NASA overspent $15m on Oracle software because it was afraid an audit could cost more

NASA is rubbish at software asset management, has not implemented federal government guidance on how to address it, and as a result is spending too much on code it doesn't use – including $15 million on unused Oracle software alone, under a twelve-year-old license the space agency was afraid to examine. So says the aerospace …

  1. Joe Gurman

    Once upon a time

    I worked for the four-letter-acronym agency, and much as I cursed the extra work associated with the SAM requirements, I thought the group responsible for SAM (part of the NASA Shared Services Center) was extremely customer-focused, perhaps because the NSSC is staffed mostly by contractor personnel. It would be a shame if their excellent customer service (bringing on new software under license when requirements for such are demonstrated, negotiating reasonable license terms, &c.) were sacrificed to concentrating solely on the big-ticket items cited in this report. I know they helped the projects I worked on and many others to control costs and remain compliant with Agency requirements.

    1. Code For Broke

      Re: Once upon a time

      Can anyone help me understand for what reason NASA would have a big contract with both Oracle and SAP? I'm honestly curious.

      1. Anonymous Coward

        Re: Once upon a time

        If it was anything like my momentary experience, it's because changing the database is way beyond the skills of their typical contractors. One developer was intentionally creating SQL injection vulnerabilities because, the dev claimed, parameterized SQL queries hadn't been reviewed for approval. It was a mind-blowingly lazy excuse, being that I was the reviewer.

        1. Code For Broke

          Re: Once upon a time

          What is the difference between "parameterized SQL queries" and stored procedures?

          1. Anonymous Coward

            Re: Once upon a time

            That you don't need DDL rights to create and use a parametrized SQL query?

          2. mathew42

            Re: Once upon a time

            You can build a parameterised query dynamically. For example adding clauses to the where statement.

          3. John Geek
            Headmaster

            Re: Once upon a time

            two entirely different concepts. a parameterized query is like, SELECT stuff FROM sometable WHERE id=$1; and the value of $1 is passed with the query as a parameter.

            a stored procedure is a subprogram that runs inside the database server, usually written in a PLSQL style language, which is SQL with IF and other control structures as well as variable assignments, etc. stored procedures can also be written in Java or other languages, depending on the database server.
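Added example, not part of any comment in this thread: a parameterized query whose WHERE clauses are built dynamically, as the replies above describe, next to the string-concatenation form that creates the injection flaw mentioned earlier. The `staff` table, its rows and the function names are constructed for illustration; Python's `sqlite3` uses `?` placeholders where the comment above writes `$1`.

```python
import sqlite3

# Column names cannot be bound as parameters, so they are checked
# against this allowlist (hypothetical schema, constructed for the example).
ALLOWED_FILTERS = {"name", "site", "role"}

def make_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (id INTEGER PRIMARY KEY, name TEXT, site TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO staff (name, site, role) VALUES (?, ?, ?)",
        [("alice", "north", "dba"), ("bob", "south", "dev"), ("carol", "north", "dev")],
    )
    return conn

def find_staff(conn, filters):
    """Build the WHERE clause dynamically; every value stays a bound parameter."""
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_FILTERS:
            raise ValueError(f"filter on {column!r} not permitted")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = "SELECT name FROM staff"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]

def find_staff_concatenated(conn, site):
    """The anti-pattern: the value is pasted into the SQL text itself."""
    sql = "SELECT name FROM staff WHERE site = '" + site + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing a quote
    print(find_staff(db, {"site": "north", "role": "dev"}))
    print(find_staff(db, {"site": hostile}))      # treated as a literal value
    print(find_staff_concatenated(db, hostile))   # quote rewrites the predicate
```

Neither function needs DDL rights or a stored procedure; the difference is only whether the value travels as data or as part of the SQL text.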

  2. Potemkine! Silver badge

    What I understand from reading the IT press about Oracle is: never ever work with them or be screwed.

    I guess I'm not the only one. Then I don't understand how it is possible Oracle still has customers?

    1. Joe W Silver badge

      Yes. That's it. You have to be extremely wary of any, even small, change. The Oracle licenses are cat-puke-clear (and even from a distance have a similarly obnoxious smell). And they are this way on purpose (most feel). Having an audit will cost much more than just overspending on the licenses, they will "eventually" (i.e. they knew all along but waited) discover the "anomalies", and then incur back payments.

      I really am curious: without an actual audit, how did they discover they were overspending? Were the people involved intimately familiar with the way Oracle licenses work? Do they know that you (well, more or less, there's some rules, some restrictions) pay for every single CPU that could potentially be used (so for the full server farm your VM could be running on)? 15M$ is not that much, in terms of Oracle licenses.

      (and remind me again, how much does a single F35 cost really?)

      1. Pascal Monett Silver badge
        Coat

        IIRC, NASA doesn't have a single F35 on its roster of flight vehicles.

        1. Strahd Ivarius Silver badge
          Devil

          They can deorbit a lot of junk to specific locations when needed...

    2. sgp

      The only organizations I know that use it are governments. Go figure.

    3. Wade Burchette

      I really believe that Oracle has a factory dedicated to punching puppies and kicking kittens. They are just that evil.

    4. MyffyW Silver badge

      I have worked in IT since the mid-90s and I can honestly say you will never find a more wretched hive of scum and villainy.

      I have steered several companies away from using Oracle product because of their ruinous business practices.

      1. Anonymous Coward

        In my opinion, if you lift the covers you'll find they learned quite a bit from Microsoft..

    5. werdsmith Silver badge

      They have customers because the incredibly high cost is usually something that is dealt with at upper levels of management where all the morons are. In many cases their software does not offer value to a business where the benefit of using it is worth its cost. I have managed to help people get Oracle instances moved to Postgre, with better results in terms of performance, TCO and supportability.

      I will not have anything tainted by the red monster anywhere near me. No MySQL, no Java, and no Oracle DB. I accept that I am missing out on the one thing I would be interested in - VirtualBox, but that is the cost of descumming.

  3. bregister
    Unhappy

    As a nearly 40 year user of the database, it's a good product, the rest of what that company does is not so great any more.

  4. spireite Silver badge

    Won't be the only ones.

    I'm not singling Oracle out here, MS is just as bad - and there are others.

    As the cloud - sorry, rent a server - market has taken off, and the big DB vendors move the goal posts in search of revenue, it's meant the end-user/org has become utterly confused.

    Take MS licensing! SQL has been by Server, CPU, then it became per core, then it became per vCPU and god knows what else has slipped my mind - DTUs etc.

    Give me a metric I can equate.

    The problem here is that you can be licensed this year, and then not, because the goalposts moved.

    Tracking this stuff is a career, understanding it is pointless. You can't even get a sensible answer out of MS or their agents.

    I can understand why the mindset becomes overlicensing 'just in case'.

    1. heyrick Silver badge

      Re: Won't be the only ones.

      Why is there no law stating that what was agreed is what is in effect unless both parties agree to (any) revised terms?

      1. tyrfing

        Re: Won't be the only ones.

        That would be because the license you "sign" (click-through) gives the software vendor the right to unilaterally change the terms on short notice. Your recourse is to stop using the software, never mind lock-in.

      2. hoola Silver badge

        Re: Won't be the only ones.

        Given that when you buy software or subscribe to use software, all you get is a guarantee that you have paid money to the vendor. All the legal waffle pretty much states that:

        You have the right to use it

        There is no guarantee it will do what you want

        There is no guarantee it will work

        You might be entitled to updates

        For subscriptions, the service can be updated and changed at any time

        If it does break there is no liability on the part of the vendor

        In fact the only guarantee you get is that whatever happens, you are screwed.

    2. werdsmith Silver badge

      Re: Won't be the only ones.

      If you agree to purchase a version of SQL Server then your licensing terms are the ones agreed at the time you purchase, they don't change next year if you are still using the same version. Nor do they change if you upgrade using Software Assurance.

      You can still license Server+CAL or by core (in packs of 2 minimum 4) it hasn't really changed much recently except for the addition of pay as you go option.

  5. Howard Sway Silver badge

    NASA therefore spent $15 million on Oracle software it didn't use

    Well, Oracle should graciously refund the money then. If they don't, then I'm sure the government could just by pure coincidence decide to subject Oracle and Mr Ellison to a forensic tax audit, as well as commencing some essential roadworks involving the digging of large holes just outside his Hawaiian home.

    1. VicMortimer Silver badge
      Holmes

      Re: NASA therefore spent $15 million on Oracle software it didn't use

      They should be doing annual forensic tax audits anyway. If you've got that much money, you're definitely a crook, the only question is how much you stole and from where.

  6. Richard Gray 1
    Devil

    Learn guys...

    Reminds me of Good Omens..

    “Along with the standard computer warranty agreement which said that if the machine 1) didn't work, 2) didn't do what the expensive advertisements said, 3) electrocuted the immediate neighborhood, 4) and in fact failed entirely to be inside the expensive box when you opened it, this was expressly, absolutely, implicitly and in no event the fault or responsibility of the manufacturer, that the purchaser should consider himself lucky to be allowed to give his money to the manufacturer, and that any attempt to treat what had just been paid for as the purchaser's own property would result in the attentions of serious men with menacing briefcases and very thin watches”

    1. David 132 Silver badge
      Thumb Up

      Re: Learn guys...

      You missed off the next bit, which is just as applicable, as it's Oracle we're talking about:

      "...Crowley had been extremely impressed with the warranties offered by the computer industry, and had in fact sent a bundle Below to the department that drew up the Immortal Soul agreements, with a yellow memo form attached just saying: 'Learn, guys...'"

      Of course, the comparison is a little unfair. One is the blood-red-hued font of all evil and suffering in our lives, and the other is, um... Hell.

  7. Anonymous Coward

    'How and why' Oracle licensing became so cumbersome and complex to manage?

    Because it's Oracle and they make their money through onerous licensing terms rather than producing reasonable quality software.

    Many years ago I was on the receiving end of a gazillion page Oracle audit where I wanted to know why they'd included a line re support for software that we didn't (and never had) used and that because it was out of support would have been impossible for us to raise a ticket against even were we to use it. Their answer was the veiled threat of "You need to be careful" - I told them to sling their hook and because we were relatively small fry they gave up.

    Posted anonymously in the unlikely event that Oracle's lawyers are watching - they really are that nasty a company.

    1. Strahd Ivarius Silver badge
      Black Helicopters

      Re: 'How and why' Oracle licensing became so cumbersome and complex to manage?

      Posted anonymously

      Don't worry, you may have noticed that The Register banner is red, meaning that they belong to Oracle and they already have all your personal information...

    2. Anonymous Coward

      Re: 'How and why' Oracle licensing became so cumbersome and complex to manage?

      Yeah, my first reaction to that line was "when was Oracle licensing ever *not* cumbersome and complex to manage?"

      We're reducing our Oracle services after a failed project implementation. The best efforts of all of us in IT were not sufficient to work out which items on our quarterly bill were no longer needed.

  8. Mike007 Bronze badge

    What does this mean?

    "Software downloaded with privileged access is not tracked for license compliance and life-cycle management, and NASA does not have a consistent, Agency-wide process for limiting privileged access or using "least privilege" permissions, which gives users only the software permissions necessary for their job."

    what is "privileged access" in the context of downloading software? Regular users have Administrator access on their workstations...?

    1. Tom Chiverton 1

      Re: What does this mean?

      Sounds like it

    2. An_Old_Dog Silver badge

      Consistent Processes

      NASA does not have a consistent, Agency-wide process for ...

      NASA might not have a single, aka "consistent", process for monitoring these things, but that doesn't mean they don't have processes for monitoring these things. Multiple, differing processes implies political divisions, each doing things "their way". The relevant question is whether or not these multiple, differing processes work well enough for NASA to know with certainty whether or not they're in license compliance.

      Executive(s) said, "No" to the above question, but executive decisions are not necessarily logic-based.

  9. TVU Silver badge

    "The auditor estimates NASA "could have saved approximately $35 million over the past five years in fines and overpayments ($20 million in penalties plus $15 million in Oracle overspend)""

    ^ The moral of that tale is to avoid at all costs having any commercial ties with Larry and Oracle not least because you will be subject at some stage to the dreaded customer compliance audit which will never, ever be in your favour.

  10. John Brown (no body) Silver badge
    Unhappy

    Wow!

    If even the rocket scientists can't figure out the licensing agreements, what hope for the rest of us?

    1. Strahd Ivarius Silver badge
      Angel

      Re: Wow!

      As said at the end of the article, this is not rocket science...

    2. Updraft102

      Re: Wow!

      The rest of us should take advice from Joshua.

      "A strange game.

      The only winning move is not to play."

  11. trevorde Silver badge

    Oracle

    "It always costs more" (TM)

  12. Sparkus

    It's a legit concern....

    One of my clients is in the latter half of an 'exit-oracle' program. Everything and anything that is Oracle or Sun is on the way out.

    Database, servers, orphaned ERPs, Tape, weblogic, JVMs, etc, etc. There are even program threads that are looking at embedded web code to verify that they're not using any sneaky oracle micro-components or even programming practices.

    As others have noticed, one pushback is the need to stop using VirtualBox. That is going to be a problem as the reality of VMware's future becomes cloudy and 'scary'.

    A MAJOR part of the program is obfuscating the goals and progress from Oracle. We are absolutely convinced that as soon as Oracle figures it out, they'll try to drop a massive software audit.

    1. An_Old_Dog Silver badge

      Oracle VirtualBox Alternative: Qemu

      As an alternative to VirtualBox and VMware, look at Qemu. If your users need a GUI-fied Qemu front end, there are freeware third-party packages which provide that.

    2. sten2012

      Re: It's a legit concern....

      How are you using it? On end user devices or say on virtualisation servers?

      To be totally honest since oracle has taken over it feels to me like vbox development has slowed to an absolute crawl. I used to be a huge advocate for it but my experience has only been going downhill.

      It used to be that or vmware. Now there are loads of what were newcomers that are just as capable for 80-100% of use cases. KVM or Qemu on Linux. Hyperv (if you don't need h/w passthrough) on Windows (80%).

      And I don't really see local user virtualisation going cloudy for vmware (a la workstation), just it becoming tighter integrated with, say, hyper-v on Windows and less focus on their own virt while vsphere stuff is looking less certain.

      But I'm honestly clueless though so don't listen to me!

      I'm sure I'm missing loads (xen still a thing?)

      Between that and the uptick in containers taking on some workloads.. It wouldn't take much convincing for me these days, once their biggest fan, let's put it that way.

  13. This post has been deleted by its author
