HarryUnit
13th July 2006, 16:24
Do I need to worry about source code that may be on my system? How would I find it?

mark_h
13th July 2006, 16:50
We do not own source, but with patches and baan support we end up with some source here and there. We never worry about it, but I wished we owned source code.

HarryUnit
13th July 2006, 17:04
Is the source that stays behind from patches and stuff all Ok from a license point of view? I would like to track down what is there...

mark_h
13th July 2006, 22:53
As far as I am concerned - yes. You might want to check with Baan - your PMC's should not include source, but I do think sometimes they include source. I also know some of the Baan techs have put source out there to help us. I used to have a program that looked out in the UNIX directory to see if source existed but that was lost in one of our migrations or upgrades. I really do not even worry about it.

Francesco
14th July 2006, 14:38
I just heard the other day that SSA is auditing existing customers in Europe. They hired a UK company to install some sort of spyware at existing sites, which then reports the presence of source code, the actual number of licenses used, named users, etc.
After they gather this information, they then offer to correct your system according to the license agreement (for a fee of course).

What surprises me most of all, is that there are apparently companies that agree to this.

Anyway, I don't have the facts. If anybody knows more then please share. I am sure the US market will get hit next.

mjrusso
14th July 2006, 15:14
They are auditing our company right now (in the US). We checked with SSA and no, this is not optional. They will get to you also. Just wait.

EdwinvdBorg
14th July 2006, 15:28
Hi,

This issue is nothing new and the auditing has been going on for some time now.
See also this thread: http://www.baanboard.com/baanboard/showthread.php?t=26446.

Interestingly: ... There is a rumour going on that in Italy SSA even used the police to enter a customer's facility to have the tool check that customer's BAAN environment.

So, good luck with your own audit(s) and please do cooperate because "resistance is futile".

Regards,

The Borg

en@frrom
14th July 2006, 15:51
The police?? Are they out of their minds??!! Anyone more info about this??

Francesco
14th July 2006, 16:03
And I don't mean to restart an old discussion, but to add my 2 cents to the existing debate....

If I were responsible for a computer system running SSA software, I would not allow the installation of software that I didn't ask for. If I wanted that, I would run a Microsoft environment :D

I don't know what the legal consequences are in this matter, but to my mind it sounds as if I should allow my baker to search my house whenever he wants, because the fact that I purchased his bread puts me under suspicion of stealing his pastries. I would love to see this go to court.

Francesco
14th July 2006, 16:20
Do I need to worry about source code that may be on my system? How would I find it?

To find your sources, look for objects (files) starting with the letter p anywhere in your $BSE/application directory. These are your source files.

Burn them to a CD labeled 'NOT for SSA auditors' and you will have nothing to worry about :D
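
The search described in the post above, written out as a script: this is an added example, not part of the original thread and not SSA's audit tool. It assumes GNU find, sha256sum and date; it records a hash and timestamp per file so that a later run can show what was added, changed or removed.

```shell
#!/bin/sh
# Added example: inventory of files whose name starts with "p" under an
# application tree (per the post: "$BSE/application").
# Assumes GNU coreutils (sha256sum, date -r FILE) and no newlines in paths.

# inventory_p_files DIR
# Prints one tab-separated line per file: sha256, size, mtime, path.
# Sorted by path. Returns 2 if DIR is not a directory.
inventory_p_files() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    find "$dir" -type f -name 'p*' -print | LC_ALL=C sort |
    while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        mtime=$(date -r "$f" '+%Y-%m-%dT%H:%M:%S')
        printf '%s\t%s\t%s\t%s\n' "$sum" "$size" "$mtime" "$f"
    done
}

# compare_inventories OLD.tsv NEW.tsv
# Prints ADDED / CHANGED / REMOVED and the path, comparing by sha256.
compare_inventories() {
    awk -F '\t' '
        FILENAME == ARGV[1] { old[$4] = $1; next }
        {
            seen[$4] = 1
            if (!($4 in old))        print "ADDED\t" $4
            else if (old[$4] != $1)  print "CHANGED\t" $4
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED\t" p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Stand-alone use: ./inventory.sh "$BSE/application" > baseline.tsv
if [ $# -gt 0 ]; then
    inventory_p_files "$1"
fi
```

Keeping the first output as a baseline and comparing later runs against it gives a record of when such files appeared or changed.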

dave_23
14th July 2006, 17:32
As far as I am concerned - yes. You might want to check with Baan - your PMC's should not include source, but I do think sometimes they include source. I also know some of the Baan techs have put source out there to help us. I used to have a program that looked out in the UNIX directory to see if source existed but that was lost in one of our migrations or upgrades. I really do not even worry about it.


I agree, best to check with SSA.

From my experience, PMC delivers source for sessions, libs, etc. however they are all unusable since they all have various includes that are required to compile them - which are never delivered.

So, I think you're fine audit wise. Also it's the functionality of the PMC product, I don't think they'd expect you to remove sources that they are delivering. (For example - if they wanted to - they could write a PMC patch to clean it up based on your license info)

I've been audited by Microsoft, Oracle and SSA. It's a common software company practice, I try not to take it personally =). Sure, the Oracle auditors might come out, personally, buy your whole team dinner and mink stoles for everyone. But I guess I'd rather have SSA spending what little money they have on improving the product.

Dave

mark_h
14th July 2006, 19:13
Well I can see us letting them Audit license usage, but trying to charge us to fix their problem would cause some problems. And yes I could see that ending up in court - that is what our legal department is for. I mean the Baan techs have provided us source code so we could debug their problems. The Baan techs have also left source code on our system - and yes most is unusable because of the includes. As far as I am concerned we do them favors by helping to locate and fix problems. I think we have a "good working relationship" with SSA at this point.

tjbyfield
17th July 2006, 04:34
I just heard the other day that SSA is auditing existing customers in Europe...

If this is not a hoax then Baan is in much worse shape than I thought.

Sounds like a desperation reflex to me. Wringing the last drop of licence/support income from the dying product sounds like a terminal strategy that will just prolong the agony. The company needs a sales and marketing team (and strategy) whose task it is to make sales.

It will be interesting what Infor have in mind. Whether they keep the baan product alive (which will necessitate continuing development activity) or whether they will be more interested in the myriad of other products that SSA have collected.

ciatecmx
17th July 2006, 19:12
I found the source file starting with p under $BSE/application, but the date seems a little old. Because as I know the contractors finished the installation 4 months later. So the source codes are not the final codes?
What is the normal SSA audit schedule? annually or semi-annual or? Does it count for a copy on Development environment?

chi

mark_h
24th July 2006, 17:37
What is the normal SSA audit schedule? annually or semi-annual or? Does it count for a copy on Development environment?

There is no audit schedule that I know of and I am not sure what they do about development companies. All I know is we use one license server to serve all of our companies.

My boss just informed us today that someone that was subcontracted by Baan to perform audits has contacted her. She called them the SLAM group (not sure if I heard correct or not) out of England. She has not actually talked to anyone and is waiting for a phone call. So far all she said was they want her to download some program and run it to create an encrypted file for her to send to them. Will have to find out more about this - I think our legal department would have major problems with this. Will be interesting to see what happens. I think the company would not have a problem with them auditing the license file - but not through something encrypted.

Markus Schmitz
25th July 2006, 10:41
Hi everybody,

we have a saying in Germany, which roughly translated reads like this: Nothing is eaten as hot as it is cooked.

This applies specifically for the whole SSA Audit scare. Look at it like this:

a) Check your Baan contract for anything related to the topic. In some contracts SSA actually write, that they are entitled to do such an audit and then apply something like a "charge-by-use" model.

b) If your contract does not mention anything, then in most countries SSA/Infor is still entitled to check the proper use of the granted license. This does normally NOT include the installation of a tool to sniff your network at your own expense and risk. But it might as well include sending over a team to personally check the use of the Baan license.

In Germany the topic of the audit is an old story and the whole thing was delayed for many months by playing a cat-and-mouse game:

- the customers requested the file format to be explained and all collected data to be described. This took months to answer by SSA
- the customers requested a written statement by SSA to cover all created costs, if the SW to be installed would cause any harm (slow down the network etc.). This stopped many of the audit attempts
- the customers requested SSA to cover the cost to hire a third party to check the audit tool by a third party and also cover the actual installation costs.
- the customers refused any installation and offered politely, that somebody of SSA comes in person to double check. Due to the number of customers involved, this happened only a few times.


In the end, I got the feeling the audit procedure was a means to scare existing customers to buy some additional licenses. To be fair, if a baan customer is using more licenses than he actually bought, then he should buy. If not, then nothing will happen anyway.

I also have a pretty low opinion on the genius, who came up with the whole idea at SSA from the beginning. It would have been dead easy to change the license daemon in such a way to properly monitor named users where applicable and not concurrent. It would also have been easy to incorporate the audit tool as a daemon in the next portingset. They did none of this. So I assume the intention was a different one from the beginning. In my whole history with Baan the whole audit issue ranks highest in annoying customers.


Regards

Markus

P.S.: Like always the above is just my personal opinion and does not constitute legal advice. If you want to go head-to-head with SSA/Infor, then seek proper legal advice from a qualified lawyer.

Manbod
31st July 2006, 01:45
It would seem that the string that started with source code issues has grown into one regarding the whole audit process that SSA have been conducting for years. I am reliably informed that all the software suppliers we have, who audit us, have rights to do so under International law and common law of my country. They can protect their IPR. We consider the whole exercise as one that helps us to maintain compliance, we are following a SOX compliance discipline, and our external auditors want to see us clean up. We also feel that if there are people out there not paying their dues then the others, us, suffer by paying more or we all lose out on future development of the product we have invested millions of dollars in.
The reply about the Police in Italy should have been given more thought, if the police were involved in one case out of the thousands who must have been audited, then does that not tell you something was very wrong?
We get audited by everyone, we don't mind it helps us, we pay our way. The last reply from Germany sounds like it took up as much of your time as it did SSA's. I can't see the purpose unless you have something you did not want seen. You must install all kinds of software without seeing the code, like Baan!! Unless you do have the source.
Now the original topic, source code. We have been trying to develop a validation routine, it's not so easy as just listing files. We just can't spare the resource to do it, business gets first priority. We would like a tool to do it, does anyone have one; or heard of one available. Maybe SSA auditors would like to provide one? We would gladly buy it so that we are in control. What we really object to is SSA and others offering consultancy services to come in and clean up source and when they find we have used it (or our external consultants did), they offer us additional maintenance agreements to cover the modified code, and just because an external consultant put source on your box, did they have the right to the source, on YOUR box. It's licenced to a machine is it not?
If anyone has heard of a tool please let me know. We hear that North America is going to be the next continent for the source code search!!

tjbyfield
31st July 2006, 10:22
It would seem that the string that started with source code issues has grown into one regarding the whole audit process that SSA have been conducting for years...Now the original topic, source code...

There are some aspects of this issue that I do not fully understand.
(1) Why would any viable company want to use a product or licence seat that it is not legally entitled so to do? (and risk the legal consequences)
(2) How the Baan licence daemon can allow a user logons that are not licenced?
(3) Why does baan bother to go to the trouble of obscuring access to source code that for about three quarters of its customer licence base is 10 or more years old and written for an archaic architecture?
(4) What revenue would baan lose (or gain) if source code was viewable for all implementations? (Would it be consultant/partners who would be impacted?)

It will be interesting to see how Infor approach business and especially whether baan will continue to be regarded as a legacy licence/support Milch Cow or whether it is regarded as a (elderly) strategic software product that will receive additional investment to maintain/extend its life and market potential.

Terry

Manbod
31st July 2006, 22:31
I have followed a few related posts to see if I can get a consensus. Your question about why would anyone want to use licences they have not paid for? well I would say that my IT management/developers they have little time to spend on anything but delivering to user demands. I know we should control user numbers but it gets put back down the to do list. I believe that there are some who would deliberately not want to pay, but for most of us it is by default not desire. The audit will help us in our compliance program. Thanks SSA.
One post says that the licences are based on different user types but the licence daemon (do you know it works correctly!) only checks for concurrent sessions. If your licence is for named then it is names that you have to count. I don't believe the daemon is meant to be a contractual measure, it's just a measure.
I am sure that the age of the software has little to do with the IPR laws, most ERP software has base code that was created 20 years ago!!
Baan source code is viewable, you just have to buy it. The previous posts that indicate the 'leaving behind' of code is a worry, we always trust Baan and third parties to remove when they are finished. It seems they don't. I would try to put myself in the position of the software designer, owner. If it was yours and you needed revenue to stay around, would you not want all users paying you for your product.
The source code issue is the one we are concerned with, we want to tidy up. we want to know what we have. We can look at licence management later.

Francesco
1st August 2006, 10:23
Frankly I don't even care if SSA is in its right or not. There are some aspects of the matter that bother me, and not just me.

1. I don't want third parties installing spyware on my systems. Not even if these third parties are contracted by my software vendor and not even if this is done with the best intentions. It is simply 'not done'.

2. As always, SSA services don't come for free. It is my understanding that they will charge to make you compliant. If someone gets charged, or risks getting charged, by having source code that was put on their system _by SSA/Invensys/Baan_ then this practice produces a less than pleasant odor.

3. Baan's licensing system has always been time consuming, cumbersome and clumsy. Instead of annoying their customers with this exercise, they would be taken a lot more seriously if they developed a decent license monitor as part of their product. I understand that this is impacted by the many different porting sets that are out there, but that is THEIR design and therefore THEIR problem.

Overall, SSA is shooting themselves in the foot with this. Maybe they gain a few license fees here and there, but I doubt those will pay for the cost of this operation and I am certain that it will not be worth the goodwill from their loyal customers that is trashed in the process.

en@frrom
1st August 2006, 10:32
Francesco, well said!!

csecgn
2nd August 2006, 14:03
If they didn't change the process the audit is like I've written in a thread before:

http://www.baanboard.com/baanboard/showthread.php?t=26446

Ok, we own many sources and have written much more by ourselves. Sources haven't been part of the audit.

Regards
csecgn

Manbod
2nd August 2006, 22:39
You guys seem to be getting a bit mixed up. You do have to care if SSA are right, it's like saying I am sorry officer but I don't care if I was speeding, I don't like your radar trap!!
I called the guys at the audit company in the UK, nice young lady sent me a description of the software. Spyware it's not.
I asked to buy the audit software, sorry not for sale. BUT I was told confidentially that I should look at www.bansource.com.
Your comment about SSA charging you for being non-compliant, I was told by the audit company that this is not true IF the source has been left behind, and IF I have not used it then it is simply a matter of tidying up. IF however I have used it then I have been 'speeding' and need to pay. Seems a reasonable thing to do.
The licensing system is clumsy, we have looked at it and it just does not control as per our licence. There is a wonderful product out there that monitors any application on your servers, it's for iSeries only but I am reliably told a UNIX version is under development for release later this year.
As far as shooting themselves in the foot is concerned and few licence fees here and there, well I also asked the audit company how much they had found in dollars for SSA that related to illegal use of the IPR, I swore to not repeat it, but a few dollars it's not!!
The moral of the events, just ask the auditors, they will tell you all you need to know. No secrets. I also got transferred to their helpline techies who gave me a lot of interesting detail on how audit software works. IT SEEMS TO NOT ACTUALLY FIND SOURCE CODE. IT FINDS WHERE IT HAS BEEN USED. So, if you have not used it no worries.

tjbyfield
3rd August 2006, 03:01
...There is a wonderful product out there...The moral of the events, just ask the auditors, they will tell you all you need to know. No secrets...

Can we excuse the cynics for thinking that this thread may be a subliminal advertisement for the audit software ?

Other than the 'moderators', csecgn and myself, none of the correspondents to the thread have disclosed their location details.

Francesco
3rd August 2006, 14:32
Spyware it's not.
Any program that collects information on my system and sends it to a third party is considered spyware.

I asked to buy the audit software, sorry not for sale. BUT I was told confidentially that I should look at www.bansource.com.
I'm glad you shared that bit of confidential information with us.

Your comment about SSA charging you for being non-compliant, I was told by the audit company that this is not true IF the source has been left behind, and IF I have not used it then it is simply a matter of tidying up. IF however I have used it then I have been 'speeding' and need to pay. Seems a reasonable thing to do.
And exactly HOW do they determine all those IFs? I can think of a number of scenarios where (legally or illegally) modified source code ends up on a system without knowledge of its administrator. Besides, some Baan systems are 20 years old and many of their customers do not have the change control in place to know where their customizations derived from.

The licensing system is clumsy, we have looked at it and it just does not control as per our licence. There is a wonderful product out there that monitors any application on your servers, it's for iSeries only but I am reliably told a UNIX version is under development for release later this year.
Great! And I can download that for free.....where?

As far as shooting themselves in the foot is concerned and few licence fees here and there, well I also asked the audit company how much they had found in dollars for SSA that related to illegal use of the IPR, I swore to not repeat it, but a few dollars it's not!!
I understand you can not disclose confidential information (twice). Specially not from such a reliable and impartial source.

The moral of the events, just ask the auditors, they will tell you all you need to know. No secrets. I also got transferred to their helpline techies who gave me a lot of interesting detail on how audit software works. IT SEEMS TO NOT ACTUALLY FIND SOURCE CODE. IT FINDS WHERE IT HAS BEEN USED. So, if you have not used it no worries.
I am not worried. I do not own or manage a Baan system at this time. My customers are pissed however and I can't blame them. Many Baan companies are currently in the market for an ERP upgrade. As is evident from the low number of implementations, LN is not the obvious or only path that these companies can take. If you think that this is a wonderful method, then good for you. Unfortunately the SSA customers that I speak perceive this a little different.

mark_h
3rd August 2006, 15:26
What Francesco said!!!! He did not even touch on the security issue. Since we are an A&D site I can not see us running software that sends encrypted data to a foreign entity. I know we stay within our licenses - but we have bought changes from other Baan partners. It will be interesting to see if they push us to run the software.

Manbod
3rd August 2006, 18:20
You are right of course. The issue is whether the mods were from a partner who had the right to the source, or you are in need of clarification from SSA, and of course do you have the source on your machine. If yes just find it and tidy up, as previous post said.

Manbod
3rd August 2006, 18:22
Have you thought of asking for an unencrypted copy? or maybe asking if you can see the analysis, maybe on line with the auditors. Maybe work with them

Manbod
3rd August 2006, 18:44
Try
www.sarbanes-oxley.com
www.justasksam.co.uk
www.fast.org.uk
www.ecpweb.com/ibsma_home.html
www.siia.net/piracy/
www.bsa.org

Sorry Francesco. What's the LN reference about?

The software for iSeries, does not seem to be your field, unless you are an AS400 expert as well. Your comment about download for free is about as sensible as suggesting we should not pay our license fees. I am sure that when the UNIX version is available, if ever, it will be a useful tool to consider.

If you want to know how to determine the ifs, it is fairly obvious IF you know UNIX and Baan. Why don't you ask the audit company. I can think of many ways.

Spyware by definition is secretly gathering information. Look up spy in the dictionary. In this case you are being told what's happening, can get a full definition of the process and get the results when you ask for them. I like encryption, it is required to maintain security of data whilst being transmitted. Ask for a non-disclosure agreement, as I am sure you do with all your IT suppliers and Consultants.

Always an answer to gain benefit, rather than conflict.

mark_h
3rd August 2006, 19:02
If yes just find it and tidy up, as previous post said.

I can give a resounding "NO" on this. SSA themselves have left source code on our system, provided source to us and that is where we stand. As for an unencrypted copy - we were told "not available". At this point I am not too worried about any of it.

In this case you are being told what's happening, can get a full definition of the process and get the results when you ask for them. I like encryption, it is required to maintain security of data whilst being transmitted.
Sorry, but just telling me what it does is not sufficient in the defense industry (or really anywhere). Lots and lots of other company and industry restrictions.

Manbod
8th August 2006, 14:10
Look up US law on copyright and possession.
We used to think the same until we had legal advice.
Did you know that copyright is criminal law as well as civil? Rules are different

mark_h
8th August 2006, 17:45
And that is why we have a legal department. It will be interesting to see what happens.

Manbod
18th September 2006, 10:14
Welcome back, we close most of August, go to beach. Takes until now to get some spare time.
We received a mailer with offer of 35% discount. Bought Sourcerer. It's great, we now have clean system, inventory and created a change management process around the product. www.bansource.com Tool allowed a less senior person to manage whole process. Time saved greater than cost of product
If you want the discount code let me know, if you found a better discount let us all know.
manbod@npunit.com