From: "David Kaufman"
Date: 19 October 2005 8:20:55 AM
To: "fsb"
Subject: On Topic: Sell your free software "lifestyle" business for
nine figures
Yes, you too can sell your Free Software Business for hundreds of
millions of dollars. All you need is a business model like this one.
Check Point to acquire Sourcefire for $225 million.
http://business.newsforge.com/article.pl?sid=05/10/14/1927228&from=rss
"Sourcefire is the company behind Snort, an open source network
intrusion detection system (IDS). Snort, first released in 1998 under
the GNU General Public License (GPL)... Sourcefire's founder and chief
technology officer Martin Roesch [and uh, author of snort] said in a
letter to users last week that Snort will remain free, as the software
continues to be distributed under the GPL. "The community continues, as
always, to be important to us as a group of people who use the code
pervasively throughout the entire Internet, report on problems and make
suggestions and contributions to the project. Check Point is very
excited about continuing Sourcefire's involvement with the open source
community."
I've posted on this list in the past about Sourcefire's clever
"separation" of the business from the free software project at the
heart
of all of it's products, Marty's elusive www.snort.org, and how
Sourcefire.com doesn't even link to snort.org or vice versa.
Sourcefire's "public-facing" business model would seem to be high-end
security hardware, but it's success is well known to be directly due to
it's use of snort at the core, and snort's author being it's CTO. Some
here have criticized this approach as being, at best, "dependent on the
stupidity of the end user" and at worst just plain deceptive marketing.
This "business model" of selling way-overpriced hardware with our
software in the hopes that people won't understand where the software
ends and the hardware begins, some of us might feel, is a deceptive
trade practice that would be insulting to the end-users of any free
software product.
And it would be, if our would-be customers were typical participants
in open source software projects. But they're not. That's us.
Customers are them. Those that need us. The thing is, as subscribers
to this list, we should have figured out by now that to make
practicing the art of Free Software creation into a profitable
business, we're going to have to look outside of our comfort zone for
customers. Other software developers, our colleagues, employees of
software companies and software hobbyists are not going to buy our
products; they are not going to make us rich. The guy who is willing
to pay cash is the one who doesn't want to have to be bothered
learning about it, talking about it with other customers, and
contributing to the effort. He wants the benefits, preferable
instantly and with as little pain (=thought) as is humanly possible.
Our "users" on our mailing lists and bug trackers, they do what we do
and therefore they don't really need our expertise, so much. Plus like
us they're cheap as all hell. They get to use free software for free
by paying with their time and effort. Customers pay us for the
convenience of having neither to wait, nor to think.
To find customers we have to find a way to make the stuff we are so
close to (the software) that we're not be able to see it objectively,
appeal to people whose perceptions of *us* coders and what we do are as
unclear and downright distrustful as our perceptions of ...say,
graphic designers and advertising executives :-) It's not rocket
science to make software sexy, to make it sell, to package it and
market
it and make it appeal to the emotional needs of would-be end-users.
It's just distasteful to us as developers. It's a sales thing. It's
inherently dishonest and, as Sourcefire has been characterized
hereabouts, deceptive.
But is it? The approach is an intriguing best-of-both-worlds scenario
where clueful software developers (and those who employ them) who are
interested, involved in the project, or simply not lazy can use snort
(note the intentionally geeky, unappealing brand name) in all it's
glory
for free and with freedom, by simply downloading it, compiling it,
installing and operating it properly (four steps, of increasing
difficulty, especially for an intrusion detection system!) They pay
the
price of their time and effort, as they prefer.
Meanwhile those who require high-end security (purchases), prefer a
pre-packaged solution, want a hardware warranty too, need 24-hour
support, and/or are impressed by 1U rack systems sporting racy
iridescent colors, can pony up the 5-figure price tag for what is
essentially snort plus a commodity server and a web control panel.
Wait. No, I take that back. That's not a fair characterization of
*all* the customers who pay the 1000% markup for a free software
package
installed on a server. Many of them are smart enough to know what they
do not know. Smart enough to know that any box running snort,
installed
and administered properly is more secure than a proprietary product
from
ahem, Checkpoint, Cisco or whoever else that sells their source-secret
IDS in red 1U shrink-wrap. Other customers understand simply that
their
go-to geeks all rave about how good Sourcefire is (for some reason) and
trust their judgment, word of mouth being the best advertising, right?
Yeah, yeah, ok so what's the point?
We all buy books based on their covers and good marketing people surely
advised Marty (rightly) that corporate IT Managers need to have a red
box with green blinking lights on it to show for their $25,000 security
upgrade expenditure. It doesn't matter that snort provides the
security
for free. It matters that they can show their bosses what they bought,
that they can reassure the open-source nay-sayers that it is a "real"
commercial product with commercial-grade support, and that the
documentation doesn't have random omissions, misspellings, whimsical
humor or anything else that might prove to be job-threateningly
embarrassing, if (when) a security incident occurs and people are
Monday-morning-quarterbacking their choices.
So Sourcefire sells a really reliable piece of hardware, supported by a
really supportive hardware vendor that just happens to also be the
software engineering team that built (and still maintains) the
best-of-breed software for powering hardware like this to do this job.
It is painted red, and it has green lights on it and snort in the core.
I think it's neither deceptive nor derogatory to your users to adopt a
business model like this. I think it might be a stroke of pure genius.
I also think if MySQL sold Big Blue (4U at least!) database servers
with big RAID arrays filled with hot-swappable drives, dual redundant
power supplies, and tens of gigs of RAM in them, combined with First
Class support as well as DBA software/admin support...? Then! Then
Oracle, MS SQL Server *and* HP might have some problems on their hands.
The key attribute that makes Sourcefire, in my mind, neither
deceptively marketed nor condescending to its customers is that it
*is* the best IDS out there, and it is worth the money (to some). The
fact that we open source developers find it's true value in the (free)
*software* while corporate suits and certain IT gearheads find its
value in, well, the accountability of the company and quality of the
machine, respectively, just tells us that Sourcefire has rounded out
their product extremely well so that it appeals to that which is
valued most by *all* of the likely stakeholders involved in the
typical corporate purchasing decision for such a product. The
hardware guys, the software guys and the guys who just show their
bosses the blinking lights in the server room all love it. Marty's
managed to engineer the quality of the hardware, and of the service,
and of the *packaging* all to match the high quality of the software,
which is simply masterful marketing.
You love your software? Why then *wouldn't* you sell it in the
over-powered fire-engine-red package on which is deserves to run?
Anything less would be like selling Pioneer stereos and amps with tiny
cheap speakers (or no speakers at all!)
Their money truly is far better spent on a Sourcefire box than on the
competition's offerings which are all either proprietary-software
publishing companies who happen to bundle hardware and make money on
selling you annual licensing upgrades, or hardware companies doing the
reverse... For a company that doesn't have a developer who could setup
and administer snort, Sourcefire's steep price buys Marty's company's
expertise in picking the right hardware for you, installing it right so
you don't have to, documenting how to use it, and holding your hand in
its proper care and feeding.
I'm looking for other Free Software Businesses that employ this
snort/sourcefire style approach. Businesses that do not deceive their
customers about the source (or cost) of the software, but rather
emphasizes some other bundled value that they've added. That
value-add doesn't *have* to be shiny hardware but it has to be
something that the customers value as much or even more, something
that is merely *strengthened* by being "powered by" the open source
software. My Linksys (cough, Cisco) wireless access point is probably
a case in point. I didn't know when I bought it that it ran Linux
inside. What I knew was that it was configured out of the box to do
what I wanted done, had a web interface in case I need it to do
something else (within reason), and that it did it non-stop, as
reliably as hell. Oh, it runs Linux? Oh well that explains how great
it's been. I've since bought several more, because the fact that it
runs Linux is just added justification for the simplicity, flexibility
and reliability, and that is all I'm really willing to pay for.
Of course, few of us may even be able to recognize these cases in the
world around us, since we are so focused on the software, we see
packaging, pre-configuring, web-enabling and so on as merely things
which may *adorn* our software rather than the other way around... In
fact, a value-add that can make a free software business succeed can be
just about *anything* (as long as your target market isn't open source
software developers...), maybe professional services, convenient
packaging, stellar documentation, fanatical support or whatever
customers are buying...prestige would be interesting choice. I'd
really
like to compile a list of the secret sauces that make it acceptable, in
a capitalist corporation, to pay Real money for Free software?
Thanks in advance for more examples that support my new little
hypothetical world-view. Examples to the contrary will be tolerated
too
:-)
-dave