Dailydave mailing list archives
Cyber Norms and the Juniper backdoor
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 18 Dec 2015 09:24:14 -0500
Recently Juniper announced they had two professional backdoors in their ScreenOS product line - one which allowed remote admin access and one which allowed for passive collection on VPN connections. Twitter has, of course, exploded and many people are pointing at the NSA or US Government as the culprits. *But nothing could be further from the truth.*

The USG could not legally covertly trojan the source code of a US company. And when the US trojans something, "Nobody but US" is the clear rule. I mean, "Nobody but US" is the only way to build a backdoor, in any case. But the US is a stickler for it, and other countries are not. The Cisco interdiction pictures Snowden leaked are a clear indicator of our policy in this area: specificity when it comes to targets.

More than that though, the US needs to stand up and declare from a policy perspective what the norm here is. Is trojaning a mass market product as out of bounds as the kinds of attacks that hit Sony Pictures? If so, what are the consequences? Keep in mind an attack like this could devastate Juniper's market value. Imagine if we found out Microsoft Windows had been backdoored by the Chinese. Is that acceptable? Are we willing to say that we won't trojan Huawei routers? What WILL and WON'T we do in the future? We need to be clear about this.

We should probably stop talking about export control for exploits for a while and start developing a real and public cyber policy, if we want to succeed at our goals of a safer, more trustworthy Internet. If we ask for legal backdoors in products, people are going to put illegal backdoors in them and there's nothing we can say about it. :(

-dave