Leaving the key under the mat for the cops?

The recent discovery of ‘back door’ code and hard coded passwords in Juniper routers has come at a useful time. We don’t know where the code came from or how it got into Juniper’s supply chain, but none of the possibilities are particularly appetizing:

Insiders at Juniper, possibly posing an ongoing threat
Nation state actors, with either inside help or penetration of Juniper’s networks
Criminal actors, again with someone on the inside and/or access to Juniper’s network

All of this is happening as the debate about providing intelligence services with ‘back doors’ to allow them to defeat encryption in their efforts to prevent terrorism. To me, this incident is a great example of why this is a bad idea. Any back doors added to code will eventually be discovered by someone other than the person/organization that they were meant for, putting their capabilities at the service of repressive regimes, terrorists, criminals and other undesirables.

Now that the details of the Juniper issue are out in the world, I am hearing reports of many companies being scanned for vulnerable internet connected devices. Juniper users world-wide have to get their networking staff working on identifying vulnerable devices and testing and applying the patches to them. This process takes more time, effort and cost than the average non networking person would think. To top it all off, many shops are short staffed at this time of year. Whoever was responsible for this may have put a large number of totally innocent organizations at risk (as well as the private data of their customers).

Law enforcement and intelligence agencies have lots of more targeted tools that they could use to specifically target those with larceny or violence in their hearts. Be creative, guys! Work to compromise the endpoints of your targets – roll up your sleeves and infect them with malware, scoop data from their mobile devices and do some old fashioned HUMINT.

If it turns out that the perpetrators of this were non state actors, my level of concern would be even greater as this would mark a significant advance in cyber criminals’ capabilities.

In the end, while terrorists may use encrypted means to communicate, they also must leave trails in the real world – purchases and other suspicious activities come to mind.

To play devil’s advocate for a moment… Is my “you’ll have to pry crypto out of my cold, dead hands” stance so different from the loonies who think everyone from age 12 and up (including people on the no fly list and with mental issues) needs an AR-15 to protect them from the guvnment and ISIS terrorists lurking under their beds? It seems to me that strong crypto is different from AR-15s… It has legitimate uses that protect us all from damage from all sorts of entities (guvnment and criminal). Terrorists use all sorts of dual use tools (duct tape, timers, box cutters, etc) in furtherance of their muderous plots. We aren’t banning all of these items because the risk/reward ratio is pretty clear. I would not feel any safer if everyone were to be banned from buying, say, ball bearings (potential bomb shrapnel) or renting trucks (potential VBIEDs). If we really want to save lives, ban smoking, cars, high fat foods, sugar and about a zillion other things. But we aren’t doing away with these things which would save many more lives than taking away crypto’s secrecy ever could.

Compromising the privacy and safety of everyone on the Internet is not a proportional response to a threat from a relatively small population.

Leaving the key under the mat for the cops?

the $50,000 tweet?

Think before you post that angry tweet… a Chicago woman decided to post her displeasure with the alleged mold situation in her apartment to her Twitter account. Her landlord’s response was a lawsuit for “in excess of $50,000 in damages.”¬† It seems to me that this was an overreaction by the landlord – had they not filed suit, no one other than the poster’s followers would likely have heard about their (allegedly) fungally enhanced accomodations.¬† Now, the story has hit the twit and blog ospheres and (at least in my humble opinion), the landlord looks like a bit of a jerk.¬† Companies need to think about how to deal with threats to their brand on the Internets – and the first step in an effective response is triage.¬† Take a deep breath and think about what kind of damage is going to be done by a blog post, forum comment, or tweet and think about the consequences of taking action before getting the lawyers involved…

the $50,000 tweet?