From: Tatu Ylonen <ylo@ssh.com>
To: bugtraq@securityfocus.com
Subject: ScanSSH and infringement of SSH trademarks (open letter to Niels

[I'm sending this to bugtraq since Niels Provos's original ScanSSH
announcement was posted there.  However, please send follow-up
discussion to ssh@clinet.fi, as it does not belong in bugtraq.  To
subscribe, send e-mail to majordomo@clinet.fi, with "subscribe ssh" in
the body.  The original ScanSSH announcement is attached at the end
for reference.]


Dear Mr. Provos,

As you and other OpenSSH core members well know and have been expressly
notified earlier, SSH is a registered trademark of SSH Communications
Security Corp.  We do not permit unauthorized use of the trademark in
third party product names.

As you know, I have been using the trademark SSH as the brand name of
my SSH (Secure Shell) secure remote login product ever since I
released the first version in July 1995, and have consistently claimed
it as trademark since at least early 1996.

In December 1995, I started SSH Communications Security Corp to
support and further develop the SSH (Secure Shell) secure remote login
products and to develop other network security solutions (especially
in the IPSEC and PKI areas).  SSH Communications Security Corp is now
publicly listed in the Helsinki Exchange, employs 180 people working
in various areas of cryptographic network security, and our products
are distributed directly and indirectly by hundreds of licensed
distributors and OEMs worldwide using the SSH brand name.  There are
several million users of products that we have licensed under the
SSH brand.

We are also distributing non-commercial versions of our SSH Secure
Shell product under the SSH brand name, free of charge, for any use on
Linux, FreeBSD, OpenBSD, and NetBSD universities, as well as for use
by universities, charity organizations and for personal
recreational/hobby use by individuals.

The SSH mark is a significant asset of SSH Communications Security and
the company strives to protect its valuable rights in the SSH® mark.
SSH Communications Security has made a substantial investment in time
and money in its SSH mark, such that end users have come to recognize
that the mark represents SSH Communications Security as the source of
the high quality products and technology offered under the mark.  This
resulting goodwill is of vital importance to SSH Communications
Security Corp.

Your use of the SSH trademark in the name ScanSSH is unauthorized, as
is the use of our SSH mark in the product name OpenSSH (about which
you have been notified earlier).  I therefore ask you to immediately
cease this unlawful infringement of our trademark rights.  I have
previously asked you and other OpenSSH core people to change the name
OpenSSH to something else that doesn't infringe our rights and cause
confusion with our trademarks and brand name.

I now ask you to also change the name ScanSSH to something else.
Since you have already been notified of the trademark and have been
asked to cease the infringement of the SSH trademark, I can see no
other possible reason for your choice of this name than to
willfully damage our trademarks and brand name.

Yours sincerely,

   Tatu Ylonen
   Chairman and CTO, SSH Communications Security Corp

--
SSH Communications Security           http://www.ssh.com/
SSH IPSEC Toolkit                     http://www.ipsec.com/
SSH(R) Secure Shell(TM)               http://www.ssh.com/products/ssh

Date:         Sun, 11 Feb 2001 13:38:05 -0500
Reply-To: provos@CITI.UMICH.EDU
From: Niels Provos <provos@CITI.UMICH.EDU>
Subject:      ssh protocol vulnerability scanning
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

recent security problems in ssh protocol implementations require that
vulnerable ssh protocol servers be upgraded.  As an administrator of a
large network, it can be difficult to efficiently determine which
implementations of the ssh protocols are running on a network.

To solve this problem, I wrote the ScanSSH protocol scanner.  It
supports very fast and flexible scanning of large networks.

You can obtain the latest version from

   http://www.monkey.org/~provos/scanssh/

The ScanSSH protocol scanner is distributed under a BSD-license and
completely free for any use including commercial.  It has the
following features:

        - fast scanning of large networks
        - unique random address generation
        - network exclusion lists

The resulting output contains the version of the running ssh protocol
servers:

10.1.12.23 <timeout>
10.1.90.80 SSH-1.5-OpenSSH_2.3.2
10.1.87.85 SSH-1.5-1.2.27
10.1.35.139 <timeout>
10.1.11.92 <timeout>
10.1.84.7 SSH-1.5-OpenSSH_2.3.0
10.1.19.41 SSH-1.5-1.2.26
10.1.29.65 SSH-1.5-OpenSSH_2.3.2
10.1.14.1 SSH-1.5-OpenSSH_2.3.2
10.1.15.71 SSH-1.5-1.2.26

If you are responsible for a large network, this tool allows you to
scan your network frequently.  After scanning, for example, the output
can be piped through

    | grep -i ssh | grep -v "OpenSSH_2.3.[02]"

to find ssh protocol servers that need to be upgraded.

Regards,
 Niels Provos.
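
[Added example, not part of either message and not ScanSSH's own code: a stricter version of the filtering step described in the announcement. It splits each identification string into protocol and software version, compares the software version exactly against an allow-list, and reports timeouts separately. The allow-list contents, the function names and the last sample line are assumptions made for illustration.]

```shell
#!/bin/sh
# Triage scanner output of the form "<address> <banner or <timeout>>".
# APPROVED is an assumed allow-list: the two versions the announcement's
# grep filter treats as not needing an upgrade.
APPROVED='OpenSSH_2.3.0 OpenSSH_2.3.2'

# needs_upgrade: read scan lines on stdin and print
# "address protocol software" for every host whose banner is a valid
# SSH identification string with a software version not on the list.
needs_upgrade() {
    awk -v approved="$APPROVED" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Identification string: SSH-<protoversion>-<softwareversion>
        $2 ~ /^SSH-[0-9]+\.[0-9]+-/ {
            rest  = substr($2, 5)            # drop the leading "SSH-"
            dash  = index(rest, "-")
            proto = substr(rest, 1, dash - 1)
            sw    = substr(rest, dash + 1)
            # Exact match: a substring regex would also accept look-alikes.
            if (!(sw in ok)) print $1, proto, sw
        }'
}

# unreachable: hosts that returned no banner. Their state is unknown,
# so they belong on a rescan list rather than being counted as fine.
unreachable() {
    awk '$2 == "<timeout>" { print $1 }'
}

# Sample input: the ten lines shown in the announcement, plus one
# constructed last line that the substring grep filter would let through.
SAMPLE='10.1.12.23 <timeout>
10.1.90.80 SSH-1.5-OpenSSH_2.3.2
10.1.87.85 SSH-1.5-1.2.27
10.1.35.139 <timeout>
10.1.11.92 <timeout>
10.1.84.7 SSH-1.5-OpenSSH_2.3.0
10.1.19.41 SSH-1.5-1.2.26
10.1.29.65 SSH-1.5-OpenSSH_2.3.2
10.1.14.1 SSH-1.5-OpenSSH_2.3.2
10.1.15.71 SSH-1.5-1.2.26
10.1.0.99 SSH-1.5-OpenSSH_2.3.20'

printf '%s\n' "$SAMPLE" | needs_upgrade
```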

