
Nessus Closes Source

JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because its competition is simply repackaging their product. Deraison writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.
  • by (1+-sqrt(5))*(2**-1) ( 868173 ) <1.61803phi@gmail.com> on Thursday October 06, 2005 @05:03PM (#13734137) Homepage
    To that end, I've become an early adopter of the Artistic License 2.0 [perl.org], Perl 6's upcoming license. From the preamble:
    This copyright license states the terms under which a given free software Package may be copied, modified and/or redistributed, while the Originator(s) maintain some artistic control over the future development of that Package (at least as much artistic control as can be given under copyright law while still making the Package open source and free software).
  • Re:hmm (Score:5, Informative)

    by Nichotin ( 794369 ) on Thursday October 06, 2005 @05:10PM (#13734227)
    People haven't contributed anything special to the scanning engine. They would have to strip that out, but as already mentioned, it was no biggie. They hold the rest of the copyright, and are legally allowed to change the licence, but they cannot restrict any usage of previously released source code.
  • Hardly a "loophole" (Score:5, Informative)

    by spitzak ( 4019 ) on Thursday October 06, 2005 @05:11PM (#13734233) Homepage
    The "loophole" is an intended result of the GPL. Since this is its purpose it makes no sense to call it a "loophole" whether you like or dislike the GPL.

    In any case, they are perfectly free to do this. They are also free to release the source code in a way that does not have this "loophole", such as by using normal copyright. Equating "being able to see the source" with "GPL" is a bit of FUD.
  • Fair enough (Score:5, Informative)

    by overshoot ( 39700 ) on Thursday October 06, 2005 @05:11PM (#13734237)
    A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL.

    That's not a loophole, that's how it's supposed to work.

    He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL.

    His code, his rules. As long as he's not including code that others contributed under the GPL, that is.

    The question is, has he either cleared the code, acquired copyright, or licensed it from the authors?

  • Re:GPL Kool-aid (Score:2, Informative)

    by Philip K Dickhead ( 906971 ) <folderol@fancypants.org> on Thursday October 06, 2005 @05:11PM (#13734244) Journal
    It is a plot.

    Along with the MOSSAD acquisition of Snort/Sourcefire.
  • Re:hmm (Score:5, Informative)

    by Jeff DeMaagd ( 2015 ) on Thursday October 06, 2005 @05:15PM (#13734285) Homepage Journal
    I think you misunderstand. It is their program. The owner of the program can have multiple licences. The GPL gives non-owners specific rights and specific requirements, none of those licences necessarily have the same effect on the owner as it does the user.

    While they can't "take back" the versions that are already out there, the copyright owners themselves can make a variation and not release the source of the variation.
  • Re:So what's left?? (Score:4, Informative)

    by Kelson ( 129150 ) * on Thursday October 06, 2005 @05:17PM (#13734305) Homepage Journal
    SARA [www-arc.com] (Security Auditor's Research Assistant) is based on the old SATAN design.
  • Yes they can (Score:3, Informative)

    by sterno ( 16320 ) on Thursday October 06, 2005 @05:20PM (#13734326) Homepage
    Keep in mind that the GPL is assigning a license, not the copyright itself. The original copyright owner on any copyrighted code can assign a new license to the code at any time. So long as all code that was contributed has had its copyright assigned to them, they can do what they want. Otherwise they'd either have to obtain copyrights to that code now or gut that code from the product.

  • Re:Definitely worse (Score:2, Informative)

    by negative3 ( 836451 ) on Thursday October 06, 2005 @05:26PM (#13734394)
    I'm not trying to start an argument, but from TFA: "The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license. 'Virtually nobody has ever contributed anything to improve the scanning engine over the last six years,' he wrote, noting that there had been minor exceptions."

    1. They get no more free code, since people can't hack on it and improve it for themselves. It appears that this has been the case for the last 6 years. Maybe the switch away from the GPL would cause people who only improve it for themselves to say "Hey, I'll participate if you let me back in!" If the people who actually do play with the source code keep the modifications to themselves, then the company might see little to no change in a year because they apparently weren't benefiting much from being open source anyway.

  • by fv ( 95460 ) * <fyodor@insecure.org> on Thursday October 06, 2005 @05:38PM (#13734504) Homepage

    I responded [seclists.org] for the Nmap Security Scanner [insecure.org] project yesterday. We aren't planning to follow suit. Nmap has been GPL since its release more than 8 years ago and I am happy with that license.

    I agree that this is not a good trend, and the question is how to reverse it. It is important to note a key reason Renaud gave: the lack of community involvement. It is easy to take the open source tools we depend on for granted, and forget that open source is a two way street. The bazaar model doesn't work so well with everyone taking and not contributing back. In the Nessus response, I suggest [seclists.org] a few ways that programmers and non-programmers can support projects they use and enjoy. Rather than mope over the loss of open source Nessus, we can treat this as a call to action and a reminder not to take valuable open source software such as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.

    Meanwhile, I know at least one group of experienced open source programmers that is preparing to announce a new open source vulnerability scanner project or Nessus fork. It would be encouraging for such a fork to succeed.

    -Fyodor [insecure.org]

  • by Random BedHead Ed ( 602081 ) on Thursday October 06, 2005 @05:39PM (#13734516) Homepage Journal

    Contrary to a number of comments I'm already reading, Tenable Network Security can do this, as long as they control the copyright to the entire body of work. This would be impossible for some GPL-licensed software for which the copyrights to separate contributions are owned by their contributors. If I am not mistaken, I think Linux falls into this category, so Linux could not be taken out of the GPL unless everyone who holds copyrights over the many parts of the source code all agree on the new license. Won't happen.

    For software that is copyrighted by a single entity, be it an individual or a company, the license can easily be changed. However, anyone who obtained the software under the terms of the previous license cannot have the rights that were granted revoked. This means if you downloaded the software and source at any time before the license change, congratulations. You have the GPL'd project in a relatively recent state, and the GPL applies.

    This presents an opportunity to fork a GPL version. If enough people are interested, the fork can eclipse the original project, as X.org did to XFree86 when the latter changed its license.

  • by Anonymous Asskicker ( 6554 ) on Thursday October 06, 2005 @05:44PM (#13734560) Homepage
    A month ago I submitted a story (rejected, alas) about Tenable intentionally breaking the GPL version of Nessus:

    When the 2.2.5 version of Nessus [nessus.org] was released, Brian Weaver (formerly of OpenNMS [opennms.org] fame) was puzzled why the GPL version wouldn't scan. After hacking through the source code, Weaver found the answer: strong evidence suggesting Tenable Security [tenablesecurity.com], the sponsors of the GPL version of Nessus as well as a commercial version, deliberately crippled the GPL version of Nessus [spellweaver.org]. With stunts like this, would you trust Tenable to protect your network?

  • by snuf23 ( 182335 ) on Thursday October 06, 2005 @05:48PM (#13734604)
    "Considering that in EACH of those cases, the software IS distributed, they could have went after the offenders."

    Selling or distributing an appliance is not against the license. You are selling the hardware with the free software installed on it. You can even make changes to the software so long as you release the modified code. This is exactly how the Cobalt RAQ servers were sold. They sold hardware and a proprietary web based GUI wrapper that configured the GPL'd web server applications. Nothing illegal about it.
    There are tons of appliances (firewalls, anti-virus, anti-spam, intrusion detection etc.) that are nothing but Linux servers with a custom web gui running open source apps. Just like Mac OS X can include Apache as the web server and not release the code for the GUI app that controls it.
  • by Anonymous Coward on Thursday October 06, 2005 @06:11PM (#13734845)
    You're also wrong. GPL DOES NOT make code go public domain. You also 'own' copyright over your own code under the GPL and have every right to change your licence. For a lawyer, you certainly don't understand law.
  • by scoove ( 71173 ) on Thursday October 06, 2005 @07:17PM (#13735390)
    The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license.

    I have to disagree. I'm a CISA (certified information security auditor) and have used Nessus in audits. About a year ago, I provided feedback regarding Nessus's tendency to damage production services, even in safe mode. These occurrences were not Nessus's fault, but rather the consequence of very poor coding in various network devices. Often Nessus would cause old HP printers (HP Laserjet III was notoriously vulnerable), cheap network fax appliances, and in a couple of cases, Sonicwall firewalls to completely lose their configurations and reset to defaults. 10+ year old printers have a bit of an excuse in my book, but Sonicwall, which advertises as a security product, had no legitimate justification for this behavior. We were able to confirm this from outside Nessus scans as well.

    I began reporting this behavior to the Nessus group and suggested a database of vulnerable devices to prevent analysts from getting in repeated hot water. The Tenable folks were not responsive at all and indicated their fear of civil liability due to potential disparagement of network equipment vendors products. Although I referenced numerous other sites, as well as the alternate "compatible device" approach which countless operating systems take, the idea was ignored. I did receive numerous emails from other analysts who had the same concerns.

    Tenable has done a good job pushing away its user base and unfortunately moves into a hypercompetitive world of better proprietary tools. I wonder if there's an impatient VC pulling their strings.

    I'll definitely support any open source effort that continues with the GPL code. How about calling it Hindmost [larryniven.org] (for all the Ringworld fanatics out there).

    *scoove*
  • by X.25 ( 255792 ) on Thursday October 06, 2005 @08:51PM (#13735929)
    He even had to contact people around (who found security bugs) and ask them to check if Nessus check was valid for certain vulnerability. He did contact me twice, and I did test/review the check, but I never contributed anything to Nessus.

    Why?

    In all honesty - because of the reason I went out of "security business". It became a business, where every idiot would try to take a "piece of security cake", even if they were complete idiots without clue about anything related to security. Or more precise - "it became a business".

    Although I adore Nessus, and used it on few occasions (prefer to do things "by hand" :), I simply never wanted to make it easier for those idiots to perform tasks they were not intended to do, in the first place.

    I admire Renaud for actually surviving this long with GPL license, and I sure admire his dedication to Nessus.

    He is right for doing this, and I wish him all the best.
  • by mcrbids ( 148650 ) on Friday October 07, 2005 @02:50AM (#13737512) Journal
    > 3) Market your produce better than the competition.

    Somebody didn't learn to read. He *can't* make his produce better ...


    Somebody else didn't learn to read, either. Or, did you not know the difference between "Make" and "Market"? How about "produce" vs. "product"? When criticizing somebody's ability to read, it's important to be sure you read it, yourself. If you criticize spelling, make sure your spelling is good. Otherwise, you just come out looking like a dumbass ...
