Computer Security - Secure VPN Gateway a new solution to InterNet Security
#11

"Sebastian Gottschalk" <> wrote in message news:...
> Walter Roberson wrote:
>
>> - In other words, posting a private letter to Usenet "probably" IS
>> a copyright violation
>
> Damn, no. The reason is a quite simple one: You cannot expect the sender
> to be unwilling to allow publishment unless he explicitly stated so. By
> posting a letter to someone you're actively putting it into public domain.
>
> The reason why it's illegal under _zivil_ rights is that's an
> unreasonable violation of privacy to publish someone else's private
> information without even asking him first.

Off-topic, and I Am Not A Lawyer, but a followup. The questions of email and Usenet copyright are quite old, and pretty well described at this antique FAQ:

http://www.faqs.org/faqs/law/copyright/faq/part3/

In particular, this note makes sense to me:

3. Almost certainly. They meet the requirement of being original works of authorship fixed in a tangible medium of expression (see section 2.3). They haven't been put in the public domain; generally, only an expiration of copyright or an unambiguous declaration by an author is sufficient to place a work into public domain.

There is then considerably more detail about what constitutes a violation of the existing copyright. My nose is completely clean due to the "fair use" doctrine, for reasons better described there. Admittedly, this probably is not New Zealand law, but I'm sticking with my own country's laws for safety's sake.

Nico Kadel-Garcia

#12

Chuck wrote:
> Call me skeptical, but why would I want to risk using an unknown
> security product? Why should I choose this over something like OpenVPN
> which is also free and makes the source code available for review?

....good point!

Imhotep

#13

Imhotep wrote:
> Chuck wrote:
>
>> Call me skeptical, but why would I want to risk using an unknown
>> security product? Why should I choose this over something like
>> OpenVPN which is also free and makes the source code available for
>> review?
>
> ...good point!

Or pptpclient and poptop, both at sourceforge.net with the same benefits and interoperability with Microsoft's built-in VPN tools.

Nico Kadel-Garcia

#14

On 2006-06-02, Nico Kadel-Garcia <> wrote:
> I just double-checked the license of OpenSSH, which states:
>
> * Copyright (c) 1995 Tatu Ylonen <>, Espoo, Finland
> * All rights reserved
> *
> * As far as I am concerned, the code I have written for this software
> * can be used freely for any purpose. Any derived versions of this
> * software must be clearly marked as such, and if the derived work is
> * incompatible with the protocol description in the RFC file, it must be
> * called by a name other than "ssh" or "Secure Shell".

Actually that's just the license for a subset of the files. The copyright is held by a number of people (including, for recent Portable versions, me) and while each file has its own license, a summary is available in the file "LICENCE". It says, in part:

"The licences which components of this software fall under are as follows. First, we will summarize and say that all components are under a BSD licence, or a licence more free than that. OpenSSH contains no GPL code."

[...]

> So I submit among its other weirdness, it's a violation of the very generous
> OpenSSH license, since the software is closed source and makes no such

Their use of OpenSSH is probably OK (I say "probably" because I'm not a lawyer and am not the copyright holder of most of it). A more interesting question is: what about the other components that they use? They appear to be using at least the Linux kernel which most definitely *is* GPLed (and most Linux-based systems use many other GPLed components in addition to just the kernel).

I downloaded the zip file and it contains only vmware images and no source code. Can someone who has run it confirm whether or not the source for the GPL'ed (and LGPL'ed) parts is available?

(Followup-To: set)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

#15

Rick Merrill wrote:
> Sebastian Gottschalk wrote:
>
>> Walter Roberson wrote:
>>
>>> - In other words, posting a private letter to Usenet "probably" IS
>>> a copyright violation
>>
>> Damn, no. The reason is a quite simple one: You cannot expect the sender
>> to be unwilling to allow publishment unless he explicitly stated so. By
>> posting a letter to someone you're actively putting it into public
>> domain.
>>
>> The reason why it's illegal under _zivil_ rights is that's an
>> unreasonable violation of privacy to publish someone else's private
>> information without even asking him first.
>
> Hey, cut the crap guys, I want to buy this thing - does it work?!

Rick,

I wrote Secure VPN Gateway. It does work and in my opinion it works really well. I believe that I have addressed some security issues that other products have not.

My reason for posting to these three news groups is that they all focus on Computer security issues. I hoped that members of these groups would also be focused on security, rather than GPL trivia.

My product needs to be tested, poked, and prodded by people that really know the security field.

In particular I'd like to know answers to these questions regarding the Secure VPN Gateway:

1) Can you stage a man in the middle attack and successfully gain access to a user's network services ?
2) Using some sort of spy ware (and not one you've written just for this product) can you automatically capture the ssh2 rsa file, username & password. Then use these to access any network services on the VPN gateway ?
3) Can anyone crack the Secure VPN gateway with whatever means they like and then gain access to any of the defined user network services ?

By "user network services" I'm referring to the "Link rules" which are basic ssh port forwarding details.

Please note - I'm really looking for constructive information here so please provide full details on how you managed to get around the security. I plan to use the information you provide to make the product even more secure. If I use your ideas, I'd like to include you in the product credits.

Regards
David Gempton. - Programmer (Not Lawyer)

#16

David Gempton wrote:
> I wrote Secure VPN Gateway. It does work and in my opinion it works
> really well. I believe that I have addressed some security issues
> that other products have not.

With no usable documentation, no published source code, and due to the lack of published source code, a complete violation of the GPL license for any GPL components such as glibc or a Linux kernel. It's a blackbox from an unknown author with no previous large scale products, making outrageous claims about being "Absolutely Secure VPN Gateway". There's not even an installation guide: that's just pitiful.

Without source code, we have to assume that the rest of your work is equally lax and poorly thought out. Nothing personal against you, but that's not how you engender the necessary trust in potential clients or users.

> My product needs to be tested, poked, and prodded by people that
> really know the security field.

Then publish your source, or do what a closed source software company must do: hire experts to review it. No one sane is going to vouch for it without access to the source.

> In particular I'd like to know answers to these questions regarding
> the Secure VPN Gateway:
> 1) Can you stage a man in the middle attack and successfully gain
> access to a user's network services ?
> 2) Using some sort of spy ware (and not one you've written just for
> this product) can you automatically capture the ssh2 rsa file,
> username & password. Then use these to access any network services on
> the VPN gateway ?
> 3) Can anyone crack the Secure VPN gateway with whatever means they
> like and then gain access to any of the defined user network services ?
> Please note - I'm really looking for constructive information here so
> please provide full details on how you managed to get around the
> security. I plan to use the information you provide to make the
> product even more secure. If I use your ideas, I'd like to include
> you in the product credits.

No, you're really not. You're looking for validation by some of the really sharp people available here of your personal little black box security tool. With no documentation and no source, this is like asking for a restaurant review and not even showing people the menu, only showing them the sign on the door.

I've just downloaded Smoothwall Express, and guess what? It's GPL Licensed, and by failing to publish your source code to people using your software, you're clearly in violation. I'm notifying them immediately.

Nico Kadel-Garcia

#17

On 2006-06-06, David Gempton <> wrote:
> 2) Using some sort of spy ware (and not one you've written just for this product) can you
> automatically capture the ssh2 rsa file, username & password. Then use these to access any
> network services on the VPN gateway ?

Why the artificial restriction "not one you've written just for this product"? Do you think attackers don't write attacks against specific products?

--
Elvis Notargiacomo master AT barefaced DOT cheek
http://www.notatla.org.uk/goen/
One of my other 11 computers runs Minix.

all mail refused

#18

all mail refused wrote:
> On 2006-06-06, David Gempton <> wrote:
>
>> 2) Using some sort of spy ware (and not one you've written just for this product) can you
>> automatically capture the ssh2 rsa file, username & password. Then use these to access any
>> network services on the VPN gateway ?
>
> Why the artificial restriction "not one you've written just for this product"?
> Do you think attackers don't write attacks against specific products?

That's a fair point.

I guess I was thinking along the lines of public Internet places (like Internet cafes) where the spyware that may be installed is going to be more general. Like key-logging software.

I'm sure that given a little information about how my software handles security it would not be difficult to write a very targeted application that could obtain a copy of the security details.

This is an area that I am currently working on improving. My aim is to come up with a connection model that mutates every time it's used. So even if you get a copy of the security details they will be of no use if you try and use them again.

- David Gempton.

#19

Nico Kadel-Garcia wrote:
> Imhotep wrote:
>> Chuck wrote:
>>
>>> Call me skeptical, but why would I want to risk using an unknown
>>> security product? Why should I choose this over something like
>>> OpenVPN which is also free and makes the source code available for
>>> review?
>>
>> ...good point!
>
> Or pptpclient and poptop, both at sourceforge.net with the same benefits
> and interoperability with Microsoft's built-in VPN tools.

Never liked pptp and I am not a Windows user but, good point about them (and sourceforge)...

Imhotep

#20

"David Gempton" <> wrote in message news:4485f81b$...
> all mail refused wrote:
>> On 2006-06-06, David Gempton <> wrote:
>>
>>> 2) Using some sort of spy ware (and not one you've written just for this
>>> product) can you automatically capture the ssh2 rsa file, username &
>>> password. Then use these to access any network services on the VPN
>>> gateway ?
>>
>> Why the artificial restriction "not one you've written just for this
>> product"?
>> Do you think attackers don't write attacks against specific products?
>
> That's a fair point.
>
> I guess I was thinking along the lines of public Internet places (like
> Internet cafes) where the spyware that may be installed is going to be
> more general. Like key-logging software.
>
> I'm sure that given a little information about how my software handles
> security it would not be difficult to write a very targeted application
> that could obtain a copy of the security details.
>
> This is an area that I am currently working on improving. My aim is to
> come up with a connection model that mutates every time it's used. So even
> if you get a copy of the security details they will be of no use if you
> try and use them again.

Ahh. Security through obscurity, *AND* violation of the GPL of the SmoothWall Express software you're pirating. (And you're blatantly in violation of the GPL on their software, by your own admission of using it and your failure to publish your source code along with your downloads.)

And this guy wonders why no one will take it seriously as the "ABSOLUTELY SECURE VPN" he advertises it as. Sheesh!

Nico Kadel-Garcia