Tom Petrocelli's take on technology. Tom is the author of the book "Data Protection and Information Lifecycle Management" and a natural technology curmudgeon. This blog represents only my own views and not those of my employer, Enterprise Strategy Group. Frankly, mine are more amusing.

Tuesday, April 25, 2006

When Is Open Source Not Open Source?

Now there's a truly odd question, don't you think? It's almost a Clintonesque phrase. The truth is that much so-called open source software is not really open source.

There are three ways that open source is not really open source. First, when you have proprietary software built on an open source platform. In this case, open source is only a marketing claim. The software only uses open source components or stacks like LAMP, but is otherwise no different than software built on proprietary stacks like Microsoft server products. As long as the software vendor doesn't change the actual open source part of the software, the "open" part doesn't apply. The term "open source" may indicate that the software runs in a certain environment but is not in and of itself open source. It's more of a marketing thing. It makes the sour taste sweet!

The second way that open source is not really what it sounds like is when the open software is brain damaged and you have to pay to get the real version. It's very clever marketing. Let others develop the core application but keep the value added (in other words really important) features for paying customers. It's a bit like Wal-Mart. Bring in the crowds with a stripped down, cheap version of a product but immediately steer them to an upgraded version. Smart but not really what open source is about. This is not the same as selling open source to entice someone to buy something else entirely. Even if the purpose behind Sun or IBM's open source push is to get people to buy their servers, that doesn't necessarily mean that the software isn't open source. It's like offering free bananas when you buy milk (which supermarkets do).

Finally, open source is not open source when the copyright can be sold and made closed. There are a lot of concerns that Mozilla may end up like this. By looking for revenue through licensing, the fear is that one day the best Mozilla products will suddenly close. I personally don't share that fear but it's not unprecedented. JasperSoft also appears to be heading in this direction. While it would seem that this is impossible under the various open source licensing schemes, it's actually fairly easy. Simply start out offering a basic and advanced version, one free and the other not, and then slow or stop development on the free version. Sounds like Red Hat a little, eh?

In any event, none of these are bad business models. Unless someone makes money from these projects, development will eventually stall when the people developing them get real work to do. It's important, however, to go into open source with eyes wide open. Open source is evolving as a model. The purist vision of community developed, free software, for the masses (masses of geeks anyway... and I'm one of them) is not sustainable. Open source is a marketing come-on. A loss leader. It works great for experiments and small stuff but not for real enterprises. It's one thing to view open source as an alternative to other software. It's quite another thing altogether to see it as free and open.

Wednesday, April 12, 2006

Security Built into Tape Drives

While I'm on the subject of security (see previous post), I did want to mention encryption and tape drives. Okay, I can hear lots of you out there (the few who read this anyway) saying, "who cares?" Tapes are going the way of Homo Neanderthalensis - a dead branch on the evolutionary tree. While it's true that disk-based backup systems are spreading like nuclear ambitions in the third world, tape is by no means history. If nothing else, there will always be the need to move data offsite, either to archive or as primary backup. Tape is, for the foreseeable future, the best way to do that. It's fast enough and cheap enough and for many, that's enough.

The problem with tape is that it has a tendency to, shall we say, wander off. Sometimes it simply gets lost in transit for a few days (thank you ABN-AMRO Mortgage for adding a special kicker to everyone's already heightened sense of paranoia). Other times it gets lost permanently. You can ask Iron Mountain about that. Tapes that go on walkabout often have help from us human types as well. Sometimes it's just stupid human tricks but other times it's theft with a purpose.

So the obvious thing to do is to encrypt the data that goes on a tape. While I just finished railing about the need to do that, the truth is that encrypting data can slow down a system and for some people, that's unacceptable. Since everyone should be encrypting tapes, shouldn't it be a feature of the tape drive? Something, like parity checking, that happens automatically. Like breathing. And built into the hardware. That way encrypting tapes would be fast and ubiquitous.

Well, it's coming and none too soon. Chips that encrypt data quickly have been around for eons. It would seem that this is something that would have been stuck onto a tape drive before. I suppose it adds some small cost and tape drive vendors worry that it will become a checklist feature, i.e. something people will expect but not want to pay extra for. Oh well. That's life in the technology game.

So to you tape drive folks. I know you are trying to make money pennies at a time but you are going to have to add this feature. As soon as one of you does, all of you will have to. You'll have about a year when you can charge extra for it then, no more. Might as well be the first on your block and win new customers.

Monday, April 10, 2006

Encrypt Everything!

Encryption is the encoding of information in such a way that it is useless to anyone who isn't supposed to have it. It renders plain text impossible to read. This is a very good thing if:

  • You have sensitive information you don't want anyone to see. Some examples might be contracts, design drawings, new product information, or bookmarks of web sites that your wife would not approve of.

  • You really believe that someone might be able to see this sensitive information.

  • It is even remotely possible anyone who could see your sensitive information would care enough to look at it.

In all seriousness, there is a lot of information floating around that is not for public consumption. Let's be honest, most of us have a list of passwords around. Those who say they don't either use only one password for everything (dangerous!) or are lying. One of the things I find highly amusing is when companies have extravagant document control processes in place and don't bother to encrypt said documents when they sit on someone's hard drive. So much for watching your assets...

Encryption is an interesting way to secure information. It does nothing to keep the bad folks from getting to your data. Instead, it makes the data unviewable and unusable. It is no longer worth the hacker's time or energy to try and get at something important. Why go through the effort when you can't read the file? Even if the hacker is lame enough to take something, they can't see it or use it so it doesn't matter. In fact, while some idiot hacker is spending time looking at data that they can't use, your network security wizards are tracking the fool down and reporting him to the FBI. Ha ha ha! You can tell, I don't have a lot of respect for hackers but that's another subject.

It is imperative that mobile devices use encryption. It's just too easy for someone to lose a flash drive or CD. If you are transporting confidential information, encryption is a must. This is especially true for backup tapes. If I have to read one more report of backup tapes being lost and data not encrypted, I'll scream. How many times do we have to get hit in the head before we decide to wear a helmet? Many times apparently.

Every time another company reports losing unencrypted backup tapes it makes us all look like idiots. Earth to IT. Come in please. Encryption is a cheap (or free) feature and a checkbox in the software. If your backups are too slow for encryption then they are too slow period and you need to rethink your backup strategy. It's criminal not to use encryption.

The same is true for desktop files. There are lots of good solutions for encrypting files, either individually or through an encrypted drive. Encrypted drives are the easiest. The software creates a file, makes it look like a disk drive and - voila - encrypts anything sent to it. It is so easy that even your average end-user can figure out how to use it. Of course, you usually need to remember a password. Oooohhhh my gawd! How hard is that?

Many of the solutions are pretty inexpensive too. One software package that I like is TrueCrypt. It works great and it's free open source software. That's right friends - Free! It even comes in Windows and Linux flavors. You mount a file, partition, or entire device (like a flash drive hint-hint) and everything is encrypted. Safe. As in "no worries".

So, there are no more excuses left. Either encrypt or be made the fool. And let's be honest, who wants to have to say to the CEO "Um, sir. About those backup tapes..."