Slashdot Mirror
Smuggling Open Source Past The Boss
Saint Aardvark writes: "CNN has an article on software engineers sneaking
open source software past the boss -- and how the smart boss doesn't look
too closely." A nicely balanced article (originally from Computer World).
I don't think there are clear ethical guidelines in many of these situations. If the boss has stated flatly "NO OPEN SOURCE TO BE USED", then it's clearly unethical.
Why? Ignoring bosses' orders can be ethical in a lot of cases. Company's policy has very little to do with ethics, and it's still a moral choice of a person to follow or to reject it. The key is the responsibility -- if a person can be responsible for his action, does not want to push that responsibility to the boss and can defend his decision, he can do whatever he thinks is better.
Contrary to the popular belief, there indeed is no God.
Then, there are all those woooonderful "easter eggs" that delight and amuse pointy-haired bosses around the world. Any one of those could be adding back-doors by the thousand, and you'd never know until someone opened one.
The point of Open Source is that it doesn't matter how good the engineer is. Under the licence, any other engineer can examine the source, locate such security economies and obliterate them with a 200 lb. sledge-hammer. With closed-source, you can't do that.
"But with closed-source, nobody can add such features, either!"
BEEP! Wrong. Binary patches aren't as easy as source patches, but they can be written. Gnutella is a good example of this. If an engineer was good ENOUGH, and had closed-source binaries, he or she could STILL add back-doors, only now they are exponentially harder to locate.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If these people are worried about the reliability of sendmail, then Exchange is going to be about the worst move they make.
OTOH, it sounds like the "single mail message lost" thing is more of an excuse than anything else. Sendmail can be a pain to manage.
I've just implemented a mail solution for escorting mail safely from the Internet to an internal Exchange Server using Postfix and LDAP. It's actually quite easy; everything works well, and can be administered from a Windows box with a GUI. (Admittedly, the GUI is a bit clunky, but it's still usable until better alternatives become available.) Users can have Internet ability granted or revoked, groups can be set up, and mail can be forwarded. The system even does virus checking on inbound E-mail!
In short: you don't have to sacrifice the reliability of Linux/*BSD in order to get ease of maintenance.
In most cases it's not requested as "I want an NT mail server". It's usually "I want one of those email thingies so I can send stuff. Make one."
:) Nobody knew about the change until one of the graphics guys tried to install Premiere on it and found a text logon. He literally jumped away from the console. I laughed, I cried... it was better than Cats.
In my opinion and my case the boss not knowing about what exactly the servers are doing is a good thing. If I tell him how I'm filtering email for ILOVEYOU we need to have a meeting and talk about it and explain it and think about it and.... meanwhile ILOVEYOU is still running around. Instead, I put the filter in and when he panicked because of the news at 11 I simply said "Oh, that cant come through our system".
Another example: I was told that I HAD to get the file servers (which were NT SP1 at the time) to stop going down. I said okay and stayed overnight. Moved one to Linux and Samba serving about 66 gigs. It stopped going down. I vaguely described patches
Now, you are correct about being transferred and leaving behind a mess. They all know about the Linux servers now and they serve 550 gigs over SMB. What I am doing is making an "If this is opened I had better be DEAD" kit with passwords, services running, conf files, custom scripts, documentation, etc. along with phone numbers of people who can deal with the same stuff I did. I am going to explain how to move to NT servers as well. I have also explained that if they get a MCSE monkey in there they can move back to NT and get him to handle it. If you are in a standardized office that uses Exchange in corporate mail mode, duh... you have to run Exchange on your end too. I've been helping with a massive NT network at a freelance job, and while Linux and SMB and Sendmail would be better for some of this stuff, there is way too much staff rotation for me to even consider it.
Yes -- if all of you agreed to follow the letter of the memo and immediately sent a counter-memo detailing what you'd done and why. CC everyone else important in the company on the memo.
:-)
The funny thing is, if we actually *HAD* complied, we wouldn't have been able to send that memo; the mail system would have been non-functional.
Not that they'd have noticed, because they wouldn't have been able to connect to it anyway, since the DNS servers would have been down.
--
Ok, I'll present you with a situation where exactly that happened, and you tell me:
The CIO of the Fortune 50 company for whom I work issued a memo to all employees that no Open Source would be used on any system in any manner.
However, we did not immediately disable all systems company-wide and shut the whole thing down to remove the many Unix-standard tools that happen to be Open Source, and that run standard system services on every single Unix machine in the entire company. We just ignored him.
Should we have shut down a few thousand Unix servers immediately, pending the approval of new non-Open replacement tools? Would that have been the ethical thing to do?
--
I can just see the article.
We talked to an engineer. We'll call him "Jim". Jim works at a major Linux vendor. He explains, "We had no downtime to speak of. Whenever something was wrong, it was because one of our staff screwed up. We had nothing to point fingers at."
Jim converted crucial parts of the company's network to run on the NT operating system. On the company's web page, crucial CGI scripts were given filenames like "webcgi.exe" and "download.dll".
"People stopped complaining," says Jim. "They saw a filename that clearly told them this was an NT system, and they assumed that they'd just have to try their transactions again."
Jim's boss wasn't aware of the NT system at press time, but knew that Jim had done something to reduce complaints. "It cost a lot more than whatever we used to have, but I don't really care."
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Well said. I want more articles that give an unbiased opinion about both Linux and *BSD. I'm a Linux user myself, having never really used *BSD, but I, too, know that we are in the same boat; if, for example, FreeBSD, is successful, it benefits the free software movement as a whole.
Well.. it's possible. This can probably not be compared to the horrors of the people who ran the mail systems at my former employer (it was MS Mail). Legends spoke of lost emails and messages that were days or even weeks late. They upgraded it, though... to MS Exchange ;) I have no idea how it fares nowadays.
Well, what can I say :) Let those incompetent MCSE monkeys run the mail systems...
The problem may come to when something goes kablooie (even unrelated to the open source software) and the headhunters come flocking to put someone on the chopping block. If the software was from a large, dominant provider, the boss and anyone else who ought to be taking responsibility can just shrug and say 'Oh well, buggy as usual' and go on. If there's a "new" and "untried" thing sitting around it's an instant magnet for finger pointers. So a manager who's more worried about his job & perqs will either outlaw open source or go for the 'plausible deniability' solution by not looking too closely.
Ultimately, if you're working in a culture where blame and firings are the way problems are addressed, then you take your fine resume' and your marketable skillset and go on to the next job. You do have that, right, because you're smart enough to choose the right solution instead of the safe one.
Still, he says that his company is thinking seriously about converting its mail server back from Linux to Windows NT. Group Logic has documented several cases where the sendmail program running on the Linux server lost an e-mail message. While it's had few other problems with Linux, he says the software is still difficult for much of the staff to manage; Windows NT is just easier for most of them to use and reconfigure. According to Newberry, saving the cost of a Windows NT license just isn't worth it.
Switching from Linux/Sendmail to NT/Exchange to improve reliability!? What are they thinking? I've dealt with Exchange/NT environments and they are unreliable under high load. I've NEVER had similar problems with sendmail based systems, and I've been admining for over a decade. Someone needs to stop listending to the MS marketing hype. If the really want to go to a proprietary mail system, put in HP OpenMail at least.
Thad
The Bolachek Journals
I'm glad to see someone asking ethical questions.
That being said, what are the ethics involved? Remember that ethics are only those generally accepted codes of behavior.
I don't think there are clear ethical guidelines in many of these situations. If the boss has stated flatly "NO OPEN SOURCE TO BE USED", then it's clearly unethical. In the article the situations usually weren't so clear-cut.
Technical people should be allowed to perform their duties with the best tools for the job. Management can raise valid concerns against using Open Source (like, if the people who implemented it locally quit or died, who services this solution). These concerns can, today, be addressed, I think.
It might be unethical for management to dictate solutions without a good justification. If the "approved" solution is unnecessarily expensive and complex, requiring it may be a breach of management's responsibility to the shareholders or upper management. Of course, the fact that management is acting unethically doesn't justify unethical behavior on the part of others.
It's often discussed here and I'd like to see it discussed more. Technicians/Engineers/Programmers are badly in need of codified ethics. Does anyone know anywhere on the Net where this is discussed? Or proposals for what a code of ethics would contain?
-Jordan Henderson
>several cases where the sendmail program running on the Linux server lost an e-mail message.
Huh? Ok, does anyone have PROOF it was sendmail's fault?
What in sendmail caused the messages to be lost? Or was it a problem with the POP, IMAP, the local users (lusers), or even Linux?
Anyone care to provide some 'proof' of this?
If it was said on slashdot, it MUST be true!
if you're lucky enough to have a less than intelligent boss i'm sure you could make them believe anything. I did it with my boss and this is what took place.
"and here is an operating system that i created last night, its called "sco-unix" can i have a raise?"
"get out of my sight"
now i'm learning that cat food is a good source of fibre and energy. Thumbs up to can openers!
Be you Admins? nay, we are but lusers!
I don't understand this attitude. If one package is broken you don't install a whole different OS! Get a mail server that guarantees mail delivery, like QMail!
Matt. Want XML + Apache + Stylesheets? Get AxKit.
It seems rather risky. Deliberately hiding stuff from your boss just isn't a good way to run a business.
It's one thing if s/he takes the attitude if it works, he doesn't care about the guys. It's another thing when he says, "I want an NT mail server" and you give him a Linux server, you're asking for trouble. In the really large organizations I've worked in, there is usually a push to standadize stuff. What happens when you get transfered and some MCSE suddenly has to maintain your BSD box?
On the whole though, I like the article. It seemed much more like actualy reporting than hyping one thing or another.
Dana
Open Source is good for both developers and users alike. It's good for developers when they need to write programs or applications and might need to know how certain things work, or if they need to change or extend certain things in the open source software. It's good for users because of all the common reasons that we hear about all the time, about how it is secure because a backdoor would be spotted and how bugs can be spotted easily because the source is available.
But the story also talked about how someone in IT decided to use open source software, sometimes without knowledge of their supervisors and the company at large, to provide a solution. While it sounds like heroics, it also trigger thoughts of potential problems.
Imagine if one of these guys was a programmer who was able to put in a backdoor in the software source that was consequently compiled and put into production. Granted, someone with that kind of access would have other ways of putting in backdoors, not just in programs. But I think that to some extent this may be an issue. Companies may buy software from closed source vendors secure in the knowledge that at least the software doesn't have backdoors in it that was put in by someone who may have specific interest in doing so to break the company's security.
Put another way, if there's a security problem like a backdoor, it's better that it's a disinterested third-party than an employee who may or may not remain within the company, and many times, may even end up at a rival company. Besides, with a backdoor, who's liable? If it's closed source, it's obvious. With open source, there wouldn't be backdoors, but depending on the company's policy, there may be backdoors put in that they wouldn't know about, sometimes they wouldn't even know who might have put it in.
Granted, the potential of such a scenario is small if the company's IT policies are consistent and clear and actions well-documented. But, I still think that such things can and may have happened, and it's due to the availability of source.
So all I'm saying is, the company must decide clearly what they are going to do and strictly enforce it. If better solutions are available, they should be clear about all the possibilities. Politics, of course, will just throw it off completely. But IT professionals 'sneaking' open-source into their company just doesn't jive too well with me, even if the open source philosophy produces superior software.
I work for a mid-sized company of about 100 employees. The contract house I worked for had produced a Windows-based web site for them; I started with a Linux-based system that did a small part of their site.
The owner of the company noticed that I was far more responsive than the other people at the contract house, so he hired me as a programmer/manager to straighten things out.
The first thing I did was to propose that we change the web site from Windows to Linux. The original site was taking 4.5 seconds to pull up a page with no load. I did a demonstration that was instantaneous, and Windows' doom was sealed.
I will treasure the moment forever where I was in the room with my former boss and the owner of the company. The FB was claiming that I could get my neck wrung if Linux wasn't good enough for the job. I said that I'd used it elsewhere, and I knew it was. "Microsoft provides a level of acceptable mediocrity," saith the FB in a tone that made it clear that this was something good.
The owner exploded: "Our company does not seek mediocrity."
We've been running the Linux system for about a month, and so far it's exceeded company expectations and I've become a corporate hero for the first time in my life.
So don't underestimate bosses. Sometimes you can convince them to do the right thing.
D
----
I once tried to get a Linux box past the boss through "legit" channels, and had a major success. We were replacing an older-than-god Sun mail server, and I suggested a Linux box. At the time I think it was Slackware. Got it all set up, we moved it inot the network, and it worked fine. However, the boss decided to cover his ass, and bought an NT server and a commercial mail program that will remain nameless (you'll see why in a bit). I was miffed, but rather than sulk or smuggle, I got out the hex editor and disassembler. Two hours later, I had found 10 unbounded str* functions that lead to buffer overflows. Wrote up an exploit, and showed it to the boss. He didn't really believe it, but let me run the thing, and sure enough, it worked. Two hours and a little help from me and the now-classic AlephOne article later, he had written his own exploit on a different hole. At that point he sent the mail program back, demanded a refund, and there's a linux server there to this day.