Firewall Wizards mailing list archives

Re: Apology - not necessary


From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 26 Sep 1998 10:19:38 -0400 (EDT)

On Sat, 26 Sep 1998, Marcus J. Ranum wrote:

> Frank Willoughby wrote:
> > IMO, there is nothing to apologize for.
>
> Frank, I gotta disagree.

I've mixed feelings on this, and nobody seems to be able to slide them 
one way or another, so I'll sit on the fence but lean over towards 
Frank's yard.

> Since his posting I've made a number of enquiries of unquotable
> nonexistent sources. None of them have pointed to a single
> substantive "smoking gun."  Clearly the DOD may have problems
> with Israelis, after that Israeli kid embarrassed some of the
> DOD networkers so badly by pointing up how lame their security
> was, but that's the best I could find. I spoke with Checkpoint's
> VP of federal sales, and he said they've been working with NSA
> to get them source code for review. (Hopefully source code that

At the same time, there was a period last year (around this time, I think) 
where at least two U.S. Government sites stopped FW-1 installs that I was 
aware of. 

I don't remember the first (and it could have been .gov, not .mil - I 
honestly don't remember), but the second was Defense Logistics Agency 
(Carlisle Barracks, Carlisle Pennsylvania).  
  
While there may be a perfectly innocent reason for it (or maybe they listened
to the rumors), it was certainly suspicious enough to fuel quite a bit of
"why-the-heck-would-they-buy-it-then-not-install-it?" speculation.

My understanding of the DLA event was that a higher command halted the 
scheduled installation of FW-1 within 3 weeks of the scheduled install date to
replace it with a different product.  This was after sending the site's
administrators to FW-1 training.  When I was in the military, I know what that
would indicate to me, and I still find that metric to be the most appropriate 
to apply in this case, Your Paranoia May Vary.  

I heard about it from two different folks, both of whom seemed to be capable
of knowing fact from fiction, one of whom would have had an ulterior
motive, and the second of whom (to the best of my knowledge) wouldn't have.

Last time Checkpoint asked who was spreading "rumors" I held up my hand
on their mailing list.  That's what I heard; I hope it's not too vague and
irrefutable. I'm not a consultant, I don't play in .mil or .gov, I don't
have a secret agent decoder ring, and I'd already heard enough to make me drop
FW-1 before that came around (FIN scans, OOB packets, apparent use of
the host stack for admin/VPN, frag hassles and lack of state on ICMP if
anyone's interested - and yes, I'm aware that you can fix the last of
those if you write an Inspect program; the undocumented inconsistencies
were my main gripe with that aspect).

Checkpoint's VP of Federal Sales was on spin cycle, but they didn't
seem interested in anything other than the standard "If you know a 
vulnerability please tell us" line.     

I'd always put the rumors prior to that point aside as "possible but no 
evidence", I'm not sure the above counts as evidence for everyone, but in 
this game, you take what you get and then make your own calls.  I've made 
mine, and I'm still comfortable with it.  

> While Frank's points about national security make sense (especially
> in the light of Crypto AG and related tales) this is about
> squashing mud-slinging attempts, not security.

It's difficult to reliably separate mud-slinging from fact when the
empirical evidence flows in parallel with the mud.  As Frank points out,
anyone in an ISSO-type position has to take a paranoid stance, and
foreign intel doesn't always _just_ mean government clients.  While my
list of countries is a bit longer than Frank's, his are on my list too.

To me, the main worry wouldn't be espionage, it would be the black hats 
discovering the vulnerability.     
 
While mud-slinging is generally a bad thing, if there's a reasonable chance 
that said mud came from that mud puddle over there at the vendor's house, 
it often makes sense to point out the puddle.

> For the record, I'll reiterate my $3,000 challenge for a
> disassembled proof of a trapdoor. I've appended the original
> posting below.

It's sometimes difficult to prove "trap door" from "bug".  What's your 
metric for proof?  Can it be non-disassembled evidence (packets, rules, 
sniffer output), or is a direct comparison in the code the only form of 
proof you'll accept, and are there any version limits?   

I'm perfectly willing to let you test the one I've heard of (read -
*unsubstantiated rumor* that I *haven't personally tested*, which may or
*may not* be there, but isn't mine to give out) under NDA (sorry, it keeps
the terms that I got it under). I'm not interested in making anything off of it
*if* it turns out that my rumor isn't a rumor.

If you've access to FW-1 with code from the time of my rumor (last June) and 
the current code, we can try it on both at your convenience.  I don't have 
the patience to disassemble anything these days though, and I don't have a 
FW-1 box.  

[FWIW- I'm also willing to go over a list of holes CP's fixed and state 
that it was fixed if it was, but my non-disclosure rules simply don't allow 
for me asking them if they've fixed "xyzzy-hole".] 

Paul
[Seekrit Agent 0.0.0.0]
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
