Another Brick from the Wall - Leadership thoughts

About Author

The Jericho Forum is an international group of organisations working together to define and promote the solutions surrounding the issue of de-perimeterisation. Members include top IT security officers from multi-national Fortune 500s & entrepreneurial user companies, major security vendors, government, & academics. Working together, members drive approaches and standards for a secure, collaborative online business world.



Mossad put a backdoor in my firewall (and other tales)

Anyone can install a back door. Even the good guys.

I was discussing security matters over a drink with a US Government official at the Black Hat conference in Las Vegas a few years back and the discussion went something like this:

[Official] “We won’t allow [insert Israeli security company] firewalls as they won’t let us review the source code” (for which read, 'we are afraid Mossad has a back door').

[Me, playing devil’s advocate] “So how can the rest of the world be sure that the NSA doesn’t have a back door in [insert leading US network vendor] firewalls?”

I was reminded of this when reading claims that the FBI sneaked a back door into the IPSEC encryption in OpenBSD. Now I have no idea whether it’s true or not, but in these days of post-9/11 paranoia, when it is assumed that the Chinese, Iran, Russians, Mossad, organised crime, are all trying to subvert our systems, what makes people think that the NSA, FBI or GCHQ are not?

Or is it just a case of it’s OK if ‘we’ do it because we are the good guys and would never abuse it?

After all, the story about the CIA placing a camera in Xerox copiers sold to the Soviet embassy in the 1960s, at the height of the Cold War, is well known.

In today's new pragmatic security environment, COTS (commercial off-the-shelf) software, services and devices can all be Trojan horses for getting malware into any organisation, and in the rush for consumerisation and cloud/utility computing we forget this at our peril.

Paul Simmonds, Jericho Forum board member
