RE: Tenable's license changes (and why the license changed)
>So now, having seen a slightly larger part of the pictures, please, oh
>please, give me your magical recipe to continue improving Nessus and
>writing better plugins while :
>
> - not helping these guys as much as a full GPL feed would ;
> - avoiding hurting most of the Nessus users ;
> - making sure this development makes sense for us commercially ;
I am reticent to question Tenable's business model or even give advice,
being an outsider, but I will give it a shot anyway.
The current plugin model (as described on this email thread and the licenses
published), does not allow for reselling Tenable's plugin feed. I am a
consultant, and do install Nessus at client locations. Tenable's new
requirement of paying for the plugin feed would work well for me, since
this would allow me to provide a higher level, guaranteed service by a
professional firm (Tenable) instead of relying on a GPL feed. I have always
told clients that Nessus was the system under the hood - though most
corporations do not know of Nessus; they just rely on my competence.
Unfortunately, as I understand the current license, if I were to install
Nessus, and desire the up-to-date feed, I will have to have the client
order the feed directly from Tenable. This is an unnecessary complexity,
and hampers propagating the Tenable plugin feed product. I would rather
order the feed from Tenable, then provide this to clients directly, paying
Tenable a fee for every Nessus implementation.
If I am wrong on this restriction, please let me know, but Tenable have
said this is how the license works.
About trying to stop competitors from using Nessus and the Tenable plugins,
I do not understand why these competitors are a problem. Why not charge
each of these security vendors $1200.00/year for each product they sell.
The potential market for Vulnerability Assessment is HUGE. Every company
(small and large) SHOULD be using a VA product. Companies not running VA
are seriously vulnerable and inept.
If there are really 1000s of companies using Nessus under the hood, this is
an incredibly large market. If PredatorWatch.com sells 100 boxes, this
would be $120,000.00 revenue for Tenable each and every year. If
PredatorWatch is successful, and sells 100 units each year, the
revenue for Tenable is $600,000.00/year in five years.
I doubt that there are 1000s of substantial companies with Nessus embedded,
but it only takes a dozen or two to make real revenue.
Tenable seems to want to eliminate this competition. I am guessing that
Tenable does not see this plugin subscription revenue as substantial, and
will make more revenue selling their commercial products directly to the
enterprise marketplace. This assumes that the revenue that Tenable would
miss, which would go to a Nessus knockoff competitor (minus the Tenable
plugin fee), is greater than the subscription fees from hundreds of Nessus
knockoff products. Tenable probably knows best here, but...
In my limited experience selling to the enterprise market, each sale
requires effort. Sales people have to get through the door, they have to
educate the enterprise that VA is a good thing, then talk them into a
product which has a tendency to increase the IT staff's efforts, since
knowledge of vulnerabilities adds to their work since they are then required
to fix their problems. (Ignorance is bliss to many IT departments). Is
Tenable really going to be able to completely cover the entire world with
sales people, and beat out the well established companies in this market?
(Symantec, ISS, FoundStone, Qualys, ...)
Tenable does have a chance if they were to encourage embedding
Nessus/Tenable technologies into other products. This would be a world
wide opportunity.
Imagine hundreds of companies, each running embedded Tenable technology,
each with their own market focus, each with different implementations which
appeal to different audiences.
Can Tenable really create Newt/Lightning like products which work well with
(for example):
- Medical communities
- Small enterprises with no IT support (law offices, credit unions, ...)
- Foreign markets
- Government agencies
- Appliance applications (large and small)
- Managed Service Providers
- Consulting firms (KPMG, Price Waterhouse, small guys, ...)
- Integrate with HP Openview, Tivoli, eSecurity, Trouble Ticketing
systems, etc.
It seems to me that partnering with the product vendors, which create a
Nessus+ product, would scale very well, and would be an excellent business
model. Each of these business partners would handle the burden of creating
web sites, supporting sales teams around the world, build and support
product user communities. This burden is quite expensive, but the Tenable
portion of supplying the embedded technology would be the same burden for
Tenable as is already being provided - at no cost.
As for competition for the commercial Tenable products, Tenable products
should compete based on product and business competence. This will be the
case with or without Nessus knockoff competitors. Newt/Lightning Console
may beat out the competition in their particular market, but there are
other markets, and if these are not covered by Tenable and the commercial
plugin feed, these markets will be covered by other companies, and Tenable
will be left out of these market opportunities. Tenable would be leaving
money on the table.
My best case scenario is a healthy Tenable/Nessus, providing the excellent
service they already provide, while paying the Tenable staff so much that
they never leave.
OK, so my magical recipe for
> - not helping these guys as much as a full GPL feed would ;
> - avoiding hurting most of the Nessus users ;
> - making sure this development makes sense for us commercially ;
1. Encourage these knockoff guys with a special license ($1200/mo.?) for
every product they sell. Get Nessus/Tenable technologies embedded
everywhere. Tenable's real competition is the big guys recently entering
this market (Symantec, etc.). Reserve the right to audit these partnerships
to guarantee compliance.
2. Provide the feed (minus 7 days) to everyone else (as you have already
done), but make this license for end-users of Nessus only. Nessus+
knockoffs have to use #1.
3. Consider a free up-to-date feed for non-commercial use, education,
non-profit, etc. This is good-will and further propagates Nessus/Tenable
products. A common practice today.
Robert Keith
-----Original Message-----
From: nessus-bounces_at_list.nessus.org
[mailto:nessus-bounces_at_list.nessus.org]On Behalf Of Renaud Deraison
Sent: Saturday, January 22, 2005 7:56 AM
To: nessus_at_list.nessus.org
Subject: Re: Tenable's license changes (and why the license changed)
Hi Robert (and list),
Ron replied to most of your questions, but I'll add my grain of salt to
a few items, because I think there is a strong misunderstanding between
what we're trying to do and what some users (like you) seem to perceive.
On Fri, Jan 21, 2005 at 04:28:44PM -0800, Robert Keith wrote:
> - Tenable granting themselves a special right to write non-GPL plugins
> sounds legally questionable. If it is in fact legal, it still should
> have been made very clear to all Nessus users when they started this
> practice at the beginning of Tenable. This should also be clear when Nessus
> is downloaded and installed. It is frightening to think that authors of GPL
> programs can secretly grant themselves rights to create non-GPL modules and
> then surprise the community demanding payment after everyone has unknowingly
> become dependent on the modules.
So by your reasoning, if I write a software and give it away for free to
the community under certain conditions, I (the author of the software)
have to obey the exact same conditions regarding the use I want to make
of my own software developed by myself.
Interestingly, even gnu.org says that an author can dual-license his own
work
- please see http://www.gnu.org/copyleft/gpl-faq.html#HeardOtherLicense
- meaning that an author does _not_ have to abide by the rules he set for
the software he writes.
If a third party wants to write non-GPL plugins, they have to ask the
copyright owner for permission, because otherwise they would be in
violation of the GPL, that's as simple as that. We granted ourselves the
authorization to distribute non-GPL plugins. End of story.
Regarding the demand of payment (or 'ransom' as you should have called
it), your statement is incorrect - plugins are GIVEN AWAY FOR FREE.
The main differences between _now_ and a pure GPL feed are :
(a) There is a delay between the time we write the plugins and the
time you get them FOR FREE ;
(b) You have to respect some conditions regarding the use of the
plugins. For instance, you can not put them in a shiny appliance you
want to resell ;
(c) The upside of this is that now that there are commercial customers
out there, you (as a free user) have the _guarantee_ that plugins will be
written and released in about 7 days for every new flaw. The reason is
simple : while we do not have SLAs in place for commercial customers
(it's not doable to commit to a timely delivery for any flaw which may
be disclosed in the future), we are committed to give the best possible
response time regarding plugin-writing, and that's what we've been
doing so far.
If we decide to not write a plugin for a given flaw, we have an internal
database explaining why, so our support team can explain to customers
why there's no check for a given flaw.
Also, most of the money made from the plugin feed goes back in research and
QA directly, which in turn make us distribute better plugins.
So in a way, this new policy *benefits* everyone :
- You now have a seven days nearly-guaranteed delivery time of high quality,
whereas in the past you had no guarantee AT ALL that we'd write plugins on
a given flaw, and if the plugins had been written under the GPL there
would be no guarantee that they work at all ;
- We now have a very formal process to write plugins and we keep track of
the plugins which are written and the ones which won't be because
customers have the right to ask for an explanation of what goes in and
what does not ;
- 7 days is still a very good time compared to other scanners out there ;
> - Tenable's claim that they can pick between GPL and their own plugins
when
> a collision occurs, is a clear conflict of interest.
So far, we only had one collision (a script submitted by Noam Rathaus
for a bug in a modest CGI script had already been written).
At the same time, there are a lot of things behind the scene that you do not see :
- We QA and fix every plugin we receive under the GPL. For example,
this week David Maciejak submitted a plugin for 'awstats', and the plugin
he sent me was non-functional (the test was wrong) [I don't mean to pick
on David, I'm happy with most of his plugins]
I spent time testing and fixing the plugin so that it worked properly,
and I released it under the GPL _anyway_ (an evil me could have
rejected the plugin on the grounds it was incorrect, and rewrite a
functional version from scratch) ;
- We _maintain_ every GPL plugin we receive. We receive bug reports and
fix the plugins. We improve the plugins. We keep them up-to-date if
they need to be ;
- We _keep_ the GPL status even when we end up re-writing them. For
instance, Nicolas re-wrote a bunch of Anti-Virus plugins from scratch
last week (because they had become too hard to read and did not fit with
the new versions of Norton and McAfee AV). Every plugin _rewritten from
scratch_ has been released under the GPL, with NO delay.
In the same vein, a few months ago I re-did nearly all the smb_nt_* plugins
with the new smb_hotfix.inc API, and I left the copyright to the
original authors of the plugins ;
That being said, there is one thing I'd like to point out : we did NOT
change the way the plugins are being released in order to hurt users or
to make piles of money. And it's not a "ransom" either - plugins are
available for free.
We changed the plugins license because there is an imbalance between
what we contribute compared to the rest of the community. Basically,
Tenable (and myself, that's the same thing) contributes a _huge_ chunk
of the plugins. Like 70% of them. (and don't get me started on the
Nessus _engine_).
If you define Tenable, Michel Arboi, David Maciejak, George Theall and
Noam Rathaus as a single group, you're talking about over 95% of the
plugins. That goes against the perception that "open-source" is a
million little elves coding for free all the time, doesn't it ?
At the same time, I'll let you count the number of companies out there who
resell Nessus with a nice web interface on top of it. They are much more
numerous than the full list of plugins contributors !
So if people take the license change of the feed as a good incentive to
_write_ good quality plugins(1) and submit them to us, then that's cool.
If that prevents these companies from reselling Nessus because they have
few plugins for it, that's cool too.
We're fed up with doing most of the work and letting many companies not only profit
from our efforts, but also actively fight against us (or me personally
as it happened in the past).
I'm fed up of seeing companies bill their customers for "plugin updates" for a
much higher price than $1,200 per year, when all they do simply is to mirror
www.nessus.org/nasl/all-2.0.tar.gz and resell it to their users (without any QA
on them by the way, I have a funny anecdote about that). And I'm fed up of
seeing all these companies take _my_ work, rebrand it, and claim it as
being their own technology.
For Christ's sake, go to <http://www.predatorwatch.com/Public.ppt>, go to
page 20 and compare the output of their sample plugin with webdist.cgi
(plugin#10299) - it seems that someone out there mastered the
almighty 'sed s/Nessus/PredatorWatch/g' command.
Or go to <http://www.securityspace.com/smysecure/last30.html> and see
how their ambiguous wording makes the average user think that SecuritySpace
actually wrote the checks themselves.
Or go to <http://www.stillsecure.com/products/vam/> and once again, see
how their ambiguous wording makes the average user think _they_ are
writing new checks and wrote their own vulnerability scanner.
Or there is a company out there which - during their training classes -
explain to their prospects that they fix the Nessus source code,
because I'm a very naughty person and could insert backdoors and malware
in my code (and they are careful enough to only say it verbally, which
is why I don't mention their name in public).
And this is the tip of the iceberg.
So now, having seen a slightly larger part of the pictures, please, oh
please, give me your magical recipe to continue improving Nessus and
writing better plugins while :
- not helping these guys as much as a full GPL feed would ;
- avoiding hurting most of the Nessus users ;
- making sure this development makes sense for us commercially ;
From a business perspective, we could have done things which are much
more ugly than publishing plugins under a non-GPL license - believe me -
but we may have overlooked some items - so feel free to let me know what
your ideas would be.
> - Tenable's claim that they are distributing plugins for free is not
> correct. They are forcing people to agree to a very restrictive non-GPL
> contract. Giving up rights is not free.
You're absolutely correct in your last statement : giving up rights is
not free. The thing is that when people talk about a copyRIGHT, it's
because in most countries, there is a _right_ regarding the use,
distribution and copying of intellectual works, and the GPL actually
_gives up_ some of these rights. So yes, releasing programs under the
GPL has a cost for us.
That being said, Tenable plugins are available for FREE, as in free
beer. I know the English language is a bit limited in that area, but if
we ever do a French version of the Nessus web site, rest assured that
we'll say the plugins are available "gratuitement".
[...]
> - New plugins should be GPL. I think that most users would pay a fair price
> to get the latest tested plugins. I think if users feel that they are being
> charged a fair price for a great product they will pay. Tenable can still
> hold new plugins for 7 days, which would be a major value to corporate
> Nessus users.
You do not seem to understand what the GPL is. If that was the case,
then anyone can subscribe to the plugin feed for $1,200 per year, and
give it away to the rest of the community for free. And that does not address
the problems mentioned above.
-- Renaud
(1) If you set up a cronjob to send us a non-working plugin every time a new
BID surfaces, then we'll have to reject your plugins.