I migrated to a local hardware controller early this morning, and I'm seeing some odd network traffic with the device. Most makes sense: Ubuntu, Cloudflare, etc. But there are 2 uploads to jeffhansen.com that seem odd - see screenshots below.
Unfortunately, I do not. It was small, 85 kB across 2 connections. Just seems out of place so I’m more curious than anything else. Connected on port 85.
It would be nice to see some kind of security and privacy policy from Alta, as I haven’t really come across anything. Given everything is cloud first and given the local controller is really anything but local, with dependencies for DDNS / ACME etc. and previous discoveries of stuff in code, such as report emails out to third party companies (xnet).
As Mark mentioned, pushing out to a non-alta branded thing is even more concerning, whether an employee or not, if a disgruntled member of staff left and had control over a domain not belonging to Alta that could be problematic.
A quick look into that domain seems to suggest it’s a residential Google fibre connection too, does that mean that the data here (whatever it is) is going outside of Alta’s control?
Keen to see your security stance, without a “coming soon” ™ that seems all too common on these forums.
I also note that requesting the free Alta control keys that were published in the forums a few days ago has triggered marketing emails to both myself and friends to which I have sent the post.
There is no explicit opt-in to this marketing, nor does there seem to be an opt-out.
This would be in violation of EU GDPR / UK DPA regulations on holding residents’ data.
Our privacy policy can be found here: Privacy Policy. We do collect usage data, always in an effort to make our products better, faster, and more secure.
I will admit, the jeffhansen.com is me, the CTO of Alta Labs. I do use my systems to manually debug customer issues, which was the case in this specific instance.
As far as the marketing emails, 1) we explicitly avoided sending to European TLDs, since we did not have the ability to track which country each user was coming from, 2) it was a relatively small number of emails that went out, and 3) we did not receive any actual complaints or requests to stop emails, but we will absolutely comply with any request to stop marketing emails.
Thank you Jeff for the clarifications - I do appreciate it.
In this case, there were no issues, I had not reached out to support, I had just set up the device. It appears it connected to your domain twice shortly after initial setup, I have not seen any additional connections to your domain. I’m not concerned about it at this point, but do want to point out that this does seem to be a proactive thing, not reacting to any support requests I had initiated.
Again, I appreciate you clearing this up for me and providing the information above, it is very helpful!
@mark Thank you for your understanding. There were a couple of automated crash reports there, and with a new product, it’s important to make sure they are not impacting user experience.
I do think the use of personal systems for debugging issues is unacceptable especially if dumps are being offloaded from customers onto them.
Could you please provide information as to what is contained in these reports that are going outside of Alta as a corporate entity’s control?
Every person I have checked with used a “.uk” ccTLD, .org.uk/.me.uk/.uk and still fell victim to these emails, albeit the UK is no longer part of the EU, however the DPA enshrined into law the same protections afforded to residents by GDPR.
I’m getting really tired of the hiding behind coming soon or a defense of customer experience. I have many Alta products across multiple sites, including on customer sites, I’m a big fan of what you guys are doing and the hardware you churn out, but often I feel the basics are really falling short. I am sure any reasonably experienced platform/security/devsecops engineer would be calling out many of these bad practices.
With the cloud controllers, you, in essence, have the ability to get a shell onto devices within my network or any site in which I use your equipment. That’s some serious power, and even if you have the best of intentions, which I’m sure you do, you need to take your responsibilities seriously. Especially given you now have the Route10 which is a border security device.
If your self-hosted controllers are doing callbacks and unexpected traffic I can’t help but wonder what capabilities you have here, reverse shells for instance.
Transparency and also opt in to things like crash reports, telemetry, marketing, etc. are all basic things which garner trust from your end users.
@Hefty I appreciate the concerns you raise. I am sure Jeff will chime in again as well on some of your specific points. In addition to the Privacy Policy Jeff already shared above, we have an initial version of our Trust Site our development and marketing teams have been working on that is being created right now. We will be launching that in the next week or so.
Those items aside, what “coming soon” items do you feel we are “hiding behind?”
@Alta-Chase that comment was more at the user experience comments that I see very often.
Yes, sure, a great user experience is essential, but it is not a reason to forgo many of the basics when it comes to your customers and their data.
I am all for fixing bugs quick, I am not for customers having stuff shipped off their devices with no knowledge or opt in.
I have highlighted in Discord other examples (such as launching with a broken DNS implementation on the Route10, then attempting to fix this in production, breaking it further, then finally fixing it) in the past - which was ignored. I think the volume of support queries where fundamental functionality is missing from the Route10 that we see in the forums in recent weeks also speaks volumes and justifies other concerns I have raised in the past.
I think you can expect most of EU users coming from .com mails, I don’t think the TLD is a valid check. I’m sure you could insert a country picker in the form, quite easily.
You could also track from which IP the request comes from, or which language the browser requests, if you wish to make a safer assumption.
I would like to have it clarified: does Alta have the technical possibility of remoting into the device, or changing device settings?
@mattiasso As with any cloud service provider, of course Alta as a company does have access to anything connected to its cloud. However, we do follow industry standard practices to ensure tight control over who has access, and I assure you that access list is as short as possible. We’ll require opt-in for emails moving forward.
@WhyAydan There is nothing automated that goes to jeffhansen.com. It was manual crash research which has helped improve the stability and reliability of the product.
The bottom line is that Alta is laser focused on user experience, and there is nothing malicious about that. The above list of domains is 100% expected. We will be detailing all of this and much more in our upcoming Trust article. Please feel free to discuss this topic further after that has been posted.