Today Chuck Daddy Wy-Fi became aware of injustice in the land of BarCamp San Diego.
I open with a bit of levity as this is an incredibly serious post and it weighs heavy on my heart and mind.
I am a direct member of numerous mailing lists and often have things sent to me from folks who are on lists I’m not a member of. Recently one of my numerous intelligence sources tipped me off to a thread on the BarCamp San Diego list about a product announcement on the list from an employee of Aten Labs named Dan Tentler. The thread subject was ZipLine – a new security product from AtenLabs (and Viss!)
Reading over the announcement, I had some concerns and posted a reply at 12/31/2009 01:16PM.
Here is the log snippet from my mail system showing the reply:
mail.log:85:Dec 31 16:42:41 charles-laptop postfix/smtp[4305]: CC9964DF6B: to=<barcampsd@googlegroups.com>, relay=gmr-smtp-in.l.google.com[209.85.222.207]:25, delay=1.2, delays=0.26/0.05/0.31/0.54, dsn=2.0.0, status=sent (250 2.0.0 OK 1262306560 24si4117155pzk.10)
Here is my post:
Viss wrote:
>> So how is this any better then OpenVPN running on a server I control?
>> Why on earth would one outsource their security to a 3rd party?
>>
>
> People did that with anonymizer. There was a huge camp of people who
> claimed flat out that "Anonymizer helps people spread spam and helps
> attackers be anonymous". This was wholely untrue, but it certainly
> didn't stop people from making accusations. The bottom line is just
> because someone says something on the internet, doesn't make it true.
>
Huh? What does that have to do with what I said? I'm not saying
that about your service. Let me ask another way.... What are the pros
and cons of Zipline vs my own (Ipsec/SSL)VPN solution?
> And plenty of companies outsource their security to 3rd parties. Any
> company that hires another company to do anything remotely security
> related is 'outsourcing their security'. Thats how companies like
> Tenable, Rapid7, Foreground and MANY others make their living -
> they're security experts and they work on a consultancy basis.
>
>
They outsource audits, vulnerability assessments etc yes. However
most organizations host a VPN terminator under their administrative
control, and often physical control. Placing that outside of ones control
is a recipe for disaster.
>
>> I'll let the other replies in this thread stand on their own (in
>> regards to the exploits you have pulled in the past at a coffee
>> shop).
>>
>
> I did exactly the same thing at Qualcomm, during RefreshSD for a room
> of 60 people. *EXACTLY* the same thing. Nobody at Qualcomm complained,
> in fact they came to me, shook my hand, and asked me what they could
> do to secure themselves in places where using cleartext was
> unavoidable. The difference is when I was at Qualcomm it was clearly
> understood that I was showing people something for educational
> purposes. At the coffeeshop there were a couple guys who went all fox
> news because they showed up an hour late and had no idea what was
> going on - then went berzerk and started a witch hunt.
>
>
Heh.... well that is your view of the world Dan. It's not what actually
happened. However it's not my place to comment on ongoing litigation
in a public forum.
>> Though I do rather like this quote:
>>
>> The architecture of Zipline is dubious from a security standpoint, and
>> moreover, we have every reason to believe that its operators are
>> precisely the sort of script-kiddies Zipline purports to protect
>> people
>> from.
>> Dan, you are the fox, offering hens your services as henhouse manager.
>> Moreover, you expect them to pay for it! The mind boggles.
>>
>
> How juvenile. Name calling and slinging mud, this is exactly what we
> want on the barcamp mailing list, thanks.
>
Oh I was simply reposting a quote from a previous reply on this thread.
I do agree it was a bit flamy, but it captures the sentiment of what
happened.
>
>> Even if you didn't pull those antics, why should any potential user of
>> your product trust you?
>>
>
> I'm not twisting your arm - if you dont like me, dont buy my products.
> So far the people from this mailing list that are using my product are
> quite happy with it.
>
Oh it has nothing to do with you personally. It has to do with
product/service
selection criteria. I was simply asking what about you and your organziation
would convince me to go with your product/service over something else
(namely
a vpn concentrator under my administrative control).
>
>> Do you hold industry standard credentials from
>> SANS or other reputable organizations?
>>
>
> I hold certs from websense and an OSCP cert. I don't see how this is
> relevant at all, since I'm offering a VPN product from a well known
> infrastructure vendor.
>
It was a follow on to my question of why I should choose you. I look for
these sort
of things when I select a security product or service.
>
>> Do you undergo regular security
>> audits?
>>
>
> Yes.
>
Good. Presumably the results of the audits are available to customers
upon request (subject to good faith/NDA etc)?
>
>> Do you meet any sort of SBOX/PCI compliance requirements? Or
>> are you just some guy with a box in a colo asking people to trust you
>> with their data?
>>
>
> I don't have to, I'm not a publically held company. I don't need to
> undergo audits to maintain PCI compliancy because I don't take credit
> card payments or store credit cards (I'm using paypal for now, then
> intend to use a solution provided to me by Intuit.). I don't have to
> undergo sarbox compliancy because, again, I'm not a publically held
> company and I don't have shareholders. I have, however, been paid to
> DO sarbox audits from an IT standpoint - I quite enjoy them.
>
Well... as an organization providing products/services, there are many
aspects of PCI and SBOX that apply to you. Many people/organizations
exploring your product/service will want that as a checkbox.
> The bottom line is this is sounding more and more like a flamewar.
> This is not something that belongs on the barcamp mailing list.
>
>
This is not a flame war. Mr Tentler, if you feel this is flaming, the you
sir have never been flamed. 
> If you aren't interested in my product, don't buy it - simple.
Is this the attitude you take with all potential customers Dan? This is
a pretty standard list of questions one might ask, especially after
performing
due diligence on you and your organization.
> If you
> have PROOF that I'm capturing packets, manipulating traffic, or doing
> something nefarious with zipline after I've clearly stated I haven't,
> please present it.
I don't. I'm simply asking questions about your product/service. The
various audits/compliance check boxes etc lead to further assurance.
At some point customers will simply need to trust you of course.
> Keep in mind - if someone was shortsighted enough
> to try and sell a product wherein the alterior motive was to capture
> traffic and someone were to find out - that would put them at the
> business end of a class-action lawsuit.
>
It would in all likelyhood land them in jail for violating federal law.
A lawsuit
would be the least of the worries.
I was not the first or last person to post a reply to the thread.
Mail messages available upon request.
However it now appears as if this thread was deleted. It is no longer in the Bar Camp San Diego google group archives.
If one looks at the owner of this google group they will see that it is Viss. The same person who initiated the thread.
If I was asked for my expert opinion in this matter, I would say that the list owner deleted the thread as it was critical of his product. I have no proof that the list owner deleted the thread. It is just my opinion, and not a statement of fact.
I will leave it to the community to draw their own conclusions to ethics and morals around this activity.