SCO Is Back Online

Friday, December 12 2003 @ 05:19 PM EST

Contributed by: PJ

The very first Linux distro I ever tried was Red Hat. This was some years ago, and I was clueless. It took about a month before I realized my box was 0wned. I don't know when it happened, maybe immediately. But any way you look at it, it was fast.

So I completely reinstalled. It took about 2 weeks before I saw it had happened again. This time, I saw games on my computer I specifically had not installed and weird notes from people inside otherwise normal files.

I completely reinstalled again. It took one day before I was 0wned again. At this point, I knew it was time to figure out the real problem, which wasn't Red Hat. The problem was me. It took me months and months of reading and asking and learning to realize I needed to fix the configuration and set up a firewall and things like that I just didn't know about before.

I couldn't figure that part out fast enough, so I bought Mandrake, because it had a firewall built in with a GUI to make it configurable by newbies, which back then Red Hat didn't have. After that, my life got better.

Why were people cracking into my computer? I don't know and I hated it and them for doing it. It was, I knew, nothing personal. I was, after all, nobody and had no enemies. It just happens. And it happens to everybody. In the office, my firewall constantly noted serious efforts to get into the Windows box, mostly from places like Korea, where I don't know a soul. So it wasn't that anyone was furious with me or trying to get back at me. It's life on the internet, sadly.

If you go on the internet, you have to be responsible for being there. I felt that responsibility, and so I took the trouble to try to learn, not that I'm an expert. But I wanted to at least be competent. People interact on the internet, so we each have a responsibility not to contribute to problems. Sometimes individuals lack the knowledge to do that well, but surely companies can and should take the time and spend the money to hold up their end. Tom Ridge of Homeland Security gave a speech recently in which he basically told companies to get their computers secured or the government would likely step in and make them take security seriously.

Now, what if I had an agenda? Let's imagine one. What if I was married and my husband and I were arguing over whether or not it's safe to be on the internet for banking and shopping. Let's imagine he says it is safe and I insist it isn't. We each dig our heels in and want to prove the other wrong. What might I do the next time I see my computer was broken into? Would I hide the problem from him and fix it quick? Or, would I more likely let it get even worse so as to demonstrate my point in a way he can't refute and win the argument? Well, in real life, I wouldn't do either, but we are just imagining something to make a point.

SCO, I am happy to say, reports it is back online again. Here is the Techweb report. CAIDA, a highly respected group of researchers, with far greater resources at their disposal than most, is reporting backscatter that would indicate there was some kind of attack in their view. You can read about backscatter here. I have no known reason not to accept their conclusion. It doesn't indicate who did it, of course, not that SCO felt constrained from saying who they think it was, namely somebody in the Linux community.
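The backscatter that CAIDA reports rests on a simple inference: a flood of SYN packets with randomly forged source addresses makes the victim send SYN/ACK or RST replies to addresses that never asked for them, and a monitor on an unused address block (a "network telescope") sees a sample of those replies. Grouping the unsolicited replies by their source reveals the victim, and scaling the sample by the telescope's share of the address space estimates the reply rate. The following Python script is an added illustration of that analysis and is not code from Groklaw, CAIDA or SCO; the telescope block, the one-line packet summary format, the sample records and the thresholds are all constructed assumptions.

```python
"""Backscatter inference over constructed packet summaries (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: an otherwise unused /8 that our monitor watches. Nothing in it ever
# opens a connection, so every inbound packet is by definition unsolicited.
TELESCOPE = ip_network("10.0.0.0/8")

# TCP reply types a victim emits when it answers a spoofed SYN.
BACKSCATTER_FLAGS = {"SA", "R", "RA"}


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line: str) -> Packet:
    """Parse the constructed format 'ts src:sport > dst:dport flags'."""
    ts, src, _, dst, flags = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Packet(float(ts), s_ip, int(s_port), d_ip, int(d_port), flags)


def is_backscatter(pkt: Packet) -> bool:
    """A reply-type segment aimed at the telescope is a backscatter candidate."""
    return pkt.flags in BACKSCATTER_FLAGS and ip_address(pkt.dst) in TELESCOPE


@dataclass
class VictimReport:
    victim: str
    observed: int          # backscatter packets the telescope saw
    distinct_targets: int  # how many telescope addresses they hit
    duration: float        # seconds between first and last packet
    estimated_rate: float  # estimated replies/s the victim sent Internet-wide


def infer_victims(lines, min_packets=10, min_spread=8):
    """Group unsolicited replies by source and report sources that look flooded."""
    buckets = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if is_backscatter(pkt):
            buckets[pkt.src].append(pkt)
    # The telescope sees roughly 1/scale of replies sent to random addresses.
    scale = 2 ** 32 / TELESCOPE.num_addresses
    reports = []
    for victim, pkts in buckets.items():
        targets = {p.dst for p in pkts}
        # A single stray reply, or replies to one address, is a misconfiguration
        # or a stale listing, not a spoofed-source flood.
        if len(pkts) < min_packets or len(targets) < min_spread:
            continue
        duration = max(p.ts for p in pkts) - min(p.ts for p in pkts)
        rate = len(pkts) * scale / max(duration, 1.0)
        reports.append(VictimReport(victim, len(pkts), len(targets), duration, rate))
    return sorted(reports, key=lambda r: r.observed, reverse=True)


def constructed_sample():
    """Constructed records: one flooded web server, one stray RST, one scanner."""
    lines = []
    # 40 SYN/ACKs from 192.0.2.10:80 sprayed across the telescope over 19.5 s.
    for i in range(40):
        dst = f"10.{i * 7 % 254 + 1}.{i % 200}.{i * 13 % 254 + 1}"
        lines.append(f"{i * 0.5:.1f} 192.0.2.10:80 > {dst}:{40000 + i} SA")
    # One RST from a mail host: unsolicited, but not a flood.
    lines.append("3.0 192.0.2.77:25 > 10.9.9.9:51234 RA")
    # A scanner sending SYNs: these are probes, not replies, so not backscatter.
    for i in range(15):
        lines.append(f"{i:.1f} 192.0.2.55:{50000 + i} > 10.{i + 1}.0.1:22 S")
    return lines


if __name__ == "__main__":
    for r in infer_victims(constructed_sample()):
        print(f"{r.victim}: {r.observed} replies to {r.distinct_targets} addresses "
              f"over {r.duration:.1f}s, ~{r.estimated_rate:.0f} replies/s estimated")
```

The scanner's SYNs and the lone RST are both discarded by the two filters, which is the point of the spread threshold: a real victim's replies land on many unrelated telescope addresses because the attacker forged many sources, whereas a scanner or a misconfigured peer contacts the block on its own initiative. The rate estimate is only as good as the assumption that forged sources are uniformly random, which is the same caveat a telescope operator would attach to it.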

It is clear, with this further information, that something did happen to SCO, so I asked Steve McInerney, the Australian security expert who was quoted in Groklaw's original report, to comment on the new evidence and he provided this statement:

"SCO did suffer a Distributed Denial of Service (DDoS) attack, consisting of two attacks against both their webserver and ftp server. The new, missing, evidence which has so dramatically changed my conclusion was brought to light by CAIDA. This is a most regrettable incident, and I personally condemn the attack. There is no justification for such vandalism. Given that setting up alternate paths for their staff to continue to work and send/receive emails is trivial to both pre-consider and utilize, it is somewhat surprising that SCO did not seem to have done so in order to mitigate. The DDoS is true; I was wrong there. The charge of incompetence still stands."

May I just ask you this question: is there any other company in the world that could announce they were being attacked and have a large section of the world, including security professionals, refuse to believe it until a third party verifies? I put the CAIDA information at the end of our original story yesterday. And I am highlighting it again today, to be honest and fair and to provide all the facts, not just those that I wish were so. Groklaw is about telling the truth, no matter what. It isn't possible for imperfect humans to be right 100% of the time, and a news site has to report as a story unfolds, and all the facts are not always immediately known, particularly in a complex story, but we can surely make sure that as new information comes to light we report it all and keep the record accurate that way.

The fact that no one in the community could believe this allegation is proof that we don't know anyone who would do such a thing. At least, I know for a fact I don't. I deplore and detest such behavior. I am very sorry this happened to SCO and I condemn it, whoever did it. If SCO is short-staffed and needs a helping hand, I am confident the real Linux community, the one that I know, would be glad to help them. The battle in the court room is quite separate, and just as two attorneys can argue fiercely before a judge and then politely shake hands, I feel the same way. I might add that I haven't seen on Groklaw a single comment yet that said anything justifying or approving such an attack. That is as it should be. There are still unanswered questions. We will report further details on this story down the road as they become known.

This can't keep happening to SCO. Groklaw's experts pointed out that there are steps a company can take to prevent and cope with attacks. One of the authors of the CAIDA report said the same:

"'There are definitely things out there that they can buy, or services that solve this problem,' said David Moore, assistant director and researcher at the Cooperative Association for Internet Data Analysis (CAIDA) and an expert on denial-of-service attacks. 'It is just a question of how important your Web site is to you and how much you are willing to spend.'"

This is what Groklaw reported. It's really up to SCO now. If they want to fix their problem, surely they ought to be able to do so. If they don't want to solve the problem, and such events continue to occur, followed by headlines accusing the Linux community before anyone knows who did it, then the question really has to be, why? What's going on?

UPDATE: Here is a snip from an article on InternetWeek regarding our initial report:

"We asked several Linux and security experts to look over Groklaw's analysis of the attacks. These included: contributing editor Don MacVittie, who is currently an IT project manager for a major midwestern utility company, and has an extensive Linux and IT background; Neil Schneider, president of the Kernel-Panic Linux User Group; and Matt Brown, CEO of LAMP Host, a Linux-based Internet hosting company. While they did not have firsthand knowledge of the SCO situation, they agreed that Groklaw's analysis of the situation is credible and knowledgeable."