Dailydave mailing list archives

Re: interesting..


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 13 Oct 2005 23:12:06 -0500

On Thursday 13 October 2005 22:11, Arun Koshy wrote:
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/037923.html
>
> Did anyone read this?

Yup, it is way off on a few points. A couple specific ones:

> What the "cathedral" document missed, was that people can change their 
> minds.  If the community develops something it should belong to the 
> community but it doesn't.  It belongs to the project lead person.  

People can change their minds, but OSS licenses can rarely be revoked. The 
Nessus license change was in the works for *years* and it rarely  
dissuaded people from contributing. The take-home message is don't put 
sweat into someone else's project unless you understand their licensing.

Most people contribute to OSS projects to scratch an itch - some do it for 
fun, many for experience, but most of them do it because they don't want 
to maintain their own patch tree. "Sharing my work with others to make 
the internet a better place" is a nice side benefit, but rarely the real 
reason behind OSS development.

> Let this be a warning to the community.  If enough OSS projects become 
> closed, people will stop contributing.  Result: end of OSS.

That won't happen as long as OSS development is an easy path to name 
recognition and programming experience. Some OSS projects will always 
close - but that's the whole point of OSS - you can fork them, take over 
maintenance, and cannibalize their code for your own project. 

> For example, who didn't see through that recent post on FD about a 'contest' 
> that ends up with everybody's work being in an online ezine with ads 
> and such.

If you spent 5 minutes looking at the zine's web page 
(www.uninformed.org), you might notice a conspicuous lack of 
advertisements... or commercial material in any form. The only reason 
winning results would be published in Uninformed at all is to give better 
visibility to the work and more credit to the author. 

> The digital community has become leery already of 
> "new projects" that are thinly veiled attempts to get a new commercial 
> venture off the ground.

With good reason - but that's why licensing matters. Who cares if the 
project goes commercial as long as you have access to the source code. 
When you download an OSS package, you aren't getting free upgrade 
services for life, you are gambling that there are enough people 
interested in the project to maintain it for you. Sometimes that doesn't 
happen and you have to get off your ass and code. 

> To anyone thinking of starting an OSS project: If you think you have a 
> chance to make big bucks off your new idea, don't put it out as open 
> source.

My own advice: if you have a great new idea, start an OSS project, maybe 
you can make big bucks from it. The money doesn't come in from selling 
the code, or selling the idea, it comes from selling yourself. Literally. 
If your idea is cool enough and your code actually works, people might 
actually use it. The more people that use it, the more important that 
code becomes. Since you are the de facto authority on that code, you can 
sell support services, training, or just use the experience to get a 
better day job. 

Nessus wasn't some hot new idea that nobody had thought of before - nor 
was it the best scanner available at many times - what made it popular 
was that it was free and people were cheap. Consultants used it when they 
couldn't afford other solutions, MSSPs used it when they didn't have the 
in-house resources to do it themselves. All these commercial uses drove 
its development - it wasn't some hippy daisy chain of free love that 
pushed for features like XML reporting. Nessus got better as more 
businesses depended on it. 

When Tenable was formed, they became a direct competitor of all the 
companies leeching off the Nessus code. Once again, business reasons 
drove development, in this case away from open source. Renaud put in 
years of his life on the Nessus project - most of the third-party 
contributions still had to go through him before they could be integrated 
into the project. The quality of submitted plugins was never stellar, 
although there were some contributors who did better than the rest. Not 
surprisingly, most of those contributors now work at Tenable. These days, 
the commercial plugin tree is kicking some serious ass, both on quality 
and innovation. There are still dozens of companies out there using the 
commercial tree under conditions that violate the commercial license. 
These companies have the nerve to sandbag Tenable in their marketing 
materials while still leeching off the Tenable plugin tree. 

> The OSS community deals with closed source as a malfunction 
> to be worked around.  And work around it we shall. 
You go girl.

> Nessus was looking a little long in the tooth anyway.   The old layer 2-4 
> attacks are passe. 
Compared to what? Do you have any idea what goes into writing a 
vulnerability assessment system? Is there some magic security solution 
that detects all of those "old layer 2-4" issues that people are still 
actively exploiting?

> Nessus is so widely used that a pen tester who uses it will 
> get stopped instantly.  Every IDS and firewall knows about nessus and 
> views the traffic as "unauthorized recon".  

Awesome. Any IDS worth its price should be able to block public attack 
tools. If a pen-tester is stupid enough to use a public VA tool against 
an IPS'd network, they deserve what they get. It's not like there is any 
other tool out there (commercial or otherwise), that can provide a 
thorough assessment without tripping even the stupidest IDS.

> I have our IDS set to shun (at the firewall) any source address that 
> shows packets that I can clearly identify as nessus or nikto traffic.

Go you. Now that you feel all safe and secure, I guess you can sleep well 
at night while someone pops all of your client workstations via an IE 
bug. Oh wait, that's something you could have used Nessus to check for.

> I know I am opening myself up to a possible DoS by rogue machines sending 
> fake nessus packets, but I can deal with that. 
Spamming out security-by-obscurity techniques to a mailing list doesn't 
help your risk index much either...

> The fact is that for the last three years, nessus dev has not been 
> 'accepting' of input from the community.  Some of us cannot write a 
> nessus plug-in

Check your facts, hell, use a search engine and read the Nessus mailing 
list archives. All of the major external contributors were kept in the 
loop on both the plugin feed license change and the recent switch to 
closed source.

> Some of us cannot write a nessus plug-in, but we are 
> willing to submit packet traces and participate in a discussion about 
> the exploit in question.   That is also support.

Consider it payment for using someone else's software without having to 
send them money. Besides, you submit these "traces" to make the tool 
better.. better to use on your own network. 

-HD

</aggravatedRant>