69 posts categorized "open source"

June 13, 2008

Trend vs Barracuda - it's not about open source, it's about the money!

Interesting interview with the CEO of Trend, Eva Chen, at PC World on the Barracuda patent infringement suit that Trend has brought. A couple of things are pretty clear reading Chen's responses to the questions:

1. This lawsuit is being fought as much in the court of public opinion as it is in the courts of law. For that Dean and the Barracuda crew deserve credit. They have done a good job of making this a Trend versus open source community suit. From Chen's answers it seems Trend was taken totally by surprise by Barracuda's aggressive PR and their ability to turn elements of the open source community against Trend. The pity for Trend is that Chen actually does make clear the difference between ClamAV just being a virus scanner and the way Barracuda uses ClamAV as part of the gateway. If they would stick to that and not talk about who makes money from it, they might be able to get the open source community to leave this one alone.

2. In Trend's view this is not about open source but about money. I think Chen shoots Trend in the foot with this argument. She seems to say that because Barracuda is a for-profit company, that is why they are suing them. "If ClamAV was making money, they would sue them too" is the dangling metaphor there. Here is what Chen says, "But we were not suing ClamAV. Barracuda is a for-profit company. They are taking ClamAV, putting it on their gateway and making money out of it. It's not free software that we are suing, it's Barracuda." So it is all about the money then. If ClamAV was making money Trend would sue them too?

3. After already suing and winning against IBM, McAfee and most of all Fortinet, Trend is very confident that their patent is the real deal in a court of law. If the Xie brothers couldn't find anything to throw this out, they are not worried about the likes of Dean Drako.  But as I said, while litigating this Trend is taking black eyes and body shots in the public opinion arena every day.

4. The last thing they want is to get Sourcefire involved in this suit. You can't tell me that at this stage of the game Chen would not know whether they have cut a deal with Sourcefire, the owners of ClamAV, or not. Yet she plays as if she never even heard of them and would have to ask her lawyers. I suspect this is because they think that Sourcefire has more open source "chops" than Barracuda and this would turn this thing into a PR disaster for Trend. It could be this same reason that played a part (I think it is the big reason) in Barracuda bidding for Sourcefire.

In any event it will be interesting to see how PR and public opinion play in the eventual outcome of this suit.


May 30, 2008

What's the deal with the Barracuda offer for Sourcefire?

By now you probably saw that Dean Drako and Barracuda have made an offer of $7.50 a share (in cash) for Sourcefire. This values Sourcefire at about 200 million dollars and is a 13% premium over the Friday closing price. Of course this is well below Sourcefire's historical highs, but then again who is worth what they were a few months ago. I have a chart on the left that shows stock prices.

So what is behind this deal? I think it is all about ClamAV and the Trend Micro suit.  As readers of my blog know, Trend Micro sued Barracuda a few months ago for patent violations around the way Barracuda uses ClamAV in its appliances.  I think Dean was looking to Sourcefire as the owners of ClamAV to step up and help in the defense of the suit.  I believe to date, that has not happened and Dean is upset with it.  In fact Dean actually mentions that suit and Sourcefire's lack of response on it as one of the two reasons why Barracuda's acquisition would make sense. For the other reason Dean takes a swipe at the Sourcefire management team, saying "We believe that the recent FIRE stock price reflects the execution challenges faced by the company’s management to date." 

I am not sure where Dean comes up with the 200 million to complete this deal, but assume he has lined up financing.  However, at this price I don't think this is more than a stunt.  If Barracuda goes beyond $7.50 a share to $10.00 a share or so, it gets real interesting.  Maybe this puts Sourcefire in play and someone else comes forward with another offer, who knows.  But right now I think Dean is just looking to stir the pot.

Update: As I expected, this morning Sourcefire rejected the Barracuda offer, according to this article in BusinessWeek. The Sourcefire board said the 187.4 million dollar offer "is not in the best interests of Sourcefire and its stockholders". Let's see what Barracuda does next.

May 15, 2008

Matt Asay again shows that he doesn't know much about open source security

I often comment or blog disagreeing with Matt Asay and his views on open source and security. Frankly, from the comments Matt leaves back, I think he views me as a pain in his butt and wonders why, if I don't agree with him, I read his blog. I read Matt's blog because I often do agree with him, but I also read it because I think it important that just because you don't agree with someone's views doesn't mean they have nothing to say. However, I also feel that I have the right to call BS when I see it. Matt's article yesterday on Tenable's new licensing is one of those times. Matt, you don't know what you are talking about on this one. If you are not going to take the time to dig in, then just stay out.

First a little background. Tenable announced the other day a change in the licensing of their NASL feed. For those who don't know, Tenable is the owner of the formerly open-sourced Nessus vulnerability scanner. They also develop and publish a feed of NASL scripts which run in Nessus, which are likewise no longer (and some say never were) open sourced. I know Ron Gula pretty well and understand perfectly why Nessus has not been under a GPL license for a few years now. I also understand the economics and reasons why they would charge for their NASL feed. I think it is good business and more power to Ron, Jack, Renaud and the rest of the Tenable gang. The change in their license is that now commercial customers will have to pay for the NASL feed, whereas before only people who resold the feed or otherwise profited from it would have to pay for the "registered feed". Schools and charities can still get the feed for free, but others have to pay. Again, I don't have the slightest problem with this and wish them well.

Matt sticks his two cents in here and at the same time sticks his foot in his mouth. For some reason Matt has not realized that Nessus has not been open source since the release of the 3.x version some time ago. It is not like this is a secret; Tenable is very "open" about it and there has been much written about it. Because they are still open in Matt's eyes, they can do little wrong. Matt, this is just plain negligence on your part; go beyond the press release before writing! Matt talks about and links to Pierre Teilhard de Chardin's blog article about Tenable closing the source to Nessus and still doesn't take notice that it is no longer open source. Matt, did you read the article you linked to?

Matt then goes on to try and claim that it is OK for Tenable to charge for the NASL scripts because "the code is free, but the information that flows through it (up-to-date vulnerability information, for example) is not". Matt, NASL scripts are scripts. I would think the word "scripts" in the name would be a dead giveaway. Don't you think that implies some code?

Yes, you can "drill your own wells" as Matt says and write your own NASL scripts. We do it at StillSecure for our own VAM vulnerability product. But we also use our own customized version of Nessus based off of the old 2.x open source code.

The fact is there is nothing open source about the current version of Nessus and the NASL scripts, and Ron and company don't make any bones about it. Matt, your readers expect more from you. Do a little homework before you spout off!

May 08, 2008

It's about the kids, stupid

Matt Asay has a blog up on "OLPC's capitulation to Windows...". In it Matt waxes poetic about what a mistake Nicholas Negroponte is making by embracing Windows for the OLPC laptop project. Matt points to Groklaw, Richard Stallman and the rest of the Redmond revolutionaries who want to see Negroponte tarred and feathered and question his vision. Hey, let's face it, the "M" word is toxic to that crowd. But I really think Matt is just plain twisted about this and about what OLPC is really about. Here is what Matt has to say: "OLPC is rather about liberating developing nations from their vassal status that continually keeps them at the mercy of the pricing and licensing of Microsoft and other proprietary vendors." No Matt, that is not what OLPC is all about, and that is what the problem is! OLPC is about getting a laptop in the hands of every kid in the world. It is about giving these kids a chance to learn and grow up to compete in the global economy with the same tools that kids in this country have. It has nothing to do with your views of Microsoft being a 21st century imperialistic empire.

Matt, both of my boys have OLPC laptops; I know what it is like using them. The Sugar interface is tough. As Negroponte says, it is an amorphous blob. The command line structure of the laptop made it hard for me to retrieve and install files. File names are truncated and kept in non-standard directories. When kids are learning Windows in school, this is difficult for them. The laptops are a tool for them to learn; it shouldn't be about learning the tool. It needs to be more mainstream for kids to be able to leverage it across the world. It needs to be more standards based. I don't care if it is open source standards or closed source standards, but it has to be better. Windows will give it that.

But ultimately, Matt, I feel that the OLPC project was hijacked by the open source movement as a "Trojan horse" to overthrow Windows. If that was your intention, great. Me, I was a lot more humble and noble in what I thought it was. I thought it was about getting a computer in the kids' hands and having them learn and contribute.

April 15, 2008

McAfee's open source statements are fighting words to Matt Asay

Bulldog Matt Asay has become rather predictable. Say anything negative at all about open source and out comes the Utah bulldog from the dog house, straining to break free of his leash. Now Matt is saying that the McAfee folks have libeled open source in a recent white paper they released on botnets. Here is the quote in question:

Taking the bot controller offline may kill a botnet. As a result, many bots use a Dynamic Domain Name System (DDNS) or have a list of backup IP addresses to survive such an event. Bot technology is rapidly evolving, often aided and abetted, unfortunately, by the open-source movement. [Emphasis Matt's.]

So Matt does his due diligence and cannot find any evidence to back up what McAfee says. On top of this, Matt remembers that McAfee said in a recent financial statement that open source licensing is a threat to its business (again, these are Matt's words). From there Matt looks up botnets in Wikipedia or some other such place and finds out that botnets are mostly installed on Windows machines. Well, that is all this open source watchdog needs to get him going! Of course Windows gets more botnets; after all, it is not as secure or as good, and the people who use it are not as smart as Linux users, the darlings of the open source crowd.

So here is my problem with Matt's positions. Number one, on the white paper, I don't think McAfee was talking about Linux versus Windows at all (as much as Matt would like to think so). I think McAfee is referring to open source applications like dynamic DNS (DDNS) and other open source enabling technologies. There is more to open source than Linux, Matt. McAfee is saying that hackers are using the same open source components and network enablers that many legitimate applications are using to make more effective and dangerous malware. The open source crowd is not doing it on purpose, but it is being used. What is the big deal here? Matt, don't you agree that people can use tools for good and bad? Just because it is open source does not mean it cannot be abused or used for malicious purposes. Stop being so sensitive, Matt!

Further, on McAfee's earlier statement about open source licensing being a threat: come on, guys. It was a boilerplate provision noting that some of the applications and products that McAfee itself sells contain open source components. Depending how and when a real court ever interprets OSI licenses like the GPL, it could have a profound impact on McAfee's business. It could have a profound impact on a lot of businesses, for that matter.

Bottom line, Matt, I think you are barking up the wrong tree here. Why not head back to the doghouse and wait for the next unsuspecting stranger to walk by who tries to say anything bad about open source. Me, I think I will appreciate all of the good that open source brings, but realize it can be used as an agent for evil as well.

March 19, 2008

Money for nothin', code for free - if you don't own the copyright you could be in Dire Straits

Bob Walters from Untangle, on his Untangling blog, has an article about open source business models and how Untangle is utilizing multiple revenue streams as their business model because the software they use is open source and is inherently free. Bob calls the article "Money for nothin’ and Code for Free". Not sure how big a music fan Bob is, but I think he has Dire Straits (the band who did that song) spelled wrong, and that is not the only thing I think is wrong with Bob's article. Bob lays out Untangle's revenue models as this:

  • Untangle makes money from software by selling proprietary, for-profit extensions to our core open source code. We have targeted these extensions to appeal to larger, commercial customers. Our core software is open-source, full-featured, and free. Period.
  • Untangle optionally packages its software on Pentium-based server appliances. We sell these servers at “cost-plus,” and so this is deliberately positioned as a convenience to our customers and channel and not as a core money-making strategy.
  • Untangle sells tech support services, primarily to larger commercial customers, but also some of the larger schools and non-profits

So let's have a look. First off, if you don't know, Untangle has a UTM that is aimed squarely at the "S" in the SMB market. It is open source and free and is made up of modules based on open source security tools. I get the upsell of extensions or premium features for some modules and premium modules; that is a no-brainer. I don't disagree with the off-the-shelf hardware justification either, though there are many companies selling off-the-shelf appliances for a significant markup over cost and it is a profit center for them. Untangle seems to be writing that revenue stream off. Then Bob says they are selling tech support services to larger customers. Again, there is nothing earth shattering in that. Maybe sharing the revenue with local implementation partners? Again, sounds like a VAR play, nothing special.

Here is where I think Bob and Untangle's model could be in trouble. Bob assumes that the underlying software Untangle uses will be free, because it is free to them. But Untangle is using a Heinz 57 mix of open source security software of which it owns little if any of the copyrights. Yes, much of the software is today open source under the GPL. But what happens if the copyright holders of the software and the project owners decide that Untangle is profiting from their software and hard work? What happens if they decide to dual license the software to anyone repackaging it in a UTM or other commercial product or for-profit entity? Then what does Untangle do? Their whole business model goes down the tubes. From what I know of Untangle's downloaded user base, their conversion rate to paying customers and what they charge, I don't think they have the margin to pay for any software. They could fork the software and develop it themselves or hope to develop a community to continue development, but I haven't seen that pulled off very often, if at all.

To stay with Bob's money for nothin' theme, if he does not protect against this, Untangle could find themselves in dire straits.

January 29, 2008

Train keeps a rollin' around open source

The billion dollar buy of MySQL is not the only financial news around open source these days. In fact, financing and M&A around open source seem to be boiling over. George Dearing, in this article in InformationWeek, talks about the recent funding of Alfresco and Automattic (the people behind WordPress). Then just a few days ago Nokia bought Trolltech for 150 million. As in any deal that involves an open source company being acquired by a commercial entity, the naysayers quickly questioned Nokia's commitment to the community and whether they would continue to offer and develop the open source products. In this case Nokia and Trolltech put out a joint release reaffirming Nokia and Trolltech's commitment to open source, the community and the software. Of course, joint releases like that are as valuable as the paper they are written on, and time will tell on this one. Someone has to make money on that 150m price.

The latest open source deal is a little different. It involves one open source company buying another. SpringSource has acquired Covalent. SpringSource makes the Spring Framework for Java, and Covalent of course is the company behind commercial support for Tomcat, the Apache Java servlet container. We use Tomcat here at StillSecure, so this is one deal we will watch closely. With both companies so closely aligned with their open source communities, I don't think too many people are worrying about the future of the projects. I didn't see any financial details disclosed for this one, though. Here is one fact that caught my eye about these two companies, though. SpringSource has more than 1,000 paying customers, including 9 out of the top 10 largest banks in the world. Covalent has more than 3,000 paying customers and serves more than half of the Fortune 500. Those numbers are pretty impressive.

In the meantime, when it comes to open source, the train keeps a rollin', all night and day long!

January 16, 2008

Am I down on Open Source?

Following yesterday's post on the three biggest lies in open source, I received a couple of emails asking whether I was grumpy when I wrote that article or was getting down on open source. Though yes, I may have been grumpy (not unusual for me in the morning), I don't think that affected my article. On the other hand, nothing could be further from the truth than saying I am down on open source. I just call them as I see them. I continue to think open source as a model is a great way to get a software program into a tremendous number of people's hands. It is an efficient distribution model when done correctly. It has proven that you can turn out enterprise class, quality software that competes favorably with the very best that commercial software vendors can develop. But I try not to be so zealous in anything that I can't see the trees for the forest. Open source has its cons as well. I merely pointed out 3 that I have seen in my dealings.


January 14, 2008

The 3 biggest lies in open source

During the past few years, as I have learned more about open source software, I have come to learn that open source has its own three big lies.  Recently the last of these lies was debunked by a program launched by the Homeland Security Department. In my mind the three big lies in open source are:

1. There are thousands of "little cyber-elves" out there who contribute the code to open source projects. Yeah right! Fact is, the overwhelming majority of open source projects have code contributed by 7% or less of the people using them. The other 93% may contribute beta testing or feature requests and bug reports, but they don't contribute any code.

2. Open source is free. BS on this one too. Even if the code is free (and more often than not these days some vital piece of the equation is not free, whether it be signatures or rule updates or what have you), the total cost of ownership is often close to that of commercial software. In fact, if you are running open source software in your enterprise environment without a commercial support contract, you are playing with fire and will get burnt sooner or later.

3. Open source code is less buggy than commercial software. This myth is that with thousands of eyes on the code, bugs are found and corrected much quicker than in commercial products, resulting in higher quality software. Well, according to this TechWeb story detailing a program launched by the US Department of Homeland Security, that just ain't the fact, Jack. The study confirms that, very similarly to commercial code, open source contains about one defect per 1,000 lines of code. The fact is that once you get your head around the idea that only about 7% of users of open source actually contribute code, it follows that a similar number even look at the actual code for bugs. Most bugs are probably found as a result of something not working with the product.

In any event, there you have it, the three biggest lies about open source. Showing my age, I reflect back on my life and remember when the 3 biggest lies were: 1. the check is in the mail 2. Of course I will respect you in the morning and 3. Ugh, never mind ;-)

December 13, 2007

OpenSEA adds members, promises smooth sailing for 802.1X NAC

The OpenSEA alliance picked up two new members recently that bring some more size and depth to the roster. Aruba Networks has joined the alliance at the promoter level (I think that is the highest level, which means they forked over more bucks and will have more say in future plans). Also, according to this article by Tim Greene, HP ProCurve has joined the alliance as well.

For those who aren't familiar with the OpenSEA alliance, it was started by Jon Oltsik, and some of the original founders were Extreme Networks, Symantec, Infoblox and 3Com. What drove the alliance's formation was that control of the supplicants necessary for 802.1X functionality is currently in the firm grasp of Cisco (via their Meetinghouse acquisition), Juniper (via their Funk acquisition) and Microsoft (native Windows). When Cisco and Juniper started using their ownership of supplicants as a reason to use their 802.1X and NAC functionality, these other companies saw the need for a vendor-neutral, open supplicant. Building on the XSupplicant open source project, the alliance wants to offer a best-of-breed supplicant to the market. As Tim points out in his article today, 802.1X NAC is a great and secure way to perform NAC (even though many NAC vendors stain their underpants when you press them on how they work with .1X). In order to have .1X, though, you need a supplicant. Many people think the Microsoft supplicant is less than stellar (though I have not heard a lot of complaints myself on it), and of course Cisco and Juniper are trying to beat people about the head with their own supplicants. Having an open, available supplicant is therefore important as we see greater adoption of .1X networks.

My friend Tim Bardzil over at Extreme Networks has kept me up to speed on the alliance, and we are looking closely at whether StillSecure should join as an alliance member. With technology controlled by such small companies as Cisco and Microsoft, it is always good to have an open alternative.

October 02, 2007

A realistic view of formerly open source security

Michael Mimoso of Information Security Magazine has a good article, reprinted on SearchSecurity.com, that talks about how the view of "the community" is changing in open source security.

Michael laments the days when tools like Snort and Nessus were free as in beer, including the rules and plug-ins for them. But taking a realistic, mature view of business, Michael acknowledges that these tools had to "grow up". Michael puts it in perhaps the clearest language I have seen yet on the subject:

Well, Nessus had to grow up; Snort too. They've been commercialized by those that built them, and that was inevitable. After all, this is a capitalistic society, and eventually the socialism that is the free software movement just doesn't pay the bills.

Free Software = Socialism? Not sure I would go that far. But words like patent, copyright and license have invaded the communities, and commercial providers of formerly open source and free tools try to walk a fine line between satisfying the user community and keeping a healthy bottom line. Taking the logic to the recent ClamAV acquisition, Michael says it is only a matter of time before the other shoe drops on that one (as I have said from day one). However, one thing I would like to point out is that I don't believe that deal has closed yet. I have heard rumors that there may be some roadblocks which need to be overcome. I guess we will see.

Michael and I are again on the same page in talking about the impact this will have on UTM and other vendors who bundle these products into their own. The guys at Astaro and Barracuda may play it off as no big deal, but they have to be already thinking about their options. I don't think it is going to be as easy as they make out, and it will certainly cost them more.

Finally, right in line with our strategy on Cobia licensing, Michael talks about vendors abandoning pure "open source" licenses in favor of a Cobia community type of license. I think over time more and more of the open source tools you use will move to this hybrid model of licensing.

September 20, 2007

First US Court case on GPL - will your security vendor give you access to the open source code it uses?

Jason Haislmaier is an attorney who has a good blog called Thinking Open. Jason has a good article up called "let the games begin ...", noting that the first lawsuit ever filed in the US based upon a violation of the GPL has been filed in the US District Court for the Southern District of New York. The suit has been filed by the Software Freedom Law Center and is against Monsoon Multimedia, Inc. As far as violations of the GPL go, I think it is a rather tame one. The plaintiffs allege the defendants did not provide users of their product, which contains open source software, with access to the source code of that open source software. The lawsuit is calling for monetary damages, fees and an injunction against further distribution of the software. While I think there are much thornier issues that I would like to see the courts weigh in on around the GPL, I will be watching this one closely.

Making source code available is an easy thing to do. At StillSecure, we actually maintain a page with all of the open source software we use in our products along with links to the licenses themselves and the source code of the products. It would seem pretty open and shut to me that anyone using open source software in their products should be doing the same according to the terms of the GPL. My question is, what about all of these security companies using GPL versions of Snort, Nessus, Nmap, ClamAV, Samba, etc.? Are they making source code available? I don't think they all are. In fact, many, as I have written before, don't even have the decency to admit they use it.

I would love to see the courts come down on the side of the SFLC here.  Then I would like to see some enforcement against all of the security companies out there who are guilty of this as well.  Then the fun and games would really begin!

September 14, 2007

SCO gets its just rewards

I have been silent the past few days while I celebrated the Rosh Hashanah holiday with my family. For me the high holy days of the Jewish calendar are a time for reflection and prayer.  It represents a boundary from the old year to the new.  As a kid it always coincided with the new school year, so it did mean a new year. As I have gotten older, it has also become a time for me to think about how to improve as a dad, husband and person. Anyway, it was great spending some time with not only Bonnie and the kids but my extended family as well.  I will write more about that later, but what moved me to blog as the holiday ends is news that SCO has filed for Chapter 11 bankruptcy protection.

For many this represents SCO getting what it had coming to them. They, with what some claim was the financial backing and prodding of Microsoft, tried to throw a monkey wrench into the Linux train. For many years, at many customers, we had to put something in our agreements about what our liability and warranty would be if SCO was successful in their lawsuits. Alas, the courts have spoken and have found SCO's claims to have little or no merit. I for one am glad on several fronts. Number one, I always thought that this claim was bogus. Secondly, I think the train has left the station with Linux and there was no way to put that genie back in the bottle.

I hope this serves as a lesson to other companies to compete in the market and not in the courts.  I wonder if the few companies who actually signed licensing agreements with SCO will not put in a claim to get their money back?

September 11, 2007

First Google Apps, now OpenOffice.org and IBM

Hot on the heels of the Capgemini announcement to offer and support Google Apps comes word that IBM is officially joining the OpenOffice.org community. Big Blue will start contributing code to the project and tightly integrating their Lotus Notes applications with OpenOffice apps. It seems this may have a lot to do with the recent ISO decision rejecting Microsoft's Open XML format, while supporting OpenOffice's ODF format.

In any event, IBM's support of Linux was a pivotal factor in Linux gaining critical mass. Their support of OpenOffice could signal a new assault on the Microsoft Office franchise.  Certainly between Google and OpenOffice, Microsoft is fighting a two front war to maintain their Office suite market share going forward.

August 28, 2007

Let the pi$$ing match begin on GPL v3

Well, the FSF has responded to Microsoft's declaration that they are not bound by the "anti-Microsoft" provisions of the GPL v3. Matt Asay writes about it in his blog and says that clearly the gauntlets have been thrown down. Of course Matt, being the open source evangelist, says that there will be plenty of people coming forward to help the FSF and that Microsoft, if they push this, could be in a heap of trouble. I am not so sure. I am not sure if the FSF crowd really wants to see the courts finally rule on some of the theories wrapped up around the GPL. Mitchell has a good article up on a recent ruling that could have implications in any potential legal ruling on this stuff. Me personally, I would like to see the courts get their hands on this and get a definitive answer, rather than the perpetual pi$$*ng match that we currently operate under with this stuff.

August 19, 2007

Matt Hines digs deeper into the Sourcefire-ClamAV deal

Matt Hines, my friend from InfoWorld (and a rabid Red Sox fan, but we all can't be perfect), has a good article up with more info on the ClamAV deal. According to Matt, Wayne Jackson, CEO over at Sourcefire, said:

While Sourcefire has promised to continue to distribute versions of ClamAv software that meet the parameters of the open source general product license (GPL), the OEM licensing model will not necessarily adhere to all elements of the GPL, Jackson said. The arrangement fits the same model Sourcefire has pursued with Snort.

I think this is pretty much exactly as I wrote on Friday and what many expected. I am glad to see Wayne stand up and say it clearly. This way let no one say later that the Sourcefire people were not up front about it from the get-go. Again, if you are bundling open source in your product, I think this is a clear call that you have to change your business model.

August 17, 2007

The MySQL-ization of the Open Source movement or using open source as a shield

I have been doing some more thinking on the ClamAV acquisition by Sourcefire, some of the comments I have received and a couple of blog posts (here and here) that Matt Asay has done over at his C/Net Open Road blog. This has solidified for me that the open source game is very different than it was 7 years ago when we started StillSecure.  Back then many folks would work with open source tools and components, build functionality on top of them and sell into the market.  You could bundle them and put your work on top of it and a business was born.  Think about the UTM business.  Where would Astaro, Fortinet or any of the UTMs be without being able to bundle open source products?  Forget security, what about so many other products that are using open source databases, Linux and other open source tools and components.

The changing face of open source has thrown a monkey wrench into the works.  Between new license "clarifications", acquisitions of open source projects and open source being taken closed, one thing is now plainer than ever to see: if you are going to use open source components in your product or service, you have to pay the piper.  The copyright owners of that open source software are going to want you to commercially license that software.  Nowhere is this becoming more apparent than MySQL. Matt thinks that there is a double standard between traditional software companies and true open source companies. He defends MySQL's latest moves to only make Enterprise code available to paying customers.  He says if IBM or another company made a version of their code available open source they would be universally applauded.  Matt is correct, but what he fails to realize is that these open source companies owe their success to people using it because they buy into the whole open source thing.  Companies like MySQL, Sourcefire and others have been only too happy to reap the benefits of open source: good will in the community, having others help with code, testing, bugs, etc.  Then when others seek to use the code, they turn the open source thing on its ear and use it as a shield to keep others out. And please don't give me the "they won't help us, that is why they can't use it" stuff.  Commercial companies don't want help maintaining or developing their code.  They just want cash.

So this is exactly what is going to happen with ClamAV.  In fact, as Matt writes here, Tim O'Reilly thinks that virtually every open source company will eventually be acquired by a commercial entity.  Matt says you can either pay your money or contribute code.  Matt, that does not cover the overwhelming majority of users of open source and, as I said earlier, most commercial entities don't want your code contributed.  This would mean they don't own the complete copyright on it and so can't do what they want.  Unless, Matt, you advocate that code developers should sign their copyright over to the commercial entity for the work they do.  I think you would agree that this is not fair either. Also, let's not fool ourselves, even licensing the software is going to get expensive, as the copyright holder is not going to let the licensee make more money than they are if they compete.

So do I think this is right?  My answer may surprise you.  Yes, I think it is right and the natural way of things.  It goes to exactly what we did with Cobia.  I am not hung up on the dogma of open source.  I believe people who do work developing code should be paid for it.  I don't think using open source as a shield is right though. I say be upfront about what is going on.  So when I look at the FAQ for the ClamAV deal, as one commenter suggested, and see this:

"Will Sourcefire change the way that ClamAV open source software is offered? Sourcefire has no current plans to change the way the ClamAV software is offered to end-users. Sourcefire is committed to investing in and advancing the ClamAV technology, just as we have with Snort and Snort.org. Sourcefire is absolutely committed to the continued distribution of ClamAV and the ClamAV malware database as an open source solution under the terms of the GPL."

I think to myself, who are they kidding?  They are going to try and use the same "clarification" to change the terms and use under the license.  Using ClamAV in a UTM is going to take a commercial license.  Why not just say so? Anyone who thinks differently is either a shill for Marty and gang or really, really naive. Another question is why doesn't Sourcefire just come out and say what they mean here? I think we would all respect that more.

So what are UTM and other vendors who use open source to do?  Great question.  What I would like to see, for the good of open source communities everywhere, is that anytime a commercial entity makes a licensing move like this, other companies that are using that open source tool band together with others in the community and fork the project, as is their right.  Oftentimes there are plenty of commercial companies using an open source tool, as well as a sizable enough community, to support a fork of the project that will remain truer to the ideals that many people have around the use of open source.  That will stop the use of open source as a shield and encourage others to join the community. Without one commercial entity owning the project, all can share and share alike without fear of having the rug pulled out from under them.  The challenge is whether competing commercial entities can put aside their differences for the common good.  That is the question.  I would love to hear some comments on it!

Sourcefire buys Clam AV?

Saw the announcement today on Sourcefire buying ClamAV.  My first thought was why and how.  How do you buy an open source project?  But that became obvious reading the press release.  All of the copyright holders of the ClamAV project agreed to sell their rights in the software to Sourcefire.  You have to admit that it is a different kind of acquisition.  I did not bother doing the math, so I do not know how much Sourcefire paid.

For those who do not know, ClamAV is an open source gateway AV project.  It is very widely used within many UTM solutions and MSSP offerings.  So how does Sourcefire monetize this?  What does this mean for ClamAV's customers?  If you are an individual or corporation using ClamAV as a stand-alone product, it means you will still probably have free use of the AV engine.  However, any AV is only as good as its latest update.  Will we see, similar to what was done with Snort, a VRT-certified, pay-for AV signature update feed?  Will people not paying for the feed get updated AV signatures on a delayed basis?  What about all of these people using ClamAV in their UTMs?  Will we see a "clarification" to the ClamAV license that says they can't use it as part of UTMs?  Will Sourcefire now seek to commercially license the product to all of these UTM and MSSP vendors?  I don't know, but it seems likely, based upon their past moves.

AV is not exactly a cutting edge technology, but it can be a cash cow.  There are lots of options in the AV market.  If I were a UTM provider or MSSP using ClamAV right now, I would be exploring my options, waiting for the other shoe to drop here. I think this once again shows that if you are incorporating open source tools into your technology as a vendor, unless you own the copyrights, you do so at your own risk.

July 24, 2007

What does Mike Rothman know about open source? Fools rush in where wise men fear to tread

So it has been a while since I have had a good old fashioned blog war with Mike Rothman.  Though Mike is a good friend, let's face it, we are two loud mouth NY'ers transplanted here in the south and we thrive on confrontation.  I guess Mike feels the same way.  Why else would he make the inane (Mike, in case you need it, here is the definition of the word) statements he made about Snort licensing, other than that he was looking to tweak my tail and engage me?  Though Mike acknowledges that he is no lawyer, I am afraid it goes deeper than that.  What Mike seems to know about open source license issues would not equal the clippings from a Richard Stallman haircut (hint: he doesn't cut his hair too often).

In typical Rothman fashion, Mike makes it all about him and who his perceived audience is. After all, isn't Mikey the hero of the common working man?  In Mike's mind, he is sort of a Lenin-esque Robin Hood, looking out for the common proletariat end user and taking from the big bad vendors.  Anything not related to that and he quickly loses attention. In the Rothman world you are either paying for something or not.  If not, you don't get support and you can't make money off of it.  Anyone doing anything else is a scumbag, cheat or scoundrel (hey, those are Mike's words not mine).  Great Mike, now wrap that big brain of yours around this: what if the software is licensed under something called the GPL and it gives you the right to use it?  You are equating licensing the software with a pay-for commercial license.  This just does not square with the whole GPL and FSF view of the universe.  I think this fundamentally shows that you truly don't understand the whole open source thing. It has nothing to do with being a lawyer or hiring one. It has to do with understanding what open source means and giving credence to the license software is released under.

Yes, it may just matter to vendors, but that does not make it any less important.  Also, it may surprise you, Mike, but in the most recent releases of Snort, Sourcefire did not write all of the code; there were lots of contributions by the Snort community, with some members retaining copyright.  So put that in your pipe and smoke it before you go off calling people cheats, scoundrels and scumbags.  Sourcefire can do whatever they want with Snort. I never said differently. I just say be honest about what it is.  Don't use the GPL as a shield and claim the benefits of open source while using the same open source as a way of negating competition while garnering good will.  Either you are or you aren't.  Mike, the subtlety of that may be lost on you, but try to think about something other than you and your constituents.

July 19, 2007

Marty Roesch clarifies some of his previous comments

In the interest of reporting all sides of the story (I just love this journalist stuff ;-)), I wanted to let you know that Marty Roesch clarified some of his comments which led to my blog article last night/this morning. Things Marty said that may alter what I believed when I wrote my article:

1. Q. Is it within Sourcefire's right to change the language in the source code preamble comments to lock the license at version 2 of the GPL?
A.  The new language that we incorporated for the 2.7.x release changes a notification provision that applies to the GPL, IT DID NOT CHANGE THE GPL.  This is a permissible change because it's modifying the suggested language for header preambles in Snort 2.7.x, not the license itself.  If you read the GPL you'll see that this language is suggested in the section that comes AFTER the Terms and Conditions of the license.  The new language follows one of these suggestions and specifies which version we want our licensees to follow.

I am not sure I wholeheartedly agree here; it sounds like a bit of legal hair splitting.  Marty and team say they did not change the license at all, it is still GPL, it just changes a notification provision.  Frankly, I don't think they had the right to change anything there without the owners' permission, but since I was not affected, I really can't say.  Would be interested in what others think.

2. Q.  Is Sourcefire addressing the concerns raised by Victor and Will from the Snort-inline project?
A.  Yes, we made some mistakes and have corrected them.  Today's release of 2.7 addresses the issues raised by Will and Victor.  If you have concerns regarding the headers or copyrights on code that you've contributed let us know and we'll take care of it.

This is good to hear and I am glad they did this.  Some of the "non-license changes" they made were to code that was licensed under a non-GPL, BSD license.

3. Q.  Do the GPL v2 derivative works clarifications used in the Snort 3.0-alpha code base apply to the 2.x releases of Snort?
A.  No, these clarifications apply only to Snort 3.0

So here, I just don't get it.  Marty clearly has said that the clarifications in the Snort 3.0 license just clarify what the GPL meant all along.  If so, logic would dictate they apply to earlier versions as well, whether or not the clarifications were there.  If they don't, how is that clarification not a change?  It just doesn't make sense to me and is, I think, a weakness in the argument here.

4. Q.  Does the "assumptive assignment" clause from Snort 3.0 apply to the 2.6/2.7 releases of Snort?
A. No, the assignment provisions in the Snort 3.0 license do not apply to past contributions.  Sourcefire is in no way attempting to take ownership of the copyrights of past contributors.

I clearly misunderstood this, and this is the way it should be.  People should know beforehand about an "assumptive assignment" and make a decision on whether or not to contribute code based upon it.

5. Q.  Is Sourcefire claiming ownership of all contributed code?
A.  No.  The assignment clause in 3.0 will maintain your ownership of copyrights.  It is simply a licensing agreement granting us the right to modify and relicense to 3rd parties.

Again, I was not clear on this and am glad to see it. Of course, in reality you are giving Sourcefire a pretty broad license to profit from your work, and whether you are entitled to anything from it is a question to ask. But at least you still retain ownership.

6. Q.  Does this apply to past contributions?
A.  No.  Snort  3.0 is a completely new code base that is entirely developed and copyrighted by Sourcefire.  If we incorporate past contributions to the 2.x code base as work on the Snort 3.0 project continues they will maintain their original copyright and license.

So it sounds to me like maybe this whole issue goes away, as they are using only Sourcefire owned and developed code in 3.0.  That certainly makes it less messy.

7. Q.  What is the practical effect of the derivative works clarifications?
A.  For end users there are none.  You are free to use and modify Snort as you do today.  For anyone that modifies and redistributes Snort *and* adheres to the terms of the GPL, there are none.  You may continue to modify and redistribute Snort as you do today.  The only impact is on organizations that redistribute Snort and fail to adhere to the terms of the GPL.

So this is where I think Marty is playing a bit fast and loose: the *and* adheres to the terms of the GPL thing.  Is that the terms as Marty understands them?  The same terms that he says need to be clarified, otherwise they don't apply? Or is it the terms as I understand them?  Or for that matter how someone else understands them?  The devil is in the details on that one and I suspect it will be the crux of my future conversations with Marty and the Sourcefire team.

Snort, GPL, open source, Cobia and copyright

Marty Roesch of Sourcefire/Snort put up a long blog post today explaining some recent actions by the Sourcefire team on the legal front in terms of GPL licensing and copyrights.  For those who remember, I have written here and here about what I believe is a change in the licensing of Snort with the forthcoming 3.0 version. For those who may also remember, I was taken to task by some for daring to question the infallibility and pure intentions of the Sourcefire folks.

Well, in Marty's post today he talks about three recent events.  From Marty's blog, here they are:

1) GPL v2 lock that we put in place on June 29th.
2) "Clarifications" in Snort's license language (Snort 3.0).
3) "Clarifications" with regard to assignments of ownership for contributed code (Snort 3.0).

Let's have a look at these. The first deals with the fact that with the release of GPL v3, Sourcefire put a caveat in place saying that Snort could only be distributed under version 2 of the GPL.  Frankly, they are perfectly allowed to do this for the code they own.  I have two issues with this though:

1. Instead of saying that they don't like v3 of the GPL, Marty says that he got a heads up about people being able to change versions of the GPL just 3 weeks ago, and the Sourcefire folks have not had a chance to look at version 3, but they know Linus was not moving Linux to it.  I don't know about you, but if my code was released under the GPL, I probably would have been following it for at least the last year and the many draft releases that were sent out.  It's not like version 3 snuck up on anyone.  Sourcefire is a public company now; you would think they would be all over this. Is Marty really the only one watching this, and until he found out no one there had a clue?

2. More importantly, it seems that Sourcefire does not own the copyrights to all of the code in Snort. In making the change prohibiting the use of GPL v3, Sourcefire took it upon themselves to change the source file header preambles of all the source for Snort, including parts they did not own.  Obviously some of the folks who owned and contributed the code were not made aware and did not give their permission.  Marty claims there was not time.  Again, it was not a secret that v3 was coming out, but he acknowledges this was a mistake and apologizes. Marty says they will fix this.

Next, and most important to me, is the changes in 3.0 licensing.  Marty comes out and says plainly that the "clarifications" they have made in the 3.0 license are aimed at "companies that are using Snort as a part of their product or service. Many of them seem to expect us to work on this technology and improve it continuously so that their offering is cutting edge but contribute nothing to the project and complain bitterly whenever we do something that might cost them some money to continue to use a best-of-breed technology like this."  Marty goes on to say that they are just clarifying what the GPL said all along.  I have already written on this.  I and the attorneys I have spoken to don't believe that. I think the clarification put forth by Marty and Sourcefire is plainly a change to the GPL.  I don't care if Nmap has done it or anyone else for that matter.  It is a change. I do not begrudge Sourcefire the right to charge for their software.  I just say don't use the GPL as a shield.

Marty and Sourcefire, however, are in a difficult position.  They are kind of stuck with the GPL because they took code from others under the GPL, and now if they want to change the license away from the GPL they can't.  So they have no choice but to say the GPL means what they want.  In my mind this is no better than what Marty accuses others of, namely claiming the GPL gives them the right to do what they want.

This is exactly the reason we did not use it with Cobia.  At the end of the day, what Marty and team are seeking to do is exactly what we wanted: that if you are not making money selling the product, it is yours to use for free and you get source code, and if you are making money you should use a commercial license.  Bitch and moan all you want about open source or not, but Marty and we are trying to accomplish the same thing.  Marty is constrained by the GPL and we chose not to be.

Lastly Marty talks about something which has raised some comments on the snort list.  It seems if you contribute code to Sourcefire, they in essence "own" the code. I am not sure if this was always clear to everyone who contributed code in the past.  My impression is that it was not, based upon the reaction to this.  Again, I don't begrudge Sourcefire being able to do this and Marty gives some good reasons why they need to. I just think you need to be open and upfront about this from the beginning, like we are with Cobia, again. 

So what can Sourcefire and Marty do about this? I think they are faced with either paying the people who wrote code in the product and buying them out, or rewriting portions of the code so they own it all.  Anything less is just plain messy.

In the meantime, Marty posted his comments to the Snort list.  I responded with my take on this. I am pleased to see that several other members of the list have responded as well.  So far they seem to agree with my take on it.  In fact one post actually used our Strata Guard Free as an example of what looks like a legitimate use of Snort under the GPL that Sourcefire would probably like to change.

So in spite of comments and admonitions of others, it would appear I was not so crazy after all.  I will keep an eye on this and write more about it as it happens.

June 21, 2007

Is Windows less of a security risk?

Whenever Matt Asay roams beyond open source into security he usually shows that he speaks from his open source heart and not his head.  Matt wears his open source passion on his sleeve and consequently it colors everything he sees.  So when Jeff Jones, strategy director of Microsoft's security technology unit, shows that Windows users faced fewer days of security risk on average last year than users of Apple, Novell, Red Hat and Sun, Matt has a cow. How could the evil empire be more secure than his open source darlings, let alone his own OS of choice, OS X?

Matt's evidence to back this up is the fact (he tells us twice) that he has not had a single security risk (in his opinion I guess; I wonder if he was at CanSecWest) or security breach in over 5 years.  He then runs the tired "if Microsoft had any record of security" stuff.  Hey Matt, take a good look around and take off the open source rose-colored glasses.  Microsoft has been serious about and working on security for some time and has built a record.  Ask Stephen "Steptoe" Toulouse what record Microsoft has. BTW, Microsoft points to a Symantec executive who acknowledges the accuracy of Jones' data.

Frankly, I think there are arguments both ways over which OS is less of a security risk.  I don't mind an informed debate.  What I don't like is the knee jerk reaction of some in the media who are not even familiar with the facts, crucifying Microsoft.  In this case it is because he does not like their take on open source and what they are doing with the Linux vendors.  Matt, I don't agree with a lot of your views around open source, though I acknowledge your expertise there; but you have no standing to be speaking about security and tainting the facts with your prejudice against Microsoft.

"What is open source" debate rages

Readers of my blog know that I have been involved in more than a few "debates" over what is open source.  So I was obviously very interested to see Michael Tiemann of the OSI fire a shot in this debate on his blog yesterday.  I was going to comment on Michael's article, but frankly the OSI site makes it so hard to leave a comment that I just skipped it (I think this might be a theme with the OSI).

I must admit that I have been reading with some glee the raging debate going on over at Slashdot as a result of Michael's comments.  I would say that the overwhelming majority of people agree with my position that OSI does not own open source and that for the overwhelming majority of people, if the software is free and they get the source code, that is open source enough for them.

I also find it interesting that many of the OSI crowd lament the fact that these people on Slashdot were not here back in the '90s when the "fight" for open source was going on and the principles of the OSI were laid down. Now, they say, Slashdot is all about appealing to geeks so the owners can make money (what a sin?). Sounds sort of like the hippies lamenting the promise of the "open society" of the 60's that was never realized.  I think most software users have moved beyond the OSI's artificial definitions and don't care, or don't think the OSI has the authority to define what open source is.  Sure, there are people who say otherwise, but I think the majority is clearly of this opinion.

June 11, 2007

Linux desktop, coming to a computer near you?

We have all read the announcements that Dell and Lenovo are starting to ship Linux desktop machines.  For more years than I care to remember, we have heard that this coming year could be the year that Linux makes the big push from the data center to the desktop.  However, it has just not happened.  Other than IT engineers and related geeks, you just don't see it.  In fact, if anything I see the geeks now flocking to Apple.  So I was a bit surprised by John Halamka's article in ComputerWorld today saying that 2008 could be the year of Linux desktops.

John is right on about what Linux needs to be a viable alternative for desktops. John says Linux needs to:

1. Recognize video chip sets without any messing around
2. Recognize and connect with most wired/wireless networking hardware
3. Recognize and use most storage devices (including USB)
4. Include a browser, good email client, office productivity suite, photo editor and GUI tool for preferences.

I think this is a great list and by John's own admission he has not found anything that meets all of these criteria. John's view is that Linux desktop has to stop being a project and become a product. Where I don't agree is what makes him think 2008 is the year.  I still don't see any Linux tool that gets the plug-n-play config part right.  I would love to see it and would welcome the choice in the market, but I guess I am just not as optimistic as John is that the time has finally come.

June 05, 2007

Open source and bloggers remorse

As I mentioned in my article around open source yesterday, Ryan Russell made an excellent point in a comment to Thomas Ptacek's tirade against us.  He spoke about open source remorse. He means that some open source based commercial companies were only too happy to "use" the community to get where they are, but then wish to stifle competition using their products and change their licenses.  Ryan has done a full article on it on his blog and I highly recommend you read it.

I wanted to mention two things.  One, in talking about remorse, is my own blogger's remorse. One of the nice things about blogging is I have made lots of friends in the blogosphere.  One of those people is Thomas Ptacek.  It bothers me that my post yesterday was aimed at him and perhaps harsher than I intended.  I guess it was a case of him constantly harping on StillSecure and me, so I felt like I had to defend myself.  Kind of like, if I didn't stand up for myself, the bullying was going to continue.  I have traded some emails with Thomas and know he is upset that I was so personal.  Sorry if you all got in the middle of that, and I really have no hard feelings regarding Thomas.

On the issue Ryan raises, we do not use Snort in Cobia.  If anyone wants to do a port of Snort to Cobia you are free to.  Under our community license, you are perfectly entitled to do so and Snort would still obviously be under the GPL.  We don't steal anybody's code here and try hard to play by the rules.


June 04, 2007

Thomas Ptacek should stop whining about open source and StillSecure

There are few things I dislike more than seeing a grown man whine. Thomas Ptacek has been on a whining spree for months now - whining on about how StillSecure’s use of open source software is "driving open-source projects underground". He has taken every opportunity to bad mouth, whine, throw mud, and stamp his feet about StillSecure. I have for the most part ignored him. This is the same tack I take with my 5 and 7 year old sons when they whine. In fact, we have a saying around here, “whiners get nothing”. Ignore it and my kids stop whining, but Ptacek just doesn't stop. Before he threatens to hold his breath until he turns blue, let’s look at what has Ptacek so agitated that he’s telling me to stop talking or writing about open source (and here I thought free speech was protected under the GPL or something).

1. Our Cobia license - We call Cobia a community, open source license. We said from the beginning that if your definition of open source is an OSI license, then Cobia does not meet that definition. We are not trying to fool anyone. However, we give the product away for free with the source code (from our vantage point, we believe Cobia is open source – but we fully understand those that disagree). The GPL leaves a lot to interpretation, and we wanted to be clear about what can and can’t be done with Cobia. So, we wrote our own license. If you are going to make money off of Cobia, we want to make money too. Same idea as any number of dual licensed, open source projects out there today. This got Ptacek in an uproar and he started a brouhaha about it. According to Ptacek, if you don't have either the GPL or another OSI license you are really not open source. I understand his feelings on it. So, I said fine, don't call it open source, call it “community source” or whatever you want, just don't call me late for dinner. And just to put this issue to rest, we are fine calling it community source – in fact, if you looked at our license, it's titled community source license! Evidently this was not enough for him though, so he continued whining about it in a Dark Reading article by Kelly Higgins Clark.

2. Snort 3.0 license - I speculated about possible licensing changes in the upcoming Snort v3.0. Marty Roesch, who has a thing or two to say about Snort licensing, responds. According to Marty, they are not changing the license; they are just "clarifying" what they think the derivative sections of the GPL mean. Truth be told, I was hoping to get a definitive answer on this from Marty. Now we can decide whether we should continue being a Sourcefire partner or not (yes Thomas, we write Sourcefire a check, so don't give me the exploitation crap) and what it means for our business.

So Ptacek, who at this point is all about badmouthing StillSecure, proceeds to blow up, saying I should stop talking about open source and Snort. In the world according to Ptacek, since we "don't give back" and "exploit" the poor guys doing open source, I should not have the right to talk open source and licensing. Now there is a great strategy to build dialog and understanding. Ptacek, maybe you should tackle the Middle East peace process next. With your open debating style, I bet we’d get that problem sewn up in no time and there may be a Nobel Peace Prize waiting. But before Ptacek solves all of the world’s problems, let’s get back to open source, giving back and exploiting. While Ptacek is making money for himself, we have been spending millions of dollars developing Cobia – which is FREE to end users. We also have developed our Strata Guard Free product – which again, is FREE to end users. We happen to think that is a form of giving back, but Ptacek says it isn’t because it doesn’t have an OSI license. Well, that’s Ptacek’s logic for you. Maybe you can ask the people that are using either product whether they think StillSecure has given back?

Next (this is a real beauty), I show him an article by Lawrence Rosen of Rosenlaw, a corporate secretary and general counsel for the very same OSI that Ptacek so vigorously defended earlier. It plainly calls bunk on Ptacek's view of derivative work. So what does Ptacek say? He says the lawyer is crazy of course. Of course he is, he doesn't agree with Ptacek. How can he be anything but crazy? After all, Ptacek has a much better handle on the complex legal issues around open source licensing than one of the preeminent legal authorities in the world on the subject.

3. Ptacek really gets desperate with this one. I write an article noting that the FSF released a "last call" draft of GPL v3. I state that I don't see the word derivative in there and say that we will have to wait for the courts and the lawyers to see what this will mean with regard to derivative works. So, Ptacek takes "artistic license" and writes an article titled "StillSecure Rejects Terms of GPL". Where did I say anything about rejecting GPL terms?  Who is blog whoring now?

Ptacek's whining about StillSecure's use of open source reminds me of baseball fans that complain about how much teams like the Yankees and Red Sox spend on players. How can the "small market" teams compete? The Sox and Yankees don't make the rules, they just play by them. Same thing here, Ptacek. Frankly, who cares what your view of open source licensing and derivative use is? We don't answer to you. We answer to our customers, investors, and the market.

On the issue of the game going on with open source commercial developers and "open source remorse", Ryan Russell summed it up perfectly in a comment to your post. Let me just paste most of it in here:

So who cares if StillSecure uses Snort? If they change the Snort code, they will give that away right? It’s Sourcefire that cares. Marty and company picked the GPL, and now they’ve got the open source remorse. Sourcefire doesn’t want anyone to commercialize it *but themselves*.

Sure, it’s their code, who is more deserving of commercializing it, right? Fine. But why did they pick the GPL then?

So who’s the bastard who took your GPL Snort, Nessus, and nmap away from you? Is it the companies that compete with the commercial versions of those projects with their own code? Or is it those companies themselves that sucked up all the GPL goodwill, and now want to be the only ones to capitalize on it?

Did they drop the GPL because they don’t like competition? Did they drop it because “no one was contributing back”?

What did they have to do to be able to re-proprietize the code? They had to drop or swipe all the contributions from everyone else who thought they were contributing to a project that was GPL. Way to encourage contributions.

So who exactly are the ones screwing up the GPL?

Ptacek, why don't you reread Ryan's comments and worry about answering that rather than whining about how StillSecure does business. By the way, I think Ryan has hit the nail on the head here. Take a good read of his comments and tell me how you disagree.

Ptacek, here is the bottom line. You don't like StillSecure, how we do business and you don't evidently like me. That is fine; you can't please everyone all the time. You are entitled to your opinions and I would never tell you to shut up (as you have told me repeatedly), however the potshots have gone on long enough. If you want to have a rational discussion on the facts, I’m happy to engage. If you want to throw mud at StillSecure have at it, but stop the whining, it is not becoming.