RE: MBSA scanner

["JTH" <jth () visi com>]

Javier, I think I am unsure what stance you are taking in the end, with
regard to how you wish to license Nessus reports. (I went through the
thread on plugins-writers. [1]) But that doesn't matter too much, so I
will just respond.

And please, if I am (or my assumptions are) wrong, correct me, don't flame
me!

> -----Original Message-----
> From: Javier Fernandez-Sanguino [mailto:jfernandez () germinus com] 
> Sent: Thursday, May 06, 2004 3:32 AM
> To: Rob Shein
> Cc: 'Igor Filippov'; pen-test () securityfocus com
> Subject: Re: MBSA scanner
>
> Rob Shein wrote:
>
> > I think you're confusing code with output.  The licenses 
> you cite with 
> > regard to both SARA and MBSA have restrictions upon 
> redistribution of 
> > the product, not the output of the product.
>
> I'm confusing them because output might _include_ significant 
> information that is in the code. The license covers both the 
> software and the reports they generate, it does not 
> explicitly exclude the later (so under copyright laws it _is_ 
> included).

Even if this information is in the code, it is output from the program. As
stated in the GPL FAQ to which you link below, [2] the output of a program
is only copyright if the program copies part of itself into the output. As
was stated in the plugins-writiers thread and here, the report is output,
not code or plaintext, (can be HTML, XML, NSR, NBE) and is produced from
code. (NASL scripts) 

I would argue that the program (NASL script) is not copying itself into
the output. And while I am not familiar with the inner workings of Nessus,
I presume Nessus reads in a NASL script, performs the test, and extracts
the text for the report, if a vulnerability is found.

> Again, notice that the output of the product is based on (sometimes
> lengthy) information that is included in the code of the 
> product. So, all the suggestions on how to fix a 
> vulnerability that a report might include are like a 
> "knowledge base" of sorts, which is copyrighted. 

The plugin db on nessus.org can be viewed this way. I disagree that the
plugin db within the program itself is this, as it is an intrinsic part of
the program.

> This includes also detailed information on a vulnerabilities 
> (what does it do, how does it affect a system). Without the 
> original author's permission you can't translate that at 
> will, you cannot provide that report as a commercial offering 
> (inside a report or
> standalone) and you cannot (taking it to the extreme) include 
> the information from that report into your new brand 
> vulnerability assesment tool with different code to assess 
> the vulnerabilities but similar output.

Am I mistaken in assuming NASL scripts are GPL'd, as they are included in
Nessus, a GPL'd work? Because if they are GPL, then yes, I could take them
and dump them into my commercial product. BUT, the product would then be
"infected", as Pavel Kankovsky points out. [3]

> Notice that, if that was permitted under copyright law, there 
> would be nothing preventing Nessus, Internet Scanner, 
> Cybercop, Retina, you_name_it from using the same 
> vulnerability database. If you consider the output in the 
> public domain you could run a test against a host that turns 
> out vulnerable to everything that is in the database (maybe 
> faking the answers) and then copy the information from the 
> report to your propietary or free vulnerability assesment system. 
> That's obviously illegal.

I don't know that this would be illegal based on what I said above, which
I assume is why all of this began in the first place. This is where a
restricted-use clause in the report comes into play, but I don't know if
that intermingles with the GPL properly or not.

Realistically speaking though, the NASL scripts and the vulnerability
detection technique is the more difficult piece of intellectual property
here, not someone's search for a BID/CVE and summarisation of said
advisories.

> > Nessus is another example; the GPL has the same restrictions on 
> > distribution in either binary or source code format for money, but 
> > it's very clear that using Nessus in the course of one's work and 
> > including its output in the deliverable is entirely 
> acceptable within the license terms.
>
> That's because Reanud, as well as other Nessus developers (me
> included) wanted to make a distinction in that side. Notice 
> that the output of Nessus is still copyrighted (it's part of 
> the NASL script) and you cannot do whatever you like (such as 
> including it in a closed source scanner) [sic]

This is why I am unclear on your stance; you appear to argue that report
usage should be restricted, with a long copyright notice (restricted use
clause) included in the report. But I think I agree with Pavel's
conclusion, that the report is the output of a program, and not a text.

The majority of my uncertainty now, though, is what was the conclusion of
this? I saw not clear conclusion, but just a message from Renaud Deraison
stating his lawyer is looking into it. [4]

Was there ever a decision made whether you can dictate a license of the
output of a nessus scan at all, and if so, what is the license/stipulation
placed on said output?

jth

[1] http://list.nessus.org/plugins-writers/0312/1001.html
[2] http://www.gnu.org/licenses/gpl-faq.html#TOCWhatCaseIsOutputGPL
[3] http://list.nessus.org/plugins-writers/0312/1079.html


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------