From jonkman at jonkmans.com Mon May 4 22:13:35 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 04 May 2009 22:13:35 -0400
Subject: [Discussion] Positions Available
Message-ID: <49FFA0CF.6010408@jonkmans.com>

I'm happy to announce that we're ready to start hiring and coding for the new OISF IPS Engine!! Funding is coming around and work is set to begin.

We have a great deal to do, so we're soliciting a number of positions. Some are full time, some part time, and some project/task based. How each fits is partly up to the person we find with the prerequisite skills, and what fits into their schedule.

Please contact us at team at openinfosecfoundation.org if you or someone you know might fit into the following positions and has some availability this year:

Coders: Some IPS and/or network coding experience preferred, but we welcome cross-discipline (i.e. high speed computing, multi-threading, etc) experience as well. There will be a number of positions from full time through the entire project (1-2 years) to part time and task based work. If you're interested please contact us! (If you've already committed to work please shoot me a line and let me know how your near-term schedule looks)

Project Manager: We need the consulting services of a professional project manager. This will preferably be a part time consulting role to assist in plan design and high level oversight.

More positions will be coming around very soon so please stay tuned!

The Open Information Security Foundation Team!

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Sun May 10 12:47:27 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sun, 10 May 2009 12:47:27 -0400
Subject: [Discussion] Consortium Bylaws Draft Available!
Message-ID: <4A07051F.8040608@jonkmans.com>

We're happy to announce with the assistance of the Software Freedom Law Center (http://www.softwarefreedom.org/) a draft version of the bylaws for the OISF. This draft is open for public comment. All comments and questions are encouraged to be made publicly on the OISF Mailing lists, but may also be made privately to team at openinfosecfoundation.org.

We welcome all ideas and comment; the charter we intend to adopt must govern this organization for years to come, allowing it to both produce effective public products and grow to encompass new ideas and projects.

The text of this draft is available here:

http://www.openinformationsecurityfoundation.org/bylaws_draft_v0.1.txt

Please take the time to read and comment. Watch for the discussion on this OISF mailing list. Once the ideas and process are agreed upon by the community in general we'll generate the actual legal documentation and commit that to record.

Our primary funding is nearly available, and we're set to start major development in the next few weeks. We'll be scheduling an initial planning meeting in the Washington DC area in the next 2 weeks. Attendance will be open to the public; we encourage you to attend!

The OISF Team

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Sun May 10 12:51:02 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sun, 10 May 2009 12:51:02 -0400
Subject: [Discussion] Consortium Bylaws Draft Available!
In-Reply-To: <4A07051F.8040608@jonkmans.com>
References: <4A07051F.8040608@jonkmans.com>
Message-ID: <4A0705F6.1080003@jonkmans.com>

Corrected link:

http://www.openinfosecfoundation.org/bylaws_draft_v0.1.txt

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From brectanu at gmail.com Sun May 10 14:46:54 2009
From: brectanu at gmail.com (Brian Rectanus)
Date: Sun, 10 May 2009 11:46:54 -0700
Subject: [Discussion] [Oisf-announce] Consortium Bylaws Draft Available!
In-Reply-To: <4A0705F6.1080003@jonkmans.com>
References: <4A07051F.8040608@jonkmans.com> <4A0705F6.1080003@jonkmans.com>
Message-ID:

Hi Matt. See below...

On Sun, May 10, 2009 at 9:51 AM, Matt Jonkman wrote:
> Corrected link:
> http://www.openinfosecfoundation.org/bylaws_draft_v0.1.txt
>
> Matt
>
> Matt Jonkman wrote:
>> We're happy to announce with the assistance of the Software Freedom Law Center (http://www.softwarefreedom.org/) a draft version of the bylaws for the OISF. This draft is open for public comment. All comments and questions are encouraged to be made publicly on the OISF Mailing lists, but may also be made privately to team at openinfosecfoundation.org.
>>
>> We welcome all ideas and comment; the charter we intend to adopt must govern this organization for years to come, allowing it to both produce effective public products and grow to encompass new ideas and projects.
>>
>> The text of this draft is available here:
>>
>> http://www.openinformationsecurityfoundation.org/bylaws_draft_v0.1.txt
>>
>> Please take the time to read and comment. Watch for the discussion on this OISF mailing list. Once the ideas and process are agreed upon by the community in general we'll generate the actual legal documentation and commit that to record.

I like the text. It is simple, fair and to the point. One addition you may consider is a clause in the Advisory Board that allows exchange of continued contributions in lieu of the membership fees for organizations. This may make it easier for individuals working in smaller organizations (such as myself) to join in with the ability to contribute some of their "corporate time" to OISF as the organization would benefit by receiving some recognition in return.

That being said, it may be a moot point depending on what the fees are. Any idea what these fees may be?

>> Our primary funding is nearly available, and we're set to start major development in the next few weeks.
>> We'll be scheduling an initial planning meeting in the Washington DC area in the next 2 weeks. Attendance will be open to the public; we encourage you to attend!

I'd love to attend if scheduling allows.

later,
-B

From jonkman at jonkmans.com Sun May 10 16:19:40 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sun, 10 May 2009 16:19:40 -0400
Subject: [Discussion] [Oisf-announce] Consortium Bylaws Draft Available!
In-Reply-To:
References: <4A07051F.8040608@jonkmans.com> <4A0705F6.1080003@jonkmans.com>
Message-ID: <4A0736DC.7040308@jonkmans.com>

Brian Rectanus wrote:
> I like the text. It is simple, fair and to the point. One addition you may consider is a clause in the Advisory Board that allows exchange of continued contributions in lieu of the membership fees for organizations. This may make it easier for individuals working in smaller organizations (such as myself) to join in with the ability to contribute some of their "corporate time" to OISF as the organization would benefit by receiving some recognition in return.

Very good point. That's a definite goal of ours: to allow any kind of contribution. Cash is useful, but a company that can contribute code, technology, or give their interested coders time to chip in is even better!

We're hoping to have interested consortium members able to give for example 5 hours a week of some of their coders. That's worth more to us in many cases than financial donations as it allows us to tap the expertise that might not normally be available, or may only be necessary for short portions of the development process.

I'll reword that to be more clear there for the next draft.

> That being said, it may be a moot point depending on what the fees are. Any idea what these fees may be?

Not certain yet, but we strive to keep them low. Especially the first year or two as our costs are well covered by the DHS grants coming available to us in the next week or two.
As our gov't funding slows in the next couple years we'd look for more support. But we hope to have major development completed before funding runs out, so the consortium members would then only need to share the burdens of code maintenance and any new features they were interested in getting added.

>>> Our primary funding is nearly available, and we're set to start major development in the next few weeks. We'll be scheduling an initial planning meeting in the Washington DC area in the next 2 weeks. Attendance will be open to the public; we encourage you to attend!
>
> I'd love to attend if scheduling allows.

I will get this set up and announced in the next week or so. We will also be scheduling featureset/milestone creation meetings in west coast and midwestern US locations in the near term. European and South American venues if the interest is there as well. We'll do our best to have these meetings open to conference bridges or video.

Thanks for the comments Brian!

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Sun May 10 16:23:04 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sun, 10 May 2009 16:23:04 -0400
Subject: [Discussion] [Oisf-announce] Consortium Bylaws Draft Available!
In-Reply-To:
References: <4A07051F.8040608@jonkmans.com> <4A0705F6.1080003@jonkmans.com>
Message-ID: <4A0737A8.7030408@jonkmans.com>

It is mentioned earlier that contributions are not limited to financial. But it wasn't clear under the advisory board paragraph. How does this sound:

Advisory board member organizations pay an annual fee or provide other non-trivial support which helps support the operations of OISF. Advisory Board members are entitled to receive a version of the OISF Engine under more permissive terms for a period of one year.
Such period may be renewed so long as the company remains a contributing Advisory Board member, subject to the approval of the Board of Directors.

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Sun May 10 16:33:30 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sun, 10 May 2009 16:33:30 -0400
Subject: [Discussion] Consortium Bylaws Draft Available!
Message-ID: <4A073A1A.2040200@jonkmans.com>

We're happy to announce with the assistance of the Software Freedom Law Center (http://www.softwarefreedom.org/) a draft version of the bylaws for the OISF. This draft is open for public comment. All comments and questions are encouraged to be made publicly on the OISF Mailing lists, but may also be made privately to team at openinfosecfoundation.org.

We welcome all ideas and comment; the charter we intend to adopt must govern this organization for years to come, allowing it to both produce effective public products and grow to encompass new ideas and projects.

The text of this draft is available here:

http://www.openinfosecfoundation.org/bylaws_draft_v0.1.txt

Please take the time to read and comment. Watch for the discussion on this OISF mailing list. Once the ideas and process are agreed upon by the community in general we'll generate the actual legal documentation and commit that to record.

Our primary funding is nearly available, and we're set to start major development in the next few weeks. We'll be scheduling an initial planning meeting in the Washington DC area in the next 2 weeks. Attendance will be open to the public; we encourage you to attend!
The OISF Team

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From todd.helfrich at us.ibm.com Mon May 11 16:15:19 2009
From: todd.helfrich at us.ibm.com (William T Helfrich)
Date: Mon, 11 May 2009 16:15:19 -0400
Subject: [Discussion] AUTO: Helfrich, William T is out of the office. (returning 05/19/2009)
Message-ID:

I am out of the office until 05/19/2009.

I am currently out of the office on vacation (05/09-05/18), returning 5/19. I will be monitoring email and phone calls intermittently. If your matter is urgent, please contact one of the following individuals based on your need.

Jeff Ennis - IBM-ISS Federal SE Manager jennis2 at us.ibm.com 202-437-6703
Chris Cardran - IBM-ISS Federal SE ccardran at us.ibm.com 703-395-8551
Rob Hernandez - IBM-ISS Federal SE robertoh at us.ibm.com 919-696-5210
Laura Cleverly - IBM-ISS Federal Operations lcleverly at us.ibm.com 703-322-5472
Carrie Jennings - IBM-ISS Federal Inside Sales cjenn at us.ibm.com 678-455-7533
John Lammers - Business Development Manager PSS Services jlammers at us.ibm.com 856-355-2369
Richard Schenck - IBM-ISS Federal PSS Delivery rschenck at us.ibm.com 732-926-2212
Bobby Hodes - IBM-ISS Federal Channel Mgr. rhodes2 at us.ibm.com 703-946-3540
Monica Davis - IBM-ISS Federal Contracts and Negotiations davisma at us.ibm.com 520-219-3271

Note: This is an automated response to your message "Discussion Digest, Vol 8, Issue 2" sent on 5/11/09 12:00:05. This is the only notification you will receive while this person is away.
From ivan.ristic at gmail.com Fri May 15 15:05:23 2009
From: ivan.ristic at gmail.com (Ivan Ristic)
Date: Fri, 15 May 2009 21:05:23 +0200
Subject: [Discussion] Consortium Bylaws Draft Available!
In-Reply-To: <4A07051F.8040608@jonkmans.com>
References: <4A07051F.8040608@jonkmans.com>
Message-ID: <1f9222b70905151205n56e1e291u2f27e3bf89e1486b@mail.gmail.com>

Hi Matt,

A few comments:

> All committers must complete a copyright assignment to OISF.

I think you should consider giving shared copyright to committers. I think that would encourage people to contribute significant chunks, as there will be no danger that the code will be given away and possibly "lost".

> Advisory Board members are entitled to receive a version of the OISF Engine under more permissive terms for a period of one year.

This isn't clear enough: do you mean that they get a perpetual licence for the code but no updates after one year, or that all their rights are terminated after one year?

> A 75% vote of all of the Committers can override a Board decision.
> The bylaws may be amended by a 75% vote of all the Committers.

In that case you'll need to ensure that you don't get too many Committers from the same organisation (or related organisations).

--
Ivan Ristic

From jonkman at jonkmans.com Tue May 19 16:08:32 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 19 May 2009 16:08:32 -0400
Subject: [Discussion] Consortium Bylaws Draft Available!
In-Reply-To: <1f9222b70905151205n56e1e291u2f27e3bf89e1486b@mail.gmail.com>
References: <4A07051F.8040608@jonkmans.com> <1f9222b70905151205n56e1e291u2f27e3bf89e1486b@mail.gmail.com>
Message-ID: <4A1311C0.90101@jonkmans.com>

Ivan Ristic wrote:
>> All committers must complete a copyright assignment to OISF.
>
> I think you should consider giving shared copyright to committers. I think that would encourage people to contribute significant chunks, as there will be no danger that the code will be given away and possibly "lost".

How do you mean? How would the code be lost? You mean if the foundation chose to closed source it or something?
>> Advisory Board members are entitled to receive a version of the OISF Engine under more permissive terms for a period of one year.
>
> This isn't clear enough: do you mean that they get a perpetual licence for the code but no updates after one year, or that all their rights are terminated after one year?

There's a very good question. Our goal is to keep the vendors involved and supporting maintenance. So the original intent was if they did not intend to remain and support maintenance that they'd lose rights.

I know that sounds harsh, but once we get to a stable codebase we wouldn't want to then see all the supporters just wander off and use what they had at the moment. But conversely, we don't want to scare everyone by thinking if they get into this they're in for some major commitment for the long term.

Any ideas to make this more suitable for all?

>> A 75% vote of all of the Committers can override a Board decision.
>> The bylaws may be amended by a 75% vote of all the Committers.
>
> In that case you'll need to ensure that you don't get too many Committers from the same organisation (or related organisations).

Very true. I expect we'll have a large committer base once things are going so we wouldn't have the issue. But maybe we need a clause that if a majority of committers are from a single organization other committers could challenge that and have their voting power reduced somehow. I'll check with our lawyers for ideas there, and if that's a legal/advisable thing to do.

Thanks for your comments Ivan!

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From ivan.ristic at gmail.com Thu May 21 14:31:59 2009
From: ivan.ristic at gmail.com (Ivan Ristic)
Date: Thu, 21 May 2009 20:31:59 +0200
Subject: [Discussion] Consortium Bylaws Draft Available!
In-Reply-To: <4A1311C0.90101@jonkmans.com>
References: <4A07051F.8040608@jonkmans.com> <1f9222b70905151205n56e1e291u2f27e3bf89e1486b@mail.gmail.com> <4A1311C0.90101@jonkmans.com>
Message-ID: <1f9222b70905211131qb0e55b9h36aec7b6622547b0@mail.gmail.com>

On Tue, May 19, 2009 at 10:08 PM, Matt Jonkman wrote:
> Ivan Ristic wrote:
>>> All committers must complete a copyright assignment to OISF.
>>
>> I think you should consider giving shared copyright to committers. I think that would encourage people to contribute significant chunks, as there will be no danger that the code will be given away and possibly "lost".
>
> How do you mean? How would the code be lost? You mean if the foundation chose to closed source it or something?

Yes, for example; or it goes bust. The bottom line is when someone gives away his or her copyright the control over the code is out of their hands.

Similarly, what would happen if someone wanted to donate a significant chunk of code? At the moment, he would have to assign the copyright over it to the foundation, but what if the author wants to keep it for himself?

>>> Advisory Board members are entitled to receive a version of the OISF Engine under more permissive terms for a period of one year.
>>
>> This isn't clear enough: do you mean that they get a perpetual licence for the code but no updates after one year, or that all their rights are terminated after one year?
>
> There's a very good question. Our goal is to keep the vendors involved and supporting maintenance. So the original intent was if they did not intend to remain and support maintenance that they'd lose rights.
>
> I know that sounds harsh, but once we get to a stable codebase we wouldn't want to then see all the supporters just wander off and use what they had at the moment. But conversely, we don't want to scare everyone by thinking if they get into this they're in for some major commitment for the long term.
>
> Any ideas to make this more suitable for all?

I think it's too much to expect from a business to commit to paying a yearly fee forever. For example, what happens if you slow down development to a crawl?

In general, I think that it's going to be difficult for you to predict what licensing terms will be suitable to your licensees. Thus, I think you should remain flexible and be prepared to tweak your licensing model as you go along.

--
Ivan Ristic

From tomb at byrneit.net Thu May 21 16:22:31 2009
From: tomb at byrneit.net (Tomas L. Byrnes)
Date: Thu, 21 May 2009 13:22:31 -0700
Subject: [Discussion] Consortium Bylaws Draft Available!
In-Reply-To: <1f9222b70905211131qb0e55b9h36aec7b6622547b0@mail.gmail.com>
References: <4A07051F.8040608@jonkmans.com> <1f9222b70905151205n56e1e291u2f27e3bf89e1486b@mail.gmail.com> <4A1311C0.90101@jonkmans.com> <1f9222b70905211131qb0e55b9h36aec7b6622547b0@mail.gmail.com>
Message-ID: <70D072392E56884193E3D2DE09C097A91F3F3A@pascal.zaphodb.org>

Personally, I would be unwilling, and in general, unable, due to other licensing requirements and the needs of private investors, to surrender copyright and/or patent rights on any intellectual property contribution.

Most of us have other businesses that will be using the IP we would like to contribute to the efforts of OISF, and need to have those businesses able to use what we create independent of OISF.

What makes more sense is that the committers give OISF a worldwide, unrestricted, sublicensable and assignable license to their IP, provided it remains within the construct of OISF.

An example of what the current regime seems to allow is that some patent troll could get a hold of OISF, stop doing any real work, and just use it as a licensing house.

One other thing we don't want to happen is for Some Big Company to come along and take over OISF, take our IP, close it off, and profit for very little cash from all our efforts.
From jonkman at jonkmans.com Wed May 27 11:55:58 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 27 May 2009 11:55:58 -0400
Subject: [Discussion] Programmers and an Update
Message-ID: <4A1D628E.4090709@jonkmans.com>

We're grateful for all the applications to date for the coding and project management positions. We have the PM slot filled and many programmers.

We're making the final programmer hiring decisions for the initial team next week, so please send a resume if you haven't yet and are interested. Again this will be remote contract work at a good rate, part time to full time.

Thanks all! We're just about to really get rolling!

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed May 27 15:48:56 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 27 May 2009 15:48:56 -0400
Subject: [Discussion] Consortium Bylaws Draft Available!
In-Reply-To: <70D072392E56884193E3D2DE09C097A91F3F3A@pascal.zaphodb.org> References: <4A07051F.8040608@jonkmans.com><1f9222b70905151205n56e1e291u2f27e3bf89e1486b@mail.gmail.com><4A1311C0.90101@jonkmans.com> <1f9222b70905211131qb0e55b9h36aec7b6622547b0@mail.gmail.com> <70D072392E56884193E3D2DE09C097A91F3F3A@pascal.zaphodb.org> Message-ID: <4A1D9928.3090102@jonkmans.com> Hey Tom, good comments, thanks for taking the time. apologize for the reply delay. I sent your email and some of the other questions over to our lawyers to make sure we were going the right direction. I've plagiarized some of their responses to help explain, as I couldn't do it more accurately than they. We are going to make some changes to the bylaws and get them back out for comment. More inline: Tomas L. Byrnes wrote: > Personally, I would be unwilling, and in general, unable, due to other > licensing requirements and the needs of private investors, to surrender > copyright and/or patent rights on any intellectual property > contribution. > > Most of us have other businesses that will be using the IP we would like > to contribute to the efforts of OISF, and need to have those businesses > able to use what we create independent of OISF. > > What makes more sense is that the committers give OISF a worldwide, > unrestricted, sublicensable and assignable license to their IP, provided > it remains within the construct of OISF. Our lawyers recommended we do this but we got lost in the discussion and didn't express that clearly. (the idea that the contributor would retain copyright as well) We're getting that portion re-worded and will get that out to the community asap. > > An example of what the current regime seems to allow is that some patent > troll could get a hold of OISF, stop doing any real work, and just use > it as a licensing house. A quote from our lawyers: "OISF is a 501(c)(3) nonprofit. It will be obligated to promote its nonprofit purpose. 
It's actually a fairly safe proposition to entrust a free software nonprofit with the copyrights - it is restricted by law to only undertake activities that promote and support free software. Any elected directors will have a duty of loyalty, duty of care and a fiduciary obligation to the organization and its nonprofit mission. The worst that could happen is probably that interest in the organization would dwindle and become inactive - the software would remain freely licensed, though, and held in the public interest (there are also rules about how nonprofits can dispose of their assets so they couldn't just let a proprietary software company take control of them)." Well put I think, and reassures me about the safety of entrusting the foundation. Does that make sense and/or reduce your concerns? > > One other thing we don't want to happen is for Some Big Company to come > along and take over OISF, take our IP, close it off, and profit for very > little cash from all our efforts. Since nonprofits have no shareholders, they cannot be bought by big companies. 501(c)(3)s cannot be used to benefit private individuals or businesses. And I believe the rules about how a non-profit can dispose of its assets (they have to go to charitable use, can't be sold for profit as I understand) cover us there as well. Comments? We're working up a new draft to cover the first point on copyright assignment and will get that out asap! Matt -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc

From tomb at byrneit.net Thu May 28 13:47:03 2009 From: tomb at byrneit.net (Tomas L. Byrnes) Date: Thu, 28 May 2009 10:47:03 -0700 Subject: [Discussion] Consortium Bylaws Draft Available!
In-Reply-To: <4A1D9928.3090102@jonkmans.com> References: <4A07051F.8040608@jonkmans.com><1f9222b70905151205n56e1e291u2f27e3bf89e1486b@mail.gmail.com><4A1311C0.90101@jonkmans.com> <1f9222b70905211131qb0e55b9h36aec7b6622547b0@mail.gmail.com> <70D072392E56884193E3D2DE09C097A91F3F3A@pascal.zaphodb.org> <4A1D9928.3090102@jonkmans.com> Message-ID: <70D072392E56884193E3D2DE09C097A91F3FD2@pascal.zaphodb.org> Glad to contribute. Since I'm in the middle of working on licensing at the moment, I have some direct experience of the various terms. More below. >-----Original Message----- >From: Matt Jonkman [mailto:jonkman at jonkmans.com] >Sent: Wednesday, May 27, 2009 12:49 PM >To: Tomas L. Byrnes >Cc: discussion at openinfosecfoundation.org >Subject: Re: [Discussion] Consortium Bylaws Draft Available! > >Hey Tom, good comments, thanks for taking the time. apologize for the >reply delay. I sent your email and some of the other questions over to >our lawyers to make sure we were going the right direction. I've >plagiarized some of their responses to help explain, as I couldn't do it >more accurately than they. We are going to make some changes to the >bylaws and get them back out for comment. > >More inline: > >Tomas L. Byrnes wrote: >> Personally, I would be unwilling, and in general, unable, due to other >> licensing requirements and the needs of private investors, to >surrender >> copyright and/or patent rights on any intellectual property >> contribution. >> >> Most of us have other businesses that will be using the IP we would >like >> to contribute to the efforts of OISF, and need to have those >businesses >> able to use what we create independent of OISF. >> >> What makes more sense is that the committers give OISF a worldwide, >> unrestricted, sublicensable and assignable license to their IP, >provided >> it remains within the construct of OISF. > >Our lawyers recommended we do this but we got lost in the discussion and >didn't express that clearly. 
(the idea that the contributor would retain >copyright as well) We're getting that portion re-worded and will get >that out to the community asap. > > [TLB:] Great. >> >> An example of what the current regime seems to allow is that some >patent >> troll could get a hold of OISF, stop doing any real work, and just use >> it as a licensing house. > >A quote from our lawyers: > > > >"OISF is a 501(c)(3) nonprofit. It will be obligated to promote its >nonprofit purpose. It's actually a fairly safe proposition to entrust a >free software nonprofit with the copyrights - it is restricted by law to >only undertake activities that promote and support free software. Any >elected directors will have a duty of loyalty, duty of care and a >fiduciary obligation to the organization and its nonprofit mission. The >worst that could happen is probably that interest in the organization >would dwindle and become inactive - the software would remain freely >licensed, though, and held in the public interest (there are also >rules about how nonprofits can dispose of their assets so they couldn't >just let a proprietary software company take control of them)." > > [TLB:] I have a lot of experience with the non-profit industry, having run Grantsmart.org for several years (it's back up, being run by Nozasearch.com, and it looks like they're still using the code we wrote), and I can tell you that there are plenty of cases where the 501(c)(3) structure is simply a way for people to do what they want free from taxes, and the oversight of an outside BOD. 501(c)(3) organizations, especially operating foundations, are free to do all the same things that any normal business can (as long as they are usual and customary for their purpose). The only real difference is that they can't be bought or sold in a traditional sense.
However, there can easily be a contractual quid pro quo for someone who steps out of an operating role getting a nice fat long term contract as a board member or "consultant", in exchange for ceding operating control to someone else. You wouldn't believe how much $$ the board members of various foundations get paid, especially for things like hospitals. You can find all the tax returns of the foundations @ www.grantsmart.org and nozasearch.com to get a feel for what I mean. I'm not saying that is what OISF is now, or even the intent, but there are plenty of ways for the unscrupulous to use the structure to meet the letter of the law, while perverting its purpose. >Well put I think, and reassures me about the safety of entrusting the >foundation. Does that make sense and/or reduce your concerns? > > [TLB:] As with anything else, it's the quality of the BOD and the dedication of the BOD and the staff to the cause that will make the real difference. However, cash crunches can lead to problems in a non-profit just as quickly as they do in a for-profit, and present opportunities for an "Angel" who later turns out to be not so angelic. >> >> One other thing we don't want to happen is for Some Big Company to >come >> along and take over OISF, take our IP, close it off, and profit for >very >> little cash from all our efforts. > > > >Since nonprofits have no shareholders, they cannot be bought by big >companies. 501(c)(3)s cannot be used to benefit private individuals or >businesses. > > > [TLB:] See above: the board can be "taken over" by a large Donor as a quid pro quo for the donation. >And I believe the rules about how a non-profit can dispose of its >assets (they have to go to charitable use, can't be sold for profit as I >understand) cover us there as well. > [TLB:] Depends on the foundation. An operating foundation can sell its assets to raise cash for its operations.
That's exactly what happened to Grantsmart, as JC Downing wanted to focus on health care for vineyard workers. >Comments? > >We're working up a new draft to cover the first point on copyright >assignment and will get that out asap! > [TLB:] Great. If you want some help with experience in the matter, I'd be happy to be involved. >Matt > > >-- >-------------------------------------------- >Matthew Jonkman >Emerging Threats >Phone 765-429-0398 >Fax 312-264-0205 >http://www.emergingthreats.net >-------------------------------------------- > >PGP: http://www.jonkmans.com/mattjonkman.asc >

From gurvinde at stud.ntnu.no Sat May 30 01:19:40 2009 From: gurvinde at stud.ntnu.no (Gurvinder Singh) Date: Sat, 30 May 2009 07:19:40 +0200 Subject: [Discussion] The approach to detect proxybots Message-ID: <4A20C1EC.9040709@stud.ntnu.no> Hi, First of all, thanks to Matt for introducing me to the Open Information Security Foundation. I was in touch with Matt and he suggested that I put the concept on the discussion list to get feedback on it from the team. If possible we can implement this concept as a preprocessor of the new engine (read the message from Matt below). The approach is based on Interarrival Packet Time (IPT). The IPT is the difference between the current packet arrival time and the last packet arrival time from the sender under the current session. The IPT is recorded from incoming packets at the receiving end. Consider the following scenario:

            (200ms)                 (50ms)
Spammer ------------> Proxybot -------------> Mail server

The spammer starts a session by sending a command to a bot. The bot initiates a connection with the mail server and establishes a connection. The mail server responds with a greeting message and the bot relays this message to the spammer. After receiving the greeting message, the spammer sends a HELO message to the bot and the bot relays the message to the server.
The server will receive the message after a delay of 250ms or higher, which is the total delay on the connection between the mail server and the spammer. If the bot system is the real originator of the message request, then the HELO message will be received in 50ms by the mail server. This delay is seen on each command (MAIL FROM, RCPT TO, DATA etc.) received from the bot at the server end. There is a probability that the delay can be due to congestion on the network. But in the above case the server will receive an ACK message from the bot system after 50ms, which signifies the lack of congestion on the network. I tested the approach for different protocols and found it working on FTP, HTTP GET requests (Tor), Telnet and simple data transfer using TCP. I will be happy to answer any questions regarding the above approach and look forward to hearing your feedback on the concept. The above concept is the result of my master's thesis work. If possible, I would like to join the team. P.S. The code can be released under GPL. Thanks for your time. Best Regards, Gurvinder Singh > > Matt Jonkman wrote: >> Forgot to mention that this code will all be GPL. :) >> >> matt >> >> Matt Jonkman wrote: >> >>> Hello Gurvinder! Your timing couldn't be better. >>> >>> I'm fascinated by the concept, that would help in a lot of things we >>> are >>> currently challenged in with IDS. >>> >>> The timing is perfect because we've received US Dept of Homeland >>> Security funding to build a new next generation IDS. We're about to get >>> the bulk of our funding and begin development work. >>> >>> I'd like to talk to you about applying this concept to a >>> preprocessor of >>> the new engine. If you're interested I'd like to introduce you to the >>> rest of the team. We're having our final planning and hiring meeting >>> late next week. So this couldn't be more perfect.
>>> >>> More information about us at http://www.openinfosecfoundation.org >>> >>> If you hop on the discussion mailing list we could bring the idea up >>> and >>> see what the community thinks about it as well. >>> >>> Thanks for contacting me! >>> >>> Matt >>> >>> Gurvinder Singh wrote: >>> >>>> Dear Matt Jonkmans, >>>> >>>> I am Gurvinder Singh, master student at Department of Telematics, >>>> NTNU, >>>> Trondheim, Norway. Currently I am working on my master's thesis on a topic >>>> titled "Detection of Intermediary Hosts through TCP latency >>>> propagation". I performed experiments for different protocols and >>>> found a >>>> method to detect the intermediary hosts. After reading your article I >>>> realized that my approach can be used to detect the spam coming from a >>>> proxy system which is actually sent by some other system behind it. In >>>> the scenario like this >>>> >>>> Spammer ----> ProxyBot ------> Mail Server or Relay >>>> >>>> at the mail server or relay we can detect that the message is relayed via a proxy >>>> bot and thus the server can drop the message, and if the behavior is >>>> persistent the IP address of the proxybot can be added to blacklists. I >>>> was >>>> wondering if you have some live traces of communication during arrival >>>> of spam messages at the mail server from a proxybot; then I can have real >>>> world data, not just data from my lab. If yes, would it be possible to >>>> share them with me? I would appreciate any comment from you in this regard. >>>> >>>> Thanks for your valuable time. >>>> >>>> Best Regards, >>>> Gurvinder Singh >>>> >> >> > >

From nick at rogness.net Sat May 30 13:45:21 2009 From: nick at rogness.net (Nick Rogness) Date: Sat, 30 May 2009 11:45:21 -0600 Subject: [Discussion] The approach to detect proxybots Message-ID: <4a21709d.0504c00a.3bcc.ffff860d@mx.google.com> This is an interesting approach. I don't know how probabilistic the delays will be however.
Most ISPs will deliberately slow mail connects in the network to act as a sort of tarpit for spam farming. I know we do at least and have talked with others about it as well. This may be in transit or at the actual mail server. Additionally, with spammers, they are clever little SOBs. Once you have this detection working, they will change the botnet code to react differently to avoid detection. Nonetheless, one could increase the probability of detection with a significantly higher sampling...whether using information from other sensors in one network or from other sensors in other networks. A network of OISF sensors independently distributed across the internet would be useful for these types of detections and others like it via some sort of feedback system. I still think it would be worth investigating as one of many ways to detect these botnets. If you have some code to test I'll put it on our ISP network to see how well it works. -----Original Message----- From: Gurvinder Singh Sent: Friday, May 29, 2009 11:19 PM To: discussion at openinfosecfoundation.org Subject: [Discussion] The approach to detect proxybots Hi, First of all, thanks to Matt for introducing me to the Open Information Security Foundation. I was in touch with Matt and he suggested that I put the concept on the discussion list to get feedback on it from the team. If possible we can implement this concept as a preprocessor of the new engine (read the message from Matt below). The approach is based on Interarrival Packet Time (IPT). The IPT is the difference between the current packet arrival time and the last packet arrival time from the sender under the current session. The IPT is recorded from incoming packets at the receiving end. Consider the following scenario:

            (200ms)                 (50ms)
Spammer ------------> Proxybot -------------> Mail server

The spammer starts a session by sending a command to a bot. The bot initiates a connection with the mail server and establishes a connection.
The mail server responds with greeting message and the bot relays this message to the spammer. After receiving the greeting message, the spammer sends HELO message to the bot and bot will relay message to the server. The server will receive message after delay of 250ms or higher which is the total delay on connection between mail server and spammer. If the bot system is the real originator of message request, then the HELO message will be received in 50ms by mail server. This delay is seen on each command (MAIL FROM, RCPT TO and DATA etc.) received from bot at server end. There is a probability that the delay can be due to congestion on the network. But in above case server will receive an ACK message from bot system after 50ms which signifies the lack of congestion on the network. I tested the approach for different protocols and find it working on FTP, HTTP GET request (Tor), Telnet and simple data transfer using TCP. I will be happy to answer any question regarding above approach and looking forward to hear from you about feedback on the concept. The above concept is result of my master thesis work. If possible, I would like to join the team. P.S. The code can be released under GPL. Thanks for your time. Best Regards, Gurvinder Singh > > Matt Jonkman wrote: >> Forgot to mention that this code will all be GPL. :) >> >> matt >> >> Matt Jonkman wrote: >> >>> Hello Gurvinder! Your timing couldn't be better. >>> >>> I'm fascinated by the concept, that would help in a lot of things we >>> are >>> currently challenged in with IDS. >>> >>> The timing is perfect because we've received US Dept of homeland >>> security funding to build a new next generation IDS. We're about to get >>> the bulk of our funding and begin development work. >>> >>> I'd like to talk to you about applying this concept to a >>> preprocessor of >>> the new engine. If you're interested I'd like to introduce you to the >>> rest of the team. 
We're having our final planning and hiring meeting >>> late next week. So this couldn't be more perfect. >>> >>> More information about us at http://www.openinfosecfoundation.org >>> >>> If you hop on the discussion mailing list we could bring the idea up >>> and >>> see what the community thinks about it as well. >>> >>> Thanks for contacting me! >>> >>> Matt >>> >>> Gurvinder Singh wrote: >>> >>>> Dear Matt Jonkmans, >>>> >>>> I am Gurvinder Singh, master student at Department of Telematics, >>>> NTNU, >>>> Trondheim, Norway. Currently I am working on my master's thesis on a topic >>>> titled "Detection of Intermediary Hosts through TCP latency >>>> propagation". I performed experiments for different protocols and >>>> found a >>>> method to detect the intermediary hosts. After reading your article I >>>> realized that my approach can be used to detect the spam coming from a >>>> proxy system which is actually sent by some other system behind it. In >>>> the scenario like this >>>> >>>> Spammer ----> ProxyBot ------> Mail Server or Relay >>>> >>>> at the mail server or relay we can detect that the message is relayed via a proxy >>>> bot and thus the server can drop the message, and if the behavior is >>>> persistent the IP address of the proxybot can be added to blacklists. I >>>> was >>>> wondering if you have some live traces of communication during arrival >>>> of spam messages at the mail server from a proxybot; then I can have real >>>> world data, not just data from my lab. If yes, would it be possible to >>>> share them with me? I would appreciate any comment from you in this regard. >>>> >>>> Thanks for your valuable time.
>>>> >>>> Best Regards, >>>> Gurvinder Singh >>>> >> >> > > _______________________________________________ Discussion mailing list Discussion at openinfosecfoundation.org http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

From scheidell at secnap.net Sat May 30 13:49:46 2009 From: scheidell at secnap.net (Michael Scheidell) Date: Sat, 30 May 2009 13:49:46 -0400 Subject: [Discussion] The approach to detect proxybots In-Reply-To: <4a21709d.0504c00a.3bcc.ffff860d@mx.google.com> References: <4a21709d.0504c00a.3bcc.ffff860d@mx.google.com> Message-ID: <4A2171BA.5050105@secnap.net> Nick Rogness wrote: > This is an interesting approach. I don't know how probabilistic the delays will be however. Most ISPs will deliberately slow mail connects in the network to act as a sort of tarpit for spam farming. I know we do at least and have talked with others about it as well. This may be in transit or at the actual mail server. > > Additionally, with spammers, they are clever little SOBs. Once you have this detection working, they will change the botnet code to react differently to avoid detection. > > Nonetheless, one could increase the probability of detection with a significantly higher sampling...whether using information from other sensors in one network or from other sensors in other networks. A network of OISF sensors independently distributed across the internet would be useful for these types of detections and others like it via some sort of feedback system. > > I still think it would be worth investigating as one of many ways to detect these botnets. If you have some code to test I'll put it on our ISP network to see how well it works. > > > we run a managed anti-spam service, as well as sell appliances, and, yes, we do funky things with delays in between helo and data session. I would not count on any 'accident' but RFC compliant behavior.
p0f is still a good source of passive os detection, and from the smtp side, why do I want windows 95 machines running smtp servers :-)? you might want to get with Lawrence Baldwin (mynetwatchman) he has some interesting data on DNS lookup timing and zombies. in fact, he might be a good one to get involved in this project -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 | SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best Anti-Spam Product 2008, Network Products Guide * King of Spam Filters, SC Magazine 2008 _________________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ _________________________________________________________________________

From gurvinde at stud.ntnu.no Sat May 30 14:22:27 2009 From: gurvinde at stud.ntnu.no (Gurvinder Singh) Date: Sat, 30 May 2009 20:22:27 +0200 Subject: [Discussion] The approach to detect proxybots In-Reply-To: <4a21709d.0504c00a.3bcc.ffff860d@mx.google.com> References: <4a21709d.0504c00a.3bcc.ffff860d@mx.google.com> Message-ID: <4A217963.3040007@stud.ntnu.no> Nick Rogness wrote: > This is an interesting approach. I don't know how probabilistic the delays will be however. Most ISPs will deliberately slow mail connects in the network to act as a sort of tarpit for spam farming. I know we do at least and have talked with others about it as well. This may be in transit or at the actual mail server. > > The approach works near the spam-originating point.
If the ISP of the spam-originating point (proxybot) employs this approach at its IDS, then a decision about the message sender can be made, suggesting whether the sender is a proxy system or a legitimate one. Once the spam enters the network, mail relays will forward it using the store-and-forward method and the approach is not useful in that scenario. Most spam filters mainly rely on content inspection; the described approach is independent of content, works near the originating point, and avoids unwanted use of network resources too. > Additionally, with spammers, they are clever little SOBs. Once you have this detection working, they will change the botnet code to react differently to avoid detection. > > To avoid this method they need to change the socks proxy to behave as a store-and-forward relay. Otherwise the spammer can not send data early on the network, he can only delay it, which will result in better chances of detection :) > Nonetheless, one could increase the probability of detection with a significantly higher sampling...whether using information from other sensors in one network or from other sensors in other networks. A network of OISF sensors independently distributed across the internet would be useful for these types of detections and others like it via some sort of feedback system. > > I still think it would be worth investigating as one of many ways to detect these botnets. If you have some code to test I'll put it on our ISP network to see how well it works. > > Unfortunately I am running out of time; it took a lot of time to come up with the idea and now the deadline for submitting the thesis is on my head (15th June). But I still plan to implement the approach in Bro IDS. If I am able to do it in time, you will get the code for sure. Thanks for giving feedback !! -Gurvinder > to detect proxybots > > Hi, > > First of all, thanks to Matt for introducing me to the Open Information > Security Foundation.
I was in touch with matt and he suggested me to put > the concept in discussion list to get feedback on it from team. If > possible we can implement this concept to a preprocessor of the new > engine (read message from matt below). > > The approach is based on Interarrival Packet Time (IPT). The IPT is the > difference between current packet arrival time and the last packet > arrival time from the sender under current session. The IPT is recorded > from incoming packets at the receiving end. Consider the following scenario > (200ms) (50ms) > Spammer ------------> Proxybot -------------> Mail > server > > The spammer starts a session by sending a command to a bot. The bot > initiates a connection with the mail server and establishes a > connection. The mail server responds with greeting message and the bot > relays this message to the spammer. After receiving the greeting > message, the spammer sends HELO message to the bot and bot will relay > message to the server. The server will receive message after delay of > 250ms or higher which is the total delay on connection between mail > server and spammer. If the bot system is the real originator of message > request, then the HELO message will be received in 50ms by mail server. > This delay is seen on each command (MAIL FROM, RCPT TO and DATA etc.) > received from bot at server end. > > There is a probability that the delay can be due to congestion on the > network. But in above case server will receive an ACK message from bot > system after 50ms which signifies the lack of congestion on the network. > > I tested the approach for different protocols and find it working on > FTP, HTTP GET request (Tor), Telnet and simple data transfer using TCP. > I will be happy to answer any question regarding above approach and > looking forward to hear from you about feedback on the concept. The > above concept is result of my master thesis work. If possible, I would > like to join the team. > > P.S. 
The code can be released under GPL. > > Thanks for your time. > > Best Regards, > Gurvinder Singh > > >> Matt Jonkman wrote: >> >>> Forgot to mention that this code will all be GPL. :) >>> >>> matt >>> >>> Matt Jonkman wrote: >>> >>> >>>> Hello Gurvinder! Your timing couldn't be better. >>>> >>>> I'm fascinated by the concept, that would help in a lot of things we >>>> are >>>> currently challenged in with IDS. >>>> >>>> The timing is perfect because we've received US Dept of Homeland >>>> Security funding to build a new next generation IDS. We're about to get >>>> the bulk of our funding and begin development work. >>>> >>>> I'd like to talk to you about applying this concept to a >>>> preprocessor of >>>> the new engine. If you're interested I'd like to introduce you to the >>>> rest of the team. We're having our final planning and hiring meeting >>>> late next week. So this couldn't be more perfect. >>>> >>>> More information about us at http://www.openinfosecfoundation.org >>>> >>>> If you hop on the discussion mailing list we could bring the idea up >>>> and >>>> see what the community thinks about it as well. >>>> >>>> Thanks for contacting me! >>>> >>>> Matt >>>> >>>> Gurvinder Singh wrote: >>>> >>>> >>>>> Dear Matt Jonkmans, >>>>> >>>>> I am Gurvinder Singh, master student at Department of Telematics, >>>>> NTNU, >>>>> Trondheim, Norway. Currently I am working on my master's thesis on a topic >>>>> titled "Detection of Intermediary Hosts through TCP latency >>>>> propagation". I performed experiments for different protocols and >>>>> found a >>>>> method to detect the intermediary hosts. After reading your article I >>>>> realized that my approach can be used to detect the spam coming from a >>>>> proxy system which is actually sent by some other system behind it.
In >>>>> the scenario like this >>>>> >>>>> Spammer ----> ProxyBot ------> Mail Server or Relay >>>>> >>>>> at the mail server or relay we can detect that the message is relayed via a proxy >>>>> bot and thus the server can drop the message, and if the behavior is >>>>> persistent the IP address of the proxybot can be added to blacklists. I >>>>> was >>>>> wondering if you have some live traces of communication during arrival >>>>> of spam messages at the mail server from a proxybot; then I can have real >>>>> world data, not just data from my lab. If yes, would it be possible to >>>>> share them with me? I would appreciate any comment from you in this regard. >>>>> >>>>> Thanks for your valuable time. >>>>> >>>>> Best Regards, >>>>> Gurvinder Singh >>>>> >>>>> >>> >>> >> > > > _______________________________________________ > Discussion mailing list > Discussion at openinfosecfoundation.org > http://lists.openinfosecfoundation.org/mailman/listinfo/discussion > > > >

From gurvinde at stud.ntnu.no Sat May 30 14:29:04 2009 From: gurvinde at stud.ntnu.no (Gurvinder Singh) Date: Sat, 30 May 2009 20:29:04 +0200 Subject: [Discussion] The approach to detect proxybots In-Reply-To: <4A2171BA.5050105@secnap.net> References: <4a21709d.0504c00a.3bcc.ffff860d@mx.google.com> <4A2171BA.5050105@secnap.net> Message-ID: <4A217AF0.3070204@stud.ntnu.no> Michael Scheidell wrote: > > > Nick Rogness wrote: >> This is an interesting approach. I don't know how probabilistic the delays will be however. Most ISPs will deliberately slow mail connects in the network to act as a sort of tarpit for spam farming. I know we do at least and have talked with others about it as well. This may be in transit or at the actual mail server. >> >> Additionally, with spammers, they are clever little SOBs. Once you have this detection working, they will change the botnet code to react differently to avoid detection.
>> >> Nonetheless, one could increase the probability of detection with a significantly higher sampling...whether using information from other sensors in one network or from other sensors in other networks. A network of OISF sensors independently distributed across the internet would be useful for these types of detections and other like it via some sort of feedback system. >> >> I still think it would be worth investigating as one of many ways to detect these botnets. If you have some code to test I'll put it on our ISP network to see how well it works. >> >> >> > > we run a managed anti-spam service, as well as sell appliances, and, > yes, we do funky things with delays in between helo and data session. There is a possibility to detect use of proxybots based on the inter arrival packet time of data packets. This will add up to have small false negative rate :) > > I would not count on any 'accident' but RFC compliant behavior. > > p0f is still a good source of passive os detection, and from the smtp > side, why do I want windows 95 machines running smtp servers :-)? > you might want to get with Lawrence Baldwin (mynetwatchman) he has > some interesting data on DNS lookup timing and zombies. > will it be possible for me to get access of data from proxybots. ? It would be great for me, as i am planning to write a paper and it will help me to provide proof from real world data not just from lab :P > in fact, he might be a good one to get involved in this project > > > -- > Michael Scheidell, CTO > Phone: 561-999-5000, x 1259 > > *| *SECNAP Network Security Corporation > > * Certified SNORT Integrator > * 2008-9 Hot Company Award Winner, World Executive Alliance > * Five-Star Partner Program 2009, VARBusiness > * Best Anti-Spam Product 2008, Network Products Guide > * King of Spam Filters, SC Magazine 2008 > > > ------------------------------------------------------------------------ > > This email has been scanned and certified safe by SpammerTrap?. 
> For Information please see www.secnap.com/products/spammertrap/ > > > ------------------------------------------------------------------------ >
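As an added illustration, not code from this thread, from the thesis, or from OISF: a small Python screen over the inter-arrival times of a session's data packets, the signal Gurvinder mentions above. The thread does not describe the actual thesis method, so this assumes, as a hypothesis, that a relaying ProxyBot adds a variable per-packet delay between the real sender and the mail server, and it scores each session by the coefficient of variation (stdev / mean) of its packet gaps against a threshold learned from sessions known to be direct. Using a ratio rather than raw gap size is what keeps a site's own uniform tarpit delays (Nick's point) from triggering it. All session names, timestamps and the threshold parameter are constructed for the example.

```python
"""Inter-arrival-time screen for relayed (proxied) SMTP sessions.

Added example (constructed data, hypothesised signal); not the thesis
method and not OISF engine code.
"""
from itertools import accumulate
from statistics import mean, pstdev


def timestamps_from_gaps(gaps, start=0.0):
    """Build absolute packet timestamps from a list of inter-arrival gaps."""
    return list(accumulate(gaps, initial=start))


def inter_arrival_times(timestamps):
    """Gaps (seconds) between consecutive data-packet timestamps."""
    if len(timestamps) < 2:
        raise ValueError("need at least two packets to compute gaps")
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def jitter_ratio(timestamps):
    """Coefficient of variation of the gaps: pstdev / mean.

    A receiver that tarpits every connection by a fixed amount scales mean
    and stdev together, so the ratio stays small; extra variable delay from
    an intermediary host raises it.
    """
    gaps = inter_arrival_times(timestamps)
    m = mean(gaps)
    if m <= 0:
        raise ValueError("timestamps must be strictly increasing")
    return pstdev(gaps) / m


def baseline_threshold(direct_sessions, k=3.0):
    """Site-specific threshold: mean + k * stdev of jitter over known-direct sessions."""
    ratios = [jitter_ratio(ts) for ts in direct_sessions]
    return mean(ratios) + k * pstdev(ratios)


def classify(sessions, threshold):
    """Map session id -> (jitter_ratio rounded to 3 places, flagged)."""
    out = {}
    for sid, ts in sessions.items():
        r = jitter_ratio(ts)
        out[sid] = (round(r, 3), r > threshold)
    return out


# Constructed traces: gaps between DATA-phase packets, in seconds.
DIRECT_BASELINE = [
    timestamps_from_gaps([0.020, 0.021, 0.019, 0.021, 0.020, 0.019, 0.020]),
    timestamps_from_gaps([0.050, 0.048, 0.052, 0.050, 0.049, 0.051, 0.050]),
    timestamps_from_gaps([0.100, 0.105, 0.095, 0.100, 0.102, 0.098, 0.100]),
]

SESSIONS = {
    # direct sender, fast link
    "direct-fast": timestamps_from_gaps([0.030, 0.031, 0.029, 0.030, 0.030, 0.031, 0.029]),
    # direct sender through a receiver that tarpits every packet by ~2 s
    "direct-tarpit": timestamps_from_gaps([2.00, 2.00, 2.01, 1.99, 2.00, 2.00, 2.00]),
    # hypothesised relayed session: alternating short and long gaps
    "relayed-1": timestamps_from_gaps([0.020, 0.310, 0.025, 0.270, 0.030, 0.340, 0.022]),
}


def run_example():
    """Learn the threshold from the baseline and score the sample sessions."""
    thr = baseline_threshold(DIRECT_BASELINE)
    return thr, classify(SESSIONS, thr)


if __name__ == "__main__":
    threshold, verdicts = run_example()
    print(f"threshold (jitter ratio) = {threshold:.3f}")
    for sid, (ratio, flagged) in verdicts.items():
        print(f"{sid:14s} ratio={ratio:.3f} flagged={flagged}")
```

The threshold is learned per site on purpose: the same code run at an ISP that tarpits HELO-to-DATA, as SECNAP describes, produces a different baseline than one that does not, and a relay whose added delay happens to be constant would not be caught by this ratio at all, which is the kind of false negative the thread is discussing.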
