Information Security News mailing list archives

Ssh! Don't use that trademark


From: InfoSec News <isn () C4I ORG>
Date: Mon, 26 Feb 2001 13:11:05 -0600

http://news.cnet.com/news/0-1003-201-4933417-0.html?tag=tp_pr

By Robert Lemos
Special to CNET News.com
February 26, 2001, 3:30 a.m. PT

For security-conscious system administrators, three letters have
become a household word when it comes to securing remote computers:
SSH.

SSH, which is derived from the term "secure shell," is a set of
standards for encrypting the commands and data sent to a server from
an administrator's PC. It is widely used by Linux administrators and
others in the open-source community.

Yet the three letters also describe the original program developed by
Tatu Ylonen in 1995 and trademarked in March 1998. Now, as the founder
of SSH Communications Security, Ylonen wants others to stop using it.

"The use of the SSH trademark...is in violation of my company's
intellectual property rights, and is causing me, my company, our
licensees, and our products considerable financial and other damage,"
Ylonen, chairman of SSH Communications, wrote in a letter posted to a
developer mailing list in mid-February.

That letter has open-source developers and executives girding for
what could become a battle that helps define one of the prickly issues
surrounding open-source computing: How does a company retain control
over its products and still participate in the open-source programming
world? The same programmers whom SSH Communications is trying to woo
are the ones who, in its mind, are trying to co-opt its name.

In the end, both sides could lose if access to an important component
of Internet security and the good will toward SSH Communications
become casualties, say open-source and intellectual property experts.
It's also not a problem that seems destined to go away quietly.

"SSH has become a very important part of the Internet. It is required.
It is necessary," said Liz Coolbaugh, a founder and managing editor of
the Linux Weekly News, which follows the open-source community
surrounding the Linux operating system.

While she stressed that many in the community can understand the
issues that SSH Communications may have with several open-source
projects using the moniker, others are appalled. That's because the
open-source community has put a lot of time and effort into helping
Ylonen develop the program, Coolbaugh said.

"Open source is the biological environment in which their ideas were
produced, tested and debated," she said.

Enemy No. 1

Helsinki, Finland-based SSH Communications maintains two versions of
its SSH Secure Shell product, one it sells and one it gives away free.
But they carry neither the GNU public license nor one of many other
public licenses, which would make them open source.

The largest open-source project--and Enemy No. 1 for SSH
Communications in the trademark battle--is OpenSSH, an effort to
create a free open-source version of the product.

"The first time we heard about this issue was the beginning of
February," said Niels Provos, a graduate student at the University of
Michigan and a developer on the OpenSSH project.

Although the project has only been around since late 1998, OpenSSH has
based much of its work on a version of SSH that Ylonen released as
source code in 1995. Provos asserts the 1995 release came with a
public license, allowing it to be co-opted by open-source developers
for use in their projects. That was the same year Ylonen created SSH
Communications and a year before he even filed for a trademark.

"We are a bunch of people that do this for fun and to give people a
more secure way to access the Internet," Provos said. "We didn't
expect to get dragged into a trademark war."

SSH Communications hopes that such open-source projects will continue,
just without SSH in their name, said George Adams, CEO of SSH
Communications.

"We are not interested in killing any (project) or stopping
e-commerce," he said. "We are just protecting our trademarks."

Yet SSH Communications' enforcement may be too little, too late.

"Trademarks are like patents," said Wyatt Starnes, co-founder and CEO
of security software firm Tripwire. "They are only as good as your
ability to defend them. If you are not careful, they can lapse into a
quasi-public domain."

Least of its worries

Tripwire should know. In many ways, the company's flagship product,
also known as Tripwire, has a similar lineage. Created at Purdue
University in 1992, the data-integrity software was released freely in
the past. But when it was, the open-source community always understood
that Purdue, and then Tripwire, owned the intellectual property,
Starnes said.

"There were (outside) people who helped write the code in the Purdue
process," he said. "But there was explicit ReadMe code that stated
that both the trademark and the intellectual property were owned."

That confusion over the history of the enforcement of the trademark
may be the least of SSH Communications' worries. What could be a worse
indicator for the company is that many administrators use the term
"SSH" for any command-line interface that securely accesses another
computer.

"Regardless of its origins, the word has become the generic
description for this type of software," said Michael Bednarek, an
intellectual property attorney at Washington, D.C.-based law firm Shaw
Pittman. "As far as I can tell, there is no other name for it."

Bednarek asserts that SSH Communications inadvertently let the name
slip into the public domain, similar to how Bayer lost the trademark
to "aspirin" in the United States. "In many countries, Bayer has the
trademark for aspirin. But here they don't because it became the
generic term."

That could be a nail in the coffin for the SSH trademark, he said. "If
this were the type of thing that was litigated, SSH would have an
uphill battle."

Is it too late?

SSH Communications said it wasn't aware of the confusion in the
marketplace until the company recently started selling SSH Secure
Shell itself. Originally, SSH Communications used another company,
F-Secure, to sell the product.

But since SSH Communications took over sales of SSH Secure Shell, the
company asserts that it quickly became apparent that customers were
confused, thinking that the OpenSSH project was somehow affiliated
with the company.

"When this came to our attention, we realized we needed to properly
enforce our trademarks," Adams said. "I don't think it's too early or
too late."

Adams added that one organization that SSH Communications has
convinced is the Internet Engineering Task Force, the group
responsible for setting technical standards on the Net.

"They have agreed to show proper attribution," Adams said, adding that
the task force has adopted a non-infringing name, SecSH, for its
working group developing secure shell standards.

Yet others in the open-source community still call the standard by the
original "SSH" moniker.

And those open-source developers have been prolifically developing
software using the name "SSH." There's KSSH, a front-end to SSH for
the KDE desktop; ScanSSH, a network scanner using the SSH scanner;
FreSSH, a newer implementation of SSH; Nifty Telnet SSH, an SSH client
for the Macintosh; and SSHBuddy, a password manager for SSH.

All could be infringing the company's trademark.

But winning the battle could be a worst-case scenario for SSH
Communications, said OpenSSH's Provos.

"Tatu is a very respected person in the community because he provided
SSH for free and helped make the Internet more secure," Provos said.
"Now, no matter what the outcome, he loses a lot of public image."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

