
Re: [SAGE] mirapoint?



Hot Diggety! amos+lists.sage@utdallas.edu was rumored to have written:
> Anybody here have any experience with the Mirapoint products? Any 
> opinions that you care to share? I did some digging on this list and 
> didn't see it mentioned, but maybe my searching wasn't aggressive 
> enough....

Depends on what kind of size / needs your organization has. We've had
some Mirapoint units.

I've got some mixed feelings about them. The below is a very frank
technical critique of the product and company. Mostly factual, and I've
labelled the few parts that have personal opinions (which themselves are
based on facts or experience).

On one hand, the product itself is a pretty nice (my opinion) appliance
- has a ssh CLI (custom shell), easy to monitor data via CLI, web, SNMP,
etc... even has an API (and can be called through simple perl routines)
that you can hook into for provisioning stuff -- we use that to very
good effect.

On the other hand, I'm not all that enamored with the pricing -- it
seems a little over the top to me. (And that's a personal opinion, based
on experience with pricing a wide range of products over the years.)

When we were thinking about buying a newer generation of Mirapoint
units, we needed a way of moving the old data off (configs, actual
mailboxes, etc). Mirapoint quoted about $25,000 (if memory serves) to do
the migration for a small box -- not including the cost of new hardware,
of course. That basically killed any management interest in going for
newer Mirapoint products. Too bad, because the current products did look
nice. (My opinion.)

This also raised concerns about this being an effective attempt at
vendor lock-in. That kind of tactic just doesn't work here. :) (We're
constantly migrating services to newer hardware and software, over time,
as needs change... lock-in is the last thing we would ever want.)

A few years ago, our security team was running a scan. The security
person who was running the scan was pretty flabbergasted when he was
dropped into an actual root shell prompt, and not the normal CLI shell
-- without entering a root password. :) That was the only time where a
scan ever had that result, for any of our systems and appliances, in the
past 12 years.

Turns out that at the time, Mirapoint had shipped boxes with rsh enabled
and no root password (presumably for tech support remote debugging?).

We discovered that it was (at the time, years ago) a FreeBSD 2.1.5 (as I
seem to recall) system and some custom mods to the boot stuff -- could
be booted off the internal hard drives or a LS120 'floppy' with some
special/custom stuff (maybe special drivers or init script?).

I administer some FreeBSD boxes at home, and started with 2.1.5, so was
familiar with that stuff... as was the security person who did the scan
(long-time BSD user from the earliest days).

But one of my concerns was that we had no way of knowing if Mirapoint
had released software patches to address specific FreeBSD
vulnerabilities that might apply to the Mirapoint as they came out...
and of course, when you run an old version long enough, you'll
eventually not get any more patches, leaving you in a dicey situation
short of getting newer hardware/software or moving to something else.

(This is a generic issue for appliances; especially since they can
easily be used for a far longer period of time than a typical server.
So, to be fair, that concern wasn't a Mirapoint-specific issue per se.)

What was telling was Mirapoint's rather lackluster (my opinion) response
when we called in this root-has-no-password issue... we had to spend an
hour or so in a rather contentious teleconference to convince them that
it was an extremely serious security issue. For the better part of that,
they just didn't believe that it was serious and spent some time
belittling us. Guess I was just far more disappointed than offended.

(I've had the same kind of conversation regarding a serious password
exposure vulnerability with Sun security, silence from Apple security on
a different and potentially serious password exposure issue. So it's not
unheard of for vendors to blow off critical reports, so...

At least, in Mirapoint's case, they *did* something about it... I'm not
sure if Sun ever fixed that hole, and I think Apple later silently
slipped in the fix in a later version of MacOS X.)

To their credit, once they understood the seriousness, they immediately
gave us a software patch that fixed that particular hole. And I should
note that this was perhaps five or six years ago, so the issue has long
since been fixed.

Still, the fact that such a gaping hole was in the product, and the
response... well, it wasn't that confidence inspiring. Also my opinion.

With the boxes we had, it took several days to do a single level 0 dump
even on a fast ethernet network, and we only had a small disk array!
That really complicated plans to transition to other equipment with a
minimum of downtime.

There was also a bug with dump where it was possible for the dump
process to hang forever (and was not killable), requiring a reboot to
retry the dump run. No idea if fixed now, but possibly?

I have also heard of and seen credible evidence that the password scheme
(at least, for the old boxes we have) is a variation on the Vigenere
cipher.

It will not be trivial for someone unschooled in cryptography to crack
it, but there are general public tools (but not Mirapoint-specific)
easily found via a web search to crack Vigenere ciphers.

So this falls into the category of 'security by obscurity'. I might
describe a Vigenere cipher as being a fancy version of ROT-13. Fancy, but
still ROT-13ish. (Description of cipher being a fancy ROT-13ish is my
opinion.)

It's hard for most people to crack it, but if someone was sufficiently
knowledgeable, then all passwords are laid bare. I'm not interested in
going into any further details -- I only hope that Mirapoint has chosen
a stronger scheme for their current shipping products such as SHA or MD5.

I'm not schooled in cryptography (and have yet to read Mr. Schneier's
seminal book, alas) but it seems to me that even with password guessing
tools (e.g. Jack the Ripper), DES would be an improvement over a Vigenere
cipher, if the passwords were well-chosen. And obviously, one of the
modern ciphers would be even better.

I also always wished that the Mirapoint supported an external hook to
user-supplied tools via some sort of API that would allow us to enforce
passwords according to site-specific policy. That would, for instance,
allow us to run passwords through a basic sanity filter such as Cracklib.

All bets are off with such a weak cipher, though -- figure out the exact
cipher algorithm, then it won't matter how good the password may be.

More useful if it was protected by DES, MD5, SHA, whatever -- by their
nature, they can't be easily reversed short of dictionary attacks.
(Though I'm sure the NSA has non-dictionary attacks that work with DES,
as hinted in the book _The Cuckoo's Egg_.)

Anything like a substitution cipher, XOR, etc... are easily reversible
once you know how it was generated and maybe a minute or two of
computing time to find the right 'ranges'.

The Vigenere cipher, as I understand it, was designed to defeat simple
frequency analysis... but with a theoretical custom-made program and at
least one known password as a point of comparison, it would probably be
possible for a determined and knowledgeable attacker to soon figure out
details.

No, neither I nor anyone I know has written such a tool -- this is just
theory, though I have indeed seen our Mirapoint passwords cracked and
have some knowledge of how it was done. I have only a binary, so someone
has already done it. (Source code was, unfortunately, not found on the
server.)

Once the attacker figures out the exact algorithm and ranges involved
for the cipher variant, it's just an extremely trivial program in any
language to decode every single Mirapoint password.

Perhaps a little harder if coding in INTERCAL (aka the world's worst and
most maddeningly difficult and impossible programming language known in
human history. :-) )

From my limited understanding of Vigenere ciphers, a program to decode is
trivial if you know particulars of the exact variant's cipher (and
understand how Vigenere ciphers themselves work).

What the Mirapoint customer has going for them is that: a) it may be
possible they no longer use the Vigenere cipher variant, and b) a
successful attack requires the attacker:

	- is aware of your Mirapoint unit
	- has an interest in compromising it
	- knows your Mirapoint unit is not protected by a sufficiently
	  restrictive network ACL (but don't discount the possibility
	  that you could block external ssh access, but attacker could
	  come in through an internal machine that does have access!)
	- has access to your Mirapoint to trigger a level 0 dump
	- has access to a second box somewhere (local or remote) to receive
	  the dump data (which would also yield users' mailboxes too)
	- has the Administrator password (social engineering, sniffing, etc)
	- knows at least one and preferably two Mirapoint users'
	  passwords (which can be obtained through social engineering or
	  capturing plaintext network traffic)
	- knows cryptography, or at least, details of how a Vigenere
	  cipher works
	- can figure out the variant that Mirapoint uses (used?)

So the bar is somewhat 'high' enough that this is not very likely in
normal operation... but once someone, anyone, figures out the algorithm
and can meet all of the prereqs, the kingdom can be lost in short order
(so to speak).

We also had issues with how the unit responded once the queue got large.

Can't really tell but it almost seemed like a single large queue because
performance seemed to exponentially drop once the incoming queue got
large enough.

A multi-tiered hashed directory scheme or something would probably go a
very long way... but then again, this was with an older software version
so they could very well have fixed that performance issue long ago.

A really large mailbox (245 MB, IIRC) also made performance crawl, too.
It took a few hours to delete all the messages in that mailbox, as I
seem to recall. :)

So I would summarize it as having real mixed feelings: I like most of
the product, save for a few points. I've had so-so dealings with the
company. Nothing that would prevent me from seriously considering them
for new purchases -- which we did recently consider.

But given the technical and security issues I've seen with that product,
as well as the pricing... I'm just not comfortable in recommending it
unless one really has wheelbarrows of money and can lock it down *tight*.
Maybe they offer more reasonable pricing to other people, who knows? :)

I should also note that it is entirely possible that Mirapoint has
become much more security conscious and responsive, as well as beefed up
the internal protections (eg password scheme) with their current products.

If that is indeed the case, then the only real issue I would have is
with their pricing. I don't believe it provides the best
bang-for-the-buck or value relative to cost, even if the appliance is
pretty nice on the whole. My opinion, based on the numbers they've given
to us... which could potentially be significantly better for other
Mirapoint customers.

So... I don't necessarily want to discourage anyone from checking out
the Mirapoint offerings; I only suggest that you do so very carefully to
determine if it meets your needs.

Wouldn't hurt to ask them questions about various technical and security
issues to see if they've cleaned up these issues by now. And I'll leave
the judgement of price vs value to the individual potential customer,
especially since the numbers they quote may very well (my guess) vary
between various customers.

As with most anything, it (the product and the company) has its good
points and bad points. I just wish I had more reasons to be enthusiastic
for what is mostly a decent product.

I have high standards! I'd just like to see Mirapoint live up to these
high standards. Then I could perhaps recommend the product without all
the caveats.

-Dan
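
An added illustration, not part of the message above and not Mirapoint's scheme (which the message does not specify): a textbook Vigenere cipher used as password storage, showing why one known password exposes every stored entry, next to salted PBKDF2 from Python's standard library. The key, user names, passwords and function names are all constructed for this example.

```python
import hashlib
import hmac
import os

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # textbook alphabet (assumption)

def vigenere(text, key, sign=1):
    """Shift each letter by the matching key letter (sign=-1 reverses it)."""
    out = []
    for i, ch in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)]) * sign
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % len(ALPHABET)])
    return "".join(out)

def shortest_period(s):
    """Smallest prefix that repeats to produce s."""
    for n in range(1, len(s) + 1):
        if all(s[i] == s[i % n] for i in range(len(s))):
            return s[:n]

def recover_key(known_plain, stored):
    """stored - plaintext = key stream; reduce it to the repeating key."""
    return shortest_period(vigenere(stored, known_plain, sign=-1))

def demo_reversible_store():
    """Reversible storage: one known entry decodes the whole table."""
    site_key = "lemon"  # constructed secret shared by every entry
    plain = {"alice": "correcthorse", "bob": "batterystaple", "carol": "wintermute"}
    table = {user: vigenere(pw, site_key) for user, pw in plain.items()}
    key = recover_key(plain["alice"], table["alice"])
    return {user: vigenere(enc, key, sign=-1) for user, enc in table.items()}

def hash_password(password, salt=None, rounds=600_000):
    """One-way storage: per-user random salt plus an iterated hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest

def verify_password(password, salt, rounds, digest):
    """Recompute and compare in constant time; nothing is ever decoded."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print(demo_reversible_store())
    salt, rounds, digest = hash_password("correcthorse")
    print(verify_password("correcthorse", salt, rounds, digest))
```

With the salted hash, a stolen table still has to be attacked one guess at a time per user, which is where a password-quality filter such as Cracklib starts to matter.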