Tuesday, October 28, 2008

Does Open Source Save You Money?

I ran across an interesting question a while back on LinkedIn.  The author addresses the age old... well... at least ten year old question... does using open source software save you money?  Granted, the question is not phrased as such.  "Are enough IT departments exploring open source as a potential way to reduce costs," is the way he put it.  Reading further into the question, I find it interesting that the person treats it as a foregone conclusion that using open source software saves a company money.  It is also interesting to note the tactic of reminding everyone that times are tough.

First off, let me just say that there are definitely times to use freeware.  From what I have seen, the best places to use freeware are where the fewest people need to change how they do their jobs.  You probably can save money on your IT budget by going with a mail service provider based on freeware instead of Exchange.  As long as it all ties into your other infrastructure, who cares?  You're buying the service in this case, not the software.  As long as those services solve your problems to the same extent, go with the cheaper one.  The same goes if you are introducing a new system of a type few of your employees have used before.  Again, if the features solve your business problems better than other solutions, the learning curve is really not an issue in this case.

However, there are many myths about open source software.  It is more than arguable that using open source software does not necessarily save you money in the long run.  For that matter, open source software does not necessarily save you money on licensing costs.  Fine, I'm picking nits on this one, but open source does not mean the software costs no money to obtain.  Open source means that the source code is readable and distributed with the software.  You may do whatever you want with the source code within the limits of the license under which you obtained it.  Open source products can cost money.

Fine, that's not what many people mean when they say open source.  I understand that a good number of open source applications can be obtained free of charge under licenses such as the GNU GPL and the GNU LGPL to name a couple.  In these cases, the software really does cost less to obtain.  Today, at face value, off the shelf, without any bulk discounts, the most expensive version of Microsoft Office costs $680 per license.  Ouch.  That alone would scare many people into feeling like they should start looking for a zero dollar solution.  

So they download some freeware, spend some time installing it and turn it loose on their employees.  Depending on the size of your company, creating new images and installing the software on existing computers will start costing you the money you would have spent on licenses.  How many hours will it take for the workers to get up to speed?  How much do those employees make per hour?  Even after they learn the new software over a few days (at best), people will still lose time every day for quite a while until they grok the ins and outs of the new software the same as the old.  Not only that, but the long-term, small frustrations will add up even if only subconsciously and can affect overall productivity. 

What do you do when software breaks?  If your paid license includes some level of support, and most do, you can just call the experts at the company that wrote your software.  If not, well...  Sure, there are people that support open source solutions.  Those services are not free.  Hard to believe, I know.  Such services really do exist and some are really good at what they do; they are just not as abundant, or it can be hard separating the wheat from the chaff.  This means you spend more time finding and evaluating them.  If you are afraid of losing them because they were so hard to find, you may also end up paying them more.  And that cost is usually an ongoing fee or salary instead of the one-time cost of a license.

Why aren't there that many people out there to support your open source package?  Part of it is just inertia.  Not as many people know it, so not as many people use it, so not as many people learn it, etc., etc.  Maybe the world will get past this someday, but it is powerful.  Another reason though is that open source projects are notoriously prone to forking.  People can only specialize in so many pieces of software.

Let's take a look at that forking issue from another angle.  How sure are you that the next versions of all of your open source applications, the ones that finally have those much needed features, are going to work with the next version of your operating system when there are so many application-OS permutations that need to be tested?  I still don't entirely trust that any of my software will work on any given future version of the Apple operating system and only one company was ever working on each of those.  I'll stick with the relatively few companies whose software will most likely work on the next operating system they put out until they let me down, thanks.

When it comes down to it, open source products really only have one guaranteed strategic business advantage over proprietary software.  If they don't work for you, you can make them work.  You have all of the code and you can make them do whatever you want so they will play nice with all of your other software.  If your business needs this sort of flexibility and has the resources (notice the concept of total cost rearing its head again) open source is the way to go.

In general, I think it is important to be honest about all of the costs and pain points you are addressing when considering a software package.  If open source really addresses the most issues, by all means, use it and be happy with it.  But if you are just trying to get some freeware to save money up front, remember that all those other little pains that you leave unsolved for your company and your individual employees add up a lot faster than the price of software.

Built On More Technology

I have seen comments by other developers claiming ASP.NET is not a good technology because, "It abstracts reality away from you and produces troves of developers who don't understand the basics of a simple form post."  It cannot be argued that ASP.NET helps abstract away some of the aspects of the technologies it is built on. It is also true that many developers that begin their careers by learning ASP.NET might never fully understand the technologies that it is built on top of.  But I would not say that the ASP.NET technology "sucks" because of this.

Building easier to use abstractions on top of older systems is more or less how computers and software have improved in their short history so far.  Third generation languages are built on top of assembly languages and those are built on top of machine code.  The machine code runs on computers that are made of enough components that are changing frequently enough that many developers don't know how to put a computer together.  Even people that build their own computers would be hard pressed to fully understand the inner workings of each of those components let alone be able to manufacture or even just modify one of them.  Or take a look at the web and how popular JavaScript libraries are that abstract away the differences between the various web browsers.

Hiding lower level abstractions makes writing software more accessible to more people.  When more people are able to use technologies, they are able to solve larger problems for less.  Isn't that the purpose of technology?  Isn't this how progress is made?  I'm sorry that the old skills are not in as much demand, but that is the nature of computers.  I was told many times in school that as a developer, it would be necessary to constantly be learning in order to keep up with the systems I would be building software on.  You either need to take that to heart or relegate yourself to being a master of older and less used technologies as time goes on.

Just because developing is easier for more people, though, knowledge of the lower-level systems is by no means useless.  No abstraction is perfect and when they break, some of the gory details of the lower levels are exposed for all to see.  Having knowledge of those lower levels allows a developer to fix those problems or work around them when they occur.  People that haven't worked with the lower level technologies will need to scour the internet for the information needed to understand what is happening and then develop a solution.  In the end that is simply the difference between an experienced developer and a junior developer.  That is the reason why experienced developers are paid more money.

To the experienced developers that say that this situation "sucks" I say that it is part of your job to enlighten the less knowledgeable.  To those that don't  see the need to learn new technologies I would say that you don't need to as long as you don't mind being pigeonholed into technologies that will be used less and less as time goes on.  Even though abstractions can leak for a while, the holes tend to get filled eventually and you will probably need to learn something new.  

Earlier I stated that for the most part, computers have largely improved by building new technologies on top of old.  When progress is instead made by recreating  those systems from the ground up, developers will have even more skills that they will need to relearn. To me these complaints seem to indicate people that prefer the status quo for fear of having to learn new tools as technology changes.

Friday, October 24, 2008

Cloud Security

The biggest legitimate concerns I can think of for using applications hosted outside of the corporate infrastructure are integration, privacy and security.  Integration points might not be there yet, but they probably will be.  Getting locked in to any one service is not a great selling point.  As far as I can tell, privacy is mostly an issue that will take time for our legal systems to catch up with, if they ever do.  But the one that I just had an interesting thought about is security.

In general, a hosted service should probably be able to handle security better than an individual company.  They hold the data for all of their customers and their data centers will end up being huge, storage wise anyway.  They need to understand security and spend the resources on it to make sure it is up to the task.  But even large companies these days that know they need to have secure systems fail at this from time to time.  I tend to just start forgetting about the last 130,000 social security numbers that were leaked when news of a shipment of untold numbers of credit card records disappears.

I was reflecting about how one reason why there are so many known security vulnerabilities in Microsoft products is because that is where people look for them because there are more computers to take advantage of those flaws on.  If more people used Macs, the world would be trying to break into OSX.  And don't kid yourself, viruses do exist for the Mac.  The Mac may really be more secure making it harder to find the flaws.  But as more people start using them, the viruses and other attacks will follow.  It reminds me of the Willie Sutton (mis)quote, "...because that's where the money is."

I also had been reading a bit about cloud computing and I thought to myself, "Boy, won't all that centralized data be a tempting target."  Don't get me wrong, I know that such services will have far fewer security vulnerabilities than the average business network.  But it only takes one flaw in your system found by one person of the many that will likely be heavily scrutinizing your network to bring it down.

But I'm not saying that I feel this is a significant enough concern right now to keep me from using such services.  The flip side of that logic is that small networks won't get hacked as often simply because they will not be the focus of much attention.  To my nose, that just reeks of the security through obscurity principle.  It only takes one flaw out of the many your system might have to be found by the single person that happens to take a passing interest in your network to bring it down.

Most modern security practices make it unlikely that the whole system of a company so heavily invested in data and security would be disrupted, damaged or compromised all at once.  But every now and then a SQL Slammer is created that can affect computers across a system even as large as the internet.  Are the ingredients for such a fiasco likely to be present at the same time?  Not at all.  But let's just say that, if those circumstances should arise, the fallout of the first data service to get royally hacked could be spectacular. 

It was just a thought I had.

Thursday, October 23, 2008

Genuine Advantage

If many hundreds of thousands of other people had not already done so, I would be more than willing to be the first person to admit that the advantage in Microsoft's Genuine Advantage program is almost entirely Microsoft's.  Oh, Microsoft can try to spin the moniker in such a way that there is a huge advantage to each and every user knowing that their own copy of Windows is really, really licensed by Microsoft.  But even I know that the real advantage of the program is that Microsoft gets to try and collect more of the license fees that they are owed.

I will also admit that the best approach to take may not be to temporarily disable a user's computer as a result of a first time failure when the Genuine Advantage tool is run on a computer.  Effectively shutting down the OS in such cases does not build the best relationships with customers.  However, it is a right that they have.  If you use Windows on your computer, you have an agreement with Microsoft that you will abide by the licensing terms that come with their software.  If they feel the best results in preventing pirated copies of Windows are gained by blanking the screen of computers running illegal copies, it is their prerogative.  I can't say I necessarily agree with the business logic, but I would guess they have spent more time thinking about it than I have.

Recently, strong emotions are rising again in response to the latest changes in how the Genuine Advantage software enforces licensing.  I just don't happen to agree with most of the people voicing their opinions.  "Why is Microsoft automatically connected to my computer?  The computer is mine!"  When it comes down to it, Microsoft is not automatically connected to your computer.  You made the decision to buy a computer with Microsoft software on it.  Microsoft would not be connected at all if you bought an Apple or installed any one of the flavors of 'nix.  When you use Microsoft software, you are subject to the terms of their licenses and one of the terms of using their software updater is that you must have a legitimate copy of Windows and run Genuine Advantage to verify it.

"Microsoft has no right to control my hardware without my agreement." Um, now that you mention it, that is the exact purpose of an operating system and software, to make the hardware do useful things.  You agreed to let the software control the hardware when you bought the computer or installed the operating system.  You don't seem to mind that Microsoft is controlling your hardware when your business tools, internet applications and games are all working.  That may be a bit flip, but if you don't take the time to verify you are running a legitimate copy of Windows, why should that software perform its job for you?  Countless pieces of software in the world shut themselves down if they are not bought in a certain amount of time.  What gives users the right to expect anything different from Windows?

"If the price of genuine software was lower than the fake one, who would buy the fake one?"  The total cost of copying an operating system, even one that needs to be modified in order to work without a license, is such a small fraction of a percentage of creating the operating system in the first place that to match the monetary price of a fake, the OS would need to be given away for free.  Some organizations do just that.  If you want a free operating system, feel free to download any one of the many that are available.  Unfortunately there are many reasons why Microsoft cannot give away their operating system at the moment.

"If, when I am programming, the computer screen goes black, that will probably cause some important information to be lost.  Who will pay me for my loss then?"  I had a few different responses to this one.  As a professional developer writing my own software, I feel this person can't be a very good programmer if when his computer stops, he loses a lot of work.  He should save early and often, use source control, make backups, have a disaster recovery plan, etc., etc.  Microsoft should be the least of your worries when it comes to losing work.  On a less critical note, the speaker may be expecting the software to issue a warning, give the user a chance to save and then slowly start reducing functionality.  This goes back to the argument that blanking the screen might not be the best approach for dealing with users that came by their unlicensed version of Windows unwittingly.  Taken yet another way, the statement could possibly be the most hypocritical I have seen on this topic.  A programmer expecting to be paid for his time and work complaining that another software company cannot take measures to ensure that they receive what is due to them.

There are even some lawyers that want to get something out of this.  A surprise, I know.  I also know that not all lawyers are greedy and evil, but hey, it's the stereotype.  "[Microsoft is the] biggest hacker in China with its intrusion into users' computer systems without their agreement or any judicial authority...  Microsoft's measure will cause serious functional damage to users' computers and, according to China's criminal law, the company can stand accused of breaching and hacking into computer systems."  Microsoft is not hacking into your computer.  You installed the software or bought the computer of your own free will.  The software was already there, it did not need to be hacked.  Furthermore, Microsoft is not damaging the computer in any way whatsoever, they are just making Windows show a black screen.  You can buy a legitimate copy of Windows and install it or you can uninstall Windows and install another operating system and your computer will continue to work fine.

Many better informed individuals do understand that Microsoft does have the right to protect its intellectual property, but they feel that such tactics can harm users who turn out to be the victims of less scrupulous resellers offering fakes disguised as originals.  To this they say that Microsoft should be going after the distributors.  And while I agree, it seems naive to expect Microsoft to be able to do this without the end user's help.  And evidently users are not helping or else the problem would not be so rampant in parts of the world that Microsoft feels the need to resort to such tactics.

On a day when my belief in the general good nature of people is at a low, I would say that all of these arguments are flimsy justifications from people that deep down are just trying to get something for nothing.  Like it or not, Microsoft is in the operating system business and so they charge money for their product.  There are many discussions that can be had about whether or not paying for operating systems at all is a concept past its time.  But for now, if you want to gain the benefits of using the operating system that has the largest ecosystem of supported hardware, software publishers and users; legally obtaining the licenses to do so requires that you pay for them.

On a good day, I see these reactions coming from people that are ignorant of how computers work, ignorant of where their software came from, or ignorant of how to fix the problem.  But even on a good day, I sense these people don't seem to care to become knowledgeable.  Microsoft does try to inform people in less invasive ways that give you a chance to fix the problem before the operating system is rendered useless.  When an activation key is mistyped, Windows shows links to information.  A simple Google search quickly lands you on the Genuine Advantage website.  The Genuine Advantage tool gives more information before it even runs.  All of these places contain information with straightforward instructions on how to test your OS and what to do if that test fails.  Despite all of this information, people would rather blame Microsoft than take responsibility for their lack of information, their choice in software or their choice in computer vendors.

Thanks to Reuters for the original story.

Saturday, October 18, 2008

Wisdom of the Crowds in the Enterprise

People have been talking a lot lately about Enterprise 2.0. Heck, people have been talking about Enterprise 3.0 and we haven't even taken advantage of 2.0 yet. And I don't know if we ever fully will. When people talk about Web 2.0 features, I see them fall into two broad categories: technology and social design.

On the technology side of Web 2.0 we have AJAX and RIA frameworks. These new tools have allowed designers and developers to create much more inviting, intuitive and responsive web applications. While they may have been around in some form or another before Web 2.0 they first started catching on at the same time as the social features of Web 2.0. That's mostly just a timing issue. The new technologies would have caught on eventually, but the idea of social networking just happened to come about at the same time. The technologies are spreading through enterprise applications now and have been for a few years, but what about the social aspects?

When I first start thinking about the social aspects of public web sites, I think about the specific features. There is tagging to organize data. There are the communication mediums of blogs, comments on everyone and everything. You can rate the content to let others know if you like it. Most important is that by using those features together the group will benefit as a whole by identifying the best content available and making it better. Tagging allows other people to find content faster. Comments, blogs and other communication convey new ideas to others on how to improve existing and new content and allow anyone in the community to create content. Ratings tell other people which content is worthwhile and which can be ignored. We use the wisdom of other people to create better content for our communities which attracts more people to those communities. Wash, rinse, repeat.

Most of us knew that already and, yes, some of the ideas of social networking have made it into enterprise applications. Tagging is a better way of organizing information. Blogging has helped many companies become more transparent. Even ratings have been introduced to try to help organize business information. And while the systems have been implemented, I have found more often than not, they are nowhere near as effective as the same features in public facing web sites. The truth is that those systems in the enterprise are not benefiting from the wisdom of the crowds anywhere near as much as the same features in the wild. What I have seen is that policies or habits of the work place prevent workers from taking advantage of 2.0 features.

The reasons are many. One is that only authorized people should be allowed to make changes because that is their job. Another is that employees don't feel that their work should be rated and visible to all. Some companies have policies geared to keep clients ignorant of the deals they each get so as to maximize sales. They go on and on but the commonality is that barriers are built up that keep the crowds from convening.

Maybe the problem is that businesses just aren't ready to be transparent. Companies try to maximize their sales by not publishing information so they can segment their clients. But the crowds will only gather when as much information as possible is available for clients to speak about. I find it naive to think that a company can keep people that ignorant in this day and age. The worst case will be that the crowd forms anyway outside of the watchful eye of the company that is the focus for the group.

Individuals and environments inside the companies also need to change. When employees are more worried about how their poor performance will be judged instead of jumping at the chance to receive feedback, improve their work, and then shine, I can only think that either people are lazy or that the corporate atmosphere is just all wrong. Maybe they are one and the same. If you are only hiring lazy people, it may be time to raise the bar just a little. Lower performing people are not necessarily bad to have; people that do not improve are.

And that is the real problem. Companies need to change to take advantage of these technologies. Where the bottom line is concerned, I don't know that a change will necessarily be better than the old ways of running companies. But I suspect it will be; look at where the old way has gotten us. I also have a strong suspicion that a half and half approach will yield the worst results. Community tools without communities seem to have the same problem as healthy cupcakes to me.

Friday, October 3, 2008

Reading ClientConfig values in Silverlight

This turns out to not be too difficult.  It's just a bit nonobvious since there are no configuration reading classes included in the Silverlight runtime as there are in the full CLR.  Since I have seen the question posted from time to time, I figured I would explain why you might need to do this and how it is done.

While writing our new Silverlight application, we ran into a problem with authentication.  I have a whole other blog post about that, but one of the issues that needed to be resolved was how to read the WCF service addresses from the client configuration file.  The solution to our authentication problem required that we instantiate our service clients with the constructor overload that accepts a ChannelBinding and an EndpointAddress.  Since we needed to provide the address as a string to the EndpointAddress constructor, we needed a way to read the values from the configuration file.

The approach requires just a few short lines of code.

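    // At the top of the file:
    // using System; using System.Linq; using System.ServiceModel;
    // using System.Windows; using System.Xml.Linq;

    private static EndpointAddress ReadAddress(string contract)
    {
        EndpointAddress result = null;

        // The config file is packaged with the application, so load it as a resource.
        var streamInfo = Application.GetResourceStream(new Uri("ServiceReferences.ClientConfig", UriKind.Relative));
        if (null == streamInfo)
            throw new InvalidOperationException("ServiceReferences.ClientConfig was not found.");

        var config = XDocument.Load(streamInfo.Stream);

        // Casting an attribute to string yields null instead of throwing when
        // the attribute is missing, so incomplete <endpoint> elements are skipped.
        var endpoints = from endpoint in config.Descendants("endpoint")
                        where (string)endpoint.Attribute("contract") == contract
                              && endpoint.Attribute("address") != null
                        select new { Address = endpoint.Attribute("address").Value };

        // If several endpoints share the contract, the last one wins.
        foreach (var endpoint in endpoints)
            result = new EndpointAddress(endpoint.Address);

        if (null == result)
            throw new InvalidOperationException(string.Format("Cannot create endpoint for contract {0}.", contract));

        return result;
    }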

Obviously, you can change the file name and create your own settings files, and the LINQ query can be tailored to any XML schema you come up with.  This piece of code specifically extracts an endpoint address from the ServiceReferences.ClientConfig file.  We wrapped this method in a factory that is used to create all of our message level authenticated service clients.  We also cache the values so that we only read them from the file the first time.
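
The caching mentioned above could look like the following. This is an added example, not the factory from the original project: the class name EndpointAddressCache and its Parse, Get and Load members are hypothetical. It reads ServiceReferences.ClientConfig once and keeps a contract-to-address map for later lookups.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.Windows;
using System.Xml.Linq;

// Hypothetical helper: name and shape are assumptions for illustration.
public static class EndpointAddressCache
{
    private static readonly object Sync = new object();

    // contract name -> address string; null until the first lookup.
    private static Dictionary<string, string> addresses;

    // Builds the map from every <endpoint> element. Kept separate from the
    // resource access so it can be exercised with an in-memory XDocument.
    public static Dictionary<string, string> Parse(XDocument config)
    {
        var map = new Dictionary<string, string>(StringComparer.Ordinal);

        foreach (var endpoint in config.Descendants("endpoint"))
        {
            // The string cast returns null when the attribute is absent.
            var contract = (string)endpoint.Attribute("contract");
            var address = (string)endpoint.Attribute("address");

            // Skip incomplete entries instead of failing on a null attribute.
            if (string.IsNullOrEmpty(contract) || string.IsNullOrEmpty(address))
                continue;

            // Last match wins, the same behavior as ReadAddress.
            map[contract] = address;
        }

        return map;
    }

    // Returns the address for a contract, reading the file only on first use.
    public static EndpointAddress Get(string contract)
    {
        if (contract == null)
            throw new ArgumentNullException("contract");

        lock (Sync)
        {
            if (addresses == null)
                addresses = Load();

            string address;
            if (!addresses.TryGetValue(contract, out address))
                throw new InvalidOperationException(
                    string.Format("Cannot create endpoint for contract {0}.", contract));

            return new EndpointAddress(address);
        }
    }

    // The same resource lookup ReadAddress uses, performed once.
    private static Dictionary<string, string> Load()
    {
        var streamInfo = Application.GetResourceStream(
            new Uri("ServiceReferences.ClientConfig", UriKind.Relative));

        if (streamInfo == null)
            throw new InvalidOperationException(
                "ServiceReferences.ClientConfig was not found.");

        using (var stream = streamInfo.Stream)
        {
            return Parse(XDocument.Load(stream));
        }
    }
}
```

The lock covers the first load so that two callers racing on startup do not both parse the file.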