Slashdot Mirror


John McAfee: NSA's Back Door Has Given Every US Secret To Enemies (businessinsider.com)

John McAfee, American computer programmer and contributing editor of Business Insider, explains how the NSA's back door has given every U.S. secret to its enemies. He begins by mentioning the importance of software, specifically meta-software, which contains a high-level set of principles designed to help a nation survive in a cyberwar. Such software must not contain any back doors under any circumstances, otherwise it can and may very likely allow perceived enemies of the U.S. to have access to top-secret information. For example, the Chinese used the NSA's back door to hack the Defense Department last year and steal 5.6 million fingerprints of critical personnel. "Whatever gains the NSA has made through the use of their back door, it cannot possibly counterbalance the harm done to our nation by everyone else's use of that same back door." McAfee believes the U.S. has failed to grasp the subtle implications of technology and, as a result, is 20 years behind the Chinese, and by association, the Russians as well.

31 of 186 comments

  1. Dear John by alphatel · · Score: 5, Insightful

    You are mad. Perhaps even more crazy is the fact that you speak the truth.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    1. Re:Dear John by HiThere · · Score: 2

      That's not actually true. You *CAN* do both, but you need to ration your resources to both. If you were to do it just right you could probably get a synergetic mix.

      Unfortunately, giving either side all it wants is a recipe for failure, and if either side can grab the levers of power, then it won't show reasonable restraint. As you noted.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  2. Wait by HangingChad · · Score: 2, Informative

    Isn't this the guy wanted in connection with the mysterious disappearance of a former neighbor? I'm not sure I'd take anything at face value from Mr. Stability.

    If he's talking about the Chinese, they don't need an NSA back door to hack systems in the U.S., they've been porking government and contractor systems for years. The Chinese have the designs for every nuclear weapon in our arsenal and the personnel records of hundreds of thousands of government workers, including their security clearance applications. What would they get from an NSA back door that they don't already have?

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Wait by Anonymous Coward · · Score: 2, Informative

      Isn't this the guy wanted in connection with the mysterious disappearance of a former neighbor? I'm not sure I'd take anything at face value from Mr. Stability.

      If you can't attack the message, attack the messenger, eh?

      And per your next sentence: while the Chinese probably don't need to exploit the NSA's backdoor to get the information they want, it certainly makes it easier... and is deliciously ironic to boot.

    2. Re:Wait by Lunix+Nutcase · · Score: 4, Insightful

      It's laughable that they criticize Apple for not building in backdoors, when they are so obviously incapable of keeping any info from those backdoors a secret. China is outclassing them in every way and it's time we get a President like Trump who's at least capable of knowing there's a problem, unlike the "mainstream" crooks and liars.

      So you're against people criticizing Apple for not building backdoors into their software but then you claim we need Trump as the president who has said he's going to force Apple to build in backdoors? Excellent troll is excellent!

    3. Re:Wait by bill_mcgonigle · · Score: 2

      Boy, we need a (-1, Ad hominem) here. FWIW, the non-mass-media account is that he was working on a science-based aphrodisiac chemical and had _far_ too many of the local women at his compound, so he "needed" to be run out of town. Who knows what the real story is, but AFAIK there's no evidence of a crime.

      Anyway, since Juniper hasn't come clean about the providence of the backdoors, he's probably right about who the contractor really worked for. Regardless of whether it was NSA, GCHQ, or whatever, the software engineering practices he advocates would definitely have caught it.

      What can be gained by trying to dismiss such clearly correct recommendations to industry by engaging in fallacious reasoning? Cui bono?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:Wait by flatulus · · Score: 2

      ... the providence of the backdoors, ...

      You mean provenance

  3. Re:Didn't McAfee Side With the FBI? by PsychoSlashDot · · Score: 5, Informative

    I thought he sided with the FBI against Apple. He thinks Apple should include a backdoor in their phones for the FBI...and now he's pointing out how dangerous backdoors are....

    No, he didn't side with anyone. He offered to decrypt the phone. That's not what the FBI wants. The FBI wants Apple to produce vulnerable code. John didn't offer to produce vulnerable code. By making his offer, McAfee was illustrating that the FBI isn't after the decrypted data.

    --
    "Oh no... he found the .sig setting."
  4. Re:Didn't McAfee Side With the FBI? by Lunix+Nutcase · · Score: 3, Funny

    He did no such thing. That article you wrongfully remember was him blasting the US government and comparing them to the Nazis.

  5. People have to on secure software by Anonymous Coward · · Score: 4, Informative

    In the 70s there were secure operating systems like Multics. Then the only things allowed for US export were the ones that failed to be secure. That's how we got DOS then Windows. Now everything needs to be rewritten from scratch by people without commercial pressure for there to be any chance. Think about the navy ending up forced to use "Windows for warships". In the meantime the Chinese always knew they couldn't trust software from the West. 20 year head start is probably an underestimate.

  6. Jumping at conclusions by Anonymous Coward · · Score: 5, Interesting

    From TFA:

    The British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks.

    I hope we all understand now what “acquired the capability” means. The NSA planted a programmer within Jupiter Networks. There was no other way to “acquire” this capability.

    Except that he just referenced a claim that the British acquired the capability by being told about the backdoor, and he then goes on to say that the Chinese acquired the same capability by discovering the backdoor through reverse-engineering. So there is another way after all.

    Which raises the following possibilities, each just as plausible as "The NSA planted a programmer":

    1. The Chinese planted a programmer, and the NSA or GCHQ discovered it via reverse-engineering and shared it with the other.
    2. The Chinese planted a programmer, and the NSA discovered it during review of source-code shared as a condition of purchasing for sensitive government use.
    3. A programmer was paid to create the backdoor by a non-governmental entity interested in corporate espionage, and all the state actors discovered it via reverse-engineering.
    4. The backdoor was created unintentionally (e.g. failure to remove white-box test code before going to production), and all the actors discovered it via reverse-engineering and/or source review.

    Basically, John presents no evidence whatsoever for his claim that the NSA caused the backdoor.

    Ultimately, I do agree with the point he does make, which is that code inspections can catch and close both intentional and unintentional backdoors. But the rest of the article is FUD.

    1. Re:Jumping at conclusions by hawguy · · Score: 5, Insightful

      From TFA:

      The British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks.

      I hope we all understand now what “acquired the capability” means. The NSA planted a programmer within Jupiter Networks. There was no other way to “acquire” this capability.

      Except that he just referenced a claim that the British acquired the capability by being told about the backdoor, and he then goes on to say that the Chinese acquired the same capability by discovering the backdoor through reverse-engineering. So there is another way after all.

      Which raises the following possibilities, each just as plausible as "The NSA planted a programmer":

      1. The Chinese planted a programmer, and the NSA or GCHQ discovered it via reverse-engineering and shared it with the other.
      2. The Chinese planted a programmer, and the NSA discovered it during review of source-code shared as a condition of purchasing for sensitive government use.
      3. A programmer was paid to create the backdoor by a non-governmental entity interested in corporate espionage, and all the state actors discovered it via reverse-engineering.
      4. The backdoor was created unintentionally (e.g. failure to remove white-box test code before going to production), and all the actors discovered it via reverse-engineering and/or source review.

      Basically, John presents no evidence whatsoever for his claim that the NSA caused the backdoor.

      Ultimately, I do agree with the point he does make, which is that code inspections can catch and close both intentional and unintentional backdoors. But the rest of the article is FUD.

      If the NSA discovered the backdoor on their own and didn't share it with Juniper so they could close it, that's arguably worse than if the NSA planted it themselves. At least if they planted it themselves, they could convince themselves that it's buried too deep to be discovered, but if they stumbled upon it themselves, then they *knew* it was discoverable and that it's likely that others had discovered it too.

    2. Re:Jumping at conclusions by tricorn · · Score: 3, Interesting

      Why would the NSA put in a back door that could be used by anyone? Only allow a connection that has the right private key. Sure, the key might be stolen, but it's a lot more secure than a wide open vulnerability. The NSA is more competent than that.

    3. Re:Jumping at conclusions by Anonymous Coward · · Score: 2, Interesting

      If they did that, everyone would know who did it once a breach happens. There's no plausible deniability.

    4. Re:Jumping at conclusions by EETech1 · · Score: 2

      Remember... He sold software that was a backdoor that came pre-installed on virtually every Windows computer made for quite some time.

      I'm sure he's gotten the same calls and letters from the TLAs before, and may have some insider knowledge in how it goes down.

    5. Re:Jumping at conclusions by meerling · · Score: 2

      If a backdoor exists, it can be used by anyone with the skill to break in, which is much easier than trying to break in the primary security of that system because otherwise the backdoor would be redundant and probably wouldn't even exist in the first place. One of the primary securities to a backdoor is the obscurity as people don't try to open the door that they don't know is there. Of course, as soon as they find out about its existence by whatever means, it becomes vulnerable. This is why any and all reputable companies will tell you in no uncertain terms that backdoors are security violations.

      Don't forget that any backdoor that isn't specifically customized to that unique installation, is probably using some kind of group key. Of course that means that as soon as you get the key for one of those doors, by whatever means, you instantly have total access to all of those doors.
      Backdoors can be identified by analyzing the code, though it can be laborious, especially if it was obfuscated, even if you have open source code. (These days most backdoors are obfuscated.) Though with the potential payoffs, there are serious incentives for certain people and groups, especially among governmental agencies, to do the work.

    6. Re:Jumping at conclusions by complete+loony · · Score: 2

      Option 4 is unlikely, they made too many separate changes to enable this backdoor;
      1. Use the broken Dual_EC random number generator.
      2. Use their own Q constant, not the standard one decodable by the NSA.
      3. Send 32 raw bytes from the RNG in a network packet.
      4. Add a hard coded ssh password, with the same format as a debug string.

      Whoever did this was trying to be underhanded. Leaving few clues in the source code and compiled binary. But there's no way these changes were accidentally included test code.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
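
Added example (not part of the thread, and not Juniper's or anyone else's actual code): a simplified Dual_EC-style generator showing why the first three changes listed in the comment above combine into a backdoor. Whoever chose Q knows a scalar e with P = e*Q, and a single raw output then yields the generator's next state. Assumptions: the secp256k1 field and equation stand in for the NIST curve, output is not truncated, and every scalar and name (DualECToy, predict, demo) is constructed for illustration.

```python
import hashlib

# Constructed demo parameters: secp256k1's field and equation stand in for the
# NIST curve that Dual_EC_DRBG really uses, and output here is NOT truncated.
FIELD = 2**256 - 2**32 - 977        # field prime; FIELD % 4 == 3
B = 7                               # curve: y^2 = x^3 + 7 (a = 0)

def inv(v):
    return pow(v % FIELD, FIELD - 2, FIELD)      # Fermat inverse

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    lam = (3 * x1 * x1 * inv(2 * y1) if p1 == p2 else (y2 - y1) * inv(x2 - x1)) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return x3, (lam * (x1 - x3) - y1) % FIELD

def mul(k, pt):
    acc = None                      # double-and-add scalar multiplication
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Return a curve point with x-coordinate x, or None if there is none."""
    rhs = (pow(x, 3, FIELD) + B) % FIELD
    y = pow(rhs, (FIELD + 1) // 4, FIELD)        # square root, as FIELD % 4 == 3
    return (x, y) if y * y % FIELD == rhs else None

class DualECToy:                    # simplified: s <- x(s*P), then output x(s*Q)
    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q
    def next(self):
        self.s = mul(self.s, self.P)[0]
        return mul(self.s, self.Q)[0]

def predict(leaked, e, P, Q, count):
    """From one raw output and e with P = e*Q, predict the following outputs."""
    R = lift_x(leaked)              # R = +/- s*Q; the sign does not change x(e*R)
    s = mul(e, R)[0]                # e*R = s*(e*Q) = s*P, i.e. the next state
    out = []
    for _ in range(count):
        out.append(mul(s, Q)[0])
        s = mul(s, P)[0]
    return out

def scalar(label):
    return int.from_bytes(hashlib.sha256(label).digest(), "big")  # constructed value

def demo(attacker_scalar=None):
    Q = next(pt for pt in map(lift_x, range(1, 50)) if pt)
    e = scalar(b"constructed secret relating P and Q")   # known to whoever set Q
    P = mul(e, Q)                   # same as fixing P and choosing Q = (1/e)*P
    victim = DualECToy(scalar(b"constructed victim seed"), P, Q)
    leaked = victim.next()          # one raw output, e.g. sent in a network packet
    actual = [victim.next() for _ in range(3)]
    return actual, predict(leaked, attacker_scalar or e, P, Q, 3)

if __name__ == "__main__":
    actual, guess = demo()
    print("outputs predicted from one leaked value:", actual == guess)
```

With any scalar other than e the prediction fails, which is why swapping in a different Q moves the capability to whoever made the swap.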
    7. Re:Jumping at conclusions by Aighearach · · Score: 2

      It would, because there would be a paper trail on the employee. If you know it is not an accident that changes the meaning of all the details in the investigation at the company; you can follow leads a lot more confidently. You also know to invest real money in certain types of audits of network activity that would not otherwise be of clear value.

      If it is not distinguishable from a mistake, then you can't make inferences of malicious intent, and you can't reasonably audit networks expecting to uncover anything. You also don't know when the lack of information is suspicious and implies an altered log, or when you simply failed to find a correlation. There are lots of details where knowing that there is a malicious party involved really helps to decide which logs to worry more about. Whereas if you weren't sure there was anything amiss, it would just be wasted money and if you didn't find anything, you could keep looking forever.

  7. Re:Didn't McAfee Side With the FBI? by Lunix+Nutcase · · Score: 2

    He may not have explicitly sided with Apple, but his remarks in this article were clearly not on the side of the FBI.

  8. Re:Cool fact: McAfee writes all articles on napkin by lgw · · Score: 4, Funny

    ...then eats the crayon.

    ... then eats the napkins.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  9. Re:Didn't McAfee Side With the FBI? by Dutchmaan · · Score: 4, Insightful

    ..and what's wrong with McAfee showing that the FBI was interested in a little bit MORE than just a decrypted phone?

    He offered them what they SAID they wanted by a different path. So the FBI was lying because what they REALLY wanted wouldn't sit well with the public. So THANK YOU McAfee for actually looking out for the people.

  10. Re:They are all working together by eyenot · · Score: 2

    I'd have to agree based on many historic examples.

    The current issue with Apple is my favorite example at the time. There's no way of knowing whether Apple has already given some agencies backdoors or not; if they have, pretending to "fight" with the agencies on a backdoor gives consumers and shareholders the illusion that's more desirable.

    And also, let's take into consideration that Apple is well-known for abusing the leverage of "planned obsolescence". Their devices are apt to be updated with a completely necessary platform revision that renders old-enough models absolutely incapable of maintaining any decent level of performance.

    Given that Apple is a known abuser of planned obsolescence, let's think about the current stand-off in similar terms:

    * Apple could, after much "fighting" for the audience of consumers and shareholders, be "forced" to give-in to the agencies' demands and produce a backdoor.

    * But Apple is smart, and courageous. So they promise consumers and shareholders that the currently released backdoor is only going to be useful on all previous and existing models of Apple devices; the next iteration of Apple devices will utilize a different standard, function, or giant integer that renders the backdoor moot.

    * Voila: every person who owns every past model of Apple devices will gladly get rid of their old "junk" and get the brand-newest Apple device. If they don't do so gladly, maybe it's because standards of practice at their workplace simply force them to do so in order to maintain corporate integrity.

    McAfee has sided with Apple a bit too strongly and a bit too readily at the present time, for my tastes. And that taste is one that prefers my computer gurus and infosec wizards to be consistent, unwavering and to never miss a single detail.

    Now, McAfee's a busy guy. Maybe he hasn't had the time to consider that Apple could be co-conspiring with the FBI and so on.

    --
    "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
  11. Re: They are all working together by Anonymous Coward · · Score: 2, Interesting

    From John McAfee - I have considered that. But isn't it more convenient to assume, at the start, that individual people are mostly honest, than mostly dishonest?

    I have the most to lose - already being investigated by the FBI for a multitude of imagined offenses (multiple murders, drug manufacturer, treason and a host of others). I am, at least, standing up - risking all - and calling the FBI deceptive, dishonest, self serving and anti-society.

    The US government is, without any doubt, my enemy. At least with Apple there is the possibility that they are not my enemy.

  12. Re:Sublte Lie by sumdumass · · Score: 5, Insightful

    Wow..

    If it is known that I can defeat security measure X for Y reasons, then I can defeat security measure X for any reasons. Yes, the FBI specifically asked Apple to write code to defeat its own security measure. If it happens, the FBI does not need to have access to the code, just access to Apple which is the same in all respects considering the loose requirements for warrants under laws like the patriot act and so on.

    Nothing material about what was said is false. Please stop arguing semantics. It is about as bad as Dick Cheney going around saying that no one's civil liberties were violated in the metadata bulk collection spying because they are officially "company records" and not private communications.

  13. Re:Cool fact: McAfee writes all articles on napkin by K.+S.+Kyosuke · · Score: 3, Funny

    With the articles on them? Now there's food for thought.

    --
    Ezekiel 23:20
  14. Re:The moment he started talking about "enemies" by Anne+Thwacks · · Score: 2

    Soon trump will try to put a stop to this.

    By deploying an entire Internet of cats?

    --
    Sent from my ASR33 using ASCII
  15. Nothing new here... by Aryeh+Goretsky · · Score: 3, Insightful

    Hello,

    Mr. McAfee has a rich and varied history of stating as fact things which cannot be proven as true or as false, simply because they cannot be verified. It is most certainly not paranoid rantings, nor is it based on any actual information about the current situation. Instead, it is carefully-crafted statements made for one reason and one reason only: To maximize his coverage in the media.

    Recent examples of similar behavior include:

    • Notifying the world that he had determined the Ashley Madison hacker to be a former female employee, based entirely on his interpretation of the language used in the disclosures. In fact, investigative journalist Brian Krebs had contemporaneously identified the probable hacker as a European man who had lived in North America for a period.
    • Offering to decrypt the iPhone used at work by Syed Rizwan Farook, primarily through the use of social engineering to obtain the passphrase or PIN unlock code. Social engineering the dead man's close friends and relatives in order to gain relevant information would likely need to be done in Arabic, Urdu or perhaps even Pashto. And, in any case, was subsequently rendered moot when it was revealed the phone's passphrase had been reset by law enforcement.
    • Claiming that America was vulnerable to EMP attacks, despite the fact that EMP weaponry had been investigated for years by Winn Schwartau who eventually determined widespread use wasn't feasible.

    Sometimes making comments to the media works to McAfee's advantage, sometimes they don't. But as long as he keeps coming up with new ones, he keeps getting media coverage. This story is just one more example of such continuing behavior.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.
  16. Re:more backdoors by stephows · · Score: 2

    As an Australian, I feel very uncomfortable about an American coming up my back passage. It makes me feel naked and violated.

  17. Re:The moment he started talking about "enemies" by dbIII · · Score: 2

    Soon trump will try to put a stop to this.

    By deploying an entire Internet of cats?

    That's what it's for. We have Cat6 cable now after all.

  18. Re: They are all working together by dbIII · · Score: 2

    and ip theft in the software industry

    The commercial software industry pretty well started with Gates and others dumpster diving for other people's code and closing off previously freely available software that other people had written. The figures that are not "wild west" were either giving their stuff away with hardware or publishing it freely from academia.

  19. Systemic Failure by DFDumont · · Score: 2

    Anyone (else) remember how we used to write programs (for the main frame)? The Chinese didn't invent anything, they simply followed the IBM red book. Although the advent of personal computers has certainly changed everything, the very basis upon which they did that eliminated the very thing being touted. Giving the power to process data (write code) to the end user will of necessity remove any impetus for code review.
    There are other issues as well that are engendered in the forces driving software development itself. First and foremost is the inclusion of inexperienced programmers. Ones whose only experience is with writing GUI routines who are then promoted to creating systemic code. The two have completely different security needs. Similarly the move to frameworks such as AGILE where code production is valued over code correctness have led to a plethora of routines which only have positive testing, and no review. Finally the creation of both tertiary languages, ones that have to be translated twice before they arrive at machine code, and the rampant use of tools which eliminate the need to actually write code in lieu of dragging and dropping functional blocks, make code review nearly impossible. You aren't reviewing the code itself but rather larger collections of routines. You'll never find the backdoor because it isn't in the code you are reviewing.
    What I'd like to see, and it won't happen, is a return to the bad old days. This is when a program update took between 6 mos and several years due to review and rewrite schedules. You can approach the same endpoint with well constructed negative testing, but I have yet to encounter a software firm which performed exhaustive negative testing. Usually if it is done at all it is simply a session using random data. No stress testing. No deliberate failure induction. No code review.
    Why do we want to move all of our things to being internet connected (IoT) when we can't even write a decent firewall?