Nessus Closes Source
JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because its competition is simply repackaging their product. Deraison writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.
So (provided there are interested developers), the last GPL-licensed version will likely be forked and a new project formed... I'd guess "gnessus".
SATAN and SAINT appear to be gone. Now Nessus. What other projects are out there for security auditing tools? This is not a good trend.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
This sort of thing almost always results in someone making a fork. Is there really so little OSS involvement that a GPL fork (from the most recent GPL version) would not be able to compete with the closed app?
# cat
Damn, my RAM is full of llamas.
Hopefully, the time will come when Renaud and crew feel that they can re-open the code, possibly under GPLv3.
This is not a "loophole in the GPL". It is exactly how the GPL, and similar OSS licenses are intended to work. If you don't want other people freely using, modifying, and even selling your software, then do not open source it.
Also, it seems rather rich that they are selling a product that depends on a number of other OSS projects (expat, gettext, gmake, libiconv, libtool) and complaining about people making money off their code.
- H
Open source software has worked pretty well in areas that provide services such as operating systems, development tools and server software because in those areas the people who need them also need support and have a vested interest that they are aware of in supporting the tools they use. I don't think that desktop software which is typically sold, however, works well in that respect. Most users have no reason to believe that they have a vested interest in supporting OpenOffice and I would bet that if Sun dropped their support the project would implode.
Let's be serious about this. The GPL provides **no** protection to companies whose business model is built on selling software that doesn't need support contracts or anything like that. If selling software is your business, then the GPL is basically a suicide pact for your company, and the same applies to all other open source licenses, because your competition can repackage your millions and billions of R&D dollars/Euros/Yen/etc. and you get... precisely what?
It's funny how much having a girlfriend that you are working toward marrying and realizing that your idealism cannot feed your children will change your perspective on open source software. I like Linux, love Tomcat and am eager to give PostgreSQL a shot and I run my own nightly builds of Firefox, Thunderbird and Sunbird on my Windows laptop, so I am definitely not some fanboy for either side. So let me just say this to most of the zealots: OSS is never going to win in the long run because developers have families to support and will not slit the throat of the goose that lays the golden eggs (though sometimes they seem a little bit like bronze) that pay the bills and support one's spouse and children.
Get to that point and you'll realize that Microsoft is good because they create work for you. Same thing with Oracle, Sun, IBM, etc. Infrastructure can and in some areas should be open. However, no one is going to make money on open sourcing things like Quicken or TurboTax and other common user apps unless they are utterly useless without some expensive services provided by the company that makes them. How else are they going to make money, eh? We ought to eliminate software patents and EULAs; those are things the OSS movement is right about. However, the OSS movement, if successful (and I doubt it will be in the long run), will end up making it very hard to make money in software development and maintenance. Good for this company that they realized that before it was too late. I'm glad that they chose to protect their employees and stockholders instead of pursuing Stallman's dream of a world in which software developers effectively cannot make a living directly off their code.
Click here or a puppy gets stomped!
But sometimes I think the authors of popular open-source software see their user base and think "gee, what if I had $59 from each user!"... when in fact, "free" is their main competitive advantage and the only reason they have users in the first place. Charging for software licenses might save them, but it might just wipe them off the map.
At least one person - Dana Epp - alleges that there is a REASON why there are no outside contributions to the scanning core engine:
http://silverstr.ufies.org/blog/archives/000864.html
Dana alleges there wasn't much give and take between Nessus and "the community" which discouraged any contributors.
[In 2002] "I was about a quarter of the way complete the port [to windows] when I ran into some issues with the NASL scripting and I tried to contact Renaud and his crew to point out some issues I found. The help I got? Squat. Nothing. Barely even communicated with me. I only ever got a couple of email responses saying "I was free to do it" when I asked if I could do it in the first place, and a follow up to an issue I found with a quick thanks."
Nothing; Tenable is a software dev house, not a marketing firm. So to set themselves apart, they decided to no longer allow the competition to use their code. Sounds like a sensible business plan to me.
While I love the GPL, it's not for everything. There are some cases where it's just not profitable to give away your main product. This appears to be one of them. If you can come up with a better business plan that involves leaving the product GPLed, I'd be glad to hear it.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
I'll give you THE REASON why there wasn't much of a community around nessus:
Renaud
Yes, that's right. Renaud himself. Schizophrenic, anti-social, flaming Renaud. Let me illustrate:
A few years ago the company I worked for wanted to provide Nessus scanning as a service to people. The CEO himself wanted us to be good citizens in the OSS community (he was a techie before he got into management) so, not quite understanding the GPL, he personally sent an email to Renaud asking if it was ok to do such a thing. He basically got "ya, sure. just tell people that you use nessus" as a response. Of course, providing a service using stuff under the GPL is perfectly legal, regardless of whether or not you modify source code (which we never got around to doing anyway).
Fast-forward a few months. We're creating the service. We join the mailing lists and start asking a couple questions. Almost instantly Renaud flips out. To paraphrase: WHAT THE ____ DO YOU THINK YOU ARE DOING USING NESSUS? WHO THE ____ DO YOU THINK YOU ARE? COMPANIES CAN'T USE NESSUS TO PROVIDE SERVICES! ESPECIALLY IF YOU CHARGE FOR IT! SUPER-ESPECIALLY IF YOU MANAGE TO MAKE A PROFIT (and don't give us a large cut)
Ya, ok. Whatever. Renaud subsequently (in emails to our CEO) threatened legal action against us for things such as "using nessus." Legal improbabilities aside, that totally spooked management and alienated myself and the rest of the development team. Several of us have participated in other OSS projects through irc, mailing lists, forums, contributing patches, reporting bugs, etc. Such OSS participation is generally well-received. With nessus, not one of us who ever tried to participate in its "community" ever felt welcome in the least. To the contrary, every time we dipped our collective toe in nessus's pool, we came away with frostbite.
Renaud appears to have finally woken up to the legal ramifications of having put nessus under the GPL. Namely, he can't dictate what others can and can't do outside the confines of the license. If any of you are considering using nessus in the future, I highly recommend going through his license with a fine-tooth comb. When he sells out to SCO [so he can actually get his threats into the courts and the news], you will want to know how many of your vital organs, children, and relatives that they are going to go after.
I say, GOOD RIDDANCE NESSUS.
With stunts like this, would you trust Tenable to protect your network?
No.
As I've already mentioned, Renaud has never considered his project to be under the GPL. Oh sure, he knew it was under it, but flaming anyone and everyone that he suspected of "working at a company" or "using nessus for profit" or "doing anything that didn't meet Renaud's fancy" was not exactly uncommon.
The reason that there's not a serious community around nessus is Renaud.
Yes, they will (and are) scrambling. But not because they have little understanding of the underlying code. No, that's trivial. The real value is in all the updates, signatures, definitions of various vulnerabilities, etc. People come up with them all the time, and nessus always has the latest & greatest, and everyone else seems to be weeks, if not months behind. Unless, of course, they are building on top of nessus as the engine, in which case they are always up to speed.
I have some firsthand familiarity with this. I know of a company that essentially built their whole business around nessus as the core of their product. They added tons of bells and whistles to it, packaged it nicely, made it user-friendly, and shipped it. For a lot of money. Sounds silly, but I think they had a good product -- it actually made network security manageable. Just knowing what is vulnerable on your network is not good enough. In fact, if the network is of any appreciable size, that's not good at all. You need to filter out tons of noise -- false positives, things that you know are vulnerable but you do not care about for one reason or another -- need to do some basic triaging, and be able to monitor trends and tendencies over time. So, there's a great need for a good presentation layer on top of nessus, and several companies recognized that need and built their business models on that. And that was good, it was really, really needed.
Then, a couple of years ago it became harder to get nessus updates. Nessus started detecting scrapers that were getting latest nasl updates and banning them. Then they started licensing those updates differently, I think, so it was harder for closed-source companies to use them. So, that company started rewriting newer NASLs in a "clean room" environment to stay in the legal clean waters. While the practice was silly, it made sense -- it was either that, or GPL the whole thing, and they could not figure out how to build a viable business plan if they were to GPL their whole product. I must admit that this is a very challenging, and at times an impossible task. I must say that I applaud them for going through all that extra effort to stay clean and respect the GPL -- a lot of other people do not do so.
So, has nessus just dropped a bombshell on all those companies that were building their stuff on top of its engine? Not really. The change has been coming for quite some time. Recent NASLs haven't been available for a while under a liberal license. In fact, I think that new software features and bugfixes in version 3 are not even all that important or needed. Signatures and definitions for newer vulnerabilities are. So, all those companies had ample time to change, if they wanted to. The company I was referring to did a good job, as far as I know -- they added a bunch of features beyond what nessus provided -- various network discovery, some windows-specific stuff, etc. I do not know much about what they are doing now, but I know that they worked hard to shift from a nessus-wrapper to a product that could stand on its own. And, to the best of my knowledge, they succeeded. Some others did not see the writing on the wall. So, they wasted time and this change of license will be the latest nail in their coffins. Stuff happens. Don't feel sorry for them. Nessus departing from the GPL is a sad fact of life, but... it's understandable. They can do it. And freeloaders deserve little compassion.
just my 2c...
Jobs? Which jobs?
I think many of us in the security community have always had the feeling that Tenable was less than forthcoming about their plans. I can remember many a security colleague mentioning things to me about the people behind Nessus. It was that sort of hushed tones, something is wrong kind of thing. Being the skeptic, I initially discounted those conversations.
Later on, Tenable started to make commercial only modifications. The truth started to come out.
Let's get this straight - the only reason why many of us chose Nessus was because it was Free & OSS. We could have just as easily chosen other tools to use instead. The commercial vulnerability scanners of the earlier era were far better at that time.
Now they want to change? Good luck.
I'm looking forward to whatever OSS tool takes the place of Nessus.
Oh and another thing too, on setting the record straight. Tenable might be the sole authors of the core scanning engine, but they definitely benefited *GREATLY* from external plugin authors.