Fw: Nmap 3.81 Released; Pr0n; License Non-changes
Myles Green
rmg57
Tue Feb 8 17:28:10 PST 2005
Hmmm, the response from Tenable (Renaud Deraison <deraison at nessus.org>)
seems to clear things up. Looks like it is/was a case of mistaken
assumptions. Somebody has egg all over their face! 8o
Myles
On Tue, 08 Feb 2005 07:40:30 -0500
Matthew Carpenter <matt at eisgr.com> wrote:
> I don't understand what's up with the Tenable folks. I know that many
> vendors were integrating their tools into their own (in fact, basically
> using Nessus completely *as* their tool). I can understand how Tenable
> needs to be able to make money. If they licensed using the GPL, those
> offshoots would be forced to use the GPL as well. The viral effects ;)
>
> Granted, that's not as easy as restricting quite fully, but that just
> sucks.
Begin forwarded message:
Date: Tue, 8 Feb 2005 08:24:02 -0500
From: Renaud Deraison <deraison at nessus.org>
To: nmap-hackers at insecure.org
Subject: Re: Nmap 3.81 Released; Pr0n; License Non-changes
Hi List and Fyodor,
On Mon, Feb 07, 2005 at 02:34:11PM -0800, Fyodor wrote:
> In other news, some users have expressed concern about the new Nessus
> license. If you want to use Nessus and all its plugins for
> consulting, you are now required to fax Tenable a signed license
> agreement requesting permission.
This is correct. The issue is that in legalese-speak, it's difficult to
distinguish between a consultant and a Managed Security Services
Provider (MSSP), and some of them have blatantly abused Nessus in the
past by claiming they "invented the technology", so we had to find a way
which:
a) Makes the use of Nessus free for consultants;
b) Allows us to prevent such companies from using it if they lie in
their claims.
In the same vein that in real life you have to use annoying keys to lock
your door to prevent a minority of bad guys from breaking into your
house, we had to set up some measures to prevent a minority from abusing
the project.
> You must also promise not to redistribute or reverse-engineer the
> plugins
> (http://www.nessus.org/plugins/index.php?consultant=1&email=c&product=).
> They also instituted a $1200/year charge for the latest plugins (a
> delayed feed is available free with registration for certain limited
> uses).
The registered plugin feed (which is _free_) allows you to scan the
network of your workplace or home, with all the plugins that have ever
been written, although there is a 7 day delay between the time we write
the plugins and the time you receive them. If members of the open-source
community submit a given plugin, then it's available under the GPL with
no delay.
Same thing with consultants and MSSPs: you can get the plugin feed
for _free_ but you need to ask for authorization only once. We do NOT
use the gathered data for commercial purposes. Actually, we don't even
keep a digital copy of the authorizations, since we're talking about a
fax, so we do not have a database of consultants and/or MSSPs.
Finally, if you have some kind of religious stance regarding the use of
non-GPL software, there is a 100% GPL plugin feed which contains
over 2,000 plugins.
> They also now claim that many of the existing Nessus plugins
> were never open source. At the same time, they rewrote the Nessus web
> page to emphasize that Nessus is "<i>the</i> open-source vulnerability
> scanner".
Nessus is an engine, and it is released under the GPL license. A great
number of plugins is released under the GPL license. I think that
qualifies for "open-source".
[...]
> They argue that this change is necessary to maintain quality and
> satisfy shareholders
We have never claimed that we clarified the license to satisfy
shareholders. We are privately funded and not dependent on VCs.
What we've claimed is that setting up an environment to react in real
time to new vulnerabilities (instead of reacting "whenever I have
time"), and hiring people to work full time on new security checks (and
QA them) requires more than goodwill, especially when you see that these
checks are then being used by our competitors. If the community had
submitted more plugins, maybe this would not have been necessary, but
when you look back and see that Tenable contributed over 80% of the new
plugins in 2004, then there is a problem.
It turns out that when people think of "open-source", most of them think
of a million people writing one line of code each, and this is
absolutely false.
Just a quick recap:
+ 100% of the Nessus Engine: Michel Arboi and Renaud Deraison
(Tenable)
+ 95% of the Nessus Plugins: Michel Arboi, David Maciejak, Noam
Rathaus, Digital Defense Inc., George Theall and Tenable.
I recently explained the rationale behind the license change
in a lengthy email, available at:
<http://mail.nessus.org/pipermail/nessus/2005-January/msg00185.html>
We also have some sort of FAQ regarding the license change:
<http://www.tenablesecurity.com/products/direct-examples.shtml>
If you have any questions, don't hesitate to send them to me.
Thanks,
-- Renaud
--
Renaud Deraison
http://www.nessus.org
--
Myles Green <rmg57 at telus dot net> Calgary AB Canada
Ubuntu Linux 5.04 "Hoary Hedgehog" Dev. Branch
http://www.ubuntulinux.org/
GnuPG public key (9D02F338) http://keyserver-beta.pgp.com/