ROME: INQ spent two days in the hotter-than-London splendour of Rome last week as the guest of Open Xchange, one of those companies that you may well use every day and not even know.
Open Xchange offers an open source alternative to the likes of G Suite and Microsoft Exchange, as well as a range of security products. All are available free of charge to companies and businesses alike and are used by some of the world's biggest telcos for their customer email offerings.
How does OX make money? Like many open source players, customers use the service gratis, but the big ones pay for support in making it work for them.
CEO of OX is Rafael Laguna, who will be familiar to regular readers as a man we regularly pester for his opinion on matters related to this sort of thing.
We caught up with him in the grounds of the Casina Valadier, nestled in the stunning Villa Borghese which played host to the Open Xchange Summit, a mix of outdoor keynotes and gritty deep dives into making the most of your installation.
We start by asking Rafael about the company and how the last year has been: "On the mail and productivity side of the house we've upped our market share of IMAP servers to 75 per cent - so that's 75 per cent of IMAP servers in the world using Dovecot, which gives us an active user list of about two billion."
That figure doesn't include the likes of Gmail and other ‘OTT' accounts which represent around half the overall market, but of the remaining half, that's three out of every four seats being filled using Dovecot, the open source server software which Open Xchange is a custodian of.
"We're getting reach, we're getting use cases we never even dreamed of, we're being bundled with all the distributions, with all the NAS servers and porting of it to Raspberry Pi type stuff - and that sample size gives us the best QA we can get, so we can probably safely say that we're the best IMAP server."
He's serious, but also very self-aware of how that may sound. It's worth remembering that all Open Xchange instances are unique to that customer so what seems like thousands of splintered services are in fact one big one, isolated, which means that hacking them at a "master level" is impossible. Plus as many companies run the software without any support from OX, there's loads of instances that the company can only suspect are out there.
"It's the best example of how open source works and how eventually open source is going to eat the software world. You heard Tim (O'Reilly) talk yesterday about the generosity of providers and how some are losing that generosity. Open source is still the best example of how to be generous in the software world," explains Laguna.
"At the moment we're only monetising around 50 - yes - five zero - out of six million servers deployed and that's the commercially critical platforms - the ISPs who are willing to pay us the big money to help them keep those platforms up and running. That money is being used to further develop the software from which other users benefit, so that's quite a generous model, isn't it?"
But it hasn't stopped the company getting bigger than the 40 or so that worked there when we first encountered Rafael a few years ago.
"At the same time it has allowed us to grow - we're now a company of 270 people, two-thirds of which are engineers, a lot of them from the community so we're now able to give them ‘bread' for their work. A lot of people say open source is lots of hungry engineers working for free. That's not true.
"Open source is a very good way of learning how to do engineering and when you're good, people will find out and start throwing money at you. It's a great independent model of going about your career."
There's always scope to talk about how great open source can be when you're chatting to Rafael. After all, that's his job. But the need to use peer-reviewing and create common standards goes way beyond your email. Take autonomous cars for example:
"I think many people are realising that making cars autonomous by making one car autonomous is not going to work. Because we're not even close to an AI that has a world view like we've got and can figure out what on earth is going on. Once we start networking the cars, and maybe even the people through their devices it becomes much simpler because we know where everyone is in relation to each other. At the moment we have lots of cars with competing protocols and nobody really knows how to go about it."
At this point he makes a proclamation: "The only way to do it is open source. Let's create the internet of cars!"
But of course, the only way that will work is if the system isn't owned by anyone who is charging huge licence fees to make it work. We live in a world of silos and it's going to take a lot of persuasion to make the big players play nicely.
We move on to talk about the newest addition to the OX family. OX Protect offers a more advanced way to deal with the nasties of the internet, by going to the heart of the matter, through something that can make people glaze over a bit: DNS.
"The main way that we provide an offering is through DNS. About 35-40 per cent of the world's workloads are through PowerDNS which is probably the best standard out there at the moment.
"Now, on top of that, the next stage is filtering the DNS. Some of our customers are obliged by law - like in the UK, ISPs have to block sensitive content like violence and porn, but they also have to offer the option to switch that off because you don't want censorship. So we work with the list providers who provide the dynamic streams, almost, of bad domains and categorisations, and we provide a plug into DNS and PowerDNS, and we provide APIs so the switching on and off can be pulled into applications.
"With OX Protect we're going one step further and providing middleware and an app ecosystem that does all that. It allows us the ‘head' of the family to control access to devices, it detects the devices, even IoT devices and says 'Oh your cheap Chinese camera on your network wants to talk to twenty Chinese servers, do you want to allow that, yes or no?' or perhaps your daughter's iPhone, you can say, 'right, I don't want violence on that device'."
Laguna adds: "And once again the business model is from monetising the large providers for whom it is a large value add to their core service so when you get an internet service and it also allows you to control both outbound and inbound, that's something quite valuable to most people."
We move on to talk about the wider topics at hand, and at this point, he makes one of those "obvious when you think about it" points that manages to shock, because - let's face it - we don't think about it.
"If you think about it, both Apple and Google have a database of every single wifi access point in the fucking world with usernames and passwords because we're putting our details in to log in to these networks on our phones which means all this user data flows into one database, and not only do they know which access points are being used. Is it just for location? No! They've got the data for every wifi point in the world. So we're all going 'wifi security great, dah-dah-dah' when there's these databases out there that can access every network."
Rafael doesn't swear much, but for this, it feels very called for. We ask if, in that case, he thinks it's too late to change things.
"Let's put it this way, you could write a novel that ends with dystopia end of the world because someone hacks Google and some bad actors get control and bring the world to a screeching halt, and it's not so far fetched, so you might say ‘yeah but Google has the best security guys in the world' but maybe there's legal access because you're Donald Trump and you have legal access under the Patriot Act, or maybe you're a little smarter and you're in China or Russia and have access to a few thousand guys who can just hack Google.
"So, can it happen? Yes, it can. Is it too late? It's going to be very hard to find alternatives to these silos that big companies have created. Is there a solution? It's always the same. Open Source, Federated, DNS."
So what's the solution?
"Someone could come up with a fully federated open source operating system for phones, where the data is stored for long enough to enhance services and then forgotten again. Of course I want my wifi password stored, because I don't want to have to keep typing it in every time, but that could just as easily be done and encrypted on my device, or even sent to a cloud using encryption that can be decrypted by anyone outside my device - so end-to-end - done. There's no barrier to this. It could happen. But these surveillance capitalists need it for their business model."
The paranoia causing a slight sweat (though that could be because the midday sun has moved from behind the trees) we turn back to OX. Because surely, if anyone can use the software, anyone with a mind to could also hack it? Laguna says no:
"First of all, due to the distribution that we have, a bad actor can only break in to one of the components, if they modify the code to break into everything, at least you can have a mechanism to avoid that. If you are using the software for something systems critical then of course you're not going to have the OpenSSL model where some tired hacker is adding code on 31 December which then ends up baked into the next release - that is stupid, and of course open source can do stupid things too, but we also have process release management and governance, quality assurance and so forth to ensure that we don't release crap. And we can do that in a much more intelligent way because we have more eyes looking at it.
"So yes, a bad actor can break in, but only to small badly managed nodes and not the whole thing. But it's not like you're hacking a billion users, you're hacking a few thousand. It's much lower risk. It doesn't mean it's not going to happen, but it's a lot safer - you're not going to bring the world down any more."
We ask what would happen if Google decided that it was going to use Open Xchange, knowing what we know about them, if there's anything he could do:
"There are lots of companies that we know are using our software, that we don't officially know, including some big names (the tape goes off briefly at this point - suffice to say, yes, very big). What we say is that we have principles and we won't do business with you, but that won't stop them finding someone else who will - it's open source. I don't think it's bad - I mean, at least they're using good software, and if that company is using it to spy on their users, hopefully the users find out and move to a platform that uses our software properly because now I know I have a choice and I don't have to use that particular deployment. Our users and our community take care of getting that message across."
So does it ever become necessary to step in when a company has made a complete hash of setting up their instance of OX? The short answer, Rafael explains, is ‘yes', but there's a plan in place for that:
"We try to avoid that using best practices and what we call ‘customer success services' and help a company that perhaps is migrating to us, how to convey that to our customers. For example Italia Online, which is the biggest email platform of Italy, and they've recently migrated 12m users from a consumer platform, to OX. And change is always bad, let's face it, people like what they know, but from those 12 million users, Italia Online only had an eight per cent rise in complaints during the transition which went back down to normal afterwards. In total it was something like 18,000 complaints, and that includes genuine bugs, because in a deployment that size, you're bound to create a few, but given the size of the change from a 20 year old mail app, that's super smooth."
So that's the success. What about the failures?
"I can't name names, but we've had a couple of occasions where we've tried to dive in and save them, but remember of course - they don't have to listen to us. It's very sad, but some of the big deployments only use about 3 per cent of the features - because every feature they deploy is a support risk and so don't roll it out, but they're quite often missing the boat because people do get smarter, especially with younger people coming in who do know what over the top providers like Gmail can do. It's often not where you're going, it's where you're coming from, and if you're migrating from a 20 year old email program to something that looks like a space station it can be too much for some users."
Most of what OX exists for is to be an alternative to the big, closed source players. We ask if there's ever a problem keeping up:
"The open source model does a lot of work for us, so I feel comfortable that a lot of stuff, especially the back-end stuff, is better, it just is, in terms of security, flexibility, durability. As for the front end, we're really not trying to go into a ‘feature contest' with competitors, we're trying to listen to what users want, and of course different things are important to different people, but you find the twenty per cent that are most important in common and that's what we do.
"We have an Office suite for example, but the main feature of that is ensuring compatibility with Microsoft Office, so the 20 per cent that need features that we don't have can carry on using Microsoft, and collaborating with the 80 per cent who do not."
Impressive. But how do you keep compatibility with one of the most notoriously closed-source companies in the world?
"One of the great things the EU has done is to force Microsoft to open its formats using a standard called OOXML - that's the .docx and .xlsx format. That allowed us to create our own Office suite with full compatibility. So if you can do that, why enforce that change? Stay agnostic. Make sure Microsoft stays true to its word. So we keep Microsoft honest, which the user doesn't get forced to use a data format they don't want to - and hardcore LibreOffice fans will hate me for that - but we chose to support both - we like the ODF initiative and format, but put it this way, we don't feel the need to force people on to it."
Lunch time is drawing near and we suspect that Rafael is going to have to go off and as we put it to him "do CEO things". With that in mind, we ask what he hopes will be the success stories over the next year.
"One of our big things for this year is Chat over IMAP, so I hope we release a version of Dovecot that supports it which can then lead to the liberation of realtime chat - a federated, open way of doing realtime chat because there's no technical or security reason why it has been siloed by those guys."
It's true. 10 years ago there was a common standard which meant that most Chat clients were intercompatible. Maybe Chat over IMAP could be the start of a return to a common standard. And speaking of common standards, OX is also working closely with an initiative that is designed to replace the likes of Facebook and Google becoming the quick (lazy) way to sign in to websites.
"The other one is the id4me initiative which is really close to my heart because that's hijacking of your login ID by those guys - that's kind of fun, we have no controlling stake in that but being part of the invention and using my network to win people over to start using it, that's very fulfilling. It's playing a part in keeping the internet open and if I did even a small part of that, I'll be very happy indeed."
And with that, we leave Rafael to "go do CEO things" and we get back to sunning ourselves under a tree. μ