"We started off running a proof of concept of open systems for Apache web hosting with government funding," Tony Betts, IT manager at the RCGP, told vnunet.com. "Running Apache on Windows with IIS alongside showed no improvement. When moved to Linux, the speed of response improved and emails went a lot quicker."

Sending 6,000 copies of a bulletin, which typically took days and tied up the server for the whole time, now runs in 15 to 20 minutes, according to Betts. Equally important, the RCGP was already concerned with Microsoft security, having discovered that a hacker in France was downloading data using FTP. This led to a security review which found, for instance, that Exchange was acting as a conduit for spam.

So what exactly does Microsoft plan to do with the Unix code it recently licensed? Microsoft already uses some Unix code in its Services for Unix product, which makes it possible to run Unix applications on top of Windows by overlaying Windows with Unix interfaces and protocols. Microsoft execs were unavailable for comment, but an SCO spokesman says Microsoft also plans to use unspecified patented technology from SCO in future products.

One possibility could involve giving Windows' graphical administration tools more of the look and feel of Unix, for those who want it. In an interview earlier this year, Microsoft's director of Unix solutions, Doug Miller, said his group would deliver "several dozen" new Unix scripting commands sometime this year. "One of the things we heard loud and clear from Unix IT staff is, 'I'd like to be able to administer my Windows system much in the same way I do from Unix boxes,'" Miller said. ...

Not coincidentally, given the similarities between Unix and Linux, Microsoft's Services for Unix is what the vendor also sells customers who want Windows-to-Linux interoperability."

If the market for our Linux products does not grow as we anticipate or if the UNIX market continues to contract, we may not be able to grow our business.

Our revenue from the sale of UNIX based products has declined since we acquired these operations from Tarantella. This decrease in revenue has been attributable to the worldwide economic slowdown as well as from competitive pressures from alternative operating systems. Sales of Linux based products are dependent on the development of certifiable, reliable products for business and the acceptance and adoption of Linux based operating systems by businesses. If the demand for UNIX based products continues to decline, or if such demand is not replaced by new demand for Linux-based products, we may not be able to successfully implement our business plan.

We operate in a highly competitive market and face significant competition from a variety of current and potential sources, including Red Hat and Sun Microsystems; many of our current and potential competitors have greater financial and technical resources than we do; thus, we may fail to compete effectively.

Our principal competitors in the Linux market include Red Hat, Sun and SuSe. In addition, due to the open source nature of Linux, anyone can freely download Linux and many Linux applications and modify and re-distribute them with few restrictions. For example, solution providers upon whom we depend for the distribution of our products could instead create their own Linux solutions to provide to their customers. Also, established companies and other institutions could produce competing versions of Linux software.

QUESTION: "Finally. Somebody raised a possible problem that you yourselves distribute the infringing code under the GPL licence. Do you see that as a problem from your point of view?"

SONTAG ANSWER: "No we do not, because you do not have an infringement issue when you are providing customers with products that have your intellectual property in them."

In the same interview, he claims they do have "problems" even with the kernel. And he says: "There is code written which came through from AT&T Unix system labs, some written when the Unix source was under the control of Novell and some written under the control of SCO. All of that work, that body, is owned by SCO. And SCO is the owner of the Unix operating system."

This raises another issue he may not have thought through: there is a lot of BSD code in AT&T UNIX. Maybe he needs to read the settlement terms of the BSD lawsuit. The following was posted to an article on Newsforge and then reposted on Slashdot:

"As people may recall from the original settlement of the BSD lawsuit, three files had to be removed from BSD that represented things in SysV source. What is often forgotten, though, is that AT&T itself was in a far greater bind because while there was some SysV code in BSD, there was a LOT of 'borrowed' and misattributed BSD code found to be in AT&T SysV. BSD permits this, but the license at the time required the advertising clause, and AT&T fraudulently ignored this. The actual settlement said that AT&T would no longer sue the BSD people, and that the University of California would also agree to hold AT&T harmless for misappropriating BSD code. Hence, much of the code that SCO owns is actually misattributed BSD code for which UC permitted AT&T (and it's decendents) to use.

"Now much of Linux also shares code derived from ancestrial BSD sources or people who have worked in common on both, and I am sure many of the same ancestrial routines still found today at the core of SysV are in fact also BSD derived. Hence, where common code may exist, it's code that AT&T originally misappropriated, and that SCO is free to use and relicense from the AT&T/BSD settlement, but in point of law neither AT&T nor the current SysV owner has actual legal copyright over. Perhaps the regents of UC could hall these SCO scum back into court, as they are in fact in material breach of the AT&T/BSD settlement if SCO now claims copyright 'ownership' of that originally misappropriated code since the settlement gave AT&T no such rights."

The interview with Sontag also indicates what the "infringement" may be, in their eyes. Sontag compares the basis of their complaint not so much to actual lines of copied code but to obfuscation of code, like a writer who "will hijack a paragraph here or there or rework it a little bit to try and make it look as though it was not your work, it was their own. But you can tell they have moved things around so it doesn't look like it." However, this is direct contradiction to what SCO is quoted as saying in Business Week where they claim they have found verbatim code: "If you look at the code we believe has been copied in, it's not just a line or two, it's an entire section -- and in some cases, an entire program. "

However, Chris De Bona, the man Linus Torvalds suggests should be on any panel set up to review the code, says even if similar (as opposed to verbatim) code were found, it could just be evidence of convergence, not infringement:

"In millions upon millions of lines of code, you can likely expect that in two completely different codebases with much of the same desired outcome (OS, printer driver, whatever) you'll find similar code segments."

Meanwhile the Open Group points out that they own the trademark UNIX, not SCO.

The Sydney Morning Herald has an interviewwith FSF's Bradley Kuhn, in which he says:

"Most of the core GNU components are all copyrighted by the Free Software Foundation and distributed under our auspices under GPL. SCO's right to redistribute them, and Linux too, is the GNU GPL and only the GNU GPL....FSF holds documents from SCO regarding some of this code. SCO has disclaimed copyright on changes that were submitted and assigned by their employees to key GNU operating system components. Why would SCO itself allow their employees to assign copyright to FSF, and perhaps release SCO's supposed 'valuable proprietary trade secrets' in this way?"

At the same time that SCO is attacking Linux and GNU tools, it's of interest that the SCO web site as of today is running on Linux, according to Netcraft.

It's a bit like arguing over how many angels can fit on the head of a pin.... it doesn't matter what you conclude, it is what it is (or isn't), no matter what you say. Most people use Windows products and they probably will continue to do so, no matter what you say. You can't escape the EULA, so you're stuck, some say.

Examples of such online conversations here and here and here and here and here and here and here and even on Security Focus.

Some view it as a non-issue but others are taking it seriously. Some suggestions I have seen in online discussions include not enabling the automatic updates and doing them manually, not updating at all so you don't have to accept the EULA, and still others have suggested "disabling" the EULA itself, by declaring it not binding on you anyway. Don't try that at home, kids, by the way... I am just reporting what I've been reading, not what I think is good advice. Anyone who tells you that you can click on "I Agree" and then later say it isn't binding on you probably didn't go to law school. (Cf., http://www.theregister.co.uk/content/4/30325.html)

Others, more knowledgeable, say you can just encrypt the PHI and monitor exactly what Microsoft does with your hard drive.

What is the fuss all about? To understand, first you might like to go here where Microsoft waxes poetic on EULAs.

Then try this article "MS Security Path EULA Gives Billg Admin privileges on your box," by Thomas C Greene at The Register.

And this: "Windows and HIPAA," by Brian Livingston.

And these two: "Microsoft's Intrusive License Agreement Conflicts With Federal Banking Laws" by Bryan Chaffin and Brad Smith, and "Follow-Up: Microsoft EULA May Conflict With More Federal Privacy Laws" by Brad Smith.

With Windows Media Player, just not updating won't solve the problem. The EULA comes with a vital security patch, not just when you update. And if you automatically update everything on a Windows computer, Windows Media Player is included in the mix unless you take steps to avoid it.

The patch is explained in MS Security Bulletin MS02-032, June 26, 2002, updated Feb. 28, 2003, "Cumulative Patch for Windows Media Player" (Q320920), and it addresses three vulnerabilities "which could be used to run code of attacker's choice".

MS' recommendation is to upgrade, if using 7.0, to 7.1 and then patch "immediately". If you do, you get the EULA, which includes this:

"Digital Rights Management (Security). You agree that in order to protect the integrity of content and software protected by digital rights management ("Secure Content"), Microsoft may provide security related updates to the OS components that will be automatically downloaded onto your computer."

So now you are faced with a true dilemma. Update and/or patch and accept the EULA, or don't update/patch and face the internet with critical vulnerabilities? In a HIPAA context, which is better? Is either acceptable? Just not updating is clearly not possible. But if you accept the EULA, are you then out of compliance with HIPAA?

All right you say, but if you upgrade to XP or 2000, you get more secure environments than 95/98SE, so much so that some companies covered by HIPAA are forbidding the storage or transmital of any PHI on 95/98 boxes. True, the environment is more secure, if only because neither 95 or 98 allows meaningful user access control, but upgrading to Windows XP or Windows 2000 SP3 presents the EULA question. Windows XP Professional's EULA requires "mandatory operating system software upgrades", which MS has verbally said they don't actually mean, when asked about the EULA after the storm hit. But it still says this, so which is it? You are faced with relying on MS's word that they don't mean it, going ahead and disabling the automatic updates and doing updates manually, and risking that they might change their minds and hold you to the actual wording of the EULA; or just not using their software. Hmmm. And by the way, if you update manually, you must enable ActiveX, which is itself a security issue.

To see the actual wording for XP, go here and download the PUR.pdf file, dated April of 2003, under the MS Volume Licensing Programs; or read this Infoworld article.

For Windows 2000, you can read about updates here.

To read the EULA itself, go here and click on the download link, then quit the process after you read it by saying you don't agree, or read this posted version by doing a Find for EULA in the comments after this Slashdot article.

If you already have Windows 2000 and want to see the EULA, this MS page tells you how to find it on your computer.

So there you have the dilemma. Can you protect PHI and also invite Microsoft in to visit your hard drive where the PHI is kept?

Recently I got a press release offering a HIPAA conference with a special party thrown by MS for all the attendees as part of the package. It's a big party, and it sounded like fun, with food and drink, fun tech-toys to play with at their headquarters, a chance to win an XBox, big-time speakers, etc. You can read about it here although the fun stuff is only mentioned in the press release: "SPECIAL RECEPTION SPONSORED BY MICROSOFT ON FRIDAY EVENING, JUNE 6 IN SEATTLE: -- Mingle among test tubs [sic], beakers and tablet PCs at Microsoft's Lab party in downtown Seattle on Friday night. There will be cocktails, food and music, plus all attendees can register to win an X-Box that will be given away on Saturday." The next day all the conferees are taken by bus to Microsoft's conference center for the day's talks.

It's no wonder, I thought reading the release, that talking about security problems in MS products is such a hard sell. These heavy-duty speakers at the conference are going to have a lot of fun at Microsoft's headquarters, and it must be hard to say bad things about their software after you've eaten their food, drunk their drinks, and danced to their music. I don't think perceptions about the importance of security will change overnight, but as HIPAA problems crop up, and they will, just as Nimbda and Slammer were a big education with regards to security and Microsoft software, little by little I think people working under the HIPAA umbrella will realize that security in current MS products is a challenge. MS promises to improve security in the future. Unless or until they do, I don't doubt that there will be PHI spills.

And what I wonder is: when some infuriated victim of a PHI breach sues a company that didn't succeed in preventing the spill, then what? Can they successfully argue that they met their HIPAA obligation when there are other operating systems, such as Apple and Linux, that arguably provide better security? The US Army, for example, switched from Windows NT servers to Apple servers in 1999 to increase security, because the W3C said they were more secure.

Nor is HIPAA the only worry; state consumer protection and privacy laws, when they are more stringent than HIPAA, are not wiped away by it. You can sue under state law, even if you can't sue as an individual under HIPAA, where you can only file a complaint for the government to follow up on. See "Medical Privacy: Understanding HIPAA's Security Rule," here and this page "HIPAA Privacy Law Matrix", developed by The Ohio State Medical Association and The Ohio State Bar Association Health Law Committee to compare the requirements of the HIPAA Privacy rule with privacy requirements in Ohio law, for one example.

If HIPAA has done one thing already, it's making us all more aware of issues some of us didn't worry about that much before.

Maybe you aren't the worrying kind. But if I were a health care provider, I believe I'd follow these suggestions I have seen in online discussions on this topic: first, I'd call my lawyer and get specific legal advice on the EULA and liability re the security issues, and second, I'd get expert computer security advice. HIPAA isn't a job for amateurs.

HIPAA, the Health Insurance Portability and Accountability Act, the new set of federal rules and regulations regarding privacy of medical records, is now in effect. The Privacy Rule is here

Next to be implemented will be the Security Rule, which you can read in the Federal Register or from the link here.

Not everyone is happy about HIPAA, including the American Association of Physicians and Surgeons who are urging patients to talk to their doctors and ask them for their files to take home with them, and then bring them with them to each visit themselves. Their instructions are here and the form they suggest patients sign is here.

Meanwhile, back on Planet Reality, you can learn about what HIPAA all means at CMS' official page here and here. The HIPAA Complaint form is here. There is also an attorney HIPAA Blog.

Remedies under copyright law.

History of UNIX.

Richard Stallman's chapter on the GNU tools and the GPL

"All source code for GNU tools is available; anyone can download, build, and use them for free. You can also download the current 'Top of Tree' and make modifications to the tools that are needed. If you fix a bug or add a significant feature, you should contribute it back to the community, although this is not required if you do not distribute your altered software. If you distribute such work, you are actually required to distribute your source and contribute it back to thw owner of the original software. See http://gcc.gnu.org for more information about participating in this work; always consult with your own legal authorities about your specific rights and obligations for any work you are doing.Several different license types can be used for code that is contributed to the Open Source community. See www.opensource.org for an overview of the terms and restrictions of the different licenses.

"Note that you are not required to provide the source for an application that is created using the GNU toolchain. You must, however, carefully check the license type of all libraries that are used in the code: libraries that are covered by a GPL can only be used in free software; libraries that are covered by an LGPL can be used in free or proprietary software. The www.gnu.org web page provides more information about the terms of the different licenses; when in doubt, consult your legal experts." "

Say, that's good advice. How likely is it that they didn't do so themselves, or that they had no knowledge that under the GPL, if you release a product built on it that the whole is released as GPL also? Slim or None?

In their guide for developers, they clearly state that Linux is "a UNIX-like operating system" and Linux and GNU tools are released under the GPL:

"The Linux operating system and the GNU toolchain are released under the GNU General Public License (GPL). The GPL provides that the source code to the software must be made available and that no one can restrict access to it. With this type of software, anyone can examine and extend the source code, but all such work must be released for public use. Other licenses provide for the inclusion of source code with its associated software, but GPL is the most common Open Source License. 1.2. What is OpenLinux?

"OpenLinux is Caldera's self-hosted source code Linux distribution that conforms to commercial software release procedures. OpenLinux is based on the most current stable open source technologies, but subjected to rigorous testing procedures similar to those used for proprietary operating systems."

On this page, they list SCO contributions to the Linux community, as they call it. And if you follow the links, you find one page that says they were releasing under the GPL: "Aim Benchmarks -- SCO is making Suites VII and IX of the AIM benchmarks available under the GPL. The Suites are now available to the community via download. The project will also be available on SourceForge soon." They even say on another page that they made contributions of code to the Linux kernel. If so, it wouldn't be a surprise if some code in the kernel might look like Unix code owned by SCO.

On a page describing "The Linux Support Team" they say that Caldera Open Linux distribution is based on LST Distribution, and that it is distributed under the GPL.

They have whole pages devoted to the GPL, in which they accurately explain how it works. For example, here it says: "This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License."

And on another page, they say: "Printed below is the GNU General Public License (the GPL or copyleft), under which Linux is licensed. It is reproduced here to clear up some of the confusion about Linux's copyright status--Linux is not shareware, and it is not in the public domain. The bulk of the Linux kernel is copyright ©1993 by Linus Torvalds, and other software and parts of the kernel are copyrighted by their authors. Thus, Linux is copyrighted, however, you may redistribute it under the terms of the GPL printed below. "

Intriguingly, on this page of the Installation Guide, which explains Linux and gives some of its history, it says that Linux is a "UNIX operating system clone", with no AT&T code in is:

"What makes Linux so different is that it is a free implementation of UNIX. It was and still is developed cooperatively by a group of volunteers, primarily on the Internet, who exchange code, report bugs, and fix problems in an open-ended environment. Anyone is welcome to join the Linux development effort. All it takes is interest in hacking a free UNIX clone, and some programming know-how. The book in your hands is your tour guide. (later also says: Linux is a free version of UNIX developed primarily by Linus Torvalds at the University of Helsinki in Finland, with the help of many UNIX programmers and wizards across the Internet. Anyone with enough know-how and gumption can develop and change the system. The Linux kernel uses no code from AT&T or any other proprietary source, and much of the software available for Linux was developed by the GNU project of the Free Software Foundation in Cambridge, Massachusetts, U.S.A. However, programmers from all over the world have contributed to the growing pool of Linux software." (See also SCO's OpenLinux Documentation page.)

Now Chris Sontag in an interview with MozillaQuest Magazine is saying something different:

"MozillaQuest Magazine: Darl also said in the CRN interview that "Linux comes from Unix and we own the Unix operating system." All the Linux kernel and GNU/Linux operating system people we have talked to say this is not true. They say that the Linux kernel and GNU/Linux were developed independently. They say that the Linux kernel and GNU/Linux operating system are not derived from Unix. Are you disputing what the Linux kernel and GNU/Linux people are saying about this? (Emphasis added.) Chris Sontag: Yes we are. This will all be brought out in court."

For any who are confused, this page explains who is who at SCO: "Note: Until 2001, the Santa Cruz Operation (SCO), a UNIX company, and Caldera International (CALD), a Linux company, were two different companies. In 2001, Caldera acquired SCO. Then in 2002 Caldera changed its business name to the SCO Group. However, the corporate name remains Caldera International. Many people still think of the SCO Group's Linux operations as Caldera. In order to make sure that readers would know and realize throughout the article that what is now the SCO Group is also the company once called Caldera, the SCO Group is often referred to as SCO-Caldera in this article."

So there you have it, folks. You don't need to be a programmer to figure out that their claim of inadvertent release under the GPL is not accurate, judging from this collection of documents.

ZDNET UK says that "Microsoft is acquiring rights to Unix technology from SCO...According to a statement from Microsoft, the company will license SCO's Unix patents and the source code."

MS's atty Brad Smith said acquiring the licence from SCO "is representative of Microsoft's ongoing commitment to repecting intellectual property and the IT community's healthy exchange of IP through licensing."

The only questions I have are, Was SCO their running dog from the beginning? Is this whole lawsuit manufactured with the "higher" goal of destroying Linux in the enterprise market? And just how far do they hope to take this destroy-Linux strategy?

SCO, I found out, got just 2% of its income from its Linux offerings. It's a 98% UNIX company, which by definition puts it at odds with enterprise Linux shops like RedHat and SUSe, who target the previously Unix market and who are the two Linux distributors SCO has singled out as allegedly having SCO proprietary code in their distributions. The same link shows that SCO admits there is no proprietary code in the Linux kernel.

InternetNews.com has the best article I have seen yet on the SCO-IBM case. The reporter actually contacted Columbia Law School Professor Eben Moglen, attorney for the Free Software Foundation, who confirms the GPL snag in SCO's strategy:

"From the moment that SCO distributed that code under the GNU General Public License, they would have given everybody in the world the right to copy, modify and distribute that code freely," he said. "From the moment SCO distributed the Linux kernel under GPL, they licensed the use. Always. That's what our license says."

The article continues:

"Moglen noted that SCO cannot readily make the claim that it inadvertently released the code, because the GPL requires that when code is released under its auspices, the developers must release the binary, the source code and the license, and the source code must be able to build the binary. Presumably, then, the binary functions the way the creators want it to function and has the capabilities they want it to have.

"'This isn't an inadvertent distribution case,' he said. However, he noted that the Free Software Foundation works with companies to ensure that they do not release anything under the GPL that they do not intend to release. In fact, he said, when SCO first filed its suit against IBM, he approached SCO's lawyers because it is the Free Software Foundation and not IBM which holds the copyright to the Linux distribution IBM created, Linux for S/360. IBM created the Linux distribution but released it under the GPL and signed the copyright over to the Free Software Foundation."

"Moglen said that when he approached SCO's lawyers he asked them to show him any problems with the particular Linux distribution and if there were any he would stop its distribution. 'They have never responded to that invitation,' he said.

WHY, THEN, DO THIS, SCO?

A lot of pundits have said that it's because SCO wants IBM to buy them out and put an end to their money misery. I think the refusal to show the code and the following quote in the article points to another motive, and I think this quote may come back to haunt them in court, if patent infringement becomes an issue, with regard to refusing to mitigate damages. SCO still says it won't show its evidence to Linux distributors:

"That's akin to saying, 'Show me the fingerprints so I can clean them off.' The Linux community would love for us to point out the lines of code. We're willing to show that under non-disclosure to select individuals, but the first time we show that publicly will not be in the open," SCO spokesman Blake Stowell told internetnews.com.

So, this is confirmation that SCO is not interested in fixing the problem. Rather it wishes to maintain the status quo. It seems unlikely that any court will reward that behavior. And it indicates to me that Boies needs to muzzle his client, before his entire case goes down the toilet. Not that I'm not hoping for exactly that.

Meanwhile, the InternetNews article is well done and even goes into the SCO decision to file originally in Utah state court instead of federal, which explains why they filed only a misappropriation claim, not copyright infringement. I have just bookmarked InternetNews.com.