John McAfee: NSA's Back Door Has Given Every US Secret To Enemies (businessinsider.com)
John McAfee, American computer programmer and contributing editor of Business Insider, explains how the NSA's back door has given every U.S. secret to its enemies. He begins by mentioning the importance of software, specifically meta-software, which contains a high-level set of principles designed to help a nation survive in a cyberwar. Such software must not contain any back doors under any circumstances, otherwise it can and may very likely allow perceived enemies of the U.S. to have access to top-secret information. For example, the Chinese used the NSA's back door to hack the Defense Department last year and steal 5.6 million fingerprints of critical personnel. "Whatever gains the NSA has made through the use of their back door, it cannot possibly counterbalance the harm done to our nation by everyone else's use of that same back door." McAfee believes the U.S. has failed to grasp the subtle implications of technology and, as a result, is 20 years behind the Chinese, and by association, the Russians as well.
You are mad. Perhaps even more crazy is the fact that you speak the truth.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
with a red crayon.
Isn't this the guy wanted in connection with the mysterious disappearance of a former neighbor? I'm not sure I'd take anything at face value from Mr. Stability.
If he's talking about the Chinese, they don't need an NSA back door to hack systems in the U.S., they've been porking government and contractor systems for years. The Chinese have the designs for every nuclear weapon in our arsenal and the personnel records of hundreds of thousands of government workers, including their security clearance applications. What would they get from an NSA back door that they don't already have?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I thought he sided with the FBI against Apple. He thinks Apple should include a backdoor in their phones for the FBI...and now he's pointing out how dangerous backdoors are....
No, he didn't side with anyone. He offered to decrypt the phone. That's not what the FBI wants. The FBI wants Apple to produce vulnerable code. John didn't offer to produce vulnerable code. By making his offer, McAfee was illustrating that the FBI isn't after the decrypted data.
"Oh no... he found the
He did no such thing. That article you wrongfully remember was him blasting the US government and comparing them to the Nazis.
In the 70s there were secure operating systems like Multics. Then the only things allowed for US export were the ones that failed to be secure. That's how we got DOS then Windows. Now everything needs to be rewritten from scratch by people without commercial pressure for there to be any chance. Think about the navy ending up forced to use "Windows for warships". In the meantime the Chinese always knew they couldn't trust software from the West. 20 year head start is probably an underestimate.
America has fallen behind in nearly every area. We are a stupid nation a lot of the time.
Well no shit. If it's made by a human, it can be exploited by another.
Just like if a human thought up an electronic board, another can unravel its workings with time and patience.
In the same manner a flaw produced by a human will be seen through by another one way or another.
It's just plain common sense.
Or at least it should be common.
From TFA:
The British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks.
I hope we all understand now what “acquired the capability” means. The NSA planted a programmer within Juniper Networks. There was no other way to “acquire” this capability.
Except that he just referenced a claim that the British acquired the capability by being told about the backdoor, and he then goes on to say that the Chinese acquired the same capability by discovering the backdoor through reverse-engineering. So there is another way after all.
Which raises the following possibilities, each just as plausible as "The NSA planted a programmer":
1. The Chinese planted a programmer, and the NSA or GCHQ discovered it via reverse-engineering and shared it with the other.
2. The Chinese planted a programmer, and the NSA discovered it during review of source-code shared as a condition of purchasing for sensitive government use.
3. A programmer was paid to create the backdoor by a non-governmental entity interested in corporate espionage, and all the state actors discovered it via reverse-engineering.
4. The backdoor was created unintentionally (e.g. failure to remove white-box test code before going to production), and all the actors discovered it via reverse-engineering and/or source review.
Basically, John presents no evidence whatsoever for his claim that the NSA caused the backdoor.
Ultimately, I do agree with the point he does make, which is that code inspections can catch and close both intentional and unintentional backdoors. But the rest of the article is FUD.
My counterpoint to what?
He may not have explicitly sided with Apple, but his remarks in this article were clearly not on the side of the FBI.
There is no doubt that McAfee speaks the truth here, but what he doesn't reference is that while the NSA and the FBI are retarded, there are huge numbers of folks in the US who do not subscribe to that policy and HAVE kept up on security and can spin the US Gov'mint up to speed quickly when the need arises, and it will. The US has traditionally been a late riser when it comes to open warfare, we mince in and get bloodied and then, come together in an economic juggernaut, uniting seemingly perpetual fighting sides of our country against any external threat, much like a bickering family consolidates against any outsider. Then when the threat is gone we go back to feuding like dysfunctional hamsters. I just hope we don't wait too long in the face of this more subtle threat...
"I fear all we have done is to awaken a sleeping giant and fill him with a terrible resolve."
"Regardless of the provenance of the quote, Yamamoto believed that Japan could not win a protracted war with the US. Moreover, he seems to have believed that the Pearl Harbor attack had become a blunder even though he was the person who came up with the idea of a surprise attack on Pearl Harbor. It is recorded that "Yamamoto alone" (while all his staff members were celebrating) spent the day after Pearl Harbor "sunk in apparent depression". He is also known to have been upset by the bungling of the Foreign Ministry which led to the attack happening while the countries were technically at peace, thus making the incident an unprovoked sneak attack that would certainly enrage the Americans."
errr....umm...*whooosh* *whoosh* Is this thing on ?
...then eats the crayon.
... then eats the napkins.
Socialism: a lie told by totalitarians and believed by fools.
McAfee isn't unaware of all this. One of his campaign keys is that he will provide a more security-hardened communications platform to U.S. government personnel.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
..and what's wrong with McAfee showing that the FBI was interested in a little bit MORE than just a decrypted phone?
He offered them what they SAID they wanted by a different path. So the FBI was lying because what they REALLY wanted wouldn't sit well with the public. So THANK YOU McAfee for actually looking out for the people.
I take a different tack, from a perspective that the NSA should always seek to be more transparent. This has proven to be a pretty successful basis of advice, so far.
Whatever backdoors the NSA is using, they should reveal to the American public. This in turn makes the information available to enemies of the U.S., but it also gives the U.S. public all the tools they need to implement measures to safeguard against the threat. Let's leave it to the CIA to secretly use backdoors against the U.S.'s enemies, and let the NSA be more focused on getting the American populace up to speed on being more secure.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
is when I stopped reading. The country with the biggest military on the planet, who has not had its borders breached since briefly during WW2, and has used its "defence" force for nothing but illegal invasion, is crying about "enemies".
I didn't say there was anything wrong with what he said. I was disproving the GP's claim that McAfee was siding with the FBI.
He makes me uncomfortable by holding the same position that I do? Yeah, sure, guy.
Why is my post funny? What's funny about disproving the GP's claim that McAfee sided with the FBI?
I'd have to agree based on many historic examples.
The current issue with Apple is my favorite example at the time. There's no way of knowing whether Apple has already given some agencies backdoors or not; if they have, pretending to "fight" with the agencies on a backdoor gives consumers and shareholders the illusion that's more desirable.
And also, let's take into consideration that Apple is well-known for abusing the leverage of "planned obsolescence". Their devices are apt to be updated with a completely necessary platform revision that renders old-enough models absolutely incapable of maintaining any decent level of performance.
Given that Apple is a known abuser of planned obsolescence, let's think about the current stand-off in similar terms:
* Apple could, after much "fighting" for the audience of consumers and shareholders, be "forced" to give-in to the agencies' demands and produce a backdoor.
* But Apple is smart, and courageous. So they promise consumers and shareholders that the currently released backdoor is only going to be useful on all previous and existing models of Apple devices; the next iteration of Apple devices will utilize a different standard, function, or giant integer that renders the backdoor moot.
* Voila: every person who owns every past model of Apple devices will gladly get rid of their old "junk" and get the brand-newest Apple device. If they don't do so gladly, maybe it's because standards of practice at their workplace simply force them to do so in order to maintain corporate integrity.
McAfee has sided with Apple a bit too strongly and a bit too readily at the present time, for my tastes. And that taste is one that prefers my computer gurus and infosec wizards to be consistent, unwavering and to never miss a single detail.
Now, McAfee's a busy guy. Maybe he hasn't had the time to consider that Apple could be co-conspiring with the FBI and so on.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Assume (and this is hopelessly naive) that any back doors that you leave in the software will never be found and hacked. With the U.S. Government's miserable record on keeping secrets, SOMEBODY on the team will turn out to be a Chinese or Iranian or Russian agent, and the back door will become a SCREEN door, allowing all your data to be stolen and disinformation inserted into your systems.
If all you think the Cold War is about is nuclear weapons brinkmanship, you're totally coddled as to (or better, per) the Cold War.
There are things that came to fruition just prior to and during WW2 that haven't even brushed the public foremind, yet. And even the nuke race aspect has been escalating for the last seven years, which puts your De Lorean reference way out in right field.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Just because John wouldn't show up for your Annual Tinfoil Hat Convention doesn't mean you should just lash out in anger and dismiss the entire field. There are still people in Tinfoil Hat land who need leaders like you to press ahead, even if John can't be one of them.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
From John McAfee - I have considered that. But isn't it more convenient to assume, at the start, that individual people are mostly honest, than mostly dishonest?
I have the most to lose - already being investigated by the FBI for a multitude of imagined offenses (multiple murders, drug manufacturer, treason and a host of others). I am, at least, standing up - risking all - and calling the FBI deceptive, dishonest, self serving and anti-society.
The US government is, without any doubt, my enemy. At least with Apple there is the possibility that they are not my enemy.
Is it too much to get the basic facts right?
Wow..
If it is known that I can defeat security measure X for Y reasons, then I can defeat security measure X for any reasons. Yes, the FBI specifically asked Apple to write code to defeat its own security measure. If it happens, the FBI does not need to have access to the code, just access to Apple which is the same in all respects considering the loose requirements for warrants under laws like the Patriot Act and so on.
Nothing material about what was said is false. Please stop arguing semantics. It is about as bad as Dick Cheney going around saying that no one's civil liberties were violated in the metadata bulk collection spying because they are officially "company records" and not private communications.
He makes me uncomfortable being on the same planet, but there's nothing that can be done about that.
I've seen him as a nutcase since the 90s.
I'm just surprised the media finally noticed.
Only if your personality is that of a nutcase, which definitely applies to him.
He's been licking that acme toad for a long time now, but it's finally starting to get covered by some of the media.
http://yro.slashdot.org/commen...
http://yro.slashdot.org/commen...
So, your third try at a "last post"?
Which is precisely what the grandparent poster didn't do; here's the irony of the challenge facing an ad hominem arguer: To successfully challenge the message one has to point out how the message is not worth taking seriously. The very thing the arguer tries to get us to ignore is the thing that has to be examined and taken down thus justifying future skepticism. I could see where someone's background would justifiably raise suspicion, but not outright dismissal of all claims such as what you propose. You're making the same mistake that poster made; while white knighting for a bad argument you're claiming "Charles Manson is not going to give you sound advice" without telling us exactly which Manson advice we should dismiss. I can only guess you think we should dismiss everything Manson (and thus McAfee) says on any topic but without any examples of why we should follow that advice. And then you post this anonymously, so as to prevent anyone from understanding whom they're reading so we won't dismiss what you've said in the past further now that your own argument has failed to convince and raised suspicions of you.
When one makes an argument like yours and doesn't supply the information we need to justify dismissing someone out of hand, people look into things. For example, people tried arguing this way with Donald Trump, someone whose racist and unfactual screeds have justifiably earned him quite a bit of bad press. But when Trump recently pointed out that in 2003 George W. Bush lied to get the US to invade Iraq, Trump was right and at that time millions of people on the streets of the world in the world's largest anti-war protests knew the Bush government and pro-war sycophants didn't have the evidence they needed to justify war. Trump got booed by seemingly reflexively pro-war Republicans when he pointed out Bush's lies but that didn't make what Trump said in those statements worthless.
Digital Citizen
Hello,
Actually, hosts files are a reactive technology and not a proactive one, since they only block what is already listed in them. That does not mean they are useless, of course, but that they are just a supplemental tool, much like anti-malware software, segmenting administrative and user privilege, auditing logs, etc. There's no one magic bullet for security.
Regards,
Aryeh Goretsky
Dexter is a good dog.
With the articles on them? Now there's food for thought.
Ezekiel 23:20
Mods are being subtly ironic today.
Sunspots.
Faster! Faster! Faster would be better!
He has a long history of doing unethical and dishonest things, including lying and ip theft in the software industry. I'm not just talking about when he ran his company, but him personally. Of course, it's not like he's ever been taken to court for it, and very little of it was ever published that I'm aware of, but still, even if you do firmly believe that most people are basically honest, do not include him with that group.
Hello,
Mr. McAfee has a rich and varied history of stating as fact things which cannot be proven as true or as false, simply because they cannot be verified. It is most certainly not paranoid rantings, nor is it based on any actual information about the current situation. Instead, it is carefully-crafted statements made for one reason and one reason only: To maximize his coverage in the media.
Recent examples of similar behavior include:
Sometimes making comments to the media works to McAfee's advantage, sometimes they don't. But as long as he keeps coming up with new ones, he keeps getting media coverage. This story is just one more example of such continuing behavior.
Regards,
Aryeh Goretsky
Dexter is a good dog.
"Under Deng Xiaoping, the penalty for back doors, and for violating any of the meta- software principles, was death." In the US it's just a mandatory minimum of one-year in federal prison. https://dockets.justia.com/doc...; https://www.fas.org/sgp/crs/mi...
As an Australian, I feel very uncomfortable about an American coming up my back passage. It makes me feel naked and violated.
The commercial software industry pretty well started with Gates and others dumpster diving for other people's code and closing off previously freely available software that other people had written. The figures that are not "wild west" were either giving their stuff away with hardware or publishing it freely from academia.
The UK was very happy to let the press, courts, authors and historians just wonder about the role of the GCHQ for decades.
If expert help was needed for the courts different front groups could offer decryption or play the role of expert witnesses. No need for any comment in open court or for anyone to even understand any aspect of the UK's signals intelligence. Large bases globally, huge amount of staff had nothing to do with the public, courts, politicians, the press, authors. Funding flowed and collect it all worked to ensure information flowed as needed within the UK mil and gov.
The NSA seemed to have a lot of different budget and growth problems. Size and an expanding budget matters in the US, been seen to get results, leading missions not just helping, showing political leaders and their random staff real time results.
The instant and very public win, an ever expanding budget, more mil/public/private sector work, looking after no bid contractors and attracting a new, expanding workforce.
Weak, junk standard crypto sold by big US brands to the world was the easy key to bureaucratic growth and very public success without too much effort for decades.
Every interesting nation knows their domestic and international networks are totally compromised when fully importing junk products. The problem with the easy path of designing in junk crypto is every other nation soon learns of the same simple weaknesses and can cope with that reality.
Other nations can cope with the US gov having total mastery of every US branded turn key telco and computing product sold, designed or in use.
They can focus on getting their own trusted human staff deep into gov, higher education, industry globally as all focus is on the signals side.
Position loyal staff to shape other nations policy formation for decades with charming humans takes generations and time but they do rise to the very top.
Was a total focus on signals intelligence by the West beyond the 1960's a win? They got to "collect it all" by selling low cost junk encryption globally but the human side was always the way in.
Domestic spying is now "Benign Information Gathering"
"Grain of salt" just means that you don't believe it blindly, you're aware the details may be wrong and you have to check them before believing each one. It applies to everything all the time; the phrase is just a reminder in some cases that checking is prudent.
Checking the details of what he says is important, you might have missed a few of the jokes with just a casual listening.
But I'm not convinced you understand American English cliches very well.
Perhaps adding a back door to the iPhone would do the trick...
He offered them what they SAID they wanted by a different path. So the FBI was lying because what they REALLY wanted wouldn't sit well with the public. So THANK YOU McAfee for actually looking out for the people.
He made an offer to decrypt the phone without any demonstration that he could actually do it. Do you think the FBI would just hand over a critical piece of evidence to a wacko bird and his supposed crack team of hackers?
I don't understand. This McAfee seems to be implying that the NSA might be doing something wrong.
That's why the FBI is asking Apple to flash the firmware on THIS iPhone with a new signed version from Apple with the number of attempts limit removed and the time delay between attempts zeroed, enabling the FBI to brute force attack the password which is 4 digit long on this model leading to about 30 million possibilities if only English characters, numbers and special characters were used. This is much easier and certainly feasible to recover the password quickly, then the encryption key and finally decrypt the iPhone data.
McAfee is an idiot if he really thinks he can decrypt directly the data without cracking the password and recovering the encryption key.
Achille Talon
Hop!
False, the FBI may just get Apple's private key to sign the firmware and they will then be able to write their own firmware to circumvent the protections which prevent them from cracking the password and recovering the encryption key and flash the device with the new firmware. This model, iPhone 5c, doesn't require the user's authorization to be flashed. The only thing that prevents the FBI from going ahead without any help from Apple is the signature of the firmware.
Achille Talon
Hop!
john doesn't have the firmware signing certs or the 0-day fw jailbreak(and ios sources.. maybe doable without the ios sources but would take a lot longer)..
it's not about making even vulnerable code. what the fbi wants in the iphone 5c case is to make a fw that boots the phone and has the 10 tries wipe command disabled. entirely doable on iphone 5C, with apple's fw cert and ios sources it's just an afternoon to do what the FBI requests and it will not compromise anything else than the phone it is loaded on. if apple doesn't then leak that build+source then other iphone 5C's are still as secure as ever.
keep in mind that this attack on the iphone 5C needs apple's cert and firmware sources to be easy, but if you have those then it is so easy to do that it is as good as done already - so replicating this attack by a 3rd party is not any more likely before or after apple provides the bruteforcing of the pin for this one iphone 5C. the vulnerability status of any other iphone 5C would remain the same and the legal precedent for apple to provide this service would diminish in importance quickly as iphone 5C's leave the market.
on 5S, 6 or anything later, they already have the further mechanism for wiping the key that doesn't depend on the OS.
what phone stealing gangs want is not to get the pin either, what they want is a jailbreak and the apple certs to write firmware to make builds that disable findmyiphone.
why is apple so reluctant then to provide this and spins it as being something different than it is in the media then? who the fuck knows, maybe some of the other cases is about decrypting an iphone 5C with info on how apple is circumventing taxes or some shit like that, maybe they scare that people don't understand why they could do it with this 5C and not 5S and would lose face - OR they were previously lying about secure enclave(5S) and it would affect them as well, if they were not lying about secure enclave capabilities then this should not affect them at all.
and geez, a brute forcer is not "vulnerable code". they just want a build on that phone that they can boot from usb that doesn't instruct the cpu to wipe the internally stored key after 10 attempts - and 15 mins more to do the brute forcing in phone. it's a very simple request that doesn't compromise anything else and would be doable anyways if you could get around the bootloader - AAANYWAYS.. apple has never denied that they COULD do this so from that viewpoint it is _already_ vulnerable to this kind of attack. the fbi request in the media is _not_ about adding a backdoor into the operating system - it's more like making a build with a new front door that doesn't burn the house down if you try to open it with the wrong keys.
you can't really _add_ backdoor to access a password from a guy that is already dead you know. the way to get the code is already in it and it is the flaw that the encryption key wipe is in operating system included/loaded code and thus can be turned off.
world was created 5 seconds before this post as it is.
... isn't it more convenient to assume, at the start, that individual people are mostly honest, than mostly dishonest?
Sure. For instance, I assume at the start that John McAfee is mostly honest. That's why my assumption is perhaps John hadn't thought of a potentially dishonest Apple in this situation.
But overall, how can anybody pursue info security without a strong tendency to assume dishonesty on behalf of nearly every party?
At least with Apple there is the possibility that they are not my enemy.
But that's also true, as well. Given the numerous lies against John McAfee and attempts on his life, I wouldn't call it necessarily "fatigue" if he were to hedge his bets with a potential non-threat.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Heh.
Thanks, A.C., for calling me "Mulder" -- it suggests that my views could be popular instead of quieted up.
But sorry, I can't bite. Frankly, just judging by your tone, it would do me little good to even breach any one of numerous subjects. I'll just take your below-the-surface bubbling of ridicule ready to blow for what it is and leave the island before it blows.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Sigh.. reading comprehension is not your strong point is it?
If that's really the case, then all McAfee had to do was get the same model phone and make a video of it being hacked with explicit instructions, rather than going on his word. The FBI wouldn't even have to give him the phone.
Even a stopped clock gives the correct time at least twice a day.
Even if McAfee has said other stupid things, I think it's very highly probable that any backdoor put into place by the NSA is probably well known by other services in other countries with big means and big budget, and probably exploited by them too (Though smaller players like Switzerland's Onyx probably don't have access).
I wouldn't be surprised if Snowden was far from the first time that China's MSS and Russia's FSB/KGB ever heard about those backdoors (second reason why I suspect Russia speaks the truth when they say they haven't read any document from Snowden. They wouldn't need it: these documents wouldn't contain anything that they aren't already aware of and exploiting actively).
So yup, I think McAfee has said something sensible: Russia and China have probably had a field day using backdoors left by the NSA.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Anyone (else) remember how we used to write programs (for the main frame)? The Chinese didn't invent anything, they simply followed the IBM red book. Although the advent of personal computers has certainly changed everything, the very basis upon which they did that eliminated the very thing being touted. Giving the power to process data (write code) to the end user will of necessity remove any impetus for code review.
There are other issues as well that are engendered in the forces driving software development itself. First and foremost is the inclusion of inexperienced programmers. Ones whose only experience is with writing GUI routines who are then promoted to creating systemic code. The two have completely different security needs. Similarly the move to frameworks such as AGILE where code production is valued over code correctness have led to a plethora of routines which only have positive testing, and no review. Finally the creation of both tertiary languages, ones that have to be translated twice before they arrive at machine code, and the rampant use of tools which eliminate the need to actually write code in lieu of dragging and dropping functional blocks, make code review nearly impossible. You aren't reviewing the code itself but rather larger collections of routines. You'll never find the backdoor because it isn't in the code you are reviewing.
What I'd like to see, and it won't happen, is a return to the bad old days. This is when a program update took between 6 mos and several years due to review and rewrite schedules. You can approach the same endpoint with well constructed negative testing, but I have yet to encounter a software firm which performed exhaustive negative testing. Usually if it is done at all it is simply a session using random data. No stress testing. No deliberate failure induction. No code review.
Why do we want to move all of our things to being internet connected (IoT) when we can't even write a decent firewall.
Aahh! Good to know. Thanks for clarifying that.
Only boring people are ever bored.
A public key block would flag a back door very obviously. The data has a unique look. It also has a unique profile of use, in that someone would have to initialize a cipher session or whatever. Even a trivial code review would find a fully encrypted back door.
Hiding the public key block within an obfuscation generator adds a huge block of code instead of data, followed by the same need to invoke the cipher system.
To function as a "back door" the door, by definition, has to be pretty damn simple and innocuous enough to go unnoticed.
So "creating a back door that only you can use" is actually creating a separate front door with all the trappings, which kind of moots the point of sneaking it in.
Back doors are, pretty much by definition, mechanisms that only implement security through obscurity.
Fully secure ingress is way too hard to sneak into place and remain hidden.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
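
The comment above argues that an embedded public-key block "has a unique look" a reviewer can spot. As an added example (not code from the thread or from any project discussed in it), this Python scanner flags PEM markers, the DER OIDs for RSA and EC public keys, and high-entropy windows in a binary blob; the sample blob, the 256-byte window and the 6.8 bits/byte threshold are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# DER encodings of the algorithm OIDs found inside SubjectPublicKeyInfo.
DER_OIDS = {
    "rsaEncryption": bytes.fromhex("06092a864886f70d010101"),
    "id-ecPublicKey": bytes.fromhex("06072a8648ce3d0201"),
}
PEM_RE = re.compile(rb"-----BEGIN ((?:RSA )?PUBLIC KEY|CERTIFICATE)-----")


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of the byte-value distribution in chunk."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def entropy_regions(data: bytes, window=256, step=64, threshold=6.8):
    """Merged (start, end) ranges whose sliding-window entropy >= threshold.

    Window, step and threshold are assumed values; printable text cannot
    reach 6.8 bits/byte because its alphabet is under 100 symbols.
    """
    regions = []
    for start in range(0, len(data) - window + 1, step):
        if shannon_entropy(data[start:start + window]) >= threshold:
            end = start + window
            if regions and start <= regions[-1][1]:
                regions[-1] = (regions[-1][0], end)  # extend previous range
            else:
                regions.append((start, end))
    return regions


def scan(data: bytes):
    """Return sorted (offset, kind) findings that suggest embedded key material."""
    findings = []
    for m in PEM_RE.finditer(data):
        findings.append((m.start(), "pem:" + m.group(1).decode()))
    for name, oid in DER_OIDS.items():
        pos = data.find(oid)
        while pos != -1:
            findings.append((pos, "der-oid:" + name))
            pos = data.find(oid, pos + 1)
    for start, end in entropy_regions(data):
        findings.append((start, f"high-entropy:{end - start}B"))
    return sorted(findings)


def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for key bytes (constructed, not a real key)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def build_sample() -> bytes:
    """Constructed blob: source text, a PEM block, a DER header plus raw bytes."""
    source = b"int check_login(const char *u, const char *p) { return verify(u, p); }\n" * 8
    pem = (b"-----BEGIN PUBLIC KEY-----\n"
           + base64.b64encode(pseudo_random(96, b"pem-body"))
           + b"\n-----END PUBLIC KEY-----\n")
    # AlgorithmIdentifier: SEQUENCE { rsaEncryption OID, NULL }
    der_alg = bytes.fromhex("300d") + DER_OIDS["rsaEncryption"] + bytes.fromhex("0500")
    raw_key = pseudo_random(512, b"raw-modulus")
    return source + pem + source + der_alg + raw_key + source


if __name__ == "__main__":
    for offset, kind in scan(build_sample()):
        print(f"{offset:#06x}  {kind}")
```

Compressed and encrypted resources also score high on entropy, so those hits are leads for a reviewer rather than verdicts.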