SMART - Student-Managed Access to Online Resources

The Business of Open Source

lukaszmoren — Mon, 19 Dec 2011 20:52:51 +0000

“I’ve experienced quite a bit about how open source works. It’s been a wonderful learning experience for me and definitely turned me from someone who thought open source code and developers were somehow not as good as closed source equivalents into a person who knows that the opposite is most definitely the case!”(Mark Little, Red Hat, blog)

Indisputable fact of today’s worlds is an existence of many IT companies that based their success on the Open Source. Talend, Alfresco, Cloudera, Mozilla and last but not least: Red Hat/JBoss (How JBoss did it!) are great examples of that.

Many more, Google, Facebook, Microsoft and Yahoo and many more, provides commercial services, and are not entirely based on open source projects, but helps their communities, seeing obviously support business model in there. Growing popularity of cloud computing has been giving birth of new open source cloud platforms, high performance distributed computing, decentralized and scalable databases. Many of these solutions does not have comparable closed ones and all of them in some way constitute of the revenue for the enterprises.

Even though, many businesses are constantly striving for using closed source software provided by “big vendor’s”, with very expensive and professional marketing machine. Good, that there is slow, but visible movement towards open products build within communities. Benefits of that movement are getting more and more visible, followed by many successful stories. That is caused by many advantages of the Open Source.:

No vendor lock-in

There is no need to depend on any software vendor. Open source projects are free, and publicly available for everyone without requirement to sign purchase agreement. Take it and use it is the only rule. That gives high flexibility for any organization. If product does not suit your requirements you can simply change it without breaking contract and loosing money.

In more advanced cases you may want to have professional support for the open source product from external company that knows well this particular solution. Most of the times you can choose from at least few companies. Sometimes vendors provide a commercial version of open source projects. Using them make sense if you need very stable product, 24h support, SLA or customized functionality. Even if it looks like traditional vendor lock-in it is common practice that you require from them continuous compatibility with open source version, e.g. every feature requested by you that is added to commercial version is contributed back to the community. Then, you can always resign from their services and choose open source stack.

Continuity

If you purchase closed product you take the risk that vendor will not bankrupt or shutdown project while you use it. You may easily end up with “black box” product, not developed anymore with potential bugs and security issues that you cannot fix. Replacing solution with competitive one is not usually easy way either even if both are standard compliant. With Open Source you never come across that. In the blackest scenario you have source that you can modify, add new features, fix bugs or train developers to expand it further.

Companies competition

In most cases every mature open source products have several companies that provides professional services or commercial version of it. This provides to much healthier market than in single, monopoly vendor situation. Companies supporting clients has to compete with price, better adherence to the standards and services quality – often employees of these companies are commiters to open source projects and knows them very well.

Zero entry cost

It is always good practice to try out several solution, to choose most suitable one before deploying it within your organization. You can test several open source projects without any cost and choose one that best matches you requirements.

Reduced overall costs

From the business perspective what matters the most is TCO (Total Cost of Ownership) that determines direct and indirect costs of purchased software. There is plenty of arguments in Open Source favour:

Zero purchase fee.
No license fees, e.g. for every product user (does not increase cost when you organization grows)
No organizational administrative costs to purchase software, updates etc.
Competition in the markets keeps lower support costs and quality services
Eliminated risk of closing project by the vendor or vendor bankruptcy

Security and quality

Open source projects code is publicly available and may be seen by anyone. This causes that many developers from all over the world, browse actual source code, find bugs or security breaches and contribute patches. All they have different background, specialties, education so they focus on different aspects of the product. That makes overall open source software very reliable, consisting best practices of software engineering.

Open source software engineers produces much better code than in closed projects as code visible to their colleagues, random programmers or potential future employers.

Engineers are happy

That is what marketing and business people does not usually understand. Most of the engineers love to work for companies that has interesting and creative projects and uses “cool” technologies. Job then allows them not only to pay bills but as well fulfill their ambition, get chance to exhibit themselves in absorbing tasks and have satisfaction from what they are building. I’ve talked with few developers that were ready to agree to the lover salary in favor of working on more interesting projects.

Using and contributing to open source projects allows developers to interact with many different people from around the world, even if it is usually just through an email conversation. Developers may fix bugs add new features in whole community benefit. Their work is then visible for public and done in cooperation with other project members. Comparing to the internal team or particular customer. That makes them happy and encourages work. It’s completely not different from other technologist professions. The best enjoyment for an architect is to see that bridge he designed helps thousands of people, every day to move side to side.

Easier to add new features

Open Source gives you another benefit. Faster changes introduction comparing to the closed source software. It may take long time before your “big software vendor” gives you feature you requested. That depends how much money your organization pays for support and SLAs. Release proccess in community projects is much flexible and in the critical situations you can introduce change on your own.

Benefit from each other

If software is build by the community, many people and companies contributes to that. Not every functionality that your organization wants to use has to be implemented by your software vendor. In open source very often you get it for free, just because somebody else within the project community had similar problem to you. On the other hand, code contributed by your organization may be used by others. It’s a mutual benefit.

Have influence on a standard

Very often reference implementation of the standard specification is implemented as open source project. It allows all involved in the standard parties to work on the development to fulfill all theirs priorities. Even more often happens that implementation is done beforehand standardization. If your organization is one of its creators, you can influence the way that standard goes.

This article is a mix of our thoughts and discussions over last ApacheCon NA 2011 in Vancouver, BC that SMART project was able to attend. Thanks very much for TAC team for the support.

User eXperience & Trusted Claims for UMA – New presentations!

Maciek — Mon, 25 Jul 2011 15:21:13 +0000

Our colleague Domenico Catalano has just finished his stay at Newcastle University. During his stay Domenico has given two presentations – one on Exploring Visualization Techniques to Enhance Privacy Control UX for User-Managed Access and the other on Extending the UMA Protocol to support Trusted Claims.

The first presentation is an attempt to enhance the graphical interface by use of visualizations in order to make the interface more self-explanatory and intuitive for the end-user.

The other presentation on Trusted Claims explains the concept of Claims-based Access Control and its role in UMA. The brief summary of his contribution can be seen here:

According to this approach the decision to grant access to a protected resource is made based on the requesting party information such as name, age, email address, role, location or credit score. In the presentation two user scenarios are shown: Enterprise class scenario and social/web class scenerio.

OAuth 2.0 Implementation in Python

maciejmachulak — Sat, 23 Jul 2011 21:44:39 +0000

The SMART team has just released a new OAuth 2.0 implementation in Python. You can find the source code here and the documentation for the library is available here. The library in Python has been developed entirely by Jacek Szpot (with a little help from the SMART team). Jacek joined SMART around 4 weeks ago and we are very excited about this first release.

The OAuth 2.0 Python library has been released under the Apache 2.0 license and we plan to continue further development. As always, we very much appreciate feedback and we’re open to suggestions on how to make the library better!

SMART Mobile – Coming Soon!

Maciek — Fri, 22 Jul 2011 10:31:14 +0000

Very soon, we are planning to release a mobile version of the SMART Authorization Manager, called SMART Mobile. This application has been designed to work with Android devices (> 1.5) but it will work on iPhone and other smartphones too. Each app user needs to register at www.smartam.net and generate the API KEY using the provided API. This API KEY has to be then copied to the settings form of SMART Mobile. This applications allows the user to view a log of access history and access requests on his or her smartphone. This way as an owner of protected resources, you can always track and have more control of your data on the Web.

To obtain an API KEY you need to log into your account at www.smartam.net. Go to an account page, and generate your API KEY.

Domenico & Jacek join SMART

maciejmachulak — Thu, 30 Jun 2011 14:55:34 +0000

We are extremely happy to announce that the SMART Team has 2 new members – Domenico Catalano (Oracle Corp., Italy) and Jacek Szpot (Wroclaw University of Technology, Poland). Domenico’s theoretical knowledge and real-world experience in the areas of security, usability and software development will help with addressing issues and concerns raised in the initial UX study of SMARTAM. Jacek, on the other hand, is gaining experience in the areas of software development and Web security and will help with progressing with development of the UMA/j framework. Stay tuned for more exciting news!

SMARTAM with History log and Access Requests log

maciejmachulak — Thu, 30 Jun 2011 11:05:36 +0000

We have just launched a new release of SMARTAM at www.smartam.net. Apart from fixing a few bugs, this release comes with two brand new features:

History log
Access requests log

History log is a list enabling you to see who accessed your resources and when. This way you are given even more control over protection of your resources and you are always able to follow what happens to your data. The other feature - Access requests – is a list of notifications from your friends who have heard about your data (e.g. newly uploaded photos) and have sent you a request to be able to access this data. You can then easily grant access to the requested data (according to your preferences!) instantly as this feature is located in the sidebar on almost all the pages of SMARTAM. This way you will be always sure that you didn’t missed anybody while setting security and privacy settings for your resources! Read more to see example screenshots!

SMARTAM v2.0 – Public Beta

Maciek — Fri, 27 May 2011 16:09:39 +0000

SMARTAM v2.0 (http://www.smartam.net) is a user-managed authorisation manager for aggregating, sharing and protecting your online data. It allows you to register any kinds of Web resources (e.g. documents, photos, videos, etc) and share them with people from the contact list. As a user of the authorisation manager you can store various resources at different Web applications, in this version: Facebook, Picasa, and Gallerify.me!. Then, you can share these pictures by defining who can access them. All in one place, using a simple and friendly UI!

The current version of the SMARTAM application it is integrated with Gallerify.me! – an online photo gallery service and, as such, it allows you to protect and share your photos. What you can do is store your photos at gallerify.me (or Picasa and Facebook!). Then, by simply clicking on the ‘share’ button, you can set up sharing permissions and choose contacts form your Facebook list. It’s that simple! Others can then access your photos (in a secure way!) using the Gallerify.me application. However, they can also use external applications, such as Smartfetch. Or they can even build their own applications against the Gallerify.me Web API.

You can find out more here. We very much appreciate your feedback – in case you find any bugs or would if you’d like to suggest new features and improvements – let us know by using the built-in feedback system (provided by BetaEasy) or by sending us an email at smart ncl.ac.uk

Internet Identity Workshop 12

Maciek — Thu, 26 May 2011 12:21:02 +0000

At the beginning of May 2011, the SMART team attended the Internet Identity Workshop in Mountain View, CA. This was a great opportunity to present our work and to discuss it with other people from the community. The team scheduled to give three presentations  and a demo of the newly released SMARTAM application. During our presentations, we talked about User-Managed Access (UMA) and SMARTAM (an UMA-based Authorisation Manager).

We described the current situation and explained why protecting online resources with the UMA protocol is a better solution over the existing ones. We mentioned our   OAuth Leeloo and UMA/j framework. We showed how it fits into identity management and social networking. We discussed the flow of the protocol using our system – host, authorisation manager and reguester applications. Acting both as Alice and Bob, we showed how to control data (yes! YOU should be in control of YOUR data). We also described our user interface (UI) of the Authorisation Manager and presented the UX Research Study that we conducted some time ago at Newcastle University. Plus we had a lot of fun meeting and listening to other people. We received a lot of feedback that we greatly appreciate!

Along with presenting our own work, we also attended presentations by other contributors. We attended the Google’s presentation on their Identity Toolkit. An avant garde login solution allowing the user to choose their favourite identity profile such as Gmail, Yahoo or AOL account. Google Identity Toolkit (GIDT) is a free component for web developers, for those who ask their users to login with their e-mail and password.
It allows to replace that pattern with federated login. GIDT is used at Google to allow users to login to their services, it also supports login with Yahoo, Hotmail and AOL accounts. GIDT is available as a javascript widget and either a Java or a PHP library.

Yahoo presented their Relying Party experience piloted at Flickr – a step in work on OpenID single sign-in. As a Relying Party, if you turn on your Yahoo account for OpenID access, Yahoo will allow users to register at different OpenID parties with their Yahoo account. It will simply assert to any OpenID-enabled application that you are who you claim to be at Yahoo. If the user has a Yahoo account, they suggest the user link the OpenID account and the Yahoo account.

Apart from technical presentations there were also a few discussions on the concept of identity and personal data. Venessa Miemis led a talk on Identity as selective pressure on biology. The discussion was devoted to the awareness that the data we produce is held by other parties, such as the government, banks, insurance companies and we pressume this information is private and protected. We’re generating our digital identity along with our context of space and time. Our private chats with friends, as well as shopping habits are stored and hosted somewhere, yet we don’t really access that data. The importance is if we realize how much is revealed, and whether by privacy we mean protection of sensitive data or rather concerns how vulnerable are our secrets.

Personal Data Ecosystem’s team was wondering what’s the state of today’s personal data. The discussion was if it is stored and controlled with accuracy. Participants were discussing if the data is transparent while it is passing between different hosts as well as what are the rights of data owners. In conclusion the necessities for the future were defined, as there is a requirement to conduct more user research, finding methods for data visualization. All participants agreed that trust frameworks are essential to establish relationship among technology, law and data management.

Identity Deployment of the Year (IDDY) 2011 Award

maciejmachulak — Sat, 19 Feb 2011 20:05:33 +0000

We’re pleased to announce that the SMART project has won the prestigious Identity Deployment of the Year (IDDY) 2011 award, in the Emerging Applications/Proof of Concept Category. The IDDY is awarded yearly by the Kantara Initiative, for deployment and development of identity management software. Previous winners include Google, US DoD, Vodafone, NTT and Oracle. This year’s winners were US National Institute for Health and Newcastle University. The Newcastle award was presented to Maciej Machulak during the Identity Collaboration Day in San Francisco.

“With the increased amount of services available on the Web, the end user is no longer able to easily control access to their distributed data and is often paying the price in both privacy and convenience,” said Maciej Machulak, who leads the SMART project. “User-Managed Access and SMART aim to provide a solution to this problem. These approaches allow people to apply the necessary security and privacy controls to their personal data while retaining all the benefits of social interactions and data sharing that the Web environment offers.“

Read more about the award and this year’s winners at the official Kantara Initiative website here. UPDATE: More press coverage available here, here, and here.

smartam. v2.0

Maciek — Mon, 14 Feb 2011 18:54:28 +0000

The totally new smartam. is soon to be released as one of our User-Managed-Access Web applications. It will be based on the newly designed and developed UMA/j framework. It will allow its users to share their online resources from various cloud-based Web applications and fully-control the level of sharing policies. Sign up for notifications about the release at http://www.smartam.net.