Metasploit Project Sold To Rapid7
ancientribe writes "The wildly popular, open-source Metasploit penetration testing tool project has been sold to Rapid7, a vulnerability management vendor, paving the way for a commercial version of Metasploit to eventually hit the market. HD Moore, creator of Metasploit, was hired by Rapid7 and will continue heading up the project. This is big news for the indie Metasploit Project, which now gets full-time resources. Moore says this will translate into faster turnaround for new features. Just what a commercial Metasploit product will look like is still in the works, but Rapid7 expects to keep the Metasploit penetration testing tool as a separate product with 'high integration' into Rapid7's vulnerability management products."
Even names are in high-definition these days.
get off my lawn.
In my day we had to use smoke signals to exploit a neighbor's abacus. And you know what, we liked it.
Now you have your fancy audio couplers and wireless networks.
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
Rapid7 are incredible jerks, at least in terms of aggressive cold-call salespeople. There are periodic rounds of complaining about them on one of the lists I'm on. We can't stand those guys.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
It's nothing new really; there have been several tools that have either been "sold off" or whose devs have "closed source". (I could be wrong.) Three that pop to my mind are Nessus, Tripwire, and Snort. ... Sure does make me want to start using the words "sell outs" though.
"Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind" - Dr. Seuss
Depends on the project.
If the copyright for Metasploit belongs solely to one person, or to a small enough group, then they can sell that on to the company, dependent on what they link to and the licenses used there. I.e. Qt was available to purchase and Nokia bought the company and the IP there.
They could, if they bought all the copyrights from all the right people, start producing closed-source versions. They could also employ all the devs involved and take ownership of the trademark. At that point they have effectively bought Metasploit.
What they can't do is rescind the previous license. It's something that's been tried once or twice, but it's nonsense. If they gave away the source under BSD or GPL or a similar F/OSS license, then it's out there and the community will always be able to use that version and develop it further, under the same (or a different, if the company took the TM) name.
Hopefully things won't get that far and the source will continue to flow, but who knows.
Anyway, no, you're not naive. Buying and closing this stuff requires permission from, and probably compensation to, all contributors, and is only logistically possible on projects where there aren't many of them.
I doubt I'm smarter than you but... I would guess that the HD Moore guy who ran the project owns the Metasploit name, trademark, domain etc, as well as the copyright on the code. So you can see how all that could be worth something, plus they're hiring him to keep working on it. If they wanted to they could presumably close the source going forward, though he says in his blog post that they're committed to keeping it open. If they can make a popular tool work well with their other products, it might be worth it to them and apparently it is, since they've done it.
Snort was never sold to anyone, Snort has always been a part of Sourcefire, the developer just created a commercial product.
Not sure about tripwire...
Nessus went closed source due to a number of other companies stealing it, incorporating it into their products, and then selling it. It is still free for non-commercial use, and free registration will allow you to get updated plugins (albeit a few days behind commercial customers).
I came, I conquered, I coredumped
You are right, it gets used by script kiddies.
That is EXACTLY why I use it regularly to make sure it doesn't work for them. I can quickly scan a host and see what they may be able to take advantage of.
What do you do? How do you know that you've installed every patch? MS doesn't even TELL you about every patch, let alone include them in Windows Update. Does all of your other software auto-update as well? Do you have some mystical application that makes sure you never make a configuration mistake that opens an exploit? My IIS servers don't return customized version information; is it just supposed to look at that and know what it really translates to and what patches I have installed on it?
You sir, are not a system admin. You may be employed as one, but you certainly shouldn't be. The mere thought that patching is enough by itself is retarded. Assuming that you have perfect configurations that never change and will be safe forever after you set them up is retarded. Pretty much no matter how you look at it, your argument is one of extreme lack of experience.
Every high security environment in the world does penetration testing, as do lower security environments who would rather be safe than sorry. Banks, the government, health care providers to name a few, ALL do penetration testing, both by software, and social engineering, all the way down to trying to actually break into a physical location.
Fuck you and your arrogant ignorance about security, come back to us when you get out of pointy-headed-boss-school or secretary school, whichever you happen to be in.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
In exchange, the original author gets a) a job, and b) the ability to work full time on the code base he's passionate about. And probably some cash.
How exactly does "a job" and "the ability to work full time" for someone else constitute compensation for something you've already created?
If the author of the code agrees that this is sufficient compensation, then it is sufficient compensation. Otherwise, the sale couldn't be made.
It's used mainly by crackers to compromise websites. Fuck this tool and fuck the arrogant script kiddies padding their resumes with it. This software has no legitimate purpose.
Sounds like the righteous anger of someone who left some back doors open for a few script kiddies in his time, and got burned by it.
"The ability to work full time on the code base" comes from him being employed to do it, i.e. he doesn't need to spend time on other paid projects. Being employed could be considered compensation if he wasn't making any money on the project before, since he'll be getting more money for possibly the same amount of work that he was already doing. Many people (not necessarily the original author, just in general) also prefer the security of a steady job and having other people handle administration, sales, etc., instead of having to do those kinds of things themselves.
First of all, no serious business is using Windows as a server. Sorry but you just discredited yourself with that alone.
Huh?
I do security consulting in Fortune 1000 companies and I've never run into one yet that is a strict "no-MS" shop on the server side.
What the hell are you talking about?
Second, every large penetration testing organization that services these Fortune 1000 customers uses Metasploit as a small (very small) component of their toolset.
Our toolset is comprised of over 1000 different bits of software, but I've successfully used Metasploit on at least 10 different engagements in the last 6 months alone against Fortune 1000 (and similar sized) organizations.
I run into a number of environments where patching isn't practical, or isn't allowed.
Medical devices, for example. The kind that do IV-drip monitoring, or the kind that do blood chemistry analysis in a medical laboratory, are regulated by the FDA (I think) and CANNOT be patched. They rely on semi-annual service packs from the manufacturer that are usually 6 months out of date by the time they get FDA approval.
I have done several penetration tests against medical facilities this year and have found Metasploit very helpful attacking both UNIX- and Windows-based systems in this category.
And frankly, even regular systems don't get patched in a large environment. I was in an environment a few weeks ago with over 100 server admins, and very strict rules about change management and patching. There had to be many rounds of testing on every new patch before it went into production and, honestly, that wasn't happening. They were consistently running 9 months out of date on some servers. Additionally, they had several Windows NT machines that hadn't been patched in many years. The security team needed someone to come in to demonstrate the importance of patching and try to accelerate that schedule. Metasploit was very useful in attacking systems, not only Windows, but all platforms.
I'll point out that the greatest number of vulnerabilities present in many server environments comes from Linux/Apache, so your shouting "ooooo Microsoft" seems a little infantile and inexperienced, in retrospect.
Methinks you are talking out your ass.
You're all a pisspool of nattering armchair lawyers bragging about how they'd have won such-and-such case on court.tv without even knowing the details. How the *FSCK* would you even know? Did I miss where the terms of the contract were posted online?
Here are just the scenarios I've seen (or offered) in my own career:
"Hi, this project you're working on is great -- can we buy a nonexclusive license for $$$?"
"How much would we have to pay you to focus on functionality that'd do Y? How long would it take?"
"The tool is nice, but I just need to know how you did X, so I can incorporate it into a limited-niche project. Would you sell me source code and your time at $$ plus $$ per hour? We'll readily sign NDAs and noncompetes."
"F*** it, I'm out of here. First job, any job..." (phone rings) "You want me to go pro with my open-source project? HELL YESSS!!"
"Great tool, and we'd love the prestige you've attained -- can we pay you a few years' back salary and promise $$$$ forward salary? You'll get to focus on this project, get some stock options, build a division in our company, and we'll take over marketing and logistics."
Where exactly is the evidence of this being a shitty deal -- Reread egypt's comments at blog.metasploit and then tell me the last time any of you gasbags got offered a chance to exit a decent-but-hectic day job, focus in on a side project you dream about and struggle to find weekends to work on, get a big-ass raise, bump up your prestige, and probably get god knows what else in the way of one-time payments or stock options.