
Licensing

azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
Topic starter  

So far no-one has raised any objections to the licensing structure that I have proposed. Any further debate on the topic ?

I would suggest that we follow the same licensing as the OSSTMM does. This is basically a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License. http://creativecommons.org/licenses/by-nc-nd/3.0/ with the following addendum.

Open Methodology License (OML)
Copyright (C) 2002 Institute for Security and Open Methodologies (ISECOM).

PREAMBLE

A methodology is a tool that details WHO, WHAT, WHICH, and WHEN. A methodology is intellectual
capital that is often protected strongly by commercial institutions. Open methodologies are
community activities which bring all ideas into one documented piece of intellectual property
which is freely available to everyone.

With respect the GNU General Public License (GPL), this license is similar with the exception for the right
for software developers to include the open methodologies which are under this license in commercial
software. This makes this license incompatible with the GPL.

The main concern this license covers for open methodology developers is that they will receive proper
credit for contribution and development as well as reserving the right to allow only free publication
and distribution where the open methodology is not used in any commercially printed material of
which any monies are derived from whether in publication or distribution.
Special considerations to the Free Software Foundation and the GNU General Public License for legal
concepts and wording.

TERMS AND CONDITIONS

1. The license applies to any methodology or other intellectual tool (ie. matrix, checklist, etc.) which
contains a notice placed by the copyright holder saying it is protected under the terms of this Open
Methodology License.

2. The Methodology refers to any such methodology or intellectual tool or any such work based on the
Methodology. A "work based on the Methodology" means either the Methodology or any derivative
work by copyright law which applies to a work containing the Methodology or a portion of it, either
verbatim or with modifications and/or translated into another language.

3. All persons may copy and distribute verbatim copies of the Methodology as are received, in any
medium, provided that you conspicuously and appropriately publish on each copy an appropriate
copyright notice and creator or creators of the Methodology; keep intact all the notices that refer to
this License and to the absence of any warranty; give any other recipients of the Methodology a copy
of this License along with the Methodology, and the location as to where they can receive an original
copy of the Methodology from the copyright holder.

4. No persons may sell this Methodology, charge for the distribution of this Methodology, or any
medium of which this Methodology is apart of without explicit consent from the copyright holder.

5. All persons may include this Methodology in part or in whole in commercial service offerings, private
or internal (non-commercial) use, or for educational purposes without explicit consent from the
copyright holder providing the service offerings or personal or internal use comply to points 3 and 4 of
this License.

6. No persons may modify or change this Methodology for republication without explicit consent from
the copyright holder.

7. All persons may utilize the Methodology or any portion of it to create or enhance commercial or free
software, and copy and distribute such software under any terms, provided that they also meet all of
these conditions:

a) Points 3, 4, 5, and 6 of this License are strictly adhered to.

b) Any reduction to or incomplete usage of the Methodology in the software must strictly and explicitly
state what parts of the Methodology were utilized in the software and which parts were not.

c) When the software is run, all software using the Methodology must either cause the software, when
started running, to print or display an announcement of use of the Methodology including an
appropriate copyright notice and a notice of warranty how to view a copy of this License or make
clear provisions in another form such as in documentation or delivered open source code.

8. If, as a consequence of a court judgment or allegation of patent infringement or for any other
reason (not limited to patent issues), conditions are imposed on any person (whether by court order,
agreement or otherwise) that contradict the conditions of this License, they do not excuse you from
the conditions of this License. If said person cannot satisfy simultaneously his obligations under this
License and any other pertinent obligations, then as a consequence said person may not use, copy,
modify, or distribute the Methodology at all. If any portion of this section is held invalid or
unenforceable under any particular circumstance, the balance of the section is intended to apply
and the section as a whole is intended to apply in other circumstances.

9. If the distribution and/or use of the Methodology is restricted in certain countries either by patents or
by copyrighted interfaces, the original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding those countries, so that distribution is
permitted only in or among countries not thus excluded. In such case, this License incorporates the
limitation as if written in the body of this License.

10. The Institute for Security and Open Methodologies may publish revised and/or new versions of the
Open Methodology License. Such new versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.

NO WARRANTY

11. BECAUSE THE METHODOLOGY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE
METHODOLOGY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN
WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE METHODOLOGY "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE IN USE OF THE METHODOLOGY IS WITH YOU. SHOULD THE
METHODOLOGY PROVE INCOMPLETE OR INCOMPATIBLE YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY USE AND/OR REDISTRIBUTE THE METHODOLOGY
UNMODIFIED AS PERMITTED HEREIN, BE LIABLE TO ANY PERSONS FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY
TO USE THE METHODOLOGY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
INACCURATE OR LOSSES SUSTAINED BY ANY PERSONS OR THIRD PARTIES OR A FAILURE OF THE
METHODOLOGY TO OPERATE WITH ANY OTHER METHODOLOGIES), EVEN IF SUCH HOLDER OR OTHER
PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Boring, I know, sorry, but hopefully getting this out of the way now, leaves space and time for the discussion of other, more relevant things !

In a nutshell

use it till you go blue in the face
feel free to make money from using it
just don't sell it, only the results you obtain from it
don't claim it as yours (unless you are actually involved in it … We can :-) )
don't change it - submissions for edits need to be submitted through the proper channels …

For those of you that skipped over it ( and I don't blame you ) Clause 1 is the one that says we can use the license if we want, so long as we include it in full.

Any comments on licensing ?


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Just wanted to encourage everyone to add their thoughts on this subject, even if they're clearly just playing devil's advocate. I think it's important to get the foundation right if an open methodology is to be of practical use.

Please feel free to pass criticism on the licence as displayed above, it won't be seen in a negative light.

Jamie


   
 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

Creative Commons with open use and attribution might be another good choice. I don't see an issue as long as all contributors recognize they're "giving up" any intellectual rights they may otherwise have for the greater good.


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
Topic starter  

debaser_ the license is for controlling the publication of any resulting outputs of the project to protect the rights of the submitters and ensure the quality of the end result. There is also a moral objection from my perspective about other people selling work that we are giving away for free …

I hope that this clears up the question ?


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Further background here.

Jamie


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
Topic starter  

Playing devil's advocate to my own suggestions - what about the GPL ?

http://www.gnu.org/copyleft/gpl.html

…. Open source is open source ….

… it is a very good point … :-)


   
(@nysalsa)
Eminent Member
Joined: 18 years ago
Posts: 20
 

Maybe GPL without allowing modifications not accepted by the editor board in order to keep control of the contents and protect this work from malicious upgrades/copies/extensions.
cheers
Rob


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
Topic starter  

Unfortunately it seems that the GPL is a bit of an "all or nothing" concept

http://rakaz.nl/item/why_modifying_the_gpl_is_bad

I agree with Rob in that

without allowing modifications not accepted by the editor board in order to keep control of the contents and protect this work from malicious upgrades/copies/extensions

is what we should ultimately aim to gain from our choice of licence. This is for quality control reasons - not megalomania !

:-)


   
 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

I suspect everyone agrees that quality control is the primary reason for any "Licensing" on the material. I equally suspect we all see what we're doing as for the good of the profession, not self. A problem with computer forensics is a lack of commonly accepted methods (generally), certificates, etc. So, a couple of specific questions for the group?

Does GPL give sufficient quality control?

Does Creative Commons give sufficient quality control?

Does OML give sufficient quality control?

Why or why not?


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
Topic starter  

GPL, as it stands, gives _no_ quality control as it permits modification provided that the original authors are cited.

Creative Commons in the "no derivs" clause, means that it is unchangeable, and that is the key point. The "attribution" clause means that the authors get credit similarly. "no commercial" is interesting - it prevents the work from being used for profit - the trouble is that this license was more designed for things like photographs - so you can't make a poster and sell it, or print it on a mug and sell it. I think though that this would prohibit the use of the methodology in a commercial organisation though if they were to use it to generate revenue. It is this that I think that the OML counters, it is, I feel an addendum to the CC license that states that, while we still object to it being printed on a poster and sold, you can use it for commercial work to derive results.

If we use the CC with "attrib" and "no_derivs" ( as suggested by, looking back you, Dennis … ) we remove the need for the addendum, but open up the possibility of SANS ( picking a name from the top of my head - no slander intended ) or any other, printing it out and charging £50 for the copy when they run a forensics course.

That just narks me :-)


   