As some of you know, over the past 9 months, I’ve been heavily involved in the establishment of Humbug. For those who may not know, Humbug is a Call Analytics and Fraud Analysis SAAS. Now, differing from many of the current telephony SAAS projects, we are not based on Amazon EC2 or some other public cloud infrastructure, we build our own cloud environment. Why do we build our own cloud? simple, we need to keep your data secured and confidential. At Humbug, we see ourselves as a cross between Google Analytics – in our ability to analyze and handle data and Verisign – in our security and confidentiality requirements and methodologies.

Question be asked, why do people trust Verisign to provide SSL certificates around the world. What makes Verisign’s CA better than a privately owned CA – the answer is simple, it’s a third party 2 entities can entrust at the same time. Humbug aims to provide the same lever of trust, simply because we regard your data as sacred and valuable.

Since about 2 months ago, we’ve been contacting various Asterisk integrators around the world, inviting them to evaluate Humbug services. Now, while some integrators and vendors were somewhat reluctant, others were more than happy to join. We now have over 250 monitored systems around the world, with system being monitored and analyzed in Israel, USA, UK, Brazil and more.

The thing that amazed me in regards to some of the integrators who decided not to participate was that they claimed: “we provide our customers our own brew of fraud analysis service, we don’t require your SAAS”. Now, while I can accept the fact that an integrator would offer such a SAAS as an in-house service, I can’t see why a customer would rely on these services. In my view, relying on your integrator to provide fraud analysis services is like relying on the integrator of your alarm system to provide hired guard services – it just doesn’t make any sense to me. Why doesn’t it make sense? in Hebrew we say: “Go prove that you have a sister”. Imagine that your PBX integrator offer you such a service, then, in some obscure manner, your PBX gets hijacked and you get slammed with 50K$ worth of phone calls to Somalia. Now, your integrator would say: “Hmmmmm… that’s odd, we didn’t even get those CDR events to our system… you really got hacked bad…” – sure, if you only rely on CDR records to do your analysis (which is what 99.9% of integrators do). There is much much much much more to fraud analysis than just CDR analysis – if it all began and finished with CDR analysis, then by far Cvidya, Verint, NICE and many others would have been made redundant.

Allowing your integrator to provide you with fraud analysis SAAS is like putting the fox to guard the hen house, when things louse up (and they may), he’s the first one to bail out saying: “It’s not my fault”.

Humbug takes a totally different approach to fraud analysis, specifically, in the way we regards the various PBX systems and integrators. We are vendor agnostic and integrator agnostic – we will provide you with the clear and concise information you require in order to make an educated decision as to how you were de-frauded (if de-frauded) and provide you a faster alerting and response time. Our recent adventures had lowered our fraud alert response time from 60 minutes, down to 14 minutes in some cases. Most fraud analysis system carry a 24-36 hour turn around time, by that time, you can be out of 50K$ – our aim is to lower that number to no more than a 100$ in the worst case. Ambitious? yes, down right crazy? probably so, but we always say: “Aim for the moon, you’ll land on a star!” – so we know we’ll get there.

Over the years I’ve seen many scams running on the net. Ranging from the ever annoying chain mails to the ever popular Nigerian Sting – Internet fraud is all around us. Lately, I’ve been hit by a new type of fraud attack, a domain registration fraud attack – mainly located in China and Hong-Kong.

As you may know, I’m the owner and CEO of a company called GreenfieldTech, dealing with Asterisk and VoIP application and platform development. Now, we operate world wide and render services to some of the world biggest brand in the telecom industry. So, we take our copyright and brand very seriously, when we receive an indication that someone is or may be infringing our copyright or brand, we take a stand for it.

So, today I’ve received this email:

Dear CEO, 

We are a domain name registrar centre in HongKong,and in charge of the registeration in
Asia, We have something important need to confirm through your company. 

We received a formal application from a company called "Hempus International Holdings
Ltd" applying to register 

Internet keyword :     greenfieldtech 

Domain names :

 greenfieldtech.asia    
 greenfieldtech.cn    
 greenfieldtech.com.cn    
 greenfieldtech.hk    
 greenfieldtech.in    
 greenfieldtech.mobi    
 greenfieldtech.net.cn    
 greenfieldtech.tw

In China and also in Asia on January 21 2010. During our auditing procedure we find out
that the alleged "Hempus International Holdings Ltd" has no trade mark,Intellectual
property, nor patent even similar to that word. As authorized anti-cybersquatting
organization we hereby suspect the alleged "Hempus International Holdings Ltd" to be a 
domain grabber. Hence we need you confirmation for two things:

First of all, whether this alleged "Hempus International Holdings Ltd" is your business
partner or distributor in China.

Secondly, Whether do you need to protect the intellectual property right which should have
belonged to you?. (The alleged "Hempus International Holdings Ltd" will be entitled to obtain
a domain not needed by  original trademark owner.)
If you are not in charge of this please transfer this email to appropriate dept.in order to
deal with this issue better, please let someone who is  responsible for trademark or domain
name contact me as soon as possible.
_____________________________________________________________________________________________
 Confidentiality Notice: This is a letter for confirmation. If the mentioned third party is
 your business partner or distributor in China please DO NOT reply.  We will automatically
 confirm application from your business partner after this audit procedure.we have to notify
 you,and our registration organization are  not responsible for any dispute questions about
 trade mark,intellectual property nor patent after they succeed in registration.hope you can
 understand.thank you.
 ____________________________________________________________________________________________

Sincerely,
  kaka.xu

Sponsoring Registrar:sk holdings company ltd 
 Web:www.sk-dns.org/www.asia-gov.com
 Tel:00852-95660489 / 00852-95660103 
 Fax:00852-30696940

Email:kaka.xu@skdns.org/

Address: 3A, Units 20/F, Far East Consortium Bldg, 121 Des Voeux Road, Central, Hong Kong

kaka.xu

2010.01.21

So, this is obviously a scam, as when I searched the alleged company, I couldn’t find anything. However, the term “International Holdings Ltd.” had produced many scam alerts and related information popped up everywhere. Now, bear in mind that this is the 10th time them past 2 months that I’m receiving such emails. So, I’ve formulated the following response to them, and you are welcome to use it:

Dear Kaka,

Thank you for contacting us in regards to this matter, to be completely frank with you,
we’ve received over the past 2 months a similar request/demand from various Asian registrars
in China/Hong-Kong. Through our contacts in the far-east, we’ve concluded that your
request/demand is fraudulent, and that the company you indicated doesn’t even exist.
Please note that your approach to us claiming that someone wants to infringe our copyright
and brand had been noted and passed to our legal department. In addition, we’ve forwarded your
email and general company information to various SPAM, Abuse and Security teams that are in
contact with us around the world (mainly, [Mention your really BIG business partners and
large customers here - also through in some ISPs in the far-east, specifically China). Should
your company register ANY of the below mentioned domain names or keywords, following this email,
we shall be forced to follow legal actions in accordance to the laws of the state of [Put your
country here] and other countries where our company has representatives or local business
engaged partners.

P.S.

[Always add a personal note - and refer to something in the mail they sent, for example]

On a personal note, when sending emails to anyone in Israel, I would suggest that you choose a
different name, other than Kaka. Kaka in Hebrew is directly related to the bodily function of
purging waste – also known as taking a dump in the toilet.

Last night I met with a friend of mine, Mr. Doron Ofek. For those of you not familiar with the Open Source market in Israel, Doron is the one person most affiliated with RedHat in Israel, as Doron championed the adaptation of RedHat Linux servers in various enterprises and government offices in Israel. Doron is currently heavily involved in the OpenMoko project and its adaptation and promotion in Israel.

We spent a great deal of time last night, talking about the various aspects of Open Source training in Israel – as both us provide various training services to this market sector. While I’m mostly focused on Asterisk Training, Doron is focused on Linux and XEN training. Both of us have some our training routes knee deep in Israel’s computer/IT training companies, namely Matrix, Hi-Tech College and John Bryce. We both talked about our discontent with their inability to promote and market Open Source training courses, simply because they have no idea what these are.

For example, while Hi-Tech college were incapable of signing up a single person for an Asterisk Bootcamp course, I had signed up 10 people to a my first bootcamp – without any marketing or sales budget, simply by putting out the word in the right places. Now, Hi-Tech college has a list of over 5000 people who studied Linux and other Open Source and networking subjects in their college – should have they been able to gather up at least 10 people as well (less then 0.5% of their entire customer base)? the answer is a definite yes, why were they unable to do so? simply because they have no idea what Asterisk is, how it can be marketed, how it can sold and how the customer should be approached.

Doron had indicated a similar issue with both John Bryce and Matrix – however, due to other reasons. However, Doron had managed to sell quite a few training courses for Linux on his own – without any help from the big boys – how did that happen? how is it possible that Doron and I succeeded where the other colleges had failed? how can that be? – then we both realized why eventually, proprietary software will die and the Open Source movement, over the course of time, will simply negate the presence of proprietary software – simply because Open Source people provide for better marketing strategies and methodologies.

Did we learn how to do marketing on school? are we marketing people by nature? the answer is NO – we learned how to market our belief in the Open Source initiative over the course of time. We championed Open Source in various enterprises, events, public speakings and other places. We were the “soap box” speaker at Hide Park’s Speakers Corner, we were that crazy man on the street screaming: “The world is coming to an end, repent!” (well, you know what I mean) – but all in all, as time progressed we learned how to market the Open Source initiative and our belief – the large enterprises are stuck in their own belief and stagnant marketing strategies and plans. As time progressed, the various “champions” left the large enterprises, simply because they got fed up with the wrongful methodology of these and followed their own path – and doing so with moderate success.

In my belief, as time will progress, the large enterprises will surely migrate to the Open Source, and I won’t be surprised if within a period of 5-6 years Microsoft will be shipping out a version of Windows that is based on the Linux Kernel – or another Open Source distibution methodology. Call me crazy, call me chaotic, call me a dreamer – but mark my words – this will happen.

OK, saying that the Tux pengiun is cute and fuzzy, and saying that it is one of the cutest mascots in the world is one thing. But using it as the logo of a company that manufactures “Fever Pads”, now that’s something completely different.

The following image was taken using my cell phone, when I was visiting “Super Pharm”, in Eilat. For all the people not from Israel, “Super Pharm” is the Israeli equivalent to the American “Duane Reede” (NYC) or CVS (world wide) or the UK based Boots.

Linux based Fever Pads

So, what do you think, are these guys using Linux as an integrated part of their “Fever Pads”?

As an Open Source consultant and evangelist, I’m sometimes amazed at the sheer GPL violations companies do, in the persuit of an exit. First of all, let us understand that general aspects of utilizing a GPL product:

1. You are FREE to download, use and modify any given source code.
2. In case you re-distribute your modified code, one of the following MUST apply:
   • You must re-distribute your code in source form to your customer, and/or
   • You must contribute your modifications to the main source code of the project, and/or
   • You must obtain a proper license/permission from the original author of the open-source code you are using.

These are more or less the basics, in lamen’s terms – without getting into the legal stuff that is usually some acustomed to these issues. So, in general, the basic limitations about using Open Source in a commercial products are mainly related to re-distribution. Modifications for personal-commercial usage (as long as no-distribution is performed) is permitted.

My work mainly involves the Asterisk Open Source PBX project. The world PBX market is a multi-billion dollar market, thus, for a company to infringe on the Asterisk GPL code may be a highly lucrative violation.

I’ve recently learned that 4 different comanies in Israel, all operating within the office PBX market, are violating the Asterisk GPL code. One company had embedded Asterisk as an auto-attendant and voicemail, while another had embedded it as a smart call-routing engine. Now, in general, if they would have used Asterisk as-is, that wouldn’t have been a problem. However, they had performed modifications to the Zaptel drivers, to work with their proprietary cards, they had modified the Asterisk code to work with various processors (mainly ARM) – and when asked for the modified code, their immediate claim would be: “Sorry, that is proprietary information”.

My main concern here is different, as companies will always be companies. All these modifications are performed by Open Source consultants and evangelists. Question be asked, why would an Open Source aware consultant enable this? the answer is simple, he needs to EAT! For the sake of making a living, sometimes (usually most of the times), a consultant will put aside his belives and idiology and will perform a violation knowingly. He would usually explain the violation to the customer, in such a way, that makes him feel good about himself and will pass the responsibility to the customer.

While the above may pass the responsibility to the customer, the consultant is as guilty (from my POV) as the customer. A consultant permitting the violation of GPL code can’t be considered a true Open Source conultant and Evangelist. Open Source is not only a way to earn some money, it is a way of life and a methodology of behavior – if one truely believes in it, one should stick to it all the time. If you know that a project you are about to take is a GPL violation, you should do the following:

1. Don’t accept the project, till the customer had given you a written proof that they are aware of the GPL violation, and their commitment to contact the original authors to obtain a proper license to the code.
2. Don’t accept the project, till the customer had given you a written proof that they are aware of the GPL violation, and their commitment to release the modified version of the code to the public or to the up-stream project.
3. Don’t accept the project, till the customer had given you a written proof that they will re-distibute the modified source code to their customer.

 If one of the above is not met, simply DON’T TAKE THE PROJECT!