[Owasp-testing] OSSTMM manual, followup by Pete about OSS
Matteo G.P. Flora
mf at matteoflora.com
Mon Jan 22 07:48:54 EST 2007
Sorry for the long message, but as I told you all, I was asking Pete
to respond to the questions that were on the list...
Here it is.
Please take into account that these are PETE's ideas ;)
Hope this helps a bit and have a good week!
> Matteo G.P. Flora wrote:
>> Pete, we're talking about OSSTMM on the OWASP list. Since you're
>> in charge of ISECOM is on the OWASP list.
>> Can you comment? I'll post on OWASP your reply!
> Thanks for sharing this and giving me a chance to respond. I'll do
> so below, inline. I'm snipping headers and such to improve clarity....
>>> This mail might sound harsh, but I just want to get the facts
>>> straight for everyone interested. I sincerely think that OWASP
>>> would be better off collaborating with Information Systems
>>> Security Assessment Framework (ISSAF) than with ISECOM's OSSTM.
>>> But, then again, it's not my call.
> I will not try to sell you on an ISECOM collaboration. I just want
> a chance to explain what has happened. Be prepared because there's
> a lot to say here and I never really talked about all of it in one
> place before. I mean, there's no forum or support group I found
> that really understands me ;) But sure, all of the stuff I write
> here has been said by me before.
>>> Does OSSTM really use an OSS license? I'm sorry I'm going to be
>>> the one that disappoints you, but the answer is a very big NO.
>>> Here are the facts:
> While I will be responding on these comments, I am not discounting
> their perception, views, or opinion. I am only sharing my version
> of what and why we are doing what we do. You may disagree with me
> but do understand this is only my viewpoint. And I am always
> interested to see other viewpoints of what we do here at ISECOM.
>>> * Version 2.0 (released February 2003) referred to the GPL but had
>>> this statement in the front page of the document: "Any
>>> information contained within this document may not be modified or
>>> sold without the express consent of the author."
> We were informed early on in 2002 that the GPL does not handle
> copyright of documents. So we added the copyright to allow that
> nobody would exploit us by copying and selling the OSSTMM as a
> book. Remember even in 2003, the concept was all very new and we
> were forging the way for ourselves. I still hear stories from
> people who first got involved with ISECOM through the OSSTMM where
> they copy/pasted much of some sections and re-sold it to clients as
> documentation. Maybe you know others who did as well? But I knew
> that would happen and I just needed to prevent it from happening on
> a huge scale. At the time, it was the only way we could conduct
> the growth of the OSSTMM and try for longevity. It's also a
> strategy we changed in 2006.
>>> * Version 2.2 (released November 2006) (c) footer states "Any
>>> information contained within this document may not be modified or
>>> sold without the express consent of ISECOM. OSSTMM for free
>>> dissemination under the Open Methodology License (OML) and CC
>>> Creative Commons 2.5 Attribution-NonCommercial-NoDerivs"
> For the update, we chose to go with the CC copyleft because now, as
> a standard, we had to make sure the document didn't fork. We had
> to prevent more than 1 standard of the same methodology out there
> and we had to assure that any forking which occurred, would be
> shared back with us so we could provide them publicly. This has
> happened already and because of our requirements, the projects did
> come back for us to host. Most all of them are available in our
> project collaboration site.
>>> * The "Open Methodology License" is *not* an open source license
>>> (or an open document license for that matter), please read http://
> The Open Source in the document title was never meant to reflect
> the document. It was meant to address this "secret" methodology so
> many security companies proclaimed in the early part of this
> decade. We wanted a methodology that was free and freely available
> for use by anyone. However a collaborating lawyer volunteered a
> little piece of info early on: a methodology is considered a Trade
> Secret and NOT protected by the GPL. So I did the best I could to
> outline what we really meant. That became the OML. It's an Open
> Trade Secret. We did this to prevent others from classifying it
> and legally defending it as THEIR trade secret.
>>> * The CC Creative Commons 2.5 with NoDerivs and NonCommercial
>>> attached to it is *not* an open source license
> Okay, but we did have a valid reason for this as I explained
> above. While we want the method to be open and free, we don't want
> some middleman putting the OSSTMM DOCUMENT somewhere for commercial
> distribution without our permission. You'll see that we never stop
> non-commercial distribution such as on Live Linux CDs like Local
> Area Security (LAS) and others.
> So yes, the methodology is freely distributable even by commercial
>>> They are not open source because nobody (besides ISECOM) can:
>>> - make new versions of the OSSTMM
> Yes they can but then only if it comes back to us to share out
> freely again. I would LOVE it if somebody else sat down and
> hammered out a brand new OSSTMM that improves everything!! It
> would go immediately to public download for peer review! I know
> that won't happen but we did have 1 guy who made a policy
> management handbook out of the OSSTMM for his company which was
> really a new version of the OSSTMM but with identical look, feel,
> and methodology. I still have it but we didn't post it publicly as
> a project because it actually wasn't very good. So we folded it
> into the BIT project where that guy is a collaborator now.
>>> - use OSSTMM for commercial purposes (including packaging it and
>>> selling it in a book)
> Not true. It can be used for ALL commercial purposes except to
> sell or distribute the document commercially for profit and
> personal gain. That is something that I think is unfair.
>>> - nobody can make commercial software based on the OSSTM (without
>>> violating the OML)
> Of course they can make software based on the OSSTMM. We just want
> to be in the loop on it. There's some commercial, OSSTMM-focused
> software out there and more coming all the time. Not all of it I
> think is okay but none of it we profit from right now. But we can
> at least be in the development and QC process to make sure they
> don't take short-cuts and put our logo on garbage just for sales
> and marketing purposes. It's no secret that the OSSTMM has become
> a brand therefore we need to assure quality. It's also no secret
> that there's a lot of people who try to use our brand for their
> sales but have nothing to do with us or the OSSTMM.
>>> OSS licenses (See www.opensource.org) do allow commercial use of
>>> the work and, indeed, is one of the pillars of open source. See
>>> the Open Source Definition (http://www.opensource.org/docs/
>>> definition.php) specifically:
>>> - "1. Free Redistribution"
>>> - "3. Derived Works"
> I agree with those things, especially for software. Again, a
> methodology isn't software and special measures need to be made to
> open it and guarantee it remains open.
>>> I repeat: something that does not allow for somebody else to
>>> profit from it (yes, even if he did not contribute) is *not* open
>>> source. It is "gratis" source (i.e. it's "free" beer but not
>>> "free" speech).
> So what do you call a methodology that does let others profit from
> it commercially even if the paper it's wrapped in is not? So if I
> give away the methodology for a thorough security test so anyone
> can use it and make it and sell it to others who can't do it
> themselves, what do you call that? I think it's pretty open and
> free. You keep focusing on the document and not the methodology.
>>> Further proof of ISECOM no longer providing an OSS product is the
>>> fact that its community has really faded away. The activity on
>>> the public mailing lists has been fading since the license change
>>> and is now essentially zero.
> Actually, our community has moved mostly to the collaboration web
> site for discussion. We have 146 active participants as of right
> now not counting partners, grad students, trainers, subscribers, EU
> consortium members, and email-based contributors. Our news lists
> reach over 30,000 people at the moment. We keep all this together
> with myself, 1 other full-time worker and 2 part-time workers we
> hired in the middle of 2006.
> I will agree with you that keeping volunteers motivated and helpful
> is getting harder but I hear that it's like that all over-- new
> generation maybe? We are trying to address this through using a
> project collaboration site and now through a website redesign that
> makes better use of web technology so we can have multiple editors
> for maintaining project updates, translations, and news pages. But
> as some of you know, it's the infrastructure that gets the least
> attention when you're busy.
> Hopefully we will have this addressed early this year.
>>> ISECOM certainly does not follow the "release early, release
>>> often" model, and has a tight control of version distributions.
>>> The current OSSTMM (2.2) has more or less the same contents as
>>> the one released three years back (2.0).
> Ouch! Well, I only have myself to blame. What you don't see is
> that the updates in 2.2 reflect 3 years of security metrics
> research. So you download it and read it and think, eh, so what?
> But in reality, there were hundreds of revisions to those metrics
> and to all the terminology and supporting documentation that went
> into it. There's also hundreds of pages of supporting material
> that doesn't fit because it either doesn't work or because it's too
> early to introduce such concepts into the marketplace. For example,
> to get to the RAV metrics, we also devised Trust metrics. We have
> a means and an algorithm to compute Trust without human input. So
> ebay does not need to let buyers and sellers judge each other
> alone, it can also compute Trust values on each member based on the
> facts it has. But this will not be introduced into the OSSTMM even
> though the research came from it. It will go into AVIT however,
> which is the methodology for Trusted Computing as a means for the
> user to have the computer self-calculate current trustworthiness in
> the OpenTC project (opentc.net).
> The other problem with releasing the OSSTMM early is that as a
> standard it is criticized if it is incomplete. If it is incomplete
> it cannot be used by the government agencies or many of the larger
> commercial entities who need to rely on something solid for their
> boards. If it's incomplete, smaller companies have trouble
> defending it to the other companies they sell tests to based on
> that methodology. Some countries depend on it as a standard for
> all government work. So we need to make sure it's solid. With 3
> being a completely new methodology backed by all new research it
> was clear it would take time and money to develop. See, it's
> different from 1.0 when we just correlated good ideas about testing
> or 2.0 when we added detail to 1.0. In 3 we researched everything
> from the ground up and found better ways to classify vulnerability
> types, defined controls, analyzed possible error types, and
> everything else where we really gave the security auditor a book of
> facts to launch operational security audits from.
> Yes, we have subscribers who have access to the OSSTMM alphas and
> betas. But so do all the collaborators. I thought it wasn't fair
> that those who actively worked had the same access to the project
> as those who didn't help at all. So we found subscriptions to be a
> good way to maintain the project while maintaining fair balance.
> Believe me, I am NOT delaying the release of the OSSTMM. It truly
> isn't done and I am extremely embarrassed about it. It is a very
> sore point for me because I am exhausted with it. Every time I
> thought it would be ready for release, another improvement was
> identified to be written into it.
>>> Doesn't it sound strange to you that 3.0 is not yet in a
>>> "releasable" state and, at the same time, ISECOM has been (since
>>> 2004) providing "OSSTMM 3.0 Certification classes"? (for OPST and
> It sounds strange when you don't know what you learn in those
> classes but both are certifications to prove skills required by the
> OSSTMM networking section. For OSSTMM 3.0, we already knew what
> those skills would have to be. Of course writing all the
> background on those skills as well as having the correct
> terminology is much more work. So yes, we knew since 2004 what
> skills we would to be sure all testers and analysts would need to
> have to do their jobs correctly and apply the OSSTMM. Skills you
> can mirror before you can describe them. It's like the difference
> between knowing what kind of tropical-diseases doctor you want to
> go to and actually writing his tropical-disease treatment text
> book. You can say, he should know how to take a blood sample
> efficiently without contaminating it so you be sure to teach him to
> take a blood sample. You say what he needs to look for in that
> blood sample so you teach him that. And you adjust with the times
> and the tools. If there are better, safer, faster, cleaner ways to
> take blood, you adjust and show them. But none of that will change
> the fact that the book you write on it will require him to take a
> blood sample in most circumstances.
> So no, I don't think it's strange and neither do most of our
> students. I know because I do get reports of all feedback comments
> from all courses world wide.
>>> Other projects which have turned "commercial" (which is not a bad
>>> thing in and of itself) have done it wrong and have taken similar
>>> steps to try to close access to contents they produce and control
>>> the commercialisation (sp?) of their work. Eventually, all of
>>> them have turned into non-open-source projects and the community
>>> that started helping them out eventually left for greener pastures.
> ISECOM is not commercial and we are not doing any controlling for
> commercial reasons. Our reasons are quality and standardization.
>>> I've made my share of contributions to the OSSTMM, reviewing,
>>> providing content and translations (for the website and the
>>> texts). I even contributed a full "XML security module" (for SOAP
>>> testing) back in 2002 which has yet to be made public and I'm
>>> pretty sure it's part of the contents of 3.0 (promised to be
>>> released in 2004). I finally
> Yes you did help and I still have that. It didn't make it into 3.0
> because it didn't fit. It does fit into 2.0 but when we decided to
> scrap that method for many many reasons, we didn't have a place for
> it. I have many modules and parts like this, especially for
> specific app tests, that we are now working to integrate into
> specialty versions of the OSSTMM where we re-write them into the
> new methodology with new modules. But that hasn't happened yet.
> But you will get attribution for the work you did. We've never
> stolen work from anyone.
>>> left the project when it started taking a route I did not like
>>> (and I'm not alone in this decision). Neither I nor many other
>>> previous contributors are credited any longer in recent versions
>>> of the manuals even if the text we contributed is still
>>> (verbatim) there.
> This is news to me. The 3 draft has no contributors listed because
> we do that at the end just before the release. If you are
> referring to 2.2 then I need to investigate this. It was clearly an
> oversight and the right thing for you to do would have been to
> address it to me with the part in there you wrote and was not
> attributed. It certainly was not malicious. Same goes for all
> those other contributors.
> We got thousands of submissions and they come and go through peer
> review. Sometimes, we make mistakes and leave in someone whose work
> was removed and remove someone whose work got marked to be deleted
> but then stayed in. I'm truly and sincerely sorry.
> Of course, the truth is Javier that I remembered you as a
> contributor and if you would have asked me for the latest version
> of the OSSTMM for review, I would have sent it to you in confidence
> to not redistribute until it was complete. I guess now it might
> have been stupid seeing how you seem to really think about us.
>>> PS: Feel free to show me wrong in any of the above statements.
>>> Maybe the project has taken a different route differently and
>>> I've missed it.
> I do hope you understand now how we did keep the methodologies open
> and free and why it is the way it is at ISECOM. Remember, on top
> of all this, I have a family and a life where my daughter thought
> my full name was "Pete from ISECOM" when she turned 2 because
> that's what she heard me say on the phone meetings all the time.
> Pete Herzog - Managing Director - pete at isecom.org
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.isestorm.org
> ISECOM is the OSSTMM Professional Security Tester (OPST),
> OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
> Teacher certification authority.
Matteo G.P. Flora | mf at matteoflora.com | www.MatteoFlora.com
Pres. Milano AIP-ITCS #2657 | IEEE CS Member #80409490 | WOT Notary
Direttore Tecnico Osservatorio Permanente Privacy e Sicurezza (OPSI)
Privacy & Security Consultant | Forensic Examiner | SEO Expert
Secure Channel | pgp F3B6BC10 | 1984-at-nym.hush-dot-com