License? about dejavu HOT 6 CLOSED

Thanks @bhdresh for adding a license.

I also agree with @anantshri that the lack of code in the repository is a serious red flag. It will prevent contributions and does not fall in line with the expectancy people have when something is claimed to be open source (like in README.md).

I think the discussion raised by Anant is fair and might be worth to be considered within your project team. A security solution should not be relying on secrecy. For the success of the project, it may also help if the code is available. This way people can learn about it, contribute, fork, etc.

from dejavu.

Thanks for reviewing the tool. We have added the licence information.

Please let us know if any other information is required.

from dejavu.

@mboelen i would argue that the code itself is not opensource. I had a quick chat with author's during arsenal and they claimed its available you can do whatever you want fork or update but the github repository is empty with no code at all.
the claim is that

1. since there are multiple setup steps required hence ova is only format which we will distribute.
2. we don't want to take an any contributions and we will maintain code on our own hence no point pushing it out. This was in response when i suggested if they open code to public they can get contributions.
3. the other claim is opening the code will defeat the purpose of deception as everyone will know about how code works.

putting this out here coz this seems to be the only place where discussion might take place

Note: I am yet to evaluate the actual file its 1.79GB zip with 5.56GB VDI inside.

from dejavu.

@anantshri, thank you for your comments, would like clarify few points,

Open source does not mean having code in a specific format or package, as long as the code is public it is considered open source. In case of Dejavu source code is available within image itself.

We have got many great feedback/suggestions during Blackhat and Defcon and would implement those in coming days, one of them was to come up with documentation to provide better understanding of the code structure and check feasibility to release code as package.

Secondly, we will also open a Trello/Slack channel for collaboration, until that time please feel free to reach us on [email protected] or [email protected] if you have any suggestions/feedback/update.

It seems there is some misunderstanding about point 3, we don't see opening code as a risk to deception capabilities + code is already available on the disk anyway.

Having said that, we see this as a journey to make Dejavu a comprehensive open source deception platform and committed to make necessary changes as we go.

Hope this has helped, kindly feel free to reach us if you have any further query or suggestions.

Thanks a lot.

Regards,
-Bhadresh

from dejavu.

@mboelen, thank you for your comments, absolutely agree with what you are highlighting, in coming days, we will be working on documentation to provide better understanding of the code structure and check feasibility to release code as package.

Also, would like to emphasis that project is open source and we don't see opening source code as a risk to Dejavu's deception capabilities.

from dejavu.

Thanks for clarifying @bhdresh - Issue can be closed for me.

from dejavu.