RE: Tenable's license changes (and why the license changed)

Subject: RE: Tenable's license changes (and why the license changed)
Date: Sat, 22 Jan 2005 22:55:20 -0800


I am sure we all agree that Renaud, Nessus and Tenable are an important
asset, and the work they do is nothing less than remarkable.

Paying a subscription of $1200 per year is not an issue in most cases,
though this pricing model should probably be expanded to support a wider
market; but this can be done at any time in the future.

The question is still whether the restrictions placed on the subscription license
will incite competitors of Tenable to branch out and create alternate plugin
sources. Some of the well-funded organizations which rely on Nessus include
Symantec, Foundstone, nCircle and various branches of the US government (and
other governments as well).

For Tenable to force competition in the security market when Tenable should
be cornering this market creates a serious risk for the future of Nessus and
Tenable. This should be avoided at any cost.

Robert

-----Original Message-----
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Matt Jonkman
Sent: Saturday, January 22, 2005 12:44 PM
To: Renaud Deraison
Cc: nessus@list.nessus.org
Subject: Re: Tenable's license changes (and why the license changed)


I don't want to start a flame war or make this thread last any longer than
it must. But I feel it's necessary to voice support for Renaud, the
nessus team and Tenable. Without this group of experts and the company
that's making them enough of a living to keep their focus on this, we'd
not have any kind of open vulnerability scanner for the community with
the features, stability, and capabilities of nessus. You'd be stuck
paying a whole lot of money to have even basic vuln scanning abilities.

I wholeheartedly applaud Renaud and crew's efforts, and this change in
licensing. I believe they are fully 'legal' and very much acting in all
of our best interests.

If it's enough of an issue for you to avoid the 7 day delay then I'd
guess you're making a living at least in part by using this tool. If
you're not making more than $1200/year then you might have some room to
complain. (and you should probably consider another line of work :) ).
If you are making more than that then it shouldn't be an issue to
contribute. But that's only if you have issue with the 7 day thing.
Otherwise it's still a free tool.

I understand people have suspicions when a change of this magnitude
takes place, and without a portion of the community out there playing
devil's advocate there would be folks that would take advantage. This
conversation is a very good one to have, I hope it stays professional. I
don't think there's a person here that can take up a personal gripe with
Renaud. Over the years I've sent him many a stupid question and he's
answered every one in kind, and written code to solve my problems. And
to date Renaud hasn't made a single penny from me, while I've made a
good portion of my living using his tools. I fully intend to put in my
1200 bucks in my next budget cycle, and I hope those of you that make a
living doing so will consider doing so as well. It'll only result in
more plugins, more features, faster response, and more stability.

Thank you Renaud for the years of effort. I hope it turns into something
that'll give you a comfortable retirement one day. :)

Matt

Renaud Deraison wrote:

Hi Robert (and list),

Ron replied to most of your questions, but I'll add my grain of salt to
a few items, because I think there is a strong misunderstanding between
what we're trying to do and what some users (like you) seem to perceive.


On Fri, Jan 21, 2005 at 04:28:44PM -0800, Robert Keith wrote:

- Tenable granting themselves a special right to write non-GPL plugins
sounds legally questionable. If it is in fact legal, it still should
have been made very clear to all Nessus users when they started this
practice at the beginning of Tenable. This should also be clear when Nessus
is downloaded and installed. It is frightening to think that authors of GPL
programs can secretly grant themselves rights to create non-GPL modules and
then surprise the community demanding payment after everyone has unknowingly
become dependent on the modules.

So by your reasoning, if I write software and give it away for free to
the community under certain conditions, I (the author of the software)
have to obey the exact same conditions regarding the use I want to make
of my own software developed by myself.

Interestingly, even gnu.org says that an author can dual-license his own
work
- please see http://www.gnu.org/copyleft/gpl-faq.html#HeardOtherLicense
- meaning that an author does _not_ have to abide by the rules he set for
the software he writes.

If a third party wants to write non-GPL plugins, they have to ask the
copyright owner for permission, because otherwise they would be in
violation of the GPL, that's as simple as that. We granted ourselves the
authorization to distribute non-GPL plugins. End of story.

Regarding the demand of payment (or 'ransom' as you should have called
it), your statement is incorrect - plugins are GIVEN AWAY FOR FREE.

The main differences between _now_ and a pure GPL feed are :

(a) There is a delay between the time we write the plugins and the
time you get them FOR FREE ;

(b) You have to respect some conditions regarding the use of the
plugins. For instance, you can not put them in a shiny appliance you
want to resell ;

(c) The upside of this is that now that there are commercial customers
out there, you (as a free user) have the _guarantee_ that plugins will be
written and released in about 7 days for every new flaw. The reason is
simple : while we do not have SLAs in place for commercial customers
(it's not doable to commit to a timely delivery for any flaw which may
be disclosed in the future), we are committed to give the best possible
response time regarding plugin-writing, and that's what we've been
doing so far.
If we decide to not write a plugin for a given flaw, we have an internal
database explaining why, so our support team can explain to customers
why there's no check for a given flaw.

Also, most of the money made from the plugin feed goes back into research and
QA directly, which in turn makes us distribute better plugins.

So in a way, this new policy *benefits* everyone :

- You now have a seven days nearly-guaranteed delivery time of high quality,
whereas in the past you had no guarantee AT ALL that we'd write plugins on
a given flaw, and if the plugins had been written under the GPL there
would be no guarantee that they work at all ;

- We now have a very formal process to write plugins and we keep track of
the plugins which are written and the ones which won't be because
customers have the right to ask for an explanation of what goes in and
what does not ;

- 7 days is still a very good time compared to other scanners out there ;

- Tenable's claim that they can pick between GPL and their own plugins when
a collision occurs, is a clear conflict of interest.

So far, we only had one collision (a script submitted by Noam Rathaus
for a bug in a modest CGI script had already been written).

At the same time, there are a lot of things behind the scenes that you do not
see :

- We QA and fix every plugin we receive under the GPL. For example,
this week David Maciejak submitted a plugin for 'awstats', and the plugin
he sent me was non-functional (the test was wrong) [I don't mean to pick
on David, I'm happy with most of his plugins]
I spent time testing and fixing the plugin so that it worked properly,
and I released it under the GPL _anyway_ (an evil me could have
rejected the plugin on the grounds it was incorrect, and rewritten a
functional version from scratch) ;

- We _maintain_ every GPL plugin we receive. We receive bug reports and
fix the plugins. We improve the plugins. We keep them up-to-date if
they need to be ;

- We _keep_ the GPL status even when we end up re-writing them. For
instance, Nicolas re-wrote a bunch of Anti-Virus plugins from scratch
last week (because they had become too hard to read and did not fit with
the new versions of Norton and McAfee AV). Every plugin _rewritten from
scratch_ has been released under the GPL, with NO delay.
In the same vein, a few months ago I re-did nearly all the smb_nt_* plugins
with the new smb_hotfix.inc API, and I left the copyright to the
original authors of the plugins ;


That being said, there is one thing I'd like to point out : we did NOT
change the way the plugins are being released in order to hurt users or
to make piles of money. And it's not a "ransom" either - plugins are
available for free.


We changed the plugins license because there is an imbalance between
what we contribute compared to the rest of the community. Basically,
Tenable (and myself, that's the same thing) contributes a _huge_ chunk
of the plugins. Like 70% of them.  (and don't get me started on the
Nessus _engine_).

If you define Tenable, Michel Arboi, David Maciejak, George Theall and
Noam Rathaus as a single group, you're talking about over 95% of the
plugins. That goes against the perception that "open-source" is a
million little elves coding for free all the time, does it not?

At the same time, I'll let you count the number of companies out there who
resell Nessus with a nice web interface on top of it. They are much more
numerous than the full list of plugins contributors !

So if people take the license change of the feed as a good incentive to
_write_ good quality plugins(1) and submit them to us, then that's cool.
If that prevents these companies from reselling Nessus because they have
few plugins for it, that's cool too.

We're fed up with doing most of the work and letting many companies not only profit
from our efforts, but also actively fight against us (or me personally
as it happened in the past).
I'm fed up of seeing companies bill their customers for "plugin updates" for a
much higher price than $1,200 per year, when all they do simply is mirror
www.nessus.org/nasl/all-2.0.tar.gz and resell it to their users (without any QA
on them by the way, I have a funny anecdote about that). And I'm fed up of
seeing all these companies take _my_ work, rebrand it, and claim it as
being their own technology.

For Christ's sake, go to <http://www.predatorwatch.com/Public.ppt>, go to
page 20 and compare the output of their sample plugin with webdist.cgi
(plugin#10299) - it seems that someone out there mastered the
almighty 'sed s/Nessus/PredatorWatch/g' command.

Or go to <http://www.securityspace.com/smysecure/last30.html> and see
how their ambiguous wording makes the average user think that SecuritySpace
actually wrote the checks themselves.

Or go to <http://www.stillsecure.com/products/vam/> and once again, see
how their ambiguous wording makes the average user think _they_ are
writing new checks and wrote their own vulnerability scanner.

Or there is a company out there which - during their training classes -
explains to their prospects that they fix the Nessus source code,
because I'm a very naughty person and could insert backdoors and malware
in my code (and they are careful enough to only say it verbally, which
is why I don't mention their name in public).


And this is the tip of the iceberg.


So now, having seen a slightly larger part of the picture, please, oh
please, give me your magical recipe to continue improving Nessus and
writing better plugins while :

- not helping these guys as much as a full GPL feed would ;
- avoiding hurting most of the Nessus users ;
- making sure this development makes sense for us commercially ;


From a business perspective, we could have done things which are much
uglier than publishing plugins under a non-GPL license - believe me -
but we may have overlooked some items - so feel free to let me know what
your ideas would be.

- Tenable's claim that they are distributing plugins for free is not
correct. They are forcing people to agree to a very restrictive non-GPL
contract. Giving up rights is not free.

You're absolutely correct in your last statement : giving up rights is
not free. The thing is that when people talk about a copyRIGHT, it's
because in most countries, there is a _right_ regarding the use,
distribution and copying of intellectual works, and the GPL actually
_gives up_ some of these rights. So yes, releasing programs under the
GPL has a cost for us.

That being said, Tenable plugins are available for FREE, as in free
beer. I know the English language is a bit limited in that area, but if
we ever do a French version of the Nessus web site, rest assured that
we'll say the plugins are available "gratuitement".

[...]

- New plugins should be GPL. I think that most users would pay a fair price
to get the latest tested plugins. I think if users feel that they are being
charged a fair price for a great product they will pay. Tenable can still
hold new plugins for 7 days, which would be a major value to corporate
Nessus users.

You do not seem to understand what the GPL is. If that were the case,
then anyone could subscribe to the plugin feed for $1,200 per year, and
give it away to the rest of the community for free. And that does not address
the problems mentioned above.


                              -- Renaud


(1) If you set up a cronjob to send us a non-working plugin every time a new
BID surfaces, then we'll have to reject your plugins.
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus



--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
