Full Disclosure: Re: Barracuda backdoor

[bk <chort0 () gmail com>]

On Apr 29, 2011, at 6:11 AM, Cal Leeming wrote:
> On Fri, Apr 29, 2011 at 3:30 AM, bk <chort0 () gmail com> wrote:
>
> > On Fri, Apr 29, 2011 at 3:17 AM, bk <chort0 () gmail com> wrote:
> > On Apr 28, 2011, at 3:09 AM, Tõnu Samuel wrote:
> >
> > > One day their Barracuda product stopped working.
> > >
> > > After investigating problem it came out that Barracuda reseller and
> > > Barracuda itself have some misunderstandings and because of this
> > > Barracuda not only disabled all kind of subscription services
> > You're unsubstantiated claims don't bare repeating.  I will however point out that many vendors disable some portion 
> > of functionality when subscription or support payments lapse.  This is widely done in the industry and a surprise to 
> > no one.
> >
> > --
> > chort
> > _______________________________________________
> On Apr 28, 2011, at 7:20 PM, Cal Leeming wrote:
>
> > Name ten.
> For starters, every anti-spam company ever.  I should know, I've worked for half of them.  At the very least you 
> cannot get upgrades or patches of any kind.  Most of them disable anti-spam updates, all of them disable anti-virus 
> updates, and some even disable anti-spam scanning entirely.  The anti-spam SaaS vendors I know of will disable 
> accepting your mail after a grace period if you haven't moved your MX records.
>
> Hmm, let's see.  Firewall vendors won't let you apply updates, some of them cripple VPN functionality when your 
> license has expired... really, do we need to go on?  There's a long precedent for products going into a degraded mode 
> if your subscription or license expires.
>
> --
> chort
>
>
> Everything you have mentioned there are when you have 'leased' a product, so if the license runs out, of course it's 
> going to terminate those 'leased' services.

Actually, no.  I'm really starting to doubt you have any experience what so ever with enterprise products.  Every 
appliance I've ever heard of or sold personally is sold, as in ownership is transferred.  The physical unit belongs to 
the party who purchased it.  The continuing fees or subscriptions cover:
1.  Support
2.  Product updates and patches
3.  Updates to anti-spam and anti-virus definitions
4.  Other product features that either require infrastructure on the vendor's part, or capabilities that are OEM'd from 
another vendor and require recurring royalty fees.

In all those cases the hardware unit doesn't just stop working, but certain aspects of the software functionality that 
require money & effort from the vendor to support do cease to operate.

I believe OP is wildly exaggerating the extent to which functionality was impaired.  I also really doubt that 
Barracuda, with thousands of units deployed in the field, would assign a human being to individually login remotely and 
disable them.  They probably do it like most other vendors, where the units do periodic phone-home functions to a set 
of license servers.  If there isn't an updated license present for the unit to download, functionality automatically 
turns off when the original license on the box expires.

Lastly, to touch on the other "shocking" subject, yes security appliance vendors have ssh access to the units in the 
field, either directly or via reverse tunnel.  Every vendor I have experience with calls this out in their 
documentation and the custom either has to allow it explicitly through their firewall, or they're given the option to 
block it (in the case of reverse tunnel).

Anyone with a reasonable level of technical competence who has ever implemented one of these appliances from any vendor 
in this space would already be well aware of these facts.  You'd probably all be stunned to learn that your phones, 
which can position you with accuracy of a few hundred feet, are storing information about locations of beaconing 
objects around them.  Yes, I'll give you a few minutes to get over that shock.

--
chort

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/