Can You Trust Closed Source Software?
-
The article is clear as well, it is an undocumented backdoor. There is no one but Fortinet officials trying to soften the blow by making it sound like it was unintentional after describing why it was intentional, and calling a backdoor a "management feature."
-
@JaredBusch said:
@scottalanmiller said:
An intentional back door for them to access customers' systems.
This is your opinion. Not stated fact.
But it is what they said. They stated that it was a hard coded password for remote management. I guess I assumed "by them" but it could be by "whoever they gave the password to." I gave them some extra credit, but all of the bad stuff they openly admitted to in the paragraph that you quoted.
-
I didn't state that it was malicious, although I think it is without option malicious to introduce a backdoor when you are a security vendor, but I didn't state it. I simply looked at what they said: it was introduced by a feature that they didn't use.
If it was to be a feature, it had to be intentional, right? Maybe it got "left in" after they changed their minds, but there is nothing to support that except for a claim after they were caught red handed. And even if that were true, I see little relevance. That would make it "no longer malicious", but it wouldn't change the fact that it remains a backdoor, was introduced intentionally (what else could a feature be) and for the purpose of remote access. All of that they stated in their defence.
-
@JaredBusch said:
This is your opinion. Not stated fact.
I don't see why you are making this my opinion. I'm quoting Ars Technica.
-
Some other news outlets that have also stated that it is a backdoor:
Even when defending themselves to The Register, Fortinet carefully doesn't say that it wasn't a backdoor, they simply say that it was not a backdoor vulnerability issue. They did tell The Register that it was meant for Fortinet staff to access the systems - e.g. a backdoor. I see no one, not even Fortinet themselves, questioning if this is a backdoor.
That it is a backdoor is only in question to you personally, from what I can tell. Fortinet is defending why they feel it isn't a bad thing to have done it, but isn't saying that they didn't do it.
-
@scottalanmiller Fortinet clearly stated that it was designed to allow an authorized FortiManager to access registered FortiGate devices.
Your usage of them in that context is clearly an accusation against FortiNet as a company.
But how does FortiManager, which is a software product set up by the end user as an appliance or virtual appliance, equate to FortiNet having intentional unrestricted access?
-
@scottalanmiller said:
@JaredBusch said:
This is your opinion. Not stated fact.
I don't see why you are making this my opinion. I'm quoting Ars Technica.
No, you are not quoting. This is your opinion.
-
@JaredBusch said:
@scottalanmiller Fortinet clearly stated that it was designed to allow an authorized FortiManager to access registered FortiGate devices.
And? Why does that change anything? A hardcoded backdoor for "authorized" access is a backdoor. And how does "authorized" apply to hard coded?
-
@JaredBusch said:
Your usage of them in that context is clearly an accusation against FortiNet as a company.
They are the ones who did it, yes. They themselves admitted it. There is no question or opinion here. I'm injecting nothing.
-
@JaredBusch said:
But how does FortiManager, which is a software product set up by the end user as an appliance or virtual appliance, equate to FortiNet having intentional unrestricted access?
Because that is not what they gave access to, nor what they themselves stated that they gave access to. Fortinet themselves did two things that, even from Fortinet, are without question:
- Made a backdoor
- Intended to use it for more than FortiManager
And step two doesn't even matter. Intention isn't actually an issue. It remains an open backdoor issue.
-
@scottalanmiller said:
@JaredBusch said:
Your usage of them in that context is clearly an accusation against FortiNet as a company.
They are the ones who did it, yes. They themselves admitted it. There is no question or opinion here. I'm injecting nothing.
Your entire argument is that they are intentionally and maliciously doing this. That is purely you injecting your opinion on the facts.
-
@JaredBusch said:
I don't see why you are making this my opinion. I'm quoting Ars Technica.
The term "backdoor" is directly from all of those news sources. You aren't stating why I am wrong or that I am wrong, you are simply using personal attack to make it look like maybe I made this up. I'm neither the person who posted it here, nor the one(s) who stated it was a backdoor.
The only thing that differs from all accepted statements here appears to be you. You are stating that everyone, including Fortinet themselves, is just "opinion." Sure, you can use that for anything. Nothing is fact in the universe, it is all opinion. The difference here is that I'm with the crowd and you seem to be alone defending someone who isn't even defending themselves in the way that you are.
I'm just a bystander, why have you chosen to go after me and act like I added a new opinion? If you feel the articles are incorrect and that Fortinet was incorrect, state so.
-
@JaredBusch said:
Your entire argument is that they are intentionally and maliciously doing this. That is purely you injecting your opinion on the facts.
Based on what do you feel that I said it was malicious, other than when I later, after you had already gone into your "my opinion" thing, added that how anyone could non-maliciously hard code a password into a security device seemed impossible.
-
And, just to be clear, I'm using the dictionary definition of malicious here when I do use it and I fully believe that Fortinet has stated clearly that it was malicious, but this was not stated by me before it was proposed as my opinion that it was a backdoor: An act done maliciously is one that is wrongful and performed willfully or intentionally, and without legal justification.
From Fortinet's own statements that they intended for their staff to use it to access systems, and that customers were not informed that access was given to Fortinet staff. That it was willfully done has been admitted to, according to their interview with the Register and from the quote about it being put in for management purposes.
-
Maybe I am misreading the dictionary, so correct me there, but it seems like malice is very clear here. Malice does not mean with evil intent, only that it wasn't right to do and they willfully did it.
-
@scottalanmiller said:
Maybe I am misreading the dictionary, so correct me there, but it seems like malice is very clear here. Malice does not mean with evil intent, only that it wasn't right to do and they willfully did it.
They intentionally coded in a method of access for their software. They never intentionally coded a wide open backdoor.
The term backdoor is used by the media. Not by FortiNet.
-
@JaredBusch said:
@scottalanmiller said:
Maybe I am misreading the dictionary, so correct me there, but it seems like malice is very clear here. Malice does not mean with evil intent, only that it wasn't right to do and they willfully did it.
They intentionally coded in a method of access for their software. They never intentionally coded a wide open backdoor.
So two things that I'm not clear on:
-
Are you disputing the definition of backdoor? "A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc." - Wikipedia
-
It is your opinion that they never intentionally coded it that way; they stated otherwise in their interview.
-
-
While Fortinet never states, that I have seen, that it IS a backdoor, they also never dispute it. But they describe it in a way that matches the definition of backdoor. So all outlets seem to agree that it is a backdoor, the description matches the definition and Fortinet never states otherwise, that I have seen. While you can make the argument that nothing can ever be "proven" to be an intentional backdoor, I feel like we are far outside the point of reason here to do so.
Are any of these things not true:
- A backdoor exists or existed (unauthorized access was granted through a secret password that the customer did not know about.)
- The backdoor was typed in, hardcoded, by a Fortinet programmer.
- The intent of the hardcoded password was to provide a wide open access channel for Fortinet to use (whether by people or by code) for access to systems that it otherwise would not have access to (using a customer provided password, for example.)
Am I wrong in believing that those are the basic facts that everyone agrees on?
-
The part that no one can prove and will always be opinion on any side is this part of Fortinet's quote: "...this is not a case of a malicious backdoor implemented to grant unauthorized user access"
As far as I know, all opinion revolves around this portion - not if the backdoor was intentional, not if it is a backdoor, Fortinet never questions those, only whether it was for unauthorized user access. They don't clarify by whom it would have been authorized (customer, Fortinet, government, etc.), or what user access means, but all of their defence of it is couched in those words. They don't even question the malicious part. They might not agree that it is, but no statement that we have seen from them actually says it. They seem careful to not actually state that it was not malicious or that it wasn't a backdoor.
That they only intended for "authorized user access" is what they claim, after getting caught. You can agree or disagree with them or weigh how likely it is for someone caught in the cookie jar to tell the truth or even know the truth, but it appears, to me, that this is the only portion of the discussion where there is question. And I don't believe that I ever implied who Fortinet intended to give backdoor access to or when.
-
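The three "basic facts" listed above (a secret credential the customer did not know about, hardcoded by the vendor's programmer, giving access that bypasses the customer's own credentials) describe a specific code pattern. The block below is an added illustration written for this page, not Fortinet's code and not taken from any advisory: the vendor username and password in it are invented stand-ins, the customer accounts are constructed sample data, and the FortiOS/FortiManager mechanism is not modelled. It puts the backdoored authentication path beside a hardened one that consults only customer-configured credentials, and adds the check an operator can apply to any appliance login: with every customer credential removed, nothing should still be able to log in.

```python
"""Constructed illustration of a vendor-hardcoded credential that bypasses
customer authentication, beside a hardened version, plus an operator check.
Not Fortinet's code; all names and credentials here are made up."""
import hashlib
import hmac
import os

# Hypothetical hardcoded credential standing in for whatever a vendor ships.
# The customer never configured it and has no way to see, change or remove it.
_VENDOR_USER = "vendor_support"              # assumption: name chosen for this example
_VENDOR_PASSWORD = "example-vendor-secret"   # assumption: value chosen for this example

_PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a stored customer password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    return salt, digest


def make_customer_db(credentials):
    """Customer-configured accounts: {user: (salt, digest)}. These are the only
    credentials the device owner knows exist."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


# Dummy record so an unknown username costs the same work as a known one
# (avoids a timing oracle on account existence).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-not-a-real-account")


def _customer_check(user, password, db):
    """Verify against customer-configured records only, in constant time."""
    salt, stored = db.get(user, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, candidate = hash_password(password, salt)
    matches = hmac.compare_digest(candidate, stored)
    return matches and user in db


def authenticate_backdoored(user, password, db):
    """The pattern the thread describes: after the customer's own check fails,
    a second path accepts a credential baked into the firmware."""
    if _customer_check(user, password, db):
        return True
    return user == _VENDOR_USER and hmac.compare_digest(
        password.encode(), _VENDOR_PASSWORD.encode()
    )


def authenticate_hardened(user, password, db):
    """Only customer-configured credentials are ever consulted; there is no
    vendor path to find, leak or abuse."""
    return _customer_check(user, password, db)


def accepts_unconfigured_credentials(authenticate, probes):
    """Operator check: against an EMPTY customer database nothing should
    authenticate. Any probe that still succeeds is a credential the customer
    never configured, i.e. a bypass of normal authentication."""
    empty_db = make_customer_db({})
    return [(u, p) for u, p in probes if authenticate(u, p, empty_db)]


if __name__ == "__main__":
    # Constructed sample data: one customer account plus the vendor credential.
    db = make_customer_db({"admin": "customer-chosen-pw"})
    probes = [("admin", "customer-chosen-pw"), (_VENDOR_USER, _VENDOR_PASSWORD)]
    print("backdoored accepts with no accounts:",
          accepts_unconfigured_credentials(authenticate_backdoored, probes))
    print("hardened accepts with no accounts:",
          accepts_unconfigured_credentials(authenticate_hardened, probes))
```

The check only catches credentials you already know to probe for, which is exactly the limitation of a hardcoded backdoor from the customer's side: nothing in the configuration reveals it, so it has to be found by reverse engineering the firmware or by a published string. What the hardened function shows is that the fix is structural, not a matter of choosing a stronger vendor password: the only way a customer can be sure the accepted-credential set equals the configured-credential set is for the code to have no second path at all.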