Open Source Software: Just So Darned Good

August 9, 2019

The Trump administration’s proscription against doing business with Chinese tech company Huawei has cast a wide net, and one blogger suspects such a net may soon ensnare one of our favorite things. Bunnie’s Blog warns, “Open Source Could Be a Casualty of the Trade War.” The writer checked out Executive Order 13873, and considers how the incredibly broad text could be used to target just about any tech company around the world. They also extensively criticize the technique of weaponizing supply chains and its unintended consequences, so navigate to the blog post to delve into that reasoning.

One of those consequences, they fear, may be the very existence of open-source projects. Huawei, as our immediate example, has contributed significantly to the Linux Foundation. Linux has, so far, escaped the Huawei blacklist net because of a license exemption; however, Bunnie writes:

“Should Huawei be designated as a ‘foreign adversary’ under EO13873, it greatly expands the scope of the ban because it prohibits transactions with entities under the direction or influence of foreign adversaries. The executive order also broadly includes any information technology including hardware and software with no exemption for open source. In fact, it explicitly states that ‘…openness must be balanced by the need to protect our country against critical national security threats’. While the context of ‘open’ in this case refers to an ‘investment climate’, I worry the text is broad enough to easily extend its reach into open source technologies.

We noted this statement too:

“There’s nothing in Github (or any other source-sharing platform) that prevents your code from being accessed by a foreign adversary and incorporated into their technological base, so there is an argument that open source developers are aiding and abetting an enemy by effectively sharing technology with them. Furthermore, in addition to considering requests to merge code from a technical standpoint, one has to also consider the possibility that the requester could be subject to the influence of Huawei, in which case accepting the merge may put you at risk of stiff penalties under the IEEPA (up to $250K for accidental violations; $1M and 20 years imprisonment for willful violations).”

The beauty of open source is, well, its openness. Bunnie argues that if the government gets to decide what entities can contribute and which cannot, the freedom that underpins open source software will vanish.

Cynthia Murrell, August 9, 2019

Capital One and Surprising Consequences

August 4, 2019

DarkCyber noted the ZDNet article “GitHub Sued for Aiding Hacking in Capital One Breach.” According to the “real news” outfit:

While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted some of the stolen information on the code-sharing site.

Github (now owned by Microsoft) allegedly failed to detect the stolen data. Github did not block the posting of Social Security numbers. These follow a specific pattern. Many text parsing methods identify and index the pattern and link the number to other data objects.

What law did Github violate? Management lapses are not usually the stuff that makes for a good legal drama, at least on “Law and Order” reruns. The write up reports:

The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act.

DarkCyber thanks ZDNet for including a link to the complaint.

Lawyers, gotta love ‘em because we have a former Amazon employee, a financial institution with a remarkable track record of security issues, and a company owned by Microsoft. What about the people affected? Oh, them. What if Github is “guilty”? Perhaps a new chapter in open source and public posting sites begins?

Stephen E Arnold, August 4, 2019

Open Source: No Handcuffs, Freedom, and Maybe Problems

July 26, 2019

DarkCyber has noted the use of open source technology in policeware (software and systems for law enforcement) and in intelware (software and systems for intelligence professionals). The reasons mentioned to me when I get a demonstration include avoiding the handcuffs clicked on when one licenses proprietary software, the ability to get bug fixes and enhancements without waiting for the proprietary software vendor to get around to these adjustments, and a bigger pool of technical talent from which to draw. “12 Challenges Businesses face when Using Open-Source Software” does a good job of identifying some issues to consider when adopting open source code.

Let’s look at three of these which I have encountered in the last few months. I won’t name the vendors of the policeware and intelware systems, and if you want the other nine “challenges”, please, navigate to the original article.

Here are the three “challenges”, which in some cases may be deal breakers:

Cost. Note that the article pegs cost last in the list of 12 issues. My thought is that cost in the number one consideration. I have heard, “Our software is more value centric because we use open source software.” My response is, “So the license fees is reduced, but what about the cost of support, training, and coding special widgets to get the system working to meet our specifications?” No policeware or intelware system is “cheap.” Less expensive than another product, sure. But in terms of headcount, direct and indirect system costs, and time — vendors often understate costs and licensees say “Wow, I’ll go with you.”

Compatibility. Because a chunk of code or a system is open source and perceived as open, the software may not be compatible with one’s existing code. More problematic, the assumption that open source can happily ingest whatever “common” or “database” content one wants to have the open source software process. Think in terms of finding, licensing, or writing “filters,” “import routines,” or “file conversion” routines. Vendors of proprietary software may not have what you need, but you can buy filters from a cheerful sales professional or directly from the company. Working out “compatibility” can be expensive and slow down the process.

Mystery Sources. Open source is perceived as one way for a developer to demonstrate his open sourciness and his expertise. However, intelligence agencies in some countries create or contribute code to open source projects. Assuming that what looks like a benign tool may prove to be somewhat problematic. How problematic? Data about compromised open source software are elusive. In the US, third parties who use open source software for projects sub contracted by a prime contractor can be a vector for backdoors, exploits, and malware. Paranoiac project managers and contracting officers may wish to ponder this issue. Legalese will not reduce the aperture for fancy dancing.

Is open source inherently more risky than proprietary solutions? No, risk is about equal. Proprietary software is fraught with problems. So is open source. That’s a point of fact that is often glossed over.

Stephen E Arnold, July 26, 2019

Spy on the Competition: Sounds Good, Right?

July 11, 2019

DarkCyber noted this consumer and small business oriented write up about spying. Navigate to “7 ways to Spy on Your Competitor’s Facebook Ads [2019 Update].” The update promises to add some nifty new, useful methods to the original story.

What are the methods? Here’s a run down of four of them. You will have to navigate to the original story for the other three, or you could just not bother. Spoiler: None of the methods reference commercially available tools and services available from specialist vendors. Who’s a specialist vendor? Attend one of our LE and intel training sessions, and we will share a list of 30 firms with you.

Here are four methods we found interesting:

  1. Use services which report about a firm’s online advertising activities.
  2. Use services which report about a firm’s online advertising activities.
  3. Use services which report about a firm’s online advertising activities.
  4. Use services which report about a firm’s online advertising activities.

There you go. The spying methods.

DarkCyber wants to point out that these methods are different from the persistent tracking bug data some vendors helpfully install on one’s Internet connected device.

Plus, these methods are quite different from the approaches implemented in commercial OSINT and intercept analysis systems.

My next relatively public lecture will be in October in San Antonio. After the session, look me up. I might share a couple of solutions. Better yet write darkcyber333 at yandex dot com and sign up for a for fee intelligence systems webinar.

Stephen E Arnold, July 11, 2019

Short Honk: NLP Tools

March 26, 2019

Making sense of unstructured content is tricky. If you are looking for opens source natural language processing tools, “12 Open Source Tools for Natural Language Processing” provides a list.

Stephen E Arnold, March 26, 2019

RedMonk and Its Assessment of IBM as an Open Source Leader

March 24, 2019

I read “The RedMonk Programming Language Rankings: January 2019.” The analysis was interesting and contained one remarkable assertion and one probably understandable omission. The guts of the report boiled down, in my opinion, to a reminder to job hunters. If you want to increase your chances of getting hired, know:

1 JavaScript
2 Java
3 Python
5 C#

But the surprising statement in the write up was this one:

IBM remains at the forefront of open source innovation.

Now the omission. If IBM is in the forefront, where is Amazon? The company has made an effort to support most of the widely used open source software. Plus, the company appears to be taking tactical steps to close or capture open source.

From my vantage point, Amazon is taking a more “innovative” approach to open source. Granted Amazon’s “approach” may be a milestone in the company’s enhanced walled garden approach to core software systems. IBM’s approach seems little more than Big Blue’s attempt to give back and convince the open source community that it is not the IBM of its mainframe heritage.

Stephen E Arnold, March 24, 2019

When Free Fails the Doers, the Dreamers, and the Disillusioned

February 17, 2019

My team and I worked for several “open source software companies,” before I decide to hang up my Delta Million Mile Club name tag. (Weird red tags those puppies are.)

I read “Free Labor of Open Source Developers. Is That Sustainable?” The question caused me to chuckle. The answer is fairly straightforward.

Nope. Not for individuals. For outfits like Amazon, yep.

Under specific conditions, open source software does “work”. Now “does work” translates as “makes money, delivers fame, and/or makes those participating [a] happy, [b] feel like the effort is sticking it to the “man”, [c] proves that a person can actually write code which mostly works, and/or [d] builds a psychic bond with a community.

Some big companies do the open source “give back” and “contribution” and “support” dance. For these outfits, open source software is a part of a business model. Usually the practitioners of this type of marketing and sales offer for-fee widgets, add ins, and digital gizmos. Then the customer who downloads and uses the open source code has the opportunity to use the software and [a] buy engineering services, [b] buy training, [c] pay for “enhanced support,” and/or [d] attend conferences for insiders. I find Microsoft’s embrace of open source amusing.

For individuals, a pet project can provide satisfaction and a job maybe.

The write up does a good job of explaining the idealistic roots of open source software. I must admit, however, that I do not drink alcohol, so the analogy “like free beer” does not make any sense to me. The roots of open source software seem to be anchored in a desire to have software which did not [a] cost money to use, [b] could be modified; that is, not put the users in handcuffs, and [c] was updated on a calendar often wildly out of sync with the needs of the licensees. Proprietary software meant “bad” and the new open source software meant good with hints of revolution and “I just can’t take proprietary software anymore.”

The write up reviews a popular paper about the economics of open source software. I did not spot a reference to a later study which suggested that large companies were the biggest adopters of open source.* If that research were correct, the reason boils down to [a] big companies want to trim their costs for proprietary software’s license fees, mandatory upgrades, mandatory maintenance, and contractual limits on what changes a licensee of proprietary software can make. The researchers pointed out that large companies had [a] the staff and [b] the money to make open source software work for their use cases.

Flash forward to 2016. The Ford Foundation’s Roads and Bridges** makes clear that software development performed for free has a built in flaw. Developers can quit. Dead end? Maybe. Large companies can step in and embrace the project and, of course, the community. Outfits using this method range from the Amazons to the smaller firms which allow employees to work on projects. The open source approach can be overwhelmed or a victim of abandonment.

I am not sure I am convinced that the open source community exists. There are factions and many of them are at war. Consider Lucene/Solr’s contentious history. I also am not keen on the simile comparing open source to a religious community. Once again there are fanatics, and there are those whom the fanatics would like to either [a] imagine roasting in hell or [b] actually burning alive after a presentation at an open source meet up.

Net net: Amazon has crafted a new chapter in the lock in playbook. The approach borrows from IBM’s FUD to the more New Age methods of being famous and getting a “real” job.

If you are tracking the world of open source software, the write up is a useful addition to one’s library of analyses. One suggestion: Keep in mind that “free” open source software is a lure in certain circumstances. Think of it as a form of digital phishing, particularly for marketing oriented outfits.

Stephen E Arnold, February 17, 2019



* Diomidis Spinellis and Vaggelis Giannikas, “Organizational Adoption of Open Source Software,” Journal of Systems and Software, March 2012, page 666-682, and Stephen E Arnold’s The New Landscape of Search, June 2011.

** See

Ignoring Amazon: Risky, Short Sighted, Maybe Not an Informed Decision

January 15, 2019

I read “AWS, MongoDB, and the Economic Realities of Open Source.” The write up does a good job of explaining how convenience can generate cash for old line businesses.

The essay then runs down the features of a typical open source business model; namely, money comes from proprietary add ons, services, training, etc. Accurate and helpful is the discussion. Few people recognize the vulnerability of this type of open source model for companies not in a “winner take all position.” A good example is Elastic’s success, and the lack of success of other open source search systems which are in most cases pretty good.

The discussion of Amazon explains that Amazon is in the service business; specifically, the software-as-a-service business. That’s mostly correct. I have given two or three talks about Amazon’s use of AWS in the law enforcement and intelligence sector, and I have to be honest. Few understood what I was emphasizing. Amazon is a disruption machine. I call it the Bezos bulldozer.

The write up draws parallels with the music business case with which the Stratechery essay begins. I understand the parallel. I agree with this statement:

AWS is not selling MongoDB: what they are selling is “performance, scalability, and availability.” DocumentDB is just one particular area of many where those benefits are manifested on AWS. Make no mistake: these benefits are valuable.

The point of the write up is mostly on the money as well. I noted this statement:

…the debate on the impact of cloud services on open source has been a strident one for a while now. I think, though, that the debate gets sidetracked by (understandable) discussions about “fairness” and what AWS supposedly owes open source. Yes, companies like MongoDB Inc. and Redis Labs worked hard, and yes, AWS is largely built on open source, but the world is governed by economic realities, not subjective judgments of fairness.

There are several facets of Amazon’s system and method for competition which may be more important than the inclusion of open source software in its suite of “conveniences.”

At some point, I would welcome conference organizers, MBAs, and open source mavens to address such questions as:

  1. What is the ease of entry or implementation for open source services on AWS?
  2. What is the future of training developers to use the AWS system? Who does the training?
  3. What is the short term benefit to Amazon to have developers use open source and the AWS platform to create new products and services?
  4. What is the long term benefit to Amazon to have new products and services become successful on the AWS platform?
  5. What is the mid term impact on procurements for commercial and government entities?
  6. What is the shape of the Bezos bulldozer’s approach to lock in?

I was recently informed by a conference organizer that no one had interest in Amazon’s disruption of the policeware and intelware sector.

Do you think that the organizer’s conclusion was informed? Do you think open source is more than the digital equivalent of a gateway drug?

I do. For information about the DarkCyber briefing on Amazon’s policeware and intelware “play,” write benkent2020 at yahoo dot com.

Stephen E Arnold, January 15, 2019

Big Companies Launch Open Source Safe Data Initiative

November 21, 2018

Huge corporations usually do not support open source code, because it harms their bottom line. Qrius shares how some of the biggest tech companies are behind a new initiative for an interesting change of pace, “Facebook, Google, Twitter, Microsoft To Launch Open Source Initiative For Safe Data Transfer.”

Facebook, Twitter, Microsoft, and Google have teamed up in an endeavor to make data transfer across various platforms easier and safer. The new initiative is called the Data Transfer Project (DTP) and it is an open source project that helps users seamlessly transfer data across multiple online services without facing privacy issues. It sounds like a fantasy superhero team up. How will the DTP will do:

“According to Damien Kieran, Data Protection Officer at Twitter, most of the online services we use right now do not interact with each other in a coherent and intuitive fashion. Formed in 2017, the DTP is expected to bridge this gap and introduce service-to-service data portability through its open-source platform.

The project is expected to roll out in phases, starting with ensuring data portability from one service to another with encrypted signups, said Steve Satterfield, Privacy and Public Policy Director at Facebook.”

The DTP is a great idea, because how many times do you need to upload, download, reupload, and change file formats with your data? Transfer fluidity across many platforms is a must, especially with mobile technology, but privacy is even more important as users share their data across a wider physical and digital expanse. There are also new data protection laws, such as ones introduced in the EU, and the DTP will hopefully write the necessary legal jargon to protect the user and prevent the companies from breaking the laws.

It is a great accomplishment that these four companies are working together. Hopefully it is for good and not the all mighty dollar.

Whitney Grace, November 21, 2018

IBM Lock In Approach Modified and Given New Life

September 20, 2018

I read “Alphabet Backs GitLab’s Quest to Surpass Microsoft’s GitHub.” The write up explains that Microsoft bought GitHub. Google invests in GitLab. Plus:

It’s the latest major deal in the so-called DevOps market. Broadcom Inc. agreed to buy CA Technologies for $19 billion earlier this year; Atlassian Corp. bought OpsGenie Inc. for $295 million; and Salesforce Inc. spent $6.5 billion to purchase MuleSoft Inc.

From my point of view, these are open source oriented deals.

These deals are part of a revitalization of the old school IBM type of vendor lock in. The way that once worked was:

Buy our big iron

Use our software

Use our preferred partners


Good luck getting those mainframe puppies to behave.

Now the trajectory is to embrace open source, support anyone who codes something semi useful, add proprietary bits, and lock in the platform users.

In short, the lock in play is undergoing a renascence.

How about that open source credo? But where’s Amazon? If you want our take on Amazon’s tactics, contact benkent2020 at yahoo dot com and ask about our for fee briefing on this subject.

Stephen E Arnold, September 20, 2018

Next Page »

  • Archives

  • Recent Posts

  • Meta