Netgate Store

Author Topic: Admin password changed itself. Twice. Yes it did.  (Read 5320 times)

0 Members and 1 Guest are viewing this topic.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 16025
  • Karma: +1530/-221
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #15 on: January 23, 2018, 03:17:00 pm »
Wow!!  I would be very curious to traffic it was generating.. No logging at all?  And ipsec missing?

I could see creating a back door account, but why would you reset the password?  Seems counter intuitive to draw attention by locking out the owner, etc.

If this is such a case of comprised box sold -- You might want to work with netgate on shipping them the box to investigate further...
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE-p1 (home)

Offline mhvmhv

  • Newbie
  • *
  • Posts: 8
  • Karma: +5/-6
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #16 on: January 23, 2018, 03:49:13 pm »
Wow!!  I would be very curious to traffic it was generating.. No logging at all?  And ipsec missing?

I could see creating a back door account, but why would you reset the password?  Seems counter intuitive to draw attention by locking out the owner, etc.

If this is such a case of comprised box sold -- You might want to work with netgate on shipping them the box to investigate further...

I reached out to jwt about sending them the devices. And yeah, wow...

Offline Jed C.

  • Newbie
  • *
  • Posts: 22
  • Karma: +5/-0
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #17 on: January 23, 2018, 04:20:51 pm »
I saw you added a negative review to that page on Amazon, mentioning the issues.   If you didn't already, there should be a link on that page to report it to Amazon as well.   

Alas it seems like that 3rd party vendor sells a whole array of "Pfsense" products on Amazon.ca. 

I'd almost be tempted to stick it in a quarentine DMZ somewhere and see if it tries to phone home.

Offline jwt

  • Administrator
  • Sr. Member
  • *****
  • Posts: 379
  • Karma: +105/-34
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #18 on: January 23, 2018, 04:52:33 pm »
> There seems to be something more sinister than simple greed at play in this case.

First, thanks for being a customer, but, to be clear, I wasn't angry with you.


To be extra clear, while I am concerned for your experience, the issue is much larger than the security of your network.

The security of everyone's network is at risk here.


pfSense is a brand.  It stands for something.  More, we have a registered trademark (worldwide) on pfSense, and trademarks have to be defended.

The strength and distinctiveness of many trademarks has been lost due to improper use of the marks in advertising and promotion, sometimes referred to as “genericide.”

This loss occurs if consumers perceive a trademark not as identifying a product from a single source, but rather as a mere description of the nature of the product or as an identification of a product type or product category as a whole. When a trademark no longer identifies a product from a single source, but is used to identify a category of like products, that mark is generic and available to all to use to describe their products. Some examples of common brands that are generic or come close to the generic line are ASPIRIN, ESCALATOR, KLEENEX, BAND-AID, YO-YO, THERMOS and WINDSURFER.

This kind of occurrence is the type of thing that will force me to make one of three choices:

  • Ignore the problem, and continue to put the trademark at risk
  • Close down 'free" pfSense.  Forever.
  • Invest the time and resources in making sure that nobody can load pfSense without authorization from Netgate

We have, I think, played more than fair to this point, but this type of thing puts the business at risk in may ways.

I'm curious what the community thinks.

Offline mhvmhv

  • Newbie
  • *
  • Posts: 8
  • Karma: +5/-6
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #19 on: January 23, 2018, 05:18:27 pm »

First, thanks for being a customer, but, to be clear, I wasn't angry with you.

I've seen angry. That wasn't it. No offense taken.

To be extra clear, while I am concerned for your experience, the issue is much larger than the security of your network.

The security of everyone's network is at risk here.

Yeah that's my underlying concern.


This kind of occurrence is the type of thing that will force me to make one of three choices:

  • Ignore the problem, and continue to put the trademark at risk
  • Close down 'free" pfSense.  Forever.
  • Invest the time and resources in making sure that nobody can load pfSense without authorization from Netgate

We have, I think, played more than fair to this point, but this type of thing puts the business at risk in may ways.

I'm curious what the community thinks.

I'd be glad to discuss my thoughts. Please contact me if you'd like to.

Offline jwt

  • Administrator
  • Sr. Member
  • *****
  • Posts: 379
  • Karma: +105/-34
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #20 on: January 23, 2018, 05:22:20 pm »

jim at netgate dot com

Offline Grimson

  • Sr. Member
  • ****
  • Posts: 478
  • Karma: +68/-10
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #21 on: January 23, 2018, 05:44:33 pm »
  • Close down 'free" pfSense.  Forever.
  • Invest the time and resources in making sure that nobody can load pfSense without authorization from Netgate

I don't think this would change much. Those unauthorized vendors would simply use older/existing builds, maybe even modify them to report like current builds. At most you will likely have more people asking for help on outdated builds, complaining that they can't update to a newer version and/or reporting bugs that are actually fixed in the real current builds. So more chaos and maybe bad press on top.

Even large companies with non-free products, like MS for example, aren't able to stop stuff like this and they have a lot more money and man power at their disposal. It's like fighting against windmills.

Of course you can try to take on that fight, but it will probably just consume a lot of resources, time and energy from the staff without reaping any real benefits.

Offline Knyte

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +1/-0
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #22 on: January 23, 2018, 05:48:06 pm »

This kind of occurrence is the type of thing that will force me to make one of three choices:

  • Ignore the problem, and continue to put the trademark at risk
  • Close down 'free" pfSense.  Forever.
  • Invest the time and resources in making sure that nobody can load pfSense without authorization from Netgate

We have, I think, played more than fair to this point, but this type of thing puts the business at risk in may ways.

I'm curious what the community thinks.

Really difficult to pass judgment on the Amazon seller without being able to analyze that box - I'd be really interested in the findings.  I've seen PC's for sale with 'trial' versions of an OS installed, just to prove it works and all is well.  At first I want to give the Amazon store the benefit of the doubt - maybe they just slapped it in to say 'see ?  ...working!', but the changing password is really strange and does indeed raise some alarm.  I wonder if, considering they claim it'll support IPCop etc  - IF it actually would support another OS.  Maybe no one has tried!!

It's funny this comes up, because my brother and I were discussing something like this just this morning...about the hardware Netgate has to offer vs other systems etc, and about the trade off Netgate has to make between being attractive to consumers, but also earning revenue.  So, sure, there are cheap boards out there that 'might' run pfsense, but that doesn't help to support the project.

To your questions above, obviously option 1 isn't a smart forward-looking solution.
Option 2 seems like strong reason - this smacks of what TiVo did - open source software, closed source hardware; at the risk of losing much of the community.
Option 3 would be good from a community perspective - perhaps a unique ID is generated on a new install that requires activation from pfsense ?
--------------------------------------------------
2.4.3-RELEASE (amd64)
built on Mon Mar 26 18:02:04 CDT 2018
FreeBSD 11.1-RELEASE-p7
VM in ESXi 5.5
1 x 1000baseTX (WAN)
1 x 1000baseTX (LAN)

Offline jwt

  • Administrator
  • Sr. Member
  • *****
  • Posts: 379
  • Karma: +105/-34
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #23 on: January 23, 2018, 05:51:47 pm »

This kind of occurrence is the type of thing that will force me to make one of three choices:

  • Ignore the problem, and continue to put the trademark at risk
  • Close down 'free" pfSense.  Forever.
  • Invest the time and resources in making sure that nobody can load pfSense without authorization from Netgate

We have, I think, played more than fair to this point, but this type of thing puts the business at risk in may ways.

I'm curious what the community thinks.

Really difficult to pass judgment on the Amazon seller without being able to analyze that box - I'd be really interested in the findings.  I've seen PC's for sale with 'trial' versions of an OS installed, just to prove it works and all is well.  At first I want to give the Amazon store the benefit of the doubt - maybe they just slapped it in to say 'see ?  ...working!', but the changing password is really strange and does indeed raise some alarm.  I wonder if, considering they claim it'll support IPCop etc  - IF it actually would support another OS.  Maybe no one has tried!!

It's funny this comes up, because my brother and I were discussing something like this just this morning...about the hardware Netgate has to offer vs other systems etc, and about the trade off Netgate has to make between being attractive to consumers, but also earning revenue.  So, sure, there are cheap boards out there that 'might' run pfsense, but that doesn't help to support the project.

Are there any you know of less expensive than espresso.bin?


To your questions above, obviously option 1 isn't a smart forward-looking solution.
Option 2 seems like strong reason - this smacks of what TiVo did - open source software, closed source hardware; at the risk of losing much of the community.
Option 3 would be good from a community perspective - perhaps a unique ID is generated on a new install that requires activation from pfsense ?

I'm mulling over #3.

Offline jwt

  • Administrator
  • Sr. Member
  • *****
  • Posts: 379
  • Karma: +105/-34
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #24 on: January 23, 2018, 05:54:55 pm »
  • Close down 'free" pfSense.  Forever.
  • Invest the time and resources in making sure that nobody can load pfSense without authorization from Netgate

I don't think this would change much. Those unauthorized vendors would simply use older/existing builds, maybe even modify them to report like current builds. At most you will likely have more people asking for help on outdated builds, complaining that they can't update to a newer version and/or reporting bugs that are actually fixed in the real current builds. So more chaos and maybe bad press on top.

Even large companies with non-free products, like MS for example, aren't able to stop stuff like this and they have a lot more money and man power at their disposal. It's like fighting against windmills.

Of course you can try to take on that fight, but it will probably just consume a lot of resources, time and energy from the staff without reaping any real benefits.

So what you're saying is just quit pfSense?

Offline Knyte

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +1/-0
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #25 on: January 23, 2018, 06:02:40 pm »

Are there any you know of less expensive than espresso.bin?


Not at the moment, nope.  Was looking at something or another on AliExpress, but then memories of BananaPi came rushing back...
« Last Edit: January 23, 2018, 06:07:54 pm by Knyte »
--------------------------------------------------
2.4.3-RELEASE (amd64)
built on Mon Mar 26 18:02:04 CDT 2018
FreeBSD 11.1-RELEASE-p7
VM in ESXi 5.5
1 x 1000baseTX (WAN)
1 x 1000baseTX (LAN)

Offline jwt

  • Administrator
  • Sr. Member
  • *****
  • Posts: 379
  • Karma: +105/-34
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #26 on: January 23, 2018, 06:07:54 pm »

Are there any you know of less expensive than espresso.bin?


Not at the moment, nope.  Was looking at something or another on AliExpress, but then memories of BananaPi came back...

Banana Pi routers are $65 on Aliexpress
https://www.aliexpress.com/item/Banana-PI-R1-Wireless-Router-Open-Source-Development-Board-BPI-R1-Smart-Home-Control-Plate/32811123035.html

espresso.bin is $49 on Amazon.
https://www.amazon.com/Globalscale-Technologies-Inc-SBUD102-ESPRESSObin/dp/B06Y3V2FBK/

I shouldn't have to tell you which one is faster.  Hint: it's not the B-Pi router.



Offline Grimson

  • Sr. Member
  • ****
  • Posts: 478
  • Karma: +68/-10
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #27 on: January 23, 2018, 06:11:04 pm »
So what you're saying is just quit pfSense?

No that's not what I'm saying.

Look at how for example the Kodi Team handles the piracy box issues. Instead of investing time into a cat and mouse game with a DRM like approach, that will be broken/circumvented anyways, educate the community/people about what pfSense is. Why it's a bad idea to buy your security device from a shady vendor that ignores licenses. pfSense is quite well known, but the issue with those vendors isn't. Try to get coverage from IT magazines, bloggers even youtube channels to get the message out there.

Of course where it's possible use your legal rights to take down those vendors, just don't alienate your community or brake your back/company over them, they aren't worth this.

Offline Knyte

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +1/-0
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #28 on: January 23, 2018, 06:16:07 pm »
I shouldn't have to tell you which one is faster.  Hint: it's not the B-Pi router.

Nope, you sure don't.  I only brought that up in the sense that it looked GREAT and interesting at the time, woohoo, lets get TWO!  ...then, when they arrived, it became instantly clear they're completely schizophrenic.  They have built in HDMI etc, but don't function very well as a media device.  If one were to install a firewall OS, it'd under-perform, as you mentioned.  Could install OpenWRT and turn it into an AP, but that's under-utilizing the hardware.  So, they're not really great at anything...just kinda meh at everything.

Hence, it was a bad purchase, and a bad memory :)  Lesson = don't impulse buy cheap hardware.  Well, at least they were cheap.

I'd much rather look more closely at what Netgate has to offer, and look for ways I can support them/you.
« Last Edit: January 23, 2018, 06:19:14 pm by Knyte »
--------------------------------------------------
2.4.3-RELEASE (amd64)
built on Mon Mar 26 18:02:04 CDT 2018
FreeBSD 11.1-RELEASE-p7
VM in ESXi 5.5
1 x 1000baseTX (WAN)
1 x 1000baseTX (LAN)

Offline jwt

  • Administrator
  • Sr. Member
  • *****
  • Posts: 379
  • Karma: +105/-34
    • View Profile
Re: Admin password changed itself. Twice. Yes it did.
« Reply #29 on: January 23, 2018, 06:34:22 pm »
So what you're saying is just quit pfSense?

No that's not what I'm saying.

Look at how for example the Kodi Team handles the piracy box issues. Instead of investing time into a cat and mouse game with a DRM like approach, that will be broken/circumvented anyways, educate the community/people about what pfSense is. Why it's a bad idea to buy your security device from a shady vendor that ignores licenses. pfSense is quite well known, but the issue with those vendors isn't. Try to get coverage from IT magazines, bloggers even youtube channels to get the message out there.

Of course where it's possible use your legal rights to take down those vendors, just don't alienate your community or brake your back/company over them, they aren't worth this.

Kodi has a different problem.

You won't (long) find a "Kodi box" for sale on Amazon or eBay, and you won't find a Kodi app for iPhone / iPad.

The reason why is that the content providers have been getting laws passed (for instance, in the EU).   The UK has a new law, the "Digital Economy Act" that has this to say:

“A person…who infringes copyright in a work by communicating the work to the public commits an offence if [the person] knows or has reason to believe that [they are] infringing copyright in the work, and…knows or has reason to believe that communicating the work to the public will cause loss to the owner of the copyright, or will expose the owner of the copyright to a risk of loss.”

They've effectively criminalized the sale of hardware pre-loaded with Kodi.  Since merely selling the box means you can be found guilty of contributory copyright infringement, and since the police in Scotland have started to equate Kodi boxes with criminal gangs, https://www.edinburghnews.scotsman.com/our-region/edinburgh/police-commit-to-crackdown-on-kodi-streaming-1-4422380, the larger retail outlets have bowed out.