Fortinet Backdoor

I think it may be time to the InfoSec community to collectively send a message. Backdoors are not OK. Backdoors with hardcoded passwords are even worse and saying you fixed a backdoor when all you did was obscure it with port knocking is the last straw.

Fortinet has claimed their 'feature' is fixed however the hardcoded password is still there. It's FGTAbc11*xy+Qqz27 by the way. Search the code for it. 

So the "issue" is no longer exposed but the hardcoded password is still there? Uh, can't get to SSH? Well why leave it in? The only reason I can think of is because they still plan to use it. If they do the first thought I had if they must now be relying on port knocking right? I figure someone will figure this out and let us know soon.

So here is where the community needs to step up and say this is not acceptable. We should do it by recommending everyone to jump ship and drop Fortinet products completely. Stop selling it, stop recommending it, stop servicing it. If you have it in your environment, REPLACE IT! That's it. That's the only way this message will get across.


For a Free and Neutral Internet? Good, but that's not what this is about.

This is not as simple as being for or against "net neutrality" or "an open Internet" as it's often referred, like most of the articles you will read lead you to believe. It isn't about throttling, we know Comcast and others already throttle. My issue is that with the reclassification as a Common Carrier what new  regulations will be imposed and what legal implications & liabilities will that bring?

First -  Throttling - The truth is reclassification will not stop throttling, ISPs can't discriminate and can't charge for priority treatment, but they could still allow for higher tiers of service to amazon or Netflix for example, or charge per bit rates for different things. What it means is providers just can't discriminate*.

Second - Providers can't discriminate, but they can change their whole pricing structure. Could broadband's unlimited data go away like it did with wireless companies or worse? We have seen with other industries that regulation will negatively influence innovation and growth as well as result in more fees.

Third - Liability - There is a very real chance that being classified a common carrier (according to our legal system a common carrier is absolutely liable for goods carried by it, with exceptions) will bring new regulatory** attention to companies that provide the content  like the social networks, search engines, device makers & app creators - possibly affecting all our privacy.


As an IT security professional I am concerned if the ISPs or the government considers that liability a reason to start classifying and restricting what we can send and receive then what? Regulations involving the contents of the data would  be great right? When has the government ever had their good intentions go awry? We have already heard the Director of the FBI , the NSA and the President of the United States (1 & 2) call for backdoors in encryption products. This is a horrible idea (1, 2, & 3) for IT security and for our privacy as well.

What can be done? Well I think the providers affected by the FCC's decision (AT&T, Verizon, Sprint, Cox, Comcast, Time Warner, etc.) should definitely plan to bring a lawsuit if for no other reason than to resolve some of the ambiguity of the new rules.

Also, don't believe me, get out & sort through all the misinformation and find your own truth. Then when you have contact your Senator and Congressman and the FCC tell them what is really needed. TransparentSensible, and sustainable open Internet rules.


*Title II, the second subsection (202) clearly states that common carriers can’t “make any unjust or unreasonable discrimination in charges, practices, classifications, regulations, facilities, or services.” 

**Title II includes more than 100 pages of regulations that common carriers must follow to ensure they act “in the public interest.”


Further Reading: 

Net Neutrality: Lessons from the Past

Cameron & Obama talk about banning encryption

Analogy - When is a lock not a lock?

The FCC’s Latest Net Neutrality Proposal: Pros, Cons, and Question Marks

No Rate Regulation? Let's hope

Techno Security & Forensics Investigation Conference Announces Advisory Board

Comexposium announced today the creation of an Advisory Board to assist with the development of the Techno Security & Forensics Investigation Conference / Mobile Forensics World events. The first Advisory Board will consist of more than twenty industry leaders and will be co-chaired by Jack Wiles and Don Withers, the founders of the events.

The key objectives for the Advisory Board are to assist the event management team with further strengthening and developing the conference content as well as building awareness in the industry to increase attendance.

Click here to view the Advisory Board

It's time to remove Skype

So Microsoft has shown they are not honoring the original purpose Skype(communications encrypted from point-to-point). The patent after the purchase, and recent news from H Security have proven to me that it should be uninstalled from my machines. I will also be making the same recommendation to my clients.

For more info read H Security's article:

OR HNS's Article

Problem with iOS 5 iMessages? Try this...

Does iMessage kick in when you're trying to send a regular txt to another iPhone user? This can happen in the case that a test iMessage was successfully sent to then while they were using iOS 5, then they downgraded to iOS 4. In previous iOS 5 betas the app would tell you if the iMessage was not successfully and provide a button to press to send as a regular text message. In iOS 5 GM there is no longer the error displayed, or the button provided.

So what to do? Press and hold on the message text & a pop-up will give you access to the "send as a text message" option.

WSJ says it's a "Long Wait for RSA Security Tokens"

In an article by The Wall Street Journal, Computer security firm RSA Chairman Arthur W. Coviello Jr. said the company offered to provide security monitoring or replace the SecurID tokens "for virtually every customer we have." Most Customers and the press thought that meant RSA would replace all of the physical tokens for free. Well, it looks like they are only offering that to 30% of their customers. You're not impressing anyone with this position RSA.

I recommended on the day the news of the hack broke that all my customers switch immediately. Most did. I can give you a friends name at VeriSign if anyone's interested.

Read more: