
April 03, 2007

Thanks Thomas, for giving me the chance to explain

Many thanks to Thomas over at Matasano for getting the "open source" issue around Cobia right out from the get-go. I just wish he hadn't done it on the first night of Passover, as I had to wait until all of our guests left and I helped clean up, but hey, it is only 1am, the night is still young.

So, easy stuff first. Thomas, as to Martin's blog post, you know how I feel about this stupid list already. I don't honestly think that I am the 2nd most influential person in IT security. But I am not responsible for the IT Security.com list, nor am I responsible for what Martin writes. One of the things we made explicit when we hired Martin was that we do not control what he writes, within reason. Obviously we don't want him exposing us to any liabilities. So, Thomas, take that up with Martin. Thomas, I know this is a push-your-button issue for you, but try to separate that from the rest of your article, which makes some great points I want to respond to. You ask two fundamental questions. Let me answer them:

1. Is Cobia open source? The not-so-short answer, Thomas, is that if you are a strict constructionist and believe all open source must have an OSI-approved license, then I guess you can say it is not open source. Me personally, I don't like strict constructionists in my Supreme Court judges and I don't deem software open source or not by a strict construction of whether or not an OSI-approved license is in place. Thomas, I don't say this flippantly either. We thought long and hard about licensing and this issue around Cobia. Here is the story. We believe, and our research proves it, that most people consider software open source if the product is free to use and it includes the source code. I think only purists will get hung up about the OSI stuff. Only people looking to make money off of it will get hung up about the dual license. Go ask Ron Gula about it, he will tell you. Most people, when they download software that is "open", look for it to be free. In a minority of cases they may even look at the source code. The only time they look closely at the license is if they are going to do something with the product such as distribution.

Thomas, today's commercial open source business model isn't the open source model you grew up with. I am glad you brought up both Snort and Nessus. Go ask Ron and Marty if, were they starting today, they would do it under GPL from the beginning again. If they are being truthful, they would tell you no way. The idea we are trying to get across here is that if you are using Cobia for your own use in your network and not reselling it or packaging it for profit, it is free and open. If you are going to use it for profit, why should we not share in this? Someone has to pay the bills here. We are not releasing it under GPL only to pull out key parts later on. We think that is much less respectful of the people who may contribute than telling them upfront what our intentions are. For the 8% of people who do something with the code (that is how many people do in the average open source project), we do have provisions for them to share in Cobia. We also will be seeking more ISVs who develop to the Cobia platform. We already have some lined up. Stay tuned for announcements around this. The incentive, Thomas, is that as more people use Cobia in their network, wouldn't it be good for their product to run on top of it? We will also be contributing non-open modules for Cobia in the future.

Bottom line on this issue, Thomas, is I believe it is open source. It is free and you get the source code. You want to make money on it, we want to make money too. Take a look outside of security and you will see lots of similar business models out there. That is open source to the overwhelming majority of the market. To those that do not consider this open source and get wrapped around the axle on it, so be it. It is what it is.

2. Is Cobia a pretty face on some open source with a Java web-app wrapper? Another great question and again, I am afraid, not a short answer. First off, please don't judge Cobia by what is currently available in the beta. It is the first beta; there is a lot more planned for it. Secondly, yes, we used some of the Xorp stuff, but it needed a lot of work. Xorp is under a BSD license, I believe, BTW.

Thomas, we have been working with open source at StillSecure for years. We are very well versed in open source. One thing I can tell you is that we will comply with the letter of the licenses involved. I am glad you brought up Astaro as an example of a company that, in your opinion, does not contribute. Go have a look at which companies contributed the most new code in the latest Linux kernel. You will find Astaro pretty high on the list. By the same token, Thomas, because we have not yet blown our own horn about what we have done in open source, don't mistake that for us not doing anything. We have quietly contributed a lot of code back to open source projects for a long time. Have a look at http://www.stillsecure.com/opensource if you would like to see what we use and what our SAT has done. Many times we will improve code and contribute it back to the community or make it available under GPL without putting out a press release or something like that. We are a sponsor of and help out with Bleeding Edge, and have in the past had engineers on the SANS Storm Center.

So maybe, Thomas, our marketing team has been too busy playing up that Martin, Mitchell and I were on that list, instead of playing up our contributions to open source projects. But we are very sure in our beliefs about what the market wants and that Cobia is going to fill a very critical need out there. We welcome people giving it a try and hope that it solves an issue in your network. We welcome feedback on what you would like to see in it and want people to be active Cobia community members.


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure, or anyone else.
