Firewall Wizards mailing list archives
Re: Apology - not necessary
From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 26 Sep 1998 10:19:38 -0400 (EDT)
On Sat, 26 Sep 1998, Marcus J. Ranum wrote:
Frank Willoughby wrote:
IMO, there is nothing to apologize for.
Frank, I gotta disagree.
I've mixed feelings on this, and nobody seems to be able to slide them one way or another, so I'll sit on the fence but lean over towards Frank's yard.
Since his posting I've made a number of enquiries of unquotable nonexistent sources. None of them have pointed to a single substantive "smoking gun." Clearly the DOD may have problems with Israelis, after that Israeli kid embarrassed some of the DOD networkers so badly by pointing up how lame their security was, but that's the best I could find. I spoke with Checkpoint's VP of federal sales, and he said they've been working with NSA to get them source code for review. (Hopefully source code that
At the same time, there was a period last year (around this time, I think) where at least two U.S. Government sites stopped FW-1 installs that I was aware of. I don't remember the first (and it could have been .gov, not .mil - I honestly don't remember), but the second was Defense Logistics Agency (Carlisle Barracks, Carlisle, Pennsylvania). While there may be a perfectly innocent reason for it (or maybe they listened to the rumors), it was certainly suspicious enough to fuel quite a bit of "why-the-heck-would-they-buy-it-then-not-install-it?" speculation. My understanding of the DLA event was that a higher command halted the scheduled installation of FW-1 within 3 weeks of the scheduled install date to replace it with a different product. This was after sending the site's administrators to FW-1 training. When I was in the military, I know what that would indicate to me, and I still find that metric to be the most appropriate to apply in this case; Your Paranoia May Vary. I heard about it from two different folks, both of whom seemed to be capable of knowing fact from fiction, one of whom would have had an ulterior motive, and the second of whom (to the best of my knowledge) wouldn't have. Last time Checkpoint asked who was spreading "rumors" I held up my hand on their mailing list. That's what I heard. I hope it's not too vague and irrefutable; I'm not a consultant, I don't play in .mil or .gov, I don't have a secret agent decoder ring, and I'd already heard enough to make me drop FW-1 before that came around (FIN scans, OOB packets, apparent use of the host stack for admin/VPN, frag hassles and lack of state on ICMP if anyone's interested - and yes, I'm aware that you can fix the last of those if you write an Inspect program; the undocumented inconsistencies were my main gripe with that aspect). Checkpoint's VP of Federal Sales was on spin cycle, but they didn't seem interested in anything other than the standard "If you know a vulnerability please tell us" line.
I'd always put the rumors prior to that point aside as "possible but no evidence", I'm not sure the above counts as evidence for everyone, but in this game, you take what you get and then make your own calls. I've made mine, and I'm still comfortable with it.
While Frank's points about national security make sense (especially in the light of Crypto AG and related tales) this is about squashing mud-slinging attempts, not security.
It's difficult to reliably separate mud-slinging from fact when the empirical evidence flows in parallel with the mud. As Frank points out, anyone in an ISSO-type position has to take a paranoid stance, and foreign intel doesn't always _just_ mean government clients. While my list of countries is a bit longer than Frank's, his are on my list too. To me, the main worry wouldn't be espionage, it would be the black hats discovering the vulnerability. While mud-slinging is generally a bad thing, if there's a reasonable chance that said mud came from that mud puddle over there at the vendor's house, it often makes sense to point out the puddle.
For the record, I'll reiterate my $3,000 challenge for a disassembled proof of a trapdoor. I've appended the original posting below.
It's sometimes difficult to prove "trap door" from "bug". What's your metric for proof? Can it be non-disassembled evidence (packets, rules, sniffer output), or is a direct comparison in the code the only form of proof you'll accept, and are there any version limits? I'm perfectly willing to let you test the one I've heard of (read - *unsubstantiated rumor* that I *haven't personally tested*, which may or *may not* be there, but isn't mine to give out) under NDA (sorry, it keeps the terms that I got it under). I'm not interested in making anything off of it *if* it turns out that my rumor isn't a rumor. If you've access to FW-1 with code from the time of my rumor (last June) and the current code, we can try it on both at your convenience. I don't have the patience to disassemble anything these days though, and I don't have a FW-1 box. [FWIW - I'm also willing to go over a list of holes CP's fixed and state that it was fixed if it was, but my non-disclosure rules simply don't allow for me asking them if they've fixed "xyzzy-hole".]
Paul [Seekrit Agent 0.0.0.0]
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net   which may have no basis whatsoever in fact."
PSB#9280