Penetration Testing mailing list archives
RE: MBSA scanner
From: "Rob Shein" <shoten () starpower net>
Date: Tue, 4 May 2004 14:47:12 -0400
I think you're confusing code with output. The licenses you cite with regard to both SARA and MBSA have restrictions upon redistribution of the product, not the output of the product. With regard to SAINT, however, you may have a point. Nessus is another example; the GPL has the same restrictions on distribution in either binary or source code format for money, but it's very clear that using Nessus in the course of one's work and including its output in the deliverable is entirely acceptable within the license terms.
-----Original Message----- From: Javier Fernandez-Sanguino [mailto:jfernandez () germinus com] Sent: Tuesday, May 04, 2004 8:00 AM To: Igor Filippov Cc: pen-test () securityfocus com Subject: Re: MBSA scanner Since you asked for comments here they are: Igor Filippov wrote: (...)Sara (many things also apply to Nessus): Good: - It's freeThat's, unfortunately, not really true. Sara is built upon Satan which is _not_ free. Check your COPYING file: "Redistribution and use in source and binary forms are permitted provided that this entire copyright notice is duplicated in all such copies. No charge, other than an "at-cost" distribution fee, may be charged for copies, derivations, or distributions of this material without the express written consent of the copyright holders." Since the "material" includes the documentation included in a report. If you sold a commercial service which includes a Sara (or SAINT, for that matter) report, you are violating its copyright. I doubt that either Dan Farmer, Wietse Venema or the ARSC guys are going to pursue you but if you use the data in any commercial way you _are_ violating the license it was distributed you with. Notice that SAINT, in this respect is even worst, since _they_ (the company) are violating SATAN's license by charging money for the redistribution of SATAN code (in their propietary product). I've brought this to the attention of Mr. Farmer and Mr. Venema in the past. Sara used to be GPL, but obviously that license is incompatible to the real SATAN license and they have ammended that.- It runs on LinuxWell, that's not always a plus for everyone (it is for me :-)MBSA (most apply also to HFNetChk): Good: - It's freeNot free enough, read its EULA. Also, from the installation: "Unauthorized reproduction or distribution of this program, or any portion of it, may result in severe civil and criminal penalties...." This makes it "not free enough" for professional auditors since you _cannot_ include information from a BSA scan/report in any of your audit reports. Again, Microsoft might or might not want to pursue this misuse. Just to clear up the facts, the only free (in all senses) and professional remote vulnerability scanner I know of are Nessus. For free local vulnerability scanners I believe that OVAL [1] will become a good alternative in the near future. Regards Javier [1] http://oval.mitre.org -------------------------------------------------------------- ---------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethica> l_hacking_training.html -------------------------------------------------------------- -----------------
------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- Re: MBSA scanner Javier Fernandez-Sanguino (May 04)
- RE: MBSA scanner Rob Shein (May 04)
- Re: MBSA scanner Javier Fernandez-Sanguino (May 06)
- RE: MBSA scanner Rob Shein (May 06)
- RE: MBSA scanner JTH (May 06)
- Re: MBSA scanner Javier Fernandez-Sanguino (May 06)
- Re: MBSA scanner Igor Filippov (May 04)
- <Possible follow-ups>
- RE: MBSA scanner Steven Trewick (May 06)
- Re: MBSA scanner Javier Fernandez-Sanguino (May 10)
- RE: MBSA scanner Steven Trewick (May 10)
- Re: MBSA scanner Javier Fernandez-Sanguino (May 11)
- RE: MBSA scanner Rob Shein (May 04)