Nessus Closes Source

Posted by CmdrTaco on Thu Oct 06, 2005 04:02 PM
from the say-it-ain't-so dept.
JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because its competition is simply repackaging their product. Deraison writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.
Nessus Closes Source: 25 Comments

  • nessus is dead, long live gnessus? (Score:5, Interesting)

    by nanop (155318) on Thursday October 06 2005, @04:07PM (#13734192)
    So (provided there are interested developers), the last GPL-licensed version will likely be forked and a new project formed... I'd guess "gnessus".
      • Re:nessus is dead, long live gnessus? (Score:5, Interesting)

        by robla (4860) * on Thursday October 06 2005, @04:39PM (#13734514) Homepage Journal
        > So a project which was getting very little contribution from the OSS community is going to be forked into a different project that will get all sorts of support from the OSS community?

        Yup. Funny how that works. It happened that way with SourceForge/GForge. It sorta happened with NCSA httpd -> Apache. Probably a handful of other examples out there.

        It'll probably evolve from the needs of the Debian package maintainer needing an "upstream" [debian.org] for security patches, etc. Or maybe Gentoo, Fedora, etc. You get the idea. I use Debian as an example because they'll need something that continues to satisfy the DFSG [debian.org]. Thus, if Nessus is still going to remain, it'll eventually need to be updated.
        [ Parent ]
  • So what's left?? (Score:5, Interesting)

    by eno2001 (527078) on Thursday October 06 2005, @04:09PM (#13734203) Homepage Journal
    SATAN and SAINT appear to be gone. Now Nessus. What other projects are out there for security auditing tools? This is not a good trend.
    • Moral of this Story and Nmap Response (Score:5, Informative)

      by fv (95460) * <fyodor@insecure.org> on Thursday October 06 2005, @04:38PM (#13734504) Homepage

      I responded [seclists.org] for the Nmap Security Scanner [insecure.org] project yesterday. We aren't planning to follow suit. Nmap has been GPL since its release more than 8 years ago and I am happy with that license.

      I agree that this is not a good trend, and the question is how to reverse it. It is important to note a key reason Renaud gave: the lack of community involvement. It is easy to take the open source tools we depend on for granted, and forget that open source is a two way street. The bazaar model doesn't work so well with everyone taking and not contributing back. In the Nessus response, I suggest [seclists.org] a few ways that programmers and non-programmers can support projects they use and enjoy. Rather than mope over the loss of open source Nessus, we can treat this as a call to action and a reminder not to take valuable open source software such as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.

      Meanwhile, I know at least one group of experienced open source programmers that is preparing to announce a new open source vulnerability scanner project or Nessus fork. It would be encouraging for such a fork to succeed.

      -Fyodor [insecure.org]

      [ Parent ]
    • Re:So what's left?? (Score:5, Interesting)

      by tgd (2822) on Thursday October 06 2005, @06:04PM (#13735316)
      One can only hope this one disappears. Anyone who has been on the receiving end of a security audit done by some dork who lives in his parents' basement who hung out a shingle as a security analyst and basically only runs Nessus without any interpretation can tell you what a HUGE false-positive rate it's got. I know how much time *I* waste responding to them; it's staggering to think how much time throughout the industry is wasted because of them.

      Security tools like SATAN and NESSUS (and even tools like NMAP) are a poor substitute for someone who knows what they're doing, and just make being secure harder for everyone who has to deal with them.
      [ Parent ]
  • by temojen (678985) on Thursday October 06 2005, @04:09PM (#13734210) Journal
    Or rather, using the GPL as it was intended, to prevent vendor lock-in.
  • by cowbutt (21077) on Thursday October 06 2005, @04:10PM (#13734225) Journal
    As someone who encouraged a former employer to pay for a Nessus support contract when it was voluntary, someone who personally contributed a minor enhancement to the engine, and as someone who actually used Nessus professionally (i.e. manually verifying the results it gave, rather than selling the reports as-is to customers), I've been pretty disgusted by the way competitors have abused Renaud's generosity.

    Hopefully, the time will come when Renaud and crew feel that they can re-open the code, possibly under GPLv3.

  • Hardly a "loophole" (Score:5, Informative)

    by spitzak (4019) on Thursday October 06 2005, @04:11PM (#13734233) Homepage
    The "loophole" is an intended result of the GPL. Since this is its purpose it makes no sense to call it a "loophole" whether you like or dislike the GPL.

    In any case, they are perfectly free to do this. They are also free to release the source code in a way that does not have this "loophole", such as by using normal copyright. Equating "being able to see the source" with "GPL" is a bit of FUD.
  • Fair enough (Score:5, Informative)

    by overshoot (39700) on Thursday October 06 2005, @04:11PM (#13734237)
    A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL.

    That's not a loophole, that's how it's supposed to work.

    He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL.

    His code, his rules. As long as he's not including code that others contributed under the GPL, that is.

    The question is, has he either cleared the code, acquired copyright, or licensed it from the authors?

  • You do not get Open Source. (Score:5, Interesting)

    by RevDigger (4288) <haroldp.internal@org> on Thursday October 06 2005, @04:14PM (#13734278) Homepage
    This is not a "loophole in the GPL". It is exactly how the GPL, and similar OSS licenses are intended to work. If you don't want other people freely using, modifying, and even selling your software, then do not open source it.

    Also, it seems rather rich that they are selling a product that depends on a number of other OSS projects (expat, gettext, gmake, libiconv, libtool) and complaining about people making money off their code.

            - H

  • From their perspective? (Score:5, Insightful)

    by ivoras (455934) <(rh.ref) (ta) (sarovi)> on Thursday October 06 2005, @04:24PM (#13734368) Homepage
    Why isn't anybody looking at it from *their* perspective: A small, young-ish company tried to make a great product but failed to remain financially viable with the GPL license. Free-as-in-speech code is all well and great but at the end of the day, philosophy doesn't pay the bills.

    Or is everyone scared that all the "You can't actually make money with GPL" rumours are true (especially for small start-ups)? ;)

  • by Anonymous Asskicker (6554) on Thursday October 06 2005, @04:44PM (#13734560)
    A month ago I submitted a story (rejected, alas) about Tenable intentionally breaking the GPL version of Nessus:

    When the 2.2.5 version of Nessus [nessus.org] was released, Brian Weaver (formerly of OpenNMS [opennms.org] fame) was puzzled why the GPL version wouldn't scan. After hacking through the source code, Weaver found the answer: strong evidence suggesting Tenable Security [tenablesecurity.com], the sponsors of the GPL version of Nessus as well as a commercial version, deliberately crippled the GPL version of Nessus [spellweaver.org]. With stunts like this, would you trust Tenable to protect your network?

  • WHY there were no contributions: (Score:5, Interesting)

    by swmccracken (106576) on Thursday October 06 2005, @06:01PM (#13735290) Homepage
    At least one person - Dana Epp - alleges that there is a REASON why there are no outside contributions to the scanning core engine:

    http://silverstr.ufies.org/blog/archives/000864.html [ufies.org]

    Dana alleges there wasn't much give and take between Nessus and "the community" which discouraged any contributors.

    [In 2002] "I was about a quarter of the way complete the port [to windows] when I ran into some issues with the NASL scripting and I tried to contact Renaud and his crew to point out some issues I found. The help I got? Squat. Nothing. Barely even communicated with me. I only ever got a couple of email responses saying "I was free to do it" when I asked if I could do it in the first place, and a follow up to an issue I found with a quick thanks."

    • Re:GPL Kool-aid (Score:5, Insightful)

      by Mr. Underbridge (666784) on Thursday October 06 2005, @04:07PM (#13734179)
      Free as in beer is cool and all that, but if one excuse for dumping GPL is that they aren't getting any benefits in the way of free code, I guess they weren't really drinking the Kool-aid in the first place, eh?

      That's *the* valid excuse. They were in fact drinking the kool-aid - they believed that by contributing to the codebase, that it would make everyone's project stronger. As it happened, they kept giving and the competition kept taking. The community didn't give back.

      I agree, though, they could have written a license that gave other companies the right to reuse the code for non-commercial uses only, and that would have been a better compromise.

      [ Parent ]
      • by lullabud (679893) on Thursday October 06 2005, @04:25PM (#13734374) Homepage
        Choice 1) Pay (a likely non-existent) legal team huge amounts of cash to come up with a new license that is legally sound in all of the respects that need to be accounted for in their position.

        Choice 2) Close source code.

        Seems to make sense to me...
        [ Parent ]
          • by damiam (409504) on Thursday October 06 2005, @06:05PM (#13735324)
            Honestly, when the source is equal, what did he really think would set his product apart from the competition?

            Nothing; Tenable is a software dev house, not a marketing firm. So to set themselves apart, they decided to no longer allow the competition to use their code. Sounds like a sensible business plan to me.

            While I love the GPL, it's not for everything. There are some cases where it's just not profitable to give away your main product. This appears to be one of them. If you can come up with a better business plan that involves leaving the product GPLed, I'd be glad to hear it.

            [ Parent ]
      • Re:GPL Kool-aid (Score:5, Insightful)

        by massysett (910130) on Thursday October 06 2005, @04:34PM (#13734467) Homepage
        I suppose everyone is entitled to his understanding of the purpose of the GPL, but it was not my understanding that the GPL is about having a community make free improvements to one's software. My understanding is that the GPL is about giving users freedoms, not about community giveback. The FSF [gnu.org] seems to agree.

        The FSF says nothing about the GPL and community giveback. It says only that the GPL exists to give users freedoms to use and modify software. Indeed, "The freedom to use a program means the freedom for any kind of person or organization to use it on any kind of computer system, for any kind of overall job, and without being required to communicate subsequently with the developer or any other specific entity." (emphasis mine)

        [ Parent ]
        • Re:GPL Kool-aid (Score:5, Insightful)

          by Mateito (746185) on Thursday October 06 2005, @04:58PM (#13734726) Homepage
          I agree - in principle - but principle doesn't put food in your mouth or pay the rent.

          These guys did a wonderful job. Six years contributing to software that was obviously so good that other people could make money off it. It's one thing to work on an open source project in your spare time, or to be employed by one of the few companies that can leverage free software to make money, but these guys aren't. So unless you are working on the kernel, on samba or one of maybe a dozen other projects, you can't give up your day job.

          Maybe by closing the source, one of their competitors will buy them out and they will have enough money to live on and write open source code. Rather than berating these guys for leaving the fold, thank them profusely for the six years of hard work.

          If you don't like it, fork it. Once GPLed, always GPLed, and only V3 and above is going closed.

          [ Parent ]
          • Re:GPL Kool-aid (Score:5, Interesting)

            by timeOday (582209) on Thursday October 06 2005, @05:42PM (#13735135)
            Maybe by closing the source, one of their competitors will buy them out and they will have enough money to live on and write open source code.
            Maybe, and you can't blame them for changing strategies when status quo fails.

            But sometimes I think the authors of popular open-source software see their user base and think "gee, what if I had $59 from each user!"... when in fact, "free" is their main competitive advantage and the only reason they have users in the first place. Charging for software licenses might save them, but it might just wipe them off the map.

            [ Parent ]
    • Re:hmm (Score:5, Informative)

      by Nichotin (794369) on Thursday October 06 2005, @04:10PM (#13734227)
      People haven't contributed anything special to the scanning engine. They would have to strip that out, but as already mentioned, it was no biggie. They hold the rest of the copyright, and are legally allowed to change the licence, but they cannot restrict any usage of previously released source code.
      [ Parent ]
    • Re:hmm (Score:5, Insightful)

      by jsight (8987) on Thursday October 06 2005, @04:12PM (#13734252) Homepage
      I think the presumption is that one of the following is taking place:

      • There were no external contributors - Nothing needs to be done... just release the new version under the new license.

      • There were external contributors, who signed over copyrights - If all external contributors signed their copyrights over to Nessus (as is the policy for contributors to some products), then they would already own all copyrights.

      • There were significant contributions by external contributors, who did not sign over copyrights - They would have substantial rewriting to do.

      From their indication that they haven't seen any significant help in six years, we can presume that the third possibility is unlikely.

      And, of course, old versions will still remain under the GPL (happily).
      [ Parent ]
    • Re:hmm (Score:5, Insightful)

      by Vellmont (569020) on Thursday October 06 2005, @04:14PM (#13734265)

      They can't go "closed source" - they've licensed it under the GPL. Unless they rewrite the app from scratch, or remove any code from parties that haven't agreed to the new license... If Linus wanted to close-source Linux all of a sudden, he couldn't do it either.

      That's actually not true at all. They still own the code, the GPL is a license, not relinquishing ownership. What they can't do is use any code contributed by anyone outside the company. That code they'll have to re-write since it's licensed under the GPL and doesn't belong to them.

      And obviously, the existing version can't be relicensed either. The latest release under the GPL is stuck there from now until forever.

      They can't relinquish the license of course. Anyone that wants to take that code and maintain it themselves is obviously free to do so.
      [ Parent ]
    • Re:hmm (Score:5, Informative)

      by Jeff DeMaagd (2015) on Thursday October 06 2005, @04:15PM (#13734285) Homepage Journal
      I think you misunderstand. It is their program. The owner of the program can have multiple licences. The GPL gives non-owners specific rights and specific requirements, none of those licences necessarily have the same effect on the owner as it does the user.

      While they can't "take back" the versions that are already out there, the copyright owners themselves can make a variation and not release the source of the variation.
      [ Parent ]
      • by aafiske (243836) on Thursday October 06 2005, @05:10PM (#13734838)
        I'm not sure why rude, off-base replies like this get modded up. You seem to have missed the point, adrift in a sea of cliches as you were. The grandparent poster was saying that the OSS approach will not work very well for software that cannot be supplied as a service. There is no incentive for a company such as that to open source at all. If the company meets competition in the form of OSS developers, then yes, the free market will decide who will survive. I believe it is the grandparent's contention that overall, closed-source will win these battles because in the end, people would like to make a living doing what they're doing and as such, the good engineers will end up with the companies.
        [ Parent ]