
Matasano Chargen: Questions for StillSecure About Cobia

  • Michael · 2 years ago
    Will someone please put a bullet in the tired subject of the 'top influencers in security'!?

    Christ I'm seriously beginning to sympathize with Mark Curphey!

    Put it to rest already and get back to bickering over the usefulness of NAC or something, lol.
  • Thomas Ptacek · 2 years ago
    It's right there on the Cobia blog! I just listened to Alan tell me he was irritated with his marketing team for playing it up!

    BTW: count the NAC posts here. Eh?
  • Thomas Ptacek · 2 years ago
    Also: what do you think: Cobia, open source or not?
  • alan shimel · 2 years ago
    Thomas, thanks for bringing up the open source issue. It is one we thought a lot about over the last year. To answer both of your questions would have been too long a comment. Instead I have, I hope, fully answered your questions over on my blog at: http://www.stillsecureafteralltheseyears.com/as...

    Hope that clears it up for you (it probably won't, but I tried).
  • Joe · 2 years ago
    Alan : "Open Source" is a trademark which belongs to OSI, so it's not really up to you to decide what kind of license fits or not.

    Also, looking at it, it looks like your company sells waaaay outdated stuff! Snort 2.4.1? Nmap 3.75? Nessus 2.2.4? Hello? Are we in 2002 or what?

    Are you guys seriously selling the packaging around stuff that was created over two years ago ?

    With regards to the code StillSecure supposedly has contributed to the open-source projects you guys are using, I'm not seeing any evidence. The most work I can see is packaging some existing Open Source applications as an RPM for your own needs.

    Naturally, you can always insinuate that you're the top #3 company in open source contributions, but the fact is that what I can gather is the following:

    - No contribution to Snort whatsoever
    - One minor bug fix in jcifs in 2005 (http://lists.samba.org/archive/jcifs/2005-Janua...)
    - No contribution to Nmap whatsoever
    - No contribution to MySQL whatsoever
    - etc...


    So Alan, could you please shed some light and help us here? What have you guys contributed back to the projects you are using?
  • Thomas Ptacek · 2 years ago
    Unfortunately, "open source" is not actually a trademark of OSI. They apparently gave up on that one.
  • alan shimel · 2 years ago
    So wrong on who owns open source and wrong on what we are using in our products. Go have a closer look at what we are actually using for Nessus. You will see it is a customized version we changed ourselves and is GPL. Also many of our engineers have done work for open source stuff under their own names.

    Frankly though, this is not about that. We have chosen to distribute Cobia under our definition of open source. Ultimately the users will decide if they agree with it or not. We make no bones about the fact that we are a commercial, for-profit venture.
  • Thomas Ptacek · 2 years ago
    It's pretty misleading to use the term "open source", which is perhaps one of the most aggressively "defined" terms in our industry (see: the Open Source Definition), for a license that would not get the approval of the OSI.

    Alan, about your engineers: I believe you. Give us a list of their names so we can ask them how much StillSecure work time you guys give them to work on their projects. You should be proud of this stuff, so I don't expect you to be circumspect.
  • alan shimel · 2 years ago
    Thomas, I don't think it misleading. I think open source business models and licensing have undergone significant changes over the last few years. It is about the community of users and what they think. People who aren't going to use Cobia because they don't think it true open source are not going to contribute or participate, and we are OK with that.

    On engineers, I would point you to Brad Doctor on our team, who would be more knowledgeable about that kind of stuff. Truthfully, living in Florida, I don't follow the engineers' time closely.
  • Thomas Ptacek · 2 years ago
    Alan, come on. There's an "Open Source Definition" at the "Open Source Initiative" at "Open Source Dot Org", which for all intents and purposes invented the term.

    It's a VERY SHORT definition, and inside of its very few words are multiple numbered license attributes (they call them "traps", as in, StillSecure is trying to "trap" people) that you guys contravene.

    Call it something else besides "open source". Microsoft calls it "shared source". That works!
  • Tyler Reguly · 2 years ago
    I have to say that when I first saw Mitchell post the white paper on UNP I was a little stumped... I haven't yet booted the product but the concept alone was enough to give me a laugh.

    An Open Source Operating System - Linux
    Modular Plugins - Software
    OTS hardware - Any Home Computer

    Sounds to me like it's Ubuntu/Debian with Apt. Seriously, I throw in an Ubuntu CD and it installs quite easily on OTS hardware (and it doesn't require a 2Ghz PC). Then using Apt I can easily install most of what is offered with Cobia (if not all of it), and most of them will also have some sort of GUI for ease of use.

    So in the end they're charging for a Linux system running a GUI with a package management system. I definitely see the open source in all of that.

    This page basically sums my theory up (http://download.stillsecure.com/Cobia/src/). However I will be writing more on the subject once I've had a chance to properly play with the software.
  • ivan · 2 years ago
    I'd like to point out that at RSA 2007, more precisely at the UTM panel, Alan Shimel publicly pounded Alex Quinonez, VP of Sales @ Astaro (now a direct competitor to Shimel's company), demanding that he list the specific open source projects to which Astaro contributes. Alex failed to comply, which did not make Astaro look good and was certainly embarrassing.

    So now I think it is fair to ask Alan for the list of specific projects to which StillSecure -the company, not individual developers- contributes, and I'm sure Astaro will be happy to hear about that too..
  • joe · 2 years ago
    @alan: you wrote :
    >

    Fair enough -- I actually went to your website, and downloaded your copy of Nessus[1]. If by "contribution" you mean "violating the GPL", then I guess you guys are really contributing to a lot of GPL software !


    For instance, your changes link libnasl to a file called 'winreggie.c' which seems to be glue between samba and libnasl, and which has the following header:

    --- Begin header ---
    Copyright (C) 2004, 2005 Lockdown Networks, Inc.
    All rights reserved by Lockdown Networks, Inc. and its licensors ("Lockdown").
    This source code and the methodology disclosed by it constitute the proprietary
    and confidential information of Lockdown Networks, Inc. and its licensors
    ("Source Code"). By using this Source Code, you agree to be bound by these
    terms and conditions of use. Further, use of this Source Code is governed by
    the terms and conditions of license agreement with Lockdown, which is
    incorporated herein.

    Use of the Source Code is permitted only for partners of Lockdown Networks, Inc.
    under written agreement and for no other purpose. The Source Code may not be
    disclosed to or used by anyone other than your employees or contractors working
    on Lockdown product development projects. Any other disclosure is expressly
    prohibited. Any product developed using the Source Code may be distributed,
    displayed, licensed, sold, or used in object code format only as specified in
    a written license with Lockdown permitting such distribution, display, license,
    sale or use.


    --- End header ---


    Now, I frankly do not care about what your definition of "Open Source" is. However, what I know is that linking GPL software against a non-GPL library is a pure violation of the GPL. It's even covered in the GPL FAQ[2].

    Do you have authorization for doing such a thing, or are you openly violating the copyright of the Nessus and Samba folks ?


    Did you guys "contribute" to any other GPL tool as well ? Maybe the copyright owners should be notified about your doing, what do you think ?


    [1] download.stillsecure.com/CommonOsBuild/RPMS/rpms/nessus-2.2.4-ss13.i386.rpm

    [2] http://www.gnu.org/licenses/gpl-faq.html#Linkin...
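An added example of the kind of check Joe describes above (not code from this thread, from StillSecure, or from the Nessus package): unpack a package's source tree, work out which files a link target pulls in from its automake list, and flag any whose header does not carry a GPL notice. The directory layout, the `Makefile.am` fragment, the `libnasl_la` target name and the file headers are all constructed for the example; the proprietary header is modelled on the one quoted above but uses a placeholder vendor name.

```python
"""License-header audit for a source tree, as a practitioner might run it on an
unpacked SRPM.  Every sample file below is constructed for this example."""
import re
import tempfile
from pathlib import Path

HEADER_BYTES = 4096  # licence notices live at the top of a file; don't read whole blobs

# Heuristic markers.  A positive GPL notice wins; otherwise look for the usual
# proprietary boilerplate.  Anything else is "unknown" and still needs a human.
GPL_MARKERS = (r"GNU General Public License", r"GNU Lesser General Public", r"\bL?GPL\b")
PROPRIETARY_MARKERS = (
    r"All rights reserved",
    r"proprietary and confidential",
    r"may not be disclosed",
    r"object code format only",
)


def classify_header(text: str) -> str:
    """Return 'gpl', 'proprietary' or 'unknown' from the leading bytes of a file."""
    head = text[:HEADER_BYTES]
    if any(re.search(p, head, re.I) for p in GPL_MARKERS):
        return "gpl"
    if any(re.search(p, head, re.I) for p in PROPRIETARY_MARKERS):
        return "proprietary"
    return "unknown"


def scan_tree(root, exts=(".c", ".h")) -> dict:
    """Map every source file under root (posix-style relative path) to its class."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): classify_header(p.read_text(errors="replace"))
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in exts
    }


def linked_sources(makefile_text: str, target: str) -> list:
    """Sources listed for <target>_SOURCES in an automake-style file,
    honouring backslash line continuations."""
    joined = re.sub(r"\\\n", " ", makefile_text)
    m = re.search(rf"^{re.escape(target)}_SOURCES\s*=\s*(.*)$", joined, re.M)
    return m.group(1).split() if m else []


def audit_link_target(root, makefile_rel: str, target: str) -> list:
    """(source, class) for every file linked into `target` that carries no GPL notice.
    A GPL library linked against such a file is the case the GPL FAQ addresses."""
    makefile = Path(root) / makefile_rel
    findings = []
    for src in linked_sources(makefile.read_text(), target):
        cls = classify_header((makefile.parent / src).read_text(errors="replace"))
        if cls != "gpl":
            findings.append((src, cls))
    return findings


# --- constructed sample tree (assumed layout; not the real nessus-2.2.4-ss13 package) ---
GPL_NOTICE = ("/* This program is free software; you can redistribute it under the\n"
              " * terms of the GNU General Public License. */\n")
PROPRIETARY_NOTICE = (
    "/* Copyright (C) 2004, 2005 Example Vendor, Inc.\n"
    " * All rights reserved.  This source code constitutes the proprietary\n"
    " * and confidential information of Example Vendor and may not be disclosed. */\n"
)
SAMPLE_FILES = {
    "libnasl/Makefile.am": (
        "lib_LTLIBRARIES = libnasl.la\n"
        "libnasl_la_SOURCES = nasl_lex.c \\\n"
        "    nasl_crypto.c \\\n"
        "    winreggie.c\n"
    ),
    "libnasl/nasl_lex.c": GPL_NOTICE + "int nasl_lex(void) { return 0; }\n",
    "libnasl/nasl_crypto.c": GPL_NOTICE + "int nasl_md5(void) { return 0; }\n",
    "libnasl/winreggie.c": PROPRIETARY_NOTICE + "int winreggie_open(void) { return 0; }\n",
    "nessusd/attack.c": "int attack(void) { return 0; }\n",  # no header at all
}


def build_sample_tree() -> str:
    """Write SAMPLE_FILES into a fresh temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="license-audit-"))
    for rel, body in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return str(root)


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, cls in scan_tree(root).items():
        print(f"{cls:12} {rel}")
    for src, cls in audit_link_target(root, "libnasl/Makefile.am", "libnasl_la"):
        print(f"libnasl_la links {src} ({cls}): not under the GPL, needs review")
```

The header grep is a heuristic, not a legal opinion: a file with no notice at all comes back "unknown" rather than clean, and a file that is GPL but whose notice is phrased unusually will too, so the output is a worklist for a human, not a verdict. Point it at the real `rpm2cpio ... | cpio -id` output and at the actual `_SOURCES`/`_LDADD` lines of the library you care about; the version here only reads `_SOURCES`.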
  • Martin Roesch · 2 years ago
    I'd just like to point out that Snort is *still* fully open source and distributed under the GPL and that we continue to work on it with a dedicated engineering team over here. In fact once we get final sign off you should be seeing Snort 2.6.1.4 released today.

    Additionally, we announced the release a new open source program yesterday (Daemonlogger) and the first Snort 3.0 alpha should see the light of day this week.

    Sourcefire isn't like anyone else doing "open source" security products out there, we still develop significant technologies under GPL licenses and give them away for free. If you've got issues with our content licensing I'm happy to debate that, but our core technology is open source.

    My next project is going to be getting on the "top influencers" list!
  • Random Guy Claiming To Be Mitc · 2 years ago
    The GPL is a very complicated license to understand. I run in to people left and right that simply don't understand it or its limitations. Have you even read it? What does it mean? You should watch out before you accuse someone of violating it! My cat smells like cat food!
  • alan shimel · 2 years ago
    Thanks for your 2 cents Marty. On the GPL, first of all, we are not Lockdown Networks, they developed the linked library you refer to, so you should take it up with them. That is their copyright header and we would not remove it, even if we thought it was wrong. We do make the code available though and I have personally sent the source code to Tenable and we comply with the licensing requirements on it.

    Joe, obviously you are very passionate about open source licensing. If Cobia being called open source bothers you so much, you don't have to use it or contribute to it. Other than that, not much either of us can do but continue to disagree
  • alan shimel · 2 years ago
    Hey Thomas, I just spoke to Mitchell and he did not post the comment before mine. His name is not even spelled right. Thomas, what is going on with the comments. Did Marty really post? Is Joe just your alter ego ;-) Just kidding but wanted to set the record straight.
  • joe · 2 years ago
    @mitchel:

    I have read the GPL, and I advise you to do the same.

    Your modified version of Nessus contains portions which are not released under the GPL but under a proprietary license (that you are also violating by the way, since it says that Lockdown does not grant you redistribution rights).

    To make things simple :

    - FACT: Nessus is released under the GPL
    - FACT: All the modifications you make to Nessus are to be made under the GPL
    - FACT: Your modified version of Nessus links to the file winreggie.c which is NOT under the GPL

    Ergo: FACT: you are in violation of the GPL.

    See also : http://www.gnu.org/licenses/gpl-faq.html#MoneyG...
  • joe · 2 years ago
    @alan:
    "On the GPL, first of all, we are not Lockdown Networks, they developed the linked library you refer to, so you should take it up with them."

    It does not work this way. Your company is distributing code which is in violation of the license, your company is also liable for it.
  • Jason · 2 years ago
    I was about to jump in here and defend StillSecure on their usage of 'open source'. First, 'open source' is not 'Open Source', just like an engineer is not an Engineer.

    But upon a second read of their community license, there are some items that just don't sit well even for 'open source'. A much better term would be something like 'community source' in my opinion (which is worth nothing).
  • alan shimel · 2 years ago
    Joe, first of all that was not Mitchell Ashley that posted the comment. Second, it is our position that the code we are distributing with VAM is under the GPL. I personally think Lockdown is wrong and so we distribute it pursuant to GPL terms.

    Joe, here is the fundamental question though: if we want to distribute something via our own definition of open source, why does it throw you into such a frenzy, and what difference does it make to you what other open source projects we support? I am not looking to pull your tail or anything, but since you don't leave any contact info, there is no way of knowing who you are, what your motives are or anything else about you. So instead of being just another "joe", come out and introduce yourself. If you would like to continue this discussion with your real identity in private you can do so by emailing me at alan (at) stillsecure dot com. I promise to keep whatever communication we have between us. I can also talk a lot more openly that way.
  • Thomas Ptacek · 2 years ago
    "Community Source" sounds fine with me.

    Look, Alan, you guys didn't launch a "unified network platform". You launched an "OPEN SOURCE unified network platform". It's right there in the branding. It's a central part of your positioning.

    Your use of the term is totally, completely fair game. Also, I'd like to see you address Ivan Arce's point here; I'm tempted to post it on the front page as an open question. Did you really call Astaro out in front of an audience at RSA for not being open-source enough?
  • Martin Roesch · 2 years ago
    Alan,

    I wasn't piling on, I was just mentioning that I didn't think Sourcefire should be termed a "used to be open source" company in Thomas' original post; we're still very much into advancing our open source technologies for everyone to use.
  • joe · 2 years ago
    @alan:
    "Joe, here is the fundamental question though, if we want to distribute something via our own definition of open source, why does it throw you into such a frenzy and what difference does it make to you what other open source projects we support?"

    No frenzy and I don't care, just curious about companies claiming to do a lot for Open Source but not being very well known for it.

    I'll download Cobia now and I'll contact you by email if I have any further questions.
  • alan shimel · 2 years ago
    Thomas, I may not get to some of this all today, will have to wait. Open Source is a central part of our positioning. You want to call it community source and that makes you feel better, go for it. The bottom line, is I think the market in general is just not as wrapped up on this as you guys are. We developed Cobia for the market in general and I think they will be fine. The ultimate judge will be how many people use it and what other companies will develop solutions that support it.

    On the Astaro thing, there is a fundamental piece of the story missing. The Astaro guy stood up and said that they are big supporters of open source and support lots of projects. So I called him on it and asked him which ones. Turns out the guy on the panel for them did not have an answer. I mean he could not give one example. He was probably the wrong guy for that panel. But to be fair, since then I have been in touch with Astaro folks and they do in fact contribute quite a bit to open source (at least they convinced me).

    The difference is I am not saying we are big contributors to other open source projects. If we have something to give back we do. If we can help in some way that is in line with our own objectives we do. Most importantly, we try very hard to comply with all licensing requirements. For instance, someone mentioned MySQL. We pay MySQL their license fees. However, for Safe Access we chose to use another DB that was also open.
  • Thomas Ptacek · 2 years ago
    The market totally isn't wrapped up in open source. That's a problem, because open-source developers are often outside the market, getting exploited by it. And I mean, whatever, that's fine; just don't act like it's noble to do it.
  • Ron Gula · 2 years ago
    Alan, you've never sent Tenable source code. I've had to ask you to get your NASLs and list of source code changes updated on your web site. Also, when I looked at them, I was looking at them from a Tenable code point of view, and I didn't see any glaring evidence that you were directly copying .nasls from our Registered or Direct Feeds. I didn't have each of them tested for Tenable fingerprints in the NASLs, and I also didn't audit your code from a GPL violation point of view.

    As far as chatting with folks anonymously, good luck. We have 1000s of gmail, yahoo, hotmail or otherwise anonymous users on the Nessus mailing list, posting to slashdot, etc. Many of these are either competitors of Tenable or folks who don't want to pay for support or folks who want to debate licensing.

    -- Ron
  • alan shimel · 2 years ago
    Thomas excellent point, so by being upfront and saying what we intend to do and how we are going to sell this, we are seeking not to exploit anyone. If a developer does not want to get involved because of our licensing, we are OK with it. I think that is better than changing licensing mid-stream with a new release. I don't want to reach critical mass on other peoples work and then change the rules. We are setting our rules right now for everyone to know. What is bad about that?
  • Richard Bejtlich · 2 years ago
    http://cobia.stillsecure.com/?q=node/132

    "Is Cobia open source?
    The definition of “open source” is evolving as companies create new licenses or add “riders” to OSI licenses such as the GPL. Some believe that open source means it must be one of the OSI compliant licenses (GPL, Mozilla, Apache, etc.). We’ve found what is most important to a majority of open source software users is that open source software is free of charge and includes easy access to source code. Cobia software meets these requirements through our community license structure."

    Replace that with:

    "Is Cobia open source?
    No."

    That will make a lot of people happier.
  • alan shimel · 2 years ago
    Richard, but not the people we are trying to make happy. We believe what we said there on the cobia site. You and others may have a different opinion, but the overwhelming majority of users do not.
  • Thomas Ptacek · 2 years ago
    Alan: you're not being straightforward about it.

    Do a Google search for "Is * open source?" and "* is not open source" and you'll find many tens of companies coming out and saying that, even though they provide source code, they don't fit the definition of open source. Even qmail, which by any reasonable definition is not only open source but also free software, disclaims itself.
  • Thomas Ptacek · 2 years ago
    The overwhelming majority of users won't care. The overwhelming majority of developers and thought leaders do. Also: be careful about what you imply about your users. Some of them do pay attention and are proud of that.

    This is so easy to fix that I don't understand why you don't just fix it. Just strike the word "open source" and replace with something equally marketing-friendly.
  • Jordan Wiens · 2 years ago
    Since outgoing trackbacks aren't apparently working for me right now, I'll just manually link to my post. Of course, I needn't have bothered based on everybody else commenting here making much of the same points. I think the bottom line I agree with most strongly is Thomas' last comment -- end users might not care what Open Source is or isn't, but the folks that you'd presumably most want to be involved with a project like this most certainly do.

    http://www.networkcomputing.com/blog/dailyblog/...

    Sorry Alan, I'm not trying to add to the... uhh, fecal weather patterns... you're experiencing, and though I was originally really intrigued with Cobia, finally paying attention to the details of the license was disappointing compared to what I was expecting with all the hoopla about open source. I'm obviously not the only one.
  • Chris_B · 2 years ago
    @alan

    Guess what? Some potential users/customers DO in fact care about a company's marketing claims. I'm not one of the "thought leaders" or developers or smart guys, I'm just a plain old ISO at a reasonably well known financial company with a fairly lengthy background in operational IT security.

    I don't care about claims of o/Open s/Source for the sake of morality or the good of the world, etc. I do care about marketing claims which look like riding on the coat tails of those who have done "good works", however. See, by my view as someone who can recommend the use or purchase of a security product, if your main story smells fishy, something else about your company might be fishy as well. This is not an accusation, this is just the perspective of a potential user/customer.
  • Supposedly Mitchel Ashley · 2 years ago
    "On engineers, I would point you to Brad Doctor on our team who be more knowledgeable about that kind of stuff. Truthfully, living in Florida, i don’t follow the engineers time closely"

    Oh, come on Alan! You don't follow us much, but you're the henchman that gives us the "pep talks" when we don't have enough "respect" to work more? Don't lie. We know you're on a conference call before each post anyways, what does Rajat want you to post here? Yeah, you don't pay attention. Should we just ignore you next time?
  • Thomas Ptacek · 2 years ago
    Alan told StillSecure engineering that they didn't have enough "respect" to work harder?
  • ExStillsecure-OneOfMany · 2 years ago
    I can lend support for "Supposedly Mitchel Ashley" and her post about Alan giving us a talk about respect. An e-mail was sent Friday, July 7th, 2006 late in the afternoon (3:45PM) about the quarterly meeting for Monday, July 10th, 2006 at 8:00AM.

    Now, most of the engineers usually come in around 9:00 AM, some earlier, and some later. There were a good number that didn't make the 8:00AM quarterly meeting, and afterward, Alan had our VP of Engineering, James Brown, schedule a 15 minute meeting for 10:30 AM on the 10th. In this meeting, Alan proceeds to discuss the lack of respect for the engineers missing the quarterly meeting. In this short 15 minute meeting, he writes on the whiteboard the word "Respect", and then goes on to talk about respect, and the lack of it shown by the engineers.

    My own take on it: Alan doesn't know how to manage engineers. You don't talk to engineers and berate them for lack of respect and expect them to stay around. I know of at least one engineer who resigned the next month and cited Alan's 15 minute meeting as the primary motivation for him moving on. I know it was a contributing factor when I left Stillsecure as well.
  • Chris_B · 2 years ago
    Looks like alan is just gonna wait out this little boiling kettle till everyone has forgotten about it and then the Marketologists can get on with selling their opensawrus
  • Thomas Ptacek · 2 years ago
    It seems like they've corrected their positioning. Good for them!