Showing posts with label open VS closed. Show all posts

Monday, June 4, 2012

Epiphany: Free Software = Lower Entry Barrier = Greater Risk of Project Failure


Discussing with a friend led me to this epiphany: the reason Free/Libre/Open Source software is not used enough in traditional companies is that they invest too little in it. Not in money, but in time, thought and human resources.

Since FLOSS has a very low entry barrier (starting from zero, up to first-class paid services from companies such as IBM), it tends to attract people and companies that want to invest very little in it. That's why they fail to make great use of it.

Memo: I think there's a business model in just selling GPL software, without any added value, with the argument that the buyer will be more motivated to implement it well ;-)

Tuesday, May 17, 2011

Been doing some reverse engineering

I've been reversing a Win32 PE executable lately, something I hadn't done since I was 15. I found it quite easy. Much easier, indeed, than a few years ago. What has changed since then?
  • The tools have changed. At the time, I used to master WinDASM and SoftICE, which are no longer fashionable. It even seems that WinDASM has disappeared from the market. This time, I used HeavenTools' PE Explorer, which is a clear improvement on the latter.
  • The PE format has not changed. Or, at least, nothing that matters in debugging.
  • Windows is more stable than it was at the time, saving you many reboots ^^
  • The compilers have not changed much. It seems that I could learn to recognize the compilation styles of various compilers in very little time.
  • Most of all, I have not changed. I can now remember very precisely why I quit reverse engineering software back then: because I prefer working with the source code, and I prefer working in design or implementation mode rather than in debugging mode. I can also remember that I quit reverse engineering software at approximately the same time as I started using GNU/Linux on my desktop.
I can clearly confirm this view years later: though I'm happy to be able to reverse a binary, I think programming is more rewarding.

Thursday, May 13, 2010

Transparency the Next Big Topic? I Don't Think So :-(

Here is a recent Bruce Schneier interview: "If you don't understand the people you'll never understand security, says Schneier". I really appreciate Bruce Schneier for his stick-to-the-facts and be-smart-not-an-automaton approaches.

However, when he says during that interview that the next big topic for security will be transparency, I think it's more wishful thinking. I can see three main reasons why the move to transparency will be very slow:
  1. Good transparency requires transparency from both the vendor and the buyer. I think the buyer will never see the point of publishing data about (in)security, even if that is more or less a kind of corporate social responsibility...
  2. Some major players among vendors, and some managers in whatever buyer's hierarchy, do not want to play the game by the rules. They prefer it the way it is, especially if they have a good ROI or good wages and not too much stress. So, unless there is some interventionism, I think they will do their best to slow the move.
  3. If you're going to publish things transparently, you might think of it as possible bad advertising for your company. And the weak point is: most companies, buyers or vendors, do not know where they stand among their peers on IT security criteria. So they will not want to make the first move and risk publishing what might be seen as bad results.
To my mind, the whole business of IT security transparency is, like most corporate social responsibility issues, a wicked problem. For this reason, it will require some good leaders to design new models and, probably, some interventionism from States and big corporate players. That is: it will move slowly (decades, to my mind).

Saturday, October 31, 2009

Why Windows 7 will not crush Linux

Sorry, just a rant against a nonsensical piece, "Why Windows 7 will crush Linux", by Ron Barret, who, surprisingly, usually writes good technical articles and a few interesting non-technical ones.

This one piece shows, very clearly, a lack of knowledge of how things work outside the Microsoft world. Let me comment point by point, before I make more general statements further down. His quotes are in quotation marks.
"Okay it is no secret that Linux has not been able to crack the desktop, either at the home or at the workplace. Not to be ignored either is that Windows lost some desktops last year (a little over 3%), but let's not panic just yet, Windows still owns over 88% of all the desktops according to leading research."
Why does Ron Barret concentrate on "crushing" Linux when he could attack the main market-share grabber, Apple? Does he really think of panicking, or is that just an expression?
"[...] Windows 7 installs easier, has simpler configuration of user settings, greater availability of software, support (you could argue that all support is awful, which is probably true) Windows support is easier to get when you need help. Gaming, MP3's,... I could go on and on."
  • Windows 7 installs more easily, but from the installation you get only the OS, not the office suite, the usual programs, the good media players, the image manipulation programs, etc.
  • Windows 7 has simpler configuration of user settings. But simplicity isn't the only question, since you can get the Mac OS X perverse effect: too many hidden options, which means that anything a little more complicated than usual cannot be done from the interface; you have to go to the command line. So my question is quantity of settings vs. simplicity vs. good explanation vs. automation of whatever can be automated. And here, if anyone has a precise comparison list, I am listening carefully.
  • Windows 7 has greater availability of software. That depends on what you want to do. When my WAMP solution claims that a WAMP is only for testing and that a production tool should be a LAMP, what should I do? I am also a firm believer in centralized repositories, and I find that the way to install software under Linux (like Synaptic) is much more modern and efficient than Windows software installation.
"To real Linux die hards... terminals rule."
Yeah, conquering die-hards is the crucial problem when you're going after market share!?
"So Powershell presents an interesting argument for Windows adoption by the Linux user."
The very idea that an experienced Linux user could switch from the Unix philosophy to the Windows philosophy "disguised" as a command line brings tears of laughter to my eyes. Words or icons are just means, but the Unix philosophy that shows through bash, csh or perl is a cement stronger than any interface tool.
"Some people want free software (even if support is limited or non-existent)."
RedHat sales are going higher and higher; is that a coincidence, or does support just exist?
"Applications like Firefox, Open Office, MYSQL, GIMP... wait all these applications are now available for Windows."
OK, but with the exception of Firefox, most of them still run better and integrate better under Linux than under Windows.
"Moreover, they are easier to install in Windows than they are in Linux."
Complete idiocy: once you have installed Ubuntu, applications like Firefox, OOo and GIMP are already installed. Concerning MySQL, you just have to go to Synaptic, check the "mysql" checkbox and click "install". Far easier than under Windows.
"Windows 7 has solved a long-standing thorn in Microsoft's side, How to deliver a feature rich OS without killing resources?"
Okay, so Ron Barrett just confesses that Windows has long lagged behind competitors in terms of resource usage. Fine. Thanks.
"Linux users have no reason to hold back anymore. Windows 7 is well placed to crush and put an end to the penguin."
Except for a complete programming workstation, a versatile kernel that runs everywhere from DVD players to car computers to mainframe servers, freedom from unwanted "phone home" calls, a complete view of the software from the kernel to the application, ready and working middleware such as Apache, very good support (with full source access) like that of RedHat, IBM, HP and others...

Now that I have calmed down: seriously, why would anything change for Linux users? There are two major situations:
  • Those who were fed up with Microsoft or wanted specific freedoms; they will not change anything because of Windows 7.
  • Those who use Linux because that is what is used at work or because they have a specific technical reason; they will not change either. At best they will consider changing, but whether that will be worth the migration, I doubt.

Tuesday, October 20, 2009

Cloud Computing Too Costly in the Long Term?

I welcomed the IDC study on the elevated cost of cloud computing in the long run (article at linuxfoundation.org).
There are a lot of articles about cloud computing, its cost and its risks; however, I would like to underline a single point that makes a lot of difference to me between cloud and non-cloud: cloud computing is a backward step for fair competition in IT services delivery.

I think that most of the savings made in recent years by the IT services of companies have been possible because of Web 2.0. Not only because it helped interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web (Wikipedia definition), but essentially because it forced companies to use open*, not vendor-specific, technologies.

This helped create true fair competition between software developers, between hosting providers and between system integrators. They all shared a single range of technologies and could not justify high prices or low-quality services just because of the technology itself.

PHP comes to mind as a brilliant example of this fair competition revolution. It's very interoperable: they even made it capable of running on MS IIS servers! It's simple and free to use. It can be improved upon, and its developers were very careful to listen to requests for improvements. And now see what it has become:


The thing is: big companies like those providing cloud services today do not live on perfect competition; they live on monopolies on the one hand and on market niches on the other. And that's their business, and I am fine with that.
They cannot survive in a true perfect-competition system, yet they want to participate in the web market, which has been the number one source of development and services in the past years and, I guess, will remain so. Cloud computing is their attempt to build monopolies on the web, and they sell it with three kinds of arguments.
  1. The economic argument. They promise good service for a cheap price, and you pay with your loyalty. Okay, as long as they do provide it.
  2. The ecological argument. I am a very skeptical environmentalist. Not skeptical about ecology, but rather about first movers on the corporate side of ecology. Seems like a lot of green paint.
  3. The technological argument. They sell the idea that all hosted applications are harmonized on a single technology and that this means it will all be cheaper. VERY TRUE.
Awfully true. It will be cheaper, for them. But as soon as you depend on them, since each of them has a completely different technology from the others (think not only of programming languages but also of file formats, database formats and the associated skills), they will be able to increase prices without any competitor. If you want to take your data back, you will be unable to feed it to the next cloud provider.

I think it's time "interoperability" gets into corporate policies alongside integrity, confidentiality and availability.

EDIT 10/26/2009: When I say open, I mean that corporate players cannot close the market by artifacts. This means, among other things: ASCII, not binary, programs; open source languages, because developers are so much more productive with them; free common libraries to build upon; a single network to share data and software; etc.

EDIT 11/5/2009: Bob Sutor also speaks about cloud interoperability.

Thursday, July 30, 2009

Yahoo! and Microsoft

Yesterday, Microsoft released GPL code, and we now know that there was nothing altruistic in that. Today, they ally with Yahoo! What now?

...

Web search is a wicked problem, so one typical methodology is to build multiple attempted solutions to the problem and let them evolve and be compared... That was the case with multiple search engines.
Now we will have only two major ones: Google and Microsoft. I don't know whether I should rejoice because the evolution has come to an end, or cry because monopoly problems get in the way of solving the web search problem.

...

Anyway, if Yahoo! ditches BSD in favour of Redmond technologies, they get onto my list of companies to avoid as much as possible.

Monday, June 22, 2009

Geekonomics - Reasons for the States NOT to invest in opensource

Third in the series of articles inspired by David Rice's Geekonomics. This article is not directly related to matters from the book, yet I got the idea while reading it.

FLOSS = Free/Libre Open Source Software (as abbreviated by the European Union)

If you're like me and enjoy, use and promote FLOSS, you might be wondering why some States do not favour FLOSS in the public infrastructure.

Well, they do use FLOSS, as a matter of fact, because you can't build a whole infrastructure made only of proprietary software, and if you tried, it would be extremely expensive [and potentially disastrous for compatibility]. So, you might be wondering why some States do not favour FLOSS more than they do in the public infrastructure.

As far as I can understand it, most States are running a race to be in the first positions of wealth, military strength and fame. Things can be different for the top one, which would only want not to lose its rank. And things can be different for the bottom ones, who simply have too many matters to address before they can concentrate on a worldwide competition.

So, let's assume we speak about the countries in the top thirty of this world, except the very first ones. This group is made of countries like France, Italy, Germany, Russia, Brazil, India, South Africa... Why do these countries not publicly favour FLOSS more than they do?

To favour it more, they could:
  • Ask for documented, free-to-implement data formats. This way, the wars fought by software makers over purposeful incompatibility would be avoided.
  • Ask for more FLOSS inside all public agencies.
  • Ask for more education in FLOSS in the public education system.
  • Invest directly in FLOSS development, or make a policy that some public developments will be made FLOSS after some time.
All this would favour FLOSS, but all this would not necessarily favour the State's race to wealth, military strength and fame. It would, of course, improve wealth, military strength and fame. But my point is: FLOSS does not improve the rank of a State in the international competition, because every improvement is available to all competitors as well.

  • By asking for documented, open data formats, or by asking for FLOSS inside public agencies, the State would agree to spend money on a shift that would probably be beneficial, yes, but the economic developments involved (more developers, maintenance contracts, etc.) could benefit people or companies located anywhere on Earth, because of the very nature of FLOSS. On the contrary, when a State signs with a specific, well-known software maker, it knows where the profits will go.
  • By asking for more education geared toward FLOSS, a State agrees to turn its youth toward an uncertain future. While the future is obviously uncertain, there is more certainty in teaching the youth how to use what is mainstream and paying than in teaching them what is still a minority and looks not so well rewarded. So, short-sighted politicians might see education in FLOSS as a bad investment for the youth.
  • By investing in FLOSS development, the State agrees to spend money on its own, while the fruit of this investment can be eaten by all. In a competition, that's badly invested money. It is more interesting, as a State, to invest in a proprietary development by a local company and see the licenses paid for by other countries.
All of these seem good reasons for a politician not to favour FLOSS when they seemingly could. Of course, in the long run, that's detrimental to us all :-(

Geekonomics - Criticism of Chapter 6 on opensource software

Second in the series of articles inspired by David Rice's Geekonomics.

I am not totally satisfied with David Rice's take on opensource software in his Chapter 6: Open Source Software: Free, But at What Cost?

While he definitely has good points as a whole, and while I see his description of some of the hidden defects of opensource projects as accurate, I am sad that he forgets to mention the really big companies taking part in opensource development. Companies like IBM, Sun (now Oracle) or Apple all do some opensource development, and you cannot say that they act as beginners or non-professionals in their development methodologies.

And I am also a little surprised to see that the author compares opensource development projects to an "idealized" proprietary development project. For instance, he says it is possible that a part of an opensource software will go unmaintained because of a lack of interested people, and forgets to say that even in big proprietary developments such things also happen, because of mediocre management or periods of deep stress.

I would say that Chapter 6 holds some good points, but my conclusion would be:
  • Opensource software is not a radical change from proprietary software in methodology.
  • Opensource software is not, by essence, radically more secure or of better quality than proprietary software.
  • The "given enough eyeballs, all bugs are shallow" argument is valid, and those opensource projects which have a high number of both users and developers actually do get an improvement in quality and security.

Tuesday, March 31, 2009

Is Windows 7 closed-source?

It seems easy for the people allowed to test Windows 7 to leak it. My question now: how easy is it for some insider to leak the source, or parts of it? I would say it's quite possible for a project this size and a company this size.

Now, what about the argument of secrecy? Does security through obscurity, in its twilight, still have a meaning?

Saturday, March 21, 2009

The French police* reduces IT staff by 17% by using opensource

*Not exactly police: here we speak about the "gendarmerie", a military body of 105,000 gendarmes ("men-at-arms") dedicated to protection missions in mainland France, in the overseas territories, and also abroad.

With the agreement of the original author, Xavier Guimard, Lieutenant Colonel in this force, I translated into English the presentation he gave in Utrecht, Netherlands, about this shift in policy and its results.

The original presentation, in French, can be found here.

Please read the document itself, but to make it short: the change was deep, it was motivated by cost reduction, and it produced outstanding results. The document also cites logging, good integration with an SSO and open standards as factors in the overall excellent security.

Friday, December 12, 2008

Kill Microsoft and you don't need to virtualize

Yeah, sometimes I lose my temper at Microsoft. But I'm not the only one. Today a colleague told me that the day Microsoft was removed, we would not need virtualization anymore.

:-?

"Yeah. Of course!
Look, why do we virtualize? To reduce the costs of having so many machines and reinstalling them.
Why do we have so many machines? Because they are different, we can do different things on each of them. Yet, we need to do a little of each of these things.
Why are they so different? Because one player: Microsoft, doesn't play the game of compatibility, but plays the game of anti-compatibility."

"So, take the problem in reverse order", he said
"If Microsoft disappears, almost only Unix-like players remain. They can homogenize their differences very quickly. If they don't, small layers of compatibility can be added quickly, because the root differences are small.
If we can do very similar things on these different systems, we will choose those we need for the things we need. We will not be forced to have all of them.
Then we can have fewer machines. Regroup small tasks on a single computer. Without virtual machines! No need either to buy a specific system or to run a virtual machine in order to implement a specific piece of software.
Goodbye VMWare, goodbye Java, goodbye wine!"

That's, of course, very optimistic. But it's nice to hear someone optimistic these days. When I come to think of it... remove SQL Server incompatibilities, and you can run almost any application with the database of your choice! And with the broad (on average) compatibility of C and C++ software, you can use the same software whatever the OS... That's what I call saving money.
Sounds promising. When do we start?

Wednesday, November 12, 2008

My first virus under Linux [joke]

I just experienced my first virus under Linux. In a virtual machine running Windows XP. Of course, it was just for testing purposes... I installed a fresh Windows XP and tried to share files between the real machine and the virtual machine through Samba. To ease the configuration, I deactivated the Windows firewall. I didn't use Internet Explorer at all.

And the result was there in less than five minutes. Multiple windows popped up out of nowhere, proposing to install sex software, fake anti-virus software... and I don't want to think about the things that happened without displaying a pop-up window.

There was a statistic a few months ago saying that an unsecured Windows box alone in the wild was compromised in a few minutes. I can confirm.

Sunday, November 2, 2008

ODF vs OOXML: Being impartial, and having people work

I was recently confronted with the question of having my users open any kind of office file they might receive as attachments. It gave me an occasion to review the whole controversy on Office Open XML, the new Microsoft format. And I didn't get any further by reviewing it :-(
As a matter of fact, rather than focusing on solutions like ODF, OOXML, or their implementations in MS Office, OpenOffice.org or others, I think the right way to take the question is to focus on the problems we have to address and define them better.

  • Why did we need to change? What were the problems with the previous Microsoft Office formats?
  1. Vendor lock-in: because the format was not publicly documented, competitors could not implement it. They could not write competing software, resulting in a slowdown of quality and support from Microsoft.
  2. Bad support of previous versions: some files created with older versions of Microsoft Office cannot be opened with newer versions. This is especially true of PowerPoint slideshows. Even when a file can be opened, it is very common that the layout of elements does not look the same on different MS Office versions or different Windows versions.
  3. Viruses: because the format was binary and not publicly documented, it was easy to hide malicious code in it and hard to detect it. Lots of botnets have been built on the funny PowerPoints that get forwarded from employee to employee.
  4. Heavy and limited format: the format inherited incoherences from its previous implementations, making it heavy to implement and resulting in heavy files.

  • What makes the best format?
  1. Vendor lock-in: ODF suffers no limitations; the standard evolves and can be implemented freely. Microsoft has said it will let competitors implement OOXML freely and will publish modifications to the standard. Yet we have historical reasons to doubt this will be their policy.
  2. Viruses: ODF is an XML-based format, which can easily be scanned for malicious content; even its macros are stored as XML modules. OOXML allows binary parts in the documents, notably the VBA project (vbaProject.bin) of macro-enabled files, which is an opaque OLE stream and therefore a much better hiding place. One caveat for anyone writing a filter: both are zip packages, and both can carry binary members such as embedded images or objects, so a scanner has to enumerate every member of the package, not only the main XML stream.
  3. Weight of the format: both are mostly text-based and use zip compression, giving comparable file sizes. ODF reuses other existing standards such as SVG and MathML, allowing cheaper implementation, whereas OOXML starts from the ground up.
  4. Implementations: currently, OOXML is completely supported only in Microsoft Office 2007. ODF is completely supported in OpenOffice.org, StarOffice, Symphony, KOffice, Google Docs and others.
From a technical point of view, ODF is by far superior to OOXML.
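To make the scanning argument above concrete, here is an added example (my own, not code from the original post, OpenOffice.org or Microsoft): a Python script that opens both kinds of package, enumerates every zip member, separates the XML parts from the opaque ones and flags where macros live. The two sample documents it builds are constructed in memory and deliberately minimal; the member names mimetype, [Content_Types].xml, Basic/ and vbaProject.bin are the real ones used by the two formats, but the member contents are fakes, and the verdict() policy is an assumption for illustration, not anything the formats prescribe.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Where executable content lives in each container. OOXML macro-enabled files
# (.docm, .xlsm, .pptm) store VBA as a binary OLE stream named vbaProject.bin;
# ODF stores Basic macros as XML modules under Basic/. Anything else that does
# not parse as XML (images, embedded objects) is reported so it gets scanned too.
OOXML_MACRO_PART = "vbaProject.bin"
ODF_MACRO_PREFIX = "Basic/"


def _is_xml(blob: bytes) -> bool:
    """True if the member is a well-formed XML document."""
    try:
        ET.fromstring(blob)
        return True
    except (ET.ParseError, ValueError):
        return False


def inspect_office_package(data: bytes) -> dict:
    """Enumerate every member of an ODF or OOXML zip package and classify it."""
    report = {"kind": "unknown", "parts": [], "binary_parts": [], "macro_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "mimetype" in names:               # ODF packages carry a plain-text mimetype member
            report["kind"] = "odf"
        elif "[Content_Types].xml" in names:  # OOXML (OPC) packages carry a content-types part
            report["kind"] = "ooxml"
        for name in names:
            if name.endswith("/"):            # directory entry, nothing to scan
                continue
            report["parts"].append(name)
            if name == "mimetype":            # plain text by the ODF spec, not a payload
                continue
            if not _is_xml(zf.read(name)):
                report["binary_parts"].append(name)
            if name.rsplit("/", 1)[-1] == OOXML_MACRO_PART or name.startswith(ODF_MACRO_PREFIX):
                report["macro_parts"].append(name)
    return report


def verdict(report: dict) -> str:
    """Assumed gateway policy: macros first, then any opaque member."""
    if report["macro_parts"]:
        return "quarantine"       # executable content present, whatever the container
    if report["binary_parts"]:
        return "scan-binaries"    # the XML is inspectable; the opaque members still need AV
    return "allow"


def build_sample_odt(with_macro: bool = False) -> bytes:
    """Constructed minimal ODF text document with one fake image (and optionally a macro)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", '<?xml version="1.0"?><office:document-content '
                    'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"/>')
        zf.writestr("META-INF/manifest.xml", '<?xml version="1.0"?><manifest:manifest '
                    'xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"/>')
        zf.writestr("Pictures/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # fake image bytes
        if with_macro:   # ODF Basic macro: readable XML, so any XML tool can see or strip it
            zf.writestr("Basic/Standard/Module1.xml", '<?xml version="1.0"?><script:module '
                        'xmlns:script="http://openoffice.org/2000/script" '
                        'script:name="Module1">Sub Main\nEnd Sub</script:module>')
    return buf.getvalue()


def build_sample_docm() -> bytes:
    """Constructed minimal OOXML macro-enabled document with a fake vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types '
                    'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><w:document '
                    'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body/></w:document>')
        # OLE2 compound-file signature plus filler: a real VBA project is an opaque OLE stream.
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("odt", build_sample_odt()), ("odt+macro", build_sample_odt(True)),
                       ("docm", build_sample_docm())):
        r = inspect_office_package(doc)
        print(label, r["kind"], r["binary_parts"], r["macro_parts"], "->", verdict(r))
```

Run as a script, it prints one line per constructed sample. The point it shows beyond the list above: an ODF macro turns up in macro_parts but not in binary_parts, because it is XML and can be read or stripped with ordinary tools, whereas the OOXML VBA project shows up in both, because it is an OLE blob that needs a dedicated parser. And the ODF sample is flagged for scanning even without a macro, because its embedded image is binary: a filter that only looks at content.xml or document.xml misses the members an attacker would actually use.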

  • What do we face now?
  1. Both ODF and OOXML have been approved as ISO standards (ISO/IEC 26300:2006 for ODF and ISO/IEC 29500:2008 for OOXML).
  2. Some companies have updated to Microsoft Office 2007, which saves by default as OOXML. Some companies have turned to OpenOffice.org which works natively with ODF.
  3. So the result is that company users receive daily legacy binary .doc, .xls, .ppt and ODF documents and OOXML documents.
  4. The most common office suite is still Microsoft Office 2003, which works with neither ODF nor OOXML out of the box.
  5. Many companies don't have enough Microsoft licenses for all their workstations and deploy OpenOffice.org where they have no license.

  • To the point: what do we need now?
  1. Have both formats work with MS Office 2003, or pay and have them work with MS Office 2007. This seems to be possible with a "conversion environment" from Microsoft (the Office Compatibility Pack, to open OOXML) and a plugin from Sun (the ODF Plugin for Microsoft Office, to open ODF).
  2. Have both formats work with OpenOffice.org where Microsoft licenses are not available. ODF is natively supported, and the implementation of OOXML has started. OOo should have working OOXML support shortly.

As a conclusion, after spending quite a few hours on the question, I can say that ODF is a technically far better solution, and that it should be possible to keep people working through this cacophony with additional plugins for MS Office.
Of course, as usual, implementation will be the most important part. I will post about the implementation of the plugins when I have results.