Nessus no longer open source

Ted Mittelstaedt tedm at toybox.placo.com
Thu Oct 6 12:58:18 PDT 2005


This happened with the SAINT scanner also, however they didn't have the
decency to keep an older release train going under GPL.  SAINT was a
rework of SATAN which was released open source, making that a
particularly
bitter pill.  I believe when SAINT did this, that was what gave the
impetus to
Nessus to become popular.

Security scanning as an esoteric field and not a lot of people are true
experts
however there's a huge demand for it from some very deep pockets.  Thus
this kind of thing is inevitable.

One of the duties of the OSS market is to serve as a spawning ground for
commercial software packages.  There was a huge amount of commercial
software born from the BSD code, and in fact a number of the BSD
networking
utilities made it into Windows - including their BSD copyright notices in
fact.

Consider also that the military would almost certainly not want to use an
open source scanner because that gives the enemy a list of what
vulnerabilities
you know about, and what ones you possibly don't.  I can think of a
number
of other deep pockets like VISA that are the same way.  Closing the
source
for Nessus 3 will open it up to consideration by a number of customers
who
would have been prevented from using it.  Almost certainly the research
in the
vulnerabilities that go into Nessus 3 will trickle into Nessus 2
eventually.  So
this move, far from being a blow to OSS, actually strengthens it.  If you
want
to bitch about something then bitch about SAINT.

Ted

>-----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Gayn Winters
>Sent: Thursday, October 06, 2005 9:04 AM
>To: freebsd-questions at freebsd.org
>Subject: Nessus no longer open source
>
>
>One of the highest rated open source security programs, nessus, will no
>longer be open source.  Quoting from an email from Renaud Deraison
><rderaison at tenablesecurity.com> to nessus-announce at lists.nessus.org,
>
>"Nessus 3 will be available free of charge, including on the Windows
>platform, but will not be released under the GPL.
>
>"Nessus 3 will be available for many platforms, but do understand that
>we won't be able to support every distribution / operating system
>available. I also understand that some free software advocates won't
>want to use a binary-only Nessus 3. This is why Nessus 2 will
>continue to be maintained and will stay under the GPL."
>
>I'm not sure if Nessus 3 will be supported as a FreeBSD package.
>
>Apparently the folks at Tenable feel that they have been supporting the
>open source community but have been getting little back in plug-ins and
>vulnerabilities and virtually nothing back on the scanning engine for
>over six years. In fact, they have been slowly tightening their
>licensing (cf.
>http://mail.nessus.org/pipermail/nessus/2005-January/msg00185.html), and
>it would appear that they can and will continue to tighten it over time.
>
>Fyodor's analysis
>(http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html) is that
>the open source community should take heed.  He provides a list of ways
>to contribute to open source software projects.  While the list is
>excellent, there are no new ideas in it.  The thing that seems germane
>to the FreeBSD community is that ports, even extremely popular ones, are
>vulnerable, since under the GPL the AUTHOR of the code is not bound by
>the same restrictions that the users are.  I'm not a lawyer, but as I
>understand it, the author can create a derived work of something under
>the GPL and license the derived work (a "rewrite" in the case of nessus
>3) and arbitrarily restrict it.  Given Renaud's claim that no one
>contributed to the scanning engine, he seems to have every right to
>create a new and closed version of it.
>
>The moral here, if there is one, is that if you really like a port, then
>you should contribute to it one way or another!
>
>Comments?
>
>-gayn
>
>
>
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to
>"freebsd-questions-unsubscribe at freebsd.org"
>
>--
>No virus found in this incoming message.
>Checked by AVG Anti-Virus.
>Version: 7.0.344 / Virus Database: 267.11.9/116 - Release Date:
>9/30/2005
>



More information about the freebsd-questions mailing list