
Open source's quiet revenge

Evan Leibovitch | February 21, 2001 12:00 AM PST

Summary

All the lawyers in Finland won't fix the predicament of Secure Shell vendor SSH Communications Security.

Last week, I said I'd be discussing the business models used by Linux distributors and vendors of other open source software. While it's still my intention to do so, I just couldn't neglect a fascinating tale that unfolded this week surrounding the Secure Shell (SSH) Internet protocol and its related software.

While the search for truly workable open source business models remains a challenge, the SSH experience offers a textbook case of a business practice that, from what I can see, is doomed to fail.

SSH is a sort of secure Telnet-type connection running over an encrypted channel and featuring full public-key-based authentication. The first release was developed under an open license and attracted a worldwide community of developers. SSH head developer Tatu Ylonen submitted the underlying protocol as an Internet standard.

Version one of SSH became quite a community project. Because of U.S. government restrictions, it wasn't adopted as quickly as proponents would have liked. But for many security-conscious folk, SSH became the replacement for Telnet and FTP.

And then, midway through the development of release 1.2.12 in 1995, Ylonen quietly changed the license to a more restrictive one that prohibited commercial distribution and asserted a trademark on the name "ssh." He then incorporated a company, SSH Communications Security, to sell the software to commercial users. The company would later make a second version of the commercial SSH software that was incompatible with the old open one.

The Finland-based company is now in a war of words and lawyers' letters with developers of an increasingly popular open source implementation known as OpenSSH. The OpenSSH developers, many of whom worked on the original SSH community project, viewed the license restrictions as a betrayal. It was one thing for Ylonen to try to make a buck off his work, but the new licensing prohibited any of the other developers from doing so.

The developers responded in the only way they knew how. They took the last version of SSH that was completely open source and created a new project to maintain and extend a free version of it. That project became OpenSSH and was shepherded by the OpenBSD group, which already had a reputation for being obsessed with secure free software.

Within the last year, a number of events have converged to turn the rivalry into a full-blown competition. Most importantly, OpenSSH finally became good enough to use as a drop-in replacement for the proprietary stuff. Meanwhile, SSH Communications Security raised $14 million in capital, a move that gave the company lots of cash in return for a new leadership with less tolerance for the free alternative. Add the U.S. government's relaxing of its restrictions on cryptography, and you had a volatile situation just waiting for a head-on confrontation.

That confrontation started last week when SSH Communications spent some of that $14 million on lawyers. The goal? Force OpenSSH to change its name. The weapon? A U.S. trademark on the lower-case letters ssh. The chance of success? Slim to none, according to OpenBSD leader Theo de Raadt, who also says there's no reason or desire within the OpenSSH community to change the name.

There are many arguments being given throughout the community for the futility of any legal action. Here is a sample:

  • OpenBSD and OpenSSH are based in Canada, which doesn't necessarily recognize the SSH trademark.
  • Ylonen promoted the SSH name as a standard in the early days and didn't put restrictions on use. He later promoted the supposed trademark as the name of an Internet-standard protocol.
  • The trademark is only on a specific graphic of the letters SSH in lower case in a specific font. The term SSH itself isn't trademarked.
  • As they produce software that's freely downloadable, the OpenSSH developers are arguably not engaged in commercial gain. According to one interpretation of the U.S. trademark law, this prevents any trademark-related action against OpenSSH.
  • Who do you sue? The individual developers scattered around the world? OpenSSH maintains no formal organized structure. And if the company won, how much in damages could be extracted from these volunteers?

In honesty, few of the people offering such opinions are lawyers. But de Raadt says he's consulted enough legal professionals to assure him that any real action on the matter would get the Finns nowhere. He says the OpenSSH project has no intention of changing its name or even reacting to the threat. And as if to rub salt in the wound, the OpenSSH folk this week announced a new release of their software. Version 2.5.1 fixes some compatibility problems with the commercial SSH, furthering OpenSSH's push to outdo the proprietary version at its own game.

Maybe SSH Communications Security will continue to be profitable despite the existence of a freely available (and now completely compatible) version. The company seems faced with two options: It can pursue a costly legal attack with no guarantee of winning, and reap only negligible returns if it does win. Or it can back away, leaving OpenSSH an opportunity to call its bluff, thus drawing even more attention to the free software upstarts.

Somehow I think things would have been less messy had Ylonen not changed the SSH license in mid-stream. This is not a business practice worth emulating.

What do you think of the SSH-OpenSSH skirmish? Let me know in the TalkBack below.
