SCO’s lawsuit against IBM and its demands for money from companies using Linux have caused some Linux users to worry that this wonderful “too good to be true” operating system may be too good to be true. Perhaps Linux really did have stolen intellectual property, or IP, that was owned by SCO either by copyright or trade secret statute. SCO’s initial refusal to reveal the allegedly stolen Unix code in Linux made it impossible to prove or disprove their claim. Their continued refusal got everyone quite worried, and I have even had a client ask me about his risk in continuing to use Linux for his firewalls and servers.

Fortunately, SCO finally chose to show some of their claim as people were starting to doubt that they “had” anything. This was done at SCOforum on 18 August 2003 to convince SCO’s dwindling customer base that they are king of the Unix and Linux world. During a presentation SCO showed slides with two columns: the first column had Linux code and the second column had Unix code. In some of the examples, SCO wanted to “maintain its trade secrets” and so displayed the code in the Greek character set. This was almost as clever as Adobe using ROT13 as an encryption algorithm. It was “cracked” by researchers just as fast.

SCO did demonstrate that some sequences of source code were found both in SCO Unix and in the Linux 2.5 kernel. It took less than a day for researchers to trace the code further. Some of the code was from ancient versions of Unix that previously had been released into the public domain. This means that while SCO had the right to include it in their Unix code, the Linux community also had the right to include it in Linux with no consideration to SCO. Oops.

It turns out that the code was not added to Linux by IBM or by Sequent, which IBM later acquired. Oops again. Actually, this would not absolve IBM from any liability but it would reduce the amount of damages by a possible unintentional use of standard Linux code if it contained stolen code. However, since the code is public domain there is no claim by SCO against IBM. The code is public domain both because SCO declared it so and because a U.S. Federal judge stated in 1993 that he doubted that AT&T had a legitimate copyright claim to the bulk of the Unix code due to its failure to put a copyright notice in the code — don’t try this at home as the law for newly created works no longer requires the notice.

But wait. There’s more. Some of the other examples of “SCO Unix code” turned out to have originated in the Berkeley Unix code. This code was copyrighted — by the Regents of the University of California. SCO programmers stripped this copyright out before “dropping” this code into SCO Unix.

This is an extremely illegal violation of the University’s IP rights. Had SCO left the copyright notice in the source, their use of it would have been allowed under the Berkeley terms of use. Since they removed the copyright notice, the University could sue SCO for copyright infringement. This does destroy SCO’s claim against IBM and Linux users.

But what if SCO really did have a claim? Would the Linux world collapse? As soon as SCO made its initial claim, kernel developers asked SCO to tell them what code was “stolen” so that it could be replaced with “legal” code. Had SCO done so, this sanitized kernel could have been offered to the world in a day or two. In the U.S. and most countries, lawsuit awards depend on the value of the damage and whether it was malicious and the fickleness of the jury.

If the damaged code could be replaced with little effort, it has no significant value. Its inclusion, had it occurred, clearly was not malicious on the part of the “kernel team” nor by distributions nor by users. Juries usually root for the little guy. Would a jury rule that a “mom and pop” shop owed money to SCO? I doubt it. SCO would go bankrupt before it filed many of these suits anyway.

Where do we go from here? First, ignore any letters from SCO and assure management that there is no risk in using Linux, only advantages. Point out that had there been stolen code in Microsoft code you would have no more protection and still could be sued successfully by whoever owned the code. Read your Microsoft EULA; you give up any right to sue Microsoft for anything. There is such a suit concerning stolen code in a purchased Microsoft product right now in the U.S. courts. The users probably will lose big.

Be grateful for IBM and Red Hat having the courage to fight SCO rather than turn tail and run, tossing money to SCO as Hewlett-Packard did. Be thankful to Eric Raymond and others who volunteered their time to analyze this problem and publicize that there is no threat. Be relieved that Linux developers will be even more careful about IP. Be impressed that the Linux community will protect itself and the world against assault by bullies such as SCO and Microsoft. Tell everyone you know that Linux is the most secure, reliable, and cost-effective solution to their problems and help them transition.


Bob Toxen is author of the new book “Real World Linux Security: Intrusion Prevention, Detection, and Recovery, 2/e”, the first edition (available in English, Chinese, and Japanese), one of the 162 official developers of Berkeley Unix, and one of the four programmers who first ported Unix to the Silicon Graphics workstation. The book’s web site is An interview with Bob is available here.

Bob has his own consulting company specializing in inexpensive Linux solutions for network security, helping clients around the world. These solutions include Firewalls, VPNs, virus and spam filters, backup software, security audits, and security consulting.
