Firewall Wizards mailing list archives

Re: Recording slow scans


From: "Donald Martin" <grey () usa net>
Date: Wed, 14 Oct 1998 12:11:37 -0000

I need to clarify something.  I should probably hold my tongue, but I want
to understand how this works.  I mentioned NFR to a client of mine several
months back at the earliest possible opportunity.  I had followed NFR on the
lists and examined the notes and such that came with the package I
downloaded from the web.

The client expressed an interest and I immediately contacted MJR via email
to ask about a commercial license.  The response was that I could try NFR,
play with it a bit, possibly write some agents and such, and if the client
wanted to purchase the product, I'd have to contact a certified NFR agency.
I asked, of course, "How much does it cost to get certified?"

Here is my point... NFR is not free.  It costs money to become a certified
installer or to purchase the product for commercial use.  So, am I not
understanding something here?  In what way are you asking people to give
back to the community?  You are selling NFR and you're charging an arm and a
leg to become certified in order that other people can sell your product
commercially.  Either we have a contradiction in terms of commercial use, or
I'm missing something.

If I write an agent, and give it to you, it's enhancing your product thereby
allowing you to possibly charge more for it or sell more products by
possibly being more competitive.  You're only giving NFR away if people don't
intend to use it commercially.  I really didn't want to open my mouth as MJR
was very cool in my communications with him and I appreciated the
opportunity to play with NFR.  I really like NFR, and I think it's hot, but
these companies that can afford xxx dollars to become certified installers
aren't the folks that are going to spend their time writing agents and
giving back to the 'community'.  They are making $250/hour installing
security products and such.  It's people like me that would write those
agents, and I'm not going to give anything back to the 'community' that is
charging me a mint to become certified in order that I can sell the very
same product which I've helped to build.

This could very easily be taken out of context, please don't.  If there is
an opportunity for me to get involved with NFR more intimately and use it at
my clients' sites without bringing some other network security organization
into the picture I'd be most pleased.  I actually *HOPE* I've misunderstood
something here... and it's been a while since I've had any such
communications with MJR.

gg


-----Original Message-----
From: Marcus J. Ranum <mjr () nfr net>
To: Crispin Cowan <crispin () cse ogi edu>; Darren Reed
<darrenr () reed wattle id au>
Cc: spb () incyte com <spb () incyte com>; firewall-wizards () nfr net
<firewall-wizards () nfr net>
Date: Wednesday, October 14, 1998 3:23 PM
Subject: Re: Recording slow scans


Crispin writes:
I don't see a whole lot of open-source IDS-ware floating around.  On the
other hand, there is a lot of commercial, closed-source IDS products out
there.

As far as I'm aware, NFR is the only open source commercial IDS
tool out there. There are a couple of other IDS systems that you
can get source for, if you're in the gov't. But my impression is
that you wouldn't want it once you had it. There are other good
pieces of software out there (Bro, Argus, NNstat, tcpdump) which
can be used to make IDS-ware. It's just a matter of putting your
code where your mouth is.

If there was an IDS toolkit,

there is.... That's what NFR *IS*

....then open source coders could write
clever new instruments, fine tune stuff, debug stuff, contribute
enhancements back into the community ... you know, that cool stuff that
open-source people tend to do if you let them.

That *COULD* but they haven't been so far. NFR has been out for
quite a long time and the amount of actual contributed stuff from
the community (Hi Mudge! Hi Stuart!) has been disappointingly small.
We've welcomed it all along, and have tried to encourage it - our
approach of using an interpreted language means that the whole
system is completely open to such things.

The notion of people writing clever new stuff, fine tuning, and
contributing back to the community sounds very nice in a kind of
armchair pink sort of way but that's not the reality of how things
are working at this point in the 'net's development. Especially
not with something like IDS that is seen as so valuable. We know
there are lots of con$ultants out there taking NFRs and writing
IDS and monitoring tools and selling them to customers - not
contributing back to the community or even to the folks who built
the software they're making the money off of. :(   (*AND* they
are violating our license by doing so)    So don't lecture about
how sweet it'd be if everyone just pitched in - Everyone has had
plenty of chances to just pitch in and as far as any of us can
tell the majority are just sitting back and whining that it's not
turnkey and doesn't have 8,000 attack signatures already.

This kind of open source development model seems particularly well-suited
to the IDS problem, where you have the following characteristics:

Of course I agree with you. That's why we made our software
open source...

  * Needs lots of fine-tuning:  many hands can do that in parallel

....but they're not.

  * Data-dependent: different people have access to different data sources

Yeah, thought of that, too.

  * Different information streams:  IDS instruments can be inserted in lots
    of places, if they can find a convenient fire-alarm to pull

Yup.

An IDS-TK seems like a very fine thing indeed.  Is there one?

We think so. BTW, NFR's license terms are basically the same as
the firewall toolkit's were (Yeah, I did that, too). Fwtk was a
big success. *BUT* don't give me a lot of crap about how much
the community contributed there, either. There were a few patches
and Wietse Venema contributed some assistance, but in general
it was the same thing: whine, whine, whine, why don't you just
give us a free firewall that does everything checkpoint does and
more and by the way I need to have no clues to install it?

I'm a big proponent of open source but I think that NFR is the
last time I'm going to do that. Next time I develop a cool
concept, it'll be patented 20 ways to sunday, venture-backed,
100% proprietary, and I'll start suing anyone who even talks
about making a free product that remotely resembles it. :)

I find it amusing that you're having this discussion with Darren,
who also has done considerable good work in the community by
making ip_filt available. I don't know if his experience matches
mine, but I doubt he's gotten a whole lot of "pitching in" from
all over the 'net. Tell me Darren, what's the whine-to-help
ratio on ip_filt? For the fwtk, I'd put it at 100:1 and for
NFR it's closer to 2000:1.

But hey don't take my word for it. Write a GPL IDS toolkit for
us, post it, and watch everyone make money off you while asking
you to support them. It'll give you a warm feeling. :)

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
