Third, SCO seems to think that as long as it didn't charge any new customers, they were permitted to continue to distribute to their previous customers. I think they don't understand the GPL. If you lose your right to distribute, you lose your right to distribute. The issue isn't whether you charge for the distribution, just that you did it after you lost your right to distribute. And by any GPL measure that I know, SCO continued to distribute after they lost their right to distribute.

I am puzzled by one of Sontag's claims.
He says that when SCO participated in the UnitedLinux project, it had no idea that JFS was derived from SCO's proprietary software or that it had been contributed to Linux by IBM "in violation of IBM's agreements with SCO." He also claims they hadn't a clue that the other features SCO marketed, like asynchronous I/O, enterprise volume management systems, and better SMP scaling, were developed by IBM. They just went by what the rest of the UL consortium told them. Aside from the unbelievability of such a claim, which depends on SCO executives reading nothing but the comics for several years, never once really looking at the code it was selling, the copyright notices, for example, and being totally incompetent, how exactly can it be that functionality that you don't have at all in your software is derived from your code when it does things you can't do with your code? I would like SCO to explain that, because I can't understand how that is possible. It must be me, because of not being a programmer. But if you want to program something new, why would you start with something old that doesn't do what you want and hack on that, instead of just writing something new?

To me it's like saying the New York Times owns Groklaw, because I write news stories sometimes, and they did news stories first. Groklaw is doing something the Times, venerable though it is, never even thought to do. Even if GL and the Times had once been contractually bound, say over earlier templates the Times might have invented for covering the news and even if there was a clause saying that any modification of the templates remained under the control of the Times, when GL did something entirely different, open source legal research, how would that be covered by any NYTimes "news template" contract? I'm doing something utterly new and not even trying to do things the way the Times does, even though in the big picture we are each covering the news.
It must be SCO's theory of "derived", meaning if you ever drove within 50 miles of Unix System V, your code is now barnacled onto the mother ship, and your brain is owned in perpetual serfdom until you die and are set free at last. In heaven, should you go there, you can code again in freedom.

There is one other odd thing. Paragraph 30, to my reading, says that instead of attaching their Intellectual Property License for Linux, they tell the judge to look at a "similar" one that IBM attached as Exhibit 33 on its Motion for Summary Judgment on its Eighth Counterclaim. I must have that SCO IP License for Linux somewhere, but I'm not at home, so I can't retrieve it. Any of you have it handy? If they can't find it, let's help them out.

This is another of the paper documents Frank Sorenson got for us from the courthouse. And thanks also to belzecue for the OCR, BobDowling for transcribing, and justjeff for the html (although, sadly, I didn't see his until after I had done it myself -- I still appreciate it though), and robert and Chris Lingard for proofing.

Note that they mention some exhibits, which we will have ready soon. Here is Exhibit E, the product announcement, and Exhibit C, the termination letter to Sam Palmisano. Here's the one you are waiting for, the logs, Exhibit F. Also, note that their pagination is off, and I didn't follow it, simply because it was too confusing, and I followed the PDF pagination instead. There are also a couple of tempting [sic] moments, but I restrained myself.
*********************************
Brent O. Hatch (5715)
HATCH, JAMES & DODGE
[address, phone, fax]
Robert Silver (admitted pro hac vice)
Edward Normand (admitted pro hac vice)
Sean Eskovitz (admitted pro hac vice)
BOIES, SCHILLER & FLEXNER LLP
[address, phone, fax]
Stephen N. Zack (admitted pro hac vice)
Mark J. Heise (admitted pro hac vice)
BOIES, SCHILLER & FLEXNER LLP
[address, phone, fax]
Attorneys for Plaintiff
____________________________
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF UTAH, CENTRAL DIVISION
THE SCO GROUP, Inc.
Plaintiff,
v.
INTERNATIONAL BUSINESS MACHINES CORPORATION,
Defendant.
Case No. 2:03CV0294DAK
Hon. Dale A. Kimball
Magistrate Judge Brooke C. Wells
DECLARATION OF CHRISTOPHER SONTAG
1
1. My name is Christopher S. Sontag, and I am Senior Vice President and
General Manager of The SCO Group, Inc. ("SCO"). Unless otherwise noted or
evident from context, this declaration is based on my personal knowledge.
2. I submit this Declaration in support of SCO's Memorandum in Opposition
to Defendant/Counterclaim-Plaintiff IBM's Motion for Partial Summary
Judgment on SCO's Contract Claims, and in support of SCO's Memorandum
in Opposition to IBM's Motion for Partial Summary Judgment on IBM's
Copyright Infringement Claim (the Eighth Counterclaim).
3. I have participated in the management, administration, and enforcement
of SCO's UNIX System V ("SVRX") software agreements since 2002. Other
than through express written agreements and for due consideration, SCO
has never intended to waive and has always sought to protect and enforce
its rights under those agreements. I am not aware of any instance -- other
than through such written agreements -- in which SCO has intentionally
waived any right to enforce any provision of any of those agreements.
4. IBM and Sequent are among SCO's SVRX licensees. SCO has concluded
that IBM (which acquired Sequent after Sequent became an SVRX licensee)
has violated its (and Sequent's) SVRX agreements by contributing to the
Linux operating system source code from a derivative or modified work
that IBM developed based on SVRX after entering into its SVRX agreements.
5. SCO did not know that IBM had contributed source code to Linux in
violation of its (and Sequent's) SVRX licenses until December 2002 or
January 2003.
6. In selling SCO Linux 4.0 and other products, SCO marketed features
such as asynchronous I/O, enterprise volume management systems, better
SMP scaling, and
2
journaling file system support ("JFS") because, according to SCO's
partners in the UnitedLinux consortium, these features were included in
the version of Linux contained in the pertinent SCO product.
7. With the sole exception of JFS, all the features were known simply
by their appearance in Linux, not by where they originated. SCO had no
knowledge that they were developed by IBM, or that they were derived from
SCO's proprietary software licensed to IBM, or that they were contributed
by IBM to Linux in violation of IBM's agreements with SCO.
8. SCO identified JFS in its marketing as "developed by IBM," but SCO did
not know that JFS was derived from SCO's proprietary software licensed
to IBM, or that it was contributed to Linux by IBM in violation of IBM's
agreements with SCO.
9. SCO filed suit against IBM for breaching the IBM and Sequent software
agreements within months of concluding that IBM had done so. SCO thereby
expressly acted on and manifested its intent to enforce those licenses.
10. The same day it filed suit against IBM for breaching the SVRX
agreements, on March 6, 2003, SCO sent a termination letter to IBM's
Chief Executive Officer explaining that IBM's right to use or distribute
any software product based on UNIX System V, including AIX, would be
terminated on June 13, 2003, unless IBM cured those breaches. Exh. A
hereto. SCO sent a similar letter to IBM regarding Sequent, and Dynix/ptx,
on May 29, 2003. Exh. B hereto.
11. On July 12, 2003, SCO further demonstrated its intent to enforce
its rights under those agreements by delivering a termination notice to
IBM pursuant to Section 6.3 of the SVRX agreement. Exh. C hereto. After
sending its termination letters, SCO had attempted to meet and confer
with IBM, including through a meeting held on June 2,
3
2003, but IBM had failed to cure its breaches during the 100-day period
provided in SCO's termination letter to IBM and the two-month period
provided in SCO's termination letter to Sequent. Accordingly, effective
June 13, 2003, SCO terminated IBM's SVRX agreements; and effective July
30, 2003, SCO terminated the Sequent SVRX agreements. Exhs. C and D
hereto. SCO thus further demonstrated its intent to enforce its rights
under those agreements.
12. After filing suit against IBM, SCO considered whether to continue to
sell and market all of its Linux-related products, including SCO Linux
Server 4.0. I was personally involved in those discussions at SCO.
13. In analyzing that question, an important consideration SCO took into
account was its obligations to its existing customers. SCO took the view
that SCO's customers were entitled to order SCO's products and updates
from SCO for a period of time after becoming customers. See, e.g., Exh. E
hereto ("Product Announcement for Linux Server 4.0," dated November 19,
2002, in which SCO promises to offer purchasers the "SCO Linux Update
Service" for twelve months, including "Access to an up-to-date repository
of UnitedLinux and other updates for their system."). SCO did not want
to abandon its current customers unless there was no other alternative.
14. SCO decided that the most sensible solution was to suspend its sale
and marketing of all of its Linux-related products effective May 14,
2003, but to continue to allow SCO's current customers (to whom SCO had
obligations) to order such products.
15. By suspending the sale of its Linux-related products, including the
operating system, services, support, professional services, education,
and layered applications, SCO eliminated approximately 5-10% of its
revenues. From May 14, 2003, until May 31,
4
2004 (when SCO last sold a unit of Linux Server 4.0), SCO sold 83 units
and had 79 units returned, for a gross revenue of $1,849.
16. In taking into account the foregoing considerations and reaching the
foregoing decisions, SCO never intended to waive its right to enforce
its SVRX agreements, including against IBM and Sequent.
17. In compliance with its contractual obligations, SCO has provided
customers who purchased SCO Linux Server 4.0 Server files with access
to the product through a secret, individual password that the customer
could use at the log-in screen to SCO's website, and will continue to
provide such access through December 31, 2004.
18. I understand that IBM claims that SCO made sixteen of IBM's
copyrighted works available to the public through SCO's website. IBM's
Kathleen Bennett contends (Bennett Decl. (8/5/04) ¶ 4; Bennett
Decl. (8/16/04) ¶ 10) that access to these works was available on
the following four web pages:
a. http://linuxupdate.sco.com/scolinux/update/RPMS.updates,
b. http://Linuxupdate.sco.com/scolinux/SRPMS,
c. http://linuxupdate.sco.com/scolinux/update/RPMS.scolinux, and
d. ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/server/CSSA-2002-026.O/SRPMS.
19. The first three of the above-listed sites contained files related to
SCO Linux Server 4.0 products. In accordance with SCO's agreements with
its customers and with the UnitedLinux consortium, access to these and all
other SCO Linux 4.0 download sites has always required password-protected
authentication. For that purpose, those who registered SCO Linux 4.0
product received a login username and password to access the files. The
website had a legal notice that access was limited to SCO's customers.
5
20. On September 23, 2003 an upgrade was done to the authentication
mechanism on the download site, linuxupdate.sco.com. Through this upgrade,
a bug in the authentication software was inadvertently introduced. If
someone entered an invalid username or password (or both), they would
simply have the login prompt re-represented to them up to 3 times. After
three failed attempts, they would get an error message and be denied
access. However, if they left the username and password fields blank on
any attempt, the authentication process was delayed (by approximately
15-30 seconds) and access was eventually allowed.
21. Anyone who accessed the site by exploiting this bug would have known
they were bypassing a security login -- that is, hacking into the system.
22. On October 31, 2003, someone explained this password-bypass procedure
on the internet at Slashdot.org. On February 18, 2004, news of this bug
was posted on the SCOX message board at messages.yahoo.com. On March 4,
2004, SCO became aware of the problem and immediately fixed it.
23. On July 18, 2004, the authentication bug was inadvertently reintroduced
when a SCO programmer was fixing an unrelated problem. SCO was unaware of
this reoccurrence until August 23, 2004, when the problem was immediately
repaired again.
24. SCO maintains server logs showing access to its download sites. The
log files I analyzed demonstrate conclusively that the Ms. Bennett's
IBM "team" never attempted to log in with a valid username on January 9,
2004. Instead, they immediately bypassed authentication by exploiting
the bug.
25. The logs also show that between October 31 and December 1, 2003,
IBM repeatedly accessed the SCO log-in site but did not obtain access
to the SCO Linux Server 4.0 files.
6
The first successful exploit of the authentication bypass by an IBM host
occurred on December 1, 2003. Apparently understanding the bug by that
date, the Bennett team thereafter entered the site without authorization
several more times between then and January 9, 2004. True and accurate
excerpts from the pertinent logs, along with explanatory notes, are
attached as Exh. F hereto.
26. According to the server log files, IBM never attempted to exploit
the bug between March 4 and July, 18, 2004, the period when the initial
repair of the authentication bug was in place. Therefore, IBM would have
been unaware that SCO had repaired the bug in the authentication process
when, as shown on Exh. F hereto, Ms. Bennett's team returned to the site
without authorization on August 4, 2004, during the second period that
the bug was active.
27. The logs confirm unauthorized accesses from IBM IP addresses,
during which 51 files were downloaded, from January 9, 2004, to August
4, 2004, including the very files that IBM now relies on in its motions
for summary judgment. Complete logs of all unauthorized downloads by
IBM are available.
28. This the text of the legal notice that was posted to sco.com on
August 8, 2003:
NOTICE: SCO has suspended new sales and distribution of SCO Linux until
the intellectual property issues surrounding Linux are resolved. SCO
will, however, continue to support existing SCO Linux and Caldera
OpenLinux customers consistent with existing contractual obligations.
SCO offers at no extra charge to its existing Linux customers a SCO
UNIX IP license for their use of prior SCO or Caldera distributions of
Linux in binary format. The license also covers binary use of support
updates distributed to them by SCO. This SCO license balances SCO's need
to enforce its intellectual property rights against the practical needs
of existing customers in the marketplace.
Dear SCO customer,
7
Starting on November 1, 2003, SCO will institute new procedures
for you to access binary updates and source rpms. If you own an SCO
licensed copy of Linux (such as OpenLinux, eDesktop, etc.) it will be
necessary for you to register (or re-register) in order to continue to
receive support files. During the registration process you will receive
instructions on how the new access procedure will work or you can visit:
http://www.sco.com/support/linux_infc.html
This or similar text was on the site at all times IBM attempted (and
obtained) access.
29. Access to the fourth website mentioned by Ms. Bennett, which contained
only one of the sixteen programs (the Omni Print Driver), became subject
to password protection on August 13, 2004. No files for SCO Linux Server
4.0 were ever available at that site.
30. The SCO Intellectual Property License for Linux is sold pursuant to
written agreements, with the licensing clause worded similarly to that of
the Questar agreement attached as Exhibit 33 to IBM's Motion for Summary
Judgment on its Eighth Counterclaim. These licenses contain a release of
claims, a covenant not to sue, and a waiver of any infringement claims
SCO may have against the licensee. These licenses are solely for SCO's
UNIX software.
31. Other than SCO Linux Server 4.0 and SCO Open Linux 3.1.1, no SCO
product contained any of the sixteen programs at issue. SCO never modified
any of the sixteen programs.
8
I declare under penalty of perjury that the foregoing is true and correct.
November 30, 2004
____[signature]___
Christopher Sontag
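
The behavior described in paragraphs 20 and 23 of the declaration (blank fields admitted after a delay, then the same bug reintroduced by an unrelated change) matches a fail-open authentication check. The following is an added example, not SCO's code and not part of the declaration or the original post: the declaration does not state the cause, so the stalled backend lookup, the function names and the sample credentials are assumptions chosen to reproduce the described behavior, shown beside a fail-closed check and the regression cases that would catch a reintroduction.

```python
import hmac

# Constructed sample credential store; names and values are hypothetical.
USERS = {"customer1": "s3cret-token"}
MAX_ATTEMPTS = 3  # paragraph 20: the prompt is presented up to three times


class BackendTimeout(Exception):
    """Raised by the (hypothetical) credential backend when a lookup stalls."""


def lookup_password(username):
    # Assumed failure mode: an empty key makes the backend stall and time
    # out instead of answering "no such user".
    if username == "":
        raise BackendTimeout("lookup stalled")
    return USERS.get(username)


def check_fail_open(username, password):
    """Vulnerable pattern: only an explicit mismatch denies access."""
    try:
        stored = lookup_password(username)
        if stored is None or stored != password:
            return False
    except BackendTimeout:
        pass  # error swallowed; control falls through to "allow"
    return True


def check_fail_closed(username, password):
    """Hardened pattern: access is granted only on a positive match."""
    if not username or not password:
        return False  # reject blank fields before touching the backend
    try:
        stored = lookup_password(username)
    except BackendTimeout:
        return False  # backend errors deny access
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def login(check, attempts):
    """Replay up to MAX_ATTEMPTS (username, password) pairs."""
    for username, password in attempts[:MAX_ATTEMPTS]:
        if check(username, password):
            return "granted"
    return "denied"


# Regression cases: blank fields on any of the three attempts must be denied.
REGRESSION_CASES = [
    [("", "")],
    [("bad", "bad"), ("", "")],
    [("bad", "bad"), ("bad", "bad"), ("", "")],
]


def run_regression(check):
    return [login(check, case) for case in REGRESSION_CASES]
```

Keeping `REGRESSION_CASES` in the test suite for the login handler means an unrelated change that restores the fall-through path fails the build instead of reaching the live site.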