Full Disclosure mailing list archives

Re: Barracuda backdoor


From: Cal Leeming <cal () foxwhisper co uk>
Date: Fri, 29 Apr 2011 17:22:47 +0100

On Fri, Apr 29, 2011 at 4:13 PM, bk <chort0 () gmail com> wrote:

On Apr 29, 2011, at 6:11 AM, Cal Leeming wrote:


On Fri, Apr 29, 2011 at 3:30 AM, bk <chort0 () gmail com> wrote:


On Fri, Apr 29, 2011 at 3:17 AM, bk <chort0 () gmail com> wrote:

On Apr 28, 2011, at 3:09 AM, Tõnu Samuel wrote:

One day their Barracuda product stopped working.

After investigating the problem it came out that the Barracuda reseller and
Barracuda itself had some misunderstandings, and because of this
Barracuda not only disabled all kinds of subscription services

Your unsubstantiated claims don't bear repeating.  I will however point
out that many vendors disable some portion of functionality when
subscription or support payments lapse.  This is widely done in the industry
and a surprise to no one.

--
chort
_______________________________________________

On Apr 28, 2011, at 7:20 PM, Cal Leeming wrote:

Name ten.


For starters, every anti-spam company ever.  I should know, I've worked
for half of them.  At the very least you cannot get upgrades or patches of
any kind.  Most of them disable anti-spam updates, all of them disable
anti-virus updates, and some even disable anti-spam scanning entirely.  The
anti-spam SaaS vendors I know of will disable accepting your mail after a
grace period if you haven't moved your MX records.

Hmm, let's see.  Firewall vendors won't let you apply updates, some of
them cripple VPN functionality when your license has expired... really, do
we need to go on?  There's a long precedent for products going into a
degraded mode if your subscription or license expires.

--
chort


Everything you have mentioned there applies when you have 'leased' a product,
so if the license runs out, of course it's going to terminate those 'leased'
services.


Actually, no.  I'm really starting to doubt you have any experience whatsoever
with enterprise products.  Every appliance I've ever heard of or sold
personally is sold, as in ownership is transferred.  The physical unit
belongs to the party who purchased it.  The continuing fees or subscriptions
cover:
1.  Support
2.  Product updates and patches
3.  Updates to anti-spam and anti-virus definitions
4.  Other product features that either require infrastructure on the
vendor's part, or capabilities that are OEM'd from another vendor and
require recurring royalty fees.


Are you referring to hardware or virtual appliances? Almost everything I
have used in an enterprise deployment has been where the unit was owned
outright by the customer, with the license simply being for support.

Take Zeus products (ZXTM) for example.



In all those cases the hardware unit doesn't just stop working, but certain
aspects of the software functionality that require money & effort from the
vendor to support do cease to operate.




I believe OP is wildly exaggerating the extent to which functionality was
impaired.  I also really doubt that Barracuda, with thousands of units
deployed in the field, would assign a human being to individually login
remotely and disable them.  They probably do it like most other vendors,
where the units do periodic phone-home functions to a set of license
servers.  If there isn't an updated license present for the unit to
download, functionality automatically turns off when the original license on
the box expires.

Lastly, to touch on the other "shocking" subject, yes security appliance
vendors have ssh access to the units in the field, either directly or via
reverse tunnel.  Every vendor I have experience with calls this out in their
documentation and the customer either has to allow it explicitly through their
firewall, or they're given the option to block it (in the case of reverse
tunnel).


I can understand why this feature would be in there, but I am strongly
against the practice of it being on an opt-out basis, not opt-in.



Anyone with a reasonable level of technical competence who has ever
implemented one of these appliances from any vendor in this space would
already be well aware of these facts.  You'd probably all be stunned to
learn that your phones, which can position you with accuracy of a few
hundred feet, are storing information about locations of beaconing objects
around them.  Yes, I'll give you a few minutes to get over that shock.


You can stop with the smart ass comments.



--
chort
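The thread above describes two things a customer may not have expected: vendor SSH access to the appliance, directly or via a reverse tunnel, and the customer's option to block it at their own firewall. The following is an added example, not code from the thread or from Barracuda or any other vendor named here, showing the check a practitioner would run on egress flow records to find such a channel. Everything in it is assumed for illustration: the appliance address (192.0.2.10), the site's internal range (192.0.2.0/24), the assumption that the vendor channel is plain SSH on TCP/22, and the flow records, which are constructed sample data.

```python
"""Find outbound SSH from a security appliance that looks like a vendor
reverse tunnel, using constructed flow records, and emit the egress rule
that would block it.  Added example; all addresses and data are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed sample flow records (not taken from the original thread).
# Fields: time src sport dst dport proto bytes duration_seconds
SAMPLE_FLOWS = """\
2011-04-29T16:00:05 192.0.2.10 48211 198.51.100.7 22 tcp 184320 86400
2011-04-29T16:00:09 192.0.2.10 48320 192.0.2.25 25 tcp 1024 3
2011-04-29T16:01:00 192.0.2.10 51902 203.0.113.40 443 tcp 8192 12
2011-04-29T16:02:00 192.0.2.55 40001 198.51.100.7 22 tcp 512 4
2011-04-29T16:03:00 192.0.2.10 48212 198.51.100.8 22 tcp 96 2
"""


@dataclass(frozen=True)
class Flow:
    time: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str
    nbytes: int
    duration: int


def parse_flows(text):
    """Parse whitespace-separated flow lines; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        flows.append(Flow(f[0], ip_address(f[1]), int(f[2]), ip_address(f[3]),
                          int(f[4]), f[5], int(f[6]), int(f[7])))
    return flows


def classify(flow, appliance, internal, min_tunnel_seconds):
    """Return a verdict for one flow, or None if it is not of interest.

    Only TCP/22 leaving the appliance for a host outside the internal
    ranges counts; a long-lived session is treated as a persistent tunnel,
    a short one as an outbound SSH attempt (e.g. a periodic phone-home)."""
    if flow.src != appliance or flow.proto != "tcp" or flow.dport != 22:
        return None
    if any(flow.dst in net for net in internal):
        return None  # admin SSH inside the site, not vendor access
    if flow.duration >= min_tunnel_seconds:
        return "persistent_tunnel"
    return "outbound_ssh"


def find_vendor_ssh(text, appliance, internal, min_tunnel_seconds=3600):
    """Return (verdict, destination, duration) for each flagged flow."""
    appliance = ip_address(appliance)
    internal = [ip_network(n) for n in internal]
    hits = []
    for flow in parse_flows(text):
        verdict = classify(flow, appliance, internal, min_tunnel_seconds)
        if verdict:
            hits.append((verdict, str(flow.dst), flow.duration))
    return hits


def egress_block_rule(appliance, internal_net):
    """iptables FORWARD rule that stops the appliance opening SSH to any
    host outside the internal range (the customer-side block the thread
    describes); assumed to run on a Linux firewall in the egress path."""
    return (f"iptables -A FORWARD -s {appliance} ! -d {internal_net} "
            f"-p tcp --dport 22 -j REJECT")


if __name__ == "__main__":
    for hit in find_vendor_ssh(SAMPLE_FLOWS, "192.0.2.10", ["192.0.2.0/24"]):
        print(hit)
    print(egress_block_rule("192.0.2.10", "192.0.2.0/24"))
```

On the sample data this flags the day-long session to 198.51.100.7 as a persistent tunnel and the two-second connection to 198.51.100.8 as an outbound SSH attempt, while ignoring the appliance's SMTP and HTTPS traffic and SSH from other internal hosts. The port-based rule is only a starting point: a vendor channel that is wrapped in HTTPS or uses another port would not match it, so the reliable control is knowing from the vendor's documentation which hosts and ports the unit is expected to reach and denying everything else from the appliance by default.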


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
