FBI official: No immediate changes to encryption policy under Trump – The Hill

Donald Trump's White House has discussed encryption policy with the FBI, a bureau official indicated Wednesday.

James Baker, the FBI's general counsel, said he is unaware of any planned changes on encryption policy under the new administration.

"There have been some discussions, obviously, about this," he said at an encryption policy event in Washington, D.C.

"It is a big topic and one that people have discussed," he continued. "I am not aware of any policy change or even a determination at this point in time, given how soon we are into the new administration."

Encryption is a hot-button issue in the ongoing debate about privacy and the federal government's access to secured communications. While the use of encryption is broadly recognized as important to privacy and cybersecurity, it has created problems for federal investigators as they pursue criminal and counterterrorism cases.

The issue took center stage last year in the legal fight between Apple and the FBI as the bureau fought to access an iPhone used by one of the attackers in the San Bernardino, Calif., shooting in December 2015.

At the time, Trump argued that Apple should have aided the bureau in accessing the phone, calling for a boycott of the technology company until it did so.

Ultimately, the FBI paid professional hackers to break into the device.

The use of encrypted messaging apps has risen in recent years, as fears over hacking have compounded.

Baker spoke alongside software and legal experts at an event on the burdens placed on law enforcement by encryption, hosted by the Center for Strategic and International Studies on Wednesday afternoon.

The panelists agreed that the new administration and Congress will likely take up the issue of encryption and other matters related to law enforcement's access to data.

"I think this will be on the agenda for discussion," said Victoria Espinel, a former government official and president and CEO of BSA | The Software Alliance.

"I hope it's not on the agenda for discussion because of some horrible event that propels it forward."


Encryption Without Compromise – ISBuzz News

Over the past decade, organisations across every vertical market have attempted a wary balance between regulatory compliance and business agility. Yet with the arrival of the General Data Protection Regulation (GDPR) set to raise the bar yet again in 2018, how can organisations navigate ever more onerous regulatory requirements and penalties for failure to comply, escalating security risks, and dispersed and diverse infrastructure models, and still achieve operational performance objectives?

Given evolving regulatory demands and the threat landscape, securing data in motion, especially across Wide Area Networks (WANs), is clearly essential. But when traditional encryption has fundamentally compromised both network performance and essential troubleshooting, once again security and agility are in conflict.

Paul German, CEO of Certes Networks, explains the role stealth encryption is playing in delivering data security without operational compromise.

Encryption Imperative

In this increasingly regulated environment, encryption is, or should be, a fundamental component of the defence-in-depth security model. Whilst organisations globally have been wrestling with the escalating security demands created in a continually evolving cyber threat landscape, the introduction in 2018 of the GDPR radically extends the business implication of any data breach. After May 2018, not only must a company inform all affected by the security breach, as well as the Information Commissioner's Office, within 72 hours, but the fines can be up to €20 million or 4% of global revenues. There is a very real risk that a data breach could lead to company failure.

Given the growing acceptance that breach is a "when, not if" event, organisations have evolved beyond perimeter-only security models to increasingly lock down data both at rest and in motion. Yet data encryption has had a chequered history. Whilst in theory the ability to make all information unintelligible, unusable and valueless to hackers and thieves is clearly compelling, the challenges associated with deploying, maintaining and managing encryption technologies have deterred and inhibited many organisations.

The key problem is the way in which encryption has been deployed to date. Traditionally an organisation's infrastructure is broken down into seven layers following the Open Systems Interconnection model (OSI model), from the Physical (Layer 1) through to Application (Layer 7). The usual technique of adding encryption at Layer 2 (Data Link) and Layer 3 (Network) essentially means asking routers and switches to undertake an additional and demanding task.

The result is not only drastically compromised network performance but also significant management and troubleshooting issues, often bad enough to drive organisations to switch off the encryption solution. In addition, as soon as Layer 2 and Layer 3 encryption is switched on, the organisation is completely blind to the traffic going across the network: it is not just the data that is encrypted but the file headers and network packets. The only option, therefore, when the application team needs to investigate performance problems is to switch off encryption, creating additional risk and leading to a security/operations stand-off.

Layer 4 Encryption

The answer to the continued friction between operational goals and security imperatives is to decouple encryption from the infrastructure completely. Rather than being embedded in routers, switches or firewalls, Layer 4 encryption technology is completely separate from the underlying infrastructure. By creating an overlay solution that is dedicated to providing the level of trust for data in motion and applications moving across the infrastructure, this model avoids any impact on network performance and complexity. Furthermore, Layer 4 operates in stealth mode: it is only the data payload that is encrypted, not the entire network data packet.

This approach has two essential benefits. Firstly, a hacker who cannot see that encryption has been turned on (because the file headers are not encrypted) will have no idea whether the data is sensitive or not; it all looks like worthless data, malformed and of no use. Secondly, if the organisation needs to troubleshoot, key information such as source/destination ports and IP address information is still visible, enabling investigation and remedial work to be undertaken whilst the encryption is still turned on. All of the complex management and maintenance problems created by Layer 2 and Layer 3 encryption are removed. The data in motion is secure without adding complexity or compromising operational performance of the infrastructure.
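The troubleshooting point above can be seen from a monitoring tool's side. The following is an added example, not code from the article or from Certes Networks: it builds two constructed packets, one with only the payload opaque and one wrapped in IPsec ESP tunnel mode (an assumed stand-in for the Layer 3 case, since the article names no protocol), and shows what flow information a parser can still recover from each. All addresses, ports and the `OPAQUE` bytes are constructed sample values.

```python
import socket
import struct

ESP, TCP, UDP = 50, 6, 17  # IANA IP protocol numbers

# Constructed stand-in for ciphertext. No real cipher is needed here: the
# example is about which header fields stay readable, not about the cipher.
OPAQUE = bytes((i * 73 + 41) % 256 for i in range(64))


def ipv4_header(src, dst, proto, body_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 in this sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header: data offset 5 words, PSH+ACK flags."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18,
                       65535, 0, 0)


def payload_only_packet():
    """Layer 4 style: IP and TCP headers in clear, payload opaque."""
    body = tcp_header(49152, 443) + OPAQUE
    return ipv4_header("10.1.0.20", "10.2.0.30", TCP, len(body)) + body


def tunnel_packet():
    """Layer 3 style (assumed: ESP tunnel mode). The outer header carries
    gateway addresses; the inner IP and TCP headers are inside the
    ciphertext that follows the ESP SPI and sequence number."""
    body = struct.pack("!II", 0x1000, 1) + OPAQUE + OPAQUE
    return ipv4_header("192.0.2.1", "198.51.100.1", ESP, len(body)) + body


def flow_view(packet):
    """Return the flow fields a monitor can read without any keys."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]
    view = {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "proto": proto,
        "src_port": None,   # stays None when the transport header is hidden
        "dst_port": None,
    }
    if proto in (TCP, UDP) and len(packet) >= ihl + 4:
        view["src_port"], view["dst_port"] = struct.unpack(
            "!HH", packet[ihl:ihl + 4])
    return view


if __name__ == "__main__":
    for name, pkt in (("payload-only", payload_only_packet()),
                      ("tunnel", tunnel_packet())):
        print(name, flow_view(pkt))
```

In the payload-only case the monitor still sees the real endpoints and port 443; in the tunnel case it sees only the two gateway addresses and protocol 50.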

Layer 4 encryption also overcomes the problems created by application vendors opting to introduce third-party encryption solutions into applications to create a secure connection between clients and servers. While the theory was great, security threats such as Heartbleed and Poodle, which compromised sessions, threw application vendors into a spin. The challenge of getting the third party to fix the problem, then update the application, download a patch and ensure customers have applied that patch across their estate is huge, leaving many applications still unpatched years later. Creating a Layer 4 encryption overlay ensures that application data is secure and resolves the software provider's security challenges. Indeed, even if the application encryption has been updated, adding Layer 4 encryption creates a double encryption model that ensures that whatever may happen in the future to compromise the application (a Heartbleed Mark 2), the organisation will be secure.

Zero Trust Model

The additional benefit of decoupling encryption from the infrastructure is that it supports the zero trust model that is gaining growing support across the security industry in response to the ever-changing threat landscape. While it may appear logical to assume all "owned" infrastructure, from data centres to branch offices and LANs to private WANs, is under the organisation's control and hence secure, in practice the reality is very different.

Firstly, the vast majority of data breaches now occur as a result of compromised user credentials providing a hacker with direct access to that trusted network. Secondly, the concept of a private WAN is flawed: private WAN services are typically multiple organisations' connections delivered over a single shared managed service network using simple labels to separate customer traffic. Unfortunately, simple misconfigurations can result in the networks of two or more organisations becoming merged, at which point secure data is not only open to the service provider but also at the mercy of that organisation's security posture, or lack of it. That "owned" infrastructure is neither under the organisation's control nor secure.

What value is a Service Level Agreement with a service provider when the organisation has been breached, the regulator is set to impose huge fines and customer confidence has plummeted? Passing the baton of security over to a third party without truly understanding and then mitigating that risk is a mistake. The only way to ensure that an organisation's data is secure is to encrypt it before it hits the WAN: if the data does fall into the wrong hands, it is of absolutely no use at all.

Conclusion

This is the fundamental concept that organisations need to understand: trust nothing, secure everything. By adopting a zero trust model and accepting an inherent risk of breach, organisations can take a far more proactive approach to securing data across the entire infrastructure.

Adding Layer 4 Stealth encryption not only secures critical data and underpins compliance with regulations including GDPR but it does so without compromising network performance or operational agility.


Microsoft to offer patent protection for Azure customers using open source software – OnMSFT (blog)

Microsoft wants to help fight legal claims against intellectual property (IP) in the cloud, according to its most recent announcement. With the rise of patent litigations pushing against Azure (and alternative cloud) customers, the tech giant is beginning to push back with a new initiative to fight these claims.

The Microsoft Azure IP Advantage program will encourage a focus on digital expansion and development, according to the Microsoft blog posted today.

1) Our best-in-industry intellectual property protection with uncapped indemnification coverage will now also cover any open source technology that powers Microsoft Azure services, such as Hadoop used for Azure HD Insight.

2) We will make 10,000 Microsoft patents available to customers that use Azure services for the sole purpose of enabling them to better defend themselves against patent lawsuits against their services that run on top of Azure. These patents are broadly representative of Microsoft's overall patent portfolio and are the result of years of cutting-edge innovation by our best engineers around the world.

3) We are pledging to Azure customers that if Microsoft transfers patents in the future to non-practicing entities, they can never be asserted against them. We do not have a practice of making such transfers, but we have learned that this is an extra protection that many customers value.

Bloomberg Technology reports that Microsoft President and Chief Legal Officer Brad Smith describes the new program as "creating a patent umbrella and we let our customers stand underneath it." Quite a big umbrella if the tech giant's claim of 60,000 patents total is to be believed. But they are only offering 10,000.

Microsoft has offered patent protection for its own technologies already, but this new initiative adds open source protections, as well.

Since this type of initiative is incredibly new to the cloud computing market, Microsoft is taking a step out of the comfort zone. Maybe it will even dissuade the increase of IP claims in the future. One thing is for certain, however, and that is that Azure is now offering a service that no other cloud provider offers. Yet.


Open source users: It’s time for extreme vetting | CIO – CIO

Open source software is the norm these days rather than the exception. The code is being written in high volumes and turning up in critical applications. While having this code available can offer big benefits, users also must be wary of issues the code can present and implement proper vetting.

Josh Bressers, cybersecurity strategist at Red Hat, emphasized this point during a recent talk with InfoWorld Editor at Large Paul Krill.

InfoWorld: Why is Red Hat getting on the soapbox about open source security?

Bressers: We've been on this soapbox for a long time. Fundamentally, there's a supply chain with software. In the past, you've not really thought of software using the supply chain concept. [In the past, it was thought of as] some dude writes software, and that's how it is. We're realizing now that there are vendors, and vendors provide you with a thing that goes into your product and obviously it's designed in a way that with a supply chain if you use low-quality parts, by definition, you're only going to get a low-quality product out the other side.

I think we're starting to recognize that if you're just grabbing any piece of software you find from a commercial vendor or from the open-source community and you don't know what it is or it's not vetted and you don't know the quality, you put your final product's quality at risk.... You have developers going out to GitHub, going out to Stack Overflow, and they are downloading code. They're not necessarily paying attention to what they're getting and how it's being taken care of.

Open source won. It won because it's used everywhere now. But now we have a supply chain problem we need to start thinking about and that is, where did you get it and how is it being taken care of, because software doesn't age well. This is something that you have to take care of and you have to pay attention to. You can't just pull software into your project and you're done.

InfoWorld: Where do you go from here?

Bressers: Fundamentally, what it comes down to is you need to understand where your software came from, which means in the open source context, you have to think of open source as a third-party vendor, which means who's paying attention to it? From an organizational perspective, you need either a team paying attention and taking care of this, or you need to find a vendor to work with who will be your representative here and will do all the heavy lifting in terms of vetting the software, understanding what's good, what's bad, keeping it updated, making sure you understand what that means.

That's the piece that's missing today. There's lots of organizations that have developers that will go out, find what they need in the open source universe, pull it in, and then they don't think about it a second time. Obviously, if you do that, if you never update this stuff, eventually there's going to be some sort of problem that you have to deal with in the software. Think of something like Heartbleed. It's a great example where people had literally just pulled this OpenSSL version into their applications, and a lot of them didn't even realize it was there.

InfoWorld: So what do you do about this situation?

Red Hat: I can tell you what Red Hat does, and every organization will be different. We have a team that's dedicated to paying attention to the open source universe, and they watch for security issues. This is where open source is unique compared to some of the third-party, typical software vendors, we could say, is there's a very understood relationship there where essentially they have a product, you pay them for the product, and the expectation is they will maintain it and you will go to them for help and support. In open source, it doesn't exactly work like that. You have two choices.

Number one is you go to a vendor that specializes in essentially productizing open source. [That is] the traditional software vendor relationship. However, there's the alternative option now where you can actually treat open source as your vendor, but it doesn't work in the same way now because you have to pay attention to the community and you probably have to get involved.

I would say if you have an organization that's concerned about this and they are using open source, they need people in-house who can work with the community, who can understand what's being used, and then they can engage at the appropriate level depending upon what's being used. The other side of this coin is you have to make sure that your developers aren't just pulling any random piece of stuff they find. You have to actually have a vetting process to ensure that the software you're using is accounted for so there are no surprises. [And] it has to be high-quality.

InfoWorld: What kind of vetting do you do of the Linux kernel?

Bressers: At Red Hat, obviously, we're known for Red Hat Enterprise Linux but even Red Hat Enterprise Linux is literally hundreds of other open source components put together. It's not just the Linux kernel. The Linux kernel is a big piece of it. Granted, a very important piece. Even though we have tons of kernel expertise, we still have people who focus on the security of the Linux kernel and making sure that we understand what's going on in these kernels: Does this stuff make sense, what are the security issues that we're seeing? What do we do with them, how do we fix them, what's going on?

Heartbleed affected the OpenSSL library, and that was included in Red Hat Enterprise Linux, but we also included it in some of our middleware products, for example, for shipping web servers. We had various other products that used the OpenSSL from Red Hat Enterprise Linux embedded into their own product like an image that could ship them. We pay attention to all of these pieces, and we have teams dedicated to just paying attention to this stuff to make sure that we're using good software that's being vetted.

InfoWorld: What processes do you use at Red Hat, and what do you recommend for others?

Bressers: This is going to depend on team size, maturity level and just talent to some degree. We fuzz-test certain libraries and applications inside Red Hat. We do automated source code scanning. We do some level of manual scanning. We have a bunch of internal tools that will look at the artifacts that we build, which are making sure we're not making obvious mistakes or making sure that, for example, when you have an RPM package that installs the application or library onto the system, is it putting things in places that make sense? We have dedicated build systems so we understand what's being built, how it's being built.

InfoWorld: Would you say open source software today is more secure than it was five years ago? Is it more secure than proprietary software?

Bressers: Open source is not more secure than proprietary software nor is it less secure. The concept of proprietary software doesn't really exist anymore because virtually every organization has open source inside of the products they're building.

You also asked, is open source more secure today than it was five years ago? There isn't good information on this, necessarily. I would hesitate to say we're more secure. But I think we better understand a lot of the problems, I'm willing to say. Because we have various groups, and Red Hat is one of these and there are also various bug bounties that exist. There are security groups in places like Google that are doing a bunch of testing. There's all these organizations now that everybody is using open source, they're starting to give back. I suspect that as long as things continue the way they are, the future will be better than the past but, of course, it's up to us to make sure we get there because if people stop contributing back to the community, the power of open source is lost. That's the key here around security. You can't just take it and use it. You have to be involved and be a part of it.

InfoWorld: What's next for securing open source software?

Bressers: The big thing that's happening now is this concept of open source needs to be part of your supply chain. The message is starting to get out there, but I don't feel like it's where it needs to be yet because I still think there are a lot of organizations that are treating GitHub or Stack Overflow as a bunch of free software they can just take and that's fine, you never have to worry about it again. But it's not like that. My comparison here would be, what do you think would happen if a car manufacturer literally found some parts in the warehouse? They didn't know where they came from, they didn't know who made them but they're like, "They look great, let's just use those." That would end horribly. That's kind of where we're at in some of these instances where you've got developers just like, "That looks great, I'll take that." We're reaching a point now where we need organizations using this stuff to start understanding their supply chain with open source as part of it.

This story, "Open source users: It's time for extreme vetting" was originally published by InfoWorld.

Lessons from the rise and fall of an open source project – CIO

Eight years ago, the CyanogenMod project exploded onto the mobile device software scene. The Android-based open source mobile operating system quickly caught the attention of developers, Android fans and investors, and attracted interest from tech giants including Microsoft and Google. But at the end of last year the project imploded spectacularly. Today the CyanogenMod project is no more, but the arc of its story offers fascinating insight into the world of open source software development.

The project started out innocently enough following the discovery, in 2008, of a way to root mobile phones running Google's Android operating system, allowing modified firmware to be installed on rooted devices. One such piece of firmware was created by a developer called Steve Kondik, whose online handle was Cyanogen, a colorless toxic gas made by oxidizing hydrogen cyanide. The modified firmware was known as CyanogenMod.

Developers are able to create modified firmware because Android is, at its heart, an open source operating system, and pretty soon CyanogenMod became a project with a community around it. At the center of this was a core group of software hackers who became known as Team Douche. The project was hosted on GitHub, had regular releases, and versions were built to support an increasing number of Android devices.

One hiccup the open source project encountered at the tail end of 2009 was a potentially serious legal problem. Android firmware for most mobile devices includes the open source Android operating system as well as a group of proprietary Google apps (collectively known as GApps), including Gmail, Google Maps, YouTube, and Google's Android app store (which is now called Google Play.) Google licenses these GApps for inclusion in vendors' firmware, but they are not freely available for inclusion in modified firmware such as CyanogenMod, as Google explained in a blog post at the time.

As a result, Kondik received a "cease and desist" letter from Google asking that the GApps be removed from CyanogenMod. That was a serious problem because the ability to run those GApps is a significant part of the attraction of Android. Without them, and particularly without Google's app store, an alternative firmware distribution is severely diminished.

It's worth considering at this point that Google's approach to Android isn't unique, although it is slightly different. Many commercial organizations offer free open source software and also sell a product based on that open source code that includes proprietary add-ons that extend the functionality, as well as additional services, such as support. A good example is Kubernetes, a Google-incubated container management and orchestration tool that forms the basis of many commercially available container management systems such as CoreOS's Tectonic platform. Where the situation with Android differs is that Google doesn't sell its GApps to monetize Android. (Instead, it uses Gmail and YouTube to generate advertising revenue, for example.)

In the face of criticism from developers and others in the open source community, Google changed tack and said that the proprietary GApps could be backed up from a phone's original firmware and then reinstalled with CyanogenMod. (Today, an app called OpenGApps, which, ironically, is available on Google Play, makes it easy to install GApps onto a modified firmware that does not include them.)

Then, in 2013, Kondik decided a change of approach was needed for CyanogenMod to continue to thrive. He started a venture-backed business he called Cyanogen Inc. as a vehicle to commercialize CyanogenMod. Seventeen employees were based at two offices: one in Seattle and the other in Palo Alto.

Kondik outlined his motivation in a blog post:

"What we have with CM (CyanogenMod) could not have happened any other way; a huge community came together and created something awesome that did not exist before, because it was needed."

"We have had some serious growing pains though, and scaling with this kind of growth has been incredibly hard. What could we build if all the barriers were removed and we could dedicate our time to it?"

The backer that put up $7 million in the Series A funding round for Cyanogen Inc. was Benchmark Capital, a company that also backed such well-known open source companies as Red Hat and HortonWorks, a company that sells a commercial version of the open source big data analysis project Hadoop.

Now, Red Hat and HortonWorks appear to have built thriving businesses based around open source software, but it's not clear that Cyanogen Inc. was able to generate significant revenues in the first months of its existence from its commercial product, Cyanogen OS. This was a firmware distribution based on CyanogenMod but with additional proprietary apps such as Google Play and a collection of its own apps including AudioFX, Gallery, Theme Chooser and Themes Store, known collectively as C-Apps.

That's despite CyanogenMod boasting a user base in excess of 10 million and forging licensing deals with Chinese phone makers Xiaomi, OPPO, and OnePlus (which is connected to OPPO) to use Cyanogen technology. Now here's where things get slightly bizarre. In October 2014 it was reported that Cyanogen Inc. had rebuffed overtures from Google about a possible acquisition. Instead, Cyanogen was valuing itself at close to $1 billion and was seeking investment from major tech firms.

Then, at the start of 2015, The Wall Street Journal reported that Microsoft was about to invest in Cyanogen, leading to speculation that Microsoft was planning to abandon its failing Windows-based mobile platform and use something based on CyanogenOS as the basis for possible new Android-based Microsoft phones.

This never happened, but Microsoft did launch an initiative to get its applications and services running on Android, and in April 2015 Cyanogen announced a partnership with Microsoft which involved Microsoft apps and services being integrated into Cyanogen OS. Later, (following the 12.11 update) Cyanogen OS started suggesting Microsoft apps and services in the "open with" menu when the operating system encountered file types it couldn't already handle.

In the meantime, the partnership with OnePlus evaporated due to a reported clash of personalities at the two companies, as well as a fiasco in India caused by Cyanogen Inc. signing an exclusive deal for the sub-continent with low-cost smartphone manufacturer MicroMax. This resulted in sales of OnePlus handsets powered by Cyanogen OS being temporarily banned in India.

But in 2016 things rapidly went downhill. In the middle of the year a large number of staff were made redundant, and the Seattle office was closed. CEO Kirt McMaster stepped down, and Kondik was removed from the board. In November he officially left the company, and has not responded to a request for comment for this article.

Finally, on December 23, Cyanogen Inc. released a curt notice that read: "As part of the ongoing consolidation of Cyanogen, all services and Cyanogen-supported nightly builds will be discontinued no later than 12/31/16. The open source project and source code will remain available for anyone who wants to build CyanogenMod personally."

The result is that CyanogenMod as an active project is no more, in name at least. The good news for users is that they have not been completely abandoned, because it is a simple matter to switch to an actively maintained alternative firmware or a device's stock firmware. (That contrasts favorably with the situation that can arise if a business relies on an open source project when the sponsor walks away and no obvious alternatives exist.)

Of course in that situation it is always possible for a company to take the source code and take on the development task itself (or pay someone else to do so), or hope that someone else will take over the project.

And that, in fact, is what has happened with CyanogenMod. The code has been forked and a new project, called LineageOS, has been started by some in the CyanogenMod community to continue the CyanogenMod project under a new name, independent of Cyanogen Inc.

Continuing a project after it is abandoned by a commercial organization is not without precedent. The LibreOffice project was forked off when OpenOffice was abandoned by Oracle; SuiteCRM emerged after SugarCRM stopped releasing open source versions of its CRM product; and Nautilus (now Gnome Files), the file manager for the Gnome Linux desktop environment, is still thriving long after Eazel went out of business. And something similar happened when MySQL was acquired by Oracle, but in that case it was the developers who abandoned Oracle rather than the other way around, preferring to continue a parallel project called MariaDB.

What does the LineageOS project hope to achieve by continuing the CyanogenMod work? It's hard to say for sure as a request for information received no response at the time of writing.

One problem that LineageOS may face is that CyanogenMod was a very complex project, and one that had the benefit of at least a proportion of the estimated $100 million in venture funding. That means that it may struggle unless it finds a commercial organization to sponsor it, says Greg Soper, CEO of SalesAgility, a company that backs the SuiteCRM open source project. "You need expertise, and the will and desire to continue a project (after it is abandoned)," says Soper. "But can a project like LineageOS continue without a commercial organization to help develop it? I have my doubts. I think that the LineageOS project may wither on the vine unless people put money into it."

Can a project like Lineage survive and thrive with nothing more than a dedicated community of enthusiasts? Time will tell.


Open source code could save money, spur tech growth – Northside Sun

Oxford entrepreneur Harley Garrett has an intriguing idea that deserves consideration by our state leaders: Use a portion of Mississippi's technology budget to promote university-based start-ups using open source code.

Mississippi spends $250 million a year on software to run its government. Much of this software is proprietary code with big national companies. We get locked in to the software. Switching becomes impossible. Steep price increases follow. Taxpayers lose.

Garrett proposes a better way. Working with our university computer departments, the Legislature should create a Center for Collaborative Software Development. A portion of our state IT spending should be set aside to support this. Student teams could design and compete for state software contracts using open source under university supervision. The winners could go on to found successful software companies based in Mississippi.

By using open source software, competition will always be assured and state agencies will save money. The money would stay in the state and fund Mississippi technology companies that could then expand nationwide.

We have brilliant computer gurus at our top universities. But the employment opportunities are greatly limited in Mississippi. So we suffer brain drain. Our best students have to leave the state and work elsewhere for somebody else. Imagine if we could harness this talent, fund Mississippi-based software companies, and lower Mississippi's massive and inflating IT expenditures all at the same time.

This would require cooperation of state and university leaders, but it can be done with leadership. Other states have done this. We should too.

In the early days of software, everything was proprietary. The software company owned the code. Once you got locked in, it was almost impossible to switch without massive re-training costs. This allowed big proprietary software companies to impose steep price increases.

That situation has been changing with the advent of open source software. Open source software is not proprietary. A new company can acquire the code and compete with the old company. The result is more innovation at a much lower cost.

Last year the federal government began requiring 20 percent of new software to be open source. The policy statement states, "This collaborative atmosphere makes it easier to conduct software peer reviews and security testing, to reuse existing solutions and share technical knowledge."

I can give you a personal example. Emmerich Newspapers used to buy proprietary software for our websites. Every time we wanted a minor change, we had to pay through the nose. We had big annual software fees. Innovation was slow.

Several years ago, an open source website software came into existence. It's called Drupal. The software is free. It is modular. We can buy features from thousands of programmers and just plug them into the Drupal framework. We own our own servers and have complete control. Competition is maximized. Innovation is maximized. Costs are minimized.

Even better, we can now employ Mississippi programmers instead of paying some big out-of-state company. It's a win-win.

This same scenario can be played out on a gigantic scale using the $250 million Mississippi IT budget. Top computer programmers at our universities can compete to write state software as part of their education. Upon graduation they can bid and win state contracts and found new companies. They won't have to leave the state to get a job.

The first step would be for the Legislature to pass enacting legislation to establish this collaborative center. The center should include the computer department heads of our major universities, Mississippi software experts and state agency heads. State agencies could be directed to allocate 10 percent of their software budget to this collaborative open source software initiative.

All software budgets would be open source. Special efforts would be made to link our skilled programmers on university campuses to the tasks at hand. It would be an incubator.

Virginia offers Mississippi a model. The Virginia Economic Development Partnership coordinates with the state's 21 two-year and four-year colleges to promote technology start-ups.

Oregon State is another leader. Its Open Source Lab is a nonprofit organization working for the advancement of open source technologies.

Its website states: The lab, in partnership with the School of Electrical Engineering and Computer Science at Oregon State University, provides hosting for more than 160 projects, including those of worldwide leaders like the Apache Software Foundation, the Linux Foundation and Drupal.

Together, the OSL's hosted sites deliver nearly 430 terabytes of information to people around the world every month. The most active organization of its kind, the OSL offers world-class hosting services, professional software development and on-the-ground training for promising students interested in open source management and programming.

By enabling innovative projects and distributing software to millions of users globally, the lab is working to accelerate the growth of high-impact open source software projects and promote an open source culture of accessibility and increased productivity around the world. The lab partners with industry leaders and policy makers to bring open source technologies to new sectors, including education, health and government.

I challenge our university and state leaders to create a similar open source lab in Mississippi, working in conjunction with our state agencies.

See the original post here:
Open source code could save money, spur tech growth - Northside Sun

Cryptocurrency wallet KeepKey adds Dash to roster – EconoTimes

Tuesday, February 7, 2017 6:18 AM UTC

KeepKey, a Washington-based bitcoin hardware wallet provider, announced that Dash cryptocurrency is now in public beta on its wallet.

With this addition, KeepKey users can safely store Dash on the device, and can do so using the KeepKey client itself. Dash joins the likes of Bitcoin, Ethereum, Litecoin, and Dogecoin, and the cryptocurrency stands in seventh position among blockchain assets by market cap.

KeepKey's support for Dash also extends to ShapeShift. "With the addition of Dash, users can now exchange 20 unique currency pairs in the KeepKey client," the announcement stated.

The KeepKey client will open a new stand-alone window that offers a more accessible and user-friendly interface. Unlike the drop-down window, this window can be moved or resized.

Users can download the Dash public beta from the Chrome Web Store and must make sure to uninstall or disable any existing KeepKey Chrome apps or extensions prior to installing.

The bitcoin hardware wallet provider stated that it will continue to expand its first-class security platform to digital assets based on users' demand.


Read more:
Cryptocurrency wallet KeepKey adds Dash to roster - EconoTimes

Cryptocurrencies: Who Outperformed Bitcoin in January? – Eastern Daily News

To most people, especially those not familiar with other altcoins, the word cryptocurrency brings only Bitcoin to mind. This is understandable, because Bitcoin is the most popular and the most commonly used cryptocurrency. Since its introduction eight years ago, Bitcoin has been growing at a rapid rate and is widely referred to as the father of all cryptocurrencies. Other cryptocurrencies have been developed since then, though most of them are not well known, and they are providing real competition for Bitcoin. All these altcoins want a share of the market and, just like Bitcoin, use the blockchain platform.

There are hundreds of cryptocurrencies out there, so it's almost impossible to know them all, but there are those that can't be ignored due to their increased number of users and their growth in value. Bitcoin has been doing fine so far this month (February 2017), with its price currently above $1,000. In January, however, things were not so good. At one point in January, its price dropped from $1,200 to about $987 in a matter of hours. According to this article, Bitcoin was able to pick itself up because it started the month at $963 and ended at $970, and it has continued to grow in February.

Bithub prepared a list of the 20 best performing cryptocurrencies in the month of January 2017. As you can see on the list, Bitcoin performed okay. The best performer was CounterParty (XCP), an asset-issuing platform. It announced last year that all the functionality of Ethereum will be available on the Bitcoin blockchain. This extended Bitcoin's capabilities to include smart contracts. This cryptocurrency gained 70 percent in a month. The second best performer in January was Bitcrystals (BCY). This cryptocurrency acts as the currency in EverdreamSoft's free-to-play mobile game Spells of Genesis, an arcade-style game that embraces blockchain technology in its story line and its economy. Bitcrystals gained 65 percent in January.

MaidSafeCoin (MAID) is the currency behind the MaidSafe network. In this network users can do a lot of things through a decentralized mesh network of computers, including creating and hosting websites and storing private data. MaidSafeCoin grew by 47 percent in January. Other cryptocurrencies were left off this list due to their smaller market share but rose significantly on small volumes and hence are worth mentioning: Pascal Coin (PASC), which grew by 10,765 percent; Byteball (GBYTE), which grew by 244 percent; and Golem (GNT), which grew by 192 percent.

As for how fiat currency, in this case the USD, performed that month: as we have seen in recent years since the introduction of cryptocurrencies, fiat currencies can't match cryptocurrencies in terms of growth. This is because, unlike digital currencies, they are affected by factors such as inflation and political developments. The US dollar is reported to have dropped by 2.6 percent in the month of January.

Excerpt from:
Cryptocurrencies: Who Outperformed Bitcoin in January? - Eastern Daily News

Obama may have commuted Chelsea Manning’s sentence but his legacy on whistleblowers is not one of clemency – Open Democracy

Obama should be remembered for his persecution of whistleblowers and presiding over a culture of intimidation. It's a legacy that Trump's administration will happily build on in the years to come.

In one of his final acts as president, Barack Obama appeared to show some mercy by commuting Chelsea Manning's sentence. The US army private turned whistleblower was responsible for leaking classified military and diplomatic material (more than 700,000 documents and videos) to WikiLeaks, who in turn worked with news organisations to coordinate widespread publication throughout 2010. But the fact remains that Obama has persecuted more whistleblowers under the Espionage Act of 1917 compared with all previous administrations.

Whilst Manning's release in 2017 is of course better than 2045, as her original sentence of 35 years demanded, she still served longer than most other whistleblowers. Indeed the average sentence for leaking classified material in the US is typically one to three years. In contrast, Manning spent more than three years behind bars just awaiting the start of her military trial, and then another four years after her conviction.

Manning has served in abhorrent conditions, including solitary confinement for 23 hours a day for a period of 11 months. Following a 14-month investigation into the treatment of Manning, UN special rapporteur Juan Mendez concluded the conditions she endured could have constituted torture. "Imposing seriously punitive conditions of detention on someone who has not been found guilty of any crime," he asserted, "is a violation of his right to physical and psychological integrity as well as of his presumption of innocence."

The US military for a long time refused to accept Manning's gender dysphoria and request for gender realignment therapy. Being a transgender inmate held in the men's military prison at Fort Leavenworth, she attempted to take her own life on two occasions in 2016. In an interview published only days before the commuting of her sentence, she described her current situation:

I need help. I am living through a cycle of anxiety, anger, hopelessness, loss, and depression. I cannot focus. I cannot sleep. I attempted to take my own life.

In an understatement unbecoming of the great orator, Obama proclaimed: "Chelsea Manning has served a tough prison sentence." Moreover, he felt very comfortable that justice has been served because Manning had indeed repented and served time.

Of course by commuting the sentence rather than pardoning her, Obama ensures Manning's conviction remains on record. She was also demoted and dishonourably discharged from the army, both of which also remain unchanged.

It is important to remember that those admissions, of course, came in a court where she faced an even harsher sentence: the Justice Department was seeking 60 years' imprisonment. Because the case went to military tribunal, Manning was also unable to plead a public interest defence, that is, to use the fact that her revelations uncovered actual wrongdoing as a mitigating factor in her trial or even sentencing. Eventually she was acquitted of aiding the enemy, but convicted of espionage violations.

Far from signalling the end to an era of a vendetta against whistleblowers, as the Icelandic Pirate Party's Birgitta Jonsdottir hopes, US policy on whistleblowers is likely to persist. Firstly, Obama made a strong suggestion to this effect when he announced the commuting of Manning's sentence:

What I can say broadly is that, in this new cyber age, we're going to have to make sure that we continually work to find the right balance of accountability and openness and transparency that is the hallmark of our democracy, but also recognize that there are adversaries and bad actors out there who want to use that same openness in ways that hurt us, whether that's in trying to commit financial crimes, or trying to commit acts of terrorism, or folks who want to interfere with our elections.

Secondly, the administration also sought to differentiate between the pleas of Manning and Snowden, arguing that Manning's self-reproach meant she should be treated differently. Only days before Obama's announcement, White House press secretary Josh Earnest claimed there was a stark difference between the cases of Manning and Snowden:

Chelsea Manning is somebody who went through the military criminal justice process, was exposed to due process, was found guilty, was sentenced for her crimes, and she acknowledged wrongdoing. Mr Snowden fled into the arms of an adversary, and has sought refuge in a country that most recently made a concerted effort to undermine confidence in our democracy.

Though of course the alleged fleeing into the arms of an adversary was a direct consequence of the US withdrawing his passport, as Snowden was quick to point out:

The message from the US here is not that whistleblowing is a legitimate last resort, but that they will prosecute and punish.

Thirdly, we already have an indication that these policies against whistleblowers are likely to persist or even deteriorate under president Trump and a House/Senate dominated by the Republican Party. His spokesperson, Sean Spicer, claimed Trump was troubled by this action:

"It's disappointing and it sends a very troubling message when it comes to the handling of classified information and the consequences for those who leaked information that threatened the safety of our nation."

House Speaker Paul Ryan was even more unequivocal:

"This is just outrageous. Chelsea Manning's treachery put American lives at risk and exposed some of our nation's most sensitive secrets. President Obama now leaves in place a dangerous precedent that those who compromise our national security won't be held accountable for their crimes."

Republican Senator John McCain also claimed Obama's decision was "a grave mistake that I fear will encourage further acts of espionage and undermine military discipline."

When president Trump eventually commented on the case, he naturally did so via his personal Twitter account, incorrectly labelling Manning a traitor, since she was found not guilty of aiding the enemy:

In the past Trump has expressed similar disdain for Edward Snowden, tweeting (of course) in 2014 that he should be executed:

The first victim of Trump's presidency is unlikely to be Snowden, however, as his Russian visa has recently been extended for three years. Instead we are likely to see a steady dismantling of rights and infrastructure designed to protect whistleblowers. One such mechanism was The Office of the Whistleblower, which the Securities and Exchange Commission was forced to establish by the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010, following the financial crisis. "The whistleblower who knows of possible securities law violations can be among the most powerful weapons in the law enforcement arsenal of the Securities and Exchange Commission," it proclaims on its website.

President Trump has surrounded himself with elite bankers, including Jamie Dimon (the CEO of JPMorgan) and Gary Cohn (former Goldman Sachs president). It should come as no surprise then that one of the many executive orders he has signed in the first weeks of his presidency is to review the Dodd-Frank Act by instigating a review of how financial markets are regulated. Whilst there is little detail about how this will be achieved, The Office of the Whistleblower will likely be on a target list of regulations to be abolished.

Obama's legacy on whistleblowers is not one of clemency, compassion, leniency or even mercy. Rather president Obama should be remembered for his persecution of whistleblowers and presiding over a culture of intimidation against those who seek to uncover wrongdoing and to hold power to account. If their current rhetoric and early actions are anything to go by, president Trump and his administration will happily build on Obama's legacy to continue persecution of whistleblowers for years to come.

Read the original here:
Obama may have commuted Chelsea Manning's sentence but his legacy on whistleblowers is not one of clemency - Open Democracy

‘Imago’ wins Edward Snowden Award in Berlin – Inquirer.net

Ruby Ruiz in Imago

After winning in Toronto last year, Filipino filmmaker Raymund Ribay Gutierrez's "Imago" received another prize in Berlin, Germany. "Imago" won the Edward Snowden Award at the 15th International Festival Signes de Nuit or the Internationales Festival Zeichen der Nacht. The jury commended the short film for "introducing [viewers] to the unknown world of a single mother with a peculiar job."

The Snowden award honors films which offer sensible, unknown information, facts and phenomena of eminent importance.

Since its inception, the Paris-based fest has screened a thousand films in 33 countries. The films screened in the fest reflect new views, original imagery and a critical approach to the crucial points of modern human existence.

"It validates our work, [and tells us] that we did well," Gutierrez told the Inquirer. "I don't spend too much time thinking about awards because it will only get in my way and fuel frustration. I'd rather turn my passion for filmmaking into an obligation." BAYANI SAN DIEGO JR.

Follow this link:
'Imago' wins Edward Snowden Award in Berlin - Inquirer.net