[Treat as possible innuendo, fiction, or unsupported facts; none of this is provable.]

In 1997 this was disclosed to me through technical support channels. Attempting to verify this on the lists resulted in long threads of various strong opinions on trust of security products. Checkpoint subsequently responded to 'Mossad rumors'.
http://www.nexial.com/cgi-bin/firewallsbodyview?h=3&d=52415&q=mossad%20rumour

I don't have the ability to reverse-engineer code, and doing so would not reveal purposely hidden code. It was hinted that the backdoor enabled remote administration from the outside, which some support people were (mis?)using when helping customers.

Unrelated - I missed last year's blackhat, but I understand a current Checkpoint may have been 'walked through' (might have been this presentation: http://www.blackhat.com/presentations/bh-usa-99/Route/New-fire.ppt).

At the time interested parties who contacted me indirectly or directly were White House personnel, TLA-associated personnel, and military people. They either knew of the backdoor or were doing investigation of possible sister agency knowledge.

Mitre did firewall evaluations for the NSA, released a FW-1 3.0 evaluation after much delay, internal approvals, alerts/notifications, and the end report was heavily edited. Internally it was supposedly the backdoor issue; the whitestory on the delay was 'PR and legal issues'. The posted Mitre contact stopped taking calls from various people about the release of the FW-1 report (finished June 97, released ~January 98). Shortly after the release, mitten.ie.org was taken offline. I'm not sure if those reports live online elsewhere; my copies were not backed up, and were lost in a disk crash.

<Sidebar>
I was told that an 'Infowar' center in the White House was making use of this knowledge, had interest in my conversations, and was concerned that knowledge of the backdoor was compromised.

DCI John Deutch did not 'win' the project to build this widely advertised national 'Infowar center', the White House did, which supposedly caused embarrassment and contributed to the abrupt resignation of the CIA Director in December 96, leaving the DCI position open until July 97 when John Tenent was assigned. The Infowar center supposedly caused annoyance in other agencies as well, since the national 'Infowar center' became driven by political issues rather than military, intelligence, or law enforcement. The Executive Office of the President, being one of the three entities for the balance of power (Executive, Legislative, Judicial), is a very large entity. Having the Infowar center in the hands of the EOP supposedly made it easier to execute UKUSA-47 agreements for international inter-agency knowledge transfers, whereas agencies must have Executive approval. Therefore a compromise of the backdoor, if planted by a foreign agency participating in UKUSA SIGINT knowledge exchanges, and if utilized or in the toolkit of the US, would have been a concern. (UKUSA definition: http://www.tscm.com/cseukusa.html)
</Sidebar>

(unverifiable) I was also informed by TLA-associates that a funded project ($5M) investigated placing tools in compiler code or security product code either through executive level or surreptitiously with individuals with source code control repository access (unverifiable).

At the 1999 RSA conference, the NSA presented a program 'tracklett'. I asked the NSA a few pointed questions that day. That evening an NSA director (not THE director) wearing a red jacket approached me and stated 'The offending code was present in version 3.0, but it HAS been removed'. He quickly started off and I pursued him asking for more detail, but he held up his hand to stop further questions and pursuit. Later discussions with TLA-associates verified the 'offending code' is no longer present, which also implies that it did exist in at least 3.0.

(unverifiable) Though I had the assurances of the NSA, I am not sure what to think about FW-1. Previous to the NSA assurances, I was against implementing any version of FW-1. I was told by two sources that pursuing the backdoor issue or discussing it in public could become very personally 'unhealthful'. 'Strange things' occurred during 1997, such as odd entities asking me about phrases which I had only used in private e-mail. I quickly then became a fan of PGP, and notified IT that our Internet traffic may be watched (different company).

Something I had not resolved was two computers simultaneously locked up at home, company laptop on battery power and a home office desktop, not connected to each other in any way (I had no network or laplink then). The motherboard on the desktop was fried (rebooting caused beep codes), and the laptop was unusable for a week while scandisk rebuilt the disk (thought it was a goner). My paranoid self thought it was a HERF hit, but I live in a rural area, 200 yards from the nearest road. I attribute it to coincidence...

The reason I was interested in Checkpoint was because I was peripherally involved with the B2C BofA firewall design (Digital Firewall (ported Altavista firewall related to DEC SEAL) on clustered Digital UNIX systems, manually load-balanced). This I counted as national infrastructure systems. I also designed and implemented BofA tape backup systems for their $400B/day Money Funds Transfer system (S.F. and Concord), designed the E-Trade VMS cluster systems (Palo Alto and Corte Madera sites), designed and implemented Network Associates NT/Alpha clusters (tis.com, pgp.com, nai.com - Santa Clara) prior to HP 8-way systems brought in when Compaq pulled the rug from NT/Alpha, Flycast.com Digital UNIX/Oracle systems (S.F. / Palo Alto Digital Exchange), and some Digital UNIX database systems for Amazon.com (Seattle), many of which are nearly national infrastructure systems.

The external FBI and NSA contacts were of NONE/ZERO/ZILTCH/NO help (they were useless) in determining what shrink-wrap products were usable for national infrastructure systems other than to reference FOCI documents and to ask what I knew about an alleged backdoor I heard about and if I had any technical details. These days I'm not as outspoken.

This is about all I can remember on this topic. This message may include errors or omissions, or outright misinformation. ;)

Bill Stout

-----Original Message-----
From: Nguyen_Trang [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 30, 2000 9:53 AM
To: '[EMAIL PROTECTED]'
Subject: Dod & CheckPoint backdoor

All:

I have been reading and collecting responses to my original post regarding DoD and CheckPoint with keen interest. After the thread remisses, I will see if I can compile a summary. Meanwhile, I received this email. In posting it, I hope that it will squelch the backdoor issue or open another can of worms.

Trang

-----Original Message-----
From: Robert Deitz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 28, 2000 6:04 PM
To: Nguyen Trang
Cc: Jeff Deitz
Subject: DoD Firewall Policy

Nguyen,

I was forwarded your e-mail requesting information on Check Point Firewalls and DoD. We are very familiar with this issue - we have been working with the NSA, Army, OSD and Check Point on this for about 2 years. While it is true that the Army some time ago sent out a memo requiring all Check Point Firewalls to be uninstalled because of a "supposed back door" found by NSA, that is actually past history.

I think you are aware of the NIAP certification program and web page. This is sponsored by NSA/NIST and is the only official standard for DoD/Federal certifications. This has put the DoD into a precarious situation as the Army's main Firewall - Gauntlet, the Air Force's main Firewall - Sidewinder, and the Navy's main Firewall - Raptor (they have a bigger mix than other Departments however) all are not approved by NIAP.

Thus, NSA's suggestion (a Federal Requirement via Executive order effective Jan 2002) for secure and tested products is not being followed by the DoD. The web page has been up since Oct of 1999 so it has been over a year that these products and what was certified has been public. This would tend to indicate that DoD is not following its own guidelines, thus any previous mandate to remove a particular product would not seem to have carried any DoD wide mandate.

If I can answer any other questions please feel free to contact me.

Robert Deitz
Government Technology Solutions
530-621-1163

- [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
