Forgot your password?
typodupeerror
Security GNU is Not Unix

Nessus Closes Source 394

Posted by CmdrTaco
from the say-it-ain't-so dept.
JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because it's competition is simply repackaging their product. Deraison's writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.
This discussion has been archived. No new comments can be posted.

Nessus Closes Source

Comments Filter:
  • by (1+-sqrt(5))*(2**-1) (868173) <1.61803phi@gmail.com> on Thursday October 06, 2005 @05:03PM (#13734137) Homepage
    To that end, I've become an early adopter of the Artistic License 2.0 [perl.org], Perl 6's upcoming license. From the preamble:
    This copyright license states the terms under which a given free software Package may be copied, modified and/or redistributed, while the Originator(s) maintain some artistic control over the future development of that Package (at least as much artistic control as can be given under copyright law while still making the Package open source and free software).
    • by Nasarius (593729) on Friday October 07, 2005 @12:31AM (#13737020)
      the Originator(s) maintain some artistic control over the future development of that Package (at least as much artistic control as can be given under copyright law while still making the Package open source and free software).

      Is it just me, or is this bafflingly ambiguous? I'm sure if I read the whole thing it would be clear, but I have no idea what that sentence is trying to say. I'll just stick with BSD for now.

  • by Anonymous Coward
    No, fork.
  • How well an OSS product fares as a closed source product. Bets are on: better or worse a year from now?
    • I can't see how distributing binary only will help themm, as opposed to a non-business use only license change. It'll be very interesting to see where this goes from here.
    • by sterno (16320)
      They weren't getting any notable contributions from the community so they don't lose anything there. On the other hand, if they can eliminate their competition they can make more money, hire more developers, etc.
  • Competitors (Score:4, Funny)

    by SpaceAdmiral (869318) on Thursday October 06, 2005 @05:07PM (#13734181) Homepage
    If their competitors were just repackaging their software, they should have put some massive bugs in it.

    • Maybe there are... and they're going to fix them for v3 and share all the details of the v2 bugs.

      And all those companies would be scrambling since they didn't write it in the first place and therefore probably have little understanding of the underlying code.
      • Re:Competitors (Score:4, Interesting)

        by vladkrupin (44145) on Friday October 07, 2005 @01:39AM (#13737289) Homepage
        Yes, they will (and are) scrambling. But not because they have little understanding of the underlying code. No, that's trivial. The real value is in all the updates, signatures, definitions of various vulnerabilities, etc. People come up with them all the time, and nessus always has the latest & greatest, and everyone else seems to be weeks, if not months behind. Unless, of course, they are building on top of nessus as the engine, in which case they are always up to speed.

        I am have some firsthand familiarity with this. I know of a company that essentially built their whole business around nessus as the core of their product. They added tons of bells and whistles to it, packaged it nicely, made it user-friendly, and shipped it. For a lot of money. Sounds silly, but I think they had a good product -- it actually made network security manageable. Just knowing what is vulnerable on your network is not good enough. In fact, if the network is of any appreciable size, that's not good at all. You need to filter out tons of noise -- false positives, things that you know are vulnerable but you do not care about for one reason or another, need to do some basic triaging, and be able to monitor trends and tendencies over time. So, there's a great need for a good presentation layer on top of nessus, and several companies recognized that need and built their business models on that. And that was good, it was really, really needed.

        Then, a couple of years ago it became harder to get nessus updates. Nessus started detecting scrapers that were getting latest nasl updates and banning them. Then they started licensing those updates differently, I think, so it was harder for closed-source companies to use them. So, that company started rewriting newer NASLs in a "clean room" environment to stay in the legal clean waters. While the practice was silly, it made sense -- it was either that, or GPL the whole thing, and they could not figure out how to build a viable business plan if they were to GPL their whole product. I must admit that this is a very challenging, and at times an impossible task. I must say that I applaud them for going through all that extra effort to stay clean and respect the GPL -- a lot of other people do not do so.

        So, has nessus just droppped a bombshell on all those companies that were building their stuff on top of its enine? Not really. The change has been coming for quite some time. Recent NASLs haven't been available for a while under a liberal license. In fact, I think that new software features and bugfixes in version 3 are not even all that important or needed. Signatures and definitions for newer vulnarabilities are. So, all those companies had ample time to change, if they wanted to. The company I was referring to did a good job, as far as I know -- they added a bunch of features beyond what nessus provided -- various network discovery, some windows-specific stuff, etc. I do not know much about what they are doing now, but I know that they worked hard to shift from a nessus-wrapper to a product that could stand on its own. And, to the best of my knowledge, they succeeed. Some others did not see the writing on the wall. So, they wasted time and this change of license will be the latest nail in their coffins. Stuff happens. Don't feel sorry for them. Nessus departing from the GPL is a sad fact of life, but... it's understandable. They can do it. And freeloaders deserve little compassion.

        just my 2c...
  • by nanop (155318) on Thursday October 06, 2005 @05:07PM (#13734192)
    So (provided there are interested developers), the last GPL-licensed version will likely be forked and a new project formed... I'd guess "gnessus".
    • He raised the possibility that the community could "fork" version 2 of the software--that is, start developing a divergent version of Nessus from the one officially supported by Tenable.

      It would be interesting if this happens. It would certainly make the developers statement in need of a second look (the statement above was not the developers statement):
      The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license.

      So,
      • Either the developer is understating the community involvement or he wasn't that good at drumming up interest in community involvement.

        Or maybe the community couldn't give a damn about helping until it's an underdog project competing against an evil proprietary product? Some people are more motivated by zealotry than improving the world...
      • by Principal Skinner (56702) on Thursday October 06, 2005 @06:05PM (#13734793) Homepage
        "So, if it does fork and the open source fork gets a lot of development that would mean of two things. Either the developer is understating the community involvement or he wasn't that good at drumming up interest in community involvement."

        A developer who wants community involvement really has a lot going against him. There are only a handful of Linuxes, Mozillas, and KDEs, out of the hundreds of thousands of OSS projects out there. Probably only a single-digit percentage of OSS projects get any significant community help. To get in that percentile, you have to have an interesting, high-profile project AND be VERY good at drumming up support.

        Properly stated, there's a third possible interpretation of a successful fork: the maintainers were doing a fine and dandy job and no one from the community had an itch to scratch, until the gravy train stopped.
      • by scoove (71173) on Thursday October 06, 2005 @07:17PM (#13735390)
        The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license.

        I have to disagree. I'm a CISA (certified information security auditor) and have used Nessus in audits. About a year ago, I provided feedback regarding Nessus's tendency to damage production services, even in safe mode. These occurances were not Nessus's fault, but rather the consequence of very poor coding in various network devices. Often Nessus would cause old HP printers (HP Laserjet III was notoriously vulnerable), cheap network fax appliances, and in a couple of cases, Sonicwall firewalls to completely lose their configurations and reset to defaults. 10+ year old printers have a bit of an excuse in my book, but Sonicwall, which advertises as a security product, had no legitimate justification for this behavior. We were able to confirm this from outside Nessus scans as well.

        I began reporting this behavior to the Nessus group and suggested a database of vulnerable devices to prevent analysts from getting in repeated hot water. The Tenable folks were not responsive at all and indicated their fear of civil liability due to potential disparagement of network equipment vendors products. Although I referenced numerous other sites, as well as the alternate "compatible device" approach which countless operating systems take, the idea was ignored. I did receive numerous emails from other analysts who had the same concerns.

        Teneble has done a good job pushing away its user base and unfortunately moves into a hypercompetitive world of better proprietary tools. I wonder if there's an impatient VC pulling their strings.

        I'll definitely support any open source effort that continues with the GPL code. How about calling it Hindmost [larryniven.org] (for all the Ringworld fanatics out there).

        *scoove*
    • So a project which was getting very little contribution from the OSS community is going to be forked into a different project that will get all sorts of support from the OSS community? Good luck with that.
      • by robla (4860) * on Thursday October 06, 2005 @05:39PM (#13734514) Homepage Journal
        > So a project which was getting very little contribution from the OSS community is going to be forked into a different project that will get all sorts of support from the OSS community?

        Yup. Funny how that works. It happened that way with SourceForge/GForge. It sorta happened with NCSA httpd -> Apache. Probably a handful of other examples out there.

        It'll probably evolve from the needs of the Debian package maintainer needing an "upstream" [debian.org] for security patches, etc. Or maybe Gentoo, Fedora, etc. You get the idea. I use Debian as an example because of they'll need something that continues to satisfy the DFSG [debian.org]. Thus, if Nessus is still going to remain, it'll eventually need to be updated.
    • If it were me, I'd name the fork of Nessus "Known Space". Great name for a tool of discovery, that expands on the "Nessus" idea.
  • So what's left?? (Score:5, Interesting)

    by eno2001 (527078) on Thursday October 06, 2005 @05:09PM (#13734203) Homepage Journal
    SATAN and SAINT appear to be gone. Now Nessus. What other projects are out there for security auditing tools? This is not a good trend.
    • Re:So what's left?? (Score:4, Informative)

      by Kelson (129150) * on Thursday October 06, 2005 @05:17PM (#13734305) Homepage Journal
      SARA [www-arc.com] (Security Auditor's Research Assistant) is based on the old SATAN design.
    • by fv (95460) * <fyodor@insecure.org> on Thursday October 06, 2005 @05:38PM (#13734504) Homepage

      I responded [seclists.org] for the Nmap Security Scanner [insecure.org] project yesterday. We aren't planning to follow suit. Nmap has been GPL since its release more than 8 years ago and I am happy with that license.

      I agree that this is not a good trend, and the question is how to reverse it. It is important to note a key reason Renaud gave: the lack of community involvement. It is easy to take the open source tools we depend on for granted, and forget that open source is a two way street. The bazaar model doesn't work so well with everyone taking and not contributing back. In the Nessus response, I suggest [seclists.org] a few ways that programmers and non-programmers can support projects they use and enjoy. Rather than mope over the loss of open source Nessus, we can treat this as a call to action and a reminder not to take valuable open source software such as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.

      Meanwhile, I know at least one group of experienced open source programmers that is preparing to announce a new open source vulnerability scanner project or Nessus fork. It would be encouraging for such a fork to succeed.

      -Fyodor [insecure.org]

      • by scoove (71173) on Thursday October 06, 2005 @11:41PM (#13736743)
        I know at least one group of experienced open source programmers that is preparing to announce a new open source vulnerability scanner project or Nessus fork. It would be encouraging for such a fork to succeed.

        Fyodor, what can those of us out here do to help make that a possibility? One of my common frustrations is that much of the open source community thinks at a very low level and rejects broader perspectives because the initiators of the projects are often exceptional programmers (at the expense of not being exceptional documentation writers, analysts, managers, communicators, etc.). Some will want to shoot me for saying it, but every technology project needs a hell of a lot more than software developers to make it go. A project needs the help of great documentation writers, testers, managers, analysts, evangelists, etc. to make it, and more importantly, needs to have a culture of taking criticism and evaluating it objectively in order to have a chance at success.

        Nessus's rejection of a system vulnerability database was unfortunate but not unexpected - I smell a VC in a room with a bunch of programmers (and nothing in between), plus a bunch of sensitive "Not Invented Here" egos. Nessus needed to integrate with its user community because its success was very dependent upon their feedback. Nmap has succeeded perhaps because it is a more concise tool with a focused objective and I've seen you take feedback out there and honestly respond to it.

        I agree that this is not a good trend, and the question is how to reverse it.
        Success in the open source community is still a rather unpredictable, undocumented (and too often, unrepeatable) event. Successful projects like nmap have happened through their founder's exceptional ability in demonstrating more than just coding ability, yet the community does little to document, educate and communicate this aspect. Projects tend to continue to make the same mistakes. Perhaps a start would be a FAQ on successful open source project methodologies that explains that brilliant code is only one of a dozen components required for success and details the others - perhaps building upon the best practices of the community's successful projects? If Nessus and others are to make it as viable open source, we need to build upon the understanding that it takes more than great code to succeed.

        *scoove*

    • Re:So what's left?? (Score:5, Interesting)

      by tgd (2822) on Thursday October 06, 2005 @07:04PM (#13735316)
      One can only hope this one disappears. Anyone who has been on the receiving end of a security audit done by some dork who lives in his parents basement who hung out a shingle as a security analyist and basically only runs Nessus without any interpretation can tell you what a HUGE false-positive rate its got. I know how much time *I* waste responding to them, its staggerirng to think how much time throughout the industry is wasted because of them.

      Security tools like SATAN and NESSUS (and even tools like NMAP) are a poor substitute for someone who knows what they're doing, and just make being secure harder for everyone who has to deal with them.
  • by temojen (678985) on Thursday October 06, 2005 @05:09PM (#13734210) Journal
    Or rather, using the GPL as it was intended, to prevent vendor lock-in.
    • Insightful?

      The GPL can prevent vendor lock-in because people can study the code and resolve compatibility issues if any.

      Not in the sense that anyone can pick up the code and be a competitor - although it is also permitted under the GPL, it is not what prevents vendor lock-in.

  • Fork? (Score:4, Interesting)

    by bcmm (768152) on Thursday October 06, 2005 @05:10PM (#13734223)
    This sort of thing almost always results in someone making a fork. Is there really so little OSS involvement that a GPL fork (from the most recent GPL version) would not be able to compete with the closed app?
  • by cowbutt (21077) on Thursday October 06, 2005 @05:10PM (#13734225) Journal
    As someone who encouraged a former employer to pay for a Nessus support contract when it voluntary, someone who personally contributed a minor enhancement to the engine, and as someone who actually used Nessus professionally (i.e. manually verifying the results it gave, rather than selling the reports as-is to customers), I've been pretty disgusted by the way competitors have abused Renaud's generosity.

    Hopefully, the time will come when Renaud and crew feel that they can re-open the code, possibly under GPLv3.

  • Hardly a "loophole" (Score:5, Informative)

    by spitzak (4019) on Thursday October 06, 2005 @05:11PM (#13734233) Homepage
    The "loophole" is an intended result of the GPL. Since this is it's purpose it makes no sense to call it a "loophole" whether you like or dislike the GPL.

    In any case, they are perfectly free to do this. They are also free to release the source code in a way that does not have this "loophole", such as by using normal copyright. Equating "being able to see the source" with "GPL" is a bit of FUD.
    • Equating "being able to see the source" with "GPL" is a bit of FUD.

      Not at all - the GPL requires that they provide the source to anyone who purchases the software. It's one of the key components of the GPL.

      Other than improvements to the software, I assume that the other key benefit to making the source code available is for many eyes to see it to provide security and functional updates. But if all that's happening to the source is that competitors are taking it and repackaging it under another name and n
    • It's not a loophole, but it's quite clear that it's not what they thought they were getting into. Ultimately the benefit of the GPL to a business is being able to share the development cost. IBM is only paying for a portion of Linux as is RedHat, etc. Thus their ultimate cost is lower for the product they deliver.

      It's clear here that there's no sharing of the work here. They do all the work and get little benefit. What's interesting about this though is what happens to the previous Nessus release. You
    • by Sycraft-fu (314770) on Thursday October 06, 2005 @06:35PM (#13735081)
      This is one of the counter-arguments used against the GPL. When people start crying "Everything should be OSS", here's a case to point to of it not working.

      The GPL does create problems for commercial viability in many cases. You spend tons of time and money developing something, others then market the solutions for it, you get squat in return. This is a problem. The "Well make money selling support" argument doesn't work when others are selling the support better than you can.

      Now, perhaps you are inclined to think this is fine. They are better at it, so they should make the money right? Except the only reason they can, is that you put in the up front investemant to actually make the software.

      What this will lead to is people deciding that open source is not the way to go, or at least GPL-style open source. If it just leads to other people making money off of your hard work, it'll really turn people off to it.
  • Fair enough (Score:5, Informative)

    by overshoot (39700) on Thursday October 06, 2005 @05:11PM (#13734237)
    A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL.

    That's not a loophole, that's how it's supposed to work.

    He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL.

    His code, his rules. As long as he's not including code that others contributed under the GPL, that is.

    The question is, has he either cleared the code, acquired copyright, or licensed it from the authors?

  • by RevDigger (4288) <haroldpNO@SPAMinternal.org> on Thursday October 06, 2005 @05:14PM (#13734278) Homepage
    This is not a "loophole in the GPL". It is exactly how the GPL, and similar OSS licenses are intended to work. If you don't want other people freely using, modifying, and even selling your software, then do not open source it.

    Also, it seems rather rich that they are selling a product that depends on a number of other OSS projects (expat, gettext, gmake, libiconv, libtool) and complaining about people making money off their code.

            - H

  • by Svartalf (2997) on Thursday October 06, 2005 @05:16PM (#13734291) Homepage
    Considering that in EACH of those cases, the software IS distributed, they could have went after the offenders. Perhaps they can't afford lawyers to do so- I DID mention in numerous threads before that Copyright, etc. is only as good as the legal effort you can muster to defend your IP rights.

    I don't buy this as a reason, mind- because the people in question are still infringing and making it free as in beer won't change the situation any more than it is now. You have to go after them for their infringements- licenses don't change this. If it were the case, MS (or any other BSA members, for that matter) wouldn't be so worried about piracy of their products...
    • "Considering that in EACH of those cases, the software IS distributed, they could have went after the offenders."

      Selling or distributing an appliance is not against the license. You are selling the hardware with the free software installed on it. You can even make changes to the software so long as you release the modified code. This is exactly how the Cobalt RAQ servers were sold. They sold hardware and a proprietary web based GUI wrapper that configured the GPL'd web server applications. Nothing illegal a
  • What did happen to xfree86 project when they changed thier licensing?
    Well, I just assume the same will happen with nessus, except if there is no interest in nessus when there was on an X server.
  • Sad day (Score:3, Interesting)

    by Cally (10873) on Thursday October 06, 2005 @05:17PM (#13734297) Homepage
    Dang, I just submitted this. Ah well, perhaps I'll get a dupe... it'll take a few hours to get to the top of the submissions stack, perhaps Taco will be posting by then ;)

    Anyway, speaking as a long-term user of Nessus, I have had direct personal benefit from it being Free; it enabled me to get familiar with it on my home network which (along with snort, nmap, ipf, tcpdump and a load of other Free stuff) enabled me to move into network security five years ago. Of course, it's Renaud's code and it's his right to release it under whatever licence he wants; but it's a shame. Let's hope someone's prepared to fork the GPL'd v2 codebase and start adding the improvements it needs.

    Of course, I'm assuming that all the plug-in authors are happy with this. When Tenable released a closed-source Windows port (NEWT) I queried the position on a mailing list somewhere, I forget the outcome but it seemed odd to me. It seems really unlikely that Tenable would do this without the plug-in authors' agreement,.. anyone got info on that?

    With my 'Free s/w zealot' hat on, I have to say that it'll be interesting to see how the community responds to this. In my copy of the FSZH (FS Zealot's Handbook... version 2 or later :) it says that a benefit of GPL licensing is that the community can pick up and continue with the remaining GPL'd source. Are there any coders out there interested and motivated enough to pick up the GPL'd project? It'll be interesting to see. Fingers crossed....

  • by ShatteredDream (636520) on Thursday October 06, 2005 @05:19PM (#13734323) Homepage
    Open source software has worked pretty well in areas that provide services such as operating systems, development tools and server software because in those areas the people who need them also need support and have a vested interest that they are aware of in supporting the tools they use. I don't think that desktop software which is typically sold, however, works well in that respect. Most users have no reason to believe that they have a vested interest in supporting OpenOffice and I would bet that if Sun dropped their support the project would implode.

    Let's be serious about this. The GPL provides **no** protection to companies whose business model is built on selling software that doesn't need support contracts or anything like that. If selling software is your business, then the GPL is basically a suicide pact for your company and the same applies to all other open source licenses because your competition can repackage your millions and billions of R&D dollars/Euros/Yet/etc. and you get... precisely what?

    It's funny how much having a girlfriend that you are working toward marrying and realizing that your idealism cannot feed your children will change your perspective on open source software. I like Linux, love Tomcat and am eager to give PostgreSQL a shot and I run my own nightly builds of Firefox, Thunderbird and Sunbird on my Windows laptop, so I am definitely not some fanboy for either side. So let me just say this to most of the zealots: OSS is never going to win in the long run because developers have families to support and will not slit the throat of the goose that lays the golden eggs (though sometimes they seem a little bit like bronze) that pay the bills and support one's spouse and children.

    Get to that point and you'll realize that Microsoft is good because they create work for you. Same thing with Oracle, Sun, IBM, etc. Infrastructure can and in some areas should be open. However, no one is going to make money on open sourcing things like Quicken or TurboTax and other common user apps unless they are utterly useless without some expensive services provided by the company that makes them. How else are they going to make money, eh? We ought to eliminate software patents and EULAs, those are things the OSS movement is right about. However, the OSS movement if successful (and I doubt it will be in the long run) will end up making it very hard to make money in software development and maintanence. Good for this company that they realized that before it was too late. I'm glad that they chose to protect their employees and stockholders instead of pursuing Stallman's dream of a world in which software developers effectively cannot make a living directly off their code.
    • I recently heard a statistic that the majority of programming jobs are for code that will only ever be used internally to the company. General Mills, Hormel, etc. - All sorts of big companies have internal programming teams. For these people, OSS isn't so much detrimental as irrelevant.
    • The GPL provides **no** protection to companies whose business model is built on selling software that doesn't need support contracts or anything like that. If selling software is your business, then the GPL is basically a suicide pact for your company and the same applies to all other open source licenses because your competition can repackage your millions and billions of R&D dollars/Euros/Yet/etc. and you get... precisely what?

      Welcome to a disruptive technology. Guess what? New things happen.

      • by aafiske (243836) on Thursday October 06, 2005 @06:10PM (#13734838)
        I'm not sure why rude, off-base replies like this get modded up. You seem to have missed the point, adrift in a sea of cliches as you were. The grandparent poster was saying that the OSS approach will not work very well for software that cannot be supplied as a service. There is no incentive for a company such as that to open source at all. If the company meets competition in the form of OSS developers, then yes, the free market will decide who will survive. I believe it is the grandparent's contention that overall, closed-source will win these battles because in the end, people would like to make a living doing what they're doing and as such, the good engineers will end up with the companies.
    • However, the OSS movement if successful (and I doubt it will be in the long run) will end up making it very hard to make money in software development and maintanence.

      The money is made in doing custom modifications of the software.

      Anyway, nothing prevents FOSS and proprietary software, sans software patents, from coexisting stabily.

      The GPL isn't necessarily the best license for all software, as well. Non-commercial use/commercial dual licensing might have been better for the project.
    • There is some merit to what you say. I believe that open source as a sound development process has been way over hyped by ESR (Eric Raymond), who has done a terrific job in convincing business persons ad developers alike with his papers and thanks to his eloquence and enthusiasm. In practice, very few open source users contribute code, partly because it's very hard to understand code written by other which most of the time undocumented, or simply because they lack time, or have other priorities. Nearly all
  • Then by the terms of the GPL, they no longer have any permission from the copyright holder to copy the software at all, except for purposes commensurate with what is allowed by "fair use copying". It does not seem to me that fair use would qualify in this case.

    Such copying of copyrighted works without permission is copyright infringement, and is, I'm afraid, quite against the law. The copyright holders can press charges for infringement at their leisure, and could probably win (since there is now docum

  • by ivoras (455934) <(ivoras) (at) (fer.hr)> on Thursday October 06, 2005 @05:24PM (#13734368) Homepage
    Why isn't anybody looking at it from *their* perspective: A small, young-ish company tried to make a great product but failed to remain financially viable with the GPL license. Free-as-in-speech code is all well and great but at the end of the day, philosophy doesn't pay the bills.

    Or is everyone scared that all the "You can't actually make money with GPL" rumours are true (especially for small start-ups)? ;)

    • Considering that... (Score:3, Interesting)

      by Svartalf (2997)
      They have a batch of closed-source product offerings like NeWT (Closed, for NT/XP only...), NeVO, etc. that are priced at rather HIGH pricings so that people just simply can't afford the damn stuff unless they're as big as someone like IBM, TI, etc., it's no small wonder that they're hurting financially.

      Sentiments aside, they look to be a small player that priced themselves out of the overall market, hoping to score support contracts for an Open Source project that was to showcase their abilities and hoping
  • by r2q2 (50527)
    How long until a fork of the currently released nessus source code becomes available? Closing it's source is absolutly ludacrist when a deriviative project could easily become available.
  • They gave it away already. They can create a proprietary branch, but taking something out of the public domain requires large bribes to congress. It amazes me that folks still use the GPL. I attribute it to mental laziness and hokey religeons (w/ ancient weapons).

    Perl's Artistic License [perl.org] and the Apache License [apache.org] are better licenses.

    BTW - I am a lawyer and this is personal opinion, NOT a legal opinion.
  • by Random BedHead Ed (602081) on Thursday October 06, 2005 @05:39PM (#13734516) Homepage Journal

    Contrary to a number of comments I'm already reading, Tenable Network Security can do this, as long as they control the copyright to the entire body of work. This would be impossible for some GPL-licensed software for which the copyrights to separate contributions are owned by their contributors. If I am not mistaken, I think Linux falls into this category, so Linux could not be taken out of the GPL unless everyone who holds copyrights over the many parts of the source code all agree on the new license. Won't happen.

    For software that is copyrighted by a single entity, be it an individual or a company, the license can easily be changed. However, anyone who obtained the software under the terms of the previous license cannot have the rights that were granted revoked. This means if you downloaded the software and source at any time before the license change, congratulations. You have the GPL'd project in a relatively recent state, and the GPL applies.

    This presents an opportunity to fork a GPL version. If enough people are interested, the fork can eclipse the original project, as X.org did to XFree86 when the latter changed its license.

  • by Anonymous Asskicker (6554) on Thursday October 06, 2005 @05:44PM (#13734560) Homepage
    A month ago I submitted a story (rejected, alas) about Tenable intentionally breaking the GPL version of Nessus:

    When the 2.2.5 version of Nessus [nessus.org] was released, Brian Weaver (formerly of OpenNMS [opennms.org] fame) was puzzled why the GPL version wouldn't scan. After hacking through the source code, Weave found the answer: strong evidence suggesting Tenable Security [tenablesecurity.com], the sponsors of the GPL version of Nessus as well as a commercial version, deliberately crippled the GPL version of Nessus [spellweaver.org]. With stunts like this, would you trust Tenable to protect your network?

    • With stunts like this, would you trust Tenable to protect your network?

      No.

      As I've already mentioned [slashdot.org], Renaud has never considered his project to be under the GPL. Oh sure, he knew it was under it, but flaming anyone and everyone that he suspected of "working at a company" or "using nessus for profit" or "doing anything that didn't meet Renaud's fancy" was not exactly uncommon.

      The reason that there's not a serious community around nessus is Renaud.
  • by EraserMouseMan (847479) on Thursday October 06, 2005 @05:47PM (#13734596)
    Yep, this is just one real-life example of why Open Source can only work for some situations but simply does not make sense for others. At the end of the day developers have to eat and have shelter (and provide such for their spouse/children) too.

    Most people understand this principle. But the OSS activists seem to believe that smart developers can donate forever and should be totally selfless. Why is it only the developers? Developers who spent many years of their lives learning to be experts at their complex trade (programming) are expected to donate. Yet the typical help-desk types are "allowed" to charge for their consulting services when they pop a CD in a drive and install the OSS software for a client.

    I'll admit, I'm a software developer. But, I know OSS activist guys who charge companies $100/hr consulting fees to implement OSS solutions that they don't pay a dime for. These guys are walking in to a firm, spending a day setting up a PHP server (or whatever) and walking out with a fat-ass paycheck.

    But when a developer wants to charge for the software he writes the OSS community of activists starts hissing at him and brand him with some sort of corporate greed type crap.

    Can somebody please explain this OSS-mentality inconsistency????
  • open source killer (Score:4, Insightful)

    by mikers (137971) on Thursday October 06, 2005 @05:55PM (#13734683)
    What some open source zealots, and the vast majority of open source "consumers" don't recognize is that programmers need to eat to. Until these "consumers" stop taking advantage of open source, and start paying... Open source will stay in Microsoft's (and other big corporations) shadow, and very likely even shrink.

    Nessus is not the first, and not the last. Even Hans Reiser has this problem:
    See here... [kerneltrap.org] Hans Reiser: Doing GPL work is doing charity work [...] That should be and could be changed, but for now it is so. I have done my share of charity, and I would not have a problem doing proprietary work. I think people should keep their lives in balance, and that includes balancing charity work and better paid work. ... It is not an easy life, I am $200k or more in debt and drive a 1989 CRX Si.

    Here is another: Mute file sharing [sourceforge.net]. Not sure how long this experiment will last.

    And one more: Daniel Robbins founded Gentoo linux, went bankrupt, got job at Microsoft [gentoo.org]

    Either help these programmers feed themselves and their families, or expect other big and large profile projects to disappear and become pay-for-play.

    I love open source, and contribute money to many projects -- but open source will just prove to be a fad that will start to wear thin on programmers as they get into debt and can't feed their families. The business case for open source software longterm survival is weak, unforunately.

    m

    • What some open source zealots, and the vast majority of open source "consumers" don't recognize is that programmers need to eat to. Until these "consumers" stop taking advantage of open source, and start paying... Open source will stay in Microsoft's (and other big corporations) shadow, and very likely even shrink.

      The problem is not the GPL, or free software, the problem is one company with a business model that didn't work.

      Saying that a piece or software can't be good unless you throw money at it is j
  • by swmccracken (106576) on Thursday October 06, 2005 @07:01PM (#13735290) Homepage
    At least one person - Dana Epp - alleges that there is a REASON why there are no ouside contributions to the scanning core engine:

    http://silverstr.ufies.org/blog/archives/000864.ht ml [ufies.org]

    Dana alleges there wasn't much give and take between Nessus and "the community" which discouraged any contributors.

    [In 2002] "I was about a quarter of the way complete the port [to windows] when I ran into some issues with the NASL scripting and I tried to contact Renaud and his crew to point out some issues I found. The help I got? Squat. Nothing. Barely even communicated with me. I only ever got a couple of email responses saying "I was free to do it" when I asked if I could do it in the first place, and a follow up to an issue I found with a quick thanks."

    • by Zaurus (674150) on Thursday October 06, 2005 @11:24PM (#13736636)
      I'll give you THE REASON why there wasn't much of a community around nessus:

      Renaud

      Yes, that's right. Renaud himself. Schizophrenic, anti-social, flaming Renaud. Let me illustrate:

      A few years ago the company I worked for wanted to provide Nessus scanning as a service to people. The CEO himself wanted us to be good citizens in the OSS community (he was a techie before he got into management) so, not quite understanding the GPL, he personally sent an email to Renaud asking if it was ok to do such a thing. He basically got "ya, sure. just tell people that you use nessus" as a response. Of course, providing a service using stuff under the GPL is perfectly legal, regardless of whether or not you modify source code (which we never got around to doing anyway).

      Fast-forward a few months. We're creating the service. We join the mailing lists and start asking a couple questions. Almost instantly Renaud flips out. To paraphrase: WHAT THE ____ DO YOU THINK YOU ARE DOING USING NESSUS? WHO THE ____ DO YOU THINK YOU ARE? COMPANIES CAN'T USE NESSUS TO PROVIDE SERVICES! ESPECIALLY IF YOU CHARGE FOR IT! SUPER-ESPECIALLY IF YOU MANAGE TO MAKE A PROFIT (and don't give us a large cut)

      Ya, ok. Whatever. Renaud subsequently (in emails to our CEO) threatened legal action against us for things such as "using nessus." Legal improbabilities aside, that totally spooked management and alienated myself and the rest of the development team. Several of us have participated in other OSS projects through irc, mailing lists, forums, contributing patches, reporting bugs, etc. Such OSS participation is generally well-received. With nessus, not one of us who ever tried to participate in its "community" ever felt welcome in the least. To the contrary, every time we dipped our collective toe in nessus's pool, we came away with frostbite.

      Renaud appears to have finally woken up to the legal ramifications of having put nessus under the GPL. Namely, he can't dictate what others can and can't do outside the confines of the license. If any of you are considering using nessus in the future, I highly recommend going through his license with a fine-tooth comb. When he sells out to SCO [so he can actually get his threats into the courts and the news], you will want to know how many of your vital organs, children, and relatives that they are going to go after.

      I say, GOOD RIDDANCE NESSUS.
  • Sussen? (Score:3, Interesting)

    by samj (115984) * <samj@samj.net> on Thursday October 06, 2005 @07:12PM (#13735361) Homepage
    I was about to go kick off Sussen [sussen.org] but it seems MMG Security [mmgsecurity.com] have beaten me to it:

    Created On:24-Dec-2004 01:24:29 UTC
    Last Updated On:26-Sep-2005 11:55:35 UTC
    Expiration Date:24-Dec-2006 01:24:29 UTC

    They've just released on 26 September 2005; hopefully it's a fork of Nessus rather than an unimaginative name for a new project, but I suspect the latter.

    Who the fsck are Tenable anyway? I haven't heard of them before today and with any luck I won't hear of them again. If they didn't like the license they should not have released their Intellectual Property under it, and then someone else would have and they wouldn't have enjoyed the free publicity. Have they not seen how well MySQL is doing off the back of an Open Source product? Sounds to me like the problem isn't with the license...

    This raises an interesting question about vulnerability scanning though... who could really care less about the scanning engine or how long it takes - the patterns are where it's at; so long as we keep the patterns up to date security doesn't suffer at the hands of this greedy company.

    Incidentally, I like the way they're still advertising Nessus as 'THE Open Source Vulnerability Scanner' on their site [tenablesecurity.com].
  • by X.25 (255792) on Thursday October 06, 2005 @08:51PM (#13735929)
    He even had to contact people around (who found security bugs) and ask them to check if Nessus check was valid for certain vulnerability. He did contact me twice, and I did test/review the check, but I never contributed anything to Nessus.

    Why?

    In all honesty - because of the reason I went out of "security business". It became a business, where every idiot would try to take a "piece of security cake", even if they were complete idiots without clue about anything related to security. Or more precise - "it became a business".

    Although I adore Nessus, and used it on few occasions (prefer to do things "by hand" :), I simply never wanted to make it easier for those idiots to perform tasks they were not intended to do, in the first place.

    I admire Renaud for actually surviving this long with GPL license, and I sure admire his dedication to Nessus.

    He is right for doing this, and I wish him all the best.
  • A little background (Score:5, Interesting)

    by brennz (715237) on Friday October 07, 2005 @05:05AM (#13737855)
    I think many of us in the security community have always had the feeling that Tenable was less than forthcoming about their plans. I can remember many a security colleague mentioning things to me about the people behind Nessus. It was that sort of hushed tones, something is wrong kind of thing. Being the skeptic, I initially discounted those conversations.

    Later on, Tenable started to make commercial only modifications. The truth started to come out.

    Lets get this straight - the only reason why many of us chose Nessus was because it was Free & OSS. We could have just as easily chosen other tools to use instead. The commercial vulnerability scanners of the earlier era were far better at that time.

    Now they want to change? Good luck.

    I'm looking forward to whatever OSS tool takes the place of Nessus.

    Oh and another thing too, on setting the record straight. Tenable might be the sole authors of the core scanning engine, but they definitely benefited *GREATLY* from external plugin authors.

I'm a Lisp variable -- bind me!

Working...