Open Source


The open source security debate

There's been plenty of debate over whether open source software is more or less secure than proprietary software, and it now seems to have mostly died down as people realize that "it depends" is the correct answer. The OSS camp points to Apache and other packages, and the proprietary camp points out the vast improvement in IIS.

I read a recent editorial on esecurityplanet.com that made me think more about why "it depends".

Sure enough, OSS source code is available for all the world to scrutinize. The problem, though, is that all the world doesn't do that. Take, for example, the ill-fated Sardonix project. It was a DARPA-funded project to provide a public forum for vetting OSS software and making the results available to the world. But 'build it and they will come' wasn't quite what happened. The project languished due to lack of interest and it was eventually scrapped.

Making source code available to the world does little, if anything at all, to advance the security of the software.

I think this is a poor analogy. The main reason why open source software can be considered secure is that it gets deployed and tested. I don't know anyone who has looked at the actual iptables code, but I know lots of people who will vouch that it's a great, secure firewall for lots of situations. They will do so because they have been running it and testing it for a long time and watching it get better over time.

People can say the same thing about IIS, that it has gotten much more secure. The key difference is in the economics of it. If you take snort as an example, it has a great reputation in the open source world because a large number of users - for the most part highly sophisticated technicians - used it for free and provided feedback to Martin Roesch, who was able to improve the product. He then went on to found Sourcefire to offer support services and add-ons.

What would the cost of that testing have been if it was proprietary software? It's very hard to say, but think of it this way: 5 highly qualified QA testers, plus hardware, rent, benefits etc., I would estimate at $100,000 per year each. I'm guessing that snort was out for at least 1 year before Sourcefire was founded, so that's $500,000 for product testing alone. Now add your cost of capital (assuming you can get it at all without a product, deployments and customers) at the standard VC rate of 50% per year and you're at $750,000.

That's big savings. It's valuable feedback from the best set of testers you could want. The users benefit from the use of the software. I look at it as price discrimination - or yield management. The developer is capturing the value of the feedback and testing in exchange for free software. There is a potential problem with free riders, but overall that is minimal, as the main target market will pay for support and/or add-ons if the product justifies it. It's not truly price discrimination because paying customers are paying for something else, but you get the picture.

If you need proof that the open source business model provides economic benefits, consider that the CEO of a prominent Atlanta-based OSS company has two nannies.


WiKID Strong Authentication now available as Open Source!

WiKID is pleased to announce that we've released an open source version of WiKID. We've been working on this for the last few months. We needed to replace the Ntru encryption packages we use with open source 1024-bit RSA encryption, and we needed to remove the proprietary Radius server we had embedded into the WiKID server.

Here is what we have released:

> The WiKID Strong Authentication OSS server
> A J2SE WiKID token client
> Initial validation scripts (ASP) for automating new user additions
> The windows dll network client component
> The java network client component
> Example jsp script for use writing your own WiKID protected jsp pages
> TACACS+ and Openldap network clients - with more on the way

The WiKID Strong Authentication System is a robust, flexible, scalable and secure two-factor authentication platform. Features include:

> Easy to use web-based management
> Replication for fault-tolerance
> Highly scalable architecture
> Each server supports multiple security domains pointed at different network resources
> Each client supports multiple domains - across multiple servers
> Each user can have multiple clients in different locations
> Configure passcode lifetime, PIN length, max bad PIN attempts and max bad passcode attempts by domain
> Automated user validation based on existing trusted credentials
> No hardware token required; can be run from a USB token
> Easier to use and more extensible than, yet as secure as a key fob token
> More secure and easier to implement than client certificates
> Extensible across multiple enterprises
> Perfect for web-based applications, remote access and non-employee strong authentication
> Open source, with commercial support available.

Why did we open source WiKID?
1. Passwords stink
We believe that passwords are past their prime. In order to make a dent in the password problem, we felt we needed to have an open source version that people could implement for free. Hopefully, this will make it economically worthwhile to use WiKID for some services where any cost would be prohibitive. Since a single WiKID client can support multiple relations with multiple servers, and since WiKID is simpler and more secure than passwords, we hope people will take advantage of it.
2. Open source is good
We like open source. We are especially interested in getting some good user feedback and suggestions for improving the system. Various open source projects have been compromised by trusted path attacks (as discussed here), and we think this move will help: we hope that our code will get a lot of in-depth review and that this will add to its security.
3. It is a good business move
We think there will still be an excellent market for support and automated updates, as well as for our commercial wireless clients for J2ME, Blackberry, Palm and PocketPC, which use the incredibly fast Ntru encryption. Additionally, there is a potential for partnerships with companies that want to embed the WiKID server, network clients or token clients into their applications.

We have set up www.wikidsystems.net as our open source home page and a sourceforge project page as well. If you manage multiple servers in multiple locations and use the same passwords for all of them, you should really check out WiKID. Enjoy!


WiKID Goes Open Source

Posted by Emergent Chaos at Mar 22, 2007 07:17 AM

BW on opensource in 2005

Business Week has a great round-up of their open source stories for 2005, along with predictions for '06.

Here's my favorite quote:
"It took them a long time to realize if you don't open-source and you're not a market leader, you're dead," says Peter Yared, CEO of open-source startup Active Grid and a former Sun executive.


I have one beef, which is a constant in financial reporting:
On Dec. 22 it announced stellar third-quarter earnings, with revenues up 43.6%, to $73.1 million, and profits up 114%, to 12 cents per share.

Why switch from total revenue to earnings per share? How do you find out the margins they are making? Up 114% from what? Per share? Did the number of shares increase or decrease? Argh!


Re: BW on opensource in 2005

Posted by James at Dec 29, 2005 03:06 PM
Revenue is an inaccurate measurement for open source companies since it will be lower than closed source companies who sell their product. The margin and earnings are made on support which are higher.

Re: BW on opensource in 2005

Posted by nowen at Dec 29, 2005 05:09 PM
I wouldn't say inaccurate. Their margins should be higher, but revenue growth would be a valuable metric. Even open source companies may be unprofitable for a period of time during a high-growth phase. Revenue growth would show you when they should break-even.

Picking open source winners according to ZDNet

Dana Blankenhorn has written about picking winners in open source that starts with a reference to Secretariat. I love horse racing. I spent two summers in my youth as a hot-walker in southern California for a trainer named Willard Proctor. A hot walker walks horses around in a circle, either just to get them out of the stall or to cool them down after they come off the track. It's the lowest position in the backside of any track. The best trainers still use people though and not machines. Our barn was next to Charlie Whittingham's.

Gambling is what makes racing go, and picking winners is always nice, but in reality, the best handicappers wouldn't bet on Secretariat in the Belmont. They might bet an exacta or a trifecta, but more than likely, they would stay out of the race. Many like to bet on two-year-old races where the horses are unknown, unless you go to the track in the mornings to see the work-outs. Many also hedge their bets by 'boxing' - placing multiple bets on a single race. To box an exacta, you pick the best two horses and make two exacta bets. As long as both horses come in first and second, you win the exacta.

Trainers certainly love to have a 'big horse' like Secretariat. Every year they have some horse aimed at the big stakes, but they often make more money on claiming horses. In a claiming race, the horses can be bought for the price stipulated in advance. Trainers claim horses that they think they can move up in class. If they claim a horse for $15k and move it up a class and sell it for $50k, or even better, get a stakes win for it, they make some solid money for themselves. Trainers typically get 10% of the winnings; by owning a claimer, they get a piece of the action.

So, besides enjoying writing a post about a past life (not too much horse racing in Atlanta), what's the point? (Well, it's a bit of a stretch.)

I fundamentally agree with Dana's contention that open source projects with companies behind them are good bets; after all, WiKID stands behind our open source version. But there are also plenty of ways to hedge your bets, the easiest of which is to get involved in the success of the project. You don't have to commit code. You can offer endorsements, write documentation, and participate in forums and mailing lists. Essentially, you can hedge your bets and help make a project successful - 'claim' the project.

The coming browser wars and why they will be interesting

I have been reading about how IE7 will be more secure than previous versions. My thoughts: too little too late.

Bruce Schneier has a nice wrap-up of the new security features in IE7. They are all good; unfortunately (for Microsoft) they require Vista and essentially remove the ties between IE and Windows, once again leveling the playing field for other browsers.

In the meantime, Opera and Firefox have added significant functionality, in particular, widgets and extensions. There are a number of Firefox extensions focused on increasing security. Opera has had the fewest security related bugs of any browser. Opera is adding Widgets to 9.0 and has plug-in capabilities.

The ability to add functionality via widgets and extensions will allow Opera and Firefox to rapidly add functionality, sometimes targeting the masses, sometimes smaller markets that will add up to larger markets (the so-called "long tail"). If this added functionality can be done without a corresponding loss in relative security, then IE will see a drastic drop in market share.

There is also the possibility of the market splintering. Already there are specialty browsers appearing based on the Firefox architecture. Ubrowser and Songbird are two that came to my attention just this week.


Open source Blackberry killer?

I am extremely excited about a potential open source Blackberry replacement. I have a Blackberry and I love/hate it. I love the push email, but I don't think the email client is very good. Also, I run FC4 on my work laptop, so I don't sync with my calendar or address book. We do run a BES server, but only because we had to when testing the WiKID Blackberry software token. Yet, to do that we had to run Exchange and the BES on yet another box.

I also wonder if unlimited data will be cheaper than the Blackberry service (except I can't figure that out from T-Mobile's cryptic website).

I'll post an update once I get it tested.


Summary of Identity landscape

I really need to spend more time thinking about identity and focusing on what WiKID needs to do in the identity space. You'll have an identity no matter how you authenticate, but the more you rely on your identity, the more important it becomes and the more secure it should be. But I think most of the identity players are focused on making identity easier - i.e. fewer logins.

In my research, I came across an interesting post on http://www.xmlgrrl.com that is the best round-up of the identity space I have seen in a while.

WiKID will have a couple of announcements in this general area shortly (after my vacation :). Our focus continues to be ease of use for consumer/web authentication and integration with additional applications and protocols. Once done with that, we will do some more work on the open source release.


Patents - what are they good for?

Adam has made a couple of posts about patents.

I think of patents like insurance. They are insurance against someone suing you for violating their patents: you get to countersue, and hopefully everything becomes a draw and you do a cross-licensing deal.
