Nessus becoming closed. [was: Call to participate]
From: trains () doctorunix com
Date: Wed, 12 Oct 2005 07:33:41 -0500
Some thoughts on Nessus becoming closed, Snort being bought, and the
life cycle of OSS projects.
I have heard this before, that "No one contributes". This is absolute
crap. Let me list some contributions:
We showed your handiwork to hundreds of people so they could show
others. In other words, we provided the seed capital for your
We figured out the best way to use the product, participated in
feedback forums, and chatted in newsgroups (like FD). In other words,
we provided a marketing and development steering committee for your
People in business know that valid customer feedback is truly
priceless. We went out among the world's security users and tried this
thing out in every conceivable scenario. All feedback was forwarded
directly to the development team.
We installed it for our friends. We showed others how to install it at
user group meetings, at 2600 meetings, at conferences, in BoF breakout
groups. They showed others how to install it. We liked your work and
we decided to make your product the new hegemon, the de-facto standard.
"Not contributing", my ass. We *made* you.
That is enough on that vein. In a nutshell, We Made You. And we did
it because we thought it was the right thing to do. We did it for free
(rather than $200/hr for biz dev) because we knew that making your work
shine like a diamond would make it an even better product. And it did get
better. We endured the problems and tried to provide feedback where it
made sense to do so.
In my own case I have contributed code, test cases, packet traces, etc
to sendmail, horde, php, linux-kernel, snort, nessus, uw-imap, gfs,
sara/saint, and others. Usually it gets rejected with an arrogant snub
(anybody ever correspond with Claus A. at sendmail? Yikes!). But
sometimes I see my little contribution (with or without recognition)
and I know I did the right thing. I am making the digital world a
better place. And why not? I live and work in the digital world. But
that is OSS, right? As poorly written as it was, "The Cathedral and
the Bazaar" had a point here: when people work without expectation of
personal gain, the masses can achieve things that corporate software
development will never approach.
What the "cathedral" document missed was that people can change their
minds. If the community develops something it should belong to the
community but it doesn't. It belongs to the project lead person.
Generally, we hope to see some enlightened leadership, and we can only
trust the project lead to stick with us as we stick with him/her. No
guarantees here, though.
Let this be a warning to the community. If enough OSS projects become
closed, people will stop contributing. Result: end of OSS. For
example, who didn't see through that recent post on FD about a 'contest'
that ends up with everybody's work being in an online ezine with ads
and such. Sounds like a scam to get free writing services for a new
magazine. LOL. The digital community has become leery already of
"new projects" that are thinly veiled attempts to get a new commercial
venture off the ground. This is our Achilles' heel. Trust for the
future is what holds us together and makes OSS work. Lose that and OSS
Let this be a warning to anyone who puts a project out as open source:
the level of input you get from the community will be directly related
to how much input you solicit from the community. Funny how that
works. By their nature, people want to help out when they see an
inkling of something great. To the developers of OSS projects, your
only payback will be our praise, respect, adulation, and some fantastic
stuff to put on your resume. Sorry, dude, that's all we have to give.
But we will give it freely if your work is worthy.
To anyone thinking of starting an OSS project: If you think you have a
chance to make big bucks off your new idea, don't put it out as open
source. The OSS community deals with closed source as a malfunction
to be worked around. And work around it we shall. Frankly, Nessus was
looking a little long in the tooth anyway. The old layer 2-4 attacks
are passe. Nessus is so widely used that a pen tester who uses it will
get stopped instantly. Every IDS and firewall knows about nessus and
views the traffic as "unauthorized recon". I have our IDS set to shun
(at the firewall) any source address that shows packets that I can
clearly identify as nessus or nikto traffic. I know I am opening
myself up to a possible DoS by rogue machines sending fake nessus
packets, but I can deal with that. The fact is that for the last
three years, nessus dev has not been 'accepting' of input from the
community. Some of us cannot write a nessus plug-in, but we are
willing to submit packet traces and participate in a discussion about
the exploit in question. That is also support.
Well, that went much longer than I thought it would.
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact: services () doctorunix com
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/