OPINION

IBM-SCO Battle Flares, Windows Beats Unix, Apple Gets Virus

Last week a number of surprising issues flared in the press.

First, IBM says it is now aggressively going after SCO’s funding sources to see where the bodies are buried, so to speak; an IDC report puts Windows ahead of Unix for the first time since, well, ever; and Apple’s OS, considered the “secure” platform, has three virus alerts out on it, one of them a severity-level 4.

IBM Gets Cranky

In just a few months, the actual trial that will determine whether IBM violated SCO’s intellectual property rights will begin. After years of discovery, IBM, according to the U.S. District Court in Utah, recently broadened its efforts to try to determine the true relationship between SCO and those that funded it.

Two of the funding parties targeted cashed out some time ago, and, clearly disillusioned with the entire thing, put some distance between themselves and SCO. BayStar Capital and the Royal Bank of Canada decided to leave after BayStar attempted to take SCO over and focus the entire company on the litigation. This clearly indicated BayStar had faith in the litigation — it just didn’t have faith in the way SCO was handling it. BayStar had brought in the Royal Bank — and when BayStar left, it took the Bank and the money with it, putting SCO in a rather precarious cash position.

Two things stand out as concerns. One of them is timing. IBM wants access to communications between the firms long after some of the key players departed and the actual events in question took place. Because of document retention policies — document retention policies actually have more to do with disposal than retention these days — there is every likelihood that what they are looking for, if it ever did exist, no longer does. IBM is the master of document retention policies going back to the Arms for Hostages deal and Profs. (This was when folks discovered that “deleted” e-mail in Profs wasn’t really deleted.)

If any company understands document retention, it’s IBM. If the company knew it was going to need the information it’s now asking for, why didn’t it go after it in a timely manner — unless, that is, the firm wanted to create a specter of wrongdoing in place of something it knows never actually occurred?

Desperate Measures?

If IBM is sure it will win, and clearly that is an opinion shared by many, why would the company now need to create a false image of wrongdoing to bolster its chances in court? Granted, this could simply be a matter of insurance, but it also suggests that the folks at IBM know something we don’t, and that what they know doesn’t appear to work in their favor.

The second concern I have is over IBM’s move to go after the Royal Bank of Canada. What many probably don’t know is this bank is a Canadian IBM Keystone Account. This means other banks in Canada watch what this bank does very closely. IBM has special executives in place to make sure no one messes with this account, because if Royal Bank moves away from IBM, the rest of Canada’s banking industry might follow. I know this, because while I was working for IBM years ago, I ran into a situation where my division was creating massive problems with this bank, and when the problems were disclosed, virtually everyone who had any involvement in creating the problems was fired immediately. It took a lot for that to happen at IBM at that time.

Banks really don’t like to be named in the press as part of litigation by one of their vendors. A typical response would be to “fix” the vendor part. What would cause IBM to put its Canadian market at risk like this?

Perhaps IBM’s legal team was not at first aware of the relationship between IBM and the Bank, but I’ll bet they are now. With the SCO case looking about as weak as it ever has at this point, and running out of funds, the $50 million question is, why would IBM be making desperate moves now?

Next Topic: Windows Beats Unix

I mentioned last week that it is important to understand the process behind a study before you trust the results. It is certainly fascinating to hear that for the first time ever, Windows has jumped ahead of Unix in sales — and I understand why Linux proponents are fanatically pointing out that these systems are growing faster than Windows — however, people need to take into consideration that volume reports like the one IDC released last week are not always 100 percent reliable.

First, the method for collecting data of this nature is, typically, to call vendors and ask for estimates. The vendors are not allowed to release financial data selectively, so — unless they make data like this part of their financial statements, and in general, they don’t — the numbers are more or less guesses on behalf of both parties. The person asking the questions often throws out figures and the respondent says “higher” or “lower” until a ballpark figure passes muster without the vendor having to actually give any real numbers away.

While I was at IBM, I knew one of the folks who supplied such numbers for the company. He used to joke about how he initially doubled and then tripled what he allowed to be reported. Later I worked for Dataquest, which has since been purchased by Gartner Group. There I compiled reports like these myself. I worked very hard to make the reports as accurate as possible — and all I can say is, at times it seemed a lot of people would’ve liked to have seen me fired.

At the time, there was a unique check and balance for OS/2. For every OS/2 license IBM sold, it had to pay Microsoft a license fee. IBM was paying a fraction of what it was publicly reporting, however. Since there were substantial financial controls in place to ensure that IBM paid what it truthfully owed, it’s fair to say that IBM was reporting substantially more than it was selling.

IBM has traditionally been a major funding source for operating systems reports — in part because the company has the most platforms being reported, but also because it wants to have the most influence on the reports’ outcome. This was an incredibly painful lesson for me.

Do Numbers Lie?

Microsoft has a vested interest in staying honest because its OS is, unlike most others, material to the company. If it were caught misreporting volumes, its executives would likely pay a high price. In my experience, Microsoft, along with Novell, has always reported relatively accurate data in this regard.

Still, with Linux now largely running on hardware similar to other OSes, I begin to question how accurate these numbers can be, and — particularly on the Linux side — have trouble figuring out why anyone wouldn’t inflate the numbers. If the product is largely free, there is no financial impact and no real SEC risk. Given that people inflate numbers regularly, there would need to be a validation step that doesn’t yet exist that would mirror the SEC’s control on the proprietary side for open-source software to ensure accuracy. Figures reported by public companies like Red Hat and Novell may be accurate, but for other vendors it’s hard to tell.

The Windows and Linux markets may also be too different for an accurate volume comparison to be relevant. Many have pointed out that Linux sells against what is largely a Unix opportunity and for very high traffic implementations. Windows tends to be favored where interoperability is key and where traffic is much lower. This would suggest that the number of servers may be no more relevant than comparing the number of Mack trucks to the number of Volkswagens. Plus, given the difference in pricing methodology, revenue doesn’t seem to be a good measure either unless you include service revenue for both platforms, and then it becomes even more confusing.

Service revenue often goes to parties not involved in these surveys at all, and that’s why I don’t believe it is being accurately captured in anyone’s reports currently. Even if total service revenue for Windows were 3000 percent higher than service revenue for Linux systems, would it change any decisions? I doubt it. How about if Linux cost 3000 percent more than Windows when you factored in service? Either way, I don’t see how the service figures would be terribly useful.

Finally, the primary audience for these reports has traditionally been the vendors, who use them to showcase individual successes or failures. They make sense for hardware, because the numbers mean something — but with software, they become less useful for anything other than showing general trends. The takeaway from IDC’s report is that Windows continues to grow, and Linux is taking much of the Unix market, which is hardly new news. The real fight may be in terms of interoperability. A report on this, from my view, would be much more valuable than one focused on server penetration numbers.

Apple Platform: A Virus Magnet?

News of several security flaws in Apple’s OS X this week reminds me of a statement Larry Ellison made a few years ago suggesting that Oracle systems were unbreakably secure. The very next day, his software was breached. Apple users have for some time been saying that they are immune to malware — now they’re paying for this silliness. There is no PC platform, no matter how robust, that is immune to attack unless it is disconnected from a network, turned off and locked up.

The reality is that users remain the weakest link, and as long as we have users, we will have security exposures, regardless of the platform. Mainframes have been successfully cracked, military systems have been cracked, and some of the most secure stuff in existence has been lost, largely due to this human exposure.

The only real “protection” is to train people to be vigilant and make them aware of the risks while aggressively implementing programs that offer strong technological protections. Microsoft has been much more aggressive with this than Apple has, primarily because its users have been at risk for so long. Unless Apple steps up, Apple users may actually be less secure than Windows users in the long run.

In this respect, this really shouldn’t be a competition. I’d like to see both companies cooperate in efforts to protect users, much like the automotive companies cooperate in sharing anti-lock braking and airbag technologies to protect theirs. Customers are customers, and all companies should do their best to protect them.


Rob Enderle, a TechNewsWorld columnist, is the Principal Analyst for the Enderle Group, a consultancy that focuses on personal technology products and trends.

