SolarWinds Outputs Information: Does Anyone Other Than Microsoft and the US Government Remember?
October 3, 2024
I love these dribs and drops of information about security issues. From the maelstrom of emails, meeting notes, and SMS messages, only glimpses emerge of what’s going on when a security misstep takes place. That’s why the write up “SolarWinds Security Chief Calls for Tighter Cyber Laws” is interesting to me. How many lawyer-type discussions were held before the SolarWinds professional spoke with a “real” news person from the somewhat odd orange newspaper? (The Financial Times used to give these things away in front of their building some years back. Yep, the orange newspaper caught some people’s eye in meetings which I attended.)
The subject of the interview was a person who is/was the chief information security officer at SolarWinds. He was on duty when the tiny misstep took place. I will leave it to you to determine whether the CrowdStrike misstep or the SolarWinds misstep was of more consequence. Neither affected me because I am a dinobaby in rural Kentucky running steam powered computers from my next generation office in a hollow.
A dinobaby is working on a blog post in rural Kentucky. This talented and attractive individual was not affected by either the SolarWinds or the CrowdStrike security misstep. A few others were not quite so fortunate. But, hey, who remembers or cares? Thanks, Microsoft Copilot. I look exactly like this. Or close enough.
Here are three statements from the article in the orange newspaper I noted:
First, I learned that:
… cyber regulations are still ‘in flux’ which ‘absolutely adds stress across the globe’ on cyber chiefs.
I am delighted to learn that those working in cyber security experience stress. I wonder, however, what about the individuals and organizations who must think about the consequences of having their systems breached. These folks pay to be secure, I believe. When that security fails, will the affected individuals worry about the “stress” on those who were supposed to prevent a minor security misstep? I know I sure worry about these experts.
Second, how about this observation by the SolarWinds’ cyber security professional?
“When you don’t have rules to follow, it’s very hard to follow them,” said Brown [the cyber security leader at SolarWinds]. “Very few security people would ever do something that wasn’t right, but you just have to tell us what’s right in order to do it,” he added.
Let’s think about this statement. To be a senior cyber security professional one has to be trained, have some cyber security certifications, and maybe some specialized in-service instruction at conferences or specific training events. Therefore, those who attend these events allegedly “learn” what rules to follow; for instance, make systems secure, conduct routine stress tests, have third party firms conduct security audits, validate the code, widgets, and APIs one uses, etc., etc. Is it realistic to assume that an elected official knows anything about security systems at a cyber security firm? As a dinobaby, my view is that these cyber wizards need to do their jobs and not wait for non-experts to give them “rules.” Make the systems secure via real work, not chatting at conferences or drinking coffee in a conference room.
And, finally, here’s another item I circled in the orange newspaper:
Brown this month joined the advisory board of Israeli crisis management firm Cytactic but said he was still committed to staying in his role at SolarWinds. “As far as the incident at SolarWinds: It happened on my watch. Was I ultimately responsible? Well, no, but it happened on my watch and I want to get it right,” he said.
Wasn’t Israel the country caught flat footed in October 2023? How does a company in Israel — presumably with staff familiar with the tools and technologies used to alert Israel of hostile actions — learn from another security professional caught flat footed? I know this is an easily dismissed question, but for a dinobaby, doesn’t one want to learn from a person who gets things right? As I said, I am old fashioned, old, and working in a log cabin on a steam powered computing device.
The reality is that egregious security breaches have taken place. The companies and their staff are responsible. Are there consequences? I am not so sure. That means the present “tell us the rules” attitude will persist. Factoid: Government regulations in the US are years behind what clever companies and their executives do. No gap closing, sorry.
Stephen E Arnold, October 3, 2024
Russian Crypto Operation: An Endgame
October 3, 2024
This essay is the work of a dumb dinobaby. No smart software required.
The US Department of the Treasury took action against PM2BTC, “a Russian virtual currency exchanger associated with Russian individual Sergey Sergeevich Ivanov (Ivanov),” identifying it as being of “primary money laundering concern” in connection with Russian illicit finance. Treasury’s news release about the multi-national action is located at this link. FOGINT has compiled a list of details about this action.
The write up says:
Today, the U.S. Department of the Treasury is undertaking actions as part of a coordinated international effort to disrupt Russian cybercrime services. Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing an order that identifies PM2BTC—a Russian virtual currency exchanger associated with Russian individual Sergey Sergeevich Ivanov (Ivanov)—as being of “primary money laundering concern” in connection with Russian illicit finance. Concurrently, the Office of Foreign Assets Control (OFAC) is sanctioning Ivanov and Cryptex—a virtual currency exchange registered in St. Vincent and the Grenadines and operating in Russia. The FinCEN and OFAC actions are being issued in conjunction with actions by other U.S. government agencies and international law enforcement partners to hold accountable Ivanov and the associated virtual currency services.
Here’s a selection of the items which may be of interest to cyber crime analysts and those who follow crypto activity.
- Two individuals were added to the sanctions list: Sergey Ivanov and Timur Shakhmametov. A reward or bounty has been offered for information leading to the arrest of these individuals. The payment could exceed US$9 million.
- The PM2BTC and Cryptex entities have worked or been associated with other crypto entities; possibly Garantex, UAPS (described as an underground payment processing service), Hydra, FerumShop, and Bitzlato.
- Among the entities working on this operation (Endgame) were Europol, Germany, Great Britain, Latvia, the Netherlands, and the US.
- In 2014, the two persons of interest wanted to set up an automated (smart) service and may have been working with PerfectMoney and Paymer.
- The activities of Messrs. Ivanov and Shakhmametov involved “carding” and other bank-related fraud.
Russian regulations provide wiggle room for certain types of financial activity not permitted in the US and countries associated with this take down.
Several observations:
- The operation was large, possibly running to billions of dollars in illegal transactions.
- The network of partners and affiliated firms illustrates the appeal of illegal crypto services.
- One method of communication used by PM2BTC was Telegram Messenger.
- “The $9 Million US reward / bounty for those two Russian crypto exchange operators wanted by US DOJ is a game changer due to the enormous reward,” Sean Brizendine, blockchain researcher told the FOGINT team.
Additional information may become available as the case moves forward in the US and Europe. FOGINT will monitor public information which appears in Russia and other countries.
Stephen E Arnold, October 3, 2024
Big Companies: Bad Guys
October 3, 2024
Just in time for the UN Summit, the International Trade Union Confederation is calling out large corporations. The Guardian reports, “Amazon, Tesla, and Meta Among World’s Top Companies Undermining Democracy—Report.” Writer Michael Sainato tells us:
“Some of the world’s largest companies have been accused of undermining democracy across the world by financially backing far-right political movements, funding and exacerbating the climate crisis, and violating trade union rights and human rights in a report published on Monday by the International Trade Union Confederation (ITUC). Amazon, Tesla, Meta, ExxonMobil, Blackstone, Vanguard and Glencore are the corporations included in the report. The companies’ lobbying arms are attempting to shape global policy at the United Nations Summit of the Future in New York City on 22 and 23 September.”
The write-up shares a few of the report’s key criticisms. It denounces Amazon, for example, for practices from union busting and low wages to sky-high carbon emissions and tax evasion. Tesla, the ITUC charges, commits human rights violations while its majority shareholder Elon Musk loudly rails against democracy itself. And, the report continues, not only has Meta severely amplified far-right propaganda and groups around the world, it actively lobbies against data privacy laws. See the write-up for more examples.
The article concludes by telling us a little about the International Trade Union Confederation:
“The ITUC includes labor group affiliates from 169 nations and territories around the world representing 191 million workers, including the AFL-CIO, the largest federation of labor unions in the US, and the Trades Union Congress in the UK. With 4 billion people around the world set to participate in elections in 2024, the federation is pushing for an international binding treaty being worked on by the Open-ended intergovernmental working group to hold transnational corporations accountable under international human rights laws.”
Holding transnational corporations accountable—is that even possible? We shall see.
Cynthia Murrell, October 3, 2024
FOGINT: New Lingo for Crypto Laundering
October 2, 2024
“Moving Bricks: Money-Laundering Practices in the Online Scam Industry” uses a number of interesting terms. These may be of value for those who monitor bad actors’ behavior when crypto payments are laundered. The terms which caught FOGINT’s attention were:
Bricks. A block of crypto to be laundered.
Channel. A “gateway” through which laundered money flows.
Frozen. A dead bank account.
Gateway. A channel through which the crypto flows.
Motorcades. Bank account providers.
Money farm. A traditional or modern money laundering operation.
Moving bricks. The business process of laundering crypto.
Pankou. Scam groups preying on money laundering businesses and individual operators.
Right buyers. Entities which would receive funds to be laundered.
Risk control risk. The friction of anti-money laundering efforts by law enforcement.
Sellers. Entities which provide accounts set up to launder crypto.
Telegram. The next-generation stock exchange, a ready-made technology platform.
Trading groups. Private groups on Telegram working in money laundering.
Trading rules. Guidelines the laundering service provider enforces.
Water house. Another term for a company which maintains and accesses bank accounts.
As we notice other terms, the FOGINT team will post them.
Stephen E Arnold, October 2, 2024
Hamster Kombat: Does It Matter?
October 2, 2024
This essay is the work of a dumb dinobaby. No smart software required.
The Fogint team pays attention to crypto plays like Hamster Kombat. Those engaged in cyber fraud investigations, analysis, and research may want to take a quick look at what is called a “click to earn” game. I was asked the question at a recent lecture to cyber fraud professionals, “Why should I care about Hamster whatever?” This free, public blog is not the place for a detailed answer. However, I am willing to share several observations offered by Coin Telegraph.
First, check out this chart. It runs from zero users in late March 2024 to a few weeks ago, and the hockey stick is what is reported: 300 million users. Anecdotal information suggests that one third may be agentic; that is, bots. And “only” 100 million are people looking to make a quick buck on a crypto play.
Note that the chart only shows growth through June 2024. The number cited above is derived by normalizing user estimates from a range of sources which the Fogint team has compiled and reviews on a daily basis.
Second, the word “game” does not convey exactly what Hamster Kombat and similar “games” offer their users. Cointelegraph.com reports that an expert named Sébastien Borget uses the phrase “play to earn games.” The question some may pose is, “What is a play to earn game?” The clicks on icons or the actions of the user generate money in the form of crypto for those who play them. The easiest way to understand the business model is to get a burner mobile phone, a pay-as-you-go SIM, a disposable email address, and the Telegram app. Search for Hamster Kombat and “play.” If you cannot figure out the interface, ask a mobile-dependent teen.
Third, this facet of Telegram is one that helps differentiate its “games” from those available on other platforms. Everything in Hamster Kombat is about revenue generation, the belief that the HMSTR coin will be increasingly valuable, and the addictive nature of clicks, buying software items from Hamster Kombat, and becoming “addicted” to or dependent upon the Open Network, a “spin off” or “spin up” from Telegram and its plumbing.
The Fogint team believes that Telegram itself will be watching how the TON blockchain handles validation more closely than it watches the fate of Pavel Durov (Telegram’s founder, who is possibly enjoying the ministrations of the French bureaucracy). This process is not going to be explained in this blog post, but for those who are curious, just email benkent2020 at yahoo dot and a Fogint professional will respond with options for getting more information about what is likely to be a significant digital fraud event in 2025. “INDOAX Exchange, the first exchange to list Hamster Kombat coin, does not allow US residents to open accounts,” Sean Brizendine, blockchain researcher, told the FOGINT team.
When this post becomes public, the mining of HMSTR coins will be underway. Hamster Kombat is a combination of old-fashioned online games, crypto mining, and human enthusiasm to get rich quick. And what does one need to join in the craze? The Telegram application and the mini app Hamster Kombat.
Stephen E Arnold, October 2, 2024
Phishing and Deepfakes Threaten to Overwhelm Cybersecurity Teams
October 2, 2024
Cybersecurity experts are not so worried about an impending takeover by sentient AI. Instead, they are more concerned with the very real, very human bad actors wielding AI tools. BetaNews points to a recent report from Team 8 as it reveals, “Phishing and Deepfakes Are Leading AI-Powered Threats.” Writer Ian Barker summarizes:
“A new survey of cybersecurity professionals finds that 75 percent of respondents think phishing attacks pose the greatest AI-powered threat to their organization, while 56 percent say deepfake enhanced fraud (voice or video) poses the greatest threat.
The study from Team 8, carried out at its annual CISO [Chief Information Security Officer] Summit, also finds that lack of expertise (58 percent) and balancing security with usability (56 percent) are the two main challenges organizations face when defending AI systems.
In order to address the threats, 41 percent of CISOs expect to explore purchasing solutions for managing the AI development lifecycle within the next one to two years. Additionally, many CISOs are prioritizing solutions for third-party AI application data privacy (36 percent) and tools to discover and map shadow AI usage (33 percent).
CISOs identify several critical data security concerns that currently lack adequate solutions — insider threats and next-gen DLP (65 percent), third-party risk management (46 percent), AI application security (43 percent), human identity management (40 percent), and security executive dashboards (40 percent).”
The survey also found over half the respondents are losing sleep over liability. Nearly a third have acted to limit their personal risk by consulting attorneys, upping their insurance coverage, or tweaking their contracts. It seems pressure from higher-ups may be contributing to their unease: 54% reported increased scrutiny from their superiors alongside larger budgets and widening scopes of work. Team8 managing partner Amir Zilberstein emphasizes the importance of taking care of one’s CISOs: They will need all their wits about them to navigate a cybersecurity landscape that is rapidly shifting beneath their feet.
Cynthia Murrell, October 2, 2024
Smart Software Project Road Blocks: An Up-to-the-Minute Report
October 1, 2024
This essay is the work of a dumb dinobaby. No smart software required.
I worked through a 22-page report by SQREAM, a next-gen data services outfit with GPUs. (You can learn more about the company at this buzzword dense link.) The title of the report is:
The report is a marketing document, but it contains some thought provoking content. The “report” was “administered online by Global Surveyz [sic] Research, an independent global research firm.” The explanation of the methodology was brief, but I don’t want to drag anyone through the basics of Statistics 101. As I recall, few cared and were often good customers for my class notes.
Here are three highlights:
- Smart software and services cause sticker shock.
- Cloud spending by the survey sample is going up.
- And the killer statement: 98 percent of the machine learning projects fail.
Let’s take a closer look at the astounding assertion about the 98 percent failure rate.
The stage is set in the section “Top Challenges Pertaining to Machine Learning / Data Analytics.” The report says:
It is therefore no surprise that companies consider the high costs involved in ML experimentation to be the primary disadvantage of ML/data analytics today (41%), followed by the unsatisfactory speed of this process (32%), too much time required by teams (14%) and poor data quality (13%).
The conclusion the authors of the report draw is that companies should hire SQREAM. That’s okay, no surprise because SQREAM ginned up the study and hired a firm to create an objective report, of course.
So money is the Number One issue.
Why do machine learning projects fail? We know the answer: Resources or money. The write up presents as fact:
The top contributing factor to ML project failures in 2023 was insufficient budget (29%), which is consistent with previous findings – including the fact that “budget” is the top challenge in handling and analyzing data at scale, that more than two-thirds of companies experience “bill shock” around their data analytics processes at least quarterly if not more frequently, that the total cost of analytics is the aspect companies are most dissatisfied with when it comes to their data stack (Figure 4), and that companies consider the high costs involved in ML experimentation to be the primary disadvantage of ML/data analytics today.
I appreciated the inclusion of the costs of data “transformation.” Glib smart software wizards push aside the hassle of normalizing data so the “real” work can get done. Unfortunately, the costs of fixing up source data are often another cause of “sticker shock.” The report says:
Data is typically inaccessible and not ‘workable’ unless it goes through a certain level of transformation. In fact, since different departments within an organization have different needs, it is not uncommon for the same data to be prepared in various ways. Data preparation pipelines are therefore the foundation of data analytics and ML….
In the final pages of the report a number of graphs appear. Here’s one that stopped me in my tracks:
The sample contained 62 percent users of Amazon Web Services. Number 2 was users of Google Cloud at 23 percent. And in third place, quite surprisingly, was Microsoft Azure at 14 percent, tied with Oracle. A question which occurred to me is: “Perhaps the focus on sticker shock is a reflection of Amazon’s pricing, not just people and overhead functions?”
I will have to wait until more data becomes available to me to determine if the AWS skew and the report findings are normal or outliers.
Stephen E Arnold, October 1, 2024
FOGINT: Telegram Changes Its Tune
October 1, 2024
This essay is the work of a dumb dinobaby. No smart software required.
Editor note: The term Fogint is a way for us to identify information about online services which obfuscate or mask in some way some online activities. The idea is that end-to-end encryption, devices modified to disguise Internet identifiers, and specialized “tunnels” like those associated with the US MILNET methods lay down “fog”. A third party, even one properly authorized by a governmental entity, is denied lawful intercept, access, or monitoring of the obfuscated messages. Here’s a Fogint story with the poster boy for specialized messaging, Pavel Durov.
Coindesk’s September 23, 2024, article “Telegram to Provide More User Data to Governments After CEO’s Arrest” reports:
Messaging app Telegram made significant changes to its terms of service, chief executive officer Pavel Durov said in a post on the app on Monday. The app’s privacy conditions now state that Telegram will now share a user’s IP address and phone number with judicial authorities in cases where criminal conduct is being investigated.
Usually described as a messaging application, Telegram is linked to a crypto coin called TON or TONcoin. Furthermore, Telegram — if one looks at the entity from 30,000 feet — consists of a distributed organization engaged in messaging, a foundation, and a recent “society” or “social” service. Among the more interesting precepts of Telegram and its founder is a commitment to free speech and a desire to avoid being told what to do.
Art generated by the MSFT Copilot service. Good enough, MSFT.
After being detained in France, Mr. Durov has made several changes in the way in which he talks about Telegram and its precepts. In a striking shift, Mr. Durov, according to Coindesk:
said that “establishing the right balance between privacy and security is not easy,” in a post on the app. Earlier this month, Telegram blocked users from uploading new media in an effort to stop bots and scammers.
Telegram had a feature which allowed a user of the application to locate other users nearby. This feature has been disabled. One use of this feature was its ability to locate a person offering personal services on Telegram via one of its functions. A person interested in the service could use the “nearby” function and pinpoint where the individual offering the service was located. Creative Telegram users could put this feature to a number of interesting uses; for example, purchasing an illegal substance.
Why is Mr. Durov abandoning his policy of ignoring some or most requests from law enforcement seeking to identify a suspect? Why is Mr. Durov eliminating the nearby function? Why is Mr. Durov expressing a new desire to cooperate with investigators and other government authority?
The answer is simple. Once in the custody of the French authorities, Mr. Durov learned of the penalties for breaking French law. Mr. Durov’s upscale Parisian lawyer converted the French legal talk into some easy to understand concepts. Now Mr. Durov has evaluated his position and is taking steps to avoid further difficulties with the French authorities. Mr. Durov’s advisors probably characterized the incarceration options available to the French government; for example, even though Devil’s Island is no longer operational, the Centre Pénitentiaire de Rémire-Montjoly, near Cayenne in French Guiana, moves Mr. Durov further from his operational comfort zone in the Russian Federation and the United Arab Emirates.
The Fogint team does not believe Mr. Durov has changed his core values. He is being rational and using cooperation as a tactic to avoid creating additional friction with the French authorities.
Stephen E Arnold, October 1, 2024
Surveillance Watch Maps the Surveillance App Ecosystem
October 1, 2024
Here is an interesting resource: Surveillance Watch compiles information about surveillance tech firms, organizations that fund them, and the regions in which they are said to operate. The lists, compiled from contributions by visitors to the site, are not comprehensive. But they are full of useful information. The About page states:
“Surveillance technology and spyware are being used to target and suppress journalists, dissidents, and human rights advocates everywhere. Surveillance Watch is an interactive map that documents the hidden connections within the opaque surveillance industry. Founded by privacy advocates, most of whom were personally harmed by surveillance tech, our mission is to shed light on the companies profiting from this exploitation with significant risk to our lives. By mapping out the intricate web of surveillance companies, their subsidiaries, partners, and financial backers, we hope to expose the enablers fueling this industry’s extensive rights violations, ensuring they cannot evade accountability for being complicit in this abuse. Surveillance Watch is a community-driven initiative, and we rely on submissions from individuals passionate about protecting privacy and human rights.”
Yes, the site makes it easy to contribute information to its roundup. Anonymously, if one desires. The site’s information is divided into three alphabetical lists: Surveilling Entities, Known Targets, and Funding Organizations. As an example, here is what the service says about safeXai (formerly Banjo):
“safeXai is the entity that has quietly resumed the operations of Banjo, a digital surveillance company whose founder, Damien Patton, was a former Ku Klux Klan member who’d participated in a 1990 drive-by shooting of a synagogue near Nashville, Tennessee. Banjo developed real-time surveillance technology that monitored social media, traffic cameras, satellites, and other sources to detect and report on events as they unfolded. In Utah, Banjo’s technology was used by law enforcement agencies.”
We notice there are no substantive links which could have been included, like ones to footage of the safeXai surveillance video service or the firm’s remarkable body of patents. In our view, these patents represent an X-ray look at what most firms call artificial intelligence.
A few other names we recognize are IBM, Palantir, and Pegasus owner NSO Group. See the site for many more. The Known Targets page lists countries that, when clicked, list surveilling entities known or believed to be operating there. Entries on the Funding Organizations page include a brief description of each organization with a clickable list of surveillance apps it is known or believed to fund at the bottom. It is not clear how the site vets its entries, but the submission form does include boxes for supporting URL(s) and any files to upload. It also asks whether one consents to be contacted for more information.
Cynthia Murrell, October 1, 2024
Open Source Versus Commercial Software. The Result? A Hybrid Which Neither Parent May Love
September 30, 2024
This essay is the work of a dumb dinobaby. No smart software required.
I have been down the open source trail a couple of times. The journey was pretty crazy because open source was software created to fulfill a computer science class requirement, a way to provide some “here’s what I can do” vibes to a résumé when résumés were anchored to someone’s reality, and “play” that would get code adopted so those in the know could sell services like engineering support, customizing, optimizing, and “making it mostly work.” In this fruit cake, were licenses, VCs, lone-wolves, and a few people creating something useful for a “community” which might or might not “support” the effort. Flip enough open source rocks and one finds some fascinating beasts like IBM, Microsoft, and other giant technology outfits.
Some hybrids work; others do not. Thanks, MSFT Copilot, good enough.
Today I learned there is now a hybrid of open source and proprietary (commercial) software. The article “Some Startups Are Going Fair Source to Avoid the Pitfalls of Open Source Licensing” states:
The fair source concept is designed to help companies align themselves with the “open” software development sphere, without encroaching into existing licensing landscapes, be that open source, open core, or source-available, and while avoiding any negative associations that exist with “proprietary.” However, fair source is also a response to the growing sense that open source isn’t working out commercially.
Okay. I think “not working out commercially” is “real news” speak for “You can’t make enough money to become a Silicon Type mogul.” The write up adds:
Businesses that have flown the open source flag have mostly retreated to protect their hard work, moving either from fully permissive to a more restrictive “copyleft” license, as the likes of Element did last year and Grafana before it, or ditched open source altogether as HashiCorp did with Terraform.
These are significant developments. What about companies which have built substantial businesses surfing on open source software and have not been giving back in equal measure to the “community”? My hunch is that many start ups use the open source card as a way to get some marketing wind in their tiny sails. Other outfits just cobble together a number of open source software components and assemble a new and revolutionary product. The savings come from avoiding the expense of developing an original solution and using open source software to build what becomes a proprietary system. The origins of some software are either ignored by some firms or lost in the haze of employee turnover. After all, who remembers? A number of intelware companies which offer specialized services to government agencies incorporate some open source software and use their low profile or operational secrecy to mask what their often expensive products provide to a government entity.
The write up notes:
For now, the main recommended fair source license is the Functional Source License (FSL), which Sentry itself launched last year as a simpler alternative to BUSL. However, BUSL itself has also now been designated fair source, as has another new Sentry-created license called the Fair Core License (FCL), both of which are included to support the needs of different projects. Companies are welcome to submit their own license for consideration, though all fair source licenses should have three core stipulations: It [the code] should be publicly available to read; allow third parties to use, modify, and redistribute with “minimal restrictions”; and have a delayed open source publication (DOSP) stipulation, meaning it converts to a true open source license after a predefined period of time. With Sentry’s FSL license, that period is two years; for BUSL, the default period is four years. The concept of “delaying” publication of source code under a true open source license is a key defining element of a fair source license, separating it from other models such as open core. The DOSP protects a company’s commercial interests in the short term, before the code becomes fully open source.
My reaction is that lawyers will delight in litigating such notions as “minimal restrictions.” The cited article correctly in my opinion says:
Much is open to interpretation and can be “legally fuzzy.”
Is a revolution in software licensing underway?
Some hybrids live; others die.
Stephen E Arnold, September 30, 2024