Re: MBSA scanner

From: Javier Fernandez-Sanguino (jfernandez_at_germinus.com)
Date: 05/06/04

  • Next message: Alvin: "RE: Odd Pen-test: Security Camera" 
    Date: Thu, 06 May 2004 10:31:33 +0200
To: Rob Shein <shoten@starpower.net>

    Rob Shein wrote:

    > I think you're confusing code with output. The licenses you cite with
    > regard to both SARA and MBSA have restrictions upon redistribution of the
    > product, not the output of the product.

    I'm confusing them because output might _include_ significant
    information that is in the code. The license covers both the software
    and the reports they generate, it does not explicitly exclude the
    later (so under copyright laws it _is_ included).

    Again, notice that the output of the product is based on (sometimes
    lengthy) information that is included in the code of the product. So,
    all the suggestions on how to fix a vulnerability that a report might
    include are like a "knowledge base" of sorts, which is copyrighted.
    This includes also detailed information on a vulnerabilities (what
    does it do, how does it affect a system). Without the original
    author's permission you can't translate that at will, you cannot
    provide that report as a commercial offering (inside a report or
    standalone) and you cannot (taking it to the extreme) include the
    information from that report into your new brand vulnerability
    assesment tool with different code to assess the vulnerabilities but
    similar output.

    Notice that, if that was permitted under copyright law, there would be
    nothing preventing Nessus, Internet Scanner, Cybercop, Retina,
    you_name_it from using the same vulnerability database. If you
    consider the output in the public domain you could run a test against
    a host that turns out vulnerable to everything that is in the database
    (maybe faking the answers) and then copy the information from the
    report to your propietary or free vulnerability assesment system.
    That's obviously illegal.

    > With regard to SAINT, however, you
    > may have a point.
    >
    > Nessus is another example; the GPL has the same restrictions on distribution
    > in either binary or source code format for money, but it's very clear that
    > using Nessus in the course of one's work and including its output in the
    > deliverable is entirely acceptable within the license terms.

    That's because Reanud, as well as other Nessus developers (me
    included) wanted to make a distinction in that side. Notice that the
    output of Nessus is still copyrighted (it's part of the NASL script)
    and you cannot do whatever you like (such as including it in a closed
    source scanner)

    Please read the thread in the Nessus plugins writers that started at
    http://list.nessus.org/plugins-writers/0312/1001.html

    And also read the GPL FAQ:
    "In what cases is the output of a GPL program covered by the GPL too?"
    (http://www.gnu.org/licenses/gpl-faq.html#TOCWhatCaseIsOutputGPL)
    and
    "Is there some way that I can GPL the output people get from use of my
    program? For example, if my program is used to develop hardware
    designs, can I require that these designs must be free?"
    (http://www.gnu.org/licenses/gpl-faq.html#TOCGPLOutput)

    Regards

    Javier

    ------------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    -------------------------------------------------------------------------------

  • Next message: Alvin: "RE: Odd Pen-test: Security Camera"

    Relevant Pages

    • Re: Vulnerability Assessment
      ... levels based on current patch data and such. ... Scanners have evolved through marketing to being the means to a vulnerability assessment rather than a tool of one. ... Maybe it's the "final" report that throws so many people off-- that once the report is generated the work is done and not just the job. ... You know many IT security professionals can't even tell you why Nessus runs a traceroute to each and every host in the list. ...
      (Pen-Test)
    • RE: MBSA scanner
      ... the license must state clearly what is restricted. ... that referred to the nature of the vulnerability or exploit itself would be ... > all the suggestions on how to fix a vulnerability that a report might ... > nothing preventing Nessus, Internet Scanner, Cybercop, Retina, ...
      (Pen-Test)
    • RE: MBSA scanner
      ... regard to how you wish to license Nessus reports. ... And while I am not familiar with the inner workings of Nessus, ... the text for the report, if a vulnerability is found. ...
      (Pen-Test)
    • nessus which plugin reports which vulnerability?
      ... One of my favourite general purpose scanner is nessus for obvious ... I do struggle with the interpretation and evaluation ... I use the report function to generate a HTML type ... possible know which plug-in detected which vulnerability? ...
      (Pen-Test)
    • nessus gtk yields empty scan
      ... nessus-libnasl-2.2.9_1 Nessus Attack Scripting Language ... The discovery may be accidental or through directed research; the vulnerability, in various levels of detail, is then released to the security community. ... the plug-ins should be updated. ... The native Unix GUI version is installed at server install time. ...
      (freebsd-hackers)
    Loading