Penetration Testing mailing list archives

Re: Pentest Criteria


From: Pete Herzog <lists () isecom org>
Date: Wed, 08 Sep 2010 21:02:28 +0200

Ulisses,

On 9/8/2010 7:18 PM, Ulisses Castro wrote:
> Pete, why did you insist on saying that it is "Open Source"?

Because it is. For one, OSSTMM 2.2 is there, free and available around the world. I can Google for it and it's there and always has been. Anybody can take it and read it and use it and distribute it.

Where I think you get confused is with OSSTMM 3. So I'll make this a bit clearer for you: as far as the world is concerned, the "written manual" OSSTMM 3 does not exist yet. It is merely a book still being written. Much like partially written, nonworking code on the desktop of a programmer's bench, until that code is provided to the world, no license or stipulation is necessary. Sure, some of the people the programmer knows and discusses coding stuff with might see it and help, but it's not done enough yet to do anything with. It's merely a concept.

Now where I think you really get even more confused is that we make the ideas of the OSSTMM 3 available to some. Yes, it's an idea that we share openly among those who choose to help us build this object. We even choose to share our ideas with those who don't work on it, but they need to then pay to come see it.

Once OSSTMM 3 is released, it will carry the CC Attribution-NoDerivs license. So it will be free to use, read, and distribute, same as OSSTMM 2.2. The NoDerivs is because it's applied as a standard and there shouldn't be multiple versions of the same standard. That would just be confusing.

One other point of note: the OSSTMM contains no source code. So the "source" which is open is the methodology, the algorithms, and the work process, all of which have already been released for some time and are constantly updated to reflect changes in the OSSTMM 3's development. Go ahead and look. It's there. Check osstmm.org and isecom.org/ravs. Also check isecom.org/scare and isecom.org/hsm, which explain the OSSTMM 3 research as applied to other useful areas. Also check our news page and get the presentations which explain the methods step by step. Maybe you knew of this, though, and that's what you refer to as the "marketing shit". We put it out there for feedback. Some of the feedback we got on Mastering Trust (how to apply the new trust metrics) went into the written OSSTMM 3 manual, and we added those people as contributors. For me that's open source. I published a piece of source (a method) and we got feedback to improve it. The method got updated. How is that different from publishing unfinished, unworking source code for feedback and comments?

I'm sorry, but I can't give you a written manual because it's NOT done yet. So if you're saying it's really still not open source as you know it, then would you prefer we release nothing and say nothing until the written manual for each version is completely done?

-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org