Can You Trust Closed Source Software?
-
People like to ask this the opposite way to lead people to think that open source carries some risk. But all of the risks are magnified when code is closed. This has come to light very dramatically recently as both Juniper and now Fortinet have been caught not just putting in backdoors, but doing so in security appliances. Other vendors, like Barracuda, have been caught doing this in the past. This is so common that it is nearly assumed that closed source vendors are closed just so that things like this and cutting corners are quality and reliability are harder to spot.
In a world when vendor after vendor shows that they cannot be trusted with closed source stewardship and there is no public oversight, why do companies and IT Pros continue to trust closed source software? Not that no closed source vendor isn't good, but with open source we have "trust but verify" but with closed source we purely have "trust someone who is hiding something and won't let you verify." It's more than not being able to verify, it's that they are specifically stopping you from doing so.
-
I posted the link from ars in the other thread we had about Remix OS. How can you trust a company that's supposed to "secure" your network when they do things like hard code passwords in the system. Another reason for Ubiquiti.
-
And another great example, Cisco joins the ranks of "security" vendors that don't understand the most basic fundamentals of security. The problem with closed source software isn't just that it is closed but it encourages people to think that they might get away with things like this as well as companies that choose closed source for security are the same ones likely to make other basic security blunders.
http://www.mangolassi.it/topic/7578/cisco-vulnerabilities-announced
-
Holy Crap - are there any security vendors we can trust anymore?
I was reminded of this Fortinet fiasco (still potentially a huge problem since they didn't actually remove the password from the device, only disabled it's direct access on SSH).
Compared to Juniper's problem, I this one is way worse since they admit they were aware of this and they fully claim there was nothing malicious about it's being there (worded slightly differently - They know it was done on purpose, not by hackers who managed to insert some code.
Juniper on the other hand said they had no idea how the code was added to their systems.
-
No, you can't. Richard Stallman's been preaching that for years. If you don't have the source then your software is a black box and you don't really know what it's doing. You still have to evaluate the cost as to whether that's worth it given the cost of what you are trying to protect.
-
@Nic said:
No, you can't. Richard Stallman's been preaching that for years. If you don't have the source then your software is a black box and you don't really know what it's doing. You still have to evaluate the cost as to whether that's worth it given the cost of what you are trying to protect.
Definitely. I want to say though - worse than that these companies seem to be doing a horrible job! I suppose I can understand Juniper's plight - they appear to have been hacked, and the hacker did a good job of covering their tracks (or it was the NSA and they were paid off, but we're not going to assume that for now).
But Fortinet - this is just unforgivable. I can never recommend their stuff - not that I did before, but they are now on the lifetime ban list. For me this was even easier to ban than Lenovo - it was done on purpose.
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
-
@Dashrender said:
Holy Crap - are there any security vendors we can trust anymore?
Of course, open source ones. The very nature of a security vendor wanting to hide their code suggests that you cannot trust them. It means that they are living by security through obscurity one way or another. Why would they do that? Because the code is bad? Because they don't understand security? Because they are doing something devious? Can't think of a good reason why they would do it.
You need to start by considering what "trust" would mean. Doesn't it start with opening the source? Trust through transparency.
-
@Dashrender said:
But Fortinet - this is just unforgivable. I can never recommend their stuff - not that I did before, but they are now on the lifetime ban list. For me this was even easier to ban than Lenovo - it was done on purpose.
Lenovo was on purpose and FAR more infectious.
-
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
-
@Dashrender said:
Juniper on the other hand said they had no idea how the code was added to their systems.
But they set themselves up for that kind of risk by closing their source.
-
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
-
@johnhooks said:
He said "So far so good as we are running newer firmware."
Read: My boss doesn't realize what I've done and so far i'm not in trouble. Hopefully the customers continue to not find out.
-
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
http://mangolassi.it/topic/7560/would-you-say-it-to-your-ceo
This is an example of what I meant there. Would his reaction have been the same had he been saying it to the CEO and defending why a known crappy, undocumented, closed source vendor had intentionally put them at risk and compromised their security instead of to someone he could brush off? Would his thinking change if the CEO were the one questioning if "getting lucky" is an okay state to remain?
-
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
So far so good? WTF? Did he not read the part where the password is still in there, just not currently known how to access? Most likely a port knocking of some kind will open it back up. Sigh!
-
@Dashrender said:
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
So far so good? WTF? Did he not read the part where the password is still in there, just not currently known how to access? Most likely a port knocking of some kind will open it back up. Sigh!
That's the kind of stuff that I mean. Would he REALLY tell his boss "I know I put us at risk and it's a totally ridiculous risk and people are mocking me but we are taking our chances and so far we've gotten lucky so that's good, right?"
-
Geeze, maybe they should just give up.
-
At this point, everyone knows that Fortinet is insecure and actively not someone that can be trusted. Mistakes happen. Backdoors are not mistakes, they are malicious. Fortinet isn't your security vendor, they are the company you have to try to keep out. Fortinet knows, at this point, that anyone running Fortinet still doesn't care about security so there is no incentive for them to change. Fortinet's customers don't care and those that care aren't going to ever do business with the enemy that they are trying to protect against even if they stop that one form of exposure of their clients.
-
@Dashrender said:
@johnhooks said:
@scottalanmiller said:
@Dashrender said:
Wasn't there another security appliance a few years ago that also had a hard coded remote password installed in them to allow the vendor to offer remote support to customers? I think it was a consumer device.
Barracuda. I'd consider it consumer too, but lots of businesses confuse it with business class. Barracuda is in that "not good enough for home" category with other joke "security" crap gear like Fortinet and SonicWall.
I know someone who runs the IT department for a billing company that deals with an EMR company. I sent him the article about Fortinet (he told me a couple months back he was really excited to switch over to them instead of their current Cisco SMB stuff). He said "So far so good as we are running newer firmware."
Apparently if you use the word "Enterprise" on your website, people will use your products no matter what you do.
So far so good? WTF? Did he not read the part where the password is still in there, just not currently known how to access? Most likely a port knocking of some kind will open it back up. Sigh!
Looks like "so far, not so good" now.
-
@scottalanmiller said:
At this point, everyone knows that Fortinet is insecure and actively not someone that can be trusted. Mistakes happen. Backdoors are not mistakes, they are malicious.
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
-
@JaredBusch said:
Have you actually read the articles on this? It was never intended as a backdoor. It was code intentionally wrote to allow Fortinet stuff communicate to each other. It was not meant to be open to the public, that is of course a bug.
In what way was it meant to communicate to other Fortinet gear?