[Freeswitch-users] Hello hackers!

Sun Dec 9 09:49:27 MSK 2012

I appreciate your comments and concerns, and I respect the fact that we can
talk about this stuff without things getting ugly. My comments are below.

-BDF

On Sat, Dec 8, 2012 at 11:46 PM, Cal Leeming [Simplicity Media Ltd] <
cal.leeming at simplicitymedialtd.co.uk> wrote:

> Thank you for the detailed response.
>
> On Sun, Dec 9, 2012 at 1:29 AM, Brian Foster <bdfoster at endigotech.com>wrote:
>
>> The 'bad apple' in which I was referring to was using the same IP as a
>> client of ours. He was trying to DOS the honeypot from an IP I posted on
>> the mailing list when doing some testing for someone. I have no idea if he
>> read the post on the mailing list or not. It's not really of my concern.
>>
>
> You know what happens when someone attacks one of our clients?
>
> We track them down, introduce them to the CTO/CEO of the company they
> attacked, and give them an opportunity to prove themselves. I have been
> involved in this process on several occasions now where the outcome has
> been extremely positive. I'm not saying this works all the time, but
> sometimes people don't need punishment, they need guidance.
>

This is not really a practice of ours because there are so many people out
there that contribute to the problem. It's too time consuming to educate
those people. I really wish I could do that, but it's just not feasible. We
do not actively pursue these abusive IP's nor do we DDOS them or fight back
in any other way other than fighting back some of the noise through
blocking those activities on machines we support.

>
>> If you got on the wiki and searched for fail2ban, you would be setting up
>> your server to jail the same IP's we are under the same circumstances. The
>> only difference is we log who gets caught by fail2ban and distribute the
>> list internally.
>>
>
>> We do not release this information per company policy. We also do not
>> gather this information from other sources. We only use the information we
>> gather through the processes we put in to place.
>>
>> My comment on the 180K IP's was mostly sarcastic, however. It probably
>> wasn't appropriate and I do apologize for that.
>>
>> I'm not exactly up to date on the legalities of releasing that type of
>> information so we rather not release it. It's nothing against the
>> freeswitch community or the open source community. We just don't like
>> getting in trouble.
>>
>> If we did spend the resources into making sure everything was legal on
>> the information regarding the 180K IP's, we would certainly release these
>> free of charge. It's not something I would be interested in making money
>> from.
>>
>
> The concept is no different to email blacklist databases (e.g. XBL), and
> there would be no legalities stopping you from releasing this information
> into the public domain - only internal red tape and policies. I can say
> this with at least some authority on the subject (although I'm by no means
> an expert).
>

I'm open to this idea, but I would have to consult attorneys to do this. We
operate very cautiously as in we do not operate in grey areas. If this is a
potential grey area we will certainly take the extra precautions in order
to prevent legal issues.

This isn't some big company that has endless amounts of resources. We're a
small business, just like those we support. We also have to consider how
this effects our clients as well, and we're not about to take the risk of
operating in a grey area. I can't afford mistakes like that especially
since we're still a brand new company in the grand scheme of things.

> Right now we live in a society where often companies can't/won't share
> information for one reason or another (I hear the 'company policy' story a
> lot), but yet feel it's okay to use years of time/development in open
> source for free. I mean no direct disrespect, I just personally find this
> quite irritating.
>

First of all I'd like to introduce you to the CEO of Endigo Computer LLC.
He's 23 years old, and is currently in school pursuing his Bachelors in
Computer Science and eventually his Masters. He also works part time at a
real estate firm. Hi :)

We are not foreign to the open source world. I founded this company back in
2010 to help promote the use of open source software. We seek clients who
are tired of proprietary, non-moldable software for an open-source based
solution that works for them. Most of our technical staff are hired from
within the open source community and contribute to various open source
projects both on and off company time. I'm extremely happy to find people
who live and breathe the open source philosophy.

>
>> As far as telling this story on a public mailing list, it won't stop
>> anyone from trying to hack into anyone's server. It does frustrate me that
>> I have to do any of this stuff at all, but there's always going to be
>> someone out there trying to screw it up for the rest of us. These servers
>> are also set up for testing, which is why I use them when trying to help
>> people on the mailing list. There is really nothing you can do to these
>> machines to 'screw them up'. They are VPS's. There are no accounts tied to
>> them. We can change those IP's in a heartbeat. There's really no risk.
>> Besides, hackers can't read ;)
>>
>
>> The biggest thing you should take away from this post is that I'm pissed
>> off that I have to go through all of this. Even though it makes our lives
>> easier in the long run, it's still an expense we could live without.
>>
>
> Giving away IPs shouldn't amount to any concern in the first place though,
> hence the previous comment about security through obscurity..
>

> It all comes down to stacking... there is no one big solution, just lots
> of small solutions (assuming you don't believe those AF/WAF sales guys
> selling god damn snake oil)
>
> Production services really shouldn't be live without at least being behind
> some form of DPI/SPI appliance (L7 deep/stateful packet inspection).
>
> I will agree with you that cost can be a contributing factor.. but hey, I
> don't like paying tax.. still gotta pay it!
>

This strategy of using honeypots is certainly not the only tactic we use to
fight attacks like this. It's just one piece of the puzzle. I can assure
you there are many other processes in place to actively and passively
protect the machines we support.

>
>
>>
>> Believe it or not the whole reason why I started doing honeypots is that
>> about 8 months ago I DID release IP's that I shouldn't have, by accident.
>> Since then I have added more resources to help curve the attacks on other
>> servers we have contracts on.
>>
>
>>
>>
>> -BDF
>> Sent from my iPhone
>>
>> On Dec 8, 2012, at 7:28 PM, "Cal Leeming [Simplicity Media Ltd]" <
>> cal.leeming at simplicitymedialtd.co.uk> wrote:
>>
>> Hi Brian,
>>
>> I had contemplated replying off-list, but was interested to hear other
>> peoples thoughts on this too.
>>
>> First - could you elaborate further on the 'bad apple' that you found,
>> exactly what justifies an attempt to 'hack into our phone systems', and why
>> this person in your story has been fired because of it?
>>
>> Second, in reference to the 180k IPs.. There are other companies out
>> there that share abusive IP information from a variety of sources. Why do
>> they share? Because it's nice to share. If the FreeSWITCH developers took
>> the same attitude as your post here, then you wouldn't have FreeSWITCH.
>>
>> Third, why are you telling us this on a public mailing list? If the
>> honeypots are designed to catch people unwittingly, then this post does the
>> exact opposite. This leads me to think that a more probable story is that
>> you actually don't have any honey pots (or the story is slightly
>> exaggerated), and when you realised you gave out potentially damaging
>> information, you panic'd and tried to discourage by asserting this email.
>> If this is the case, then you are taking the lay approach of security
>> through obscurity.
>>
>> Fourth, if someone is wanting to break into your phone system, they
>> probably don't care about losing their job.. and if they do, then this post
>> will just give them more reason to be careful about hiding themselves.
>>
>> I apologise in advance if this reply is inappropriate in anyway.
>>
>> Cal
>>
>> On Sat, Dec 8, 2012 at 11:05 PM, Brian Foster <bdfoster at endigotech.com>wrote:
>>
>>> Regarding a recent mailing list posting that included some of my IP
>>> addresses, most of you don't know that I do set up honeypots in hopes of
>>> catching some of the bad apples that try and hack into our phone systems.
>>> We have a centralized list of Bad IP's that end up getting sent to all of
>>> our other servers. Today, one of those servers was an IT guy that works for
>>> one of my clients. He has since been fired. If anyone is interested in the
>>> 180,000 IP's I've collected...sorry you can't have 'em.
>>>
>>> -BDF
>>>
>>> Sent from my iPhone
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> 
>>> 
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> 
>> 
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> 
>> 
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>

-- 
Brian D. Foster
Endigo Computer LLC
Email: bdfoster at endigotech.com
Phone: 317-800-7876
Indianapolis, Indiana, USA

This message contains confidential information and is intended for those
listed in the "To:", "CC:", and/or "BCC:" fields of the message header. If
you are not the intended recipient you are notified that disclosing,
copying, distributing or taking any action in reliance on the contents of
this information is strictly prohibited. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be intercepted,
corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
The sender therefore does not accept liability for any errors or omissions
in the contents of this message, which arise as a result of e-mail
transmission. If verification is required please request a hard-copy
version.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20121209/63bc848e/attachment-0001.html 