| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for April 22, 2004Lindows goes for an IPO - a detailed look Digging through IPO registrations is hard work; they tend to be long, legalese-infested, and full of hype. Your editor, however, has been spending much of the last year looking at lawsuit filings, which are a lot worse. The chance to get into an IPO filing was too good to pass up, so, when Lindows submitted its form S-1, we dug right in. Besides, how many SEC filings come with screen shots?Lindows proposes to sell $57.5 million worth of shares in its initial offering. The company will be using WR Hambrecht's "OpenIPO" process, which seeks to price the stock at the highest level the market will bear via an auction process. Other companies which have used this method include Salon and Andover.Net (which is now OSDN and part of VA Software). So what is Lindows? From the filing:
We are a developer and vendor of Linux-based operating systems,
application software and services designed specifically for desktop
and laptop computers in homes, schools and businesses. We use
technology and software developed by the collaboration of
independent Linux developers, referred to as the open source
community, with our own technology and software to offer
affordable, easy-to-use software products and services, many of
which are similar in feel and functionality to our higher-priced
competitors. The cornerstone of our product line is our Linspire
operating system.
The company states that, as computers get cheaper, the cost of Windows becomes more predominant, especially for desktop systems. Price pressures, they say, will cause manufacturers and consumers to look more seriously at Linux. And Lindows, of course, hopes to have the version of Linux which is best suited to this market. A big part of the Lindows plan is to get its distribution installed widely in a short period of time. The company is targeting small computer manufacturers, offering them a "low cost" licensing program. There is also a deal with Seagate, which is pre-installing Linspire on some of its drives. Remember, ten years ago, how you could buy disks with Linux preinstalled? That market is back, it would seem.
Similarly, Elektra, a retail store chain with over 800 stores
throughout Mexico, sells a low-cost computer with Linspire
pre-installed. According to Elektra, since December 2003 and as of
April 2004, Elektra's best selling computer was the Linspire
system, outselling all other desktop computers it offers running
other operating systems.
How does Lindows plan to use the money?
We expect to use a majority of the net proceeds of this offering to
further develop the distribution channels for our Linux-based
operating system, application software and services, to expand our
sales and marketing activities, to continue to develop existing and
new products, technologies and services, to increase personnel, and
to repay substantially all of our outstanding debt obligations to
our founder of approximately $10,400,000.
In other words, the day Lindows goes public will be a good day for Michael Robertson. Lindows says it may also use some of the money for acquisitions. Lindows has to disclose its financial state as part of this offering, of course. The company, it turns out, brought in all of $63,131 in 2002, but that jumped up to just over $2 million in 2003. Even so, Lindows managed to lose over $4 million that year. As of the end of 2003, the company had $250,000 in the bank, a "working capital" figure of $-1.8 million, and $4.7 million in debt. How that figure squares with the $10 million owed to Mr. Robertson (and earning 10% interest) is not entirely clear. From the obligatory "scary risk factors" section:
Lindows claims a little over 250,000 installed systems. How do they know?
Each time a computer running the Linspire operating system is
connected to the Internet for the first time, our CNR technology
automatically records this connection on our servers. We refer to
this connection as a light up. We use light ups to monitor the
growth of our installed base, the effectiveness of our marketing
and distribution efforts and the quality and breadth of our
products and services.
Among other things, Lindows learns who sold you the system when the "light up" occurs. These end-user systems generated some 1.7 million in revenue in 2003. The company has spent some $1.4 million in legal fights with Microsoft. It has extracted most of that back from its insurance carrier through lawsuits, but that case is still outstanding. If things go badly, Lindows may have to repay the insurance carrier, which would hurt. There are still outstanding Microsoft suits in Spain, Canada, and France, and a fight in South Africa would appear to be in the works. Lindows has also sued Xandros, as it turns out. It would appear that Lindows loaned Xandros $750,000 which has not been repaid. As of the end of March, Lindows has 62 employees, 38 of whom are software engineers. The CEO is Michael Robertson, of course, who, under a new agreement, is to be paid $410,000 per year, plus bonuses. Mr. Robertson owns something over 48 million shares of the company - 81% of the total. The number of shares to be sold in the IPO has not yet been specified, but it seems clear that Mr. Robertson will remain in possession of a majority of the outstanding shares. The next biggest holder is the "Burcham Community Property Trust," which is controlled by the parents of Mr. Robertson's wife. Kevin Carmony, the company's president, holds 3 million shares. The aggregate message from this filing is clear: Lindows is trying to go public now because it very much needs the money. The company has large debts, a series of ongoing legal battles, and a need for money to carry its business plan forward. If the IPO fails, Lindows will have to come up with another source of funds in a hurry, or, as its accountants warn, its "ability to continue as a going concern" will be very much in doubt. Someday there will be a thriving market around desktop Linux, and Lindows may, indeed, be well positioned to profit in that market. Getting there will be a challenge, however.
Report from the SCO front It has been a busy week in the SCO world. Remember last October, when BayStar and the Royal Bank of Canada invested $50 million into SCO? That was when SCO's stock hit its high point; it has been all downhill from there. On April 15, BayStar sent SCO a letter saying that it wants its money ($20 million) back. BayStar has concluded that SCO is in breach of the investment agreement, and thus must return the money - plus interest. BayStar has not said, in any public way, how it believes that SCO has breached the agreement; speculation centers, among other things, on SCO's creative representations of its intellectual property rights and failure to disclose Novell's letters contesting the ownership of the Unix copyrights. RBC has not yet tried to call back its share, but may well do so in the next few days.Where this will go is hard to predict. Extracting money by force in this way is not an easy thing to do; BayStar must face the threat that SCO will choose to spend the money on more lawyers fighting the recall rather than hand it over. BayStar's lawyers do have some leverage, however; among other things, the amended agreement reads (Section XV(g)):
[SCO] acknowledges that a breach by it of its obligations
hereunder will cause irreparable harm to the holders of Series A-1
Preferred Stock and that the remedy at law for any such breach may
be inadequate. The Corporation therefore agrees, in the event of
any such breach or threatened breach, that the holders of Series
A-1 Preferred Stock shall be entitled, in addition to all other
available remedies, to an injunction restraining any breach,
without the necessity of showing economic loss and without any bond
or other security being required.
That language would suggest that BayStar can go to a judge and have a good chance at getting an injunction forcing the money to be escrowed until the issue is resolved. Regular stockholders will lose out (not that they had great prospects anyway) but BayStar and RBC will do better. This recall has serious implications for SCO. If both investors pull their money, SCO's remaining bank account will be tiny. The chances of finding other investors are also tiny. SCO's legal fees are not going to get any smaller anytime soon; the prospect of a legal battle with BayStar and RBC can only make that problem worse. Unless some sort of more overt aid comes from companies like Microsoft or Sun, SCO could find itself looking at bankruptcy in the near future. SCO's April 21 announcement that its chief financial officer, Robert Bench, has been replaced may just be coincidental. Mr. Bench will become the "acting vice president of corporate development" until he retires later this year. His new responsibilities will be to "focus on external growth opportunities and industry partnerships" - scrambling for money, in other words. The new CFO will be Bert Young, whose history with companies like Waste Management, Inc. would seem to suit him well to SCO's way of business. Red Hat, meanwhile, has filed a motion for reconsideration in its suit against SCO. The company claims:
Red Hat will suffer manifest injustice from a stay, since SCO
apparently intends to continue to harass and threaten suit against
Red Hat's customers in other jurisdictions, while Red Hat's
declaratory judgment suit here, which was intended to prevent this
precise harm to it and its customers, is forced to languish.
Getting the judge to rethink her ruling (which put the case on hold until the IBM case has run its course) looks like a difficult prospect, but Red Hat had to try. In the IBM case, the latest events have to do with IBM's subpoena for information from S2 Strategic Consulting. S2, remember, is the company that helped to bring Microsoft, BayStar, and SCO together, so it's not surprising that IBM is interested in what was going on there. S2 is objecting to the subpoena, stating that it is not part of this battle and that much of the requested information is confidential. There is some interesting information to be found in this document, however, including:
Without waiver of those objections, S2 responds that it has in its
possession, custody and control documents that entail
communications between it and Microsoft, that relate to parties in
this litigation...
S2 would appearing to be pushing for a protective order to keep these documents from being publicly disclosed. Chances are it will succeed. So we may never see just what was going on between these companies, but IBM can be expected to have some fun with that information. Finally, this whole mess has drawn the attention of another species of shark: lawyers who do shareholder lawsuits. Among those trolling the message boards for potential plaintiffs are Ademi & O'Reilly and, inevitably, Milberg Weiss Bershad Hynes & Lerach. If you were silly enough to buy stock in SCO, believe that SCO should be held legally responsible for the predictable loss of your money, feel like enriching this particular class of lawyer, and believe that there might actually be something left for a settlement with shareholders when the dust settles, these folks would like to talk with you.
Open Source Risk Management's protection plan On Monday, Open Source Risk Management (OSRM) put out several interesting press releases. The company has "certified" that the Linux kernel is free of "source code that could provide a basis for meritorious copyright infringement claims." OSRM has also announced the "Open Source Legal Defense Center" (OSLDC) based in Washington D.C., which will offer membership programs for developers and corporations that might find themselves being sued by SCO or another company looking to make claims on the Linux kernel. We contacted OSRM executive director John St. Clair and OSRM director of research Pamela Jones about the announcements. Jones was kind enough to respond to several questions via e-mail, and St. Clair took the time to grant LWN a phone interview.One might wonder how OSRM could "certify" that the Linux kernel is free of infringement. According to St. Clair, OSRM is not saying that they have proven that none of the code in the Linux kernel is tainted. However, he says that the company has done due diligence and is willing to take the risk of providing legal protection for copyright infringement claims against the kernel. According to Jones:
OSRM's certification can never mean that there will be no claims in the
future; it means that they've taken a look and believe the risk is de
minimus and insurable, and OSRM is sufficiently confident that it is
willing to put its money where its mouth is.
St. Clair declined to provide specifics of the process that OSRM used to research the Linux kernel, but he did say that OSRM has built up "an extensive database of Unix variants... and compared that database against two versions of the kernel, 2.4 and 2.6, to detect matches between those two groups of source code." According to St. Clair, OSRM used in-house technology "unique to OSRM in terms of pattern-matching" and looked for straight text matches and "more obfuscated" code that might be taken from Unix. We asked whether OSRM might release the tools that they used for this research to the community, but St. Clair said there were no plans to do so at this time. We were also curious how the OSLDC would work for developers, and whether $25,000 would be sufficient protection for developers if SCO or another party were to sue them. According to St. Clair:
This will provide developers, who are off on their own many times, a
cost-effective way at $250 to be able to get advice and legal counsel with
respect to their contributions to the Linux kernel. Should they be served
with a subpoena or other legal action regarding their contributions they
would receive up to $25,000 in legal protection from that.
He said that the $25,000 amount should be "pretty sufficient to cover much of their exposure." St. Clair stressed that the OSRM offering is vendor-neutral, and allows developers and corporations to make changes to the code and still receive protection, unlike some of the vendor-specific indemnification plans. He also pointed out that OSRM is not selling insurance, but rather "certifying and indemnifying our work around the kernel and with these clients to provide them an indemnification that we as OSRM have an insurance policy behind us that provides the financial wherewithal to offer that indemnification." Since much of Microsoft's FUD these days is aimed at convincing customers that the Total Cost of Ownership (TCO) for Linux is higher than for Microsoft products, we asked St. John whether it was likely that their offering would be seen as raising the TCO of Linux. St. Clair said that the Legal Defense Center membership fees shouldn't harm Linux in the TCO discussion. "This is something that end users can choose to have or not have, it's not automatically bundled as part of Linux." Even adding in the cost of OSRM's offerings, St. Clair said that he believes that Linux will still have a lower TCO than its competitors. He also said that OSRM's offerings "put a stake in the ground" to show what indemnification may cost, rather than an unknown figure that opponents may exaggerate when debating TCO.
OSRM is not planning to limit itself to copyright issues or the Linux
kernel. We asked whether OSRM was planning to examine other open source
software commonly used with the Linux kernel, and whether the company would
be expanding its protection to patent issues. The answer is yes on both
counts. St. Clair told LWN that dealing with legal issues from patents is
"
Obviously, this is is a very large and complex undertaking that will
require help from numerous kernel developers, organizations, specialized
technical and legal experts, and hopefully volunteers in the community.
We will be asking for help finding and collecting prior art through our new
Grokline project, for example, which will go online shortly.
St. Clair said he believes that the SCO lawsuit will go away, but that SCO has "pointed to a potential vulnerability" that will last beyond SCO's suits. He said that OSRM also recognizes a need to go "up the stack" of open source software beyond the kernel that is also widely used. St. Clair said that he could not specify any software that would be covered by OSRM beyond the kernel at the moment, or give a timeline for announcing additional software. Another area where OSRM is working, according to St. Clair, is in helping companies with risk assessment and developing indemnification programs that they can offer to their customers. He said that OSRM also helps "place their risk with third parties to provide that [indemnification] for their customers." There is a "heavy amount of interest" in OSRM's offerings, according to St. Clair. It will be interesting to see if OSRM is successful in making a business out of offering indemnification for Linux and open source software, and whether they remain the sole business that offers this service if it proves to be popular.
Page editor: Jonathan Corbet Security TCP vulnerability: cancel red alert The mainstream press has been quick to proclaim a new vulnerability which threatens the entire Internet. CNN, for example, tells us: "Flaw could shut down Internet traffic". A bit of time spent actually understanding the problem will quickly make it clear, for most users, there is little to worry about.There are several parameters which identify a particular TCP packet. The source and destination addresses are exactly that: who sent the packet, and who is to receive it. The destination port number allows the packet to be routed to the proper process on the receiving system; on the server side of a connection, the destination port will usually be a well-known number assigned to a specific service. For example, the process which receives electronic mail will be expecting it to arrive on port 25. The source port identifies the process which sent the packet. On the client (initiating) side of a connection, the source port is ostensibly a random number, though, in practice, they tend to be assigned in a sequential (and thus predictable) way. Yet another parameter is the sequence number, which describes where the packet fits within the overall stream. The initial sequence numbers for a connection are assigned randomly; they then increase as data is sent over the connection. TCP packets also have a "flags" field for control purposes. One of those flags is called "reset" or "RST"; it indicates that the sending side is shutting down the connection immediately. Resets typically happen when one side receives a packet for a connection it knows nothing about. Suppose you log into a remote system with ssh, then go out for lunch; while you are eating, the remote system is rebooted. When you return and try to type over the connection, the remote system will have no record of it, so it will send back a reset packet. That's when you get that fun "connection reset by peer" message. Suppose you were an Internet vandal looking to shut down other people's connections. This could be accomplished by sending the right sort of reset packet. Crafting this packet is not an entirely easy thing to do: you have to match all five of the parameters listed above. Presumably coming up with source and destination addresses would not be too hard, if you know which connection you are targeting. One of the two port numbers will probably be a well-known service number, and thus easily accessible. The other port number will require a guess, but the range of possible numbers is, in many cases, small. The hardest part is the sequence number; it is a randomly-chosen, 32-bit number. In the past, poor initial sequence number generation has allowed protocol attacks, but most of those problems are long since fixed. To mount a reset attack against a modern TCP implementation, the attacker must work through the entire space of 4 billion possible sequence numbers; by the time that has been accomplished, chances are the target connection will have shut down normally anyway. Except, as it turns out, that is not entirely true. TCP uses a "receive window" to control the flow of data. The window gives a range of sequence numbers for which the destination is prepared to receive data; this window can vary widely between systems, but 32KB is a fairly common size. Since the two sides of a TCP connection may not share the exact same idea of what the current sequence number is (one side may have sent packets that the other has not received), a reset packet with a sequence number that falls anywhere inside the receive window will be honored. Thus an attacker need not try every possible sequence number; attempts may, instead, be spaced as widely as the probable receive window. That changes the situation significantly; if the other four parameters are correct, a usable sequence number can be found with less than 100,000 attempts. It does not take very long to send that many (very short) packets, even over a relatively slow connection. So, a dedicated attacker stands a fairly good chance of shutting down a connection. What are the implications of this? Very few, for the most part. In general, the damage caused by a prematurely closed connection is small; the user swears and restarts their download operation. It would be hard to use this technique to shut down a web server; HTTP connections tend to be short-lived to begin with. That is why the largest threat is seen to be for applications which use long-lived TCP connections for some important task. The BGP protocol used for much of the core Internet routing is one such case; most of the affected systems have already been fixed, however. For those who are in a situation where this sort of attack could pose a threat, there are a few things which can be done, including using IPSec, which is not vulnerable to this sort of problem, or configuring networking to use a smaller window size (but be aware that performance can be reduced). The IETF has also come up with a proposed protocol change which addresses the problem: when a reset packet is received which, while falling within the receive window, does not exactly match the sequence number, the receiving side will send an acknowledgment rather than immediately resetting the connection. That acknowledgment will contain the current sequence number as seen by the side receiving the reset, which will allow the sending of a second reset packet with the exact sequence number. Some vendors (mostly router manufacturers) are issuing software updates to implement the IETF suggestion. Most of us, however, can sit back and look for something else to worry about.
New vulnerabilities kernel: ext3 information leak
logcheck: symlink vulnerability
ssmtp format string vulnerability
utempter problems with symlink and strncpy
XChat 2.0.x SOCKS5 Vulnerability
xonix fails to drop privileges
zope: potential code execution
Updated vulnerabilities apache - denial of service in mod_ssl
automake: symbolic link attack
cvs: client-side file overwrite vulnerability
ethereal - multiple vulnerabilities
Filename disclosure vulnerability in fam
gtkhtml: malformed messages cause crash
iproute: local denial of service
racoon: failure to verify signatures
kdelibs: cookie disclosure
kdepim: VCF file information reader vulnerability
kernel: symlink overflow in the iso9660 filessytem
Linux kernel 2.2.10 failing function and TLB flush vulnerability
kernel-utils: setuid vulnerability
libpng, libpng3: buffer overflow
libxml2 - arbitrary code execution
mailman denial of service
metamail: integer and buffer overflows
mikmod: buffer overflow
mod_python: denial of service vulnerability
monit: buffer overflow and DOS
mozilla: multiple vulnerabilties
mpg321: format string vulnerability
MySQL: temporary file vulnerabilities
neon: format string vulnerabilities
Nessus NASL scripting engine security issues
netpbm: insecure temporary files
openssh: timing attack leads to information disclosure
OpenSSL: denial of service vulnerabilities
perl information leak
postfix: denial of service vulnerabilities
python: buffer overflow
samba privilege escalation
Scorched3D: format string vulnerability
squid - vulnerability in URL decoding
sysstat: temporary file vulnerability
File overwrite vulnerability in tar and unzip
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
Multiple vendor telnetd vulnerability
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||