Re: Re: Some clarification?: GPL/Open Source: Naieve Question

[Martin Roesch <roesch () sourcefire com>]

On Monday, August 18, 2003, at 03:20  PM, Yurgi Branktoff wrote:

> While, I'm not a lawyer either. I am a second year law student, 
> studying "cybercrime" (yeah, I know).
>
> There are a couple of things I think are silly about the legal 
> statements on the "Snort.org" site, for what it's worth.
>
> > "Sourcefire and Snort are trademarks or registered trademarks of
> > Sourcefire, INC. patents pending."
>
> Anyone can claim a trademark on anything, that's when the (tm) is 
> used. The use of the line "trademarks or registered trademarks" almost 
> universally means that at least one of the registrations   for the 
> trademarks has not yet been approved by the USPTO. This usually takes 
> up to 6 months or more to complete.
>
> Should they obtain the registered trademarks, other than for the 
> Sourcefire name, it really doesn't mean a whole lot. The only time it 
> should come into play is if another security project is started that 
> is not directly based on Snort, but which also uses the name Snort. 
> Anything based directly on Snort, such as a third party branch of the 
> code tree, could still be denoted as Snort or Snort based without 
> violating any trademarks, since it was in common use for years before 
> being trademarked, in addition to many other factors.

There are a few reasons for getting trademarks on and around Snort and 
Sourcefire.  The first is as you state above, to prevent 
misappropriation of the name from a competing company or project.

Another reason to do it is to prevent situations like the Linux 
trademark dispute of 1996/1997 from happening to the Snort project.  
Check out the following link if you've never heard of that before: 
http://www.linuxjournal.com/article.php?sid=2425.  The basic idea is 
that someone who had no association with Linux gained a trademark on 
the name and then started demanding money from everyone that was 
selling Linux.

The third reason for doing it is that we have investors now and 
investors require us to perform due diligence in our operations 
surrounding Sourcefire to make sure that their investment is being used 
wisely.  This includes things like asserting our trademarks.

> > So is Snort really distributed as an open-source/GPL distribution or 
> > is
> > Snort.ORG actually the marketing and distribution arm of Sourcefire,
> > Inc.? If patents are pending then are we all users be required to pay
> > royalties at some point? Isn't this all in conflict with the open 
> > source
> > and GPL? I am bit confused now.
>
> The GPL license, would superceed any patents concerning use of the 
> Snort code base. However, it is theoretical that they could apply for 
> and possibly hold patents on certain implementations of technology 
> used within Snort, so that if a third party were to "reinvent the 
> wheel" -- so to speak, and create their own implementation, then there 
> could potentially be a patent violation. It would be pretty difficult 
> to prove though, since it would have the possibility of becoming a 
> common code element -- either implied or in actual use -- because it 
> is licensed under the GPL. Also, I'd like to point out that it is very 
> odd to write "patents pending." on a website footer legal notice, 
> particuarly without proper capitalization.

Heh, yeah that needs to be fixed.  Snort.org is still maintained single 
handedly by Brian Caswell (who is also a Sourcefire employee) with the 
occasional input from myself. Much like Snort development at 
Sourcefire, we maintain "separation of church and state" on the 
corporate and open source web sites.

> That said, it is my own personal feeling that they are possibly 
> feeling a bit regretful over their own licensing policies, and may be 
> seeking out ways to have the best of both worlds in order to appeal to 
> their investors. Patents and trademarks are common for all companies 
> to obtain, however it does seem a bit extraneous on the "Snort.org" 
> website. Naturally, it would be horrendous PR for them to pursue any 
> trademark infringments of the "Snort" name and any patent war chest 
> they may be building based on code they've released under the GPL 
> would certainly put them in the same light as SCO is currently in.

Unless someone is trying to steal from the Snort project.  One of the 
things that patents do for us is allow Sourcefire to pursue GPL 
violators using patent law, which has quite a bit more case law 
surrounding it than the GPL does.  This not only protects Sourcefire 
from misappropriation of technology that we've developed and put into 
Snort as open source, it also protects the "investment" that the open 
source community has contributed as well by allowing giving us a strong 
legal framework to work within if anyone decides to "take off' with 
Snort and use it as the foundation of a "proprietary" product.

> Once again, IANYAL (I am not yet a lawyer), but I do believe I have 
> been factually correct.

I think you're pretty close to the mark.  I used to work for Thomson 
Legal Publishing before I got into security and while there I learned 
how to read legal documents and how the law "worked" (e.g. the 
difference between tort law and case law, etc) and I've been over the 
GPL a few times and looked how trademarks and patents interact with it.

> Since there has been some obvious radio silence from Sourcefire on an 
> answer to this, for everyone's clarity, maybe they could definitively 
> answer a few questions.

My fault exclusively, been busy busy busy.  By and large many 
Sourcefire people want to let me handle this sort of thing because it's 
somewhat touchy.

> 1) Are there any patents or trademarks in the works that would limit 
> in any way how people are currently able to use Snort?

Nope!  I've said over and over again, Snort will always be free for the 
Snort community, we're just trying to make sure that all the external 
corporate entities that are intent on using Snort in some way play by 
the "rules" and respect the spirit of the GPL and Snort and 
Sourcefire's names.

> 2) Marty Roesch once said on the mailing list "we [Sourcefire] just 
> provide the data management, GUIs, ease of use, deployability, etc 
> that you get with our product line".
>
> Is Sourcefire still giving the community *all* of the core Snort 
> technology, and is the Sourcefire product line limited to that which 
> surrounds the publically accessible Snort version?

Yes!  We use the *exact* same Snort source code to build the Snort 
binary on our appliances that is available at snort.org and in CVS.  
There was a brief divergence in the codebase before we put out our 
gigabit product but we found that it was a terrific pain in the ass to 
maintain two branches of Snort code and the merge after that was a pain 
too.  The stuff that we were doing to get to gigabit was fairly 
radical, Snort would have been pretty broken while we were getting it 
ready, so we developed it in-house and then released it when it went 
out in the product.

The same thing happened with stream4 back in 2001, I developed it 
in-house for a few weeks before unleashing it on the world because it 
broke a lot of stuff in early versions.  Some would say it still 
does... :)

> 3) Will you begin pursuing consultants and other Snort based 
> enterprises from using the Snort name and/or the GPL'd version of 
> Snort, regardless of the legal pitfalls?

No, although it'd be nice if they didn't strip out proper attribution 
of where Snort comes from (i.e. me and Sourcefire)

> 4) What are your intentions for the future of the GPL based Snort? 
> Will it eventually be cut off?

Yeah, that worked pretty well for NFR...

I think I've only said it about a million times, Snort is now and will 
always be free.  The Snort you can download today will be available for 
download tomorrow.  We are committed to making Snort better, faster, 
more capable, harder to defeat, smarter and a whole bunch of other 
things.  Quite frankly, I have a vested interest in using Sourcefire's 
resources to make Snort as good as possible, it shows the world that 
we're building serious systems and that we're committed to advancing 
the state of the art in IDS and doing it in a way that doesn't have an 
admission fee to see how good it is.  I want to make Snort as good as 
possible so that people don't get bored with it and start looking at 
other NIDS out there.  I want to make Snort as good as possible so I 
don't have to walk around at security conferences and see the hollow, 
sunken hopeless eyes of all the people that had to transition to Cisco 
because Snort was left to its fate.

Sourcefire would be crazy to abandon Snort or encumber its use by the 
open source community for a number of reasons:

1) Our customer base is largely formed by the Snort user community, 
pissing them off == Bad Idea.

2) It'd be impossible to get Snort "off the net" and unmaintained NIDS 
technology doesn't age gracefully.  NFR abandoned the open source 
version of its system around version 2 and for years after people were 
thinking that it was representative of their shipping product.

3) All the good ideas that we have for making IDS better would have to 
be wrapped in expensive marketing campaigns instead of just letting 
people use the system for free and seeing how good it is for themselves.

4) As sensor technology becomes commoditized, the open source 
development methodology will prove to be superior  for continued 
evolution of this kind of technology without having to dedicate the 
kind of resources that are required to build IDS in a closed 
environment.  Open source projects tend to build the things that people 
are actually interested in instead of what marketing departments 
identify as important which in turn leads to product that's on-target, 
secure and well tested.

I like to joke around that Sourcefire doesn't sell intrusion detection, 
we sell everything else.  Closing Snort would serve us no practical 
purpose except to make it harder for people to compete with us using 
our technology, but we don't emphasize IDS sensing technology at the 
expense of all the other stuff we do because there's so much that we do 
outside of and around Snort.  When I started Sourcefire the idea was 
"ok, we're going to sell something that's free, there better be a lot 
of value add", and that's exactly what we built.  We added a number of 
enhancements to Snort to make it more enterprise ready and scalable, 
but we also built all the infrastructure around it that you need to 
deploy NIDS successfully and THAT is our primary value add and that's 
what people are will to pay considerable sums of money for.

I've made a commitment to keeping Snort free ever since starting 
Sourcefire, I don't intend to go back on that.

> I'm sure we'd all like to know once and for all.

I hope that answers your questions satisfactorily and I hope that this 
clears the air for the user community.

     -Marty


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Enterprise-class Snort-based IDS Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users