Sounds like I might have slightly misinterpreted your initial email and jumped too fast to a conclusion, so my apologies for this!<div><br></div><div>I agree that it's rare to have a discussion about such topics without things getting hot, and hearing someone else's thoughts on the subject has been quite interesting.</div>
<div><div><div><br></div><div>Cal<br><br><div class="gmail_quote">On Sun, Dec 9, 2012 at 6:49 AM, Brian Foster <span dir="ltr"><<a href="mailto:bdfoster@endigotech.com" target="_blank">bdfoster@endigotech.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I appreciate your comments and concerns, and I respect the fact that we can talk about this stuff without things getting ugly. My comments are below.<div>
<br></div><div>-BDF<br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="im">
On Sat, Dec 8, 2012 at 11:46 PM, Cal Leeming [Simplicity Media Ltd] <span dir="ltr"><<a href="mailto:cal.leeming@simplicitymedialtd.co.uk" target="_blank">cal.leeming@simplicitymedialtd.co.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thank you for the detailed response.<br><br><div class="gmail_quote"><div>On Sun, Dec 9, 2012 at 1:29 AM, Brian Foster <span dir="ltr"><<a href="mailto:bdfoster@endigotech.com" target="_blank">bdfoster@endigotech.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>The 'bad apple' in which I was referring to was using the same IP as a client of ours. He was trying to DOS the honeypot from an IP I posted on the mailing list when doing some testing for someone. I have no idea if he read the post on the mailing list or not. It's not really of my concern.</div>
</div></blockquote><div><br></div></div><div>You know what happens when someone attacks one of our clients? </div><div><br></div><div>We track them down, introduce them to the CTO/CEO of the company they attacked, and give them an opportunity to prove themselves. I have been involved in this process on several occasions now where the outcome has been extremely positive. I'm not saying this works all the time, but sometimes people don't need punishment, they need guidance.</div>
</div></blockquote><div><br></div></div><div>This is not really a practice of ours because there are so many people out there that contribute to the problem. It's too time consuming to educate those people. I really wish I could do that, but it's just not feasible. We do not actively pursue these abusive IP's nor do we DDOS them or fight back in any other way other than fighting back some of the noise through blocking those activities on machines we support.</div>
<div class="im">
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto"><div><br></div><div>If you got on the wiki and searched for fail2ban, you would be setting up your server to jail the same IP's we are under the same circumstances. The only difference is we log who gets caught by fail2ban and distribute the list internally. </div>
</div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><br></div><div>We do not release this information per company policy. We also do not gather this information from other sources. We only use the information we gather through the processes we put in to place.</div>
<div><br></div><div>My comment on the 180K IP's was mostly sarcastic, however. It probably wasn't appropriate and I do apologize for that. </div><div><br></div><div>I'm not exactly up to date on the legalities of releasing that type of information so we rather not release it. It's nothing against the freeswitch community or the open source community. We just don't like getting in trouble.</div>
<div><br></div><div>If we did spend the resources into making sure everything was legal on the information regarding the 180K IP's, we would certainly release these free of charge. It's not something I would be interested in making money from.</div>
</div></blockquote><div><br></div></div><div>The concept is no different to email blacklist databases (e.g. XBL), and there would be no legalities stopping you from releasing this information into the public domain - only internal red tape and policies. I can say this with at least some authority on the subject (although I'm by no means an expert).</div>
</div></blockquote><div><br></div></div><div>I'm open to this idea, but I would have to consult attorneys to do this. We operate very cautiously as in we do not operate in grey areas. If this is a potential grey area we will certainly take the extra precautions in order to prevent legal issues. </div>
<div><br></div><div>This isn't some big company that has endless amounts of resources. We're a small business, just like those we support. We also have to consider how this effects our clients as well, and we're not about to take the risk of operating in a grey area. I can't afford mistakes like that especially since we're still a brand new company in the grand scheme of things.</div>
<div class="im">
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_quote"><div><div>Right now we live in a society where often companies can't/won't share information for one reason or another (I hear the 'company policy' story a lot), but yet feel it's okay to use years of time/development in open source for free. I mean no direct disrespect, I just personally find this quite irritating.</div>
</div></div></blockquote><div><br></div></div><div>First of all I'd like to introduce you to the CEO of Endigo Computer LLC. He's 23 years old, and is currently in school pursuing his Bachelors in Computer Science and eventually his Masters. He also works part time at a real estate firm. Hi :)</div>
<div><br></div><div>We are not foreign to the open source world. I founded this company back in 2010 to help promote the use of open source software. We seek clients who are tired of proprietary, non-moldable software for an open-source based solution that works for them. Most of our technical staff are hired from within the open source community and contribute to various open source projects both on and off company time. I'm extremely happy to find people who live and breathe the open source philosophy. </div>
<div class="im">
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_quote"><div>
</div><div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><br></div><div>As far as telling this story on a public mailing list, it won't stop anyone from trying to hack into anyone's server. It does frustrate me that I have to do any of this stuff at all, but there's always going to be someone out there trying to screw it up for the rest of us. These servers are also set up for testing, which is why I use them when trying to help people on the mailing list. There is really nothing you can do to these machines to 'screw them up'. They are VPS's. There are no accounts tied to them. We can change those IP's in a heartbeat. There's really no risk. Besides, hackers can't read ;) </div>
</div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><br></div><div>The biggest thing you should take away from this post is that I'm pissed off that I have to go through all of this. Even though it makes our lives easier in the long run, it's still an expense we could live without. </div>
</div></blockquote><div><br></div></div><div>Giving away IPs shouldn't amount to any concern in the first place though, hence the previous comment about security through obscurity..</div></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote"><div><br></div><div>It all comes down to stacking... there is no one big solution, just lots of small solutions (assuming you don't believe those AF/WAF sales guys selling god damn snake oil)</div>
<div><br></div><div>Production services really shouldn't be live without at least being behind some form of DPI/SPI appliance (L7 deep/stateful packet inspection).</div><div><br></div><div>I will agree with you that cost can be a contributing factor.. but hey, I don't like paying tax.. still gotta pay it!</div>
</div></blockquote><div><br></div></div><div>This strategy of using honeypots is certainly not the only tactic we use to fight attacks like this. It's just one piece of the puzzle. I can assure you there are many other processes in place to actively and passively protect the machines we support. </div>
<div><div class="h5">
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_quote"><div><div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><br></div><div>Believe it or not the whole reason why I started doing honeypots is that about 8 months ago I DID release IP's that I shouldn't have, by accident. Since then I have added more resources to help curve the attacks on other servers we have contracts on. </div>
</div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><div><br></div><div><br></div><div><br></div><div>-BDF</div><div>Sent from my iPhone</div>
</div><div><div><div><br>On Dec 8, 2012, at 7:28 PM, "Cal Leeming [Simplicity Media Ltd]" <<a href="mailto:cal.leeming@simplicitymedialtd.co.uk" target="_blank">cal.leeming@simplicitymedialtd.co.uk</a>> wrote:<br>
<br></div><blockquote type="cite"><div>Hi Brian,<div><br></div><div>I had contemplated replying off-list, but was interested to hear other peoples thoughts on this too.</div><div><br></div><div><div><div>First - could you elaborate further on the 'bad apple' that you found, exactly what justifies an attempt to 'hack into our phone systems', and why this person in your story has been fired because of it?</div>
<div><br></div><div>Second, in reference to the 180k IPs.. There are other companies out there that share abusive IP information from a variety of sources. Why do they share? Because it's nice to share. If the FreeSWITCH developers took the same attitude as your post here, then you wouldn't have FreeSWITCH.</div>
<div><br></div><div>Third, why are you telling us this on a public mailing list? If the honeypots are designed to catch people unwittingly, then this post does the exact opposite. This leads me to think that a more probable story is that you actually don't have any honey pots (or the story is slightly exaggerated), and when you realised you gave out potentially damaging information, you panic'd and tried to discourage by asserting this email. If this is the case, then you are taking the lay approach of security through obscurity.</div>
<div><br></div><div>Fourth, if someone is wanting to break into your phone system, they probably don't care about losing their job.. and if they do, then this post will just give them more reason to be careful about hiding themselves.</div>
<div><br></div><div>I apologise in advance if this reply is inappropriate in anyway.</div><div><br></div><div>Cal</div><div><br><div class="gmail_quote">On Sat, Dec 8, 2012 at 11:05 PM, Brian Foster <span dir="ltr"><<a href="mailto:bdfoster@endigotech.com" target="_blank">bdfoster@endigotech.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Regarding a recent mailing list posting that included some of my IP addresses, most of you don't know that I do set up honeypots in hopes of catching some of the bad apples that try and hack into our phone systems. We have a centralized list of Bad IP's that end up getting sent to all of our other servers. Today, one of those servers was an IT guy that works for one of my clients. He has since been fired. If anyone is interested in the 180,000 IP's I've collected...sorry you can't have 'em.<br>
<br>
-BDF<br>
<br>
Sent from my iPhone<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</blockquote></div><br></div></div></div>
</div></blockquote><blockquote type="cite"><div><span>_________________________________________________________________________</span><br><span>Professional FreeSWITCH Consulting Services:</span><br><span><a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a></span><br>
<span><a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a></span><br><span></span><br><span>FreeSWITCH-powered IP PBX: The CudaTel Communication Server</span><br><span><a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a></span><br>
<span></span><br><span>Official FreeSWITCH Sites</span><br><span><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a></span><br><span><a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a></span><br>
<span><a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a></span><br><span></span><br><span>FreeSWITCH-users mailing list</span><br><span><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a></span><br>
<span><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a></span><br><span>UNSUBSCRIBE:http://<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">lists.freeswitch.org/mailman/options/freeswitch-users</a></span><br>
<span><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a></span><br></div></blockquote></div></div></div><br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div></div></div><br>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div></div></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br>Brian D. Foster<br>Endigo Computer LLC<br>Email: <a href="mailto:bdfoster@endigotech.com" target="_blank">bdfoster@endigotech.com</a><br>
Phone: <a href="tel:317-800-7876" value="+13178007876" target="_blank">317-800-7876</a><br>
Indianapolis, Indiana, USA<br><br>This message contains confidential information and is intended for those listed in the "To:", "CC:", and/or "BCC:" fields of the message header. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.<br>
<br>
</font></span></div></div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br></div></div></div>