<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Questions for StillSecure About Cobia</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Fri, 06 Apr 2007 00:49:43 -0000</lastBuildDate><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321991</link><description>It seems like they've corrected their positioning. Good for them!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 06 Apr 2007 00:49:43 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321990</link><description>Looks like alan is just gonna wait out this little boiling kettle till everyone has forgotten about it and then the Marketologists can get on with selling their opensawrus</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Thu, 05 Apr 2007 23:19:52 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321989</link><description>I can lend support for "Supposedly Mitchel Ashley" and her post about Alan giving us a talk about respect.  An e-mail was sent Friday, July 7th, 2006 late in the afternoon (3:45PM) about the quarterly meeting for Monday, July 10th, 2006 at 8:00AM.  &lt;br&gt;&lt;br&gt;Now, most of the engineers usually come in around 9:00 AM, some earlier, and some later.  There were a good number that didn't make the 8:00AM quarterly meeting, and afterward, Alan had our VP of Engineering, James Brown, schedule a 15 minute meeting for 10:30 AM on the 10th.  In this meeting, Alan proceeds to discuss the lack of respect for the engineers missing the quarterly meeting.  
In this short 15 minute meeting, he writes on the whiteboard the word "Respect", and then goes on to talk about respect, and the lack of it shown by the engineers.&lt;br&gt;&lt;br&gt;My own take on it: Alan doesn't know how to manage engineers.  You don't talk to engineers and berate them for lack of respect and expect them to stay around.  I know of at least one engineer who resigned the next month and cited Alan's 15 minute meeting as the primary motivation for him moving on.  I know it was a contributing factor when I left Stillsecure as well.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ExStillsecure-OneOfMany</dc:creator><pubDate>Wed, 04 Apr 2007 16:57:59 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321988</link><description>Alan told StillSecure engineering that they didn't have enough "respect" to work harder?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 04 Apr 2007 01:09:52 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321987</link><description>"On engineers, I would point you to Brad Doctor on our team who be more knowledgeable about that kind of stuff. Truthfully, living in Florida, i don’t follow the engineers time closely"&lt;br&gt;&lt;br&gt;Oh, come on Alan! You don't follow us much, but you're the henchman that gives us the "pep talks" when we don't have enough "respect" to work more? Don't lie. We know you're on a conference call before each post anyways, what does Rajat want you to post here? Yeah, you don't pay attention. 
Should we just ignore you next time?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Supposedly Mitchel Ashley</dc:creator><pubDate>Wed, 04 Apr 2007 00:03:33 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321986</link><description>@alan&lt;br&gt;&lt;br&gt;Guess what? Some potential users/customers DO in fact care about a company's marketing claims. I'm not one of the "thought leaders" or developers or smart guys, I'm just a plain old ISO at a reasonably well known financial company with a fairly lengthy background in operational IT security. &lt;br&gt;&lt;br&gt;I don't care about claims of o/Open s/Source for the sake of morality or the good of the world, etc. I do care about marketing claims which look like riding on the coat tails of those who have done "good works" however. See by my view as someone who can recommend the use or purchase of a security product, if your main story smells fishy, something else about your company might be fishy as well. This is not an accusation, this is just the perspective of a potential user/customer.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 03 Apr 2007 21:35:12 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321985</link><description>Since outgoing trackbacks aren't apparently working for me right now, I'll just manually link to my post.  Of course, I needn't have bothered based on everybody else commenting here making much of the same points.  
I think the bottom line I agree with most strongly is Thomas' last comment -- end users might not care what Open Source is or isn't, but the folks that you'd presumably most want to be involved with a project like this most certainly do.&lt;br&gt;&lt;br&gt;&lt;a href="http://www.networkcomputing.com/blog/dailyblog/archives/2007/04/is_cobia_open_s.html" rel="nofollow"&gt;http://www.networkcomputing.com/blog/dailyblog/...&lt;/a&gt;&lt;br&gt;&lt;br&gt;Sorry Alan, I'm not trying to add to the... uhh, fecal weather patterns... you're experiencing, and though I was originally really intrigued with Cobia, finally paying attention to the details of the license was disappointing compared to what I was expecting with all the hoopla about open source.  I'm obviously not the only one.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jordan Wiens</dc:creator><pubDate>Tue, 03 Apr 2007 17:09:00 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321984</link><description>The overwhelming majority of users won't care. The overwhelming majority of developers and thought leaders do. Also: be careful about what you imply about your users. Some of them do pay attention and are proud of that.&lt;br&gt;&lt;br&gt;This is so easy to fix that I don't understand why you don't just fix it. Just strike the word "open source" and replace with something equally marketing-friendly.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 03 Apr 2007 13:10:44 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321983</link><description>Alan: you're not being straightforward about it. &lt;br&gt;&lt;br&gt;Do a Google search for "Is * open source?" 
and "* is not open source" and you'll find many tens of companies coming out and saying that, even though they provide source code, they don't fit the definition of open source. Even qmail, which by any reasonable definition is not only open source but also free software, disclaims itself.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 03 Apr 2007 13:09:11 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321982</link><description>Richard, but not the people we are trying to make happy. We believe what we said there on the cobia site. You and others may have a different opinion, but the overwhelming majority of users do not.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">alan shimel</dc:creator><pubDate>Tue, 03 Apr 2007 13:05:55 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321981</link><description>&lt;a href="http://cobia.stillsecure.com/?q=node/132" rel="nofollow"&gt;http://cobia.stillsecure.com/?q=node/132&lt;/a&gt;&lt;br&gt;&lt;br&gt;"Is Cobia open source?&lt;br&gt;The definition of “open source” is evolving as companies create new licenses or add “riders” to OSI licenses such as the GPL. Some believe that open source means it must be one of the OSI compliant licenses (GPL, Mozilla, Apache, etc.). We’ve found what is most important to a majority of open source software users is that open source software is free of charge and include easy access to source code. 
Cobia software meets these requirements through our community license structure."&lt;br&gt;&lt;br&gt;Replace that with:&lt;br&gt;&lt;br&gt;"Is Cobia open source?&lt;br&gt;No."&lt;br&gt;&lt;br&gt;That will make a lot of people happier.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Bejtlich</dc:creator><pubDate>Tue, 03 Apr 2007 12:33:55 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321980</link><description>Thomas excellent point, so by being upfront and saying what we intend to do and how we are going to sell this, we are seeking not to exploit anyone.  If a developer does not want to get involved because of our licensing, we are OK with it. I think that is better than changing licensing mid-stream with a new release.  I don't want to reach critical mass on other people's work and then change the rules.  We are setting our rules right now for everyone to know.  What is bad about that?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">alan shimel</dc:creator><pubDate>Tue, 03 Apr 2007 12:14:54 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321979</link><description>Alan, you've never sent Tenable source code. I've had to ask you to get your NASLs and list of source code changes updated on your web site. Also, when I looked at them, I was looking at them from a Tenable code point of view, which I didn't see any glaring evidence that you were directly copying .nasls from our Registered or Direct Feeds. I didn't have each of them tested for Tenable fingerprints in the NASLs  and I also didn't audit your code from a GPL violation point of view.&lt;br&gt;&lt;br&gt;As far as chatting with folks anonymously, good luck. 
We have 1000s of gmail, yahoo, hotmail or otherwise anonymous users on the Nessus mailing list, posting to slashdot, etc. Many of these are either competitors of Tenable or folks who don't want to pay for support or folks who want to debate licensing. &lt;br&gt;&lt;br&gt;-- Ron</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ron Gula</dc:creator><pubDate>Tue, 03 Apr 2007 12:12:27 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321978</link><description>The market totally isn't wrapped up in open source. That's a problem, because open-source developers are often outside the market, getting exploited by it. And I mean, whatever, that's fine; just don't act like it's noble to do it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 03 Apr 2007 12:09:52 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321977</link><description>Thomas, I may not get to some of this all today, will have to wait. Open Source is a central part of our positioning.  You want to call it community source and that makes you feel better, go for it. The bottom line, is I think the market in general is just not as wrapped up on this as you guys are. We developed Cobia for the market in general and I think they will be fine. The ultimate judge will be how many people use it and what other companies will develop solutions that support it.&lt;br&gt;&lt;br&gt;On the Astaro thing, there is a fundamental piece of the story missing.  The Astaro guy stood up and said that they are big supporters of open source and support lots of projects.  So I called him on it and asked him which ones.  Turns out the guy on the panel for them, did not have an answer. 
I mean he could not give one example. He was probably the wrong guy for that panel.  But to be fair, since then I have been in touch with Astaro folks and they do in fact contribute quite a bit to open source (at least they convinced me).&lt;br&gt;&lt;br&gt;The difference is I am not saying we are big contributors to other open source projects. If we have something to give back we do. If we can help in some way that is in line with our own objectives we do.  Most importantly, we try very hard to comply with all licensing requirements.  For instance someone mentioned MySQL.  We pay MySQL their license fees, However, for Safe Access we choose to use another DB that was also open.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">alan shimel</dc:creator><pubDate>Tue, 03 Apr 2007 11:58:58 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321976</link><description>@alan:&lt;br&gt;"Joe, here is the fundamental question though, if we want to distribute something via our own definition of open source, why does it throw you into such a frenzy and what difference does it make to you what other open source projects we support?"&lt;br&gt;&lt;br&gt;No frenzy and I don't care, just curious about companies claiming to do a lot for Open Source but not being very well known for it.&lt;br&gt;&lt;br&gt;I'll download Cobia now and I'll contact you by email if I have any further questions.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">joe</dc:creator><pubDate>Tue, 03 Apr 2007 11:51:14 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321975</link><description>Alan, &lt;br&gt;&lt;br&gt;I wasn't piling on, I was just mentioning that I didn't think Sourcefire should be termed as a "used to be open source" 
company in Thomas' original post, we're still very much into advancing our open source technologies for everyone to use.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Martin Roesch</dc:creator><pubDate>Tue, 03 Apr 2007 11:48:45 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321974</link><description>"Community Source" sounds fine with me.&lt;br&gt;&lt;br&gt;Look, Alan, you guys didn't launch a "unified network platform". You launched an "OPEN SOURCE unified network platform". It's right there in the branding. It's a central part of your positioning.&lt;br&gt;&lt;br&gt;Your use of the term is totally, completely fair game. Also, I'd like to see you address Ivan Arce's point here; I'm tempted to post it on the front page as an open question. Did you really call Astaro out in front of an audience at RSA for not being open-source enough?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 03 Apr 2007 11:42:28 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321973</link><description>Joe, first of all that was not Mitchell Ashley that posted the comment. Second, it is our position that the code we are distributing with VAM is under the GPL. I personally think Lockdown is wrong and so we distribute it pursuant to GPL terms.&lt;br&gt;&lt;br&gt;Joe, here is the fundamental question though, if we want to distribute something via our own definition of open source, why does it throw you into such a frenzy and what difference does it make to you what other open source projects we support? 
I am not looking to pull your tail or anything, but since you don't leave any contact info, there is no way of knowing who you are, what your motives are or anything else about you. So instead of being just another "joe" come out and introduce yourself.  If you would like to continue this discussion with your real identity in private you can do so by emailing me at alan (at) stillsecure dot com. I promise to keep whatever communication we have between us. I can also talk a lot more openly that way.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">alan shimel</dc:creator><pubDate>Tue, 03 Apr 2007 11:39:32 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321972</link><description>I was about to jump in here and defend StillSecure on their usage of 'open source'.  First, 'open source' is not 'Open Source', just like an engineer is not an Engineer.&lt;br&gt;&lt;br&gt;But upon a second read of their community license, there are some items that just don't sit well even for 'open source'.  A much better term would be something like 'community source' in my opinion (which is worth nothing).</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jason</dc:creator><pubDate>Tue, 03 Apr 2007 11:35:35 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321971</link><description>@alan:&lt;br&gt;"On the GPL, first of all, we are not Lockdown Networks, they developed the linked library you refer to, so you should take it up with them."&lt;br&gt;&lt;br&gt;It does not work this way. 
Your company is distributing code which is in violation of the license, your company is also liable for it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">joe</dc:creator><pubDate>Tue, 03 Apr 2007 11:29:08 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321970</link><description>@mitchel:&lt;br&gt;&lt;br&gt;I have read the GPL, and I advise you to do the same. &lt;br&gt;&lt;br&gt;Your modified version of Nessus contains portions which are not released under the GPL but under a proprietary license (that you are also violating by the way, since it says that Lockdown does not grant you redistribution rights).&lt;br&gt;&lt;br&gt;To make things simple :&lt;br&gt;&lt;br&gt;- FACT: Nessus is released under the GPL&lt;br&gt;- FACT: All the modifications you make to Nessus are to be made under the GPL&lt;br&gt;- FACT: Your modified version of Nessus links to the file winreggie.c which is NOT under the GPL&lt;br&gt;&lt;br&gt;Ergo: FACT: you are in violation of the GPL.&lt;br&gt;&lt;br&gt;See also : &lt;a href="http://www.gnu.org/licenses/gpl-faq.html#MoneyGuzzlerInc" rel="nofollow"&gt;http://www.gnu.org/licenses/gpl-faq.html#MoneyG...&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">joe</dc:creator><pubDate>Tue, 03 Apr 2007 11:26:51 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321969</link><description>Hey Thomas, I just spoke to Mitchell and he did not post the comment before mine.  His name is not even spelled right. Thomas, what is going on with the comments.  Did Marty really post?  
Is Joe just your alter ego ;-) Just kidding but wanted to set the record straight.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">alan shimel</dc:creator><pubDate>Tue, 03 Apr 2007 11:25:53 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321968</link><description>Thanks for your 2 cents Marty. On the GPL, first of all, we are not Lockdown Networks, they developed the linked library you refer to, so you should take it up with them. That is their copyright header and we would not remove it, even if we thought it was wrong.  We do make the code available though and I have personally sent the source code to Tenable and we comply with the licensing requirements on it.&lt;br&gt;&lt;br&gt;Joe, obviously you are very passionate about open source licensing. If Cobia being called open source bothers you so much, you don't have to use it or contribute to it.  Other than that, not much either of us can do but continue to disagree</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">alan shimel</dc:creator><pubDate>Tue, 03 Apr 2007 11:17:27 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://www.matasano.com/log/755/questions-for-stillsecure-about-cobia/#comment-2321967</link><description>The GPL is a very complicated license to understand.     I run into people left and right that simply don't understand it or its limitations.  Have you even read it?   What does it mean?   You should watch out before you accuse someone of violating it! My cat smells like cat food!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Random Guy Claiming To Be Mitc</dc:creator><pubDate>Tue, 03 Apr 2007 11:13:25 -0000</pubDate></item></channel></rss>