Re: [Dailydave] interesting..
From: H D Moore (hdm-daily-dave at digitaloffense.net)
Date: Thu Oct 13 2005 - 23:12:06 CDT
On Thursday 13 October 2005 22:11, Arun Koshy wrote:
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/037923.html
>
> Did anyone read this ?
Yup, it is way off on a few points. A couple specific ones:
>What the "cathedral" document missed, was that people can change their
>minds. If the community develops something it should belong to the
>community but it doesn't. It belongs to the project lead person.
People can change their minds, but OSS licenses can rarely be revoked. The
Nessus license change was in the works for *years* and it rarely
dissuaded people from contributing. The take-home message is don't put
sweat into someone else's project unless you understand their licensing.
Most people contribute to OSS projects to scratch an itch - some do it for
fun, many for experience, but most of them do it because they don't want
to maintain their own patch tree. "Sharing my work with others to make
the internet a better place" is a nice side benefit, but rarely the real
reason behind OSS development.
>Let this be a warning to the community. If enough OSS projects become
>closed, people will stop contributing. Result: end of OSS.
That won't happen as long as OSS development is an easy path to name
recognition and programming experience. Some OSS projects will always
close - but that's the whole point of OSS - you can fork them, take over
maintenance, and cannibalize their code for your own project.
>For
>example, who didn't see through that recent post on FD about a 'contest'
>that ends up with everybody's work being in an online ezine with ads
>and such.
If you spent 5 minutes looking at the zine's web page
(www.uninformed.org), you might notice a conspicuous lack of
advertisements... or commercial material in any form. The only reason
winning results would be published in Uninformed at all is to give better
visibility to the work and more credit to the author.
>The digital community has become leery already of
>"new projects" that are thinly veiled attempts to get a new commercial
>venture off the ground.
With good reason - but that's why licensing matters. Who cares if the
project goes commercial as long as you have access to the source code.
When you download an OSS package, you aren't getting free upgrade
services for life, you are gambling that there are enough people
interested in the project to maintain it for you. Sometimes that doesn't
happen and you have to get off your ass and code.
>To anyone thinking of starting an OSS project: If you think you have a
>chance to make big bucks off your new idea, don't put it out as open
>source.
My own advice: if you have a great new idea, start an OSS project, maybe
you can make big bucks from it. The money doesn't come in from selling
the code, or selling the idea, it comes from selling yourself. Literally.
If your idea is cool enough and your code actually works, people might
actually use it. The more people that use it, the more important that
code becomes. Since you are the de facto authority on that code, you can
sell support services, training, or just use the experience to get a
better day job.
Nessus wasn't some hot new idea that nobody had thought of before - nor
was it the best scanner available at many times - what made it popular
was that it was free and people were cheap. Consultants used it when they
couldn't afford other solutions, MSSPs used it when they didn't have the
in-house resources to do it themselves. All these commercial uses drove
its development - it wasn't some hippy daisy chain of free love that
pushed for features like XML reporting. Nessus got better as more
businesses depended on it.
When Tenable was formed, they became a direct competitor of all the
companies leeching off the Nessus code. Once again, business reasons
drove development, in this case away from open source. Renaud put in
years of his life on the Nessus project - most of the third-party
contributions still had to go through him before they could be integrated
into the project. The quality of submitted plugins was never stellar,
although there were some contributors who did better than the rest. Not
surprisingly, most of those contributors now work at Tenable. These days,
the commercial plugin tree is kicking some serious ass, both on quality
and innovation. There are still dozens of companies out there using the
commercial tree under conditions that violate the commercial license.
These companies have the nerve to sandbag Tenable in their marketing
materials while still leeching off the Tenable plugin tree.
>The OSS community deals with closed source as a malfunction
>to be worked around. And work around it we shall.
You go girl.
>Nessus was looking a little long in the tooth anyway. The old layer 2-4
>attacks are passe.
Compared to what? Do you have any idea what goes into writing a
vulnerability assessment system? Is there some magic security solution
that detects all of those "old layer 2-4" issues that people are still
actively exploiting?
>Nessus is so widely used that a pen tester who uses it will
>get stopped instantly. Every IDS and firewall knows about nessus and
>views the traffic as "unauthorized recon".
Awesome. Any IDS worth their price should be able to block public attack
tools. If a pen-tester is stupid enough to use a public VA tool against
an IPS'd network, they deserve what they get. It's not like there is any
other tool out there (commercial or otherwise), that can provide a
thorough assessment without tripping even the stupidest IDS.
>I have our IDS set to shun (at the firewall) any source address that
>shows packets that I can clearly identify as nessus or nikto traffic.
Go you. Now that you feel all safe and secure, I guess you can sleep well
at night while someone pops all of your client workstations via an IE
bug. Oh wait, that's something you could have used Nessus to check for.
>I know I am opening myself up to a possible DOS by rogue machines sending
>fake nessus packets, but I can deal with that.
Spamming out security-by-obscurity techniques to a mailing list doesn't
help your risk index much either...
>The fact is that for the last three years, nessus dev has not been
>'accepting' of input from the community. Some of us cannot write a
>nessus plug-in
Check your facts, hell, use a search engine and read the Nessus mailing
list archives. All of the major external contributors were kept in the
loop on both the plugin feed license change and the recent switch to
closed source.
>Some of us cannot write a nessus plug-in, but we are
>willing to submit packet traces and participate in a discussion about
>the exploit in question. That is also support.
Consider it payment for using someone else's software without having to
send them money. Besides, you submit these "traces" to make the tool
better.. better to use on your own network.
-HD
</aggravatedRant>
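The shun-on-signature rule the quoted poster describes, and the forged-signature denial of service they acknowledge, as an added example (not code from this thread, from HD Moore, or from the Nessus or Nikto projects). The access-log lines are constructed; the Nikto regex follows the shape of Nikto's default User-Agent, while the bare "Nessus" User-Agent string, the addresses and the "authorized scanner" role of 10.0.0.5 are assumptions for illustration only.

```python
import re
from collections import Counter

# Constructed access-log lines in Apache combined format (not from the thread).
# The Nikto lines use the shape of Nikto's default User-Agent; the bare
# "Nessus" User-Agent is an assumed marker for illustration, not a verified
# Nessus signature. 10.0.0.5 plays the role of an in-house authorized scanner.
ACCESS_LOG = """\
203.0.113.7 - - [13/Oct/2005:22:11:00 -0500] "GET /cgi-bin/test.cgi HTTP/1.0" 404 - "-" "Mozilla/5.00 (Nikto/1.35) (Evasions:None) (Test:000001)"
203.0.113.7 - - [13/Oct/2005:22:11:01 -0500] "GET /admin/ HTTP/1.0" 404 - "-" "Mozilla/5.00 (Nikto/1.35) (Evasions:None) (Test:000002)"
198.51.100.9 - - [13/Oct/2005:22:12:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.44 - - [13/Oct/2005:22:13:00 -0500] "GET / HTTP/1.0" 200 512 "-" "Nessus"
10.0.0.5 - - [13/Oct/2005:22:14:00 -0500] "GET /scripts/ HTTP/1.0" 404 - "-" "Mozilla/5.00 (Nikto/1.35) (Evasions:None) (Test:000003)"
"""

# A constructed line carrying the Nikto marker but a source address that an
# attacker wants blocked (here, a hypothetical upstream gateway).  This is the
# "fake nessus packets" DoS the poster acknowledges: the signature is trivial
# to forge, so a shun rule blocks whatever source the forger can present.
FORGED_LINE = (
    '198.51.100.1 - - [13/Oct/2005:22:15:00 -0500] "GET / HTTP/1.0" 200 512 '
    '"-" "Mozilla/5.00 (Nikto/1.35) (Evasions:None) (Test:000004)"\n'
)

SCANNER_SIGNATURES = {
    "nikto": re.compile(r"\(Nikto/[\d.]+\)"),
    "nessus": re.compile(r"\bNessus\b"),  # assumed marker, see above
}

# Apache combined log format: src ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return (source_ip, scanner_name) if the User-Agent matches a known
    scanner signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, sig in SCANNER_SIGNATURES.items():
        if sig.search(m["ua"]):
            return m["src"], name
    return None


def shun_list(log, authorized=frozenset(), threshold=1):
    """Sources to shun at the firewall: addresses that triggered a scanner
    signature at least `threshold` times and are not on the authorized list.
    The defaults reproduce the naive rule from the thread (shun on first hit,
    no allowlist)."""
    hits = Counter()
    for line in log.splitlines():
        found = classify(line)
        if found and found[0] not in authorized:
            hits[found[0]] += 1
    return sorted(src for src, n in hits.items() if n >= threshold)


def naive_shun():
    # Shun on first sight: the forged line gets the gateway blocked too.
    return shun_list(ACCESS_LOG + FORGED_LINE)


def guarded_shun():
    # Never shun the in-house scanner or infrastructure addresses, and require
    # repeated hits before acting, so a single forged request cannot cut off
    # an address the business depends on.
    never_shun = frozenset({"10.0.0.5", "198.51.100.1"})
    return shun_list(ACCESS_LOG + FORGED_LINE, authorized=never_shun, threshold=2)


if __name__ == "__main__":
    print("naive:  ", naive_shun())
    print("guarded:", guarded_shun())
```

The naive rule shuns four addresses, including the in-house scanner and the forged gateway address; the guarded rule shuns only the source that repeatedly triggered the signature. Neither version changes the point HD makes: a User-Agent match tells you a public tool was pointed at you, not that the finding it would have reported is absent.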