Metasploit Project Sold To Rapid7
ancientribe writes "The wildly popular, open-source Metasploit penetration testing tool project has been sold to Rapid7, a vulnerability management vendor, paving the way for a commercial version of Metasploit to eventually hit the market. HD Moore, creator of Metasploit, was hired by Rapid7 and will continue heading up the project. This is big news for the indie Metasploit Project, which now gets full-time resources. Moore says this will translate into faster turnaround for new features. Just what a commercial Metasploit product will look like is still in the works, but Rapid7 expects to keep the Metasploit penetration testing tool as a separate product with 'high integration' into Rapid7's vulnerability management products."
Wow (Score:3, Funny)
Even names are in high-definition these days.
damn script kiddies (Score:2, Funny)
get off my lawn.
In my day we had to use smoke signals to exploit a neighbor's abacus. And you know what, we liked it.
Now you have your fancy audio couplers and wireless networks.
Opensource tool (Score:2)
Re:Opensource tool (Score:5, Informative)
Snort was never sold to anyone, Snort has always been a part of Sourcefire, the developer just created a commercial product.
Not sure about tripwire...
Nessus went closed source due to a number of other companies stealing it, incorporating it into their products, and then selling it. It is still free for non-commercial use, and free registration will allow you to get updated plugins (albeit a few days behind commercial customers).
Re: (Score:2)
Snort was not sold off. Marty Roesch, creator of Snort, formed Sourcefire for the express purpose of commercializing it. Even with that, Snort is still open source under the GPL, and Marty has indicated that there are no plans to ever change that.
A great way to ruin a good resource (Score:4, Interesting)
Re: (Score:1, Funny)
I interviewed with Rapid7 for a software development position, and I too can attest to the fact that the company seems to be full of jerks. I was essentially pressured to accept a position before being provided with any salary or benefits information - because those are just "minor details" ...
Also the sales team was running laps around the office. It looked like a frat house.
Re: (Score:2, Interesting)
Just what a commercial Metasploit product will look like is still in the works
I'm going to bet that it'll look like a several hundred dollar pricetag that puts it out of reach of many users of the original project and at least 4 figures for use in enterprise with the most basic support tier.
Call me pessimistic, but when fairly unique security tools are commercial projects this is almost always what the pricing looks like.
Lawsuits? (Score:1)
How does one buy an open source program? (Score:2)
I am not clear on how open-source projects get "sold" to commercial entities. I understand how companies can use open source but I don't understand how companies buy and sell open-source programs.
Can someone smarter than me lay out, in business terms, how this works? Was Metasploit a corporation? If so, what kind? Was it an S-corp? C-Corp? LLC? LLP? What were the mechanics of the sale? What approvals were needed from what
Re:How does one buy an open source program? (Score:5, Informative)
Depends on the project.
If the copyright for metasploit belongs solely to one person, or to a small enough group, then they can sell that on to the company, dependent on what they link to and the licenses used there. I.e. Qt was available to purchase and Nokia bought the company and the IP there.
They could, if they bought all the copyrights from all the right people, start producing closed source versions. They could also employ all the devs involved and take ownership of the trademark. At that point they have effectively bought metasploit.
What they can't do is rescind the previous license. It's something that's been tried once or twice but it's a nonsense. If they gave away the source under BSD or GPL or similar F/OSS license then it's out there and the community will always be able to use that version and develop it further, under the same (or different if the company took the TM) name.
Hopefully things won't get that far and the source will continue to flow, but who knows.
Anyway, no, you're not naive, buying and closing this stuff requires permission from and probably compensation to all contributors and is only logistically possible on projects where there aren't many of them.
Re: (Score:2)
Why would someone buy anything open-source unless the copyrights came with it? The alternative, is to "use" the open-source product and just conform to GPL or whatever the license
Re: (Score:2)
I guess Rapid7 wants to do closed source versions in the future. That makes it necessary to buy the copyrights, or at least most of them and re-developing the stuff they could not buy.
Of course that puts them in competition with whatever open source version other people maintain. A previous example of that would be Interbase by Borland. Borland released the version 6.0 under an open source license, but reconsidered soon after and the next version was closed source again.
That one open source release was pi
Re: (Score:2)
If I am the author of a piece of work, I may choose to offer it to the general public under a license, say GPL, LGPL, Creative Commons, whatever. But, say someone with more cash than brains comes along and doesn't want those licenses. In exchange for some consideration (usually cash), I may choose to offer the same code, which I own the copyright to, to them under a different license. Simple.
In this case, it appears that, in exchange for some consideration (probably cash, but also a job), the author chos
Re: (Score:2)
In exchange, the original author gets a) a job, and b) the ability to work full time on the code base he's passionate about. And probably some cash.
How exactly does "a job" and "the ability to work full time" for someone else constitute compensation for something you've already created?
Re: (Score:3, Insightful)
In exchange, the original author gets a) a job, and b) the ability to work full time on the code base he's passionate about. And probably some cash.
How exactly does "a job" and "the ability to work full time" for someone else constitute compensation for something you've already created?
If the author of the code agrees that this is sufficient compensation, then it is sufficient compensation. Otherwise, the sale couldn't be made.
Re: (Score:2)
The authors of the code would do well to work on their negotiating skills. Essentially they're being required to forfeit prior intellectual property as a condition of employment; some would call this "theft" in the absence of any additional consideration. I hope at the very least they have lucrative salaries and a solid employment contract, if not royalties.
Re: (Score:3, Insightful)
You're all a pisspool of nattering armchair lawyers bragging about how they'd have won such-and-such case on court.tv without even knowing the details. How the *FSCK* would you even know? Did I miss where the terms of the contract were posted online?
Here are just the scenarios I've seen (or offered) in my own career:
"Hi, this project you're working on is great -- can we buy a nonexclusive license for $$$?"
"How much would we have to pay you to focus on functionality that'd do Y? How long would it take?"
"T
Re:How does one buy an open source program? (Score:4, Interesting)
I doubt I'm smarter than you but... I would guess that the HD Moore guy who ran the project owns the Metasploit name, trademark, domain etc, as well as the copyright on the code. So you can see how all that could be worth something, plus they're hiring him to keep working on it. If they wanted to they could presumably close the source going forward, though he says in his blog post that they're committed to keeping it open. If they can make a popular tool work well with their other products, it might be worth it to them and apparently it is, since they've done it.
Re: (Score:2)
That's the nice thing in Germany: You can't sell your rights to your inventions/creations. You are always the one who created it. That fact can't change without a time-machine. (Don't dare calling German Urheberrecht a "copyright law". They are very different. And luckily so.)
Re: (Score:2)
In other words, this will be a closed fork.
Re: (Score:1, Informative)
According to the website, Rapid7 bought the trademarks, the website, and "rights to the Metasploit Framework", the current version of which "was originally developed by Metasploit LLC and is made available for use by Rapid7 under the 3-clause BSD license."
Re: (Score:2)
The name of the project is normally trademarked by someone. While somebody can take the open code and fork it under a different name (IceWeasel, for example), they cannot call the fork by the trademarked name (Firefox, for the previous example). Also, the code is still copyrighted by its owners, BSD or GPL are just licenses for what you are allowed to do with the code. In some cases that I have seen (I believe QT does this), the owner of the trademark will require contributors to assign copyright of their c
Re: (Score:1)
Fork it if you don't want to go corporate; plenty of people did that when MySQL went to Sun.
After forking it, you'll need a new name of course. I vote metasplit.
Re: (Score:2)
Well, it depends on how you define open source. If it's simply a program that you distribute the source code along with, then it's quite easy: you simply sell the ownership of / license the code to somebody else; since you presumably own all the code, this isn't a problem. Similarly, with projects that do have 3rd party developers you can stipulate that they relinquish ownership of any contributions they make to the project to you or whatever organization happens to be managing the project. Where it gets tricky
Re: (Score:1)
Sun basically bought apt-get when it hired the guy that created it. Now it's integrated in OpenSolaris.
Re: (Score:2)
I thought OpenSolaris had its own package management system. Maybe it is practically apt, but it is not actually apt. Nexenta is an OpenSolaris distro that uses apt, so maybe that is what you are thinking of?
Re:"penetration testing" (Score:5, Insightful)
You are right, it gets used by script kiddies.
That is EXACTLY why I use it regularly to make sure it doesn't work for them. I can quickly scan a host and see what they may be able to take advantage of.
What do you do? How do you know that you've installed every patch? MS doesn't even TELL you about every patch, let alone include them in Windows Update. Does all of your other software auto update as well? Do you have some mystical application that makes sure you never make a configuration mistake that opens an exploit? My IIS servers don't return customized version information; is it just supposed to look at that and know what it really translates to and what patches I have installed on it?
You sir, are not a system admin. You may be employed as one, but you certainly shouldn't be. The mere thought that patching is enough by itself is retarded. Assuming that you have perfect configurations that never change and will be safe forever after you set them up is retarded. Pretty much no matter how you look at it, your argument is one of extreme lack of experience.
Every high security environment in the world does penetration testing, as do lower security environments who would rather be safe than sorry. Banks, the government, health care providers to name a few, ALL do penetration testing, both by software, and social engineering, all the way down to trying to actually break into a physical location.
Fuck you and your arrogant ignorance about security, come back to us when you get out of pointy-headed-boss-school or secretary school, whichever you happen to be in.
Re: (Score:1)
> First of all, no serious business is using Windows as a server. Sorry but you just discredited yourself with that alone.
Good thing you're posting as AC so you can't discredit yourself by saying something stupid like that, right?
Re: (Score:2)
You grow your own wheat and grind your own flour? And built your own CPU factory to make the CPU for your computer?
If you do everything yourself, you're certainly the one who should be "fucking yourself".
Seems more logical.
Re: (Score:2, Informative)
First of all, no serious business is using Windows as a server. Sorry but you just discredited yourself with that alone.
Huh?
I do security consulting in Fortune 1000 companies and I've never run into one yet that is a strict "no-MS" shop on the server side.
What the hell are you talking about?
Second, every large penetration testing organization that services these Fortune 1000 customers uses Metasploit as a small (very small) component of their toolset.
Our toolset is comprised of over 1000 different bits of software, but I've successfully used Metasploit on at least 10 different engagements in the last 6 months alone against F
Re: (Score:2)
First of all, no serious business is using Windows as a server. Sorry but you just discredited yourself with that alone.
I do work for Fortune 200 companies. Every one of them I have worked at uses Windows for servers. This includes the likes of Boeing, HP, Capital One Bank, Bank of America, the London Stock Exchange, NASDAQ, Charles Schwab, HCA, Accenture, Ford, Toyota, and more. Most of them use IIS, SQL Server, and build .NET applications. Exchange and Active Directory are everywhere. MSFT servers, like it or not, are pervasive in the business world. Not necessarily dominant, as big apps tend to get built on other platf
Re: (Score:2)
Does all of your other software auto update as well?
Have you never heard of package management systems?
eix-sync && emerge -auDNtv world
Done. Man, you Windows guys are weird.
Re:"penetration testing" (Score:4, Funny)
It's used mainly by crackers to compromise websites. Fuck this tool and fuck the arrogant script kiddies padding their resumes with it. This software has no legitimate purpose.
Sounds like the righteous anger of someone who left some back doors open for a few script kiddies in his time, and got burned by it.
Re: (Score:1, Interesting)
I work for a hundred million dollar company that makes a substantial portion of its income doing "legitimate" penetration testing.
Our customers are Fortune 500 companies and the like.
It's a very useful toolset.
You would be surprised how many times a week I hear this story:
Security Admin: Upper management doesn't understand the risk these vulnerabilities pose and we can't get funding to get it fixed. We need it demonstrated through videos and screenshots, exactly what sort of damage can be done by a single
Re: (Score:2)
From Sneakers (1992) [imdb.com]:
Bank Secretary: So, people hire you to break into their places... to make sure no one can break into their places?
Martin Bishop: It's a living.
Bank Secretary: Not a very good one.
Legal minefield (Score:1, Interesting)