Re: [Full-disclosure] Barracuda backdoor

On Apr 29, 2011, at 6:11 AM, Cal Leeming wrote:

On Fri, Apr 29, 2011 at 3:30 AM, bk <chort0@xxxxxxxxx> wrote:

On Fri, Apr 29, 2011 at 3:17 AM, bk <chort0@xxxxxxxxx> wrote:
On Apr 28, 2011, at 3:09 AM, Tõnu Samuel wrote:

One day their Barracuda product stopped working.

After investigating problem it came out that Barracuda reseller and
Barracuda itself have some misunderstandings and because of this
Barracuda not only disabled all kind of subscription services

You're unsubstantiated claims don't bare repeating. I will however point out that many vendors disable some portion of functionality when subscription or support payments lapse. This is widely done in the industry and a surprise to no one.


On Apr 28, 2011, at 7:20 PM, Cal Leeming wrote:

Name ten.

For starters, every anti-spam company ever. I should know, I've worked for half of them. At the very least you cannot get upgrades or patches of any kind. Most of them disable anti-spam updates, all of them disable anti-virus updates, and some even disable anti-spam scanning entirely. The anti-spam SaaS vendors I know of will disable accepting your mail after a grace period if you haven't moved your MX records.

Hmm, let's see. Firewall vendors won't let you apply updates, some of them cripple VPN functionality when your license has expired... really, do we need to go on? There's a long precedent for products going into a degraded mode if your subscription or license expires.


Everything you have mentioned there are when you have 'leased' a product, so if the license runs out, of course it's going to terminate those 'leased' services.

Actually, no. I'm really starting to doubt you have any experience what so ever with enterprise products. Every appliance I've ever heard of or sold personally is sold, as in ownership is transferred. The physical unit belongs to the party who purchased it. The continuing fees or subscriptions cover:
1. Support
2. Product updates and patches
3. Updates to anti-spam and anti-virus definitions
4. Other product features that either require infrastructure on the vendor's part, or capabilities that are OEM'd from another vendor and require recurring royalty fees.

In all those cases the hardware unit doesn't just stop working, but certain aspects of the software functionality that require money & effort from the vendor to support do cease to operate.

I believe OP is wildly exaggerating the extent to which functionality was impaired. I also really doubt that Barracuda, with thousands of units deployed in the field, would assign a human being to individually login remotely and disable them. They probably do it like most other vendors, where the units do periodic phone-home functions to a set of license servers. If there isn't an updated license present for the unit to download, functionality automatically turns off when the original license on the box expires.

Lastly, to touch on the other "shocking" subject, yes security appliance vendors have ssh access to the units in the field, either directly or via reverse tunnel. Every vendor I have experience with calls this out in their documentation and the custom either has to allow it explicitly through their firewall, or they're given the option to block it (in the case of reverse tunnel).

Anyone with a reasonable level of technical competence who has ever implemented one of these appliances from any vendor in this space would already be well aware of these facts. You'd probably all be stunned to learn that your phones, which can position you with accuracy of a few hundred feet, are storing information about locations of beaconing objects around them. Yes, I'll give you a few minutes to get over that shock.


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -