Subject: On Topic: Sell your free software "lifestyle" business for nine figures
From: "David Kaufman" <>
Date: Wed, 19 Oct 2005 02:20:55 -0400

Yes, you too can sell your Free Software Business for hundreds of
millions of dollars.  All you need is a business model like this one.

Check Point to acquire Sourcefire for $225 million.

"Sourcefire is the company behind Snort, an open source network
intrusion detection system (IDS). Snort, first released in 1998 under
the GNU General Public License (GPL)... Sourcefire's founder and chief
technology officer Martin Roesch [and uh, author of snort] said in a
letter to users last week that Snort will remain free, as the software
continues to be distributed under the GPL. "The community continues, as
always, to be important to us as a group of people who use the code
pervasively throughout the entire Internet, report on problems and make
suggestions and contributions to the project.  Check Point is very
excited about continuing Sourcefire's involvement with the open source

I've posted on this list in the past about Sourcefire's clever
"separation" of the business from the free software project at the heart
of all of its products, Marty's elusive, and how doesn't even link to or vice versa.

Sourcefire's "public-facing" business model would seem to be high-end
security hardware, but its success is well known to be directly due to
its use of snort at the core, and snort's author being its CTO.  Some
here have criticized this approach as being, at best, "dependent on the
stupidity of the end user" and at worst just plain deceptive marketing.

This "business model" of selling way-overpriced hardware with our
software in the hopes that people won't understand where the software
ends and the hardware begins, some of us might feel, is a deceptive
trade practice that would be insulting to the end-users of any free
software product.

And it would be, if our would-be customers were typical participants in 
open source software projects.  But they're not.   That's us.  Customers 
are them.  Those that need us.  The thing is, as subscribers to this 
list, we should have figured out by now that to make practicing the art 
of Free Software creation into a profitable business, we're going to 
have to look outside of our comfort zone for customers.  Other software 
developers, our colleagues, employees of software companies and software 
hobbyists are not going to buy our products; they are not going to make 
us rich.  The guy who is willing to pay cash is the one who doesn't want 
to have to be bothered learning about it, talking about it with other 
customers, and contributing to the effort.  He wants the benefits, 
preferably instantly and with as little pain (=thought) as is humanly 
possible.  Our "users" on our mailing lists and bug trackers, they do 
what we do and therefore they don't really need our expertise, so much. 
Plus like us they're cheap as all hell.  They get to use free software 
for free by paying with their time and effort.  Customers pay us for the 
convenience of having neither to wait, nor to think.

To find customers we have to find a way to make the stuff we are so
close to (the software) that we're not able to see it objectively,
appeal to people whose perceptions of *us* coders and what we do are as
unclear and downright distrustful as our perceptions of ...say,
graphic designers and advertising executives :-)  It's not rocket
science to make software sexy, to make it sell, to package it and market
it and make it appeal to the emotional needs of would-be end-users.
It's just distasteful to us as developers.  It's a sales thing.  It's
inherently dishonest and, as Sourcefire has been characterized
hereabouts, deceptive.

But is it?  The approach is an intriguing best-of-both-worlds scenario
where clueful software developers (and those who employ them) who are
interested, involved in the project, or simply not lazy can use snort
(note the intentionally geeky, unappealing brand name) in all its glory
for free and with freedom, by simply downloading it, compiling it,
installing and operating it properly (four steps, of increasing
difficulty, especially for an intrusion detection system!)  They pay the
price of their time and effort, as they prefer.

Meanwhile those who require high-end security (purchases), prefer a
pre-packaged solution, want a hardware warranty too, need 24-hour
support, and/or are impressed by 1U rack systems sporting racy
iridescent colors, can pony up the 5-figure price tag for what is
essentially snort plus a commodity server and a web control panel.

Wait.  No, I take that back.  That's not a fair characterization of
*all* the customers who pay the 1000% markup for a free software package
installed on a server.  Many of them are smart enough to know what they
do not know.  Smart enough to know that any box running snort, installed
and administered properly is more secure than a proprietary product from
ahem, Check Point, Cisco or whoever else that sells their source-secret
IDS in red 1U shrink-wrap.  Other customers understand simply that their
go-to geeks all rave about how good Sourcefire is (for some reason) and
trust their judgment, word of mouth being the best advertising, right?
Yeah, yeah, ok so what's the point?

We all buy books based on their covers and good marketing people surely
advised Marty (rightly) that corporate IT Managers need to have a red
box with green blinking lights on it to show for their $25,000 security
upgrade expenditure.  It doesn't matter that snort provides the security
for free.  It matters that they can show their bosses what they bought,
that they can reassure the open-source nay-sayers that it is a "real"
commercial product with commercial-grade support, and that the
documentation doesn't have random omissions, misspellings, whimsical
humor or anything else that might prove to be job-threateningly
embarrassing, if (when) a security incident occurs and people are
Monday-morning-quarterbacking their choices.

So Sourcefire sells a really reliable piece of hardware, supported by a
really supportive hardware vendor that just happens to also be the
software engineering team that built (and still maintains) the
best-of-breed software for powering hardware like this to do this job.
It is painted red, and it has green lights on it and snort in the core.

I think it's neither deceptive nor derogatory to your users to adopt a
business model like this.  I think it might be a stroke of pure genius.

I also think if MySQL sold Big Blue (4U at least!) database servers
with big RAID arrays filled with hot-swappable drives, dual redundant
power supplies, and tens of gigs of RAM in them, combined with First
Class support as well as DBA software/admin support...?  Then! Then
Oracle, MS SQL Server *and* HP might have some problems on their hands.

The key attribute that makes Sourcefire, in my mind, neither deceptively 
marketed nor condescending to its customers is that it *is* the best IDS 
out there, and it is worth the money (to some).  The fact that we open 
source developers find its true value in the (free) *software* while 
corporate suits and certain IT gearheads find its value in, well, the 
accountability of the company and quality of the machine, respectively, 
just tells us that Sourcefire has rounded out their product extremely 
well so that it appeals to that which is valued most by *all* of the 
likely stakeholders involved in the typical corporate purchasing 
decision for such a product.  The hardware guys, the software guys and 
the guys who just show their bosses the blinking lights in the server 
room all love it.  Marty's managed to engineer the quality of the 
hardware, and of the service, and of the *packaging* all to match the 
high quality of the software, which is simply masterful marketing.

You love your software?  Why then *wouldn't* you sell it in the 
over-powered fire-engine-red package on which it deserves to run? 
Anything less would be like selling Pioneer stereos and amps with tiny 
cheap speakers (or no speakers at all!)

Their money truly is far better spent on a Sourcefire box than on the
competition's offerings which are all either proprietary-software
publishing companies who happen to bundle hardware and make money on
selling you annual licensing upgrades, or hardware companies doing the
reverse... For a company that doesn't have a developer who could set up
and administer snort, Sourcefire's steep price buys Marty's company's
expertise in picking the right hardware for you, installing it right so
you don't have to, documenting how to use it, and holding your hand in
its proper care and feeding.

I'm looking for other Free Software Businesses that employ this 
snort/sourcefire style approach.  Businesses that do not deceive their 
customers about the source (or cost) of the software, but rather 
emphasize some other bundled value that they've added.  That value-add 
doesn't *have* to be shiny hardware but it has to be something that the 
customers value as much or even more, something that is merely 
*strengthened* by being "powered by" the open source software.  My 
Linksys (cough, Cisco) wireless access point is probably a case in 
point.  I didn't know when I bought it that it ran Linux inside.  What I 
knew was that it was configured out of the box to do what I wanted done, 
had a web interface in case I need it to do something else (within 
reason), and that it did it non-stop, as reliably as hell.  Oh, it runs 
Linux?  Oh well that explains how great it's been.  I've since bought 
several more, because the fact that it runs Linux is just added 
justification for the simplicity, flexibility and reliability, and that 
is all I'm really willing to pay for.

Of course, few of us may even be able to recognize these cases in the
world around us, since we are so focused on the software, we see
packaging, pre-configuring, web-enabling and so on as merely things
which may *adorn* our software rather than the other way around... In
fact, a value-add that can make a free software business succeed can be
just about *anything* (as long as your target market isn't open source
software developers...), maybe professional services, convenient
packaging, stellar documentation, fanatical support or whatever
customers are buying...prestige would be an interesting choice.  I'd really
like to compile a list of the secret sauces that make it acceptable, in
a capitalist corporation, to pay Real money for Free software?

Thanks in advance for more examples that support my new little
hypothetical world-view.  Examples to the contrary will be tolerated too