Metasploit Project Sold To Rapid7
ancientribe writes "The wildly popular, open-source Metasploit penetration testing tool project has been sold to Rapid7, a vulnerability management vendor, paving the way for a commercial version of Metasploit to eventually hit the market. HD Moore, creator of Metasploit, was hired by Rapid7 and will continue heading up the project. This is big news for the indie Metasploit Project, which now gets full-time resources. Moore says this will translate into faster turnaround for new features. Just what a commercial Metasploit product will look like is still in the works, but Rapid7 expects to keep the Metasploit penetration testing tool as a separate product with 'high integration' into Rapid7's vulnerability management products."
Re:Opensource tool (Score:2, Informative)
Re:How does one buy an open source program? (Score:5, Informative)
Depends on the project.
If the copyright for Metasploit belongs solely to one person, or to a small enough group, then they can sell that on to the company, dependent on what they link to and the licenses used there. I.e. Qt was available to purchase and Nokia bought the company and the IP there.
They could, if they bought all the copyrights from all the right people, start producing closed source versions. They could also employ all the devs involved and take ownership of the trademark. At that point they have effectively bought Metasploit.
What they can't do is rescind the previous license. It's something that's been tried once or twice but it's a nonsense. If they gave away the source under BSD or GPL or similar F/OSS license then it's out there and the community will always be able to use that version and develop it further, under the same (or different if the company took the TM) name.
Hopefully things won't get that far and the source will continue to flow, but who knows.
Anyway, no, you're not naive; buying and closing this stuff requires permission from and probably compensation to all contributors and is only logistically possible on projects where there aren't many of them.
Re:How does one buy an open source program? (Score:1, Informative)
According to the website, Rapid7 bought the trademarks, the website, and "rights to the Metasploit Framework", the current version of which "was originally developed by Metasploit LLC and is made available for use by Rapid7 under the 3-clause BSD license."
Re:Opensource tool (Score:5, Informative)
Snort was never sold to anyone, Snort has always been a part of Sourcefire, the developer just created a commercial product.
Not sure about tripwire...
Nessus went closed source due to a number of other companies stealing it, incorporating it into their products, and then selling it. It is still free for non-commercial use, and free registration will allow you to get updated plugins (albeit a few days behind commercial customers).
Re:"penetration testing" (Score:2, Informative)
First of all, no serious business is using Windows as a server. Sorry but you just discredited yourself with that alone.
Huh?
I do security consulting in Fortune 1000 companies and I've never run into one yet that is a strict "no-MS" shop on the server side.
What the hell are you talking about?
Second, every large penetration testing organization that services these Fortune 1000 customers uses Metasploit as a small (very small) component of their toolset.
Our toolset is comprised of over 1000 different bits of software, but I've successfully used Metasploit on at least 10 different engagements in the last 6 months alone against Fortune 1000 (and similar sized) organizations.
I run into a number of environments where patching isn't practical, or isn't allowed.
Medical devices, for example. The kind that do IV-drip monitoring, or the kind that do blood chemistry analysis in a medical laboratory, are regulated by the FDA (I think) and CANNOT be patched. They rely on semi-annual service packs from the manufacturer that are usually 6 months out of date by the time they get FDA approval.
I have done several penetration tests against medical facilities this year and have found Metasploit very helpful attacking both UNIX and Windows based systems in this category.
And frankly, even regular systems don't get patched in a large environment. I was in an environment a few weeks ago with over 100 server admins, and very strict rules about change management and patching. There had to be many rounds of testing on every new patch before it went into production and honestly, that wasn't happening. They were consistently running 9 months out of date on some servers. Additionally, they had several Windows NT machines that hadn't been patched in many years. The security team needed someone to come in to demonstrate the importance of patching and try to accelerate that schedule. Metasploit was very useful in attacking systems, not only Windows, but all platforms.
I'll point out that the greatest number of vulnerabilities present in many server environments comes from Linux/Apache, so your shouting "ooooo Microsoft" seems a little infantile and inexperienced, in retrospect.
Methinks you are talking out your ass.