[167944] in North American Network Operators' Group


Re: NSA able to compromise Cisco, Juniper, Huawei switches

daemon@ATHENA.MIT.EDU (Jimmy Hess)
Wed Jan 1 14:07:20 2014

In-Reply-To: <20140101095537.GA21572@pob.ytti.fi>
Date: Wed, 1 Jan 2014 13:06:59 -0600
From: Jimmy Hess <mysidia@gmail.com>
To: Saku Ytti <saku@ytti.fi>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, Jan 1, 2014 at 3:55 AM, Saku Ytti <saku@ytti.fi> wrote:

> Is this legal? Can NSA walk in to US based company and legally coerce to
> install such backdoor? If not, what is the incentive for private company to
> cooperate?
>

As evidenced by "Lavabit"; apparently, one thing that they CAN do
is issue an order to the US based company to release their secret
cryptography keys such as RSA secret keys to the government, including the
secret keys that correspond to the public keys on their X509 certificates;
possibly including certificates used for code signing and code
distribution to users.

AND maintain confidentiality that they were required to release keys.
Recall, Lavabit was deemed in violation of the order: due to halting
their service, after being forced to release the cryptography keys.


The RSA secret keys can then be used to forge the company's signature on a
payload containing a malicious copy of the firmware or operating system.

And perform man-in-the-middle attacks against web sites, and other
software update infrastructure --- in order to distribute tampered-with
software with forged code signatures.

--
-JH
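The post's point is that a signature check proves only that whoever signed held the secret key, so a verifier that trusts one vendor key is defeated the moment that key is handed over. The following Go program is an added illustration, not code from the thread or from any vendor: it builds a toy firmware image signed with a constructed vendor key and shows that a verifier requiring a second signature from an independent "witness" key (a hypothetical second party, such as a build-reproducibility witness) rejects an image that was re-signed using the vendor key alone. All key names, the SignedImage layout and the firmware bytes are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedImage is a constructed container: the firmware bytes plus the
// signatures a verifier will check. No real vendor format is implied.
type SignedImage struct {
	Image      []byte
	VendorSig  []byte
	WitnessSig []byte
}

// sign produces an RSA-PSS signature over the SHA-256 digest of image.
func sign(key *rsa.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
	if err != nil {
		panic(err)
	}
	return sig
}

// verify checks an RSA-PSS signature over the SHA-256 digest of image.
func verify(pub *rsa.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// VerifySingleKey is the checker the post assumes: anyone holding the
// vendor's secret key can produce an image it accepts.
func VerifySingleKey(vendor *rsa.PublicKey, img SignedImage) bool {
	return verify(vendor, img.Image, img.VendorSig)
}

// VerifyDualKey additionally demands a signature from an independent
// second key held by another party, so surrendering one key is not enough.
func VerifyDualKey(vendor, witness *rsa.PublicKey, img SignedImage) bool {
	return verify(vendor, img.Image, img.VendorSig) &&
		verify(witness, img.Image, img.WitnessSig)
}

// Scenario returns (singleAccepts, dualAccepts) for an image that was
// re-signed with the vendor key only, the situation the post describes.
func Scenario() (bool, bool) {
	vendorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	witnessKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}

	// Constructed genuine image, signed by both parties at release time.
	genuine := []byte("constructed firmware v1.0")
	good := SignedImage{
		Image:      genuine,
		VendorSig:  sign(vendorKey, genuine),
		WitnessSig: sign(witnessKey, genuine),
	}
	if !VerifySingleKey(&vendorKey.PublicKey, good) ||
		!VerifyDualKey(&vendorKey.PublicKey, &witnessKey.PublicKey, good) {
		panic("genuine image unexpectedly rejected")
	}

	// A modified image re-signed with the vendor key alone. The witness
	// signature cannot be regenerated, so the stale one is carried over.
	tampered := []byte("constructed firmware v1.0 (modified)")
	resigned := SignedImage{
		Image:      tampered,
		VendorSig:  sign(vendorKey, tampered),
		WitnessSig: good.WitnessSig,
	}
	return VerifySingleKey(&vendorKey.PublicKey, resigned),
		VerifyDualKey(&vendorKey.PublicKey, &witnessKey.PublicKey, resigned)
}

func main() {
	single, dual := Scenario()
	fmt.Printf("single-key verifier accepts re-signed image: %v\n", single)
	fmt.Printf("dual-key verifier accepts re-signed image:   %v\n", dual)
}
```

The single-key verifier accepts the re-signed image and the dual-key verifier rejects it. The same idea underlies requiring signatures from more than one independently held key (or an independent transparency log entry) before a device installs an update, so that compelled disclosure of any one key does not by itself yield an installable image.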
