How to make good friends

March 27, 2009 | Dominique Karg
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

I just wanted to share a quick mail we’ve received tonight at AlienVault. I’m hiding the user’s identity until he grants me permission to disclose it, which I doubt he’ll do btw.

The mail did read as following:

Subject: Port scan from you guys to my server from 207.158.15.208. Cease and desist.



I installed your ossim product and now you are port scanning my servers?



You are scanning [insert FQDN here] servers right now and I am picking

it up on my IDS coming from 207.158.15.208.



Can you explain why you would be doing this?



You had better have a good explanation or I guarantee your company

will be written up in all the security publications I write in and I

will recommend that nobody ever use your product.

Amazing, ain’t? No previous contact, no double checking, nothing, just going ahead, threatening, menacing and being bold.

Well, here goes the answer. As said, this is my very own opinion and the company (Alienvault) has nothing to do with it.



Just for the records, before replying I logged in into the above host, checked for unauthorized access, ran several tcpdumps and checked logs on his domain. Clean. Oh, and I’m going to call the user “Hugo” after a big mounth president with the same name.

Hello Hugo,



have you ever heard about kindness going a long way? Well, it usually works.



If you had kindly requested information about this, either on the

forums (where hundreds of happy users would've been eager to answer

you), on the irc, even on this contact address, I'd have answered with

a nice: "Hey Hugo, no worries, the 1.0.6 iso comes with an

automatic, free, nessus plugin feed which gets checked on a daily

basis. Due to the huge amount of users we've got we noticed rsync

starting to duplicate itself, launching multiple instances which in

turn get denied, provoking some sort of false positives". I even

would've offered you help on sorting it out if that weren't the cause,

which I'm pretty sure is.



But… here you come, threatening, menacing with bad manners. So the answer is.



Hugo, I encourage you to post the above mail to all the security

publications you write in. I'm sure your mail has the possibility to

become one of those long lasting laughers which will be used as

openings in security conferences all over the world for the next few

years.

Not enough with this, I offer you to also publish it on the ossim

forums. I for sure will post it on my blog (no worries, unless you

grant me permission to do so I'll hide your name and mail) for other

fellow users to comment on it.



 And, on top, I offer you a free refund for OSSIM. Oh, wait, you

haven't paid a single cent for it…



So please, just deinstall OSSIM right now, that will solve both our

problems or I guarantee your name will be written up in all the

security publications I write in and I will recommend that nobody ever

lets you use their product. I'd feel bad coding OSSIM and knowing that

you would benefit from it.



With kind regards,



Dominique Karg



PS: Any views or opinions presented in this email are solely those of

the author, that is, me and do not represent those of the company

Things like these keep opensource developers motivated. *sigh*

Update 2009/03/27: the story goes on.

Hugo was so kind and replied to my friendly mail in order to make sure I’d know he has no clue what he’s talking about:

No worries? When you download and install nessus by itself it asks you

if you want to update and it does not trigger IDS systems. A user of

your products should not have to be woken up in the middle of the

night and read a forum to figure that out. If your system has an issue

triggering IDS systems, why have you not fixed the issue or at least

put a warning up during install.

Your product was not free in this case, it cost me my time waking up

and trying to figure out why I was receiving IDS alerts. Lastly, why

would the product be receiving updates from your IP range for nessus.

Would nessus not receive updates from the nessus update servers? I

will be calling today to speak with someone in management and I will

be happy to pass your email along to them.

Anything amiss? right… the threats weren’t clear enough, so in a separate email he just wrote me a short:

Your sarcasm will be noted when I speak with management at Alienvault today.


After that level of threats, my only obvious answer could be (and was):


Don't you think that would be a bit excessive? I could loose my job…


To which at least he didn’t answer yet (I expected something like “Mess with the best, die like the rest”).

So, just to get it clear. Hugo downloads the ossim 1.0.6 iso which comes with automatic nessus updates, places into a restricted / highly protected network (I assume it is at least, what else would make you setup an IDS to send you an alarm and wake you up in the middle of the night), grants it full access to the internet (in order to trigger a portscan from rsync failures port 873 would have to be allowed in a firewall) and later on threatens the site where he downloaded the original .iso?

C’mon Hugo, you should know better than that. Maybe it’s me who should talk to your management. What you’ve done show you’ve got no clue about security, best practices or infosec at all. I wouldn’t let you manage my ipod shuffle out of fear you could expose it.

Furthermore, even after getting pointed at your mistake in the first response, you had the chance to apologize, but no, you answer with more threats. Threatening me to talk to AlienVault management shows your lack of checking on sources, which in turn not only nullifies you as a security professional but also should make everyone doubt 90% of the statements you make about what you know, what you think, what you recommend.

I hope this is the end of the story…

Dominique Karg

About the Author: Dominique Karg
Read more posts from Dominique Karg ›

TAGS: funny, rude

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL