Nessus Closes Source

JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because it's competition is simply repackaging their product. Deraison's writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.

Re:GPL Kool-aid

[Mr.+Underbridge]

Free as in beer is cool and all that, but if one excuse for dumping GPL is that they aren't getting any benefits in the way of free code, I guess they weren't really drinking the Kool-aid in the first place, eh?

That's *the* valid excuse. They were in fact drinking the kool-aid - they believed that by contributing to the codebase, that it would make everyone's project stronger. As it happened, they kept giving and the competition kept taking. The community didn't give back.

I agree, though, they could have written a license that gave other companies the right to reuse the code for non-commercial uses only, and that would have been a better compromise.

nessus is dead, long live gnessus?

[nanop]

So (provided there are interested developers), the last GPL-licensed version will likely be forked and a new project formed... I'd guess "gnessus".

So what's left??

[eno2001]

SATAN and SAINT appear to be gone. Now Nessus. What other projects are out there for security auditing tools? This is not a good trend.

Well, this has been coming for some time...

[cowbutt]

As someone who encouraged a former employer to pay for a Nessus support contract when it voluntary, someone who personally contributed a minor enhancement to the engine, and as someone who actually used Nessus professionally (i.e. manually verifying the results it gave, rather than selling the reports as-is to customers), I've been pretty disgusted by the way competitors have abused Renaud's generosity.

Hopefully, the time will come when Renaud and crew feel that they can re-open the code, possibly under GPLv3.

Re:hmm

[Nichotin]

People haven't contributed anything special to the scanning engine. They would have to strip that out, but as already mentioned, it was no biggie. They hold the rest of the copyright, and are legally allowed to change the licence, but they cannot restrict any usage of previously released source code.

You do not get Open Source.

[RevDigger]

This is not a "loophole in the GPL". It is exactly how the GPL, and similar OSS licenses are intended to work. If you don't want other people freely using, modifying, and even selling your software, then do not open source it.

Also, it seems rather rich that they are selling a product that depends on a number of other OSS projects (expat, gettext, gmake, libiconv, libtool) and complaining about people making money off their code.

        - H

From their perspective?

[ivoras]

Why isn't anybody looking at it from *their* perspective: A small, young-ish company tried to make a great product but failed to remain financially viable with the GPL license. Free-as-in-speech code is all well and great but at the end of the day, philosophy doesn't pay the bills.

Or is everyone scared that all the "You can't actually make money with GPL" rumours are true (especially for small start-ups)? ;)

Re:GPL Kool-aid

[massysett]

I suppose everyone is entitled to his understanding of the purpose of the GPL, but it was not my understanding that the GPL is about having a community make free improvements to one's software. My understanding is that the GPL is about giving users freedoms, not about community giveback. The FSF seems to agree.

The FSF says nothing about the GPL and community giveback. It says only that the GPL exists to give users freedoms to use and modify software. Indeed, "The freedom to use a program means the freedom for any kind of person or organization to use it on any kind of computer system, for any kind of overall job, and without being required to communicate subsequently with the developer or any other specific entity." (emphasis mine)

Free as in Kool-aid

[Thud457]

Is this Kool-aid free as in beer or free as in openCola?

Moral of this Story and Nmap Response

[fv]

I responded for the Nmap Security Scanner project yesterday. We aren't planning to follow suit. Nmap has been GPL since its release more than 8 years ago and I am happy with that license.

I agree that this is not a good trend, and the question is how to reverse it. It is important to note a key reason Renaud gave: the lack of community involvement. It is easy to take the open source tools we depend on for granted, and forget that open source is a two way street. The bazaar model doesn't work so well with everyone taking and not contributing back. In the Nessus response, I suggest a few ways that programmers and non-programmers can support projects they use and enjoy. Rather than mope over the loss of open source Nessus, we can treat this as a call to action and a reminder not to take valuable open source software such as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.

Meanwhile, I know at least one group of experienced open source programmers that is preparing to announce a new open source vulnerability scanner project or Nessus fork. It would be encouraging for such a fork to succeed.

-Fyodor

GPL Screws Tenable and Tenable Screws GPL

[Anonymous+Asskicker]

A month ago I submitted a story (rejected, alas) about Tenable intentionally breaking the GPL version of Nessus:

When the 2.2.5 version of Nessus was released, Brian Weaver (formerly of OpenNMS fame) was puzzled why the GPL version wouldn't scan. After hacking through the source code, Weave found the answer: strong evidence suggesting Tenable Security, the sponsors of the GPL version of Nessus as well as a commercial version, deliberately crippled the GPL version of Nessus. With stunts like this, would you trust Tenable to protect your network?

Re:GPL Kool-aid

[Mateito]

I agree - in principle - but principle doesn't put food in your mouth or pay the rent.

These guys did a wonderful job. Six years contributing to software that was obviously so good that other people could make money off it. Its one thing to work on an open source project in your spare time, or to be employed by one of the few companies that can leverage free software to make money, but these guys aren't. So unless you are working on the kernel, on samba or one of maybe a dozen other projects, you can't give up your day job.

Maybe by closing the source, one of their competitors will buy them out and they will have enough money to live on and write open source code. Rather than berating these guys for leaving the fold, thank them profusely for the six years of hard work.

If you don't like it, fork it. Once GPLed, always GPLed, and only V3 and above is going closed.

Nessus dead. Long live Hindmost

[scoove]

The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license.

I have to disagree. I'm a CISA (certified information security auditor) and have used Nessus in audits. About a year ago, I provided feedback regarding Nessus's tendency to damage production services, even in safe mode. These occurances were not Nessus's fault, but rather the consequence of very poor coding in various network devices. Often Nessus would cause old HP printers (HP Laserjet III was notoriously vulnerable), cheap network fax appliances, and in a couple of cases, Sonicwall firewalls to completely lose their configurations and reset to defaults. 10+ year old printers have a bit of an excuse in my book, but Sonicwall, which advertises as a security product, had no legitimate justification for this behavior. We were able to confirm this from outside Nessus scans as well.

I began reporting this behavior to the Nessus group and suggested a database of vulnerable devices to prevent analysts from getting in repeated hot water. The Tenable folks were not responsive at all and indicated their fear of civil liability due to potential disparagement of network equipment vendors products. Although I referenced numerous other sites, as well as the alternate "compatible device" approach which countless operating systems take, the idea was ignored. I did receive numerous emails from other analysts who had the same concerns.

Teneble has done a good job pushing away its user base and unfortunately moves into a hypercompetitive world of better proprietary tools. I wonder if there's an impatient VC pulling their strings.

I'll definitely support any open source effort that continues with the GPL code. How about calling it Hindmost (for all the Ringworld fanatics out there).

*scoove*

That's not the half of it.

[Zaurus]

I'll give you THE REASON why there wasn't much of a community around nessus:

Renaud

Yes, that's right. Renaud himself. Schizophrenic, anti-social, flaming Renaud. Let me illustrate:

A few years ago the company I worked for wanted to provide Nessus scanning as a service to people. The CEO himself wanted us to be good citizens in the OSS community (he was a techie before he got into management) so, not quite understanding the GPL, he personally sent an email to Renaud asking if it was ok to do such a thing. He basically got "ya, sure. just tell people that you use nessus" as a response. Of course, providing a service using stuff under the GPL is perfectly legal, regardless of whether or not you modify source code (which we never got around to doing anyway).

Fast-forward a few months. We're creating the service. We join the mailing lists and start asking a couple questions. Almost instantly Renaud flips out. To paraphrase: WHAT THE ____ DO YOU THINK YOU ARE DOING USING NESSUS? WHO THE ____ DO YOU THINK YOU ARE? COMPANIES CAN'T USE NESSUS TO PROVIDE SERVICES! ESPECIALLY IF YOU CHARGE FOR IT! SUPER-ESPECIALLY IF YOU MANAGE TO MAKE A PROFIT (and don't give us a large cut)

Ya, ok. Whatever. Renaud subsequently (in emails to our CEO) threatened legal action against us for things such as "using nessus." Legal improbabilities aside, that totally spooked management and alienated myself and the rest of the development team. Several of us have participated in other OSS projects through irc, mailing lists, forums, contributing patches, reporting bugs, etc. Such OSS participation is generally well-received. With nessus, not one of us who ever tried to participate in its "community" ever felt welcome in the least. To the contrary, every time we dipped our collective toe in nessus's pool, we came away with frostbite.

Renaud appears to have finally woken up to the legal ramifications of having put nessus under the GPL. Namely, he can't dictate what others can and can't do outside the confines of the license. If any of you are considering using nessus in the future, I highly recommend going through his license with a fine-tooth comb. When he sells out to SCO [so he can actually get his threats into the courts and the news], you will want to know how many of your vital organs, children, and relatives that they are going to go after.

I say, GOOD RIDDANCE NESSUS.