…and more in this week’s compilation of open source news!
Explaining a Complex Legal Triangle
Intellectual Property lawyer Dr. Kalyan Kankanala has provided a good summary of the GPLv2 case involving Versata, Ameriprise and XimpleWare. He outlines some potential outcomes, such as the importance of choosing an appropriate licensing model, as well as the effect the case may have on patents in open source software. Read Dr. Kankanala’s summary here, or our summary (including a demystifying infographic) here.
Trust Facebook to Select the Right OSS
You want to use open source in your next project? Great. But which OSS will you choose? There are close to a million open source projects out there (we know these things; we collect them). To address this problem, Facebook has recently announced a new project called Talk Openly, Develop Openly, or TODO, which seeks to make it easy for organizations to discern mature and reliable open source projects from the multitude of projects that exist today. TODO will also facilitate the discussion of open source deployment tips among organizations. Read more at Computer World.
Breaking Down Messaging Walls
A Gmail user can send an email to a Microsoft Outlook user, but a Google Hangouts user can’t send an instant message to a Skype user. A new open source project called Matrix is set to change that. The founders of the two-week-old project hope that Matrix will allow people to send instant messages to one another regardless of what app they are using. There is a catch, though: that app must support Matrix. Read more at Cite World, or take a look at the code on GitHub.
Open Up and Encrypt
Worried about your online privacy? Pretty Easy Privacy (PEP), built upon OpenPGP, is a newly launched open source project that simplifies the encryption of messages sent through online communication tools such as Microsoft Outlook, Facebook, Android, Twitter and more. The project is open source and will be released under the GPLv3. Read more at PCWorld.
Getting Paid to Write Free Code
A study conducted by computer science professor Dirk Riehle has found that as much as 50% of open source code is contributed between 9am and 5pm. Although some of it may be the result of overzealous programmers goofing off at work, most of it is written by people who are actually doing their job. Read more of the study’s results at Tech Republic.
What Makes An Open Source Project Successful?
If you believe Linux Foundation’s Jim Zemlin, the success of an open source project can be measured by its ability to “inspire someone to think, to question, to imagine”. And of course there are other more mundane metrics such as market share or an active contributor base. Read more of Zemlin’s thoughts here.
Some quick tips on managing open source vulnerabilities
We recently published our top 10 tips for managing open source vulnerabilities. Take a look at the slideshow in CIO Magazine.
For a few years now, we’ve heard about Google Glass, wearable technology that essentially brings the functionality available on a smartphone to a pair of eyeglasses.
Users of the $1,500 glasses experience augmented reality, or enhancement of the real world with digital elements. For example, say you are studying an ancient sculpture at a museum. While wearing the glasses, simply look at the artwork and a variety of pertinent facts about it will appear on your glasses in real time, enhancing your learning experience.
It remains to be seen whether Google Glass adoption will become mainstream. While some research seems to indicate customers might not be interested in the product—being that it’s a new and untested device—other studies predict more than 800,000 pairs of glasses will be ordered this year. Fast forward to 2018, and that number explodes to 21.1 million.
One detractor from Google Glass usage could be that, despite the fact that Google likely knows quite a lot about us from our previous use of its products, some customers might be reluctant to allow the company deep visibility into their lives, from where they go, to with whom they speak, to what they’re seeing at any given time.
Wanting to take advantage of the promise of Google Glass, one Indian inventor put together some wearable tech of his own. Arvin Sanjeev built a Raspberry Pi-powered Google Glass knockoff—his “Smart Cap”—using open source technologies. The instructions to Sanjeev’s project can be seen here.
While it’s probably safe to say that the smart cap isn’t the sleekest looking piece of technology, it might be a pretty good alternative to Google Glass for those who want to maintain their privacy, enjoy challenging projects and not spend $1,500 on the technology anytime soon.
Sanjeev’s smart cap speaks to the power of open source: figuring out how to build or create something and then sharing those plans with the world. As such, we can expect to see someone figure out how to make the Indian inventor’s project slightly better, a process we hope will continue.
Some open source projects make it very simple to understand what license applies to the published works. Unfortunately, not all projects are created equal.
Despite all of the best intentions to share with the world, determining what licensing terms apply to an open source file or project is sometimes a lot more complicated than just looking for the one license file.
Protecode COO Norm Glaude will explore copyright and license declarations in open source code, packages and projects, and how these may apply to your final product.
When: September 24th 2014 at 9am EST
Repeat: September 24th 2014 at 2pm EST
What you will learn:
- A brief overview of open source license and copyright declarations
- The implications of using open source in your product
- A step-by-step process for uncovering hard-to-find license and copyright information in your product
- Steps to take to ensure your product is compliant
Who should attend:
- CTOs and CIOs
- Technology Managers
- Corporate IP lawyers
- Licensing Managers
- Product Managers
- Quality Managers
- Software Developers
Over the past few years, we’ve seen more drones being used in more ways than ever before. With uses in the military, real estate, retail and everything in between, there’s no shortage of applications for drones.
Because they are connected to the Internet, these unmanned flying apparatuses pose quite the security threat should an unauthorized individual figure out how to hack into one of the machines’ networks and gain control of it from a remote location.
Seeking to provide drones with comprehensive security, NICTA, a research center in Australia, released its security project as open source in July. In doing so, governments and businesses are now able to tweak the code as they see fit, using it however they’d like.
In a video released by NICTA that showcases the power of the security software, viewers are exposed to two drones: one with the open source security measures and the other without it. Viewers see how the drone equipped with the security solution is able to maintain a normal flying pattern while the other drone can’t withstand the attack and plummets to its demise.
“What we are demonstrating here is that if one of the ground stations is malicious, and sends a command to the drone to stop the flight software, the commercially available drone will accept the command, kill the software and just drop from the sky,” explains June Andronick, a senior researcher at NICTA.
NICTA claims that its software is bug-free, and by releasing the code to the open source community, hopes that it can be tweaked to become an even more formidable security solution.
As the prevalence of drones increases, the need for robust security solutions becomes that much more pronounced. Programmers certainly understand this, which is why we can expect to see stronger iterations of NICTA’s code in the future, thanks to the open source community.
It’s hard to believe that in 2014, there are still a lot of healthcare providers that have not yet fully transitioned to using Electronic Health Records (EHRs) to keep track of their patients’ medical histories. But despite the federal government offering financial incentives to healthcare providers that digitize their medical records, many businesses have yet to jump into the 21st century.
According to a recent survey on EHRs commissioned by Medscape, 83 percent of healthcare providers have transitioned to the new filing system, with an additional 4 percent currently transitioning to one. (Two years ago, 74 percent of providers were using such a system, with 8 percent in the process of installing one.)
As you could imagine, migrating paper-based records into the digital world is a painstaking process for any healthcare provider. But for Dr. Jay Kinsman, a healthcare provider in Colorado Springs, that process isn’t being made any easier thanks to the prevalence of many different EHR systems.
“Do we really need 250 different EHRs, and 30 fairly widely used ones and 15 really big ones?” Kinsman asks in a recent Kaiser Health News article. “Could we get by with one? Would we do better with just one product?”
The EHR market is extremely fragmented to say the least, and there is no shortage of software that healthcare providers can choose as they migrate to digital systems. But according to that same study, one system, the VA’s Computerized Patient Record System—also known as VistA—might be their most attractive option.
Built on a foundation of open source software, VistA doesn’t have licensing fees. The solution is the only one of its kind with a national footprint, as it has to cover veterans across the country. While the software lacks licensing fees, businesses will still have to foot the bill for installation, hardware and maintenance.
Still, healthcare businesses are employing the technology because they stand to save millions on licensing fees. What’s more, they can also change the software’s code to accommodate their unique business needs.
Because of the affordability and versatility open source solutions afford, it’s not surprising to see healthcare providers view VistA as favorably as they do. As such, we can expect to see VistA adoption rates increase in the near term.
When Heartbleed was uncovered earlier this year, many businesses scrambled to figure out how to better protect their networks from exploitation by this Internet bug. The fact that the vulnerability existed in OpenSSL, a commonly used component for encryption on the Internet, surely meant that other flaws would be found elsewhere—right?
Well, probably—as with proprietary code too. Programmers aren’t infallible. But even if Heartbleed scared some business owners away from open source, the fact remains that open source has become pervasive to the point where you really can’t avoid it altogether. And as such, business owners need to make sure they know exactly what’s in their open source code to manage any possible security vulnerabilities.
Luckily, doing so is quite easy. With the help of an intellectual property software audit, you can find out all of the pieces of code that are in your code base. At Protecode, our solutions constantly cross-reference the National Vulnerability Database, meaning that you will find out the exact weak spots in your code the minute they are uncovered and added to the catalog.
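What “cross-referencing” a vulnerability catalog against an audit result means in practice is a version-range match: each catalog entry names a product, the first affected version and the first fixed version, and every inventory entry that falls inside that range is a hit. The example below is added here to illustrate that matching; it is not Protecode’s code, and the inventory, the advisory records and their identifiers are all constructed for the example (the ids are placeholders, not real CVE numbers). It handles the edge case that matters most in such feeds, a letter-suffixed patch release such as 1.0.1f versus 1.0.1g, which naive string comparison gets wrong.

```python
import re

# Constructed inventory: what an audit found in the code base, as (product, version).
INVENTORY = [
    ("openssl", "1.0.1f"),
    ("openssl", "1.0.1g"),
    ("zlib", "1.2.8"),
    ("libpng", "1.5.10"),
]

# Constructed advisory records shaped like a vulnerability-feed entry:
# product, first affected version (inclusive), first fixed version (exclusive).
# The ids are placeholders for this example, not real advisory numbers.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-0001", "product": "openssl",
     "affected_from": "1.0.1", "fixed_in": "1.0.1g"},
    {"id": "ADV-CONSTRUCTED-0002", "product": "libpng",
     "affected_from": "1.5.0", "fixed_in": "1.5.13"},
]

# One dotted component: leading digits, optional trailing letters (e.g. "1f").
_PART = re.compile(r"^(\d+)([a-z]*)$")


def version_key(version):
    """Turn '1.0.1f' into ((1, ''), (0, ''), (1, 'f')) so tuples compare in release order.

    A letter suffix sorts after the bare number within the same component, and the
    numeric part dominates, so 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2.
    """
    key = []
    for part in version.split("."):
        m = _PART.match(part)
        if not m:
            raise ValueError(f"unsupported version component: {part!r}")
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def is_affected(version, affected_from, fixed_in):
    """True when affected_from <= version < fixed_in in release order."""
    v = version_key(version)
    return version_key(affected_from) <= v < version_key(fixed_in)


def cross_reference(inventory, advisories):
    """Return (product, version, advisory id) for every inventory entry inside an advisory's range."""
    hits = []
    for product, version in inventory:
        for adv in advisories:
            if adv["product"] == product and is_affected(
                version, adv["affected_from"], adv["fixed_in"]
            ):
                hits.append((product, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for product, version, adv_id in cross_reference(INVENTORY, ADVISORIES):
        print(f"{product} {version}: affected by {adv_id}")
```

Running it flags openssl 1.0.1f and libpng 1.5.10, and leaves openssl 1.0.1g and zlib alone. Real feeds express ranges in several ways (inclusive or exclusive bounds, platform-specific product names), so a production matcher needs the feed’s own version-comparison rules; the structure of the check is the same.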
In today’s fast-paced business world, you need to work quickly to keep up with the speed of innovation. This means you might not have enough time to thoroughly assess your code base on your own. As such, you need to leverage tools that will help you pace your projects to meet industry best practices.
Very often, programmers copy open source code and paste it into their own projects. Effectively managing that code manually while ensuring its security is a time-consuming process.
But that process can be shortened when you employ modern tools to examine code and move projects forward with confidence. Click here to learn more.
Earlier this year, a serious security flaw in Internet Explorer was revealed, allowing hackers to figure out ways to remotely commandeer computers that were running Microsoft’s pervasive proprietary Web browser. On top of that, last month researchers concluded that Google’s Android open source operating system contained similar security vulnerabilities, which if exploited, would allow intruders to gain access to all sorts of sensitive information—from payment histories to emails to credentials.
Though there’s a never-ending conversation surrounding whether open source code or proprietary code is more secure, these two documented situations should lead readers to the same conclusion: Regardless of whether code is open source or proprietary, it’s imperative that businesses work to manage all vulnerabilities in their code base.
Proponents of proprietary code will argue that solutions developed inside the walls of an organization are more secure because staff works hard to ensure protected software. After all, a company’s name is on the line with each release. On the other hand, proponents of open source say a community of dedicated programmers works tirelessly to ensure that the code they produce is impenetrable as well.
No matter which perspective you most support, the flaws in Android and Internet Explorer highlight a basic premise: Humans are not infallible. It’s only a matter of time before there’s a flaw in some of the code your business uses—whether that code is proprietary or open source.
To ensure your company is protected from exposure to vulnerabilities, decision makers should strongly consider leveraging tools that work to reveal security gaps. Such tools can also help companies see whether their software contains any third-party code and, if so, whether that code is properly licensed.
Click here to learn more about how your business stands to benefit from performing an intellectual property software audit with Protecode Certified.
…all this and more in this week’s compendium of open source news!
Two Steps Forward, One Step Back
Sounds like a Strauss Waltz? Almost. After 10 years the city of Munich’s love affair with open source may be coming to an end. Despite saving $16 million by using the custom Linux distribution LiMux, the city is considering switching back to Windows due to user complaints. Read more about the motives surrounding the discussion at Network World.
Governments on GitHub
Governments across the globe have long been dabbling with open source software. Use of Open Source products like OpenOffice, Linux and Drupal are becoming commonplace. To further this trend, many governments are beginning to open source their own code as illustrated by the 10,000 active government users on GitHub. You could argue that since it is our taxes, then the code should be open. Read more about this growing trend at InfoWorld.
You Want Privacy? Google & Yahoo Are Here to Help
As a response to privacy concerns Google and Yahoo will be collaborating on end-to-end encryption for their respective webmail systems. The code will then be open sourced and safe, because the larger community can help search for bugs, backdoors, etc. Read more at Tech News World.
Who Are You Going To Sue?
At the recent Black Hat security conference, In-Q-Tel’s CIO Dan Geer laid out his thoughts on software security and liability. Geer believes that in the future software manufacturers will be held responsible for any problems caused by their software. By open sourcing all software, Geer thinks it will be easier to pinpoint and remedy security problems. You can read his full rationale here.
GPL For House Design, Apache for Cars?
Well, it had to happen. The world is going gaga over open source. After open source plants and open source drugs, we have open source cars and open source houses! Paperhouses and a dozen other companies now offer architectural plans for a variety of dwellings. In the automotive industry, Local Motors thinks open source hardware can help accelerate the car design process, allowing for transparency into what works and what doesn't work. And of course open source seems poised to dominate automotive software.
Some sage advice…
If you’re curious about how open source vulnerability management fits into quality testing processes, take a look at what our COO Norm Glaude has to say in a recent issue of Professional Tester Magazine.
There’s no shortage of benefits that open source software provides. Though the technology is certainly not without its criticisms (for example, depending on the product, you might run into a lack of quality support), lately its proponents have been eyeing a new application for open source: compliance.
In a recent presentation, security professionals unveiled a proposed Payment Card Industry (PCI) Data Security Standard (DSS) compliance model that is based on open source technology. The system is designed, they said, to help reduce expenses, enhance scalability and make it easier to manage the technological infrastructure that supports PCI compliance.
The PCI standards are a set of protocols developed by major credit card companies that were designed to enhance data security. Should businesses fail to be PCI-compliant and then have their systems breached, they face significant fines and could even lose their merchant accounts. As such, it’s imperative that businesses consistently adhere to PCI standards.
There are open source alternatives available that support PCI compliance. For example, to meet the PCI DSS requirement that businesses use a consolidated log server and that the server be monitored with regularity, businesses can leverage a variety of open source tools like fluentd and logstash. As is the case with any piece of technology, companies will need to fine tune these tools to their precise specifications.
The question as to whether a business should adopt open source or proprietary solutions is one that has to be answered internally. With open source, when new needs arise, source code can be augmented to support those needs. But it could take some time to do that, so businesses need to decide whether the benefits of open source outweigh the costs.
Is open source positioned to become the next mode of standardization in the virtualization world?
It appears that might very well be the case following the European Telecommunications Standards Institute (ETSI) Network Functions Virtualization (NFV) Industry Specifications Group’s decision to move forward with an open source project designed to meet that end. The group hopes that open source solutions can be leveraged to provide businesses with the interoperability in their data centers that previously resulted from standardization.
The group’s project—Open Platform for NFV—would fall under the umbrella of the Linux Foundation. As OpenDaylight, a similar open source project, took an open source approach to the SDN controller, Open Platform for NFV, like its name suggests, aims to develop an open source platform for NFV.
During a panel discussion about the changing role of standards at the Big Telecom Event, Neela Jacques, executive director of OpenDaylight, said that open source is simply a more efficient way of solving complex problems, and because of that, programmers are increasingly turning toward the technology.
“What you need is a common code base,” he said. “We dovetail very well with standards efforts – the fact is open source solutions are becoming de facto standards.”
Open source solutions aren’t out to put all proprietary companies out of business, according to Prodip Sen, CTO at Hewlett-Packard. At the end of the day, businesses still want to be able to call someone when there’s a problem with their hardware or software.
“The way we look at open source is that it is a way to create a sub-strata of interoperability, and a way we get to interoperability and standardization without waiting for a long, drawn-out standards process,” Sen explained.
Still, it appears we are a few years from NFV becoming pervasive in the data center. That’s because operations need to catch up, as every organization and employee has different needs and skill sets. But thanks to open source, that education might be finished sooner rather than later.