I just wanted to share a quick mail we’ve received tonight at AlienVault. I’m hiding the user’s identity until he grants me permission to disclose it, which I doubt he’ll do btw.
The mail did read as following:
Subject: Port scan from you guys to my server from 22.214.171.124. Cease and desist. I installed your ossim product and now you are port scanning my servers? You are scanning [insert FQDN here] servers right now and I am picking it up on my IDS coming from 126.96.36.199. Can you explain why you would be doing this? You had better have a good explanation or I guarantee your company will be written up in all the security publications I write in and I will recommend that nobody ever use your product.
Amazing, ain’t? No previous contact, no double checking, nothing, just going ahead, threatening, menacing and being bold.
Well, here goes the answer. As said, this is my very own opinion and the company (Alienvault) has nothing to do with it.
Just for the records, before replying I logged in into the above host, checked for unauthorized access, ran several tcpdumps and checked logs on his domain. Clean. Oh, and I’m going to call the user “Hugo” after a big mounth president with the same name.
Hello Hugo, have you ever heard about kindness going a long way? Well, it usually works. If you had kindly requested information about this, either on the forums (where hundreds of happy users would've been eager to answer you), on the irc, even on this contact address, I'd have answered with a nice: "Hey Hugo, no worries, the 1.0.6 iso comes with an automatic, free, nessus plugin feed which gets checked on a daily basis. Due to the huge amount of users we've got we noticed rsync starting to duplicate itself, launching multiple instances which in turn get denied, provoking some sort of false positives". I even would've offered you help on sorting it out if that weren't the cause, which I'm pretty sure is. But… here you come, threatening, menacing with bad manners. So the answer is. Hugo, I encourage you to post the above mail to all the security publications you write in. I'm sure your mail has the possibility to become one of those long lasting laughers which will be used as openings in security conferences all over the world for the next few years. Not enough with this, I offer you to also publish it on the ossim forums. I for sure will post it on my blog (no worries, unless you grant me permission to do so I'll hide your name and mail) for other fellow users to comment on it. And, on top, I offer you a free refund for OSSIM. Oh, wait, you haven't paid a single cent for it… So please, just deinstall OSSIM right now, that will solve both our problems or I guarantee your name will be written up in all the security publications I write in and I will recommend that nobody ever lets you use their product. I'd feel bad coding OSSIM and knowing that you would benefit from it. With kind regards, Dominique Karg PS: Any views or opinions presented in this email are solely those of the author, that is, me and do not represent those of the company
Things like these keep opensource developers motivated. *sigh*
Update 2009/03/27: the story goes on.
Hugo was so kind and replied to my friendly mail in order to make sure I’d know he has no clue what he’s talking about:
No worries? When you download and install nessus by itself it asks you if you want to update and it does not trigger IDS systems. A user of your products should not have to be woken up in the middle of the night and read a forum to figure that out. If your system has an issue triggering IDS systems, why have you not fixed the issue or at least put a warning up during install. Your product was not free in this case, it cost me my time waking up and trying to figure out why I was receiving IDS alerts. Lastly, why would the product be receiving updates from your IP range for nessus. Would nessus not receive updates from the nessus update servers? I will be calling today to speak with someone in management and I will be happy to pass your email along to them.
Anything amiss? right… the threats weren’t clear enough, so in a separate email he just wrote me a short:
Your sarcasm will be noted when I speak with management at Alienvault today.
After that level of threats, my only obvious answer could be (and was):
Don't you think that would be a bit excessive? I could loose my job…
To which at least he didn’t answer yet (I expected something like “Mess with the best, die like the rest”).
So, just to get it clear. Hugo downloads the ossim 1.0.6 iso which comes with automatic nessus updates, places into a restricted / highly protected network (I assume it is at least, what else would make you setup an IDS to send you an alarm and wake you up in the middle of the night), grants it full access to the internet (in order to trigger a portscan from rsync failures port 873 would have to be allowed in a firewall) and later on threatens the site where he downloaded the original .iso?
C’mon Hugo, you should know better than that. Maybe it’s me who should talk to your management. What you’ve done show you’ve got no clue about security, best practices or infosec at all. I wouldn’t let you manage my ipod shuffle out of fear you could expose it.
Furthermore, even after getting pointed at your mistake in the first response, you had the chance to apologize, but no, you answer with more threats. Threatening me to talk to AlienVault management shows your lack of checking on sources, which in turn not only nullifies you as a security professional but also should make everyone doubt 90% of the statements you make about what you know, what you think, what you recommend.
I hope this is the end of the story…