Metasploit Project Sold To Rapid7

ancientribe writes "The wildly popular, open-source Metasploit penetration testing tool project has been sold to Rapid7, a vulnerability management vendor, paving the way for a commercial version of Metasploit to eventually hit the market. HD Moore, creator of Metasploit, was hired by Rapid7 and will continue heading up the project. This is big news for the indie Metasploit Project, which now gets full-time resources. Moore says this will translate into faster turnaround for new features. Just what a commercial Metasploit product will look like is still in the works, but Rapid7 expects to keep the Metasploit penetration testing tool as a separate product with 'high integration' into Rapid7's vulnerability management products."

Wow

[Yvan256]

Even names are in high-definition these days.

damn script kidddies

[conspirator57]

get off my lawn.

In my day we had to use smoke signals to exploit a neighbor's abacus. And you know what, we liked it.

Now you have your fancy audio couplers and wireless networks.

Re:damn script kidddies

[TimeElf1]

What you haven't had the upgrade to cans and strings yet?

Re:damn script kidddies

And what are you doing telling people to get off your parent's lawn

He has more than one parent, you insensitive clod!

Opensource tool

[Icegryphon]

Sold to a company, What wut!?

Re:Opensource tool

[Pool_Noodle]

Its nothing new really, there's been several tools that have either been "sold off" or their devs have "closed source". (I could be wrong) 3 that pop to my mind are Nessus, Tripwire, and Snort. ... sure does make me want to start using the words "sell outs" though.

Re:Opensource tool

[bleh-of-the-huns]

Snort was never sold to anyone, Snort has always been a part of Sourcefire, the developer just created a commercial product.

Not sure about tripwire...

Nessus went closed source due to a number of other companies stealing it, incorporating it into their products, and then selling it. It is still free for non commercial use, and free registration will allow you to get updated plugins (albeit a few days behind commercial customers)

Re:Opensource tool

[Martin+Blank]

Snort was not sold off. Marty Roesch, creator of Snort, formed Sourcefire for the express purpose of commercializing it. Even with that, Snort is still open source under the GPL, and Marty has indicated that there are no plans to ever change that.

Re:Opensource tool

[Pool_Noodle]

I stand corrected ... (thank you ... must get caffeine before posting next time), but my point still stands, open source being traded off isn't new .. but it is irritating.

Positive so far

This seems positive so far and they are making all the right noises (hiring Egypt full time onto the project is a really good sign). Both Snort and Wireshark got much better after commercial backing.

Re:Positive so far

yeah, and nessus too! oh, wait.

A great way to ruin a good resource

[al0ha]

Rapid7, who are incredible jerks at least in terms of aggressive cold-call sales people. There are periodic rounds of complaining about them on one of the lists I'm on. We can't stand those guys.

Re:A great way to ruin a good resource

Boo hoo. Those guys are aggressive at everything they do. Remember the NVIDIA exploit they released and developed? Being aggressive is not always bad in this industry.

Re:A great way to ruin a good resource

I agree. I had those dbags call me just yesterday.

Them: "Do you have any money for upcoming security projects?"

Me: "No." (As if I'd tell a cold caller what we were doing.)

Them: "In that case, I'm done with you."

Avoid these people if at all possible. If this is how they treat customers on the front end, I hate to see how support and/or contract issues are resolved. I went so far as to blacklist their domain so they can't send meeting notices to my boss.

Re:A great way to ruin a good resource

I interviewed with Rapid7 for a software development position, and I too can attest to the fact that the company seems to be full of jerks. I was essentailly pressured to accept a position before being provided with any salary or benefits information - because those are just "minor details" ...

Also the sales team was running laps around the office. It looked like a frat house.

Re:A great way to ruin a good resource

They call me every other day. It is generally the same person for a few days and then I get a new person the next week. I have repeatedly informed them we would never do business with their company based on sales tactics alone. I also ask every time to be placed on their do not call list. I have also contacted our accounting/purchasing team to never do business with Rapid7 or pay any invoices they submit.

Re:A great way to ruin a good resource

I'm a customer, but do NOT have this problem. They had the best price compared to others, and were willing to deal heavily to get my employer's name in their list, which I won't disclose here, per company policy (so I reckon anyone smart will take that with a grain of salt when I claim I'm a customer and not with Rapid7, but it's true).

Re:A great way to ruin a good resource

http://yro.slashdot.org/story/09/10/20/1444256/CIA-Invests-In-Firm-That-Datamines-Social-Networks

This is exactly what came to mind, just about 30 minutes before your reply popped up :).

Re:A great way to ruin a good resource

Just what a commercial Metasploit product will look like is still in the works

I'm going to bet that it'll look like a several hundred dollar pricetag that puts it out of reach of many users of the original project and at least 4 figures for use in enterprise with the most basic support tier.

Call me pessimistic, but when fairly unique security tools are commercial projects this is almost always what the pricing looks like.

Lawsuits?

[supervillain]

Now that this software is run by a company with assets what are risk that they will get sued out of existence by some company who wrote bad code?

Great - Now We Can Use Metasploit !

to penetrate the N.S.A's data mining project hosted by
Google's 10 million servers.

Yours In Ashgabat,
K. Trout

How does one buy an open source program?

[tacokill]

I'd like to buy sendmail and apt-get. How much would those two cost me?

I am not clear on how open-source projects get "sold" to commercial entities. I understand how companies can use open source but I don't understand how companies buy and sell open-source programs.

Can someone smarter than me lay out, in business terms, how this works? Was Metasploit a corporation? If so, what kind? Was it an S-corp? C-Corp? LLC? LLP? What were the mechanics of the sale? What approvals were needed from what stakeholders? etc, etc. Basically, I want to know about the buyers and the sellers and less about the actual product.

It seems odd to me that "someone" would benefit financially by selling the work of an open-source program. Wouldn't you need to compensate all contributors (which I am sure is a nightmare)? If not, I am in the wrong biz. Instead, I should start an open-source program, get other people to contribute, and then sell it for my own personal gain.

I could be wrong but I don't think that is allowed, right? So how does all this work? Or am I hopelessly naive?....

Re:How does one buy an open source program?

[Nursie]

Depends on the project.

If the copyright for metasploit belongs solely to one person, or to a small enough group, then they can sell that on to the company, dependant on what they link to and the licenses used there. I.E. QT was available to purchase and nokia bought the company and the IP there.

They could, if they bought all the copyrights from all the right people, start producing closed source versions. They could also employ all the devs involved and take ownership of the trademark. At that point they have effectively bought metasploit.

What they can't do is rescind the previous license. It's something that's been tried once or twice but it's a nonsense. If they gave away the source under BSD or GPL or similar F/OSS license then it's out there and the community will always be able to use that version and develop it further, under the same (or different if the company took the TM) name.

Hopefully things won't get that far and the source will continue to flow, but who knows.

Anyway, no, you're not naive, buying and closing this stuff requires permission from and probably compensation to all contributors and is only logistically possible on projects where there aren't many of them.

Re:How does one buy an open source program?

If the author requires the copyright of any patches submitted to be attributed to him as a condition of including them then the author (or maybe a separate entity that the author controls) owns the copyright outright. In this way when a company comes to them and says will you sell us the copyright (okay transfer) they can. However, this does not remove the existing GPLed or BSDed versions from the world, it just allows the new owners to develop the project outside those licenses. Others are free to fork and honestly some very nice new owners actually pay the devs they hired (as a condition of the sale often) to merge back in many of their closed improvements into the open source version (i.e. the author continues to work on both versions). Some companies don't do that of course and some even do shady things that probably don't hold up under copyright, but hiring the lead dev is usually a good sign so unless you know the company is a bunch of jerks then give it some time and see.

Re:How does one buy an open source program?

[Tanktalus]

If I am the author of a piece of work, I may choose to offer it to the general public under a license, say GPL, LGPL, Creative Commons, whatever. But, say someone with more cash than brains comes along and doesn't want those licenses. In exchange for some consideration (usually cash), I may choose to offer the same code, which I own the copyright to, to them under a different license. Simple.

In this case, it appears that, in exchange for some consideration (probably cash, but also a job), the author chose to SELL that copyright to a third party (Rapid7) and give up further claims to the code. This does not remove anyone else's rights to the code prior to the purchase, though it may not offer future updates under the old licenses (or it may, that's up to the new copyright owner).

In exchange, the original author gets a) a job, and b) the ability to work full time on the code base he's passionate about. And probably some cash.

As to other contributors - that all depends. If the license doesn't change, then no compensation is required. If they turn around and try to add additional licenses, then it may get sticky (e.g., a binary-only license so they can embed it, or LGPL so they can derive from it or whatever).

To all that I add: IANAL.

Re:How does one buy an open source program?

[b0bby]

I doubt I'm smarter than you but... I would guess that the HD Moore guy who ran the project owns the Metasploit name, trademark, domain etc, as well as the copyright on the code. So you can see how all that could be worth something, plus they're hiring him to keep working on it. If they wanted to they could presumably close the source going forward, though he says in his blog post that they're committed to keeping it open. If they can make a popular tool work well with their other products, it might be worth it to them and apparently it is, since they've done it.

Re:How does one buy an open source program?

[paimin]

I read it as the company bought future development, which will be closed. You can't close development that's already open, but you can use that existing development in a commercial product, provided you satisfy th licensing of it.

In other words, this will be a closed fork.

Re:How does one buy an open source program?

According to the website, Rapid7 bought the trademarks, the website, and "rights to the Metasploit Framework", the current version of which "was originally developed by Metasploit LLC and is made available for use by Rapid7 under the 3-clause BSD license."

Re:How does one buy an open source program?

In short, no. The Rapid7-based development team is committing directly to the public tree under the BSD license, for all development we currently have planned.

Re:How does one buy an open source program?

[wastedlife]

The name of the project is normally trademarked by someone. While somebody can take the open code and fork it under a different name (IceWeasel, for example), they cannot call the fork by the trademarked name (Firefox, for the previous example). Also, the code is still copyrighted by its owners, BSD or GPL are just licenses for what you are allowed to do with the code. In some cases that I have seen (I believe QT does this), the owner of the trademark will require contributors to assign copyright of their contributions to the trademark holder. That way they can get away with dual licensing without needing to work out the other license with the contributors. I am more familiar with GPL licenses, so some of what I said may apply slightly differently for BSD licensed code like MetaSploit.

Re:How does one buy an open source program?

[solevita]

Fork it if you don't want to go corporate; plenty of people did that when MySQL went to Sun.

Re:How does one buy an open source program?

[MadnessASAP]

Well it depends on how you define open source. If it's simply a program that you distribute the soruce code along with it then it's quite easy, you simply sell the ownership/license the code to somebody else since you presumably own all the code this isn't a problem. Similarly with projects that do have 3rd party developers you can stipulate that they relinquish ownership of any contributions they make to the project to you or whatever organization happens to be managing the project. Where it gets tricky is when you have projects where anybody could contribute but you haven't put in the aforementioned stipulations, at that point you need to track down every contributor and ask for their permission to relicense/sell their code if they say no you either have to replace their code or fork the project to include only code that you DO have permission to sell.

At least that's how I remember it working I may be way off base here though.

Re:How does one buy an open source program?

[drooling-dog]

In exchange, the original author gets a) a job, and b) the ability to work full time on the code base he's passionate about. And probably some cash.

How exactly does "a job" and "the ability to work full time" for someone else constitute compensation for something you've already created?

Re:How does one buy an open source program?

[cachimaster]

Sun basically bought apt-get when it hired the guy that created it. Now it's integrated in OpenSolaris.

Re:How does one buy an open source program?

[tacokill]

Ok, I understand everything you laid out but again....it seems like Rapid7 is "using" the metasploit code - which does not necessarily require them to ouright buy the company. (sidenote: we all agree that they can not rescind what was done in the past. That "stuff" lives forever under whatever license it was released under).

Why would someone buy anything open-source unless the copyrights came with it? The alternative, is to "use" the open-source product and just conform to GPL or whatever the license requirements are. That seems so much simpler than buying the entire company and compensating everyone who has/had a stake.

The part that has me stumped is this: there are plenty of ways Rapid7 could have leveraged this guys code and product. Why did they decide to buy him outright, instead of just licensing the code? What do they gain by buying him out over and above what is already gained by using the open-source code?

I've seen trademarks mentioned in a few responses but that brings up another set of questions: who "owns" the trademark for an open-source proejct? If the trademark is bought, who gets compensated? How is that sorted out?

Others mentioned forking the code. Ok, fair enough. Then why didn't Rapid7 just fork metasploit and do what they wanted to do with it? They don't have to buy it to be able to use it. It's already available under open-source licensing. I guess what I am asking is: why would someone buy metasploit instead of just forking the dev tree. One costs lots of money. The other alternative is free. Both achieve the same result. (Rapid7 gets to release a new product based on Metasploit)

Re:How does one buy an open source program?

[thePowerOfGrayskull]

In exchange, the original author gets a) a job, and b) the ability to work full time on the code base he's passionate about. And probably some cash.

How exactly does "a job" and "the ability to work full time" for someone else constitute compensation for something you've already created?

If the author of the code agrees that this is sufficient compensation, then it is sufficient compensation. Otherwise, the sale couldn't be made.

Re:How does one buy an open source program?

[drooling-dog]

The authors of the code would do well to work on their negotiating skills. Essentially they're being required to forfeit prior intellectual property as a condition of employment; some would call this "theft" in the absence of any additional consideration. I hope at the very least they have lucrative salaries and a solid employment contract, if not royalties.

Re:How does one buy an open source program?

[Dragonslicer]

"The ability to work full time on the code base" comes from him being employed to do it, i.e. he doesn't need to spend time on other paid projects. Being employed could be considered compensation if he wasn't making any money on the project before, since he'll be getting more money for possibly the same amount of work that he was already doing. Many people (not necessarily the original author, just in general) also prefer the security of a steady job and having other people handle administration, sales, etc., instead of having to do those kinds of things themselves.

Re:How does one buy an open source program?

[Lonewolf666]

I guess Rapid7 wants to do closed source versions in the future. That makes it necessary to buy the copyrights, or at least most of them and re-developing the stuff they could not buy.

Of course that puts them in competition with whatever open source version other people maintain. A previous example of that would be Interbase by Borland. Borland released the version 6.0 under an open source license, but reconsidered soon after and the next version was closed source again.
That one open source release was picked up by a group of developers and became the Firebird database (http://www.firebirdsql.org/). Interbase is still available commercially from Embarcadero, but I guess they lose some sales to its open source version.

Re:How does one buy an open source program?

I like how you never even seem to realize that the author's skills might be worth anything at all.

Re:How does one buy an open source program?

[thePowerOfGrayskull]

Indeed, it's a crappy deal - certainly not one I'd take. But a legal one if they agree to it...

Re:How does one buy an open source program?

[wallyhall]

Fork it if you don't want to go corporate; plenty of people did that when MySQL went to Sun.

After forking it, you'll need a new name of course. I vote metasplit.

Re:How does one buy an open source program?

[ediron2]

You're all a pisspool of nattering armchair lawyers bragging about how they'd have won such-and-such case on court.tv without even knowing the details. How the *FSCK* would you even know? Did I miss where the terms of the contract were posted online?

Here are just the scenarios I've seen (or offered) in my own career:

"Hi, this project you're working on is great -- can we buy a nonexclusive license for $$$?"

"How much would we have to pay you to focus on functionality that'd do Y? How long would it take?"

"The tool is nice, but I just need to know how you did X, so I can incorporate it into a limited-niche project. Would you sell me source-code and your time at $$ plus $$ per hour? We'll readily sign NDA's and noncompetes."

"F*** it, I'm out of here. First job, any job..." (phone rings) "You want me to go pro with my open-source project? HELL YESSS!!"

"Great tool, and we'd love the prestige you've attained -- can we pay you a few years back salary and promise $$$$ forward salary. You'll get to focus on this project, some stock options, you'll build a division in our company, and we'll take over marketing and logistics."

Where exactly is the evidence of this being a shitty deal -- Reread egypt's comments at blog.metasploit and then tell me the last time any of you gasbags got offered a chance to exit a decent-but-hectic day job, focus in on a side project you dream about and struggle to find weekends to work on, get a big-ass raise, bump up your prestige, and probably get god knows what else in the way of one-time payments or stock options.

Re:How does one buy an open source program?

[wastedlife]

I thought OpenSolaris had its own package management system. Maybe it is practically apt, but it is not actually apt. Nexenta is an OpenSolaris distro that uses apt, so maybe that is what you are thinking of?

Re:How does one buy an open source program?

[Hurricane78]

That's the nice thing in Germany: You can't sell your rights to your inventions/creations. You are always the one who created it. That fact can't change without a time-machine. (Don't dare calling German Urheberrecht a "copyright law". They are very different. And luckily so.)

Re:"penetration testing"

[BitZtream]

You are right, it gets used by script kiddies.

That is EXACTLY why I use it regularly to make sure it doesn't work for them. I can quickly scan a host and see what they may be able to take advantage of.

What do you do? How do you know that you've installed every patch. MS doesn't even TELL you about ever patch, let alone include them in Windows Update. Does all of your other software auto update as well? Do you have some mystical application that makes sure you never make a configuration mistake that opens an exploit? My IIS servers don't return customized version information, is it just supposed to look at that and know what it really translates to and what patches I have installed on it.

You sir, are not a system admin. You may be employed as one, but you certainly shouldn't be. The mere thought that patching is enough by itself is retarded. Assuming that you have perfect configurations that never change and will be safe forever after you set them up is retarded. Pretty much no matter how you look at it, your argument is one of extreme lack of experience.

Every high security environment in the world does penetration testing, as do lower security environments who would rather be safe than sorry. Banks, the government, health care providers to name a few, ALL do penetration testing, both by software, and social engineering, all the way down to trying to actually break into a physical location.

Fuck you and your arrogant ignorance about security, come back to us when you get out of pointy-headed-boss-school or secretary school, whichever you happen to be in.

Re:"penetration testing"

[thePowerOfGrayskull]

It's used mainly by crackers to comprise websites. Fuck this tool and fuck the arrogant script kiddies padding their resumes with it. This software has no legitimate purpose.

Sounds like the righteous anger of someone who left some back doors open for a few script kiddies in his time, and got burned by it.

Re:"penetration testing"

How do you know that you've installed every patch. MS doesn't even TELL you about ever patch, let alone include them in Windows Update.

First of all, no serious business is using Windows as a server. Sorry but you just discredited yourself with that alone. Again, let's say you find out some exploit works on your box... is there a patch? If yes, why wasn't it already patched? Did you really need to hack yourself just so you could be made aware of a public patch? If so, I think you're the one that needs to be kept away from important computers. If there isn't a patch, what are you going to do, shut down the service? All non-essential services should already be taken down. Anything left has to stay up and you're SOL anyways.

Every high security environment in the world does penetration testing, as do lower security environments who would rather be safe than sorry. Banks, the government, health care providers to name a few, ALL do penetration testing, both by software, and social engineering, all the way down to trying to actually break into a physical location.

Look, you can't even read. I wasn't making an argument against penetration testing. I'm making an argument against script kiddie tools posing as pentesting tools. Pentests can and should be done, often and well. That's not the same as trying to exploit an unpatched box. The only people interested in that are script kiddies.

If you're doing your job right, metasploit serves no legitimate purpose. If you're some dumbass that has to hack himself just to be made aware of public patches then by all means, continue being a dumbass.

Re:"penetration testing"

[nstlgc]

>> How do you know that you've installed every patch. MS doesn't even TELL you about ever patch, let alone include them in Windows Update.
> First of all, no serious business is using Windows as a server. Sorry but you just discredited yourself with that alone.
Good thing you're posting as AC so you can't discredit yourself by saying something stupid like that, right?

Re:"penetration testing"

Steve? Is that you?

Re:"penetration testing"

It's not.

Legal minefield

[n3td3v]

There will be a legal minefield now that a big company with lot's of money owns Metasploit now. I mean the Metasploit web site doesn't even have a privacy policy.

Re:"penetration testing"

No, it's someone who lives in the real world, not their parents basement.

Re:"penetration testing"

Whiny bitch.

Re:"penetration testing"

I work for a hundred million dollar company that makes a substantial portion of its income doing "legitimate" penetration testing.

Our customers are Fortune 500 companies and the like.

It's a very useful toolset.

You would be surprised how many times a week I hear this story:

Security Admin: Upper management doesn't understand the risk these vulnerabilities pose and we can't get funding to get it fixed. We need it demonstrated through videos and screenshots, exactly what sort of damage can be done by a single attacker given 1 week to exploit this application.

So, we pop the app and create a presentation littered with examples of what might happen.

Then security gets funding and the bad guy doesn't get his way.

Re:"penetration testing"

First of all, no serious business is using Windows as a server. Sorry but you just discredited yourself with that alone.

Huh?

I do security consulting in Fortune 1000 companies and I've never run into one yet that is a strict "no-MS" shop on the server side.

What the hell are you talking about?

Second, every large penetration testing organization that services these Fortune 1000 customers uses Metasploit as a small (very small) component of their toolset.

Our toolset is comprised of over 1000 different bits of software, but I've successfully used Metasploit on at least 10 different engagements in the last 6 months alone against Fortune 1000 (and similar sized) organizations.

I run into a number of environments where patching isn't practical, or isn't allowed.

Medical devices, for example. The kind that do IV-drip monitoring, or the kind that do blood chemistry analysis in a medical laboratory, are regulated by the FDA (I think) and CANNOT be patched. They rely on semi-annual service packs from the manufacturer that are usually 6 months out of date by the time they get FDA approval.

I have done several penetration tests against medical facilities this year and have found metasploit very helpful attacking both UNIX and Windows based systems in this category.

And frankly, even regular systems don't get patched in a large environment. I was in an environment a few weeks ago with over 100 server admins, and very strict rules about change management and patching. There had to be many rounds of testing on every new patch before it went into production and honestly, that wasn't happening. They were consistently running 9 months out of date on some servers. Additionally, they had several Windows NT Machines that hadn't been patched in many years. The security team needed someone to come in to demonstrate the importance of patching and try to accelerate that schedule. Metasploit was very useful in attacking systems, not only Windows, but all platforms.

I'll point out that the greatest number of vulnerabilities present in many server environments comes from Linux/Apache, so your shouting "ooooo Microsoft" seems a little infantile and inexperienced, in retrospect.

Methinks you are talking out your ass.

Re:"penetration testing"

Do you write all of your own security tools? If not then kindly go fuck yourself.

Re:"penetration testing"

[Alpha830RulZ]

First of all, no serious business is using Windows as a server. Sorry but you just discredited yourself with that alone.

I do work for fortune 200 companies. Every one of them I have worked at uses Windows for servers. This includes the likes of Boeing, HP, Capital One Bank, Bank of America, the London Stock Exchange, NASDAQ, Charles Schwab. HCA, Accenture, Ford, Toyota, and more. Most of them use IIS, SQL Server, and build .NET applications. Exchange and Active Directory are everywhere. MSFT servers, like it or not are pervasive in the business world. Not necessarily dominant, as big apps tend to get built on other platforms. But they are everywhere, running real systems that handle real money. You are the one discrediting yourself if you really don't know or believe this.

Smart sysadmins do their own penetration testing. We do. The higher ups make us use a CA product which doesn't work as well in my experience as the open source tools. It tends to be 6 months behind.

Re:"penetration testing"

[quote]What do you do? How do you know that you've installed every patch. MS doesn't even TELL you about ever patch, let alone include them in Windows Update. Does all of your other software auto update as well? Do you have some mystical application that makes sure you never make a configuration mistake that opens an exploit? My IIS servers don't return customized version information, is it just supposed to look at that and know what it really translates to and what patches I have installed on it.[/quote]

For this you use Secunia PSI.

Re:"penetration testing"

[TheLink]

> Do you write all of your own security tools? If not then kindly go fuck yourself.

You grow your own wheat and grind your own flour? And built your own CPU factory to make the CPU for your computer?

If you do everything yourself, you're certainly the one who should be "fucking yourself".

Seems more logical.

Re:"penetration testing"

[cpghost]

Security Admin: Upper management doesn't understand the risk these vulnerabilities pose and we can't get funding to get it fixed. We need it demonstrated through videos and screenshots, exactly what sort of damage can be done by a single attacker given 1 week to exploit this application.

From Sneakers (1992):

Bank Secretary: So, people hire you to break into their places... to make sure no one can break into their places?

Martin Bishop: It's a living.

Bank Secretary: Not a very good one.

Re:"penetration testing"

Actually, I do grow my own wheat and grind it. It is fun and healthy.

Since your remarks were totally outside of the context of the parent poster's posting and the subject being discussed, I will invite you to to shut the fuck up.

Re:"penetration testing"

Ah so you're the sort who is already fucking himself.

Re:"penetration testing"

[Hurricane78]

Does all of your other software auto update as well?

Have you never heard of package management systems?

eix-sync && emerge -auDNtv world

Done. Man, you Windows guys are weird.