On 8/3/05, Matt Garman <[EMAIL PROTECTED]> wrote:
> I think everyone on this list has done a wonderful job explaining
> why an OpenBSD box will beat the D-Link practically hands-down.
>
> The cynical side of me thinks that managers, no matter how great the
> reality of OpenBSD, are likely to reject it based on a fear
> and/or ignorance of open source, or with logic like, "Well if it's
> so good, how come I've never heard of it?"

In security I don't see this problem too often, most of the best projects are so esoteric or so expensive that people don't expect to have heard of them, even in the trade rags. OTOH, I've actually had management explain that one vendor was a better choice than another because even though nobody had really heard of either company, the more expensive vendor and product had a name that "sounds more professional". This is why we buy "Intel Pro/1000" instead of "SysKonnect", "Dell PowerEdge" instead of "Soekris", etc.

> I don't know if this thin rationale could be applied to the router
> situation, but there's always the standard line of, "If it breaks,
> who's going to support/fix it?" I doubt D-Link offers this kind of
> warranty, but some manager might think, "Well if it breaks, it then
> becomes D-Link's responsibility to fix it, and their liability for
> any down time and/or security breaches."

I'd venture *every* commercial vendor has a warranty and EULA specifically excluding any liability for downtime, security breaches, etc.

In big corporations, many managers and directors carry the meme that having a big name vendor behind a project or deployment provides somebody to take the fall (Nobody gets fired for buying IBM^H^H^HCisco), and that in general buying the "name brand" is an effective CYA move. When things go south, it's easier to stand in front of the board explaining how a "Cisco" router crashed (in generic terms) than to be justifying any choice that isn't a household word. The day after a major outage is not a good time to be called before the board to explain what exactly an "OpenBSD" is, and why "free" means there's nobody to sue. I'm not saying this is a valid argument, just an effective one.

I will admit that when you have an entire Cisco-based network lock up at 2AM, it doesn't take long for the vendor to get their grief counselors on a conference call to fill your ears with reassurances of how their engineers are working fervently in the lab to recreate and resolve your problem. This is one area where the big vendors have OpenBSD beat hands down.

> Another cynical view is that managers don't like having their
> employees knowing more than them or any kind of non-commodity
> knowledge (aka "intellectual capital"). E.g., with OpenBSD, it's not
> "common knowledge", and expertise in that system might make you, as
> an employee, not replaceable or not easily outsourced.

I believe this to be a very common subliminal belief among managers, not something they are comfortable revealing to front line staff. OTOH, I've used this "all employees must be readily replaceable" idea to OpenBSD's advantage, citing the widespread deployment of OpenBSD (as documented by the bsdcertification.org "task" report) to not only justify using OpenBSD for production, but also to include OpenBSD as a requirement on our open position postings.

Kevin Kadow

(P.S. If you still feel up to dealing with megacorporation management after reading the above, I can be contacted off-list. This is a senior full-time staff position in Chicago, no paid relocation, must have an IT degree and/or extensive experience in corporate IT security. Expect a lot of Cisco questions.)