Monday, August 28, 2006

Kawasaki Interviews MySQL CEO

Guy Kawasaki has an interesting interview with the CEO of MySQL where they touch on one of my pet theories regarding the value of open source development. From the article:

Question: How do you make money with an Open Source product?

Answer: We start by not making money at all— but by making users. The vast community of MySQL users and developers is what drives our business.

Then we sell an enterprise offering to those who need to scale and cannot afford to fail. The enterprise offering consists of certified binaries, updates and upgrades, automated DBA services, 7x24 error resolution, etc. You pay by service level and the number of servers. No nonsense, no special math. Enterprise software buyers are tired of complex pricing models (per core, per cpu, per power unit, per user, per whatever the vendor feels like that day)—models that are still in use by the incumbents.

At MySQL we LOVE users who never pay us money. They are our evangelists. No marketing could do for us what a passionate MySQL user does when he tells his friends and colleagues about MySQL. Our success is based on having millions of evangelists around the world. Of course, they also help us develop the product and fix bugs.

And the few times that they say that they hate MySQL, that helps us too because complaints usually contain some good suggestion for improvement.

In other words, you make money by creating users, a small percentage of whom will eventually pay you to solve the hard problems they run into while using your open source technology.

Back around the time that Nessus went to its new licensing model I got quite a few questions from people regarding the open source business model that Sourcefire operates under and whether they could expect us to follow suit and go to some non-OSI-approved license. My response was always "No, we'd be crazy to do that".

The reason I say that is because I believe that the value of an open source technology is not the technology that it implements (beyond a certain point; it has to do something interesting and do it well). The value of an open source technology to the company that develops and supports it is the community that grows around it. It's pretty obvious that the community that grows around your project is your potential customer base; the thing that may not be obvious is that they are also a strong part of your marketing team. My observation is that open source users have a tendency to be evangelistic, and that evangelism can go a long way towards getting your company in the door at their company, as well as at their friends' companies. Additionally, the guys who use open source tools when they're either young with no money (e.g. the proverbial college student) or tasked with investigating a technology before getting into a formal deployment (e.g. the proverbial IT security guy with hot tasking from on high) start with open source products and will stick with them if they have a good experience. Guys who learned Snort in college in 1999-2000 are IT directors/managers/VPs now, and having them familiar with and (possibly) fond of the technology is a big deal for us at Sourcefire. Back in 2002, when Sourcefire was ~10 people and we'd lose a deal to open source Snort, my philosophy was always that it was not a big deal: the customer would be back when the problems got sufficiently hard, and they'd think of us first as the place to go for a solution if we continued to deal in an even-handed fashion with the user community and continued to advance the product.

Advancing the product is a big deal too. Some have theorized that doing things like adding a new detection engine to Snort that could do gigabit speeds and then giving it away was a Bad Idea because it gave our Snort-based competitors a more level playing field on which to compete against us. My opinion is that it keeps the ball moving forward and keeps people's eyes on what we're doing instead of letting them get bored and go off to check out some other, more rapidly developing OSS technology or a commercial solution. Letting your technology get stagnant is almost as bad as closing the technology; once the community is bored they'll be looking elsewhere for something exciting. One important point to note in this regard (in a product company) is that just because you're releasing advances to the open source community at large doesn't mean that you are required to drive your differentiation from that technology to zero. If you want people to be willing to pay for what you do, then having some sort of key differentiation is a must! At Sourcefire we did things like developing a complementary technology that allowed us to address one of the toughest problems in the intrusion detection world: false positives. If you can't maintain differentiation against your open source product or your competitors that use your open source technology, then you've got a problem that you need to get creative around; closing the technology isn't an acceptable answer in my opinion.

Once you've open sourced your technology then you have to approach its continued development as a community building exercise that works best by advancing the technology and trying to maintain community-friendly policies and programs. If you do this and try to be clueful about interacting with the open source users as the company grows (a whole different topic) then you have the foundation necessary to build a business of substance. That's the principle that I originally built Sourcefire on and so far it has worked pretty well.


Tuesday, August 22, 2006

OS X Firewall: Give me transparency or give me... a GUI!

I had an "entertaining" time getting a handle on OS X's firewall last night on my newest Mac Mini. For those of you unfamiliar with the OS X firewall's inner workings, I suggest you take a look at Jay Beale's DefCon presentation.

Here's the basic problem with OS X's firewall and its configuration: it's not transparent to the user. The OS X firewall configuration interface is highly simplified and accessible, but it omits critical information about ports that it is leaving open regardless of the state indicated by the configuration GUI. For security-conscious users like myself, it is unacceptable for the system to lead me to believe that I've blocked all ports but SSH (for example) and "stealthed" the machine when in fact it has left several other service ports wide open for access by anyone on the network and has not stealthed the machine in any credible manner.

Apple needs to take this seriously. I can understand hiding UNIX complexity from the user in a consumer OS, but when I ask for Advanced configuration what I'd like to see is an honest summary of which ports are not being blocked on my network interfaces. It doesn't seem like too much to ask, but for some reason you just can't get that information from your Mac unless you're willing to go out to the command line and punch in some ipfw commands yourself. As has been illustrated time after time, the cost of doing security right the first time is far less than the cost of fixing it later.
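The honest port summary asked for above can be pulled out of the ipfw rule list itself. What follows is an added example (my own code, not Apple's and not part of any of the firewall GUIs mentioned in this post): it walks the output of "sudo ipfw list" in rule order, the way ipfw matches packets (first match wins), and reports which inbound TCP/UDP ports an allow rule actually reaches and whether a protocol falls through to a catch-all allow at the end of the list. The rule text is a constructed sample in the shape of Tiger-era ipfw output; the rule numbers and ports are illustrative. It assumes rules use the dst-port keyword and the in direction modifier, and it deliberately skips loopback-only, outbound-only and address-scoped (anti-spoofing, multicast) rules, which is a simplification.

```python
import re

# One ipfw rule line: "<number> <action> <proto> from <src> to <dst> [options...]"
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|reset|unreach)\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)
PORT_RE = re.compile(r"dst-port\s+(\S+)")

# Constructed sample in the shape of Tiger-era `ipfw list` output; rule numbers
# and ports are illustrative and not copied from any real machine.
SAMPLE_RULES = """\
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02060 allow tcp from any to any dst-port 22 in
02070 allow udp from any to any dst-port 5353 in
02080 allow tcp from any to any dst-port 548 in
12190 deny tcp from any to any
20000 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any
"""


def _port(token):
    # Keep ranges such as "1024-65535" as text; single ports become ints.
    return int(token) if token.isdigit() else token


def open_inbound_ports(rule_text):
    """Walk the rules in order (first match wins, as ipfw does) and report what
    inbound TCP/UDP traffic gets through.  Address-scoped rules (anti-spoofing,
    multicast), loopback-only rules and outbound-only rules are skipped."""
    explicit = {"tcp": set(), "udp": set()}  # ports an allow rule actually reaches
    blocked = {"tcp": set(), "udp": set()}   # ports hit by an earlier port-specific deny
    closed = set()      # protocols already decided by a catch-all rule
    wide_open = set()   # protocols that fall through to a catch-all allow
    for line in rule_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        words = m.group("rest").split()
        if "out" in words:
            continue
        if "via" in words:
            idx = words.index("via")
            if idx + 1 < len(words) and words[idx + 1].startswith("lo"):
                continue
        if m.group("src") != "any" or m.group("dst") not in ("any", "me"):
            continue
        protos = ("tcp", "udp") if m.group("proto") == "ip" else (m.group("proto"),)
        protos = [p for p in protos if p in explicit and p not in closed]
        if not protos:
            continue
        allow = m.group("action") == "allow"
        pm = PORT_RE.search(m.group("rest"))
        if pm:
            ports = {_port(t) for t in pm.group(1).split(",")}
            for p in protos:
                if allow:
                    explicit[p] |= ports - blocked[p]
                else:
                    blocked[p] |= ports
        else:
            # No port: this rule decides every remaining packet of the protocol.
            for p in protos:
                if allow:
                    wide_open.add(p)
                closed.add(p)
    return {"explicit": explicit, "wide_open": wide_open}


def summarize(rule_text):
    """Human-readable summary, one line per protocol."""
    result = open_inbound_ports(rule_text)
    lines = []
    for proto in ("tcp", "udp"):
        ports = ", ".join(str(p) for p in sorted(result["explicit"][proto], key=str))
        line = f"{proto}: {ports or 'no explicitly allowed inbound ports'}"
        if proto in result["wide_open"]:
            line += "  (WARNING: all other inbound traffic falls through to an allow-all rule)"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_RULES)))
```

On a real machine, save the output of "sudo ipfw list" to a file and pass its contents to summarize(). The constructed sample reproduces exactly the situation complained about above: the TCP side looks like "only SSH and AFP", while UDP never meets a catch-all deny and so falls through to the final allow-all rule.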

Once I achieved frustration with the transparency of Apple's firewall preferences panel, I figured that someone else must have had this problem in the past and solved it with a good and completely transparent firewall configuration GUI for OS X. I checked out Flying Buttress and it was pretty good, but it seemed to have issues with hanging from time to time and it was difficult to get the actual firewall status and configuration after applying a policy. It had further problems once I accidentally tried to explore Apple's FirewallTool, which reestablished the default configuration in addition to Flying Buttress's: the worst of both worlds. I then tried out Firewall Builder, but there was all sorts of flakiness with it in terms of the GUI display as well as its intuitiveness. Then it crashed on me, and since they wanted money for that version I decided to pass on working with it any further. I checked out a couple of other interfaces, but they all had issues with transparency, utility and functionality. Flying Buttress was the closest, but it was still hiding configuration options from me while not displaying all of the ports it was leaving open. It does have an "expert" display mode that shows the exact configuration used, but it seems to be impossible to reflect any changes made in expert mode back in the regular GUI mode.

This is exactly the sort of thing that gets people to start Open Source Projects, and normally I'd use this as the perfect lead-in to starting to do some work with Cocoa (which I am deeply interested in), but I have another project on the front burner right now (more about that later).

This is exactly the kind of thing that Apple excels at, making complexity accessible to users. If they can make real-time video editing, movie creation, music creation and the like as easy and accessible to users as they have, they certainly can take on a task like configuration of the firewall for both casual and advanced users in a way that will be useful for both the casual and pro crowds.

For the record, at the end of the day I located this post (which was derived from this article) and used the info to create my final firewall rule set manually with vi and some scripting. Not exactly Apple-simple, but it got the job done.

So, anyone want to make a real firewall GUI for OS X? Is this anyone else's Dream App?


Saturday, August 19, 2006

Airport Security: Meatspace Intrusion Detection

I flew last week for the first time since the "Hair-gel Bombers" news broke and greatly enjoyed the new additions to the security theater that TSA has so lovingly rolled out for the fall season. BWI had new signs up all over declaring that the threat of a terrorist attack was currently high. HIGH!! You had a good chance of having to fight terrorists to the death by getting on a plane last week, according to TSA. Enjoy your flight!

Imagine my surprise when I got home yesterday and found my 1/6th oz bottle of contact lens rewetting drops in one of the pockets of my laptop bag. I sailed through two security checkpoints with this highly dangerous contraband too, so this wasn't a one-time event. Imagine the damage I could have done if that had been filled with binary explosive liquids: I probably could have blown off a few fingers with it and suffered some temporary hearing loss.

Let's face facts, people: airport security screening lines are the physical-world equivalent of a classic intrusion detection system. We have traffic (people and luggage) and analyzers (x-ray machines, metal detectors, explosive residue detectors) which use deterministic sets (bad things: guns, knives, gel bras) to produce information continuously about things that may or may not be bad, which then must be contextualized by humans. Humans are notoriously lousy at doing this unless you can constrain the data set heavily or can somehow automate the contextualization process (like we do at Sourcefire). Guess what? The dedicated individual manning the x-ray machine has a limited life span of attentiveness when they're looking at bag after bag going by on the screen. Has anyone else noticed the ergonomic purgatory that x-ray screeners have to endure? Sit on an armless, backless stool and look up at a 20-45 degree angle at item after item sailing through the machine. How long before neck, back or shoulder pain affects the screener's attentiveness?

What are we to suppose is the duty cycle of a baggage screener in a typical American airport with a rate of data flow of 172 passengers per hour with two shoes and two carry-ons per passenger? The screener gets a whopping 5.2 seconds to pattern match for the entire set of bad things per item per passenger. I'm not taking into account the time spent in spool-up/spool-down periods for starting/stopping the belt either, so we're probably talking about half that effectively. 2.6 seconds. My laptop bag currently contains a PowerBook, Airport Express, digital camera, airplane power adapter, iPod, EVDO PCMCIA card, cell phone, two laptop batteries, 80GB portable firewire hard drive, laptop power adapter and a bag filled with various wires and other widgetry to make it all plug together. Not to mention books, pens and other business stuff. 2.6 seconds to positively identify all of that as non-dangerous. Let's be generous and call it 3 seconds. If the set of things that need to be detected (signatures) is constrained to guns, knives and bomb materials, I'd say grudgingly that a motivated screener could maintain alertness through their entire period manning the machine and have a reasonable probability of detecting the things in the set of threats. Once you extend that signature set to, well, pretty much everything that's not paper or cloth, you're going to have an analyst's nightmare, because you just did the equivalent of 'alert ip any any -> any any (msg: "Something bad may have happened!!";)' in Snort.

In an environment like this with no automated analysis tools, the analyst is quickly overwhelmed by the level of noise (false positives) they have to deal with. Once the analyst is saturated, their ability to differentiate an iPod from a brick of C4 rapidly goes to zero, the brain gives up or goes on to think about other things. If the TSA wants screeners spending time looking for every tweezer, nail clipper and bottle of contact lens cleaner, they're asking for overload of their staff and reducing its ability to be effective. In the intrusion detection world we would call what they're doing "de-tuning the sensor", they're making it detect things much more frequently by increasing the number of things that will set it off with no regard for the effect that it will have on the human analysts and no tools to help them cope with the increased information flooding them.

This problem is well known in the network security world as the "boy who cried wolf" syndrome, and it's the problem that led to network intrusion detection as a technology being discredited back in 2002-2003. The root cause of this problem was insufficiently sophisticated sensing technology that relied completely on (bored/untrained/distractable) humans to deal with staggering amounts of data to make the technology useful. We've wised up since then and built technology to address this root cause by automating the contextualization of data sets and giving the intrusion detection engines the capability to be self-tuning without the need for human intervention (well, I'm still working on that part).
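The arithmetic and the "de-tuning the sensor" argument of the last few paragraphs can be put into a small model. The following is an added example, my own toy code and not anything from the post or from Snort: a sensor that fires when any property of a screened item matches its signature set, run over a constructed bag inventory modelled on the laptop bag described above, with the post's 172 passengers per hour and four items per passenger. The item list and its property tags are constructed for illustration. It shows that widening the signature set from "guns, knives, bomb materials" to "anything metal, electronic or liquid" catches no additional threat, collapses precision, and hands the analyst an alert rate no human can keep up with; the same precision-versus-volume trade-off is what rule tuning in a network IDS is about.

```python
PASSENGERS_PER_HOUR = 172
ITEMS_PER_PASSENGER = 4  # two shoes and two carry-ons per passenger

# Constructed inventory modelled on the laptop bag described above:
# (item, properties).  Only 'weapon' and 'explosive' are real threats.
SAMPLE_ITEMS = [
    ("PowerBook", {"electronic", "metal"}),
    ("iPod", {"electronic", "metal"}),
    ("cell phone", {"electronic", "metal"}),
    ("firewire drive", {"electronic", "metal"}),
    ("power adapter", {"electronic", "metal"}),
    ("pens", {"metal"}),
    ("contact lens drops", {"liquid"}),
    ("book", {"paper"}),
    ("shoes", {"cloth"}),
    ("knife", {"metal", "weapon"}),
]
THREATS = {"weapon", "explosive"}

# A tuned sensor: fire only on the things that are actually dangerous.
NARROW_SIGNATURES = {"weapon", "explosive"}
# A de-tuned sensor: fire on anything that is not paper or cloth, the
# meatspace version of 'alert ip any any -> any any'.
BROAD_SIGNATURES = NARROW_SIGNATURES | {"metal", "electronic", "liquid"}


def seconds_per_item(passengers_per_hour=PASSENGERS_PER_HOUR,
                     items_per_passenger=ITEMS_PER_PASSENGER, belt_efficiency=1.0):
    """Screening time available per item.  belt_efficiency < 1 models the belt
    start/stop dead time that the post guesses eats about half the budget."""
    return 3600.0 * belt_efficiency / (passengers_per_hour * items_per_passenger)


def run_sensor(items, signatures):
    """The sensor fires on any item sharing at least one property with the signature set."""
    return [name for name, props in items if props & signatures]


def evaluate(items, signatures, passengers_per_hour=PASSENGERS_PER_HOUR,
             items_per_passenger=ITEMS_PER_PASSENGER):
    """Alert volume, precision and missed threats the analyst sees for a signature set."""
    flagged = run_sensor(items, signatures)
    true_hits = [name for name, props in items if props & signatures and props & THREATS]
    missed = [name for name, props in items if props & THREATS and not props & signatures]
    item_rate = passengers_per_hour * items_per_passenger
    alert_rate = item_rate * len(flagged) / len(items)  # alerts per hour, scaled from the sample mix
    return {
        "alerts": flagged,
        "missed_threats": missed,
        "precision": len(true_hits) / len(flagged) if flagged else 0.0,
        "alerts_per_hour": alert_rate,
        "seconds_per_alert": 3600.0 / alert_rate if alert_rate else float("inf"),
    }


if __name__ == "__main__":
    print(f"time budget per item: {seconds_per_item():.1f}s, "
          f"about {seconds_per_item(belt_efficiency=0.5):.1f}s after belt start/stop")
    for label, sigs in (("narrow", NARROW_SIGNATURES), ("broad", BROAD_SIGNATURES)):
        r = evaluate(SAMPLE_ITEMS, sigs)
        print(f"{label}: {len(r['alerts'])} of {len(SAMPLE_ITEMS)} items flagged, "
              f"precision {r['precision']:.0%}, {r['alerts_per_hour']:.0f} alerts/hour, "
              f"{r['seconds_per_alert']:.1f}s per alert, missed {r['missed_threats']}")
```

With this inventory the narrow set flags only the knife (one alert in ten items, roughly 69 alerts an hour and about 52 seconds of analyst time per alert), while the broad set flags eight of ten items at 12.5% precision, over 550 alerts an hour and about 6.5 seconds per alert. Neither set misses the knife, which is the point: the extra alerts bought nothing but analyst saturation.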

If we're going to increase the "number of signatures" in meatspace to include everything electronic, metal or liquid, we'd better find a way to have smart, automated contextualization of the data, otherwise we're doomed to failure and someday we'll see a report out of a newspaper or GAO office declaring "Airport Security Screening is Dead".


Tuesday, August 01, 2006

Off to London

It's 100+ degrees here in the DC area today so getting on a plane to London (with highs in the high 60's this week!) doesn't seem like such a bad thing all of a sudden...

I wrote my first Cocoa app for OS X a few months back when everyone (including me) thought Check Point was buying my company. Silly me.

The result is this nifty little program CtrlAltItsNeat. What's it do? Pretty simple, when you hit opt-cmd-delete on the keyboard, it pops up a little dialog that looks like this:

Look familiar? It should, it's essentially the same dialog that Windows pops up when you hit the ctrl-alt-delete key combo. What's the point? I hated having to move the mouse pointer down into the screen corner to do screen locks, I'm a UNIX guy and I like to use keyboard chords when possible to do simple tasks fast. Tasks like locking the screen, which is what this program does if you follow the initial chord up with the Enter key.

There are a few caveats with this program. First, it's a Universal app, so it should work on PPC and x86 Macs just fine. Second, I haven't implemented preferences yet, so you're stuck with the default hotkey chord to activate the dialog. Yes I know, lame.

I've thought of some obvious improvements that could be made, such as assigning the buttons to any app or (possibly) system function, but for what it does it works well. I'm also thinking about open sourcing it, although I'd have to talk to Sourcefire legal before I could do anything like that. For now I'm just going to post it up where people can get at it, and if I get some requests for improvements, I'll be happy to continue to release them for free for the time being.


Missing BlackHat

I was supposed to attend the BlackHat Briefings this year for the first time since 2001, but I've been called away to London unexpectedly. I haven't been able to attend since then due to its proximity to my first daughter Molly's birthday and, finally, this year the conference was moved a week and I was going to attend.

Oh well, maybe next year I can try to speak, Snort 3.0 should be worth showing off by then. Hm, maybe I should try to go to WWDC next week instead...


So, here we are...

Blogging! I've been on the fence for quite a while regarding starting my own blog but I decided it was about time to jump in since I find myself with quite a few thoughts about goings on in the circles in which I travel. So, hopefully this will be a pretty active blog and I'll keep it up to date and all of the other good things. If nothing else, it'll give me something to do when I'm on airplanes...