Scanner Spots Open Source Installations

Mike writes "Information security firm OpenLogic has begun letting users download 'Discovery,' an application that scans Windows, Linux, and Solaris machines and attempts to identify open source software. The Discovery application claims to identify more than 5,000 versions of the top 900 open source packages. The scanning engine is able to detect open source installations whether they were installed explicitly or bundled with other software products. Kim Weins, vice president of marketing, says 'We developed it in response to customers not knowing what open source programs they were using.' I can't help but think that this a move to slyly demonize FOSS by scaring businesses into thinking they don't know what's on their PCs."

Doh

[nokilli (759129)]

You know, given the Vista experience, we're getting to the point where you know there's open source software afoot if the scanner simply runs without crashing something.

--
Censored by Technorati [blogspot.com]

Re:Doh

[jshriverWVU (810740)]

3) home basic edition. Considering that the bulk of sales are home basic edition, that is why it leaves an overall bad taste in the consumers mouth. How many computers can you buy from BB, Target, Walmart, Circuit City that has Vista Ultra Super Server edition loaded vs Home edition. As the name alone implies it's used for the home user and that is the biggest buyer.

So if it sucks, then the bulk of Vista users are going to think it sucks.

Re:

[Artifakt (700173)]

So in effect, you're saying it's just that 80% minority of Vista licences that give the other 20% majority a bad name? :-)

Re:

[Hijacked Public (999535)]

I agree with you 100%.

Why anyone would bother to specify the Basic version when they could, with less effort, impugn the entire suite of versions, is beyond me.

Re:

[smitty_one_each (243267)]

everyone hated it for a few days and then got used to it.

s/got used to it/reverted to 'classic' interface/
Objectively, if you had never used any prior version, the new stuff might make more sense.
However, the switching cost of figuring out where they, for example, they squirreled away the interface for changing an environment variable, is too high. "Retro or NO!," say I.

Two options

[h2oliu (38090)]

1) It can be used to help companies ensure that they are being compliant with the various licenses [good].

2) It can be used to "root out" those 'evil' open source applications [bad].

Unfortunately I agree that option 2 is most likely as it is really used to search for applications and not code. Why you would want to search for explicitly open source, vs. just knowing what is on a corporate PC doesn't make a lot of sense to me.

Re:Two options

[freeweed (309734)]

Why you would want to search for explicitly open source, vs. just knowing what is on a corporate PC doesn't make a lot of sense to me.

Because many companies have explicit policies forbidding open source, period.

I've seen it get so stupid as to call it "shareware", ie: unlicensed software. The lack of a vendor really freaks out a lot of PHBs, and heck, a LOT of older IT folks who still are scared by open source. Don't forget, OSS is less secure because everyone can see the source code, and it's less reliable because you don't have a multi-billion dollar vendor backing you when things go wrong. (not sure if I really need the sarcasm tag with that last sentence or if it's obvious enough)

Re:

[vux984 (928602)]

The lack of a vendor really freaks out a lot of PHBs, and heck, a LOT of older IT folks who still are scared by open source. Don't forget, OSS is less secure because everyone can see the source code, and it's less reliable because you don't have a multi-billion dollar vendor backing you when things go wrong. (not sure if I really need the sarcasm tag with that last sentence or if it's obvious enough)

Yeah, I know what you mean! I really need a multi-billion dollar vendor backing my users 7zip and filezilla.

Re:Two options

[jotok (728554)]

I work for a major security firm.

All of our stuff is designed to run on 2k, 2k3, and Redhat, which as you are aware is essentially no different from Fedora (well, strictly speaking, it's no different from CENTOS) except that you buy support for it. That support is important. Large companies who pay $100m for a contract do not want to hear you say "I'll have this issue remedied just as soon as someone replied to my post on FedoraForums.org."

I happen to think that, for instance, sourcefire has a superior IDS solution to ours. I know a lot of competent guys with that company. I like those guys. So without any malice I can tell you that when we had a bake-off with them, the deciding factor was that we knew how to deploy and manage a thousand-node sensor grid and they had not clue one.

I say this just to illustrate that for, large corporate environments, it doesn't matter that FOSS solutions are "better." A lot of them are great, and I can think of plenty of situations where some Ubuntu workstations running OOo would suffice over Vista Business and Office 2007...except then you know down the road that company is going to want something out of left field, like encrypted home directories or , only, none of the techs they can afford know anything about setting it up. But they know that 5 years from now if they want some weird solution, probably one of the big vendors will be around to sell it to them, along with a consultant to walk the Remedy monkeys through troubleshooting it.

I do not think that most of the people cheerleading for FOSS appreciate this. They just know that $DISTRO is neat, so obviously everyone who doesn't agree that it's perfect for a 10,000 seat enterprise network must be an "idiot." Le sigh!

Re:

[DreadfulGrape (398188)]

Check this page:

http://www.openlogic.com/partners/index.php [openlogic.com]

Clearly OpenLogic has certain ideas about what constitutes "good" open software.

Re:

[also-rr (980579)]

The perception that open source software is not business friendly is a common, but mistaken, one. I have recently been trying to write a five minute, commercial biased [revis.co.uk] presentation in order to help correct that.

Re:

[jrumney (197329)]

The only use I can see for this is in conjunction with a similar application that lists everything installed, where this application is used to eliminate programs from the list of potential licensing problems. In my experience, the single biggest liability for any company is unlicensed copies of WinZip and other "shareware" or "free for non-commercial use" closed source software that users download and install.

Just what I'd want...

[benhocking (724439)]

Then I could get rid of everything that's not open source. :)

The Backfire.

[twitter (104583)]

FTFA:

Customers would guess that they had 15 or 20 open source products on their networks only to discover that workers were using 200 or more open source applications, she said.

Knowledge is your friend. If their intention is to root the applications out, they will discover how expensive non free software really is. Awareness always leads to more free software use.

Free download but a form to fill prior download

[Lord Satri (609291)]

I'm probably not alone curious and wanting to download this free app to (re)discover which OSS is installed on my computers... You can download it from here: http://www.openlogic.com/discovery/new_download_re gister.php?ls= [openlogic.com] and you need to give your name, email, location and some more before downloading the beast.

Re:Free download but a form to fill prior download

[$RANDOMLUSER (804576)]

Sure, and while you're there, check out their page about "indemnification".

Why Is Indemnification Important?
There are many benefits to using open source software, but in some cases there are lingering legal concerns around deploying open source in the enterprise. In order for enterprises to fully embrace a broad range of open source software, they need to be able to deploy, manage and control open source while limiting the associated legal and compliance risks. For the first time, enterprises can now access indemnification coverage for a broad range of open source products from a single vendor.

Let's try to make some money from FUD, eh?

Re:

[CastrTroy (595695)]

I've never seen an open source license that controls how a person uses the software. The license only comes into effect once you start to modify and distribute said software. Why are people afraid of running open source software? It's not like you are going to get sued just for running GIMP.

Re:Free download but a form to fill prior download

[$RANDOMLUSER (804576)]

Sure, but the PHBs have heard Steve Balmer calling OSS/GPL "a cancer". Imagine the BSA kicking down your door and busting you for all those illegal copies of Firefox.

Re:

[hazem (472289)]

I've never seen an open source license that controls how a person uses the software.

I have to disagree with you there. The installer for many windows versions of OSS software have a clickwrap style page where you have to agree to the conditions of the GPL before you can install the software.

As you said, the GPL (and others) only apply when you want to distribute the code. You shouldn't have to "accept" the GPL to merely use the software. At least that's how I understand it.

Re:Free download but a form to fill prior download

[hazem (472289)]

Actually, you're spreading a bit of FUD yourself.

You can use OSS all you want and your IP is safely yours. It's only when you want to incorporate OSS software and code in your own code that you are then bound by the OSS terms.

For example, you can:
use OpenOffice to write all your documents
use Gimp to do your image processing
use vi/emacs to edit your source code
use gcc to compile your program (be careful what you link to)
use PDFMaker to generate PDFs from your programs
use Firefox to browse the web
use Thunderbird to handle your e-mail
use apache to serve your web pages
and so on

and your code and works are still completely your own, free to distribute in any way you see fit.

You are free to use OSS in any way and for any purpose. It's only when you want to redistribute it in some way (including incorporating it into your own work) that you incur any restrictions.

I refer you to:
http://www.gnu.org/licenses/gpl-faq.html#GPLOutput [gnu.org]
and
http://www.gnu.org/licenses/gpl-faq.html#TOCWhatCa seIsOutputGPL [gnu.org]

Crickey

[also-rr (980579)]

I have 12,000 violations on my laptop. I better make out a check to the EFF before the bang the door down... what's the annual licensing fee on GPL software again?

Inventorying OSS can help OSS

[MSTCrow5429 (642744)]

"I can't help but think that this a move to slyly demonize FOSS by scaring businesses into thinking they don't know what's on their PCs."

Looks to me that this is just a simple inventory tool so business has an idea of what's on their machines, and perhaps if they see that people, having appropriate account permissions on the PC, are voluntarily installing open source alternatives, say OpenOffice instead of MS Office, businesses may be more conducive to migrating to OSS, or at least openly accepting it.

Business have no clue what's on their machines. That's why you have staff workers running around as admin all the time, and picking up literally thousands of instances of spyware/adware/malware. They just can't get enough toolbars and cute fluffy pointers.

Re:

[Pedrito (94783)]

"I can't help but think that this a move to slyly demonize FOSS by scaring businesses into thinking they don't know what's on their PCs."

To add to what the parent poster said, I actually think this could help OSS. Businesses might be surprised to find out how much FOSS software they're using and to realize how dependent they already are on it. That might actually ease some of their concerns about choosing FOSS options in the future.

I agree.

[WindBourne (631190)]

Back in the 80's, it was obvious just by walking by a desk as to wether they were running dos or a mainframe terminal. Most companies have NO clue how much OSS is in their company. Some will no doubt use this to root it out. Others will start down that path and find out that it is being used heavily, and start supporting it.

Re:

[MenTaLguY (5483)]

Alternately, if they find an unapproved Open Source application on a lot of people's machines, they might ban it and forcibly remove it from people's PCs if it's found. That happened about a year ago with Firefox where I work; fortunately they don't know to look for Seamonkey yet so I can still use that for web development instead (though I still miss out on some stuff like Firebug).

If they started using that scanning tool here, I'd probably resign; I rely on Open Source tools pretty heavily to do my job.

Re:

[Fastolfe (1470)]

I wonder what businesses would say if you actually put something like that on your resume:

* Low Slashdot UID

Re:

[OrangeTide (124937)]

I think the tool would be far more interesting if it also could detect commercial software installations as well. Because you don't need to scare businesses, they already are well aware that they have only a vague idea what software is installed on their systems.

What's with the paranoia?

[The Iso (1088207)]

Why the accusatory last sentence? Open Logic is a company that provides services for open source products, and the impression I get from this tool is that it shows managers how much they already depend on open source.

Re:What's with the paranoia?

[kindbud (90044)]

Yeah, right.

Why Is Indemnification Important?
There are many benefits to using open source software, but in some cases there are lingering legal concerns around deploying open source in the enterprise. In order for enterprises to fully embrace a broad range of open source software, they need to be able to deploy, manage and control open source while limiting the associated legal and compliance risks. For the first time, enterprises can now access indemnification coverage for a broad range of open source products from a single vendor.

http://www.openlogic.com/products/indemnification. php [openlogic.com]

They're selling indemnification insurance. Open Logic is a capitalist enterprise, not some FOSS charity. They're in the business of monetizing FUD.

Bad wording

[jshriverWVU (810740)]

The way they worded it made is sounds like FOSS was malware or a virus. "Scan your computer to detect a set of programs that you may not know exist in the system". Plus what is the point in having a Linux scanner as it is all (nearly all OSS). Solaris I'm sure has a good bit of FOSS in it now adays (apache, php, sql, etc). As for windows, what is it's purpose (Hey you're running gaim, firefox, etc) Once you have a list what does that imply? You must delete them? The only reason I can see doing this is for

On the more useful side

[IPFreely (47576)]

It could also scan for and find Open Source software that was installed by a third party without proper compliance with the GPL. Install as much third party junk as you can, then scan to see who is using GPL software without compliance.

Re:

[Laur (673497)]

It could also scan for and find Open Source software that was installed by a third party without proper compliance with the GPL. Install as much third party junk as you can, then scan to see who is using GPL software without compliance.

Are you just spreading FUD? You don't have to agree to anything to simply download and use GPL software. The GPL only kicks in if you distribute the software.

I could've used this the other day...

[oldosadmin (759103)]

You know, the interesting thing is, so many people are trolling this, but if you are, you must have never been through VC funding.

I had to make a list of /ALL/ open source software used ANYWHERE in the company. Yeah. Sounds like fun, right? It sure was. Either way, this app could've made my life a lot easier. :(. Too bad I see it NOW!

More interested in a scanner for proprietary stuff

[jimicus (737525)]

I've looked into software to do software auditing before - most of it fell into one of two camps:

1. Free AND lousy - many only checked the "Add/remove programs" list in Control Panel, which is practically useless if a package was installed just by copying to c:\program files.
2. Expensive AND horrific license - most of the commercial software auditing tools which claim to do everything but make the tea seem to be licensed with rather nastier licenses than the software they're meant to be auditing.

Is there

Who needs a scanner?

[quantum bit (225091)]

Why do I need this software? It's easy enough to figure out without downloading random stuff from the internet.

$ uname -rs
FreeBSD 7.0-CURRENT
$ pkg_info | wc -l
1630

So, subtract 1 for nvidia-driver. Subtract 1 for linux-flashplugin. Subtract 1 for acroread7. That's still a helluva lot of open-sores software... I hope the BSA doesn't come after me!!!

Re:

[BlueParrot (965239)]

$ dpkg-query --list | wc -l
1100

Now I feel inferior... Maybe I should pull in KDE or GNOME to compensate...

can see it now!

[jshriverWVU (810740)]

CEO: we need to start scanning now!
IT Guy: which computers should we start with?
CEO: Start with the people who file the most computer complains and go downward
..
..
..
(IT guy comes back next day)
IT Guy: Sir all of the Vista machines who had problems reported 0 infections, and at the bottom of the list the department running OS X and Linux development machines. They had tons of the stuff.

Doesn't seem like anti-open source to me

[rhombic (140326)]

Seems like this will be a great tool to "out" companies using & abusing open software in their packages for Windows. Will be interesting to see who starts to find bits & pieces of GPL'd stuff hanging about various binary-only installations that don't come with source code for the app.

another use of this...

[pohl (872)]

...you could run this, take the output, do set-subtraction from the set of all software on the computer, and have an excellent closed-source software detector!

Could be a Good Thing

[yancey (136972)]

I know in my own organization that management barely knows what the proprietary software does for them, much less the open source software. So this could be a really good thing if it causes IT managers, CIOs, CTOs, etc. to wake up and realize just how much of their business really runs on open source software. They might start treating it with a little more respect, even though much of it does not appear on their budget reports.

the irony ...

[petes_PoV (912422)]

so you can download a package that tells you what packages you've downloaded.

I wonder if it detects itself?

This is a GOOD thing

[boyfaceddog (788041)]

First, I like FOSS products. I suggest to users that they install OpenOffice, Gimp, Inkscape, and other products INSTEAD of applying to our IT purchasing dept and costing the company hundreds of dollars.

BUT I know users don't stop there. Everytime I touch a user's laptop I find some extra software I don't want to support. Most of the time I don't remove the software, I just deliver the customary warning: "If this software causes a problem with your system I will reimage your PC rather than waste time diagn

Free Scanner to eliminate Free Software?

[Cassini2 (956052)]

Okay. Let me see if I have this straight:

We can use a free scanner to eliminate free software inside my anti-free software organization???

How does it know?

[halcyon1234 (834388)]

How does it even know what is open source and what isn't? Does it have a master database of programs? How does it match it? Against an MD5 hash? What if I download a Firefox trunc source code, change a line and recompile it? Will it find it?

And what about something like this:

/* Released as open source. Free to copy, redistribute or whatever you want */
#include iostream.h

main()
{
int myint;
cout << "Enter a number: "
cin >> myint

p0f Anyone?

[mpapet (761907)]

This service sounds suspiciously similar to running p0f. http://lcamtuf.coredump.cx/p0f.shtml [coredump.cx]

OT Question: is p0f the cat's meow or has it been bested?

Why not ....

[PPH (736903)]

... build a scanner that inventories ALL software and catagorized it as OSS, unknown or proprietary/licensed? Odds are its the latter two that will come back and bite corporate IT departments in the *ss if not properly licensed.

VRMS would not approve.

[croddy (659025)]

croddy@localhost $ vrms
               Non-free packages installed on localhost

doom2-wad                 IWAD from ID Software's DOOM 2 computer game
iozone3                   Filesystem and Disk Benchmarking Tool
nvidia-glx                NVIDIA binary Xorg driver
  Reason: Proprietary license
nvidia-glx-dev            NVIDIA binary Xorg driver development files
  Reason: Proprietary license
openlogic-discovery       Tool for locating installed open-source software packages
  Reason: Who needs this - when you've got me?

  5 non-free packages, 0.3% of 1519 installed packages

Since they quoted me..

[Kim weins (1127269)]

I just want to let you know OpenLogic is a big fan of source. Our mission is to enable companies to use more open source software. Our whole business is built around that proposition, so we are definitely not trying to get companies to remove FOSS. The reality is that enterprises we work with are already using lots of FOSS -- whether they realize it or not. However, the corporate legal, compliance, IT and architecture folks want to know that they have certain policies and procedures in place around open source -- especially for software that's going outside the company or software that's going into production. By getting certification, support and indemnification from OpenLogic, it allows the corporate compliance types to feel MORE comfortable about FOSS and therefore be more willing to let developers use FOSS. The reason that we developed this free tool is that when we talked to companies, they weren't really sure what FOSS they were using. For many companies, the asset management tools that they already have in place can not necessarily detect open source software. We wanted a simple tool that would let them create that inventory. As far as registration, we have been debating that internally and have some changes planned to reduce the barriers -- so stay tuned on that front. Kim Weins

Some outfits disallow Open Source applications.

[itomato (91092)]

Even among the companies that will allow just any ol' user to install applications, there are some who have policies against applications that don't come from above.

This could just as easily work in favor of Open Source applications. If typical scans reveal popular apps, and those popular apps are the ones people use with great success, and there are eyes that open to the fact that they too, use Open Source applications, that they are among their favorites, and exactly what Open Source applications are.

In the event that a corporate IT manager looks at some such report, and says to a CTO, "Look, CTO - I told you our Open Source software initiative would work". "Our users are spending 75% of their sanctioned computer time in such applications as Open Office, Thunderbird, and GAIM." "The supplemental reports I have generated show the remaining 25% divided between other Non-Open applications; iTunes, Spybot Search and Destroy, AdAware, ClickMeFun2000.exe, Solitaire.exe, and these commercial products to allow Windows users to our UNIX services."

That's a conversation I'm looking forward to having, because I'm anxious to deliver the punchline!

Persistant home folders on a SAN, with an imaged Linux Desktop! Yes, we can even have anti-virus..

Re:

[The MAZZTer (911996)]

Or you can append a tag onto your e-mail. IE name@domain becomes name+sometag@domain. Then if it gets sent around as spam you know who did it... plus you can filter it out!