The "Unclean Hands" Accusation
Wednesday, December 15 2004 @ 11:28 PM EST
No doubt you, like me, were a bit surprised and maybe even disgusted to see SCO accusing IBM, in SCO's Memorandum in Opposition to IBM's Motion for Partial Summary Judgment on its Counterclaim for Copyright Infringement (Eighth Counterclaim), of "hacking" their website, under the Computer Fraud and Abuse Act, no less, when all IBM did was download Linux, GPL'd software SCO has made available to the public for years at no cost, from SCO's website, some of which software IBM wrote itself, during an IBM investigation into SCO's infringement of IBM's copyrights. Is anything too low for SCO, I asked myself? And my next question was, Is this going to fly? What happens now? How bad could it get? Why would SCO do this? In litigation, nausea at the loathsome tactics of others is useless. You have to answer everything successfully.
So, despite my feeling that SCO should be ashamed of itself for even raising the issue, what about that statute?
I have never done criminal law, so I was totally in the dark. I therefore decided it made sense to ask Webster Knight, because he's an attorney who does criminal law, if he'd explain the Computer Fraud and Abuse Act to me. This is both a civil and a criminal statute, so Webster explained the statute from the criminal aspect. And we have some references to help us understand. A later article by another attorney will talk about the statute's use in civil litigation.
His initial opinion, based only on facts that are currently available, is that it has no prosecutorial merit as a criminal offense, as a felony. For that matter, no criminal action has been brought to date that we've heard about. Webster doesn't believe there ever will be either, for reasons you'll see as we go along.
SCO didn't ask to add a new cause of action for hacking under this statute either. All SCO did so far was tell the judge that the evidence of SCO's infringement that IBM found and presented to the court shouldn't be considered because IBM allegedly has "unclean hands" for finding it the way they did. Unclean hands is an affirmative defense, meaning if someone accuses you of something, if you can show the accuser has unclean hands by virtue of doing something unethical related to the claim, then the complaint can be dismissed or the accuser denied judgment. So, SCO isn't asking that IBM be arrested and plopped in jail for years as punishment. They are using an affirmative defense to try to escape being found guilty of infringing IBM's copyright.
You can read the Declaration of Kathleen Bennett, presented in support of IBM's Redacted Memorandum in Support of IBM's Motion for Partial Summary Judgment on Counterclaim for Copyright Infringement (8th Counterclaim), to refresh your memory on IBM's downloading of the files in question. Here is the pertinent section:
"10. Also under my direction, our team of programmers compared the IBM Copyrighted Works to code we found available for download on SCO's website. On January 9, 2004, I observed while a member of my team accessed via the Internet the following four SCO web pages, and downloaded code from these web pages:
(1) http://linuxupdate.sco.com/scolinux/update/RPMS.updates;
(2) http://Linuxupdate.sco.com/scolinux/SRPMS;
(3) http://linuxupdate.sco.com/scolinux/update/RPMS.scolinux; and
(4) ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/server/CSSA-2002-026.0/SRPMS.
"11. The code posted and made available for download via the Internet from SCO's website included verbatim copies of files from the IBM Copyrighted Works appearing at Exhibits 5.1 through 20.1 of the accompanying Sorenson Declaration. The files from SCO's website that are verbatim copies of files within the IBM Copyrighted Works comprise approximately 783,000 lines of code, and appear at Exhibits 5.3 through 20.3 of the Sorenson Declaration.
"12. My team and I accessed SCO's website from the Internet, using a standard computer and web browser. Any person with access to the Internet, a standard web browser and a personal computer or laptop could access SCO's website and download Linux code, just as my team and I did. No special expertise would be necessary.
"13. On August 4, 2004, my team again visited the SCO web pages listed in Paragraph 10, and confirmed that all of the code attached as Exhibits 5.3 through 20.3 of the Sorenson Declaration was still available for download from SCO's website."
In this account, the files seem to have been freely available. Of course, no one but IBM can know what they saw on the screen on the dates in question or what steps they took, but from the description, it sounds like anyone and their mom could access the files and download them. No special skills needed. She doesn't specify if they downloaded only IBM's code or other code as well. She doesn't indicate there was any password or any other access prevention mechanism. Out of this, here is what SCO morphed it into, in its Memorandum in Opposition to IBM's 8th Counterclaim re copyright infringement:
"B. IBM's Unauthorized Access Into SCO's Website
"Another well-established basis for the application of the doctrine in the context of the Copyright Act arises when the claimant has obtained evidence by improper means.6
"SCO provided its customers who purchased SCO Server 4.O with a password to enter at a log-in screen so that only they could access source code via the internet. Sontag Decl. ¶17-19. After news of a bug in the website's security system was reported on internet websites, IBM exploited the bug to bypass SCO's security system, hack into SCO's computers, and download the very files IBM has now attached to its motion. Id. ¶¶20-27.
"The Computer Fraud and Abuse Act, 18 U.S.C. §1030(a)(2)(C), makes it a felony for any person to access another person's computer, via the internet or otherwise, unless authorized to do so. See, e.g., Creative Computing v. GetLoaded.com, LLC, 386 F.3d 930 (9th Cir. 2004);
I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info Sys., Inc., 307 F. Supp. 2d 521, 523-24, 526 (S.D.N.Y. 2004) (citing cases); AOL, Inc. v. LCGM, Inc., 46 F.Supp. 2d 444, 450 (E.D. Va. 1998). By improperly obtaining the evidence assertedly in support of its counterclaim and instant motion, IBM comes to the Court with unclean hands. . . .
________
6 "See, e.g., Fleming v. Miles, 181 F. Supp. 2d 1143, 1154 (D. Or. 2001) (holding copyright registrant who denied existence of competing registration in his registration application could not recover damages for alleged infringement by competing registrant); Russ Berrie & Co. v. Jerry Elsner Co., 482 F. Supp. 980, 987-88 (S.D.N.Y. 1980) (declining to enforce copyright because the owner's knowing failure to disclose material facts in registration applications constituted 'reason for holding the registration invalid and thus incapable of supporting an infringement action, or denying enforcement'); Rixon, Inc. v. Racal-Milgo, Inc., 551 F. Supp. 163, 171 (D. Del. 1982) ('Unclean hands in the procurement of a patent from the Patent and Trademark Office or in prior enforcement action, for example, may render the patent unenforceable.'); see also Nimmer, supra, §13.09[B] (the doctrine applies where the claimant 'obtained information as to the nature of defendant's work through unfair means'); see also Gemveto Jewelry Co., Inc. v. Lambert Bros., Inc., 542 F. Supp. 933, 939 (S.D.N.Y. 1982)."
As you can see, the two accounts don't match at all. I don't think their description of the statute, 18 U.S.C. §1030(a)(2)(C), is accurate, from what I've had explained to me, because their wording ("§1030(a)(2)(C), makes it a felony for any person to access another person's computer, via the internet or otherwise, unless authorized to do so") stops without mentioning the remaining elements needed to reach the status of a felony, perhaps because from what we currently know, IBM seems not to have matched those elements. Where, for example, is there a $5,000 loss to SCO? What really doesn't match in my eyes is the alleged offense -- in its worst possible light, from SCO's description -- and what the Department of Justice says were the kinds of situations the law, as amended (it originally applied only to government computers), was designed to address. Because this is such a long section, I have made it colored text, so you don't get confused about where it begins and ends:
Subsection (a)(2) is, in the truest sense, a provision designed to protect the confidentiality of computer data. As was noted in 1986 by the Senate Judiciary Committee,
[t]he premise of 18 U.S.C. 1030(a)(2) will remain the protection,
for privacy reasons, of computerized credit records and computerized
information relating to customers' relationships with financial
institutions. . . . Because the premise of this subsection is
privacy protection, the Committee wishes to make clear that 'obtaining
information' in this context includes mere observation of the data.
S. Rep. No. 99-432 at 6.
With the continued evolution of the National Information Infrastructure (NII), however, Congress has come to recognize that not only financial records and credit information warrant federal protection. As noted in the commentary to the Draft Principles, "with the NII, the assumption is that large amounts of sensitive information will be on line, and can be accessed, perhaps without authority, by a large number of network users." 59 Fed. Reg. at 27207. Moreover, "the NII will only achieve its full potential if individual privacy is properly protected." Id. Therefore, the new subsection 1030(a)(2) is designed to insure that it is punishable to misuse computers to obtain government information and, where appropriate, information held by the private sector. Moreover, the provision has been restructured so that different paragraphs protect different types of information, thus allowing easy additions or modifications to offenses if events require.
Certainly not all computer misuse warrants federal criminal sanctions. The problem is that no litmus test can accurately segregate important from unimportant information, and any legislation may therefore be under- or over-inclusive. For example, a frequent test for determining the appropriateness of federal jurisdiction--a monetary amount--does not work well when protecting information. The theft from a computer of a judge's draft opinion in a sensitive case or the copying of medical records might not meet such a monetary threshold, but clearly such information should be protected. Therefore, the act of taking all of this kind of information is now criminalized. Even so, it is important to remember that the elements of the offense include not just taking the information, but abusing one's computer authorization to do so.
The need to protect information is highlighted by recent studies indicating that people are increasingly misusing computers to obtain information. In 1993, the General Accounting Office (GAO) presented testimony before the House Government Operations Committee, Subcommittee on Information, Justice, Agriculture, and Transportation, on the abuse of National Crime Information Center (NCIC) information. The testimony stated that, following an investigation, GAO determined that (1) NCIC information is valuable, (2) such information has been misused by "insiders" (individuals with authorized access), (3) this misuse included selling NCIC information to outsiders and determining whether friends and relatives had criminal records, and (4) incentives for misuse outweighed potential penalties. Statement of Laurie E. Ekstrand, July 28, 1993, p. 6 [hereinafter "Ekstrand Statement"]. The GAO found that some of this misuse jeopardized the safety of citizens and potentially jeopardized law enforcement personnel. Id. at 16. Moreover, because there were no federal or state laws specifically directed at NCIC misuse, most abusers of NCIC were not criminally prosecuted. Id. at 17. GAO concluded that Congress should enact legislation with strong criminal sanctions specifically directed at the misuse of NCIC. Id. at 20.
Of course, protecting only NCIC data (or, more broadly, criminal history information), would be underinclusive, because other types of sensitive data are clearly at risk. For example, during Operation Desert Storm, it was widely reported that hackers accessed sensitive but unclassified data regarding personnel performance reports, weapons development information, and logistics information regarding the movement of equipment and personnel. . . .
The seriousness of a breach in confidentiality depends, in considerable part, on either the value of the information or the defendant's motive in taking it. Thus, the statutory penalties are structured so that merely obtaining information of minimal value is only a misdemeanor, but certain aggravating factors make the crime a felony. More specifically, the crime becomes a felony if the offense was committed for purposes of commercial advantage or private financial gain, for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State, or if the value of the information obtained exceeds $5,000.
As for enhancements not based on the value of the property obtained, recent documented cases indicate that individuals misuse information for a variety of unacceptable purposes. The terms "for purposes of commercial advantage or private financial gain" and "for the purpose of committing any criminal or tortious act" are taken from the copyright statute (17 U.S.C. § 506(a)) and wiretap statute (18 U.S.C. § 2511(1)(d)) respectively.
As for the monetary threshold, any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs, or the value of the property "in the thieves' market," can be used to meet the $5,000 valuation. See, e.g., United States v. Stegora, 849 F.2d 291, 292 (8th Cir. 1988).
The relationship between the existing § 1030(a)(3) provision and the newly amended § 1030(a)(2) merits some discussion. Section 1030(a)(3) protects the computer from outsiders, even if the hacker obtains no information. Thus, an intruder who violates the integrity of a government machine to gain network access is nonetheless liable for trespass even when he has not jeopardized the confidentiality of data. Section 1030(a)(2), on the other hand, protects the confidentiality of data, even from intentional misuse by insiders. Additionally, although a first violation of § 1030(a)(3) is always a misdemeanor, a § 1030(a)(2) violation may constitute a felony if the information taken is valuable or sufficiently misused. See § 1030(c)(2)(B)(raising the offense to felony level based upon the value or intended use of the improperly acquired data). Although a single act may violate both provisions, the provisions protect against different harms and, in any event, the actor's conduct would be aggregated for the purposes of sentencing. . . .
Hackers, for example, have broken into Cray supercomputers for the purpose of running password cracking programs, sometimes amassing computer time worth far in excess of $5,000. In light of the large expense to the victim caused by some of these trespassing incidents, it is more appropriate to except from the felony provisions of subsection 1030(a)(4) only cases involving no more than $5,000 of computer use during any one-year period.
So, as you can see, the law was intended to take into account both the value of any loss and the intent behind the access. "Certainly not all computer misuse warrants federal criminal sanctions," they say. Was IBM breaking into Cray computers to run password cracking programs? So even the DOJ is saying that there is a reasonableness standard they were striving for as far as the felony aspect of the statute was concerned. But, having said that, what about the civil side? You need to read the statute, and when you do, I think your hair will stand on end.
The statute is so broad in its wording, when it comes to civil litigation, it's hard to imagine what *wouldn't* qualify as "hacking", if someone was determined to make it seem so. SCO is alleging an offense under 18 U.S.C. §1030(a)(2)(C), and Webster has made the important parts red, just for ease of comprehension, not to make your hair stand on end. It'll do that altogether on its own. Here's just the (a)(2)(C) part, to start us off:
(a) Whoever—
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
It seems to say that mere access, even if all you do is read, is verboten if you don't have authorized access or exceed your authorized access. You might also like to read an analysis of the law, and the article also explains how the law has been interpreted in what the author calls "an expansive, and perhaps mildly startling, fashion". A bit more on how it was used to retaliate in a trade secrets theft case a few years ago. We'll have much more about this in the followup article. The bad thing about laws that are written badly is that some ethically-challenged entity will try to use them to fight dirty, and if a law is written badly enough, they might do some damage with it.
The good thing about laws that are vague and badly written is, they usually can't stand up to scrutiny in the courts long term, or the law gets tweaked until it is better, or judges find a way to say to an overreaching plaintiff trying to take advantage of a law's flaws to do harm in a particular case, in effect, "This is silly." But for now, we'll have to assume that this vague statute says what it means and isn't unconstitutional, and so let's analyze the situation with that assumption. First, SCO mentions the word felony, so we'll assume they are alleging both loss, over $5,000, and bad intent/unauthorized access, or as the DOJ explanation put it, "committed for purposes of commercial advantage or private financial gain, for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State, or if the value of the information obtained exceeds $5,000." Right. Does that sound like IBM to you? Hardly. Is it all starting to feel ridiculous and a bit icky too?
Here is a simple explanation of the difference between criminal and civil, and as you will see, in a civil case, the wronged party, or the party imagining himself wronged, brings the action. In a criminal case, it's up to the law enforcement entities to decide whether to bring a case or not. If they do, they represent the people, and hence the allegedly wronged individual. So, here, it means that unless somebody actually brings a criminal action under the Computer Fraud and Abuse Act, IBM is not actually, officially accused of anything criminal, let alone found guilty of anything. It's an accusation, and as nauseating as it must be for IBM to have to answer something like this, the bottom line is that it's an unproven allegation. From SCO.
Webster has highlighted the statute in red to show us the parts that matter here, and his remarks are in blue, but remember, his remarks are his notes on the criminal aspects here, not the civil. The bottom line in his view? It's nonsense, in his opinion, that isn't going anywhere as far as criminal law is concerned. Of course, there is another side to the law, the civil side, which we'll talk about in the later article. And Webster is analyzing this just to give us a feel for the statute. We don't, after all, actually know what IBM saw on the screen, whether there really was a password set up, whether it was a bug in the code as SCO says or whether they just didn't get around to setting up an actual password-only access mechanism. There are four sites listed in the Bennett declaration and two dates, and while we've certainly heard plenty of eyewitness accounts, there is no single account and without knowing exactly what IBM saw and did, we can only analyze so far and will have to wait for IBM's answer for the rest. So, with that disclaimer, and for educational purposes only, here is the statute, marked by Webster for clarity.
********************************
Section 1030. Fraud and related activity in connection with computers
(a) Whoever -
(1) having knowingly accessed a computer without authorization
or exceeding authorized access, and by means of such conduct
having obtained information that has been determined by the
United States Government pursuant to an Executive order or
statute to require protection against unauthorized disclosure for
reasons of national defense or foreign relations, or any
restricted data, as defined in paragraph y. of section 11 of the
Atomic Energy Act of 1954, with reason to believe that such
information so obtained could be used to the injury of the United
States, or to the advantage of any foreign nation willfully
communicates, delivers, transmits, or causes to be communicated,
delivered, or transmitted, or attempts to communicate, deliver,
transmit or cause to be communicated, delivered, or transmitted
the same to any person not entitled to receive it, or willfully
retains the same and fails to deliver it to the officer or
employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or
exceeds authorized access, and thereby obtains -
(A) information contained in a financial record of a
financial institution, or of a card issuer as defined in
section 1602(n) of title 15, or contained in a file of a
consumer reporting agency on a consumer, as such terms are
defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.);
(B) information from any department or agency of the United
States; or
(C) information from any protected computer if the conduct
involved an interstate or foreign communication;
[This is too broad and does not exclude innocent, accidental, ignorant conduct.]
(3) intentionally, without authorization to access any
nonpublic computer of a department or agency of the United
States, accesses such a computer of that department or agency
that is exclusively for the use of the Government of the United
States or, in the case of a computer not exclusively for such
use, is used by or for the Government of the United States and
such conduct affects that use by or for the Government of the
United States;
(4) knowingly and with intent to defraud, accesses a protected
computer without authorization, or exceeds authorized access, and
by means of such conduct furthers the intended fraud and obtains
anything of value, unless the object of the fraud and the thing
obtained consists only of the use of the computer and the value
of such use is not more than $5,000 in any 1-year period;
(5)(A)(i) knowingly causes the transmission of a program,
information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protected
computer;
(ii) intentionally accesses a protected computer without
authorization, and as a result of such conduct, recklessly causes
damage; or
(iii) intentionally accesses a protected computer without
authorization, and as a result of such conduct, causes damage;
and
(B) by conduct described in clause (i), (ii), or (iii) of
subparagraph (A), caused (or, in the case of an attempted
offense, would, if completed, have caused) -
(i) loss to 1 or more persons during any 1-year period (and,
for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a
government entity in furtherance of the administration of
justice, national defense, or national security;
(6) knowingly and with intent to defraud traffics (as defined
in section 1029) in any password or similar information through
which a computer may be accessed without authorization, if -
(A) such trafficking affects interstate or foreign commerce;
or
(B) such computer is used by or for the Government of the
United States; (FOOTNOTE 1)
(FOOTNOTE 1) So in original. Probably should be followed by
''or''.
(7) with intent to extort from any person any money or other
thing of value, transmits in interstate or foreign commerce any
communication containing any threat to cause damage to a
protected computer;
shall be punished as provided in subsection (c) of this section.
(b) Whoever attempts to commit an offense under subsection (a) of
this section shall be punished as provided in subsection (c) of
this section.
(c) The punishment for an offense under subsection (a) or (b) of
this section is -
(1)(A) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(1) of this section which does not occur after a
conviction for another offense under this section, or an attempt
to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than
twenty years, or both, in the case of an offense under subsection
(a)(1) of this section which occurs after a conviction for
another offense under this section, or an attempt to commit an
offense punishable under this subparagraph;
(2)(A) except as provided in subparagraph (B), a fine under
this title or imprisonment for not more than one year, or both,
in the case of an offense under subsection (a)(2),
[This is a misdemeanor only] (a)(3),
(a)(5)(A)(iii), or (a)(6) of this section which does not occur
after a conviction for another offense under this section, or an
attempt to commit an offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5
years, or both, in the case of an offense under subsection
(a)(2), or an attempt to commit an offense punishable under this
subparagraph, if -
(i) the offense was committed for purposes of commercial
advantage or private financial gain;
[It was done just for information
and evidence, legal reasons. IBM has so many arguments against this.]
(ii) the offense was committed in furtherance of any criminal
or tortious act in violation of the Constitution or laws of the
United States or of any State; or
[I'm sure SCO can argue something, but SCO can't really
argue loss until they prove their case.]
(iii) the value of the information obtained exceeds $5,000;
and
(C) a fine under this title or imprisonment for not more than
ten years, or both, in the case of an offense under subsection
(a)(2), (a)(3) or (a)(6) of this section which occurs after a
conviction for another offense under this section, or an attempt
to commit an offense punishable under this subparagraph;
(3)(A) a fine under this title or imprisonment for not more
than five years, or both, in the case of an offense under
subsection (a)(4) or (a)(7) of this section which does not occur
after a conviction for another offense under this section, or an
attempt to commit an offense punishable under this subparagraph;
and
(B) a fine under this title or imprisonment for not more than
ten years, or both, in the case of an offense under subsection
(a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs
after a conviction for another offense under this section, or an
attempt to commit an offense punishable under this subparagraph;
(4)(A) except as provided in paragraph (5), a fine under this
title, imprisonment for not more than 10 years, or both, in the
case of an offense under subsection (a)(5)(A)(i), or an attempt
to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5
years, or both, in the case of an offense under subsection
(a)(5)(A)(ii), or an attempt to commit an offense punishable
under that subsection;
(C) except as provided in paragraph (5), a fine under this
title, imprisonment for not more than 20 years, or both, in the
case of an offense under subsection (a)(5)(A)(i) or
(a)(5)(A)(ii), or an attempt to commit an offense punishable
under either subsection, that occurs after a conviction for
another offense under this section; and
(5)(A) if the offender knowingly or recklessly causes or
attempts to cause serious bodily injury from conduct in violation
of subsection (a)(5)(A)(i), a fine under this title or
imprisonment for not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts
to cause death from conduct in violation of subsection
(a)(5)(A)(i), a fine under this title or imprisonment for any
term of years or for life, or both.
(d)(1) The United States Secret Service shall, in addition to any
other agency having such authority, have the authority to
investigate offenses under this section.
(2) The Federal Bureau of Investigation shall have primary
authority to investigate offenses under subsection (a)(1) for any
cases involving espionage, foreign counterintelligence, information
protected against unauthorized disclosure for reasons of national
defense or foreign relations, or Restricted Data (as that term is
defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C.
2014(y)), except for offenses affecting the duties of the United
States Secret Service pursuant to section 3056(a) of this title.
(3) Such authority shall be exercised in accordance with an
agreement which shall be entered into by the Secretary of the
Treasury and the Attorney General.
(e) As used in this section -
(1) the term ''computer'' means an electronic, magnetic,
optical, electrochemical, or other high speed data processing
device performing logical, arithmetic, or storage functions, and
includes any data storage facility or communications facility
directly related to or operating in conjunction with such device,
but such term does not include an automated typewriter or
typesetter, a portable hand held calculator, or other similar
device;
(2) the term ''protected computer'' means a computer -
(A) exclusively for the use of a financial institution or the
United States Government, or, in the case of a computer not
exclusively for such use, used by or for a financial
institution or the United States Government and the conduct
constituting the offense affects that use by or for the
financial institution or the Government; or
(B) which is used in interstate or foreign commerce or
communication, including a computer located outside the United
States that is used in a manner that affects interstate or
foreign commerce or communication of the United States;
(3) the term ''State'' includes the District of Columbia, the
Commonwealth of Puerto Rico, and any other commonwealth,
possession or territory of the United States;
(4) the term ''financial institution'' means -
(A) an institution, with deposits insured by the Federal
Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve
including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National
Credit Union Administration;
(D) a member of the Federal home loan bank system and any
home loan bank;
(E) any institution of the Farm Credit System under the Farm
Credit Act of 1971;
(F) a broker-dealer registered with the Securities and
Exchange Commission pursuant to section 15 of the Securities
Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are
defined in paragraphs (1) and (3) of section 1(b) of the
International Banking Act of 1978); and
(I) an organization operating under section 25 or section
25(a) (FOOTNOTE 2) of the Federal Reserve Act;
(FOOTNOTE 2) See References in Text note below.
(5) the term ''financial record'' means information derived
from any record held by a financial institution pertaining to a
customer's relationship with the financial institution;
(6) the term ''exceeds authorized access'' means to access a
computer with authorization and to use such access to obtain or
alter information in the computer that the accesser is not
entitled so to obtain or alter;
[IBM can say they are entitled by the mere access or were accidentally
misled by such.]
(7) the term ''department of the United States'' means the
legislative or judicial branch of the Government or one of the
executive departments enumerated in section 101 of title 5;
(8) the term ''damage'' means any impairment to the integrity
or availability of data, a program, a system, or information;
[If appropriate, IBM can say there was no damage.]
(9) the term ''government entity'' includes the Government of
the United States, any State or political subdivision of the
United States, any foreign country, and any state, province,
municipality, or other political subdivision of a foreign
country;
(10) the term ''conviction'' shall include a conviction under
the law of any State for a crime punishable by imprisonment for
more than 1 year, an element of which is unauthorized access, or
exceeding authorized access, to a computer;
(11) the term ''loss'' means any reasonable cost to any victim,
including the cost of responding to an offense, conducting a
damage assessment, and restoring the data, program, system, or
information to its condition prior to the offense, and any
revenue lost, cost incurred, or other consequential damages
incurred because of interruption of service; and
[IBM can argue that they caused absolutely no loss.]
(12) the term ''person'' means any individual, firm,
corporation, educational institution, financial institution,
governmental entity, or legal or other entity.
(f) This section does not prohibit any lawfully authorized
investigative, protective, or intelligence activity of a law
enforcement agency of the United States, a State, or a political
subdivision of a State, or of an intelligence agency of the United
States.
(g) Any person who suffers damage or loss by reason of a
violation of this section may maintain a civil action against the
violator to obtain compensatory damages and injunctive relief or
other equitable relief. A civil action for a violation of this
section may be brought only if the conduct involves 1 of the
factors set forth in clause (i), (ii), (iii), (iv), or (v) of
subsection (a)(5)(B). Damages for a violation involving only
conduct described in subsection (a)(5)(B)(i) are limited to
economic damages. No action may be brought under this subsection
unless such action is begun within 2 years of the date of the act
complained of or the date of the discovery of the damage. No
action may be brought under this subsection for the negligent
design or manufacture of computer hardware, computer software, or
firmware.
[Bingo. IBM will argue this too, "SCO negligence". How does that sound?]
(h) The Attorney General and the Secretary of the Treasury shall
report to the Congress annually, during the first 3 years following
the date of the enactment of this subsection, concerning
investigations and prosecutions under subsection (a)(5).
[If you get these reports, I doubt you'll see any misdemeanors.
They can't claim computer fraud until they win their case and thereby
claim loss. They can't claim unclean hands until it is a crime.
It can't be prosecuted until they can say it was their code alone to
hide. They first then have to convince some prosecutor to charge a crime
and then win a conviction. No prosecutor will because there is no apparent
loss and there are too many potential defenses, SCO negligence being one,
and he has better things to do.
IBM can say they were just investigating someone abusing their copyrighted
material. SCO then has to prove it is their copyrighted material to advance
their criminal accusation and found their "unclean hands" claim. This of course
is the ball game.
Note that if they were to get someone to prosecute IBM, IBM gets the right to discover
what is called "Brady" material, evidence favorable to the defense in the possession of the
prosecutor.
It's the endless, begging the question, who's-on-first, lift-oneself-by-bootstrap,
cart-before-the-horse argument that SCO makes: They stole our code. No, it's their
code. Yes, because they stole it. Where? In there. Where in there? We don't know,
they haven't told us yet. Make them tell us.
There is no loss that I can see. They are saying IBM took the code long ago before they
filed suit. This supposed hack adds nothing. SCO can be accused of having "unclean
hands" in that they want to hide their copyright violations of distributing IBM
copyrighted materials. IBM will likely slam them back with this. Mutual unproved
accusations are a wash.
It has no prosecutorial merit, in my opinion.]
|
|
Authored by: chrisbrown on Wednesday, December 15 2004 @ 11:59 PM EST |
Post your OTs Here.
Don't forget to HTML tag them:
<a href="http://www.example.com/tobenice.html">text</a>
|
|
Authored by: chrisbrown on Thursday, December 16 2004 @ 12:00 AM EST |
n/t
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 12:12 AM EST |
"No action may be brought under this subsection for the negligent design or
manufacture of computer hardware, computer software, or firmware."
Does that mean that if I make a bad PHP script and run Apache/PHP as root that
allows an attacker to access my computer freely and use it under root privileges
because my script has "negligent design"?
|
|
Authored by: Brian S. on Thursday, December 16 2004 @ 12:13 AM EST |
"SCO provided its customers who purchased SCO Server 4.0 with a password
to enter at a log-in screen so that only they could access source code via the
internet..........."
I can't believe that IBM has not legally purchased a copy of SCO Server 4.0.
For the most innocent of reasons, it pays to know what a competitor is offering.
Brian S.
|
|
Authored by: tknarr on Thursday, December 16 2004 @ 12:14 AM EST |
I think IBM has an even easier way to knock this down. I'm assuming there was
no password required, since if it was I doubt IBM would have proceeded to crack
the password. I believe SCO's advertised this exact site to their own customers
to download the software from, it's not a URL IBM would have had to go hunting
for. The GPL requires SCO to make the source code available to any third party,
so if SCO claims to comply with the GPL then they're authorizing any third party
to download the code. They may authorize it to be downloaded from another site
if you're not a customer, but with no password on this site I can't see a judge
considering downloading the same software from the wrong server a significant
ethical breach. And if SCO claims third parties aren't authorized to download
the source from anywhere, IBM shrugs and quotes SCO's own filing in their
counterclaim, and SCO can't claim any unclean hands on IBM's part there. I
suspect this is exactly the bind the Nazgul want SCO in.
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 12:15 AM EST |
SCO will try anything to wiggle out of the PSJ.
This judge is intelligent and knows what's going on, SCO won't be able to wiggle
out of this so easily.
|
|
Authored by: darksepulcher on Thursday, December 16 2004 @ 12:16 AM EST |
Even if they knew that this one is a non-starter, how much time (read: delay)
could this buy SCO if they decide to press the issue anyway? Better yet, how
big of a crater could IBM's returned fire leave when they answer this mess?
---
Had I but time--As this fell Sergeant, Death
Is strict in his arrest--O, I could tell you--
But let it be.
(Hamlet, Act V Scene 2)
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 12:17 AM EST |
His initial opinion, based only on facts that are currently available, is that
it has no prosecutorial merit as a criminal offense, as a felony. For that
matter, no criminal action has been brought to date that we've heard about.
Webster doesn't believe there ever will be either, for reasons you'll see as we
go along. SCO didn't ask to add a new cause of action for hacking under this
statute either. All SCO did so far was tell the judge that the evidence of SCO's
infringement that IBM found and presented to the court shouldn't be considered
because IBM allegedly has "unclean hands" for finding it the way they did.
Do we know that isn't part of SCO's attempt to file a 3rd amended complaint?
The prospective 3rd amended complaint is sealed, we haven't seen it, all we know
about it is what Darl (etc) and O'Gara have told us in the press which may not
accurately reflect its content.
I do realize the court has not yet ruled whether or not SCO will be allowed to
file a 3rd amended complaint.
But can we absolutely rule out, that allegations of "hacking" of this type, do
not appear in the *prospective* 3rd amended complaint?
Quatermass
IANAL IMHO
P.S.
Joke: SCO's loss is more than $5000. After all, each copy downloaded or
distributed internally in IBM to do the analysis is worth $699 or $1399 -- you
do the math!
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 12:19 AM EST |
But IBM has a cross license with SCO via the Novell license sale to SCO. If that's
not enough, all IBM has to do is show ONE copy of LinuxWare that they obtained
legitimately, and BINGO. Either SCO violates the GPL, or IBM is entitled to a
copy of the code by virtue of the fact they have a copy of the code in question,
legitimately.
Sort of like a snake eating its own tail. The only value this has is that it's
going to cost time and cause delay. Since SCO only wants to cost time and cause
delay so they can spin this out as a "win", then they actually do win
what they want, regardless if it's tossed out four years from now.
You know, I really think I hate this. It makes my brain hurt following all these
twisty little shyster moves.
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 12:23 AM EST |
I admit, I was a little chagrined at the "unclean hands" charge. I
remember accessing the sco.com ftp site last summer, and don't remember it
requiring a password to access the kernel source files.
Did it?
|
|
Authored by: jwoolley on Thursday, December 16 2004 @ 12:24 AM EST |
In this account, the files seem to have been freely available. Of
course, no one but IBM can know what they saw on the screen on the dates in
question or what steps they took, but from the description, it sounds like
anyone and their mom could access the files and download them. No special skills
needed. She doesn't specify if they downloaded only IBM's code or other code as
well. She doesn't indicate there was any password or any other access prevention
mechanism.
A quick google search reveals that links to the same
material and a discussion of the contents are posted in a Slashdot thread from
February 2004. So to the extent that the people who posted those comments are
trustworthy (I can see no reason why they would have made up the URLs and what
they found at those URLs), we can assume that it was NOT just IBM who found this
material on SCO's website in that timeframe, even though the site is now
protected by basic authentication (an access control method which would have
taken somebody about 0.5 minutes to put in place and could have been added at
any time, I might add). Even if the access controls were supposed to
have been there all along, the fact that they were not there originally is not
the fault of the people who then had access to the contents of that website. It
is the fault of the person who configured the website and then failed to test
the configuration to see that it was broken and allowed anybody in (which would
have taken another 0.1 minutes, by the way).
--Cliff
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 12:35 AM EST |
If I put a site up on the internet, without access restriction, am I then able
to sue anybody who hits that page (including google etc.) because I had not
explicitly authorised that action?
It seems to me that the letter of the law supports my ability to do so, but is
this really the intent of such law?
I imagine SCO must also have 'unclean hands', since downloading Linux from
kernel.org etc. without explicit authorisation from the site owners would also
be 'hacking'.
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 12:36 AM EST |
Another question, I asked this before.
(1) Footnote 6 appears to be cases supporting the proposition that not doing
your copyright or patent registrations properly, generates "unclean hands" when
you get to enforcing the copyrights.
(2) Yet in the main part of the memo, SCO seems to use Footnote 6 to argue that
being accused of hacking, generates "unclean hands" when you get to enforcing
copyrights.
Maybe it's just me, but I don't see that (2) logically follows from, is in any
way related to (1).
Any thoughts, comments or explanations, folks? Webster? Marbux? AllParadox?
Quatermass
IANAL IMHO etc
|
|
Authored by: rand on Thursday, December 16 2004 @ 12:55 AM EST |
IBM, of course:
"The following network operating systems have been tested for compatibility
with the [IBM] BladeCenter HS20:...SCO Linux 4.0 - (UL1.0 based)"
http://www-1.ibm.com/support/docview.wss?uid=psg1MIGR-52843
That's supposing, of course, that IBM doesn't test their front-line systems with
pirated software ;)
---
The wise man is not embarrassed or angered by lies, only disappointed. (IANAL
and so forth and so on)
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 01:02 AM EST |
I think anyone who accesses an SCO website should wash their
hands afterwards just in case...
Stephen Lewis
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 01:09 AM EST |
"SCO mentions the word felony...and bad intent/unauthorized access....
Does that sound like IBM to you?"
As a balancing thought, it's healthy to recognize that all large corporations
engage in espionage to one degree or another.
Does it sound like IBM to me? Yes. Does it sound like IBM _in_this_case_? No,
they're too smart to play like that with $5 billion on the line.
|
|
Authored by: jdg on Thursday, December 16 2004 @ 01:09 AM EST |
"10. Also under my direction, our team of programmers compared the IBM
Copyrighted Works to code we found available for download on SCO's website. On
January 9, 2004, I observed while a member of my team accessed via the Internet
the following four SCO web pages, and downloaded code from these web pages:
(1) http://linuxupdate.sco.com/scolinux/update/RPMS.updates; ...
"11. The code posted and made available for download via the Internet from
SCO's website included verbatim copies of files from the IBM Copyrighted Works
appearing at Exhibits 5.1 through 20.1 of the accompanying Sorenson Declaration.
The files from SCO's website that are verbatim copies of files within the IBM
Copyrighted Works comprise approximately 783,000 lines of code, and appear at
Exhibits 5.3 through 20.3 of the Sorenson Declaration.
It is my impression that the access in January did not even nominally require a
password process. I am guessing that this does not even quite fit TSG's
definition of hacking. See:
"12. My team and I accessed SCO's website from the Internet, using a
standard computer and web browser. Any person with access to the Internet, a
standard web browser and a personal computer or laptop could access SCO's
website and download Linux code, just as my team and I did. No special expertise
would be necessary.
The next paragraph does not say that they downloaded anything. The copies of
the files were from the January access, not the August access. The August
access was done to ascertain if the material was still there. I do not think
that you have to download the material to determine if it is there.
"13. On August 4, 2004, my team again visited the SCO web pages listed in
Paragraph 10, and confirmed that all of the code attached as Exhibits 5.3
through 20.3 of the Sorenson Declaration was still available for download from
SCO's website."
Does this diminish the force of TSG's argument (conditional on there being
something to it)? Of course, there is also the issue that IBM probably had
legal access to it by meeting the conditions presented for access. We will
probably see when IBM's response is filed.
---
SCO is trying to appropriate the "commons"; don't let them [IANAL]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 01:12 AM EST |
In order to evaluate this claim we would need to know the following:
Were these four URLs accessible without a password ('anonymous' ftp doesn't
count!) on 9 January 2004 and 4 August 2004:
(1) http://linuxupdate.sco.com/scolinux/update/RPMS.updates;
(2) http://Linuxupdate.sco.com/scolinux/SRPMS;
(3) http://linuxupdate.sco.com/scolinux/update/RPMS.scolinux; and
(4) ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/server/CSSA-2002-026.0/SRPMS.
It would also be nice to find what this refers to. I didn't find anything in
Google, will go search some other archives:
After news of a bug in the website's security system was reported on internet
websites...
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 01:23 AM EST |
The phrase "badly written laws", brings up what can only be described
as a "Tech Sergeant Chen" moment (Galaxy Quest in-joke).
As in, "And besides, I just had an interesting idea."
If, as I recall, SCO is *required* to keep their GPL'd code up and available for
some period of time...
... but IBM is upset with them misappropriating their copyrighted code...
... IBM could tighten the noose, by invoking the DMCA and its "safe
harbour" clause on SCO and/or its ISP (requiring them to remove the code or
cut off access to it).
No code available, instant GPL violation, slam dunk, red dress time.
Maybe not as satisfying as seeing the Nazgul full-court press, but any outright
defeat of SCO is likely to satisfy many.
Well, that thought made *my* day, anyway. :-)
briand
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 01:37 AM EST |
Suppose Mr X puts a downloadable copy of Microsoft Office on his web site
(without permission from Microsoft)
If he adds a log-in screen or a message saying "You may not access this
site if you work for Microsoft, its attorneys, the BSA or any similar
organization, or intend to use materials obtained from this site in any civil
litigation or criminal prosecution"
Even if Mr X's log-in protection and message was always displayed (unlike
SCO's which even according to them was broken).... would that stop the BSA or
Microsoft suing for copyright infringement?
If SCO's argument were correct, it would.
(and this is why I don't think it's correct)
IANAL
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 01:48 AM EST |
"[...]and having improperly hacked into SCO's website to obtain the very
evidence that is the supposed basis for IBM's motion"
Could this be a case of libel, slander or an infamatory remark? I have some vague
idea that one may make very unsubstantiated claims in a motion like that of SCO,
but I (and they) could be wrong.
Anyone with better knowledge?
|
|
Authored by: Zarkov on Thursday, December 16 2004 @ 01:54 AM EST |
The phrase 'Protected Computer' kept jumping off the page as I read the
legislation.
From all the accounts of GrokLawyers who tried to access that site I very much
doubt that SCO could put up an argument that it was on a 'Protected Computer'
under the terms of the Act. I recall reading that at best, SCO put up a login
prompt which did not require a UserID or password, essentially a dormant
dialog...
What is the burden of proof on the part of the complainant to show that
'adequate', not just 'minimal' measures have been put in place for their
equipment to qualify as a 'Protected Computer'?
|
|
Authored by: kawabago on Thursday, December 16 2004 @ 02:49 AM EST |
How much time should Darl spend in prison for all the money he's lost the
company in this puerile Linux extortion scam?
---
constructive irrelevance.
|
|
Authored by: dodger on Thursday, December 16 2004 @ 02:55 AM EST |
SCO will have to show the logs on their servers that show the user login
information and the passwords given for all downloads during that period.
Without these (complete) records, they will be proving their own negligence. And
since I was one 'hacker' who downloaded, the login/password information I used
will be in those logs.
I downloaded because SCO was making press of the illegality and
unconstitutionality of the GPL - and I wanted to see if they were nevertheless
distributing Linux under the GPL.
|
|
Authored by: RedBarchetta on Thursday, December 16 2004 @ 03:08 AM EST |
From the above DOJ paper:
"The relationship between the existing § 1030(a)(3) provision and the newly
amended § 1030(a)(2) merits some discussion. Section 1030(a)(3) protects the
computer from outsiders, even if the hacker obtains no information. Thus, an
intruder who violates the integrity of a government machine to gain network
access is nonetheless liable for trespass even when he has not jeopardized the
confidentiality of data. Section 1030(a)(2), on the other hand, protects the
confidentiality of data, even from intentional misuse by insiders.
Additionally, although a first violation of § 1030(a)(3) is always a
misdemeanor, a § 1030(a)(2) violation may constitute a felony if the
information taken is valuable or sufficiently misused."
So the DOJ states that the "first violation [..] is always a misdemeanor."
Let's give TSG the benefit of the doubt and assume they have a valid point.
According to the above, what's the worst possible outcome for IBM? A
misdemeanor? And does it mean this particular evidence is thrown out? I truly
can't answer that, because IANAL. But why would it make a difference?
TSG doesn't deny distributing the GPL code due to "obligations to their
customers". That admission is all the proof IBM needs.
By the way, I remember this error by SCO, and when I pulled up the site to
witness the idiocy myself, I recall that nowhere did it explicitly display
access limitation notices. Nowhere did it say who was limited in accessing the
archives. No STOP! notices, no scary "Leave now if you aren't XYZ," no warning
signs. Nothing. You were just presented with a login/password window. The mere
accidental click of the OK button, or the accidental slip of the ESC key
revealed an openly accessible system.
Is that enough for a § 1030(a)(3) violation?
IMHO, TSG loses on a technicality just because of the lack of visible warning
notices, forget about everything else...
---
Collaborative efforts synergise.
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 03:34 AM EST |
Actually I think it's easier than this. SCO are trying to get around the GPL by
"not distributing the code".
This is almost certainly the blank password that everyone can guess, but SCO
hasn't disclosed. If SCO doesn't tell you the password, you can't get the code,
so SCO is in the clear with respect to the GPL distribution clause.
The license doesn't apply, because SCO did not distribute the code to you (you
don't have a password).
This just isn't going to work, of course. Any former SCO Linux customers who
want to exercise their GPL rights by passing the code to IBM?
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 03:42 AM EST |
SCO says they had a login and IBM bypassed it.
IBM does not mention a login but says anyone could have downloaded the code.
Both could tell the truth:
If SCO configured a login prompt for a part of their website, where there are
links to other parts of their website, which contain the code but don't need a
login.
Then people who know the 'secret' URLs are able to download the code without a
login. This could happen if:
- there was no login before and the urls are bookmarked
- there are urls in the documentation of the software, customers got through
other ways
- something got through to google and was cached
Even if this happened, SCO is not allowed to speak of a protected computer and
a hack because it would be a failure of the setup on their side, since an
innocent downloader knowing the exact urls of the code wouldn't even see a
login. Or even a direct link could be produced as the result of a google
search.
Tux
|
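The configuration test that jwoolley's comment says was skipped, applied to the layout Tux describes (a login prompt on one part of a site, files reachable by direct URL elsewhere), as an added example that is not code from any commenter or from SCO's site. The site layout, paths and account are constructed, and the site is a small in-process WSGI app rather than a real web server so the check runs offline.

```python
"""Audit which paths of a download site answer a client with no credentials.

Constructed example: the site layout, account and paths are hypothetical.
"""
import base64
import hmac
from wsgiref.util import setup_testing_defaults

USERS = {"customer": "constructed-password"}   # demo account only

FILES = {                                      # constructed site content
    "/login/index.html": b"customer download area",
    "/update/SRPMS/kernel.src.rpm": b"constructed package bytes",
    "/update/RPMS/tool.rpm": b"constructed package bytes",
    "/pub/README": b"public readme",
}


def _authorized(environ):
    """Validate an HTTP Basic Authorization header against USERS."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:          # malformed base64 or invalid UTF-8
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def make_site(protected_prefixes):
    """Return a WSGI app that demands Basic auth under the given prefixes."""
    def app(environ, start_response):
        path = environ["PATH_INFO"]
        guarded = any(path.startswith(p) for p in protected_prefixes)
        if guarded and not _authorized(environ):
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Basic realm="downloads"')])
            return [b""]
        if path not in FILES:
            start_response("404 Not Found", [("Content-Length", "0")])
            return [b""]
        start_response("200 OK", [("Content-Type", "application/octet-stream")])
        return [FILES[path]]
    return app


def request(app, path, credentials=None):
    """Issue one in-process GET and return the numeric status code."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if credentials:
        raw = "{}:{}".format(*credentials).encode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(raw).decode()
    seen = []
    app(environ, lambda status, headers, exc_info=None: seen.append(status))
    return int(seen[0].split()[0])


def audit(app, must_require_login):
    """Classify each path by what a client with no credentials receives."""
    report = {"exposed": [], "denied": [], "missing": []}
    for path in must_require_login:
        status = request(app, path)
        if status in (401, 403):
            report["denied"].append(path)
        elif 200 <= status < 300:
            report["exposed"].append(path)
        else:
            report["missing"].append(path)   # stale entry in the checklist
    return report


# Every path the operator intends to be customer-only.
CHECKLIST = ["/login/index.html", "/update/SRPMS/kernel.src.rpm",
             "/update/RPMS/tool.rpm"]

# Prompt only on the entry page: direct links to the files never meet it.
entry_page_only = make_site(["/login/"])
# Prompt on every tree that holds customer-only files.
whole_tree = make_site(["/login/", "/update/"])

if __name__ == "__main__":
    for name, site in (("entry page only", entry_page_only),
                       ("whole tree", whole_tree)):
        print(name, audit(site, CHECKLIST))
```

Run against a real deployment, the same checklist would be requested over HTTP after every configuration change; an "exposed" entry means the file is public regardless of what the entry page shows.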
|
Authored by: Anonymous on Thursday, December 16 2004 @ 03:44 AM EST |
As anything said in court (or in submissions to the court) is protected, SCO is
using this as a way to get lies and accusations into the record. Next we will
find Darl and others repeating the accusation in interviews and other public
statements knowing full well that IBM can do nothing about it.
Until that is, TSG is trampled into dust by a thundering herd of wild lawyers.
|
|
Authored by: muswell100 on Thursday, December 16 2004 @ 04:26 AM EST |
This whole charade is beginning to resemble something like a very public and
very messy divorce, with SCO taking the part of the bitter, hysterical
ex-partner who is trying for the house, the kids and the car, while shooting
wildly in all directions - citing mental cruelty, alcoholism, infidelity, snake
handling and double-parking. In fact... ANYTHING that might lead to a win.
Unfortunately for them, their desperation shows all too clearly.
PS: And for the pedants out there, 'ex-partners' can be male as well as female.
PPS: And I've nothing against snake handlers.
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 04:32 AM EST |
Can I ask a question of those who know far more about this than me. If SCO could
get someone to prosecute IBM for this in order to prove the claim (and hence the
unclean hands accusation) wouldn't they then be asking for a delay in SCO vs.
IBM until the new case were resolved?
And isn't that just the kind of thing SCO have been doing all this time?[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 04:45 AM EST |
The access to the ftp site has been mentioned many times by many web sites
indicating it as proof that SCO was still distributing GPL code, therefore
agreeing to it.
During that time, the files could be downloaded with a direct link. (I have not
tested it now.)
If a file has access protected, trying to download the file should prompt for a
login screen.
In section 16. of the SCO memo (the other article), they state:
"16. Between October 31 and December 1, 2003, IBM repeatedly accessed the
SCO log-in site but did not obtain access to the SCO Linux Server 4.0 files. Id.
¶25. After news of a bug in the SCO site's security system was reported on
internet websites, IBM exploited the bug to bypass the security system, hack
into SCO's website, and download the very files IBM has now attached to this
motion. Id. ¶¶22-27 (SCO therefore disputes IBM St. ¶27.)"
So they say that IBM tried but could not access the files only after a bug was
reported on internet websites.
- What is this bug that they are talking about?
- What internet websites?
- What reports?
I just browsed ftp://ftp.sco.com/ using a standard web browser and I did not
get a login screen, I did see some files named Legal_Notice dated 6/25/2004
and an ls-lR file dated 7/3/01 indicating that the Legal_Notice file was a
recent addition. (Still there is no reason to trust a date in a computer.)
If a login/password was given to customers, do customers have any
recollection of it?
Besides, if IBM just wanted to access the site, they did not need to "hack";
they could just ask a SCO customer for it. Perhaps IBM or a company owned by
IBM might have already bought a license, being therefore a customer with a
right to download the file. Right?
Cheers.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 04:56 AM EST |
"12. My team and I accessed SCO's website from the Internet, using a
standard computer and web browser. Any person with access to the Internet, a
standard web browser and a personal computer or laptop could access SCO's
website and download Linux code, just as my team and I did. [B]No special
expertise would be necessary[/B]"
Isn't that last sentence alone enough to make this claim fail?
To me it appears IBM foresaw the possibility of SCO using 'unclean hands', so
why do SCO go through with it anyway? Utter despair? This makes no sense to me
and looks like an utter waste of time of SCO's account and only a little waste
of time for IBM; I'm pretty sure they've already prepared for this.[ Reply to This | # ]
|
- IBM laid a trap? - Authored by: Anonymous on Thursday, December 16 2004 @ 06:17 AM EST
- IBM laid a trap? - Authored by: Anonymous on Thursday, December 16 2004 @ 08:49 AM EST
|
Authored by: Wesley_Parish on Thursday, December 16 2004 @ 05:27 AM EST |
I went to The SCO Group ne Caldera ftp site several times during 2003 and I
can verify that the ftp site was set up in exactly the same way as most other
ftp sites it has been my joy to visit. My browser handled the login details
sending it the bog-standard "anonymous" password or my email address, I'm not
sure.
I got exactly the same experience as I encountered first experiencing the WWW
in 1996 and browsing the Auckland University and University of Canterbury (NZ)
ftp sites in search of good programming software to supplement or supplant the
DOS/Windows software I was using in the Lincoln University (NZ) courses I was
doing.
Any idea that visiting an open ftp site was trespassing is rubbish - ftp is a
specialized form of data transfer via a network, and is exactly the same as
visiting a web site.
Network intrusion is quite different and anyone with half a brain capable of
symbolic as opposed to shambolic processing will understand that!!!
--- finagement: The Vampire's veins and Pacific
torturers stretching back through his own season. Well, cutting like a child on
one of these states of view, I duck [ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 05:28 AM EST |
SCO's action is just another desperate diversionary tactic.
They know each of these diversionary tactics will eventually fail. However they
are just trying to buy time because they believe the fairy godmother will
eventually appear, if only they can stay alive long enough![ Reply to This | # ]
|
|
Authored by: heretic on Thursday, December 16 2004 @ 05:36 AM EST |
Anonymous FTP
One of the earliest methods of Internet publication, anonymous FTP uses the
FTP Protocol along with some simple conventions. (emphasis added)
FTP was designed to let a user connect a remote system on which he had an
account, authenticate himself using a userid/password combination, then
navigate a directory hierarchy and retrieve files.
Anonymous FTP extends this idea by allowing users without accounts to use FTP
for retrieving "public" (emphasis added) data.
To do this, a user connects to an anonymous FTP server with a normal FTP
client, offering anonymous as a userid and sending an identifying string,
typically an email address, as password. Servers configured for anonymous FTP
will accept almost anything as password, so this information is really based
on an honor code.
Once connected in this manner, the user can examine the server's file
repository and download anything of interest using FTP's standard
capabilities. Anonymous FTP servers typically implement various security
measures to prevent anonymous users from access anything but an area
designated for public information.
From Connected: An Internet Encyclopedia
Even worse from a pure legalistic point of view is probably the following:
What is Anonymous FTP?
Anonymous FTP is a means by which archive sites allow general access to their
archives of information. These sites create a special account called
"anonymous". User "anonymous" has limited access rights to the archive host,
as well as some operating restrictions. In fact, the only operations allowed
are logging in using FTP, listing the contents of a limited set of
directories, and retrieving files. Some sites limit the contents of a
directory listing an anonymous user can see as well. Note that "anonymous"
users are not usually allowed to transfer files TO the archive site, but can
only retrieve files from such a site.
Traditionally, this special anonymous user account accepts any string as a
password, although it is common to use either the password "guest" or one's
electronic mail (e-mail) address. Some archive sites now explicitly ask for
the user's e-mail address and will not allow login with the "guest" password.
Providing an e-mail address is a courtesy that allows archive site operators
to get some idea of who is using their services.
From RFC1635 - How to Use Anonymous FTP
heretic [ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 06:14 AM EST |
From The Register
http://www.theregister.co.uk/2003/08/08/sco_still_offers_infringing_linux/
"Published Friday 8th August 2003 00:49 GMT
"SCO has told the public that its version of Linux is no longer for sale
due to its legal pursuit of IBM and Linux users. That much is true. In fact, the
code does not cost a penny with SCO providing a rather swift download site for
SCO Linux.
"Close to 30 Reg readers have sent along the following link
(ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-020.0/SRPMS/linux-2.4.13-21S.src.rpm)
that leads directly to a FTP download of the Linux kernel, at the time of this
report. It's part of SCO's OpenLinux 3.1.1.
(...snip...)
"This link to SCO's code has been talked about for quite awhile, so we
wonder why the legal team of Boies Inc. would let it stay up. ®"[ Reply to This | # ]
|
|
Authored by: fredex on Thursday, December 16 2004 @ 06:24 AM EST |
"the bottom line is that it's an unproven allegation. From
SCO"
I'm shocked, SHOCKED I say!
:^/[ Reply to This | # ]
|
|
Authored by: elderlycynic on Thursday, December 16 2004 @ 06:27 AM EST |
The UK Computer Misuse Act 1990 says:
1. (1) A person is guilty of an offence if:
(a) he causes a computer to perform any function with intent to secure
access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the
function that that is the case.
17. (1) The following provisions of this section apply for the
interpretation of this Act.
(5) Access of any kind by any person to any program or data held in a
computer is unauthorised if:
(a) he is not himself entitled to control access of the kind in question
to the program or data; and
(b) he does not have consent to access by him of the kind in question to
the program or data from any person who is so entitled.
For example, if I meet another delegate at an IT conference and he says
"I am system manager of XXX; here is a username and password for access
to YYY", am I breaking the law if I use that without further checking?
And how would the prosecution disprove such a defence?
Similar remarks to the ones you quote have been made by lawyers about it
being simultaneously draconian and unenforceable. The only case I heard
of was so serious (and clear-cut) that it could equally well have been
prosecuted as malicious damage or some other ancient law.
[ Reply to This | # ]
|
|
Authored by: spuluka on Thursday, December 16 2004 @ 07:01 AM EST |
IBM can say they were just investigating someone abusing their copyrighted
material. SCO then has to prove it is their copyrighted material to advance
their criminal accusation and found their "unclean hands" claim. This of course
is the ball game.
The Pittsburgh federal prosecutor and FBI dropped a case in Pittsburgh because
the victim did this type of investigation on their own. In that case the victim
entered a former employee's computer at his new company where he had stolen
source code. The FBI told him that because he could guess the person's password
and gain access, the criminal case was over for unclean hands. It was no
defense that he was seeking evidence of his own stolen property being there,
even though it was true. The act of using a password that was not his own sunk
his case.
--- Steve Puluka
Pittsburgh, PA [ Reply to This | # ]
|
|
Authored by: Steve Martin on Thursday, December 16 2004 @ 07:02 AM EST |
I think it's worth pointing out (just for the sake of accuracy) that, while
link number 4 in the quoted document above indeed would have initiated an
anonymous FTP transaction, the other three are links via HTTP, authentication of
which would have been handled by the HTTP server.
Netcraft shows linuxupdate.sco.com to be running Apache on Linux.
Authentication on such a system can be as simple as checking against a
plain-text "hidden" file in the directory being accessed, or it can be much
more stringent (even including querying a MySQL database for credentials). All
of these, however, require setting up by the sysadmin; they are not present and
active by default.
There is no escaping the fact that some sysadmin at TSG failed to implement the
required setup properly (since the system allowed access with no user ID and no
password), and that resulted in an improperly protected system, one for all
purposes identical to one where no setup had been done at all. Thus, no
"circumvention" of the security features would have been needed, because said
"security" features were non-functional. I can't complain that someone broke
into my house if I left all the doors and windows unlocked.
So yes, IBM did in fact access TSG's download site via anonymous FTP, but they
also accessed using protocols that could have been restricted by TSG, but in
effect weren't. Thus, TSG IMHO (IANAL) cannot claim "hacking" (or, ahem, the
more correct term "cracking") if no restrictive features were in use.
--- "When I say something, I put my name next
to it." -- Isaac Jaffee, "Sports Night" [ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 07:15 AM EST |
"Where, for example, is there a $5,000 loss to SCO?"
How about the
$5B loss they are eventually going to suffer?[ Reply to This | # ]
|
|
Authored by: om1er on Thursday, December 16 2004 @ 07:51 AM EST |
I live for the day that happens.
You know it's coming. It is just so obvious.
---
Keeping an eye on the bouncing ball.[ Reply to This | # ]
|
|
Authored by: jp.fielding on Thursday, December 16 2004 @ 07:58 AM EST |
i admit that i'm not intimate with all provisions of the GPL, but wouldn't this
be at odds with freely available source? if they've modified it, and are
distributing, don't they have to make it freely available? customer only
(assuming paid) password protected sounds off.
IANAL, heck, i ain't even reel smart![ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 08:21 AM EST |
Shouldn't they have to provide it if you just ask? They are possibly a third
party and certainly anybody who has purchased any version of Linux from SCO
would be able to then provide it to IBM (it's GPL'd after all). The GPL says
they must provide it for three years. Surely somebody has actually asked them
by now?
---------------------- Section 3 of GPL Below -------------
3. You may copy and distribute the Program (or a work based on it, under
Section 2) in object code or executable form under the terms of Sections 1 and 2
above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source
code, which must be distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to
give any third party, for a charge no more than your cost of physically
performing source distribution, a complete machine-readable copy of the
corresponding source code, to be distributed under the terms of Sections 1 and 2
above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to
distribute corresponding source code. (This alternative is allowed only for
noncommercial distribution and only if you received the program in object code
or executable form with such an offer, in accord with Subsection b above.) [ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 08:22 AM EST |
Thanks Pamela and friends for another great insight into the legal system ...
have a great day![ Reply to This | # ]
|
|
Authored by: PenguinLust on Thursday, December 16 2004 @ 08:26 AM EST |
Why does it look like IBM's efforts were concentrated on OpenLinux and not
OpenServer?
IBM states they accessed these pages all of which seem to deal with SCO's no
longer existent linux product.
I observed while a member of my team accessed via the Internet the following
four SCO web pages, and downloaded code from these web pages:
(1) http://linuxupdate.sco.com/scolinux/update/RPMS.updates;
(2) http://Linuxupdate.sco.com/scolinux/SRPMS;
(3) http://linuxupdate.sco.com/scolinux/update/RPMS.scolinux; and
(4)
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/server/CSSA-2002-026.0/SRPMS.
While SCO seems to be talking about their Unix product.
"SCO provided its customers who purchased SCO Server 4.O with a
password to enter at a log-in screen so that only they could access source code
via the internet."
It looks like SCO's real claim is that they never offered OpenLinux and instead
IBM accessed OpenServer. It's either that or their lawyers are over-tired from
work and misread IBM's statement.
On a side note while trying to find reference to OpenLinux on the current SCO
website, I noticed they have a static PR blurb on "5 Reasons to choose Unix
instead of Linux".[ Reply to This | # ]
|
- Errrr? - Authored by: Steve Martin on Thursday, December 16 2004 @ 09:51 AM EST
- Errrr? - Authored by: frk3 on Thursday, December 16 2004 @ 10:22 AM EST
|
Authored by: mhoyes on Thursday, December 16 2004 @ 08:28 AM EST |
Let's say that SCOG tries to say that if the evidence is admitted, then they lose
their $5bil lawsuit. This would be the damages required so then you can get it
thrown out. But if you do that, then there are no damages, so it should be
accepted.
I know the legal system doesn't work that way, but it is an interesting view.
meh[ Reply to This | # ]
|
- Are you saying? - Authored by: Anonymous on Thursday, December 16 2004 @ 02:42 PM EST
|
Authored by: kberrien on Thursday, December 16 2004 @ 08:35 AM EST |
I would say PJ and Webster have done more research on this whole issue, than SCO
did itself before making their claim. Otherwise they would not have brought it
(except of course to toss marbles on the floor and delay). It's really sad.[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 08:39 AM EST |
Yet another one of SCO's obligations under the GPL, as a commercial distributor
of binary code without complete source code attached (specifically, boxed sets
of its OpenLinux distribution):
b) Accompany it with a written offer, valid for at least three years, to give
any third party, for a charge no more than your cost of physically performing
source distribution, a complete machine-readable copy of the corresponding
source code, to be distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange
IBM is certainly any third party. IBM can certainly argue that they were
entitled to source code access on the basis of GPL section 3(b), as I quoted
above. If SCO does not provide source code to third parties for three years
after selling a CD of compiled software -- and it appears they have taken steps
to avoid distributing source code to third parties -- then they are prima facie
in violation of the GPL. Is that REALLY what SCO wants to argue here? Perhaps
their lawyers really do need to take a "GPL for Dummies" course. [ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 08:53 AM EST |
If the binaries were accompanied by the source code then SCO's obligations under
section 3 of the GPL are covered by sub-section a and SCO has no obligation
under sub-section b.
Of course proving that IBM employees should know that software distributed
freely planet wide is somehow "unauthorized" when distributed from SCO
servers seems like an awful stretch of the imagination.
It's as if IBM was looking for a water fountain, there were signs and people
telling them there was a water fountain through a door, IBM went through the
unlocked door, there was the water fountain and then they were accosted for
"breaking and entering". The public has certain rights of perception
that you just can't ignore without seriously handicapping people's ability to
interact (sans legal counsel). If you install a water fountain, distribute the
knowledge of its existence, fail to secure the location and make no attempt to
inform people of the water fountain’s private nature you can hardly cry foul
when the general public uses it. That almost sounds like some sort of
entrapment designed to abuse the legal system and ensnare innocent citizens.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 08:56 AM EST |
Or from one of their other lawsuit targets? (e.g. Autozone). Methinks it very
possible they might have done a comparable thing sometime.[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 09:08 AM EST |
Not a Lawyer but:
Since whether or not IBM encountered and bypassed any "access
restrictions" appears to be a matter of fact not law, and since for summary
judgement the judge has to interpret all disputed matters of fact in favor of
the non-moving party, is this accusation enough to derail the motion for partial
summary judgment?
Devon Gnoll
[ Reply to This | # ]
|
|
Authored by: John Hasler on Thursday, December 16 2004 @ 09:16 AM EST |
-- [ Reply to This | # ]
|
|
Authored by: CRConrad on Thursday, December 16 2004 @ 09:21 AM EST |
It can never apply, since paragraph 5 is a logical union of sub-paragraphs 5
(A) and 5 (B), and certainly none of the clauses of 5 (A) applies to IBM. Look
just before the "B":
"; and (B) by conduct described in clause (i), (ii), or (iii) of subparagraph
(A), caused [...]"
All the clauses ("(i), (ii), or (iii)") of sub-paragraph 5 (A) deal with
variations of "caus[ing] damage" to a ("protected") computer -- which, AFAICS,
presumably must mean SC^H^HCaldera's Web server, since that's the only machine
IBM accessed "without authorization".
I'll bet you anything they aren't going to succeed in a claim that IBM
downloading these files, as opposed to anyone else doing so, somehow damaged
the Web server they downloaded from.
---
--
Christian R. Conrad
Helsinki, Finland E-mail: MyUserID@MyISP.CountryCode [ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 10:07 AM EST |
Given SCO's own behaviour, I wouldn't put it past them if:
a) They are arguing a passwordless or empty/null password download would
constitute what they are arguing.
b) They put a password ONLY for IBM-assigned IPs (which would explain why nobody
here remembers having to enter a password other than empty/null/anonymous or not
at all).
I guess we'll have to wait for IBM's response and future SCO documents to know
for sure.[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 10:14 AM EST |
... merely using rights based on their paid up non-revocable license to SVR4 to
access SCO's site?
IBM IS still a SVR4 licensee, right?[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 10:15 AM EST |
. . . Does this mean I have to have management's permission to go in? Uh, no. If
Wal-Mart tells me to leave, yes, I have to leave. But they can't arrest me for
burglary.
Same with SCO's FTP site. It was open 24 hours and didn't require a password.
Do you need a jury for this?[ Reply to This | # ]
|
|
Authored by: darkonc on Thursday, December 16 2004 @ 10:16 AM EST |
I grabbed a copy of kernel-source-2.4.19.SuSE-133.nosrc.rpm (it's gone now)
back on June 18, 1993. I published the GPG signature of the file in a slashdot
journal article. (I think I also posted it in a public comment at about the
same time). There was no password required -- other than the anonymous FTP
practice of asking for something that looks vaguely like an email address,
which is handled automatically by almost all FTP programs.
If SCO's "bug" is that the site was available via anonymous FTP, this is both a
requirement of the GPL, and would give absolutely no indication to IBM
investigators that the information was protected -- quite to the contrary, it
would be like charging me with trespassing for showing up at your open house at
5pm, not realizing that you intended to pull the sign down and close the door
at 4pm.
(with the reason for the trespassing charge being that, when I went to examine
the bedroom, I found you in bed with my wife and charged you with adultery).
--- Powerful, committed communication. Touching the jewel within
each person and bringing it to life.. [ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 10:17 AM EST |
This is not quite as funny as the story I read about the burglar who goes in
through a window, breaks his arm, and SUES the company he was trying to rob for
his injury. However it is in the same class.
On the other hand Microsoft "WON" the antitrust lawsuit by finding a
loophole, so perhaps this is not as funny as me thinks.
[ Reply to This | # ]
|
|
Authored by: jim Reiter on Thursday, December 16 2004 @ 10:42 AM EST |
This is an allegation - as with all the TSG material, it
requires that we believe the TSG version of things - even
though TSG has shown itself to be a blatant liar on many
occasions.
The only reason it gets attention is because there is
nothing else to write about.
My reply to TSG is " (_!_) "
Sorry PJ, but enough is enough. [ Reply to This | # ]
|
|
Authored by: brian on Thursday, December 16 2004 @ 11:01 AM EST |
"And my next question was, Is this going to fly? What happens now? How bad
could it get? Why would SCO do this? In litigation, nausea at the loathsome
tactics of others is useless. You have to answer everything successfully. So,
despite my feeling that SCO should be ashamed of itself for even raising the
issue, what about that statute? "
Half of me wants SCO to lose this argument and half of me wants SCO to win
it....
Now before you get that look on your face hear me out...
I want SCO to lose it for the IBM case (and knowing how bad the SCO legal team
is they probably will). It is a silly argument when they didn't have it
protected at the time.
OTOH, if they win it then everyone being sued by the MPAA / RIAA can use this
same ruling / law in defense. That should cut the RIAA / MPAA pirates off at the
knees when the thousands they already sued countersue for violation of the
Computer Fraud & Abuse Act violations....
One can dream...
B.
---
#ifndef IANAL
#define IANAL
#endif[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 11:01 AM EST |
Focusing on this particular URL:
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/server/CSSA-2002-026.0/SRPMS
Two components of this URL are very telling about the intent and purpose of the
file that was downloaded. It is a standard in the software industry that the
URLs for a company would appear in the form "http://www.company.tld" (for the
public web site) and "ftp://ftp.company.tld" (for the public ftp site). In
SCO's case, the web site is "http://www.sco.com", so the standard for their
public ftp site would be "ftp://ftp.sco.com".
In addition, the "/pub" is also an industry standard as a short form of
"public". I would expect anything under /pub to be open to the general public
by default, personally, and I suspect that 99% of anyone who uses FTP would
think the same way as I do.
As a further extension, "/pub/incoming" is the default place for the general
public to upload files to a public FTP site so they can be checked by the site
owner. This indicates that /pub has been a standard for so long that other
standards have been built on top of it.
SCO, as a technology company, is aware of this detail, even if it is
inconvenient.
Following from my 99% logic, IBM had a reasonable expectation that anything
under ftp://ftp.sco.com/pub was fair game. If, however, SCO was using it as a
honeypot in an attempt to entrap IBM . . . shouldn't that be interpreted to
mean that SCO has unclean hands here?
I can imagine that in front of Judge Kimball - "So, you set a trap for IBM?"
would be an interesting comment to have in the public record.
Of course, if SCO has now password-protected that site, aren't they in admitted
violation of the GPL requirements that they freely redistribute the GPL
software that they used in their version of Linux? Is it time to start burying
them in GPL lawsuits? [ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 11:19 AM EST |
If IBM says in its response, "SCO has presented no evidence to support
its assertion that IBM has dirty hands," would that answer this canard
sufficiently? AFAIK, SCO hasn't offered any deposition or statement that
asserts the "dirty hands for accessing an anonymous FTP site" defense; all we
have is their lawyers saying it is so. Do the Nazgul really have to spend any
more effort than that to keep the PSJ on track? [ Reply to This | # ]
|
- Easy IBM answer? - Authored by: Anonymous on Thursday, December 16 2004 @ 01:59 PM EST
|
Authored by: Anonymous on Thursday, December 16 2004 @ 11:23 AM EST |
FWIW, the first 3 links that aren't linked in the above message, do indeed have
a password protection scheme applied as of my attempt to access them this
morning.
However, the last link is still open to anonymous access, I'm looking at it with
gftp right now.
So my opinion is that the password access to the other site was not, in all
probability, in place on that August 2004 day that IBM accessed it and
downloaded their own copyrighted code, made freely available to anyone of
the "public" who has a computer with the usual complement of browsers
and ftp agents.
However, I note that the there subdirs of /pub/OpenLinux311, are indeed empty as
of today, effectively saying that the stuff isn't available *today*.
However, in other subdirs of the /pub tree, there are plenty of downloadable
files shown. I don't have any use for any of it, so I won't waste my bandwidth.
There is a Legal Notice file in the above subdir, which reads in part that new
procedures to access the updates for OpenLinux-3.1.1 were instituted on 1
November 2003.
However, and I find this very telling, that file is dated June 25 2004!
Make of it what you can.
--
Cheers, Gene
[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 11:24 AM EST |
This is all interesting, but a bit of a tangent and perhaps irrelevant. The
main value of Bennett's affidavit is to indicate that unrestricted access to
Linux via SCO's servers was available to any one in Jan. '04. Remember that in
the Summer of '03, SCO had to answer arguments that it had already GPL'ed
whatever it thinks it has in Linux when it distributed a Linux product. This
was mainly answered with the assertion that it didn't know about its ip at the
time. (I think it was also answered with some vague explanation that 2.2 was
clean but 2.4 was jam-packed with SCO ip, which in some sense contradicts the
"we didn't know" assertion.) And yet, months after "it knew," it was still
distributing. (January '04 is an interesting point in time as it was the month
after SCO indicated it was going to prepare a copyright infringement claim
within the next 30 days.)
So what happened in August? Did the IBM employee who checked SCO's site own a
registered copy? Did the employee exploit the configuration error (SCO calls it
a software bug), the publicly reported URL, and bypass any requests for
passwords? Was the employee, throughout 2004, visiting a bookmarked URL and,
without knowing it, bypassing the legal notices and password requests? (In
which case, the affidavit documents that some day in August '04 was the last
time the bookmark worked.) Was SCO's Linux distribution still available via
http or anonymous ftp? Perhaps the employee actually engaged in some sketchy
(but commonly known) means to access the site's file listings. A supplemental
affidavit detailing the nature of the August '04 access would clarify the
issue, to the degree it matters.
Now here's where the lawyers can help me. Suppose that IBM cannot successfully
show that its activities are completely above board. Does that throw out the
entire counter-claim or does it only throw out the evidence obtained with
unclean hands. The latter seems to be the correct scale to me. So, the
"available in August" part of the affidavit is stricken and we are left with
IBM obtaining evidence in Jan. 04 of the distribution of IBM's copyrighted
files by SCO. The August '04 evidence is gratuitous. The unclean hands
assertion about the obtaining of the August '04 evidence is a red herring. In
my humble opinion, of course. [ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 11:32 AM EST |
Yale accused Princeton Admissions of "hacking" over the same kind of
issue. I don't remember how things were resolved, but I believe SCO is
expecting to use something like this. Another case involved news journalists
"guessing" URLs and getting information before it was meant to be public.
Then again, if IBM purchased a copy of SCO OpenServer (and IBM does have that
kind of money), then there is no question that it was authorized by SCO to
download the product. And if that product contained IBM code that wasn't
supposed to be restricted the way SCO restricted it, I don't see SCO's claim of
unclean hands going anywhere. [ Reply to This | # ]
|
|
Authored by: mossc on Thursday, December 16 2004 @ 11:35 AM EST |
Simple for the Judge to clear this up:
Judge: Do you acknowledge that the files were available for public download at
some point?
TSG: Yes
Judge: What day precisely was the access restricted?
TSG: Um, well, not sure
Judge: Do you have a sworn affidavit by the person who actually implemented this
restriction?
TSG: No, but Sontag read something about it.
Judge: Do you have records of when your customers were notified they would need
accounts and passwords to access the downloads?
TSG: um, well no
Judge: Do you have any records that show this was ever required?
Do you have any evidence that you ever actually issued a registered user a
password?
Any customer that will swear to that?
Any server logs that show authenticated downloads?
Have you filed any criminal charges?
TSG: ???? (maybe some snoring from silver)
IBM: We do have several articles mentioning that downloads were available on a
specific date, and thousands of internet users who have copies of the files
who will swear that they were able to download them without
password/authentication on specific dates.
Chuck
[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 11:38 AM EST |
Wouldn't that be hilarious, if IBM are authorized, with police power, to raid
any site they please if they just *think* it has some of their copyrighted work
on it? That would frost Orrin Hatch's shorts. In this case, IBM would even
have good cause to believe it, not like the RIAA going after some 12 year old
girl with Orrin's blessing.
On top of that the site was open. No real password required (just an email
address for anonymous, and even THAT is not required under the FTP protocols).
Does it qualify as a password if EVERYBODY who knows your email address knows
the "password" that any anonymous site requests. Is George W Bush
then an automatic potential SCOG "hacking" felon, just because
somebody knows his email address? I sure hope Judge Kimball doesn't have an
email address! The criminal! ;)
It was desperation by SCOG, but the claim finally puts SCOG in the noose IBM
wants them in. If they persist claiming the code was not available, they were
in violation of GPL and IBM wins the counter. If they say it *was* available,
they've refuted the GPL too by adding the extra license requirement, and were
distributing IBM copyrighted code without an appropriate license. Either way,
they lose.
Even better: no matter which way IBM goes, EVERY OTHER GPL code writer can now
go after SCOG, maybe in small claims court (imagine that! Tens of thousands of
cases around the world, which could not be gathered into a class action either.
Neat!).
SCOG dug themselves a hole so deep, it's starting to make a black hole look like a
little bump. Oh sure, no light gets out of a black hole but no TRUTH gets out
of a SCOG hole, violating Hawking's information flow theorem for black holes. So
the SCOG hole is "deeper" than a black hole!
SCOG Hole (or maybe just SCO Hole). Has a nice ring.
With two, it even works for Christmas: SCO Hole Hole!
Maybe they'll get an extra lump of coal this year. [ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 11:49 AM EST |
"After news of a bug in the website's security system was reported on
internet websites, IBM exploited the bug to bypass SCO's security
system..."
I noticed that some of the files were from the FTP site. Is it possible that
BOTH the web server AND the ftp server had a "bug" AT THE SAME TIME?
Also, the FTP URL is as follows:
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/server/CSSA-2002-026.0/SRPMS
Doesn't "pub" stand for "public"?
fb.[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 12:08 PM EST |
It is indisputable that ftp.sco.com was open to the public, so IBM was safe in
accessing it. The question is whether linuxupdate.sco.com was intended to be
publicly accessible, or, rather, whether IBM could reasonably assume that it
was intended as such.
There are three possibilities with regards to SCO's intentions:
1) SCO intentionally left the site unprotected because there was nothing on it
worth protecting.
2) SCO tried to protect the site, but inadvertently left it open. They were
aware of the problem, but took no steps to fix it because there was nothing
worth protecting.
3) SCO tried to protect the site, but inadvertently left it open, and didn't fix
it because they were unaware of the problem.
It seems to me that assumptions 1 and 2 are far more reasonable than 3. Here is
what IBM could have been thinking:
- Allowing open access to Linux sources is a virtually universal practice.
- It is very unlikely that the SCO IT dept doesn't know how to password-protect
a web site.
- If the SCO IT dept simply forgot to take some of the steps necessary to
protect the site, it seems likely that this problem would be noticed by glancing
at a log (or reading Groklaw!). Therefore, the failure to fix it must have been
intentional.
I think that IBM can reasonably claim that they accessed the site in good faith.
If SCO continues to dispute this, IBM can subpoena the SCO IT dept.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 12:28 PM EST |
Let me give a legal analysis of SCO's claim (I am a lawyer, BTW) -- SCO's claim
of "unclean hands" is inapplicable, irrelevant, and incorrect as a
matter of law.
Here's why. The fundamental concept of the equitable defense of "unclean
hands" is the following: if a moving party in a complaint has himself
committed the same wrongs, or is responsible for the chain-of-causation that
contributed to the creation of the complained-of behavior, then the moving party
has come to the courts with 'unclean hands', and is, in a sense, equitably
estopped from soliciting the court's help.
So -- SCO would have to show, as part of an unclean hands defense regarding
infringement, that IBM cannot complain (is estopped from complaining) about
SCO's infringement because IBM had somehow participated and facilitated SCO's
infringing acts.
What were SCO's infringing acts? Continuing to release the LINUX code after
violating the GPL. Did IBM 'participate' or 'facilitate' SCO's activities in
releasing the code? NO.
What did IBM do? IBM merely gathered evidence of SCO's infringing acts, by
documenting, for the court's consideration, evidence that SCO continued to
distribute the code after notice that they were infringing IBM's rights under
the GPL.
IBM's access to SCO website is offered by IBM only to prove that public access
was possible, and that SCO was continuing to provide the code with the intent
that members of the public could access it and use it. IBM was not 'stealing'
evidence from SCO, i.e., securing SCO's files to gain access to the CONTENT of
the files. IBM was merely demonstrating that SCO was PROVIDING access to the
files. And IBM was demonstrating that fact in the only possible way, by
accessing the SCO site and documenting that the files were being proffered by
SCO.
SCO, by the way, cannot claim that its contractual obligations to its existing
customers somehow trumps or negates IBM's rights to protect IBM's IP. The fact
that SCO has existing obligations to 3rd parties is SCO's problem, not IBM's,
and cannot create, out of whole cloth, an SCO right to infringe IBM's IP.
So -- to net it out -- if IBM was collecting evidence for trial, i.e.,
documents where IBM intended to prove at court the truth of the matter asserted
in such documents -- then IBM could potentially be subject to an "unclean
hands" defense. However, IBM is merely demonstrating that the documents
EXIST on SCO's website, in a form being offered to all or some of the public.
And IBM has apparently successfully proved that. The act of access is the form of
proof, not the content of the docs (because that can be proved independently).
Therefore -- no unclean hands defense should be available. [ Reply to This | # ]
|
|
Authored by: ujay on Thursday, December 16 2004 @ 12:34 PM EST |
I find the usage of the term unauthorized to be somewhat fuzzy.
Not being a lawyer, my assumption here may be wrong, but unauthorized seems to
imply, in legal terms, a lack of consent to the access.
On the computer, the term is quite different. In *nix systems, ALL connections
are passed through an authentication module, and if not a recognized authorized
account, refused entry.
Even an 'anonymous' account must be granted authorization.
If I log on to an FTP site as 'anonymous', I get the message 'Anonymous access
granted' with a password prompt (usually just your email address or 'mozilla@',
etc...). That is a direct granting of authorization for access to the site.
SCO's spin on this will not stand up to any level of scrutiny, as the access was
granted without having to take any steps to bypass nonexistent security
measures. Even if their intent was to limit access to password protected
customer accounts, by leaving the anonymous account active, they are authorizing
access via the authorization modules to anonymous accounts.
Whatever SCO management may say about this issue, the fact remains that the
logon by IBM to their public area was AUTHORIZED by the server itself, and
AUTHORIZATION WAS GRANTED.
---
Oh NO! Spankme.com just threw a brick through our Windows![ Reply to This | # ]
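Added example, not part of the thread: the comments above ask whether any server logs show authenticated downloads, and point out that an anonymous FTP login is itself granted by the server. Assuming the server wrote a wu-ftpd-style xferlog (the page does not say what software or log format SCO's server used), this Python code separates anonymous from authenticated transfers in a constructed sample; all hosts, paths and user names are invented.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in wu-ftpd xferlog layout; hosts, paths and users are invented.
SAMPLE_XFERLOG = """\
Thu Aug 14 10:21:07 2003 3 host1.example.net 35120012 /pub/example/SRPMS/kernel.src.rpm b _ o a someone@example.net ftp 0 * c
Thu Aug 14 10:25:40 2003 1 host2.example.org 20480 /pub/example/README b _ o a mozilla@ ftp 0 * c
Fri Aug 15 09:02:11 2003 2 cust.example.com 51200 /private/example/patch.tar b _ o r customer1 ftp 0 * c
Fri Aug 15 09:05:00 2003 4 host3.example.net 1024 /pub/example/partial.rpm b _ o a anon@example.net ftp 0 * i
this line is not an xferlog record
"""

# xferlog access-mode field: a = anonymous login, g = guest, r = real (password) account
ACCESS_MODES = {"a": "anonymous", "g": "guest", "r": "real"}


def parse_xferlog_line(line):
    """Parse one xferlog record; return None if the line does not fit the layout."""
    tok = line.split()
    if len(tok) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(tok[7])
    except ValueError:
        return None
    # The last nine fields are fixed; whatever sits between is the file name.
    ttype, action, direction, mode, user, service, auth, auth_id, status = tok[-9:]
    if mode not in ACCESS_MODES or direction not in ("o", "i", "d"):
        return None
    return {
        "time": when,
        "host": tok[6],
        "size": size,
        "file": " ".join(tok[8:-9]),
        "direction": direction,          # o = download from the server
        "access": ACCESS_MODES[mode],
        "user": user,                    # for anonymous logins: the string typed as password
        "complete": status == "c",       # c = completed, i = incomplete
    }


def summarize(log_text):
    """Count completed downloads per access mode and find the last anonymous one."""
    records = [r for r in map(parse_xferlog_line, log_text.splitlines()) if r]
    done = [r for r in records if r["direction"] == "o" and r["complete"]]
    anon_times = [r["time"] for r in done if r["access"] == "anonymous"]
    return {
        "records": len(records),
        "completed_downloads": dict(Counter(r["access"] for r in done)),
        "last_anonymous_download": max(anon_times) if anon_times else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_XFERLOG))
```

The date of the last completed anonymous download bounds when unauthenticated access was still being served, which is the date question posed in the thread.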
|
|
Authored by: overshoot on Thursday, December 16 2004 @ 12:43 PM EST |
Actually, I'm a bit disappointed if IBM doesn't have hard records of the process
used. A video record of the process using visual tools is the common approach,
but they could also have simply used wget and captured the logfiles.
Again, I would expect a hard record of the downloads just as standard
chain-of-evidence stuff; the defense against an "unclean hands" accusation
would simply be a fortuitous benefit. [ Reply to This | # ]
|
|
Authored by: tangomike on Thursday, December 16 2004 @ 01:51 PM EST |
1. There is no 'SCO Server 4.0' according to TSCOG's website knowledge base.
2. Sontag Declaration 17 - 19, where there are such paragraphs, do not refer in
any way to IBM access to TSCOG internet sites.
Is this just my incompetence, or has the crack TSCOG legal team filed more
erroneous briefs?
The recent filing to correct errors made in earlier submissions raises the
question, "How many mistakes do parties get to make?" The reason I ask
is that in order to rebut TSCOG arguments you'd have to be able to figure out
what they were. When TSCOG states something about a product they don't sell, how
do you challenge that?
---
In a recent survey 87% of respondents thought TSCOG are greedy and dishonest.
The other 13% thought they are also stupid.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 03:27 PM EST |
This is an on Register article from last August, that points to the Linux
RPMs on the SCO ftp server. The link of course is now broken. But here's where
it gets interesting.
ftp://ftp.sco.com/pub/updates/mirrors.xml says "NOTICE: Linux users go to:
www.thescogroup.com/support/linux_info.html."
Linux_info.html says
How to access RPMs and SRPMs for OpenLinux, eServer, or eDesktop
through the password accessible download area.
The Linux rpm and sprm files once available on SCO's ftp site are now offered
for download to existing customers of OpenLinux, eServer, or eDesktop through a
protected download area. To enter these areas you will be asked for a username
and password. If you do not have a username and password, please read the
Registration section below. [emphasis added]
This is a pretty clear indication that these files were once available via ftp
outside of a "protected download area."
IBM Lawyers, are you listening?
-- davidwr_ [ Reply to This | # ]
|
|
Authored by: kbwojo on Thursday, December 16 2004 @ 04:10 PM EST |
Wouldn't having to register to download these files be a further restriction
that would violate section 6 of the GPL?
6. Each time you redistribute the Program (or any work based on the Program),
the recipient
automatically receives a license from the original licensor to copy, distribute
or modify the Program subject to these terms and conditions. You may not
impose any further restrictions on the recipients' exercise of the rights
granted herein. You are not responsible for enforcing compliance by third
parties to this License.[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 04:14 PM EST |
If SCO can't prove 'unclean hands', it can't win this issue, hurting its
credibility. Not winning the lawsuit means no windfall earnings from the
lawsuit. It also means more lawyer costs pursuing a spurious dead end.
Well maybe it won't hurt SCO's reputation (= litigate, stall, litigate).[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 04:45 PM EST |
This whole thing may be the matter of law, but as a matter of fact, I have (on my
backup tapes) copies of Linux 2.4.13, downloaded as source RPM (SRPM) from SCO FTP
site, as late as August 2003. This is way beyond the date they claimed Linux was
infringing. I used a command line FTP client available in Red Hat Linux to do
this and there was no proxy between myself and SCO.
And yes, the SRPM contained a FULL Linux kernel tarball, identical to the one
available from www.kernel.org (verified by md5sum). And yes, I have checked the
text of the licence inside and it was the GPL.
So, SCO can try all they want, but if IBM (or anyone else) asks, I'll give them
my signed statement. BTW, IBM have been notified of this by me. I'm sure many
others did the same.
Bottom line - no hacking (or cracking) was required to do any of this. SCO are
(as usual) full of it.[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 05:16 PM EST |
SCO says:
"SCO provided its customers who purchased SCO Server 4.O with a password to
enter at a log-in screen so that only they could access source code via the
internet."
And says who that IBM don't own a legal copy of SCO Server 4.0?[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 05:28 PM EST |
So if I wanted to search someone else's computer... let's suppose that I know
that they downloaded something from my web site. Can I now sue them and gain
access to their archives to prove that they downloaded something illegally?
Perhaps that's what SCO hopes to do.[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 06:57 PM EST |
Does anyone remember if SCO's web pages had any statement or notification of
what constituted proper use or who was or was not authorized to access the
website? Such notice would have provided SCO a defense against any flawed
password system. I doubt that the presence of a password dialog box by itself
would constitute such notification. I seem to recall a case in the past where a
hacker broke into a VMS system and was caught, but the judge threw out the case
because the message displayed after logging in was "Welcome to VMS".
My computers at work all display healthy notification and warning messages for
similar reasons.[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, December 16 2004 @ 10:56 PM EST |
I believe it would be prudent for IBM to file for discovery of the date and time
stamp of the authentication schema. And demand backup copies of the server before
and after the date that SCO would be required to provide [ Reply to This | # ]
|
|
Authored by: StLawrence on Saturday, December 18 2004 @ 03:45 PM EST |
According to SCO's current website, here are the names of the individuals
responsible for the management and direction of The SCO Group:
Darl C. McBride, President & CEO, Director
Chris Sontag, Senior VP & GM of SCOsource Division
Bert Young, CFO
Ryan E. Tibbetts, General Counsel
Jeff Hunsaker, Senior VP & GM of UNIX Division
Reg Broughton, Senior VP
Alan Raymond, VP
Ralph J. Yarro III, Chairman of the Board
Edward E. Iacobucci, Director
Darcy Mott, Director
Thomas P. Raimondi, Jr., Director
R. Duff Thompson, Director
K. Fred Skousen, Director
Daniel W. Campbell, Director
Inquisitive Googlers are referred to http://www.groklaw.net for complete
information on the results of the management of TSCOG by these individuals.
The Internet has a long memory.
[ Reply to This | # ]
|
|
|
|
|