On 04/28/2011 05:51 AM, Tõnu Samuel wrote:
> On Thu, 2011-04-28 at 11:45 +0100, Benji wrote:
>> Do you actually have any evidence of a backdoor? Or could this just be
>> a remote 'turn-off' switch as such? I'm not saying that one is better
>> than the other, but they are very different features.
>
> I have no idea how this is technically implemented or what else they
> can do. This is a clear example of the dangers of closed source products.
> Today we found some "switch off", tomorrow what?

Tomorrow Barracuda gets pwned and this turns into a cascade failure. Oh wait, that happened two weeks ago:
http://www.theregister.co.uk/2011/04/11/barracuda_networks_attack/

> How can we be sure about anything? The only thing I am sure of now:
> they kept a copy of the keys to the house you bought from them years
> ago, and they used those keys for an illegal thing.

Let's be careful though: just because your system stopped working doesn't mean it has a backdoor. It could have been implemented as simply a periodic "phone home for updates" which received some type of "license expired" message. A remote kill switch, for sure, but not necessarily the same as a back door.

It raises the question, though, of how many companies have that particular combination of ethics and self-discipline to implement one and not the other. It sometimes takes extra work to build a product that performs security functions in a customer's network without granting yourself unnecessary privilege on that network. As we saw with RSA SecurID, many admins didn't realize that the vendor might be keeping a copy of the keys.

Sites with these products on their networks may want to consider whether Barracuda, as an external vendor, falls under the scope of their PCI requirements.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/