Slashdot Mirror
Nessus Closes Source
JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because it's competition is simply repackaging their product. Deraison's writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.
That's *the* valid excuse. They were in fact drinking the kool-aid - they believed that by contributing to the codebase, that it would make everyone's project stronger. As it happened, they kept giving and the competition kept taking. The community didn't give back.
I agree, though, they could have written a license that gave other companies the right to reuse the code for non-commercial uses only, and that would have been a better compromise.
If their competitors were just repackaging their software, they should have put some massive bugs in it.
So (provided there are interested developers), the last GPL-licensed version will likely be forked and a new project formed... I'd guess "gnessus".
SATAN and SAINT appear to be gone. Now Nessus. What other projects are out there for security auditing tools? This is not a good trend.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Or rather, using the GPL as it was intended, to prevent vendor lock-in.
This sort of thing almost always results in someone making a fork. Is there really so little OSS involvement that a GPL fork (from the most recent GPL version) would not be able to compete with the closed app?
# cat
Damn, my RAM is full of llamas.
Hopefully, the time will come when Renaud and crew feel that they can re-open the code, possibly under GPLv3.
People haven't contributed anything special to the scanning engine. They would have to strip that out, but as already mentioned, it was no biggie. They hold the rest of the copyright, and are legally allowed to change the licence, but they cannot restrict any usage of previously released source code.
Dvorak on Doomtech
The "loophole" is an intended result of the GPL. Since this is it's purpose it makes no sense to call it a "loophole" whether you like or dislike the GPL.
In any case, they are perfectly free to do this. They are also free to release the source code in a way that does not have this "loophole", such as by using normal copyright. Equating "being able to see the source" with "GPL" is a bit of FUD.
That's not a loophole, that's how it's supposed to work.
He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL.
His code, his rules. As long as he's not including code that others contributed under the GPL, that is.
The question is, has he either cleared the code, acquired copyright, or licensed it from the authors?
Lacking <sarcasm> tags,
From their indication that they haven't seen any significant help in six years, we can presume that the third possibility is unlikely.
And, of course, old versions will still remain under the GPL (happily).
Throw the bums out!
They cant go "closed source" - they've licensed it under the GPL. Unless they rewrite the app from scratch, or remove any code from parties that havent agreed to the new license... If linus wanted to close-source linux all the sudden, he couldnt do it either.
That's actually not true at all. They still own the code, the GPL is a license, not relinquishing ownership. What they can't do is use any code contributed by anyone outside the company. That code they'll have to re-write since it's licensed under the GPL and doesn't belong to them.
And obviously, the existing version cant be relicensed either. The latest release under the GPL is stuck there from now until forever.
They can't relinquish the license of course. Anyone that wants to take that code and maintain it themselves is obviously free to do so.
AccountKiller
This is not a "loophole in the GPL". It is exactly how the GPL, and similar OSS licenses are intended to work. If you don't want other people freely using, modifying, and even selling your software, then do not open source it.
Also, it seems rather rich that they are selling a product that depends on a number of other OSS projects (expat, gettext, gmake, libiconv, libtool) and complaining about people making money off their code.
- H
I think you misunderstand. It is their program. The owner of the program can have multiple licences. The GPL gives non-owners specific rights and specific requirements, none of those licences necessarily have the same effect on the owner as it does the user.
While they can't "take back" the versions that are already out there, but the copyright owners themselves can make a variation and not release the source of the variation.
Open source software has worked pretty well in areas that provide services such as operating systems, development tools and server software because in those areas the people who need them also need support and have a vested interest that they are aware of in supporting the tools they use. I don't think that desktop software which is typically sold, however, works well in that respect. Most users have no reason to believe that they have a vested interest in supporting OpenOffice and I would bet that if Sun dropped their support the project would implode.
Let's be serious about this. The GPL provides **no** protection to companies whose business model is built on selling software that doesn't need support contracts or anything like that. If selling software is your business, then the GPL is basically a suicide pact for your company and the same applies to all other open source licenses because your competition can repackage your millions and billions of R&D dollars/Euros/Yet/etc. and you get... precisely what?
It's funny how much having a girlfriend that you are working toward marrying and realizing that your idealism cannot feed your children will change your perspective on open source software. I like Linux, love Tomcat and am eager to give PostgreSQL a shot and I run my own nightly builds of Firefox, Thunderbird and Sunbird on my Windows laptop, so I am definitely not some fanboy for either side. So let me just say this to most of the zealots: OSS is never going to win in the long run because developers have families to support and will not slit the throat of the goose that lays the golden eggs (though sometimes they seem a little bit like bronze) that pay the bills and support one's spouse and children.
Get to that point and you'll realize that Microsoft is good because they create work for you. Same thing with Oracle, Sun, IBM, etc. Infrastructure can and in some areas should be open. However, no one is going to make money on open sourcing things like Quicken or TurboTax and other common user apps unless they are utterly useless without some expensive services provided by the company that makes them. How else are they going to make money, eh? We ought to eliminate software patents and EULAs, those are things the OSS movement is right about. However, the OSS movement if successful (and I doubt it will be in the long run) will end up making it very hard to make money in software development and maintanence. Good for this company that they realized that before it was too late. I'm glad that they chose to protect their employees and stockholders instead of pursuing Stallman's dream of a world in which software developers effectively cannot make a living directly off their code.
Click here or a puppy gets stomped!
Or is everyone scared that all the "You can't actually make money with GPL" rumours are true (especially for small start-ups)? ;)
-- Sig down
Choice 1) Pay (a likely non-existent) legal team huge amounts of cash to come up with a new license that is legally sound in all of the respects that need to be accounted for in their position.
Choice 2) Close source code.
Seems to make sense to me...
The FSF says nothing about the GPL and community giveback. It says only that the GPL exists to give users freedoms to use and modify software. Indeed, "The freedom to use a program means the freedom for any kind of person or organization to use it on any kind of computer system, for any kind of overall job, and without being required to communicate subsequently with the developer or any other specific entity." (emphasis mine)
Penny - plain text accounting
Is this Kool-aid free as in beer or free as in openCola?
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I responded for the Nmap Security Scanner project yesterday. We aren't planning to follow suit. Nmap has been GPL since its release more than 8 years ago and I am happy with that license.
I agree that this is not a good trend, and the question is how to reverse it. It is important to note a key reason Renaud gave: the lack of community involvement. It is easy to take the open source tools we depend on for granted, and forget that open source is a two way street. The bazaar model doesn't work so well with everyone taking and not contributing back. In the Nessus response, I suggest a few ways that programmers and non-programmers can support projects they use and enjoy. Rather than mope over the loss of open source Nessus, we can treat this as a call to action and a reminder not to take valuable open source software such as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.
Meanwhile, I know at least one group of experienced open source programmers that is preparing to announce a new open source vulnerability scanner project or Nessus fork. It would be encouraging for such a fork to succeed.
-Fyodor
Contrary to a number of comments I'm already reading, Tenable Network Security can do this, as long as they control the copyright to the entire body of work. This would be impossible for some GPL-licensed software for which the copyrights to separate contributions are owned by their contributors. If I am not mistaken, I think Linux falls into this category, so Linux could not be taken out of the GPL unless everyone who holds copyrights over the many parts of the source code all agree on the new license. Won't happen.
For software that is copyrighted by a single entity, be it an individual or a company, the license can easily be changed. However, anyone who obtained the software under the terms of the previous license cannot have the rights that were granted revoked. This means if you downloaded the software and source at any time before the license change, congratulations. You have the GPL'd project in a relatively recent state, and the GPL applies.
This presents an opportunity to fork a GPL version. If enough people are interested, the fork can eclipse the original project, as X.org did to XFree86 when the latter changed its license.
When the 2.2.5 version of Nessus was released, Brian Weaver (formerly of OpenNMS fame) was puzzled why the GPL version wouldn't scan. After hacking through the source code, Weave found the answer: strong evidence suggesting Tenable Security, the sponsors of the GPL version of Nessus as well as a commercial version, deliberately crippled the GPL version of Nessus. With stunts like this, would you trust Tenable to protect your network?
Yep, this is just one real-life example of why Open Source can only work for some situations but simply does not make sense for others. At the end of the day developers have to eat and have shelter (and provide such for their spouse/children) too.
Most people understand this principle. But the OSS activists seem to believe that smart developers can donate forever and should be totally selfless. Why is it only the developers? Developers who spent many years of their lives learning to be experts at their complex trade (programming) are expected to donate. Yet the typical help-desk types are "allowed" to charge for their consulting services when they pop a CD in a drive and install the OSS software for a client.
I'll admit, I'm a software developer. But, I know OSS activist guys who charge companies $100/hr consulting fees to implement OSS solutions that they don't pay a dime for. These guys are walking in to a firm, spending a day setting up a PHP server (or whatever) and walking out with a fat-ass paycheck.
But when a developer wants to charge for the software he writes the OSS community of activists starts hissing at him and brand him with some sort of corporate greed type crap.
Can somebody please explain this OSS-mentality inconsistency????
What some open source zealots, and the vast majority of open source "consumers" don't recognize is that programmers need to eat to. Until these "consumers" stop taking advantage of open source, and start paying... Open source will stay in Microsoft's (and other big corporations) shadow, and very likely even shrink.
... It is not an easy life, I am $200k or more in debt and drive a 1989 CRX Si.
Nessus is not the first, and not the last. Even Hans Reiser has this problem:
See here... Hans Reiser: Doing GPL work is doing charity work [...] That should be and could be changed, but for now it is so. I have done my share of charity, and I would not have a problem doing proprietary work. I think people should keep their lives in balance, and that includes balancing charity work and better paid work.
Here is another: Mute file sharing. Not sure how long this experiment will last.
And one more: Daniel Robbins founded Gentoo linux, went bankrupt, got job at Microsoft
Either help these programmers feed themselves and their families, or expect other big and large profile projects to disappear and become pay-for-play.
I love open source, and contribute money to many projects -- but open source will just prove to be a fad that will start to wear thin on programmers as they get into debt and can't feed their families. The business case for open source software longterm survival is weak, unforunately.
m
I agree - in principle - but principle doesn't put food in your mouth or pay the rent.
These guys did a wonderful job. Six years contributing to software that was obviously so good that other people could make money off it. Its one thing to work on an open source project in your spare time, or to be employed by one of the few companies that can leverage free software to make money, but these guys aren't. So unless you are working on the kernel, on samba or one of maybe a dozen other projects, you can't give up your day job.
Maybe by closing the source, one of their competitors will buy them out and they will have enough money to live on and write open source code. Rather than berating these guys for leaving the fold, thank them profusely for the six years of hard work.
If you don't like it, fork it. Once GPLed, always GPLed, and only V3 and above is going closed.
Norman Cook's Ode to Sl
Open Source cuts into software revenue whether we like it or not. If somebody expects to Open Source their product and then earn a living from selling licenses, well they don't understand Open Source. Actually I tend to think they are living in a dream world! The key to Open Source is added value, and not sales of software. Obviously their competition understood that and created devices!
Their call that using devices is a GPL loophole is pure BS. If somebody sells a device with the software and does not make any changes then they are entitled to that. If they change the sources then the sources have to be made available and I am sure that they did. The point is that somebody was clever enough to create a device that maybe they should have in the first place!
Here is a question, if the person's competition was making money on GPL, why couldn't he? Oh yeah he wanted to sell software and only sell software! Here's my prediction, that he will bankrupt himself after close-sourcing the software and blame it on the Open Source community!
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
Free as in Jim Jones
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
This is one of the counter-arguments used against the GPL. When people start crying "Everything should be OSS", here's a case to point to of it not working.
The GPL does create problems for commercial viability in many cases. You spend tons of time and money developing something, others then market the solutions for it, you get squat in return. This is a problem. The "Well make money selling support" argument doesn't work when others are selling the support better than you can.
Now, perhaps you are inclined to think this is fine. They are better at it, so they should make the money right? Except the only reason they can, is that you put in the up front investemant to actually make the software.
What this will lead to is people deciding that open source is not the way to go, or at least GPL-style open source. If it just leads to other people making money off of your hard work, it'll really turn people off to it.
But sometimes I think the authors of popular open-source software see their user base and think "gee, what if I had $59 from each user!"... when in fact, "free" is their main competitive advantage and the only reason they have users in the first place. Charging for software licenses might save them, but it might just wipe them off the map.
At least one person - Dana Epp - alleges that there is a REASON why there are no ouside contributions to the scanning core engine:
t ml
http://silverstr.ufies.org/blog/archives/000864.h
Dana alleges there wasn't much give and take between Nessus and "the community" which discouraged any contributors.
[In 2002] "I was about a quarter of the way complete the port [to windows] when I ran into some issues with the NASL scripting and I tried to contact Renaud and his crew to point out some issues I found. The help I got? Squat. Nothing. Barely even communicated with me. I only ever got a couple of email responses saying "I was free to do it" when I asked if I could do it in the first place, and a follow up to an issue I found with a quick thanks."
The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license.
I have to disagree. I'm a CISA (certified information security auditor) and have used Nessus in audits. About a year ago, I provided feedback regarding Nessus's tendency to damage production services, even in safe mode. These occurances were not Nessus's fault, but rather the consequence of very poor coding in various network devices. Often Nessus would cause old HP printers (HP Laserjet III was notoriously vulnerable), cheap network fax appliances, and in a couple of cases, Sonicwall firewalls to completely lose their configurations and reset to defaults. 10+ year old printers have a bit of an excuse in my book, but Sonicwall, which advertises as a security product, had no legitimate justification for this behavior. We were able to confirm this from outside Nessus scans as well.
I began reporting this behavior to the Nessus group and suggested a database of vulnerable devices to prevent analysts from getting in repeated hot water. The Tenable folks were not responsive at all and indicated their fear of civil liability due to potential disparagement of network equipment vendors products. Although I referenced numerous other sites, as well as the alternate "compatible device" approach which countless operating systems take, the idea was ignored. I did receive numerous emails from other analysts who had the same concerns.
Teneble has done a good job pushing away its user base and unfortunately moves into a hypercompetitive world of better proprietary tools. I wonder if there's an impatient VC pulling their strings.
I'll definitely support any open source effort that continues with the GPL code. How about calling it Hindmost (for all the Ringworld fanatics out there).
*scoove*
I'll give you THE REASON why there wasn't much of a community around nessus:
Renaud
Yes, that's right. Renaud himself. Schizophrenic, anti-social, flaming Renaud. Let me illustrate:
A few years ago the company I worked for wanted to provide Nessus scanning as a service to people. The CEO himself wanted us to be good citizens in the OSS community (he was a techie before he got into management) so, not quite understanding the GPL, he personally sent an email to Renaud asking if it was ok to do such a thing. He basically got "ya, sure. just tell people that you use nessus" as a response. Of course, providing a service using stuff under the GPL is perfectly legal, regardless of whether or not you modify source code (which we never got around to doing anyway).
Fast-forward a few months. We're creating the service. We join the mailing lists and start asking a couple questions. Almost instantly Renaud flips out. To paraphrase: WHAT THE ____ DO YOU THINK YOU ARE DOING USING NESSUS? WHO THE ____ DO YOU THINK YOU ARE? COMPANIES CAN'T USE NESSUS TO PROVIDE SERVICES! ESPECIALLY IF YOU CHARGE FOR IT! SUPER-ESPECIALLY IF YOU MANAGE TO MAKE A PROFIT (and don't give us a large cut)
Ya, ok. Whatever. Renaud subsequently (in emails to our CEO) threatened legal action against us for things such as "using nessus." Legal improbabilities aside, that totally spooked management and alienated myself and the rest of the development team. Several of us have participated in other OSS projects through irc, mailing lists, forums, contributing patches, reporting bugs, etc. Such OSS participation is generally well-received. With nessus, not one of us who ever tried to participate in its "community" ever felt welcome in the least. To the contrary, every time we dipped our collective toe in nessus's pool, we came away with frostbite.
Renaud appears to have finally woken up to the legal ramifications of having put nessus under the GPL. Namely, he can't dictate what others can and can't do outside the confines of the license. If any of you are considering using nessus in the future, I highly recommend going through his license with a fine-tooth comb. When he sells out to SCO [so he can actually get his threats into the courts and the news], you will want to know how many of your vital organs, children, and relatives that they are going to go after.
I say, GOOD RIDDANCE NESSUS.
With stunts like this, would you trust Tenable to protect your network?
No.
As I've already mentioned, Renaud has never considered his project to be under the GPL. Oh sure, he knew it was under it, but flaming anyone and everyone that he suspected of "working at a company" or "using nessus for profit" or "doing anything that didn't meet Renaud's fancy" was not exactly uncommon.
The reason that there's not a serious community around nessus is Renaud.
I think many of us in the security community have always had the feeling that Tenable was less than forthcoming about their plans. I can remember many a security colleague mentioning things to me about the people behind Nessus. It was that sort of hushed tones, something is wrong kind of thing. Being the skeptic, I initially discounted those conversations.
Later on, Tenable started to make commercial only modifications. The truth started to come out.
Lets get this straight - the only reason why many of us chose Nessus was because it was Free & OSS. We could have just as easily chosen other tools to use instead. The commercial vulnerability scanners of the earlier era were far better at that time.
Now they want to change? Good luck.
I'm looking forward to whatever OSS tool takes the place of Nessus.
Oh and another thing too, on setting the record straight. Tenable might be the sole authors of the core scanning engine, but they definitely benefited *GREATLY* from external plugin authors.