Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: RIP, information security, done in by backdoors and secret deals

Paul Venezia | Jan. 14, 2014
It seems that the very tools we use to secure our networks represent the greatest insider threat of all

Now we know that we can't trust any commercial, closed source software any more — none of it. Not a single piece of hardware and software is currently trustworthy, and they'll forever more be suspect. This has changed the game, altering the security landscape permanently and horrifically. There's absolutely no way for any commercial, closed source vendor to regain that trust, no matter how much or how often they claim otherwise. The big one, of course, was the fact that RSA accepted millions to allow the NSA backdoor access to its security products. How anyone can continue to do business with RSA baffles me.

It's not just RSA. It's also certificate authorities and other failed guardians of Internet security. With more revelations coming out in a steady stream, it seems more likely than not that any major technology company has been compromised in one way or another. The NSA's list of exploits is extensive, and there are even embedded backdoors in commercial products like Dell PowerEdge servers. But hey, Dell apologizes for the inconvenience. The full list includes companies such as Apple, HP, Cisco, Huawei, Juniper Networks, Microsoft, Maxtor, Seagate, Samsung, and Western Digital, along with products ranging from network hardware to servers to hard drives.

If you run Dell servers, you have no way of knowing what the BIOS on those servers could be doing. You bought them, brought them into your data center, and placed sensitive and mission-critical data on them — because you trusted Dell. The same goes for the disks in your servers and storage arrays, not to mention your routers and firewalls. You can't trust them.

There's that word again: Trust. As I've beaten to death in this piece, that's gone, and nothing will replace it unless and until we open-source everything in the stack, from the absolute top to the absolute bottom. If we get there, then we may once again find ourselves requiring network security. Lacking that level of clarity and openness, however, there's no point. It's an impossible task when your tools are designed to work against you.

Source: InfoWorld

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.