OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Re: [cti] versioning

    Posted 02-12-2016 03:10
      |   view attached






    Although I suspect I'm banned from using the term Timestamp for at least a year ;-)  




    ...Here's an interesting concept to consider:




    {from:1388534400000,to:9223372036854775807}





    http://iansrobinson.com/2014/05/13/time-based-versioned-graphs/






    Note:  Ian Robison uses uses epoch time in this example, so that may buy me some cover ;-)







    Patrick Maroney
    Office:  (856)983-0001
    Cell:      (609)841-5104






    President
    Integrated Networking Technologies, Inc.
    PO Box 569
    Marlton, NJ 08053









    From: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > on behalf of Bret Jordan < bret.jordan@bluecoat.com >
    Date: Thursday, February 11, 2016 at 7:48 PM
    To: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: [cti] versioning





    What would people think about a versioning concept where each TLO had a "serial_number" field that was of type integer.  And every object that gets created by a producer will start with serial_number "1".  Then as they update the TLO, the producer will just
    incase the serial_number.  


    I want to get the discussion started as I know some have very strong opinions on how it should work.  But I also think, that with some good back and forth dialog, and some "coming to middle ground" we could solve this pretty quickly.  











    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 


















  • 2.  Re: [cti] versioning

    Posted 02-15-2016 13:30
      |   view attached
    Question - who is "allowed" to revision an object? Can only the originator revision, or can anyone? I presume that many people assume that only the originator can revision an object - if that is so we should call this out explicitly. The current STIX versioning description ( http://stixproject.github.io/documentation/concepts/versioning/ ) implies that anyone can version an object so long as it is "sufficiently unchanged". I think that will lead to a lot of confusion if anyone can revision an object. On the other hand, if we want to get to the world of widespread object re-use and non-duplication, then third parties have to be able to revision objects. But what if I want to be the authoritative source? Should there be an attribute like "versioning_allowed" ? I am just spitballing. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown Patrick Maroney ---02/11/2016 11:10:17 PM---Although I suspect I'm banned from using the term Timestamp for at least a year ;-) ...Here's an int From: Patrick Maroney <Pmaroney@Specere.org> To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Date: 02/11/2016 11:10 PM Subject: Re: [cti] versioning Sent by: <cti@lists.oasis-open.org> Although I suspect I'm banned from using the term Timestamp for at least a year ;-) ...Here's an interesting concept to consider: {from:1388534400000,to:9223372036854775807} http://iansrobinson.com/2014/05/13/time-based-versioned-graphs/ Note: Ian Robison uses uses epoch time in this example, so that may buy me some cover ;-) Patrick Maroney Office: (856)983-0001 Cell: (609)841-5104 President Integrated Networking Technologies, Inc. PO Box 569 Marlton, NJ 08053 From: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > on behalf of Bret Jordan < bret.jordan@bluecoat.com > Date: Thursday, February 11, 2016 at 7:48 PM To: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject: [cti] versioning What would people think about a versioning concept where each TLO had a "serial_number" field that was of type integer. And every object that gets created by a producer will start with serial_number "1". Then as they update the TLO, the producer will just incase the serial_number. I want to get the discussion started as I know some have very strong opinions on how it should work. But I also think, that with some good back and forth dialog, and some "coming to middle ground" we could solve this pretty quickly. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


  • 3.  Re: [cti] versioning

    Posted 02-15-2016 13:46
      |   view attached




    I agree that it would cause a lot of confusion if anyone can revision an object.   Also, I think anyone should be able to provide suggested revisions to any object.



    More spitballing.    Scenarios



    scenario 1:   Originator
    discovery  of new information that results in revision /revocation


    scenario 2:  Non-or iginator references  previously shared information that

    - provides additional information on that topic including identification of errors.?

    - indicates they are requesting revocation (from the originator)



    ?Then the Originator revises or revokes  previously shared information based on non-originator feedback
     – and includes referenc es   to  the non-originator’s input.   This assumes that the originator is and remains the  authoritative  source.
     If the Originator does not maintain their own material in the face of a lot of input from others, then in some Darwinian fashion, someone else will take over as a new Originator of a new object, I guess.


    Pam Smith
    JHU/APL




    From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
    Sent: Monday, February 15, 2016 8:29 AM
    To: Patrick Maroney
    Cc: Jordan, Bret; cti@lists.oasis-open.org
    Subject: Re: [cti] versioning
     


    Question - who is "allowed" to revision an object? Can only the originator revision, or can anyone?


    I presume that many people assume that only the originator can revision an object - if that is so we should call this out explicitly. The current STIX versioning description ( http://stixproject.github.io/documentation/concepts/versioning/
    ) implies that anyone can version an object so long as it is "sufficiently unchanged". I think that will lead to a lot of confusion if anyone can revision an object.


    On the other hand, if we want to get to the world of widespread object re-use and non-duplication, then third parties have to be able to revision objects. But what if I want to be the authoritative source? Should there be an attribute like "versioning_allowed"
    ?

    I am just spitballing.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown


    Patrick
    Maroney ---02/11/2016 11:10:17 PM---Although I suspect I'm banned from using the term Timestamp for at least a year ;-) ...Here's an int

    From: Patrick Maroney <Pmaroney@Specere.org>
    To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    Date: 02/11/2016 11:10 PM
    Subject: Re: [cti] versioning
    Sent by: <cti@lists.oasis-open.org>





    Although I suspect I'm banned from using the term Timestamp for at least a year ;-)


    ...Here's an interesting concept to consider:


    {from:1388534400000,to:9223372036854775807}



    http://iansrobinson.com/2014/05/13/time-based-versioned-graphs/



    Note: Ian Robison uses uses epoch time in this example, so that may buy me some cover ;-)


    Patrick Maroney
    Office: (856)983-0001
    Cell: (609)841-5104



    President
    Integrated Networking Technologies, Inc.
    PO Box 569
    Marlton, NJ 08053

    From: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    on behalf of Bret Jordan < bret.jordan@bluecoat.com >
    Date: Thursday, February 11, 2016 at 7:48 PM
    To: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: [cti] versioning

    What would people think about a versioning concept where each TLO had a "serial_number" field that was of type integer. And every object that gets created by a producer will start with serial_number "1". Then as they update the
    TLO, the producer will just incase the serial_number.

    I want to get the discussion started as I know some have very strong opinions on how it should work. But I also think, that with some good back and forth dialog, and some "coming to middle ground" we could solve this pretty quickly.



    Thanks,

    Bret



    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."












  • 4.  Re: [cti] versioning

    Posted 02-15-2016 14:14
      |   view attached




    If we want the community collaborating on intelligence, then we need to either allow for suggesting of updates to the original object, some sort of derived intelligence relationship, or both.


    I am a fan of both approaches. Only the author can revision the original document. However, anyone else can create a new object with a relationship between the new and old objects and the type of “suggested-update”. A suggested-update could include revised
    facts or even a recommendation for revocation. 


    As for Bret’s original question, I am trying to figure out if this replaces a revision field, or is this in combination with one?


    Aharon








    From: < cti@lists.oasis-open.org > on behalf of "Smith, Pamela A." < Pam.Smith@jhuapl.edu >
    Date: Monday, February 15, 2016 at 8:45 AM
    To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >, Patrick Maroney < Pmaroney@Specere.org >
    Cc: "Jordan, Bret" < bret.jordan@bluecoat.com >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] versioning






    I agree that it would cause a lot of confusion if anyone can revision an object.   Also, I think anyone should be able to provide suggested revisions to any object.



    More spitballing.    Scenarios



    scenario 1:   Originator
    discovery  of new information that results in revision /revocation


    scenario 2:  Non-or iginator references  previously shared information that

    - provides additional information on that topic including identification of errors.?

    - indicates they are requesting revocation (from the originator)



    ?Then the Originator revises or revokes  previously shared information based on non-originator feedback
     – and includes referenc es   to  the non-originator’s input.   This assumes that the originator is and remains the  authoritative  source.
     If the Originator does not maintain their own material in the face of a lot of input from others, then in some Darwinian fashion, someone else will take over as a new Originator of a new object, I guess.


    Pam Smith
    JHU/APL




    From:
    cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Jason Keirstead < Jason.Keirstead@ca.ibm.com >
    Sent: Monday, February 15, 2016 8:29 AM
    To: Patrick Maroney
    Cc: Jordan, Bret; cti@lists.oasis-open.org
    Subject: Re: [cti] versioning
     


    Question - who is "allowed" to revision an object? Can only the originator revision, or can anyone?


    I presume that many people assume that only the originator can revision an object - if that is so we should call this out explicitly. The current STIX versioning description ( http://stixproject.github.io/documentation/concepts/versioning/
    ) implies that anyone can version an object so long as it is "sufficiently unchanged". I think that will lead to a lot of confusion if anyone can revision an object.


    On the other hand, if we want to get to the world of widespread object re-use and non-duplication, then third parties have to be able to revision objects. But what if I want to be the authoritative source? Should there be an attribute like "versioning_allowed"
    ?

    I am just spitballing.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown


    Patrick
    Maroney ---02/11/2016 11:10:17 PM---Although I suspect I'm banned from using the term Timestamp for at least a year ;-) ...Here's an int

    From: Patrick Maroney < Pmaroney@Specere.org >
    To: "Jordan, Bret" < bret.jordan@bluecoat.com >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Date: 02/11/2016 11:10 PM
    Subject: Re: [cti] versioning
    Sent by: < cti@lists.oasis-open.org >





    Although I suspect I'm banned from using the term Timestamp for at least a year ;-)


    ...Here's an interesting concept to consider:


    {from:1388534400000,to:9223372036854775807}



    http://iansrobinson.com/2014/05/13/time-based-versioned-graphs/



    Note: Ian Robison uses uses epoch time in this example, so that may buy me some cover ;-)


    Patrick Maroney
    Office: (856)983-0001
    Cell: (609)841-5104



    President
    Integrated Networking Technologies, Inc.
    PO Box 569
    Marlton, NJ 08053

    From: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    on behalf of Bret Jordan < bret.jordan@bluecoat.com >
    Date: Thursday, February 11, 2016 at 7:48 PM
    To: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: [cti] versioning

    What would people think about a versioning concept where each TLO had a "serial_number" field that was of type integer. And every object that gets created by a producer will start with serial_number "1". Then as they update the
    TLO, the producer will just incase the serial_number.

    I want to get the discussion started as I know some have very strong opinions on how it should work. But I also think, that with some good back and forth dialog, and some "coming to middle ground" we could solve this pretty quickly.



    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."















  • 5.  Re: [cti] versioning

    Posted 02-18-2016 01:54
    Aharon Chernin wrote this message on Mon, Feb 15, 2016 at 14:13 +0000: > If we want the community collaborating on intelligence, then we need to either allow for suggesting of updates to the original object, some sort of derived intelligence relationship, or both. > > I am a fan of both approaches. Only the author can revision the original document. However, anyone else can create a new object with a relationship between the new and old objects and the type of “suggested-update”. A suggested-update could include revised facts or even a recommendation for revocation. I like the idea of suggested-update. We should add an optional field to the information-source object that provides a URL that someone can submit updates too. If we don't, then it becomes harder to share information. Obviously, it could become a spam trap, but if the org says, only signed suggestions are allowed, and maybe some mechanism for proving your signature isn't a spam bot, this could be a powerful feature... -- John-Mark


  • 6.  Re: [cti] versioning

    Posted 02-18-2016 05:38
    Some may want feedback and others may not.  We have talked about adding a URL fields in the information source object so that you could lookup their TAXII server in DNS.  Just FYI. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Feb 17, 2016, at 18:53, John-Mark Gurney < jmg@newcontext.com > wrote: Aharon Chernin wrote this message on Mon, Feb 15, 2016 at 14:13 +0000: If we want the community collaborating on intelligence, then we need to either allow for suggesting of updates to the original object, some sort of derived intelligence relationship, or both. I am a fan of both approaches. Only the author can revision the original document. However, anyone else can create a new object with a relationship between the new and old objects and the type of “suggested-update”. A suggested-update could include revised facts or even a recommendation for revocation. I like the idea of suggested-update.  We should add an optional field to the information-source object that provides a URL that someone can submit updates too.  If we don't, then it becomes harder to share information. Obviously, it could become a spam trap, but if the org says, only signed suggestions are allowed, and maybe some mechanism for proving your signature isn't a spam bot, this could be a powerful feature... -- John-Mark --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 7.  Re: [cti] versioning

    Posted 02-15-2016 18:23
    These are great work flow examples.  We need to enable valid work flows, but we need to be careful that we do not enable bad behavior that will make parsing and organizing the data hard.   Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Feb 15, 2016, at 06:45, Smith, Pamela A. < Pam.Smith@jhuapl.edu > wrote: I agree that it would cause a lot of confusion if anyone can revision an object.   Also, I think anyone should be able to provide suggested revisions to any object. More spitballing.    Scenarios scenario 1:   Originator   discovery  of new information that results in revision /revocation scenario 2:  Non-or iginator references  previously shared information that - provides additional information on that topic including identification of errors.? - indicates they are requesting revocation (from the originator) ?Then the Originator revises or revokes  previously shared information based on non-originator feedback    – and includes referenc es   to  the non-originator’s input.   This assumes that the originator is and remains the  authoritative  source.  If the Originator does not maintain their own material in the face of a lot of input from others, then in some Darwinian fashion, someone else will take over as a new Originator of a new object, I guess. Pam Smith JHU/APL From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org > on behalf of Jason Keirstead < Jason.Keirstead@ca.ibm.com > Sent:   Monday, February 15, 2016 8:29 AM To:   Patrick Maroney Cc:   Jordan, Bret;   cti@lists.oasis-open.org Subject:   Re: [cti] versioning   Question - who is allowed to revision an object? Can only the originator revision, or can anyone?   I presume that many people assume that only the originator can revision an object - if that is so we should call this out explicitly. The current STIX versioning description ( http://stixproject.github.io/documentation/concepts/versioning/   ) implies that anyone can version an object so long as it is sufficiently unchanged . I think that will lead to a lot of confusion if anyone can revision an object.   On the other hand, if we want to get to the world of widespread object re-use and non-duplication, then third parties have to be able to revision objects. But what if I want to be the authoritative source? Should there be an attribute like versioning_allowed ? I am just spitballing. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security     www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown   <graycol.gif> Patrick Maroney ---02/11/2016 11:10:17 PM---Although I suspect I'm banned from using the term Timestamp for at least a year ;-) ...Here's an int From:   Patrick Maroney < Pmaroney@Specere.org > To:   Jordan, Bret < bret.jordan@bluecoat.com >, cti@lists.oasis-open.org < cti@lists.oasis-open.org > Date:   02/11/2016 11:10 PM Subject:   Re: [cti] versioning Sent by:   < cti@lists.oasis-open.org > Although I suspect I'm banned from using the term Timestamp for at least a year ;-)   ...Here's an interesting concept to consider: {from:1388534400000,to:9223372036854775807} http://iansrobinson.com/2014/05/13/time-based-versioned-graphs/ Note: Ian Robison uses uses epoch time in this example, so that may buy me some cover ;-) Patrick Maroney Office: (856)983-0001 Cell: (609)841-5104 <0C160672.gif> President Integrated Networking Technologies, Inc. PO Box 569 Marlton, NJ 08053 From:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Bret Jordan < bret.jordan@bluecoat.com > Date:   Thursday, February 11, 2016 at 7:48 PM To:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   [cti] versioning What would people think about a versioning concept where each TLO had a serial_number field that was of type integer. And every object that gets created by a producer will start with serial_number 1 . Then as they update the TLO, the producer will just incase the serial_number.   I want to get the discussion started as I know some have very strong opinions on how it should work. But I also think, that with some good back and forth dialog, and some coming to middle ground we could solve this pretty quickly.   Thanks, Bret Bret Jordan CISSP   Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 8.  Re: [cti] versioning

    Posted 02-15-2016 20:09




    FWIW versioning would be a great scenario to try to build a reference implementation on top of. If we want to make sure it works, as with patterning and data markings, I think we have to. Preferably we’d have two independently developed prototypes and
    have them exchange versioned content following the use cases that Pam outlines below.


    John








    From: < cti@lists.oasis-open.org > on behalf of "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Monday, February 15, 2016 at 1:23 PM
    To: pam smith < Pam.Smith@jhuapl.edu >
    Cc: Jason Keirstead < Jason.Keirstead@ca.ibm.com >, Patrick Maroney < Pmaroney@Specere.org >, " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    Subject: Re: [cti] versioning





    These are great work flow examples.  We need to enable valid work flows, but we need to be careful that we do not enable bad behavior that will make parsing and organizing the data hard.  











    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Feb 15, 2016, at 06:45, Smith, Pamela A. < Pam.Smith@jhuapl.edu > wrote:





    I agree that it would cause a lot of confusion if anyone can revision an object.   Also, I think anyone should be able to provide suggested revisions to any object.





    More spitballing.    Scenarios





    scenario 1:   Originator   discovery  of
    new information that results in revision /revocation




    scenario 2:  Non-or iginator references  previously shared information that

    - provides additional information on that topic including identification of errors.?

    - indicates they are requesting revocation (from the originator)



    ?Then
    the Originator revises or revokes  previously
    shared information based on non-originator feedback    –
    and includes referenc es   to
     the non-originator’s input.   This assumes that the originator is and remains the  authoritative  source.
     If the Originator does not maintain their own material in the face of a lot of input from others, then in some Darwinian fashion, someone else will take over as a new Originator of a new object, I guess.




    Pam Smith

    JHU/APL




    From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >
    on behalf of Jason Keirstead < Jason.Keirstead@ca.ibm.com >
    Sent:   Monday, February 15, 2016 8:29 AM
    To:   Patrick Maroney
    Cc:   Jordan, Bret;   cti@lists.oasis-open.org
    Subject:   Re: [cti] versioning
     


    Question - who is "allowed" to revision an object? Can only the originator revision, or can anyone?  

    I presume that many people assume that only the originator can revision an object - if that is so we should call this out explicitly. The current STIX versioning description ( http://stixproject.github.io/documentation/concepts/versioning/   )
    implies that anyone can version an object so long as it is "sufficiently unchanged". I think that will lead to a lot of confusion if anyone can revision an object.  

    On the other hand, if we want to get to the world of widespread object re-use and non-duplication, then third parties have to be able to revision objects. But what if I want to be the authoritative source? Should there be an attribute like "versioning_allowed"
    ?

    I am just spitballing.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security     www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown  


    <graycol.gif> Patrick Maroney ---02/11/2016 11:10:17 PM---Although I suspect I'm banned from using the term Timestamp for at least a year ;-) ...Here's an int

    From:   Patrick Maroney < Pmaroney@Specere.org >
    To:   "Jordan, Bret" < bret.jordan@bluecoat.com >, " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    Date:   02/11/2016 11:10 PM
    Subject:   Re: [cti] versioning
    Sent by:   < cti@lists.oasis-open.org >





    Although I suspect I'm banned from using the term Timestamp for at least a year ;-)  

    ...Here's an interesting concept to consider:


    {from:1388534400000,to:9223372036854775807}



    http://iansrobinson.com/2014/05/13/time-based-versioned-graphs/



    Note: Ian Robison uses uses epoch time in this example, so that may buy me some cover ;-)


    Patrick Maroney
    Office: (856)983-0001
    Cell: (609)841-5104

    <0C160672.gif>

    President
    Integrated Networking Technologies, Inc.
    PO Box 569
    Marlton, NJ 08053

    From:   " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org > on behalf of Bret Jordan < bret.jordan@bluecoat.com >
    Date:   Thursday, February 11, 2016 at 7:48 PM
    To:   " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    Subject:   [cti] versioning

    What would people think about a versioning concept where each TLO had a "serial_number" field that was of type integer. And every object that gets created by a producer will start with serial_number "1". Then as they update
    the TLO, the producer will just incase the serial_number.  

    I want to get the discussion started as I know some have very strong opinions on how it should work. But I also think, that with some good back and forth dialog, and some "coming to middle ground" we could solve this pretty
    quickly.  


    Thanks,

    Bret



    Bret Jordan CISSP  
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."  


















  • 9.  Re: [cti] versioning

    Posted 02-15-2016 21:46



    I think this is a brilliant idea.  


    Bret 

    Sent from my Commodore 64

    On Feb 15, 2016, at 1:09 PM, Wunder, John A. < jwunder@mitre.org > wrote:





    FWIW versioning would be a great scenario to try to build a reference implementation on top of. If we want to make sure it works, as with patterning and data markings, I think we have to. Preferably we’d have two independently developed prototypes and
    have them exchange versioned content following the use cases that Pam outlines below.


    John








    From: < cti@lists.oasis-open.org > on behalf of "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Monday, February 15, 2016 at 1:23 PM
    To: pam smith < Pam.Smith@jhuapl.edu >
    Cc: Jason Keirstead < Jason.Keirstead@ca.ibm.com >, Patrick Maroney < Pmaroney@Specere.org >, " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    Subject: Re: [cti] versioning





    These are great work flow examples.  We need to enable valid work flows, but we need to be careful that we do not enable bad behavior that will make parsing and organizing the data hard.  











    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Feb 15, 2016, at 06:45, Smith, Pamela A. < Pam.Smith@jhuapl.edu > wrote:





    I agree that it would cause a lot of confusion if anyone can revision an object.   Also, I think anyone should be able to provide suggested revisions to any object.





    More spitballing.    Scenarios





    scenario 1:   Originator   discovery  of
    new information that results in revision /revocation




    scenario 2:  Non-or iginator references  previously shared information that

    - provides additional information on that topic including identification of errors.?

    - indicates they are requesting revocation (from the originator)



    ?Then
    the Originator revises or revokes  previously
    shared information based on non-originator feedback    –
    and includes referenc es   to
     the non-originator’s input.   This assumes that the originator is and remains the  authoritative  source.
     If the Originator does not maintain their own material in the face of a lot of input from others, then in some Darwinian fashion, someone else will take over as a new Originator of a new object, I guess.




    Pam Smith

    JHU/APL




    From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >
    on behalf of Jason Keirstead < Jason.Keirstead@ca.ibm.com >
    Sent:   Monday, February 15, 2016 8:29 AM
    To:   Patrick Maroney
    Cc:   Jordan, Bret;   cti@lists.oasis-open.org
    Subject:   Re: [cti] versioning
     


    Question - who is "allowed" to revision an object? Can only the originator revision, or can anyone?  

    I presume that many people assume that only the originator can revision an object - if that is so we should call this out explicitly. The current STIX versioning description ( http://stixproject.github.io/documentation/concepts/versioning/   )
    implies that anyone can version an object so long as it is "sufficiently unchanged". I think that will lead to a lot of confusion if anyone can revision an object.  

    On the other hand, if we want to get to the world of widespread object re-use and non-duplication, then third parties have to be able to revision objects. But what if I want to be the authoritative source? Should there be an attribute like "versioning_allowed"
    ?

    I am just spitballing.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security     www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown  


    <graycol.gif> Patrick Maroney ---02/11/2016 11:10:17 PM---Although I suspect I'm banned from using the term Timestamp for at least a year ;-) ...Here's an int

    From:   Patrick Maroney < Pmaroney@Specere.org >
    To:   "Jordan, Bret" < bret.jordan@bluecoat.com >, " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    Date:   02/11/2016 11:10 PM
    Subject:   Re: [cti] versioning
    Sent by:   < cti@lists.oasis-open.org >





    Although I suspect I'm banned from using the term Timestamp for at least a year ;-)  

    ...Here's an interesting concept to consider:


    {from:1388534400000,to:9223372036854775807}



    http://iansrobinson.com/2014/05/13/time-based-versioned-graphs/



    Note: Ian Robison uses uses epoch time in this example, so that may buy me some cover ;-)


    Patrick Maroney
    Office: (856)983-0001
    Cell: (609)841-5104

    <0C160672.gif>

    President
    Integrated Networking Technologies, Inc.
    PO Box 569
    Marlton, NJ 08053

    From:   " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org > on behalf of Bret Jordan < bret.jordan@bluecoat.com >
    Date:   Thursday, February 11, 2016 at 7:48 PM
    To:   " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    Subject:   [cti] versioning

    What would people think about a versioning concept where each TLO had a "serial_number" field that was of type integer. And every object that gets created by a producer will start with serial_number "1". Then as they update
    the TLO, the producer will just incase the serial_number.  

    I want to get the discussion started as I know some have very strong opinions on how it should work. But I also think, that with some good back and forth dialog, and some "coming to middle ground" we could solve this pretty
    quickly.  


    Thanks,

    Bret



    Bret Jordan CISSP  
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."  



















  • 10.  RE: [cti] versioning

    Posted 02-16-2016 10:23




    I would strongly recommend that we only allow object creators to administer the lifecycle of the objects they create. The reason is
    this… each object published is an assertion of truth that the Organization has made. It is the creating Organization saying ‘we think this:….’. They are effectively putting their reputation on the line to describe something that they as an Organization believes
    to be true.
     
    For this reason, we need to ensure that they are the only ones able to modify, change or retract their assertions – after all it’s
    their assertions. In fact, we need to eventually work out a way to cryptographically be
    sure that it really is their assertion and not an imposter… but that’s a problem for a different day.
     
    We also, as Pam rightly points out, need a way for third-parties with more information to provide that information, and we need a way
    for third-parties to demonstrate their disagreement with an assertion that someone else has made. Both of these are important within STIX v2.0 to allow consumers to make up their own minds about what information they choose to trust.
     
    For this reason, we previously proposed three mechanisms to handle these scenarios:
     
    The relationship object:

    This allows a third party to make an assertion between two objects that they haven’t created themselves. In Pam’s scenario 2 if Org
    A released a relationship object of high confidence that Bigbank attack was part of the FancyPanda Campaign, yet Org B disagreed, Org B will now be able to send out own relationship object with a really low confidence that the Bigbank attack was part of the
    FancyPanda Campaign. Consumers will see the two relationships, one which is high and one which is low, and should go…huh. They can then draw their own conclusions.
     
    The opinion object:

    This is another useful object. The opinion object is a way for a third party to comment on another organizations assertion. In Scenario
    2 Org B could additionally send out an Opinion object that referes to the OrgA relationship object and that flags that Org B ‘strongly disagrees’ with the relationship object that Org A sent out earlier.
     
    The Suggested-update relationship:

    If Org B is feeling extra generous, they could also sent out their own assertion of the correct details, with a separate relationship
    object with a relationship type of suggested-update. The suggested-update mechanism would allow third-party organizations to create the object they believe is ‘corrected’ and push that out to the community. The original object creator can (if they desire)
    take that information and check it, and if they want to, can revoke or modify the information in the originally released object.
     
    That’s 3 different ways that third-parties can communicate their disagreement or dissatisfaction with another Organization’s assertion.
    That’s a huge improvement for STIX v2 over STIX v1.x and something that I know others have been looking for a long while.
     
    Cheers
     

    Terry MacDonald
    Senior STIX Subject Matter Expert
    SOLTRA   An FS-ISAC and DTCC Company
    +61 (407) 203 206
    terry@soltra.com
     

     


    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org]
    On Behalf Of Jordan, Bret
    Sent: Tuesday, 16 February 2016 8:46 AM
    To: Wunder, John A. <jwunder@mitre.org>
    Cc: cti@lists.oasis-open.org
    Subject: Re: [cti] versioning


     

    I think this is a brilliant idea.  


     


    Bret 

    Sent from my Commodore 64



    On Feb 15, 2016, at 1:09 PM, Wunder, John A. < jwunder@mitre.org > wrote:





    FWIW versioning would be a great scenario to try to build a reference implementation on top of. If we want to make sure it works, as with patterning and data markings, I think we have to. Preferably we’d have two independently developed
    prototypes and have them exchange versioned content following the use cases that Pam outlines below.


     


    John



     


    From:
    < cti@lists.oasis-open.org > on behalf of "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Monday, February 15, 2016 at 1:23 PM
    To: pam smith < Pam.Smith@jhuapl.edu >
    Cc: Jason Keirstead < Jason.Keirstead@ca.ibm.com >, Patrick Maroney < Pmaroney@Specere.org >, " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    Subject: Re: [cti] versioning


     



    These are great work flow examples.  We need to enable valid work flows, but we need to be careful that we do not enable bad behavior that will make parsing and organizing the data hard.  







     


    Thanks,


     


    Bret



     


     


     



    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO


    Blue Coat Systems



    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









     



    On Feb 15, 2016, at 06:45, Smith, Pamela A. < Pam.Smith@jhuapl.edu > wrote:

     


    I agree that it would cause a lot of confusion if anyone can revision an object.   Also, I think anyone should be able to provide suggested revisions to any object.


     


    More spitballing.    Scenarios


     


    scenario 1: Originator   discovery of new information that results in revision/revocation


     


    scenario 2: Non-originator references previously shared information that



    - provides additional information on that topic including identification of errors.?


    - indicates they are requesting revocation (from the originator)


     


    ?Then the Originator revises or revokes previously shared information based on non-originator feedback    – and includes references to
     the non-originator’s input.   This assumes that the originator is and remains the authoritative source.  If the Originator does not maintain their own material in the face of a lot of input from others, then in some Darwinian fashion, someone else will take
    over as a new Originator of a new object, I guess.

     


    Pam Smith


    JHU/APL

     







    From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >
    on behalf of Jason Keirstead < Jason.Keirstead@ca.ibm.com >
    Sent:   Monday, February 15, 2016 8:29 AM
    To:   Patrick Maroney
    Cc:   Jordan, Bret;   cti@lists.oasis-open.org
    Subject:   Re: [cti] versioning


     




    Question - who is "allowed" to revision an object? Can only the originator revision, or can anyone?  

    I presume that many people assume that only the originator can revision an object - if that is so we should call this out explicitly. The current STIX versioning description ( http://stixproject.github.io/documentation/concepts/versioning/   )
    implies that anyone can version an object so long as it is "sufficiently unchanged". I think that will lead to a lot of confusion if anyone can revision an object.  

    On the other hand, if we want to get to the world of widespread object re-use and non-duplication, then third parties have to be able to revision objects. But what if I want to be the authoritative source? Should there be an attribute like "versioning_allowed"
    ?

    I am just spitballing.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security     www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown  


    <graycol.gif> Patrick Maroney ---02/11/2016 11:10:17 PM---Although I suspect I'm banned from using the term Timestamp for at least a year ;-) ...Here's an int

    From:   Patrick Maroney < Pmaroney@Specere.org >
    To:   "Jordan, Bret" < bret.jordan@bluecoat.com >,
    " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Date:   02/11/2016 11:10 PM
    Subject:   Re: [cti] versioning
    Sent by:   < cti@lists.oasis-open.org >







    Although I suspect I'm banned from using the term Timestamp for at least a year ;-)  

    ...Here's an interesting concept to consider:
    {from:1388534400000,to:9223372036854775807}
    http://iansrobinson.com/2014/05/13/time-based-versioned-graphs/
    Note: Ian Robison uses uses epoch time in this example, so that may buy me some cover ;-)

    Patrick Maroney
    Office: (856)983-0001
    Cell: (609)841-5104

    <0C160672.gif>

    President
    Integrated Networking Technologies, Inc.
    PO Box 569
    Marlton, NJ 08053

    From:   " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    on behalf of Bret Jordan < bret.jordan@bluecoat.com >
    Date:   Thursday, February 11, 2016 at 7:48 PM
    To:   " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    Subject:   [cti] versioning

    What would people think about a versioning concept where each TLO had a "serial_number" field that was of type integer. And every object that gets created by a producer will
    start with serial_number "1". Then as they update the TLO, the producer will just incase the serial_number.  

    I want to get the discussion started as I know some have very strong opinions on how it should work. But I also think, that with some good back and forth dialog, and some "coming
    to middle ground" we could solve this pretty quickly.  


    Thanks,

    Bret



    Bret Jordan CISSP  
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."