If The BSA Is So Sure Companies Would Pay For Software, Why Did It Use Free Webserver Software?

from the well,-look-at-that dept

We recently did another debunking of the BSA's latest laughable report on software "piracy" and its impact on the economy and jobs. We have to do this every few months, as the BSA continues to trot out the same laughable and debunked analysis, including the flat-out ridiculous idea that every unauthorized copy is a $1 for $1 lost sale. A few years ago, when a BSA VP and an IDC VP called me up to defend the report, they insisted that "their research" showed the $1 to $1 ratio was pretty accurate, arguing that companies who need software really want proprietary software, and that open source or other alternatives generally aren't what they're looking for.

Of course, most people know better than this, but a recent Matt Asay column highlights how more and more of the world moving to open source and cloud-based solutions could seriously change that equation. In it, there's a lovely tidbit about how the BSA itself doesn't seem to believe its own claims about open source software -- or even that good software is worth paying a license for:
Ironically, the BSA has discovered one of the few ways to "pirate" open-source software, and is apparently an advocate. The BSA's website apparently runs on Red Hat Enterprise Linux clone CentOS. Surely a license-respecting organization like the BSA would want to pay full freight for a RHEL license rather than undermine Red Hat by choosing CentOS? Evidently not.
Yes, so even in a case where the BSA itself can pay for a nice open source license, it chose to go with a free version instead. This is, of course, perfectly legal. But it seems pretty ridiculous that the BSA would claim that others wouldn't do what it seems to have done. That said, as you look into the details, it appears that the main BSA site does, in fact, run on Microsoft IIS (I'm sure with a nice license from BSA favorite member, Microsoft). The site that was claimed to be on CentOS was a separate "educational" (and I use that term loosely) site called b4usurf.org (gotta love the attempt to sound relevant using txt-spk). Oddly, I can't find any info on Netcraft about what that site now runs on. Anyone have a better way of figuring this out?


Reader Comments

  1.  
    abc gum, Sep 29th, 2010 @ 9:15pm

    Hypocrisy, the petrol of the highfalutin.

     

  2.  
    Gene (profile), Sep 29th, 2010 @ 10:07pm

    b4usurf.org looks like it is still CentOS, Apache, and even PHP (and rather old versions if the headers are correct):
    Server: Apache/2.0.52 (CentOS)
    X-Powered-By: PHP/4.3.9

     

  3.  
    Anonymous Coward, Sep 29th, 2010 @ 10:08pm

    http://www.securityspace.com/sprobe/probe.html

    Basic Information

    Site being probed: http://www.b4usurf.org/
    Web Server: Apache/2.0.52 (CentOS)

     

  4.  
    Anonymous Coward, Sep 29th, 2010 @ 10:39pm

    Heh, looks like version 2.0.52 is listed a bunch of times on Apache's vulnerabilities page. Lucky for the BSA, I'm not bored enough to mess with them. Now if they were the ESA...

     

  5.  
    Anonymous Coward, Sep 30th, 2010 @ 12:54am

    Re:

    Perhaps they are convinced they need to pay for upgrades and therefore don't?

     

  6.  
    Jose_X, Sep 30th, 2010 @ 4:53am

    not an open book

    People can run whatever they want inside their network, and, unless you exploit an unintentional opening, there is no way for you to know.

    And even the public facing servers (or proxies) can spit out whatever string info they want (though there might be other ways to guess better at the server type... keeping in mind it could be a custom brew very difficult to identify).

     

  7.  
    Anonymous Coward, Sep 30th, 2010 @ 5:48am

    Re:

    RHEL (and thus CentOS) tends to use older versions of software (well, they were recent when the distribution was released, but with support lengths exceeding 7 years, they get old pretty fast).

     

  8.  
    Anonymous Coward, Sep 30th, 2010 @ 5:50am

    Re:

    If it is CentOS (and thus has everything from RHEL), it probably has backported fixes for all these vulnerabilities (Red Hat prefers to backport the fixes instead of upgrading to a newer release). The version number becomes meaningless for vulnerabilities, unless you know the full package version number (2.0.52-1, 2.0.52-2, ...).

     

  9.  
    abc gum, Sep 30th, 2010 @ 5:56am

    Re: not an open book

    Not sure what the point is here.

     

  10.  
    Anonymous Coward, Sep 30th, 2010 @ 6:06am

    According to nmap, it's some kind of CentOS. They also have a public facing MySQL, which is weird. Anyway, this seems to be hosted at a public hosting service, so I don't think they actually built the site. What's very, very weird is that the site and the host are registered from Singapore. So apparently BSA doesn't care to provide work to Americans either.

     

  11.  
    Anonymous Coward, Sep 30th, 2010 @ 6:32am

    Cute! They don't even have the class to get the low-cost Red Hat Enterprise version with awesome support. Guess they don't need the support. But in defense of CentOS 5, we run it on a dozen production servers here simply because it works so damn well. I wouldn't change it if you paid me. What you forgot to ask is if BSA pays for support on CentOS?

     

  12.  
    Anonymous Coward, Sep 30th, 2010 @ 6:43am

    Just installed a new Dell with Windows Server package as an Internet and broadcasting server and it ran about $6,000 USD. It's too bad a lot of companies are locked into being Microsoft houses and are the ones that are picking up the slack (sadly) for Microsoft's sinking revenues. What used to be called the IBM money pit is now the Microsoft money pit. The one thing to be thankful for is now that Intel has reached the 4GHz limit on CPU speed, machines are no longer becoming obsolete in 2 weeks. We finally have 64-bit OSes and the slow Motorola Apple crap is now powering phones and pads where it belongs. We might actually begin to count on our hardware for longer than a day. Wondrous times ahead!!

     

  13.  
    Anonymous Coward, Sep 30th, 2010 @ 6:45am

    They probably use GoDaddy!

     

  14.  
    Anonymous Coward, Sep 30th, 2010 @ 6:45am

    They probably use GoDaddy!

     

  15.  
    Jamie, Sep 30th, 2010 @ 8:06am

    Fingerprinting web servers

    Mike -

    You asked how to check the web server/OS brand. Keeping in mind, of course, that software can easily be made to lie, do this from a command prompt:

    telnet b4usurf.org 80

    It will tell you about an escape character, and let you type things. Now, type this:


    HEAD / HTTP/1.0


    Followed by two (2) carriage returns. Most of the time, you'll see something like this:


    HTTP/1.1 200 OK
    Date: Thu, 30 Sep 2010 15:29:05 GMT
    Server: Apache/2.0.52 (CentOS)
    Last-Modified: Mon, 03 Apr 2006 05:47:11 GMT
    ETag: "8d47e5-509-526435c0"
    Accept-Ranges: bytes
    Content-Length: 1289
    Connection: close
    Content-Type: text/html


    That "Server" header is the one you're interested in.

    Again, web servers, mail servers, etc. can, and do, lie about what they are. You can get a more reliable idea of operating systems, sometimes, by learning to use nmap, and I'll leave that explanation to an nmap tutorial you can easily find online if you want to spend time on it.

     

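Added example, not part of Jamie's comment or any other comment in this thread: a Python audit of what a response header block discloses, run over the header values quoted above. It also applies the earlier commenter's point that a CentOS banner's upstream version says nothing about patch level because fixes are backported. The function names and the distro tag list are assumptions of this example.

```python
import re

# Constructed sample: the header values quoted in the comments above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 30 Sep 2010 15:29:05 GMT\r\n"
    "Server: Apache/2.0.52 (CentOS)\r\n"
    "X-Powered-By: PHP/4.3.9\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Version-disclosing headers and the setting that quiets each one.
HARDENING = {
    "server": "Apache: ServerTokens Prod, ServerSignature Off",
    "x-powered-by": "PHP: expose_php = Off",
}
# Distro tags whose packages get backported fixes (assumed list for this example).
BACKPORTING_DISTROS = ("centos", "red hat")
PRODUCT = re.compile(r"([A-Za-z_][\w.-]*)/(\d[\w.]*)")

def parse_headers(raw):
    """Return {lowercased name: value} for the header block of a raw response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_banners(raw):
    """List every product/version the response discloses and how to hide it."""
    disclosed = {k: v for k, v in parse_headers(raw).items() if k in HARDENING}
    banner_text = " ".join(disclosed.values()).lower()
    # A backporting distro anywhere in the banners makes all upstream
    # version numbers inconclusive for patch status.
    backports = any(tag in banner_text for tag in BACKPORTING_DISTROS)
    return [
        {"header": name, "product": product, "version": version,
         "backports_likely": backports, "fix": HARDENING[name]}
        for name, value in disclosed.items()
        for product, version in PRODUCT.findall(value)
    ]

if __name__ == "__main__":
    for finding in audit_banners(SAMPLE_RESPONSE):
        print(finding)
```

Where `backports_likely` is true, patch status has to be read from the installed package release on the host (for example `rpm -q httpd`), not from the banner.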

  16.  
    Svante Jorgensen (profile), Sep 30th, 2010 @ 10:54am

    B4USurf.org is fun

    I just love the mindless lies on B4USurf.org:
    Copyright infringement is stealing and is a serious offence that can attract criminal and civil penalties.

    Say what now?

     

  17.  
    AMusingFool (profile), Sep 30th, 2010 @ 1:12pm

    full nmap output

    Just for giggles:

    ~ (890) nmap -A b4usurf.org

    Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-30 16:01 EDT
    Interesting ports on mercury25.networknoc.com (203.117.89.34):
    Not shown: 990 filtered ports
    PORT STATE SERVICE VERSION
    21/tcp open ftp ProFTPD 1.3.0
    53/tcp open domain ISC BIND 9.2.4
    80/tcp open http Apache httpd 2.0.52 ((CentOS))
    | robots.txt: has 8 disallowed entries
    | /admin/ /contrib/ /doc/ /lib/ /modules/ /plugins/
    |_ /scripts/ /tmp/
    |_ html-title: B4USurf - Home
    110/tcp open pop3 Courier pop3d
    |_ pop3-capabilities: USER STLS IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING APOP TOP LOGIN-DELAY(10)
    143/tcp open imap Courier Imapd (released 2004)
    |_ imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA STARTTLS THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
    443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
    |_ sslv2: server still supports SSLv2
    |_ html-title: Default PLESK Page
    554/tcp open rtsp?
    3306/tcp open mysql MySQL 4.1.22
    | mysql-info: Protocol: 10
    | Version: 4.1.22
    | Thread ID: 992302
    | Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
    | Status: Autocommit
    |_ Salt: uuj4`ipu{,b.[`OKl]l+
    7070/tcp open realserver?
    8443/tcp open http Apache httpd 1.3.33 ((Unix) mod_ssl/2.8.22 OpenSSL/0.9.7e PHP/5.0.5)
    | html-title: 302 Found
    |_ Did not follow redirect to https://mercury30.networknoc.com:8443
    Service Info: Host: localhost.localdomain; OS: Unix

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 148.67 seconds

     

  18.  
    Anonymous Coward, Sep 30th, 2010 @ 9:02pm

    Actually, what's the point of this article?

     

  19.  
    Hephaestus (profile), Oct 1st, 2010 @ 8:46am

    Re:

    Thanks, great resource ... just pointed that at Techdirt

    Apache/1.3.33 (Unix) PHP/5.2.12 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7g

     
