The PDF is a little confusing because it's posted upside down but it's a great read. I will briefly paraphrase for those too lazy to read this themselves.
Granick's response is:
1) There isn't a chance in hell someone would confuse the fedexfurniture site for a multinational shipping organization
2) Some guy sold artistic expression of Barbie doing naughty things once
2a) Not only did a court find this OK but the company (Mattel) that tried to sue him ended up paying for all his attorney's fees (HINT: Fedex will pay lots of money to Avila if you pursue this)
3) The DMCA reference is bullshit!
4) He complied with all your website's terms and conditions
5) BTW we put his website on Stanford's servers. Care to sue us both?
In just a page and a half she shredded their case and taunted them to try and sue one of the top legal institutions in the country. But it's all done so subtly. I have a feeling a NEW terms and conditions will get posted to Fedex in the very near future. Just a gut feeling.
and $4500 stretches out to something like 10 years of living expenses for a Nigerian house. Or maybe 1 year out in India. You get the idea. I checked the rules and it says "we're looking to find developers around the world". Not just the US. I wonder how long $4500 would last you in Brazil or Argentina?
Normally I would give the same "make sure you have a contract" speech I've seen in other threads. But that's because I assume my audience is over 18. These KIDS will possibly get into trouble with their school but the criminal charges are total BS. Now when they graduate they should have some nice lucrative jobs lined up. BTW since school is a government resource isn't this a terrorist action? :-o
At least as far as I'm concerned. I've been using adblock (an extension for firefox) and I literally don't see ads anymore. Oh sure a few manage to find their way in but 90% are now gone. It's incredible and the way the web should be viewed, sans ads!
Not if they are smart. Not that all criminals are geniuses, far from it. But even an idiot knows that getting caught is a factor. Now if you live in Nigeria what are the chances that someone making a complaint will get a warrant issued for your arrest? And if the warrant were issued, Big F'n Deal! Try serving an arrest warrant in Nigeria issued from the US. NOT GONNA HAPPEN. So it is a big deal when the crime is occurring from other countries because we can arrest any nimrod who abuses access here (see the UCSB story of the girl who stole her prof's identity!)
I think the issue underscored here is risk vs. reward. For someone in the US 30,000 USD isn't *that* much, not enough for many of us to risk jail time. That amount barely covers a year's salary for many and I'd say for most reading this site it is way less than a year's salary. If you're making $2.00/hr that is a LOT of money. Now we are talking almost a DECADE of salary.
From the Terms of Use: "To the maximum extent permitted by applicable law, Microsoft may monitor your e-mail, or other electronic communications and may disclose such information in the event it has a good faith reason to believe it is necessary for purposes of ensuring your compliance with this Agreement, and protecting the rights, property, and interests of the Microsoft Parties or any customer of a Microsoft Party."
So if I submit an article from my Hotmail account then it's ok for you to monitor it and see if I'm complying with this agreement? Sounds great, sign me up!
or Sony leads the way. The PSP introduced WiFi into gaming and I would bet that the PS3 will have it as well. Now if only Sony followed Nintendo's lead and made the PSP the uber controller for the PS3. Then we'd be in good shape.
I think a better analogy is 119 applicants who found themselves alone in the admissions office. They see a file with "Acceptance List" written on it and they decide to have a peek. Little did they know a video camera records the whole thing. The board reviews this and rejects the applicants.
Was this criminal? Sort of, but HBS isn't pushing for convictions here. HBS receives thousands of applications each year and something like 10% are accepted. Since ethics is something they would like to see in their candidates this issue provides an excellent litmus test.
Also there have been many real hacks that involved knowing a certain URL. Like stealing CC numbers or even reading a press release before it goes public. Or how about peeking at your competitor's client list because you know about this special URL for SalesForce.com. If you're still not following the logic:
http://somesite.com/../../../../../etc/passwd
Should this be illegal?
BTW MIT and CM are rejecting anyone caught who followed the instructions. Stanford is allowing those caught to "explain themselves".
The admins probably had nothing to do with it. The web application developer likely created the loophole through insecure coding practices.
Great, now do something about those 419 scammers and maybe you'll put a small dent in online fraud. Support 419eaters.com if you haven't already stopped by. These guys are doing a great job reversing the scam on these Nigerian fraudsters. Some funny stories in the forum as well.
If it's worth the money to your friend then he can make a valid claim. It will go to arbitration first and likely then to a court near you. The first procedure costs something like $1000.00. In this proceeding an arbitration panel will likely figure out that neither side is willing to budge and that both have equally "valid" claims. It doesn't sound like you can claim squatting under federal legislation. Even if it could be found in your friend's favor the transfer of the domain can be stopped with a simple appeal by taking the case to a state court. It can then be appealed to a federal court. So here's the deal: it's $1000.00 to play and after that it's whoever has the most money, the best attorneys, and the most time. If it's worth it to your friend then seek an IP attorney.
I have an IBM T40 and I can't get certain things working without sweat and blood. Wireless has been a bane on this machine (under Fedora Core 3) and USB only works so long as I'm not attaching storage devices. Other users of this system note that APC doesn't work worth a damn and I have to agree. Can all these things be fixed? Yes, more or less; with a lot of work almost all the issues can be eradicated. But it's not as simple as just plugging things in and watching them work. The only reason I'm still stuck on it is I have to perform network audits with this laptop and the XP SP2 "improvement" of limiting the unanswered connections proves too debilitating for auditing. I'm considering Win2k at the moment.
I just had to learn about this in a class I'm taking. Having a trademark does help but it's not as simple as sending a C&D. If the squatter is a pushover then great, but normally the greed factor kicks in. In that case you're usually subject to an arbitration proceeding between you and the squatter. This should run about $1000 and is generally handed to orgs like WIPO. There was a huge case at one point for Corinthians.com and essentially WIPO sided with a Brazilian firm (whose trademark was infringed on by a squatter). Problem is WIPO can't supersede law so the URL, temporarily awarded to the Brazilian firm, ultimately came back to the squatter after he took it to federal court (he appealed a lower court ruling in his home state). Check it out for yourself (www.corinthians.com).
Bottom line: C&Ds are not a solution that will work on anyone with legal counsel.
So the drowning man is MAME and he is the one standing outside of the water. He's trying to kill MAME!! And we can't believe any of his claims that he won't sue the authors of MAME because he states
"Convince yourself That it is okay to lie."
This is also supported by the above stanza where we see the true motives of his plan
"All he can do is flail, And try and not sink. Eventually he will tire."
At no point does the man outside the water actually help him out. He could throw him a line but instead he just hangs around and waits for the drowning.
RTFA! The kid took the gun from the police officer. Unless you're trying to argue that the police shouldn't have guns your post and all the ones under it should be modded way the hell off topic.
"Cotton and Tulip have been fed 4209 times"
In a few seconds' time the number was up to 4215.
Good going guys, you've /.'d the poor cats. At this rate they will weigh 30 lbs each. Not to mention the stinky fish budget is going to increase exponentially.
On Mon, Feb 07, 2005 at 02:34:11PM -0800, Fyodor wrote:
> In other news, some users have expressed concern about the new Nessus
> license. If you want to use Nessus and all its plugins for
> consulting, you are now required to fax Tenable a signed license
> agreement requesting permission.
This is correct. The issue is that in legalese-speak, it's difficult to distinguish between a consultant and a Managed Security Services Provider (MSSP), and some of them have blatantly abused Nessus in the past by claiming they "invented the technology", so we had to find a way which:
a) Makes the use of Nessus free for consultants;
b) Allows us to prevent such companies from using it if they lie in
their claims;
In the same vein that in real life you have to use annoying keys to lock your door to prevent a minority of bad guys from breaking into your house, we had to set up some measures to prevent a minority from abusing the project.
> You must also promise not to redistribute or reverse-engineer the
> plugins (http://www.nessus.org/plugins/index.php?consultant=1&email=c&product=).
> They also instituted a $1200/year charge for the latest plugins (a
> delayed feed is available free with registration for certain limited
> uses).
The registered plugin feed (which is _free_) allows you to scan the network of your workplace or home, with all the plugins that have ever been written, although there is a 7 day delay between the time we write the plugins and the time you receive them. If members of the open-source community submit a given plugin, then it's available under the GPL with no delay.
Same thing with consultants and MSSPs: you can get the plugin feed for _free_ but you need to ask for authorization only once. We do NOT use the gathered data for commercial purposes. Actually, we don't even keep a digital copy of the authorizations, since we're talking about a fax, so we do not have a database of consultants and/or MSSPs.
Finally, if you have some kind of religious stance regarding the use of non-GPL software, there is a 100% GPL plugin feed which contains over 2,000 plugins.
> They also now claim that many of the existing Nessus plugins were
> never open source. At the same time, they rewrote the Nessus web page
> to emphasize that Nessus is "the open-source vulnerability
> scanner".
Nessus is an engine, and it is released under the GPL license. A great number of plugins are released under the GPL license. I think that qualifies as "open-source".
[...]
> They argue that this change is necessary to maintain quality and
> satisfy shareholders
We have never claimed that we clarified the license to satisfy shareholders. We are privately funded and not dependent on VCs.
What we've claimed is that setting up an environment to react in real time to new vulnerabilities (instead of reacting "whenever I have time"), and hiring people to work full time on new security checks (and QA them) requires more than goodwill, especially when you see that these checks are then being used by our competitors. If the community had submitted more plugins, maybe this would not have been necessary, but when you look back and see that Tenable contributed over 80% of the new plugins in 2004, then there is a problem.
It turns out that when people think of "open-source", most of them think of a million people writing one line of code each, and this is absolutely false.
Just a quick recap:
+ 100% of the Nessus Engine : Michel Arboi and Renaud Deraison (Tenable)
+ 95% of the Nessus Plugins : Michel Arboi, David Maciejak, Noam Rathaus,
Digital Defense Inc., George Theall and Tenable.
I recently explained the rationale behind the license change in a lengthy email, available at
I think Open Source refers to the license. I was just correcting the idea that the OS project known as nessus was still free. Before Dec of 2004 it was free AND open source. NMAP is actually both still, and Fyodor asserts that he has no plans to follow Nessus' lead in a for-profit business model. He wants to keep his tool the way it is. Again I have no issue with the team at Tenable moving to this model but it just seems like news of the shift in plugins isn't very widely known. It now costs money if it is to be used effectively (timely updates). As for forking, I think about it and may. If I do I'll make sure to give you a mention in the release notes.
With vulnerability scanning there are a few different aspects to consider. The most important feature of a scanner (aside from speed and accuracy) is the level of updates. An out of date scanner is only mildly better than no scanner at all. In this regard commercial software has some advantage for the consumers (IT organizations). It's not that they can blame anyone (as was mentioned in several posts) but there is someone to yell "hey! where the hell is my signature for Vuln XYZ?" With open source there isn't a guarantee that the signature will be made quickly enough. Even nessus (as I pointed out in another post here somewhere) has moved to a pay model for plugins because of the cost of keeping those signatures up to date. Now one can also take the Open Source approach here and write their OWN signatures but many companies just don't have the staff for that type of thing. The vulnerability details are so sparse these days (not so open disclosure rules) that recreating the actual exploit, never mind finding a way to detect it remotely, is beyond the skill of most teams in the limited timeframe that it's of vital importance. A team will have around 24-48 hours after a patch is released until some evil doer[s] have reverse engineered the patch and created an exploit out of it, slipped in a pre-packaged payload and owned 3 out of your 7 class B segments. Sometimes less. I think the ISS worm last year was the record, something like > 20 hours from patch to worm [Witty worm I think]. Some interesting articles on scanning here and here.
Just one other side note about the articles, Foundstone was purchased by McAfee last year so disregard those.
While the tool itself *is* still free Lightning has made a change in their pricing model regarding the plugins. Check it out for yourselves, there are three feeds now. The main feed which used to be free is now on a seven day delay. While this doesn't affect a lot of the scanning efforts it is nice to know about the vulnerability that just came out.
Often when a new serious vulnerability makes news a company would like to know how they are affected right away. Now they will have to wait 7 days!
I don't think that there is anything wrong with this, I mean the developers at nessus (tenable lightning) have to eat too. But calling it free just seems sort of inaccurate now. Scanners without updated signatures work about as well as razors without the blades.
A 'Direct Feed' is commercially available which entitles subscribers to the latest vulnerability checks. Customers who purchase a Lightning Console or NeWT Pro scanner receive access to this feed with their annual product maintenance.
A 'Registered Feed' is available for free to the general public, but new plugins are added seven days after they are added to the 'Direct Feed'. To obtain access to the 'Registered Feed', users are required to enter contact information for tracking and also agree to Tenable's license agreement for the plugins.
The 'GPL Feed' does not require registration, and includes plugins written by the user community. As manager of the Nessus project, Tenable continues to accept plugins written from the Nessus and NeWT user communities. Plugins accepted with a copyright under the GNU Public License will be distributed to the Direct, Registered and Public feeds at the same time.
Pricing
The access to the GPL feed and to the Registered Feed is free.
Pricing for the 'Direct Feed' is based upon the number of Nessus or complimentary copies of NeWT in use within your organization, consultancy or service. The cost is $1200 per scanner per year. For more information, please contact Tenable's sales staff.
I was at an airport recently and met with a guy whose company literally goes to grocery stores and purchases all that info. They mine it and sell it back to the product companies. So don't think that it's very safe for you to purchase anything that can be traced. Even if you are using a credit card it can be traced back to you. Viet Dinh (main author of PATRIOT) said it best, "you have the right to privacy in America but you never had the right to anonymity."
What am I hiring a hacker for in this scenario? My mail room? Sure, he can deliver mail and pens to the cubicles. How about to design my security infrastructure or web application policy? Not so sure here, he might be out of his league. The beauty of this question is everyone is making all these assumptions in their answers. Beyond the hacker v. cracker debate this question seems to imply that to be a "made hacker" one has to be convicted. And that is utter bullshit. Some of the best hackers I know have been in prison for Federal crimes (notably USC Title 18 violations); however the majority of them have NOT been to prison. Of those some have been investigated but never convicted and some, believe it or not, have never committed a crime more heinous than violating a EULA. So to restate the question, "Would you hire a convicted felon with electronic skillsets?" Yes I possibly would depending on the job. If it were a closed network and I needed someone to conduct penetration testing I would certainly hire him/her. If the job were to involve consulting and facing clients I might be more reserved. A felon has serious liabilities including, but not limited to, bans on interstate travel and certainly international travel. In this case the person could only service clients in the local area without having to petition his PO every single time, and then it's too big a hassle.
Here is the contact info that was left on the press release. Download a free VoIP client like IPkall and let these folks know how you feel. Be nice.
MPAA Los Angeles
Kori Bernards
Anne Caliguiri
(818) 995-6600
MPAA Washington, DC
John Feehery
Gayle Osterberg
(202) 293-1966
We are the target market for these companies and you should take your outrage to them. Here is some contact info. Remember to be polite but firm :)
Public Relations
PublicRelations@tecmoinc.com
Customer Service
CustomerService@tecmoinc.com
Game Counselor
GameCounselor@tecmoinc.com
Business Accounts
BusinessAccounts@tecmoinc.com
Corporate Opportunities
Jobs@tecmoinc.com
Webmaster
Webmaster@tecmoinc.com
Contact Us Via Snail Mail:
Tecmo Inc.
PO Box 5553
21213-B Hawthorne Blvd.
Torrance, CA 90503
Contact Us Via Fax or Phone:
Phone: 310.944.5005
Fax: 310.944.3344
Contact Us Via Email:
Contact@tecmoinc.com
Hi List and Fyodor,
:
; ;
:
On Mon, Feb 07, 2005 at 02:34:11PM -0800, Fyodor wrote:
> In other news, some users have expressed concern about the new Nessus
> license. If you want to use Nessus and all its plugins for
> consulting, you are now required to fax Tenable a signed license
> agreement requesting permission.
This is correct. The issue is that in legalese-speak, it's difficult to distinguish between a consultant and a Managed Security Services Provider (MSSP), and some of them have blatantly abused Nessus in the past by claiming they "invented the technology", so we had to find a way which
a) Makes the use of Nessus free for consultants
b) Allows us to prevent such companies from using it if they lie in
their claims
In the same vein that in real life you have to use annoying keys to lock your door to prevent a minority of bad guys from breaking into your house, we had to set up some measures to prevent a minority from abusing the project.
> You must also promise not to redistribute or reverse-engineer the
> plugins (http://www.nessus.org/plugins/index.php?consultan t=1&email=c&product=).
> They also instituted a $1200/year charge for the latest plugins ( a
> delayed feed is available free with registration for certain limited
> uses).
The registred plugin feed (which is _free_) allows you to scan the network of your workplace or home, with all the plugins that have ever been written, although there is a 7 day delay between the time we write the plugins and the time you receive them. If members of the open-source community submit a given plugin, then it's available under the GPL with no delay.
Same thing with consultants and MSSPs: you can get the plugin feed for _free_ but you need to ask for authorization only once. We do NOT use the gathered data for commercial purposes. Actually, we don't even keep a digital copy of the authorizations, since we're talking about a fax, so we do not have a database of consultants and/or MSSPs.
Finally, if you have some kind of religious stance regarding the use of non-GPL software, there is a 100% GPL plugin feed which contains over 2,000 plugins.
> They also now claim that many of the existing Nessus plugins were
> never open source. At the same time, they rewrote the Nessus web page
> to emphasis that Nessus is "the open-source vulnerability
> scanner".
Nessus is an engine, and it is released under the GPL license. A great number of plugins is released under the GPL license. I think that qualifies for "open-source".
[...]
> They argue that this change is neccessary to maintain quality and
> satisfy sharholders
We have never claimed that we clarified the license to satisfy shareholders.
We are privately funded and not dependant on VCs.
What we've claimed is that setting up an environment to react in real time to new vulnerabilities (instead of reacting "whenever I have time"), and hiring people to work full time on new security checks (and QA them) requires more than goodwill, especially when you see that these checks are then being used by our competitors. If the community had submitted more plugins, maybe this would not have been necessary, but when you look back and see that Tenable contributed over 80% of the new plugins in 2004, then there is a problem.
It turns out that when people think of "open-source", most of them think of a million of person writing one line of code each, and this is absolutely false.
Just a quick recap
+ 100% of the Nessus Engine : Michel Arboi and Renaud Deraison (Tenable)
+ 95% of the Nessus Plugins : Michel Arboi, David Maciejak, Noam Rathaus,
Digital Defense Inc., George Theall and Tenable.
I recently explained the rationale behind the license change in a lengthy email, available at
I think Open Source refers to the license. I was just correcting the idea that the OS project known as nessus was still free. Before Dec of 2004 it was free AND open source. NMAP is actually both still and Fyodor asserts that he has no plans to follow Nessus lead in a for profit business model. He wants to keep his tool the way it is. Again I have no issue with the team at Tenable moving to this model but it just seems like news of the shift in plugins isn't very widely known.
It now costs money if it is to be used effectively (timely updates). As for forking, I think about it and may. If I do I'll make sure to give you a mention in the release notes.
With vulnerability scanning there are a few different aspects to consider. The most important feature of a scanner (aside from speed and accuracy) is the level of updates. An out-of-date scanner is only mildly better than no scanner at all. In this regard commercial software has some advantage for the consumers (IT organizations). It's not that they can blame anyone (as was mentioned in several posts), but there is someone to yell at: "Hey! Where the hell is my signature for Vuln XYZ?" With open source there isn't a guarantee that the signature will be made quickly enough. Even Nessus (as I pointed out in another post here somewhere) has moved to a pay model for plugins because of the cost of keeping those signatures up to date.
Now one can also take the Open Source approach here and write their OWN signatures, but many companies just don't have the staff for that type of thing. The vulnerability details are so sparse these days (not-so-open disclosure rules) that recreating the actual exploit, never mind finding a way to detect it remotely, is beyond the skill of most teams in the limited timeframe in which it's of vital importance. A team will have around 24-48 hours after a patch is released until some evil doer[s] have reverse engineered the patch and created an exploit out of it, slipped in a pre-packaged payload and owned 3 out of your 7 class B segments. Sometimes less. I think the ISS worm last year was the record, something like > 20 hours from patch to worm [Witty worm, I think].
Some interesting articles on scanning here and here
Just one other side note about the articles, Foundstone was purchased by McAfee last year so disregard those.
While the tool itself *is* still free, Lightning has made a change in their pricing model regarding the plugins.
Check it out for yourselves; there are three feeds now. The main feed, which used to be free, is now on a seven-day delay. While this doesn't affect a lot of the scanning efforts, it is nice to know about the vulnerability that just came out.
Often when a new serious vulnerability makes news, a company would like to know how they are affected right away. Now they will have to wait 7 days!
I don't think that there is anything wrong with this, I mean the developers at Nessus (Tenable Lightning) have to eat too. But calling it free just seems sort of inaccurate now. Scanners without updated signatures work about as well as razors without the blades.
A 'Direct Feed' is commercially available which entitles subscribers to the latest vulnerability checks. Customers who purchase a Lightning Console or NeWT Pro scanner receive access to this feed with their annual product maintenance.
A 'Registered Feed' is available for free to the general public, but new plugins are added seven days after they are added to the 'Direct Feed'. To obtain access to the 'Registered Feed', users are required to enter contact information for tracking and also agree to Tenable's license agreement for the plugins.
The 'GPL Feed' does not require registration, and includes plugins written by the user community. As manager of the Nessus project, Tenable continues to accept plugins written from the Nessus and NeWT user communities. Plugins accepted with a copyright under the GNU Public License will be distributed to the Direct, Registered and Public feeds at the same time.
Pricing
The access to the GPL feed and to the Registered Feed is free. Pricing for the 'Direct Feed' is based upon the number of Nessus or complimentary copies of NeWT in use within your organization, consultancy or service. The cost is $1200 per scanner per year. For more information, please contact Tenable's sales staff.
I was at an airport recently and met with a guy whose company literally goes to grocery stores and purchases all that info. They mine it and sell it back to the product companies. So don't think that it's very safe for you to purchase anything that can be traced. Even if you are using a credit card it can be traced back to you.
Viet Dinh (main author of PATRIOT) said it best, "you have the right to privacy in America but you never had the right to anonymity."
Last time I saw MTV Cribs there weren't any movie pirates on there. Just a bunch of overpaid anorexic actors.
What am I hiring a hacker for in this scenario? My mail room? Sure, he can deliver mail and pens to the cubicles. How about to design my security infrastructure or web application policy? Not so sure here; he might be out of his league. The beauty of this question is everyone is making all these assumptions in their answers.
Beyond the hacker v. cracker debate this question seems to imply that to be a "made hacker" one has to be convicted. And that is utter bullshit.
Some of the best hackers I know have been in prison for Federal crimes (notably USC Title 18 violations); however, the majority of them have NOT been to prison. Of those, some have been investigated but never convicted, and some, believe it or not, have never committed a crime more heinous than violating a EULA.
So to restate the question, "Would you hire a convicted felon with electronic skillsets?"
Yes I possibly would depending on the job. If it were a closed network and I needed someone to conduct penetration testing I would certainly hire him/her.
If the job were to involve consulting and facing clients I might be more reserved. A felon has serious liabilities including, but not limited to, bans on interstate travel and certainly international travel. In this case the person could only service clients in the local area without having to petition his PO every single time, and then it's too big a hassle.