Well, I'm Chuck Willis, and as you can see on my presentation here, this talk is called Trends in Licensing of Security Tools. Sorry, I'm gonna try to keep speaking into the mic. If you can't hear me or anything, just give me one of these or just say something. I want to make sure that you guys can hear what I'm saying, and I also want to hear what you're saying. This is meant to be an interactive presentation, and in a way it's good we've got a small crowd here, because maybe people will feel more free to talk a little bit about this. I certainly don't intend to come up here and say that I have all the answers. It's really more that my slides are gonna try to provoke some thoughts from you all, and give kind of what my thoughts are as far as where licensing is going in security tools, and what might be some problems with that.

Anyway, as I mentioned, I'm Chuck Willis. These slides are a little updated from what's on your CD, so you can go to my website and download them if you want. There's nothing real substantial in the way of changes. Just in case you couldn't figure it out from the title, what we're gonna be doing is I want to discuss the trends, the changes that I've seen in licensing of security tools, and also talk about how that affects the security community. I also want to discuss how licensing could be improved, if necessary. Maybe you all think there's not a problem with what's going on. And as kind of a secondary thing, I expect that maybe some of you all will learn something about security tool licenses, in that there are a lot of tools that I'm gonna talk about that you think are free, open-source tools that really aren't. Again, this is meant to be interactive, so I'm gonna ask a lot of questions and I hope that you all will have some thoughts and share those with us.

Just a few disclaimers here. I am gonna talk about specific tools that have restrictions in their licenses, and this is not meant to be just ragging on these people or trying to talk bad about people. I just think it makes the talk much more interesting if you've got concrete examples to talk about rather than a bunch of abstract stuff. And I do think that the authors of those tools have done a service to the community by releasing them under the license that they're under. A lot of the tools that I'm gonna mention could easily be strictly commercial tools that you have to spend thousands of dollars for, so certainly the authors are to be commended for what they've done. Also, I wouldn't be talking about the tool if I didn't think it was a useful tool that people use, so I'm not gonna be talking about real obscure stuff, I don't think. Finally, the licenses may have changed since I put these slides together. Licenses change all the time, so this is just the disclaimer that stuff might have changed since I put this together, and you need to go out and read the license if you're gonna use these tools. Don't just rely on what I'm gonna tell you.

Okay, so a little bit about me. I work for a government contractor. The reason I say that is I don't work for a consulting firm or software firm, which is who releases most of the security tools as far as companies go, and then a lot of security tools are released just by individuals that do it in their spare time. So I think I'm a bit independent in that sense. I'm not a free software zealot. I'm not gonna come up here and say that everything should be GPL, because I don't think that's the case, and I use commercial software along with open-source software and all sorts of other software. And again, I'm not a lawyer.
This is not legal advice. But I do think I'm a pretty typical security tool user. I use a lot of tools in my work and also at home when I'm messing around with stuff, and I kind of wanted to illustrate this to show that you guys, I think, are typical security tool users as well, but we're different from normal software users. I use both Linux and Windows. I occasionally use other Unix variants. You certainly can't say that about standard software; most people just run Windows. And also I'm not a full-time programmer, so I don't necessarily have access to all the programming tools, Visual Studio and all that kind of stuff. I can tinker around with stuff, but I'm not necessarily someone that wants to spend all day coding. But I compile tools; that's certainly something that we can all do. We can debug compilation issues. If you've ever had to port something from Linux to Windows under the Cygwin APIs, or to BSD or something like that, I'm sure that's something that's pretty typical for people here. And I like to build little tools and scripts to automate things. I hate doing busy work, so I like to be able to do that kind of stuff. I also modify tools: if I download a tool from the Internet, or something that someone has posted to a mailing list, I'm gonna take it and start tweaking it if it's not doing exactly what I want. And I also like to share my tools and modifications with other people.
So if I do something I think is cool, I post it onto a mailing list. Anyway, I wanted to just mention that because I think this kind of fits everyone that's here, but it's definitely different than normal software users.

So my motivation here was that I use a lot of security tools, as I mentioned, and I actually read the licenses, which maybe not everybody does. I've actually been quite surprised by some of the stuff I found: a lot of tools that I thought were open source really aren't, and a lot of tools just have some very strange license restrictions that kind of surprised me. And over the years I've noticed some trends; it seems like more tools are going to a more restrictive license. So I wanted to talk a little bit about that.

Here's a quick example. SensePost's Wikto tool is a Windows version of Nikto, kind of. It's actually got some other features that have been built onto Nikto: it does some recursion, and it also connects in with the Google APIs and all that. So anyone here use that tool? Find it useful? Yes, no? Okay, good. Are any of the contributors here? I definitely know they're here at the conference; I sat in on the SensePost talk earlier. I don't see any of them in the room here. Well, you're lucky they're not in the room, because if you look at the license for Wikto, you'll see that it starts off with the full GPL license and then it adds this extra restriction that, basically, if you find the software useful, you're supposed to buy them a drink. So I expect you all to go out and find them after the session's over and make sure you live up to that.

Excuse me? Wikto, it's a web application scanner, web server scanner. And just in case anyone was wondering, I don't think that's enforceable, but I'm not a lawyer, so you'll have to talk to your legal about that. Well, it certainly is a violation of the GPL in the sense of, well, it's not a violation of the GPL, but it's not the GPL. You can't say that something is GPL and then add extra restrictions onto it. I don't think the two really match. But if you also notice the wording there, it's kind of vague in the wording too. So, to be honest, it's probably a joke. I don't think they actually expect anyone to do that, but it's just one of those little nuggets that you'll see sometimes in reading licenses.

Just a little bit about the scope. The main thing I'm interested in when I'm talking about these licenses is being able to use the tool for what I want to do, and perhaps modify the tool and be able to send those modifications to other people. In particular, I'm not trying to take someone else's tool and build my own tool that I want to sell and make a million dollars. That's much more difficult as far as licensing; obviously the GPL restricts that in a lot of ways. The BSD license or other licenses like that can allow that, but that's kind of a different issue for me. So that's what we're gonna talk about.

So let's start off with the trends that I've noticed. There's quite a few of them here, but there's two kind of overwhelming ones that we start off with. The first one is that there's a lot of great open source tools out there that are under an OSI certified license. That would usually be the GPL or a BSD license, and y'all can read the list.
I'm sure you've heard about and use a lot of these tools: Nmap and Ethereal, and the Metasploit Framework is written in Perl. Almost all tools that are written in Perl are released under Perl's license, the Artistic License, which is basically an open-source license; it's OSI certified. So I think these people deserve a lot of credit for what they've done, and everyone who's written open-source software or contributed to open-source software has done a lot of great service for the community here. I just wanted to say this up front, so that when I start talking about all the other tools later it doesn't sound like everything's a problem. There's certainly a lot of great, truly open-source software out there.

But I do see that more security tools are strictly commercial, and when I say strictly commercial, I mean basically that if you want to use the tool, you've got to pay money. They may have some sort of free version that allows you to download and try it out for 30 days or on a certain number of IP addresses or something, but for the most part it's a commercial tool. And unfortunately those commercial tools restrict many of the things that security tool users want to do. That's really one of the things we're going to talk about for this session, a lot of those restrictions. So I guess I'll just throw the question out there: is there a place for commercial security tools, you guys think? Yes? No? Shake your head. Lot of blank stares. Well, I do. Like I said, I'm not an open source, free software zealot.
I think that there's a place for commercial security tools, especially when there's not an open-source equivalent. If people are willing to pay money for it, then that makes sense. But my other question would be: should commercial security tools be licensed differently from other software? Yes or no? Again, more blank stares. I think definitely yes. I think commercial security tool users are much different than other software users, so I think that the license can allow the kind of things that we want to do. And some tools do have pretty, I'd say, less restrictive licenses. IDA Pro, for example, allows you to reverse engineer it, which is kind of funny because it's a reverse engineering tool, but I guess they saw that that was something that a lot of commercial software doesn't allow you to do. And also, if you look at some of the vulnerability and penetration testing tools like Core Impact or Canvas, those are commercial software that you have to pay for, but they come with all the source code, so you can go ahead and modify the tool if you want to, which is a nice thing, and it's certainly something that security tool users want to do.

The other kind of overarching theme that I've seen is that a lot of tools are released with what I call a custom license, which is basically somewhere between commercial and open source. It permits some uses without cost; usually it means that if it's for personal use or for non-commercial use, it'll say you can use it, but it usually requires either payment or something like that for something else. And it restricts some of the other things that we want to do, that we'll get into later. That's really what I'll talk about for the rest of this session: those restrictions and the tools that have them. Just as kind of an aside, many of these tools that are somewhere between open source and commercial are released by companies and not individuals, and that's because the companies have put money into developing this tool and they want to use it. Either they're gonna sell it to people, or they want people to know that it came from them, and they don't want other people releasing modified versions of the tool and that sort of thing.

Yes? A bait and lure? How do you mean that? Oh, certainly some tools are like that. They'll have a more restricted version that maybe only works for up to a certain number of IP addresses or whatever. And even if you look at something like Nessus, which I'll get into more a little later: Nessus is a great vulnerability scanner, but it doesn't necessarily scale real well, and one of the things that Tenable, the company that is pretty much in charge of Nessus now, does is that they have some web interfaces and other consoles that they'll sell you that allow you to manage Nessus scanners. So yeah, certainly it is part of it. It's really marketing is what it comes down to, to a large extent. A lot of these companies, the consulting-type companies, release free tools because they want to draw people to their website and then be able to sell them consulting services and software and all that sort of stuff.

Okay, so now let's get a little bit more into the specifics. The first one is just basically that sometimes you have to pay to use these tools. Usually these are tools, like I said, that can be used for free in some situations, and then in other situations you've got to pay. Sometimes the license will say that the tool is for personal use or non-commercial use, but it doesn't say anything about, if you want to use it commercially, how to buy it or how much it costs, and there's no information on their website or anything. It's very confusing for users. To me it's like, if you want to charge money, or you don't want people to use your software for commercial use, you should make it easy for them to stay within the law; you should make it easy for them to buy the software if they want to buy it. So that's kind of confusing.

Here's some examples of that, and you can read through those. THC's aRe yoU There (THC-RUT) is a tool that requires permission. You don't have to pay for it, but it does require permission. I lump payment and permission together because I kind of think that if you require permission for people to use it for commercial use, then you're kind of leading up to maybe starting to charge for it later, and it really comes down to the same issues. Foundstone's free tools are that way: their license says it's for personal and non-commercial use, but it doesn't say anything about how to purchase it for commercial use. The registered plugins for Nessus and also the VRT certified rules for Snort are that way as well, in that you need to register in order to be able to download these. Both of them use very similar business models, in that the rules will be about five days out of date if you're going to use the free-of-cost version, and then if you want to pay, for Nessus I think it's like 1200 a year; I don't know for Snort how much it costs to buy the immediate download, so that as soon as a new rule comes out you can get it. And then another tool is httprint, which is just a neat little web server fingerprinting tool. So anyway, any questions there? Any other thoughts as far as other tools that are kind of in this vein, or people think this is a big problem or not?
I don't know. Yeah, go ahead. Yeah, just for people who didn't hear that, basically the idea, I think what you're saying is, that violating the license of these tools, if it says it's only for non-commercial use and you use it commercially, that's the same as downloading Windows from the Internet on BitTorrent or whatever. It's piracy, and the BSA can come after you for it. Exactly, and that kind of illustrates why I put this whole thing together: in my job I was downloading a lot of tools and I wanted to make sure that we were following the license. I didn't want to get my employer or our customers in trouble. So yeah, it's definitely one of those things, that you need to be paying attention to the licenses of the tools that you're using.

Okay, another feature that I've seen in a lot of licenses is that more and more are restricting redistribution. Basically that means that you can only get the tool from the author; you can only download the tool from their website. Which is fine, I guess, until the author disappears: if it's a company and it goes bankrupt, or if the author unfortunately dies or decides he doesn't want to deal with it anymore. It makes it difficult. Maybe a friend of yours has a copy of the tool, but the license says you can't redistribute it. So it's one of those things that's kind of a gray area. It'd be nice if people would put in their license that, if you're going to restrict redistribution, you allow it in the case that people can't find it from you anymore. Just some examples of those, as far as tools that you might have used: the Sysinternals tools are a lot of little Windows tools that will show your processes that are running, and people use them in incident response. NetStumbler actually restricts redistribution. And then again the Foundstone tools, and the Nessus and Snort plugins.

So the next thing that I've seen a lot of is tools that restrict or prohibit modification and reverse engineering. That's really a problem, because it prevents us from being able to fix the tool. Especially with tools like Nessus: the Nessus plugins restrict modification, but it's just a script. You've got the source code right there. You could easily go in there and fix things if you wanted to, but the license doesn't allow you to. Some other examples of that: Cain & Abel, and also the Foundstone tools again, and NetStumbler. This is, as you can see, mostly an issue with Windows tools, that if you don't have the source code it makes it difficult. But for some of them, like I said, Nessus, it is still an issue.

And that's kind of the next issue, that a lot of tools don't come with the source code. If you don't have the source code it makes it very difficult to make any changes. Well, strictly it's not a license issue, in the sense of it's not in the license, but usually these tools that don't come with source code also have a license that restricts redistribution or restricts modification, so it's pretty much the same issue again. And without the source code, it's very difficult to make modifications to the tool and improve the tool, or try to fix it ourselves. A lot of times if you're using a tool on a client site and something's being buggy, or you're seeing that the output is weird and you want to be able to try to fix it, you can't do that if you don't have the source code. And also the source code is valuable just for learning purposes: if you want to learn how this tool is working and what kind of protocols it's using, especially if it's some sort of vulnerability scanner or a pen testing tool, you want to know how it is connecting to the remote system, and what exactly the responses are that we're getting back.
Maybe try to weed out some false positives and that sort of thing. Well, that's very difficult if you don't have the source code, to know what the thing is doing. And obviously source code is also necessary if you want to port it to another platform. If you've got a Windows tool that's a standard compiled C++ program and you want to port that over to Linux, that's really not possible without the source code. Even in some supposedly portable languages like Java and .NET, you'll a lot of times run into little issues between platforms that you need the source code in order to kind of convert things, especially if the original programmer didn't consider porting. Maybe they're using some Windows-specific APIs that aren't available in the .NET framework for Linux and OS X, and that sort of thing. Again, this is mostly Windows tools, although occasionally you'll see it on other tools. I don't use Macs, but probably Mac tools have some of that as well.

Here's a bunch of examples. Some of them, I'm not sure if it was intentional that they didn't include the source code. Some of them, you may be able to email the author and get it from them. But these are just the ones that I saw that weren't readily available on their website. Some of the new ones here that we haven't talked about yet: Achilles, well, Achilles is an old tool, Brutus, Sam Spade, and Odysseus. Achilles and Odysseus are web proxies.

And there's actually a couple tools, fortunately only two so far, that require credit in the consulting reports. If you use THC Amap or THC Hydra as part of a penetration test or other sort of commercial consulting assessment that you're doing, there's actually a clause in the license that you have to give them credit in the consulting report. I don't know how many people actually do that or not.
I don't know. I'm glad, like I said, that only a couple tools are doing this so far, because if it becomes real common it could be real troublesome to start to remember which tools I used in this consulting and try to get all the credits in there, and make sure the customer doesn't get confused as to why you've got all this stuff in your report. So is that new to anybody? Did anybody use that tool that didn't know about that? No one wants to admit it, anyway.

Okay, well, another issue I've run into is that sometimes tools have a lot of these restrictions in their license, but then they'll tell you in mailing lists or other places, well, don't worry about it, we really didn't mean that, I guess. And that's a little bit confusing. So sometimes, in these couple examples, the website is different from what comes with the tool. You download the tool, and inside the tarball or inside the zip file is a license that's different than what you see on the website when you download the tool. One example is THC Hydra and Amap. The license is only slightly different, but there's a little difference in, I think it's actually in the clause that I just showed you, that the credit is different: I think one of the licenses says you have to include the tool name, version and authors, and in the other one it says you only have to include the name and the version, or something like that. Another, more significant one is that Foundstone recently released a tool called WSDigger.
I believe it's a web services scanning tool, but don't quote me on that. The license on the website is the standard Foundstone license, which we've been talking about, which is very restrictive: personal and non-commercial use only, no reverse engineering, all that other stuff. But when you download the tool, inside the tool distribution is the Apache 2.0 license, which is an open source license, which allows you to do all those things that we want to do. So which license are you supposed to follow? I don't know, but from what I've seen, when they announced the tool, it's meant to be under the Apache license; there's just some sort of miscommunication on their website.

Another example is that sometimes the author, like I said, on a mailing list or something, will contradict the tool's license. Foundstone's Hacme Bank and Hacme Books tools are great tools to learn about web applications and do some pen testing against them in a lab environment and all that. But again, the license says that they're for personal and non-commercial use. So I emailed them, because I wanted to set it up on our internal network at my company, and they said, oh yeah, no problem to use it on an internal lab. They didn't want other people going out and teaching classes, which is part of how they make money using these tools, because they put a lot of work into them. But they don't mind you using them at work, personally.

Another issue that I've seen is that a lot of times people say personal use or non-commercial use, but they don't define that, and different companies have different definitions. I know it's not a security tool, but the Google Toolbar defines personal use as if you download it yourself.
It's okay, so I can use Google Toolbar at work as long as I install it myself, but my system administrator can't install it on every single machine. I don't know. It's just one of those things that different companies have different definitions, so if you're not defining it, then it's hard to enforce it. And then another example is the registered plugins for Nessus. Yes, go ahead. Right. Yeah, that's a good point. For you guys that didn't hear, he basically said that the Foundstone tools, for instance, were written by people at Foundstone, but Foundstone owns the copyright. They're the copyright holder for those tools, so they decide the license, and the authors of those tools don't necessarily have the authority from their employer to waive that license or change the license. So you need to be aware of that, as far as who actually owns the tool, and are you actually getting permission from the right people?

The registered plugins for Nessus is another tool that's a little strange, because the license is very restrictive. It doesn't allow you to change the plugins or reverse engineer the plugins, which is a bit strange because there are some problems with their plugins. They always have problems with false positives or typos in descriptions and that. Nothing bad; it's just they've got 6,000 of the things, so inevitably there's gonna be problems that show up. And they also frequently have problems with versions of services that they're scanning: when a new version comes out, it's gonna give you back something strange that it's not expecting. So anyway, the license prevents you from making those changes yourself or distributing them, but on the mailing lists the owner of Tenable, who I think is authorized to make this statement, said, oh yeah, no problem, you can make changes to the plugins and you can post them back to the Nessus mailing list so that other people can see them. So that's another one of those things where it's like, well, who do you really follow? I would guess that if they've said that publicly, and I know people have done that and no one's gotten sued, it's probably okay, but it's just a little confusing for the users. They really should straighten that out.

The other really big issue that I've seen is a lot of tools just don't have a license. You just can't find it. Maybe, for some of these that I'm gonna mention, the license is in the tool distribution and it's just hard to find. I have seen ones where the binary that gets compiled or is distributed doesn't have any license at all associated with it, but if you look at the comments in the source code files, it'll say this tool is under the GPL, or this tool is under whatever license. Which is really not sufficient; you're supposed to include the full GPL in there rather than just saying it's supposed to be under the GPL. And then sometimes it's just not present at all; you just can't find it. And this is also a big problem if you can't figure out who the author was. Maybe you've got an email address and it doesn't work anymore, or something like that, so then it's kind of who knows. And then the other thing is that a lot of times, if there is a license, it might be there, but it's pretty incomplete. It just basically says something real simple, like, oh, use it for whatever you want, or something like that.
Well, that isn't really a full license, in the sense that it doesn't talk about all the different things that we want to be able to do with tools and give us permission for it. Again, I'm not a lawyer, but my understanding of copyright law is that, pretty much, if the license doesn't say you can do it, then you're not supposed to do it. A lot of times this is a problem with small exploits and scripts and stuff that are posted to, I call them online forums here just to include everything, but mailing lists, newsgroups. If you look at the Full Disclosure or Bugtraq mailing lists, hardly any of the exploits that are posted there have any sort of license associated with them. Again, it'd be nice if we could say, well, if you post something in a forum like that and don't include a license, it was meant to be in the public domain or something like that. But I don't think that's the way the law works. But again, I'm not a lawyer.

Here's just some examples. BindView's new tool: I wasn't able to find a license for it. Hobbit's original netcat: there was no license associated with that. John the Ripper: I think what happened was Solar Designer, the guy who wrote the tool, incorporated some other code that he wasn't sure about the license of into the tool, so that's why there is no license, because he doesn't even know what the license is. But he has said that the next version, 1.7, is going to be released under the GPL. I have no idea when that's going to happen; I mean, 1.6 has been out forever, so I don't know when that's going to happen. And some other tools that I saw: sqlsecurity.com has a lot of SQL tools that I didn't see any license for. And some other ones that we've already talked about.

So, okay, where are we at in time? Okay, we're in good shape. So do you guys agree that this exists? I've talked a lot about how I think more tools are going to this kind of more restrictive license.
Do you guys agree, disagree? What's your thoughts? Yeah, go ahead. Right, the comment was that a lot of tools seem to be, it's almost like the bait and hook method that someone else mentioned: they have free tools to kind of hook you in, and then they try to get you to pay for other tools or a more expanded version or something like that. And definitely that's been the case in software for a long time, but in security tools I think it's more of a recent trend. Yes, go ahead. Yes, I think that's definitely true. Just to repeat for people who may not have heard: the authors of the tools a lot of times will either clarify the license if it's not there, or they'll give you the source code. Usually, if you can get a hold of them, they're pretty nice about it. They like to hear that people are using the tools. And definitely that's one of my recommendations that we'll get to later on: work with those people to see what the license is if it's not clear. But yeah, I agree. Yeah, go ahead. I'm not a lawyer. I don't know. I would say no, just offhand. Again, if someone posts something to Full Disclosure or Bugtraq with no license attached, I'm assuming he means people can use it for something, at least, but I don't know. And that's actually something we'll get into in a little bit, but what's your thoughts? Yeah, that's a good point.
Just a real quick summary was that there may be an implied license there: if someone has released a tool where anyone in the world can get to it, on a mailing list or a website, you could make the argument that they intended for people to be able to use it for things. Again, talk to your lawyer, and it probably depends a lot on what country you're in. Again, I'm not a lawyer, but my understanding is that a license is similar to a contract, and just because you and I sign a contract doesn't necessarily mean that everything is enforceable. I don't know all the exact caveats, but I know, for instance, I can't sign a contract saying that I'll be your slave for the rest of my life; that is not a legally enforceable contract. So anyway, let me move on to another question.

I think we kind of covered this, but I'll ask it more specifically: is there a problem with this? We have certainly identified a problem of, if stuff doesn't have a license and it's kind of in limbo, it'd be good to have some clarification there. But with reference to the other trends that we've seen, as far as more tools requiring payments and permission for uses and all that, is that a problem for the security community? Yes, no? Yeah, go ahead.

Yeah, that's a good point. The quick summary of it was that some tools out there, even security tools, are restricting reverse engineering and cryptanalysis of them. That really causes a problem for those of us that want to be able to evaluate these tools and decide: are they good or bad to deploy into our companies or to recommend to our customers, and that sort of thing. So that certainly is a problem.

Okay, the next question was, well, what can we do to improve security tool licensing? I've got my own thoughts that I'll talk about in a little bit, but I just want to hear what you guys have to say. Anyone got any suggestions?
Yeah, go ahead. Make a new license? Yeah, well, that's definitely one of my points that I'll talk about later: if you want an open-source product, make it an OSI-approved license. Don't make up your own license, because it'll run into a lot of these problems and it makes it confusing for the users. It's hard, especially because of the nature of security tool work, that we end up using a lot of little tools to do our work, and it's a pain to try to keep track of the licenses of all these tools and make sure that we're not doing something that we're not supposed to be doing. Any other suggestions before mine? Yeah, go ahead.

Yes, that's definitely a good point. The point was that if you're buying a security product, or even if you're using it for free, but mostly if you're buying it, talk to the authors or whoever is trying to sell this to you and tell them you don't like the license; tell them that you want a different license. Especially for as much money as we pay for a lot of security products, it's amazing the kind of restrictions that they want to put on what we can do, and the fact that people just accept them and just kind of treat it like any other piece of software: well, we just got to live with it. Well, no, you don't have to live with it. Especially a lot of these smaller companies that are selling these things want your business, and they're willing to make concessions, especially if they can understand that what they're trying to restrict is really restricting what we want to do with the tools. It really comes down to, I think, don't treat your users like criminals. If you're not giving them source code and you're preventing them from reverse engineering the tool,
well, you're kind of assuming that, oh, they want to do something bad to us. Well, no, we just want to be able to use the tool, is what it comes down to, and to be able to use it in the most efficient way that we know how. Okay, I've got ten minutes left. Okay, any other suggestions? Okay, I'll run through what I have on here, and it's really just my own thoughts; feel free to disagree or whatnot.

A few issues for tool users. Well, obviously, read and follow the licenses; you can't just ignore the issue. And if you don't like the license, don't use the tool, or at least go back to the author and say, hey, can we get this changed? But don't just ignore it and go on and do whatever you want. I'd also say, I call it legal trickery, but don't follow the letter of the license while violating the spirit of the license. A lot of that comes down to how you define commercial use and that kind of thing; don't get into that would be my recommendation. Again, work with the tool writers to clarify if there's a problem, and the key there is politely, because tool writers, a lot of times, if they're writing it on their own, they're not getting paid to do it. They have a lot of people emailing them with bugs and stuff like that, and you don't want to make demands of them. Just talk to them and usually they'll be pretty accommodating. Also encourage them to remove the license restrictions, which is good for everybody. And if you make changes to a tool, whether it be an open-source tool or any other tool, share the changes; allow all of us to work together on these things so that everyone's not out reproducing the same efforts.

Okay, well, tool writers.
Well, obviously you need to follow the license for any software that you're incorporating into your tool. In particular, if you've got GPL software or something, you can't cut and paste that into a commercial product. Choose a license and include it with every tool; that's kind of self-explanatory. And remember, the copyright holder can add another license at any time. So just because I release a tool under the GPL today doesn't mean that every version of that tool is always going to be GPL. I can release the next version of it under a completely different license; that's not a problem, because I own the work. And if your employer holds the copyright, then encourage them to use a less restrictive license or just a standard open-source license. That can go a long way: you're telling your boss, hey, this is what users are going to want to be able to do with this tool, and we think it'll be helpful in the long run, especially if the company is trying to release the tool as marketing and to draw people to their site. Well, the more people that use the tool, the better it is for them. Just a quick note: don't make some complicated restrictive license for a pretty simple tool. If it's a simple tool, just release it under a BSD license or GPL or something real simple. And also, say what you mean and mean what you say when you're licensing the tool.
Don't do this kind of, well, the license says you can't do it, but then I'm going to email people and say that they can. And again, if you want it to be open source, just use an OSI standard license; don't make up your own. And if you're going to require payments, well, obviously you need to make the cost reasonable or people aren't going to buy it. Make it easy for people to buy the tool: that they can find it on your website, that you've got a link where people can do it with a secure form, put in their credit card information, and download the tool. You're going to get more people buying it that way than if they've got to email you and try to figure out what's going on. That's pretty much what's there. And obviously, make sure you tell people what upgrades are going to be included, what support, and all that. That's also kind of a disclaimer: that's what users are going to expect if they're paying for a tool; they're going to expect some upgrades and support. I'd also consider bundling the tool with other tools or other authors, because sometimes people will release a little small tool that's kind of useful and say, oh, it's $5 or something. Well, $5 is nothing as far as payment, but it's a huge pain in the butt for people that work at a large company or work in the government, because there's a lot of paperwork that goes into buying tools or buying anything. So if you're going to make it one of those real cheap tools, maybe bundle it with some other stuff so that people can buy it more easily. And then if you're going to require payment, make sure you define what you mean by non-commercial use or commercial use or whatever, and there's all sorts of things to consider: there's development and testing, and internal use, and consulting use, and educational institutions, government entities, all this stuff.
So you need to make sure you clarify what you mean by all those terms. And again, I recommend: don't just disallow redistribution entirely. It's nice to allow users to email it to their friends or other people they think might be users, and in the case that the website is gone forever, then people have redistributed it more widely. And again, make the source code available regardless of whether it's a commercial product or not. Give the users the source code and allow them to make modifications for internal use at least, so they can fix things. Allow users to distribute the modifications to one another; if it's a commercial tool, maybe you should set up an internal-type mailing list just for tool users, so that they can email stuff to each other. And if you're going to distribute the source code, obviously make sure it's complete; you've got all the build files and libraries and stuff like that, and just give a quick how-to of, hey, this is a Visual Studio project.
This is how to compile it. And again, make the license clear; post it on the website. There are a lot of tools that I noticed where you couldn't figure out what the license was until after you'd already downloaded the thing. Well, if it's a several-megabyte file, then it's kind of a waste of time to have to download it just to figure out what the license is. And if you're going to release a news item or post something on a mailing list about the new tool that's available, just include a quick summary: it's GPL, or it's free for non-criminal use, or whatever. Include the COPYING or LICENSE file or something like that in the distribution, and in the online help, again, put a little summary there. And if you're going to go to a conference like DEF CON or Black Hat or whatever, tell people when you're presenting. That's important so that people don't get all excited about something and then figure out that it's under some strange license. And just for the record, Black Hat and DEF CON are actually really good about that; I don't think you're allowed to present tools at these conferences without it being free for at least the conference attendees. But not all conferences are like that. That's just kind of here.
I'll go through this real quick. Make sure that if you're running a conference, you make sure that people know what the licenses are at least, and consider making it like DEF CON and Black Hat: if you're going to present a tool, it has to be free for at least the attendees. Then the big one that I think we were talking about earlier is for the people that run online forums, that's mailing lists or newsgroups or whatever. Again, I'm not a lawyer, but I would think that you could come up with a default license: if stuff is posted to this mailing list without any other license attached, it's going to fall under this license. I'd recommend making that the BSD license or an MIT license, something that basically says you can use it for whatever you want, don't sue me if it breaks something. And if people are going to post patches to existing tools, then it probably makes sense to dual-license those under the forum's license and also the existing tool's license, because that way, if the person who wrote the original tool wants to incorporate that into their tool, then they can do that with no problem. And also you want to decide, are you going to let people post things under some different license? In particular, people are making up their own license.
If it doesn't allow redistribution, then mailing list archives and stuff get screwed up. And just make it clear to members when they join the mailing list, or on the website or the web forum or whatever, or in an FAQ, that that's what the license is. So that's all I have. Yes, go ahead.

Okay, yeah, I understand what you're saying there. I guess his second point was that some tools, especially very expensive tools, they don't want to post the price on their website, because you can't just download it; you need to talk to them, you need to negotiate a contract, which usually involves support. But that's for tools that are in the thousands of dollars. I'm thinking about tools that are in the tens or hundreds of dollars. Well, again, you've got to define what you mean by that and all that, but yeah, there's a lot of, especially a lot of the security tools that we use, little command-line things, that shouldn't cost a lot of money.

And what was your first point? You said something about cross-posting? Yeah, how do you determine who the original author is? Yeah, that's definitely a problem: if stuff has been posted, especially if it's gone through an anonymous remailer or something like that, or an email account that doesn't work anymore, sometimes you can't even figure out who the original author was. So I don't know how to fix that, but I'm hoping that maybe we can get some forward thinking into this, that in the future this won't be a problem if there is some sort of default license that things will fall under. But again, I'm assuming that can be done; again, I'm not a lawyer.

Any other comments or questions? We've got a couple... we're done. Okay. Okay, well, thanks. If anyone else has any comments, see me.