Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Encryption Security

SSH Claims Trademark Infringement by OpenSSH 593

Olmy's Jart writes: "Tatu Ylonen has just posted the following message to the Openssh developers mailing list, openssh-unix-dev@mindrot.org. He is claiming OpenSSH, http://www.openssh.com, is infringing on his trademark on the terms "SSH" and "Secure Shell" and demanding that the OpenSSH project change their name." Thanks to Olmy's Jart for attaching the message - I've included it in the text below. The e-mail provides the background and thinking behind the letter.
This has not yet shown up on the OpenSSH mailing list archives, http://marc.theaimsgroup.com/?l=openssh-unix-dev&r=1&w=2, although some replies are already there.

==================================================

From: Tatu Ylonen
To: openssh-unix-dev@mindrot.org
Subject: SSH trademarks and the OpenSSH product name
Organization: SSH Communications Security, Finland
Sender: owner-openssh-unix-dev@mindrot.org

Friends,

Sorry to write this to a developer mailing list. I have already
approached some OpenSSH/OpenBSD core members on this, including Markus
Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to
bring the issue up on the mailing list. I am not aware of any other
forum where I would reach the OpenSSH developers, so I will post this
here.

As you know, I have been using the SSH trademark as the brand name of
my SSH (Secure Shell) secure remote login product and related
technology ever since I released the first version in July 1995. I
have explicitly claimed them as trademarks at least from early 1996.

In December 1995, I started SSH Communications Security Corp to
support and further develop the SSH (Secure Shell) secure remote login
products and to develop other network security solutions (especially
in the IPSEC and PKI areas). SSH Communications Security Corp is now
publicly listed in the Helsinki Exchange, employs 180 people working
in various areas of cryptographic network security, and our products
are distributed directly and indirectly by hundreds of licensed
distributors and OEMs worldwide using the SSH brand name. There are
several million users of products that we have licensed under the
SSH brand.

To protect the SSH trademark I (or SSH Communications Security Corp.,
to be more accurate) registered the SSH mark in the United States and
European Union in 1996 (others pending). We also have a registration
pending on the Secure Shell mark.

The SSH mark is a significant asset of SSH Communications Security and
the company strives to protect its valuable rights in the SSH® name
and mark. SSH Communications Security has made a substantial
investment in time and money in its SSH mark, such that end users have
come to recognize that the mark represents SSH Communications Security
as the source of the high quality products offered under the mark.
This resulting goodwill is of vital importance to SSH Communications
Security Corp.
We have also been distributing free versions of SSH Secure Shell under
the SSH brand since 1995. The latest version, ssh-2.4.0, is free for
any use on the Linux, FreeBSD, NetBSD, and OpenBSD operating systems,
as well as for universities and charity organizations, and for
personal hobby/recreational use by individuals.

We have been including trademark markings in SSH distributions, on the
www.ssh.fi, www.ssh.com, and www.ssh.org web sites, IETF standards
documents, license/readme files and product packaging long before the
OpenSSH group was formed. Accordingly, we would like you to
understand the importance of the SSH mark to us, and, by necessity,
our need to protect the trademark against the unauthorized use by
others.

Many of you are (and the initiators of the OpenSSH group certainly
should have been) well aware of the existence of the trademark. Some
of the OpenBSD/OpenSSH developers/sponsors have also received a formal
legal notice about the infringement earlier.

I have started receiving a significant amount of e-mail where people
are confusing OpenSSH as either my product or my company's product, or
are confusing or misrepresenting the meaning of the SSH and Secure
Shell trademarks. I have also been informed of several recent press
articles and outright advertisements that are further confusing the
origin and meaning of the trademark.

The confusion is made even worse by the fact that OpenSSH is also a
derivative of my original SSH Secure Shell product, and it still looks
very much like my product (without my approval for any of it, by the
way). The old SSH1 protocol and implementation are known to have
fundamental security problems, some of which have been described in
recent CERT vulnerability notices and various conference papers.
OpenSSH is doing a disservice to the whole Internet security community
by lengthening the life cycle of the fundamentally broken SSH1
protocols.

The use of the SSH trademark by OpenSSH is in violation of my
company's intellectual property rights, and is causing me, my company,
our licensees, and our products considerable financial and other
damage.

I would thus like to ask you to change the name OpenSSH to something
else that doesn't infringe the SSH or Secure Shell trademarks,
basically to something that is clearly different and doesn't cause
confusion.

Also, please understand that I have nothing against independent
implementations of the SSH Secure Shell protocols. I started and
fully support the IETF SECSH working group in its standardization
efforts, and we have offered certain licenses to use the SSH mark to
refer to the protocol and to indicate that a product complies with the
standard. Anyone can implement the IETF SECSH working group standard
without requiring any special licenses from us. It is the use of the
"SSH" and "Secure Shell" trademarks in product names or in otherwise
confusing manner that we wish to prevent.

Please also try to look at this from my viewpoint. I developed SSH
(Secure Shell), started using the name for it, established a company
using the name, all of our products are marketed using the SSH brand,
and we have created a fairly widely known global brand using the name.
Unauthorized use of the SSH mark by the OpenSSH group is threathening
to destroy everything I have built on it during the last several
years. I want to be able to continue using the SSH and Secure Shell
names as identifying my own and my company's products and
technologies, which the unlawful use of the SSH name by OpenSSH is
making very hard.

Therefore, I am asking you to please choose another name for the
OpenSSH product and stop using the SSH mark in your product name and
in otherwise confusing manner.

Regards,

Tatu Ylonen

SSH Communications Security http://www.ssh.com/
SSH IPSEC Toolkit http://www.ipsec.com/
SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh


"

Update: 02/14 02:44 PM by CT : I just wanted to insert my 2 bits into this story. This is a problem close to my heart: I hate getting tech support for PHPSlash. I don't care that it exists, in fact, I'm happy that it does, it fills a need and a lot of people like it. But there is no doubt that this is confusing to people, I get the bug reports to prove it. (My other peeve examples are Linux Mandrake taking a certain Linux developer's name even though they knew better, and the K5 guys naming their project 'Scoop' even tho another major Web site was created by a guy with the same name). I have no problem with any of these projects: I think all 3 of them are great projects, but if they were just a little more original there would be no confusion. Now I'd personally never go so far as to call copyright infringement, I shouldn't have to. We're all nice people here. Maybe I'm just a bit idealistic on this one.

This discussion has been archived. No new comments can be posted.

SSH Claims Trademark Enfringement by OpenSSH

Comments Filter:
  • It seems pretty obvious, at least among people posting here, that "ssh" is thought of as the name of a protocol first, a command second, and MAYBE a "brand name" after that.

    For marketing reasons, maybe SSH, Inc might be better off changing THEIR name to something less generic.

    On the "OpenSSH" side, perhaps instead of removing/changing the "ssh" part of the name, they could change the name to something like "OtherSSH" or "DifferentSSH" or something equally obviously "not the SSH, inc product".

    While I've got to give the guy credit for apparently writing his own cease-and-desist letters before shoveling money on lawyers, the wording of the letter posted to Bugtraq (as reported by this Newsforge article [newsforge.com]) didn't give me a good impression. In the last paragraph he writes:

    "I now ask you to also change the name ScanSSH to something else. Since you have already been notified of the trademark and have been asked to cease the infringement of the SSH trademark, I can see no other possible reason for your choice of this name than to willfully damage our trademarks and brand name."[emphasis added]

    Maybe this is just standard issue legal blather, but to a non-lawyerly person like me it sounds like he's completely refusing to acknowledge the established use of SSH as a "generic" description for things involving the SSH protocol, and instead claiming everyone using it is obviously just out to "get" him.

    My take, anyway...


    ---
    "They have strategic air commands, nuclear submarines, and John Wayne. We have this"
  • For the curious, the license is available at http://www.openssh.com/LICENCE [openssh.com]. Don't blame me, I didn't misspell LICENSE.

  • This sounds a lot like X10:
    1) There is an open standard by the name.
    2) There are many, many makers of the product.
    3) There is one company with the standard as the name.

    I don't see X-10 (the company, note, has a dash) going after everyone that uses the term "X10" on their equipment. In fact, when you say "X10" many people think of the company, NOT the standard. But can you use "X10" to describe your product? Would "OpenX10" be legal? Yes.

    SSH is a STANDARD. When I say SSH I mean the STANDARD, not the IMPLEMENTATION. He can trademark SSH all he wants, that just means that the company is SSH, it does NOT control what the binary can be called or anything derivitive. His TRADEmark is SSH. Fine. OpenSSH's TRADEmark is OpenSSH. Your point, sir?

    IN FACT, OpenSSH is different enough to NOT be "confusingly similar" to "SSH Communications, Ltd." so although he's experiencing some confused people heading towards him for OpenSSH support, that's just standard human idiocy flack and should be taken with a grain of salt.

    OpenSSH does not need to change its name. While I applaud the owner of SSH Com. for this approch rather than a full legal onslaught, I disagree with his position that OpenSSH is confusingly similar to his product.

    What next? Does he want the IETF standard renamed? Is that too similar? I agree with the second poster: this industry is getting more depressing as the days go by, as greedy people (not this fellow, really) hunt down their "IP" and try and milk it. <sigh>
    --
  • Score5???? For incorrect information as well!

    Amazing... Some people don't read the stories or the other posts. THE PROTOCOL IS CALLED SECSH. NOT SHH.

    Okay? Got it? SSH is an implementation of SecSH. OpenSSH is an implementation of SecSH. Clearly, OpenSSH is leaching off the brand and name that SSH has developed. Renaming it, as they are doing to OpenSecSH, solves all these problems, and the guy is happy with that.

    Crikes, why should SSH Communications have to spend time and money dealing with support for OpenSSH just because the person is confused?

    Imagine that the first car was a Ford Explorer. Along comes Toyota and calls their car Toyota Explorer. This is clearly not right. This is exactly the same.

    The guy has been in contact with them before to try and get them to change the name. He has not got sufficiently annoyed so as to post it on a public developers list as they will not change the name. Next step will be a lawyer, and this would not do the open source cause any good at all. He is being reasonable, think about the people who are not being reasonable?!

    I know the difference between ssh and openssh, so do you. But IT consultant X running 'ssh' on a Unix box doesn't know (or care) whether it is SSH or OpenSSH - but if something is funny, or goes wrong, the first port of call is SSH, not OpenSSH.

    So, the steps to be taken:

    1. Rename ssh in the /etc/services file to secsh - this applies to all operating systems
    2. Rename OpenSSH to OpenSecSH. Already done, look at http://www.opensecsh.org/
    3. Change references to ssh on all websites to secsh. Only mention ssh as an instance of the secsh protocol.
    4. Etc....
    Sorry if this is a little terse, and I doubt it will do my karma any good, but this is how I see the problem, and how I see the solution.
  • by xant ( 99438 )
    Shell Hopefully Having no Holes
    --
  • > The hardest part for most people would be learning to type "fresh" after their fingers are trained to type "ssh"

    "osh" would be easy to type: Open Secure Hwatever.

    Also note that it's not a "shell" in the ordinary sense anyway:

    #!/usr/bin/ssh-agent /bin/sh

    You could remove the SH part will little damage to the concept, IMO.

    --
  • Good point. A brief web search turned up arguments both ways. You are clearly correct about the timing; it was a trademark before WWI, and they lost a lawsuit attempting to protect it in 1921.

    It appears that it was more of a strange patent ruling than a trademark dispute; the patent the drug ran out in 1917, and with it -- the court ruled -- did the trademark. This ruling confuses me, but I guess we can excuse it because it is old.

    Check it out yourself at

    http://cyber.law.harvard.edu/metaschool/fisher/d om ain/tmcases/bayer.htm

    or just a quote:

    The most striking part of the label read, 'Bayer-- Tablets of Aspirin.' While this did not show any abandonment of the name, which there has never been, it did show how the plaintiff itself recognized the meaning which the word had acquired, because the phrase most properly means that these tablets were Bayer's make of the drug known as 'Aspirin.' It presupposes that the persons reached were using the word to denote a kind of product. Were it not so, why the addition of 'Bayer,' and especially why the significant word 'of'?


    So I fess up. I was talking outta my ass again. You were right in questioning me.
  • by bwt ( 68845 )
    Gee, "sh" certainly exists in the prior art. Perhaps he is thinking that "Openssh" is meant as Open-ssh, when it's obvious to us in the know that it is really Opens-sh, which sort of describes what it does in plain old english, which is surely not trademark infringement.

    I also note that he added 1 letter to a public domain program name -- "s" to "sh", wheres we added five "opens" to the same public domain program name.

    We're talking about a 3 letter trademark, two-thirds of which is derivitive. It really strikes me as phenominally bizarre to then claim that the addition of four more letters is not sufficient to avoid confusion. Out of 7 letters in "Openssh", four are new, two are prior art, and only one is really original. Basing a trademark infringement on reuse of one letter seems almost laughable. Worse, the letter is "s" - that's only a single crummy point in scrabble.

    I also wonder about the fact that openssh actually does have a common code base with ssh. Does that not afford it some licence to have a somewhat similar name. If a lot of the code actually is a licenced derivitive version of ssh, doesn't that implicitly grant you the right to have 42.85% of your name in common?
  • by Eric Green ( 627 ) on Wednesday February 14, 2001 @11:30AM (#433241) Homepage
    Diffie-Hellman requires that the base and modulus be publically shared between the two ends. So the base and modulus would not be secret in any event. A given base and modulus is supposed to generate a prime field. If it does, then the NSA can study it all they want and there will be no problem. If it doesn't, I want to know beforehand, not after the NSA discovers that a "probably prime" modulus and base that were dynamically generated at runtime generates repeating subfields (i.e., drastically reduces the shared key space) rather than a single prime field.

    The kind of "probably prime" number generators that can operate in real time are pretty lousy, in my opinion, and I'd much rather trust a known good modulus and base pair.

    -E

  • * secsh - secure remote sh - "kinda like running sh, but remotely"
    * seccp - secure remote cp - "kinda like running cp, but remotely"

    etc...
  • It's not like there haven't been many Secure SHell (ssh) products on UNIX for ages and ages. I remember using them on BSD 4.1 distributions back in the 1980s.

    If there's a trademark, it's yet another example of the USPTO causing trouble ... in this case, by taking a generic term and granting a monopoly on it to one (relatively) undeserving entity, rather than letting it continue to be a generic term. ("Personal Computer" comes to mind...)

    Too bad trademark law doesn't seem to incorporate "prior art" ... though of course, the USPTO doesn't seem to act according to its responsibilities in that context.

  • Honestly, since the command name will probably be the same regardless of the name the project uses (lets see them try to patent command names..)
    Trademark, not patent.

    It's not at all clear to me that one can't trademark command names. Is there any legal precedent on this? If you want to find out, try releasing a program called "Excellent Game" with command name "Excel" and see what happens.

  • There are a lot of RH7 cds out there. OpenSSH is finding its way into many places where commercial ssh will never go.

  • You still have to make it know that it's a mark... you can still protect what you do without registering the mark. THis is trademark, not patent.
  • Until then, I don't really think that he can trademark SSH because just like RSH and the others it's a standard acronym.
    More precisely, SSH and (more clearly) Secure Shell are descriptive terms, and, at least in the United States, that's grounds for refusal of the mark.
  • not everyone is going to be a security guru right off the bat, but until you actually are able to distinguish SSH from OpenSSH, then I'm not sure why it matters as you clearly haven't passed the minimum intelligence test to use either.

    Um, you don't get it. The point of the protocol is they're not supposed to be limited to security professonals, but to people without seignificant security experience and need to remotely access shells, graphical apps, perform secure copies, anbd secure FTP etc. I'd hate if anything `secure' was limited to security professionals. Wouldn't you? As you said, there's a whole heap of Telnet servers around and people who think its okay to use them (printer and router companies that don't use SSH give me the shits. They aren't security professionals. SSH discourages that behaviour.
  • What you are referring to is correct, it's called 'trade secret'. The recipe for KFC or Coke is a trade secret, and as long as it remains a secret, it can be protected quite extensively by the law. They could get the recipe back because it was possible to do so, as those who had it hadn't revealed it yet, in other words, it hadn't become public knowledge yet.

    If the recipe for coke was wide public knowledge, because coke 'ignored' a threat to it for a week ro two, and everyone in the country and every newspaper had a copy in it, then they could no longer claim *ANY* trade secret protections on it. It's no longer a secret.

    And no.. that has nothing to do with this case.
  • Well, those suggestions were mostly a joke. However, I'd point out that "GNU" is not considered to infringe on UNIX, so I think GNASSH would be considered safe as well.

    As for the ASS thing, I think you completely miss the cynical sense of humor that most people have. Admittedly, ASS is not a good brand name to establish yourself in the general populace, but it's probably a great name to establish yourself in the IT community.
  • Interesting point, but here are two areas which I think negate it's imporance

    1) the user links to rsh, not ssh. If ssh installed itself as rsh by default, then yes, that might be a problem (similar to if openSSH installed itself as openSSH, not ssh, so you were reminded every time you ran the program that it wasn't the official ssh).

    2) I doubt Berkeley has a trademark on rsh... it's just a minor util after all, and not an entire product, as in the case of ssh. If they had (or could) trademark the name of every minor unix utility, it would be nearly impossible to create a unix clone.

    Doug
  • Jesus H-Bomb Fucking Christ, this man is a hero, and lamerz who are either too young or too inbred to figure it out are treating him like a devil.

    Before ssh, there was nothing but telnet, an insecure nightmare. If the explosive growth of the Internet had occurred while administrators were still telnetting into their servers, we'd have many more owned servers, an exponental creep into darkness.

    So we have this fantastic tool, thanks to the work of one man, Tatu Ylonen. Now he's gone and turned this work into a product, and a company. You may not respect that, but you should respect this: without his work, we'd all be owned.

    So Tatu discovered fire, and he shared the fire, and then he asked people to bring him stuff to eat, in return for the fire. You may not like the last part, but you'd be eating raw whatever-the-fuck-it-is-you-just-caught in the dark without him.

    Whether you agree with the letter or not, you can tell he understood the issues and the community. He's trying to break this as lightly as he can, but he does need to break it, if he hopes to keep ssh (a name he created) for his product.

    As far as I'm concerned, this man was and continues to be a hero, so please just stop the ignorant criticism.

  • Encrypted Terminal [Session] : et, or ets
    Encrypted Terminal Connection, or rather, "so on to the next [box]": etc

    Or just "esh" for Encrypted SHell, because the security is never factual anyway.

    This is fun :)

    Just my 0,02 FIM
  • I'd be greatly concerned about any product called `secure Telnet'. Simple because I've been telling clients to uninstall Telnet and ban the protocols use within their networks for quite some time. I'm sure many other admins have too. `Secure Telnet' would make things confusing.
    Furthermore, that isn't what SSH does - Telnet is generally used (in sites I work at) to test SMTP and HTTP servers. SSH is used as a secure method of running shells, and graphical apps (Telnet should be avoided for the first and makes the second a headache). Telnet lacks file transfer mechanisms.
  • Seriously, the best suggestions I've seen so far (on linuxtoday, by the way) are:

    SHH - Shh! I'm talking to my computer

    FRESH - Free Remote Encypted Shell

    But coming up with a good name is the easy part, the hard part is determining if it's morally right for the author to attempt to enforce an IP claim on an IEC standard. IMHO, he should have enforced his claim *before* it was accepted as a standard, not after. Letting the standard be accepted without moving to enforce his claim should really be the same, legally, as putting the IP into the public domain.

    By the way, are you reading this, Scott, please take note.
    --

  • AFAIK, this is not a copyright issue. It's a *trademark* issue. Spare the juvenile flames [theaimsgroup.com].
  • > HSS - Host Secure Session

    There might be better names, but this one appeals to me: it's short; it's reminiscent of the 'less' is 'more' naming trick; and it combines a mild slap at ssh(tm) (for putting us through this) with a nod of recognition to its common origin. What's more, there is no way this can be confused with ssh(tm).

    It merits a place on the shortlist.
  • 1) This isn't patent infringement; it's a trademark dispute. They are *very* different.

    2) The original license on SSH, which OpenSSH is based on, states basically that the name 'ssh' should not be used if the derivative work is incompatable with the ssh protocols specified in the RFCs. This implies that it's OKAY to use the name ssh if you ARE compatable.

    3) Under trademark law, you *MUST* defend your mark. This mark is already highly dilute; there are many software packages known to the plaintiff here that use the ssh name, and he's known about openssh for quite some time.

    4) ssh is the name of a publicly available protocol as specified in the rfc's, and the name of the common unix command used to implement such a protocol, regardless of vendor. It's already diluted. THe common techie does *not* automatically associate 'ssh' with meaning 'the product from company X'. They mean the protocol.. just like ftp or anything else.

    That's why he can't enforce it.

    It's not about what we can get away with. If he wanted to protect the name he should have made it clear from the beginning, and that hasn't happened.
  • I just got a message yestersday from him saying that SSH2 had a reasonable license. Not for my uses. I suspect this little stunt will kill SSH for good. He had a monopoly on a very useful technology but tried to milk it for more than it was worth and that created OpenSSH. Had he not been greedy, he would have had a decent license, SSH2 would be wide spread and there would be no OpenSSH and he would have cornered the market. Now he will be competeing and with OpenSSH and I don't think he's going to win. This is going to turn out like CERN's http vs Apache.
  • Trademarks have to be protected, no matter how little you care, or else they will become invalid and anyone can use them. If he doesn't go after OpenSSH, tomorrow it'll be Microsoft using the name.
    So license "SSH" to OpenSSH already! Hell, license it for a dollar, under terms Microsoft or any other money-seeking interest will not accept, and be done with it! Trademarks are licensed all the time. GM [gm.com] had do pay Beretta Arms [beretta.it] about a million dollars to call one of their cars the "Chevrolet Beretta."

    --
  • I don't know why rusty named Scoop [kuro5hin.org] Scoop, but I do know that Slashcode isn't alone in getting support emails for PHPSlash :p

    Consider this email regardling PHPNuke [phpnuke.org]:
    "Subject: The best nuked site Ive never seen
    To: Kuro5hin.org Help
    Dear Sirs of Kuro5hin,

    Im journalist and Im new to PHP nuke.
    Ive been visiting many nuked sites and yours is the VERY best.

    I wonder if you could send my your theme files, not to use or copy it in my
    site, I dont have a site, just to learn to develope a good theme.

    Thank you very much, and sorry about my english.

    Best regards, ..
    "
    --
  • Linux Today: Tatu Ylonen requests OpenSSH to change its name
    Slashdot: SSH Claims Trademark Infringement by OpenSSH

    Linux Today: Quotes the letter.
    Slashdot: Links to it, surrounds it with summary like "demanding that the OpenSSH project change their name". At least there wasn't any color commentary for spin value this time, could be because Taco didn't post it.

    Look, it's SSH and it's more than three letters, it's basically the same damn product. The author (not his lawyers) is personally asking to change the name to something that causes less confusion with his product that came first. Yet people are ready to string him up for this, because the reporting of it practically has him banging his shoe and screaming and sending forth the lawyers.
    --
  • ssh is not telnet. telnet is a specific protocol, with lots of protocol commands and options. ssh implements none of them. you can't call any ssh implementation telnet any more than you can call it ftp.
    --
  • As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell".


    Sure looks like 'permission' to me.

    Errr he gave permission to derive work from SSH, and permission to call your project something other than SSH and Secure Shell.

    He did not give permission to infringe on the SSH trademark.

    Or are we reading a different bit of text?

  • We should put this on a Slashdot poll.

    Should OpenSSH be renamed to a name that does not include the term SSH?

    or maybe:

    New name for OpenSSH:
    • OpenXYZ
    • OpenThis
    • OpenThat
    • Keep the name
    • CowboyNeal
  • It is necessary to name executable "ssh" to make it compatible with scripts and other programs that intend to use the functionality of SSH protocol, so, trademarked or not, the reason to name executable "ssh" is not to create confusion but to provide actual functionality in a compatible manner. The name OpenSSH both reflects the functionality (open implementation of SSH protocol) and provides enough distinction to avoid confusion as much as possible.

    The fact that OpenSSH is a superior product is pretty much irrelevant to the issue, however it explains why OpenSSH is more popular then the original SSH now -- certainly users chosen it because they expected that it will work better and because of more liberal license, not because they thought that they are installing the original SSH.

  • I think you're missing a key aspect of the piece you quoted:

    I would thus like to ask you to change the name OpenSSH to ... something that is clearly different and doesn't cause confusion. ... The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product

    Tatu is being very disingenuous here, because it was entirely on the back of his original ssh1 that SSH the protocol became famous, and so his commercial sales of ssh2 are primarily a consequence of the so-called "confusion" (actually a mental association) with ssh1 and hence OpenSSH by his own admission in the mind of the buyer. Nobody buys ssh2 in isolation; they buy it because it is an implementation of the SSH protocol, and very commonly the decision is also strongly influenced by community support for the protocol which arose through using ssh1 and/or OpenSSH.

    In other words, it goes something like this. As a sysadmin at a commercial site, I hear from the open software and security communities that SSH the protocol is good. So, I look for an implementation, I try out either ssh1 or OpenSSH and I like it, then if I want support I buy the commercial version of ssh2 from Ylonen, otherwise I stick with ssh1 or with OpenSSH. These are all implementations of the SSH protocol, and the fact that there is a choice of implementations doesn't cause confusion --- it merely creates multiple associations, a "confusion" I "struggle" with every time that I want bread and have to decide whether to buy Sunblest or Hovis. Ssh1 and OpenSSH are no less an implementation of the SSH protocol than ssh2.

    [In fact, the only source of confusion that there has ever been was caused by Tatu himself when he created a new product and made it partly incompatible with the tool that he himself had earlier called "ssh".]

    OpenSSH through being similar to ssh1 continues to lay the groundwork on which Ylonen's commercial success is based, just like his old product did. Many people will buy ssh2 as a result of trying ssh1 or OpenSSH annd associating it with ssh2. It is utterly disingenuous that Ylonen should even think of preventing them from associating the SSH protocol with pre-ssh2 implementations when the whole existence of his enterprise is based on people's earlier associations between protocol and product.
  • I think my second-last paragraph addresses your concern... OpenSSH was derived from the original SSH according to it's license, and uses the SSH protocol. What does he expect people to call it?

    I've been slow to reply in this thread because I believe over top-level posts have said all I'd have to say anyway, but just to sum up, I think that using the term "SSH" in the name of a product that interoperates with computers using SSH is fair enough. I don't think it's confusingly similar at all (the Open is there for a reason). By allowing SSH to permeate the industry as a command name, and the name of a protocol (basically a noun - see this [slashdot.org] post), and leaving all of the products called *SSH* alone up to now, the trademark's already been diluted. Legal claims in the small print aside, I don't think he can fairly claim exclusive rights to *SSH*.

  • I use SecureCRT at work, PuTTY at home. SecureCRT does have a few more features, but it costs $100. PuTTY is fast, stable (more so then SecureCRT) and as has already been pointed out, tiny. I recommend it to all my customers. Get it at http://www.chiark.greenend.org.uk/~sgtatham/putty/ [greenend.org.uk]
  • I'll go out on a limb here:
    The original poster was not saying that the base and modulus should be generated in real time. That would be pointless. Rather, I think he was saying they should be generated per-machine or per-site. That way the benefit of 'studying' these values is minimized. Also, magic numbers are always undesirable in a cryptographic protocol. Even if you can't see any way they could be cooked.
    That's why Schneier used digits from PI for constants.
  • Oooh! I really like this one. Clever, humorous, and on top of all that, quite convenient to use.
  • this is exactly equivalent to the GIF trick, because he's waited until the OpenSSH name is well established before acting.

    Actually, there's one significant difference, and it's heavily in OpenSSH's favor. Unisys has a patent on LZW compression. Patents are legally binding at the discretion of the holder and may be prosecuted at will (or not) until they expire.

    Tatu has a trademark on the name SSH. Trademarks only remain valid so long as they are agressively protected. 3Com has a really funny page [3com.com] about this topic. Since Tatu has implicitly allowed numerous outside groups to use the SSH name, he's probably lost his claim to it already.

  • Except that OpenSSH supports both Protocols 1 and 2 and protocol 1 can be turned off and only older clients are still using version 1 by default. I think for a period of time you will need ssh1 around until those older version are phased out. I think he's just pissed he released it (v1) under an open license and then thought better of it and released a new product under a very different license and just wants people to move to the new non-free version.
  • Having fought through a cancellation of a registered trademark before, here are a couple of things one should consider:

    1. Is there a likelihood of confusion between SSH and OpenSSH? I'd say "yes" because they are similar products and the trademark "SSH" is contained in the name "OpenSSH". So not much of a chance for defending OpenSSH on the grounds of "no likelihood of confusion".

    2. Was Tatu the first to use the name "SSH" for a secure shell? If not, then there might be grounds for having his trademark cancelled on grounds of "application in bad faith". This is possibly in Germany, for example, for 10 years after the trademark has been applied for.

    3. Having not defended his trademark for four years, Tatu will have trouble getting others to drop the name "SSH" or combinations thereof. HOWEVER, this protects only existing uses of the name "SSH", not other individuals or companies using the name for future products. Also, while he have not have a case against the OpenSSH people, he might thereby have a case against companies like Red Hat or Suse distributing OpenSSH as part of their distributions, and definitely against companies that will be bringing out new Linux distributions in the future. If you have trademark case, you can go after everybody in the food chain. This can get messy.

    4. Tatu says he has registrations for "Secure Shell" pending. If someone feels that this name should be free, please contact a lawyer and have him send a nice letter to the respective trademark offices opposing the registration. NOW it is relatively easy to oppose the registration, LATER ON this will be much more difficult.

    5. Do any of the OpenSSH developers have sufficient funds to fight this through? This could be getting mighty expensive soon.

    This all said, I think the e-mail this guy sent has been very polite and not the typical lawyer-attack letter. Either he's just polite and interested in finding a solution, or he knows he's on shaky grounds.

    I put this together just to show you what's possible. If Tatu is in his right to use his trademark, then work out a solution. If there are legitimate reasons for keeping the name "SSH" free, then go ahead and defend against it!

    As always, IANAL, but I won a trademark lawsuit before.

    -Martin

  • by lpontiac ( 173839 ) on Wednesday February 14, 2001 @03:09AM (#433361)
    SSH Connection Protocol [ietf.org] (36516 bytes)
    SSH Transport Layer Protocol [ietf.org] (53476 bytes)
    SSH Authentication Protocol [ietf.org] (26537 bytes)
    SSH Protocol Architecture [ietf.org] (27345 bytes)

    All of these documents are published on the IETF website. All of these documents cite Mr. Ylonen as an author. And all of these documents describe the SSH protocol. Not the "secsh" protocol - they consistantly refer to the discussed protocol as "SSH."

    It's clear that "SSH" is the common name for the protocol that OpenSSH uses. Furthermore, by putting his name on a standards document that doesn't refer to the protocol by another name, surely he's endorsing this common use of "SSH"? And surely by publishing an open standard that in itself makes no claim to the name (I don't see the documents referring to the "SSH (R)" protocol), he should be relinquishing all exclusive rights to the name as a means of describing the protocol?

    I don't see how OpenSSH could be construed to be deceptive in any way. It's derived from the original SSH in accordance with it's license, and interoperates with other computers using the SSH protocol. To turn around now and claim it's trademark violation which deceives the consumer, is analogous to Microsoft saying that "Word Viewer" is a trademark violation. Actually, it's closer to the Regents of the University of California accusing FreeBSD of trademark violation.

    At best, it doesn't make sense. At worse, it's a deliberate and deceitful attempt to stab the people that are using the protocol (whose name he gave his blessing!) in the back.

  • This letter is the nicest cease and desist I've read. Probably because it wasn't written by lawyers who usually say something like "stop doing this right now and we'll probably sue you anyway. Deliver us your first born child or I'll generate 80 billable hours this week to bring the wrath of our perverted court system down upon your ass."

    This letter contained every nicety but "Wishing you and yours well in the coming New Year(tm)".
  • You can't trademark a number. This is why Intel named the processor Pentium. They discovered in court that Cyrix can call their chip 386's, and 486's without problems.
  • Of course, I feel that RMS ought to use the term "liberated software" to avoid the whole "free beer/free speech" issue, but that's another story....

    That is not such a good idea.

    "Liberated" is slang in many areas for "procured by illicit means" (e.g. he "liberated" a pack of cigarretts from the local five and dime). To many "liberated software" has an unsavory implication of "warez."

    The Free Speach/Free Beer discussion is IMHO a good one ... it forces people to think about what freedom and free really mean, and allows an easy and natural avenue for pointing it out to those less aware.

    ObSSH: if the SSH trademark should be enforceable (which I doubt, given that "ssh" is the name of an IETF standard, the original license allowed derivative products to use the term "ssh" as long is such products adhered to the RFCs, and OpenSSH has been using it for over a year now) I think your suggestion (Fresh) would be an excellent choice.
  • Or perhaps

    SNS - SNS's Not SSH

  • by nakaduct ( 43954 ) on Wednesday February 14, 2001 @03:29AM (#433376)
    [in addition to SSH, I] also have a registration pending on the Secure Shell mark. ... I want to be able to continue using the SSH and Secure Shell names as identifying my ... products and technologies,

    Well then, Mr. Secure Shell, what should we call it? Trademark law essentially prohibits trademarking nouns (and, in fact, you can lose the trademark if it's commonly used as a noun). Thus you have Tylenol-brand pain reliever, Rollerblade-brand inline skates, and so on. If there's no common noun to describe your product other than its trade name, then you don't get to keep the trademark. A quick search will turn up [ladas.com] lots of tidbits like this:

    it is imperative that trademarks be used in advertising copy as adjectives, never as nouns or verbs
    In the letter, he repeatedly uses both SSH and Secure Shell as nouns. He called it a "secure remote login product" a couple of times, but that's inadequately descriptive. "Tylenol-brand pain reliever" is OK; "Aspirin-brand pills" is not.

    It seems to me this guy wants to erase, or at least obscure, the excellent free replacement that's made his product irrelevant.

    Going forward, and in the interests of bringing closure to this pressing issue, I'd suggest Mr. Ylonen piss up a Rope(TM)-brand rope.

    cheers,
    mike

  • by miracle69 ( 34841 ) on Wednesday February 14, 2001 @03:30AM (#433378)
    Great name.

    I'd also like to comment about the other postings in this thread. There seems to be about 90% of the 2+ posters talking about how he didn't defend his trademark initially, so screw him. OpenSSH should stay. May I ask these posters what the reaction would've been had he done so initially? Exactly. Same negative reaction.

    There are also a few who have noted that this isn't a letter from lawyers. It is written by a person who understands and even has contributed to the very open source community he is appealing to. I suggest that these facts are taken into consideration.

    My observations are these:

    1) This guy isn't a lawyer.
    2) This guy helped create openSSH.
    3) This guy didn't care about the use of the name OpenSSH until his customers started getting confused.
    4) Free projects change their name fairly regularly without losing a users.
    5) He wrote a reasonable and non-lawyer request to a group asking not for them to cease and desist design and implementation of their program, but for a name change.

    It seems like a reasonable thing to do to change the name.
  • by rkasper ( 114894 ) on Wednesday February 14, 2001 @03:31AM (#433379) Homepage
    Check the USPTO trademark database. My search for "ssh" turned up a few hits [uspto.gov]. There's one match for a withdrawn trademark application on the word "SSH" [uspto.gov]. Since the application was withdrawn, he has no claim.

    There's a live claim on an SSH logo [uspto.gov]. This one is valid. It prevents others from using the logo. It doesn't prevent others from using the word "SSH".

    There are a few other SSHs of no significance to this issue. His claim that OpenSSH infringes on his trademark is BS.

  • by s.a.m ( 92412 ) on Wednesday February 14, 2001 @03:33AM (#433382) Journal
    Well I think that his complaint can be a valid one. When most people in the *nix world are thinking about ssh, most of the people I've talked to think of OpenSSH. They, being the SSH Communications Security Corp., are losing business that they could have gotten from corporations if they were to use their, SSH Communications Security Corp., ssh program which implements the ssh2 protocol.

    "I have started receiving a significant amount of e-mail where people are confusing OpenSSH as either my product or my company's product, or are confusing or misrepresenting the meaning of the SSH and Secure Shell trademarks. I have also been informed of several recent press articles and outright advertisements that are further confusing the origin and meaning of the trademark."

    As you can see here he's loosing business to a group who have implemented the ssh2 protocol, with a much better nicer and less restrictive license than theirs.

    As others have said, if you don't protect your trademark then you loose the ability to enforce it. He's published the protocol under the name of ssh. Now that word just also happens to be the word that they patented. My question is if the word is now used to label something that is implemented in public domain and is avaiable from a standards comittee such as IETF, how the hell can you still use it in a trademark?

    "we have offered certain licenses to use the SSH mark to refer to the protocol and to indicate that a product complies with the standard."

    It seems to me that his company has allowed the use of the name and if I'm not mistaken, the OpenSSH group got their name from the protocol and not from the originating company. It was not explicitly stated that the name of the protocol couldn't be used in the name itself. If this is the case, then they should be allowed to keep their name as it stands.

  • > The OpenSSH 'product'?

    Excuse me, did OpenSSH spring fully-formed from a random configuration of bits? Of course not. Ppl worked on it, made it, distributed it. Therefore it's a product, as in "something produced". The fact that it's free is neither here nor there; nor is the fact that bcos you haven't paid for it, you don't consider it a "product". As an example, you haven't paid for songs downloaded from Napster, but these songs are still the product of the music industry.

    And why is there a requirement to know how the thing works? All the newbie user needs to know is that SSH improves security. Are you claiming that you don't deserve a secure system until you're reached a certain level of experience?!

    Grab.
  • by stripes ( 3681 ) on Wednesday February 14, 2001 @03:34AM (#433386) Homepage Journal

    As far as I know the IETF doesn't like people publishing RFCs for technology that is patented, but they don't seem to have a similar policy for RFCs for protocalls that have a trademark infringing name, and no useful open use of the mark. Or do they and it was violated with SSH?

    SMTP is the protocall, sendmail is the program and trademark. DNS is the protocall, bind is the program, and if there is a service mark it is bind, not DNS.

    Why should SSH1/SSH2 be accepted as an open standard if nothing can be named that (or the very similar OpenSSH)?

    I do think there are acceptable uses of a trademark on protocall names. If the trademark were used to make sure nothing was called "RADIUS" unless it implmented all the MUST parts of the RFC, none of the MUST NOT, and provided a argment on why SHOULD/SHOULD NOT wasn't followed, then I'm all for it. In that case the mark is actually protecting the word. For SSH the mark is being used after the fact to un-level the playing field.

  • Back in the days of yore, DEC had a lovely slogan Isn't every computer a Digital computer? Digital as a logo was rigidle protected but you could still talk about digital computers in general.

    A secure shell (note the absence of capitals) is just that. It is a description and could be equated to Boeing trademarking "jet fighter". Ok, so OpenSSH has to change, but the commands shouldn't, neither should the description.

  • by Fjord ( 99230 ) on Wednesday February 14, 2001 @04:48AM (#433389) Homepage Journal
    1) If you didn't want people to hack on the code, why did you initially release it under a license that allowed that? It can't be retroactively retracted, y'know...

    2) The OpenSSH team doesn't need your approval; you in effect gave them your approval when you licensed it as you did (see 1).

    It's pretty clear from the whole text that this is not his gripe. He doesn't care that they are hacking the systema and he knows he gave them that right with the license. What he cares about is that it "is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product". The paragraph you quited talks about how the cofusion is worse. This all related to the same thing. They are using the SSH trademark, and there are actualy damages in the confusion because customers continue to use the older code thinking it's an equivelent product.

    In short, I doubt he would mind them continuing to use the old code base, as long as they change their name.

  • I'd guess that SSH Corp. has a problem on its hands if the version of ssh that they released to the open-source community with no strings attached to form the basis of OpenSSH compiles to a binary called "ssh", and if the source tarball itself is called "ssh".

    When Netscape and Sun released major products in open source form, they took some time to change the program's name. Netscape released "Mozilla" to the community, not "Netscape Communicator". Sun released "OpenOffice", not "StarOffice'. The trademark holders retained their "product" and opened up the source to an identical thing with a different name.

    That the IETF RFCs authored by Mr. Ylonen specifiy protocols called "ssh" doesn't help his company's belated case.

    At least he's trying to be civil about it.
  • Whether or not they can isn't the point. What he is saying is that continuing to support SSH1 is a Bad Idea. Kinda like saying continuing to drive a Ford Explorer with Firestone tires is a Bad Idea.

    Can he stop them? No.
    Do they have every right to continue supporting it? Yes.
    Is it a good idea to continue supporting it? I don't think so.
  • I'd say this guy is well within his rights

    Except this term is descriptive -- ssh is an acronym for "secure shell", clearly derived from the traditional "remote shell". While it's possible to trademark descriptive terms, they tend to be much much weaker, and do *not* protect against other descriptive use of the term.

    --

  • I don't know about you, but I am suddenly thinking about Mentos.

    Get FRESH!

  • As opposed to some of these silly things like RAMBUS trying to sue everyone for profit, I think Tatu is right. And he handled it in a very professional and thoughtful manner. Customer confusion can be a major PIA.

    He tried to be discreet, and he says he got no exposure, so he posted to all the developers.

    I can relate sort of. A few years ago I developed a digital lock product using Dallas iButtons [ibutton.com] It was intended for residential customers to unlock their houses at the touch of a button. I searched the net extensively trying to see if my preferred name (DigiLock) was used elsewhere. I came up empty. I didn't trademark it myself because we were a small company and I just did want the trademark hassle.

    Well, about a year later, I start getting emails and calls from people asking if I sold a DigiLock that would secure a gym locker or cabinet. At first I thought they were confused. Well, eventually, I got someone inquiring to tell me more and eventually found a company that sold locks you could mount on cabinet and locker doors that also used iButtons. They called it the DigiLock and TM was all over the website. Sure enough - a check of the trademark website (which wasn't nearly as useful when I first developed my product) turned up that that company had a trademark for that name and they got it like 6 months before our product was released.

    Our products were too close and I honestly didn't want to deal with all the folks inquiring about a product I didn't sell. So I changed the name to something I knew wasn't trademarked. Simple enough and my customers accepted the change easily when we publicized it.

    Bottom line is - he's dead on about the added aggrevation dealing with confused customers because of a name.

    I vote for secsh.

    --

  • by Simon Tatham ( 66941 ) on Wednesday February 14, 2001 @03:42AM (#433399) Homepage

    The protocol is called SSH. Now it's obvious that people will want to name their applications after the protocols they implement. So: either Tatu should have named his app and his protocol differently, and trademarked the app name only; or he shouldn't have trademarked the name. If he'd trademarked the app name only, OpenSSH would have named itself after the protocol and there'd have been no problem.

    Releasing a supposedly "open" protocol and then trademarking the name is an evil business practice, because it means that only Tatu is allowed to name his implementation in the obvious way. It's the trademark analogy of the GIF trick: releasing a supposedly "open" file format and then patenting the only known algorithm that can generate it.

    In fact, this is exactly equivalent to the GIF trick, because he's waited until the OpenSSH name is well established before acting. If he'd had a polite word right when OpenSSH was starting out, they'd probably have released it under a different name initially and nobody would have a problem now. But by waiting until they're established and then complaining, he's trying to force the change of a name people are used to - which will do harm to OpenSSH.

    If Tatu were genuinely concerned about brand recognition, he would have (a) arranged that the protocol name could be used without restriction, instead of deliberately making it the same as his brand name; and (b) he would have notified OpenSSH at a more appropriate time. Given that he's done neither of these, it seems to me that he's using this trademark as a weapon, not a legitimate form of protection.

    (Disclaimer: this is a moral position, not a legal one. The law will probably not recognise arguments like this. If so, the law needs fixing.)

  • by Chris Pimlott ( 16212 ) on Wednesday February 14, 2001 @04:54AM (#433400)
    This the first paragraph from the COPYING file of ssh 1.2.12, the last "free" version of ssh which OpenSSH is based on.

    This file is part of the ssh software, Copyright (c) 1995 Tatu Ylonen, Finland


    COPYING POLICY AND OTHER LEGAL ISSUES

    As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell".


    I find this interesting. By specifically saying when the terms "ssh" and "Secure Shell" can _not_ be used, it is in effect saying that use of these terms in a derivitive work is acceptable (in fact, what better way to show that OpenSSH is derived from SSH that including SSH in the name?).
    Moreover, this version was released in November 1995, before either term was registered and before December 1995, when SSH Communicatins Corp. was founded.

    I can see him politely asking OpenSSH to change the name, but I can't see that they would be required to do so.
  • OpenSRL (SecureRemoteShell)

    OpenCS (CryptoShell)

    OpenSRC (SecureRemoteConnection)

    OpenSRSH (SecureRemoteSHell)
  • The guy creates a product. The guy builds a business around his product. Other people use the product to create a different product of their own.
    You missed out sentences 2 and 3: "He releases it under a Free license. That free license helps it to gain popularity." He's already given away his right to limit modification and redistribution (and by doing so, gained a vast amount of uptake for his product). He can't now take that back. It's like a bank offering zero-interest 5-year loans, then saying "hang on, this is damaging our business, you have to pay us interest after all".
  • by DeadSea ( 69598 ) on Wednesday February 14, 2001 @04:55AM (#433403) Homepage Journal
    Names do not have to be functional. Sun gets pissed off when people use Java in the name of the product just because it was written in Java, and rightly so. It makes no sense to me that people name their products/websites things like WinSoAndSo, XWidget, EShop, or JavaInvaders.

    Does Ebay have the word 'auctions' in its name? Does Yahoo use the word 'directory'? You can name your product something off the wall, and people will pick up on it.

    Name your stuff creativly. It doesn't hurt and you won't be crowding in on somebody else's brand image. (Its called creating your own hype folks.)

  • by Anonymous Coward
    can we please stop confusing copyright and trademarks?
    there is no such deed as 'copyrighting something'. copyright is an intrinsic right you get by the mere act of creating whatever you did, be it music, text, image, ...
    copyright does not require the author to do anything special to have it. nor does he have to actively and generally protect it. he can sue whoever he wants whenever he wants, independently of the actions he took towards previous 'infringements'.

    now trademarks on te contrary are an entierly different class of IP. a trademark is a sign or a word or a phrase that someone went out and got registered (like in this case).
    contrary to thecopyright holder, a trademark holder is required to actively defend his mark. failure to do so may lead to the trademark being lost.

    this isnt meant to specifically flame the parent post here, but im growing sick and tired of people making silly claims about what an IP holder should or shouldnt be doing if they dont even understand the very basic differences between the different types of IP.

  • Comment removed based on user account deletion
  • by jrennie ( 79374 ) on Wednesday February 14, 2001 @05:08AM (#433413) Homepage
    Do you honestly think the first course of action this guy would take would be to send an e-mail to a semi-public mailing list? Of course not, as he said, he has contacted those who initiated openssh. Apparently, they have refused to change the name, so he's doing what he can to avoid getting lawyers involved. SSH is *his* trademark and he has a right to protect that trademark.

    He must actively defend his trademark and he must send out notices and take legal action "quickly," but the definition of "quickly" can depend heavily on the circumstances. If someone started a national advertising campaign for openssh, he would need to react within a few months or weeks in order to not lose his copyright due to inaction. However, for a case where an infringement is lesser known and less publicly known, I'm sure judges generally allow for a longer period of time before action must be taken. If Tatu sent out notices to the main openssh developers shortly after he learned of openssh, then I think it is very safe to assume that he would win any copyright battle in court.

    Jason
  • Does Ebay have the word 'auctions' in its name? Does Yahoo use the word 'directory'?

    eBay's original name was AuctionWeb. eBay was the guy's ISP's name, which he bought out when his site became popular.
  • I'm not sure what you're asking...

    The term 'cola' is not trademarked... so the 'cola' part has nothing to do with it.

    Trademark only protects your 'mark' in a given 'trade' (hence the name).

  • by Fervent ( 178271 ) on Wednesday February 14, 2001 @06:05AM (#433429)
    He didn't enforce his trademark for the last year and a bit

    Bullshit. So me and a bunch of hardware hackers build a new machine, calling it an "OpenApple". We sell them out of our garage for close to a year, until finally they become so popular that most of the computer industry picks up on it, including Apple itself. Apple now files a complaint.

    How could the original SSH guys possibly know how big a breadth OpenSSH would get in a year? It's just a bunch of hackers, after all. Not a definable company.

  • by Shimbo ( 100005 ) on Wednesday February 14, 2001 @05:17AM (#433433)
    I note that they all explicitly acknowledge the SSH trademark.

    "SSH is a registered trademark...These trademarks may not be used as part of a product name or in otherwise confusing manner".

    It's always bad news when the name of a product derives from its canonical implementation. It's not a BFD though - Samba is none the worse for a forced name change. At least with trademark infringment, nobody stops you hacking the code. If the name matters so much to them, I say let them have it.

  • by Col. Klink (retired) ( 11632 ) on Wednesday February 14, 2001 @04:04AM (#433435)
    - actually reading the letter doesn't give the impression that the author is "demanding" the name change. He states he is "asking" twice. Yet the comments from slashdot readers are talking about "litigation," "demands," etc.

    I guess you missed this part:

    Some of the OpenBSD/OpenSSH developers/sponsors have also received a formal legal notice about the infringement earlier.

  • by Kwantus ( 34951 ) on Wednesday February 14, 2001 @04:17AM (#433448)
    it just seems he is bitter because openssh hasn't had the same security holes as ssh

    Uh, yeah, that's why he complained about the security problem in older forms of both products and how OpenSSH is prolonging their lives.

    I'm sorry; I read his letter; he's not asking OpenSSH to stop development, quite the contrary; he's just asking that they change the name enough that his company isn't put to expense and ... what should I call it, faceloss? ... damage to reputation ... getting inquiries or support calls or misleading journalism because of the consequent confusion. He even asks very nicely. I have no grand philosophical problem with his request; if I had any standing with the OpenSSH project I'd say "let's change the name".

  • by deaddog ( 75387 ) on Wednesday February 14, 2001 @06:09AM (#433449) Homepage
    Wouldn't that make it "OpenASS"?
    --
  • by Watts Martin ( 3616 ) on Wednesday February 14, 2001 @04:26AM (#433465) Homepage
    If you look at ssh.com, you'll see "SSH (R) Secure Shell tm." "(R)" means, I wish I had any rights to reserve.

    No, "R" means "registered." After a trademark has been in use for two or more years (with the "TM" mark), it can be registered with the patent and trademark office; until it's officially approved it's "trademark pending"--which indicates the process is underway.

    Simply using another name isn't going to kill anyone. "FreSH is a free, open source implementation of the SSH2 protocol." Bam. (The hardest part for most people would be learning to type "fresh" after their fingers are trained to type "ssh"... although on second thought, you know everyone's going to just make a symbolic link to "fresh"--or whatever it's called--from "ssh" anyway.)

    People in the open source movement are very good at standing on principle, or at least shouting on it, but there are times I think they should be a bit more willing to accept "be courteous" as a valid principle, too. "Technically we can do this, so screw you, corporate whore" may give you a warm fuzzy feeling, but it's an attitude which quashes useful communication.

  • by Ektanoor ( 9949 ) on Wednesday February 14, 2001 @04:36AM (#433485) Journal
    In a market point of view while I wouldn't blame the author for restricting the use of SSH, I would clearly note that the term "Secure Shell" is less of being considered as a trademark. Sorry Mr. Ylonen but morally you are incorrect on the whole. You also once took the term "Shell" and "SH" from somewhere right? Let us note that these things are "Remote Shell" and "RSH", a UNIX system for remote use. So your restriction is, in a moral point of view quite incorrect.OpenSSH people is doing the same you did some years ago. And don't tell me these things are different. Look back at those times before you started building the Corp.

    But let's forget this point and restrict to the money one. SSH Corp., (TM) as we see, is loosing money. So, we may understand they wish to avoid confusions with those who are, _potentially_, hitting their pockets. So it may be understandable that SSH wants to restrict its name. But there is a problem here. Also, in economical terms, SSH didn't do a bunch to secure its own name during all these years. So now "SSH" AND "Secure Shell" are terms of use. Much like "telnet", "ftp", "http". The only to blame here is Mr. Ylonen himself. Well we may give out SSH back to the owner if he wishes to. However the term "Secure Shell", a composition of two common words and being a technical derivate of "Remote Shell" conceptions is harder to give out. Meanwhile it is an established technical concept. Restricting such term for private use is a serious demonstration of being very unfriendly to a huge community of users and developers.

    Mr. Ylonen is not only securing a trademark but also creating hassles in hows and whens of the use of a technical concept. By trademarking this concept he is forcing people to create other namings and conventions. This will break a continuity of the use of these namings and conventions on technical docs, manuals and products. Whishes he this or not, he is doing more damage then use. Frankly, this may be the real killer of the SSH mark as people may choose other namings and conventions to avoid such selfish consideration of his own value.
  • by Paul Crowley ( 837 ) on Wednesday February 14, 2001 @04:40AM (#433489) Homepage Journal
    Misdesign of the USPTO database means I can't follow your link; everyone will have to do their own search. Oh well, that they're idiots we knew.

    However, it looks as if the one relevant live trademark, held by "SSH Communications Security", is I think meant to cover the name as well as the logo: thus the opening line "Word Mark: SSH" and the "Mark Drawing Code: (5) WORDS, LETTERS, AND/OR NUMBERS IN STYLIZED FORM".
    --
  • by TheWhiteOtaku ( 266508 ) on Wednesday February 14, 2001 @01:39AM (#433498) Homepage
    Isn't it obvious what they can gain? (Hint: it starts with "m" and ends with "oney")
  • by kieran ( 20691 ) on Wednesday February 14, 2001 @01:42AM (#433506)
    My one objection to this is the obvious: isn't it a little late to start complaining? He doesn't mention when he first got around to asking the developers about this, but OpenSSH has been around for a while.

    That said, if the developers are willing I wouldn't have any great problem with a name change. Perhaps "ossh"? *shrug*
  • by sharkticon ( 312992 ) on Wednesday February 14, 2001 @01:43AM (#433511)

    Don't blame him, he has no real choice in this matter. Trademarks have to be protected, no matter how little you care, or else they will become invalid and anyone can use them. If he doesn't go after OpenSSH, tomorrow it'll be Microsoft using the name.

    Blame instead the entire trademark system which has perpetuated this kind of attitude. It's gone from a system meant to protect rights to one that encourages, even demands, companies to trample all over their rivals.

  • by kramer ( 19951 ) on Wednesday February 14, 2001 @01:45AM (#433518) Homepage
    As always, IANAL --

    Trademarks must be defended against infringments or you risk losing them. Further, they must be defended as quickly as possible against infringement. You're not allowed to let someone use it for a couple of years then suddenly decide to go after them when they become successful.

    By looking at the whois record for openssh.com, it's obvious that Openssh has been using the name Openssh publicly since at least October of 1999. That's well over a year. I would hardly call this a timely filing.
  • by drudd ( 43032 ) on Wednesday February 14, 2001 @07:11AM (#433554)
    You're missing the point...

    The problem is not that openSSH resembles the original SSH, it has to in order to do what it does. But when it looks like SSH, acts like SSH, and the name is similar besides, it definitely can cause confusion.

    IIRC, debian installs openSSH (since it falls under it's definition of "free"), but the package itself is called ssh. A user may think they are getting the true "ssh," when they are actually getting openSSH. This is a definite example of trademark confusion.

    What wouldn't be bad is if someone released a first person shooter like quake, calling it openSSH. No confusion could arise, the fps "openSSH" and the secure shell "SSH" would be completely different products.

    Doug
  • by Noryungi ( 70322 ) on Wednesday February 14, 2001 @01:57AM (#433570) Homepage Journal
    OpenSHHHH... Sorry, we can't mention the name of the "other" product.

    OpenSHL... Hey, what's a single letter between friends?

    Open S S H... Oh, Come on, quit whining. You registered "SSH" and NOT "S S H", so there!

    OpenWhat?... How do you pronounce "SSH" anyway?

    Open-You-Know-What... Just add a ".org" and, presto! We are back in business...

    WeAreSecureAndWeAreCanadian... Yep, it's getting longer and longer.

    OpenSourceSecureShell... There, feeling better already? Shush, it's all going to go away.

    Ho and by the way, I want to get sued too!! I am going to register:

    openssh.co.uk
    openssh.org.uk
    openssh.fr
    openssh.asso.fr
    openssh.ch
    openssh.it

    (...etc...)

    Anybody cares to bankroll me ?? =)

    Bonus question: How on earth can you copyright a three letters acronym? I'll try copyrighting "IBM".

    At least, it's going to make the fight more interesting and potentially more lucrative. Hmmmm. US$50,000,000 out-of-court settlement. Please note that this is just the "Acronym", not the logo, which is copyrighted by our big, blue friends in Armonk.

    And remember people: OpenBSD needs your help! Order your 2.8 CD today and makes the world a better place for security and a worse place for script kiddies and copyright hoarders...

  • by BJH ( 11355 ) on Wednesday February 14, 2001 @02:05AM (#433579)
    Just to point a few things out...

    I would thus like to ask you to change the name OpenSSH to something else that doesn't infringe the SSH or Secure Shell trademarks, basically to something that is clearly different and doesn't cause confusion.

    OK, I can go along with this. He has the trademark, the two applications are very similar, I can see where he's coming from.

    The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks
    very much like my product (without my approval for any of it, by the way). The old SSH1 protocol and implementation are known to have fundamental security problems, some of which have been described in recent CERT vulnerability notices and various conference papers.
    OpenSSH is doing a disservice to the whole Internet security community by lengthing the life cycle of the fundamentally broken SSH1 protocols.


    Now this is a completely different kettle of fish.
    1) If you didn't want people to hack on the code, why did you initially release it under a license that allowed that? It can't be retroactively retracted, y'know...
    2) The OpenSSH team doesn't need your approval; you in effect gave them your approval when you licensed it as you did (see 1).
    3) Yes, SSH1 has security problems. WHo developed it? You did. Also, IIRC, OpenSSH was just about the only implementation that wasn't vulnerable to several of the vulnerabilities that have been found so far.
    4) OpenSSH supports SSH2 anyway, so I don't see how its existence is encouraging the use of SSH1. More than likely, people who had been put off by your version of SSH2's restrictive licensing terms moved to SSH2 only when OpenSSH provided it.

    All in all, it seems a mix of a legitimate claim with some very clumsy revisionism and FUD.

  • by Sloppy ( 14984 ) on Wednesday February 14, 2001 @05:57AM (#433581) Homepage Journal

    But all but one of those are completely unrelated -- some temperature control thingie, mail catalog, and an electronic organ, I think. None of those are likely to ever be confused with the ssh that we're talking about, so the trademarks don't really conflict.

    IMHO, Tatu Ylonen's wishes in this matter should be respected. The only serious weaknesses in his trademark are

    1. His product and the open protocol have the same name
    2. The "submarine" action: apparently (I don't know this for 100% certain) he didn't start trying to do something about the infringement until after OpenSSH became well established.
    If it weren't for these two issues, his claim would be quite solid.

    But even with these holes in his argument, he's still pretty compelling, for two reasons:

    1. It looks to me like he has acted in Good Faith (something you don't see in all these kinds of cases). Even the submarine action is pretty easily explainable: perhaps he didn't think the similarity between the names was going to be a problem. But then his customers started getting confused. And it's not like he's trying to inhibit interoperability -- he just wants a name changed. And furthermore: he's polite and not arrogant. And instead of hiring a lawyer to write his letter and use terms like "demand you cease and desist", he has explained his arguments himself, and uses terms like "I am asking you to please choose another name."
    2. Changing the name of a free software project just isn't a big deal. It's not like OpenSSH is a commercial interest where a lot of marketing dollars and effort has been invested in shoving the word "OpenSSH" into the public's mind. Changing OpenSSH's name to something else, has negligable cost. Accomodating this guy's wishes will not be hardship, or mess up anyone's project or significantly restrict what they can do.
    And for those reasons, I think the guy deserves some slack and consideration. Adios, OpenSSH.

    One other thought: the name of the protocol should be changed too. Yes, it's his fault that the names conflict. So what? Let's just fix the problem.


    ---
  • by mfterman ( 2719 ) on Wednesday February 14, 2001 @08:30AM (#433594)
    Normally I'd be on the side of the person who owns the trademark except there are a few things about this that I do not like.

    First off, getting SSH as the name of an IETF protocol, and then trademarking it. This is the act that really stinks. Its as bad as Apple's Firewire stunt, getting an IEEE protocol set up and trademarking the name associated with it. This reeks of trademark trapping, or trying to grant oneself a monopoly with regards to an IETF protocol, or at least an unfair advantage. Only his software can use the name of the protocol in the name of the software using the protocol. It would be like trademarking HTTP.

    Second off, I am somewhat suspicious at the time lag involved between the founding of OpenSSH and the present. If you're going to do the trademark enforcement thing, do it at the very beginning and go with the lawyers and accept the PR meltdown that is going to result because you did a sleazy thing like trademark an IETF protocol in the first place.

    In short, this is someone who is trying to have it both ways. Playing the IETF and open standards game while still having the trademark and the exclusive right to make software with the name of that protocol in it. He tried to engineer himself an unfair marketing advantage and some reasonable uses of the SSH protocol name are causing him business confusion. You will notice there is no talk of his changing his software name and setting up a new trademark. And while you can talk about his investment in the mindshare of the SSH name, he did it in a fashion that puts other people trying to use the SSH protocol at an unfair disadvantage.

    Now, perhaps I am being unfair here, perhaps he did not intend to do things that way, at least not consciously. But the end result is the same. He took an open protocol name and trademarked it so that no one else could use the protocol name in software that implements the software protocol but him, giving him an unfair advantage. Now that people are trying to erode that unfair advantage, he is crying foul, and after other people have invested work in the OpenSSH brand name as well.

    Oh yes, and tradmarking "Secure Shell" strikes me about on the level of trying to trademark "Windows". You might be able to do it but its a really sleazy thing to try. Whatever sympathy I have for him was completely destroyed when that fact came to surface. This is a person using trademarks in an abusive fashion and I'd like to see that reap the rewards it deserves.
  • by X ( 1235 ) <x@xman.org> on Wednesday February 14, 2001 @02:05AM (#433597) Homepage Journal
    • NSSH: Not Secure SHell.
    • GNASSH: GNASH's Not A Secure SHell.
    • ASS: A Secure Shell.
    • SSH NT: SSH Not Trademarked.
    • LDUSSH: Lawyer's Don't Use Secure SHells.
    • RSSH: Really Secure SHell.
    • (In case the previous one is not different enough) RRSSH: Really, Really Secure SHell.
  • by TicTacTux ( 99149 ) on Wednesday February 14, 2001 @02:08AM (#433612) Homepage
    Well, this is about the first time I see a copyright holder contacting his 'opponents' in a rather friendly manner. You may argue about his claim but at least formally he's showing manners and common sense.

    That said I suggest that we at least *try* to find a way to solve this manner; unfortunately most postings here range from 'get lost, creep' to downright hostile, but I haven't seen many that are constructive.

    So, how about 'Secure Telnet' or 'Secure Login' (as it is not exactly a shell but rather an encrypted connection to a shell)? Ah, yes, something with 'Open' in it (doesn't that contradict the 'secure' term? A secured system cannot exactly be described as 'open', right?). So, how about OSTAKAS (Open Secure Telnet Also Known As SSH). Uh, no, the acronym must be recursive, like ONS (O's Not SSH).

    Now go use your imagination, this one time not for coding...

  • by X ( 1235 ) <x@xman.org> on Wednesday February 14, 2001 @02:09AM (#433615) Homepage Journal

    Bonus question: How on earth can you copyright a three letters acronym? I'll try copyrighting "IBM".

    He didn't copyright SSH, he trademarked it. You can indeed do this, and IBM is indeed a registered trademark.

    Actually, when you look at this case, it's a pretty clear example of why trademarks were created in the first place: to avoid customer confusion about branding. I'd say this guy is well within his rights.

  • by Anonymous Coward on Wednesday February 14, 2001 @02:20AM (#433643)

    This is the license that OpenSSH is based on:

    As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell".

    Sure looks like 'permission' to me.

  • by MobyDisk ( 75490 ) on Wednesday February 14, 2001 @02:20AM (#433644) Homepage
    He hinted at another reason for all this:

    "OpenSSH is doing a disservice to the whole inernet security community by lengthing the life cycle of the fundamentally broken SSH1 protocols."

    Also - Isn't the actual protocol, as recognized by the IETF, named "SSH" - if so, how can you trademark that?
  • by mindstrm ( 20013 ) on Wednesday February 14, 2001 @02:28AM (#433666)
    1) He didn't enforce his trademark for the last year and a bit, so as far as the community is concerned 'ssh' is now a common word, not a 'product'. He didn't defend it right away, so he will lose it. That's how Trademark law works. (as opposd to Patent law, where you can selectively enforce it wherever you want, and ignore others)

    2) If someone managed to get the recipe for Coca-Cola, they could use it to make another product and market it. The only reason they don't is it's a SECRET, and nobody knows what it is. What they can't do is call it 'coke' or 'coca cola' because that's coke's registered trademark. If they called it 'OpenCocaCola' and it was rather popular and it was 2 years before Coke sued them... coke would probably lose it's trademark.

    This has nothing to do with patent.

  • by mindstrm ( 20013 ) on Wednesday February 14, 2001 @02:34AM (#433698)
    Anyone can apply for trademark and get it. Whether it is enforcable is another thing altogether.

    Does not the original license on the ssh code allow for use 'for any purpose?'

    IT also states that if the software functions differently from the protocol specified in the rfc's (called ssh1 and ssh2), it should not be called ssh.

    That's like saying that as long as it behaves according to the protocols, it can be called ssh.

    The protocols are commonly know to the entire internet community as 'ssh'... good luck enforcing that trademark.

  • by wowbagger ( 69688 ) on Wednesday February 14, 2001 @02:38AM (#433700) Homepage Journal
    Any name with "SSH" in it will be an infringing name. Therefor, any new name must not contain "SSH".

    I suggest FRESH: Free Remote Encrypted SHell.
    1. It covers the fact that it is Free Software.
    2. It points out that the primary use is for remote access
    3. It points out that the link is encrypted


    I make this name available without restriction.

    <Off-topic>
    Of course, I feel that RMS ought to use the term "liberated software" to avoid the whole "free beer/free speech" issue, but that's another story....
    </Off-topic>
  • by Col. Klink (retired) ( 11632 ) on Wednesday February 14, 2001 @02:48AM (#433735)
    Secure Host to Host (SHH).
  • by Jeff Mahoney ( 11112 ) on Wednesday February 14, 2001 @08:09AM (#433742)
    Slashdot has become quite accustomed to throwing their arms up in anger, and accusing others of not being good neighbors - but when the time comes for an open source project to be the good neighbor, what happens? We hear shouts of "well, they should have protected their trademark better." Damned if you do, damned if you don't.

    Most of the "infringment" stories that Slashdot has seen are of the inflammatory nature. Many of them are projects that have nothing to do with one another, but here we have a different case.

    The OpenSSH group is being asked by the project from whom their original code derived, and which group came up with the protocol they're implementing, to change their name. This isn't some monster corporation looking to quash competition. This is a small company which is receiving legitimate confusion about their product due to the success of a free implementation.

    And when they ask the free implementation to change their name - the open source community scoffs. IMO, the open source community isn't being a very good neighbor.

    Really, what's lost with a name change? Do the executables need to be renamed, thus causing confusion for the user? NO A while ago, when Sun first came out with what is now known as NIS, it was called Yellow Pages (yp). I believe it was British Telecom who held the trademark for the "Yellow Pages" name, and Sun was forced to change the name of their product. Did it cause confusion for the user? Maybe some initially, while people got acclimated to the new name in documentation, etc -- but the utilities, today, over 10 years later, still bear their original names of yp*. An earlier post mentioned other free projects creating symbolic links to the more widely known executable names, such as vim and elvis..

    But even further, why must a project's name match the name of their executable? Apache installs httpd, not apached. (Ignoring windows, here). Samba installs [ns]mbd, not sambad. OpenSSH itself, as it is NOW doesn't install "opensshd".

    All in all, I think the Open Source community needs to be a good neighbor here. This is more than a case of name usage, this is a case of a coder developing one of the most widely used pieces of software on the 'net. For better or worse, he chose to take it and make money with it, changing his license in the process. Should this negate the fact that the earlier code was out there? That he put the effort in to coming up with the protocol as well? I certainly don't think so.

    Really, it doesn't take much effort to change the name of newly released products, and I don't think they're asking to change the millions of installed copies. All that would really be required is a new chosen name, and the registration of an appropriate domain.

    Who knows, by being good neighbors, SSH Communications might even foot the bill for it.

    If not, email me. I will.

    -Jeff
  • by Dunedain ( 16942 ) on Wednesday February 14, 2001 @02:53AM (#433745) Homepage
    I've always used ssh1, I don't know why, I guess because the first time I started using it, a friend said to me: "Use ssh1, ssh2 sucks". So I did. What are the main differences between ssh1 and ssh2 and why is ssh1 fundamentally broken and ssh2 not?

    Put simply, Tatu considers ssh1 broken because he released it under a non-restrictive license and wishes he could take it back. While it is true that ssh2 encrypts more of the communications channel than ssh1, the attacks on ssh1 are of a difficulty roughly on par with stealing a TCP connection from a modern OS: the attack is possible, but extremely impractical.

    I do consider ssh2 to be broken crypto. The protocol specifies the base and modulus for its public-key-exchange algorithm. This means that anybody can sit down and "study" that base and modulus for weaknesses and attack spots. Heck, the NSA -- or Tatu -- could have pre-computed the information necessary to break the encryption on an ssh2 stream.

    The above is a quick sketch of the arguments for why ssh1 and ssh2 are broken, together with some highly cynical suggestions for why they might be built that way. Go do some real research before you pick crypto to trust with anything you care about.

  • by mwdib ( 56263 ) on Wednesday February 14, 2001 @02:55AM (#433766)
    I find it interesting that the descriptive paragraph that introduces this letter describes it as "demanding" the name change. Interesting what a word can do. Viz:

    - actually reading the letter doesn't give the impression that the author is "demanding" the name change. He states he is "asking" twice. Yet the comments from slashdot readers are talking about "litigation," "demands," etc.

    - The discussion of this letter on Linux Today, where there is no editorial introduction, just the text of the letter, is far more reasoned and moderate.

    - Gee, he contacted the developers and they did not address the issue. Did he immediately sue? Nope. Is this a cease and desist order? Nope. Is this a demand . . . I hardly think so and I doubt that it deserves the characterizations it is receiving in some of these posts.

    I think this points out what journalists know and some have yet to learn: the description of the content is as - or even more significant - than the content itself.
  • by mindstrm ( 20013 ) on Wednesday February 14, 2001 @02:58AM (#433770)
    in that he seems to have been 'lenient'. Unfortunately, in trademark law, you CAN'T be.

    If you don't enforce your mark, you lose it. If you allow it to come into common use by others, and don't defend it at all, then you can't come back later when you think it's a threat and try to enforce it. It's not like Patents, that can be selectively enforced.

    If he admits he originally left them alone, *even though they were in violation of his mark*, then he can't come back later and enforce it, period. It won't hold up in court.

To communicate is the beginning of understanding. -- AT&T

Working...