Ssh! Don't use that trademark

SSH Communications and open-source developers are battling over the company's attempt to prevent the use of its trademarked term.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
5 min read
For security-conscious system administrators, three letters have become a household word when it comes to securing remote computers: SSH.

SSH, which is derived from the term "secure shell," is a set of standards for encrypting the commands and data sent to a server from an administrator's PC. It is widely used by Linux administrators and others in the open-source community.

Yet the three letters also describe the original program developed by Tatu Ylonen in 1995 and trademarked in March 1998. Now, as the founder of SSH Communications Security, Ylonen wants others to stop using it.

"The use of the SSH trademark...is in violation of my company's intellectual property rights, and is causing me, my company, our licensees, and our products considerable financial and other damage," Ylonen, chairman of SSH Communications, wrote in a letter posted to a developer mailing list in mid-February.

That letter has open-source developers and executives girding for a what could become a battle that helps define one of the prickly issues surrounding open-source computing: How does a company retain control over its products and still participate in the open-source programming world? The same programmers whom SSH Communications is trying to woo are the ones who, in its mind, are trying to co-opt its name.

In the end, both sides could lose if access to an important component of Internet security and the good will toward SSH Communications become casualties, say open-source and intellectual property experts. It's also not a problem that seems destined to go away quietly.

"SSH has become a very important part of the Internet. It is required. It is necessary," said Liz Coolbaugh, a founder and managing editor of the Linux Weekly News, which follows the open-source community surrounding the Linux operating system.

While she stressed that many in the community can understand the issues that SSH Communications may have with several open-source projects using the moniker, others are appalled. That's because the open-source community has put a lot of time and effort into helping Ylonen develop the program, Coolbaugh said.

"Open source is the biological environment in which their ideas were produced, tested and debated," she said.

Enemy No. 1
Helsinki, Finland-based SSH Communications maintains two versions of its SSH Secure Shell product, one it sells and one it gives away free. But they carry neither the GNU public license nor one of many other public licenses, which would make them open source.

The largest open-source project--and Enemy No. 1 for SSH Communications in the trademark battle--is OpenSSH, an effort to create a free open-source version of the product.

"The first time we heard about this issue was the beginning of February," said Niels Provos, a graduate student at the University of Michigan and a developer on the OpenSSH project.

Although the project has only been around since late 1998, OpenSSH has based much of its work on a version of SSH that Ylonen released as source code in 1995. Provos asserts the 1995 release came with a public license, allowing it to be co-opted by open-source developers for use in their projects. That was the same year Ylonen created SSH Communications and a year before he even filed for a trademark.

"We are a bunch of people that do this for fun and to give people a more secure way to access the Internet," Provos said. "We didn't expect to get dragged into a trademark war."

SSH Communications hopes that such open-source projects will continue, just without SSH in their name, said George Adams, CEO of SSH Communications.

"We are not interested in killing any (project) or stopping e-commerce," he said. "We are just protecting our trademarks."

Yet SSH Communications' enforcement may be too little, too late.

"Trademarks are like patents," said Wyatt Starnes, co-founder and CEO of security software firm Tripwire. "They are only as good as your ability to defend them. If you are not careful, they can lapse into a quasi-public domain."

Least of its worries
Tripwire should know. In many ways, the company's flagship product, also known as Tripwire, has a similar lineage. Created at Purdue University in 1992, the data-integrity software was released freely in the past. But when it was, the open-source community always understood that Purdue, and then Tripwire, owned the intellectual property, Starnes said.

"There were (outside) people who helped write the code in the Purdue process," he said. "But there was explicit ReadMe code that stated that both the trademark and the intellectual property were owned."

That confusion over the history of the enforcement of the trademark may be the least of SSH Communications' worries. What could be a worse indicator for the company is that many administrators use the term "SSH" for any command-line interface that securely accesses another computer.

"Regardless of its origins, the word has become the generic description for this type of software," said Michael Bednarek, an intellectual property attorney at Washington, D.C.-based law firm Shaw Pittman. "As far as I can tell, there is no other name for it."

Bednarek asserts that SSH Communications inadvertently let the name slip into the public domain, similar to how Bayer lost the trademark to "aspirin" in the United States. "In many countries, Bayer has the trademark for aspirin. But here they don't because it became the generic term."

That could be a nail in the coffin for the SSH trademark, he said. "If this were the type of thing that was litigated, SSH would have an uphill battle."

Is it too late?
SSH Communications said it wasn't aware of the confusion in the marketplace until the company recently started selling SSH Secure Shell itself. Originally, SSH Communications used another company, F-Secure, to sell the product.

But since SSH Communications took over sales of SSH Secure Shell, the company asserts that it quickly became apparent that customers were confused, thinking that the OpenSSH project was somehow affiliated with the company.

"When this came to our attention, we realized we needed to properly enforce our trademarks," Adams said. "I don't think it's too early or too late."

Adams added that one organization that SSH Communications has convinced is the Internet Engineering Task Force, the group responsible for setting technical standards on the Net.

"They have agreed to show proper attribution," Adams said, adding that the task force has adopted a non-infringing name, SecSH, for its working group developing secure shell standards.

Yet others in the open-source community still call the standard by the original "SSH" moniker.

And those open-source developers have been prolifically developing software using the name "SSH." There's KSSH, a front-end to SSH for the KDE desktop; ScanSSH, a network scanner using the SSH scanner; FreSSH, a newer implementation of SSH; Nifty Telnet SSH, an SSH client for the Macintosh; and SSHBuddy, a password manager for SSH.

All could be infringing the company's trademark.

But winning the battle could be a worst-case scenario for SSH Communications, said OpenSSH's Provos.

"Tatu is a very respected person in the community because he provided SSH for free and helped make the Internet more secure," Provos said. "Now, no matter what the outcome, he loses a lot of public image."