Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Nessus becoming closed. [was: Call to participate]
From: trains () doctorunix com
Date: Wed, 12 Oct 2005 07:33:41 -0500

Some thoughts on Nessus becoming closed, Snort being bought, and the life cycle of OSS projects.


I have heard this before that, "No one contributes". This is absolute crap. Let me list some contributions:

We showed your handiwork to hundreds of people so they could show others. In other words, we provided the seed capital for your marketing team.

We figured out the best way to use the product, participated in feedback forums, and chatted in newsgroups (like FD). In other words, we provided a marketing and development steering comittee for your fledgling product.

People in business know that valid customer feedback is truly priceless. We went out among the world's security users and tried this thing out in every concievable scenario. All feedback was forwarded directly to the development team.

We installed it for our friends. We showed others how to install it at user group meetings, at 2600 meetings, at conerences, is bof breakout groups. They showed others how to install it. We liked your work and we decided to make your product the new hegemon, the de-facto standard. ?Not contributing?, my ass. We *made* you.

That is enough on that vein. In a nutshell, We Made You. And we did it because we thought it was the right thing to do. We did it for free (rather than $200/hr for biz dev) because we knew that making your work shine like a diamond would make it even better product. And it did get better. We endured the problems and tried to provide feedback where it made sense to do so.

In my own case I have contributed code, test cases, packet traces, etc to sendmail, horde, php, linux-kernel, snort, nessus, uw-imap, gfs, sara/saint, and others. Usually it gets rejected with an arrogant snub (any body ever correspond with Claus A. at sendmail? Yikes!). but sometimes I see my little contribution (with or without recognition) and I know I did the right thing. I am making the digital world a better place. And why not? I live and work in the digital world. But that is OSS, right? As poorly written as it was, "The cathedral and the bazaar" had a point here: when people work without expectation of personal gain, the masses can achieve things that corporate software development will never approach.

What the "cathedral" document missed, was that people can change their minds. If the community develops something it should belong to the community but it doesn't. It belongs to the project lead person. Generally, we hope to see some enlightened leadership, and we can only trust the project lead to stick with us as we thick with him/her. No guarantees here, though.

Let this be a warning to the community. If enough OSS projects become closed, people will stop contributing. Result: end of OSS. For example, who didn't see though that recen Post on FD about a 'contest' that ends up with everybody's work being in an online ezine with ads and such. Sounds like a scam to get free writing services for a new magazine. LOL. The digital community has become leery already of ?new projects? that are thinly veiled attempts to get a new commercial venture off the ground. This is our acchiles' heel. Trust for the future is what holds us together and makes OSS work. Lose that and OSS is gone.

Let this be a warning to anyone who puts a project out as open source: the level of input you get from the community will be directly related to how much input you solicit from the community. Funny how that works. By their nature, people want to help out when they see an inkling of something great. To the developers of OSS projects, your only payback will be our praise, respect, adulation, and some fantastic stuff to put on your resume. Sorry, dude, that's all we have to give. But we will give it freely if your work is worthy.

To anyone thinking of starting an OSS project: If you think you have a chance to make big bucks off your new idea, don't put it out as open source. The OSS community deals with closed source as a malfunction to be worked around. And work around it we shall. Frankly, Nessus was looking a little long in the tooth anyway. The old layer 2-4 attacks are passe. Nessus is so widely used that a pen tester who uses it will get stopped instantly. Every IDS and firewall knows about nessus and views the traffic as ?unauthorized recon?. I have our IDS set to shun (at the firewall) any source address what shows packets that I can clearly identify as nessus or nikto traffic. I know I am opening myself up to a possible DOS by rouge machines sending fake nessus packets, but I can deal with that. That fact is that for the last three years, nessus dev has not been 'accepting' of input from the community. Some of us cannot write a nessus plug-in, but we are willing to submit packet traces and participate in a discussion about the exploit in question. That is also support.

Well that went much longer that I thought it would.


Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services () doctorunix com

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]