
An analysis of the Nomx secure communications device

379 points| stevekemp | 9 years ago |scotthelme.co.uk | reply

70 comments

[+] krylon|9 years ago|reply
Wow. The title kind of gave away that this was going to be a fun read, but I did not expect it to be that bad.

Even if the vendor did not make those bold claims and simply sold it as a hassle-free email appliance for home users and small businesses, it would be borderline fraudulent. With the bold claims attached it almost looks like performance art to ridicule all the snake oil-peddlers out there.

[+] micaksica|9 years ago|reply
It's unlikely to be performance art, and if this isn't fraud it's gross negligence. Does anyone know of any British legislation that refers to the sale of these types of products?
[+] kens|9 years ago|reply
I read through the patent application cited in the article [1] so I can explain what the device is supposed to be doing.

The "secret sauce" is it can send email between two Nomx devices without using DNS or other third party servers, avoiding DNS attacks. The handshake between two devices sets up DNS records on each device so they can locally resolve each other. There's a mechanism so if a device changes IP address, it informs the other paired devices, with some sort of authentication.

So, it's not just a standard email server running on a RasPi, but does have something new. (To be clear, I'm not defending this device, just explaining what I learned from the patent.)

It's suspicious that the article's author didn't see any network traffic between devices when the handshake was set up, which makes me wonder how much of this is implemented. A couple of follow-up experiments the author could do: a) verify that the device doesn't do an external DNS lookup after the handshake. b) see if changing one device's IP address causes the other to get updated.

[1] https://patentscope.wipo.int/search/en/detail.jsf?docId=WO20...

[+] justinsaccount|9 years ago|reply
> There's a mechanism so if a device changes IP address, it informs the other paired devices, with some sort of authentication.

Except there appears to be no evidence that there is such a mechanism.

and as i336_ here stressed:

"The device is designed to send TLS-encrypted mail from nomx device to nomx device on port 26, BUT IT IS ENCRYPTING USING THE DEFAULT Postfix "snakeoil" TLS CERTIFICATE."

[+] MertsA|9 years ago|reply
From what the author found, it seems pretty clear to me that that patent is nothing more than an idea on paper right now. If the device doesn't send anything over the network for a "handshake" then it isn't a handshake at all. Also, I'm not sure if the author added detail or not but it makes it quite clear that the web interface simply adds a row to the handshake table with the fields entered and nothing else. He also found that the only other place in the GUI that references this table at all is to display the existing "handshakes".

As for how it actually works on the device, the author also showed the relevant portion of the Postfix config where it checks if the domain is in the handshake table and, if it is, connects to that IP on port 26 with the hardcoded default cert.

Maybe they plan on creating something based on that patent someday but right now what they're selling as based on that patent has nothing to do with it.

[+] CM30|9 years ago|reply
Calling your product 'the most secure' and 'ensuring absolute privacy' should already set off alarm bells for anyone interested in either security or privacy. It's the kind of marketing that no one in their right mind would use if they knew much about either.

Not surprisingly, this device does everything wrong and provides neither of those things.

[+] socket0|9 years ago|reply
I find these kinds of stories infuriating (and just a bit frustrating). Charlatans repackage, rebrand, and repurpose FOSS, then sell them at an unrealistic markup to unsuspecting dupes. Anything from PABX or VoIP systems based on Asterisk, through overly complex CMS's based on Wordpress. I'm not sure what riles me more: consumers being ripped off by these products, or the fact that my strengths lie in tech rather than sales.
[+] cronjobber|9 years ago|reply
The FSF has always made clear that they don't have any problem with people selling Free Software; it's about freedom, not low low price.

(What infuriates me about this story is that it reminds me of how far companies like Google have destroyed Mail as a protocol usable without their intermediation. Use Googlemail or get your mails spam-binned.)

[+] seren|9 years ago|reply
If you are distributing a product using GPL code, aren't you supposed to explicitly display the license in the product manual or somewhere else? The end user is not supposed to have to open a product case to find out... I have not seen it mentioned in the original post. So this is a license infringement as well.
[+] adrianN|9 years ago|reply
If the software package they sell weren't utterly useless crap and instead worked as advertised, I don't think the price would be too high.
[+] griffinmb|9 years ago|reply
Their response (on their homepage) is awful: http://nomx.com/

"nomx Passes Security Tests After Blogger Claims to Have Penetrated nomx

- UK blogger makes false claims he can access nomx remotely

- UK blogger fails to access nomx remotely"

[+] tankenmate|9 years ago|reply
Three sentences into "Security testing" section and you have to wonder if they have ever heard of an evil maid attack. Along with outdated kernels that have remote execution bugs, CSRF / XSS bugs, outdated versions of PHP, etc. You really have to wonder if they have any real world security knowledge or skills.
[+] DanBC|9 years ago|reply
From the BBC article about this:

http://www.bbc.co.uk/news/technology-38934822

> Addressing the issue of old software, he said Nomx planned to let users choose which updates should be applied to their device.

> "We will selectively allow users to pick and choose when that becomes available but today we're not forcing any types of updates," he said, adding that updates can introduce vulnerabilities.

> "Updates actually cause a cascading effect and now you're patching patches and that is not a good place to be in," he told Click.

[+] simias|9 years ago|reply
I don't understand the point of this, even if it worked correctly.

If I understand correctly what it does is create some kind of secure tunnel between two nomx devices if you tell it to. But doesn't starttls do that already if you configure your mail server that way? And it already just works with any compliant email server?

So unless I'm missing something there's absolutely no doubt in my mind that this is a scam. Kudos to the author for bothering to find flaws in the admin interface but honestly at this point I'd just have reflashed the raspberry pi and used it as a media center.

Even the first picture with the case open is already a huge red flag, not because of the raspberry pi but because of the botched glue gun job.

[+] dgl|9 years ago|reply
The thing I think it is trying to do is enforce that TLS is used for the known domains. Starttls as implemented in most SMTP servers normally allows fallback to non-encrypted delivery (it's opportunistic).

This kind of agreed upon enforcement has been possible in many email products for years though (I worked on one which could do it about 10 years ago).
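As an added example (not nomx's configuration and not code from the article), this is how the per-destination TLS enforcement dgl describes, combined with the direct port-26 delivery MertsA describes above, looks in stock Postfix syntax; the hostnames are placeholders. The "secure" level is what distinguishes it from what the article found: the peer certificate is verified, so a self-signed default certificate would be rejected and the mail deferred instead of sent.

```conf
# /etc/postfix/main.cf (excerpt)
# Opportunistic TLS for everyone else; the policy table overrides it per destination.
smtp_tls_security_level = may
smtp_tls_policy_maps   = hash:/etc/postfix/tls_policy
smtp_tls_CAfile        = /etc/ssl/certs/ca-certificates.crt
transport_maps         = hash:/etc/postfix/transport

# /etc/postfix/transport
# Deliver mail for the paired domain straight to the partner's host on port 26,
# bypassing the MX lookup (hostnames are placeholders).
partner.example            smtp:[mx.partner.example]:26

# /etc/postfix/tls_policy
# The key is the next-hop exactly as written in the transport table.
# "secure" requires TLS AND a certificate that chains to a trusted CA and
# matches the next-hop hostname; a self-signed "snakeoil" cert fails here,
# so delivery is deferred rather than sent over an unauthenticated channel.
[mx.partner.example]:26    secure match=nexthop

# Weaker variant, comparable to what the article describes: TLS is mandatory
# but the certificate is never verified, so any cert at all is accepted.
# [mx.partner.example]:26    encrypt
```

After editing, run `postmap /etc/postfix/transport /etc/postfix/tls_policy` and reload Postfix; `postfix tls` tooling and the mail log will show "Verified TLS connection" for deliveries that pass the secure policy.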

[+] ams6110|9 years ago|reply
It sends directly (using TLS) to port 26 on the other "handshake" device i.e. not relaying through any third party such as an ISP.

I guess there's some theoretical benefit possible there but if you're worried about your ISP reading your email, just use GPG.

[+] Zekio|9 years ago|reply
It would have a better life as a Pi-hole since you can use the fancy case it came in :)
[+] VMG|9 years ago|reply
> The only good thing I can say about this product is that it does not create an MX record for your domain, upholding the "no MX" in the name.

Haha

[+] timthelion|9 years ago|reply
The real story here is that if you try to set up your mail server so that you can send mail to a Microsoft email server such as Live or Hotmail, you eventually end up here where they ask for a bribe: https://returnpath.com/solutions/email-deliverability-optimi...

Nomx may be terrible, but it's not their fault you can't send mail to hotmail.com

Edit: here is the price list for sending mail to hotmail.com https://returnpath.com/wp-content/uploads/2015/06/Return-Pat...

[+] mike-cardwell|9 years ago|reply
For Microsoft/Hotmail, you'll want to register your IP with their feedback loop (Junk Mail Reporting Program):

https://postmaster.live.com/snds/JMRP.aspx

It's free. A bonus of this is that you get reports about emails from your IP that their users mark as spam.

[+] Faaak|9 years ago|reply
That's strange: I have my own hosted mail server (on a static home IP) and I haven't had a problem with hotmail (but I've got DKIM, reverse DNS, and SPF configured)
[+] cwyers|9 years ago|reply
That's not a bribe. E-mail has become a real tragedy of the commons.
[+] nameless912|9 years ago|reply
From the nomx response:

> Contrary to the blogger's claim that this was an easy, simply hack, in fact, the blogger couldn't make the code work and requested other participants to support his attempts and publicly stated so on his blog. The "payload" he developed was from a third party named Paul.

That's embarrassingly bad logic. The fact that this particular guy wasn't an expert at XSS doesn't make the hack hard, and the fact that it exists at all is the issue. What a bunch of fuckin' jokers.

[+] Vesther|9 years ago|reply
If I understand this correctly, the device is (apart from being the least secure thing ever) basically useless at its function, since it doesn't support SPF/DKIM/DMARC and you can't get it to use HTTPS, and as such will bounce off every single correctly configured email server in the world?

If I remember correctly, when I tried to set up my own email server with my domain on a VPS box, I had to go through the whole nine yards of getting a Let's Encrypt cert and setting up lots of voodoo stuff before I could send mails to anyone but myself.

Also, how are you supposed to use this at home at all, if most residential ISPs (at least here in Germany) block any port 25 traffic?

[+] i336_|9 years ago|reply
Yes to everything you said.

D:

Australian ISPs kill anything outbound on port 25 also.

[+] NoGravitas|9 years ago|reply
I really can't tell whether this is an outright scam, or an earnest attempt by someone completely unqualified (and completely unaware that they're unqualified, per Dunning and Kruger).
[+] Giroflex|9 years ago|reply
At the very least there was bad faith from trying to stall and making false claims about updates and disclosure to customers in the e-mail chain between Scott and them.

I'd also doubt they "had two of the largest security firms provide remote and "in hand" vulnerability assessments on nomx", or else they just completely ignored their advice.

[+] pbhjpbhj|9 years ago|reply
I'm feeling it's an earnest attempt by someone to set up a p2p email system (that will also send email normally), that wasn't quite finished (like: how will we handle certs, what about dynamic IPs) but was picked up by someone good at marketing who convinced them it was awesome and has created a tidy-looking package, etc.

I actually like the idea: a plug-and-play email device that will do p2p with your known contacts.

Just needs more development to make it work, and then some more to make it work securely!?

With IPv6 some issues could be solved.

Are there other examples of similar systems?

[+] i336_|9 years ago|reply
I actually wondered the same thing in the summary comment I posted.
[+] henrikschroder|9 years ago|reply
> "We've advised them that they should not use the nomx admin while surfing any other sites which contain malware or were otherwise compromised"

That's so hilariously misguided I don't even know where to start!

[+] davotoula|9 years ago|reply
"30 March 2017 22:28: Will claims to have a sent a response and has forwarded the same email to me again which doesn't arrive."

"31 March 2017 16:52: Asked for confirmation of receipt of earlier email given apparent email issues.

4 April 2017 11:13: Asked for confirmation of receipt of earlier email given apparent email issues. "

Wonder why...

[+] i336_|9 years ago|reply
While I have a summary post elsewhere in here, at the risk of being a bit spammy I'm double-commenting the following bit:

The device is designed to send TLS-encrypted mail from nomx device to nomx device on port 26, BUT IT IS ENCRYPTING USING THE DEFAULT Postfix "snakeoil" TLS CERTIFICATE.

[+] nrki|9 years ago|reply
Can't wait for their $10k bounty program to go public.

That will be an easy win for whoever submits first.

[+] doubleplusgood|9 years ago|reply
The article mentions that the bounty private key(s) would be embedded within the device, so I don't think a submission would be necessary.
[+] Analemma_|9 years ago|reply
The rampant goalpost-moving in their response suggests that they'll never actually pay out. I mean, their response to the author pointing out that it can be infected by drive-by malware sites is "don't visit those sites".
[+] samsk|9 years ago|reply
Many years ago, I was working on a similar (but better?) SMTP security device [1], that was doing on-the-fly email encryption by catching outgoing SMTP connections and encrypting their content. One only had to set up some keys and stick it in the outgoing network and it worked - like PGP, but without the need to set it up on every device. But they are already out of business now...

[1] https://www.scmagazineuk.com/securecoms-launches-sme-encrypt...

[+] jaclaz|9 years ago|reply
This (statistics on the nomx rebuttal pages) must be coming from some kind of alternate universe:

>For Media - Some statistics:

Number of nomx accounts that have been compromised since inception: 0

Number of Gmail accounts that have been compromised in the United States (from 2014): About 5 million to 24 million depending on source

How about the TOTAL number of (respectively) nomx accounts and gmail accounts (from 2014)?

I mean, 0/(something) is undoubtedly a smaller number than 5-24*10^6/(a very HUGE number), but maybe the (something) is so little that the target in itself is irrelevant...

[+] doubleplusgood|9 years ago|reply
This is great! I've always wanted a step-by-step guide on how _not_ to do things.
[+] skarap|9 years ago|reply
Interesting findings. Though I didn't get why the author concentrated so much on the security issues of the UI while the real issue is that the whole thing is snake oil. I mean - what if the UI was great, had https and there were no CSRF vulnerabilities? Would this be considered a secure product?