DK 'Log


How to make good friends
Fri, 27 Mar 2009

I just wanted to share a quick mail we've received tonight at AlienVault. I'm hiding the user's identity until he grants me permission to disclose it, which I doubt he'll do btw.

The mail read as follows:

Subject: Port scan from you guys to my server from 207.158.15.208. Cease and desist.

I installed your ossim product and now you are port scanning my servers?

You are scanning [insert FQDN here] servers right now and I am picking
it up on my IDS coming from 207.158.15.208.

Can you explain why you would be doing this?

You had better have a good explanation or I guarantee your company
will be written up in all the security publications I write in and I
will recommend that nobody ever use your product.

Amazing, ain't it? No previous contact, no double checking, nothing, just going ahead, threatening, menacing and being bold.

Well, here goes the answer. As said, this is my very own opinion and the company (Alienvault) has nothing to do with it.

Just for the record, before replying I logged in to the above host, checked for unauthorized access, ran several tcpdumps and checked the logs for his domain. Clean. Oh, and I'm going to call the user "Hugo" after a big-mouthed president of the same name.

Hello Hugo,

Have you ever heard about kindness going a long way? Well, it usually works.

If you had kindly requested information about this, either on the
forums (where hundreds of happy users would've been eager to answer
you), on the irc, even on this contact address, I'd have answered with
a nice: "Hey Hugo, no worries, the 1.0.6 iso comes with an
automatic, free, nessus plugin feed which gets checked on a daily
basis. Due to the huge amount of users we've got we noticed rsync
starting to duplicate itself, launching multiple instances which in
turn get denied, provoking some sort of false positives". I even
would've offered you help on sorting it out if that weren't the cause,
which I'm pretty sure is.

But... here you come, threatening, menacing with bad manners. So the answer is:

Hugo, I encourage you to post the above mail to all the security
publications you write in. I'm sure your mail has the possibility to
become one of those long lasting laughers which will be used as
openings in security conferences all over the world for the next few
years.
Not enough with this, I offer you to also publish it on the ossim
forums. I for sure will post it on my blog (no worries, unless you
grant me permission to do so I'll hide your name and mail) for other
fellow users to comment on it.

And, on top, I offer you a free refund for OSSIM. Oh, wait, you
haven't paid a single cent for it...

So please, just deinstall OSSIM right now, that will solve both our
problems or I guarantee your name will be written up in all the
security publications I write in and I will recommend that nobody ever
lets you use their product. I'd feel bad coding OSSIM and knowing that
you would benefit from it.

With kind regards,

Dominique Karg

PS: Any views or opinions presented in this email are solely those of
the author, that is, me, and do not represent those of the company.

Things like these keep opensource developers motivated. *sigh*

Update 2009/03/27: the story goes on.


Hugo was so kind as to reply to my friendly mail, making sure I'd know he has no clue what he's talking about:

No worries? When you download and install nessus by itself it asks you
if you want to update and it does not trigger IDS systems. A user of
your products should not have to be woken up in the middle of the
night and read a forum to figure that out. If your system has an issue
triggering IDS systems, why have you not fixed the issue or at least
put a warning up during install?
Your product was not free in this case, it cost me my time waking up
and trying to figure out why I was receiving IDS alerts. Lastly, why
would the product be receiving updates from your IP range for nessus?
Would nessus not receive updates from the nessus update servers? I
will be calling today to speak with someone in management and I will
be happy to pass your email along to them.

Anything amiss? Right... the threats weren't clear enough, so in a separate email he just wrote me a short:

Your sarcasm will be noted when I speak with management at Alienvault today.

After that level of threats, my only obvious answer could be (and was):

Don't you think that would be a bit excessive? I could lose my job...

To which at least he didn't answer yet (I expected something like "Mess with the best, die like the rest").

So, just to get it clear: Hugo downloads the ossim 1.0.6 iso, which comes with automatic nessus updates, places it into a restricted / highly protected network (I assume it is, at least; what else would make you set up an IDS to send you an alarm and wake you up in the middle of the night?), grants it full access to the internet (for the rsync failures to show up as a portscan, port 873 would have to be allowed through the firewall), and later on threatens the site where he downloaded the original .iso?
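Before firing off a cease-and-desist, the check a defender wants is whether the flagged traffic is really a scan of their network or their own box retrying one remote service, which is exactly what the rsync feed check looks like from the outside. The following is an added example, not code from the post or from OSSIM; it assumes a generic "date time action proto src:port -> dst:port" firewall log format, that the firewall logs the connection-initiating side as the source, and constructed sample lines with the local side in 10.0.0.0/8.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in a generic "firewall log" format (not from the post).
# The first four mimic the local OSSIM box repeatedly trying rsync (tcp/873)
# toward the feed server; the last three mimic a genuine inbound multi-port probe.
SAMPLE_LOG = """\
2009-03-27 03:12:01 DENY TCP 10.0.0.5:40122 -> 207.158.15.208:873
2009-03-27 03:12:03 DENY TCP 10.0.0.5:40123 -> 207.158.15.208:873
2009-03-27 03:12:05 DENY TCP 10.0.0.5:40124 -> 207.158.15.208:873
2009-03-27 03:12:07 DENY TCP 10.0.0.5:40125 -> 207.158.15.208:873
2009-03-27 03:15:10 DENY TCP 198.51.100.7:5531 -> 10.0.0.5:22
2009-03-27 03:15:10 DENY TCP 198.51.100.7:5532 -> 10.0.0.5:23
2009-03-27 03:15:11 DENY TCP 198.51.100.7:5533 -> 10.0.0.5:443
"""

# date time action proto src:sport -> dst:dport  (assumed format, see comment above)
LINE_RE = re.compile(r"^\S+ \S+ \w+ \w+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def triage(log_text, local_net="10.0.0.0/8", scan_ports=3):
    """Group logged connection attempts by remote peer and say whether each
    looks like a scan of us or like our own host hammering one remote port."""
    local = ip_network(local_net)
    inbound = defaultdict(set)   # remote -> local ports it tried to reach
    outbound = defaultdict(set)  # remote -> remote ports our hosts tried to reach
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        src, dst, dport = ip_address(m["src"]), ip_address(m["dst"]), int(m["dport"])
        if src in local and dst not in local:
            outbound[str(dst)].add(dport)
        elif dst in local and src not in local:
            inbound[str(src)].add(dport)
    verdicts = {}
    for peer in set(inbound) | set(outbound):
        if len(inbound.get(peer, ())) >= scan_ports:
            verdicts[peer] = "inbound multi-port probe"
        elif peer not in inbound and len(outbound[peer]) == 1:
            port = next(iter(outbound[peer]))
            verdicts[peer] = f"our host retrying remote tcp/{port}; not a scan by {peer}"
        else:
            verdicts[peer] = "inconclusive; inspect packets"
    return verdicts
```

The direction and port-spread of the attempts, not the remote address alone, are what separate a misbehaving updater from a probe.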

C'mon Hugo, you should know better than that. Maybe it's me who should talk to your management. What you've done shows you've got no clue about security, best practices or infosec at all. I wouldn't let you manage my ipod shuffle out of fear you could expose it.

Furthermore, even after being pointed at your mistake in the first response, you had the chance to apologize, but no, you answered with more threats. Threatening to talk to AlienVault management shows you don't check your sources, which in turn not only disqualifies you as a security professional but should also make everyone doubt 90% of the statements you make about what you know, what you think and what you recommend.

I hope this is the end of the story...

posted at: 08:34 | path: /personal | 5 comments
Tags: funny, rude



* Posted by Pablo at Fri Mar 27 10:02:52 2009
If hugo installed ossim into a restricted network (with another IDS), and this seems to be the case, he should be familiar with ossim. A restricted network is not a testing lab for new products of any kind.

IMHO! :)
* Posted by Jason at Mon Mar 30 14:02:13 2009
Did he work for RIAA :-)
* Posted by LAMEtHIng at Mon Mar 30 14:32:30 2009
Wow. WOW. What a putz this guy is.
* Posted by Karl at Mon Mar 30 19:59:54 2009
Love it, did he not do any research of how the product works. Sounds like he screwed up and is now getting pressure from his boss. Hugo, next time do us all a favor and find a new profession, you are not cut out for Information Security.
DK, keep up the great work. ;-)
* Posted by Brian Lavender at Wed May 27 06:41:12 2009
Sounds like the guy is a candidate for the CERTDUMBASS. ;-)
