[Freeswitch-users] Hello hackers!

Cal Leeming [Simplicity Media Ltd] cal.leeming at simplicitymedialtd.co.uk
Sun Dec 9 07:46:57 MSK 2012


Thank you for the detailed response.

On Sun, Dec 9, 2012 at 1:29 AM, Brian Foster <bdfoster at endigotech.com>wrote:

> The 'bad apple' in which I was referring to was using the same IP as a
> client of ours. He was trying to DOS the honeypot from an IP I posted on
> the mailing list when doing some testing for someone. I have no idea if he
> read the post on the mailing list or not. It's not really of my concern.
>

You know what happens when someone attacks one of our clients?

We track them down, introduce them to the CTO/CEO of the company they
attacked, and give them an opportunity to prove themselves. I have been
involved in this process on several occasions now where the outcome has
been extremely positive. I'm not saying this works all the time, but
sometimes people don't need punishment, they need guidance.


>
> If you got on the wiki and searched for fail2ban, you would be setting up
> your server to jail the same IP's we are under the same circumstances. The
> only difference is we log who gets caught by fail2ban and distribute the
> list internally.
>

> We do not release this information per company policy. We also do not
> gather this information from other sources. We only use the information we
> gather through the processes we put in to place.
>
> My comment on the 180K IP's was mostly sarcastic, however. It probably
> wasn't appropriate and I do apologize for that.
>
> I'm not exactly up to date on the legalities of releasing that type of
> information so we rather not release it. It's nothing against the
> freeswitch community or the open source community. We just don't like
> getting in trouble.
>
> If we did spend the resources into making sure everything was legal on the
> information regarding the 180K IP's, we would certainly release these free
> of charge. It's not something I would be interested in making money from.
>

The concept is no different to email blacklist databases (e.g. XBL), and
there would be no legalities stopping you from releasing this information
into the public domain - only internal red tape and policies. I can say
this with at least some authority on the subject (although I'm by no means
an expert).

Right now we live in a society where often companies can't/won't share
information for one reason or another (I hear the 'company policy' story a
lot), but yet feel it's okay to use years of time/development in open
source for free. I mean no direct disrespect, I just personally find this
quite irritating.


> As far as telling this story on a public mailing list, it won't stop
> anyone from trying to hack into anyone's server. It does frustrate me that
> I have to do any of this stuff at all, but there's always going to be
> someone out there trying to screw it up for the rest of us. These servers
> are also set up for testing, which is why I use them when trying to help
> people on the mailing list. There is really nothing you can do to these
> machines to 'screw them up'. They are VPS's. There are no accounts tied to
> them. We can change those IP's in a heartbeat. There's really no risk.
> Besides, hackers can't read ;)
>

> The biggest thing you should take away from this post is that I'm pissed
> off that I have to go through all of this. Even though it makes our lives
> easier in the long run, it's still an expense we could live without.
>

Giving away IPs shouldn't amount to any concern in the first place though,
hence the previous comment about security through obscurity..

It all comes down to stacking... there is no one big solution, just lots of
small solutions (assuming you don't believe those AF/WAF sales guys selling
god damn snake oil)

Production services really shouldn't be live without at least being behind
some form of DPI/SPI appliance (L7 deep/stateful packet inspection).

I will agree with you that cost can be a contributing factor.. but hey, I
don't like paying tax.. still gotta pay it!


>
> Believe it or not the whole reason why I started doing honeypots is that
> about 8 months ago I DID release IP's that I shouldn't have, by accident.
> Since then I have added more resources to help curve the attacks on other
> servers we have contracts on.
>

>
>
> -BDF
> Sent from my iPhone
>
> On Dec 8, 2012, at 7:28 PM, "Cal Leeming [Simplicity Media Ltd]" <
> cal.leeming at simplicitymedialtd.co.uk> wrote:
>
> Hi Brian,
>
> I had contemplated replying off-list, but was interested to hear other
> peoples thoughts on this too.
>
> First - could you elaborate further on the 'bad apple' that you found,
> exactly what justifies an attempt to 'hack into our phone systems', and why
> this person in your story has been fired because of it?
>
> Second, in reference to the 180k IPs.. There are other companies out there
> that share abusive IP information from a variety of sources. Why do they
> share? Because it's nice to share. If the FreeSWITCH developers took the
> same attitude as your post here, then you wouldn't have FreeSWITCH.
>
> Third, why are you telling us this on a public mailing list? If the
> honeypots are designed to catch people unwittingly, then this post does the
> exact opposite. This leads me to think that a more probable story is that
> you actually don't have any honey pots (or the story is slightly
> exaggerated), and when you realised you gave out potentially damaging
> information, you panic'd and tried to discourage by asserting this email.
> If this is the case, then you are taking the lay approach of security
> through obscurity.
>
> Fourth, if someone is wanting to break into your phone system, they
> probably don't care about losing their job.. and if they do, then this post
> will just give them more reason to be careful about hiding themselves.
>
> I apologise in advance if this reply is inappropriate in anyway.
>
> Cal
>
> On Sat, Dec 8, 2012 at 11:05 PM, Brian Foster <bdfoster at endigotech.com>wrote:
>
>> Regarding a recent mailing list posting that included some of my IP
>> addresses, most of you don't know that I do set up honeypots in hopes of
>> catching some of the bad apples that try and hack into our phone systems.
>> We have a centralized list of Bad IP's that end up getting sent to all of
>> our other servers. Today, one of those servers was an IT guy that works for
>> one of my clients. He has since been fired. If anyone is interested in the
>> 180,000 IP's I've collected...sorry you can't have 'em.
>>
>> -BDF
>>
>> Sent from my iPhone
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> 
>> 
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20121209/073267c0/attachment-0001.html 


Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list