Cisco - yes
Juniper - yes
Huawei - no
A backdoor in Juniper's networking gear could provide key evidence in the case against government-mandated Feds-only access – yet the manufacturer has failed to produce a report on the matter, prompting US lawmakers to take action. A cross-party group of senators and House representatives today sent an open letter [PDF] to …
FWIW, the Lawful Intercept Gateway is not supposed to be usable by the manufacturer, and is used for law enforcement personnel to trace individuals in the network as well as listen to their calls and see info about their data sessions. Assuming this is correct, it allows the manufacturer to initiate their own traces, bypassing law enforcement procedures.
Saying that, it seems a bit of a stretch. The network equipment from all manufacturers allow for blanket collection of all information from all calls which is then written to file and can be used to analyse the network for performance issues. At the same time, you can scrape it for IMSIs if you were naughty - but in a lot of networks there are protections in place for casual IMSI fishing (at least encrypting the IMSIs, plus restricting access and auditing IMSI filtered queries). If there's a backdoor ftp then these files would be accessible (although the operator might notice the surge in bandwidth when the files are transferred).
"FWIW, the Lawful Intercept Gateway is not supposed to be usable by the manufacturer"
This isn't lawful intercept.
And I would disagree with your characterisation of lawful intercept - it is clearly documented on all major vendors sites - it defines roles but doesn't guarantee they aren't abused. Naturally it provides auditing and other logging to show you are playing fairly but it assumes telcos are playing fairly to avoid wire tapping charges.
"unless you are suggesting that Huawei created a backdoor for the NSA to spy on its wn kit - that would be a little ironic"
From reading other el Reg articles,I think it's more that Huawei created a few catflaps for testing but forgot remove or secure them and allowing any of the neighbourhood's tomcats to raid your fridge
A "backdoor" is relative to the location of the "house". If two people are using P2P encryption between 2 devices, yet the ISP connecting them together can decrypt the channel, then it could be said that the P2P encryption from the perspective of the user has a "backdoor".
The viewpoint is in the eye of the beholder, and what level of connection security was expected. Anything that can come in from an unexpected direction of connection to intercept data can be seen as a "backdoor", and that perception of direction depends upon the device's use.
And who made the back door?
The TAO ASA/Netscreen/Huawei modifications all appear to have been implanted in-transit.
The Netscreen encryption flaw mentioned in this article appears to have been carried out by someone working on the elliptic curve encryption code. Russia published information about avoiding certain RSA encryption codes (and US manufacturers disabled them) after they seemed to be vulnerable to brute force.
That is not a Huawei backdoor that is an NSA insertion of a backdoor into a Huawei product using physical access or previously unknown software bugs and is not in the device from the manufacturer.
For a claim of XYZ has a backdoor then XYZ would have to have inserted the backdoor themselves or be complicit in the introduction of that backdoor.
If the ability to find insecurities in a product by nation level actors is counted as something having a backdoor then pretty much everything has or could have a backdoor. However it would b described as a vulnerabilty not a backdoor.
The thing to consider here is that certain members of Congress do have top secret security clearances, such as those individuals on the intelligence oversight committee. The NSA cannot override a congressional subpoena. They can take it to court to get it squashed if there is something truly sensitive, but I doubt that.
Ave that's the total irony of our current crony totalitarianism: the very organisation (Congress) that created the entity (NSA) can be told that they (Congress) has no right to access data created by said entity (NSA), and be brought to court to try to enforce that belief.
I thought this was a democracy, where the electorate or their appointed representatives have final word on everything that occurs. Thanks to pro-authoritarian GOP support, I guess we were very, very wrong.
"I thought this was a democracy, where the electorate or their appointed representatives have final word on everything that occurs."
You must be American. You guys have been redefining democracy for over a century now. If you thought that was how your country worked, you need to get out more.
"I thought this was a democracy, where the electorate or their appointed representatives have final word on everything that occurs. Thanks to pro-authoritarian GOP support, I guess we were very, very wrong."
It's actually a representative republic. If it were a democracy it would all need to go through the people. Since that's not workable at our current scale (or just about any scale) we have a republic. "We" are very, very, wrong about a lot of things.
A representative republic is (meant to be) a representative democracy.
Still a democracy.
What you actually have in the states is rather less democratic than a representative republic ought to be, not because its a republic, but because the democracy has been corrupted, by Republicans arguing with Democrats.
I think it's funny that the evidence against American companies having government mandated back doors is fully accepted but other countries doing the same thing is rejected. Especially when the other countries in question are known and accepted oppressors and human rights violators.
There is no moral high ground when it comes to this sort of thing. It's most likely sour grapes from the US government that they don't have the same back doors into Huawei that China does.
Perhaps this needed to happen to prove that government access only backdoors in software and equipment does not work and end the entire backdoored encryption debate. Having flawed encryption is worse than having no encryption at all because flawed encryption creates a false sense of security. Experts have testified before Congress indicating that the science says no.
This post has been deleted by its author
I’m surely not the only ‘GPO’ engineer to have plugged a handset into a circuit and checked for quality, left it plugged in and only occasionally listened? Some very foreign languages on those circuits....
Trouble is this trunk access node / distribution node was at Vauxhall Cross, Sarf Lundon, and it’s now had an american Embassy built on top of it, is that a big backdoor, or a big frontdoor?
Edit: actually, I suppose just knowing how many NKT wave division multiplexing fibres they had installed is a national s...
....and it turns out that the same is true of public encryption too. Is any cipher safe. Perhaps mine is?
Biting the hand that feeds IT © 1998–2020