Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Privacy Software United States News Technology Your Rights Online

John McAfee: NSA's Back Door Has Given Every US Secret To Enemies (businessinsider.com) 186

John McAfee, American computer programmer and contributing editor of Business Insider, explains how the NSA's back door has given every U.S. secret to its enemies. He begins by mentioning the importance of software, specifically meta- software, which contains a high level set of principles designed to help a nation survive in a cyberwar. Such software must not contain any back doors under any circumstances, otherwise it can and may very likely allow perceived enemies of the U.S. to have access to top-secret information. For example, the Chinese used the NSA's back door to hack the Defense Department last year and steal 5.6 million fingerprints of critical personnel. "Whatever gains the NSA has made through the use of their back door, it cannot possibly counterbalance the harm done to our nation by everyone else's use of that same back door." McAfee believes the U.S. has failed to grasp the subtle implications of technology and, as a result, is 20 years behind the Chinese, and by association, the Russians as well.
This discussion has been archived. No new comments can be posted.

John McAfee: NSA's Back Door Has Given Every US Secret To Enemies

Comments Filter:
  • Dear John (Score:5, Insightful)

    by alphatel ( 1450715 ) * on Sunday February 28, 2016 @12:56PM (#51603689)
    You are mad. Perhaps even more crazy is the fact that you speak the truth.
  • Wait (Score:2, Informative)

    by HangingChad ( 677530 )

    Isn't this the guy wanted in connection with the mysterious disappearance of a former neighbor? I'm not sure I'd take anything at face value from Mr. Stability.

    If he's talking about the Chinese, they don't need an NSA back door to hack systems in the U.S., they've been porking government and contractor systems for years. The Chinese have the designs for every nuclear weapon in our arsenal and the personnel records of hundreds of thousands of government workers, including their security clearance applicati

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Isn't this the guy wanted in connection with the mysterious disappearance of a former neighbor? I'm not sure I'd take anything at face value from Mr. Stability.

      If you can't attack the message, attack the messenger, eh?

      And per your next sentence: while the Chinese probably don't need to exploit the NSA's backdoor to get the information they want, it certainly makes it easier... and is deliciously ironic to boot.

    • Boy, we need a (-1, Ad hominem) here. FWIW, the non-mass-media account is that he was working on a science-based aphrodisiac chemical and had _far_ too many of the local women at his compound, so he "needed" to be run out of town. Who knows what the real story is, but AFAIK there's no evidence of a crime.

      Anyway, since Juniper hasn't come clean about the providence of the backdoors, he's probably right about who the contractor really worked for. Regardless of whether it was NSA, GCHQ, or whatever, the sof

    • If he's talking about the Chinese, they don't need an NSA back door to hack systems in the U.S., they've been porking government and contractor systems for years. The Chinese have the designs for every nuclear weapon in our arsenal and the personnel records of hundreds of thousands of government workers, including their security clearance applications.

      What would they get from an NSA back door that they don't already have?

      I'll assume this last sentence is a rhetorical statement, and not an actual logical argument.

      Because the same could be said of the NSA and the FBI, "they already have access to almost everything we have, why would they even want more access?"

      doesn't seem to take into account human unquenchable thirst for more and more power.

  • by Anonymous Coward on Sunday February 28, 2016 @01:17PM (#51603789)

    In the 70s there were secure operating systems like Multics. Then the only things allowed for US export were the ones that failed to be secure. That's how we got DOS then Windows. Now everything needs to be rewritten from scratch by people without commercial pressure for there to be any chance. Think about the nave ending up forced to use "Windows for warships". In the meantime the Chinese always knew they couldn't trust software from the West. 20 year head start is probably an underestimate.

  • by Anonymous Coward on Sunday February 28, 2016 @01:22PM (#51603821)

    From TFA:

    The British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks.

    I hope we all understand now what “acquired the capability” means. The NSA planted a programmer within Jupiter Networks. The was no other way to “acquire" this capability.

    Except that he just referenced a claim that the British acquired the capability by being told about the backdoor, and he then goes on to say that the Chinese acquired the same capability by discovering the backdoor through reverse-engineering. So there is another way after all.

    Which raises the following possibilities, each just as plausible as "The NSA planted a programmer":

    1. The Chinese planted a programmer, and the NSA or GCHQ discovered it via reverse-engineering and shared it with the other.
    2. The Chinese planted a programmer, and the NSA discovered it during review of source-code shared as a condition of purchasing for sensitive government use.
    3. A programmer was paid to create the backdoor by a non-governmental entity interested in corporate espionage, and all the state actors discovered it via reverse-engineering.
    4. The backdoor was created unintentionally (e.g. failure to remove white-box test code before going to production), and all the actors discovered it via reverse-engineering and/or source review.

    Basically, John presents no evidence whatsoever for his claim that the NSA caused the backdoor.

    Ultimately, I do agree with his point he does make is that code inspections can catch and close both intentional and unintentional backdoors. But the rest of the article is FUD.

    • by hawguy ( 1600213 ) on Sunday February 28, 2016 @01:33PM (#51603855)

      From TFA:

      The British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks.

      I hope we all understand now what “acquired the capability” means. The NSA planted a programmer within Jupiter Networks. The was no other way to “acquire" this capability.

      Except that he just referenced a claim that the British acquired the capability by being told about the backdoor, and he then goes on to say that the Chinese acquired the same capability by discovering the backdoor through reverse-engineering. So there is another way after all.

      Which raises the following possibilities, each just as plausible as "The NSA planted a programmer":

      1. The Chinese planted a programmer, and the NSA or GCHQ discovered it via reverse-engineering and shared it with the other.
      2. The Chinese planted a programmer, and the NSA discovered it during review of source-code shared as a condition of purchasing for sensitive government use.
      3. A programmer was paid to create the backdoor by a non-governmental entity interested in corporate espionage, and all the state actors discovered it via reverse-engineering.
      4. The backdoor was created unintentionally (e.g. failure to remove white-box test code before going to production), and all the actors discovered it via reverse-engineering and/or source review.

      Basically, John presents no evidence whatsoever for his claim that the NSA caused the backdoor.

      Ultimately, I do agree with his point he does make is that code inspections can catch and close both intentional and unintentional backdoors. But the rest of the article is FUD.

      If the NSA discovered the backdoor on their own and didn't share it with Juniper so they could close it, that's arguably worse than if the NSA planted it themselves. At least if they planted it themselves, they could convince themselves that it's buried too deep to be discovered, but if they stumbled upon it themselves, then they *knew* it was discoverable and that it's likely that others had discovered it too.

      • by tricorn ( 199664 ) <sep@shout.net> on Sunday February 28, 2016 @02:21PM (#51604083) Journal

        Why would the NSA put in a back door that could be used by anyone? Only allow a connection that has the right private key. Sure, the key might be stolen, but it's a lot more secure than a wide open vulnerability. The NSA is more competent than that.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          If they did that, everyone would know who did it once a breach happens. There's no plausible deniability.

        • If a backdoor exists, it can be used by anyone with the skill to break in, which is much easier than trying to break in the primary security of that system because otherwise the backdoor would be redundant and probably wouldn't even exist in the first place. One of the primary securities to a backdoor is the obscurity as people don't try to open the door that they don't know is there. Of course, as soon as they find out about it's existence by whatever means, it becomes vulnerable. This is why any and all r
        • by dbIII ( 701233 )
          The same reason they paid a Star Trek set designer to build an operations room.
          Toy soldiers employed due to who they got drunk with in school playing at being James Bond.
        • by rtb61 ( 674572 )

          Why would the NSA plant a backdoor that could be used by anyone who discovered because stupid thats why. Basically there has been a complete administrative breakdown in the NSA in the lust for power by political appointees. They have been told time and time again to completely separate offencive operations from defence operations because they do not work well togethor and offence always takes over from defence, gets the best tools and the best people. The defence people should be housed in a completely sep

        • by AmiMoJo ( 196126 )

          Then you have to hide a private key in the source code and binary somehow. It's easier to create a subtle programming error that opens up a way in, much like the "goto fail" bug in Apple's code. It looks innocent enough that it could just be a coding error or even a merge error.

          The mistake was underestimating the ability of the Chinese to find and exploit the backdoor without the source code. It's incompetent to think that they wouldn't fuzz the hell out of every API and interface, but apparently the NSA di

          • by tricorn ( 199664 )

            There's likely already an RSA public key and checking in the code. So, reuse the same modulus (where you, the coder, have access to the private key), and then just create a different public/private key pair. "3" isn't an unusual number, but makes for a fine RSA public exponent. Make a "mistake" when authenticating a secure connection (even if the secure connection is disabled), and if the backdoor key is being used, allow access without checking for passwords (or whatever other bypass you want) and accep

        • A public key block would flag a back door very obviously. The data has a unique look. It also has a unique profile of use, in that someone would have to initialize a cipher session or whatever. Even a trivial code review would find a fully encrypted back door.

          Hiding the public key block within an obfuscation generator adds a huge block of code instead of data, followed by the same need to invoke the cipher system.

          To function as a "back door" the door, by definition, has to be pretty damn simple and innocuou

      • From TFA:

        The British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks.

        I hope we all understand now what “acquired the capability” means. The NSA planted a programmer within Jupiter Networks. The was no other way to “acquire" this capability.

        Except that he just referenced a claim that the British acquired the capability by being told about the backdoor, and he then goes on to say that the Chinese acquired the same capability by discovering the backdoor through reverse-engineering. So there is another way after all.

        Which raises the following possibilities, each just as plausible as "The NSA planted a programmer":

        1. The Chinese planted a programmer, and the NSA or GCHQ discovered it via reverse-engineering and shared it with the other.
        2. The Chinese planted a programmer, and the NSA discovered it during review of source-code shared as a condition of purchasing for sensitive government use.
        3. A programmer was paid to create the backdoor by a non-governmental entity interested in corporate espionage, and all the state actors discovered it via reverse-engineering.
        4. The backdoor was created unintentionally (e.g. failure to remove white-box test code before going to production), and all the actors discovered it via reverse-engineering and/or source review.

        Basically, John presents no evidence whatsoever for his claim that the NSA caused the backdoor.

        Ultimately, I do agree with his point he does make is that code inspections can catch and close both intentional and unintentional backdoors. But the rest of the article is FUD.

        If the NSA discovered the backdoor on their own and didn't share it with Juniper so they could close it, that's arguably worse than if the NSA planted it themselves. At least if they planted it themselves, they could convince themselves that it's buried too deep to be discovered, but if they stumbled upon it themselves, then they *knew* it was discoverable and that it's likely that others had discovered it too.

        If the NSA discovered a backdoor planted by GCHQ and the NSA then closed that backdoor that'd be in violation of the 5 eyes arrangement.

        And don't forget, anything that GCHQ learns about American Citizens by spying on them through that backdoor would be shared right back to the NSA. So its win-win.

      • Remember... He sold software that was a backdoor that came pre-installed on virtually every Windows computer made for quite some time.

        I'm sure he's gotten the same calls and letters from the TLAs before, and may have some insider knowledge in how it goes down.

    • by lgw ( 121541 )

      Basically, John presents no evidence whatsoever for his claim that the NSA caused the backdoor.

      But it's a reasonable guess, give we do have proof, thanks to Snowden, that the NSA has successful programs to put backdoors into similar gear. The Chinese government has done similar, but so far we only have evidence of that happening in gear manufactured in China (no idea where the Juniper boxes were made, so maybe just as likely?).

    • Option 4 is unlikely, they made too many separate changes to enable this backdoor;
      1. Use the broken Dual_EC random number generator.
      2. Use their own Q constant, not the standard one decodable by the NSA.
      3. Send 32 raw bytes from the RNG in a network packet.
      4. Add a hard coded ssh password, with the same format as a debug string.

      Whoever did this was trying to be underhanded. Leaving few clues in the source code and compiled binary. But there's no way these changes were accidentally included test code.

    • Just because you disbelieve the factual nature of every statement doesn't automatically mean it is "FUD." FUD is a real accusation with real meaning, it isn't just how you say BS when you're visiting slashdot.

      There is no reason at all to create FUD here. He is clearly not trying to create that at all; he is trying to create certainty about his own relevance to the issue, and calling out various elements in the government by accusing them of what they are suspected of doing. Time will tend to prove him right

  • No doubt (Score:2, Interesting)

    by Archfeld ( 6757 )

    There is no doubt that McAfee speaks the truth here, but what he doesn't reference is that while the NSA and the FBI are retarded, there are huge numbers of folks in the US who do not subscribe to that policy and HAVE kept up on security and can spin the US Gov'mint up to speed quickly when the need arises, and it will. The US has traditionally been a late riser when it comes to open warfare, we mince in and get bloodied and then, come together in an economic juggernaut, uniting seemingly perpetual fighting

    • There is no doubt that McAfee speaks the truth here, but what he doesn't reference is that while the NSA and the FBI are retarded, there are huge numbers of folks in the US who do not subscribe to that policy and HAVE kept up on security and can spin the US Gov'mint up to speed quickly when the need arises, and it will. The US has traditionally been a late riser when it comes to open warfare, we mince in and get bloodied and then, come together in an economic juggernaut, uniting seemingly perpetual fighting sides of our country against any external threat, much like a bickering family consolidates against any outsider. Then when the threat is gone we go back to feuding like dysfunctional hamsters. I just hope we don't wait too long in the face of this more subtle threat...

      "I fear all we have done is to awaken a sleeping giant and fill him with a terrible resolve."

      "Regardless of the provenance of the quote, Yamamoto believed that Japan could not win a protracted war with the US. Moreover, he seems to have believed that the Pearl Harbor attack had become a blunder even though he was the person who came up with the idea of a surprise attack on Pearl Harbor. It is recorded that "Yamamoto alone" (while all his staff members were celebrating) spent the day after Pearl Harbor "sunk in apparent depression". He is also known to have been upset by the bungling of the Foreign Ministry which led to the attack happening while the countries were technically at peace, thus making the incident an unprovoked sneak attack that would certainly enrage the Americans."

      The biggest blunder, though, was attacking Pearl Harbor while the US aircraft carriers were at sea.

      • Yes, but it's not like he could schedule a convenient attack time with the US Navy or anything.
        Ok, back to nutjob Mcafee and busting into apple gear.
    • by dbIII ( 701233 )

      uniting seemingly perpetual fighting sides of our country against any external threat

      That generation is dead.

      • by Archfeld ( 6757 )

        I don't think this generation would react differently to a consolidated external threat, they've just never had to face one, and with luck won't have to but I still hold high hopes that if the need arose the masses would too.

        • by dbIII ( 701233 )
          The things your parents (or grandparents) had to put up with got them used to working together and prepared them for the situation while now we have a generation so coddled that they didn't even get to wander around unsupervised as children. I think it's roughly analogous to Rome where the legions ended up being full of people from the fringes of the empire because the citizens did not have the will to fight. The "I'm all right - fuck you" attitude had set in, and that attitude is very much at the core of
  • Assume (and this is hopelessly naive) that any back doors that you leave in the software will never be found and hacked. With the U.S. Government's miserable record on keeping secrets, SOMEBODY on the team will turn out to be a Chinese or Iranian or Russian agent, and the back door will become a SCREEN door, allowing all your data to be stolen and disinformation inserted into your systems.

    • Look at it more abstractly:

      Any system feature that allows for the remote uploading of data such that it then is treated as privileged executable code will allow anyone with knowledge of this feature to have as much control over the system as the people who developed, or who currently administer, it.

      "Backdoor" implies a deliberate act, but it is another matter to prove it was not simply incompetence.

      So is it possible to create an entirely secure backdoor? Yes it is, but if other people have physical
      • by joh ( 27088 )

        Are Apple phones backdoored? I don't know, but what I do know is that the right people with the right gear can pull the keys off any piece of commodity hardware they can physically access and take to their labs.

        So why is Mc Nutcase not talking about such things? Perhaps broadcasting the truth and the entire truth is not his primary agenda?

        Of course you can pull the hardware encryption key off an iPhone if you invest the effort. Just that this key is just the key for this very iPhone. This does not give you a backdoor to iPhones. Just to this iPhone.

        He's speaking the truth in so far that the security culture that the NSA created actually is an insecurity culture. Looking for zero day exploits and them keeping them secret to save them for their own use instead of instantly having the companies fix them means others can find and use them too. I

    • All backdoors are screen doors, the only question is who currently knows it's there and walks in to raid your dresser?
  • Is it too much to get the basic facts right?
  • by Aryeh Goretsky ( 129230 ) on Sunday February 28, 2016 @05:54PM (#51605241) Homepage

    Hello,

    Mr. McAfee has a rich and varied history of stating as fact things which cannot be proven as true or as false, simply because they cannot be verified. It is most certainly not paranoid rantings, nor is it based on any actual information about the current situation. Instead, it is carefully-crafted statements made for one reason and one reason only: To maximize his coverage in the media.

    Recent examples of similar behavior include:

    • Notifying [ibtimes.co.uk] the world that he had determined the Ashley Madison hacker to be a former female employee, based entirely on his interpretation of the language used in the disclosures. In fact, investigative journalist Brian Krebs had contemporaneously identified the probably hacker as European man who had lived in North America for a period.
    • Offering [ibtimes.co.uk] to decrypt the iPhone used at work by Syed Rizwan Farook, primarily through the use of social engineering to obtain the passphrase or PIN unlock code. Social engineering the dead man's close friends and relatives in order to gain relevant information would likely need to be done in Arabic, Urdu or perhaps even Pashto. And, in any case, was subsequently rendered moot when it was revealed the phone's passphrase had been reset by law enforcement.
    • Claiming [ibtimes.co.uk] that America was vulnerable to EMP attacks, despite the fact that EMP weaponry had been investigated for years by Winn Schwartau [wikipedia.org] who eventually determined widespread use wasn't feasible.

    Sometimes making comments to the media works to McAfee's advantage, sometimes they don't. But as long as he keeps coming up with new ones, he keeps getting media coverage. This story is just one more example of such continuing behavior.

    Regards,

    Aryeh Goretsky

    • by dbIII ( 701233 )
      On the last issue it really depends on how far someone wants to go so while he is technically correct it's pointless. If an enemy wants to detonate a hydrogen bomb in the upper atmosphere above the USA as an EMP weapon then there would already be far worse things to worry about.
      • That's not quite the conclusion drawn by your own government's EMP commission [empcommission.org]:

        Several potential adversaries have or can acquire the capability to attack the United States with a high-altitude nuclear weapon-generated electromagnetic pulse (EMP). A determined adversary can achieve an EMP attack capability without having a high level of sophistication.

        A readable fictionalisation of such an event can be read in "One Second After [wikipedia.org]"

        Now, if all you're saying is that there are more pressing things to worry about, then sure. There always are. But an EMP strike is unfortunately well within the means of a fairly unsophisticated attacker and could be made in a deniable fashion. (That won't help you much, as the US is not above attacking whole countries for unrelated reasons, (cough) Ira

        • by dbIII ( 701233 )
          My point is that if someone detonates a nuke over the USA it's not going to be the only thing they do, hence "far worse things to worry about".
          • Yes, I'm not sure I agree with that. Sure, an EMP strike as part of an all out Soviet style nuclear armageddon attack, is neither here nor there. There's going to be plenty of EMP going around anyway, and the overpressure/heat/radiation/fallout are going to be much, much, worse problems.

            But, my point is rather that if you're facing that kind of enemy then EMP isn't that much of a concern, if you're facing a much smaller and weaker enemy, then all of a sudden an EMP strike becomes a force multiplier and part

            • by dbIII ( 701233 )

              Now, you'd still need a state level actor here, but which state? Are you going to nuke all of North Korea, Pakistan, Iran etc. in retaliation?

              Well Libya did get the crap bombed out of it when a Pan Am jet was blown up with explosives traced back that far even though Iran was actually financing the terrorist that did it. Retaliation is going to happen to whoever is already on the shit list (eg. Iraq after 9/11) instead of whoever actually was responsible.

              If you're worried about nations with just a small han

              • Well, in order to take out the entire country with one strike you need a megaton device and large rocket. But for say Texas, a kiloton on top of a "Scud"-class missile would do quite nicely.

                Now of course, Pan Am was different in that it was a very localised event with law enforcement etc. being able to respond in full. With a couple of mid-high level EMP bursts, resources would be severely strained to do that, to say the least. So the only relatively quick option then is striking with nuclear weapons (even

                • by dbIII ( 701233 )

                  The question then becomes, whom do you shoot? That's not an easy question

                  It was after 9/11 :(
                  The people with their fingers on the button shoot whoever has annoyed them the most in the past.

  • The UK was very happy to let the press, courts, authors and historians just wonder about the role of the GCHQ for decades.
    If expert help was needed for the courts different front groups could offer decryption or play the role of expert witnesses. No need for any comment in open court or for anyone to even understand any aspect of the UK's signals intelligence. Large bases globally, huge amount of staff had nothing to do with the public, courts, politicians, the press, authors. Funding flowed and colle
  • by DFDumont ( 19326 ) on Monday February 29, 2016 @08:36AM (#51607627)

    Anyone (else) remember how we used to write programs (for the main frame)? The Chinese didn't invent anything, they simply followed the IBM red book. Although the advent of personal computers has certainly changed everything, the very basis upon which they did that eliminated the very thing being touted. Giving the power to process data (write code) to the end user will of necessity remove any impetus for code review.
    There are other issues as well that are engendered in the forces driving software development itself. First and foremost is the inclusion of inexperienced programmers. Ones whose only experience is with writing GUI routines who are then promoted to creating systemic code. The two have completely different security needs. Similarly the move to frameworks such as AGILE where code production is valued over code correctness have led to a plethora of routines which only have positive testing, and no review. Finally the creation of both tertiary languages, ones that have to be translated twice before they arrive at machine code, and the rampant use of tools which eliminate the need to actually write code in lieu of dragging and dropping functional blocks, make code review nearly impossible. You aren't reviewing the code itself but rather larger collections of routines. You'll never find the backdoor because it isn't in the code you are reviewing.
    What I'd like to see, and it won't happen, is a return to the bad old days. This is when a program update took between 6 mos and several years due to review and rewrite schedules. You can approach the same endpoint with well constructed negative testing, but I have yet to encounter a software firm which performed exhaustive negative testing. Usually if it is done at all it is simply a session using random data. No stress testing. No deliberate failure induction. No code review.
    Why do we want to move all of our things to being internet connected (IoT) when we can't even write a decent firewall.

Technology is dominated by those who manage what they do not understand.

Working...