Can You Trust Closed Source Software?
-
Holy Crap - are there any security vendors we can trust anymore?
I was reminded of this Fortinet fiasco (still potentially a huge problem since they didn't actually remove the password from the device, only disabled it's direct access on SSH).
Compared to Juniper's problem, I this one is way worse since they admit they were aware of this and they fully claim there was nothing malicious about it's being there (worded slightly differently - They know it was done on purpose, not by hackers who managed to insert some code.
Juniper on the other hand said they had no idea how the code was added to their systems.
-
No, you can't. Richard Stallman's been preaching that for years. If you don't have the source then your software is a black box and you don't really know what it's doing. You still have to evaluate the cost as to whether that's worth it given the cost of what you are trying to protect.
-
@Nic said:
No, you can't. Richard Stallman's been preaching that for years. If you don't have the source then your software is a black box and you don't really know what it's doing. You still have to evaluate the cost as to whether that's worth it given the cost of what you are trying to protect.
Definitely. I want to say though - worse than that these companies seem to be doing a horrible job! I suppose I can understand Juniper's plight - they appear to have been hacked, and the hacker did a good job of covering their tracks (or it was the NSA and they were paid off, but we're not going to assume that for now).
But Fortinet - this is just unforgivable. I can never recommend their stuff - not that I did before, but they are now on the lifetime ban list. For me this was even easier to ban than Lenovo - it was done on purpose.
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
-
@Dashrender said:
Holy Crap - are there any security vendors we can trust anymore?
Of course, open source ones. The very nature of a security vendor wanting to hide their code suggests that you cannot trust them. It means that they are living by security through obscurity one way or another. Why would they do that? Because the code is bad? Because they don't understand security? Because they are doing something devious? Can't think of a good reason why they would do it.
You need to start by considering what "trust" would mean. Doesn't it start with opening the source? Trust through transparency.
-
@Dashrender said:
But Fortinet - this is just unforgivable. I can never recommend their stuff - not that I did before, but they are now on the lifetime ban list. For me this was even easier to ban than Lenovo - it was done on purpose.
Lenovo was on purpose and FAR more infectious.
-
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
-
@Dashrender said:
Juniper on the other hand said they had no idea how the code was added to their systems.
But they set themselves up for that kind of risk by closing their source.
-
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
-
@johnhooks said:
He said "So far so good as we are running newer firmware."
Read: My boss doesn't realize what I've done and so far i'm not in trouble. Hopefully the customers continue to not find out.
-
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
http://mangolassi.it/topic/7560/would-you-say-it-to-your-ceo
This is an example of what I meant there. Would his reaction have been the same had he been saying it to the CEO and defending why a known crappy, undocumented, closed source vendor had intentionally put them at risk and compromised their security instead of to someone he could brush off? Would his thinking change if the CEO were the one questioning if "getting lucky" is an okay state to remain?
-
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
So far so good? WTF? Did he not read the part where the password is still in there, just not currently known how to access? Most likely a port knocking of some kind will open it back up. Sigh!
-
@Dashrender said:
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
So far so good? WTF? Did he not read the part where the password is still in there, just not currently known how to access? Most likely a port knocking of some kind will open it back up. Sigh!
That's the kind of stuff that I mean. Would he REALLY tell his boss "I know I put us at risk and it's a totally ridiculous risk and people are mocking me but we are taking our chances and so far we've gotten lucky so that's good, right?"
-
Geeze, maybe they should just give up.
-
At this point, everyone knows that Fortinet is insecure and actively not someone that can be trusted. Mistakes happen. Backdoors are not mistakes, they are malicious. Fortinet isn't your security vendor, they are the company you have to try to keep out. Fortinet knows, at this point, that anyone running Fortinet still doesn't care about security so there is no incentive for them to change. Fortinet's customers don't care and those that care aren't going to ever do business with the enemy that they are trying to protect against even if they stop that one form of exposure of their clients.
-
@Dashrender said:
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
So far so good? WTF? Did he not read the part where the password is still in there, just not currently known how to access? Most likely a port knocking of some kind will open it back up. Sigh!
Looks like "so far, not so good" now.
-
@scottalanmiller said:
At this point, everyone knows that Fortinet is insecure and actively not someone that can be trusted. Mistakes happen. Backdoors are not mistakes, they are malicious.
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
-
@JaredBusch said:
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
In what way was it meant to communicate to other Fortinet gear?
-
@scottalanmiller said:
@JaredBusch said:
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
In what way was it meant to communicate to other Fortinet gear?
From the last link..
-
@JaredBusch said:
@scottalanmiller said:
At this point, everyone knows that Fortinet is insecure and actively not someone that can be trusted. Mistakes happen. Backdoors are not mistakes, they are malicious.
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
Here is the quote and to me this reads exactly like "malicious backdoor."
As previously stated, this vulnerability is an unintentional consequence of a feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices. It is important to note, this is not a case of a malicious backdoor implemented to grant unauthorized user access.
It was intentional remote access. That they claim, now, that they didn't mean for humans to use it but for other computers is not relevant. It is a hard coded back door and intentional. It might be a bug that they left it in, but at this point that's just what they claim. That they intentionally introduced a security vulnerability for they themselves to access customers' systems seems to be something they have admitted to, but carefully couched the wording to attempt to soften it so that it might seem reasonable. But any vendor introduced back door could be described in this way.
-
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
In what way was it meant to communicate to other Fortinet gear?
From the last link..
Exactly what I read. In what way is that not:
-
not something to be believed. When you catch someone breaking into your house they don't say "Sorry, was here for your TV", they say "Oh, I was just testing the locks." Fortinet is not a trusted party here and that they are covering up for this is to be expected.
-
As described, it is exactly what we feared. An intentional back door for them to access customers' systems.
-
