Nessus 3.0 Released

duplo1 writes: Tenable Security has announced the release of Nessus 3.0. Nessus is an enterprise-level vulnerability scanner, and this new version brings a complete rewrite of the Nessus engine, redesigned for increased speed and efficiency and running, on average, twice as fast as Nessus 2. From the release: "In addition to gaining dramatic improvements in performance, Tenable also provides an optional Direct Feed subscription service for Nessus 3.0 which provides immediate access to new vulnerability checks and entitles Nessus 3.0 users to commercial support from Tenable. The Tenable Plugins include support for a rating methodology called Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."
  • To be fair... (Score:4, Insightful)

    by victorhooi ( 830021 ) on Tuesday December 13, 2005 @06:10AM (#14245207)
    Guys, lay off the slagging, ok?

    I mean, seriously, it's been GPL all these years, the developers were putting in the hours and the hard work (and don't give me that c*ap about community contributions, because in relative terms, there wasn't really any).

    And they were suffering because people were essentially taking their work and simply rebranding it and selling it as their own. Isn't it only fair that Tenable themselves should now have the opportunity to sell what is, after all, predominantly their work?

    I'm quite sick of all these GPL-fanatical twits going on about how evil Tenable is for doing what any reasonable person would have done. It's a wonder that Tenable put up with all the other companies selling their work for as long as they did.

    Also, guys, lay off the whole "haha, we slashdotted your server" cracks... I mean, what can possibly stand before the might of /., huh? Sun, eBay, Amazon, all of these petty masses shall cower before us, for we shall crush them under teh (sic) boot of our T1 1337-ness....

    cya,
    Victor

  • by Anonymous Coward on Tuesday December 13, 2005 @06:53AM (#14245285)
    Another fine example of the typical hippie/commie Slashdotter mentality.

    Where do you people get off with this entitlement? The application was free for a long time!!! Did any of you tards bother to help them out? Version 2 is still out there. Free! You don't like Tenable changing the license? Go freaking fork version 2 and do something useful other than bitching about someone else's hard work!!!

    What a bunch of whiners.
  • by Kjella ( 173770 ) on Tuesday December 13, 2005 @07:49AM (#14245402) Homepage
    If it hadn't been for rebranding issues, (IMO a fault with the GPL), nessus would still be open source.

    If your OSS business model relies on someone else not slapping their logo on it and selling it, then you have the wrong business model. It is not a fault with the GPL, and I'd be very worried if the GPL started making demands on when or if you could fork a project. I can sell "Mynix computers with Mohawk web server, YourSQL database and MyHP scripting language" (= LAMP) any day of the week, I doubt anyone would buy it. As long as the rebranders were respecting the GPL, it is Nessus' fault for not getting through to their customers about who is the source of this tool, and whom to support if they want it to continue. If you can't make any money other than on product sale, perhaps OSS is not for you. I'd much rather accept that than to see the GPL expand to become something like a "look, but don't touch" model.
  • by hug_the_penguin ( 933796 ) on Tuesday December 13, 2005 @08:37AM (#14245536) Homepage
    Except for the license, which apparently took a major step backwards.

    So it's crap because of the licence? I don't buy that.

    You have no idea. Likely, people who don't regard open and free licenses as important are reading cnet etc. anyway, not slashdot.

    I regard them as a nicety, not an essential. End of the day, I want the best security across my servers, and I'd rather accept a closed source nessus with superior detection than an open source gnessus with inferior detection. (Of course if Gnessus takes off and becomes better, great stuff, I'd prefer that).

    Which is? The two page press release said nothing.

    It did say they were gaining very little benefit from being open source, very little code had been contributed, and when it happened, I remember reading it was about rebranding.

    Wrong. They chose the license and if they wanted they could've had a variant of GPL with whatever branding exceptions they wanted.

    When you go into making a product like this, you like to keep the nature of free software open; you don't go about assuming that people will take your product and rebrand it, thereby stealing your custom.

    Except for the license.

    I won't, I'll be using the forked open source version.

    So you're willing to settle for inferior security for the sake of a licence? A nicety only, security is the most important thing to their systems, you can't afford to skimp based on licence.

    The license is part of the feature set of the program. Different people regard different features as important. Some people regard a quality license as important. No surprises there.

    Naturally people will see different features as important, but I would say it was safe to assume that in security, effectiveness at creating security is the best thing, and so Nessus would win out over GNessus. Of course I'm here purely thinking from the point of view that I want my servers to stay standing for the foreseeable future...

    I don't know the situation but just as likely it's Nessus' fault for not controlling their brand with the appropriate license, open or closed, and/or providing a service that consumers would prefer over the rebranders.

    What can you provide to a free/beer product that makes it more valuable than rebrands? You can't pull closed source here because you're claiming the main fault with Nessus is that it's closed source. As for another open source licence, I agree this should have been done in the first place, but c'est la vie.

    More likely Nessus is going closed source because they've got mindshare now and they think they can make more money closed source. It's happened before. Open source for them was simply a loss leader to get free advertising.

    It would be interesting to take a look at their accounts and find out if this is indeed true.

    Sometimes it does, sometimes it doesn't. There are many motivations besides money for creating code and with 6,500,000,000+ people in the world all it takes is 0.0001% coding to get something happening.

    Yes, but there is the small fact of having to live, and 100 hours a week is hard to fit around a job providing sufficient income to live.

    Depends on the individual and whether they regard an open license as a negative, unimportant, important or essential.

    Very few people would be in the negative group, and I would say it's about 45 each on unimportant and important. Not so many regard it as essential, as you might think. There are those groups who would sacrifice security for openness, however, but they are the minority.

  • by Alexander ( 8916 ) on Tuesday December 13, 2005 @08:40AM (#14245545) Homepage
    (Sorry for the following soapbox, but I'm really tired of the profession using terms interchangeably)

    "Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."

    1.) Outside of a box infected by a Worm, how can it find a threat?

    Does it actually track down the human or natural threats?

    2.) How does it find "vulnerabilities"? Does it understand the capabilities of the threat source? Make an intuitive judgement on how skilled the attacker is? How does it measure the strengths of surrounding controls that mitigate the vulnerability?

    3.) How does it measure criticality? It instinctively knows that the IIS vuln. on the intranet blog is less critical than the same IIS vuln. on an e-commerce app?

    Perhaps what they mean is that the scanner finds weaknesses, and that the CVSS really makes an educated guess as to the *level of effort* it would require to exploit that weakness by what is in their mind the average attacker.

    Oh, well, at least they aren't claiming to find "risk".

  • by Mark Round ( 211258 ) on Tuesday December 13, 2005 @09:52AM (#14245862) Homepage
    And if I wanted to host this at our datacentre, in order to scan the systems on our network which is firewalled off from the outside world? I'd then have to shell out for additional rack space, power, etc. Not to mention that in many environments "just bung a live CD into an x86 box" won't get past upper management. Throwing additional hardware (even if it is "commodity" as you say) at it is hardly a great solution and only further encourages vendors to provide closed source solutions.

    Once the source is closed, your option of running software on the platform of your choice may be gone forever. You're then totally dependent on the developer to continue supporting your platform. You also, by extension, have to hope they never go out of business, especially if their product incorporates some sort of time-locked licensing. If they wake up one morning and decide that it's no longer economically viable to continue building their product for your platform, you're screwed. Never mind that you may have built your entire infrastructure around a certain technology, and it's not economically viable for you to jump ship to whatever the flavour of the month is; if you want to continue running closed source product X, you have to dance to the beat of the developers' drum.
  • by Anonymous Coward on Tuesday December 13, 2005 @10:05AM (#14245941)
    Once the source is closed, your option of running software on the platform of your choice may be gone forever. You're then totally dependent on the developer to continue supporting your platform.

    Well, it seems like you were before anyhow, because no one else was fucking contributing to the project! Who's running the GPL fork now? Are they maintaining and updating it to the standard that the original was? If not, do you really want to use that as the basis for your security, or do you want to use the best tool available? What's the use of there being a GPL fork if no one is maintaining it, or doing it well???

  • by millerjl ( 126046 ) on Tuesday December 13, 2005 @10:19AM (#14246011)
    According to the nessus.org site, OS X, Solaris, and Windows platforms will be supported in early 2006. So for those of us who are currently running Nessus on these platforms, we are now experiencing a minor inconvenience. In the meantime, be patient and test the software out on Linux. That way, when it comes out on your platform, you are already familiar with the changes and can implement them more effectively.
  • by Anonymous Coward on Tuesday December 13, 2005 @10:55AM (#14246406)
    Tenable is the one that put the majority of the work into CREATING the project.

    You are entitled to NOTHING. Given how the community has put very little back into the project, I can understand their position. I can't understand yours.
  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Tuesday December 13, 2005 @11:58AM (#14247111) Homepage Journal
    Not everyone will avoid anything that isn't free/libre, especially if the quality is good.

    You're probably right. Only the terminally paranoid will refuse to run a closed source vulnerability finder on their network.

    Then again, the terminally paranoid are pretty much the only audience for this software. People with trusting natures don't tend to become security auditors in the first place, and even if they do, they don't tend to make a career out of it (mainly because they lack the mindset to be truly great at it).

  • GPL bullshit (Score:2, Insightful)

    by packman ( 156280 ) on Tuesday December 13, 2005 @12:10PM (#14247253) Homepage
    Ok - title makes it sound like a troll - or whatever. Fact is, these people have to make a living. Other fact is - a lot of people made a living of their work without giving ANYTHING back.

    As you can see on their CVS servers, there are barely any external contributions. Isn't that the whole point of the GPL? Everybody profits from everybody's changes. That didn't happen, so YOU may be using Nessus 2.x without giving anything back. It's not a bad thing, but these people do this for their living. All the bitching about the morals of the whole GPL stuff; why isn't there any bitching about ripping off Nessus? It's the same thing for me as Cherry OS, which ripped off the Wine project. The only difference was, the Nessus rip-offs provided the source code, written by Tenable, and were open about it. What's the difference? They openly say "I'm a parasite, and I admit it", and it's ok by the GPL, so no problem. I would not have a problem with it if those people had contributed to the Nessus project, and I'm absolutely confident that it would still be GPL'd if this had been the case, but it isn't. Sorry, if you make money out of a project like that, the least you could do is contribute in some way to it.

    I think there's a huge difference between company-driven OSS programs, and "hobby" projects in this regard. If I would be the CEO or responsible for a company, and I suddenly see the profit go down because your biggest competitors are guys simply copying all your hard work, without giving anything back and having no development costs at all, I wouldn't hesitate for a second what to do. Do something that gives me the advantage back - and they did. Even legally, I would have to, simply to protect the rights of the share-holders, because that's the world we live in, not some kind of GPL fairy-tale.

    Now it is forked, which is an old version 1 or 2 years behind the current Nessus release. If nobody contributed to the first project, do they really believe that anybody will contribute to the "GPL" fork? Maybe in the beginning, but when all the buzz is over, forget it. The project will be buried in a few years. Most companies like plug-and-play security scanners, but paying someone to help write one? Don't forget, Nessus isn't targeted at the hobbyist's network at home, but at large enterprise-size networks. This means companies, not people, use and profit from it, either way. Why do you think there aren't any other large GPL'd network intrusion/monitoring systems? Because the geek with his 20-computer network doesn't need a tool like Nessus, but companies do. GPL is about freedom for the people for me; companies are there to make money, and if they use a tool to ensure they can make money, I think it would be perfectly normal to charge them for it in some way. GPL doesn't provide anything like this, too bad, but I perfectly understand the decision they made, no hard feelings. If I were in their shoes, I'd do the same thing.

    I also bet most of the ones bitching about it not being GPL anymore never contributed to any GPL project in any way. Stop criticizing, and start contributing to the GPL fork, but no, prolly no-one will do it anyway; spending time posting bullshit on /. is soo much more important... *sigh* It's not your right to have access to someone's work, it's a privilege. If it's abused, too bad, but don't bitch about it when the rules change due to that...

    Compare it to someone who makes doors for friends; they just need to pay for the materials, he does the work for free cause he likes it. Then he sees that a lot of people he knows want doors. He still makes them for free, but charges something to install them. Suddenly other people go fetch doors he makes for free, and start charging for installing them also, but no-one offers to help him make the doors. Doesn't that sound plain wrong to you? To me it does... If he then starts charging for a new kind of door which is more silent, but the old ones would still be for free, would you bitch about it?
    Peo
