Metasploit mailing list archives

Re: Framework Digest, Vol 21, Issue 30


From: "Moshe Ben Simon" <moshe () injection co il>
Date: Fri, 23 Oct 2009 15:46:33 +0200

Guys,

we need to support H.D. in his new job at Rapid7.

He does a good job on the Metasploit project and promises to continue.

vertigo



-----Original Message-----
From: framework-bounces () spool metasploit com
[mailto:framework-bounces () spool metasploit com] On Behalf Of
framework-request () spool metasploit com
Sent: Thursday, October 22, 2009 9:00 PM
To: framework () spool metasploit com
Subject: Framework Digest, Vol 21, Issue 30

Send Framework mailing list submissions to
        framework () spool metasploit com

To subscribe or unsubscribe via the World Wide Web, visit
        https://mail.metasploit.com/mailman/listinfo/framework
or, via email, send a message with subject or body 'help' to
        framework-request () spool metasploit com

You can reach the person managing the list at
        framework-owner () spool metasploit com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Framework digest..."


Today's Topics:

   1. Re: Metasploit Rising (HD Moore)
   2. Re: Metasploit Rising (Ben Greenfield)


----------------------------------------------------------------------

Message: 1
Date: Thu, 22 Oct 2009 08:21:52 -0500
From: HD Moore <hdm () metasploit com>
To: framework () spool metasploit com
Subject: Re: [framework] Metasploit Rising
Message-ID: <1256217712.10434.199.camel@localhost>
Content-Type: text/plain; charset="UTF-8"

On Thu, 2009-10-22 at 11:20 +0300, Siim Põder wrote:
> Just wondering what would "acquire" mean in the context of an open
> source project? As far as I understand, this should mean a
> non-exclusive patronship of a company supporting the development of a
> project by hiring people to develop/manage it full time. Similarly as
> many companies could be said to have "acquired" the Linux kernel? Or was
> there an actual "Metasploit" entity that was bought?

This has been a frequent question; let me start with some history:

When skape, spoonm, and I started on the rewrite from Perl to Ruby, we
also took steps to make the IP rights easier to enforce. The reason for
this was to prevent a third party from ripping off our work before we
even had a functional tool. To this effect, Metasploit LLC was created
as a three-member partnership, and each of the original developers
assigned their copyrights to the LLC. In return, we each received the
equivalent of a personal BSD license to the sum of the code. The public
license for version 3.0 and 3.1 was a commercial-style EULA that had a
clause providing the LLC with rights to incorporate any changes made by
third parties. I personally owned the domains, trademarks, and many of
the original copyrights (going back to 1.0). The LLC also owned training
materials and other documentation.

In 2008, both skape and spoonm left the project to work on other
ventures. This left me as the sole partner of the LLC, but without a
real development team. I converted the LLC to a sole proprietorship and
changed the license of the framework to BSD. With the 3.2 release, all
of the code owned up to that point by the LLC was relicensed under the
3-clause BSD license, and the MSF_LICENSE alias in the modules was
updated to reflect this. All contributions back to the tree would only
be accepted under the BSD license (excluding some third-party stuff as
identified in the README). This change made it easier to bring new
developers into the project.

What Rapid7 acquired is the combination of my personal and the LLC's
assets. This includes all rights to the 3.x code base up to 3.2 in
whole, plus specific rights since 3.2, the trademarks, domains, web site
content that was authored by the LLC, training materials, and a number
of other things that were not actually public. This isn't limited to
just the Metasploit Framework, but also includes things like
Decloak.net, the WarVOX project, and a few unpublished works. Rapid7 is
sponsoring the project in the sense that they are funding dedicated
resources, but it's much more than just a sponsorship.

The result is closer to the ClamAV acquisition by Sourcefire (as far as
I can tell, details of that were not made public), and less like the
Tenable/Nessus or IBM/Linux models. We plan to continue development
under pretty much the same model. The only major change is that I have
help doing the "boring" backend work, quality testing, and preparing
releases. Rapid7 is committed to the open source model and keeping the
BSD license.


-HD





------------------------------

Message: 2
Date: Thu, 22 Oct 2009 10:22:33 -0400
From: Ben Greenfield <bcg () struxural com>
To: HD Moore <hdm () metasploit com>
Cc: framework () spool metasploit com
Subject: Re: [framework] Metasploit Rising
Message-ID:
        <83ff70350910220722w41a9d3cbg6d7add90fa6ac34 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Congratulations to everyone.  I see this as a very positive move, both
for Rapid7 and for the project.

Personally, as someone who works for a cybersecurity company that
purchases all kinds of licenses each year (Nessus, Burp, GFI, etc), I
would absolutely be willing to pay for Metasploit (assuming the
pricing is realistic, unlike Core which IMO is not affordable or
priced reasonably).  I guess I would just ask that if the project
moves to a subscription model to make the costs somewhere between Burp
and Nessus.  I think Burp is an outstanding value, and Nessus is
terrific, but I think the pricing is a little heavy-handed.  Core just
isn't realistically priced in my opinion.

Congratulations again, I'm sure that the project will benefit a lot
from full time development.






------------------------------

_______________________________________________
Framework mailing list
Framework () spool metasploit com
https://mail.metasploit.com/mailman/listinfo/framework


End of Framework Digest, Vol 21, Issue 30
*****************************************
