BEST OF ECT NEWS

GandhiCon Three and the Antics of SCO

Mohandas Gandhi, a master of the tactics of civil disobedience against civilized foes, once had this to say about the stages of a successful campaign for an idea whose time has come: “First they ignore you. Then they laugh at you. Then they fight you. Then you win.”

Advocates of open-source software development and the Linux operating system love this quote and have emblazoned it on t-shirts next to Tux the penguin. It has even been condensed into a verbal shorthand that plays off the U.S. military’s DefCon levels for defensive alerts; it’s used to describe the stages of acceptance of open source at workplaces.

So when a fellow geek says, “We’ve reached GandhiCon Three at my company,” that means, “They’ve stopped laughing and started fighting. I expect we’ll win shortly.” If we in the community of open-source hackers at large needed confirmation that it has come to GandhiCon Three, the antics of SCO would provide it.

License Shakedown

It all started as an implausible lawsuit against IBM that slandered open-source developers in passing, with SCO asserting that the Linux operating system had been worthless junk produced by incompetents before IBM injected stolen SCO technology into it. Since then, SCO has escalated its claims into a full-throated attack on Linux and the entire community around it.

Linux developers have responded with a simple offer: Show us what code in Linux you can prove to be your property, and we’ll remove it. SCO’s answer has been to stonewall, to mutter mathematically impossible accusations about a million lines of stolen code, and to try to shake down Linux users for license fees before any court has ruled that SCO owns anything at all.

SCO had to do some embarrassing back-pedaling recently after it disclosed what was supposed to be smoking-gun evidence of massive code theft in Linux.

Within hours, several experts pointed out that SCO didn’t own the code that it alleged had been stolen, that there were reasonable paths for Linux to legally incorporate it from sources which were freed either by the outcome of the AT&T-vs.-BSD lawsuit in 1993 or by SCO-Caldera’s own open-source releases of the “ancient Unix” code in 2002.

Breach of Good Faith

Now SCO’s chief of PR is rewriting history, saying they were never claiming the disclosed code was stolen.

As if that wasn’t bad enough, SCO CEO Darl McBride has been indulging in public episodes of paranoid ranting — claiming that all the opposition to the lawsuit is a sham, an insidious conspiracy masterminded by little gray men from Armonk. Either McBride is lying for tactical reasons or he is incapable of recognizing genuine grassroots outrage when he sees it.

And make no mistake, open-source developers are outraged. There is massive license violation and theft of intellectual property going on, all right — but it’s SCO doing the thieving. By breaching the terms of the GNU General Public License as it has done, SCO has violated the copyrights of thousands of Linux hackers who contributed their work in good faith.

SCO made money from that work for eight years, and has now turned around and betrayed the community that created its product by claiming to own all the code they wrote. But there is worse.

Nigerian Oilfield?

SCO has not stopped at claiming to own Linux. They have announced that they are going to try to get all open-source software licenses invalidated by the courts.

They’re aiming to destroy the entire open-source community, the people whose creativity and vision and hard work gave us the Internet and the World Wide Web, by making it legally impossible for programmers to cooperate without having their work hijacked by third parties.

And why are they doing that? Well, SCO’s lawsuit is now being funded to the tune of more than six megabucks by Microsoft, which is known to regard Linux as its only serious competition.

If you believe that is mere coincidence, can I interest you in some prime Nigerian oilfield leases?


Eric S. Raymond is an observer-participant anthropologist in the Internet hacker culture. His research has helped explain the decentralized open-source model of software development that has proven so effective in the evolution of the Internet.



Why Web-Based Businesses Should Automate Their Content Security Policy

For decades, the cybersecurity industry has emphasized the need to protect the server side, or back end, of a business to ensure smooth IT operations and protect the overall integrity of the business and the data it stores.

However, for businesses whose models center on websites and webpages that take customer input, the client-facing side of the business, the code that runs in the user's browser, now deserves just as much attention from forward-thinking CSOs and CISOs.

At the most foundational level, these executives need to keep their businesses flying high and clear of cybercriminals who exploit client-side vulnerabilities, and a traditional, hand-maintained content security policy (CSP) lacks the automation needed to provide that protection.

Security Protocols

Just as a commercial pilot would never use the “set it and forget it” approach to a flight path or flight operations, a business website’s security stance must also be continually monitored for any needed changes or actions. Pilots have a steady stream of new passengers coming aboard that must be thoroughly checked. They have to make sure that systems are working properly, and they must be trained on how to react and remediate issues that may suddenly spring up.

A website’s traffic is similar in that it welcomes an unending stream of new users. Additionally, changes and improvements are always made, and it needs to offer IT and development staff a pathway for easily rectifying potentially dangerous actions that must be addressed. In essence, like an airline, web-based businesses know they must keep their passengers safe, their engines running, and avoid a series of errors that could lead to delays, unhappy customers, or worse.

Furthering this flying analogy, it would never be possible for a pilot to manually (let alone continually) monitor all the essential systems of a plane without the assistance of sensors and computers specifically designed to do so. They go through their pre-flight safety check that rarely if ever changes and, if everything is up to snuff, the plane is good to go — but only with the knowledge and peace of mind that a highly sophisticated plane is working in the background and notifying pilots of anything that may need their attention.

The Case for Automation

Client-side security for a large company’s webpages clearly requires automation. After all, today’s cybersecurity solutions, even for the server side of a business, harness the power of AI, machine learning and various automated tasks to provide ongoing protection. Client-side security, until recently, did not enjoy that same level of innovation.

Media reports about stolen user information keep coming, and they are spawning a demand among CSOs and CISOs to figure out what needs to change and why. They’re learning that front-end security comes down to one major problem: without ongoing visibility into what’s going on in the browser, you don’t know what you don’t know. Scary, but fixable.

It turns out that the content security policy frequently used by web-based businesses is all too often positioned in the minds of IT personnel as a generic one-off step that’s simply taken to add a basic level of security to a website. It’s not that simple — far from it. A CSP can be leveraged as a dynamic tool, but it must be audited to see which directives work and which don’t, and it must keep working when new plugins, tags or trackers are added.

Front-end systems often load many thousands of scripts gathered from third-, fourth- or even fifth-party sources. For that reason alone, they can’t be trusted by default. And given the sheer number of scripts involved, an automated system must be in place: it’s unrealistic to expect any human to review or optimize that volume of scripts effectively or consistently.
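As an added example (not code from the article or from Feroot), the following script parses a CSP header and flags the settings an audit should catch before the policy is trusted: wildcard or scheme sources for scripts, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', a missing object-src or base-uri, and the absence of any reporting endpoint. The two policies and the hostnames cdn.example.com and api.example.com are constructed for illustration.

```javascript
// Added example (not from the article or from Feroot): audit a Content-Security-Policy
// header for the weak settings a review should flag before the policy is trusted.
// The two policies and the hostnames in them are constructed for illustration.

// Parse "directive value value; directive value" into a Map of directive -> [values].
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Fetch directives such as script-src fall back to default-src when absent.
// null means nothing governs the directive at all.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// Return findings as { directive, value, reason }; an empty list means no weak setting found.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const flag = (directive, value, reason) => findings.push({ directive, value, reason });

  const script = effectiveSources(policy, "script-src");
  if (script === null) {
    flag("script-src", "(missing)", "neither script-src nor default-src set: any script may load");
  } else {
    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present, so it is
    // only a weakness when it is the sole mechanism allowing inline script.
    const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
    for (const v of script) {
      const val = v.toLowerCase();
      if (val === "'unsafe-inline'" && !hasNonceOrHash)
        flag("script-src", v, "inline script allowed: an XSS payload executes; use nonces or hashes");
      if (val === "'unsafe-eval'")
        flag("script-src", v, "eval()/new Function allowed: string-to-code sinks are reachable");
      if (val === "*" || val === "https:" || val === "http:")
        flag("script-src", v, "scheme or global wildcard: any host on the internet can serve scripts");
      if (val === "data:" || val === "blob:")
        flag("script-src", v, "data:/blob: allow attacker-constructed script URLs");
      if (/^(https?:\/\/)?\*\./.test(val))
        flag("script-src", v, "host wildcard: every subdomain, including forgotten ones, may serve scripts");
    }
  }

  // object-src: plugin content can run script, so it should be 'none' unless plugins are needed.
  const object = effectiveSources(policy, "object-src");
  if (!object || !object.some((s) => s.toLowerCase() === "'none'"))
    flag("object-src", object ? object.join(" ") : "(missing)", "set object-src 'none'");

  // base-uri does NOT fall back to default-src; without it an injected <base> retargets
  // every relative script URL on the page.
  if (!policy.has("base-uri"))
    flag("base-uri", "(missing)", "add base-uri 'self' (or 'none') to block <base> injection");

  // Without a reporting endpoint there is no violation data to tune the policy from.
  if (!policy.has("report-uri") && !policy.has("report-to"))
    flag("report-uri", "(missing)", "no report-uri/report-to: violations are invisible");

  return findings;
}

// A typical "set it and forget it" policy beside a hardened one (both constructed).
const WEAK_POLICY = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3' https://cdn.example.com; " +
  "object-src 'none'; base-uri 'self'; connect-src 'self' https://api.example.com; " +
  "report-to csp-endpoint";

for (const [label, header] of [["weak", WEAK_POLICY], ["hardened", HARDENED_POLICY]]) {
  const findings = auditCsp(header);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.directive} ${f.value}: ${f.reason}`);
}
```

Run it with node. The hardened policy produces no findings only because every relevant directive is explicit; in a real deployment the nonce must be generated fresh for every response, and 'unsafe-inline' is kept next to the nonce only for browsers that predate nonce support, which is why the audit does not flag that combination.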

What a CSP Aims To Uncover

Unexpected or unauthorized script loads are one of the major things a CSP surfaces. Such scripts can enable cybercriminals to conduct payment-card skimming attacks on checkout pages (the web equivalent of point-of-sale (POS) skimming), which are gaining in popularity, as well as cross-site scripting (XSS) and other JavaScript injection attacks.

When third-party scripts are modified, or new marketing trackers or plugins are added, there’s an opening for attack. A CSP deployment needs to make it easy to collect violation reports (via the report-uri or report-to directive), initiate remediation, and help personnel fine-tune the directives. If a page tries to load a script from, or send data to, an origin the policy does not allow, the browser blocks the request and reports it, so red flags pop up and the attack can be averted.

By continually crawling a website and exercising it like a real user, an automated CSP approach can evaluate which scripts load, what data they touch and what they do, all before it’s too late. Unlike the nearly impossible task of manually managing a large-scale CSP, an automated approach lets the initial scan, policy creation, emulation testing, policy enforcement, violation reporting and policy tuning happen in moments instead of months or longer.
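As an added example (not the article's or any vendor's code) of the violation-reporting and policy-tuning steps, the script below normalizes violation reports from both delivery mechanisms (the older report-uri JSON body and the Reporting API format used by report-to), aggregates them by directive and blocked origin, and sorts each bucket into a proposed policy addition, a security alert or noise. The inventory of approved origins, the hostnames and the sample reports are all constructed.

```javascript
// Added example (not from the article or from any vendor product): turn raw CSP
// violation reports into policy-tuning decisions and security alerts. The
// reports, hostnames and the "approved origins" inventory are constructed.

// report-uri POSTs {"csp-report": {...}} with kebab-case keys; the Reporting API
// (report-to) delivers an array of {type: "csp-violation", body: {...}} with
// camelCase keys. Normalize both to one shape.
function normalizeReports(payload) {
  const out = [];
  for (const item of Array.isArray(payload) ? payload : [payload]) {
    if (item["csp-report"]) {
      const r = item["csp-report"];
      out.push({ document: r["document-uri"], blocked: r["blocked-uri"],
                 directive: r["effective-directive"] || r["violated-directive"] });
    } else if (item.type === "csp-violation" && item.body) {
      const b = item.body;
      out.push({ document: b.documentURL, blocked: b.blockedURL, directive: b.effectiveDirective });
    }
  }
  return out;
}

// blocked-uri is a URL for network loads, or a keyword ("inline", "eval") when
// the policy blocked script execution rather than a fetch.
function originOf(blocked) {
  if (!blocked) return "(empty)";
  if (!/^https?:/i.test(blocked)) return blocked;
  try { return new URL(blocked).origin; } catch { return blocked; }
}

// Collapse thousands of reports into one bucket per (directive, origin).
function aggregate(reports) {
  const buckets = new Map();
  for (const r of reports) {
    const origin = originOf(r.blocked);
    const key = `${r.directive} ${origin}`;
    const b = buckets.get(key) || { directive: r.directive, origin, count: 0, pages: new Set() };
    b.count += 1;
    b.pages.add(r.document);
    buckets.set(key, b);
  }
  return [...buckets.values()];
}

// `approved` is the inventory of third-party origins the business has deliberately
// adopted. Approved origins that still trip the policy are tuning candidates;
// anything the page tries to SEND data to (connect-src, form-action) that is not
// approved is treated as a possible skimmer exfiltration path, never as noise.
function triage(buckets, approved, minHits = 5) {
  const allow = [], alerts = [], noise = [];
  for (const b of buckets) {
    const sendsData = b.directive === "connect-src" || b.directive === "form-action";
    if (b.origin === "inline" || b.origin === "eval") {
      alerts.push({ ...b, why: `${b.origin} script blocked: XSS attempt or un-nonced first-party code` });
    } else if (approved.has(b.origin)) {
      allow.push(b);
    } else if (sendsData) {
      alerts.push({ ...b, why: "data sent to unapproved origin: possible form/card skimming" });
    } else if (b.count >= minHits) {
      alerts.push({ ...b, why: "unapproved origin loaded repeatedly: review before allowing" });
    } else {
      noise.push(b); // browser extensions, one-off user-side injections
    }
  }
  return { allow, alerts, noise };
}

// Render the allow bucket as directive additions a human can review and merge.
function proposeAdditions(allow) {
  const byDirective = new Map();
  for (const b of allow) byDirective.set(b.directive, (byDirective.get(b.directive) || new Set()).add(b.origin));
  return [...byDirective].map(([d, s]) => `${d} ${[...s].sort().join(" ")}`).join("; ");
}

// Constructed inventory and reports (mixed report-uri and report-to formats).
const APPROVED = new Set(["https://cdn.example.com", "https://analytics.example.net"]);
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://shop.example.com/checkout", "effective-directive": "script-src-elem",
                    "blocked-uri": "https://cdn.example.com/widget.js" } },
  { "csp-report": { "document-uri": "https://shop.example.com/cart", "effective-directive": "script-src-elem",
                    "blocked-uri": "https://cdn.example.com/widget.js" } },
  { type: "csp-violation", body: { documentURL: "https://shop.example.com/checkout",
                                   effectiveDirective: "connect-src", blockedURL: "https://stats-collector.example.org/p" } },
  { type: "csp-violation", body: { documentURL: "https://shop.example.com/checkout",
                                   effectiveDirective: "script-src-elem", blockedURL: "inline" } },
  { "csp-report": { "document-uri": "https://shop.example.com/", "effective-directive": "img-src",
                    "blocked-uri": "chrome-extension://abcdefgh" } },
];

const result = triage(aggregate(normalizeReports(SAMPLE_REPORTS)), APPROVED);
console.log("proposed additions:", proposeAdditions(result.allow));
for (const a of result.alerts) console.log("ALERT", a.directive, a.origin, "-", a.why);
```

Reports arrive from untrusted browsers, so the collecting endpoint must treat every field as attacker-controlled input: cap the payload size, check the document URI against your own hosts, and never echo report contents into HTML. Deploy the policy as Content-Security-Policy-Report-Only first so this tuning loop can run without breaking the site, then switch to enforcement once the allow bucket is empty.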

This greatly simplified management and monitoring of a CSP creates a far more robust security posture for the client side of a business. Through tailored CSP creation, day-to-day management and real-time policy optimization, IT personnel not only address this growing client-side threat, but also free themselves to assist with the core business more readily — while helping to maintain a superior customer experience that emphasizes security, a differentiation that sets their business apart from the competition. It’s another way to help website visitors enjoy their “ride” with confidence.

Ivan Tsarynny is CEO and Co-Founder of Feroot Security.
