FTC "Dealing With SCO" - And More on Security From Karjala, Linus, Felten & MS

Tuesday, February 17 2004 @ 06:09 AM EST

Contributed by: PJ

Some interesting news from New Zealand. Complaints have been lodged with the Commerce Commission, alleging that SCO's demands for license fees run afoul of the Fair Trading Act, and a spokeswoman for the Commission, Jackie Maitland, told The New Zealand News that it is her understanding that the FTC in the US is "dealing with" SCO's demands for licenses. That's news to me, although I knew some complaints had been filed. That's not all she had to say.

She also said the Commission's preliminary view is that "no one should pay an invoice unless they are clear on the obligation to pay". Here's the rest of what she said:

"Furthermore, Maitland says that 'it is not clear that SCO are entitled to charge end-users who have downloaded a product on the condition they understood the product was free'.

"A person or a company falsely claiming to have ownership of a product or service or the rights to payment could breach the Fair Trading Act, said Maitland.

"The commission is at this stage not clear what if any representations have been made in NZ, but says it is aware that the ACCC in Australia and FTC in the US 'are dealing with [SCO's licensing demands]'."

Evidently, there is now a new legal front for SCO to cope with. And a new group of journalists are trying to comprehend what SCO is doing, but they do seem to be getting up to speed a great deal faster in NZ. Notice how the article ends:

"However, Linux itself has always been covered by the GNU General Public Licence, which states any software offered under its terms is freely distributable, copyable and modifiable. This apparent paradox has not prevented SCO from claiming licence fees."

At least it's apparent to the journalist that SCO's position is paradoxical. Other words spring to mind as well.

Meanwhile, Microsoft is dealing with the leak of its code, but it seems a certain female analyst, whose name shall no longer cross Groklaw's lips (why should we make her more famous?) was wrong, once again, in her analysis. It seems the leak is not expected to have serious security consequences after all, so all of your ankles are probably safe. Here's what the New Zealand Herald found out from McAfee and Microsoft spokespersons, neither of whom supported her gloomy forecast:

"David Emm, product marketing manager at McAfee, which produces antivirus and 'firewall' products to protect PCs, said the leak was more embarrassing than dangerous: 'the bad guys don't need source code to latch on to vulnerabilities.'

"A source within Microsoft agreed: 'It's not going to make a whole lot of difference in the hacking world, because what they tend to do is to look at the fixes we send out, and then try to work backwards to see what hole we're fixing.'"
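The Microsoft source's point, that attackers work backwards from a shipped fix to the hole it closes, is the everyday technique known as patch diffing. The following is an added toy illustration of it, not code from Groklaw, Microsoft or McAfee: it takes a constructed "before" and "after" version of a small C function, pulls out the lines the fix added, classifies them with a few heuristics, and names the risky call the new check now guards. The function names, the C snippets and the heuristic patterns are all assumptions made for this example.

```python
"""Toy patch triage: work backwards from a fix to the bug it closes.

Added example of the "look at the fixes and work backwards" approach.
Not code from Groklaw, Microsoft or McAfee; the two C snippets and the
heuristic patterns below are constructed for illustration only.
"""
import difflib
import re
from typing import Dict, List, Optional

# Constructed "before" version: an unbounded copy into a fixed buffer.
BEFORE = """\
int copy_name(char *dst, const char *src, size_t n)
{
    memcpy(dst, src, n);
    dst[n] = 0;
    return 0;
}
"""

# Constructed "after" version: the vendor's fix adds a length check.
AFTER = """\
int copy_name(char *dst, const char *src, size_t n)
{
    if (n >= NAME_MAX)
        return -1;
    memcpy(dst, src, n);
    dst[n] = 0;
    return 0;
}
"""

# Heuristics (assumptions): what an added line tends to look like when it
# closes a particular bug class. Real patch diffing works on binaries and
# uses far richer signals; this is the idea in miniature.
PATTERNS = {
    "bounds check": re.compile(r"^\s*if\s*\(.*(<=?|>=?).*\)"),
    "null check": re.compile(r"^\s*if\s*\(\s*!\s*\w+\s*\)|==\s*NULL|!=\s*NULL"),
    "error return": re.compile(r"^\s*return\s+-?\w+;"),
}

# Library calls that commonly sit behind a newly added check.
RISKY_CALL = re.compile(r"\b(memcpy|strcpy|strcat|sprintf|strncpy|gets)\s*\(")


def added_lines(before: str, after: str) -> List[str]:
    """Lines the fix introduced: the '+' lines of a unified diff, header excluded."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(),
                                lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def classify(before: str, after: str) -> Dict[str, List[str]]:
    """Map each heuristic label to the added lines that match it (empty labels dropped)."""
    hits: Dict[str, List[str]] = {label: [] for label in PATTERNS}
    for line in added_lines(before, after):
        for label, pat in PATTERNS.items():
            if pat.search(line):
                hits[label].append(line.strip())
    return {label: lines for label, lines in hits.items() if lines}


def guarded_sink(before: str, after: str) -> Optional[str]:
    """Name of the first risky call in the patched code that follows the added lines.

    That call is the likely sink the fix protects, i.e. where the original hole was.
    """
    new = set(added_lines(before, after))
    past_fix = False
    for line in after.splitlines():
        if line in new:
            past_fix = True
            continue
        if past_fix:
            m = RISKY_CALL.search(line)
            if m:
                return m.group(1)
    return None


if __name__ == "__main__":
    print("added by the fix:", classify(BEFORE, AFTER))
    print("call the new check guards:", guarded_sink(BEFORE, AFTER))
```

On the constructed input the script reports a bounds check plus an error return, and names `memcpy` as the guarded call, which is exactly the reasoning an attacker performs from a fix alone: no source beyond the patch was needed to see that the copy length was unchecked.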

How do you get to be an analyst, anyway, I wonder? If you don't need to know much about your subject but need to have strong opinions on the subject regardless, and you can be wrong time after time and still keep your job, I'd like to get paid to give my incorrect opinions too. I know little or nothing about stocks and pump-and-dumps and things like that, so that seems a perfect assignment for me. I think I could come up with some factually inaccurate quotable quotes, with a splash of vivid imagery on a good day, and once I get really steamed up and on a roll, maybe some defamatory remarks here and there. If they paid me enough, I'd even tell a goofball joke now and then.

I also know pretty much nothing about physics, so I'm thinking I could surely be relied upon to say something idiotic about the universe, or maybe about NASA and Mars and things like that, if they'd only give me a chance. Journalists could ask me if we should be spending so much money to go to Mars, and I'm positive I'd be wrong almost always. If that's what journalists are looking for, I am so ready.

A segment of a Channel Web article, posted on Netcraft, confirms that security experts agree the leak won't make a big difference, and they bothered to contact two people who actually know something about technology to get their opinions, Ed Felten and Linus Torvalds:

"'The leak will do some damage to the security of Windows machines, but it's not clear how much,' said Ed Felten of Princeton University, a security researcher who has reviewed Windows source code and was an expert witness in the antitrust case against Microsoft. . . . 'This will only matter, though, if the bad guys would otherwise have trouble finding bugs, which may not be the case.'

"'It makes the sources potentially more available to crackers, and that has security issues - but I don't think that is anything really new,' Linux founder Linus Torvalds told ChannelWeb. 'At most, it just makes it easier for a bored teenager to find the thing. It may make some people realize that the protection of proprietary shrouded source code really isn't a protection at all. It's just a guarantee that the code doesn't get any good outside code review.'"

Speaking of security, would you like to know how SCO makes sure its code isn't exported to forbidden places? I found this notice on its download page for SCO OpenServer Release 5.0.7:

"Please read the following export notice:

"Please note that the electronic transfer of this data to a destination outside of the United States constitutes an export (as defined by the U.S. Bureau of Export Administration) and is authorized ONLY to the end user. Any subsequent re-exportation of this data requires that the end user obtain an additional export license. Also note that it is illegal to re-route SCO product to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria and that you must file a special license if you intend to re-route goods to the embargoed regions of Serbia or the Taliban controlled areas of Afghanistan. Placement of this order constitutes an agreement to comply with these stipulations."

I'm sure no one who wished to get their software but was in, oh, North Korea, would violate a promise as sacred as that. And none of them have friends or relatives in the US who would buy it for them and then bring it home to hand-deliver it. Such a high-tech workaround wouldn't occur to them, and it wouldn't be right, anyway, so I'm sure no "bad guys" would ever do that. And as we all know, it's simply impossible to find bootleg software in Asia.

FOSS has similar notices, where appropriate, by the way. All US software is under the same restrictions. I think SCO forgot to tell Congress in their letter that it was their own employees who helped write the very kernel they now complain about, who added to its high-end functionality the features they now say are so dangerous, and that they distributed the kernel on their servers too.

Woops. Old business plan.

Finally, I ran across the Free Software Foundation's legal directions on accepting contributions of code safely. They were in a manual put out some years back. Here's the careful way they handled contributions of code to make sure the code could never have a courtroom date with the likes of SCO:

"Accepting Contributions

"If the program you are working on is copyrighted by the Free Software Foundation, then when someone else sends you a piece of code to add to the program, we need legal papers to use it--just as we asked you to sign papers initially. _Each_ person who makes a nontrivial contribution to a program must sign some sort of legal papers in order for us to have clear title to the program; the main author alone is not enough.

"So, before adding in any contributions from other people, please tell us, so we can arrange to get the papers. Then wait until we tell you that we have received the signed papers, before you actually use the contribution.

"This applies both before you release the program and afterward. If you receive diffs to fix a bug, and they make significant changes, we need legal papers for that change.

"This also applies to comments and documentation files. For copyright law, comments and code are just text. Copyright applies to all kinds of text, so we need legal papers for all kinds.

"We know it is frustrating to ask for legal papers; it's frustrating for us as well. But if you don't wait, you are going out on a limb--for example, what if the contributor's employer won't sign a disclaimer? You might have to take that code out again!

"You don't need papers for changes of a few lines here or there, since they are not significant for copyright purposes. Also, you don't need papers if all you get from the suggestion is some ideas, not actual code which you use. For example, if someone sends you one implementation, but you write a different implementation of the same idea, you don't need to get papers.

"The very worst thing is if you forget to tell us about the other contributor. We could be very embarrassed in court some day as a result.

"We have more detailed advice for maintainers of programs; if you have reached the stage of actually maintaining a program for GNU (whether released or not), please ask us for a copy."

The manual had another page that mentions Unix and says: "Don't in any circumstances refer to Unix source code for or during your work on GNU! (Or to any other proprietary programs.)"

Speaking of proprietary programs, I got a followup from Dennis Karjala, Professor of Law at Arizona State University, on the Microsoft code. I mentioned that I got a lot of email and comments about that and I specifically asked him this time if looking at the leaked code might result in increased liability in any copyright infringement action. Here is his reply:


I recently wrote a short piece outlining the formal legal position of people who come into possession of portions of Microsoft source code that have recently been leaked to the internet. My main point was that, while distributing, saving, calling to the screen, or printing any of that code would be copyright infringement (absent fair use), merely reading a copy independently made by someone else would not. Many readers have asked the next, quite logical, question: How vulnerable are we if, having read (without infringement) a copy of Microsoft's code, we now write new code incorporating some of the knowledge gleaned from that reading?

This question is the crucial one relating to the copyright protection of computer software. Like many crucial legal questions, it is not amenable to an easy answer. We can start by saying that, for sure, Microsoft's literal code is protected, so copying all or a substantial part of it verbatim and including it in a new program would infringe, much like copying a chapter out of John Grisham's latest novel and incorporating it into your own work would infringe. Close paraphrases of Microsoft's code, for example by changing little more than the names of the variables, will infringe, as will translating it line-by-line into a different programming language. At the other extreme, it is not infringing simply to duplicate the functionality of Microsoft's code via independently written new code. So, if one person examines the Microsoft code, describes its functionality in a set of specifications, and gives those specifications to a second person who has not seen the Microsoft code (a "clean room"), the resulting program written by the second person does not infringe.

In between these extremes, we are in the murky gray area. The generally accepted rule derives from a Second Circuit decision of about 12 years ago (Computer Associates v. Altai), which says that we determine the "protected elements" of Microsoft's program by looking at various stages of abstraction running from literal code to overall function and filtering out (at each stage) elements dictated by efficiency, compatibility, or external factors. I have long argued that this test means that nothing besides literal code and close paraphrases can be protected, because everything in a program is there for a functional reason. (Whether the particular solution arrived at by Microsoft is "good" or "bad" in engineering terms is not, and should not, be a concern of copyright courts. No software engineer deliberately tries to make his or her program "bad" just so broader copyright protection can be claimed.) So, program structure (so-called "SSO" for "structure, sequence, and operation") should not be protected by the program copyright. I believe that the subsequent judicial decisions generally support this argument, at least in their results. However, no court to my knowledge has formally adopted my simpler and policy-based argument. Courts still rely on the unnecessarily complex formula laid out in the Computer Associates case.

That means, if Microsoft is on the other side, you should not be surprised to find yourself litigating a copyright infringement case if, after examining the Microsoft code, you build a program incorporating elements like SSO from that Microsoft code in order to achieve compatibility with all the programs that now run on the Microsoft platform. I believe you should win that case, but I also believe that there are more enjoyable things to do in life than litigate against a litigious company that has a bottomless supply of cash.


Proprietary software companies like Microsoft and SCO speak against free software, but they surely don't seem to mind using it. Alexy writes about SCO's recently released (1/30/2004) second update pack for OpenServer 5.0.7:

"It's also interesting how they claim to start supporting hyper-threading technology in their update packs. (What HT does is it essentially makes a single CPU with HT support look like two individual CPUs, so the system can run in SMP mode.) And strictly speaking, you don't need to do anything special - if your OS is capable of running on an SMP machine it is capable of running on a CPU with HT enabled. And that's pretty much what they recommend in that update pack - to enable SMP support. How they can make that much hype of supporting HT is beyond my comprehension.

"This is a link to the readme of the 2nd update pack (it has a link to the 1st update pack inside): http://sco.com/support/update/download/osr507up.html "

News.com is reporting that the leaked Microsoft code shows they aren't above using GPL code either:

"Despite Microsoft's ill will toward open source, it may be benefiting. The apparent inclusion of several community-created programs--such as the GZIP compression program and the program builder GnuMakefile--in the source code shows that the company is not above using open-source software itself, when it can do so without license restrictions."

UPDATE: Microsoft has put out a statement:

"Microsoft source code is both copyrighted and protected as a trade secret. As such, it is illegal to post it, make it available to others, download it or use it. Microsoft will take all appropriate legal actions to protect its intellectual property. These actions include communicating both directly and indirectly with those who possess or seek to possess, post, download or share the illegally disclosed source code.

"Specifically, Microsoft is sending letters explaining to individuals who have already downloaded the source code that such actions are in violation of the law. Additionally, Microsoft has instituted the use of alerts on several peer-to-peer clients where such illegal sharing of the source code has taken place. These alerts are designed to inform any user who conducts specific searches on these networks to locate and download the source code that such activity is illegal."