RE: Tenable's license changes (and why the license changed)




I am sure we all agree that Renaud, Nessus and Tenable are an important
asset, and the work they do is nothing less than remarkable.

Paying a subscription for $1200 per year is not an issue in most cases,
though this pricing model should probably be expanded to support a wider
market, but this can be done at any time in the future.

The question is still whether the restrictions placed on the subscription
license will incite competitors of Tenable to branch out and create
alternate plugin sources.  Some of the well funded organizations which rely
on Nessus include Symantec, Foundstone, nCircle and various branches of the
US government (and other governments as well).

For Tenable to force competition in the security market when Tenable should
be cornering this market creates a serious risk for the future of Nessus and
Tenable.  This should be avoided at any cost.

Robert

-----Original Message-----
From: nessus-bounces_at_list.nessus.org
[mailto:nessus-bounces_at_list.nessus.org]On Behalf Of Matt Jonkman
Sent: Saturday, January 22, 2005 12:44 PM
To: Renaud Deraison
Cc: nessus_at_list.nessus.org
Subject: Re: Tenable's license changes (and why the license changed)


I don't want to start a flame war or make this thread last any longer than
it must. But I feel it's necessary to voice support for Renaud, the
nessus team and Tenable. Without this group of experts and the company
that's making them enough of a living to keep their focus on this, we'd
not have any kind of open vulnerability scanner for the community with
the features, stability, and capabilities of nessus. You'd be stuck
paying a whole lot of money to have even basic vuln scanning abilities.

I wholeheartedly applaud Renaud and crew's efforts, and this change in
licensing. I believe they are fully 'legal' and very much acting in all
of our best interests.

If it's enough of an issue for you to avoid the 7 day delay then I'd
guess you're making a living at least in part by using this tool. If
you're not making more than $1200/year then you might have some room to
complain. (and you should probably consider another line of work :) ).
If you are making more than that then it shouldn't be an issue to
contribute. But that's only if you have issue with the 7 day thing.
Otherwise it's still a free tool.

I understand people have suspicions when a change of this magnitude
takes place, and without a portion of the community out there playing
devil's advocate there would be folks that would take advantage. This
conversation is a very good one to have, I hope it stays professional. I
don't think there's a person here that can take up a personal gripe with
Renaud. Over the years I've sent him many a stupid question and he's
answered every one in kind, and written code to solve my problems. And
to date Renaud hasn't made a single penny from me, while I've made a
good portion of my living using his tools. I fully intend to put in my
1200 bucks in my next budget cycle, and I hope those of you that make a
living doing so will consider doing so as well. It'll only result in
more plugins, more features, faster response, and more stability.

Thank you Renaud for the years of effort. I hope it turns into something
that'll give you a comfortable retirement one day. :)

Matt

Renaud Deraison wrote:

>Hi Robert (and list),
>
>Ron replied to most of your questions, but I'll add my grain of salt to
>a few items, because I think there is a strong misunderstanding between
>what we're trying to do and what some users (like you) seem to perceive.
>
>
>On Fri, Jan 21, 2005 at 04:28:44PM -0800, Robert Keith wrote:
>
>
>
>>- Tenable granting themselves a special right to write non-GPL plugins
>>sounds legally questionable.  If it is in fact legal, it still should
>>have been made very clear to all Nessus users when they started this
>>practice at the beginning of Tenable. This should also be clear when
>>Nessus is downloaded and installed.  It is frightening to think that
>>authors of GPL programs can secretly grant themselves rights to create
>>non-GPL modules and then surprise the community demanding payment after
>>everyone has unknowingly become dependent on the modules.
>>
>>
>
>So by your reasoning, if I write a piece of software and give it away for free to
>the community under certain conditions, I (the author of the software)
>have to obey the exact same conditions regarding the use I want to make
>of my own software developed by myself.
>
>Interestingly, even gnu.org says that an author can dual-license his own
>work - please see http://www.gnu.org/copyleft/gpl-faq.html#HeardOtherLicense
>- meaning that an author does _not_ have to abide by the rules he set for
>the software he writes.
>
>If a third party wants to write non-GPL plugins, they have to ask the
>copyright owner for permission, because otherwise they would be in
>violation of the GPL, that's as simple as that. We granted ourselves the
>authorization to distribute non-GPL plugins. End of story.
>
>Regarding the demand of payment (or 'ransom' as you should have called
>it), your statement is incorrect - plugins are GIVEN AWAY FOR FREE.
>
>The main differences between _now_ and a pure GPL feed are :
>
>(a) There is a delay between the time we write the plugins and the
>time you get them FOR FREE ;
>
>(b) You have to respect some conditions regarding the use of the
>plugins. For instance, you can not put them in a shiny appliance you
>want to resell ;
>
>(c) The upside of this is that now that there are commercial customers
>out there, you (as a free user) have the _guarantee_ that plugins will be
>written and released in about 7 days for every new flaw. The reason is
>simple : while we do not have SLAs in place for commercial customers
>(it's not doable to commit to a timely delivery for any flaw which may
>be disclosed in the future), we are committed to give the best possible
>response time regarding plugin-writing, and that's what we've been
>doing so far.
>If we decide to not write a plugin for a given flaw, we have an internal
>database explaining why, so our support team can explain to customers
>why there's no check for a given flaw.
>
>Also, most of the money made from the plugin feed goes back into research and
>QA directly, which in turn makes us distribute better plugins.
>
>So in a way, this new policy *benefits* everyone :
>
>- You now have a seven-day nearly-guaranteed delivery time of high quality,
>whereas in the past you had no guarantee AT ALL that we'd write plugins on
>a given flaw, and if the plugins had been written under the GPL there
>would be no guarantee that they work at all ;
>
>- We now have a very formal process to write plugins and we keep track of
>the plugins which are written and the ones which won't be because
>customers have the right to ask for an explanation of what goes in and
>what does not ;
>
>- 7 days is still a very good time compared to other scanners out there ;
>
>
>
>
>
>>- Tenable's claim that they can pick between GPL and their own plugins
>>when a collision occurs, is a clear conflict of interest.
>>
>>
>
>So far, we only had one collision (a script submitted by Noam Rathaus
>for a bug in a modest CGI script had already been written).
>
>At the same time, there are a lot of things behind the scenes that you do
>not see :
>
>- We QA and fix every plugin we receive under the GPL. For example,
>this week David Maciejak submitted a plugin for 'awstats', and the plugin
>he sent me was non-functional (the test was wrong) [I don't mean to pick
>on David, I'm happy with most of his plugins]
>I spent time testing and fixing the plugin so that it worked properly,
>and I released it under the GPL _anyway_ (an evil me could have
>rejected the plugin on the grounds it was incorrect, and rewritten a
>functional version from scratch) ;
>
>- We _maintain_ every GPL plugin we receive. We receive bug reports and
>fix the plugins. We improve the plugins. We keep them up-to-date if
>they need to be ;
>
>- We _keep_ the GPL status even when we end up re-writing them. For
>instance, Nicolas re-wrote a bunch of Anti-Virus plugins from scratch
>last week (because they had become too hard to read and did not fit with
>the new versions of Norton and McAfee AV). Every plugin _rewritten from
>scratch_ has been released under the GPL, with NO delay.
>In the same vein, a few months ago I re-did nearly all the smb_nt_* plugins
>with the new smb_hotfix.inc API, and I left the copyright to the
>original authors of the plugins ;
>
>
>That being said, there is one thing I'd like to point out : we did NOT
>change the way the plugins are being released in order to hurt users or
>to make piles of money. And it's not a "ransom" either - plugins are
>available for free.
>
>
>We changed the plugins license because there is an imbalance between
>what we contribute compared to the rest of the community. Basically,
>Tenable (and myself, that's the same thing) contributes a _huge_ chunk
>of the plugins. Like 70% of them.  (and don't get me started on the
>Nessus _engine_).
>
>If you define Tenable, Michel Arboi, David Maciejak, George Theall and
>Noam Rathaus as a single group, you're talking about over 95% of the
>plugins. That goes against the perception that "open-source" is a
>million little elves coding for free all the time, doesn't it?
>
>At the same time, I'll let you count the number of companies out there who
>resell Nessus with a nice web interface on top of it. They are much more
>numerous than the full list of plugin contributors !
>
>So if people take the license change of the feed as a good incentive to
>_write_ good quality plugins(1) and submit them to us, then that's cool.
>If that prevents these companies from reselling Nessus because they have
>few plugins for it, that's cool too.
>
>We're fed up with doing most of the work and letting many companies not only
>profit from our efforts, but also actively fight against us (or me personally
>as it happened in the past).
>I'm fed up with seeing companies bill their customers for "plugin updates"
>for a much higher price than $1,200 per year, when all they do simply is to
>mirror www.nessus.org/nasl/all-2.0.tar.gz and resell it to their users
>(without any QA on them by the way, I have a funny anecdote about that). And
>I'm fed up with seeing all these companies take _my_ work, rebrand it, and
>claim it as being their own technology.
>
>For Christ's sake, go to <http://www.predatorwatch.com/Public.ppt>, go to
>page 20 and compare the output of their sample plugin with webdist.cgi
>(plugin#10299) - it seems that someone out there mastered the
>almighty 'sed s/Nessus/PredatorWatch/g' command.
>
>Or go to <http://www.securityspace.com/smysecure/last30.html> and see
>how their ambiguous wording makes the average user think that
>SecuritySpace actually wrote the checks themselves.
>
>Or go to <http://www.stillsecure.com/products/vam/> and once again, see
>how their ambiguous wording makes the average user think _they_ are
>writing new checks and wrote their own vulnerability scanner.
>
>Or there is a company out there which - during their training classes -
>explains to their prospects that they fix the Nessus source code,
>because I'm a very naughty person and could insert backdoors and malware
>in my code (and they are careful enough to only say it verbally, which
>is why I don't mention their name in public).
>
>
>And this is the tip of the iceberg.
>
>
>So now, having seen a slightly larger part of the picture, please, oh
>please, give me your magical recipe to continue improving Nessus and
>writing better plugins while :
>
> - not helping these guys as much as a full GPL feed would ;
> - avoiding hurting most of the Nessus users ;
> - making sure this development makes sense for us commercially ;
>
>
>From a business perspective, we could have done things which are much
>more ugly than publishing plugins under a non-GPL license - believe me -
>but we may have overlooked some items - so feel free to let me know what
>your ideas would be.
>
>
>
>
>>- Tenable's claim that they are distributing plugins for free is not
>>correct.  They are forcing people to agree to a very restrictive non-GPL
>>contract.  Giving up rights is not free.
>>
>>
>
>You're absolutely correct in your last statement : giving up rights is
>not free. The thing is that when people talk about a copyRIGHT, it's
>because in most countries, there is a _right_ regarding the use,
>distribution and copying of intellectual works, and the GPL actually
>_gives up_ some of these rights. So yes, releasing programs under the
>GPL has a cost for us.
>
>That being said, Tenable plugins are available for FREE, as in free
>beer. I know the English language is a bit limited in that area, but if
>we ever do a French version of the Nessus web site, rest assured that
>we'll say the plugins are available "gratuitement".
>
>[...]
>
>
>>- New plugins should be GPL.  I think that most users would pay a fair
>>price to get the latest tested plugins.  I think if users feel that they
>>are being charged a fair price for a great product they will pay.  Tenable
>>can still hold new plugins for 7 days, which would be a major value to
>>corporate Nessus users.
>>
>>
>
>You do not seem to understand what the GPL is. If that were the case,
>then anyone could subscribe to the plugin feed for $1,200 per year, and
>give it away to the rest of the community for free. And that does not
>address the problems mentioned above.
>
>
>				-- Renaud
>
>
>(1) If you set up a cronjob to send us a non-working plugin every time a
>new BID surfaces, then we'll have to reject your plugins.
>_______________________________________________
>Nessus mailing list
>Nessus_at_list.nessus.org
>http://mail.nessus.org/mailman/listinfo/nessus
>
>

--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------

