Full Disclosure mailing list archives

Nessus becoming closed. [was: Call to participate]


From: trains () doctorunix com
Date: Wed, 12 Oct 2005 07:33:41 -0500

Some thoughts on Nessus becoming closed, Snort being bought, and the life cycle of OSS projects.

<soapbox>

I have heard this before, that "No one contributes". This is absolute crap. Let me list some contributions:

We showed your handiwork to hundreds of people so they could show others. In other words, we provided the seed capital for your marketing team.

We figured out the best way to use the product, participated in feedback forums, and chatted in newsgroups (like FD). In other words, we provided a marketing and development steering committee for your fledgling product.

People in business know that valid customer feedback is truly priceless. We went out among the world's security users and tried this thing out in every conceivable scenario. All feedback was forwarded directly to the development team.

We installed it for our friends. We showed others how to install it at user group meetings, at 2600 meetings, at conferences, in BoF breakout groups. They showed others how to install it. We liked your work and we decided to make your product the new hegemon, the de-facto standard. "Not contributing", my ass. We *made* you.

That is enough in that vein. In a nutshell, We Made You. And we did it because we thought it was the right thing to do. We did it for free (rather than $200/hr for biz dev) because we knew that making your work shine like a diamond would make it an even better product. And it did get better. We endured the problems and tried to provide feedback where it made sense to do so.

In my own case I have contributed code, test cases, packet traces, etc. to sendmail, horde, php, linux-kernel, snort, nessus, uw-imap, gfs, sara/saint, and others. Usually it gets rejected with an arrogant snub (anybody ever correspond with Claus A. at sendmail? Yikes!). But sometimes I see my little contribution (with or without recognition) and I know I did the right thing. I am making the digital world a better place. And why not? I live and work in the digital world. But that is OSS, right? As poorly written as it was, "The cathedral and the bazaar" had a point here: when people work without expectation of personal gain, the masses can achieve things that corporate software development will never approach.

What the "cathedral" document missed was that people can change their minds. If the community develops something it should belong to the community, but it doesn't. It belongs to the project lead person. Generally, we hope to see some enlightened leadership, and we can only trust the project lead to stick with us as we stick with him/her. No guarantees here, though.

Let this be a warning to the community. If enough OSS projects become closed, people will stop contributing. Result: end of OSS. For example, who didn't see through that recent post on FD about a 'contest' that ends up with everybody's work being in an online ezine with ads and such. Sounds like a scam to get free writing services for a new magazine. LOL. The digital community has become leery already of "new projects" that are thinly veiled attempts to get a new commercial venture off the ground. This is our Achilles' heel. Trust for the future is what holds us together and makes OSS work. Lose that and OSS is gone.

Let this be a warning to anyone who puts a project out as open source: the level of input you get from the community will be directly related to how much input you solicit from the community. Funny how that works. By their nature, people want to help out when they see an inkling of something great. To the developers of OSS projects, your only payback will be our praise, respect, adulation, and some fantastic stuff to put on your resume. Sorry, dude, that's all we have to give. But we will give it freely if your work is worthy.

To anyone thinking of starting an OSS project: If you think you have a chance to make big bucks off your new idea, don't put it out as open source. The OSS community deals with closed source as a malfunction to be worked around. And work around it we shall. Frankly, Nessus was looking a little long in the tooth anyway. The old layer 2-4 attacks are passe. Nessus is so widely used that a pen tester who uses it will get stopped instantly. Every IDS and firewall knows about nessus and views the traffic as "unauthorized recon". I have our IDS set to shun (at the firewall) any source address that shows packets that I can clearly identify as nessus or nikto traffic. I know I am opening myself up to a possible DOS by rogue machines sending fake nessus packets, but I can deal with that. The fact is that for the last three years, nessus dev has not been 'accepting' of input from the community. Some of us cannot write a nessus plug-in, but we are willing to submit packet traces and participate in a discussion about the exploit in question. That is also support.

Well, that went much longer than I thought it would.

</soapbox>

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services () doctorunix com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

