Nessus Closes Source
JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because its competition is simply repackaging their product. Deraison writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.
Hardly a "loophole" (Score:5, Informative)
In any case, they are perfectly free to do this. They are also free to release the source code in a way that does not have this "loophole", such as by using normal copyright. Equating "being able to see the source" with "GPL" is a bit of FUD.
Fair enough (Score:5, Informative)
That's not a loophole, that's how it's supposed to work.
He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL.
His code, his rules. As long as he's not including code that others contributed under the GPL, that is.
The question is, has he either cleared the code, acquired copyright, or licensed it from the authors?
Re:GPL Kool-aid (Score:2, Informative)
Along with the MOSSAD acquisition of Snort/Sourcefire.
Re:hmm (Score:5, Informative)
While they can't "take back" the versions that are already out there, the copyright owners themselves can make a variation and not release the source of the variation.
Re:Definitely worse (Score:2, Informative)
1. They get no more free code, since people can't hack on it and improve it for themselves. It appears that this has been the case for the last 6 years. Maybe the switch away from the GPL would cause people who only improve it for themselves to say "Hey, I'll participate if you let me back in!" If the people who actually do play with the source code keep the modifications to themselves, then the company might see little to no change in a year because they apparently weren't benefiting much from being open source anyway.
Moral of this Story and Nmap Response (Score:5, Informative)
I responded [seclists.org] for the Nmap Security Scanner [insecure.org] project yesterday. We aren't planning to follow suit. Nmap has been GPL since its release more than 8 years ago and I am happy with that license.
I agree that this is not a good trend, and the question is how to reverse it. It is important to note a key reason Renaud gave: the lack of community involvement. It is easy to take the open source tools we depend on for granted, and forget that open source is a two way street. The bazaar model doesn't work so well with everyone taking and not contributing back. In the Nessus response, I suggest [seclists.org] a few ways that programmers and non-programmers can support projects they use and enjoy. Rather than mope over the loss of open source Nessus, we can treat this as a call to action and a reminder not to take valuable open source software such as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.
Meanwhile, I know at least one group of experienced open source programmers that is preparing to announce a new open source vulnerability scanner project or Nessus fork. It would be encouraging for such a fork to succeed.
-Fyodor [insecure.org]
They can do it, but forks inevitable (Score:4, Informative)
Contrary to a number of comments I'm already reading, Tenable Network Security can do this, as long as they control the copyright to the entire body of work. This would be impossible for some GPL-licensed software for which the copyrights to separate contributions are owned by their contributors. If I am not mistaken, I think Linux falls into this category, so Linux could not be taken out of the GPL unless everyone who holds copyrights over the many parts of the source code all agree on the new license. Won't happen.
For software that is copyrighted by a single entity, be it an individual or a company, the license can easily be changed. However, anyone who obtained the software under the terms of the previous license cannot have the rights that were granted revoked. This means if you downloaded the software and source at any time before the license change, congratulations. You have the GPL'd project in a relatively recent state, and the GPL applies.
This presents an opportunity to fork a GPL version. If enough people are interested, the fork can eclipse the original project, as X.org did to XFree86 when the latter changed its license.
GPL Screws Tenable and Tenable Screws GPL (Score:5, Informative)
When the 2.2.5 version of Nessus [nessus.org] was released, Brian Weaver (formerly of OpenNMS [opennms.org] fame) was puzzled why the GPL version wouldn't scan. After hacking through the source code, Weaver found the answer: strong evidence suggesting Tenable Security [tenablesecurity.com], the sponsors of the GPL version of Nessus as well as a commercial version, deliberately crippled the GPL version of Nessus [spellweaver.org]. With stunts like this, would you trust Tenable to protect your network?
Re:Selling or Renting Appliances? (Score:3, Informative)
Selling or distributing an appliance is not against the license. You are selling the hardware with the free software installed on it. You can even make changes to the software so long as you release the modified code. This is exactly how the Cobalt RAQ servers were sold. They sold hardware and a proprietary web based GUI wrapper that configured the GPL'd web server applications. Nothing illegal about it.
There are tons of appliances (firewalls, anti-virus, anti-spam, intrusion detection etc.) that are nothing but Linux servers with a custom web gui running open source apps. Just like Mac OS X can include Apache as the web server and not release the code for the GUI app that controls it.
Nessus dead. Long live Hindmost (Score:5, Informative)
I have to disagree. I'm a CISA (certified information security auditor) and have used Nessus in audits. About a year ago, I provided feedback regarding Nessus's tendency to damage production services, even in safe mode. These occurrences were not Nessus's fault, but rather the consequence of very poor coding in various network devices. Often Nessus would cause old HP printers (HP Laserjet III was notoriously vulnerable), cheap network fax appliances, and in a couple of cases, Sonicwall firewalls to completely lose their configurations and reset to defaults. 10+ year old printers have a bit of an excuse in my book, but Sonicwall, which advertises as a security product, had no legitimate justification for this behavior. We were able to confirm this from outside Nessus scans as well.
I began reporting this behavior to the Nessus group and suggested a database of vulnerable devices to prevent analysts from getting in repeated hot water. The Tenable folks were not responsive at all and indicated their fear of civil liability due to potential disparagement of network equipment vendors' products. Although I referenced numerous other sites, as well as the alternate "compatible device" approach which countless operating systems take, the idea was ignored. I did receive numerous emails from other analysts who had the same concerns.
Tenable has done a good job pushing away its user base and unfortunately moves into a hypercompetitive world of better proprietary tools. I wonder if there's an impatient VC pulling their strings.
I'll definitely support any open source effort that continues with the GPL code. How about calling it Hindmost [larryniven.org] (for all the Ringworld fanatics out there).
*scoove*
He's right about contributions from community (Score:3, Informative)
Why?
In all honesty - because of the reason I went out of the "security business". It became a business, where every idiot would try to take a "piece of the security cake", even if they were complete idiots without a clue about anything related to security. Or more precisely - "it became a business".
Although I adore Nessus, and used it on a few occasions (prefer to do things "by hand"
I admire Renaud for actually surviving this long with GPL license, and I sure admire his dedication to Nessus.
He is right for doing this, and I wish him all the best.
Re:The choice was probably about cost... (Score:2, Informative)
Somebody didn't learn to read. He *can't* make his produce better
Somebody else didn't learn to read, either. Or, did you not know the difference between "Make" and "Market"? How about "produce" vs. "product"? When criticizing somebody's ability to read, it's important to be sure you read it yourself. If you criticize spelling, make sure your spelling is good. Otherwise, you just come out looking like a dumbass.