Dailydave mailing list archives
Re: interesting..
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 13 Oct 2005 23:12:06 -0500
On Thursday 13 October 2005 22:11, Arun Koshy wrote:
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/037923.html
> Did anyone read this?
Yup, it is way off on a few points. A couple specific ones:
> What the "cathedral" document missed, was that people can change their minds. If the community develops something it should belong to the community but it doesn't. It belongs to the project lead person.
People can change their minds, but OSS licenses can rarely be revoked. The Nessus license change was in the works for *years* and it rarely dissuaded people from contributing. The take-home message is don't put sweat into someone else's project unless you understand their licensing. Most people contribute to OSS projects to scratch an itch - some do it for fun, many for experience, but most of them do it because they don't want to maintain their own patch tree. "Sharing my work with others to make the internet a better place" is a nice side benefit, but rarely the real reason behind OSS development.
> Let this be a warning to the community. If enough OSS projects become closed, people will stop contributing. Result: end of OSS.
That won't happen as long as OSS development is an easy path to name recognition and programming experience. Some OSS projects will always close - but that's the whole point of OSS - you can fork them, take over maintenance, and cannibalize their code for your own project.
> For example, who didn't see through that recent post on FD about a 'contest' that ends up with everybody's work being in an online ezine with ads and such.
If you spent 5 minutes looking at the zine's web page (www.uninformed.org), you might notice a conspicuous lack of advertisements... or commercial material in any form. The only reason winning results would be published in Uninformed at all is to give better visibility to the work and more credit to the author.
> The digital community has become leery already of "new projects" that are thinly veiled attempts to get a new commercial venture off the ground.
With good reason - but that's why licensing matters. Who cares if the project goes commercial as long as you have access to the source code? When you download an OSS package, you aren't getting free upgrade services for life, you are gambling that there are enough people interested in the project to maintain it for you. Sometimes that doesn't happen and you have to get off your ass and code.
> To anyone thinking of starting an OSS project: If you think you have a chance to make big bucks off your new idea, don't put it out as open source.
My own advice: if you have a great new idea, start an OSS project, maybe you can make big bucks from it. The money doesn't come in from selling the code, or selling the idea, it comes from selling yourself. Literally. If your idea is cool enough and your code actually works, people might actually use it. The more people that use it, the more important that code becomes. Since you are the de facto authority on that code, you can sell support services, training, or just use the experience to get a better day job. Nessus wasn't some hot new idea that nobody had thought of before - nor was it the best scanner available at many times - what made it popular was that it was free and people were cheap. Consultants used it when they couldn't afford other solutions, MSSPs used it when they didn't have the in-house resources to do it themselves. All these commercial uses drove its development - it wasn't some hippy daisy chain of free love that pushed for features like XML reporting. Nessus got better as more businesses depended on it. When Tenable was formed, they became a direct competitor of all the companies leeching off the Nessus code. Once again, business reasons drove development, in this case away from open source. Renaud put in years of his life on the Nessus project - most of the third-party contributions still had to go through him before they could be integrated into the project. The quality of submitted plugins was never stellar, although there were some contributors who did better than the rest. Not surprisingly, most of those contributors now work at Tenable. These days, the commercial plugin tree is kicking some serious ass, both on quality and innovation. There are still dozens of companies out there using the commercial tree under conditions that violate the commercial license. These companies have the nerve to sandbag Tenable in their marketing materials while still leeching off the Tenable plugin tree.
> The OSS community deals with closed source as a malfunction to be worked around. And work around it we shall.
You go girl.
> Nessus was looking a little long in the tooth anyway. The old layer 2-4 attacks are passe.
Compared to what? Do you have any idea what goes into writing a vulnerability assessment system? Is there some magic security solution that detects all of those "old layer 2-4" issues that people are still actively exploiting?
> Nessus is so widely used that a pen tester who uses it will get stopped instantly. Every IDS and firewall knows about nessus and views the traffic as "unauthorized recon".
Awesome. Any IDS worth its price should be able to block public attack tools. If a pen-tester is stupid enough to use a public VA tool against an IPS'd network, they deserve what they get. It's not like there is any other tool out there (commercial or otherwise) that can provide a thorough assessment without tripping even the stupidest IDS.
> I have our IDS set to shun (at the firewall) any source address that shows packets that I can clearly identify as nessus or nikto traffic.
Go you. Now that you feel all safe and secure, I guess you can sleep well at night while someone pops all of your client workstations via an IE bug. Oh wait, that's something you could have used Nessus to check for.
> I know I am opening myself up to a possible DOS by rogue machines sending fake nessus packets, but I can deal with that.
Spamming out security-by-obscurity techniques to a mailing list doesn't help your risk index much either...
> The fact is that for the last three years, nessus dev has not been 'accepting' of input from the community. Some of us cannot write a nessus plug-in
Check your facts, hell, use a search engine and read the Nessus mailing list archives. All of the major external contributors were kept in the loop on both the plugin feed license change and the recent switch to closed source.
> Some of us cannot write a nessus plug-in, but we are willing to submit packet traces and participate in a discussion about the exploit in question. That is also support.
Consider it payment for using someone else's software without having to send them money. Besides, you submit these "traces" to make the tool better.. better to use on your own network. -HD </aggravatedRant>
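The "shun the source at the firewall on a Nessus/Nikto signature" policy and the spoofed-packet denial of service that the poster says he accepts are worth seeing concretely. The following is an added example written for this archive page; it is not code from either poster, from Nessus or from any IDS. It models the auto-shun rule with a toy inspector, replays a constructed packet sequence in which an off-path attacker forges a scanner signature with the upstream DNS server's address as the source, and shows the legitimate DNS reply getting dropped. Every address, payload and signature string is constructed for illustration and is not a real Nessus or Nikto fingerprint; the `require_established` knob is an assumed mitigation (only shun on flows that completed a TCP handshake, which an off-path spoofer cannot do).

```python
"""Added example, not part of the original thread: a toy model of the
'shun the source address at the firewall when traffic matches a Nessus or
Nikto signature' policy, and of the spoofed-source denial of service it
invites. Addresses, payloads and signature strings are constructed for
illustration and are not real scanner fingerprints."""
from dataclasses import dataclass, field

# Constructed strings standing in for an IDS's scanner-detection rules.
SCANNER_SIGNATURES = (b"Nessus", b"Nikto")


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    established: bool = False  # True if it belongs to a completed TCP handshake


@dataclass
class ShunningFirewall:
    """Auto-block policy: any source whose payload matches a scanner
    signature is added to the shun list and dropped from then on."""
    require_established: bool = False    # assumed mitigation: only shun on
                                         # handshake-backed flows
    never_shun: frozenset = frozenset()  # infrastructure that must stay reachable
    shunned: set = field(default_factory=set)

    def inspect(self, pkt: Packet) -> bool:
        """Return True if the packet is dropped."""
        if pkt.src in self.shunned:
            return True
        if any(sig in pkt.payload for sig in SCANNER_SIGNATURES):
            spoofable = not pkt.established  # no handshake: source is unverified
            if (pkt.src not in self.never_shun
                    and not (self.require_established and spoofable)):
                self.shunned.add(pkt.src)
            return True  # the matching packet itself is always dropped
        return False


def simulate(require_established: bool) -> dict:
    """Replay a constructed sequence: a genuine scan over an established TCP
    session, then a single forged packet carrying a scanner signature with the
    upstream DNS server's address as source, then a real DNS reply from that
    server. Returns what the policy did to each party."""
    fw = ShunningFirewall(require_established=require_established)
    dns = "198.51.100.53"      # constructed upstream resolver address
    attacker = "203.0.113.9"   # constructed scanner host
    victim = "192.0.2.10"      # constructed protected host
    trace = [
        Packet(attacker, victim,
               b"GET / HTTP/1.1\r\nUser-Agent: Nessus\r\n\r\n", established=True),
        # Off-path forgery: one raw packet, no handshake, forged source address.
        Packet(dns, victim, b"Nikto probe", established=False),
        # The resolver's real answer to an earlier query from the victim.
        Packet(dns, victim, b"\x12\x34\x81\x80 dns answer", established=False),
    ]
    dropped = [fw.inspect(p) for p in trace]
    return {
        "scanner_shunned": attacker in fw.shunned,
        "dns_server_shunned": dns in fw.shunned,
        "dns_reply_dropped": dropped[2],
    }


if __name__ == "__main__":
    print("naive shun:      ", simulate(require_established=False))
    print("established only:", simulate(require_established=True))
```

With the naive policy the forged packet gets the resolver shunned and its real reply is dropped; the attacker never had to reach the target with its own address. Requiring a completed handshake before shunning removes the off-path forgery, but it still lets anyone who can open a TCP connection from an address they control get that address blocked, and it does nothing for UDP-based probes, which is why alerting rather than inline blocking on scanner signatures is the usual compromise.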
Current thread:
- interesting.. Arun Koshy (Oct 13)
- Re: interesting.. H D Moore (Oct 13)