Cyber Norms and the Juniper backdoor

[Dave Aitel <dave () immunityinc com>]

Recently Juniper announced they had two professional backdoors in their
ScreenOS productline - one which allowed remote admin access and one
which allowed for passive collection on VPN connections.

Twitter has, of course, exploded and many people are pointing at the NSA
or US Government as the culprits. *But nothing could be further from the
truth.* The USG could not legally covertly trojan the source code of a
US company. And when the US trojans something, "Nobody but US" is the
clear rule. I mean, "Nobody but US" is the only way to build a backdoor,
in any case. But the US is a stickler for it, and other countries are
not. The Cisco interdiction pictures Snowden leaked are a clear
indicator of our policy in this area: specificity when it comes to targets.

More than that though, the US needs to stand up and declare from a
policy perspective what the norm here is. Is trojaning a mass market
product as out of bounds as the kinds of attacks that hit Sony Pictures?
If so, what are the consequences?  Keep in mind an attack like this
could devastate Juniper's market value.

Imagine if we found out Microsoft Windows had been backdoored by the
Chinese. Is that acceptable? Are we willing to say that we won't trojan
Huawei routers? What WILL and WON'T we do in the future? We need to be
clear about this. We should probably stop talking about export control
for exploits for awhile and start developing a real and public cyber
policy, if we want to succeed at our goals of a safer, more trustworthy
Internet.

If we ask for legal backdoors in products, people are going to put
illegal backdoors in them and there's nothing we can say about it. :(

-dave

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave