
Re: [Full-disclosure] Barracuda backdoor



On Apr 29, 2011, at 6:11 AM, Cal Leeming wrote:
> 
> On Fri, Apr 29, 2011 at 3:30 AM, bk <chort0@xxxxxxxxx> wrote:
> 
>> On Fri, Apr 29, 2011 at 3:17 AM, bk <chort0@xxxxxxxxx> wrote:
>> On Apr 28, 2011, at 3:09 AM, Tõnu Samuel wrote:
>> 
>> > One day their Barracuda product stopped working.
>> >
>> > After investigating problem it came out that Barracuda reseller and
>> > Barracuda itself have some misunderstandings and because of this
>> > Barracuda not only disabled all kind of subscription services
>> 
>> Your unsubstantiated claims don't bear repeating.  I will however point 
>> out that many vendors disable some portion of functionality when 
>> subscription or support payments lapse.  This is widely done in the industry 
>> and a surprise to no one.
>> 
>> --
>> chort
>> _______________________________________________
> 
> On Apr 28, 2011, at 7:20 PM, Cal Leeming wrote:
> 
>> Name ten.
> 
> For starters, every anti-spam company ever.  I should know, I've worked for 
> half of them.  At the very least you cannot get upgrades or patches of any 
> kind.  Most of them disable anti-spam updates, all of them disable anti-virus 
> updates, and some even disable anti-spam scanning entirely.  The anti-spam 
> SaaS vendors I know of will disable accepting your mail after a grace period 
> if you haven't moved your MX records.
> 
> Hmm, let's see.  Firewall vendors won't let you apply updates, some of them 
> cripple VPN functionality when your license has expired... really, do we need 
> to go on?  There's a long precedent for products going into a degraded mode 
> if your subscription or license expires.
> 
> --
> chort
> 
> 
> Everything you have mentioned there is when you have 'leased' a product, so 
> if the license runs out, of course it's going to terminate those 'leased' 
> services.


Actually, no.  I'm really starting to doubt you have any experience whatsoever 
with enterprise products.  Every appliance I've ever heard of or sold 
personally is sold, as in ownership is transferred.  The physical unit belongs 
to the party who purchased it.  The continuing fees or subscriptions cover:
1.  Support
2.  Product updates and patches
3.  Updates to anti-spam and anti-virus definitions
4.  Other product features that either require infrastructure on the vendor's 
part, or capabilities that are OEM'd from another vendor and require recurring 
royalty fees.

In all those cases the hardware unit doesn't just stop working, but certain 
aspects of the software functionality that require money & effort from the 
vendor to support do cease to operate.

I believe OP is wildly exaggerating the extent to which functionality was 
impaired.  I also really doubt that Barracuda, with thousands of units deployed 
in the field, would assign a human being to individually log in remotely and 
disable them.  They probably do it like most other vendors, where the units do 
periodic phone-home functions to a set of license servers.  If there isn't an 
updated license present for the unit to download, functionality automatically 
turns off when the original license on the box expires.

Lastly, to touch on the other "shocking" subject, yes security appliance 
vendors have ssh access to the units in the field, either directly or via 
reverse tunnel.  Every vendor I have experience with calls this out in their 
documentation and the customer either has to allow it explicitly through their 
firewall, or they're given the option to block it (in the case of reverse 
tunnel).

Anyone with a reasonable level of technical competence who has ever implemented 
one of these appliances from any vendor in this space would already be well 
aware of these facts.  You'd probably all be stunned to learn that your phones, 
which can position you with accuracy of a few hundred feet, are storing 
information about locations of beaconing objects around them.  Yes, I'll give 
you a few minutes to get over that shock.

--
chort

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/