[Owasp-testing] OSSTMM manual, followup by Pete about OSS

Matteo G.P. Flora mf at matteoflora.com
Mon Jan 22 07:48:54 EST 2007

Hi all,

sorry for the long message, but as I told you all I was asking Pete  
to respond to the questions that were on the list...

Here it is.
Please take into account that these are PETE's ideas ;)

Hope this helps a bit and have a good week!


> Matteo G.P. Flora wrote:
>> Pete, we're talking about OSSTMM on the OWASP list. Since you're  
>> in charge of ISECOM  is on the OWASP list.
>> Can you comment? I'll post on OWASP your reply!
>> Thanx!
> Thanks for sharing this and giving me a chance to respond.  I'll do  
> so below, inline. I'm snipping headers and such to improve clarity....
>>> This mail might sound harsh, but I just want to get the facts  
>>> straight for everyone interested. I sincerely think that OWASP  
>>> would be better off collaborating with Information Systems  
>>> Security Assessment Framework (ISSAF) than with ISECOM's OSSTM.  
>>> But, then again, it's not my call.
> I will not try to sell you on an ISECOM collaboration.  I just want  
> a chance to explain what has happened.  Be prepared because there's  
> a lot to say here and I never really talked about all of it in one  
> place before.  I mean, there's no forum or support group I found  
> that really understands me ;)  But sure, all of the stuff I write  
> here has been said by me before.
>>> Does OSSTM really use an OSS license? I'm sorry I'm going to be  
>>> the one that disappoints you, but the answer is a very big NO.
>>> Here are the facts:
> While I will be responding on these comments, I am not discounting  
> their perception, views, or opinion.  I am only sharing my version  
> of what and why we are doing what we do.  You may disagree with me  
> but do understand this is only my viewpoint. And I am always  
> interested to see other viewpoints of what we do here at ISECOM.
>>> * Version 2.0 (released February 2003) referred to the GPL but had  
>>> this statement in the front page of the document: "Any  
>>> information contained within this document may not be modified or  
>>> sold without the express consent of the author."
> We were informed early on in 2002 that the GPL does not handle  
> copyright of documents.  So we added the copyright to allow that  
> nobody would exploit us by copying and selling the OSSTMM as a  
> book.  Remember even in 2003, the concept was all very new and we  
> were forging the way for ourselves.  I still hear stories from  
> people who first got involved with ISECOM through the OSSTMM where  
> they copy/pasted much of some sections and re-sold it to clients as  
> documentation.  Maybe you know others who did as well?  But I knew  
> that would happen and just I needed to prevent it from happening on  
> a huge scale.  At the time, it was the only way we could conduct  
> the growth of the OSSTMM and try for longevity.  It's also a  
> strategy we changed in 2006.
>>> * Version 2.2 (released November 2006) [1] (c)footer states "Any  
>>> information contained within this document may not be modified or  
>>> sold without the express consent of ISECOM. OSSTMM for free  
>>> dissemination under the Open Methodology License (OML) and CC  
>>> Creative Commons 2.5 Attribution-NonCommercial-NoDerivs"
> For the update, we chose to go with the CC copyleft because now, as  
> a standard, we had to make sure the document didn't fork.  We had  
> to prevent more than 1 standard of the same methodology out there  
> and we had to assure that any forking which occurred, would be  
> shared back with us so we could provide them publicly.  This has  
> happened already and because of our requirements, the projects did  
> come back for us to host.  Most all of them are available in our  
> project collaboration site.
>>> * The "Open Methodology License" is *not* an open source license  
>>> (or an open document license for that matter), please read  
>>> http://www.isecom.org/oml.shtml
> The Open Source in the document title was never meant to reflect  
> the document.  It was meant to address this "secret" methodology so  
> many security companies proclaimed in the early part of this  
> decade.  We wanted a methodology that was free and freely available  
> for use by anyone. However a collaborating lawyer volunteered a  
> little piece of info early on: a methodology is considered a Trade  
> Secret and NOT protected by the GPL. So I did the best I could to  
> outline what we really meant.  That became the OML.  It's an Open  
> Trade Secret.  We did this to prevent others from classifying it  
> and legally defending it as THEIR trade secret.
>>> * The CC Creative Commons 2.5 with NoDerivs and NonCommercial  
>>> attached to it is *not* an open source license
> Okay, but we did have a valid reason for this as I explained  
> above.  While we want the method to be open and free, we don't want  
> some middleman putting the OSSTMM DOCUMENT somewhere for commercial  
> distribution without our permission.  You'll see that we never stop  
> non-commercial distribution such as on Live Linux CDs like Local  
> Area Security (LAS) and others.
> So yes, the methodology is freely distributable even by commercial  
> organizations.
>>> They are not open source because nobody (besides ISECOM) can:
>>> - make new versions of the OSSTMM
> Yes they can but then only if it comes back to us to share out  
> freely again.  I would LOVE it if somebody else sat down and  
> hammered out a brand new OSSTMM that improves everything!!  It  
> would go immediately to public download for peer review!  I know  
> that won't happen but we did have 1 guy who made a policy  
> management handbook out of the OSSTMM for his company which was  
> really a new version of the OSSTMM but with identical look, feel,  
> and methodology.  I still have it but we didn't post it publicly as  
> a project because it actually wasn't very good.  So we folded it  
> into the BIT project where that guy is a collaborator now.
>>> - use OSSTMM for commercial purposes (including packaging it and  
>>> selling it in a book)
> Not true.  It can be used for ALL commercial purposes except to  
> sell or distribute the document commercially for profit and  
> personal gain.  That is something that I think is unfair.
>>> - nobody can make commercial software based on the OSSTM (without  
>>> violating the OML)
> Of course they can make software based on the OSSTMM.  We just want  
> to be in the loop on it.  There's some commercial, OSSTMM-focused  
> software out there and more coming all the time.  Not all of it I  
> think is okay but none of it we profit from right now.  But we can  
> at least be in the development and QC process to make sure they  
> don't take short-cuts and put our logo on garbage just for sales  
> and marketing purposes.  It's no secret that the OSSTMM has become  
> a brand therefore we need to assure quality.  It's also no secret  
> that there's a lot of people who try to use our brand for their  
> sales but have nothing to do with us or the OSSTMM.
>>> OSS licenses (See www.opensource.org) do allow commercial use of  
>>> the work and, indeed, is one of the pillars of open source. See  
>>> the Open Source Definition  
>>> (http://www.opensource.org/docs/definition.php) specifically:
>>> - "1. Free Redistribution"
>>> - "3. Derived Works"
> I agree with those things, especially for software.  Again, a  
> methodology isn't software and special measures need to be made to  
> open it and guarantee it remains open.
>>> I repeat: something that does not allow for somebody else to  
>>> profit from it (yes, even if he did not contribute) is *not* open  
>>> source. It is "gratis" source (i.e. it's "free" beer but not  
>>> "free" speech).
> So what do you call a methodology that does let others profit from  
> it commercially even if the paper it's wrapped in is not?  So if I  
> give away the methodology for a thorough security test so anyone  
> can use it and make it and sell it to others who can't do it  
> themselves, what do you call that?  I think it's pretty open and  
> free.  You keep focusing on the document and not the methodology.
>>> Further proof of ISECOM no longer providing an OSS product is the  
>>> fact that its community has really faded away. The activity on  
>>> the public mailing lists has been fading since the license change  
>>> and is now essentially zero.
> Actually, our community has moved mostly to the collaboration web  
> site for discussion.  We have 146 active participants as of right  
> now not counting partners, grad students, trainers, subscribers, EU  
> consortium members, and email-based contributors.  Our news lists  
> reach over 30,000 people at the moment.  We keep all this together  
> with myself, 1 other full-time worker and 2 part-time workers we  
> hired in the middle of 2006.
> I will agree with you that keeping volunteers motivated and helpful  
> is getting harder but I hear that it's like that all over-- new  
> generation maybe?  We are trying to address this through using a  
> project collaboration site and now through a website redesign that  
> makes better use of web technology so we can have multiple editors  
> for maintaining project updates, translations, and news pages.  But  
> as some of you know, it's the infrastructure that gets the least  
> attention when you're busy.
> Hopefully we will have this addressed early this year.
>>> ISECOM certainly does not follow the "release early, release  
>>> often" model, and has a tight control of version distributions.   
>>> The current OSSTMM (2.2) has more or less the same contents as  
>>> the one released three years back (2.0).
> Ouch!  Well, I only have myself to blame.  What you don't see is  
> that the updates in 2.2 reflect 3 years of security metrics  
> research.  So you download it and read it and think, eh, so what?   
> But in reality, there were hundreds of revisions to those metrics  
> and to all the terminology and supporting documentation that went  
> into it.  There's also hundreds of pages of supporting material  
> that doesn't fit because it either doesn't work or because it's too  
> early to introduce such concepts into the marketplace. For example,  
> to get to the RAV metrics, we also devised Trust metrics.  We have  
> a means and an algorithm to compute Trust without human input.  So  
> ebay does not need to let buyers and sellers judge each other  
> alone, it can also compute Trust values on each member based on the  
> facts it has.  But this will not be introduced into the OSSTMM even  
> though the research came from it.  It will go into AVIT however,  
> which is the methodology for Trusted Computing as a means for the  
> user to have the computer self-calculate current trustworthiness in  
> the OpenTC project (opentc.net).
> The other problem with releasing the OSSTMM early is that as a  
> standard it is criticized if it is incomplete.  If it is incomplete  
> it cannot be used by the government agencies or many of the larger  
> commercial entities who need to rely on something solid for their  
> boards. If it's incomplete, smaller companies have trouble  
> defending it to the other companies they sell tests to based on  
> that methodology.  Some countries depend on it as a standard for  
> all government work.   So we need to make sure it's solid. With 3  
> being a completely new methodology backed by all new research it  
> was clear it would take time and money to develop. See, it's  
> different from 1.0 when we just correlated good ideas about testing  
> or 2.0 when we added detail to 1.0.  In 3 we researched everything  
> from the ground up and found better ways to classify vulnerability  
> types, defined controls, analyzed possible error types, and  
> everything else where we really gave the security auditor a book of  
> facts to launch operational security audits from.
> Yes, we have subscribers who have access to the OSSTMM alphas and  
> betas. But so do all the collaborators.  I thought it wasn't fair  
> that those who actively worked had the same access to the project  
> as those who didn't help at all.  So we found subscriptions to be a  
> good way to maintain the project while maintaining fair balance.
> Believe me, I am NOT delaying the release of the OSSTMM.  It truly  
> isn't done and I am extremely embarrassed about it.  It is a very  
> sore point for me because I am exhausted with it.  Every time I  
> thought it would be ready for release, another improvement was  
> identified to be written into it.
>>> Doesn't it sound strange to you that 3.0 is not yet in a  
>>> "releasable" state and, at the same time, ISECOM has been (since  
>>> 2004) providing "OSSTMM 3.0 Certification classes"? (for OPST and  
>>> OPSA)
> It sounds strange when you don't know what you learn in those  
> classes but both are certifications to prove skills required by the  
> OSSTMM networking section.  For OSSTMM 3.0, we already knew what  
> those skills would have to be.  Of course writing all the  
> background on those skills as well as having the correct  
> terminology is much more work.  So yes, we knew since 2004 what  
> skills we would need to be sure all testers and analysts would need to  
> have to do their jobs correctly and apply the OSSTMM.  Skills you  
> can mirror before you can describe them.  It's like the difference  
> between knowing what kind of tropical-diseases doctor you want to  
> go to and actually writing his tropical-disease treatment text  
> book.  You can say, he should know how to take a blood sample  
> efficiently without contaminating it so you be sure to teach him to  
> take a blood sample.  You say what he needs to look for in that  
> blood sample so you teach him that.  And you adjust with the times  
> and the tools.  If there are better, safer, faster, cleaner ways to  
> take blood, you adjust and show them.  But none of that will change  
> the fact that the book you write on it will require him to take a  
> blood sample in most circumstances.
> So no, I don't think it's strange and neither do most of our  
> students.  I know because I do get reports of all feedback comments  
> from all courses world wide.
>>> Other projects which have turned "commercial" (which is not a bad  
>>> thing in and of itself) have done it wrong and have taken similar  
>>> steps to try to close access to contents they produce and control  
>>> the commercialisation (sp?) of their work. Eventually, all of  
>>> them have turned into non-open-source projects and the community  
>>> that started helping them out eventually left for greener pastures.
> ISECOM is not commercial and we are not doing any controlling for  
> commercial reasons.  Our reasons are quality and standardization.
>>> I've made my share of contributions to the OSSTMM, reviewing,  
>>> providing content and translations (for the website and the  
>>> texts). I even contributed a full "XML security module" (for SOAP  
>>> testing) back in 2002 which has yet to be made public and I'm  
>>> pretty sure it's part of the contents of 3.0 (promised to be  
>>> released in 2004). I finally
> Yes you did help and I still have that.  It didn't make it into 3.0  
> because it didn't fit.  It does fit into 2.0 but when we decided to  
> scrap that method for many many reasons, we didn't have a place for  
> it.  I have many modules and parts like this, especially for  
> specific app tests, that we are now working to integrate into  
> specialty versions of the OSSTMM where we re-write them into the  
> new methodology with new modules.  But that hasn't happened yet.   
> But you will get attribution for the work you did. We've never  
> stolen work from anyone.
>>> left the project when it started taking a route I did not like  
>>> (and I'm not alone in this decision). Neither me nor many other  
>>> previous contributors are credited any longer in recent versions  
>>> of the manuals even if the text we contributed is still  
>>> (verbatim) there.
> This is news to me.  The 3 draft has no contributors listed because  
> we do that at the end just before the release.  If you are  
> referring to 2.2 then I need to investigate this.  It was clearly an  
> oversight and the right thing for you to do would have been to  
> address it to me with the part in there you wrote and was not  
> attributed.  It certainly was not malicious.  Same goes for all  
> those other contributors.
> We got thousands of submissions and they come and go through peer  
> review. Sometimes, we make mistakes and leave in someone whose work  
> was removed and remove someone whose work got marked to be deleted  
> but then stayed in.  I'm truly and sincerely sorry.
> Of course, the truth is Javier that I remembered you as a  
> contributor and if you would have asked me for the latest version  
> of the OSSTMM for review, I would have sent it to you in confidence  
> to not redistribute until it was complete.  I guess now it might  
> have been stupid seeing how you seem to really think about us.
>>> PS: Feel free to show me wrong in any of the above statements.  
>>> Maybe the project has taken a different route differently and  
>>> I've missed it.
> I do hope you understand now how we did keep the methodologies open  
> and free and why it is the way it is at ISECOM.  Remember, on top  
> of all this, I have a family and a life where my daughter thought  
> my full name was "Pete from ISECOM" when she turned 2 because  
> that's what she heard me say on the phone meetings all the time.
> Sincerely,
> -pete.
> -- 
> Pete Herzog - Managing Director - pete at isecom.org
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.isestorm.org
> -------------------------------------------------------------------
> ISECOM is the OSSTMM Professional Security Tester (OPST),
> OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
> Teacher certification authority.

Matteo G.P. Flora | mf at matteoflora.com | www.MatteoFlora.com
Pres. Milano AIP-ITCS #2657 | IEEE CS Member #80409490 | WOT Notary
Direttore Tecnico Osservatorio Permanente Privacy e Sicurezza (OPSI)
Privacy & Security Consultant | Forensic Examiner | SEO Expert
Secure Channel | pgp F3B6BC10 | 1984-at-nym.hush-dot-com
