Fyodor <[email protected]>
Sent by: [email protected]

10/05/2005 04:43 PM

To: [email protected]
cc:
Subject: Nessus closes source => How to help open source projects





Nmap Hackers,

In the last Insecure.Org Security Tools survey, you guys proudly voted
Nessus #1.  It complements the functionality of Nmap by going further
to detect application-level vulnerabilities.  Then in February of this
year, Tenable changed the Nessus license to further restrict the
plugins and require that you fax them a permission request form before
you use Nessus for any consulting engagements.  Renaud wrote to this
list on Feb 8
(http://seclists.org/lists/nmap-hackers/2005/Jan-Mar/0001.html),
explaining that their new slogan ("the open-source vulnerability
scanner") was accurate because the engine was still open source.
Today, their slogan has changed to "the network vulnerability
scanner", and you can probably guess what that means.  In the
announcement below, Renaud announces that Nessus 3 (due in a couple
weeks) will be binary only and forbid redistribution.  They say it
will be free, for now, if you use the delayed plugin feed.  They have
also announced that Nessus 3 will be faster and contain various other
improvements.  They promise to maintain GPL Nessus 2 for a while, but
I wouldn't count on that lasting long.

I am not taking a position on this move, but I do feel it is worth
noting for the many Nessus users on this list.  Tenable argues that
this move is necessary to further improve Nessus and/or make more
money.  Perhaps so, but the Nmap Project has no plans to follow suit.
Nmap has been GPL since its creation more than 8 years ago and I am
happy with that license.

When asked why they are making this change, Renaud replied to the
Nessus list today that open source hasn't really worked for Nessus
because "virtually nobody has ever contributed anything to improve the
scanning _engine_ over the last 6 years."  This may be the most
important and useful point we can take from this change.  Open source
really is a two-way street.  The only way we (open source projects)
can seriously compete with projects staffed by dozens or hundreds of
paid full time developers is by having hundreds or thousands of
volunteers each contributing a little bit part time.  So if you are a
heavy user of open source software, please think about how you can
help out.  Here are some ideas:

o If you are feeling ambitious, write and distribute your own little
 program to solve a problem you are having or otherwise make your
 life easier.  It doesn't have to be anything big or fancy at first.
 Nmap started out as a little 2,000-line utility published in Phrack
 magazine.  Post your creation to Freshmeat, or to nmap-dev if it
 relates to Nmap in some way.  Hmm, I think there is a current vacuum
 in the open source vulnerability scanner field :).

o Or take a more active coding role for an existing open source
 project.  In the Nmap world, former Google SoC students are
 developing three promising projects: NmapGUI and UMIT are new GUIs
 and results viewers for large Nmap scans, and Ncat is a powerful
 reinterpretation of the venerable Netcat.  Working code for all
 three of these is available if you join the Nmap-dev list
 (http://cgi.insecure.org/mailman/listinfo/nmap-dev) and I'm sure the
 respective authors (Ole Morten Grodaas, Adriano Monteiro, and Chris
 Gibson) would appreciate help, feedback, and testing.

o Find a bug in some open source software?  Try to reproduce it with
 the latest version of the software and do some web searching to see
 if it is already known/fixed.  If not, report it with full details
 about how to reproduce it and the platform and software version of
 the software you are running.  It is even better if you can submit a
 patch which fixes the problem.

o Join the relevant mailing lists for the project and help out new
 users.  Maybe you can write or translate some documentation, such as a
 tutorial for using the product or a HOWTO for using it to solve a
 common need.

o The Nmap Project does not accept financial donations, but many other
 projects do.  If some little project does exactly what you need and
 saves you half a day of work or makes it into your regular-usage
 arsenal of tools, consider kicking the author back $5 or $10.  Not
 only will it help defray costs of the project, but it shows the author
 that users really appreciate his/her work and thus makes a newer
 version more likely.  Similarly, if you see an ad on the project
 web site that interests you, click on it and spend a couple minutes
 checking the product out.

o Spread the word!  Commercial software houses pay to spread the word
 about their product in magazines, web sites, TV, conferences, etc.
 Open source projects such as Nmap can't.  So if you find a project
 useful, don't hesitate to post a link on your web page and mention it
 (including the URL) on mailing list, newsgroup, and web forum posts.

Those are a few ideas, and I'm sure you can think of more based on
your experience, expertise, and available resources.  Rather than mope
over the loss of open source Nessus, we can treat this as a call to
action and a reminder not to take valuable open source software such
as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux
for granted.

Cheers,
Fyodor

PS:  Here is the Nessus announcement:

----- Forwarded message from Renaud Deraison <[email protected]> -----

Date: Wed, 5 Oct 2005 12:16:45 -0400
X-Mailer: Apple Mail (2.734)
From: Renaud Deraison <[email protected]>
To: [email protected], [email protected]
Cc:
Subject: [Nessus-announce] Nessus Roadmap / Nessus 3.0.0rc1 testers wanted



Hi everyone,


We are a few weeks away from releasing Nessus 3.0.0, and I'd like to  
take some time to explain our roadmap in this regard.

Nessus 3 / Nessus 2 Roadmap
----------------------------


Nessus 3 is a major enhancement of the key components of the Nessus
engine - the NASL3 interpreter has been rewritten from scratch, the
process management has changed to reduce the overhead of executing a  
plugin (instead of creating NxM processes, nessusd now only creates N  
processes), the way plugins are stored has been improved to reduce  
disk usage, etc...

Nessus 3 also contains a lot of built-in features and checks to debug  
crashes and mis-behaving plugins more easily, and to catch  
inconsistencies early.


As a result, Nessus 3 is much faster than Nessus 2 and less resource  
intensive. Your mileage may vary, but when scanning a local network,  
Nessus 3 is on average twice as fast as Nessus 2, with spikes going  
as high as 5 times faster when scanning desktop Windows systems.


Nessus 3 will be available free of charge, including on the Windows  
platform, but will not be released under the GPL.

Nessus 3 will be available for many platforms, but do understand that  
we won't be able to support every distribution / operating system  
available. I also understand that some free software advocates won't  
want to use a binary-only Nessus 3. This is why Nessus 2 will  
continue to be maintained and will stay under the GPL.

To make things simple :

- Nessus 2 : GPL, will have regular releases containing bug fixes
- Nessus 3 : free of charge, contains major improvements


The two versions can share most of their plugins -- we intend to  
maintain backward compatibility whenever possible for most  
vulnerability checks. Some checks will only work on Nessus 3 (ie: we  
are about to release a set of plugins to determine policy  
compliance), but the huge majority will work on either platform  
likewise.


Finally, the Nessus GUI has been split in a separate project  
(NessusClient) which is released under the GPL. The 'nessus' client  
in Nessus3 is CLI only, as it will be in Nessus 2.4.x. For a GUI, use  
NessusClient.


Testers needed
---------------

That being said, we are looking for experienced Nessus users who  
would want to try Nessus 3.0.0rc1. For the sake of simplicity, we  
would like users running on Red Hat ES3 or ES4 platforms or  
compatible. We are looking for people scanning big networks, mostly  
to collect performance information. Keep in mind that Nessus3 is CLI  
only, so you'll have to use NessusWX or be familiar with the CLI.


If you are interested in testing Nessus 3.0.0rc1, please drop me a  
line at <[email protected]> (no @gmail/@hotmail/@anonymous accounts  
please).


Thanks,

                                   -- Renaud







_______________________________________________
Nessus-announce mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus-announce

----- End forwarded message -----


_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers

