Posted on 07/25/2003 7:16:17 PM PDT by HAL9000
Despite legal threats from SCO Group, Linux use by large enterprises is growing, according to a survey by network security company Netcraft. The firm's survey shows Linux growth in the Web server sector, which has long been one of the open source OS's strongest markets.
The list of large enterprise sites that have migrated to Linux in the last two months includes Royal Sun Alliance, Deutsche Bank, SunGard, and Schwab. Linux saw a net gain of 100 sites among the 24,000 Web sites run by 1,500 large companies in this period, according to Netcraft.
Netcraft data even shows that the White House site is powered by Apache on Linux, though this appears to have been set up prior to the SCO suit.
The continued adoption of Linux by large enterprise in the face of SCO's legal threats is not surprising, said Yankee Group analyst Laura DiDio. "I don't think many of them thought of it as a big threat, I think they viewed it as a mosquito at a picnic -- a sort of gnat buzzing around."
However, "I think that's going to change as the months go on," she told NewsFactor.
Warning Letter
In May, SCO sent letters to 1500 of the largest companies globally warning them of the legal risks involved in running Linux. Although SCO did not make the identities of these companies public, Netcraft noted that it is "likely that the list of companies that received letters from SCO is quite similar to the list of sites we use to study enterprises' web site technology choices."
Some analysts speculate that SCO's legal action will slow Linux adoption among enterprises, both large and small. Meta Group analyst Thomas Murphy told NewsFactor that "If SCO has the intellectual property rights, then they're going to be the license holder, and any Linux distribution would pick up a fee, potentially, from SCO for every single copy."
Given that one of Linux's biggest advantages is that it is lower cost than proprietary software, this added fee "would be detrimental," to Linux adoption, Murphy said.
Reasons for Continued Growth
Explaining the apparent paradox of continued Linux growth in the face of potential legal action, Netcraft said that "It may well be that although SCO has generated an enormous amount of attention from the media and Linux evangelists, it does not presently have the attention of IT practitioners in large companies."
Netcraft listed a variety of additional possible explanations for Linux's increased growth despite legal threats: Companies realize the costs of migrating from Linux to FreeBSD at a later date, if needed, would be small, and they may feel the chance of a SCO victory is remote.
Relying On IBM
These large companies figure that "it will be years before this gets to court, they'll probably settle, IBM says 'don't worry,'" DiDio said.
However, "IBM had better step up to the plate and start saying whether or not they will indemnify their customers, and if so, to what extent," she said. SCO has filed a $3 billion lawsuit against IBM, alleging that IBM misappropriated SCO's Unix intellectual property, using it to increase Linux's capabilities.
Though IBM has denied SCO's charge, IBM should indemnify their customers anyway, DiDio said. "Microsoft has a great indemnification clause in their contract that they put in back in April," she noted.
That IBM has yet to offer their customers such an indemnification is troubling, DiDio said. "The fact that they're not doing it, and that they're not saying what they're going to do, I find that silence really ominous."
Some Move To Windows
Although Linux saw a net gain, "it is by no means one way traffic," Netcraft said. Of the 24,000 enterprise sites included in the survey, in the past twelve months over 1600 have changed operating systems.
Indeed, some firms have migrated to Windows. Examples of these firms are Valaro Energy, National Service Industries and Colt. Cadbury Schweppes has tried all three operating systems in the last two years, and it currently runs on Windows 2000.
I'm afraid your last post was possibly somewhat over my head. If you care to repeat it in more terms that I might understand.
To clarify my argument, I disagree with the "many eyes" security model, simply because you have no way to determine the ratio of "bad" eyes vs. "good". Thanks in advance for your response.
I did not claim any of those things. I stated, correctly, that none of the Causes of Action in SCO's complaint involve copyright infringement or patents. SCO is of course free to amend its complaint, but to date SCO has not included any patent or copyright claims among its courses of action.
Nor did I claim that "only code written by IBM is the only duplicated code in Linux." I stated, correctly, that these are the items named in the lawsuit. The lawsuit is, after all, against IBM. It should not surprise any of us that claims not involving IBM are not in the IBM lawsuit. To date, SCO has not filed any other linux-related lawsuits, so it is too soon to say what they might eventually allege concerning others.
It might be worth noting that there are two "trials" going on here. One is moving slowly through the court system (I believe the first hearing is scheduled for some time in 2005), and there is a second trial taking place in the press. So far the press trial has consisted of numerous press conferences, press releases, and interviews conducted by SCO officials. They are making noise on many subjects, including copyrights, but for whatever reason not much of what they say to the press is reflected in their actual complaint filed with the court. Meanwhile their insiders continue to sell. IBM has mercifully confined itself to issuing boilerplate legalese one-liners of the "we will vigorously defend" variety. The trial in the press is therefore heavily skewed toward claims made by SCO. They are making new ones every day, and IBM seems to be taking the position that press releases do not assist with lawsuits.
It was a clear misrepresentation of the truth. Something I see in 99% of your posts regarding this or the trials and events surrounding the RIAA.
Further, that the code is published means that everyone is free to audit it, including the NSA (which produced its own set of patches for Linux and ended up doing their own Linux distribution and made it freely available).
If the WH were using Windows XP, they would not have the ability to view the source code, and under US law could not decompile it to assure themselves it was working correctly.
Your entire post is basically incorrect.
Actually, the bulk of it is right on the money.
You say "security through obscurity is a bad idea." No it's not, it's the basis of the entire "classification" system of the US Government. I know because I have worked there.
The "security through obscurity" idea is deeply flawed, and the example you cite relies only marginally on StO practices in that certain data is kept classified and certain terms are deemed classified entirely or when used in concert with other terms. However, the means of keeping it classified is not via StO practices but thoroughly reviewed and openly-tested means of security.
Bottom line: Security through Obscurity Isn't. If it was, then Microsoft wouldn't be leading the pack in terms of having the most worm- and trojan-friendly OS and applications out there. As it stands, it does...even though its product is closed-source.
You bring up the NSA Linux, but failed to provide the hyperlink.
Haven't we had this discussion before? I know I provided you a link then, but I'll provide it again.
As soon as you provide it, I will use, cut copy and paste right from it and post back on here where it says it is NOT a security solution for Linux.
To quote from the site:
This work is not intended as a complete security solution for Linux. Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux. Instead, it is simply an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux.
Essentially it provides a version of Linux that possesses mandatory access control (a system-wide chrooted jail if you will) for all processes and files (since UNIX treats everything as a file, this is actually quite important).
Sure, it's not the be-all/end-all of security solutions, but it's a far cry better than what Microsoft has to offer. Hell, that OS coughs up system-wide control at the drop of a hat.
The White House very well could request to review the source of XP, which they may or may not have done.
What would be the point? So the White House could direct its tech professionals to strip the Windows OS down to the point that it no longer resembles the XP with which the rest of the populace has to suffer? Besides, Microsoft itself has already admitted to fundamental flaws in its code base that spans all versions of Windows. The flaws are so fundamental that Microsoft itself has stated that they cannot fix them.
Doesn't exactly leave me with a sense of confidence in Microsoft's closed-source "security"...
-Jay
You could lay out every single security system used at Fort Knox and let people download the blueprints over the Net, and Fort Knox would be no less secure than it is today. Fort Knox's location is known to anyone who cares to look at a map.
Security through obscurity would posit that Fort Knox' location would not be generally known, and depend on that to provide protection.
Bingo. It should also be noted that even Fort Knox's vaults have metal plates on the interior bevel of the vault doors which outline the fault tolerances of the hardware. That means that even Fort Knox is not impenetrable.
So why is Fort Knox considered "secure"? Well, it's got one helluva Intrusion Detection System (IDS) for one. For another, it's got very good countermeasures to thwart an attacker. And finally, the certainty of capture and eventual prosecution (rather than any ridiculously exaggerated penalties for an attempt) is an unparalleled deterrent.
Yet for some reason, people overlook these simple realities when it comes to computer security and computer crime.
-Jay
To agree with that poster's statement as you did certainly calls your decision making into question. Publishing the complete blueprints of Fort Knox's security systems will NOT make it more secure, jeez man, what are you people smoking?
Which is precisely why Linux is secure, for reasons similar to why the strongest cryptographic algorithms are freely available for review. "Black box" security is no kind of security, boxes are meant to be opened.
Precisely. That is why Linux security is superior to the closed source Microsoft.
Indeed, if the "security through obscurity" model were even remotely viable, then we wouldn't see the repulsively voluminous number of worms, trojans and viruses that we do on the Windows OS.
Nimda, Code Red, ILOVEYOU, Melissa and the Slammer worm are all living proof that closed source software offers absolutely no security benefit. Indeed, closed-source software and "security through obscurity" ultimately affords all users only the illusion of security.
-Jay
First, not one of the people I know who have any experience with Unix or VMS has had any experience remotely close to yours.
I took the liberty of doing a "find in forum" search on your posts. You have not contributed recently to any thread or forum that is not having to do with MS vs Linux or something similar. Each time you have been pro-MS.
Do you own stock in Microsoft? Are you employed by a company with a vested interest in seeing MS succeed?
Why would I need to post that? You can buy it for $59.95 these days.
And since you brought up such information as an example of inestimably valuable data, I'd like to point out that most people willingly give up that information to unknown third parties -- and I mean _ALL_ of that information -- just so they can save a few pennies on their grocery bill, get cable TV, or file their income taxes electronically.
And you mean to tell me that such information is in the same league as classified data? Please.
-Jay
That's not what they proved at all. They simply were created by malicious programmers whose intent is to attack the largest footprint, which M$ clearly has. They also were likely created by the legions of M$-haters that reside in the *NIX world, who else unashamedly displays such hate?
A perfect example is this Chinese hacker group, who just "open sourced" a whole new worm for Windows late today:
http://news.com.com/2100-1002_3-5055759.html?tag=fd_top
My statement was that none of the Causes of Action in SCO's complaint involve copyright infringement or patents.
The SCO Amended complaint of June 16, 2003 is here. This is the most current version of SCO's filing. Anyone is free to examine it. There are three Causes of Action related to Breach of Contract, one alleging Unfair Competition, another on Interference with Contract, and the last alleging Misappropriation of Trade Secrets. They are as I described them.
To agree with that poster's statement as you did certainly calls your decision making into question. Publishing the complete blueprints of Fort Knox's security systems will NOT make it more secure, jeez man, what are you people smoking?
*sigh* As I pointed out in my post, the overall security of Fort Knox is penetrable. What keeps it robust is the Intrusion Detection Systems and counterattack response it possesses. The vault doors can be breached, as can any other door on the premises. What part of my point aren't you getting?
-Jay
Yes, and No. My ongoing attacks against linux are a result of the incredible amounts of disinformation provided by posters such as Nick Danger, as well as my concern over loss of US trade secret technology to the world without compensation, or worst case being utilized in countries that might have previously suffered trade restriction.
Also, being employed in the tech industry, I don't feel that making anything we supposedly do 'free' is a good idea. And 'free' is a false promise anyway.
Yes but publishing the blueprints does NOT further secure those mechanisms. It weakens them by making them available to the next generation of bank robbers whose tricks we may not even know yet ourselves.
Again, are you going to post your name, birthdate and ssn, or is "security by obscurity" protecting them for you?
That's not what they proved at all. They simply were created by malicious programmers whose intent is to attack the largest footprint, which M$ clearly has.
Actually, UNIX (all flavors, including Linux and *BSD) holds the largest footprint (65%) whereas Microsoft holds around 25% of the total market. If your imaginary scenario were true, then attackers would be focusing exclusively on UNIX.
As it stands, many a dedicated attacker does focus on UNIX and all its variations...yet none have produced a worm equal in magnitude and severity to Nimda, Code Red, and the others.
Once again, this is proof that open source carries no additional security risk and closed source actually places the user at greater risk since its "security" is based on little more than smoke and mirrors.
They also were likely created by the legions of M$-haters that reside in the *NIX world, who else unashamedly displays such hate?
I don't hate Microsoft. I just loathe businesses that produce shoddy, insecure products while at the same time claiming that Linux is a "threat to national security."
A perfect example is this Chinese hacker group, who just "open sourced" a whole new worm for Windows late today:
http://news.com.com/2100-1002_3-5055759.html?tag=fd_top
Once again, more proof that Windows closed-source "security" is just a disaster waiting to happen.
-Jay
While your figures are debatable, you still improperly grouped all *NIX products together, which is a false analogy simply because not all viruses for some *NIX products affect other *NIX products at all. This is a perfect example of the disingenuous arguments you people constantly make.
Once again, more proof that Windows closed-source "security" is just a disaster waiting to happen.
Your defense of Chinese hackers is sickening.
Yes but publishing the blueprints does NOT further secure those mechanisms.
How do you know that? Like it or not, peer review is one of the most effective means of finding and fixing security holes around. As Bruce Schneier once observed, just because a cryptographer can't crack his own code doesn't mean it's secure. The same goes for any security system.
It weakens them by making them available to the next generation of bank robbers whose tricks we may not even know yet ourselves.
That's nonsense. Your scenario totally precludes the existence and involvement of goodwill in the security profession.
Again, are you going to post your name, birthdate and ssn, or is "security by obscurity" protecting them for you?
Nah. I'll post 'em right here, right now. Here it is.
There. That contains my full name, address, phone number, SSN, DOB, and even my mother's maiden name. I'll even throw in the key ID:
pub 1024D/65EDA6E7 2002-09-08 Jay D. Dyson <jdyson@treachery.net>
Bear in mind that this is encrypted with an OPEN SOURCE encryption program (Gnu Privacy Guard) on an OPEN SOURCE Linux system using an OPEN SOURCE kernel built with an OPEN SOURCE compiler...so, by your reasoning, the data is vulnerable since the bad guys have had access to its inner workings.
I would not be sleeping so well were I using Microsoft's sloppy "security" products with such sensitive data.
-Jay
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.