RE: MBSA scanner

["Rob Shein" <shoten () starpower net>]

I think you're confusing code with output.  The licenses you cite with
regard to both SARA and MBSA have restrictions upon redistribution of the
product, not the output of the product.  With regard to SAINT, however, you
may have a point.

Nessus is another example; the GPL has the same restrictions on distribution
in either binary or source code format for money, but it's very clear that
using Nessus in the course of one's work and including its output in the
deliverable is entirely acceptable within the license terms.

> -----Original Message-----
> From: Javier Fernandez-Sanguino [mailto:jfernandez () germinus com] 
> Sent: Tuesday, May 04, 2004 8:00 AM
> To: Igor Filippov
> Cc: pen-test () securityfocus com
> Subject: Re: MBSA scanner
>
>
> Since you asked for comments here they are:
>
> Igor Filippov wrote:
> (...)
> > Sara (many things also apply to Nessus):
> >  Good:
> >       - It's free
>
> That's, unfortunately, not really true. Sara is built upon 
> Satan which 
> is _not_ free. Check your COPYING file:
>
> "Redistribution and use in source and binary forms are 
> permitted provided that this entire copyright notice is 
> duplicated in all such copies.  No charge, other than an 
> "at-cost" distribution fee, may be charged for copies, 
> derivations, or distributions of this material without the 
> express written consent of the copyright holders."
>
> Since the "material" includes the documentation included in a report. 
> If you sold a commercial service which includes a Sara (or SAINT, for 
> that matter) report, you are violating its copyright. I doubt that 
> either Dan Farmer, Wietse Venema or the ARSC guys are going to pursue 
> you but if you use the data in any commercial way you _are_ violating 
> the license it was distributed you with.
>
> Notice that SAINT, in this respect is even worst, since _they_ (the 
> company) are violating SATAN's license by charging money for the 
> redistribution of SATAN code (in their propietary product). I've 
> brought this to the attention of Mr. Farmer and Mr. Venema in 
> the past.
>
> Sara used to be GPL, but obviously that license is 
> incompatible to the 
> real SATAN license and they have ammended that.
>
>
> >       - It runs on Linux
>
> Well, that's not always a plus for everyone (it is for me :-)
>
> > MBSA (most apply also to HFNetChk):
> >      Good:
> >         - It's free
>
> Not free enough, read its EULA. Also, from the installation:
>
> "Unauthorized reproduction or distribution of this program, or any 
> portion of it, may result in severe civil and criminal penalties...."
>
> This makes it "not free enough" for professional auditors since you 
> _cannot_ include information from a BSA scan/report in any of your 
> audit reports. Again, Microsoft might or might not want to 
> pursue this 
>   misuse.
>
> Just to clear up the facts, the only free (in all senses) and 
> professional remote vulnerability scanner I know of are Nessus. For 
> free local vulnerability scanners I believe that OVAL [1] will become 
> a good alternative in the near future.
>
> Regards
>
> Javier
>
> [1] http://oval.mitre.org
>
> --------------------------------------------------------------
> ----------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and 
> get $545 off any course! All of our class sizes are 
> guaranteed to be 10 students or less to facilitate one-on-one 
> interaction with one of our expert instructors. Attend a 
> course taught by an expert instructor with years of 
> in-the-field pen testing experience in our state of the art 
> hacking lab. Master the skills of an Ethical Hacker to better 
> assess the security of your organization. Visit us at: 
> http://www.infosecinstitute.com/courses/ethica> l_hacking_training.html
> --------------------------------------------------------------
> -----------------


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------