Penetration Testing mailing list archives
Re: MBSA scanner
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Mon, 10 May 2004 09:04:12 +0200
Steven Trewick wrote:
I think you're confusing code with output. The licenses you cite with regard to both SARA and MBSA have restrictions upon redistribution of the product, not the output of the product.I'm confusing them because output might _include_ significant information that is in the code. The license covers both the software and the reports they generate, it does not explicitly exclude the later (so under copyright laws it _is_ included).To start with :To which copyright law, and in which country are you referring, exactly ?
That would be the WIPO copyright treaty [1] (regarding copyright law) and the GPL _license_ [2] regarding SARA and Nessus use of copyright law. Obviously, different countries have different (more detailed) copyright laws, but most (all?) uphold to that treaty including redistribution and public communication. The data (i.e. vulnerability information wether separate or included in the code) in any of these tools is a database on its own right, this data is introduced into the output of the program (i.e. the reports). Moreover, this data is a sustantiable part of the report.
As far as I see, a report of a vulnerability assessment tool without detailed information of the discovered vulnerability, impact, remediation, and links to external sources is not really useful. It would be not more than lines saying "found vulnerability XYZ in system 0 in port A" which, even if it useful for an auditor, leaves him an enormous amount of work related to: digging vulnerability impact, risk involved, more details in order to weed out false positives....
Regards Javier [1] http://www.wipo.int/documents/en/diplconf/distrib/94dc.htm [2] http://www.fsf.org/licenses/licenses.html#TOCGPL ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- Re: MBSA scanner Javier Fernandez-Sanguino (May 04)
- RE: MBSA scanner Rob Shein (May 04)
- Re: MBSA scanner Javier Fernandez-Sanguino (May 06)
- RE: MBSA scanner Rob Shein (May 06)
- RE: MBSA scanner JTH (May 06)
- Re: MBSA scanner Javier Fernandez-Sanguino (May 06)
- Re: MBSA scanner Igor Filippov (May 04)
- <Possible follow-ups>
- RE: MBSA scanner Steven Trewick (May 06)
- Re: MBSA scanner Javier Fernandez-Sanguino (May 10)
- RE: MBSA scanner Steven Trewick (May 10)
- Re: MBSA scanner Javier Fernandez-Sanguino (May 11)
- RE: MBSA scanner Rob Shein (May 04)