LWN.net Weekly Edition for April 22, 2004 [LWN.net]

Lindows goes for an IPO - a detailed look

Digging through IPO registrations is hard work; they tend to be long, legalese-infested, and full of hype. Your editor, however, has been spending much of the last year looking at lawsuit filings, which are a lot worse. The chance to get into an IPO filing was too good to pass up, so, when Lindows submitted its form S-1, we dug right in. Besides, how many SEC filings come with screen shots?

Lindows proposes to sell $57.5 million worth of shares in its initial offering. The company will be using WR Hambrecht's "OpenIPO" process, which seeks to price the stock at the highest level the market will bear via an auction process. Other companies which have used this method include Salon and Andover.Net (which is now OSDN and part of VA Software).

So what is Lindows? From the filing:

We are a developer and vendor of Linux-based operating systems, application software and services designed specifically for desktop and laptop computers in homes, schools and businesses. We use technology and software developed by the collaboration of independent Linux developers, referred to as the open source community, with our own technology and software to offer affordable, easy-to-use software products and services, many of which are similar in feel and functionality to our higher-priced competitors. The cornerstone of our product line is our Linspire operating system.

The company states that, as computers get cheaper, the cost of Windows becomes more predominant, especially for desktop systems. Price pressures, they say, will cause manufacturers and consumers to look more seriously at Linux. And Lindows, of course, hopes to have the version of Linux which is best suited to this market.

A big part of the Lindows plan is to get its distribution installed widely in a short period of time. The company is targeting small computer manufacturers, offering them a "low cost" licensing program. There is also a deal with Seagate, which is pre-installing Linspire on some of its drives. Remember, ten years ago, how you could buy disks with Linux preinstalled? That market is back, it would seem.

Similarly, Elektra, a retail store chain with over 800 stores throughout Mexico, sells a low-cost computer with Linspire pre-installed. According to Elektra, since December 2003 and as of April 2004, Elektra's best selling computer was the Linspire system, outselling all other desktop computers it offers running other operating systems.

How does Lindows plan to use the money?

We expect to use a majority of the net proceeds of this offering to further develop the distribution channels for our Linux-based operating system, application software and services, to expand our sales and marketing activities, to continue to develop existing and new products, technologies and services, to increase personnel, and to repay substantially all of our outstanding debt obligations to our founder of approximately $10,400,000.

In other words, the day Lindows goes public will be a good day for Michael Robertson. Lindows says it may also use some of the money for acquisitions.

Lindows has to disclose its financial state as part of this offering, of course. The company, it turns out, brought in all of $63,131 in 2002, but that jumped up to just over $2 million in 2003. Even so, Lindows managed to lose over $4 million that year. As of the end of 2003, the company had $250,000 in the bank, a "working capital" figure of $-1.8 million, and $4.7 million in debt. How that figure squares with the $10 million owed to Mr. Robertson (and earning 10% interest) is not entirely clear.

From the obligatory "scary risk factors" section:

They just might run into some financial problems when trying to compete directly with Microsoft for desktop sales.
"We have not demonstrated the success of our open source software business model, which gives our customers the right to freely copy and distribute some of the software in our operating system and in the applications we develop and distribute. There is uncertainty in connection with open source business models, particularly as to whether or not businesses based on open source software can operate profitably."
Customers may not go for a model based on service and license fees.
Their Japanese distributions are handled by Livedoor, which, having just acquired Turbolinux, may lose interest in Lindows. Livedoor was responsible for 11% of the company's 2003 revenue.
Third-party applications for Linux may not be forthcoming.
"We have received an audit report from our independent auditors containing an explanatory paragraph stating that our historical losses and negative cash flows from operations raise substantial doubt about our ability to continue as a going concern."
The trademark fight with Microsoft could yet sink them. They are also, it appears, in a court battle with their insurance carrier over whether the costs of the Microsoft litigation are covered.

Lindows claims a little over 250,000 installed systems. How do they know?

Each time a computer running the Linspire operating system is connected to the Internet for the first time, our CNR technology automatically records this connection on our servers. We refer to this connection as a light up. We use light ups to monitor the growth of our installed base, the effectiveness of our marketing and distribution efforts and the quality and breadth of our products and services.

Among other things, Lindows learns who sold you the system when the "light up" occurs. These end-user systems generated some 1.7 million in revenue in 2003.

The company has spent some $1.4 million in legal fights with Microsoft. It has extracted most of that back from its insurance carrier through lawsuits, but that case is still outstanding. If things go badly, Lindows may have to repay the insurance carrier, which would hurt. There are still outstanding Microsoft suits in Spain, Canada, and France, and a fight in South Africa would appear to be in the works. Lindows has also sued Xandros, as it turns out. It would appear that Lindows loaned Xandros $750,000 which has not been repaid.

As of the end of March, Lindows has 62 employees, 38 of whom are software engineers. The CEO is Michael Robertson, of course, who, under a new agreement, is to be paid $410,000 per year, plus bonuses. Mr. Robertson owns something over 48 million shares of the company - 81% of the total. The number of shares to be sold in the IPO has not yet been specified, but it seems clear that Mr. Robertson will remain in possession of a majority of the outstanding shares. The next biggest holder is the "Burcham Community Property Trust," which is controlled by the parents of Mr. Robertson's wife. Kevin Carmony, the company's president, holds 3 million shares.

The aggregate message from this filing is clear: Lindows is trying to go public now because it very much needs the money. The company has large debts, a series of ongoing legal battles, and a need for money to carry its business plan forward. If the IPO fails, Lindows will have to come up with another source of funds in a hurry, or, as its accountants warn, its "ability to continue as a going concern" will be very much in doubt. Someday there will be a thriving market around desktop Linux, and Lindows may, indeed, be well positioned to profit in that market. Getting there will be a challenge, however.

Comments (16 posted)

Report from the SCO front

It has been a busy week in the SCO world. Remember last October, when BayStar and the Royal Bank of Canada invested $50 million into SCO? That was when SCO's stock hit its high point; it has been all downhill from there. On April 15, BayStar sent SCO a letter saying that it wants its money ($20 million) back. BayStar has concluded that SCO is in breach of the investment agreement, and thus must return the money - plus interest. BayStar has not said, in any public way, how it believes that SCO has breached the agreement; speculation centers, among other things, on SCO's creative representations of its intellectual property rights and failure to disclose Novell's letters contesting the ownership of the Unix copyrights. RBC has not yet tried to call back its share, but may well do so in the next few days.

Where this will go is hard to predict. Extracting money by force in this way is not an easy thing to do; BayStar must face the threat that SCO will choose to spend the money on more lawyers fighting the recall rather than hand it over. BayStar's lawyers do have some leverage, however; among other things, the amended agreement reads (Section XV(g)):

[SCO] acknowledges that a breach by it of its obligations hereunder will cause irreparable harm to the holders of Series A-1 Preferred Stock and that the remedy at law for any such breach may be inadequate. The Corporation therefore agrees, in the event of any such breach or threatened breach, that the holders of Series A-1 Preferred Stock shall be entitled, in addition to all other available remedies, to an injunction restraining any breach, without the necessity of showing economic loss and without any bond or other security being required.

That language would suggest that BayStar can go to a judge and have a good chance at getting an injunction forcing the money to be escrowed until the issue is resolved. Regular stockholders will lose out (not that they had great prospects anyway) but BayStar and RBC will do better.

This recall has serious implications for SCO. If both investors pull their money, SCO's remaining bank account will be tiny. The chances of finding other investors are also tiny. SCO's legal fees are not going to get any smaller anytime soon; the prospect of a legal battle with BayStar and RBC can only make that problem worse. Unless some sort of more overt aid comes from companies like Microsoft or Sun, SCO could find itself looking at bankruptcy in the near future.

SCO's April 21 announcement that its chief financial officer, Robert Bench, has been replaced may just be coincidental. Mr. Bench will become the "acting vice president of corporate development" until he retires later this year. His new responsibilities will be to "focus on external growth opportunities and industry partnerships" - scrambling for money, in other words. The new CFO will be Bert Young, whose history with companies like Waste Management, Inc. would seem to suit him well to SCO's way of business.

Red Hat, meanwhile, has filed a motion for reconsideration in its suit against SCO. The company claims:

Red Hat will suffer manifest injustice from a stay, since SCO apparently intends to continue to harass and threaten suit against Red Hat's customers in other jurisdictions, while Red Hat's declaratory judgment suit here, which was intended to prevent this precise harm to it and its customers, is forced to languish.

Getting the judge to rethink her ruling (which put the case on hold until the IBM case has run its course) looks like a difficult prospect, but Red Hat had to try.

In the IBM case, the latest events have to do with IBM's subpoena for information from S2 Strategic Consulting. S2, remember, is the company that helped to bring Microsoft, BayStar, and SCO together, so it's not surprising that IBM is interested in what was going on there. S2 is objecting to the subpoena, stating that it is not part of this battle and that much of the requested information is confidential. There is some interesting information to be found in this document, however, including:

Without waiver of those objections, S2 responds that it has in its possession, custody and control documents that entail communications between it and Microsoft, that relate to parties in this litigation...

S2 would appearing to be pushing for a protective order to keep these documents from being publicly disclosed. Chances are it will succeed. So we may never see just what was going on between these companies, but IBM can be expected to have some fun with that information.

Finally, this whole mess has drawn the attention of another species of shark: lawyers who do shareholder lawsuits. Among those trolling the message boards for potential plaintiffs are Ademi & O'Reilly and, inevitably, Milberg Weiss Bershad Hynes & Lerach. If you were silly enough to buy stock in SCO, believe that SCO should be held legally responsible for the predictable loss of your money, feel like enriching this particular class of lawyer, and believe that there might actually be something left for a settlement with shareholders when the dust settles, these folks would like to talk with you.

Comments (7 posted)

Open Source Risk Management's protection plan

April 21, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

On Monday, Open Source Risk Management (OSRM) put out several interesting press releases. The company has "certified" that the Linux kernel is free of "source code that could provide a basis for meritorious copyright infringement claims." OSRM has also announced the "Open Source Legal Defense Center" (OSLDC) based in Washington D.C., which will offer membership programs for developers and corporations that might find themselves being sued by SCO or another company looking to make claims on the Linux kernel. We contacted OSRM executive director John St. Clair and OSRM director of research Pamela Jones about the announcements. Jones was kind enough to respond to several questions via e-mail, and St. Clair took the time to grant LWN a phone interview.

One might wonder how OSRM could "certify" that the Linux kernel is free of infringement. According to St. Clair, OSRM is not saying that they have proven that none of the code in the Linux kernel is tainted. However, he says that the company has done due diligence and is willing to take the risk of providing legal protection for copyright infringement claims against the kernel. According to Jones:

OSRM's certification can never mean that there will be no claims in the future; it means that they've taken a look and believe the risk is de minimus and insurable, and OSRM is sufficiently confident that it is willing to put its money where its mouth is.

St. Clair declined to provide specifics of the process that OSRM used to research the Linux kernel, but he did say that OSRM has built up "an extensive database of Unix variants... and compared that database against two versions of the kernel, 2.4 and 2.6, to detect matches between those two groups of source code." According to St. Clair, OSRM used in-house technology "unique to OSRM in terms of pattern-matching" and looked for straight text matches and "more obfuscated" code that might be taken from Unix. We asked whether OSRM might release the tools that they used for this research to the community, but St. Clair said there were no plans to do so at this time.

We were also curious how the OSLDC would work for developers, and whether $25,000 would be sufficient protection for developers if SCO or another party were to sue them. According to St. Clair:

This will provide developers, who are off on their own many times, a cost-effective way at $250 to be able to get advice and legal counsel with respect to their contributions to the Linux kernel. Should they be served with a subpoena or other legal action regarding their contributions they would receive up to $25,000 in legal protection from that.

He said that the $25,000 amount should be "pretty sufficient to cover much of their exposure." St. Clair stressed that the OSRM offering is vendor-neutral, and allows developers and corporations to make changes to the code and still receive protection, unlike some of the vendor-specific indemnification plans. He also pointed out that OSRM is not selling insurance, but rather "certifying and indemnifying our work around the kernel and with these clients to provide them an indemnification that we as OSRM have an insurance policy behind us that provides the financial wherewithal to offer that indemnification."

Since much of Microsoft's FUD these days is aimed at convincing customers that the Total Cost of Ownership (TCO) for Linux is higher than for Microsoft products, we asked St. John whether it was likely that their offering would be seen as raising the TCO of Linux. St. Clair said that the Legal Defense Center membership fees shouldn't harm Linux in the TCO discussion. "This is something that end users can choose to have or not have, it's not automatically bundled as part of Linux." Even adding in the cost of OSRM's offerings, St. Clair said that he believes that Linux will still have a lower TCO than its competitors. He also said that OSRM's offerings "put a stake in the ground" to show what indemnification may cost, rather than an unknown figure that opponents may exaggerate when debating TCO.

OSRM is not planning to limit itself to copyright issues or the Linux kernel. We asked whether OSRM was planning to examine other open source software commonly used with the Linux kernel, and whether the company would be expanding its protection to patent issues. The answer is yes on both counts. St. Clair told LWN that dealing with legal issues from patents is "absolutely in our plans," and Jones replied that she is currently doing research on providing protection for patent issues:

Obviously, this is is a very large and complex undertaking that will require help from numerous kernel developers, organizations, specialized technical and legal experts, and hopefully volunteers in the community. We will be asking for help finding and collecting prior art through our new Grokline project, for example, which will go online shortly.

St. Clair said he believes that the SCO lawsuit will go away, but that SCO has "pointed to a potential vulnerability" that will last beyond SCO's suits. He said that OSRM also recognizes a need to go "up the stack" of open source software beyond the kernel that is also widely used. St. Clair said that he could not specify any software that would be covered by OSRM beyond the kernel at the moment, or give a timeline for announcing additional software.

Another area where OSRM is working, according to St. Clair, is in helping companies with risk assessment and developing indemnification programs that they can offer to their customers. He said that OSRM also helps "place their risk with third parties to provide that [indemnification] for their customers."

There is a "heavy amount of interest" in OSRM's offerings, according to St. Clair. It will be interesting to see if OSRM is successful in making a business out of offering indemnification for Linux and open source software, and whether they remain the sole business that offers this service if it proves to be popular.

Comments (1 posted)

Page editor: Jonathan Corbet

Security

TCP vulnerability: cancel red alert

The mainstream press has been quick to proclaim a new vulnerability which threatens the entire Internet. CNN, for example, tells us: "Flaw could shut down Internet traffic". A bit of time spent actually understanding the problem will quickly make it clear, for most users, there is little to worry about.

There are several parameters which identify a particular TCP packet. The source and destination addresses are exactly that: who sent the packet, and who is to receive it. The destination port number allows the packet to be routed to the proper process on the receiving system; on the server side of a connection, the destination port will usually be a well-known number assigned to a specific service. For example, the process which receives electronic mail will be expecting it to arrive on port 25. The source port identifies the process which sent the packet. On the client (initiating) side of a connection, the source port is ostensibly a random number, though, in practice, they tend to be assigned in a sequential (and thus predictable) way. Yet another parameter is the sequence number, which describes where the packet fits within the overall stream. The initial sequence numbers for a connection are assigned randomly; they then increase as data is sent over the connection.

TCP packets also have a "flags" field for control purposes. One of those flags is called "reset" or "RST"; it indicates that the sending side is shutting down the connection immediately. Resets typically happen when one side receives a packet for a connection it knows nothing about. Suppose you log into a remote system with ssh, then go out for lunch; while you are eating, the remote system is rebooted. When you return and try to type over the connection, the remote system will have no record of it, so it will send back a reset packet. That's when you get that fun "connection reset by peer" message.

Suppose you were an Internet vandal looking to shut down other people's connections. This could be accomplished by sending the right sort of reset packet. Crafting this packet is not an entirely easy thing to do: you have to match all five of the parameters listed above. Presumably coming up with source and destination addresses would not be too hard, if you know which connection you are targeting. One of the two port numbers will probably be a well-known service number, and thus easily accessible. The other port number will require a guess, but the range of possible numbers is, in many cases, small. The hardest part is the sequence number; it is a randomly-chosen, 32-bit number. In the past, poor initial sequence number generation has allowed protocol attacks, but most of those problems are long since fixed. To mount a reset attack against a modern TCP implementation, the attacker must work through the entire space of 4 billion possible sequence numbers; by the time that has been accomplished, chances are the target connection will have shut down normally anyway.

Except, as it turns out, that is not entirely true. TCP uses a "receive window" to control the flow of data. The window gives a range of sequence numbers for which the destination is prepared to receive data; this window can vary widely between systems, but 32KB is a fairly common size. Since the two sides of a TCP connection may not share the exact same idea of what the current sequence number is (one side may have sent packets that the other has not received), a reset packet with a sequence number that falls anywhere inside the receive window will be honored. Thus an attacker need not try every possible sequence number; attempts may, instead, be spaced as widely as the probable receive window. That changes the situation significantly; if the other four parameters are correct, a usable sequence number can be found with less than 100,000 attempts. It does not take very long to send that many (very short) packets, even over a relatively slow connection.

So, a dedicated attacker stands a fairly good chance of shutting down a connection. What are the implications of this? Very few, for the most part. In general, the damage caused by a prematurely closed connection is small; the user swears and restarts their download operation. It would be hard to use this technique to shut down a web server; HTTP connections tend to be short-lived to begin with. That is why the largest threat is seen to be for applications which use long-lived TCP connections for some important task. The BGP protocol used for much of the core Internet routing is one such case; most of the affected systems have already been fixed, however.

For those who are in a situation where this sort of attack could pose a threat, there are a few things which can be done, including using IPSec, which is not vulnerable to this sort of problem, or configuring networking to use a smaller window size (but be aware that performance can be reduced). The IETF has also come up with a proposed protocol change which addresses the problem: when a reset packet is received which, while falling within the receive window, does not exactly match the sequence number, the receiving side will send an acknowledgment rather than immediately resetting the connection. That acknowledgment will contain the current sequence number as seen by the side receiving the reset, which will allow the sending of a second reset packet with the exact sequence number.

Some vendors (mostly router manufacturers) are issuing software updates to implement the IETF suggestion. Most of us, however, can sit back and look for something else to worry about.

Comments (13 posted)

New vulnerabilities

kernel: ext3 information leak

Package(s):

kernel

CVE #(s):

CAN-2004-0177

Created:

April 21, 2004

Updated:

April 26, 2004

Description:

Solar Designer turned up a bug in the ext3 filesystem where blocks allocated to the journal file are not properly cleaned prior to use. This failure could expose some (random) kernel memory to an attacker, but only if that attacker can perform raw I/O to the device.

Alerts:

Debian	DSA-495-1	2004-04-26
Red Hat	RHSA-2004:166-01	2004-04-21
Trustix	TSLSA-2004-0020	2004-04-15

Comments (1 posted)

logcheck: symlink vulnerability

Package(s):

logcheck

CVE #(s):

CAN-2004-0404

Created:

April 21, 2004

Updated:

December 22, 2004

Description:

The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.

Alerts:

Mandrake	MDKSA-2004:155	2004-12-22
Debian	DSA-488-1	2004-04-16

LWN.net Weekly Edition for April 22, 2004

kernel: ext3 information leak

logcheck: symlink vulnerability

ssmtp format string vulnerability

utempter problems with symlink and strncpy

XChat 2.0.x SOCKS5 Vulnerability

xonix fails to drop privileges

zope: potential code execution

apache - denial of service in mod_ssl

automake: symbolic link attack

cvs: client-side file overwrite vulnerability

ethereal - multiple vulnerabilities

Filename disclosure vulnerability in fam

gtkhtml: malformed messages cause crash

iproute: local denial of service

racoon: failure to verify signatures

kdelibs: cookie disclosure

kdepim: VCF file information reader vulnerability

kernel: symlink overflow in the iso9660 filessytem

Linux kernel 2.2.10 failing function and TLB flush vulnerability

kernel-utils: setuid vulnerability

libpng, libpng3: buffer overflow

libxml2 - arbitrary code execution

mailman denial of service

metamail: integer and buffer overflows

mikmod: buffer overflow

mod_python: denial of service vulnerability

monit: buffer overflow and DOS

mozilla: multiple vulnerabilties

mpg321: format string vulnerability

MySQL: temporary file vulnerabilities

neon: format string vulnerabilities

Nessus NASL scripting engine security issues

netpbm: insecure temporary files

openssh: timing attack leads to information disclosure

OpenSSL: denial of service vulnerabilities

perl information leak

postfix: denial of service vulnerabilities

python: buffer overflow

samba privilege escalation

Scorched3D: format string vulnerability

squid - vulnerability in URL decoding

sysstat: temporary file vulnerability

File overwrite vulnerability in tar and unzip

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Multiple vendor telnetd vulnerability

xine-ui - insecure temporary file creation