2004-12-15

[en] There shall be weeping and gnashing of teeth

Tenable Security has changed the way Nessus plugins are distributed. There are now two feeds:
  • one for the ~ 3000 GPL plugins: they are available freely and can be redistributed freely.
  • one for the ~ 3000 Tenable plugins. To get them, you have to register, and pay if you want them at once, or get them with a delay of one week.
This modification is not a licence change: Renaud has been warning for years on the mailing lists that some plugins were not necessarily GPLed.
It is not really a surprise either: Tenable is a privately owned company and has to make money. This move clearly targets ASPs that resell Nessus and the plugins without authorization, often violating the GPL and the intellectual property of C code or plugin contributors.

As usual, some people were pissed off by this move and yelled on the mailing list, mostly for bad reasons.
I did not hear them when ASP violated my intellectual property.
Strange, isn't it?


2004-12-04

[en] Slackware "local tests"

I have finished my conversion tool from SSA to NASL. Nessus will be able to do "local tests" on Slackware (i.e. check through an SSH connection that all patches are applied).
Once again, parsing English in Perl was easier than processing XML.
What's the use of this buzzword compliant crap? Can anybody tell?
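An added illustration, written here in Python rather than the author's Perl and not the author's tool: it parses the ChangeLog section of a constructed Slackware advisory and runs the version comparison a local test would apply to the scanned host's /var/log/packages entries. The advisory text, package names and versions are made up, and the real tool emits NASL, which this does not.

```python
import re

# Constructed sample laid out like the ChangeLog excerpt of a Slackware SSA mail;
# not a real advisory, the package names and versions are made up.
SAMPLE_SSA = """\
[slackware-security]  example (SSA:0000-000-00)

Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
patches/packages/example-1.2.3-i486-1_slack10.0.tgz:  Upgraded to example-1.2.3.
patches/packages/other-tool-2.0-i486-2_slack10.0.tgz:  Rebuilt.
+--------------------------+
"""

# Constructed stand-in for the entry names under /var/log/packages on the scanned host
# (what a local test would read over the SSH connection).
SAMPLE_INSTALLED = ["example-1.2.2-i486-1", "other-tool-2.0-i486-2_slack10.0", "bash-2.05b-i486-2"]

PKG_LINE = re.compile(r"patches/packages/(\S+?)\.tgz")

def parse_pkg(pkgname):
    # Slackware names are NAME-VERSION-ARCH-BUILD; NAME may itself contain
    # hyphens (other-tool), so split from the right.
    name, version, arch, build = pkgname.rsplit("-", 3)
    return name, version, arch, build

def version_key(s):
    # Numeric components compare as integers, the rest as text, so 1.10 > 1.2
    # and a build tag such as 2_slack10.0 still has a defined order.
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[._]", s)]

def fixed_packages(advisory):
    # Map package name -> (version, build) for every patch package the advisory lists.
    fixed = {}
    for m in PKG_LINE.finditer(advisory):
        name, version, _arch, build = parse_pkg(m.group(1))
        fixed[name] = (version, build)
    return fixed

def missing_patches(advisory, installed):
    # (name, installed version, fixed version) for affected packages still below the
    # patched level; packages the advisory does not mention are ignored.
    fixed = fixed_packages(advisory)
    missing = []
    for pkg in installed:
        name, version, _arch, build = parse_pkg(pkg)
        if name in fixed and (version_key(version), version_key(build)) < tuple(map(version_key, fixed[name])):
            missing.append((name, version, fixed[name][0]))
    return missing
```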


[fr] Slackware Security Advisories

I wrote a conversion script that turns Slackware security advisories into NASL (Nessus Attack Scripting Language). Once again, parsing English was faster than processing XML.

In short, in case you had not understood: XML is big, it is ugly, and it is useless.
It feels better now that it is said.


2004-12-03

[en] Zen and the art of automation

I dislike doing a silly job. And I really hate doing it twice.
Whenever I have to do such a f*ing job, I give it to a robot. Robots do not complain, never get tired and are usually better than me at any task that does not require a brain.
Working on robots is more fun than doing silly jobs.
That's why I work on Nessus. Not the only reason, but the main one: looking for security patches on a server is definitely stupid, 150000 lines of C will do it well.
(some stupid tasks need a little subtlety and more than one page of Perl)

Nessus is working, and rather well (much better than its competitors in my humble but biased opinion), and anybody who'd want to spend a little energy could write patches or test plugins, or concentrate on higher level tasks, like deciding if the whole IT system is vulnerable, to which threat, which sensitive data is exposed, etc.
Nessus scans each machine independently of the others, and it does not know your network architecture or the sensitivity of your data or servers; in fact, it is not its job, it is ours.

It seems that I overestimate human beings. I know that homo sapiens sapiens is not that sapiens, but I have not lost all hope that people sometimes want to improve, some way or another.
Many people have improved indeed: they were lusers, they became "security consultants". They run Nessus and sell the raw report.
Added value: none.

After WW3, only robots will survive.
Good.
