Backdoor Account Found On Devices Used By White House, US Military

An anonymous reader writes: A hidden backdoor account was discovered embedded in the firmware of devices deployed at the White House and in various US Military strategic centers, more precisely in AMX conference room equipment. The first account was named Black Widow, and after security researchers reported its presence to AMX, the company's employees simply renamed it to Batman thinking nobody will notice. AMX did remove the backdoor after three months. In its firmware's official release notes, AMX claimed that the two accounts were only used for debugging, just like Fortinet claimed that its FortiOS SSH backdoor was used only internally by a management protocol.

Just What the Government Wants - Backdoors

[BoRegardless]

That way they can monitor EVERYTHING, everywhere, including subversives in the White House that might foil FBI, NSA & CIA operations.

Re: Just What the Government Wants - Backdoors

Who monitors the monitors? Do the backdoors have little backdoors in them? Is it backdoors all the way down? Backdoorception?

Re: Just What the Government Wants - Backdoors

[radiumsoup]

whoops, accidental downmod (meant to make 'funny') so posting reply to undo

Re: Just What the Government Wants - Backdoors

[Locke2005]

There have been many, many movies about backdoors... you've just been visiting the wrong DVD store!

Re: Just What the Government Wants - Backdoors

[DoofusOfDeath]

Is it backdoors all the way down?

No, it would be backdoors all the way back.

It's trapdoors all the way down.

Re: Just What the Government Wants - Backdoors

[tha_toadman]

+1 to you if I had the points.

Re:Just What the Government Wants - Backdoors

[nytes]

They're eating their own dog food.

I'd like to ask some of the presidential candidates what they think about backdoors now. There's another Republican debate coming up. This needs to be brought to the attention of the moderators along with any press that happens to be interviewing HRC and Sanders.

Re: Just What the Government Wants - Backdoors

[AndyKron]

Reminds me of user made Duke Nukem maps

Front door

[awkScooby]

Nothing to see here. This was a "front door," not a "back door."

Re:Front door

[ebvwfbw]

Nothing to see here. This was a "front door," not a "back door."

It's ok. We put a password on the account. We're not stupid, it's not Password. Ours is far more secure. It's qwerty. Just a bunch of random characters.

Joke is probably on me, watch someone use that as an excuse sometime.

Distinctions

[Bovius]

"AMX claimed that the two accounts were only used for debugging,"

No, you only use them for debugging.

Even if we choose to trust that you're not using these accounts for nefarious purposes (which we shouldn't), that's not the point. The point is that they exist at all, and just because you created them doesn't mean someone else cannot use them.

Re:Distinctions

Locking a couple of executives up for endangering national security might be the single best thing anyone could do to prevent this type of thing in the future.

Re:Distinctions

[jenningsthecat]

Locking a couple of executives up for endangering national security might be the single best thing anyone could do to prevent this type of thing in the future.

Mod parent up!

Re:Distinctions

Think about it for more than 2 seconds.

Re:Distinctions

[jones_supa]

Even if we choose to trust that you're not using these accounts for nefarious purposes (which we shouldn't), that's not the point. The point is that they exist at all, and just because you created them doesn't mean someone else cannot use them.

I was going to say the same. It possibly was not an intentional backdoor, but it can still be used as one. If it quacks like a duck and walks like a duck, it is a duck.

It is also quite facepalmy mistake. Some guy creates "Black Widow" and "Batman" accounts and this kind of stuff ends up to important government systems.

Re:Distinctions

No kidding! I was thinking the same thing in regards to the Flint Michigan disaster. This isn't a natural disaster by any means. Someone in the state government should be tossed in jail, for 30-life. 10 yrs isn't enough, they need 20-30 minimum just to contemplate the shit storm they have created and maybe, just maybe be humbled by their arrogance and total disregard for human life.

These are the very bad people in the world. They have hurt or killed many more people than the vast majority of POOR people who are locked up in jail.

Why is it this country rarely disciplines the really bad people? Sure you go on a killing spree you're going to jail, but if you're poor and commit some minor crime or if you're just the wrong color in the wrong neighborhood, or you're just uneducated and you spend an inordinate amount of time behind bars for "rehabilitation". When it's the top people at Goldman Sachs, the Governor of Michigan, and the execs at many other companies who have committed crimes against humanity and the world who are the truly bad, evil people.

Re:Distinctions

[MrTester]

Yeah, there is absolutely no value in pointing out our failures as a society. We should just accept life as it is and move on.
White men with power will make certain that women and minorities will never get the vote!

Drivel indeed.

Re:Distinctions

[JackieBrown]

You must work for a pretty small company if you are used to executives being involved in programing. Heck, most probably have no idea what a backdoor account is.

Re:Distinctions

[Ungrounded+Lightning]

I was thinking the same thing in regards to the Flint Michigan disaster. This isn't a natural disaster by any means. Someone in the state government should be tossed in jail, for 30-life.

(Speaking of "distinctions"...)

Why should somebody in the STATE govenment be locked up? Isn't the Flint debacle solely the result of actions by, and solely the responsibility of the, CITY government?

(Honest question here. I haven't been following it, and am curious as to why a city water screwup is being reported as the fault of a different level of government. Did the higher levels really have some responsibility? Is it just faulty reporting? Is it maybe the media cooperating with those actually responsible to blame it on their political opponents?)

Re:Distinctions

[Locke2005]

Sounds like treason to me... that's usually good for some really long jail time!

Re:Distinctions

[Locke2005]

Lying about a known danger for a rear is clearly a case of reckless endangerment, not sure if this should be a civil or criminal matter, but the mayor of Flint should definitely be spending a LOT of time in a court!

Re:Distinctions

[Locke2005]

Why does this country rarely discipline the really bad people? Watch _The Big Short_ and get back to me about that one...

Re:Distinctions

[Locke2005]

They have emails proving the mayor know about problems with the water a year ago, yet continued to insist that it was safe. That's criminal indifference in my book.

Re:Distinctions

[Bob+the+Super+Hamste]

They have emails proving the mayor know about problems with the water a year ago, yet continued to insist that it was safe.

Still sounds like CITY, not a STATE, problem so people at the CITY level should be prosecuted, not people at the STATE level.

Re:Distinctions

[sumdumass]

Probably because it is easier to find an actual violation of the law with poor people. For instance, what law was violated in flint Michigan? What law would have been violated in the backdoor thing? I understand the premise of the issues but under what law could they be prosecuted?

We don't want to start creating laws after the fact and trying to prosecute under them. Despite it being unconstitutional, it would surely come back to bite you and me or any one else they have issues with.

Re:Distinctions

[UnderCoverPenguin]

I have friends in MI - and, I actually read the news.

If you were paying attention, you would know that (a) Flint, MI is, and has been for several years, under the control of a series of emergency managers appointed by the current governor (now in his 6th year in office) of MI. And (b) the current and previous mayors of Flint attempted to raise the issue with those emergency managers and the state government, to no avail. Those mayors (and the city counsel) had no voice in the decisions that lead to the problem and were in fact among the people being lied to by the emergency managers and the state government.

The emails you mention are to/from the emergency managers and the state government. The participation by the mayors was to raise the problem and ask for help.

Re:Distinctions

[DarkOx]

Why should somebody in the STATE govenment be locked up?

Because the liberal biased media, Obama, and the Clinton campaign want to blame those nasty Republicans in the state house for poisoning Flint's poor black population. That is pretty much the reason. Yes the water pipe corrosion happened because the emergency manager a state official made decisions to use a chemically different water source, to save money. That person did this without understanding the potential consequences.

Quite honestly this is clear argument for the IMPORTANCE of HOME RULE, when you let some big far away central government make decisions about local matters these are types of results you get, no matter what party that far away official belongs too. So really we are left with the question of why did Flint not have home rule on the matter, and the reason for that is because the left leaning local politicians had screwed things up so bad their fellow state citizens were stuck bailing them out! Essentially the people of Flint and their elected officials would have been unable to keep the lights on or the water running left to their own devices due to years of mismanagement. If not for the state government a little lead in the water would be the least of their problems. So I don't feel especially sorry for them. This is ultimately a disaster of their own make.

Re:Distinctions

[NoImNotNineVolt]

A few blog posts about how that isn't how things "should" work will change nothing. Wealth is power, and power includes the power to separate one's self from the consequences of one's actions. This is a non-negotiable fact of how humans do things, and will remain so into the foreseeable future.

Bernie 2016

Re:Distinctions

[HiThere]

Not the mayor, the manager...who was appointed by the state governor, and ignored all warnings that this was endangering people.

I believe that there is sufficient evidence that both the appointed manager and the state governor should be put in prison from wanton endangerment and inentional poisoning. I'm not quite sure what the legal terms for that are, since you probably couldn't prove any intent to harm, just a decision to do the not care about the harm.

Re:Distinctions

[HiThere]

You can't show malice, but you can show indifference. And I believe it's a crime to intentionally poison people even if it doesn't kill them. (Of course, I could be wrong.)

I'd say wanton endangerment is certainly applicable, and I'm not sure that assault wouldn't apply. But possibly 100,000 (or whatever the number is) of cases of wanton endangerment with the sentences applied consecutively would suffice.

Re:Distinctions

[HiThere]

Sorry, treason is rather specifically defined by the Constitution, and this doesn't fit the definition. I'm sure there are lots of other things that could fit it rather easily, though.

Re:Distinctions

[KGIII]

I am worth a very, very nice median 9 digit number - or close enough, counting assets what would be difficult to liquidate. I've not only spent a weekend in jail, I've paid my pot taxes (fines) more times than I can count.

However, I own a whole stable full of automobiles. I never, ever get stopped (no matter how fast I'm going) in some of those cars. That could be preferential treatment or it could be that I live in an area with a beautiful highway that sees almost no traffic but is kept in good repair for the logging trucks. (I've also rally raced, raced on a track - dirt and asphalt, and spent more time in various driving schools than some lots of people have spent in college.)

Hell., I want and took professional lessons, hired a coach on top of that, and spent the next week driving rented exotics around Nuburgring but I'm pretty sure the cops don't know this. Yet, I've blown by cops where the speedometer was pegged at 140 and been let off with a warning.

No, I'm not white. I don't think I can even pass as white - though I do have some in me. This would be a great Grandpa Story but I am sick. Damned pneumonia.

Re:Distinctions

[dsmatthews9379]

It is a typo, Juan their marketing rep. meant to type de bugging.

Re:Distinctions

[sumdumass]

No one was intentionally poisoned though. The water was/is completely safe to drink at the time of processing. The poison came from the aging water distribution system that didn't handle the different ph levels well.

Wanton means deliberate. No one deliberately set out to endanger anyone or participated in any action without regard to human life or health. Again, the water is perfectly acceptable at the point of treatment. It after it runs the pipes where that changed.

You also need a point of law that allows consecutive sentences. Otherwise they run concurrent and you would run into constitutional problems if it was all the sudden changed. And that is if there isn't any exceptions to enforcement for public officials (government ) in the course of their duties.

Re:Distinctions

[amiga3D]

Funny how the elected representatives of the city's citizens have no real power. I've never been a fan of city managers unless the mayor has the power to fire them.

Re:Distinctions

[UnderCoverPenguin]

In this case, it's emergency managers that were appointed under a law that was repealed by a voter referendum, then re-enacted by attaching it as an addendum to a "must pass" appropriations bill (which also makes it immune to referendum). Basically, the governor and treasurer, acting together, took Flint's elected officials power away.

Re:Distinctions

[rtb61]

The better question is, well, if they were only used for debugging and you obviously were fully aware of their purpose and functionality, 'er', why the fuck were they not removed from production units. Why the hell would you need a debugging account in something you were never ever going to debug? The only sane logical answer, it was left in on purpose just because power trip by the morons at the top and billions to be made on insider trading. Hacks on top of hacks on top of hacks, insider trading feeding by far the majority of it.

Re:Distinctions

[bloodhawk]

The only thing the government is interested in preventing is the backdoors being so blatantly obvious and not in their hands.

Re:Distinctions

[amiga3D]

I think if I was a citizen of Michigan I'd be pretty pissed. It appears to me someone or several someones should be going to jail. It appears that the people of Flint were knowingly poisoned. If true that is so horrible that to fail to imprison those responsible would be a travesty.

Re:Distinctions

[raind]

Oh there's plenty of pissed off people in Michigan, I am pretty sure it's why Gov. Snyder (who sounds like Kermit the Frog) rarely shows up in Detroit much less Flint environs. For some decidedly real news views I would peruse:

http://motorcitymuckraker.com/

If I were Rick I would be a little paranoid that someone might you know - just blow him away.

In fact I am even more pissed that NO ONE will go to jail but they still collect when they pass go. Of course this goes for Wall Street, the Banksters, Cheney/Bush and yes Barack too.

Re:Distinctions

[currently_awake]

Having armed FBI agents backed up by a platoon of special forces visit the main office and interrogate the senior management would discourage repetition.

Re:Distinctions

[HiThere]

Sorry, but though the water was acceptable at the place of treatment, the manager had been informed that it would result in poisonous levels of lead leaching into the water before it reached the users.

IIUC, it is always a judicial decision as to whether sentences should run consecutively or concurrently. I know that there have been cases in the past where different judges have decided differently, though I admit not knowing on what grounds.

Re:Distinctions

[sumdumass]

Well, I just checked and near as I can tell, the state knew about children under 16 having elevated lead but not in the water. The state continued to deny it was a crisis for a few weeks later until some pediatrician made a claim directly about the water. The EPA had someone bring a notice about lead levels up internally but didn't act right away.

If you have evidence otherwise, please post it.

One might hope this illustrates danger of backdoor

[DutchUncle]

.... but somehow I doubt that the anti-encryption crowd will get the point. Instead they'll point out how they, as government, are a different category.

Renamed it to Batman

[Jason+Levine]

Everyone knows that you should always be yourself. Unless you can be Batman, then be Batman.

*backdoor account access granted, Batman*

Documentation of the presidency will be available?

[Bruce66423]

Let's hope that someone has been recording the output for posterity; to hear the real story of a presidency for the first time since Nixon would be great...

Governent and backdoors

I thought the government *wants* back doors in everything.

I'm confused now... Why would they have them removed?

Re:Governent and backdoors

[phishybongwaters]

Silly pleb, the government wants backdoors into YOUR stuff, not theirs.

Why didn't they order more?

[Voltas]

It was my understanding that the US Government was in favor of putting security back-doors in everything? Are they just mad cuz it wasn't their backdoor?

Buried by lawsuits

[timrod]

Hopefully, AMX will be buried by thousands of incoming lawsuits for this childish behavior. The article never mentions what this backdoor would actually let someone with access to it do, but I'm assuming that the possibility existed for someone to use that backdoor to obtain classified or proprietary information. That they tried to hide the backdoor once it was discovered rather than immediately patching it out is just another piece of evidence usable by anyone wishing to sue them. I can foresee a large-scale data audit in AMX's near future as any business owning their software tries to determine whether any of their information was taken, on purpose or inadvertently.

Re:Buried by lawsuits

[ArchieBunker]

The NSA probably "persuaded" them to install it. The NSA spied on congress and nothing happened. Nobody was fired or went to jail. Spying on the whitehouse isn't that far a stretch.

Re: Buried by lawsuits

[slazzy]

They'll probably be given government grants to try and do better next time.

Re:Buried by lawsuits

[rahvin112]

The NSA spies on everyone. They operate pretty much independently of the executive and legislative branches. Their leaders though technically serve the president they are often independent in the sense that the occupant tends to survive presidential replacement and their leadership comes from the military. For some reason the political leadership tends to view them as an extension of the military and thus "above politics".

The fact that neither the legislature or president are bothered by the NSA spying on them all should scare the bejesus out of everyone.

Re:If they don't have anything to hide...

Nope, think of it like a Kwikset Smartkey deadbolt where you twist the faceplate, exposing a second lock cylinder.

This isn't a "debugging" tool.

I have personally seen "debug" access done properly:

1: The debug account is only accessible from a certain IP range.
2: The debug account is set to be inaccessible after a certain time.
3: The debug account uses a long passphrase.
4: The appliance website has an obvious note that the code is not for prime-time.
5: The debug account drops an entry into a log bucket.
6: When switching to a release build, the #ifdef macros ensure those accounts are never in the actual production software.

Basic common sense here. Any company can grok this, as it isn't any more complex than installing HID card readers on the office doors.

There's a simple solution

[Brett+Buck]

Don't hook up critical resources where sensitive information is discussed to the internet! Or the phone, or any other network with clear-text external connections.

Re:There's a simple solution

[Frosty+Piss]

SIPRNET is on the Intertubes, not a separate set of tubes...

Re:There's a simple solution

[AHuxley]

The pretty colors and glow displayed to the leaders are worth billions in funding.
Why did this happen?
Look at the sales teams, sorry "advisory boards" that sell and watch over what the US needs, to use or buy or offer a no bid contract for decades of networks.
The very few with any real counterintelligence, counterespionage or force protection analysis just seem to want to buy into the same systems they always used from the same teams they knew people in gov can to buy into... surrounded by many people who never worked near or with signals intelligence.
They may have been cleared to see the product of years of signals intelligence offered down to their former bosses but been able to secure anything was never their role...
Been cleared to sell something to the gov is the only needed ability.

Re:If they don't have anything to hide...

[FatdogHaiku]

Don't think of it as a back door. Think of it as a front door with really big locks.

I'd rather it had great knockers:
https://www.youtube.com/watch?v=XTw1lzxTAis

Better Names

[will_die]

You go from Marvel to DC and expect that to save you?
Should of gone something better maybe FatFreddy, CheechWizard or BettyVeronica.

Re:Better Names

[phishybongwaters]

My money is on "totallynotabackdoor"

Error, summary!= article

[clovis]

Did the submitter even read the article?
The new account was not named "Batman". It was named "1MB@tMaN".

dot

[Ryanrule]

The government should really make this stuff in house.

Re:dot

[amxcoder]

Good luck with that. These systems are a platform for a very niche industry. They are programmed by very niche programmers in this industry. As a programmer of AMX and Crestron and Extron, it's a small market even when you include the fact that these are used in schools, corporate campuses, and governement. If the government engineered their own, and make their own platform, they would still need to have a big enough market to attract programmers to learn and implement these things.

Re:One might hope this illustrates danger of backd

[gstoddart]

No, because the people advocating for backdoors still magically think only they can use the backdoors, and don't understand the reality that a backdoor is open to anybody who knows about it.

Don't ever expect those people to understand how their wishes diverge from reality.

Bin Laden Raid

In the photos from a conference room during the Bin Laden raid, you can clearly see some AMX equipment on the table. Scary to think that a backdoor was present in their conferencing system when a sensitive operation was taking place.

Someone with backdoor access could have seriously fucked up the whole operation.

Re:Bin Laden Raid

[amxcoder]

The most someone would have been able to do is "maybe" hang up a call or something. While this might have been an inconvenience, it's not like the people on the ground need the white house watching them to complete their mission. The higher ups that were watching live might have been upset only because they got disconnected on their ring-side seat to their "reality tv show".

Dog door in the back door. Seriously MD5 backdoor

[raymorris]

> Do the backdoors have little backdoors in them?

A little door inside that back door? I suppose that would be a dog door.

But seriously, yes they do and that's the big concern. I've seen backdoors where the password was protected by unsalted MD5 hashing, which may have been reasonably secure when the code was written in 1996. Now, that can be cracked in less than 10 seconds, so I can access those backdoors. You could say the bad guys do indeed have a back door into the backdoor.

New method of preserving secrecy needed....

[Sqreater]

We could call it, perhaps, "The Cone of Silence."

Re:New method of preserving secrecy needed....

We could call it, perhaps, "The Cone of Silence."

What?

Re:New method of preserving secrecy needed....

[AHuxley]

A contractor could rediscover selling the US gov on handing out a limited number of one page executive summary papers and a build a walk in vault.
Patent the ability to type page one of one for each person attending. Ensure only one copy is handed out to each person and then collected at the end of the meeting.
Thats going to be one very expensive typewriter. Think of the contract for a new linotype machine :)

Delicious, delicious irony

[naasking]

Enough said. Though I doubt this will convince anyone in politics that encryption backdoors are a bad idea, period.

Not Normally Connected

[Jack+Kolesar]

I'm an AMX programmer (and Crestron as well). I can tell you that A LOT of the time the A/V LAN is a completely separate system that isn't physically connected to the house network. But that is no excuse for leaving a backdoor. Of the two major competitors in commercial control (AMX and Crestron), AMX is usually considered the most secure. They put a high focus on security so that they can land these government jobs. Just to give you some background, Crestron controllers currently run embedded Windows and previously ran VxWorks. AMX controllers previously ran VxWorks and now run Embedded Linux. The AMX controllers have many levels of security including a DoD mode which shuts down most of the services (FTP, web, telnet and leaves SSH). Their proprietary communication between the panel and the controller (carried over port 1319 and registered) is also encrypted in secure mode (this generally carries button presses, text updates, levels, etc.). Sounds to me like the engineers didn't want to give up the backdoor account for service issues once it was discovered and likely didn't realize what a big mistake it was by the time it got passed down. I've met most of the people at AMX and they are very good guys and gals. It's an engineering driven company (not marketing driven). The Harman acquisition may change that to some extent but they are true geeks who I am sure realize they messed up. It's a small company (aside from the Harman parent) in a niche market. They will learn from this and move on.

Re:Not Normally Connected

[PPH]

isn't physically connected to the house network.

Stuxnet. Iranian centrifuges.

Re:Not Normally Connected

[Jack+Kolesar]

Well, it doesn't make me happy. But I don't know why a customer wouldn't trust ME. I've now got to make sure that if we have these systems are connected to the network at installed facilities that they get a firmware update. That's part of service. With the initial release of the NX series processors, they discovered a 50 day lockup bug. That was corrected in firmware as well. We had to update those processors affected. That's just part of service. When your vehicle has a recall do you send it to the heap and never go back to the same dealer? Do you turn off updates on your computer and just switch operating systems when a security flaw is found? You've asked an ignorant question AC.

Re:Not Normally Connected

[mtmra70]

I'm an AMX programmer (and Crestron as well). I can tell you that A LOT of the time the A/V LAN is a completely separate system that isn't physically connected to the house network.

Maybe in government, somewhat in education (by VLAN only), pretty much never in corporate.

Re:Not Normally Connected

[Jack+Kolesar]

OK. I'll give that to you. It's a valid point. You certainly see much more use of Fusion and RMS (Managment Tools) in the Corporate environment. Again, I wasn't trying to defend the action as much as defend the company. I do like their products and the team. It's a security hole. I should have chosen a better title for my post.

Re:Not Normally Connected

[amxcoder]

I'm am also an AMX programmer (see my username), and I program Crestron as well (main competitor). While this is all new news to me as well, I can concur with the OP on several topics.

Firstly: AMX doesn't make hardware dedicated to government use. It's used in in lots of places, schools, homes, businesses, churches, government facilities and the like. The headline makes it sound like it's a defense contractor that did this. No excuse here, though, as a backdoor on anyones network is not good, but it's not good.

Secondly: AMX has taken strides for over the last 10 years to implement this small industries best security in the class of hardware they make. They ARE an engineering driven company, and I would be shocked if this was implemented for nefarious purposes over being a mistake.

Thirdly: I can also attest to the OP's comment, that the majority of these devices are being installed on air-gapped isolated networks that only connect to the AV gear located in a particular room. When they are attached to a larger network, or clients network, they are usually isolated on a seperate VLan dedicated to the AV gear and other controllers in other rooms/systems.

Forthly: This isn't a typical network appliance that many of you might be familiar with. It is an embedded controller, it doesn't access other computers or servers, it doesn't have hard drives, or the capabilities of a general purpose computer/server. It runs custom written code that communicates to A/V gear (projectors, monitors, audio DSP's, and video conference units, etc) to control them for the user from a custom GUI touch panel. They don't have access to data stores, or have sensitive information passing through them for any purposes. The most sensitive information that it might have that I can think of off the top of my head might be a phonebook list from a video conference device (names/contacts).

These units normally do not have internet access, so to access this backdoor, you would usually already have to have local network access anyway. While I'm not positive what this backdoor could allow a person to do, the most common/likely thing that could be done might be to wipe the existing programming or insert some extra commands to devices, which might play havoc with a system (turning it off in the middle of use, or turning it on by itself, or making it inoperable). I just don't see how it would allow actual real nefarious actions like accessing sensitive information or stealing secrets.

Because the other AV devices that these controllers interact with are only for control (many use simple RS232 serial) some telnet or other, there is really no danger, or possibility of using these backdoors to say, capture or evesdrop audio from the room, or spy on a video conferencing session, or "see" what is being displayed on a projector or monitor. The protocols of these devices are for control only, and do not actually transport this type of data on these connections. For instance, an AMX controlling a cisco VTC codec would be able to make calls, hang up calls, move cameras and other actions similar to the manufacturers control interface, but not actually "see" or "hear" the content of the video conferencing session. That's just not how it works, or what it's able to do.

I give AMX the benefit of the doubt on this one, while it was a mistake, and got magnified because of their installation in sensitive areas, the AMX team is good set of engineers. Thier aquisition by Harman might have changed things a little, but I still don't think this the security hole that most here are picturing. It's not like these things have access to data streams of an entire network passing through them like the Juniper switches we read about a few weeks ago that have backdoors.

We'll lose our lucrative government contract!

[kheldan]

I'll bet it went something like this:

Oh shit, someone managed to infiltrate us and install covert backdoor accounts in our products? What'll we do, the Government and Military will have a shit fit over this, we'll get all our contracts cancelled! We'll be ruined!

Calm down Fred, I've got it handled: We'll just tell them "Oh, those are just for our internal debugging, LOL, nothing to worry about!

..Yeah, you're right, Steve, no need to spook them, not like they're smart enough to know better, right? Guess my Porche payment will be on time this month after all!

Re:We'll lose our lucrative government contract!

[PPH]

Calm down Zhang, I've got it handled: We'll just tell them "Oh, those are just for our internal debugging, LOL, nothing to worry about!

FTFY

Re:We'll lose our lucrative government contract!

[Locke2005]

Can't you think of a funnier Chinese name than "Zhang"? I kinda like "Pu Ping" myself...

Back Door Man

[sammy_cda]

"Wha, yeah!, c'mon, yeah, yeah, c'mon, yeah I'm a back door man, I'm a back door man The men don't know, but the little girl understand"

Right...

[Locke2005]

As a software engineer, you have debug builds and production builds, and as a general rule you don't ship builds to customers with the debug features enabled... unless you're beta testing. The White House probably wouldn't be my first choice for a beta test site!

Re:So?

[Locke2005]

Reciprocal transparency, that's all I ask for!

Re:One might hope this illustrates danger of backd

[Locke2005]

Actually, Eisenhower got us into Vietnam, although Kennedy and Johnson escalated it. Nixon does wrongly take most of the flack for Vietnam, although he _eventually_ ended the war, but not before tens of thousands more died.

Re:One might hope this illustrates danger of backd

[roman_mir]

All animals are equal but some are more equal than others.

Simple solution

[Locke2005]

Arrest the corporate officers in charge of AMX for treason and put them in jail for 20 years. Then watch how quickly the rules for shipping software with "debug features" enabled change...

Re:Simple solution

[currently_awake]

Or you could ban them from government contracts for 5 years. Money talks with this crowd.

Re:If they don't have anything to hide...

[aaarrrgggh]

Personally I prefer a special recessed button to be pressed to go into debug mode, and for the display to indicate debug mode is active. Needs to be fully transparent... But how can you trust that it is?

Makes what Hillary did even more of a problem

I think no matter what political side your on. We should be appalled at Hillary Clinton's unprofessional use of a home server for her email. Now that we know some of that was highly classified material, it becomes a national security problem that is worse by far than what General Petraeus did. Maybe some are so relating to her as poor old grandma who did not know better, or some incredible addition to her that you would overlook her being a murderer if you had too. But this is a national security mess and it happens because of the idiots straight down from the top who are totally incompetent about security. The politicians probably will never admit it, but we have probably lost a lot of sensitive information and they are trying their best not to let the people know it. Hillary, absolutely does not have a clue, and should have never been Secretary of State and should not be president of a PTA let alone President of the USA. Hillary, go home and be a grandma and save us all a lot of grief.

The government CAN'T complain.

[sehlat]

Under the "Do unto others as you would have them do unto you." rule. The government does it, so....

Why they called it "Batman"....

[jtara]

Nah nah nah nah nah nah nah nah,
nah nah nah nah nah nah nah nah!

That's why. They're basically flipping them the bird.

BAT-MAN!

Re:Hillary Clinton

[KGIII]

That's 'cause Bill's a Back Door Man.

Re:One might hope this illustrates danger of backd

[KGIII]

If I recall correctly, you come from a ex-Soviet Bloc country. Was that book available, read in school, digested, or?

No excuse for leaving a backdoor?

[tetraverse]

Jack Kolesar: "I'm an AMX programmer (and Crestron as well). I can tell you that A LOT of the time the A/V LAN is a completely separate system that isn't physically connected to the house network. But that is no excuse for leaving a backdoor. ref

They didn't just leave a backdoor, they wilfully inserted one under instruction of the US spying apparatus. I do know that people are going to be very reluctant to use the product in the future.

Re:No excuse for leaving a backdoor?

[amxcoder]

If they were "made" to put one in by , then that means that Crestron would have them too. Crestron has higher market share in all the same places AMX does as they are competitors.

Re:One might hope this illustrates danger of backd

[roman_mir]

Not before 1991. Worse than that, books censored just like everything else, many books and other materials were simply illegal to own.

Way older than most people think

[stikves]

These kind of backdoors have been around for a very long time. Remember "AWARD_SW", or "AMIBIOS"? Those passwords have opened so many BIOSes back in the day. It was helpful, until everybody started circulating lists. The manufacturers changed default passwords, but took a while for them to give up on those passwords entirely.

They help "lazy" operators and sysadmins, but they also help hackers as well.

Re:One might hope this illustrates danger of backd

[KGIII]

Thank you for sharing. I have one further question, if you don't mind. What might the penalty be, say for someone who's traditionally a bit of a trouble maker but not a violent criminal nor trying to overthrow the country, to own a copy of The Animal Farm? Maybe a couple of questions - what might the penalty have been for distributing that work? Perhaps on a larger scale?

Sorry for my naive questions but I'm truly curious and I appreciate your knowledge, candor, and general ability to fill in details that one may have forgotten to ask. If, perhaps, you do not wish to be open about this then email is available. The email listed with this account is valid and checked on a regular bases. The concept of a book being prohibited isn't so foreign that I can't understand it but it is foreign enough that there are aspects that make me curious.

One example would be, would the book have been available (without being too specific, in order to protect yourself - if required) to those who wanted to read it bad enough? Were there clandestine printing presses? Black market shops? Underground lending libraries?

I know that some old Soviet Bloc countries had people who would literally fashion the computers out of not just parts but often out of handmade parts. I think that, at least by itself, is awesome.

Again, thank you for sharing. Your insight is valued and I truly appreciate any effort you make at helping me understand better. In my country, the United States of America or Canada (I'm a citizen of both countries) there are classified documents but if, for some reason, they ended up leaked then we'd certainly be free to publish them, read them, loan them, sell them, gift them, and do things like mark them up for context and greater understanding. Seriously, thanks for explaining. I, for one, truly appreciate it.

Re:One might hope this illustrates danger of backd

[dryeo]

It was part of the curriculum back in the mid-70's here. (BC)

I'm confused as to why they want them removed?

[wardrich86]

Why does the US Government want these backdoors removed? I thought they loved backdoors and wanted them installed on EVERYTHING? I mean, only good guys can use the backdoors, right? So what's the big deal?

this post has been brought to you by Sarcasm

Re:you're actually right.

[amxcoder]

This is correct, I would venture that 90% of the systems I program for and have seen installed, have a local switch in the rack that interconnects the touch panels, processor, and a few other dedicated AV devices for the system. Their is nothing touching the clients network in these cases.