Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Nmap Development: Re: Nessus closes source => How to help open source projects

Re: Nessus closes source => How to help open source projects

From: Alex Zimin <alex_at_inprotect.com>
Date: Thu, 06 Oct 2005 00:54:01 -0700

All,

First of all, I think Renaud did a great job over the years to keep the
Nessus project growing and competitive with the commercial products. I
am sure it took him lots of time and effort to make Nessus what it is now.

Sadly enough I think there is a big tendency for the last few years to
commercialize open source projects. Can the open source and business
ideas co-exist? I think yes, if the company is service or support
oriented, then it may make few bucks and keep the code open.

Tenable is mainly product oriented, Nessus is their base product and I
don't see service offerings on their web site. I think Nessus alone, as
a GPL'ed product, will not bring enough money to cover for development
and other business expenses. $5-$10 donations may be sufficient to keep
some open source developers work until 2AM, but certainly such donations
will not break-even at the for profit corporation.

Can a new open source security scanner be developed? Certainly. GPL'ed
Nessus can be improved and used as a base, or a new scan engine be
developed from scratch. Is it a reality? Not unless there is a good team
of people capable of developing a new product, willing to dedicate
enormous amount of time to it and a supportive community or a
corporation behind them. At the same time, what would be a motivation
for these people? Pride? Accomplishment? Work itself?

Fyodor, what keeps you awake until 2AM or later releasing new versions
of Nmap?

If another open source security scanner project starts because of Nessus
changes, Debian model + commercial services may be a good way to go.
However so many unethical people may take advantage of it by claiming
their ownership of the product and advancement in security scanning.

Maybe Tenable model is an only way for a good quality security product
to exist in a long term?
Maybe we will see a reverse process soon, where another big name
security company will open-up their closed code to gain popularity, kill
competition, and expand their services?

Lets keep discussion going. 

-- 
Alex Zimin
Fyodor wrote:
> Nmap Hackers,
> 
> In the last Insecure.Org Security Tools survey, you guys proudly voted
> Nessus #1.  It complements the functionality of Nmap by going further
> to detect application-level vulnerabilities.  Then in February of this
> year, Tenable changed the Nessus license to further restrict the
> plugins and require that you fax them a permission request form before
> you use Nessus for any consulting engagements.  Renaud wrote to this
> list on Feb 8
> (http://seclists.org/lists/nmap-hackers/2005/Jan-Mar/0001.html),
> explaining that their new slogan ("the open-source vulnerability
> scanner") was accurate because the engine was still open source.
> Today, their slogan has changed to "the network vulnerability
> scanner", and you can probably guess what that means.  In the
> announcement below, Renaud announces that Nessus 3 (due in a couple
> weeks) will be binary only and forbid redistribution.  They say it
> will be free, for now, if you use the delayed plugin feed.  They have
> also announced that Nessus 3 will be faster and contain various other
> improvements.  They promise to maintain GPL Nessus 2 for a while, but
> I wouldn't count on that lasting long.
> 
> I am not taking a position on this move, but I do feel it is worth
> noting for the many Nessus users on this list.  Tenable argues that
> this move is necessary to further improve Nessus and/or make more
> money.  Perhaps so, but the Nmap Project has no plans to follow suit.
> Nmap has been GPL since its creation more than 8 years ago and I am
> happy with that license.
> 
> When asked why they are making this change, Renaud replied to the
> Nessus list today that open source hasn't really worked for Nessus
> because "virtually nobody has ever contributed anything to improve the
> scanning _engine_ over the last 6 years."  This may be the most
> important and useful point we can take from this change.  Open source
> really is a two-way street.  The only way we (open source projects)
> can seriously compete with projects staffed by dozens or hundreds of
> paid full time developers is by having hundreds or thousands of
> volunteers each contributing a little bit part time.  So if you are a
> heavy user of open source software, please think about how you can
> help out.  Here are some ideas:
> 
> o If you are feeling ambitious, write and distribute your own little
>   program to solve a problem you are having or otherwise makes your
>   life easier.  It doesn't have to be anything big or fancy at first.
>   Nmap started out as a little 2,000-line utility published in Phrack
>   magazine.  Post your creation to Freshmeat, or to nmap-dev if it
>   relates to Nmap in some way.  Hmm, I think there is a current vacuum
>   in the open source vulnerability scanner field :).
> 
> o Or take a more active coding role for an existing open source
>   project.  In the Nmap world, former Google SoC students are
>   developing three promising projects: NmapGUI and UMIT are new GUIs
>   and results viewers for large Nmap scans, and Ncat is a powerful
>   reinterpretation of the venerable Netcat.  Working code for all
>   three of these is available if you join the Nmap-dev list
>   (http://cgi.insecure.org/mailman/listinfo/nmap-dev) and I'm sure the
>   respective authors (Ole Morten Grodaas, Adriano Monteiro, and Chris
>   Gibson) would appreciate help, feedback, and testing.
> 
> o Find a bug in some open source software?  Try to reproduce it with
>   the latest version of the software and do some web searching to see
>   if it is already known/fixed.  If not, report it with full details
>   about how to reproduce it and the platform and software version of
>   the software you are running.  It is even better if you can submit a
>   patch which fixes the problem.
> 
> o Join the relevant mailing lists for the project and help out new
>   users.  Maybe you can write or translate some documentation, such as a
>   tutorial for using the product or a HOWTO for using it to solve a
>   common need.
> 
> o The Nmap Project does not accept financial donations, but many other
>   projects do.  If some little project does exactly what you need and
>   saves you half a day of work or makes it into your regular-usage
>   arsenal of tools, consider kicking the author back $5 or $10.  Not
>   only will it help defray costs of the project, but it shows the author
>   that users really appreciate his/her work and thus makes a newer
>   version more likely.  Similarly, if you see an ad on the project
>   web site that interests you, click on it and spend a couple minutes
>   checking the product out.
> 
> o Spread the word!  Commercial software houses pay to spread the word
>   about their product in magazines, web sites, TV, conferences, etc.
>   Open source projects such as Nmap can't.  So if you find a project
>   useful, don't hesitate to post a link on your web page and  mention it
>   (including the URL) on mailing list, newsgroup, and web forum posts.
> 
> Those are a few ideas, and I'm sure you can think of more based on
> your experience, expertise, and available resources.  Rather than mope
> over the loss of open source Nessus, we can treat this as a call to
> action and a reminder not to take valuable open source software such
> as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux
> for granted.
> 
> Cheers,
> Fyodor
> 
> PS:  Here is the Nessus announcement:
> 
> ----- Forwarded message from Renaud Deraison <rderaison_at_tenablesecurity.com> -----
> 
> Date: Wed, 5 Oct 2005 12:16:45 -0400
> X-Mailer: Apple Mail (2.734)
> From: Renaud Deraison <rderaison_at_tenablesecurity.com>
> To: nessus_at_list.nessus.org, nessus-announce_at_list.nessus.org
> Cc: 
> Subject: [Nessus-announce] Nessus Roadmap / Nessus 3.0.0rc1 testers wanted
> 
> 
> 
> Hi everyone,
> 
> 
> We are a few weeks away from releasing Nessus 3.0.0, and I'd like to  
> take some time to explain our roadmap in this regard.
> 
> Nessus 3 / Nessus 2 Roadmap
> ----------------------------
> 
> 
> Nessus 3 is major enhancement of the key components of the Nessus  
> engine - the NASL3 intepreter has been rewritten from scratch, the  
> process management has changed to reduce the overhead of executing a  
> plugin (instead of creating NxM processes, nessusd now only creates N  
> processes), the way plugins are stored has been improved to reduce  
> disk usage, etc...
> 
> Nessus 3 also contains a lot of built-in features and checks to debug  
> crashes and mis-behaving plugins more easily, and to catch  
> inconsistencies early.
> 
> 
> As a result, Nessus 3 is much faster than Nessus 2 and less resource  
> intensive. Your mileage may vary, but when scanning a local network,  
> Nessus 3 is on average twice as fast as Nessus 2, with spikes going  
> as high as 5 times faster when scanning desktop windows systems.
> 
> 
> Nessus 3 will be available free of charge, including on the Windows  
> platform, but will not be released under the GPL.
> 
> Nessus 3 will be available for many platforms, but do understand that  
> we won't be able to support every distribution / operating system  
> available. I also understand that some free software advocates won't  
> want to use a binary-only Nessus 3. This is why Nessus 2 will  
> continue to be maintained and will stay under the GPL.
> 
> To make things simple :
> 
>  - Nessus 2 : GPL, will have regular releases containing bug fixes
>  - Nessus 3 : free of charge, contains major improvements
> 
> 
> The two versions can share most of their plugins -- we intend to  
> maintain backward compatibility whenever possible for most  
> vulnerability checks. Some checks will only work on Nessus 3 (ie: we  
> are about to release a set of plugins to determine policy  
> compliance), but the huge majority will work on either platform  
> likewise.
> 
> 
> Finally, the Nessus GUI has been split in a separate project  
> (NessusClient) which is released under the GPL. The 'nessus' client  
> in Nessus3 is CLI only, as it will be in Nessus 2.4.x. For a GUI, use  
> NessusClient.
> 
> 
> Testers needed
> ---------------
> 
> That being said, we are looking for experienced Nessus users who  
> would want to try Nessus 3.0.0rc1. For the sake of simplicity, we  
> would like users running on Red Hat ES3 or ES4 platforms or  
> compatible. We are looking for people scanning big networks, mostly  
> to collect performance information. Keep in mind that Nessus3 is CLI  
> only, so you'll have to use NessusWX or be familiar with the CLI.
> 
> 
> If you are interested in testing Nessus 3.0.0rc1, please drop me a  
> line at <deraison_at_nessus.org> (no @gmail/@hotmail/@anonymous accounts  
> please).
> 
> 
> Thanks,
> 
>                                     -- Renaud
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Nessus-announce mailing list
> Nessus-announce_at_list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus-announce
> 
> ----- End forwarded message -----
> 
> 
> _______________________________________________
> Sent through the nmap-hackers mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-hackers
> 
> 
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Oct 06 2005
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos