[Cryptography] McAfee: NSA Juniper backdoor used by China to clean out OPM/DOD/IRS/...

Ray Dillinger bear at sonic.net
Mon Feb 29 01:11:04 EST 2016



On 02/28/2016 11:48 AM, Henry Baker wrote:

> And what is meta-software?  It's the one science that the entire Western World has entirely overlooked.  It is a high level set of principles for developing software that are imperative if a nation is to survive in a cyberwar.

> For example, programmers must constantly be audited.  Every line of code written by every programmer is audited by two senior programmers, and these auditors are rotated each month and the same two are never paired more than once.  You will see very clearly, later in this article, why such a principle is vital to a society's survival.

I have at least some anecdotal evidence that in some cases
at least, the USG has also been extremely rigorous about
software development procedures - not up to "the penalty is
death" levels, but certainly serious enough.

FWIW, back when I was working for NativeMinds (a provider of
development software specialized for making natural-language
interactive systems - alas, no longer funct), I occasionally
dealt with code intended to run on a secure USG system.  We
weren't the direct government contractors here - we were a
provider of very expensive (like, half a year's wages per
development seat expensive) development tools and support to
the contractor.

What I remember most about that codebase (at least that I'm
allowed to talk about) was the fact that EVERY changed line had
to be accompanied by a code comment that said who made the change,
when, and why, with a reference to the associated bug/enhancement
request in their issue tracker. Those were "hot comments" - they
were in a formal language of their own that was parsed and
audited by an automated system which verified that the date/
attribution data was in agreement with the version control system,
that the associated issue in the issue tracker had been updated
on that day, and that absolutely no undocumented changes had been
made.  Apparently there were auditors who got screamy if this
process (and apparently others which didn't concern our support
contract so I don't have to know what they may have been) was
not rigorously followed.

ISO 9001 was a big buzzword at the time (yes I know I'm
dating myself here) but this went WAY beyond the most anal
of ISO 9001 requirements.

A couple of us had to get security clearances because the
contractor was paying for support and in order to do the
support a couple of us had to be cleared to look at the code
they were using our tools to write.

Almost every line had one of these formatted comments.  I
was assured by the "real" contractors that the only lines
that did not bear such were those which had remained
unchanged since the initial checkin.

> I will give an example of what happens in the real world when back doors are put into software.  On December 17th of last year, Juniper Networks - a major provider of secure network systems, whose customers include nearly every US government agency, announced that it had discovered two "unauthorized" back doors in its systems.
> 
> http://www.marketwatch.com/story/juniper-networks-security-issue-raises-more-questions-about-backdoors-2015-12-28

Yep, yep, yep....  And if our intelligence agencies can force
backdoors to be installed, of course they need to consider the
capabilities of the intelligence agencies in the nations where
it's being manufactured - or shipped through, or where components
are being made, or where firmware is being written, etc.  There
are any number of countries that could have forced a supplier
to place a backdoor the USG would know nothing about into a
typical Android phone. And the USG is allowing those devices
to connect with its networks.

It's amusing to think that even when the FBI claims to be unable
to crack an iPhone, the Chinese may have a dozen ways the FBI has
never heard of because China can twist the manufacturers' arms.

Of course, that's paranoid crazy talk, like thinking the NSA
might be spying on American citizens rather than protecting them,
or that Volkswagen would write software specifically to cheat
on EPA tests rather than complying with them.  Nobody would
believe someone would do that, right?


				Bear
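
The automated audit of "hot comments" described in the message above, sketched as an added example that is not part of the original post and not the contractor's actual system. The `# CHG` tag grammar, the blame records and the tracker history are hypothetical, constructed stand-ins, since the post does not give the real formats.

```python
import re
from datetime import date

# Hypothetical tag grammar (an assumption; the post does not give the real one):
#   <code>  # CHG <author> <YYYY-MM-DD> <ISSUE-ID>: <reason>
TAG = re.compile(r"#\s*CHG\s+(\w+)\s+(\d{4}-\d{2}-\d{2})\s+([A-Z]+-\d+):\s*\S")

def audit(lines, blame, issue_updates):
    """Return (line_no, finding) pairs for every rule violation.
    blame: {line_no: (author, date)} for lines changed since initial check-in.
    issue_updates: {issue_id: set of dates the tracker entry was updated}."""
    findings = []
    for no, text in enumerate(lines, start=1):
        m = TAG.search(text)
        changed = blame.get(no)
        if changed is None:
            if m:  # tag claims a change version control never recorded
                findings.append((no, "tag on unchanged line"))
            continue
        if m is None:
            findings.append((no, "undocumented change"))
            continue
        author, day, issue = m.group(1), date.fromisoformat(m.group(2)), m.group(3)
        if (author, day) != changed:
            findings.append((no, "tag disagrees with version control"))
        if day not in issue_updates.get(issue, set()):
            findings.append((no, "issue not updated on change date"))
    return findings

# Constructed sample: source lines, blame records and tracker history.
SAMPLE = [
    "def reply(msg):",
    "    msg = msg.strip()  # CHG alice 2016-02-10 BUG-101: trim input",
    "    if not msg:  # CHG bob 2016-02-11 BUG-102: empty guard",
    "        return ''",
    "    return msg.upper()  # CHG alice 2016-02-12 BUG-103: shout",
]
BLAME = {
    2: ("alice", date(2016, 2, 10)),
    3: ("carol", date(2016, 2, 11)),  # tag on line 3 claims bob
    4: ("bob", date(2016, 2, 11)),    # changed, but carries no tag
    5: ("alice", date(2016, 2, 12)),
}
ISSUES = {"BUG-101": {date(2016, 2, 10)}, "BUG-102": {date(2016, 2, 11)},
          "BUG-103": {date(2016, 2, 9)}}  # BUG-103 not touched on the 12th

if __name__ == "__main__":
    for no, finding in audit(SAMPLE, BLAME, ISSUES):
        print(f"line {no}: {finding}")
```

In a real pipeline the blame and tracker dictionaries would be filled from the version control system and issue tracker, which is what makes the tags hard to forge: a tag only passes if two independent records agree with it.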
