What Is Going On in SCOLand?

Sunday, August 24 2003 @ 12:11 AM EDT

Contributed by: PJ

I noticed that Friday there was a big surge in volume of SCOX stocks traded, from an average volume of 358,749 to 526,910, and the price shot up 7.03% to $13.55, from an opening of $12.21. Why? Nothing good happened in the news that day, that's for sure, about SCO. Quite the opposite.

Today, I am reading that SCO's web site is down. A traceroute indicates it is not likely an attack, but more likely that they took their site down themselves. Sco.de is down too. Canopy.com is up and vultus.com is up. So their ISP isn't staggering under Sobig or whatever to the point that it is affecting everyone.

Then I noticed this:

"SCO Chief Financial Officer Robert Bench during a conference call said company insiders had sold a total of 117,000 shares during the most recent quarter, which it said was less than 1.5 percent of the stock owned by insiders.

"Bench said the share sales by some executives was done largely to cover the tax costs of restricted stock grants the company made them.

"SCO said two executive officers may sell up to 141,000 shares of its stock in the October ended quarter."


That's some ongoing tax bill. I wonder which two execs? And now this posting to pclinuxonline from someone claiming to work in the same building as SCO, allegedly working for another Canopy Group company:

"There was a lot of buzz about mergers a few weeks ago. It seemed that everyone was going to join into one large company called, you know it: SCO! That buzz ended yesterday. Now the talk, all over the group, is how to distance ourselves from SCO and Canopy. The mention of our company on Slashdot resulted in very negative feedback and two potential customers walking away. Others got it even worse. I hear Trolltech spent most of the day on the phone smoothing things over with their customers. Upper management meetings were held all afternoon among the group's companies (I'm not privy to those, but can guess the subject matter). Companies that were considering a merger with SCO (some as close as 5 days away) are now backpedalling as fast as they can."

I have absolutely no idea what is what with this story, and I'm reporting it saying take it for what it's worth. I don't normally report things I can't verify personally, but this is for a purpose. Somebody out there already knows what's happening in SCOLand, but the rest of us will just have to wait patiently. While we wait, though, this is a heads up that it's probably a good time to pay close attention to all clues.

Here is the analysis from the reader who ran the traceroute, minus the actual data, which is privately available. I did my own traceroutes to confirm:

"Just a note on SCO / Caldera websites being down. I thought I'd run some traceroutes to see where the problem is, and the results are quite interesting. . . .

"Analysis. Canopy, Caldera, and SCO, all have addresses that are within the same class C addressing range, respectively: XXX.XXX.140.120, XXX.XXX.140.125, XXX.XXX.140.112. [numbers masked, but they are identical. pj] While this makes it very possible that all three sites are served by the same machine, we can't prove that from this information. It is however, much more than likely that they are served from the same router.

"The next thing to note is that the route to SCO and Caldera both fail at the 14th step in the tracert. The last router that responds for each of them, at the 13th step, is den1-edge-01.tamerica.net (albeit from different ports). Canopy also passes through den1-edge-01.tamerica.net at the 13th step, but continues on to a router at viawest.com. From there, it passes through 2 more routers at ViaWest, and 3 routers at Center7.

"ViaWest and Center7 are both Canopy companies.

"On initial analysis, for any other company, a network manager/sys admin/networking consultant (such as me) would simply assume that SCO/Caldera was having a problem with their ISP. The weird thing, though, is the presence of Canopy's IP address right *between* SCO's and Caldera's addresses.

"Assume that all 3 segments are served by the same router (no, we can't prove it from this data, but it's extremely likely). Canopy, in that case, should be experiencing problems too, if the site were under a DOS attack. In fact, anyone planning a DDOS attack would find it easier to just take out the whole address range that includes all 3 sites rather than focus on just the SCO/Caldera sites, for technical reasons alone. Never mind that they would want to target Canopy as well.

"Given all this, it is a pretty safe bet that SCO/Caldera has taken its websites down itself.

"Why? To protect themselves from a DDOS attack? No. Any decent firewall could take care of that for them."


So, if you see SCO claiming it was the victim of an attack, this analysis indicates you might want to take it with a grain of salt. If you are curious and want to see this for yourself but are stuck on a Windows box and not command-line oriented, one place you can go is www.visualware.com, which has a demo of its Visualroute tool. Click on Products, then "Live Demo" under Visualroute, and choose from the list of servers. Read the Terms of Use to make sure they are acceptable to you, and if so, type in the address you want to check. It even has a map to show you the route, along with a text report.
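
The comparison in the reader's analysis can also be run over saved traceroute output. The Python below is an added example, not the reader's or Groklaw's code: the traces are constructed (documentation addresses and `.example` hostnames, with only `den1-edge-01.tamerica.net` taken from the post), and the function names are illustrative.

```python
import ipaddress
import re

# Constructed data: documentation addresses and ".example" names stand in for
# the unpublished traces; only den1-edge-01.tamerica.net comes from the post.
DESTS = {"canopy": "192.0.2.120", "caldera": "192.0.2.125", "sco": "192.0.2.112"}
HEAD = "12  core.transit.example (198.51.100.1)  40 ms\n"
EDGE = "13  den1-edge-01.tamerica.net (198.51.100.{})  41 ms\n"  # port differs per trace
DEAD = "14  * * *\n15  * * *\n"
BEYOND = [(14, "viawest"), (15, "viawest"), (16, "viawest"),
          (17, "center7"), (18, "center7"), (19, "center7")]
TRACES = {
    "sco": HEAD + EDGE.format(13) + DEAD,
    "caldera": HEAD + EDGE.format(14) + DEAD,
    "canopy": HEAD + EDGE.format(15) + "".join(
        f"{n}  r{n}.{org}.example (203.0.113.{n})  45 ms\n" for n, org in BEYOND),
}
HOP = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")

def parse(text):
    """Map hop number -> hostname for hops that answered; '* * *' lines are skipped."""
    return {int(m.group(1)): m.group(2)
            for m in map(HOP.match, text.splitlines()) if m}

def same_slash24(addrs):
    """True when every address falls in one /24 (the post's 'class C' range)."""
    return len({ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs}) == 1

def last_responder(text):
    """(hop number, hostname) of the last hop that replied."""
    hops = parse(text)
    return max(hops), hops[max(hops)]

def shared_path(a, b):
    """Highest hop up to which both traces answered from the same hostname."""
    ha, hb = parse(a), parse(b)
    shared = 0
    for n in sorted(set(ha) & set(hb)):
        if ha[n] != hb[n]:
            break
        shared = n
    return shared

if __name__ == "__main__":
    print("same /24:", same_slash24(DESTS.values()))
    for name, text in TRACES.items():
        print(name, "last reply from", last_responder(text))
    print("sco/canopy share hops through", shared_path(TRACES["sco"], TRACES["canopy"]))
```

A run of `* * *` shows only that no reply came back from those hops; it does not by itself say why.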

Correction: This sentence, he now tells me, was mistaken: "The weird thing, though, is the presence of Canopy's IP address right *between* SCO's and Caldera's addresses." He misread the numbers. Thanks for the correction.




http://www.groklaw.net/article.php?story=247