Open Source and the New Economy

The Story Behind CVE-2006-4244 and LedgerSMB

2006-09-07T17:53:00.000-07:00

In general, one would think that when the author of software would fix major security issues as soon as possible. However, this is not always done. This entry shows my experience in the area of security disclosure when things go horribly wrong and when outright lies are told about people who work tirelessly to help ensure the security of their customers. In this latter category I find myself along with a couple others. It is hoped that others will find it easier to avoid some of the mistakes that I have made in approaching what became a very volitile situation. Furthermore, I would normally leave private emails private, but when public attacks are made on me, I do not feel the obligation to keep the attackers' emails private.

About a year ago, I discovered what I thought was a dangerous but contained exploit in SQL-Ledger. I promptly filed a bug report with the maintainer privately via the web site for which I received no reply. At the time, I suggested I would create a patch on my own and submit the report to Bugtraq if it was not fixed within 30 days. The only problem was that I didn't have any time, so the patch never got written. I didn't want to go to Bugtraq and simply cause many people to have horribly exposed systems so I kept silent. However, I was no longer happy with the way the application was maintained and I informed my customers of what they could do to minimize exposure to attack.

In April, I received a number of very hostile emails from the maintainer of the software for my efforts to build community-maintained documentation. I made the mistake of trying to get him to address my security concerns. He stated that he was not interested in fixing the problem.

On April 17th I wrote:

Session id's are not tracked by login on the server, allowing session
hijacking or even logging on once the user's .conf file exists without a
password.  The old password authentication was therefore more secure
than the current system.
To which he replied:

try it, crack it, hack it. server side cookies are a big security risk,
not client side cookies. The onus is on the user to log out, why should
the server babysit.
This reply indicated to me that he simply didn't understand the problem.  The issue is that one simply cannot trust a client that the administrator may have no control over more than the server.  At the time, I was not yet aware of the entire scope of the problem.    Indeed on a cursory code review, I would find that the session id was simply the UNIX epoch timestamp (or the return value from the Perl time function).  At this point, the full issue struck me and I was faced with a serious decision to make: whether to continue to trust Dieter or not with the security of my customers.  After discussing the matter for a while with others, I reluctantly decided that the only thing I could do was fork the software, especially .  This decision was made in early June, but at the time, I did not have the resources to seriously pursue creating such a fork.  And so things remained for another couple of months.

The catalyst for change came when I was approached by Josh Berkus and asked a number of questions about the viability of the SQL-Ledger community.  Josh introduced me to Chris Murtagh with the idea that we might be able to collaborate on a fork.  While I think that Josh's main interest was in having a fork, my main interest was in getting a security solution for my customers.  Within a day, Chris had created a basic patch which needed some tuning but corrected the problem relatively nicely by tracking random session id's in the database.  While this patch is not perfect, it actually provides an authentication system that is at least up to industry standards.  At that point we notified the list and Bugtraq did some further development and notified the list.  Chris sent the email to the list and I sent the email to Bugtraq.

At that point things got ugly.  Dieter's initial reply to Chris for the posting included this tidbit:
Now if you want to scare everyone start with how unsafe Windows is,
heck even Linux and tell everyone that if you don't lock this or that
anyone can attack you. Will it serve any purpose? NO!

Again, one must eventually conclude that Dieter did not understand that this was a fundamental design flaw in the authentication system of his application.  It is simply not possible to lock this problem out.  After another day we fully tested the patch and sent it to Dieter.  In the mean time, I got this nice email from Dieter:
Then fix it and submit a patch. It serves no purpose to fearmonger.

Did you ever wonder why Microsoft does not just buy out SQL-Ledger? It
would be drop in the bucket for them to get rid of the competition but
guys like you do it for them, and at no cost to them to boot.
Menschenskind how stupid is that?

Think what you do. It affects you just as it affects me, you more so
because if you force me to go proprietary you get no more code. Maybe you
think this will be a service to the general public to keep my code and the
code from other contributors out of the public protecting them from
"vulnerabilities" which are easily squashes if a person does the right
thing. THINK ABOUT IT, not scare the public!
The morning after we sent the patch, we got the following email:

Did you ever ask yourself how a user could get in if he does not have a
shell account. No shell account, no way to create a cookie file.

What you are doing is false sense of security because you believe it is
now safe for a user to have a shell account but in fact you just exposed
your system more so than before.

Think about it!

Your house is safe if you throw away the key. By not giving the user shell
access you throw away the key.
This email was so odd, it almost defies a response...  I suppose that in some exotic environments shell access might be required to create a cookie, but in the vast majority of environments (including essentially all Windows and Mac environments and most Linux and UNIX environments), shell access doesn't make a difference.

But by that point we were already working on our fork.  Since that point, Dieter has publically stated that it is a very technical issue which is not a serious problem.  Yet the National Vulnerability Database gives it a severity rating of 7 (high).

Preparing the fork took Chris and I about a week and a half of nearly sleepless nights.  Both of us are fathers of young children.  We both have families and other time commitments.  This has been an unbelievably exhausting time.  And in the end, we were publically attacked for our efforts.

A couple points to repeat for emphasis:

We created the security patch before starting work on the fork.
The release LedgerSMB took more than another week.
SQL-Ledger *still* has no official patch over a week
Dieter still suggests it is not a big deal despite the fact that nearly every private security company acknowledges that it is a serious problem.

Now, if I could do some things differently, I would. I have learned a number of valuable lessons from this experience.

I would not have confronted the maintainer of the software when he was already upset at me.
I would have gone to Bugtraq even without a patch in hand. In the end, perhaps this could have been avoided and the problem fixed a year ago had I followed through with my original plan.

Yet to my knowledge this vulnerability has not yet been exploited. I guess that as rough as this has been, it might save some people problems,

An example of an Open Source Business

2006-01-30T15:33:00.000-08:00

My business has been doing a fair bit of work on an open source accounting package called SQL-Ledger. In particular, we have built a wiki for community documentation and have created a package of enhanced point of sale features for this software. In the end, this has accounted for arround 20% of our revenue in 2005.

Naturally, everything we do is contributed back to the community. Many of our design changes have been accepted and merged into the main source tree for SQL-Ledger, but many have not. THis is because some of our changes are not considered relevant to all deployments, and some are considered to be difficult to impliment automatically in Windows environments. This means that for our work, we have a better platform to add even more features, and yet people who want a full-featured retail management environment based on Free/Open Source Software still cannot get it out of the box and have to come to us. Hence our costs are reduced, and we get help from across the community in maintaining some of our core features.

So if you are trying to start a business regarding Free/Open Source Software, it doesn't hurt to make an add-on for an existing software project that meets some specific need.

Diversion into politics

2005-07-12T09:09:00.000-07:00

Well, Karl Rove is now the talk of the nation. I try not to use this blog to discuss my political views, so this will be as far removed from partisan politics as possible.

It is clear to me that Bush's only responsible choice would be to fire Rove. Bush isn't stupid-- he is a brilliant propagandist and someone who has been remarkably successful at pushing through his agenda items (both foreign and domestic). If Bush has a failing here, it is in his aquiescence to scandal within his administration. It would have certainly been better politically for him to fire Rumsfeld after Abu Ghraib and try to put that matter behind the administration.

In international law (IANAL) there is a concept called "Command Responsibility." Under this concept, a leader is responsible for the conduct of those who report to him. These responsiblities include the requirement that the leader appropriately discipline subordinates who act in violation of such laws (this has been a large part of the case against Milosevic). The idea is that the failure to provide such discipline when the leader knew or should have known about the offense actually means that the leader was aquiescent to the offence (sort of the "Don't violate the law, now" wink, wink, nudge, nudge approach).

Bush owes it to his administration, his party, and ultimately his country to appropriately discipline those who are responsible for wrongdoing within his administration. He has publically stated that whoever was involved in the Plame leak would be fired, and backing off from that position now would be ultimately damaging to his administration and his party. It would also help the Democrats cement their opposition to the Bush agenda.

In politics, nothing works better than an enemy to mobilize forces. I wonder how well right-wing politicians would like it if Roe v. Wade was overturned as this would significantly dampen their propaganda capabilities. I say right-wing because there are many Republicans who support abortion rights (along with the majority of Americans). Similarly, I wonder if the Democrats (this is largely a partisan issue) would really like it if the Bush administration did fire Rove, as this would reduce their propaganda capabilities. Bush has nothing to lose from firing Rove. His party has nothing to lose. And Bush has everything to gain by stating that he will not tolerate such behavior even from those in the most privileged positions of his administration.

Why McVoy is wrong about Open Source

2005-05-26T16:57:00.000-07:00

Forbes Magazine posted an article where they summarize Larry McVoy of Bitmover. Larry made the following points:

Open Source is unsustainable.

Open source can't make enough money to produce the next generation of software

This article will demonstrate why Larry is fundamentally wrong in both these assertions.

Sustainability of Open Source Software

McVoy does have a minor point in that it can be somewhat difficult to begin work on the next generation of an open source program and spread out the cost of development in a reasonable way. Completely rewriting software is a difficult proposal in Open Source software.

However, this does not mean that it cannot be done. One basically has two choices: either one can charge enough for services (including further development services) on the current generation of the software to be able to facilitate the development of the next version or you have to break up your improvements such that they can be done by a large number of non-intrusive patches. In reality most projects rely on a combination of both approaches.

Secondly McVoy seems to feel that the primary market for Open Source in companies is in support services. While Red Hat has certainly shown that such support services can be valuable and profitable, and while many companies have run into trouble doing customized solutions, I still think that custom development is often overlooked as a potentially major source of revenue. Such custom development is difficult to get right-- it requires an eye for features which others can use too, and an ability to write them so that they are generally useful and can be contributed back to the main project for the next release. Also custom development revenue is beneficial because it can allow you to build a truely customercentric project.

Innovation and Open Source

Innovation is a marketing term which has lost most or all of its original meaning. That is not to say that there is no innovative software out there, but most software that is marketed as innovative isn't. Real innovation from a user's perspective doesn't come from having a large number of paid developers working on a difficult problem, as the result will almost certainly be hidden from the user. Instead it comes from a single person saying "Wouldn't it be great if..." And in the world of software, very very few programs continue to develop innovatively beyond the first few versions.

Open source software is no different, but they are more likely to add new innovative features during future versions. This is because one enlists the user (who is more likely to be buying services rather than being paid) into this process. The user often has a direct channel to the developers, especially if development services are sold. The user can then be free to say "This would work better for me if... or Wow, I wish it had this feature-- that would revolutionize my life/business/whatever." Indeed the ability for the user to innovate and pay developers for features that they dream up not only pushes the innovation forward in open source software but it also provides a powerful selling point for custom development services.

Larry McVoy is categorically wrong about the economics of open source. He represents a common but myopic view of how money can be made and overlooks a large number of factors which discredit his argument.

Obstacles to Open Source

2005-02-17T16:34:00.000-08:00

Linux shipped on 5% of desktops last year. This article looks at the obstacles regarding customer adoption of open source in general. It should be noted that most of the systems that ship with Linux include proprietary software and the distributions are not reproduceable in their entirity.

Difference in Solutions And Customer Expectations

Most customers enter the Linux world with expectations informed by their experiences with Mac OS and Windows. This can create a few usability issues, but the larger issue is that of software procurement and solution building. Most desktop systems sold with Linux (Xandros, Linspire, etc) ship with proprietary, commercial software similar to the way in which it is sold for Windows and MacOS. This is an important observation because the same trend used to old in the server markets as well but as the market matured, these players (anyone remember Caldera?) have more or less disappeared.

People new to Linux think that there is a lack of available software. In reality, there is a huge variety of software available to suit all needs. They range from arcane command-line tools to simple graphical tools and even sophisticated office suites. There is indeed at least as much variety of software on Linux as there is on Windows.

But the software is fundamentally different in nature and how it is best procured. With Windows, you normally go to the store, pay a few hundred dollars for a tool, and go home and install it. With Linux, often you may either do your own research or pay a consultant a comparable fee to determine which tools are best, download them, and set them up so that you have a complete system. This can go for simple CD mastering and burning software to complex aggregates of software like those for doing e-commerce fulfillment systems. Contrary to popular it does not usually cost any more to run Linux software even including services than it does for Windows. But because this solution is still foreign to many users, they are afraid to use it.

Question of Ownership

When a complete solution is purchased from a company, there is a perception that the vendor owns the solution in terms of support, fitness for a purpose, etc. even though responsibility for these issues is usually expressly denied in the End User License Agreement (EULA). Instead, if the solution is put together via many small pieces by a consultant, the business who uses that owns the product and may need to rely on outside support for maintenance and software support.

One area where this is a real issue is in support but in larger business systems this is less of an issue because these systems tend to be often aggregate systems as well (which is why open source is hitting the server area first).

However, in most cases, the desktop tools are simple enough to make this effectively a non-issue. With good error reporting, it should be easy for any third-party consultant to troubleshoot the systems. For example, take the tool known as File-roller (similar to Winzip but with more functionality). Fileroller requires various command-line utilities such as tar, gzip, zip, ar, and more. If one of these tools is missing or not working, it is easy to determine which one and replace it. This is certainly no worse than the sort of DLL-Hell that exists on Windows anyway.

Cost of Migration

The final issue that causes issues for Linux adoption is that of cost of migration. Linux is generally less costly for new deployments in which there are no legacy application requirements for. However, for those organizations already dependent on Windows, it can take years to get to the point of being able to migrate the actual operating systems. This is rather a strategic goal and something that companies might move towards than something that they generally do. So we will probably not see mass migrations for the next 3-4 years.

These obstacles are not ones which say that companies can never adopt Linux on the desktop but rather indicates why growth is slow and why it is happening primarily in proprietary software bundles at the moment.

Wave of the future?

2005-02-16T13:59:00.000-08:00

I had a customer call me and tell me he wanted to try OpenOffice because he thought it would be the wave of the future. At the same time he did not understand what open source is or is about.

The timing of this call is very interesting. I will be covering open source and what it means for the future of computing tomorrow at the Chelan Valley Computer Users Group. I will also be covering IBM's strategy regarding the Power architecture and how this may eventually have an impact on how all products we consume are developed.

It is clear by now that FOSS is now an ascendent force even in the desktop market including Linux, the Firefox web browser, and even OpenOffice. And it is an interesting observation that although I am the only one in my area that supports Macs, I have more customers running Linux in some form than OS X.

The largest obstacle in my estimation to the adoption of open source in mainstream desktop markets has more to do with solution building processes rather than raw capabilities. People think that Linux has less software available than Windows because they don't see boxed packages at the store. However, the fact that Linux has at least as much and that this software is fundamentally more flexible is lost on most individuals because they don't see it.

Some time ago, my mother needed a cd burning solution for her suzuki violin teaching business. I was able to put something together which was powerful, efficient, and easy to use for a reasonably small fee (including training). I did this by combining a set of free tools. THe same could be done for desktop publishing, and many other tasks. I have not yet found anything that I could not do adequately on Linux. But then there are obstacles to FOSS in small business markets. These will be a subject of a later post.

Globalization and Open Source

2005-01-30T23:22:00.000-08:00

Open source has become a global enterprise. I am reminded of this by the fact that I now have an international customer base. Customers from other countries are often quite willing to pay me to customize software so that it meets their needs. This is very differnet, however, from the type of globalism that causes Microsoft and Dell to move their call centers to India in an effort to reduce the amount of money they lose by providing technical support, or the drive to pay people next to nothing in underdeveloped countries so as to increase profits in the US.

The user and developer communities of most open source projects ignore national lines. As a case in point, the first contribution I had for one of my open source projects (FWReport) was by a man from Brazil. This is not a fact of global corporate trade but rather a fact of the global information network known as the Internet. Today, programmers can collaborate across the world, and a global user base can share their ideas, wishes, and experiences with the developers. Today, it is even true that the communities can span otherwise hostile national boundaries. For example as both Iran and Israel move in the direction of open source, the users from both countries will be collaborating in the process of making the software better.

In the end, a pattern emerges, and Open Source seems to be a benefitical force in the trend of globalization. Especially if similar trends evolve in other industries, it may begin to allow globalization to live up to its promise. Indeed a trend emerges: The rise of capitalism weakens nations as multinational corporations emerge. But the role of multinational corporations weakens as open source communities emerge because the corporations become bound to that community.

On the slow death of UNIX and the rise of Linux

2004-08-14T14:45:00.000-07:00

Background:

Commercial UNIX variants arose from AT&T UNIX (first released in 1979). The market became dominated primarily by high-end RISC-based hardware manufacturers, such as DEC, IBM, SGI, and Sun. A number of companies did also release versions for the the Intell architecture including Microsoft for a while (they sold that division eventually to the Santa Clara Operation, or SCO, now Tarantella). Eventually, Novell gave the UNIX trademark to the Open Group which now certifies various operating environments to be "UNIX compliant."

Each UNIX vendor has pursued an aggressive strategy of differentiation and tied their operating systems to their hardware. This methodology, while perhaps necessary to remain competitive, has lead to much higher cost for UNIX-based systems. This is because the marginal cost for the operating system is nearly 0, while the research and development cost is quite high.

With the release of MS-DOS 1.0, Microsoft began what was to be a very successful coup in the operating system indistry. They established an operating system which for the first time could run on several different vendor's computer systems and the result was a collapse in prices both of software and of hardware. For a while, the more reliabel UNIX servers were immune and the real causalties were the Commodore Amiga, Apple, IBM, and others in the low-end markets. DOS lacked any capabilities to handle multi-process or multi-user environments so it was completely unsuitable for any server operations of any sort. DOS was, however, wildly successful because it lead to inexpensive and ubiquitous computers.

In 1991, Linus Torvalds began working on what was to be the Linux kernel. Initially, his motivation was exclusively leasure-oriented (as indicated by his mention that it would not be big and professional like GNU). Over time, the development of Linux has accellerated damatically, and now often has support for emerging hardware standards before Windows.

Microsoft Windows NT was designed to be Microsoft's answer to DEC VMS and UNIX, though Microsoft had earlier attempted to write their own UNIX varient called Xenix (later sold to SCO). Windows NT and Linux have become the engines which are causing the slow collapse of UNIX.

This discussion does not attempt to discuss the BSD's and their role in this process.

What makes UNIX vulnerable?

As mentioned before UNIX vendors have generally sold vertically integrated solutions, and there is a large issue of economy of scale in the software industry. Therefore, selling a lower-volume solution is not likely to be successful of a higher-volume solution exists which is good enough.

As Linux and Windows NT have matured and become both more stable and more scalable, they have become good enough for a range of applications which were previously the domain of UNIX, Netware, and VMS. These operating systems have suffered notably and have become much less profitable. Additionally, the cost has gone up. Price increases combined with margine decreases is not a sign of long-term viability. As can be expected, market shares have dropped substantially, and are continuing to drop of every year, according to the IDC.

UNIX Vendor Reaction

I think it is clear that most vendors are aware of the problem and are seeking solutions. For example, IBM has becoming increasingly vocal regarding their aim of replacing AIX with Linux in such a way as to avoid leaving their customers stranded. SGI seems to be pursuing a similar strategy.

Sun, on the other hand is trying to win Linux customers by offering interoperability but are trying to lock customers into their operating system. They are, however, conceding lower-end systems to thei rival and offer low-end servers running Linux. Of the major vendors, they are the only which does not seem to be pursuing a strategy of migrating customers to the commodity solution.

The SCO Group (formerly Caldera Linux) has actually moved the other direction. They have stopped selling Linux, sued various Linux contributors and users under a variety of claims (all with little success) and continued to sell OpenServer and other products. However, there is no indication that they will ever become profitable, and the IBM countersuit casts dark shadows over most of their continued operations.

Winners and Losers

I expect that Linux vendors and the hardware vendors that support them (particularly IBM) will be the large winners. I expect Sun and SCO to be the immediate losers. Perhaps the BSD varients will be winners as well. In the end, this struggle will lead to a more direct and heated struggle between Linux and Microsoft Windows (NT-based). Stay tuned!

Thoughts on an Upcoming Patent War

2004-08-13T10:33:00.000-07:00

There seems to be growing speculation that Microsoft and others may be preparing a patent war against Linux. While I think that this is not nearly as imminant as some have argued, I think it will happen at some point. In the end, I think that open source will not only weather the storm but actually be stronger as a result. I am not a lawyer, of course, and nothing here should be construed as legal analysis or advice. However, this is a strategic document regarding the obstacles that using patents to stop open source and how we can be successful.

Market Considerations

Until now, Microsoft has had every incentive not to press for patent claims against competing products. First, they have been convicted of antitrust activity, and such action may lead to court-mandated licensing to competitors. But more importantly, such news could be taken by the industry as acknowledgement of the legitimacy of competition. By this thinking, suing over patent infringement in Linux would be good for Linux and bad for Microsoft. Such suits could therefore actually lead to marketshare losses for Microsoft.

It is true that things are changing. Such a suit today would not necessarily boost Linux's stature in the server market where it is already established, but it would require suing Microsoft customers for migrating away from Microsoft products. Additionally the court-mandated licensing concerns would still apply. So, it is still a lose-lose proposition for Microsoft as they would possibly be losing control over intellectual property and would certainly lose goodwill. So such a suit today would continue to boost Linux's market share at the expense of Windows.

The current Microsoft strategy appears to be that of providing moral and sometimes financial support to parties which litigate over Linux. Currently, the only party to do this, SCO, has had very little success in the courts, and my reading of their complaints has lead me to believe that they are not litigating at all over allegations of intellectual property in the Linux kernel itself, regardless of their press releases. Their lawsuit against Daimler-Crysler has been largely dismissed, their slander of title lawsuit over ownership of the relavent copyrights against Novell has been dismissed once and may be dismissed again. Their other suits notable in that they are not claiming ownership of any code in the Linux kernel in their actual complaints. If, as I expect, SCO loses the IBM counterclaim 10 (non-infringement of IBM's Linux activities), then I would expect Linux to benefit both from the focus that the suits have given and the vigorous defence of Linux by IBM, Novell, Red Hat, etc.

So copyright litigation does not seem to be a threat to Linux, at least not at the moment. What about patent litigation?

Patents and Licensing regarding Antitrust Law

Again, I am not a lawyer. If you really need analysis of this issue, hire an attourney.

In the past, the courts have generally held that patents cannot be used by a monopoly to prevent vital competition or to further activity prevented in antitrust activities. Thus one possible result of a suit by Microsoft is that it may be possible to force Microsoft to license such patents in terms compatible with the GNU General Public License (royalty-free, perpetual for all users of software under this license). This would be a more likely scenario in an interoperability project like Samba than in the Linux kernel.

For the Linux kernel, it may be possible to simply rewrite portions of the code to avoid the patents, and prevent Microsoft from being able to seek damages from users under antitrust laws. Also, prior art may be usable to weaken, narrow, or even overturn certain patents held by Microsoft.

Other Roads to Interoperability

Even if certain products, such as Samba, become problematic for patent reasons, there are other ways to enforce interoperability. In my opinion, such encumberances would be more likely in the event that Microsoft has already lost substantial marketshare on the desktop (or perhaps in countries which recognize software patents but are unwilling to force licensing in response to antitrust violations).

Interoperability can be achieved in any of three ways. The first is to provide network services on open source platforms which interoperate with windows-native services. This is the most dangerous approach, patent-wise, but it is often necessary because it allows one to add open source software to their network without any costly migrations. Samba embodies this approach.

The second approach can be the development of clients on Windows which utilize open standards (such as NFS). Microsoft Services for UNIX takes this approach. This is most useful when integrating Windows systens into existing UNIX or Linux networks.

A varient of these two strategies is the development of gateways which can allow clients using one method to use resources using a different one. For example, SFU provides a NFS gateway service and it is possible to do something similar using Samba.

The third strategy is fundamentally different. It is quite possible to develop methods for accessing network resources, such as files and printers, which are designed to be cross-platform from the beginning. OpenAFS, for example, provides distributed, fault-tolerant, secure file access across different platforms.

Assuming we don't see patent encumbrances killing open source interoperability products before Linux gains substantial marketshare on the desktop, such litigation in an attempt to force people to use Microsoft software may instead force people to consider larger migrations away from Microsoft software. Even if such a campaign were to be begun now, I think that it would still force companies to more seriously consider using open source software in larger roles.

How we should react as a community:

There are several things we can do to, in my opinion, to help protect ourselves from this upcoming patent war. Most of these are already underway.

The first is to attempt to actively challenge Microsoft patents which are important to open source software. Current work on this direction does include Pubpat's petition to get the USPTO to re-examine the patent on certain aspects of Microsoft's FAT filesystem. We continue to review such patents and challenge them where appropriate.

Secondly, we need to develop an infrastructure for a communal response to litigation in general. Groklaw has already served to demonstrate that such an infrastructure is not only possible but effective. Such a community resource can be used to facilitate distributed searches for prior art, a forum for legal discussion (where lawyers and non-lawyers can converse), and many other such things. Although Groklaw is extremely valuable, it is run by one person (Pamela Jones). Ideally, we need a foundation-based service which will allow such an infrastructure to be owned by the community in general. Private sites, such as Groklaw would become the extremities of the distributed system rather than the core, as it is today in the SCO battles.

In the end, I do not think that Microsoft or anyone else can win a patent war against Linux (think of the result of Unisys's statements regarding patents and GIF format). In the end, we will end up with something more powerful and better engineered, and with better marketshare.

How to get ahead with open source

2004-08-12T11:21:00.000-07:00

What will the new economy be like?

The basic name of the game in capitalism is control of capitalism. The basic name of the game in feudalism is the control of land. The unit of control in feudalism is the state, while the unit of control in capitalism is the person (natural person or corporation). So the state attempts to control land while the person attempts to control capital. As societies progress, these units and goals do not go away. So in capitalist societies, we still have states which control land, but this becomes less important than it did for a feudal society. I.e. capitalist societies are probably less likely to go to war to annex land than their feudal counterparts. States still require land, but expansion and control are less important goals than they were in the past.

Similarly, corporations and individuals in the new economy will still require capital just as states still require land. However the control of capital of the market as we know it today will be lower priority. Expansion will still be important but may take on a different tone. For example, today, the United States is not interested in exanding its borders, but the expansion has taken on a new dimension where the sphere of influence both culturally and militarily are the current replacements for annexing land.

Today, the state exists primarily as a support mechanism for the economy and personal wealth (including corporate wealth), and to provide basic services such as emergency response, law enforcement, etc. These roles will of course remain unchanged.

However, corporations will become support mechanisms for the communities. Today we already see this with major successful open source projects, such as PostgreSQL, Mozilla, Linux, and Apache. Such corporations provide support, further development, and other services for the other members of the community. This is not that different from the current situation where corporations offer services for support of social communities today, except that the community is actually the entity which engineers the goods. Thus actual control over the market must be foregone in favor of control over the direction of development.

How to get ahead:

When controlling the direction of development, a company can attempt to expand the services they offer to existing customers, cut their costs, etc. To understand how this is done, lets look at the structure of the community (as applicable to old economy as new economy thinking).

The community exists as a collection of persons (including corporations) with a single person or small group in the center. Mere users exist on the fringes of the community (think of users being the perimiter of a circle with the core group or person in the middle). The various service providers exist in relation to others within the circle. Service providers which rely on a vendor's services or products exist between the users and those who they rely on.

In this framework, influence is defined by the arc length around the perimeter which exists in the shadow or influence of the entity.

Another way to look at this is to imagine a somewhat conical hill, with the core at the top, and the users encircling the hill. The other suppliers forming a chain between them. These conceptualizations only provide a way of looking at a single moment in the community and neither the circle nor hill metaphores are static.

Gaining influence requres offering services which build a sub-community around one's services. These can include support, feature development, etc. The object of the game is to influence as many users in the community by getting them to use your features. Such influence leads to demand. Demand leads to revenue. The more influence one can have, in general, the more demand there will be for one's services.

What is different about this new economy is that one has the opportunity to influence the development of products to maximize one's revenues in ways which simply are not possible with proprietary products.

Business Value of Open Source

2004-08-11T08:39:00.000-07:00

There is an interesting article on business value and open source software on Linuxworld.

The article is an interesting look into why one should consider participation in open source communities. There are a few things I would add though.

The first is that businesses which even use open source software, and whose sysadmins participate on the email lists, are influencing the development of the software in ways which are not possible with closed source software. Indeed the wall which exists in closed source software between support and research and development does not exist in open source projects. The core developers help with technical support, and such feedback allows them to make future versions better. This work also largely replaces market research in determining which features need to be included in the product. I.e. discussions on the email lists allow people to determine what the current users or would-be users need. This also allows successful open source projects to better meet the needs of their users.

Open source promotes a sort of community economy which is fundamentally different from the consumer economy it replaces. Personally I disagree with Richard Stallman regarding the dangers that closed source poses to open source. Indeed I cannot think of any instance where a closed source product has successfully replaced a dominant open source product in an established market. Yet there are plenty of examples where open source products have successfully challenged proprietary applications in certain markets.

Take for example Apache. The combined market share of Apache and the open source NCSA web server (which it replaced) has always been high, but not in all web server markets. Indeed, until recently, Apache was not considered a strong contender for web application servers (this market was held by Sun, Netscape, and Microsoft web application servers). However, in recent years, companies have begun to use Apache in this roll in increasing numbers. Apache is the clearest rebuttal to the concerns that open source is threatened by closed source appropriation of its source code because the license explicitly allows this. Yet none of the commercial versions are able to touch the marketshare of the original project.

A second, weaker, example is that of open source UNIX workalikes. This includes the BSD's as well as Linux, and have always been prevailent in environments where technical skills have been more prevailent than financial resources (such as servers for ISP's, and niche uses in such agencies as NASA). However, in recent years, Linux has moved into the mainstream server market, helping to marginalize Netware and proprietary UNIX. BSD varients are continuing to grow, though more slowly. Linux has also moved into embedded devices to threaten such operating systems as QNX, Embedded Windows XP, and possibly even Windows CE in the smartphone market.

Thus, the shift from closed source to open source, like the shift from feudalism or communism to capitalism, is a one-way process and cannot likely be reversed once the new system is established.

Open Source and the New Economy

2004-08-10T08:36:00.000-07:00

What is Open Source and Free Software?

Open Source and Free Software is released under licenses which allow others to redistribute modified and unmodified copies of the software as well as derivative works. Some licenses require that these copies and works be distributed under the same or similar licenses, while others will allow the licenses to be changed.

The most successful open source software is developed and maintained by large communities or self-regulating networks of developers. This process decentralizes research, development, and engineering. Thus it creates an environment of collaborative development where many corporations and individuals participate.

Why does this challenge our notions of capitalism?

In traditional capitalism, natural persons and corporations get ahead by controlling as much capital as possible. Therefore one tries to maximize intellectual property, human and other resources, and working capital in order to obtain more leverage in a given market. In capitalism, the large corporations are the powerhouses of production, and nobody else can compete with them on their scale.

Decetralizing software development doesn't get rid of corporations, rich people, or other complaints that a few people have regarding capitalism, but it fundamentally changes the rules of the game. Indeed, the community gains much more market leverage than any one corporation due to the fact that even if it has no formal organization (such as a non-profit corporation), it still posesses vast intellectual property and human resource reserves which can marginalize competitors. This phenominon can exist regardless of whether the open source software can be resold under standard commercial licenses, as the Apache Web Server has shown. Therefore this is not a phenominon of one license, but rather a phenominon of the processes.

If open source methodologies spread to other fields of engineering, this may radically reshape our technology firms. For example communities of engineers could be designing computer chips, kitchen appliances, perhaps even jumbo jets. Such development practices would undermine much of the dominance that large corporations have in the markets today. For example, although a computer chip or a jumbo jet would probably require a large corporation to manufacture it, the actual design would be less dominated by the corporations and more by customers and users.

If Open Source is post-Capitalist then is it Communist?

In Soviet communism, the State owned and ran everything. Therefore I have often referred to it as "Feudalism backed by Marxist Propaganda." It was never a danger to societies where democracy and capitalism had become established. Indeed in the end, the Soviet Union fell and moved on to capitalism, and such market reforms are also underway in China (which seems to be in a transition into a capitalist economy).

The move from communism or feudalism to capitalism is the move from state control to corporate control. Rather than reversing this trend, open source and free software continue to the move towards more abstract and agile organizational methods. The communities which maintain the most successful open source software projects are continuously evolving in an organic way. The core developers may remain constant and continue to have final say regarding what goes into the project, but the community which uses and provides feedback and contributions to the project is dynamic and so the ability of community-driven open source projects to innovate massively outpaces even that of the largest software vendors, such as Microsoft.

This is an economic shift towards something new.