RE: Nessus no longer open source

From: Ted Mittelstaedt (tedm_at_toybox.placo.com)
Date: 10/06/05

  • Next message: Joe S: "Re: vsftpd watch problem"
    To: <gayn.winters@bristolsystems.com>, <freebsd-questions@freebsd.org>
    Date: Thu, 6 Oct 2005 12:57:59 -0700

    This happened with the SAINT scanner also, however they didn't have the
    decency to keep an older release train going under GPL. SAINT was a
    rework of SATAN which was released open source, making that a particularly
    bitter pill. I believe when SAINT did this, that was what gave the impetus
    to Nessus to become popular.

    Security scanning is an esoteric field and not a lot of people are true
    experts; however, there's a huge demand for it from some very deep pockets.
    Thus this kind of thing is inevitable.

    One of the duties of the OSS market is to serve as a spawning ground for
    commercial software packages. There was a huge amount of commercial
    software born from the BSD code, and in fact a number of the BSD networking
    utilities made it into Windows - including their BSD copyright notices in
    fact.

    Consider also that the military would almost certainly not want to use an
    open source scanner because that gives the enemy a list of what
    vulnerabilities you know about, and what ones you possibly don't. I can
    think of a number of other deep pockets like VISA that are the same way.
    Closing the source for Nessus 3 will open it up to consideration by a
    number of customers who would have been prevented from using it. Almost
    certainly the research in the vulnerabilities that go into Nessus 3 will
    trickle into Nessus 2 eventually. So this move, far from being a blow to
    OSS, actually strengthens it. If you want to bitch about something then
    bitch about SAINT.

    Ted

    >-----Original Message-----
    >From: owner-freebsd-questions@freebsd.org
    >[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Gayn Winters
    >Sent: Thursday, October 06, 2005 9:04 AM
    >To: freebsd-questions@freebsd.org
    >Subject: Nessus no longer open source
    >
    >
    >One of the highest rated open source security programs, nessus, will no
    >longer be open source. Quoting from an email from Renaud Deraison
    ><rderaison@tenablesecurity.com> to nessus-announce@lists.nessus.org,
    >
    >"Nessus 3 will be available free of charge, including on the Windows
    >platform, but will not be released under the GPL.
    >
    >"Nessus 3 will be available for many platforms, but do understand that
    >we won't be able to support every distribution / operating system
    >available. I also understand that some free software advocates won't
    >want to use a binary-only Nessus 3. This is why Nessus 2 will
    >continue to be maintained and will stay under the GPL."
    >
    >I'm not sure if Nessus 3 will be supported as a FreeBSD package.
    >
    >Apparently the folks at Tenable feel that they have been supporting the
    >open source community but have been getting little back in plug-ins and
    >vulnerabilities and virtually nothing back on the scanning engine for
    >over six years. In fact, they have been slowly tightening their
    >licensing (cf.
    >http://mail.nessus.org/pipermail/nessus/2005-January/msg00185.html), and
    >it would appear that they can and will continue to tighten it over time.
    >
    >Fyodor's analysis
    >(http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html) is that
    >the open source community should take heed. He provides a list of ways
    >to contribute to open source software projects. While the list is
    >excellent, there are no new ideas in it. The thing that seems germane
    >to the FreeBSD community is that ports, even extremely popular ones, are
    >vulnerable, since under the GPL the AUTHOR of the code is not bound by
    >the same restrictions that the users are. I'm not a lawyer, but as I
    >understand it, the author can create a derived work of something under
    >the GPL and license the derived work (a "rewrite" in the case of nessus
    >3) and arbitrarily restrict it. Given Renaud's claim that no one
    >contributed to the scanning engine, he seems to have every right to
    >create a new and closed version of it.
    >
    >The moral here, if there is one, is that if you really like a port, then
    >you should contribute to it one way or another!
    >
    >Comments?
    >
    >-gayn

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

