Can You Trust Closed Source Software?
-
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
http://mangolassi.it/topic/7560/would-you-say-it-to-your-ceo
This is an example of what I meant there. Would his reaction have been the same had he been saying it to the CEO and defending why a known crappy, undocumented, closed source vendor had intentionally put them at risk and compromised their security instead of to someone he could brush off? Would his thinking change if the CEO were the one questioning if "getting lucky" is an okay state to remain?
-
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
So far so good? WTF? Did he not read the part where the password is still in there, just not currently known how to access? Most likely a port knocking of some kind will open it back up. Sigh!
-
@Dashrender said:
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
So far so good? WTF? Did he not read the part where the password is still in there, just not currently known how to access? Most likely a port knocking of some kind will open it back up. Sigh!
That's the kind of stuff that I mean. Would he REALLY tell his boss "I know I put us at risk and it's a totally ridiculous risk and people are mocking me but we are taking our chances and so far we've gotten lucky so that's good, right?"
-
Geeze, maybe they should just give up.
-
At this point, everyone knows that Fortinet is insecure and actively not someone that can be trusted. Mistakes happen. Backdoors are not mistakes, they are malicious. Fortinet isn't your security vendor, they are the company you have to try to keep out. Fortinet knows, at this point, that anyone running Fortinet still doesn't care about security so there is no incentive for them to change. Fortinet's customers don't care and those that care aren't going to ever do business with the enemy that they are trying to protect against even if they stop that one form of exposure of their clients.
-
@Dashrender said:
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
So far so good? WTF? Did he not read the part where the password is still in there, just not currently known how to access? Most likely a port knocking of some kind will open it back up. Sigh!
Looks like "so far, not so good" now.
-
@scottalanmiller said:
At this point, everyone knows that Fortinet is insecure and actively not someone that can be trusted. Mistakes happen. Backdoors are not mistakes, they are malicious.
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
-
@JaredBusch said:
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
In what way was it meant to communicate to other Fortinet gear?
-
@scottalanmiller said:
@JaredBusch said:
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
In what way was it meant to communicate to other Fortinet gear?
From the last link..
-
@JaredBusch said:
@scottalanmiller said:
At this point, everyone knows that Fortinet is insecure and actively not someone that can be trusted. Mistakes happen. Backdoors are not mistakes, they are malicious.
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
Here is the quote and to me this reads exactly like "malicious backdoor."
As previously stated, this vulnerability is an unintentional consequence of a feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices. It is important to note, this is not a case of a malicious backdoor implemented to grant unauthorized user access.
It was intentional remote access. That they claim, now, that they didn't mean for humans to use it but for other computers is not relevant. It is a hard coded back door and intentional. It might be a bug that they left it in, but at this point that's just what they claim. That they intentionally introduced a security vulnerability for they themselves to access customers' systems seems to be something they have admitted to, but carefully couched the wording to attempt to soften it so that it might seem reasonable. But any vendor introduced back door could be described in this way.
-
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
In what way was it meant to communicate to other Fortinet gear?
From the last link..
Exactly what I read. In what way is that not:
-
not something to be believed. When you catch someone breaking into your house they don't say "Sorry, was here for your TV", they say "Oh, I was just testing the locks." Fortinet is not a trusted party here and that they are covering up for this is to be expected.
-
As described, it is exactly what we feared. An intentional back door for them to access customers' systems.
-
-
@scottalanmiller said:
An intentional back door for them to access customers' systems.
This is your opinion. Not stated fact.
-
The article is clear as well, it is an undocumented backdoor. There is no one but Fortinet officials trying to soften the blow by making it sound like it was unintentional after describing why it was intentional, and calling a backdoor a "management feature."
-
@JaredBusch said:
@scottalanmiller said:
An intentional back door for them to access customers' systems.
This is your opinion. Not stated fact.
but it is what they said. They stated that it was a hard coded password for remote management. I guess I assumed "by them" but it could be by "whoever they gave the password to." I gave them some extra credit, but all of the bad stuff they openly admitted to in the paragraph that you quoted.
-
I didn't state that it was malicious, although I think it is without option malicious to introduce a backdoor when you are a security vendor, but I didn't state it. I simply looked at what they said: it was introduced by a feature that they didn't use.
If it was to be a feature, it had to be intentional, right? Maybe it got "left in" after they changed their minds, but there is nothing to support that except for a claim after they were caught red handed. And even if that were true, I see little relevance. That would make it "no longer malicious", but it wouldn't change the fact that it remains a backdoor, was introduced intentionally (what else could a feature be) and for the purpose of remote access. All of that they stated in their defence.
-
@JaredBusch said:
This is your opinion. Not stated fact.
I don't see why you are making this my opinion. I'm quoting Ars Technica.
-
Some other news outlets that have also stated that it is a backdoor:
Even when defending themselves to The Register, Fortinet carefully doesn't say that it wasn't a backdoor, they simply say that it was not a backdoor vulnerability issue. They did tell The Register that it was meant for Fortinet staff to access the systems - e.g. a backdoor. I see no one, not even Fortinet themselves, questioning if this is a backdoor.
That it is a backdoor is only in question to you personally, from what I can tell. Fortinet is defending why they feel it isn't a bad thing to have done it, but isn't saying that they didn't do it.
-
@scottalanmiller Fortinet clearly stated that is was designed to allow an authorized FortiManager to access registered FortiGate devices.
Your usage of them in that context is clearly an accusation against FortiNet as a company.
But how does ForitManager, which is a software product setup by the end user as an appliance or virtual appliance, equate to FortiNet having intentional unrestricted access?
-
@scottalanmiller said:
@JaredBusch said:
This is your opinion. Not stated fact.
I don't see why you are making this my opinion. I'm quoting Ars Technica.
No, you are not quoting. This is your opinion.
-
@JaredBusch said:
@scottalanmiller Fortinet clearly stated that is was designed to allow an authorized FortiManager to access registered FortiGate devices.
And? Why does that change anything? A hardcoded backdoor for "authroized" access is a backdoor. And how does "authorized" apply to hard coded?
