Can You Trust Closed Source Software?
@JaredBusch said:
@scottalanmiller said:
Maybe I am misreading the dictionary, so correct me there, but it seems like malice is very clear here. Malice does not mean with evil intent, only that it wasn't right to do and they willfully did it.
They intentionally coded in a method of access for their software. They never intentionally coded a wide open backdoor.
So two things that I'm not clear on:
- Are you disputing the definition of backdoor? "A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc." - Wikipedia
- It is your opinion that they never intentionally coded it that way; they stated otherwise in their interview.
While Fortinet never states, that I have seen, that it IS a backdoor, they also never dispute it. But they describe it in a way that matches the definition of backdoor. So all outlets seem to agree that it is a backdoor, the description matches the definition and Fortinet never states otherwise, that I have seen. While you can make the argument that nothing can ever be "proven" to be an intentional backdoor, I feel like we are far outside the point of reason here to do so.
Are any of these things not true:
- A backdoor exists or existed (unauthorized access was granted through a secret password that the customer did not know about).
- The backdoor was typed in, hardcoded, by a Fortinet programmer.
- The intent of the hardcoded password was to provide a wide open access channel for Fortinet to use (whether by people or by code) for access to systems that it otherwise would not have access to (using a customer-provided password, for example).
Am I wrong in believing that those are the basic facts that everyone agrees on?
The part that no one can prove and will always be opinion on any side is this part of Fortinet's quote: "...this is not a case of a malicious backdoor implemented to grant unauthorized user access"
As far as I know, all opinion revolves around this portion - not if the backdoor was intentional, not if it is a backdoor, Fortinet never questions those, only whether it was for unauthorized user access. They don't clarify by whom it would have been authorized (customer, Fortinet, government, etc.), or what user access means, but all of their defence of it is couched in those words. They don't even question the malicious part. They might not agree that it is, but no statement that we have seen from them actually says it. They seem careful to not actually state that it was not malicious or that it wasn't a backdoor.
That they only intended for "authorized user access" is what they claim, after getting caught. You can agree or disagree with them or weigh how likely it is for someone caught in the cookie jar to tell the truth or even know the truth, but it appears, to me, that this is the only portion of the discussion where there is question. And I don't believe that I ever implied who Fortinet intended to give backdoor access to or when.