Great Circle Associates Firewalls
(April 1995)
 


Subject: Re: TRUST US? (Getting Source)
From: "S. Alexander Jacobson" <alex @ virtual . office . com>
Date: Sun, 30 Apr 1995 12:12:35 -29900
To: "Johnson-Bryden, Ian" <IJB @ saicuk . co . uk>
Cc: "'Firewalls @ GreatCircle . COM'" <Firewalls @ GreatCircle . COM>
In-reply-to: <2FA39A52 @ smtpgty . saicuk . co . uk>
Reply-to: "S. Alexander Jacobson" <alex @ virtual . office . com>

People here have been arguing over
1. Is it better to have source?
2. Does anybody need source?

A simpler and more complete way to phrase the question is:
"How valuable is source to each party involved in a software/firewall 
purchasing decision?"

There are basically two types of decision makers:
A. Those who in the end are responsible for network security
B. Those who pay them

B types don't care at all about source.  They just care that the job gets 
done.  They make a choice of hiring an internal tech guy, hiring a 
consultant, and purchasing shrink wrapped solutions.

Each A type doesn't want anyone else altering their setup.  It is their 
ass that's on the line and they want to know that they are only 
responsible for the decisions they make.  

*Shrink Wrap Vendors
Therefore the shrink-wrap vendors believe themselves to have final 
responsibility for security.  They don't want to be held responsible for 
screw-ups by end-user altering their software.  They have also innovated 
and want to earn revenue from their innovations. They have many customers 
so the needs of individual customers aren't all that important.  They 
can force some to wait for fixes to various problems and for ports to new 
os's.

*External Consultants
Aren't doing much innovation. They are responsible for customization at 
the site, and need access to some configuration tools.  In essence, they 
value-add other parties' packages.  They seek the safety of being able to 
blame the vendor.  They are most interested in the two layer (security, 
config) approach discussed earlier.

*Internal IS
Knows that the real responsibility lies with them.  They are incredibly 
concerned about each detail of the software on their system.   They are 
doing the maintenance and know that their head is on the block if things 
break.  They feel the need to know everything that is going on and they 
need to have bug fixes yesterday.  It is Internal IS that most wants 
source.  

Given these needs how about a component solution:
Software vendors: Rather than packaging monolithic tools, vendors 
distribute small testable pieces.  They can show that each of these 
pieces works and can therefore avoid some blame for end-user 
configuration problems.  

Security Consultants are responsible for integrating the pieces (knowing 
that each is secure). Security consultants are responsible for keeping up 
with news relating to all security products and keeping their clients 
informed. 

Internal IS: Gets pieces they know work (thanks to the vendor), in an 
observable and (hopefully) reliable configuration thanks to the 
consultant.  The Internal IS can swap individual pieces as necessary 
because the pieces are functionally easy to understand.  They get updates 
about problems and prospective fixes.  Since the pieces are easy to 
understand, the consultants can replace them with other pieces as bugs 
are discovered.

-Alex-

_____________________________________________________________________________
S. Alexander Jacobson             Internet                Virtual Office Inc.
alex @ virtual . office . com    Consulting     info @ virtual . office . com
http://vo.com/people/alex/           **            http://virtual.office.com
1-212-799-2645 voice             Technology        gopher.virtual.office.com
1-212-799-1075 fax                Strategy         telephone: 1-800-TODAY-VO




