Re: MBSA scanner

[Igor Filippov <igor () osc edu>]

Javier,

Thank you for pointing this out, I guess I should have included another
disclaimer as to what I consider to be free -  though it's hard to believe
that the results of a scan are not re-distributable.
By "free" I meant free for end-user who's not a security professional -
(or somebody who's doing such scanning for living - they probably wouldn't
use MBSA anyway, or would they ?) nor is going to re-sell the code or
its derivatives; that is "free" for a guy like myself, which is a bit
self-centric, but I did talked about it in the beginning of my first message.

Igor

On Tue, 4 May 2004, Javier Fernandez-Sanguino wrote:

> Since you asked for comments here they are:
>
> Igor Filippov wrote:
> (...)
> > Sara (many things also apply to Nessus):
> >  Good:
> >       - It's free
>
> That's, unfortunately, not really true. Sara is built upon Satan which
> is _not_ free. Check your COPYING file:
>
> "Redistribution and use in source and binary forms are permitted
> provided that this entire copyright notice is duplicated in all such
> copies.  No charge, other than an "at-cost" distribution fee, may be
> charged for copies, derivations, or distributions of this material
> without the express written consent of the copyright holders."
>
> Since the "material" includes the documentation included in a report.
> If you sold a commercial service which includes a Sara (or SAINT, for
> that matter) report, you are violating its copyright. I doubt that
> either Dan Farmer, Wietse Venema or the ARSC guys are going to pursue
> you but if you use the data in any commercial way you _are_ violating
> the license it was distributed you with.
>
> Notice that SAINT, in this respect is even worst, since _they_ (the
> company) are violating SATAN's license by charging money for the
> redistribution of SATAN code (in their propietary product). I've
> brought this to the attention of Mr. Farmer and Mr. Venema in the past.
>
> Sara used to be GPL, but obviously that license is incompatible to the
> real SATAN license and they have ammended that.
>
>
> >       - It runs on Linux
>
> Well, that's not always a plus for everyone (it is for me :-)
>
> > MBSA (most apply also to HFNetChk):
> >      Good:
> >         - It's free
>
> Not free enough, read its EULA. Also, from the installation:
>
> "Unauthorized reproduction or distribution of this program, or any
> portion of it, may result in severe civil and criminal penalties...."
>
> This makes it "not free enough" for professional auditors since you
> _cannot_ include information from a BSA scan/report in any of your
> audit reports. Again, Microsoft might or might not want to pursue this
>   misuse.
>
> Just to clear up the facts, the only free (in all senses) and
> professional remote vulnerability scanner I know of are Nessus. For
> free local vulnerability scanners I believe that OVAL [1] will become
> a good alternative in the near future.
>
> Regards
>
> Javier
>
> [1] http://oval.mitre.org
>
> ------------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> -------------------------------------------------------------------------------

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------