The Open Security Foundation (OSF) is pleased to announce that the DataLossDB (also known as the Data Loss Database – Open Source (DLDOS) currently run by Attrition.org) will be formally maintained as an ongoing project under the OSF umbrella organization as of July 15, 2008.
Attrition.org’s Data Loss project, which was originally conceptualized in 2001 and has been maintained since July 2005, introduced DLDOS to the public in September of 2006. The project’s core mission is to track the loss or theft of personally identifying information not just from the United States, but across the world. As of June 4, 2008, DataLossDB contains information on over 1,000 breaches of personal identifying information covering over 330 million records.
DataLossDB has become a recognized leader in the categorization of dataloss incidents over the past several years. In an effort to build off the current success and further enhance the project, the new relationship with OSF provides opportunities for growth, an improved data set, and expanded community involvement. “We’ve worked hard to research, gather, and make this data open to the public,” says Kelly Todd, one of the project leaders for DataLossDB. “Hopefully, the migration to OSF will lead to more community participation, public awareness, and consumer advocacy by providing an open forum for submitting information.”
The Open Security Foundation’s DataLossDB will be free for download and use in non-profit work and research. The new website launch (http://www.datalossdb.org/) builds off of the current data set and provides an extensive list of new features. DataLossDB has attained rapid success due to a core group of volunteers who have populated and maintained the database. However, the new system will provide an open framework that allows the community to get involved and enhance the project. “For a data set as dynamic as this, it made sense to build it into a more user-driven format.”, states David Shettler, the lead developer for the Open Security Foundation. “With the release of this new site, the project can now be fed by anyone, from data loss victims to researchers”.
The DataLossDB’s mail list will continue to be available to over 1,500 current subscribers and will accept new subscriptions under the Attrition.org banner until a migration to OSF has been completed. RSS feeds will also be available under the OSF banner for timely alerts about new and updated data loss events. We expect this transition to be completed in the coming months without impact to current subscribers.
Open Security Foundation’s DataLossDB is an open source community project that strives to provide a clear understanding of data loss issues and needs your support. Assistance can be provided through database updates, project leadership, word-of-mouth promotion, financial donations, and sponsorship to assist with the ongoing maintenance of the project. “The DataLossDB project provides a critical service that enables detailed analysis on the true impact of data loss.”, says Jake Kouns. “The Open Security Foundation is in a perfect position to support the expansion of the DataLossDB project.” Any entities interested in licensing the database for commercial ventures are encouraged to contact OSF.
The web hacking incident database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web applications related security incidents. WHID goal is to serve as a tool for raising awareness of the web application security problem and provide the information for statistical analysis of web applications security incidents.
The WHID is an interesting new database that seems to be a cross between a database of site specific vulnerabilities (something OSVDB has considered maintaining) and the Attrition Dataloss page.
OK, OSVDB is not really closing. But based on my experience with running and participating in projects and sites, the second you announce a valuable resource is going away, people come out of the woodwork to volunteer or support the project to keep it going. When the Attrition.org Defacement Mirror closed, I received several dozen mails asking, begging, even demanding that the project keep running. So why didn’t these same people help out for the years prior to the announcement? If a project or resource is that helpful and that valuable to you, why not support them?
Without going into a full rant or debate on the nature of open source (OS), one of the most prevalent arguments for OS is that the community can help. For OS code, it is argued that anyone can look at the source code and find bugs.. but they rarely do. For OS projects, it is argued that volunteers work on projects for the love of it, not because it’s a source of money for food and shelter.. but they often don’t.
That said, OSVDB could substantially benefit from one or two developers before any such closing. Ideally we need a couple folks with solid PHP coding experience, PostgreSQL database manipulation, and the willingness / desire / time to work on the project. We can promise you fortune and fame! OK not really. What we can offer you:
- The ability to develop and enhance the project in a leadership role (we’ll even call you ‘god’ if you want)
- The chance to significantly change the vulnerability database landscape (yes, really)
- Work on a number of long term development projects (we have ideas, you have skills!)
- The freedom to work when and how you want, with little to no supervision (go wild)