itwbennett writes:
Earlier this month, an SSH backdoor was identified in Fortinet firewall appliances. Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password. Now, it has found that the same issue also exists in some versions of FortiSwitch, FortiAnalyzer and FortiCache. They said, "In accordance with responsible disclosure, today we have issued a security advisory that provides a software update that eliminates this vulnerability in these products. This update also covers the legacy and end-of-life products listed above. We are actively working with customers and strongly recommend that all customers using [those] products update their systems with the highest priority."
What the hell?
By gstoddart
•
2016-Jan-25 11:11
• Score: 4, Insightful
• Thread
Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password
Dear god, this company makes security products???
This is so crazy stupid it isn't even funny.
It's backdoor, no matter what you call it. An undocumented account with a hard-coded password is the very definition of a backdoor.
This is just PR spin. It's a backdoor, and pretending otherwise if bullshit.
Re:license
By TWX
•
2016-Jan-25 11:34
• Score: 4, Insightful
• Thread
You ever try to deal with the legal department of a large company?
First they ignore you. They do this for quite some time. Quite some time being months to years.
If they eventually do respond, they don't know what you're talking about.
If you keep pestering then eventually they call officers for the company for whom they represent. Those officers, knowing nothing themselves, tell the lawyers that there is no problem, which is what they tell you.
If you still keep pestering eventually the bill that the company receives starts attracting attention and the officer is asked by someone else what's going on, and that officer then gets annoyed and may start asking his department heads. They don't know either, so eventually due to managerial badgering they start asking their subordinates.
If the subordinates find anything then it gets forwarded back through the section manager to the officer to the lawyer, being revised at each stage by the management layer. Your response from the lawyer is BS. Eventually your back and forth with the lawyer casues the company to finally ask for original reports from the employee to be sent to the lawyer, at which time they look at the actual issues and compare it to their knowledge of the law to now start looking for a way to form a defense.
Then it finally starts to get somewhere, if you can afford these legal proceedings.
The legal case involving SCO took something like
a decade to essentially resolve, and there are still loose strings to tie-up. In the end it'll probably be twenty years before it's completely done and buried. That was with a company that
wasn't healthy financially, that was grasping at straws to find any way it could to survive, how ever underhanded, and with actual companies on the other side that could afford their own extensive legal teams to do battle.
You as a person do not really stand a chance in these circumstances. Even if you do get an entity like the EFF to take the case for you it'll still take a decade to get somewhere.