RE: MBSA scanner

From: Rob Shein (shoten_at_starpower.net)
Date: 05/04/04

    To: "'Javier Fernandez-Sanguino'" <jfernandez@germinus.com>, "'Igor Filippov'" <igor@osc.edu>
    Date: Tue, 4 May 2004 14:47:12 -0400
    
    

    I think you're confusing code with output. The licenses you cite with
    regard to both SARA and MBSA have restrictions upon redistribution of the
    product, not the output of the product. With regard to SAINT, however, you
    may have a point.

    Nessus is another example; the GPL has the same restrictions on distribution
    in either binary or source code format for money, but it's very clear that
    using Nessus in the course of one's work and including its output in the
    deliverable is entirely acceptable within the license terms.

    > -----Original Message-----
    > From: Javier Fernandez-Sanguino [mailto:jfernandez@germinus.com]
    > Sent: Tuesday, May 04, 2004 8:00 AM
    > To: Igor Filippov
    > Cc: pen-test@securityfocus.com
    > Subject: Re: MBSA scanner
    >
    >
    > Since you asked for comments here they are:
    >
    > Igor Filippov wrote:
    > (...)
    > > Sara (many things also apply to Nessus):
    > > Good:
    > > - It's free
    >
    > That's, unfortunately, not really true. Sara is built upon Satan,
    > which is _not_ free. Check your COPYING file:
    >
    > "Redistribution and use in source and binary forms are
    > permitted provided that this entire copyright notice is
    > duplicated in all such copies. No charge, other than an
    > "at-cost" distribution fee, may be charged for copies,
    > derivations, or distributions of this material without the
    > express written consent of the copyright holders."
    >
    > Since the "material" includes the documentation included in a report,
    > if you sell a commercial service which includes a Sara (or SAINT, for
    > that matter) report, you are violating its copyright. I doubt that
    > either Dan Farmer, Wietse Venema or the ARSC guys are going to pursue
    > you, but if you use the data in any commercial way you _are_ violating
    > the license it was distributed to you with.
    >
    > Notice that SAINT, in this respect, is even worse, since _they_ (the
    > company) are violating SATAN's license by charging money for the
    > redistribution of SATAN code (in their proprietary product). I've
    > brought this to the attention of Mr. Farmer and Mr. Venema in
    > the past.
    >
    > Sara used to be GPL, but obviously that license is incompatible with
    > the real SATAN license and they have amended that.
    >
    >
    > > - It runs on Linux
    >
    > Well, that's not always a plus for everyone (it is for me :-)
    >
    > > MBSA (most apply also to HFNetChk):
    > > Good:
    > > - It's free
    >
    > Not free enough, read its EULA. Also, from the installation:
    >
    > "Unauthorized reproduction or distribution of this program, or any
    > portion of it, may result in severe civil and criminal penalties...."
    >
    > This makes it "not free enough" for professional auditors since you
    > _cannot_ include information from a BSA scan/report in any of your
    > audit reports. Again, Microsoft might or might not want to pursue
    > this misuse.
    >
    > Just to clear up the facts, the only free (in all senses) and
    > professional remote vulnerability scanner I know of is Nessus. For
    > free local vulnerability scanners I believe that OVAL [1] will become
    > a good alternative in the near future.
    >
    > Regards
    >
    > Javier
    >
    > [1] http://oval.mitre.org
    >
    > ------------------------------------------------------------------
    > Ethical Hacking at the InfoSec Institute. Mention this ad and
    > get $545 off any course! All of our class sizes are
    > guaranteed to be 10 students or less to facilitate one-on-one
    > interaction with one of our expert instructors. Attend a
    > course taught by an expert instructor with years of
    > in-the-field pen testing experience in our state of the art
    > hacking lab. Master the skills of an Ethical Hacker to better
    > assess the security of your organization. Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    > ------------------------------------------------------------------


