July 30, 2010

BCS: Can open source be secure?

Advogato’s Leighton raised a lot of interesting points on the fallacy of “security through obscurity”. However, his attack on BCS’s article about Open Source Security is, in my opinion, misguided.

The BCS’s article, like my writing and unlike Leighton’s, is disorganized and lacks focus. How exactly this passed the editorial process of BCS is a puzzle. [At least I have the excuse of not having an editor.] I cannot decide whether the article is about Open Source Security, using Open Source in Business or the hurdles (read commercial support) in using Open Source in business.

The other big disappointment is the shallowness of the article. I expected more from a security expert, especially if he is writing in a publication by an organization that calls itself ‘The Chartered Institute for IT’ [Full disclosure: I am working on professional registration in another Chartered Institute, i.e., The IET]. There is no analysis of the situation, no citation to back the assertions and I cannot even say the author skimmed through the subject. I expected deeper (but not too intimate) analysis of the situation, followed by the author’s opinion and perhaps, a few lines on the author’s experience with open source. What I get is superficial treatment of claims recycled from elsewhere, and not a very good one at that.

July 23, 2010

Apple did the right thing, but perhaps the wrong way

You would have known by now that Apple “coughed up” to the antenna problem, and decided to pay everyone off by offering a free case.

Or, unless you read TheRegister, which follows Apple’s official line by saying “There is no antenna problem. But have a free case anyway”.

No, there is no Antennagate. But yes, the issue is serious regardless of whether it is real or not. When you buy something that expensive you don’t expect problems like this. And if there were, you expect Apple to make good promptly.

Why did I say it did it the wrong way? I do not see any need to bash other handsets. That makes others unhappy (See this TheRegister article). Do I believe Jobs’ description? Yes and no. Yes, holding your phone will alter the signal strength, but one has to take the “demos” on other handsets with a pinch of salt: Given the correct facility and the time to do it, I can always reproduce the videos.

Like every Steve Jobs announcement, the announcement last week was a PR stunt. Look carefully and you will find that there is less substance in the speech than meets the eye. Sure, they have a lot of brilliant people, and spent a fortune on antenna testing, but that is no guarantee that there will be no problem with the antenna. Things like a business decision to place the antenna a certain way despite engineers’ advice make any investment you put in facilities go down the drain immediately.

July 16, 2010

NHS and Microsoft showdown

This news from TheRegister about the National Health Service in the UK losing its rebate on Microsoft software looks to me like a showdown. Frankly, I can see Steve Ballmer repeating what Bill Gates did the last time this happened: Paying the NHS IT chief a visit to resolve the problem.

Both sides have something to lose from discontinuation of Microsoft’s NHS contract. For Microsoft, in the short run, it will be an extremely negative signal to its other customers that a big UK outfit finds alternatives to Microsoft palatable. In the long run, it is going to lose the incumbent advantage.

For the NHS, the cost of retraining staff to use alternative software, the loss of productivity and the need to audit all computers for compliance is going to cost them more than the GBP 20 million payment to Microsoft, i.e., Microsoft’s incumbent advantage above.

How does the present purse tightening in the UK affect the position of both sides? I don’t know. The NHS is going to use this as a stick to get Microsoft to reduce the price. Microsoft is going to press home the financial cost of switching away from it, using fantastic figures like “GBP 85 million for GBP 270 million worth of software” which have to be taken with an extremely large pinch of salt. I mean, quite frankly, why would one of the best business minds in the business give someone a massive 70% discount?

The PR is also going to be spun by both sides to their advantage. If they do the deal, they will be singing from the same page: Both are going to tout that the NHS saved <insert large amount here> by sticking with Microsoft. In the unlikely event they do not, expect both sides to sling mud at each other. Microsoft is likely to launch a PR blitz, using the Freedom Of Information Act if necessary, to portray the NHS as wasting money on conversion to alternative software, while the NHS will trumpet the “saving” in licensing cost and claim that even if it spent more initially, it is projecting even bigger savings in the long run.

July 5, 2010

Sorry mate, you do not qualify as “Open Core”

The debate on the net for the past few days has been about “Open Core”, for which the best coverage is here by Simon Phipps. Phipps’ coverage trumps PJ’s of Groklaw. This is in itself no mean feat, considering PJ is always still the best after you take away her GPL-rant and this time, she toned it down significantly.

My first reaction is a bit of a puzzle. I do not see any need for the term “Open Core”. What is described as “Open Core” is something we have had for a very long time. Proprietary software, including Windows, always had some open source component in it. The BSD experience has shown that a lot of downstream developers, including proprietary ones, do prefer to contribute modifications/enhancements to the upstream development effort. My own experience says that as a developer becomes more and more sophisticated in a particular software, a time will come when he will, by necessity, contribute back because he is pushing beyond the envelope of the software he is working on.

Where proponents of “Open Core” say it is different from closed source is the extent to which things are open sourced. They say they give you everything but the glue that makes everything join together in a usable product. I finally understood it as being like writing a complex mathematical algorithm where what you do is to write a shell script that glues together several algorithms from the GNU Scientific Library, but instead of giving everything, including the shell script, out as open source, you simply say I am not going to give you the script but instead I will refer you to the GNU Scientific Library. Furthermore, I am not going to tell you how I constructed the shell script.

Am I doing anything open source? No. That is why proponents of “Open Core” have to coin the term. They will argue that unlike me, they do contribute to open source because unlike me, they wrote the replacement for the GNU Scientific Library and posted that as open source. And because they wrote the replacement, and their proprietary shell script is just a very small proportion of their proprietary offering, their product is “Open Core”.

The way I see it, this is no different from distributing a “developer library”. Microsoft, Apple and IBM will ship you a copy of their developer library on request and you can use it to construct a simple “Hello World” application. Most, if not all, will then allow you to redistribute your “Hello World” software under whatever licensing terms you choose. Does that qualify your software as “Open Core”? Or even better, can Microsoft, Apple and IBM insist you call your “hello world” program Open Core?

There is no pretense that Open Core is usable out of the box by any user who downloads it. This, as Simon Phipps and others correctly point out, means it fails the open source philosophy when it comes to shipping “working” software. Therefore, in my book, they should not link “Open Core” to open source at all.

As for “Open Core” as a way to fund the development of the open source component in the “Open Core” software? I leave it to the people who want to pursue this business model. My heart says it will not work, but I have been wrong quite a few times, and the world favours the brave.

July 2, 2010

That’s not a fix, that’s sweeping it under the carpet

Everyone designing equipment and the like knows that one way to cheat is to tamper with the gauge display.

That is what Apple is trying to do with its “software fix” for the iPhone. Do I believe that it is a software glitch? Nope. Otherwise Jobs would not have sent out the now infamous “don’t hold it that way” letter, nor would Apple have come out with a Help article explaining how not to hold your iPhone.

They are just trying to sweep the issue under the carpet. Out of sight == out of mind.

