On Wed, May 08, 2002 at 04:50:09PM +0200, Renaud Deraison wrote:
> I attended CanSecWest last week and I was told there were rumors of
> people complaining about Nessus "calling home" when doing a scan.

Thanks to everyone who replied to me on this issue. I was surprisingly
overwhelmed with answers, so please forgive me if I did not reply to you
personally.

To sum up the replies: a vast majority of people don't care, but
everyone agreed that a user-definable third party domain was the way to
go.

In Nessus 1.2.1 (or the current CVS snapshot), a new option now appears
in the 'plugin prefs' tab, and is set to "nessus.org" by default. Users
can change it to something else, so privacy issues should be somewhat
resolved.

I modified more plugins than what I thought would be necessary - I'd
like to thank Thomas Reinke for sending me a list of plugins that used
"nessus.org" in one way or another (there were more than what I thought,
mostly because of laziness on my part). People interested in the full
list can go to cvs.nessus.org and look for the plugins whose commit log
is "privacy".


While I apologize to those who have felt threatened by this issue, I
sincerely regret the fact that they did not voice their concerns
directly to me (even though I was attending CanSecWest, and the person
who spread the rumor too), and preferred to go the sneaky way about this.


Hopefully, the incident is over in CVS, and will be in Nessus 1.2.1.

                                -- Renaud
