From: Tatu Ylonen <ylo@ssh.com>
To: bugtraq@securityfocus.com
Subject: ScanSSH and infringement of SSH trademarks (open letter to Niels

[I'm sending this to bugtraq since Niels Provos's original ScanSSH announcement was posted there. However, please send follow-up discussion to ssh@clinet.fi, as it does not belong in bugtraq. To subscribe, send e-mail to majordomo@clinet.fi, with "subscribe ssh" in the body. The original ScanSSH announcement is attached at the end for reference.]

Dear Mr. Provos,

As you and other OpenSSH core members well know and have been expressly notified earlier, SSH is a registered trademark of SSH Communications Security Corp. We do not permit unauthorized use of the trademark in third party product names.

As you know, I have been using the trademark SSH as the brand name of my SSH (Secure Shell) secure remote login product ever since I released the first version in July 1995, and have consistently claimed it as trademark since at least early 1996.

In December 1995, I started SSH Communications Security Corp to support and further develop the SSH (Secure Shell) secure remote login products and to develop other network security solutions (especially in the IPSEC and PKI areas). SSH Communications Security Corp is now publicly listed in the Helsinki Exchange, employs 180 people working in various areas of cryptographic network security, and our products are distributed directly and indirectly by hundreds of licensed distributors and OEMs worldwide using the SSH brand name. There are several million users of products that we have licensed under the SSH brand.

We are also distributing non-commercial versions of our SSH Secure Shell product under the SSH brand name, free of charge, for any use on Linux, FreeBSD, OpenBSD, and NetBSD universities, as well as for use by universities, charity organizations and for personal recreational/hobby use by individuals.
The SSH mark is a significant asset of SSH Communications Security and the company strives to protect its valuable rights in the SSH® mark. SSH Communications Security has made a substantial investment in time and money in its SSH mark, such that end users have come to recognize that the mark represents SSH Communications Security as the source of the high quality products and technology offered under the mark. This resulting goodwill is of vital importance to SSH Communications Security Corp.

Your use of the SSH trademark in the name ScanSSH is unauthorized, as is the use of our SSH mark in the product name OpenSSH (about which you have been notified earlier). I therefore ask you to immediately cease this unlawful infringement of our trademark rights.

I have previously asked you and other OpenSSH core people to change the name OpenSSH to something else that doesn't infringe our rights and cause confusion with our trademarks and brand name. I now ask you to also change the name ScanSSH to something else.

Since you have already been notified of the trademark and have been asked to cease the infringement of the SSH trademark, I can see no other possible reason for your choice of this name than to willfully damage our trademarks and brand name.

Yours sincerely,

Tatu Ylonen
Chairman and CTO, SSH Communications Security Corp

--
SSH Communications Security http://www.ssh.com/
SSH IPSEC Toolkit http://www.ipsec.com/
SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh

Date: Sun, 11 Feb 2001 13:38:05 -0500
Reply-To: provos@CITI.UMICH.EDU
From: Niels Provos <provos@CITI.UMICH.EDU>
Subject: ssh protocol vulnerability scanning
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

recent security problems in ssh protocol implementations require that vulnerable ssh protocol servers be upgraded. As an administrator of a large network, it can be difficult to efficiently determine which implementations of the ssh protocols are running on a network.
To solve this problem, I wrote the ScanSSH protocol scanner. It supports very fast and flexible scanning of large networks. You can obtain the latest version from

http://www.monkey.org/~provos/scanssh/

The ScanSSH protocol scanner is distributed under a BSD-license and completely free for any use including commercial.

It has the following features:

- fast scanning of large networks
- unique random address generation
- network exclusion lists

The resulting output contains the version of the running ssh protocol servers:

    10.1.12.23 <timeout>
    10.1.90.80 SSH-1.5-OpenSSH_2.3.2
    10.1.87.85 SSH-1.5-1.2.27
    10.1.35.139 <timeout>
    10.1.11.92 <timeout>
    10.1.84.7 SSH-1.5-OpenSSH_2.3.0
    10.1.19.41 SSH-1.5-1.2.26
    10.1.29.65 SSH-1.5-OpenSSH_2.3.2
    10.1.14.1 SSH-1.5-OpenSSH_2.3.2
    10.1.15.71 SSH-1.5-1.2.26

If you are responsible for a large network, this tool allows you to scan your network frequently. After scanning, for example, the output can be piped through "|grep -i ssh |grep -v "OpenSSH_2.3.[02]" to find ssh protocol servers that need to be upgraded.

Regards,
Niels Provos.

--
SSH Communications Security http://www.ssh.com/
SSH IPSEC Toolkit http://www.ipsec.com/
SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh
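
The filtering step described in the attached announcement, written out as an added example that is not part of either message or of ScanSSH itself. It splits each banner into protocol and software version and compares the software version as an exact string; the function names are hypothetical, and the accepted versions are the two named in the announcement's grep pattern.

```shell
#!/bin/sh
# Constructed sample: the ScanSSH output lines quoted in the announcement.
scan_output() {
cat <<'EOF'
10.1.12.23 <timeout>
10.1.90.80 SSH-1.5-OpenSSH_2.3.2
10.1.87.85 SSH-1.5-1.2.27
10.1.35.139 <timeout>
10.1.11.92 <timeout>
10.1.84.7 SSH-1.5-OpenSSH_2.3.0
10.1.19.41 SSH-1.5-1.2.26
10.1.29.65 SSH-1.5-OpenSSH_2.3.2
10.1.14.1 SSH-1.5-OpenSSH_2.3.2
10.1.15.71 SSH-1.5-1.2.26
EOF
}

# needs_upgrade (hypothetical name): read "<address> <banner>" lines on stdin
# and print "<address> <protoversion> <softwareversion>" for every server whose
# software version is not among the accepted versions given as arguments.
# Banners are split as SSH-<protoversion>-<softwareversion>; the comparison is
# an exact string match, so "." never acts as a regex wildcard.
needs_upgrade() {
    accepted="$*"
    awk -v accepted="$accepted" '
        BEGIN { n = split(accepted, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 !~ /^SSH-/ { next }             # <timeout> and non-SSH replies
        {
            banner = substr($2, 5)         # drop the leading "SSH-"
            dash = index(banner, "-")
            if (dash == 0) next            # malformed banner, no software version
            proto = substr(banner, 1, dash - 1)
            soft = substr(banner, dash + 1)
            if (!(soft in ok)) print $1, proto, soft
        }'
}

# unreachable (hypothetical name): hosts that timed out and whose version is
# therefore still unknown; they need a follow-up scan, not a clean bill.
unreachable() {
    awk '$2 == "<timeout>" { print $1 }'
}

scan_output | needs_upgrade OpenSSH_2.3.0 OpenSSH_2.3.2
```

Timed-out hosts are reported separately because a plain grep for "ssh" silently drops them from the inventory.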