Re: NSA able to compromise Cisco, Juniper, Huawei switches

[Eugeniu Patrascu <eugen () imacandi net>]

On Thu, Jan 2, 2014 at 10:01 AM, Saku Ytti <saku () ytti fi> wrote:

> On (2014-01-01 23:51 +0200), Eugeniu Patrascu wrote:
>
> > > Is this legal? Can NSA walk in to US based company and legally coerce
> to
> > > install such backdoor? If not, what is the incentive for private
> company to
> > > cooperate?
> >
> > As you might have seen from the beginning of time, people in power assume
> > anything can go until proven otherwise.
>
> This is mostly academic, as being legal or not being legal it's not
> appealing
> attack vector due to difficulties containing the information.
> But what I implied is, if it is legal, you'd have paper trail, like legal
> document from court.
I can't speak for NSA practices, but for example FBI asserted that they are
entitled to put GPS trackers on cars owned by people they suspected of
something without a court order. And they fought to the death in courts
when the suspects brought suits against them for violating their rights
with these practices.

It would assume that other agencies employ the same tactics and strong-arm
companies into doing their bidding with minimal paperwork. Let's not forget
that NSA vets all the security vendors and products that the USG uses and
it would be pretty easy for them to stop recommending SecurID tokens (main
RSA business is authentication) for government use.

The above presumption would have sounded crazy six months ago, but now...