Questions for StillSecure About Cobia

Thomas Ptacek | April 2nd, 2007 | Filed Under: Industry Punditry, Uncategorized

StillSecure, home of 3 of the top 12 influencers in security (topping John Thompson, Jayshree Ullal, Michal Zalewski and DVD Jon, according to StillSecure evangelist Martin McKeay), launched “Cobia”, their “open-source” network/security convergence product. I have two questions:

  1. Is StillSecure going to stop calling Cobia “open source”, or is it going to comply with the Open Source Definition? It seems like an either-or thing. The Cobia license restricts redistribution to noncompetitive, noncommercial use. That’s not “open source”.

    Of course, I have an opinion: if they want to solicit outside contributors, they should drop the pretense of “owning” it and open it up for real. As it stands, what incentive do outsiders have to do anything with this code?

    Yes, this is a similar situation to Snort/SourceFire and Nessus/Tenable. But both of those projects gained critical mass as pure open-source projects, licensed under the GPL. There was tremendous incentive to contribute to them as they “grew up”. Now there’s virtually none (at least to the “trunks” of the projects, and that’s OK, because they’re mature products with strong commercial backing.

    And of course, once GPL, always GPL. A problem StillSecure has avoided by not open-sourcing anything.

  2. Is there anything more to Cobia than a Java web-app wrapper around the Linux “security stack”? I see iptables, and predict Snort and Nessus (StillSecure’s IPS and VAM stacks, respectively). Xorp may be in there too.

A company making a genuine attempt at an open-source network platform is Vyatta. The difference, as I see it, between Vyatta and StillSecure is that Vyatta is staffed with core contributors to the “engine-level” software they’re shipping. StillSecure seems to be doing what Astaro did.

A correction I’d love to get from StillSecure: the list of open-source projects StillSecure has an ongoing commitment to. Does StillSecure staff full-time engineers on projects like iptables, or Xorp, or even RRDTool, which provides their graphs? If so, they should play that up.

PS: Alan, if you really agree that it’s laughable to say that you’re among the top 12 influencers in security, can you get your team to stop repeating that? It’s one thing for your marketing people to do it. I guess. But that was Martin McKeay I quoted.

Viewing 39 Comments

    • ^
    • v
    Will someone please put a bullet in the tired subject of the 'top influencers in security'!?

    Christ I'm seriously beginning to sympathize with Mark Curphey!

    Put it to rest already and get back to bickering over the usefulness of NAC or something, lol.
    • ^
    • v
    It's right there on the Cobia blog! I just listened to Alan tell me he was irritated with his marketing team for playing it up!

    BTW: count the NAC posts here. Eh?
    • ^
    • v
    Also: what do you think: Cobia, open source or not?
    • ^
    • v
    Thomas thanks for bringing up the open source issue. It is one we thought a lot about over the last year. To answer both of your questions would have been too long a comment. Instead I have I hope fully answered your questions over on my blog at: http://www.stillsecureafteralltheseyears.com/as...

    Hope that clears it up for (it probably won't, but I tried)
    • ^
    • v
    Alan : "Open Source" is a trademark which belongs to OSI, so it's not really up to you to decide what kind of license fits or not.

    Also, looking at it looks like your company sells waaaay outdated stuff ! Snort 2.4.1 ? Nmap 3.75 ? Nessus 2.2.4 ? Hello ? Are we in 2002 or what ?

    Are you guys seriously selling the packaging around stuff that was created over two years ago ?

    With regards to the code StillSecure supposedly has contributed to the open-source projects you guys are using, I'm not seeing any evidence. The most work I can see is packaging some existing Open Source applications as an RPM for your own needs.

    Naturally, you can always insinuate that you're the top#3 company in open source contributions but the fact is that what I can gather is the following :

    - No contribution to Snort whatsoever
    - One minor bug fix in jcifs in 2005 (http://lists.samba.org/archive/jcifs/2005-Janua...)
    - No contribution to Nmap whatsoever
    - No contribution to MySQL whatsoever
    - etc...


    So Alan, could you please shed a light and help us here ? What have you guys contributed back to the projects you are using ?
    • ^
    • v
    Unfortunately, "open source" is not actually a trademark of OSI. They apparently gave up on that one.
    • ^
    • v
    So wrong on who owns open source and wrong on what we are using in our products. Go have a closer look at what we are actually using for Nessus. You will see it is a customized version we changed ourselves and is GPL. Also many of our engineers have done work for open source stuff under their own names.

    Frankly though, this is not about that. We have chosen to distribute Cobia under our definition of open source. Ultimately the users will decide if they agree with it or not. We make no bones about the fact that we are a commerical, for profit venture.
    • ^
    • v
    It's pretty misleading to use the term "open source", which is perhaps one of the most aggressively "defined" terms in our industry (see: the Open Source Definition), for a license that would not get the approval of the OSI.

    Alan, about your engineers: I believe you. Give us a list of their names so we can ask them how much StillSecure work time you guys give them to work on their projects. You should be proud of this stuff, so I don't expect you to be circumspect.
    • ^
    • v
    Thomas I don't think it misleading. I think open source business models and licensing have undergone significant changes over the last few years. It is about the community of users and what they think. People who aren't going to use Cobia because they dont think it true open source, are not going to contribute or participate and we are OK with that.

    On engineers, I would point you to Brad Doctor on our team who be more knowledgeable about that kind of stuff. Truthfully, living in Florida, i don't follow the engineers time closely
    • ^
    • v
    Alan, come on. There's an "Open Source Definition" at the "Open Source Initiative" at "Open Source Dot Org", which for all intents and purposes invented the term.

    It's a VERY SHORT definition, and inside of its very few words are multiple numbered license attributes (they call them "traps", as in, StillSecure is trying to "trap" people) that you guys contravene.

    Call it something else besides "open source". Microsoft calls it "shared source". That works!
    • ^
    • v
    I have to say that when I first saw Mitchell post the white paper on UNP I was a little stumped... I haven't yet booted the product but the concept alone was enough to give me a laugh.

    An Open Source Operating System - Linux
    Modular Plugins - Software
    OTS hardware - Any Home Computer

    Sounds to me like it's Ubuntu/Debian with Apt. Seriously I throw in a Ubuntu CD and it installs quite easily on OTS hardware (and it doesn't require a 2Ghz PC). Then using Apt I can easily install most of what is offered with Cobia (if not all of it) and most of them will also have some sort of GUI for ease of use.

    So in the end they're charging for a Linux system running a GUI with a package management system. I definitely see the open source in all of that.

    This page basically sums my theory up (http://download.stillsecure.com/Cobia/src/). However I will be writing more on the subject once I've had a chance to properly play with the software.
    • ^
    • v
    I'd like to point out that at RSA 2007, more precisely at the UTM panel, Alan Shimel publicly pounded Alex Quinonez, VP of Sales @ Astaro (now a direct competitor to Shimel's company) demanding him to list the specific open source projects to which Astaro contributes, Alex failed to comply, which did not make Astaro look good and was certainly embarrassing.

    So now I think it is fair to ask Alan for the list of specific projects to which StillSecure -the company, not individual developers- contributes, and I'm sure Astaro will be happy to hear about that too..
    • ^
    • v
    @alan: you wrote :
    >

    Fair enough -- I actually went to your website, and downloaded your copy of Nessus[1]. If by "contribution" you mean "violating the GPL", then I guess you guys are really contributing to a lot of GPL software !


    For instance, your changes link libnasl to a file called 'winreggie.c' which seems to be a glue between samba and libnasl, and which has the following header :

    --- Begin header ---
    Copyright (C) 2004, 2005 Lockdown Networks, Inc.
    All rights reserved by Lockdown Networks, Inc. and its licensors ("Lockdown").
    This source code and the methodology disclosed by it constitute the proprietary
    and confidential information of Lockdown Networks, Inc. and its licensors
    ("Source Code"). By using this Source Code, you agree to be bound by these
    terms and conditions of use. Further, use of this Source Code is governed by
    the terms and conditions of license agreement with Lockdown, which is
    incorporated herein.

    Use of the Source Code is permitted only for partners of Lockdown Networks, Inc.
    under written agreement and for no other purpose. The Source Code may not be
    disclosed to or used by anyone other than your employees or contractors working
    on Lockdown product development projects. Any other disclosure is expressly
    prohibited. Any product developed using the Source Code may be distributed,
    displayed, licensed, sold, or used in object code format only as specified in
    a written license with Lockdown permitting such distribution, display, license,
    sale or use.


    --- End header ---


    Now, I frankly do not care about what your definition of "Open Source" is. However, what I know is that linking a GPL software against a non-GPL library is a pure violation of what the GPL. It's even covered in the GPL faq[2].

    Do you have authorization for doing such a thing, or are you openly violating the copyright of the Nessus and Samba folks ?


    Did you guys "contribute" to any other GPL tool as well ? Maybe the copyright owners should be notified about your doing, what do you think ?


    [1] download.stillsecure.com/CommonOsBuild/RPMS/rpms/nessus-2.2.4-ss13.i386.rpm

    [2] http://www.gnu.org/licenses/gpl-faq.html#Linkin...
    • ^
    • v
    I'd just like to point out that Snort is *still* fully open source and distributed under the GPL and that we continue to work on it with a dedicated engineering team over here. In fact once we get final sign off you should be seeing Snort 2.6.1.4 released today.

    Additionally, we announced the release a new open source program yesterday (Daemonlogger) and the first Snort 3.0 alpha should see the light of day this week.

    Sourcefire isn't like anyone else doing "open source" security products out there, we still develop significant technologies under GPL licenses and give them away for free. If you've got issues with our content licensing I'm happy to debate that, but our core technology is open source.

    My next project is going to be getting on the "top influencers" list!
    • ^
    • v
    The GPL is a very complicated license to understand. I run in to people left and right that simply don't understand it or its limitations. Have you even read it? What does it mean? You should watch out before you accuse someone of violating it! My cat smells like cat food!
    • ^
    • v
    Thanks for your 2 cents Marty. On the GPL, first of all, we are not Lockdown Networks, they developed the linked library you refer to, so you should take it up with them. That is their copyright header and we would not remove it, even if we thought it was wrong. We do make the code available though and I have personally sent the source code to Tenable and we comply with the licensing requirements on it.

    Joe, obviously you are very passionate about open source licensing. If Cobia being called open source bothers you so much, you don't have to use it or contribute to it. Other than that, not much either of us can do but continue to disagree
    • ^
    • v
    Hey Thomas, I just spoke to Mitchell and he did not post the comment before mine. His name is not even spelled right. Thomas, what is going on with the comments. Did Marty really post? Is Joe just your alter ego ;-) Just kidding but wanted to set the record straight.
    • ^
    • v
    @mitchel:

    I have read the GPL, and I advise you to do the same.

    Your modified version of Nessus contains portions which are not released under the GPL but under a proprietary license (that you are also violating by the way, since it says that Lockdown does not grant you redistribution rights).

    To make things simple :

    - FACT: Nessus is released under the GPL
    - FACT: All the modifications you make to Nessus are to be made under the GPL
    - FACT: Your modified version of Nessus links to the file winreggie.c which is NOT under the GPL

    Ergo: FACT: you in violation of the GPL.

    See also : http://www.gnu.org/licenses/gpl-faq.html#MoneyG...
    • ^
    • v
    @alan:
    "On the GPL, first of all, we are not Lockdown Networks, they developed the linked library you refer to, so you should take it up with them."

    It does not work this way. Your company is distributing code which is in violation of the license, your company is also liable for it.
    • ^
    • v
    I was about to jump in here and defend StillSecure on their usage of 'open source'. First, 'open source' is not 'Open Source', just like an engineer is not an Engineer.

    But upon a second read of their community license, there are some items that just don't sit well even for 'open source'. A much better term would be something like 'community source' in my opinion (which is worth nothing).
    • ^
    • v
    Joe, first of all that was not Mitchell Ashley that posted the comment. Second, it is our position that the code we are distributing with VAM is under the GPL. I personally think Lockdown is wrong and so we distribute it pursuant to GPL terms.

    Joe, here is the fundamental question though, if we want to distribute something via our own definition of open source, why does it throw you into such a frenzy and what difference does it make to you what other open source projects we support? I am not looking to pull your tail or anything, but since you don't leave any contact info, there is no way of knowing who you are, what your motives are or anything else about you. So instead of being just another "joe" come out and introduce yourself. If you would like to continue this discussion with your real identity in private you can do so by emailing me at alan (at) stillsecure dot com. I promise to keep whatever communication we have between us. I can also talk alot more openly that way.
    • ^
    • v
    "Community Source" sounds fine with me.

    Look, Alan, you guys didn't launch a "unified network platform". You launched an "OPEN SOURCE unified network platform". It's right there in the branding. It's a central part of your positioning.

    Your use of the term is totally, completely fair game. Also, I'd like to see you address Ivan Arce's point here; I'm tempted to post it on the front page as an open question. Did you really call Astaro out in front of an audience at RSA for not being open-source enough?
    • ^
    • v
    Alan,

    I wasn't piling on, I was just mentioning that I didn't think Sourcefire should be termed as a "used to be open source" company in Thomas' orignal post, we're still very much into advancing our open source technologies for everyone to use.
    • ^
    • v
    @alan:
    "Joe, here is the fundamental question though, if we want to distribute something via our own definition of open source, why does it throw you into such a frenzy and what difference does it make to you what other open source projects we support?"

    No frenzy and I don't care, just curious about companies claiming to do a lot for Open Source but not being very well known for it.

    I'll download Cobia now and I'll contact you by email if I have any further questions.
    • ^
    • v
    Thomas, I may not get to some of this all today, will have to wait. Open Source is a central part of our positioning. You want to call it community source and that makes you feel better, go for it. The bottom line, is I think the market in general is just not as wrapped up on this as you guys are. We developed Cobia for the market in general and I think they will be fine. The ultimate judge will be how many people use it and what other companies will develop solutions that support it.

    On the Astaro thing, there is a fundamental piece of the story missing. The Astaro guy stood up and said that they are big supporters of open source and support lots of projects. So I called him on it and asked him which ones. Turns out the guy on the panel for them, did not have an answer. I mean he could not give one example. He was probably the wrong guy for that panel. But to be fair, since then I have been in touch with Astaro folks and they do in fact contribute quite a bit to open source (at least they convinced me).

    The difference is I am not saying we are big contributors to other open source projects. If we have something to give back we do. If we can help in some way that is in line with our own objectives we do. Most importantly, we try very hard to comply with all licensing requirements. For instance someone mentioned MySQL. We pay MySQL their license fees, However, for Safe Access we choose to use another DB that was also open.
    • ^
    • v
    The market totally isn't wrapped up in open source. That's a problem, because open-source developers are often outside the market, getting exploited by it. And I mean, whatever, that's fine; just don't act like it's noble to do it.
    • ^
    • v
    Alan, you've never sent Tenable source code. I've had to ask you to get your NASLs and list of source code changes updated on your web site. Also, when I looked at them, I was looking at them from a Tenable code point of view, which I didn't see any glaring evidence that you were directly copying .nasls from our Registered or Direct Feeds. I didn't have each of them tested for Tenable fingerprints in the NASLs and I also didn't audit your code from a GPL violation point of view.

    As far as chatting with folks anonymously, good luck. We have 1000s of gmail, yahoo, hotmail or otherwise anonymous users on the Nessus mailing list, posting to slashdot, .etc. Many of these are either competitors of Tenable or folks who don't want to pay for support or folks who want to debate licensing.

    -- Ron
    • ^
    • v
    Thomas excellent point, so by being upfront and saying what we intend to do and how we are going to sell this, we are seeking not to exploit anyone. If a developer does not want to get involved because of our licensing, we are OK with it. I think that is better than changing licensing mid-stream with a new release. I don't want to reach critical mass on other peoples work and then change the rules. We are setting our rules right now for everyone to know. What is bad about that?
    • ^
    • v
    http://cobia.stillsecure.com/?q=node/132

    "Is Cobia open source?
    The definition of “open source” is evolving as companies create new licenses or add “riders” to OSI licenses such as the GPL. Some believe that open source means it must be one of the OSI compliant licenses (GPL, Mozilla, Apache, etc.). We’ve found what is most important to a majority of open source software users is that open source software is free of charge and include easy access to source code. Cobia software meets these requirements through our community license structure."

    Replace that with:

    "Is Cobia open source?
    No."

    That will make a lot of people happier.
    • ^
    • v
    Richard, but not the people we are trying to make happy. We believe what we said there on the cobia site. You and others may have a different opinion, but the overwhelming majority of users do not.
    • ^
    • v
    Alan: you're not being straightforward about it.

    Do a Google search for "Is * open source?" and "* is not open source" and you'll find many tens of companies coming out and saying that, even though they provide source code, they don't fit the definition of open source. Even qmail, which by any reasonable definition is not only open source but also free software, disclaims itself.
    • ^
    • v
    The overwhelming majority of users won't care. The overwhelming majority of developers and thought leaders do. Also: be careful about what you imply about your users. Some of them do pay attention and are proud of that.

    This is so easy to fix that I don't understand why you don't just fix it. Just strike the word "open source" and replace with something equally marketing-friendly.
    • ^
    • v
    Since outgoing trackbacks aren't apparently working for me right now, I'll just manually link to my post. Of course, I needn't have bothered based on everybody else commenting here making much of the same points. I think the bottom line I agree with most strongly is Thomas' last comment -- end users might not care what Open Source is or isn't, but the folks that you'd presumably most want to be involved with a project like this most certainly do.

    http://www.networkcomputing.com/blog/dailyblog/...

    Sorry Alan, I'm not trying to add to the... uhh, fecal weather patterns... you're experiencing, and though I was originally really intrigued with Cobia, finally paying attention to the details of the license was disappointing compared to what I was expecting with all the hoopla about open source. I'm obviously not the only one.
    • ^
    • v
    @alan

    Guess what? Some potential users/customers DO in fact care about a company's marketing claims. I'm not one of the "thought leaders" or developers or smart guys, I'm just a plain old ISO at a reasonably well known financial company with a fairly lengthy background in operational IT security.

    I dont care about claims of o/Open s/Source for the sake of morality or the good of the world, etc. I do care about marketing claims which look like riding on the coat tails of those who have done "good works" however. See by my view as someone who can recommend the use or purchase of a security product, if your main story smells fishy, something else about your company might be fishy as well. This is not an accusation, this is just the perspective of a potential user/customer.
    • ^
    • v
    "On engineers, I would point you to Brad Doctor on our team who be more knowledgeable about that kind of stuff. Truthfully, living in Florida, i don’t follow the engineers time closely"

    Oh, come on Alan! You don't follow us much, but you're the henchman that gives us the "pep talks" when we don't have enough "respect" to work more? Don't lie. We know you're on a conference call before each post anyways, what does Rajat want you to post here? Yeah, you don't pay attention. Should we just ignore you next time?
    • ^
    • v
    Alan told StillSecure engineering that they didn't have enough "respect" to work harder?
    • ^
    • v
    I can lend support for "Supposedly Mitchel Ashley" and her post about Alan giving us a talk about respect. An e-mail was sent Friday, July 7th, 2006 late in the afternoon (3:45PM) about the quarterly meeting for Monday, July 10th, 2006 at 8:00AM.

    Now, most of the engineers usually come in around 9:00 AM, some earlier, and some later. There were a good number that didn't make the 8:00AM quarterly meeting, and afterward, Alan had our VP of Engineering, James Brown, schedule a 15 minute meeting for 10:30 AM on the 10th. In this meeting, Alan proceeds to discuss the lack of respect for the engineers missing the quarterly meeting. In this short 15 minute meeting, he writes on the whiteboard the word "Respect", and then goes onto talk about respect, and the lack of it shown by the engineers.

    My own take on it: Alan doesn't know how to manage engineers. You don't talk to engineers and berate them for lack of respect and expect them to stay around. I know of at least one engineer who resigned the next month and cited Alan's 15 minute meeting as the primary motivation for him moving on. I know it was a contributing factor when I left Stillsecure as well.
    • ^
    • v
    Looks like alan is just gonna wait out this little boiling kettle till everyone has forgotten about it and then the Marketologists can get on with selling their opensawrus
    • ^
    • v
    It seems like they've corrected their positioning. Good for them!

Trackbacks

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus