I had an odd experience while troubleshooting a Barracuda Spam Firewall 300 today. I don't need to get into the technical specifics on what I was working on because it doesn't really matter. What does matter is the conversation I had with the tech during this call. But first, let me explain how tech support works at Barracuda Networks along with what a Barracuda is.

Essentially, a Barracuda box sits between your E-mail server and the rest of the world. Inbound E-mail comes in to the Barracuda, which examines it for viruses and spam, then deals with it according to your wishes and forwards it off to your E-mail server for final delivery. This, in and of itself, is a very good thing, but what bothers me is this. When you call tech support they won't walk you through anything. They make you go into the troubleshooting section of the web interface and click a button that opens a reverse ssh tunnel to their network, essentially bypassing your firewall. And even this wouldn't be bad really except that they don't give you a choice. They won't do anything unless they do it through the tunnel. I asked for the root password and they refused to give it. Whose box is this anyway?

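The reverse ssh tunnel described above is a connection the appliance opens outbound to the vendor, which is why it passes a firewall that only filters inbound traffic. As an added example that is not part of the original post, here is a small Python script that looks for that kind of session in perimeter-firewall connection logs: an outbound TCP connection from the appliance's address to a host outside the organisation on the SSH port that stays open far longer than any mail delivery would. The log format, the addresses, the assumption that the tunnel uses TCP port 22, and the ten-minute threshold are all constructed for this example and are not from Barracuda's documentation.

```python
"""
Spot a vendor "reverse ssh tunnel" in perimeter-firewall connection logs.

Added example, not from the original post. The log format, the addresses
and the thresholds are constructed; adapt parse_line() to your firewall.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import List, Union

IP = Union[IPv4Address, IPv6Address]

# Constructed sample log, one finished connection per line:
#   <epoch> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <duration_seconds>
SAMPLE_LOG = """\
1700000000 tcp 192.0.2.10:43210 -> 203.0.113.5:22 7200
1700000000 tcp 192.0.2.10:25 -> 198.51.100.7:25 12
1700000100 tcp 192.0.2.10:49001 -> 192.0.2.20:25 3
1700000200 tcp 192.0.2.10:43211 -> 203.0.113.5:22 45
1700000300 tcp 192.0.2.30:51000 -> 203.0.113.9:443 30
"""

INTERNAL_NETS = [ip_network("192.0.2.0/24")]  # assumption: the client's LAN
APPLIANCE_IP: IP = ip_address("192.0.2.10")   # assumption: the spam appliance's address
SSH_PORT = 22                                 # assumption: the tunnel uses SSH's default port
LONG_SESSION_S = 600                          # a support tunnel stays up for minutes or hours;
                                              # an SMTP delivery lasts seconds


@dataclass
class Conn:
    ts: int
    proto: str
    src: IP
    sport: int
    dst: IP
    dport: int
    duration: int


def parse_line(line: str) -> Conn:
    """Parse one line of the constructed log format into a Conn."""
    ts, proto, src, _arrow, dst, duration = line.split()
    src_ip, src_port = src.rsplit(":", 1)   # rsplit keeps IPv6 literals intact
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Conn(int(ts), proto, ip_address(src_ip), int(src_port),
                ip_address(dst_ip), int(dst_port), int(duration))


def is_internal(ip: IP) -> bool:
    """True if the address belongs to one of the organisation's own networks."""
    return any(ip in net for net in INTERNAL_NETS)


def find_support_tunnels(log_text: str) -> List[Conn]:
    """Return connections that look like a long-lived outbound SSH session
    from the appliance to a host outside the organisation."""
    hits: List[Conn] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        c = parse_line(line)
        if (c.src == APPLIANCE_IP
                and c.proto == "tcp"
                and c.dport == SSH_PORT
                and not is_internal(c.dst)
                and c.duration >= LONG_SESSION_S):
            hits.append(c)
    return hits


if __name__ == "__main__":
    for c in find_support_tunnels(SAMPLE_LOG):
        print(f"{c.ts}: {c.src}:{c.sport} -> {c.dst}:{c.dport} open for {c.duration}s")
```

Run against the sample, only the two-hour session to 203.0.113.5 is reported; the 45-second SSH attempt and the SMTP deliveries are not. This only tells you after the fact that a tunnel was up. If you want the choice the post says the vendor doesn't give you, the same facts (the appliance's address, the ports a mail gateway legitimately needs such as SMTP and DNS) are what an egress rule on the perimeter firewall would be built from, so that the tunnel only works when you open it deliberately for the duration of a call.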
Oh, I should mention that the Barracuda runs Linux, and appears to have several modified applications from Open Source projects. I've read that the flavor of Linux they use is a modified Mandrake, and from looking at the way they deal with spam it looks incredibly similar to SpamAssassin. I'm not sure what they use to scan for viruses. They might have rolled their own scanner as far as I know. I really didn't go ripping into the Barracuda since it's a client's machine and is in active service, so I can only speculate. I'd love to yank the hard drive out of one and stick it in a normal PC and see what's on it. After all, it's just a PC. If you look at the back you can see the normal layout of ports and the edge of the motherboard along with normal memory slots. It's just a standard PC packed into a small mountable case.

So, anyway, during my support call I was thinking of how nice it was to see a corporate-level device running Linux when I realized there was no license agreement at all that came with it. I mean, nothing. No EULA of any sort. I figure since much of it appears to be based on Open Source stuff that there should be a copy of maybe the GPL or the Apache License, and a notice on where to get the source code. So, while talking to the Barracuda engineer I asked him where I could get the source. And here is where I got the funny feeling that something wasn't right. His answer was, "What I'm supposed to tell anyone who asks this question is to Google on 'Barracuda Spam' and you should find all the information you need." So while I was on the phone with him I Googled as he suggested, which only produced pro-Barracuda stuff and places to buy them. I mentioned Apache, SpamAssassin, and Linux and said that at least some of the stuff in their product probably had origins in a GPLed project somewhere. And if so then why didn't they have any source available? The answer was, "Well, we've modified it so much that it's not really original anymore." I asked why he couldn't talk about it much and his final answer before I dropped it was, "We are allowed to say only certain things to prevent us from saying something stupid." He was a nice guy and doing his best to help me out with my problem so I didn't push the issue. He seemed sort of uncomfortable with the subject matter anyway.

So, to satisfy my curiosity I got in contact with one of their Sales reps. I figured if anyone should know the ins and outs of the legalities behind their products it should be the sales guys who have to deal with people like me asking all kinds of questions. When I asked about getting a copy of the license he said, "Uhm, I'll have to look into that. Can you send your request in an E-mail and I'll forward it off to our VP?" I sent the license request Friday afternoon, so I'm curious to see what I get, if anything, come Monday.

After all this I did a Google for "Barracuda GPL violation" and other similar phrases and came up with this white paper at packetstorm, which brings up things I was thinking about and a heck of a lot more food for thought. I also found a couple of links pointing to forums where someone was talking about this exact subject but didn't take the time to read the entire thread; it was rather long.

This is one of those times when I wish I knew a lawyer who was versed in such things just so I could get a professional opinion. I'm no lawyer and I can't pretend to totally understand the GPL, let alone the other licenses that OSS can come under. However, their inability to produce a license, the sales rep's confusion when asked for a license, and the "I can't talk about it" restrictions on the engineer all seem fishy. I'm not sure what to think, or even how I could go about finding out if they are in violation of any license. It wouldn't surprise me if they were though, and they wouldn't be the first ones who tried to benefit from OSS without fulfilling the obligations in the applicable licenses. Remember Linksys did the same thing and got caught.

Who knows? I may just be overreacting and blowing smoke out of my ass on this. Like I said, I'm no lawyer. Maybe someone else who actually has an informed clue on this could enlighten me?