NSA able to compromise Cisco, Juniper, Huawei switches

Jimmy Hess mysidia at gmail.com
Wed Jan 1 19:06:59 UTC 2014


On Wed, Jan 1, 2014 at 3:55 AM, Saku Ytti <saku at ytti.fi> wrote:

> Is this legal? Can NSA walk into a US-based company and legally coerce it to
> install such a backdoor? If not, what is the incentive for a private company to
> cooperate?
>

As evidenced by "Lavabit"; apparently, one thing that they CAN do
is issue an order to the US based company to release their secret
cryptography keys such as RSA secret keys to the government, including the
secret keys that correspond to the public keys on their X509 certificates;
possibly including certificates used for code signing and code
distribution to users.

AND maintain confidentiality that they were required to release keys.
Recall, Lavabit was deemed in violation of the order: due to halting
their service, after being forced to release the cryptography keys.


The RSA secret keys can then be used to forge the company's signature on a
payload containing a malicious copy of the firmware or operating system.

And perform man in the middle attacks against web sites, and other
software update infrastructure --- in order to distribute tampered-with
software with forged code signatures.

--
-JH


