74 posts categorized "open source"

June 09, 2009

Citrix leads $10m investment in Vyatta. Why?

Saw this story today about Citrix leading a $10 million round of investment in Vyatta. This is on top of the $18m they had raised previously. While I think an open source router that runs on an x86 platform and can be virtualized and run alongside security apps is a great idea (Can you say Cobia?), I am not sure what would drive Citrix to this. Are they so incensed about the Cisco/VMware relationship that they think that Vyatta is actually an option? Why not go strike a deal with Juniper and save the money? Maybe because Xen has its roots in open source, so Vyatta is a nice complement?

On the other hand, getting a company to make a strategic investment in this climate is not an easy thing, so good for Vyatta. Could this be the opening move in Citrix buying Vyatta and building in routing to the Xen virtual environment and some of their Netscaler stuff?  Time will tell.


June 02, 2009

Who are the real leeches in open source?

Bill Snyder over at InfoWorld wrote an article about the fight over open source leeches. In it he says that:

Open source is supposed to be all about community, but as commercial open source becomes the norm, fewer developers are giving back. Is that hurting open source?

The article quotes several open source advocates who variously blame technology companies who use open source as part of their products, but don’t “give back” to the community, enterprise IT shops who don’t contribute back code they developed and other developers who are not “good community” members as being leeches on the open source movement.

Snyder, though, also reports on some differing views. Some of these are that the whole notion of community is not all it's cracked up to be. That with the advent of commercial open source companies, the community can be co-opted for the benefit of the commercial company.

This is where I come in. I think it is terribly naive to think that commercial entities are going to be altruistic enough to do something for the good of another or even competitive commercial entity for the “good of the community”. I think it goes against human nature and the principles of capitalism. By the way, I think this applies to individual developers. They don’t mind contributing their work, but not for the profit of a commercial entity and not their own.

If you are going to support the GPL, you have to support the good with the bad. You can’t expect people or corporations to do things against their own self-interests unless they are specifically compelled to.

So when we look at who the leeches are in the open source world and what has spoiled the idyllic notions of Richard Stallman and the rest, perhaps commercial open source providers do a fair amount of blood sucking of their own?

February 27, 2009

Google search for real

We have all heard of the millennium generation. Generally it refers to people born after 1985 through now. The older millennials are already young adults and their impact is being felt in social networking, politics and many other fields.

But it is the younger millennials who are going to blow us away. They are growing up in a world where the internet, ubiquitous connectivity and unfettered access to information is the norm. They never saw an encyclopedia made out of paper. I was reminded of this tonight while getting Google tips from my 7 year old son Bradley. Bradley was working on some Pokemon character and was looking for a picture that he needed edited. He asked me to Google the character’s name and then grab a picture and edit it. When I Googled the name no pictures came up. Bradley said, “Dad, put ‘for real’ after the character’s name.” When I asked why, he said that is what he does when he can’t find something on Google. Frag (Battlestar Galactica word) if that didn’t work! How did Bradley come up with this? Is Google aware of it? It must change the search algorithm or something. Glad I have web filtering on the machine.

What is going to happen when Bradley and his friends grow up? What challenges will this present for the security industry?  Maybe they will help with security. I don’t know, but I do know that they have an instinctual intuitiveness around computers and such that previous generations on the whole don’t have.

Anyway, here is something you very rarely get with Mike Rothman’s Incite – a report on Friday!  Have a good weekend!

  1. When open is open only if, or it's about the platform, stupid – Hoff has a good point today about VMware’s use of the terms open and interoperable. These two abused terms get tossed around a lot. Open used to really mean open source. You had access to the source. Interoperable in my mind meant that out of the box it would work with other platforms and products. Then open was not really about source, but at least the openness of the product to use generally accepted means of communication. In my mind SQL and ODBC connectivity in databases is a perfect example of this. But I think what Hoff is getting at but is not saying clearly is that now it is all about the platform. VMware wants to be the platform here. They want you to use tools and applications, as long as you use their platform. By having to use their APIs to connect, you are locked into their platform. That is the real hook and makes it not very open at all.
  2. Can IT Vendors be Objective? Probably not – Michael Farnum has a guest post up from a vendor friend of his venting about the fact that he has been “discriminated” against because he is a vendor and therefore deemed not objective. I agree that most people out of hand say you are a vendor and therefore not objective. Not that you can’t try. I have been accused of the same thing. But being objective on this question, I have to say vendors can’t be objective. Not to say we would lie, but if we didn’t believe that our products were better, could we sell them? So yes, IT vendors are not going to be objective. But here is the kicker, neither can anyone else. We all bring our own views and prejudices to the game and that affects our objectivity. Therefore it is up to the audience to filter what they think is truth from fiction, opinion from fact. I think most people recognize that and perform that task.
  3. Mogull calls BS – Rich Mogull calls out Bob Russo of the PCI council. Seems Russo says that no businesses that are PCI compliant have ever been breached. They may have been compliant once, but when they were breached they were not. Rich rightfully, I think, calls bull on this. I am not sure if Russo is playing semantics here or what. Maybe he means that having a breach automatically puts you out of compliance? I don’t know but have invited Rich and a few friends I know on the PCI advisory council to appear on a podcast. Stay tuned!

So that is it for this week.  Have a great weekend!


December 01, 2008

The day the music died ...


And in the streets: the children screamed,
The lovers cried, and the poets dreamed.
But not a word was spoken;
The church bells all were broken.
And the three men I admire most:
The father, son, and the holy ghost,
They caught the last train for the coast
The day the music died.


And they were singing,
"bye-bye, miss american pie."
Drove my chevy to the levee,
But the levee was dry.
And them good old boys were drinkin' whiskey and rye
Singin', "this'll be the day that I die."
"this'll be the day that I die."


They were singing,
"bye-bye, miss american pie."
Drove my chevy to the levee,
But the levee was dry.
Them good old boys were drinkin' whiskey and rye
Singin', "this'll be the day that I die."
"this'll be the day that I die."

            - Bye, Bye Miss American Pie, Don McLean

One of my favorite songs as a kid, it is what I was reminded of reading Stuart Cohen's special report in Business Week, Open Source: The Model is Broken. I think Stuart has laid out for everyone to see, that after all of the money poured into open source business models over the last few years, the fact is that just thinking that adding support and services to open source software is a good business is in fact a flawed model and increasingly difficult for a company to be successful with.  You need to add some other value beyond servicing the open source software to make it.

This is a huge turnaround from the conventional wisdom of years past. Too many people looked at Red Hat and pointed to their support for Linux as the reason for their success. But as Stuart points out, Red Hat's success is in providing software that works on top of the stable Linux kernel. If Red Hat had to subsist on just supporting Linux, it would be nowhere near the company it is today. Of course Red Hat is just one example. There are many, many other companies that embraced the "software is free, sell them support" model and it remains to be seen if they will fail or succeed.

Even the normally viewed as a success MySQL is not a lock to return the billion dollars that Sun invested in it. Software, whether it be open or closed source, according to Stuart is a commodity. What a company does on top of this is where it gets interesting, Cohen says. Collaboration is the real key for Cohen. He says that aspect of open source development is what is really valuable.

I agree with Stuart. I think SaaS is the new open source. I also think that eventually we will see the same thing with SaaS.  Just hosting the software for the customer is not going to be enough. You have to add value over and above that as well.

These tough economic times are going to be brutal on marginal business models.  Nice to have is not going to cut it. If you can't show why what your company has is a must have and they must have it from you, you are going to have trouble surviving. In the meantime, the good old boys were drinking whiskey and rye, singin' ....


November 17, 2008

Is Sun's open source strategy its savior or destroyer?

I was reading Steven J. Vaughan-Nichols' column the other day entitled, "Sun: Dead company walking". Vaughan-Nichols laments that Sun is probably doomed and too bad, just when it realized that it is truly an open source company and given the chance could be so successful, but it is probably too late. Of course realize that Vaughan-Nichols is an open source bigot who thinks open source is the answer to all things and that Microsoft is the anti-Christ incarnate.

All of the doom and gloom surrounding the recent bad news at Sun got me to thinking. When I was early in my tech career a Sun server running the latest version of Solaris was the baddest game in town. Yes, if you were doing media maybe a Silicon Graphics box was hotter but Sun owned the data center. UltraSPARCs were our web server of choice in those days. The web was owned by Sun gear. Even though Linux was there, it was not as secure, stable or as scalable as Solaris. Sun seemed to have the world on a string and was even able to tweak Bill Gates' nose. So where did it go wrong?

Some like Vaughan-Nichols will say Sun was too late in adopting open source like Linux and such. I say the opposite, I think Sun went wrong trying to be too much and too open to too many people. I think trying to make Solaris work on Intel as well as it did on Sun CPUs was a mistake. I think making Linux work on SPARC as well as Solaris was a mistake. Yes the platform was proprietary, but it rocked. Rolls Royce engines don't run in Chevys and Ford parts don't fit onto a Bentley.

When Sun tried to appeal to the everyman, instead of being the geek's hot rod, things started to unravel. I think their business at the high end was a sustainable model. No, they were not going to overtake Microsoft, but they would not be in the place they are today either.


September 16, 2008

But how do you make money?

I love the idea that you can use software for free. I am a big fan of open source software being made available to people. I am also a big fan of commercial companies with an open source business model. I am not a big fan of irrational exuberance though. Maybe that is a result of living through the dot com bubble and Alan Greenspan. Maybe it is the recent housing/mortgage/credit bubble. In any event I was reading an article in InfoWorld today on Untangle's "re-router" software.

The gist of the article was that Untangle has taken its open source router/UTM Linux based software and made it run on a Windows XP PC.  Great!  I assume they are running a virtual instance of their Linux server with the apps on top of it.  I don't think that is rocket science, but having played a bit with this myself, my first question was what is the throughput and usability like.  From what I know unless the laws of physics have been circumvented, you are not going to get a lot of performance running a UTM on that type of platform.  Sure enough Untangle's CTO acknowledges that this solution is really aimed at the under 25 user crowd.  Untangle claims this same customer would have to use several boxes otherwise for similar functionality.  The company sees this appealing to companies who don't have the money to buy the hardware and/or the resources to configure the apps.

OK, first of all there are plenty of low budget UTMs that can do this job and do it cheaply. eSoft is one I know, our own Cobia is another and there are plenty of others. So Untangle is talking about saving the cost of one low end box? A few hundred dollars? Is setting up the Untangle software going to be any easier than any of the commercial solutions? Open Source stuff is free, but generally not easy. But here is my real problem with this from a business perspective. Untangle is going to give this away for free and seeks to run their company from the percentage of these users who will sign up for support and higher end services. There are lots of open source business models that work like this. But if the customer is too small to afford to buy a server costing a few hundred dollars, what makes you think they can afford to pay for a service to manage it? If they do need a service they need an MSSP type of product. At the end of the day is Untangle an MSSP? I don't think so. Fundamentally, I think that is where the problem here lies. How can Untangle generate enough revenue from a market sector that they say is too poor to pay for anything?

If they did this to build presence while pursuing a higher market segment to pay the bills, that would make sense.  But I don't see that.  So at the end of the day, virtualizing your software for the SOHO crowd is dandy.  But how do you put food on the table?

May 30, 2008

What's the deal with the Barracuda offer for Sourcefire?

By now you probably saw that Dean Drako and Barracuda have made an offer of $7.50 a share (in cash) for Sourcefire. This values Sourcefire at about 200 million dollars and is a 13% premium over the Friday closing price. Of course this is well below Sourcefire's historical highs, but then again who is worth what they were a few months ago? I have a chart on the left that shows stock prices.

So what is behind this deal? I think it is all about ClamAV and the Trend Micro suit.  As readers of my blog know, Trend Micro sued Barracuda a few months ago for patent violations around the way Barracuda uses ClamAV in its appliances.  I think Dean was looking to Sourcefire as the owners of ClamAV to step up and help in the defense of the suit.  I believe to date, that has not happened and Dean is upset with it.  In fact Dean actually mentions that suit and Sourcefire's lack of response on it as one of the two reasons why Barracuda's acquisition would make sense. For the other reason Dean takes a swipe at the Sourcefire management team, saying "We believe that the recent FIRE stock price reflects the execution challenges faced by the company’s management to date." 

I am not sure where Dean comes up with the 200 million to complete this deal, but assume he has lined up financing.  However, at this price I don't think this is more than a stunt.  If Barracuda goes beyond $7.50 a share to $10.00 a share or so, it gets real interesting.  Maybe this puts Sourcefire in play and someone else comes forward with another offer, who knows.  But right now I think Dean is just looking to stir the pot.

Update: As I expected, this morning Sourcefire rejected the Barracuda offer according to this article in BusinessWeek. The Sourcefire board said the 187.4 million dollar offer "is not in the best interests of Sourcefire and its stockholders". Let's see what Barracuda does next.

May 16, 2008

Matt Asay again shows that he doesn't know much about open source security

I often comment or blog disagreeing with Matt Asay and his views on open source and security. Frankly from the comments Matt leaves back, I think he views me as a pain in his butt and why if I don't agree with him do I read his blog. I read Matt's blog because I often do agree with him, but I also read it because I think it important that just because you don't agree with someone's views, doesn't mean they have nothing to say. However, I also feel that I have the right to call BS when I see it. Matt's article yesterday on Tenable's new licensing is one of those times. Matt you don't know what you are talking about on this one. If you are not going to take the time to dig in then just stay out.

First a little background. Tenable announced the other day a change in their licensing of their NASL feed. For those who don't know, Tenable is the owner of the formerly open sourced Nessus vulnerability scanner. They also develop and publish a feed of NASL scripts which run in Nessus, which are likewise no longer and some say never were open sourced. I know Ron Gula pretty well and understand perfectly why Nessus is no longer under a GPL license for a few years now. I also understand the economics and reasons why they would charge for their NASL feed. I think it is good business and more power to Ron, Jack, Renaud and the rest of the Tenable gang. The change in their license is that now commercial customers will have to pay for the NASL feed, whereas before only people who resold the feed or otherwise profited from it would have to pay for the "registered feed". Now schools and charities can still get the feed for free, but others have to pay. Again, I don't have the slightest problem with this and wish them well.

Matt sticks his two cents here and at the same time sticks his foot in his mouth. For some reason Matt has not realized that Nessus has not been open sourced since the release of the 3.x version some time ago. It is not like this is a secret, Tenable is very "open" about it and there has been much written about it. Because they are still open in Matt's eyes, they can do little wrong. Matt this is just plain negligence on your part, go beyond the press release before writing! Matt talks about and links to Pierre Teilhard de Chardin's blog article about Tenable closing the source to Nessus and still doesn't take notice that it is no longer open source. Matt did you read the article you linked to?

Matt then goes on to try and claim that it is OK for Tenable to charge for the NASL scripts because "the code is free, but the information that flows through it (Up-to-date vulnerability information, for example) is not". Matt, NASL scripts are scripts. I would think the word scripts in the name would be a dead giveaway. Don't you think that implies some code?

Yes, you can "drill your own wells" as Matt says and write your own NASL scripts. We do it at StillSecure for our own VAM vulnerability product. But we also use our own customized version of Nessus based off of the old 2.x open source code.

The fact is there is nothing open sourced about the current version of Nessus and NASL scripts and Ron and company don't make any bones about it. Matt your readers expect more from you. Do a little homework before you spout off!

May 08, 2008

It's about the kids, stupid

Matt Asay has a blog up on "OLPC's capitulation to Windows...". In it Matt waxes poetic about what a mistake Nicholas Negroponte is making by embracing Windows for the OLPC laptop project. Matt points to Groklaw, Richard Stallman and the rest of the Redmond revolutionaries who want to see Negroponte tarred and feathered and question his vision. Hey, let's face it, the "m" word is toxic to that crowd. But I really think Matt is just plain twisted about this and about what OLPC is really about. Here is what Matt has to say, "OLPC is rather about liberating developing nations from their vassal status that continually keeps them at the mercy of the pricing and licensing of Microsoft and other proprietary vendors." No Matt, that is not what OLPC is all about and that is what the problem is! OLPC is about getting a laptop in the hands of every kid in the world. It is about giving these kids a chance to learn and grow up to compete in the global economy with the same tools that kids in this country have. It has nothing to do with your views of Microsoft being a 21st century imperialistic empire.

Matt both of my boys have OLPC laptops, I know what it is like using them. The Sugar interface is tough. As Negroponte says, it is an amorphous blob. The command line structure of the laptop made it hard for me to retrieve and install files. File names are truncated and kept in non-standard directories. When kids are learning Windows in school, this is difficult for them. The laptops are a tool for them to learn, it shouldn't be about learning the tool. It needs to be more mainstream for kids to be able to leverage it across the world. It needs to be more standards based. I don't care if it is open source standards or closed source standards but it has to be better. Windows will give it that.

But ultimately Matt, I feel that the OLPC project was hijacked by the open source movement as a "Trojan horse" to overthrow Windows. If that was your intention great. Me, I was a lot more humble and noble in what I thought it was. I thought it was about getting a computer in the kids' hands and having them learn and contribute.

April 15, 2008

McAfee's open source statements are fighting words to Matt Asay

Bulldog Matt Asay has become rather predictable. Say anything negative at all about open source and out comes the Utah bulldog from the dog house straining to break free of his leash. Now Matt is saying that the McAfee folks have libeled open source in a recent white paper they released on botnets. Here is the quote in question:

Taking the bot controller offline may kill a botnet. As a result, many bots use a Dynamic Domain Name System (DDNS) or have a list of backup IP addresses to survive such an event. Bot technology is rapidly evolving, often aided and abetted, unfortunately, by the open-source movement. [Emphasis Matt's.]

So Matt does his due diligence and cannot find any evidence to back up what McAfee says. On top of this Matt remembers that McAfee said in a recent financial statement that open source licensing is a threat to its business (again these are Matt's words). From there Matt looks up botnets in Wikipedia or some other such place and finds out that botnets are mostly installed on Windows machines. Well that is all this open source watchdog needs to get him going! Of course Windows gets more botnets, after all it is not as secure or as good and the people who use it are not as smart as Linux, the darling of the open source crowd.

So here is my problem with Matt's positions. Number one on the white paper, I don't think McAfee was talking about Linux versus Windows at all (as much as Matt would like to think so). I think McAfee is referring to open source applications like dynamic domain name systems (DDNS) and other open source enabling technologies. There is more to open source than Linux Matt. McAfee is saying that hackers are using the same open source components and network enablers that many legitimate applications are using, to make more effective and dangerous malware. The open source crowd is not doing it on purpose, but it is being used. What is the big deal here? Matt, don't you agree that people can use tools for good and bad? Just because it is open source does not mean it cannot be abused or used for malicious purposes. Stop being so sensitive Matt!

Further on McAfee's earlier statement about open source licensing being a threat. Come on guys. It was boilerplate provisions that some of the applications and products that McAfee itself sells contain open source components. Depending how and when a real court ever interprets OSI licenses like the GPL it could have a profound impact on McAfee's business. It could have a profound impact on a lot of businesses for that matter.

Bottom line Matt, I think you are barking up the wrong tree here. Why not head back to the doghouse and wait for the next unsuspecting stranger to walk by and who tries to say anything bad about open source. Me, I think I will appreciate all of the good that open source brings, but realize it can be used as an agent for evil as well.

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
