Slashdot Mirror


Nessus Closes Source

JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because its competition is simply repackaging their product. Deraison writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.

31 of 394 comments

  1. GPL Kool-aid by Liselle · · Score: 1, Interesting
    "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that."
    Call me crazy, but since they can close the source, doesn't that mean they can release the source under a license that doesn't have this loophole? Barring that, they can roll their own. I guess maybe this is some kind of "magic loophole" that their lawyers are powerless to prevent.
    "...they were reaping no benefit from using the GPL."
    Free as in beer is cool and all that, but if one excuse for dumping GPL is that they aren't getting any benefits in the way of free code, I guess they weren't really drinking the Kool-aid in the first place, eh?
    --
    Auto-reply to ACs: "Truly, you have a dizzying intellect."
    1. Re:GPL Kool-aid by Anonymous Coward · · Score: 1, Interesting

      > they kept giving and the competition kept taking. The community didn't give back.

      Heh, every once in a while I think, "I should really contribute something to the OSS community because their efforts have helped my business so much." It's usually followed by, "Nah, I need to concentrate on keeping my business alive."

    2. Re:GPL Kool-aid by timeOday · · Score: 4, Interesting
      Maybe by closing the source, one of their competitors will buy them out and they will have enough money to live on and write open source code.
      Maybe, and you can't blame them for changing strategies when status quo fails.

      But sometimes I think the authors of popular open-source software see their user base and think "gee, what if I had $59 from each user!"... when in fact, "free" is their main competitive advantage and the only reason they have users in the first place. Charging for software licenses might save them, but it might just wipe them off the map.

  2. hmm by epiphani · · Score: 1, Interesting

    They can't go "closed source" - they've licensed it under the GPL. Unless they rewrite the app from scratch, or remove any code from parties that haven't agreed to the new license... If Linus wanted to close-source Linux all of a sudden, he couldn't do it either.

    So.. are they ripping everything else out, or are they rewriting from scratch?

    And obviously, the existing version can't be relicensed either. The latest release under the GPL is stuck there from now until forever.

  3. nessus is dead, long live gnessus? by nanop · · Score: 5, Interesting

    So (provided there are interested developers), the last GPL-licensed version will likely be forked and a new project formed... I'd guess "gnessus".

    1. Re:nessus is dead, long live gnessus? by robla · · Score: 4, Interesting

      > So a project which was getting very little contribution from the OSS community is going to be forked into a different project that will get all sorts of support from the OSS community?

      Yup. Funny how that works. It happened that way with SourceForge/GForge. It sorta happened with NCSA httpd -> Apache. Probably a handful of other examples out there.

      It'll probably evolve from the needs of the Debian package maintainer needing an "upstream" for security patches, etc. Or maybe Gentoo, Fedora, etc. You get the idea. I use Debian as an example because they'll need something that continues to satisfy the DFSG. Thus, if Nessus is still going to remain, it'll eventually need to be updated.

    2. Re:nessus is dead, long live gnessus? by Anonymous Coward · · Score: 1, Interesting

      So a project which was getting very little contribution from the OSS community is going to be forked into a different project that will get all sorts of support from the OSS community?

      Actually Nessus was kept from community support through licensing provisions that straddled the fence. It was intentionally crippled enough to keep the legitimate open source integrators away, yet Tenable didn't satisfy the need expressed on the low-end.

      Nessus does not compete with many of the higher end proprietary solutions, such as eEye's analyzer. However, there is a significant market for an analyzer well under the several thousand cost. Unfortunately, Tenable didn't understand its market. It attracted the base with the loss leader strategy but failed to offer the next step up via affordable license and left that to other integrators who took their source and released it on an affordable appliance. This is a good indication that the market still refers to your product as an inferior good, and relevant pricing strategies should have been used.

      Now Tenable is screwed. They are pricing themselves against the high-end analyzers without a product to match. It's like charging $5 for knockoff store brand "toastable pastries" when the Pop Tart brand is $3. Most of the decision makers in the security assessment world prefer Windows, and a Linux server analyzer won't ever see the light of day in larger managed security firms. Tenable's only hope was to sneak under the radar and gain a large market, then move upward. Instead, they'll lose their mass market play to a certain code fork and end up with close to zero install base, zero community support, and zero progress against the high end.

      You can't pull the MySQL bait & switch without a product that has an installed base and beats the competition in price/performance.

  4. So what's left?? by eno2001 · · Score: 5, Interesting

    SATAN and SAINT appear to be gone. Now Nessus. What other projects are out there for security auditing tools? This is not a good trend.

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
    1. Re:So what's left?? by tgd · · Score: 4, Interesting

      One can only hope this one disappears. Anyone who has been on the receiving end of a security audit done by some dork who lives in his parents' basement who hung out a shingle as a security analyst and basically only runs Nessus without any interpretation can tell you what a HUGE false-positive rate it's got. I know how much time *I* waste responding to them, it's staggering to think how much time throughout the industry is wasted because of them.

      Security tools like SATAN and NESSUS (and even tools like NMAP) are a poor substitute for someone who knows what they're doing, and just make being secure harder for everyone who has to deal with them.

  5. Fork? by bcmm · · Score: 3, Interesting

    This sort of thing almost always results in someone making a fork. Is there really so little OSS involvement that a GPL fork (from the most recent GPL version) would not be able to compete with the closed app?

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  6. Well, this has been coming for some time... by cowbutt · · Score: 5, Interesting
    As someone who encouraged a former employer to pay for a Nessus support contract when it was voluntary, someone who personally contributed a minor enhancement to the engine, and as someone who actually used Nessus professionally (i.e. manually verifying the results it gave, rather than selling the reports as-is to customers), I've been pretty disgusted by the way competitors have abused Renaud's generosity.

    Hopefully, the time will come when Renaud and crew feel that they can re-open the code, possibly under GPLv3.

  7. You do not get Open Source. by RevDigger · · Score: 5, Interesting

    This is not a "loophole in the GPL". It is exactly how the GPL, and similar OSS licenses are intended to work. If you don't want other people freely using, modifying, and even selling your software, then do not open source it.

    Also, it seems rather rich that they are selling a product that depends on a number of other OSS projects (expat, gettext, gmake, libiconv, libtool) and complaining about people making money off their code.

    -- H

    1. Re:You do not get Open Source. by rastos1 · · Score: 2, Interesting

      I don't get it. They modify the source and profit from doing so. I understand that they distribute compiled modified GPL source. And GPL says, they can't do that without publishing the modified source. They are clearly in violation of GPL.

  8. Sad day by Cally · · Score: 2, Interesting
    Dang, I just submitted this. Ah well, perhaps I'll get a dupe... it'll take a few hours to get to the top of the submissions stack, perhaps Taco will be posting by then ;)

    Anyway, speaking as a long-term user of Nessus, I have had direct personal benefit from it being Free; it enabled me to get familiar with it on my home network which (along with snort, nmap, ipf, tcpdump and a load of other Free stuff) enabled me to move into network security five years ago. Of course, it's Renaud's code and it's his right to release it under whatever licence he wants; but it's a shame. Let's hope someone's prepared to fork the GPL'd v2 codebase and start adding the improvements it needs.

    Of course, I'm assuming that all the plug-in authors are happy with this. When Tenable released a closed-source Windows port (NEWT) I queried the position on a mailing list somewhere, I forget the outcome but it seemed odd to me. It seems really unlikely that Tenable would do this without the plug-in authors' agreement... anyone got info on that?

    With my 'Free s/w zealot' hat on, I have to say that it'll be interesting to see how the community responds to this. In my copy of the FSZH (FS Zealot's Handbook... version 2 or later :) it says that a benefit of GPL licensing is that the community can pick up and continue with the remaining GPL'd source. Are there any coders out there interested and motivated enough to pick up the GPL'd project? It'll be interesting to see. Fingers crossed....

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  9. Maybe an OSS future isn't that bright after all by ShatteredDream · · Score: 4, Interesting

    Open source software has worked pretty well in areas that provide services such as operating systems, development tools and server software because in those areas the people who need them also need support and have a vested interest that they are aware of in supporting the tools they use. I don't think that desktop software which is typically sold, however, works well in that respect. Most users have no reason to believe that they have a vested interest in supporting OpenOffice and I would bet that if Sun dropped their support the project would implode.

    Let's be serious about this. The GPL provides **no** protection to companies whose business model is built on selling software that doesn't need support contracts or anything like that. If selling software is your business, then the GPL is basically a suicide pact for your company and the same applies to all other open source licenses because your competition can repackage your millions and billions of R&D dollars/Euros/Yen/etc. and you get... precisely what?

    It's funny how much having a girlfriend that you are working toward marrying and realizing that your idealism cannot feed your children will change your perspective on open source software. I like Linux, love Tomcat and am eager to give PostgreSQL a shot and I run my own nightly builds of Firefox, Thunderbird and Sunbird on my Windows laptop, so I am definitely not some fanboy for either side. So let me just say this to most of the zealots: OSS is never going to win in the long run because developers have families to support and will not slit the throat of the goose that lays the golden eggs (though sometimes they seem a little bit like bronze) that pay the bills and support one's spouse and children.

    Get to that point and you'll realize that Microsoft is good because they create work for you. Same thing with Oracle, Sun, IBM, etc. Infrastructure can and in some areas should be open. However, no one is going to make money on open sourcing things like Quicken or TurboTax and other common user apps unless they are utterly useless without some expensive services provided by the company that makes them. How else are they going to make money, eh? We ought to eliminate software patents and EULAs, those are things the OSS movement is right about. However, the OSS movement if successful (and I doubt it will be in the long run) will end up making it very hard to make money in software development and maintenance. Good for this company that they realized that before it was too late. I'm glad that they chose to protect their employees and stockholders instead of pursuing Stallman's dream of a world in which software developers effectively cannot make a living directly off their code.

    1. Re:Maybe an OSS future isn't that bright after all by aafiske · · Score: 4, Interesting

      I'm not sure why rude, off-base replies like this get modded up. You seem to have missed the point, adrift in a sea of cliches as you were. The grandparent poster was saying that the OSS approach will not work very well for software that cannot be supplied as a service. There is no incentive for a company such as that to open source at all. If the company meets competition in the form of OSS developers, then yes, the free market will decide who will survive. I believe it is the grandparent's contention that overall, closed-source will win these battles because in the end, people would like to make a living doing what they're doing and as such, the good engineers will end up with the companies.

  10. Considering that... by Svartalf · · Score: 2, Interesting

    They have a batch of closed-source product offerings like NeWT (Closed, for NT/XP only...), NeVO, etc. that are priced at rather HIGH prices so that people just simply can't afford the damn stuff unless they're as big as someone like IBM, TI, etc., it's no small wonder that they're hurting financially.

    Sentiments aside, they look to be a small player that priced themselves out of the overall market, hoping to score support contracts for an Open Source project that was to showcase their abilities and hoping to sell at least a handful of this other stuff at an unrealistic $9-10k per instance. The closest thing that competes in price is only $4k and there's other solutions that ARE cheaper.

    The reality is that Nessus will probably be forked, Tenable will keep sliding into the hole not because of the GPL but because of their own pricing themselves out of the market, and life will probably just go on all the same.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  11. They can't "close the source" by FishCalledOscar · · Score: 2, Interesting

    They gave it away already. They can create a proprietary branch, but taking something out of the public domain requires large bribes to congress. It amazes me that folks still use the GPL. I attribute it to mental laziness and hokey religions (w/ ancient weapons).

    Perl's Artistic License and the Apache License are better licenses.

    BTW - I am a lawyer and this is personal opinion, NOT a legal opinion.

    --
    What? Me? Sig?
  12. Of course you can! by Anonymous Coward · · Score: 1, Interesting

    Of course it is possible for a small startup to make money from GPLed software. Martin Roesch of SourceFire/Snort fame just made $225 million thanks to the GPLed Snort software that he developed. Also, Renaud at Nessus claims that all these other small companies and startups are making money from Nessus by selling and renting appliances, thereby depriving him of the revenue.

    But, the thing to remember is that while any company could make money, not every company will make money. In fact the vast majority of startups fail regardless of whether they rely on selling GPLed software or selling hamburgers. We only hear about the successful ones because the losers are not interesting and then mistakenly extrapolate this into thinking that all or most startups are successful. It isn't like that and it has nothing to do with the GPL.

    Renaud's company has failed so far, but he cites his loophole exploiting competitors as the cause. One must therefore ask, why didn't Renaud sell/rent appliances? Why didn't Renaud use the fact that he developed the software and has greater expertise to distinguish his company above the others? Why does Renaud only want to sell software that, up until now, was free? And finally, why make the binary version available for free but close the source when the competitors can still sell/rent appliances with the free binary versions?

    The scary thing about this is a risk that has been pointed out in the past. The risk is that a GPLed project will use the resources of the community to develop an application for a company which will then close the source and reap the rewards of other peoples' work. This is a risk that is countered by the GPL folks by saying well they can't take away GPLed code. This is true, of course. But, the companies can take away the meaningful development work and disrupt the project so badly that it stagnates and dies. This is what is happening with Nessus and Snort right this very moment.

  13. Re:Moral of this Story and Nmap Response by Adammil2000 · · Score: 2, Interesting

    I consider security software to be drop-dead boring, but a necessity. If others think like me, then that can explain lack of community involvement.

  14. WHY there were no contributions: by swmccracken · · Score: 4, Interesting

    At least one person - Dana Epp - alleges that there is a REASON why there are no outside contributions to the scanning core engine:

    http://silverstr.ufies.org/blog/archives/000864.html

    Dana alleges there wasn't much give and take between Nessus and "the community" which discouraged any contributors.

    [In 2002] "I was about a quarter of the way complete the port [to windows] when I ran into some issues with the NASL scripting and I tried to contact Renaud and his crew to point out some issues I found. The help I got? Squat. Nothing. Barely even communicated with me. I only ever got a couple of email responses saying "I was free to do it" when I asked if I could do it in the first place, and a follow up to an issue I found with a quick thanks."

  15. Re:The choice was probably about cost... by damiam · · Score: 4, Interesting
    > Honestly, when the source is equal, what did he really think would set his product apart from the competition?

    Nothing; Tenable is a software dev house, not a marketing firm. So to set themselves apart, they decided to no longer allow the competition to use their code. Sounds like a sensible business plan to me.

    While I love the GPL, it's not for everything. There are some cases where it's just not profitable to give away your main product. This appears to be one of them. If you can come up with a better business plan that involves leaving the product GPLed, I'd be glad to hear it.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  16. Sussen? by samj · · Score: 2, Interesting

    I was about to go kick off Sussen but it seems MMG Security have beaten me to it:

    Created On:24-Dec-2004 01:24:29 UTC
    Last Updated On:26-Sep-2005 11:55:35 UTC
    Expiration Date:24-Dec-2006 01:24:29 UTC

    They've just released on 26 September 2005; hopefully it's a fork of Nessus rather than an unimaginative name for a new project, but I suspect the latter.

    Who the fsck are Tenable anyway? I haven't heard of them before today and with any luck I won't hear of them again. If they didn't like the license they should not have released their Intellectual Property under it, and then someone else would have and they wouldn't have enjoyed the free publicity. Have they not seen how well MySQL is doing off the back of an Open Source product? Sounds to me like the problem isn't with the license...

    This raises an interesting question about vulnerability scanning though... who could really care less about the scanning engine or how long it takes - the patterns are where it's at; so long as we keep the patterns up to date security doesn't suffer at the hands of this greedy company.

    Incidentally, I like the way they're still advertising Nessus as 'THE Open Source Vulnerability Scanner' on their site.

  17. Its a big freekin pitcher... by Psarchasm · · Score: 2, Interesting

    That's *the* valid excuse. They were in fact drinking the kool-aid - they believed that by contributing to the codebase, that it would make everyone's project stronger. As it happened, they kept giving and the competition kept taking. The community didn't give back.

    I guess they didn't gain anything from Linux, libwhisker, nmap, Bugzilla (MPL, I know - but they use it, and the argument still works), or any of the countless other open source projects. Why is it that coders always feel they don't get their just rewards? Why ever release under the GPL to begin with? Didn't gain anything... pfft.

    Nessus gained a reputation as a premier vulnerability scanner because it was open and free -- period. Nessus isn't terribly more special than Retina or ISS Internet Scanner. Look up "vulnerability scanner" in Google and your first hit is Nessus because it was free AND open. Had it just been free it never would have gotten off the ground. Seems to me Linux probably wouldn't have gotten very far either. Hey, it's their code (I guess), so they can do what they want with it. I guess they just weren't making enough of their own black box implementation - but they'll need to have some insane tricks up their sleeves if they think they'll make money against whoever forks Nessus 2.x and keeps it free.

    Hell the only reason anyone buys ISS's scanner is because it ties in with their whole SiteProtector line.

    *shrug*

    Some people do manage to make some money from their open source projects... SourceFire. Odd day in open source security land.

    --
    http://windows.scares.us
    1. Re:Its a big freekin pitcher... by Mr. Underbridge · · Score: 2, Interesting
      > I guess they didn't gain anything from Linux, libwhisker, nmap, Bugzilla (MPL, I know - but they use it, and the argument still works), or any of the countless other open source projects. Why is it that coders always feel they don't get their just rewards? Why ever release under the GPL to begin with? Didn't gain anything... pfft.

      For them, those are the benefits of free (gratis) software. In this case - their *project* - the GPL didn't work because it didn't foster collaboration. No one else was working on it. Since that is the very point of free (libre) software, there was no benefit to this project being GPL'd. Since it was hurting their business, they had little reason to keep the thing open.

      No brainer decision, really.

  18. That's not the half of it. by Zaurus · · Score: 5, Interesting

    I'll give you THE REASON why there wasn't much of a community around nessus:

    Renaud

    Yes, that's right. Renaud himself. Schizophrenic, anti-social, flaming Renaud. Let me illustrate:

    A few years ago the company I worked for wanted to provide Nessus scanning as a service to people. The CEO himself wanted us to be good citizens in the OSS community (he was a techie before he got into management) so, not quite understanding the GPL, he personally sent an email to Renaud asking if it was ok to do such a thing. He basically got "ya, sure. just tell people that you use nessus" as a response. Of course, providing a service using stuff under the GPL is perfectly legal, regardless of whether or not you modify source code (which we never got around to doing anyway).

    Fast-forward a few months. We're creating the service. We join the mailing lists and start asking a couple questions. Almost instantly Renaud flips out. To paraphrase: WHAT THE ____ DO YOU THINK YOU ARE DOING USING NESSUS? WHO THE ____ DO YOU THINK YOU ARE? COMPANIES CAN'T USE NESSUS TO PROVIDE SERVICES! ESPECIALLY IF YOU CHARGE FOR IT! SUPER-ESPECIALLY IF YOU MANAGE TO MAKE A PROFIT (and don't give us a large cut)

    Ya, ok. Whatever. Renaud subsequently (in emails to our CEO) threatened legal action against us for things such as "using nessus." Legal improbabilities aside, that totally spooked management and alienated myself and the rest of the development team. Several of us have participated in other OSS projects through irc, mailing lists, forums, contributing patches, reporting bugs, etc. Such OSS participation is generally well-received. With nessus, not one of us who ever tried to participate in its "community" ever felt welcome in the least. To the contrary, every time we dipped our collective toe in nessus's pool, we came away with frostbite.

    Renaud appears to have finally woken up to the legal ramifications of having put nessus under the GPL. Namely, he can't dictate what others can and can't do outside the confines of the license. If any of you are considering using nessus in the future, I highly recommend going through his license with a fine-tooth comb. When he sells out to SCO [so he can actually get his threats into the courts and the news], you will want to know how many of your vital organs, children, and relatives that they are going to go after.

    I say, GOOD RIDDANCE NESSUS.

  19. Only the beginning of their stunts... by Zaurus · · Score: 3, Interesting

    > With stunts like this, would you trust Tenable to protect your network?

    No.

    As I've already mentioned, Renaud has never considered his project to be under the GPL. Oh sure, he knew it was under it, but flaming anyone and everyone that he suspected of "working at a company" or "using nessus for profit" or "doing anything that didn't meet Renaud's fancy" was not exactly uncommon.

    The reason that there's not a serious community around nessus is Renaud.

  20. Re:The choice was probably about cost... by yonyonson · · Score: 2, Interesting

    What about a partnership? While the other security company offers appliance solutions using Nessus, the Nessus developers could write better and more focused releases to accommodate the business demand. Seems like a win-win to me. Any other thoughts?

  21. Re:Competitors by vladkrupin · · Score: 3, Interesting

    Yes, they will (and are) scrambling. But not because they have little understanding of the underlying code. No, that's trivial. The real value is in all the updates, signatures, definitions of various vulnerabilities, etc. People come up with them all the time, and nessus always has the latest & greatest, and everyone else seems to be weeks, if not months behind. Unless, of course, they are building on top of nessus as the engine, in which case they are always up to speed.

    I have some firsthand familiarity with this. I know of a company that essentially built their whole business around nessus as the core of their product. They added tons of bells and whistles to it, packaged it nicely, made it user-friendly, and shipped it. For a lot of money. Sounds silly, but I think they had a good product -- it actually made network security manageable. Just knowing what is vulnerable on your network is not good enough. In fact, if the network is of any appreciable size, that's not good at all. You need to filter out tons of noise -- false positives, things that you know are vulnerable but you do not care about for one reason or another, need to do some basic triaging, and be able to monitor trends and tendencies over time. So, there's a great need for a good presentation layer on top of nessus, and several companies recognized that need and built their business models on that. And that was good, it was really, really needed.

    Then, a couple of years ago it became harder to get nessus updates. Nessus started detecting scrapers that were getting latest nasl updates and banning them. Then they started licensing those updates differently, I think, so it was harder for closed-source companies to use them. So, that company started rewriting newer NASLs in a "clean room" environment to stay in the legal clean waters. While the practice was silly, it made sense -- it was either that, or GPL the whole thing, and they could not figure out how to build a viable business plan if they were to GPL their whole product. I must admit that this is a very challenging, and at times an impossible task. I must say that I applaud them for going through all that extra effort to stay clean and respect the GPL -- a lot of other people do not do so.

    So, has nessus just dropped a bombshell on all those companies that were building their stuff on top of its engine? Not really. The change has been coming for quite some time. Recent NASLs haven't been available for a while under a liberal license. In fact, I think that new software features and bugfixes in version 3 are not even all that important or needed. Signatures and definitions for newer vulnerabilities are. So, all those companies had ample time to change, if they wanted to. The company I was referring to did a good job, as far as I know -- they added a bunch of features beyond what nessus provided -- various network discovery, some windows-specific stuff, etc. I do not know much about what they are doing now, but I know that they worked hard to shift from a nessus-wrapper to a product that could stand on its own. And, to the best of my knowledge, they succeeded. Some others did not see the writing on the wall. So, they wasted time and this change of license will be the latest nail in their coffins. Stuff happens. Don't feel sorry for them. Nessus departing from the GPL is a sad fact of life, but... it's understandable. They can do it. And freeloaders deserve little compassion.

    just my 2c...

    --
    Jobs? Which jobs?
  22. I don't get it -- or is there a flaw in reasoning? by Anonymous Coward · · Score: 1, Interesting

    I really don't get it.

    The company announces they are fine money-wise but will close its next version's source to stop all the free-loaders/previous customers that make money from simply repackaging the source.

    Therefore I currently can get the software from several distributors and if I need support I can choose between several service providers. Sounds good!

    This is a really spiteful move. I decided to put my software under the GPL and now that the GPL is actually doing its work -- customers have more choice, more distributors, more services available -- I note that choice is only good for the customers but bad for me! I earn money with my software and services but so do others, too, oh no. I lock it away. I lock my customers in. It's mine, mine! and you have no right to earn money using my hard work.

    On the argument of "nobody's contributing, buhuu":
    The argument that the other distributors are not adding code is none. Millions of people are not contributing code and still use, repackage or provide services for FOSS software. It's part of the model and often considered one of the strengths of FOSS.
    Maybe nobody contributes because the current Nessus is good enough (for my needs it is) or the contribution process is clumsy or difficult (I don't know). I guess, once the sources are closed the current version (2.2.5 I think) will be the focus of FOSS development, if there is any need.

  23. A little background by brennz · · Score: 4, Interesting

    I think many of us in the security community have always had the feeling that Tenable was less than forthcoming about their plans. I can remember many a security colleague mentioning things to me about the people behind Nessus. It was that sort of hushed tones, something is wrong kind of thing. Being the skeptic, I initially discounted those conversations.

    Later on, Tenable started to make commercial only modifications. The truth started to come out.

    Let's get this straight - the only reason why many of us chose Nessus was because it was Free & OSS. We could have just as easily chosen other tools to use instead. The commercial vulnerability scanners of the earlier era were far better at that time.

    Now they want to change? Good luck.

    I'm looking forward to whatever OSS tool takes the place of Nessus.

    Oh and another thing too, on setting the record straight. Tenable might be the sole authors of the core scanning engine, but they definitely benefited *GREATLY* from external plugin authors.