
Nessus 3.0 Released

ScuttleMonkey posted more than 8 years ago | from the now-vulnerable-to-consumer-acquisition dept.

Security 108

duplo1 writes Tenable Security has announced the release of Nessus 3.0. Nessus is an enterprise-level vulnerability scanner, and this new version brings a complete rewrite of the Nessus engine, redesigned for increased speed and efficiency, running on average twice as fast as Nessus 2. From the release: "In addition to gaining dramatic improvements in performance, Tenable also provides an optional Direct Feed subscription service for Nessus 3.0 which provides immediate access to new vulnerability checks and entitles Nessus 3.0 users to commercial support from Tenable. The Tenable Plugins include support for a rating methodology called Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."


fp (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14244973)

fp

There's also the itsy bitsy license change... (5, Informative)

Anonymous Coward | more than 8 years ago | (#14244978)

You know, not GPL anymore. Did that escape you while writing the ad?

Re:There's also the itsy bitsy license change... (1)

Pieroxy (222434) | more than 8 years ago | (#14245155)

I was wondering... Do these guys pay the slashdot editors when they release an ad like that? It would seem to be a fair deal.

Re:There's also the itsy bitsy license change... (3, Informative)

burns210 (572621) | more than 8 years ago | (#14245245)

Yea, they do actually. It is a revenue source for slashdot, paid stories. No kidding.

Re:There's also the itsy bitsy license change... (1)

grazzy (56382) | more than 8 years ago | (#14247203)

So sayeth the digg user.

Yeah, but there's also... (5, Interesting)

hug_the_penguin (933796) | more than 8 years ago | (#14245165)

...the fact it's majorly improved. Of the people here, most of them won't care that it's closed source, purely because of the reason they closed the source. If it hadn't been for rebranding issues, (IMO a fault with the GPL), nessus would still be open source. It's still the best there is, people will still use it.

Not everyone will avoid anything that isn't free/libre, especially if the quality is good. The free software community brought it upon themselves by not helping out and, in the case of the rebranders, for stealing all sources of revenue nessus had when GPL. 100 hour weeks hacking on code don't come for free, you know. We'd all prefer it to be free, but it's not essential.

Re:Yeah, but there's also... (0, Offtopic)

the_loon (742522) | more than 8 years ago | (#14245193)

I will call BS on this, Nessus could be open source all day long. I believe they think there is money (lots of it) to be made, and they made the jump. They did indeed leave the covenant. Example, look at Snort, bought out, Marty got paid like a mofo, yet still open source and still free to the end user. I find "rebranding" issues to be a pretty cheap scapegoat for what is in reality "wallet low on cash issues".

Not everyone will avoid anything that isn't free/libre, especially if the quality is good. The free software community brought it upon themselves by not helping out and in the case of the rebranders, for stealing all sources of revenue nessus had when GPL. 100 hour weeks hacking on code don't come for free, you know.

This is a horrible argument. Do you mean to tell me that the Nessus team found every vuln themselves and then coded an exploit to check for such vuln? The "free software community" you speak of actually coded the exploits, and released to the wild (save the full disclosure args for another day) POCs and working code, of which a simple check, MAYBE coded by the Nessus team, will bring in loads of cash to the now closed source product. Let's face it, money talks. I don't even really blame them, I would probably take the money too... but don't give me the "free/open software community never gave back" argument, as until this last 7 days, you don't exactly buy those exploits on ebay...

Re:Yeah, but there's also... (5, Informative)

seifried (12921) | more than 8 years ago | (#14245225)

"Do you mean to tell me that the Nessus team found every vuln themselves and then coded an exploit to check for such vuln?"

In a nutshell yes. They don't actually find all the vulnerabilities themselves, for that you can simply check the CVE database/etc. However as far as writing the plugins to check for the actual flaw/etc most of those were written by the core team, very few have been contributed by outsiders. Basically Nessus loses almost no outside development in moving to a closed source model, one of the biggest reasons to open source something (gain outside developers).

Re:Yeah, but there's also... (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14245195)

> Not everyone will avoid anything that isn't free/libre, especially if the quality is good.

For security related software???

Re:Security Software (2, Interesting)

hug_the_penguin (933796) | more than 8 years ago | (#14245220)

Traditionally people have trusted closed source antiviruses and firewalls...

Re:Security Software (-1)

Anonymous Coward | more than 8 years ago | (#14245229)

For feel-good purposes and entertainment, yes.

On windows / auditing free/libre code (1)

hug_the_penguin (933796) | more than 8 years ago | (#14245424)

On a windows environment (and most of us have been there) there is little choice in the matter. You can't tell me you'd trust clam to give you a clean bill of health on its own?

And how often do you audit all the code in the software anyway? You can't rely on the community to do that for you, very few in the community know the code well enough to know what everything does anyway. In the case of nessus where next to no code was contributed, how are you supposed to know it's safe just because it's free/libre?

Re:Security Software (1)

John Hurliman (152784) | more than 8 years ago | (#14248125)

Like ClamAV [clamav.net] and pf [openbsd.org] ?

Re:Yeah, but there's also... (1)

bit01 (644603) | more than 8 years ago | (#14245316)

...the fact it's majorly improved.

Except for the license, which apparently took a major step backwards.

Of the people here, most of them won't care that it's closed source,

You have no idea. Likely, people who don't regard open and free licenses as important are reading cnet etc. anyway, not slashdot.

purely because of the reason they closed the source.

Which is? The two page press release said nothing.

If it hadn't been for rebranding issues, (IMO a fault with the GPL), nessus would still be open source.

Wrong. They chose the license and if they wanted they could've had a variant of GPL with whatever branding exceptions they wanted.

It's still the best there is,

Except for the license.

people will still use it.

I won't, I'll be using the forked open source version.

Not everyone will avoid anything that isn't free/libre, especially if the quality is good.

The license is part of the feature set of the program. Different people regard different features as important. Some people regard a quality license as important. No surprises there.

The free software community brought it upon themselves by not helping out and in the case of the rebranders, for stealing all sources of revenue nessus had when GPL.

I don't know the situation but just as likely it's Nessus' fault for not controlling their brand with the appropriate license, open or closed, and/or providing a service that consumers would prefer over the rebranders.

More likely Nessus is going closed source because they've got mindshare now and they think they can make more money closed source. It's happened before. Open source for them was simply a loss leader to get free advertising.

100 hour weeks hacking on code don't come for free, you know.

Sometimes it does, sometimes it doesn't. There are many motivations besides money for creating code and with 6,500,000,000+ people in the world all it takes is 0.0001% coding to get something happening.

We'd all prefer it to be free, but it's not essential

Depends on the individual and whether they regard an open license as a negative, unimportant, important or essential.

---

Unregulated DRM = Total Customer Control = Ultimate Customer Lockin = Death of the free market.

Re:Yeah, but there's also... (2, Insightful)

hug_the_penguin (933796) | more than 8 years ago | (#14245536)

Except for the license, which apparently took a major step backwards.

So it's crap because of the licence? I don't buy that

You have no idea. Likely, people who don't regard open and free licenses as important are reading cnet etc. anyway, not slashdot.

I regard them as a nicety, not an essential. End of the day, I want the best security across my servers, and I'd rather accept a closed source nessus with superior detection than an open source gnessus with inferior detection. (Of course if Gnessus takes off and becomes better, great stuff, I'd prefer that).

Which is? The two page press release said nothing.

It did say they were gaining very little benefit from being open source, very little code had been contributed, and when it happened, I remember reading it was about rebranding.

Wrong. They chose the license and if they wanted they could've had a variant of GPL with whatever branding exceptions they wanted.

When you go into making a product like this, you like to keep the nature of free software open, you don't go about assuming that people will take your product and rebrand it, thereby stealing your custom.

Except for the license.

I won't, I'll be using the forked open source version.

So you're willing to settle for inferior security for the sake of a licence? A nicety only, security is the most important thing to their systems, you can't afford to skimp based on licence.

The license is part of the feature set of the program. Different people regard different features as important. Some people regard a quality license as important. No surprises there.

Naturally people will see different features as important, but I would say it was safe to assume that in security, effectiveness at creating security is the best thing, and so nessus would win out over gnessus. Of course I'm here purely thinking from the point of view that I want my servers to stay standing for the foreseeable future...

I don't know the situation but just as likely it's Nessus' fault for not controlling their brand with the appropriate license, open or closed, and/or providing a service that consumers would prefer over the rebranders.

What can you provide to a free/beer product that makes it more valuable than rebrands? You can't pull closed source here because you're claiming the main fault with nessus is its closed source. As for another open source licence, I agree this should have been done in the first place, but c'est la vie.

More likely Nessus is going closed source because they've got mindshare now and they think they can make more money closed source. It's happened before. Open source for them was simply a loss leader to get free advertising.

It would be interesting to take a look at their accounts and find out if this is indeed true.

Sometimes it does, sometimes it doesn't. There are many motivations besides money for creating code and with 6,500,000,000+ people in the world all it takes is 0.0001% coding to get something happening.

Yes, but there is the small fact of having to live, and 100 hours a week is hard to fit around a job providing sufficient income to live.

Depends on the individual and whether they regard an open license as a negative, unimportant, important or essential.

Very few people would be in the negative group, and I would say it's about a 45 each on unimportant and important. Not so many regard it as essential, like you might think. There are those groups who would sacrifice security for openness, however, but they are the minority.

Re:Yeah, but there's also... (1)

bit01 (644603) | more than 8 years ago | (#14249920)

So it's crap because of the licence? I don't buy that

I don't think many people said it's crap (I haven't checked all the posts!). I think people are just disappointed that an important piece of open source has stopped being sponsored. We'll see if the open source version takes off, like ssh/openssh.

I regard them as a nicety, not an essential. End of the day, I want the best security across my servers, and I'd rather accept a closed source nessus with superior detection than an open source gnessus with inferior detection. (Of course if Gnessus takes off and becomes better, great stuff, I'd prefer that).

Fair enough. However I have concerns that if the government hasn't done so already it will soon be secretly mandating backdoors in closed source software for the purposes of law enforcement. A security checker that is deliberately blind to FBI TCP/IP bugging for example. Ditto backdoors for commercial purposes. Open source isn't perfect but it's less likely to have those sorts of holes and in addition gives me the opportunity to check precisely what the scanner is doing.

It did say they were gaining very little benefit from being open source, very little code had been contributed, and when it happened, i remember reading it was about rebranding.

The press release on businesswire referenced by this slashdot story did not say any of this.

When you go into making a product like this, you like to keep the nature of free software open, you don't go about assuming that people will take your product and rebrand it, thereby stealing your custom

Hope for the best case, plan for the worst case. In a world of billions of people it's a statistical certainty you'll get at least a few bad apples.

So you're willing to settle for inferior security for the sake of a licence?

The license is part of the security architecture. I plan my security architecture in a way that has the minimum hidden dependencies on third parties. To give you an idea of the sort of thing that can happen, at least one big name router vendor deliberately re-routed a small fraction of all http requests on at least one of their routers to their website for advertising purposes. I'm not saying Nessus are doing similar things, just that with closed source they have more of a temptation to do so, and over time there are fewer checks and balances.

A nicety only, security is the most important thing to their systems, you can't afford to skimp based on licence.

For you a nicety, for others core.

Naturally people will see different features as important, but I would say it was safe to assume that in security, effectiveness at creating security is the best thing, and so nessus would win out over gnessus.

Security is defence in depth. You can't make it perfect. The degree that the new closed source version is technically superior to the previous open source version is a judgement call and may or may not be important.

Of course I'm here purely thinking from the point of view that I want my servers to stay standing for the forseeable future...

Depends on what you're doing as to whether the new version of the scanner is worthwhile.

What can you provide to a free/beer product that makes it more valuable than rebrands?

You're the expert. You're the one that people know best. You're the one that people trust. People buy name brands (e.g. Nike) all the time for exactly that reason.

You can't pull closed source here because you're claiming the main fault with nessus is it's closed source.

I didn't. I said there are many licensing options. Traditional closed source is just one of many. Parallel licensing with restrictions on branding is common.

As for another open source licence, I agree this should have been done in the first place, but c'est la vie.

More likely Nessus is going closed source because they've got mindshare now and they think they can make more money closed source. It's happened before. Open source for them was simply a loss leader to get free advertising.

It would be interesting to take a look at their accounts and find out if this is indeed true.

Yes but I'm not sure if the accounts would give evidence of intent.

Yes, but there is the small fact of having to live, and 100 hours a week is hard to fit around a job providing sufficient income to live.

Depends on the individual situation. One of the reasons why large companies are getting in on open source. Their payback is better because they can put a small percentage of their payroll on open source development and get a large payback in terms of number of people impacted and mindshare. Small companies usually get into it because of the advertising or because they want to be more obviously trustworthy to their customers.

Depends on the individual and whether they regard an open license as a negative, unimportant, important or essential.

Very few people would be in the negative group,

Not so sure about that. There's quite a lot of people in the "nobody ever got fired for buying microsoft or other name brands" camp.

and I would say it's about a 45 each on unimportant and important. Not so many regard it as essential, like you might think. There are those groups who would sacrifice security for openness, however, but they are the minority.

As I said before I don't regard open access to my software tools as a security sacrifice. Depends on the individual situation of course. If I was a bank I probably would run both the open source and the closed source scanners, plus as many other vendors' products as I could lay my hands on. With a firewall to make sure none of those products could phone home without my authorisation, and monitoring with ethereal to make sure they're doing nothing dodgy.

---

Unregulated DRM = Total Customer Control = Ultimate Customer Lockin = Death of the free market.
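The posture bit01 describes above (run the scanners behind a firewall that blocks unauthorised phone-home, and watch the traffic) can be reduced to a simple egress audit. The following is an added example, not code from the thread or from Nessus/Tenable: it takes a few constructed connection records of the kind you would export from an Ethereal capture or a firewall log, and reports every outbound connection from the scanner host that is neither to an in-scope scan target nor to an explicitly authorised server. The scanner address, the scope network, the feed server address and the record format are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for the example: the host running the scanners, the
# network it is allowed to scan, and the one external (dst, port) pair it may
# legitimately reach (a hypothetical plugin-feed server on a TEST-NET address).
SCANNER_HOST = "10.0.5.20"
SCAN_SCOPE = [ipaddress.ip_network("10.0.0.0/16")]
AUTHORISED_EGRESS = {("203.0.113.10", 443)}


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    proto: str


def parse_conn_line(line):
    """Parse one 'src dst dport proto' record (constructed, whitespace-separated)."""
    src, dst, dport, proto = line.split()
    return Conn(src, dst, int(dport), proto.lower())


def in_scope(dst):
    """True if the destination lies inside a network the scanner is meant to scan."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in SCAN_SCOPE)


def classify(conn):
    """Label a connection from the scanner's point of view."""
    if conn.src != SCANNER_HOST:
        return "ignored"          # inbound or unrelated traffic; not an egress question
    if in_scope(conn.dst):
        return "scan"             # expected: the scanner talking to its targets
    if (conn.dst, conn.dport) in AUTHORISED_EGRESS:
        return "authorised"       # expected: an allow-listed update/feed server
    return "unexpected"           # everything else is a phone-home candidate


def audit(lines):
    """Count expected traffic and collect every unexpected outbound connection."""
    findings = {"scan": 0, "authorised": 0, "ignored": 0, "unexpected": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        conn = parse_conn_line(line)
        kind = classify(conn)
        if kind == "unexpected":
            findings["unexpected"].append(conn)
        else:
            findings[kind] += 1
    return findings


# Constructed sample records: two scans, one authorised feed pull, one inbound
# connection to the scanner, and two outbound connections nobody approved.
SAMPLE_LOG = """\
# constructed: src dst dport proto
10.0.5.20 10.0.1.15 22 tcp
10.0.5.20 10.0.1.15 80 tcp
10.0.5.20 203.0.113.10 443 tcp
10.0.5.20 198.51.100.7 443 tcp
10.0.1.15 10.0.5.20 1241 tcp
10.0.5.20 192.0.2.44 53 udp
"""

if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines())
    print(f"scan={result['scan']} authorised={result['authorised']} ignored={result['ignored']}")
    for conn in result["unexpected"]:
        print(f"UNEXPECTED egress: {conn.src} -> {conn.dst}:{conn.dport}/{conn.proto}")
```

The same classification is what the firewall rule set enforces; running it over the capture afterwards is the "monitoring" half, and any line reported as unexpected is the one to chase, whether it turns out to be a misconfigured scan scope or a product calling home.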

Re:Yeah, but there's also... (1)

thomasa (17495) | more than 8 years ago | (#14250198)

Except for the license, which apparently took a major step backwards.

So it's crap because of the licence? I don't buy that

-----

So you find that unTenable?

Re:Yeah, but there's also... (3, Insightful)

Kjella (173770) | more than 8 years ago | (#14245402)

If it hadn't been for rebranding issues, (IMO a fault with the GPL), nessus would still be open source.

If your OSS business model relies on someone else not slapping their logo on it and selling it, then you have the wrong business model. It is not a fault with the GPL, and I'd be very worried if the GPL started making demands on when or if you could fork a project. I can sell "Mynix computers with Mohawk web server, YourSQL database and MyHP scripting language" (= LAMP) any day of the week, I doubt anyone would buy it. As long as the rebranders were respecting the GPL, it is Nessus' fault for not getting through to their customers about who is the source of this tool, and whom to support if they want it to continue. If you can't make any money other than on product sale, perhaps OSS is not for you. I'd much rather accept that than to see the GPL expand to become something like a "look, but don't touch" model.

Re:Yeah, but there's also... (2, Insightful)

Just Some Guy (3352) | more than 8 years ago | (#14247111)

Not everyone will avoid anything that isn't free/libre, especially if the quality is good.

You're probably right. Only the terminally paranoid will refuse to run a closed source vulnerability finder on their network.

Then again, the terminally paranoid are pretty much the only audience for this software. People with trusting natures don't tend to become security auditors in the first place, and even if they do, they don't tend to make a career out of it (mainly because they lack the mindset to be truly great at it).

Re:There's also the itsy bitsy license change... (4, Interesting)

Mark Round (211258) | more than 8 years ago | (#14245299)

Which is a major PITA, as there's currently no download for anything other than x86 Linux/FreeBSD. I run Nessus on Solaris (I'm the maintainer for the Blastwave.org packages), and it is this ramification of the license change that I find most infuriating. It wouldn't perhaps be so bad if Tenable could guarantee that all platforms would have binaries available for them - but this means they're leaving a large section of their userbase out in the cold. And woe betide you if you're running anything they consider really obscure or not worth supporting. Here's to the continued development of the forked GPL version.

Re:There's also the itsy bitsy license change... (2, Interesting)

zerocool^ (112121) | more than 8 years ago | (#14245761)


*sigh*

Just get a $200 e-machine computer from best buy, wipe it, install ubuntu or whatever, and run the new nessus under x86 / linux. If you're worried about security or conformity of machines on your network, leave it turned off when not scanning. Or, boot off of a ubuntu or knoppix live cd and install nessus 3.0, configure it, and run it - save the config file to a thumbdrive for future runs - if you don't want to dedicate a computer to the task.

While I agree that it would be nice to be able to run it under solaris natively, x86 computers are essentially commodity hardware now. I'd imagine in the time it took you to type this post on slashdot, you probably could have walked around the office and found a computer that wasn't being used for anything - I know I could have.

~W

Re:There's also the itsy bitsy license change... (4, Insightful)

Mark Round (211258) | more than 8 years ago | (#14245862)

And if I wanted to host this at our datacentre, in order to scan the systems on our network which is firewalled off from the outside world? I'd then have to shell out for additional rack space, power, etc. Not to mention that in many environments "just bung a live CD into an x86 box" won't get past upper management. Throwing additional hardware (even if it is "commodity" as you say) is hardly a great solution and only further encourages vendors to provide closed source solutions.

Once the source is closed, your option of running software on the platform of your choice may be gone forever. You're then totally dependent on the developer to continue supporting your platform. You also, by extension, have to hope they never go out of business, especially if their product incorporates some sort of time-locked licensing. If they wake up one morning and decide that it's no longer economically viable to continue building their product for your platform, you're screwed. Never mind that you may have built your entire infrastructure around a certain technology, and it's not economically viable for you to jump ship to whatever the flavour of the month is; if you want to continue running closed source product X, you have to dance to the beat of the developers' drum.

Re:There's also the itsy bitsy license change... (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14245941)

Once the source is closed, your option of running software on the platform of your choice may be gone forever. You're then totally dependant on the developer to continue supporting your platform.

Well, it seems like you were before anyhow because no one else was fucking contributing to the project! Who's running the GPL fork now? Are they maintaining and updating it to the standard that the original was? If not, do you really want to use that as the basis for your security, or do you want to use the best tool available? What's the use of there being a GPL fork if no one is maintaining it, or doing it well???

Re:There's also the itsy bitsy license change... (0)

Anonymous Coward | more than 8 years ago | (#14248015)

... anyhow ... fucking ... What's the use of their being a GPL fork ...

Caution: Genius at work.

Re:There's also the itsy bitsy license change... (1)

Wakko Warner (324) | more than 8 years ago | (#14249625)

Just get a $200 e-machine computer from best buy, wipe it, install ubuntu or whatever, and run the new nessus under x86 / linux.

Where the hell do you work that this kind of stunt wouldn't get you fired?

"Yeah, let me just drag this into the datacenter and hook it up, who will notice?"

- A.P.

Re:There's also the itsy bitsy license change... (2, Insightful)

millerjl (126046) | more than 8 years ago | (#14246011)

According to the nessus.org [nessus.org] site, OS X, Solaris, and Windows platforms are supported in early 2006. So for those of us who are currently running nessus on these platforms, we are now experiencing a minor inconvenience. In the meantime, be patient and test the software out on linux. That way when it comes out on the platform, you are already familiar with the changes and can implement them more effectively.

Linux/BSD (1)

PhYrE2k2 (806396) | more than 8 years ago | (#14246583)

It ___CLEARLY___ states that it has been released for Linux/BSD at this time. I'd imagine Solaris, AIX, Windows, and other platforms will follow, but for the time being, they set a release date for Linux/BSD- a large market. Give it time. Let them test Linux/BSD releases and then go from there.
-M

In Fact... (1)

PhYrE2k2 (806396) | more than 8 years ago | (#14246619)

The following platforms will be supported in early 2006 :

        * Mac OS X 10.3 and 10.4
        * Microsoft Windows 2000/XP Pro/2003
        * Solaris 9 and 10

Re:There's also the itsy bitsy license change... (-1)

Anonymous Coward | more than 8 years ago | (#14245312)

Mods, I understand "funny", I accept "overrated", but that comment is certainly not "offtopic".

***RTFA*** (2, Informative)

sczimme (603413) | more than 8 years ago | (#14245373)


You know, not GPL anymore. Did that escape you while writing the ad?

From TFA:

Nessus 3.0 was developed in response to growing market demand from enterprises, government agencies and consultants for a commercially licensed version of Nessus. Nessus 3.0 users will now have access to a number of commercial support and training options from Tenable Network Security. Tenable Network Security will continue to manage, distribute and maintain the open source version, Nessus 2.x. (emphasis mine)

Did that escape you while you were writing your kneejerk response? Of course it did: you couldn't be bothered to read the FIRST PARAGRAPH of the article.

Re:***RTFA*** (0)

Anonymous Coward | more than 8 years ago | (#14245698)

Full quote of the Slashdot summary:

duplo1 writes Tenable Security has announced the release of Nessus 3.0. Nessus is an enterprise-level vulnerability scanner, and this new version brings a complete rewrite of the Nessus engine, redesigned for increased speed and efficiency, running on average twice as fast as Nessus 2. From the release: "In addition to gaining dramatic improvements in performance, Tenable also provides an optional Direct Feed subscription service for Nessus 3.0 which provides immediate access to new vulnerability checks and entitles Nessus 3.0 users to commercial support from Tenable. The Tenable Plugins include support for a rating methodology called Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."

No mention of the license change. The Slashdot summary isn't a summary, it's an ad.

Re:***RTFA*** (1)

slo_learner (729232) | more than 8 years ago | (#14248085)

Or RTF post. I think he was pointing out that the summary of the article did not mention the most news worthy fact in the article.

***STFU*** (1)

Wakko Warner (324) | more than 8 years ago | (#14249711)

1) there is a difference between "maintaining" and "developing".
2) the new version (which is where all active development will happen) changed its license; this was not mentioned in the advertisement appearing at the top of this page and is a pretty fucking significant omission.
3) you do not get any extra mod points by adding more asterisks.

in conclusion, stop pretending you are the internet police. you are doing a really shit job of it.

Nessus 3 no longer GPL (4, Informative)

hunterx11 (778171) | more than 8 years ago | (#14244981)

Worth mentioning (though it has already been covered here on /.) is that this is the first closed-source version.

Re:Nessus 3 no longer GPL (-1, Troll)

SteevR (612047) | more than 8 years ago | (#14245037)

Sounds like it is time for the OS community to take the open fork and make it better than the closed one, therefore screwing over people who break their covenant with their userbase.

Yes, I do understand the reasons behind closing it (too many freeloaders, legal under the GPL and not).

Re:Nessus 3 no longer GPL (1)

daliman (626662) | more than 8 years ago | (#14245144)

While I can see it's annoying (hell, it's inconvenient for me too), I don't think it's fair to say that they broke the covenant. We still have the source and can continue with that. As mentioned above, it could well turn out better. And I wish them luck with their closed source version too.

Hindmost (4, Funny)

Spy Handler (822350) | more than 8 years ago | (#14244982)

Nessus is an enterprise level vulnerability scanner

I thought he was Hindmost's lover :o

Re:Hindmost (0)

secolactico (519805) | more than 8 years ago | (#14245082)

Troll?? Man, we need more Niven fans with mod points.

Re:Hindmost (1)

ozmanjusri (601766) | more than 8 years ago | (#14245188)

Man, we need more Niven fans with mod points.

Offer them rishathra.

Re:Hindmost (1)

MichaelSmith (789609) | more than 8 years ago | (#14245217)

Of course it is a bad name because Nessus was only paranoid part of the time. Doesn't sound very reliable to me.

Re:Hindmost (1)

llamalicious (448215) | more than 8 years ago | (#14246126)

... and we're going to rename Slashdot the Lying Bastard.

New and Improved! (-1, Offtopic)

dspisak (257340) | more than 8 years ago | (#14244987)

So advanced that now you can no longer look at the source, but you can't even load the nessus.org website anymore. Take that GPL!

Now that Tenable is /.'d (3, Informative)

Cherita Chen (936355) | more than 8 years ago | (#14244992)

Re:Now that Tenable is /.'d (1)

jacklexbox (912121) | more than 8 years ago | (#14245125)

Is it against the rules to mirror files like the Nessus 3.0 release on a site like this [filefactory.com] (to avoid the /. effect)?

v3.0 Download? What Download? (3, Interesting)

perlionex (703104) | more than 8 years ago | (#14245004)

Nessus 3.0 is immediately available for download from Tenable...

Their website [nessus.org] doesn't list 3.0 as being available for download, just the old 2.26. What's up?

Yes but... (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14245011)

...does it run (on) MS Windows (tm) yet?.. :P

I feel safe (1, Funny)

this great guy (922511) | more than 8 years ago | (#14245012)

Ahhh what a pleasure to feel safe and good, knowing that my network is regularly audited by this now non-opensource Nessus security scanner. This product is developed by a respectable company that really knows computers, networks, and stuff like that. They have a fantastic website, very well administered, and very safe. You know for sure that, for example, given their competence and immense wisdom, such a website will NEVER succumb under intense intrusion attacks, denial of service attacks, and this kind of crazy thing. Look, just go to www.nessus.org.

/me look at the browser trying to load the page...

Re:I feel safe (0)

Anonymous Coward | more than 8 years ago | (#14245073)

DDoS attacks are almost impossible to stop without a huge infrastructure and the cost to go with it. A slashdotting is pretty much like a DDoS, only it's legitimate traffic. Honestly, since you know it all, what would you do to prevent a DDoS?

Re:I feel safe (1)

Yvanhoe (564877) | more than 8 years ago | (#14245322)

At least have a lightweight static page stating that the site is overwhelmed by a horde of nerdy zerglings. A 500 byte message would do it.

And when you are a company which has a network business, with a reputation for networking skills, the least you could do is have a static version of your website and switch to it when traffic goes high. We have even seen DSL boxes answering something even in the middle of a /.ing!

That, and I don't like the fact that more and more /. stories look like a disguised ad.
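The static fallback the post above asks for, as an added example that is not code from this thread, from Tenable or from Slashdot: a small Python WSGI middleware that caps the number of requests in flight and answers everything beyond that cap immediately with a static page well under 500 bytes and a Retry-After header, instead of letting requests queue until the application falls over. The names (LoadShedder, demo_app, call, run_demo) and the stand-in application are constructed for this example.

```python
"""Load shedding for a WSGI application: once a fixed number of requests
are in flight, answer at once with a tiny static "overloaded" page rather
than queueing. Added example; the wrapped application is a constructed stub."""
import threading

# Static fallback body, well under 500 bytes, served without touching the
# application, its templates or its database.
OVERLOADED_BODY = (
    b"<html><body><h1>Site overloaded</h1>"
    b"<p>We are receiving more traffic than we can serve right now. "
    b"Please try again in a few minutes.</p></body></html>"
)


class LoadShedder:
    """WSGI middleware capping concurrent requests to the wrapped app."""

    def __init__(self, app, max_in_flight, retry_after=60):
        self.app = app
        self.slots = threading.BoundedSemaphore(max_in_flight)
        self.retry_after = retry_after
        self.shed = 0  # requests turned away, for monitoring

    def __call__(self, environ, start_response):
        if not self.slots.acquire(blocking=False):
            # Saturated: answer from static bytes, no application work at all.
            self.shed += 1
            start_response("503 Service Unavailable", [
                ("Content-Type", "text/html; charset=utf-8"),
                ("Content-Length", str(len(OVERLOADED_BODY))),
                ("Retry-After", str(self.retry_after)),
                ("Cache-Control", "no-store"),
            ])
            return [OVERLOADED_BODY]
        try:
            result = self.app(environ, start_response)
        except BaseException:
            self.slots.release()
            raise
        return self._stream(result)

    def _stream(self, result):
        """Yield the app's body and free the slot once the response is done."""
        try:
            for chunk in result:
                yield chunk
        finally:
            if hasattr(result, "close"):
                result.close()
            self.slots.release()


def demo_app(environ, start_response):
    """Constructed stand-in for the real (expensive) application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the real application\n"]


def call(app, path="/"):
    """Invoke a WSGI app directly and return (status, headers, body iterable)
    without consuming the body, so the request still counts as in flight."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response)
    return captured["status"], captured["headers"], body


def run_demo(max_in_flight=2):
    """Fill the app with unfinished requests and show the static fallback."""
    shedder = LoadShedder(demo_app, max_in_flight)
    first = call(shedder)    # occupies slot 1
    second = call(shedder)   # occupies slot 2
    third = call(shedder)    # no slot left: static 503 page
    statuses = [first[0], second[0], third[0]]
    b"".join(first[2])       # finishing a response frees its slot
    fourth = call(shedder)   # served again
    statuses.append(fourth[0])
    b"".join(second[2])
    b"".join(fourth[2])
    return statuses, shedder.shed, len(OVERLOADED_BODY)


if __name__ == "__main__":
    print(run_demo())
```

A cap on in-flight work keeps a site answering something under legitimate overload, which is the point of the post above, but it sits inside the application process. Under a volumetric DDoS that saturates the uplink the static page never leaves the box, which is the point the AC makes above; the same check belongs at the reverse proxy or further out as well.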

Re:I feel safe (1)

kfg (145172) | more than 8 years ago | (#14245422)

. . .more and more /. stories look like a disguised ad.

Yeah, like Superman was "disguised" when he put on a pair of glasses.

And you wouldn't hit an ad wearing glasses, now would you?

KFG

Re:I feel safe (-1)

Anonymous Coward | more than 8 years ago | (#14246027)

Did you stop for a minute to think perhaps it was legitimate traffic?

If anything, maybe they'll be able to afford some bandwidth now that they don't give their work away for free.

Stop taking things for granted.

Tookie Goes To Hell (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14245038)

Hey all you liberal nigger lovers, your favorite murderer Tookie is DEAD. He ain't gonna kill no more. E X E C U T E D like a dog.

The Nigger Is Dead.

ROT IN HELL TOOKIE

Ha Ha Ha. Next.

MOD PARENT UP! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14245182)

He got what he fucking deserved.

Vulnerability shoots and scores (4, Insightful)

Neo-Rio-101 (700494) | more than 8 years ago | (#14245040)

Without trying to sound like spam, we're currently using a vulnerability checking system called "nCircle IP360" (yeah, knock off the Xbox jokes). This thing needs constant updates and upgrades in order to keep track of the numerous vulnerabilities out in the wild. The thing even detects a Commodore 64 with ethernet cartridge as a recognized operating system! It, too, gives each server it tests a vulnerability score.

Thing is, when you're talking about constantly updated files for vulnerabilities, we're delving into the realm of virus-scanners and ad-ware scanners. There's gold in those downloadable updates people. Makes sense to me why Nessus is no longer open sourcing their new stuff.

Re:Vulnerability shoots and scores (1)

LiquidCoooled (634315) | more than 8 years ago | (#14245266)

You can make an open source scanning and detection engine whilst holding the detection data updates on a monthly contract if you like.

This is just the same as I can download and use Open Office, but that doesn't mean I should have access to every document created in it.

Re:Vulnerability shoots and scores (0, Funny)

Anonymous Coward | more than 8 years ago | (#14245991)

my god, finally the utility for my beowulf cluster of Commodore 64's

Re:Vulnerability shoots and scores (1)

Slashcrap (869349) | more than 8 years ago | (#14246405)

The thing even detects a Commodore 64 with ethernet cartridge as a recognized operating system!

Are you sure it doesn't just connect to the Contiki web server on Port 80 and print the banner? That seems ever so much more likely than them having an OS fingerprint for the C64 listed.

Re:Vulnerability shoots and scores (1)

SteelRat (11640) | more than 8 years ago | (#14251322)

Actually, if you look at the license disclosure in the nCircle documentation, you'll see that it uses Nessus.

Removing the GPL for future developments just allows Tenable to get paid by companies such as nCircle.

FUCK ME ASS (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14245043)

FUCK MON ASS

Beware! (0, Funny)

Anonymous Coward | more than 8 years ago | (#14245053)

Anything labelled 'enterprise'.

TOTALLY SYNERGISTIC, DOOD! CUSTOMER DRIVEN EXIT PLAN MANUFACTURERED END USER APPLICATION LOGIC POWER AT THE END OF TEH DAY!!!!!!!!111111111111111

Peel the onion! Shift the paradigm! Web 2.0! Low-risk, high-yield objective mindshare total quality driven living document!

You're right. (1)

Wakko Warner (324) | more than 8 years ago | (#14249763)

Every Sun Enterprise server I've ever dealt with has been a tremendous pile of shit.

Enterprise level ? (2, Funny)

ultranova (717540) | more than 8 years ago | (#14245121)

Does being an "Enterprise level vulnerability scanner" mean that it can be used to figure out how to remotely shut down the Klingon cloaking device or make a Borg cube self-destruct ?-)

Re:Enterprise level ? (0)

Anonymous Coward | more than 8 years ago | (#14245232)

"Enterprise" is a technical term meaning unreliable, poorly documented, over complicated and massively expensive.

Re:Enterprise level ? (1)

slashname3 (739398) | more than 8 years ago | (#14245899)

No, this is for the Enterprise itself. It keeps pointing to the holodeck as a major source of problems, as well as poor security procedures which allow anyone access to engineering and the bridge. It also reports that the firewalls used on the Enterprise are non-existent. Proven by how many times their computer system was taken over by alien programs. Funny, after all these years they appeared to still be running a Windows operating system on that starship. And the fact that aliens knew that and had viruses ready to use. :)

What about the commercial offerings? (0)

Anonymous Coward | more than 8 years ago | (#14245139)

I'm thinking Core Impact etc...how does Nessus 3.0 rate against them ?

I dunno if you've seen the licencing for Core Impact lately but it's VERY expensive....

cheers!

Fro5t ,pist (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14245199)

or chair, return may well remain OF AMERICA) today,

To be fair... (4, Insightful)

victorhooi (830021) | more than 8 years ago | (#14245207)

Guys, lay off the slagging, ok?


I mean, seriously, it's been GPL all these years, the developers were putting in the hours and the hard work (And don't give me that c*ap about community contributions, because in relative terms, there wasn't really any).


And they were suffering because people were essentially taking their work and simply rebranding it and selling it as their own. Isn't it only fair that Tenable themselves should now have the opportunity to sell what is, after all, predominantly their work?


I'm quite sick of all these GPL-fanatical twits going on about how evil Tenable is for doing what any reasonable person would have done. It's a wonder that Tenable put up with all the other companies selling their work for as long as they did.


Also, guys, lay off the whole "haha, we slash-dotted your server" cracks.. I mean, what can possibly stand before the might of /., huh? Sun, eBay, Amazon, all of these petty masses shall cower before us, for we shall crush them under teh (sic) boot of our T1 1337-ness....


cya,
Victor

Re:To be fair... (0)

Anonymous Coward | more than 8 years ago | (#14245366)

Going commercial is one thing, writing about the new version like nothing happened is a whole other story. You know, "the popular vulnerability scanner, all new and improved" without even a footnote about the license change. That's what makes it an ad or VERY shoddy reporting.

Re:To be fair... (1)

bit01 (644603) | more than 8 years ago | (#14245447)

I'm quite sick of all these GPL-fanatical twits going on about how evil Tenable is

Nonsense. At the time of writing I don't see even a single post claiming Tenable is evil or anything like it. I do see a number of posts saying that they think the license change is important and a step backwards. Deal with it.

---

Unregulated DRM = Total Customer Control = Ultimate Customer Lockin = Death of the free market.

Re:To be fair... (0)

Anonymous Coward | more than 8 years ago | (#14245656)

Also, guys, lay off the whole "haha, we slash-dotted your server" cracks.. I mean, what can possibly stand before the might of /., huh? Sun, eBay, Amazon, all of these petty masses shall cower before us, for we shall crush them under teh (sic) boot of our T1 1337-ness...

I second that...

Re:To be fair... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14245902)

I don't know the background, but if others were able to sell their software while it was licensed under the GPL, why can't they?

Re:To be fair... (0)

Anonymous Coward | more than 8 years ago | (#14246349)

They did just fine.

The problem is that it allowed competitors to easily take the code and rebrand it, depriving them of potential sales.

This is why the GPL is a bad software model for companies.

Re:To be fair... (1)

_Sprocket_ (42527) | more than 8 years ago | (#14248867)

Having said that - if they showed up on the market with a proprietary product... I doubt I would have heard of them. Proprietary software is no guarantee of business success either.

Re:To be fair... (1)

Just Some Guy (3352) | more than 8 years ago | (#14247219)

I'm quite sick of all these GPL-fanatical twits going on about how evil Tenable is for doing what any reasonable person would have done. It's a wonder that Tenable put up with all the other companies selling their work for as long as they did.

Yep. I mean, NetBSD closed the source after OpenBSD rebranded their hard work and started selling CDs. Star dropped the Open Source version of StarOffice because of the relative lack of external development. Remember when Linus started selling "ClosedLinux++" after people started thinking of Linux and RedHat as the same thing?

Oh, wait. None of that happened. It seems like Nessus really is breaking new ground after all.

Re:To be fair... (0)

Anonymous Coward | more than 8 years ago | (#14247991)

boo freakin hoo about the developers.

the plugins are what make it useful, and I've got a buddy that wrote a few plugins for nessus.

Re:To be fair... (1)

Ragica (552891) | more than 8 years ago | (#14248603)

One wonders, however, whether being GPL all those years wasn't one thing (besides being a decent system, and filling a niche) that enabled Nessus to gain as much mindshare as it did, which now enables it to close its source and continue on as successfully as they no doubt will.

This is not meant as a criticism at all. Just musing aloud.

It'll be interesting to see if the GPL fork goes anywhere also. All of those evil companies that ripped off Nessus should be getting behind the GPL version now, right? <-;

Don't you think... (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14245227)

...that literacy is a useful acquisition?

Now I can scan... (0)

Anonymous Coward | more than 8 years ago | (#14245260)

...all my enterprise level vulnerabilities.

Obligitory (0)

StaticFish (839708) | more than 8 years ago | (#14245270)

All your base are belong to Nessus

Re:Obligitory (0)

Anonymous Coward | more than 8 years ago | (#14245778)

It's not "Obligitory", or even obligatory for that matter. In fact, it's not even funny. You just made yourself look lame.

Typical Hippies/Commies Slashdot Mentality (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14245285)

Another fine example of the typical hippie/commie Slashdotter mentality.

Where do you people get off with this entitlement? The application was free for a long time!!! Did any of you tards bother to help them out? Version 2 is still out there, free! You don't like Tenable changing the license? Go freaking fork version 2 and do something useful other than bitching about someone else's hard work!!!

What a bunch of whiners.

Re:Whining marketers (1)

bit01 (644603) | more than 8 years ago | (#14245460)

Typical marketing nonsense. At the time of writing not a single article is claiming entitlement or anything like it. All they're saying is they think the license change for them is a step backwards.

A license is part of the featureset of a program. Some people think the license is an important feature. Deal with it.

---

Paid marketers are the worst zealots.

Re:Whining marketers (1)

Joehonkie (665142) | more than 8 years ago | (#14248098)

And that feature has been taken away. There is no requirement that the vendor keep offering that feature.

Re:Whining marketers (1)

_Sprocket_ (42527) | more than 8 years ago | (#14248906)

But apparently it's not acceptable for users to note among themselves that this feature, which some feel is rather important, is now missing - with little fanfare.

Re:Typical Hippies/Commies Slashdot Mentality (1)

thomasa (17495) | more than 8 years ago | (#14250059)

Your post actually seems to be the whiniest of the above.

GPL? who cares? Only zealots! (0)

Anonymous Coward | more than 8 years ago | (#14245458)

Just to make it perfectly clear. YOU were supposed to give patches back. YOU were supposed to help improve it. Instead YOU f***ed them over by re-branding it. That is the wonderful GPL for you. And all of you that feel "entitled" to the GPL version -- fork off. Most of you make me sick because you can't even see that YOU were the problem and YOU were the cause of the license change. The only thing you care about is the "communist" GPL.

Why name product after a scumbag centaur? (1, Funny)

aapold (753705) | more than 8 years ago | (#14245532)

Just curious... I mean, Nessus is a pretty despicable centaur, tried to rape Hercules' wife and then, after being fatally wounded, tricks her into poisoning herself with his blood.

http://en.wikipedia.org/wiki/Nessus_(mythology) [wikipedia.org]

Perhaps it is named for the Pierson's Puppeteer?

doh (1)

aapold (753705) | more than 8 years ago | (#14245542)

I mean poisoning herc, not herself.

Really Lousy Use of Security Lexicon (2, Insightful)

Alexander (8916) | more than 8 years ago | (#14245545)

(Sorry for the following soapbox, but I'm really tired of the profession using terms interchangeably)

"Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."

1.) Outside of a box infected by a Worm, how can it find a threat?

Does it actually track down the human or natural threats?

2.) How does it find "vulnerabilities"? Does it understand the capabilities of the threat source? Make an intuitive judgement on how skilled the attacker is? How does it measure the strengths of surrounding controls that mitigate the vulnerability?

3.) How does it measure criticality? Does it instinctively know that the IIS vuln. on the intranet blog is less critical than the same IIS vuln. on an e-commerce app?

Perhaps what they mean is that the scanner finds weaknesses, and that the CVSS really makes an educated guess as to the *level of effort* it would require to exploit that weakness by what is in their mind the average attacker.

Oh, well, at least they aren't claiming to find "risk".
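The split the post above is reaching for, as an added example (not code from this thread, from Tenable, or from the CVSS working group): CVSS separates what a scanner can score from the vulnerability alone (the base metrics) from what only the asset owner knows (the environmental metrics: how many systems are affected, what collateral damage an outage causes, and how much confidentiality, integrity and availability each asset requires). The constants and equations below are those of CVSS version 2, a later revision than the CVSS current when this thread was posted; the vector, the two asset profiles and the function names are constructed for the example.

```python
"""CVSS v2 scoring: the base score a scanner reports versus the environmental
score the asset owner computes once deployment context is added.
Added example; weights and equations follow the CVSS v2 guide."""

# Base metric weights (CVSS v2).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
# Environmental metric weights (CVSS v2).
COLLATERAL_DAMAGE = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5}
TARGET_DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0}
REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51}   # C/I/A requirement


def round1(x):
    """Round half up to one decimal place, as the CVSS v2 guide does."""
    return int(x * 10 + 0.5) / 10.0


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":") for part in vector.split("/"))


def _base(metrics, cr=1.0, ir=1.0, ar=1.0):
    """Base equation. cr/ir/ar are the security requirement multipliers:
    1.0 each for the plain base score, weighted for the adjusted base."""
    impact = 10.41 * (1 - (1 - IMPACT[metrics["C"]] * cr)
                        * (1 - IMPACT[metrics["I"]] * ir)
                        * (1 - IMPACT[metrics["A"]] * ar))
    impact = min(10.0, impact)
    exploitability = (20 * ACCESS_VECTOR[metrics["AV"]]
                      * ACCESS_COMPLEXITY[metrics["AC"]]
                      * AUTHENTICATION[metrics["Au"]])
    f_impact = 1.176 if impact > 0 else 0.0
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def base_score(vector):
    """What a scanner can compute from the vulnerability alone."""
    return _base(parse_vector(vector))


def environmental_score(vector, cdp="N", td="H", cr="M", ir="M", ar="M"):
    """Environmental equation with no temporal metrics applied (all 1.0),
    so the adjusted temporal score equals the adjusted base score."""
    metrics = parse_vector(vector)
    adjusted = _base(metrics, REQUIREMENT[cr], REQUIREMENT[ir], REQUIREMENT[ar])
    return round1((adjusted + (10 - adjusted) * COLLATERAL_DAMAGE[cdp])
                  * TARGET_DISTRIBUTION[td])


def compare_contexts(vector):
    """The same finding on two constructed assets: an intranet blog (low
    requirements, few targets, no collateral damage) and an e-commerce
    front end (high requirements, every target, medium-high collateral damage)."""
    return {
        "base": base_score(vector),
        "intranet_blog": environmental_score(
            vector, cdp="N", td="L", cr="L", ir="L", ar="L"),
        "ecommerce": environmental_score(
            vector, cdp="MH", td="H", cr="H", ir="H", ar="H"),
    }


if __name__ == "__main__":
    # Constructed vector: remote, low complexity, no auth, partial C/I/A.
    print(compare_contexts("AV:N/AC:L/Au:N/C:P/I:P/A:P"))
```

The scanner reports the base score (and a temporal one if it tracks exploit and patch availability); the environmental adjustment is the asset owner's job, which is why a scanner cannot by itself rank the intranet blog below the e-commerce host. Surrounding controls enter only through these coarse environmental and temporal factors, not through any model of the actual mitigations in place, so the adjusted number is still an estimate, not a risk figure.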

A detail I can't explain about the license. (1)

fraktus (632342) | more than 8 years ago | (#14245720)

Ok they changed the license

But how can they do this on behalf of all the people who contributed to the project? If coder X submitted his code 2 years ago, can they decide to change the license of the work that was submitted by coder X?

Re:A detail I can't explain about the license. (0)

Anonymous Coward | more than 8 years ago | (#14245893)

Apparently since the fixes sent in by the community were few and far between it wasn't an issue. This is one case where the GPL was a failure, pure and simple.

Re:A detail I can't explain about the license. (1)

LurkerXXX (667952) | more than 8 years ago | (#14245998)

"all the peoples that did contribute to the project?"

Almost no one contributed. That was the problem. They were doing all the work coding it plus trying to run a business supporting it, while other leeches only had to slap a new name on it and support it.

If others had really been doing some serious contributing to the project so that it wasn't all falling on the Tenable folks' shoulders, they wouldn't have switched licenses.

OpenVAS (0)

Anonymous Coward | more than 8 years ago | (#14245984)

If you don't trust closed source security products, if you would prefer to have the support of a worldwide community rather than a small handful of developers, use OpenVAS [openvas.org] .

Who is Tenable anyway? (1)

samj (115984) | more than 8 years ago | (#14246050)

Were it not for Nessus' roots in open source it (and Tenable) would have been unlikely to have seen the light of day, and the void they filled would have been instead occupied by some other open source project that accomplished the same goals. Instead our security is being adversely affected by greed when others (eg MySQL, RedHat) have proven that there are profits to be had by providing associated services. It is indeed unfortunate that Slashdot is giving them undeserved publicity.

Yes, they provided a lot to the community but they have also reaped the benefits of the associated exposure and are now attempting (hopefully unsuccessfully) to turn that into cash.

Re:Who is Tenable anyway? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14246406)

Tenable is the one that put the majority of the work into CREATING the project.

You are entitled to NOTHING. Given how the community has put very little back into the project, I can understand their position. I can't understand yours.

Re:Who is Tenable anyway? (1)

Transdimentia (840912) | more than 8 years ago | (#14246700)

Dear AP, Please go post at the idealistic, feel-good-and-all-the-users-understand-logic board down the hall. This is the whine, bitch and moan about things you can't control (and things you can, but want to cry about anyway) board! Regards, The Management

Nessus going closed source (1)

midian_va (839022) | more than 8 years ago | (#14246947)

What this all comes down to is our responsibilities as users and developers to the OSS products we use. Part of the idea behind open source is that the users contribute back to the project to better the project. You do not have to be a developer to do this, you can submit bug reports, help with graphics/web design, help with documentation, etc...

With the nessus project, yes there is community development, but the amount of contributed code was disproportionate to the long hard hours the core team has put into it. I am not saying that community developers have done nothing, but a good example of what I mean is located here: http://www.nessus.org/plugins/index.php?view=newest [nessus.org]. These people have families, or at least need to feed themselves, and cannot put this amount of work into a product that is making others money while they may or may not be going through hardship themselves.

In the end, you get what you pay for. Whether it be MS Windows, FreeBSD, Linux, Nessus, whatever..... Either you pay in cash or make your contribution.

I will continue to use Nessus, it has saved my a** numerous times and will continue to do so for as long as it is a great product.

GPL bullshit (2, Insightful)

packman (156280) | more than 8 years ago | (#14247253)

Ok - title makes it sound like a troll - or whatever. Fact is, these people have to make a living. Other fact is - a lot of people made a living off their work without giving ANYTHING back.

As you can see on their CVS servers, there are barely any external contributions. Isn't that the whole point of the GPL? Everybody profits from everybody's changes. That didn't happen, so YOU may be using Nessus 2.x without giving anything back. It's not a bad thing, but these people do this for their living. All the bitching about the morals of the whole GPL stuff, why isn't there any bitching about ripping off Nessus? It's the same thing for me as Cherry OS - which ripped off the wine project. The only difference was, the nessus rip-offs provided the source code, written by Tenable, and were open about it. What's the difference? They openly say "I'm a parasite, and I admit it", and it's ok by the GPL, so no problem. I would not have a problem with it if those people contributed to the nessus project, and I'm absolutely confident that it would still be GPL'd if this had been the case - but it isn't. Sorry - if you make money out of a project like that, the least you could do is contribute in some way to it.

I think there's a huge difference between company-driven OSS programs, and "hobby" projects in this regard. If I would be the CEO or responsible for a company, and I suddenly see the profit go down because your biggest competitors are guys simply copying all your hard work, without giving anything back and having no development costs at all, I wouldn't hesitate for a second what to do. Do something that gives me the advantage back - and they did. Even legally, I would have to, simply to protect the rights of the share-holders, because that's the world we live in, not some kind of GPL fairy-tale.

Now it is forked, which is an old version which is 1 or 2 years behind the current Nessus release. If nobody contributed to the first project, do they really believe that anybody will contribute to the "GPL" fork? Maybe in the beginning, but when all the buzz is over, forget it. The project will be buried in a few years. Most companies like plug-and-play security-scanners, but paying someone to help write one? Don't forget, Nessus isn't targeted at the hobbyist's network at home, but at large enterprise-size networks. This means companies, not people who use and profit from it - either way. Why do you think there aren't any other large GPL'd network intrusion/monitoring systems? Because the geek with his 20-computer network doesn't need a tool like Nessus, but companies do. GPL is about freedom for the people for me, companies are there to make money, and if they use a tool to ensure they can make money, I think it would be perfectly normal to charge them for it in some way. GPL doesn't provide anything like this, too bad, but I perfectly understand the decision they made, no hard feelings. If I were in their shoes, I'd do the same thing.

I also bet most of the ones bitching about it not being GPL anymore never contributed to any GPL project in some way. Stop criticizing, and start contributing to the GPL-fork, but no, prolly no-one will do it anyway, spending time posting bullshit on /. is soo much more important... *sigh* It's not your right to have access to someone's work, it's a privilege. If it's abused, too bad, but don't bitch about it when the rules change due to that...

Compare it to someone who makes doors for friends, they just need to pay the materials, he does the work for free cause he likes it. Then he sees that a lot of people he knows want doors. He still makes them for free, but charges something to install them. Suddenly other people go fetch doors he makes for free, and start charging for installing them also, but no-one offers to help him making the doors. Doesn't that sound plain wrong to you? To me it does... If he then starts charging for a new kind of doors which are more silent, but the old-ones would still be for free, would you bitch about it?
People who don't know software development will say "yeah but you can easily copy programs". That's not the point. The point is, the door-maker still has to put time and effort into the product. Software is never finished nor bug-free, so the coder will always have to change things, and put time in it. This is exactly the same thing in the end. Both have skills and time that are both given away for free.

I simply don't believe in GPL for projects of which their only real use is in corporate environments.

Re:GPL bullshit (0)

Anonymous Coward | more than 8 years ago | (#14248785)

*stands and applauds* Most of all, they're still giving away the new scanner for free anyway, you just can't see how it works.