Tuesday, January 29, 2013

How FLOSS Software Became More Easily Accepted at Work

This was a long time ago now, at a time when things were really starting to take off where open source / free software and the Internet collided. It was also the time that we were looking to replace our in-house built, desktop-based bug tracking system.

It wasn't great, but it did the job. Even so, I started looking at a web-based bug tracking system that just happened to be licensed under the GPL.

I understood the requirements that were on us. I knew what it meant for us to use and change the code, and I knew what our obligations were for doing so.

Even so, a few people had concerns and I wasn't able to persuade them that we were OK. I suggested that we run the license past our (very technical) legal guy: if he knew what we intended to do, he would also know what was expected of us. My theory was that if he approved the license for our use case, who could really argue differently?

The use of the GPLed software was approved and we went on our way. If the story ended there, it wouldn't be much of a story, though.

As time went on, we found ourselves gravitating to software licensed under the GPL. But why? Quite simply, we knew two things: (a) legal had approved it; and more importantly (b) because the text of the GPL is itself copyrighted and may not be changed, the very fact that legal had already approved that license meant that we didn't have to worry about fine print anymore!

All of a sudden, we didn't have to wonder "does this randomly drawn license for this particular software package allow us to do what we want?" and we didn't need to get 're-approved' to use the GPL (assuming we stayed within the parameters that we were given to begin with).

It was a weight off of our shoulders: almost overnight, we were confident that our understanding of the license requirements was correct, as we knew exactly what that license represented. We no longer had to try and understand hundreds of lines of legal terminology... we'd already done that once!

As time went on, we got a better understanding of a few more licenses (especially LGPL and MIT) and with that, we were able to make better and faster decisions about the libraries of code that we were looking at using.

It all really came down to the simple fact that because the licenses we were looking at were themselves copyrighted, any project that claimed to be using one of those licenses was not going to have some strange 'twist' in the license.

Yes, there were the odd times when a project tried to add a rider to the license, but even then we were no worse off, as legal would have had to look at it anyway.

To cut a long story short, these licenses made our lives easier because we all knew what we were able to do without ever really having to specifically analyse the license, simply because we knew that it couldn't have been modified from what we already understood.

And that made us happy.

Friday, January 11, 2013

Where's Lad Vampire and Muguito When You Need Them?

Another week, another call from "Windows IT Support" trying to get me to download some malware. I do my best to keep them on the line for a few minutes at least, but all it does is upset me, which leads to me calling them names and then fuming for a bit :)

Artists Against 419 is an awesome site that maintains a database of fake bank sites. Along with actively reaching out to the hosting companies etc., trying to get them to take the sites offline, they also used to have an application called Lad Vampire that was (I believe) replaced by another application called Muguito. These applications participated in what were called "virtual sit-ins". Basically, they continually downloaded images and so on from the websites, helping to diminish the bandwidth available to the site and therefore making it less likely that a victim would actually be able to use it.

Some people may call it a DDoS, and to be perfectly honest, I might too. It didn't stop me running it though.

After my last call with "random IT support company" I wondered: at some point in the process of them 'helping' you, there must be something downloaded from somewhere. I'm not talking about the remote access software, but the malware that is intended to run in the background.

So where is the list of the servers that are hosting these files and where's the tool to continually download them? Unfortunately I'll never have the self control to get far enough into one of those calls to find out, but I tell you right now: if there's one use of my fibre-op connection I could get behind, it's downloading that malware as often and as quickly as possible.

For what it's worth, I know that various three-letter-acronym agencies are trying to deal with these companies, but in the meantime, surely there's something else we can collectively do?