RE: Nessus no longer open source

From: Ted Mittelstaedt (tedm_at_toybox.placo.com)
Date: 10/06/05

    To: <gayn.winters@bristolsystems.com>, <freebsd-questions@freebsd.org>
    Date: Thu, 6 Oct 2005 12:57:59 -0700
    
    

    This happened with the SAINT scanner also, however they didn't have the
    decency to keep an older release train going under GPL. SAINT was a
    rework of SATAN which was released open source, making that a particularly
    bitter pill. I believe when SAINT did this, that was what gave the
    impetus to Nessus to become popular.

    Security scanning is an esoteric field and not a lot of people are true
    experts, however there's a huge demand for it from some very deep pockets.
    Thus this kind of thing is inevitable.

    One of the duties of the OSS market is to serve as a spawning ground for
    commercial software packages. There was a huge amount of commercial
    software born from the BSD code, and in fact a number of the BSD networking
    utilities made it into Windows - including their BSD copyright notices in
    fact.

    Consider also that the military would almost certainly not want to use an
    open source scanner because that gives the enemy a list of what
    vulnerabilities you know about, and what ones you possibly don't. I can
    think of a number of other deep pockets like VISA that are the same way.
    Closing the source for Nessus 3 will open it up to consideration by a
    number of customers who would have been prevented from using it. Almost
    certainly the research in the vulnerabilities that go into Nessus 3 will
    trickle into Nessus 2 eventually. So this move, far from being a blow to
    OSS, actually strengthens it. If you want to bitch about something then
    bitch about SAINT.

    Ted

    >-----Original Message-----
    >From: owner-freebsd-questions@freebsd.org
    >[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Gayn Winters
    >Sent: Thursday, October 06, 2005 9:04 AM
    >To: freebsd-questions@freebsd.org
    >Subject: Nessus no longer open source
    >
    >
    >One of the highest rated open source security programs, nessus, will no
    >longer be open source. Quoting from an email from Renaud Deraison
    ><rderaison@tenablesecurity.com> to nessus-announce@lists.nessus.org,
    >
    >"Nessus 3 will be available free of charge, including on the Windows
    >platform, but will not be released under the GPL.
    >
    >"Nessus 3 will be available for many platforms, but do understand that
    >we won't be able to support every distribution / operating system
    >available. I also understand that some free software advocates won't
    >want to use a binary-only Nessus 3. This is why Nessus 2 will
    >continue to be maintained and will stay under the GPL."
    >
    >I'm not sure if Nessus 3 will be supported as a FreeBSD package.
    >
    >Apparently the folks at Tenable feel that they have been supporting the
    >open source community but have been getting little back in plug-ins and
    >vulnerabilities and virtually nothing back on the scanning engine for
    >over six years. In fact, they have been slowly tightening their
    >licensing (cf.
    >http://mail.nessus.org/pipermail/nessus/2005-January/msg00185.html), and
    >it would appear that they can and will continue to tighten it over time.
    >
    >Fyodor's analysis
    >(http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html) is that
    >the open source community should take heed. He provides a list of ways
    >to contribute to open source software projects. While the list is
    >excellent, there are no new ideas in it. The thing that seems germane
    >to the FreeBSD community is that ports, even extremely popular ones, are
    >vulnerable, since under the GPL the AUTHOR of the code is not bound by
    >the same restrictions that the users are. I'm not a lawyer, but as I
    >understand it, the author can create a derived work of something under
    >the GPL and license the derived work (a "rewrite" in the case of nessus
    >3) and arbitrarily restrict it. Given Renaud's claim that no one
    >contributed to the scanning engine, he seems to have every right to
    >create a new and closed version of it.
    >
    >The moral here, if there is one, is that if you really like a port, then
    >you should contribute to it one way or another!
    >
    >Comments?
    >
    >-gayn
    >
    >
    >
    >_______________________________________________
    >freebsd-questions@freebsd.org mailing list
    >http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    >To unsubscribe, send any mail to
    >"freebsd-questions-unsubscribe@freebsd.org"
    >
