Martin Winter's presentation from the January '15 Bay Area Open Source Meetup: An inside look from the Open Source community More details here: meetup.com/Bay-Area-Open-Source-Meetup/

1. 1
Licenses, Contributions, Support or
the lack thereof
An inside look from the Open Source community
Martin Winter
Network Device Education Foundation

2. Who am I?
‣ Who is NetDEF / Open Source Routing ?
• 501(c)(3) Non-Profit Organization
• Mostly Working on Quagga Routing Daemon
(OpenSourceRouting.org)
‣ Who is Martin Winter ?
• 4 yrs @ Exodus Network Architecture (and Router Testing)
• 4 yrs @ Cisco trying to build better IOS
• 5 yrs @ Cisco working with ISPs on testing routers
• And now trying to ignite the open source routing revolution
- Working on Quagga for “only” 3½ years
- Working Group Chair for Open Source with RIPE
2
Believer in real innovation will be driven by Open Source

3. Why Open Source?
4
A few reasons to at least start thinking about Open Source
Money
Could be much cheaper. Why develop on your own
or buy it, if it’s already there for $0 (only “unusual”
license)
Education,
Research
Research needs platforms to build on for new
features and proof of concepts.
Your
Features
Missing a feature? Need a special feature to
distinguish from the competition? You have access
to the source code. No more begging the vendor
Support
Not just one company is setting the schedule on
what the fix and when you get the software fix. Do
it yourself or find someone to match your requests

4. 5
Open Source Licenses (*)
Battle between giving everything away for free
without restriction and keeping the project alive
* This talk ignores the non-free “Open Source Licenses” where the software is traditionally sold and full/partial
source is available under NDA or severe restrictions

5. Main license restrictions
6
And their potential reasons
Attribution
required
Publishing
Changes &
Source
Patent
Protection
• Getting awareness for project (helps funding)
• Getting awareness for author (great for resume!)
• Is it really that hard to publically “thank” someone
in exchange for free help?
• We help you, you help us…
• Limiting ability to sell something you got for free
(and profit from it)
• Very few donate money, so at least help with code
• Don’t steal its ideas and sue others out of existence
if they have a better product than your commercial
code

6. Aren’t these all “hobby” projects?
‣ Most of the maintained projects have people
dedicated part or full time
• Individuals often passionately dedicated to the cause
• Learn to work with each specific community
‣ Many projects require highly specialized knowledge
and lots of time
• Not your average student
‣ Infrastructure (Testing!) can cost $$$$$
7
“I assumed this is collective work done in ‘spare’ time”

7. What does it take for Open Source
8
Same as for any software and much more than just a few
lines of code
Write new code
Write Bug fixes
Code Review
Testing
Support
Percentage may vary between
projects. This is just an example

8. What does it take for Open Source
9
Write new code
Write Bug fixes
Code Review
Testing
Support
Percentage may vary between
projects. This is just an example
How are YOU giving back
to the project in exchange
for the code?
$ Money

9. 10
Please respect the licenses!
It’s your choice to use Open Source and you
depend on the projects to survive.
Or even better: Convince your company to
acknowledge the use and give back in some way
Back to Licenses
at least

10. 11
An example for the future to avoid
Remember Heartbleed?

11. 12
‣ OpenSSL project donations
before it happened:
• $2000 per year
‣ OpenSSL users:
• Everyone. Nearly every product
with SSL used the library
Remember Heartbleed?
Did we learn from it?

12. 13
Remember Heartbleed?
Martin,
I hope this email finds you well. I am reaching out from Vasco Data Security to discuss
how we can help you and your users cope with the aftermath of the Heartbleed Bug.
MYDIGIPASS, Vasco’s cloud based solution utilizes enterprise-grade Two-Factor Authentication
(2FA) and One-Time Passwords (OTPs) to add a necessary level of security while maintaining a
simple and familiar sign-on process. Since OTPs can only be used once, and for a limited amount
of time, the MYDIGIPASS system provides the ultimate tool for Heartbleed mitigation and ongoing
end user account security.
I would appreciate a few minutes to set up a very brief discovery call with you or one of your team
members to discuss how VASCO can help you and your users minimize Heartbleed damage and
address future security risks. Please let me know if you have 15 minutes for a call this week or
the next.
I look forward to hearing back from you,
- XXXXXX YYYYYY
XXXXX YYYYYY | Sales Representative | Vasco Data Security | XXXXX.YYYYY@vasco.com
O: XXX-XXX-XXXX | www.mydigipass.vasco.com | www.vasco.com

13. 14
Remember Heartbleed?
Martin,
I hope this email finds you well. I am reaching out from Vasco Data Security to discuss
how we can help you and your users cope with the aftermath of the Heartbleed Bug.
MYDIGIPASS, Vasco’s cloud based solution utilizes enterprise-grade Two-Factor Authentication
(2FA) and One-Time Passwords (OTPs) to add a necessary level of security while maintaining a
simple and familiar sign-on process. Since OTPs can only be used once, and for a limited amount
of time, the MYDIGIPASS system provides the ultimate tool for Heartbleed mitigation and ongoing
end user account security.
I would appreciate a few minutes to set up a very brief discovery call with you or one of your team
members to discuss how VASCO can help you and your users minimize Heartbleed damage and
address future security risks. Please let me know if you have 15 minutes for a call this week or
the next.
I look forward to hearing back from you,
- XXXXXX YYYYYY
XXXXX YYYYYY | Sales Representative | Vasco Data Security | XXXXX.YYYYY@vasco.com
O: XXX-XXX-XXXX | www.mydigipass.vasco.com | www.vasco.com
Why this is just wrong...
• The product uses OpenSSL as well and was affected by it.
• They did NOT support OpenSSL before
• They did NOT even talking about supporting OpenSSL after this incident, but
instead talk about making more money in their own pocket based on a bug
in a core component in their own software which they got for free.
• The bug affected hijacking (encryption) and not authentication. All the 2FA
and OTP are nice buzzwords, but have no meaning here

14. 15
Martin Winter mwinter@netdef.org
Thank you / Questions ?
OpenSourceRouting (Quagga)
www.opensourcerouting.org
Network Device Education Foundation
(NetDEF)
www.netdef.org