Secure VPN Gateway a new solution to InterNet Security

Discussion in 'Computer Security' started by David Gempton, Jun 2, 2006.

  1. Absolutely Secure VPN Gateway


    It's the most secure way to connect & now it's free!

    Connecting to secure systems over the Internet just got a whole lot safer and easier.

    * Need to connect numerous service providers to different components on your network and
    keep total control ?
    * Need to provide easy access to busy staff members when they are away from the office ?
    * Want to have access to your home computer when you're overseas ?
    * Worried about SpyWare and maintaining security ?
    * Looking for a VPN solution that is quick and easy to install ?

    Stop looking ! This is the perfect solution

    Download your free copy from here:
    http://www.ttc4it.co.nz/download/TTC-VPN-Secure-Gateway.zip

    This is a VMware appliance so you'll need VM Player. You can download your free VM player
    from here:
    http://www.vmware.com/download/player/

    Full documentation and support is available from here:
    http://www.ttc4it.co.nz/cgi-bin/yabb/YaBB.cgi

    Secure VPN Gateway from TTC enables you to connect to applications and network services,
    secured behind a firewall, without compromising security.

    At TTC we have developed a secure VPN system that is suitable for everyone to use. There
    is no tricky installation and no client configuration. The whole product can be up and
    running within a few minutes of downloading. This saves you time and allows you to get on
    with business.

    The Secure VPN Gateway just requires a dhcp server to provide it with a network address.
    With this information it configures itself and tells you how to access the management web
    page.

    The VPN client package learns everything directly from the Secure VPN Gateway. Once
    started, the person using the Secure VPN client, is presented with a menu of their
    available network services. Access is as simple as clicking a start button.

    Our key to security.
    ====================
    Our extreme security comes from individually coded client packages that are generated for
    each user by the Secure VPN Gateway. This builds unique digital keys directly into each
    client package. The built-in digital key improves security beyond that of many VPN
    clients because the user must have the correct client package (digital key), the correct
    login name, and the correct password. The digital key is never typed and all network
    communication is strongly encrypted, so “SpyWare” applications are unable to break the
    security. This is of vital importance for people who use public computers to access
    corporate or private resources.

    The Secure VPN gateway is configured and managed from an administration web page where all
    account setup functions are performed. Administrators can create, edit, delete, and
    disconnect live users from this web page. Network link rules are defined and then
    allocated to user accounts. Network link rules provide a network description of the
    service that the user is connecting to. The rule definition allows the administrator to
    use their own words to describe the link rule making it easily adaptable to every user's
    level of understanding.

    For example; “Bob's human resource files” or “Corporate internal e-mail server” rather
    than cryptic strings of numbers.

    Help is only a click away
    =========================
    http://www.ttc4it.co.nz/cgi-bin/yabb/YaBB.cgi

    We have eliminated the most frustrating problem with downloaded software by putting all
    the documentation and access to the software developers right at your fingertips.

    This is done through a free bulletin board where users can read and download
    documentation. They can also share their own experiences with using the software.
    Posting issues and solutions for all users to share. Access to the bulletin board is
    provided directly from the Secure VPN Client and the Administration web page.

    To post a topic/question you just need to register first.

    How was it built
    ================
    This VMware appliance has been built on top of the outstanding freeware firewall,
    Smoothwall Express. Written exclusively in Perl the TTC Secure VPN Gateway has been in
    development and testing for the past 24 months.

    It was intended to run on a standalone server but thanks to the efficient VMPlayer from
    Vmware it can now be run under any environment where VMPlayer is supported. The most
    significant market breakthrough here is the ability to deploy it as an application on a
    Microsoft Windows system.

    Vmware workstation has played a vital part in the development and testing of the TTC
    Secure VPN Gateway. We are delighted to be able to offer this application

    How to get started
    ==================
    Once you have installed VMPlayer and downloaded the zip file “TTC-VPN-Secure-Gateway.zip”,
    simply expand the zip file on the computer that will be hosting the VM-appliance.
    Now start VMPlayer and open the VM appliance found under the TTC-VPN-Secure-Gateway
    directory.

    The appliance will start automatically. When it is up and running a page of information
    will be displayed on the VMPlayer console. Press enter to make sure the information is up
    to date.

    The information on the console will show you three important details:
    1. The external IP address of the Secure VPN Gateway.
    2. The port forwarding rule to configure on your firewall (if you have one) to enable the
    VPN clients to communicate with the Secure VPN Gateway.
    3. The URL for accessing the management web page.

    For example:
    ============
    Secure VPN Controller
    My external IP address is 192.168.1.184
    If I am behind a firewall please set a port forwarding rule on the firewall as follows:
    inbound TCP port ==> TCP port : IP address
    2227 ==> 2227 : 192.168.1.184
    Then access my web management interface and change the settings for the “external
    interface” to firewall's external IP address.
    The URL for my web management interface is:
    http://192.168.1.184:81/vpn_frame.html

    When you access the management web page you will be prompted to login.

    The default user name is : administrator
    The default password is : admin123
    (This can be changed from the “Manage the users of this page” menu option.)

    Note# The full documentation and online help is available by clicking on the words “Click
    here for help” at the top right of the screen.

    After logging in to the web page as the administrator, use the menu on the left side of
    your screen and click on “Change settings”. Make sure that the “External IP” address is
    correct. If you will be accessing the Secure VPN Gateway through a firewall the “External
    IP” should be set to the IP address that reaches the firewall from the Internet.

    If you do not have a firewall then the “External IP” setting should be correct.

    Now generate your first VPN Client kit by clicking on the Refresh keys icon for the
    administrator. And confirm that you want to proceed. Now click on the red download symbol
    to receive a copy of the administrator VPN client kit.

    Congratulations, this client kit can now be used to connect to Secure VPN controller from
    the Internet.

    Now it's time to “Click here for help” and download a copy of the Secure VPN documentation.
    This will explain how to:
    Use the VPN client.
    Create VPN Link Rules
    Create user accounts
    Even how to change the logos to your own.
    David Gempton, Jun 2, 2006
    #1

  2. David Gempton

    nemo_outis Guest

    David Gempton <> wrote in news::

    > Absolutely Secure VPN Gateway

    ....


    If a man brags about his honesty, or a woman her virtue, avoid the former
    and cultivate the latter.

    IOW why the **** should we trust you?

    Regards,
    nemo_outis, Jun 2, 2006
    #2

  3. "David Gempton" <> wrote in message
    news:...
    > Absolutely Secure VPN Gateway


    It's a joke: I've written to the website owner: and he's responded only that
    it's Legitimate! Honest! I Promise! Ask me anything! And here's the website
    with my non-existent documentation, all written by me!

    Given the lack of documentation, source code, explanation of how it works,
    and the apparent one-person operation, it's obvious that it's a start up
    operation and lacks any pretense of code review that should be in place for
    what is obviously a one-man operation, no one sane should be using it.

    Also, since he's stated in his email to me that it "uses the OpenSSH"
    protocol, I'm notifying the OpenSSH authors that he's probably in violation
    of the very limited OpenSSH licensing.

    What a maroon!
    Nico Kadel-Garcia, Jun 2, 2006
    #3
  4. I just double-checked the license of OpenSSH, which states:

    * Copyright (c) 1995 Tatu Ylonen <>, Espoo, Finland
    * All rights reserved
    *
    * As far as I am concerned, the code I have written for this software
    * can be used freely for any purpose. Any derived versions of this
    * software must be clearly marked as such, and if the derived work is
    * incompatible with the protocol description in the RFC file, it must be
    * called by a name other than "ssh" or "Secure Shell".

    I wrote to the website's public info address: it's obviously a one-man
    operation, since David Gempton himself wrote back to me with this. (I'm not
    posting the entire letter, because it's generally considered rude to post
    the complete contents of a private email to a public newsgroup, even though
    it's probably not a copyright violation as some fools complain if you do
    so.)

    This is a product that uses openssh protocols to provide encrypted
    communication channels between clients - the secure gateway - and
    network services on the same LAN as the secure gateway.

    So I submit among its other weirdness, it's a violation of the very generous
    OpenSSH license, since the software is closed source and makes no such
    public notice. Moreover, since he's acting like this, I certainly wouldn't
    want to use a security product from anyone this obviously such a fool. The
    stuff obviously needs a complete public source code publication to see just
    what else he's done under the hood.

    I've never heard of him before this crosspost to comp.security.ssh, where
    I'm active. Can anyone here vouch for him? Was this just a really, really
    bad mistake?, or what? The only stuff I see in groups.google.com from the
    same name is from 1997 and 1998, also from New Zealand address, so it might
    be the same guy. But it's not as if this is from a well-respected,
    well-known poster.

    Nico Kadel-Garcia
    Nico Kadel-Garcia, Jun 2, 2006
    #4

  5. > Absolutely Secure VPN Gateway


    Never trust anything Described in Capitalized Superlatives!

    --
    Richard Silverman
    Richard E. Silverman, Jun 2, 2006
    #5
  6. David Gempton

    Chuck Guest

    Call me skeptical, but why would I want to risk using an unknown
    security product? Why should I choose this over something like OpenVPN
    which is also free and makes the source code available for review?
    Chuck, Jun 2, 2006
    #6
  7. In article <>,
    Nico Kadel-Garcia <> wrote:
    >(I'm not
    >posting the entire letter, because it's generally considered rude to post
    >the complete contents of a private email to a public newsgroup, even though
    >it's probably not a copyright violation as some fools complain if you do
    >so.)


    Where to start??

    - These are international newsgroups.

    - Copyright law varies from jurisdiction to jurisdiction.

    - Copyright law deals with the Rights To Copy (and to control when
    copies are made.)

    - In many jurisdictions, material is considered "published" if unrestricted
    access to it is made available to even just one person in that
    jurisdiction. For example, a letter sent to a *specific* (listed)
    set of people is not usually considered to be "published", and
    material made available only under NDA (Non-disclosure agreement)
    {including in the course of employment} is not usually considered
    "published", but if the material is made available without controls
    (e.g., copies offered for public sale, a copy posted on the town
    notice-board) then the material is usually considered "published".

    - In many jurisdictions, publishing includes electronic dissemination

    - In many jurisdictions, if a person submits an electronic document
    to an automated copying mechanism, then that person is considered to
    have made all of the copies that result without further human interaction

    - Thus, in those jurisdictions, the action of posting a letter to
    a Usenet newsgroup (which is, by definition, allowing uncontrolled access
    to the letter) is considered to be one count of "publishing" the letter
    for each automated copy that results -- even though the person
    only pressed "send" once.

    - Hence, posting a letter to a Usenet newsgroup is considered by
    many jurisdictions to be "copying" the letter and "publishing" it,
    both done many times over. Therefore, the legal authority to post a
    letter to Usenet is there considered a matter subject to Copyright law.
    Copies are deemed to have been made, and the question then becomes
    one of whether the poster had the legal right to make (trigger) those copies.

    - Copyright law usually applies to "an original expression of an idea";
    presuming that David Gempton did not use a form letter, his response
    was likely sufficiently "creative" for copyright law to apply to the
    parts of it that he himself phrased. Note that Copyright law does not
    apply to the ideas themselves [*], only to the -expression- of them: the
    actual words. [*] Exception: the entertainment industry especially is
    increasingly pushing to restrict "derivative works" (originally
    applicable only to translations and to substantial reproductions of the
    original words...)

    - We have by now established that Copyright law applies to the
    situation [in many jurisdictions], and have reduced the question down
    to one of whether the jurisdiction's local Copyright law would
    permit the substantial reproduction of a previously-unpublished letter.

    - The limits on reproduction vary from jurisdiction to jurisdiction.

    - The US has its "Fair Use Doctrine" (which is not actually written
    into law under that name); the boundaries of Fair Use are a bit
    fuzzy in the USA, but case law has deemed copying of as little as
    three lines of a short work to not be within the limits of Fair Use.
    The publishing of large extracts of a longer work has rarely been
    considered to be Fair Use except in cases of high Public Interest.
    And increasingly, case law in the USA has been saying that even
    in situations that were traditionally Fair Use (e.g., academic photocopying),
    that if there is reasonable time available to ask permission for
    the copying, that the permission must be sought [with some leeway
    allowed for researched criticisms of a work whose author would likely
    not grant copying permission in order to avoid the criticism.]
    http://www.copyright.gov/title17/92chap1.html#106

    - Canada does not have any equivalent to the Fair Use Doctrine;
    the "Fair Dealing" clauses are quite limited, and
    the suggested letter-posting activity would not fall within the boundaries
    of any of them
    http://laws.justice.gc.ca/en/C-42/230536.html#Section-29

    - US case law is sufficiently fuzzy that one could perhaps talk about
    "probability" of a copying being within the limits of Fair Use
    (and thus not a copyright violation in the USA), but Canadian law is
    much more rigid, and it would essentially only be meaningful to
    speak of reproducing a letter being "probably" a copyright violation in Canada
    if the probabilities being referred to were zero (i.e., "not") and
    one (i.e., "decidedly so".)

    - In other words, posting a private letter to Usenet "probably" IS
    a copyright violation -- unless one wishes to play games like
    "Oh, my IP is from the USA but I'm really in a country that doesn't
    have a copyright law and doesn't recognize any other country's
    copyright laws."


    Perhaps, Nico, you were thinking of a different matter: not whether it
    would -be- a copyright violation, but rather what the likely legal
    -consequences- would be for that violation.

    For example, in Canada, if the original letter author bothered to do
    anything, the most -likely- result of posting of an informative letter
    from a non-famous person, would be a $C200 fine plus court costs and a
    lecture to Don't Do It Again. (Statutory $C50 per count, multiple
    counts would be deemed, but the judge would have considerable leeway in
    fixing the count; $C200 is about average for multiple count cases where
    malicious publication is not established, sliding up to about $C800-
    $C1000 if there were previous interpersonal spats but no monetary
    gain from the publication.) Stronger penalties are definitely possible,
    especially where there is monetary value involved, but the legal
    standards of proof are also noticeably higher than for the stat penalty.
    Walter Roberson, Jun 2, 2006
    #7
  8. Walter Roberson wrote:

    > - In other words, posting a private letter to Usenet "probably" IS
    > a copyright violation


    Damn, no. The reason is a quite simple one: You cannot expect the sender
    to be unwilling to allow publishment unless he explicitly stated so. By
    posting a letter to someone you're actively putting it into public domain.

    The reason why it's illegal under _zivil_ rights is that's an
    unreasonable violation of privacy to publish someone else's private
    information without even asking him first.
    Sebastian Gottschalk, Jun 2, 2006
    #8
  9. David Gempton

    Rick Merrill Guest

    Sebastian Gottschalk wrote:
    > Walter Roberson wrote:
    >
    >
    >>- In other words, posting a private letter to Usenet "probably" IS
    >>a copyright violation

    >
    >
    > Damn, no. The reason is a quite simple one: You cannot expect the sender
    > to be unwilling to allow publishment unless he explicitly stated so. By
    > posting a letter to someone you're actively putting it into public domain.
    >
    > The reason why it's illegal under _zivil_ rights is that's an
    > unreasonable violation of privacy to publish someone else's private
    > information without even asking him first.


    Hey, cut the crap guys, I want to buy this thing - does it work?!
    Rick Merrill, Jun 2, 2006
    #9
  10. Richard E. Silverman, Jun 2, 2006
    #10
  11. "Sebastian Gottschalk" <> wrote in message
    news:...
    > Walter Roberson wrote:
    >
    >> - In other words, posting a private letter to Usenet "probably" IS
    >> a copyright violation

    >
    > Damn, no. The reason is a quite simple one: You cannot expect the sender
    > to be unwilling to allow publishment unless he explicitly stated so. By
    > posting a letter to someone you're actively putting it into public domain.
    >
    > The reason why it's illegal under _zivil_ rights is that's an
    > unreasonable violation of privacy to publish someone else's private
    > information without even asking him first.


    Off-topic, and I Am Not A Lawyer, but a followup. The questions of email and
    Usenet copyright are quite old, and pretty well described at this antique
    FAQ:

    http://www.faqs.org/faqs/law/copyright/faq/part3/

    In particular, this note makes sense to me:

    3.8) Are Usenet postings and email messages copyrighted?

    Almost certainly. They meet the requirement of being original works of
    authorship fixed in a tangible medium of expression (see section 2.3).
    They haven't been put in the public domain; generally, only an expiration
    of copyright or an unambiguous declaration by an author is sufficient to
    place a work into public domain.

    There is then considerably more detail about what constitutes a violation of
    the existing copyright. My nose is completely clean due to the "fair use"
    doctrine, for reasons better described there. Admittedly, this probably is
    not New Zealand law, but I'm sticking with my own country's laws for
    safety's sake.
    Nico Kadel-Garcia, Jun 3, 2006
    #11
  12. David Gempton

    Imhotep Guest

    Chuck wrote:

    > Call me skeptical, but why would I want to risk using an unknown
    > security product? Why should I choose this over something like OpenVPN
    > which is also free and makes the source code available for review?


    ....good point!
    Imhotep, Jun 3, 2006
    #12
  13. Imhotep wrote:
    > Chuck wrote:
    >
    >> Call me skeptical, but why would I want to risk using an unknown
    >> security product? Why should I choose this over something like
    >> OpenVPN which is also free and makes the source code available for
    >> review?

    >
    > ...good point!


    Or pptpclient and poptop, both at sourceforge.net with the same benefits and
    interoperability with Microsoft's built-in VPN tools.
    Nico Kadel-Garcia, Jun 3, 2006
    #13
  14. On 2006-06-02, Nico Kadel-Garcia <> wrote:
    > I just double-checked the license of OpenSSH, which states:
    >
    > * Copyright (c) 1995 Tatu Ylonen <>, Espoo, Finland
    > * All rights reserved
    > *
    > * As far as I am concerned, the code I have written for this software
    > * can be used freely for any purpose. Any derived versions of this
    > * software must be clearly marked as such, and if the derived work is
    > * incompatible with the protocol description in the RFC file, it must be
    > * called by a name other than "ssh" or "Secure Shell".


    Actually that's just the license for a subset of the files. The copyright
    is held by a number of people (including, for recent Portable versions, me)
    and while each file has its own license, a summary is available in the
    file "LICENCE". It says, in part:

    "The licences which components of this software fall under are as
    follows. First, we will summarize and say that all components
    are under a BSD licence, or a licence more free than that.

    OpenSSH contains no GPL code."

    [...]
    > So I submit among its other weirdness, it's a violation of the very generous
    > OpenSSH license, since the software is closed source and makes no such


    Their use of OpenSSH is probably OK (I say "probably" because I'm not a
    lawyer and am not the copyright holder of most of it).

    A more interesting question is: what about the other components that
    they use? They appear to be using at least the Linux kernel which most
    definitely *is* GPLed (and most Linux-based systems use many other GPLed
    components in addition to just the kernel).

    I downloaded the zip file and it contains only vmware images and no source
    code. Can someone who has run it confirm whether or not the source for
    the GPL'ed (and LGPL'ed) parts is available?

    (Followup-To: set)

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
    Darren Tucker, Jun 3, 2006
    #14
  15. Rick Merrill wrote:
    > Sebastian Gottschalk wrote:
    >
    >> Walter Roberson wrote:
    >>
    >>
    >>> - In other words, posting a private letter to Usenet "probably" IS
    >>> a copyright violation

    >>
    >>
    >>
    >> Damn, no. The reason is a quite simple one: You cannot expect the sender
    >> to be unwilling to allow publishment unless he explicitly stated so. By
    >> posting a letter to someone you're actively putting it into public
    >> domain.
    >>
    >> The reason why it's illegal under _zivil_ rights is that's an
    >> unreasonable violation of privacy to publish someone else's private
    >> information without even asking him first.

    >
    >
    > Hey, cut the crap guys, I want to buy this thing - does it work?!

    Rick,

    I wrote Secure VPN Gateway. It does work and in my opinion it works really well. I
    believe that I have addressed some security issues that other products have not.

    My reason for posting to these three news groups is that they all focus on Computer
    security issues. I hoped that members of these groups would also be focused on security,
    rather than GPL trivia.

    My product needs to be tested, poked, and prodded by people that really know the security
    field.

    In particular I'd like to know answers to these questions regarding the Secure VPN Gateway:

    1) Can you stage a man in the middle attack and successfully gain access to a user's
    network services ?

    2) Using some sort of spy ware (and not one you've written just for this product) can you
    automatically capture the ssh2 rsa file, username & password. Then use these to access any
    network services on the VPN gateway ?

    3) Can anyone crack the Secure VPN gateway with whatever means they like and then gain
    access to any of the defined user network services ?

    By "user network services" I'm referring to the "Link rules" which are basic ssh port
    forwarding details.

    Please note - I'm really looking for constructive information here so please provide full
    details on how you managed to get around the security. I plan to use the information you
    provide to make the product even more secure. If I use your ideas, I'd like to include
    you in the product credits.

    Regards
    David Gempton. - Programmer (Not Lawyer;)
    David Gempton, Jun 6, 2006
    #15
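
Added illustration, not part of the thread and not TTC's code: the post above describes "Link rules" as basic ssh port forwarding details, and stock OpenSSH can tie such rules to one user's public key through `authorized_keys` options. The rule table, user names and key blob are constructed, and whether the product works this way is not stated anywhere in the thread.

```python
"""Render per-user link rules as OpenSSH authorized_keys restrictions.

Added example. All sample data below is constructed for illustration.
"""
import ipaddress
import re

# Constructed sample data: friendly rule name -> (LAN host, TCP port).
LINK_RULES = {
    "Corporate internal e-mail server": ("10.0.0.25", 25),
    "Bob's human resource files": ("fileserver.lan", 445),
    "IPv6 intranet wiki": ("fd00::10", 443),
}

# Constructed placeholder key; a real one comes from ssh-keygen.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed"

# Options applied to every forwarding-only key.
BASE_OPTIONS = ["no-pty", "no-agent-forwarding", "no-X11-forwarding"]

HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
USER_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
KEY_RE = re.compile(
    r"(?:ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+/]+={0,2}"
)


def format_target(host, port):
    """Return host:port in permitopen syntax, rejecting anything unsafe."""
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"bad port: {port!r}")
    if not isinstance(host, str):
        raise ValueError(f"bad host: {host!r}")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: accept only plain hostnames, so a quote, comma
        # or newline can never break out of the quoted option value.
        if not HOST_RE.fullmatch(host):
            raise ValueError(f"bad host: {host!r}")
        return f"{host}:{port}"
    # sshd expects IPv6 literals in square brackets.
    return f"[{addr}]:{port}" if addr.version == 6 else f"{addr}:{port}"


def authorized_keys_line(user, pubkey, granted, rules=LINK_RULES):
    """Build one authorized_keys line limiting `pubkey` to the granted rules."""
    if not KEY_RE.fullmatch(pubkey):
        raise ValueError("public key is not a single well-formed key")
    if not USER_RE.fullmatch(user):
        raise ValueError(f"bad user name: {user!r}")
    unknown = [name for name in granted if name not in rules]
    if unknown:
        raise KeyError(f"undefined link rule(s): {unknown}")

    options = list(BASE_OPTIONS)
    if granted:
        targets = sorted({format_target(*rules[name]) for name in granted})
        options += [f'permitopen="{t}"' for t in targets]
    else:
        # With no permitopen at all, sshd by default permits forwarding to
        # any destination, so a key with no rules gets forwarding disabled.
        options.append("no-port-forwarding")
    return f"{','.join(options)} {pubkey} {user}"


if __name__ == "__main__":
    print(authorized_keys_line(
        "bob", SAMPLE_KEY,
        ["Corporate internal e-mail server", "IPv6 intranet wiki"]))
    print(authorized_keys_line("alice", SAMPLE_KEY, []))
```

The restriction is enforced by sshd on the gateway, so a copied client key still reaches only the listed destinations; it does nothing to stop the key file itself being copied from an untrusted machine.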
  16. David Gempton wrote:

    > I wrote Secure VPN Gateway. It does work and in my opinion it works
    > really well. I believe that I have addressed some security issues
    > that other products have not.


    With no usable documentation, no published source code, and due to the lack
    of published source code, a complete violation of the GPL license for any
    GPL components such as glibc or a Linux kernel. It's a blackbox from an
    unknown author with no previous large scale products, making outrageous
    claims about being "Absolutely Secure VPN Gateway".

    There's not even an installation guide: that's just pitiful. Without source
    code, we have to assume that the rest of your work is equally lax
    and poorly thought out. Nothing personal against you, but that's not how you
    engender the necessary trust in potential clients or users.

    > My product needs to be tested, poked, and prodded by people that
    > really know the security field.


    Then publish your source, or do what a closed source software company must
    do: hire experts to review it. No one sane is going to vouch for it without
    access to the source.

    > In particular I'd like to know answers to these questions regarding
    > the Secure VPN Gateway:
    > 1) Can you stage a man in the middle attack and successfully gain
    > access to a user's network services ?
    > 2) Using some sort of spy ware (and not one you've written just for
    > this product) can you automatically capture the ssh2 rsa file,
    > username & password. Then use these to access any network services on
    > the VPN gateway ?
    > 3) Can anyone crack the Secure VPN gateway with whatever means they
    > like and then gain access to any of the defined user network services
    > ?
    > Please note - I'm really looking for constructive information here so
    > please provide full details on how you managed to get around the
    > security. I plan to use the information you provide to make the
    > product even more secure. If I use your ideas, I'd like to include
    > you in the product credits.


    No, you're really not. You're looking for validation by some of the really
    sharp people available here of your personal little black box security tool.
    With no documentation and no source, this is like asking for a restaurant
    review and not even showing people the menu, only showing them the sign on
    the door.

    I've just downloaded Smoothwall Express, and guess what? It's GPL Licensed,
    and by failing to publish your source code to people using your software,
    you're clearly in violation. I'm notifying them immediately.

    Nico Kadel-Garcia
    Nico Kadel-Garcia, Jun 6, 2006
    #16
  17. On 2006-06-06, David Gempton <> wrote:

    > 2) Using some sort of spy ware (and not one you've written just for this product) can you
    > automatically capture the ssh2 rsa file, username & password. Then use these to access any
    > network services on the VPN gateway ?


    Why the artificial restriction "not one you've written just for this product"?
    Do you think attackers don't write attacks against specific products?

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/
    One of my other 11 computers runs Minix.
    all mail refused, Jun 6, 2006
    #17
  18. all mail refused wrote:
    > On 2006-06-06, David Gempton <> wrote:
    >
    >
    >>2) Using some sort of spy ware (and not one you've written just for this product) can you
    >>automatically capture the ssh2 rsa file, username & password. Then use these to access any
    >>network services on the VPN gateway ?

    >
    >
    > Why the artificial restriction "not one you've written just for this product"?
    > Do you think attackers don't write attacks against specific products?
    >

    That's a fair point.

    I guess I was thinking along the lines of public Internet places (like Internet cafes)
    where the spyware that may be installed is going to be more general. Like key-logging
    software.

    I'm sure that given a little information about how my software handles security it would
    not be difficult to write a very targeted application that could obtain a copy of the
    security details.

    This is an area that I am currently working on improving. My aim is to come up with a
    connection model that mutates every time it's used. So even if you get a copy of the
    security details they will be of no use if you try and use them again.

    - David Gempton.
    David Gempton, Jun 6, 2006
    #18
  19. David Gempton

    imhotep Guest

    Nico Kadel-Garcia wrote:

    > Imhotep wrote:
    >> Chuck wrote:
    >>
    >>> Call me skeptical, but why would I want to risk using an unknown
    >>> security product? Why should I choose this over something like
    >>> OpenVPN which is also free and makes the source code available for
    >>> review?

    >>
    >> ...good point!

    >
    > Or pptpclient and poptop, both at sourceforge.net with the same benefits
    > and interoperability with Microsoft's built-in VPN tools.


    Never liked pptp and I am not a Windows user but, good point about them (and
    sourceforge)...

    Imhotep
    imhotep, Jun 7, 2006
    #19
  20. "David Gempton" <> wrote in message
    news:4485f81b$...
    > all mail refused wrote:
    >> On 2006-06-06, David Gempton <> wrote:
    >>
    >>
    >>>2) Using some sort of spy ware (and not one you've written just for this
    >>>product) can you automatically capture the ssh2 rsa file, username &
    >>>password. Then use these to access any network services on the VPN
    >>>gateway ?

    >>
    >>
    >> Why the artificial restriction "not one you've written just for this
    >> product"?
    >> Do you think attackers don't write attacks against specific products?
    >>

    > That's a fair point.
    >
    > I guess I was thinking along the lines of public Internet places (like
    > Internet cafes) where the spyware that may be installed is going to be
    > more general. Like key-logging software.
    >
    > I'm sure that given a little information about how my software handles
    > security it would not be difficult to write a very targeted application
    > that could obtain a copy of the security details.
    >
    > This is an area that I am currently working on improving. My aim is to
    > come up with a connection model that mutates every time it's used. So even
    > if you get a copy of the security details they will be of no use if you
    > try and use them again.


    Ahh. Security through obscurity, *AND* violation of the GPL of the
    SmoothWall Express software you're pirating. (And you're blatantly in
    violation of the GPL on their software, by your own admission of using it
    and your failure to publish your source code along with your downloads.)

    And this guy wonders why no one will take it seriously as the "ABSOLUTELY
    SECURE VPN" he advertises it as. Sheesh!
    Nico Kadel-Garcia, Jun 7, 2006
    #20
