
November 17, 2007

The game is changing for appliance users too - preaching to the Cobia choir

Eric Ogren has a good article up on his ComputerWorld blog about recent advances by Intel/AMD that make it "increasingly harder to justify large engineering investments in custom-built ASICs or hardware that is not built on a standard platform."  Amen, brother!  This is exactly what we have been saying with Cobia from the beginning.  Today's multi-core processors with virtualization technologies offer far greater computing power than has ever been available before from off-the-shelf products, to the point that justifying custom silicon in most cases no longer makes sense.  The good news is that, following Moore's Law, this advantage is only going to continue to grow.  Yesterday's dual core led to today's quad core; who knows what tomorrow brings.

A couple of points of fact bring home the reality of this for me.  The first is the results I have seen with deep packet inspection on these new systems with optimized software.  Though up to this point (as a comment on Eric's article points out) we have only seen sub-Gbps speeds, I have good reason to believe that this barrier will be passed, like the sound barrier in airplanes long ago.  Supersonic deep packet inspection on off-the-shelf hardware will be a reality in the market within a few months!  The second point of fact is a conversation I had with a security director at a large media company in NY.  He told me that just two months earlier he had visited a data center his company has over in NJ.  The place was cavernous and mostly empty.  He returned just two months later and the center was filled to the brim with Dell servers, and they are looking to build another data center.  But they are also mandating a move of any and every application possible onto virtual servers.

I am not the first blogger to say that virtualization will revolutionize the data center.  But between virtualization and these powerful new processors, there is a revolution going on.  Check out Cobia and see the performance that these trends are putting in your hands without expensive silicon.  We are just at the dawn of the brave new world, but it promises to continue the computer revolution to empower us to do more for less!

October 02, 2007

Isn't dual licensed open source software a hybrid?

Matt Asay is probably one of the most vocal zealots in the "religious right" of the Open Source movement.  Matt's views, which are well documented, are that if it is not an OSI-approved license, it is not open source, that Microsoft is the evil empire, and that eventually all non-open source software (as he defines it) is headed for the junk pile or museum.  So it is no surprise that he takes issue with these comments from Microsoft's Clint Patterson:

"The open-source development model has yet to demonstrate the ability to support profitable software businesses that can drive the coordinated research and testing necessary to sustain innovation.  Many in the open-source software community have shifted to hybrid business models.  They are making the same business decisions as any commercial software company in terms of what products and services to give away, what intellectual property to protect, how to generate revenue, and how to participate in the community."

Matt then proceeds to do a lawyer-like, point-by-point rebuttal.  Though Matt claims all of Patterson's claims are false, even he admits that most of them are at least partially true.  Beyond that, Matt's arguments are the usual zealot's drivel.  Whether we are talking about open source software or religious extremism, extreme zealots' arguments have certain consistencies across the board.  Here is one.  When responding to this:

"The open-source development model has yet to demonstrate the ability to support profitable software businesses that can drive the coordinated research and testing necessary to sustain innovation"

Matt says that while it may be true, who is Microsoft to talk about innovation?  Matt, that does not answer the question at hand.  And Matt, forgive me for bringing this up, but when you are driving the kind of revenue Microsoft is, I don't think they are quite as concerned with it as you are.  They have already done their foundational work, Matt.  When you have that kind of market cap, you can get away with it.

But my bigger problem is Matt denying that hybrid models are the trend in open source.  Matt narrowly defines hybrid models as cases where the source code is not entirely released under an open source license.  I don't think that is the issue.  I think dual-licensed software, which almost every commercial open source vendor is using now (including us here at StillSecure), is a hybrid model.  It is the future of open source.  The days of wild-eyed hippies preaching free love, free sex and free software are over.  Commercial entities who distribute software under an open source license need to be able to monetize their investment in the IP, and dual licensing is a way to do it.  Also, companies who license their software under the GPL but only make it available to paying customers are violating the spirit, if not the letter, of the open source license as well.

The bottom line is extremism is a bad thing in just about everything.  There are no absolutes and you can't let your emotions get in the way of common sense when looking at open source software.

June 28, 2007

Do users care about the licensing model?

It's interesting to watch Michael Tiemann lay claim to the one, true definition of 'open source': only projects released under an OSI-approved license are open source.  If this were a legal issue and the definition was argued in court, the OSI might have a chance.  But when it comes to trying to freeze the definition of a term in common usage, they don't stand much of a chance.

My own experience talking to end users about licensing mirrors that of Mitchell Ashley and the audience of Slashdot: most people just care that the software is free and open, not which licensing model is used.  The majority of the people I've talked to face to face at events understand why a company wouldn't want to use an OSI-approved license.  As long as the impact on the end user is the same in the end, meaning they get the software for free and can look at the source code themselves, they aren't too concerned with the license.  There have been exceptions, people who are hard-line OSI or BSD license advocates, and I respect those people for their opinions.  But they've been in the minority.

Cobia's license isn't OSI compliant.  But our source code is open and the software is free.  Call it open source, community source or something else; the effect on the end user is the same.

June 07, 2007

Smart move by IBM

IBM's purchase of Watchfire sounds like a good idea to me.  It's probably cheaper for IBM to buy a company like Watchfire that makes auditing and assessment software than to develop the same capabilities in house.  If they can save money by using Watchfire's resources internally as well as selling the product, it should work out well.

Using Watchfire's expertise and security evaluation products to take a look at their own software should make the next generation of software from IBM much more secure.  And if Joseph Feiman at Gartner is to be believed, the market for Watchfire's services may quadruple in the next two years.  It sounds good, but I'm always a little leery of analyst hype.

June 05, 2007

GPL costs

I'm not much of one for getting into fights in the blogosphere.  It's just not my style.  When I get confronted by someone who's single minded and won't listen to any other viewpoint, I usually back out of the conversation and walk away.  But, as I mentioned yesterday, Alan isn't the same type of person I am and fights back when confronted.  Luckily, with a few hours to cool down, Thomas and Alan appear to be communicating again, with Alan even apologizing.

I think the issues of GPL licensing, the Cobia Community license and Sourcefire's interpretation of the GPL are all issues that need to be discussed, and I'm glad Ryan Russell has done such a good job of it in his article, Open Source Remorse.  The price of being GPL compliant has been high for Sourcefire, with other people making money off of their efforts.  By trying to re-interpret the GPL, Marty Roesch and Sourcefire are trying to recapture some of that revenue.  Nothing wrong with that; it's what a company is supposed to do.  The real question is, will they be successful?  I'm interested in seeing what other people have to say about Ryan's post.

As I see it, this all boils down to a cost-benefit analysis: the cost of making Cobia GPL compliant was more than the cost of having our community source license.  Sourcefire decided the possible downside of their interpretation of the GPL is bad publicity and angering the open source community.  They're willing to take the risk of community disfavor to regain lost revenues.

Ron Gula at Tenable told me that the downside to making Nessus 3.0 closed source and leaving the GPL license behind was less than he'd originally feared; there was some, but it subsided quickly.  It was a move he felt needed to be made to keep his company going.  I'm sure Marty Roesch and the folks at Sourcefire feel the same way.

June 04, 2007

No, we're not OSI compliant

It's no secret that Cobia isn't using the GPL or an OSI-approved license.  We've created our own community license that gives out the source code and allows you to use it in your business or personal network for free.  The license is only invoked if you want to resell, repackage or redesign Cobia for profit.  This allows us to retain control of our code while making it available to as many people as possible for use.  And our modular approach means you can develop for Cobia without losing control of your own code.

We knew this move was going to be a problem for end users who are open source purists.  But the majority of people we've talked to are mainly concerned with the fact that the code base is open for review, that it's free to use and that it's a great product.  The specifics of the license aren't that important to most people I've met.

Alan Shimel does a much better job of explaining this than I can in his argument with Thomas Ptacek.  We'll call Cobia community source if it makes people feel better, but the license isn't going to change.  I know there are some people who won't use it because of the license, but long term the control of the license is worth more than becoming GPL compliant.  Tenable learned this with Nessus; Sourcefire is learning the same with Snort.

Is this a major issue?  For some people, it is, but not to me.  It'll come up from time to time, we'll talk about it and you'll make your own decision.  That's good enough for me.

No such thing as guaranteed security

"It made me think about whether or not it matters if the security controls we put into place are essentially illusory as long as they bring us some level of comfort."

Diana - Security Curve Weblog

As I was reading Diana's article, this one sentence jumped out at me.  Does anyone in the security field still have any illusions that we can make a network or company completely secure?  If they've been in security for more than a couple of years, I hope they know better.  We're never completely secure; there are too many aspects of our enterprise to cover to be certain we've taken everything into account.  There's always going to be a vulnerability somewhere.  It's a fact of life.

We can't afford to have too many illusions as security professionals.  We have to see our network for what it is so that we can take the appropriate steps to safeguard our resources.  We often have to do the best we can with the resources at hand, because proving the threat/risk to cost ratio to management is difficult in the best of situations.  We have to hope that what we've done is good enough to keep the bad guys out of our network.

I guess this is the illusion Diana was really talking about.  Not that our network is truly secure, but that our security measures are 'good enough'.  Because if our security is 'good enough', it'll be someone else's company that will end up on the front page of Slashdot because of a compromise.  But sometimes it's this illusion that allows us to get to sleep at night. 

Michael Dahn blogged recently about continuous security and PCI (my response), and I think this relates well to Diana's thoughts on compliance illusions.  Meeting a compliance framework such as HIPAA or PCI is part of a security stance, but neither of these will make your enterprise secure without a lot of extra safeguards.

We have to have illusions to live our lives.  As long as we pick the right ones, either by luck or design, our networks can stay secure. But if we choose to believe the wrong illusion, we could suffer from a compromise. 

Welcome to a little Monday morning philosophy.  Now I have to go rent Pan's Labyrinth. 
