Slashdot Mirror


Cisco Removed Its Seventh Backdoor Account This Year, and That's a Good Thing (zdnet.com)

An anonymous reader quotes a report from ZDNet: Cisco, the world's leading provider of top networking equipment and enterprise software, has released today 15 security updates, including a fix for an issue that can be described as a backdoor account. This latest patch marks the seventh time this year when Cisco has removed a backdoor account from one of its products. Five of the seven backdoor accounts were discovered by Cisco's internal testers, with only CVE-2018-0329 and this month's CVE-2018-15439 being found by external security researchers. The company has been intentionally and regularly combing the source code of all of its software since December 2015, when it started a massive internal audit. Cisco started that process after security researchers found what looked to be an intentional backdoor in the source code of ScreenOS, the operating system of Juniper, one of Cisco's rivals.

Juniper suffered massive reputational damage following the 2015 revelation, and this may secretly be the reason why Cisco has avoided using the term "backdoor account" all year for the seven "backdoor account" issues. Instead, Cisco opted for more complex wordings such as "undocumented, static user credentials for the default administrative account," or "the affected software enables a privileged user account without notifying administrators of the system." It is true that using such phrasings might make Cisco look disingenuous, but let's not forget that Cisco has been ferreting these backdoor accounts mainly on its own, and has been trying to fix them without scaring customers or impacting its own stock price along the way.

3 of 102 comments

  1. I beat my wife 65% less, and that's a good thing. by king+neckbeard · Score: 5, Insightful

    Yes, the direction the code is moving in is an improvement, but that's not good, that's less awful. But the fact that there were seven backdoor accounts to remove is a huge problem.

    --
    This is my signature. There are many like it, but this one is mine.
  2. Why? by LaughingRadish · Score: 3, Insightful

    Would someone care to explain how these backdoors got in the code in the first place?

  3. Re:the number of backdoor accounts. by Anonymous Coward · Score: 2, Insightful

    Well, unlikely but not completely impossible.

    So . . . you're saying that code can just magically appear somewhere, on its own. Sorry, it just doesn't work that way. It doesn't happen accidentally, it doesn't happen magically all by itself.

    *SOMEONE* (most likely more than one person) had to make a deliberate decision.
    *SOMEONE* had to create that backdoor and put it in there.
    *SOMEONE* (most likely more than one person) has known about it from day one.

    The *REAL* question is "How is it possible that Cisco doesn't know exactly who did it, when they did it, who authorized it, etc." This is trivial even on the shittiest version control system.

    *THAT* is incompetence at a truly epic level.