Critical code-execution flaw was under exploitation 2 months before company disclosed it.
> I agree with you. Glad that I am able to geo-restrict my VPN setup; every little bit helps.

If China has control of 20,000 Fortinet VPNs, geo-restrictions aren't going to help you all that much.
> Well, I disallow any VPN packets from outside of my country, so that's better than nothing.

Any VPN packets that are kind enough to accurately report their geolocation, at least (so definitely not the dangerous ones).
There really need to be some legal consequences when the C suite decides to hide shit from their customers and the government. I'm leaning towards public flogging and forfeiture of 90% of their personal wealth.
> Does it seem like Fortinet has had more than its share of missteps? They've had a bunch of bad bugs exploited, and reporting seems to be an issue. Has anyone run any numbers on >9.0 vulnerabilities, reporting time, and number of installed units?

Missteps... More like don't give 2 fucks until the money train stops rolling in. Had to use them when corp had no fucking WFH plan a few years back and threw that shit show together. Spent more time troubleshooting their disaster of a VPN than actually using it; glad someone sitting back in the C suite had 2 working brain cells and made the decision to pull that shit from use... probably saw all the OT costs and shit their pants worrying about how it would affect their bonuses. Well, that and all the vulnerabilities it had coming to light.
> Well, I disallow any VPN packets from outside of my country, so that's better than nothing.

The primary source of attacks in your threat model should be cloud or botnets.
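On the geo-restriction exchange above, an added example that is not from any commenter: a "block everything outside my country" rule in Python, run over constructed VPN log lines. The home-country ranges are RFC 5737 documentation prefixes standing in for real country allocations (a real deployment would load them from a GeoIP database or the firewall's geo-object feed); the log format and user names are made up. It shows that such a rule keys on the packet's source address, that it fails closed for address families it has no ranges for, and that a relay inside a domestic cloud range sails through it.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed stand-ins (RFC 5737 documentation prefixes), not real
# country allocations. A real deployment would load the home-country
# ranges from a GeoIP database or the firewall's geo-object feed.
HOME_COUNTRY_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),  # "domestic ISP" (constructed)
    ipaddress.ip_network("203.0.113.0/24"),   # "domestic cloud region" (constructed)
]


def classify_source(ip: str) -> str:
    """Return 'domestic' or 'foreign' for a source address.

    Geo-filtering keys on the packet's source address, matched against
    published allocation ranges. Anything not in a home-country range,
    including IPv6 sources when only IPv4 ranges are configured, is
    'foreign', so the rule fails closed.
    """
    addr = ipaddress.ip_address(ip)
    # ip_network.__contains__ returns False for a mismatched address family.
    return "domestic" if any(addr in net for net in HOME_COUNTRY_PREFIXES) else "foreign"


def apply_geo_rule(log_lines: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Apply a 'block everything outside my country' rule to VPN log lines.

    Each constructed line is 'src=<ip> user=<name> result=<auth result>'.
    Returns (src, user) pairs the rule admits to the VPN login path and
    those it drops before authentication is ever attempted.
    """
    admitted: List[Tuple[str, str]] = []
    dropped: List[Tuple[str, str]] = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        entry = (fields["src"], fields["user"])
        if classify_source(fields["src"]) == "domestic":
            admitted.append(entry)
        else:
            dropped.append(entry)
    return {"admitted": admitted, "dropped": dropped}


SAMPLE_LOG = [  # constructed sample input
    "src=192.0.2.10 user=alice result=failed",         # foreign scanner: dropped
    "src=198.51.100.7 user=alice result=success",      # home ISP: admitted
    "src=203.0.113.44 user=svc_backup result=failed",  # domestic cloud VM used as a relay: admitted
    "src=2001:db8::1 user=bob result=failed",          # IPv6 source, no IPv6 ranges configured: dropped
]

if __name__ == "__main__":
    outcome = apply_geo_rule(SAMPLE_LOG)
    for src, user in outcome["admitted"]:
        print(f"ADMIT {src} ({user}) -> still reaches the VPN login")
    for src, user in outcome["dropped"]:
        print(f"DROP  {src} ({user})")
```

The third line is the case the "cloud or botnets" reply is about: the rule cuts the noise from foreign scanners, but an attacker who rents a VPS or uses a botnet node inside the allowed ranges is indistinguishable from a domestic user at this layer, so the rule reduces exposure without removing the need to patch.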
> There really need to be some legal consequences when the C suite decides to hide shit from their customers and the government. I'm leaning towards public flogging and forfeiture of 90% of their personal wealth.

Take everything, put their asses in jail. The damage done by this is enormous.
> I thought Scandinavian-based companies were more trustworthy when it comes to security. I know the Swiss are held in higher regard when it comes to cyber security, but the Scandinavians generally are too.

Security? I don't know that they have that reputation. Privacy, maybe.
We have a few clients that use Fortinet firewalls and VPN clients. I'll let our network engineer worry about it lol.
> I thought Scandinavian-based companies were more trustworthy ...

Like everywhere else, they can't know everything about all their employees and probably outsource to the lowest bidders. Just one leak is enough.
> They have also declined to disclose what the company policy is for the disclosure of security vulnerabilities.

That's beyond ridiculous. That right there is enough to make me very seriously doubt ever putting trust in them. You're in the security business and you can't even articulate how you communicate security vulnerabilities to your customers? What?
> There really need to be some legal consequences when the C suite decides to hide shit from their customers and the government. I'm leaning towards public flogging and forfeiture of 90% of their personal wealth.

While I completely agree with you, if it's not going to happen when Boeing kills hundreds of people, it's definitely not going to happen because of a security flaw in software.
> Honest question I have following the concerning mass of articles about Russian and Chinese state-sponsored attacks... Are we doing the same to them?

Different sorts of targets: democratic governments are mostly defensive in nature, targeting military and infrastructure, whereas the CCP goes after corporate targets, trying to get their intellectual property. Putinstanis seem to be low key outside of propaganda / blackmailable targets.
> Anyone else find racism a curious thing?

Anyone else find communist propaganda whataboutism a curious thing?
> There really need to be some legal consequences when the C suite decides to hide shit from their customers and the government. I'm leaning towards public flogging and forfeiture of 90% of their personal wealth.

Good luck. Because companies lobby their politicians to protect them from lawsuits with laws and EULAs. While I agree that if, say, credit card companies were personally liable for theft, you bet a system would be in place to stop theft of credit and abuse. But it's all a loss and thus a write-off. Same with this, as some firm will spin up some insurance policy for breaches of product, and they can get sued, but then the class action lawyers will take most of that amount.
> That's beyond ridiculous. That right there is enough to make me very seriously doubt ever putting trust in them. You're in the security business and you can't even articulate how you communicate security vulnerabilities to your customers? What?

Fortinet's responsible disclosure policy is right here (one quick Google search found it): https://fortiguard.fortinet.com/psirt_policy
> Does it seem like Fortinet has had more than its share of missteps? They've had a bunch of bad bugs exploited, and reporting seems to be an issue. Has anyone run any numbers on >9.0 vulnerabilities, reporting time, and number of installed units?

You should have a look at their VPN client software for Linux. Or rather, don't look at it. It sucks bollocks, and will fail/crash/screw up your system depending on such fun factors as having a mixed IPv4/IPv6 network, client system configuration, server system configuration, hardware configuration, etc. It has a list of issues going back years, including features being advertised as working that, in fact, don't work at all, with complaints all over the internet and zero consistently working solutions.
> The culture at Fortinet is downright shameful for a "security" company. Not disclosing a vulnerability, intentionally hiding it. They dabble in too many different product lines to focus where they really should, on security.

Yup. Their reaction to serious flaws in their VPN client software being disclosed? Hide all previous versions behind a paywall. And since new versions tend to be deployed without proper testing, you'd better happen to still have the previous installer for a reinstall of a working version, because otherwise you end up with a broken client and a loss of privacy (due to no VPN, obviously).
> Honest question I have following the concerning mass of articles about Russian and Chinese state-sponsored attacks... Are we doing the same to them?

We, the US/UK, do it to Europe, more specifically Brussels and Angela Merkel. So most likely they do it to them as well.
> I agree. It's damn time they started facing the consequences of their own greed. There is one more group that needs to be flogged. Shareholders. It's time that limited liability stopped meaning no liability.

Sorry, but shareholders have no knowledge and very little say over the policies within ANY company, and shareholders of companies listed on non-US exchanges have even less information than shareholders in companies subject to SEC regulation, such as it is. Just curious... are you saying that all of the teachers in the California State Teachers Retirement Fund need to be held accountable? Most companies that offer retirement plans of any sort offer 401-Ks. Most 401-K plans offer only mutual funds or ETFs. Most of either aren't required to disclose their holdings more frequently than quarterly, and the report is typically delayed by more than 30 days. YOU might own Fortinet and not even know it.
> What I find interesting is that doing a re-install of the firmware does NOT wipe this out, which makes it seriously hard for someone to know that their patches have done anything to fix it. If you're one of the 20,000, and you now upgrade, how do you know for sure that you've gotten rid of this thing?
>
> This is not a Fortinet rant, it's a systems and hardware rant. Are they able to put a bootloader into the low-level BIOS of the system boards? Have the hackers figured out a way to seriously infect the hardware to the point that it's seriously hard to get them out?
>
> What is the underlying architecture of Fortinet? Obviously their hardware is probably based on Intel processors, and somehow they've managed to find some way of getting in deep. So how do regular end users fix this?
>
> And is it time to get rid of all the point-and-click management GUIs on these devices and instead go to a model where you compile and ship the configuration to the device, so that the VPN device itself has a much smaller attack surface? And where you can actually view the rules/configuration being sent to the device? Having a device do just one thing and one thing well is the way to do better security. Layering extra stuff on top (or to the side) is just asking for trouble. But it's also a business case where 50% of your users use the same features, but then random clumps of other users want features a, b, c, d, e, etc. in varying levels. It's hell.

This business case isn't uncommon. Airplane manufacturing has this attribute as well. Banking and insurance software in the US is subject to 51 sets of laws (50 state + federal). In the EU, any software to be used in multiple countries is subject to multiple sets of national laws and possibly standards, as well as EU laws and regulations. In the case of security appliances, there are probably multiple sets of national security laws that apply from countries including the US, UK, Germany, Switzerland, Israel, Taiwan, Japan, S. Korea and Singapore.
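The quoted comment asks how an operator would know an upgrade actually removed something, and proposes compiling and shipping the configuration so that what goes to the device can be inspected. An added example that is not from any commenter and not Fortinet's code: a drift check in Python that parses a constructed, hypothetical block-style config format (not any vendor's real syntax) and reports what the device carries that the source of truth never shipped. Section names, keys and values are all made up for the example.

```python
from typing import Dict, List, Tuple

ConfigTree = Dict[str, Dict[str, str]]


def parse_config(text: str) -> ConfigTree:
    """Parse a hypothetical block-style config (constructed for this example,
    not any vendor's real syntax) into {section: {key: value}}:

        [section name]
        key = value
    """
    sections: ConfigTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})  # register the section even if it stays empty
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def config_drift(golden_text: str, running_text: str) -> Dict[str, list]:
    """Compare the running config exported from a device against the golden
    config the pipeline compiled and shipped.

    'unexpected': present on the device, absent from the source of truth
    'missing':    shipped by the source of truth, absent on the device
    'changed':    same key, different value
    After a suspected compromise, 'unexpected' is read first: re-applying
    the golden config cannot remove objects it never knew about.
    """
    golden, running = parse_config(golden_text), parse_config(running_text)
    unexpected: List[Tuple[str, str, str]] = []
    missing: List[Tuple[str, str, str]] = []
    changed: List[Tuple[str, str, str, str]] = []
    for sec in sorted(set(golden) | set(running)):
        g, r = golden.get(sec, {}), running.get(sec, {})
        if sec not in golden and not r:
            unexpected.append((sec, "", ""))  # empty section the source never declared
        for key in sorted(set(g) | set(r)):
            if key not in g:
                unexpected.append((sec, key, r[key]))
            elif key not in r:
                missing.append((sec, key, g[key]))
            elif g[key] != r[key]:
                changed.append((sec, key, g[key], r[key]))
    return {"unexpected": unexpected, "missing": missing, "changed": changed}


# Constructed golden config: what the pipeline compiled and shipped.
GOLDEN = """
[admin alice]
trusthost = 198.51.100.0/24
profile = super_admin

[vpn ssl]
port = 10443
interface = wan1
"""

# Constructed running config, as exported from the device after an
# upgrade. Two sections were never in the source of truth.
RUNNING = """
[admin alice]
trusthost = 198.51.100.0/24
profile = super_admin

[admin support_tmp]
trusthost = 0.0.0.0/0
profile = super_admin

[vpn ssl]
port = 10443
interface = wan1

[scheduled task nightly]
command = /tmp/sync.sh
interval = 3600
"""

if __name__ == "__main__":
    report = config_drift(GOLDEN, RUNNING)
    for sec, key, val in report["unexpected"]:
        print(f"UNEXPECTED [{sec}] {key} = {val}")
    print("missing:", report["missing"], "changed:", report["changed"])
```

One caveat worth keeping in mind: a diff like this only covers what the device exports as configuration. A persistence mechanism living in the filesystem or firmware outside the configuration, which is exactly the quoted commenter's worry about a reinstall not wiping things, is invisible to it, so it complements firmware integrity checks rather than replacing them.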