The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Purchasing Policies That Create a Barrier to Computing Diversity


The role of diversity in helping computer security received attention when Dan Geer was fired from @stake for his politically inconvenient considerations on the subject.  Recently, I tried to “increase diversity” by buying a Ubuntu system—that is, a system that would come with Ubuntu pre-loaded.  I have used Ubuntu for quite a while now and it has become my favorite for the desktop, for many reasons that I don’t want to expand upon here, and despite limitations on the manageability of multiple monitor support.  I wanted a system that would come with it pre-loaded so as not to pay for an OS I won’t use, not support companies that didn’t deserve that money, and be even less of a target than if I had used MacOS X.  I wanted a system that would have a pre-tested, supported Ubuntu installation.  I still can’t install 7.04 on a recent Sun machine (dual opteron) because of some problems with the SATA drivers on an AMD-64 platform (the computer won’t boot after the upgrade from 6.10).  I don’t want another system with only half-supported hardware or hardware that is sometimes supported, sometimes not as versions change.  I suppose that I could pay up the $250 that Canonical wants for 1 year of professional support, but there is no guarantee that they would be able to get the hardware to play nicely with 7.04.  With a pre-tested system, there is no such risk and there are economies of scale.  Trying to get software to play nicely after buying the hardware feels very much to me like putting the “cart before the horse”;  it’s a reactive approach that conflicts with best practices.

So, encouraged by the news of Dell selling Ubuntu machines, I priced out a machine and monitor.  When I requested a quote, I was told that this machine was available only for individual purchase, and that I needed to go on the institutional purchase site if I wanted to buy it with one of my grants.  Unfortunately, there wasn’t and still is no Ubuntu machine available for educational purchase on that site.  No amount of begging changed Dell’s bizarre business practices.  Dell’s representative for Purdue stated that this was due to “supply problems” and that Ubuntu machines may be available for purchase in a few months.  Perhaps.  The other suggestion was to buy a Dell Precision machine, but they only come with Red Hat Linux (see my point about supporting companies who deserve it), and they use ATI video hardware (ATI has a history of having bad drivers for Linux).

I then looked for desktops from other companies.  System76, and apparently nobody else (using internet searches), had what I wanted, except that they were selling only up to 20” monitors.  When I contacted them, they kindly and efficiently offered a 24” monitor for purchase, and sent me a quote.  I forwarded the quote for purchasing.

After a while, I was notified that System76 wasn’t a registered vendor with Purdue University, and that it costs too much to add a vendor that “is not likely to be much of a repeat vendor” and that Purdue is “unwilling to spend the time/money required to set them up as a new vendor in the purchasing system.”  I was also offered the possibility to buy the desktop and monitor separately, and because then the purchase would be done under different purchasing rules and with a credit card, I could buy them from System76 if I wanted…  but I would have to pay a 50% surcharge imposed by Purdue (don’t ask, it doesn’t make sense to me).

Whereas Purdue may have good reasons to do that from an accounting point of view, I note that educational, institutional purchases are subject to rules and restrictions that limit or make less practical computing diversity, assuming that this is a widespread practice.  This negatively impacts computing “macro-security” (security considered on a state-wide scale or larger).  I’m not pretending that the policies are new or that buying a non-mainstream computer has not been problematic in the past.  However, the scale of computer security problems has increased over the years,  and these policies have an effect on security that they don’t have on other items purchased by Purdue or other institutions.  We could benefit from being aware of the unfortunate effects of those purchasing policies;  I believe that exemptions for computers would be a good thing.

Edit: I wrote the wrong version numbers for Ubuntu in the original.
Edit (9/14/07): Changed the title from “Ubuntu Linux Computers 50% More Expensive: a Barrier to Computing Diversity” to “Purchasing Policies That Create a Barrier to Computing Diversity”, as it is the policies that are the problem, and the barriers are present against many products, not just Ubuntu Linux.


Posted by Chris Walsh
on Sunday, September 9, 2007 at 05:21 AM

Man.  Those are some talented bureaucrats you have out there.

We in Chicago woulds see this as an awesome business opportunity. :^)

Set up a shell company which acts as a middleman for these “50%  markup” buys, but is on the approved vendor list since it would be “likely (!!) to be a repeat vendor”.  This forces purchasers to either pay retail+50% or retail + whatever your shell company wants to tack on.  Naturally, this has an upper bound of 50%, but you can vary the markup by product if you know how desperate purchasers are, thus maximizing your profit.

The fact that this has not already been done suggests that getting on the approved list is a hard problem, but with a bit of out of the box thinking (read: paying somebody who is already on it a “cross-marketing consulting fee”) this can be tackled.

Posted by Steven Clark
on Wednesday, September 12, 2007 at 09:06 PM

I imagine this is done to make it far less attractive to buy outside the capture, erm, contracts that Purdue has with certain ‘Preferred Suppliers’. It’s not the Ubuntu that’s the issue, but the contractual practices.

We have similar arrangements here. We can only buy outside our ‘Preferred Suppliers’ if and only if they do not carry, or cannot supply, something ‘similar’ to what we think we want. A whole lot of compromising goes on.

We have standard configuration boxes for classes of employees. CompSci academics desktops are the same config as SocSci. After all, what would we want with more hard drive space? or RAM? [We can get ‘above spec’ systems: but we still have to go through the ‘Preferred Supplier’ first.]

Technically, your headline is incorrect. It gives the impression that [computer + Ubuntu] is more expensive (in some way) than [some alternative]. What you’re really saying here is that because of the way ‘Preferred Supplier’ accounting works at Purdue, sourcing a machine from an alternate vendor is more expensive.

By-the-by: What’s Purdue’s take on Apple? We have a decent sprinkling of them about the place. Particularly as laptops.

Posted by Pascal Meunier
on Friday, September 14, 2007 at 02:53 AM

thanks Steven, I agree with your points.  I will change the title.  Apple laptops are quite popular here, both with students and faculty, and Apple is a preferred supplier. 

Leave a comment

Commenting is not available in this section entry.