funsec mailing list archives

The NSA's back door has given every US secret to our enemies


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 29 Feb 2016 08:01:58 -0500

http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2

Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.

Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta-software development programs ever undertaken.

And what is meta-software? It's the one science that the entire
Western World has entirely overlooked. It is a high level set of
principles for developing software that are imperative if a nation is
to survive in a cyberwar.

For example, programmers must constantly be audited. Every line of
code written by every programmer is audited by two senior programmers,
and these auditors are rotated each month and the same two are never
paired more than once. You will see very clearly, later in this
article, why such a principle is vital to a society’s survival.

Another principle is that back doors into software can never, under
any circumstances, be allowed. Under Deng Xiaoping, the penalty for
back doors, and for violating any of the meta-software principles,
was death.

I will give an example of what happens in the real world when back
doors are put into software. On December 17th of last year, Juniper
Networks - a major provider of secure network systems, whose customers
include nearly every US government agency - announced that it had
discovered two “unauthorized” back doors in its systems.

For those of my readers who do not understand how back doors are
created - they can only be created by the manufacturers of the
software. There is, absolutely, no other way.

So, the company had to have a rogue employee in the software
development department. This much is clear.

It will also be clear, if you continue reading, who placed the rogue
employee within Juniper Networks and why.

First, a little background: Juniper Networks has operations in more
than 100 countries. Around 50% of its revenue is from the United
States, 30% are from EMEA and 20% are from Asia. Over half of
Juniper’s customers are in parts of the world in which the NSA has
extreme interest.

Now, a legitimate TOP-SECRET document, released by Anonymous and dated
February 2011, reveals that the British spy agency GCHQ, with the
knowledge and apparent cooperation of the NSA, acquired the capability
to covertly exploit security vulnerabilities in 13 different models of
firewalls made by Juniper Networks.

I hope we all understand now what “acquired the capability” means. The
NSA planted a programmer within Juniper Networks. There was no other way
to “acquire” this capability.

Nothing new in this. Black hat hackers have been planting themselves
in target agencies for years. It was just such a plant that brought
down Ashley Madison last year. So it's no surprise that the NSA uses
this technique as well.

Of interest here is that Juniper announced that two back doors
were discovered in its system. One of the back doors was code
verifiably written by the NSA prior to 2011.

Wired magazine wrote: "But what makes the Juniper backdoor even more
interesting and notable is the fact that it appears to be based on
another backdoor the NSA allegedly created years ago in the Dual_EC
algorithm for its own secret use."

So, in 2011 the NSA surreptitiously got their back door into a powerful
piece of security software used by many enemies of the US. They could
now monitor these enemies easily.

The Internet underground knew of these back doors within weeks of
their release, and so did the Chinese, and so did the Russians. And so
did every hacker on the planet. Monitoring changes within major
software systems is the simplest of all things. Every hacker toolkit
contains a compare program that will outline all changes made to a
piece of software by the manufacturer. Disassembly tools tell the
hacker what each change does.

So, while the NSA was monitoring our perceived Middle Eastern enemies,
the Chinese and Russians, and god knows who else, were making off with
every important secret in the US, courtesy of the NSA’s back door. The
NSA failed to notice that 50% of Juniper Networks users were American,
and the majority of those were within the US Government.

Last year alone, the Defense Department was hacked. Using the NSA’s
back door the Chinese walked off with 5.6 million fingerprints of
critical personnel. The same back door was used to hack the Treasury
Department on May 27th of last year in which millions of tax returns
were stolen. And again, our most devastating hack as a nation was the
Office of Personnel Management hack, in which 22 million sensitive
files were stolen. The Chinese gained access through the Defense
Department’s Juniper Systems and then using inter-operability with the
Personnel Office, took what they wanted. Again, courtesy of the NSA’s
back door.

Whatever gains the NSA has made through the use of their back door, it
cannot possibly counterbalance the harm done to our nation by everyone
else’s use of that same back door.

Now, consider this: if Juniper Networks had the foresight to follow
the same procedures that the Chinese have been using for 35 years,
none of this could have happened. The programmer planted within
Juniper by the NSA would have been audited by two senior coders. They
each would have read the code and immediately recognized the back
door. Management would be notified and the employee charged with a
felony, where he would undoubtedly have snitched on the NSA. The NSA
could not possibly have engaged the assistance of the auditors because
they would be randomly rotated.

Clever, these Chinese

The moral is this: we are, at the very least, 20 years behind the
Chinese, and by association with the Chinese and by copying them, the
Russians as well.

We have to get our act together, and soon. We can no longer act like
children in a playground playing with real guns. We have to grow up.
Our technology has outgrown us, because we have failed to grasp its
subtle implications.
