[Cryptography] McAfee: NSA Juniper backdoor used by China to clean out OPM/DOD/IRS/...
ianG
iang at iang.org
Tue Mar 8 00:24:34 EST 2016
On 28/02/2016 19:48 pm, Henry Baker wrote:
> http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
> http://www.marketwatch.com/story/juniper-networks-security-issue-raises-more-questions-about-backdoors-2015-12-28
>
> For those of my readers who do not understand how back doors are created - they can only be created by the manufacturers of the software. There is, absolutely, no other way.
I'm not sure if the author nailed it by logic alone or not, but I was
told a long time ago that this is indeed the process:
> So, the company had to have a rogue employee in the software development department. This much is clear.
Likely, more than one. Post-Snowden, I wrote up the model we developed
here:
http://wiki.cacert.org/Risks/SecretCells/ThreatsAndAssumptions
Once we knew there was a process of injecting personnel into our
critical areas, once we knew what to look for, it was a lot easier to
spot the spooks. It is perversely pleasing to know that we as a group
spotted a dodgy character within by applying the model, kept him away
from the critical systems, rooted him out of the organisation over time,
and later got credible evidence he was working for the intelligence
agencies.
However, it's really quite hard to operate under this sort of threat
level. The model eventually fell apart because after it had been handed
on to the 3rd generation of defenders, they had lost the understanding.
In large part because it wasn't documented, kept so secret we didn't
even dare write it down.
iang
More information about the cryptography
mailing list