Nmap Announce mailing list archives
Re: Nmap 3.81 Released; Pr0n; License Non-changes
From: Renaud Deraison <deraison () nessus org>
Date: Tue, 8 Feb 2005 08:24:02 -0500
Hi List and Fyodor,

On Mon, Feb 07, 2005 at 02:34:11PM -0800, Fyodor wrote:
> In other news, some users have expressed concern about the new Nessus license. If you want to use Nessus and all its plugins for consulting, you are now required to fax Tenable a signed license agreement requesting permission.
This is correct. The issue is that in legalese-speak, it's difficult to distinguish between a consultant and a Managed Security Services Provider (MSSP), and some of them have blatantly abused Nessus in the past by claiming they "invented the technology", so we had to find a way which:

a) Makes the use of Nessus free for consultants;
b) Allows us to prevent such companies from using it if they lie in their claims;

In the same vein that in real life you have to use annoying keys to lock your door to prevent a minority of bad guys from breaking into your house, we had to set up some measures to prevent a minority from abusing the project.
> You must also promise not to redistribute or reverse-engineer the plugins (http://www.nessus.org/plugins/index.php?consultant=1&email=c&product=). They also instituted a $1200/year charge for the latest plugins (a delayed feed is available free with registration for certain limited uses).
The registered plugin feed (which is _free_) allows you to scan the network of your workplace or home, with all the plugins that have ever been written, although there is a 7 day delay between the time we write the plugins and the time you receive them. If members of the open-source community submit a given plugin, then it's available under the GPL with no delay.

Same thing with consultants and MSSPs: you can get the plugin feed for _free_ but you need to ask for authorization only once. We do NOT use the gathered data for commercial purposes. Actually, we don't even keep a digital copy of the authorizations, since we're talking about a fax, so we do not have a database of consultants and/or MSSPs.

Finally, if you have some kind of religious stance regarding the use of non-GPL software, there is a 100% GPL plugin feed which contains over 2,000 plugins.
> They also now claim that many of the existing Nessus plugins were never open source. At the same time, they rewrote the Nessus web page to emphasize that Nessus is "_the_ open-source vulnerability scanner".
Nessus is an engine, and it is released under the GPL license. A great number of plugins is released under the GPL license. I think that qualifies for "open-source". [...]
> They argue that this change is necessary to maintain quality and satisfy shareholders
We have never claimed that we clarified the license to satisfy shareholders. We are privately funded and not dependent on VCs. What we've claimed is that setting up an environment to react in real time to new vulnerabilities (instead of reacting "whenever I have time"), and hiring people to work full time on new security checks (and QA them) requires more than goodwill, especially when you see that these checks are then being used by our competitors.

If the community had submitted more plugins, maybe this would not have been necessary, but when you look back and see that Tenable contributed over 80% of the new plugins in 2004, then there is a problem.

It turns out that when people think of "open-source", most of them think of a million people writing one line of code each, and this is absolutely false. Just a quick recap:

+ 100% of the Nessus Engine: Michel Arboi and Renaud Deraison (Tenable)
+ 95% of the Nessus Plugins: Michel Arboi, David Maciejak, Noam Rathaus, Digital Defense Inc., George Theall and Tenable.

I recently explained the rationale behind the license change in a lengthy email, available at:
<http://mail.nessus.org/pipermail/nessus/2005-January/msg00185.html>

We also have some sort of FAQ regarding the license change:
<http://www.tenablesecurity.com/products/direct-examples.shtml>

If you have any questions, don't hesitate to send them to me.

Thanks,

-- Renaud

--
Renaud Deraison
http://www.nessus.org

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List archive: http://seclists.org