“Business Associate” relationship to exist between the developer and the “covered entity” (the company that makes/manages the medical system),
When working on long term projects, we generally will agree to work with only one company in 2
sven vertical market. For example, we are not available for work with other remote cardiac monitoring companies, although we are open for work with other kinds of medical labs, IoT, and telemedicine applications.
Our advisers include a technical investment banker and a few OS developers. One of our adiis-
cers is Stanley P. Hanks, the CTO of Columbia Ventures, which, uni recently, wholly-owned Hiberniabemia Networks, which in turn owns the highest-capacity and lowest-latency transatlantic cable
between Ireland and the US (NYC). Stanley was also the Inventor of Internet VPN’s while at MFS
Datanet then went on to become the CTO of Enron Communications (not the part of Enron that
was involved in the accounting scandal). At Enron he and his team co-invented CDN's independ cently from the team I was associated with at Sokol and Associates, described below, who also co-invented CDN's at the same time
Another adviser of ours is John L. Sokol, who, besides being my boss at the early streaming
video company DVBS in the mid-1990s, was a member of the team that originally put 386BSD up
on UseNet for people to download, back around 1990 or so. FreeBSD 2.0.5 was forked from this
late 1990s effort. The fist time I had heard of 3268S was when I Met Bill Jolt in a Berkeley bookstore in 1986,I had already been using BSD since 4.2 BSD at that point, since I grew up in
Berkeley.
[BSD Mag]: Tell us something about your open source products. Which open source solutions do you use and why?
[AF]: Our main open-source projects have the eventual goal of making an IaaS/PaaS framework
that can be used on the public Internet while meeting the end-to-end encryption requirements of
HIPAA and other high-security standards. Preliminary steps toward that goal include (1) 8 small
scale laa S framework, PetiteCloud, and (2) papi, a hierarchical AP/DB framework that allows full
encryption ofthe DB, as well 25 management of other kinds of resources,
As far as we know, there is no other AP/DB combo with a DB that encrypts entire fles. All other
solutions we know of use encrypted disks, SSL/TLS andlor encrypted DB fields, but NOT fully encrypted records or tables.
PetiteCloud, our IaaS framework, is now good enough for email-business in-house use but nat
yet good enough for data center use (29. itis not yet “lights out" capable, nor doss it currently
have the administrative interface needed for large stale deployment, nor doss it yet have the security features we plan to add soon) — although it is already much more robust, in some ways, than he pel eter ae pao,
For example, PetiteCloud can recover from power failures much more easily than, say, Open-
Stack, and we plan to keep it that way as we scale it up,
PetiteCioud is the only laaS effort we know that is based on FreeBSD and bhyve as is main buildinging blocks. The main design philosophy is to delegate as much as possible to the host OS, which
puts us in contrast to more heavyweight laaS's like OpenStack. We ate currently working on making PetiteCloud fully HIPAA-compliant and date-center-ready.
We are also creating a hierarchical APUDB framework called pAP!, which will become the foundation of our PaaS: thinStom. pAPI can manage heterogeneous collections of resources including,
among other things, records and tables of the aforementioned fully enerypted hierarchical DB.
Another open-source project of ours thet is more mature is thisTest, a Java unitesting frame-work similar to JUnit but much faster and lighter weight.
Since paid work takes priority over our open source work, for obvious reasons, progress on
PetteCloudithinstorm is not as fast as we wish. For that reason, we plan eventually to launch
something like the FreeBSD Foundation sround PetiteCloudthinStorm (and pAPI), and in that
way, enable faster progress without requiring FNWE to become 3 large fim (we want to stay relatively small),
We love the FreeBSD development model, in contrast to the Linux model. The FreeBSD model
allows for mote coherent and focused open-source work. Since we use the BSD license for our our open source work, we also welcome others to use it for their commercial products without
having to pay us royatis.
[BSD Mag]: Is your solution designed for banking and healthcare mostly or can it be used
in any industry?
[AF]: The next major version of PetiteCloudithinStorm will be designed for any cloud computing
applications that require true end-to-end encryption. The need for security is one of the reasons
we choose FreeBSD over other OS's. The other main reason is the legendary stability of
FreeBSD, both as a host and as 2 guest. PetieClouclthinStorm currently runs on both Linux and
FreeBSD as both host and guest (using QEMU on Linux and bhyve on FreeBSD). We will soon
be updating PetiteCloud to allow Windows quests to run under bhyve (it already runs fine under
(QEMU). We also plan to expand our hypervisor options to include VirtualBox.
As we are nearing the first sufficiently heterogeneous version of pAPI, we will be converting PetiteCloud over to it and making PetiteCloud truly end-to-end encrypted. This means it will be usableble in any secure setting, not just medical and banking. We will then turn our focus to thinStorm
to make the only open source PaaS designed for security from the ground up. It will run on hypervisors and not containers/iails, because the latter do not offer enough separation between the
host and guest for the security features we want.
-----
Another unique aspect of all our work is that, since we are not associated with any large hosting
company andlor data center, we are designing PetiteClouslthinStorm to be used outside of data
centers (as well as, eventually, in them). For example, the OpenStack documentation describes
power loss as “the worst possible disaster that can happen to a clouded data center (largely due
to using iSCSI instead of more fault tolerant network file systems ike NFS backed by a ZFS file
server). Since we run PetiteCloud in our non-purpose-built office, it routinely loses power due to
things like one of us kicking the power strip while cleaning the room. The only recovery needed,
typically, is just hooking the power back up. OpenStack, on the other hand, wil brick up if it loses
power for as little as one second.
All the above will make PetiteCloud an ideal private hybrid cloud needed for high security operations in small and medium businesses. For example, once all the security features are added, it
will be ideal for a small bank, law firm, medical clinic/small hospital, etc. We estimate that will enable it to be used by the 49% of the computing word that requires security better than what can
be offered with OpenStack or with commercial cloud providers (without contracting with them for
a private cloud). Since we plan to use PetiteCioudithinStorm to support HIPAA compliant custom
electronic medical records systems, it will mest PCI-DSS also if properly secured physically and
on on a private cloud.
[BSD Mag]: Do you have your favorite open source system?
[AF]: There is not a single system I like the best, but the combination of tools listed below give us an amazing foundation to bull our open source and custom systems on,
I am a FreeBSD fanatic and have used it since 2.0.5, so I would say that FreeBSD is by far my
favorite open source platform. OpenJDK is a close second, though, because Java is uniquely
well suited to the type of development we do. We like Java because it has the software engineering characteristics that allow us to avoid — or, if necessary, quickly debug — life-threatening bugs
in a life-vertical application, without compromising on the security (which is legal requirement for our clients),
Also in the interests of keeping bugs to a minimum, we believe that change management is of
critical importance in large systems. By change management, we mean not just version control
but also atomic change sets, with controlled access to the baseline/repository. For that reason,
our preferred development environment is a combination of devel/aegis (which I am the port maintainer of) and devel/cook (for which I've written a tutorial). Both these tools were developed by Peter Miller and are still, as far as I am aware, the only tools that satisfy all of his three laws of change management. His laws are
1, Without controlled access to the baseline, the number of interactions within a development
team is O(n), where is the number of developers android the number of ies in the source tree
whichever is larger. With controlled access to the baseline, it can be reduced to near O(n)
2. The baseline MUST always be in working order.
3. The software build construction process can be reduced to a directed acyclic graph (DAG),
as described in his paper ‘Recursive Make Considered Harmful
The first law addresses the main reason for change management systems, namely source-code
control. When you have too many people simultaneously interacting with the code, unless you
make sure each is working on local copies unt they ate ready to merge them back into the master copy, they will constantly step on each others’ feet
Then, there is the second law that only Aegis enforces. A good change management system
should make it difficult to check in buggy, non-working code and integrate it into the baseline.
This means atomic checking in of change sets, in contrast to the far less robust check-in procedures of ait and most other version control systems. I have been a strong advocate of the
FreeBSD base system switching over to atomic change sets vs. the git model. If it had, my estimate is that 11-RELEASE could easily have been on time instead of being almost six weeks late
[BSD Mag]: You have been participating in couple of projects and volunteer activities.
Have you ever been a part of open source community? Or is it security you are interested
in more than open source?
[AF]: I have been associated with several open source efforts and we plan to use that experience
to build a strong non-profit organization to handle the care and feeding of PetiteCloudithinStorm
in the long run, As stated above, I am also the maintainer of several FreeBSD ports. My main ar-
2 of interest are cloud computing and security currently, but I am also interested in other types
of open source projects as well
During the early and mid-2000s, I was one of the founders of the now-defunct Software Develop-
lets Cooperative (SDC) that sought to create a set of licenses that would not need dual licensing
to.use open source for commercial purposes. At the time, I had a false understanding of the BSD
license; I thought i, ke some other open-source licenses, forbade commercial use. Once this
misunderstanding was resolved, I cropped out of SDC and started using the BSD license exclusively for my open source work Around this time, I wrote several blogs that examined the problems GPL created for developers who do not get subsidized by their employers/schools for their open source work. The primary issue here is that, while the BSD license is both free beer and intellectual freedom, GPL is only free beer unless you happen to have 2 well heeled employer
behind you instead of making a living from your own work
For this reason, the model we will be using with PetiteCloud thinStorm is a fully free and open-
source core with commercial or FOSS add-ons made by competing groups. The core, though, will
be maintained by a single organization. The closest model is that of the FreeBSD base system
This is a specific example of a larger small business/open source business model we envision,
called neo-Jeffersonianism, which is intended to enable small companies to compete effectively
as clusters against even the largest and most entrenched competitors without losing their individual identities. We believe that, I properly structured, neo-Jeffersonianism could be one of the few
scalable sustainable economic growth models we know of.
“Thomas Jefferson wrote: “I hope we shall crush ints birth the aristocracy of our moneyed corpo-corporations which dare already to challenge our government toa trial by strength, and bid defiance to
the laws of our country.” We don't advocate getting rid of large corporations entirely, since there are many economic activities that can be done only by large corporations. But we believe that the
power of large corporations needs to be counterbalanced by organized clusters of small businesses. Jefferson envisioned a world in which the majority of families owned small farms. That
Particular goal is obviously outdated in today's world of mechanized agriculture, which has freed
Up the vast majority of people to do all manner of other things besides farming, but the next best
thing, consistent with Jefferson's goal of limiting the power of big corporations, is to encourage
the creation of organized business clusters that can enable small businesses to survive and
thrive without requiring huge monetary investments,
[BSD Mag]: You also have a patent! Tell us something about it.
[AF]: A small disclaimer: I am an un-named inventor on the patent, because I left the company
(Sokol and Associates) before the paperwork was complete and thus only John L. Sokol's name
appears on the patent itself, but he has given me credit in the original documentation and elsewhere.
“The patent is for a single threaded web server called AfterGumer, currently posted on Source-
Forge under the BSD lense. The idea is that, for static content (ve. stuff that does not need
backend), the maximum hit capacity of the web server can be cranked up much higher than with
2 threaded web server such as Apache or Tomcat. There are several current web servers based
on this design now, with the best known being thttpd
In testing the prototype of AfterBurner in 1894 and 1985, we were able to support, on a single
Pentium-20, almost the entire load that Yahoo! was reporting for their entire site, yet the CPU was
stil 20% idle. The same machine then maxed out four 1,000 Mbps Ethernet NIC's and was still
running only at 15% capacity. As far I Know, AfterBurner sill holds the raw performance record
{or any web server.
John Sokol and Terry Lambert later adapted the same model to create the first kemel queues implementation for BSD. My understanding is that a variant of this model is sill used in the
FreeBSD kernel
The other items I mentioned above as being the co-inventor of were judged to not be patentable
by Sokol & Associates IP attorney. I guess I will have to live with bragging rights only on them.
(Gee list of links for details.)
[BSD Mag]: What is Rent-a-CTO? Sounds like “Rent a Chief Technology Officer”
[AF]: One of the largest misconceptions many non-technical founders have is what exactly the
role and function of a Chief Technical Officer is, The standard assumption is that it is some kind of
super techie who can jump over tall buildings in a simple leap and can write code by just thinking
about it (no typing needed). The reality is that being 2 CTO is largely a business position rather
than a technical position, although it does require wide-ranging technical knowledge and experience.
The main jobs of 2 CTO are to develop coherent technical strategy, explain the technical aspects of the company to the non-technical stakeholders, and, ina start up, assemble the technical team that will do the R&D and then continued support of the company’s products and service.
This means that most small and startup companies don't need s CTO except when they are making & pivot from one phase of their life to another, and or when they grow. The rest of the time
they don't need a fulltime person in this role. What many small companies and startups do, is to have one fulltime person in the role of both CTO and lead developer. However, a wider
range of technical knowledge can be brought to bear if the company has both a full-time lead developer and a very experienced consultant acting as a parttime CTO. FNWE can provide either
development services or part time CTO services, as needed.
[BSD Mag]: What are the challenges your company is facing at the moment?
[AF]: The main challenge we face is how to balance the demands of our work for clients vs. our
open source work. We have a policy of not billing clients for open source work, even when their
Projects benefit from it
For this reason, we want to move to a non-profit foundation model for PetiteCloudlthinStorm. We
would, of course, be pleased if some of our clients, as well non-clients, made donations of their
time andlor money to the foundation. Sustaining members would have a say in the projects future direction without having to pay, individually, more than a small fraction of the cost. The main
90a of the foundation will be to allow a wider ownership of our open-source projects beyond just
FNWE, so we can get paid for at least some of our open-source work while continuing our policy
Cf not billing our clients for. We do hope, at some point in the future, that the foundation can support one or more full time project developers, since they would speed up development significantly.
Until then, our largest challenge is balancing the demand for immediate paid work with the long term investment needed to make PetteCloud thinStorm a realty
