Here's Chris Sontag's latest declaration, in which he tries to support SCO's accusation IBM broke the law when it downloaded, from SCO's website, GPL'd Linux kernel code IBM itself wrote and owns the copyright on. IBM at the time was looking for evidence of copyright infringement, by the way. You know, like SCO's hero, the RIAA? SCO was in violation, IBM says, of the GPL by distributing that code in the first place, and hence SCO had no right to distribute that code to anyone, because they were violating IBM's copyright by so doing.
SCO's defense is to allege IBM deliberately bypassed "security measures" -- in this case, we find out, a password prompt that didn't actually require a password or hinder free access in any way, due to SCO's incompetence -- and so they allege IBM "hacked" into their site. If that is illegal, could someone please rewrite that law so it isn't stupid any more?
We also learn that SCO is not an avid reader of either Slashdot or the SCOX Yahoo message board. News that no password was needed to access SCO's Linux files was posted on Slashdot, they say, on October 31, 2003, and on February 18, 2004 on the Yahoo SCOX board. It was on March 4, 2004 that SCO finally "became aware of the problem and immediately fixed it." Immediately meaning after 4+ months, that is. Then it happened again in July, when SCO reintroduced the bug, as they call it, and over a month later, SCO realized they had done it again, and fixed it a second time. IBM is, therefore, to hear Mr. Sontag tell it, guilty of bypassing a buggy security system that didn't work to keep anybody out, if I have understood his argument. They claim there was a notice there, but I've heard and read conflicting stories about that.
I have read that many persons said that on the sites visited, there was no password required at all to gain access. It was, I've been told, like Windows 98, where they confront you with a password prompt, but if you hit Return, you access without one. Is that hacking? IBM is guilty of hitting the Return key. If that is "hacking", maybe we need to redefine our terms as well as rewrite the law. In any case, according to this declaration, SCO's distribution of Linux files was terminated on December 31, 2004.
Mr. Sontag appears to make the argument that SCO had to continue to violate the GPL, because it was contractually obligated to offer updates to previous customers. This is the same company that would like IBM held to the strictest -- one might even say the most ridiculous -- possible interpretation of the laws on "hacking". First, SCO's argument is like saying you had to steal the Hope diamond because you were under a contractual obligation to do it and had already been paid to steal it.
Second, they could offer updates without doing so from a website, instead of making it so easy for anyone to access. They could have sent out CDs by mail, for example. Their excuse for making the files readily downloadable to the public is that they were incompentent and kept goofing. And of course, IBM is to blame for that, I suppose. This all assumes that IBM wasn't a previous customer and neither were any of their employees.
Third, SCO seems to think that as long as it didn't charge any new customers, they were permitted to continue to distribute to their previous customers. I think they don't understand the GPL. If you lose your right to distribute, you lose your right to distribute. The issue isn't whether you charge for the distribution, just that you did it after you lost your right to distribute. And by any GPL measure that I know, SCO continued to distribute after they lost their right to distribute.
I am puzzled by one of Sontag's claims. He says that when SCO participated in the UnitedLinux project, it had no idea that JFS was derived from SCO'S proprietary software or that it had been contributed to Linux by IBM "in violation of IBM's agreements with SCO." He also claims they hadn't a clue that the other features SCO marketed, like asynchronous I/O, enterprise volume management systems, and better SMP scaling, were developed by IBM. They just went by what the rest of the UL consortium told them.
Aside from the unbelieveability of such a claim, which depends on SCO executives reading nothing but the comics for several years, never once really looking at the code it was selling, the copyright notices, for example, and being totally incompetent, how exactly can it be that functionality that you don't have at all in your software is derived from your code when it does things you can't do with your code? I would like SCO to explain that, because I can't understand how that is possible.
It must be me, because of not being a programmer. But if you want to program something new, why would you start with something old that doesn't do what you want and hack on that, instead of just writing something new? To me it's like saying the New York Times owns Groklaw, because I write news stories sometimes, and they did news stories first. Groklaw is doing something the Times, venerable though it is, never even thought to do. Even if GL and the Times had once been contractually bound, say over earlier templates the Times might have invented for covering the news and even if there was a clause saying that any modification of the templates remained under the control of the Times, when GL did something entirely different, open source legal research, how would that be covered by any NYTimes "news template" contract? I'm doing something utterly new and not even trying to do things the way the Times does, even though in the big picture we are each covering the news. It must be SCO's theory of "derived", meaning if you ever drove within 50 miles of Unix System V, your code is now barnecled onto the mother ship, and your brain is owned in perpetual serfdom until you die and are set free at last. In heaven, should you go there, you can code again in freedom.
There is one other odd thing. Paragraph 30, to my reading, says that instead of attaching their Intellectual Property License for Linux, they tell the judge to look at a "similar" one that IBM attached as Exhibit 33 on its Motion for Summary Judgment on its Eighth Counterclaim. I must have that SCO IP License for Linux somewhere, but I'm not at home, so I can't retrieve it. Any of you have it handy? If they can't find it, let's help them out.
This is another of the paper documents Frank Sorenson got for us from the courthouse. And thanks also to belzecue for the OCR, BobDowling for transcribing, and justjeff for the html (although, sadly, I didn't see his until after I had done it myself -- I still appreciate it though), and robert and Chris Lingard for proofing.
Note that they mention some exhibits, which we will have ready soon. Here is Exhibit E, the product announcement, and Exhibit C, the termination letter to Sam Palmisano. Here's
the one you are waiting for, the logs, Exhibit F. Also, note that their pagination is off, and I didn't follow it, simply because it was too confusing, and I followed the PDF pagination instead. There are also a couple of tempting [sic] moments, but I restrained myself.
Brent 0. Hatch (5715)
BATCH, JAMES & DODGE
[address, phone, fax]
Robert Silver (admitted pro hac vice)
Edward Normand (admitted pro hac vice)
Sem Eskovitz (admitted pro hac vice)
BOIES, SCHILLER & FLEXNER LLP
[address, phone, fax]
Stephen N. Zack (admitted pro hac vice)
Mark J. Heise (admitted pro hac vice)
BOIES, SCHILLER & FLEXNER LLP
[address, phone, fax]
Attorneys for Plaintiff
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF UTAH, CENTRAL DIVISION
SCO GROUP, Inc.
Case No. 2:03CV0294DAK
Hon. Dale A. Kimball
Magistrate Judge Brooke C. Wells
1. My name is Christopher S. Sontag, and I am Senior Vice President and
General Manager of The SCO Group, Inc. ("SCO"). Unless otherwise noted or
evident from context, this declaration is based on my personal knowledge.
2. I submit this Declaration in support of SCO's Memorandum in Opposition
to Defendant/Counterclaim-Plaintiff IBM's Motion for Partial Summary
Judgment on SCO's Contract Claims, and in support of SCO's Memorandum
in Opposition to IBM's Motion for Partial Summary Judgment on IBM's
Copyright Infringement Claim (the Eighth Counterclaim).
3. I have participated in the management, administration, and enforcement
of SCO's UNIX System V ("SVRX") software agreements since 2002. Other
than through express written agreements and for due consideration, SCO
has never intended to waive and has always sought to protect and enforce
its rights under those agreements. I am not aware of any instance -- other
than through such written agreements -- in which SCO has intentionally
waived any right to enforce any provision of any of those agreements.
4. IBM and Sequent are among SCO's SVRX licensees. SCO has concluded
that IBM (which acquired Sequent after Sequent became an SVRX licensee)
has violated its (and Sequent's) SVRX agreements by contributing to the
Linux operating system source code from a derivative or modified work
that IBM developed based on SVRX after entering into its SVRX agreements.
5. SCO did not know that IBM had contributed source code to Linux in
violation of its (and Sequent's) SVRX licenses until December 2002 or
6. In selling SCO Linux 4.0 and other products, SCO marketed features
such as asynchronous I/O, enterprise volume management systems, better
SMP scaling, and
journaling file system support ("JFS") because, according to SCO's
partners in the UnitedLinux consortium, these features were included in
the version of Linux contained in the pertinent SCO product.
7. With the sole exception of JFS, all the features were known simply
by their appearance in Linux, not by where they originated. SCO had no
knowledge that they were developed by IBM, or that they were derived fiom
SCO's proprietary software licensed to IBM, or that they were contributed
by IBM to Linux in violation of IBM's agreements with SCO.
8. SCO identified JFS in its marketing as "developed by IBM," but SCO did
not know that JFS was derived from SCO's proprietary software licensed
to IBM, or that it was contributed to Linux by IBM in violation of IBM's
agreements with SCO.
9. SCO filed suit against IBM for breaching the IBM and Sequent software
agreements within months of concluding that IBM had done so. SCO thereby
expressly acted on and manifested its intent to enforce those licenses.
10. The same day it filed suit against IBM for breaching the SVRX
agreements, on March 6, 2003, SCO sent a termination letter to IBM's
Chief Executive Officer explaining that IBM's right to use or distribute
any software product based on UNIX System V, including AIX, would be
terminated on June 13, 2003, unless IBM cured those breaches. Exh. A
hereto. SCO sent a similar letter to IBM regarding Sequent, and Dynix/ptx,
on May 29, 2003. Exh. B hereto.
11. On July 12, 2003, SCO further demonstrated its intent to enforce
its rights under those agreements by delivering a termination notice to
IBM pursuant to Section 6.3 of the SVRX agreement. Exh. C hereto. After
sending its termination letters, SCO had attempted to meet and confer
with IBM, including through a meeting held on June 2,
2003, but IBM had failed to cure its breaches during the 100-day period
provided in SCO's termination letter to IBM and the two-month period
provided in SCO's termination letter to Sequent. Accordingly, effective
June 13, 2003, SCO terminated IBM's SVRX agreements; and effective July
30, 2003, SCO terminated the Sequent SVRX agreements. Exhs. C and D
hereto. SCO thus further demonstrated its intent to enforce its rights
under those agreements.
12. After filing suit against IBM, SCO considered whether to continue to
sell and market all of its Linux-related products, including SCO Linux
Server 4.0. I was personally involved in those discussions at SCO.
13. In analyzing that question, an important consideration SCO took into
account was its obligations to its existing customers. SCO took the view
that SCO's customers were entitled to order SCO's products and updates
from SCO for a period of time after becoming customers. See, e.g., Exh. E
hereto ("Product Announcement for Linux Server 4.0," dated November 19,
2002, in which SCO promises to offer purchasers the "SCO Linux Update
Service" for twelve months, including "Access to an up-to-date repository
of UnitedLinux and other updates for their system."). SCO did not want
to abandon its current customers unless there was no other alternative.
14. SCO decided that the most sensible solution was to suspend its sale
and marketing of all of its Linux-related products effective May 14,
2003, but to continue to allow SCO's current customers (to whom SCO had
obligations) to order such products.
15. By suspending the sale of its Linux-related products, including the
operating system, services, support, professional services, education,
and layered applications, SCO eliminated approximately 5-10% of its
revenues. From May 14, 2003, until May 31,
2004 (when SCO last sold a unit of Linux Server 4.0), SCO sold 83 units
and had 79 units returned, for a gross revenue of $1,849.
16. In taking into account the foregoing considerations and reaching the
foregoing decisions, SCO never intended to waive its right to enforce
its SVRX agreements, including against IBM and Sequent.
17. In compliance with its contractual obligations, SCO has provided
customers who purchased SCO Linux Server 4.0 Server files with access
to the product through a secret, individual password that the customer
could use at the log-in screen to SCO's website, and will continue to
provide such access through December 31, 2004.
18. I understand that IBM claims that SCO made sixteen of IBM's
copyrighted works available to the public through SCO's website. IBM's
Kathleen Bennett contends (Bennett Decl. (8/5/04) ¶ 4; Bennett
Decl. (8/16/04) ¶ 10) that access to these works was available on
the following four web pages:
c. http://linuxupdate.sco.com/scolinux/update/RPMS.scolinux, and
19. The first three of the above-listed sites contained files related to
SCO Linux Server 4.0 products. In accordance with SCO's agreements with
its customers and with the UnitedLinux consortium, access to these and all
other SCO Linux 4.0 download sites has always required password-protected
authentication. For that purpose, those who registered SCO Linux 4.0
product received a login username and password to access the files. The
website had a legal notice that access was limited to SCO's customers.
20. On September 23, 2003 an upgrade was done to the authentication
mechanism on the download site, linuxupdate.sco.com. Through this upgrade,
a bug in the authentication software was inadvertently introduced. If
someone entered an invalid username or password (or both), they would
simply have the login prompt re-represented to them up to 3 times. After
three failed attempts, they would get an error message and be denied
access. However, if they left the username and password fields blank on
any attempt, the authentication process was delayed (by approximately
15-30 seconds) and access was eventually allowed.
21. Anyone who accessed the site by exploiting this bug would have known
they were bypassing a security login -- that is, hacking into the system.
22. On October 31, 2003, someone explained this password-bypass procedure
on the internet at Slashdot.org. On February 18, 2004, news of this bug
was posted on the SCOX message board at messages.yahoo.com. On March 4,
2004, SCO became aware of the problem and immediately fixed it.
23. On July 18, 2004, the authentication bug was inadvertently reintroduced
when a SCO programmer was fixing an unrelated problem. SCO was unaware of
this reoccurrence until August 23, 2004, when the problem was immediately
24. SCO maintains server logs showing access to its download sites. The
log files I analyzed demonstrate conclusively that the Ms. Bennett's
IBM "team" never attempted to log in with a valid username on January 9,
2004. Instead, they immediately bypassed authentication by exploiting
25. The logs also show that between October 31 and December 1, 2003,
IBM repeatedly accessed the SCO log-in site but did not obtain access
to the SCO Linux Server 4.0 files.
The first successful exploit of the authentication bypass by an IBM host
occurred on December 1, 2003. Apparently understanding the bug by that
date, the Bennett team thereafter entered the site without authorization
several more times between then and January 9, 2004. True and accurate
excerpts from the pertinent logs, along with explanatory notes, are
attached as Exh. F hereto.
26. According to the server log files, IBM never attempted to exploit
the bug between March 4 and July, 18, 2004, the period when the initial
repair of the authentication bug was in place. Therefore, IBM would have
been unaware that SCO had repaired the bug in the authentication process
when, as shown on Exh. F hereto, Ms. Bennett's team returned to the site
without authorization on August 4, 2004, during the second period that
the bug was active.
27. The logs confirm unauthorized accesses from IBM IP addresses,
during which 51 files were downloaded, from January 9, 2004, to August
4, 2004, including the very files that IBM now relies on in its motions
for summary judgment. Complete logs of all unauthorized downloads by
IBM are available.
28. This the text of the legal notice that was posted to sco.com on
August 8, 2003:
NOTICE: SCO has suspended new sales and distribution of SCO Linux until
the intellectual property issues surrounding Linux are resolved. SCO
will, however, continue to support existing SCO Linux and Caldera
OpenLinux customers consistent with existing contractual obligations.
SCO offers at no extra charge to its existing Linux customers a SCO
UNIX IP license for their use of prior SCO or Caldera distributions of
Linux in binary format. The license also covers binary use of support
updates distributed to them by SCO. This SCO license balances SCO's need
to enforce its intellectual property rights against the practical needs
of existing customers in the marketplace.
Dear SCO customer,
Starting on November 1, 2003, SCO will institute new procedures
for you to access binary updates and source rpms. If you own an SCO
licensed copy of Linux (such as OpenLinux, eDesktop, etc.) it will be
necessary for you to register (or re-register) in order to continue to
receive support files. During the registration process you will receive
instructions on how the new access procedure will work or you can visit:
This or similar text was on the site at all times IBM attempted (and
29. Access to the fourth website mentioned by Ms. Bennett, which contained
only one of the sixteen programs (the Omni Print Driver), became subject
to password protection on August 13, 2004. No files for SCO Linux Server
4.0 were ever available at that site.
30. The SCO Intellectual Property License for Linux is sold pursuant to
written agreements, with the licensing clause worded similarly to that of
the Questar agreement attached as Exhibit 33 to IBM's Motion for Summary
Judgment on its Eighth Counterclaim. These licenses contain a release of
claims, a covenant not to sue, and a waiver of any infringement claims
SCO may have against the licensee. These licenses are solely for SCO's
31. Other than SCO Linux Server 4.0 and SCO Open Linux 3.1.1, no SCO
product contained any of the sixteen programs at issue. SCO never modified
any of the sixteen programs.
I declare under penalty of perjury that the foregoing is true and correct.
November 30, 2004