Like, how many proggies would always have "Yes / No / Cancel" Like wtf does cancel do!! Talk about introducing unhandled exceptions lol. For like 5 years sooo many programs like that... It's like GUYS, it's not that hard to define this behavior even when choosing in VB! Literally the field option is RIGHT THERE lol
My guess would be: he has a machine for recording video content (maybe even on a separate VLAN) and that is what he does this. Other machines should not have this.
@@autohmae That's for sure, but given the paranoia a security researcher has, he wouldn't expose his dev credentials or any page that would have his vital info to malware. Since he is showing them in his yt videos! If he uses his main yt account while screen sharing and still does not use adblocker then that's a different discussion altogether!!
Firewall owners don't upgrade or upgrade very slowly because they have learned over time that upgrades can be disruptive and sometimes even destructive. Everyone always puckers up when they do the upgrade. FW companies have gotten away with creating systems that no one really trusts to work properly if there is even the slightest change to a working config. Yes owners need to take responsibility too. But really the ownership experience of any major firewall product is awful.
Well yeah, it's the single point of failure. We've been burned by Fortinet in the past with a bad update. Especially if you don't have HA or a secondary WAN in that office. Sucks to see a firewall halfway across the country brick itself during an update and have to talk Steve into learning how a serial cable works and connecting to his phone's hot spot.. Been there, done that. It blows.
As for adblocking: look at it from an environmental perspective. All you wanted is let's say some text, maybe 10kb of information. You get flashy animations and videos that are increasing your power draw, need power and infrastructure to be delivered and in the end makes people rich who cheer at "Drill! Drill! Drill!" If anything, then the recent years only reinforced my belief that using an adblocker is mandatory now.
This is probably the worst attempt at moralizing ad blocking I have ever seen lmao, attached to superfluous video content online. Did you watch this in 240p to minimize your CPU/GPU demands? After all, you only need the audio to really get the full story here, hypocrite. You want to not see ads, just admit it. You zoomers are so afraid to just admit what you want. "I pirate things because uhh... Netflix donated to Trump". Just say you want free shit, coward
You can't SSH into my Cisco router externally, it's disabled from that. You have to VPN into my network before you can SSH into the router. If businesses are exposing firewalls and routers SSH to the external world, they are doing it wrong!
Absolutely. I miss the era of the Iron Geek. Freezing sun phones destroyed the information age. We've been in the dark age of Information since about 2016. Now we enter the next phase.. this 3rd global information war is... above my pay grade lol
If you think ACLs are protecting you... they aren't. There have been issues with IOS services being accessible _even with_ ACLs that should've blocked them. It's stupid, but the ACL check is not the first that happens to a received packet.
@@jfbeam No ACLs. Port 22 is not forwarded at all, the only forwarded port my router has is the Wireguard port. Sure I could still get hacked, that's always a possibility, but there are far easier targets out there.
@@dan-nutu I used to have the SSH port exposed, whenever I checked the router's logfiles, I would see daily attempts to hack the device. Once I turned off external SSH access and set up WireGuard's VPN port (I wanted VPN access to my internal network anyway), the router's logfiles have been silent for years now. If I need to access my router, I can just VPN into my network and then access my router that way. The idea is to reduce your level of exposure as much as possible while still being able to do the things you want or need to do while away.
Keep 'em coming - you're probably the ONLY YouTuber who's able to "sanitize" very obscure exploits so they're understandable & entertainingly explained!
There was an awesome actor in the old TV series Law & Order who often used the line "Don't worry, we're authorized" to convince people to reveal privileged info. That's what this backdoor sounds like to me, just a header saying "trust me bro"
It's ethical to use an adblocker, especially as someone who works in the cybersecurity area. First rule: Have adblock enabled and enforced. As almost 90% of ads ( served by google ) is literally best case a scam, worst case malware.
@@js-ss1og it blocks what? adblockers do increase your security, both directly by blocking known malicious scripts and indirectly by not exposing you to scam ads
@@js-ss1og since when? When the security executes from a third party domain yeah i guess, but what "security" does it, as everyone knows third party domains are untrustworthy. It blocks literally only bad things. Not just ads but porn too.
It is unethical means we signed up for the commercialization of the internet. We did not sign up for that. There was no plan to do that. It was forced without any rules. The majority said no.
The ad industry will do nothing against their bottom line to help you out. If they aren't paying you to display those ads to us, don't do them any favors.
Disabling adblockers is the worst advice ever. Chances are high you get fucked by malicious ads while browsing porn or even harmless appearing sites. YouTubers will always be begging for money, but instead of supporting shittified YouTube, he could insert his own affiliate links or ad segments. This guy is working as a pen tester if I am correct, which is one of the highest paid IT sections. So no reason to beg around for data donations.
absolute madness that. when i used to work with firewalls and opened them up to the internet for management purposes, ie ssh - i only allowed ssh from permitted ranges. obviously doesn’t fix the dodgy vpn bugs, but never used a fortigate in prod. used to have juniper firewalls and they had a hardcoded password i believe as well. good content, thanks.
I find it funny that the magic backdoor's password has been pixelated by Orange Tsai, but not sufficiently to actually prevent anyone from reading what it is. Makes me wonder if that was intentional.. Just a reminder that the only secure way to hide text is to completely block it out, without any stray pixels remaining.
You're allowed to use an adblocker dude. If we lived in a properly functioning society where people were paid a decent wage then they'd be able to pay you for content, and ads wouldn't be needed. Excessive advertising is a symptom of an out of control capitalist society. There's zero reason to put up with it globally. Allow list those who you think are worthy.
To be fair, most people demonstrate they would rather give away personal data than pay even a small subscription or fixed price for digital goods and services. Even when the economy was doing pretty well.
Dude you're drinking the kool aid. You've been brainwashed into blaming capitalism when this is literally how things like the Soviet Union worked. STATE MONOPOLIES. Information warfare and blaming capitalism for monopolies and state controlled media. Keep pretending it's capitalism while ignoring the loss of your freedoms of travel and right to own your own labor. as you march yourself into the gulag comrade! Gg kid
Yes. There are backdoors which are bad because they give undesired access to people who have placed them. There are bad backdoors which can be hacked to give undesired access. And there are really bad backdoors like this one that give undesired access to everyone by just vaguely looking at the code.
So what you are saying Fortinet is just like... uhm... TP-Link.... Gotcha.... ... It is absolutely unforgivable for any company offering security solutions to not take something like attacks and CVE's seriously.... Lol.. and they offer firewalls? omg
Usually, 1, 2 or 3 CVEs are not enough to deserve to be on a blacklist because everyone can make mistakes. But this "magic backdoor" is enough! Goodbye Fortinet.
ffs even the FBI recommends using an adblocker due to how "dangerous" ads have gotten over the years. it's unethical to protect yourself from ads? that's a bunch of bullcrap, and disappointing to hear from a security researcher like you.
@@glytchd I think everyone got the nuance just fine. I understand his position but still think he's wrong because of all the issues ads have had over the last 15-20 years.
While I am not in IT, I've been interested in computers for decades. I find your videos entertaining, mildly educational and - I hope VERY occasionally - potentially life-saving. I did update all instances of 7-zip on my PCs based on your recent content.
Since when? Been using them since FortiOS 3.0 - 4 different generations of hardware and countless software/firmware revisions. They've been rock solid for over 2 decades. Not one crash, ever, at multiple sites.
"2009 behavior"? maybe I'm just old or naive, but it was not ok to build a magic backdoor to takeover an arbitrary user account in 2009.. or 1999.. or 1989. maybe 1979? idk
During development, we sometimes need backdoors to see what our system is doing during testing. I think that is what this is. They forgot to remove the back door. I once had to put a back door into a production system because I was responsible for fixing problems in the production system but was not authorized to access the production system. I did it in such a way that no one could have even read the code and figured out what I did. Adding the obvious 'magic' word indicates this was not a planned corporate backdoor. BTW: today if I was told to fix a problem, I would say "No access, can't fix". But I was young and stupid at the beginning of my career. If they told me to do something, I would find a way to do it.
Good luck my friend, i tried going without ad blockers once and was shocked how bad ad placement, frequency and quality has gotten. It actively kills my phone battery faster when i have ad block disabled...
Hey, really enjoyed your videos so far as a novice learning this stuff, but I found your comment that it's unethical to use ad blockers a little silly. Me personally, I think virtually the entire PR industry is unethical and refusing to participate, if you are able to find a different line of income, would be the right thing to do. I know that people have to make a living, but I personally wouldn't be caught dead taking money from the advertising industry, which routinely manipulates people's buying habits, voting habits, and ideologies at the behest of their corporate sponsors, and is basically responsible for funding all the misinformation that we suffer with today. Anyway the content's awesome, just thought I'd share my two cents on this.
I do have a quibble with the "rust wouldn't fix this" on snprintf: while memory safety wouldn't do anything, a rust program would likely use a different function that makes you actually handle the error case, unlike c. Although the same could be said for many programming languages, including my favorite at the moment, Zig.
The video is completely off base, both CVE's discussed were fixed by Fortigate in a timely fashion years ago -- the "hacked" data is from firewalls that were badly configured and never updated to any newer firmware releases that were fixed. If you don't know how to properly set up a firewall, and you never update the firmware, whose fault is it when you get hacked?
Content reviewers should use adblock as their job is to the article not the ads. Lots of big business remove ads from the public objects/places they use like picture taken, subway stations, park benches and times-square.
From a security perspective, you out of everyone should know using adblockers is smart and actually recommended even by the government. Obviously your feelings about them are valid, but that is what the whitelist is for.
Yeah but they fixed that by changing the tone to 2400+2800 hz, like no one could solder some transistors together and make multi-frequency tones, or run software on a PC with a speaker.
These faults in a security device are inexcusable. If we have any respect for their abilities to design and code, one comes to only one conclusion: These faults are intentional on the part of some or one employee.
Hey Low Level, Love your videos (recently sub'd) - Real scary to see how these can be discovered by skilled researchers like yourself, but the fact that the 'magic' backdoor exists is truly wild. How much funding from Intelligence agencies do these tech companies really get for R&D OR intentionally placed ;-). Keep the content flowing Bro 😁😁😁
"Use it if you want to. I can't say if you should or shouldn't." - Yes, Ed, this is one case in which you absolutely CAN say people should NOT use their products. Any company which intentionally puts an easily-exploitable backdoor in its products, especially one which allows passwords to be rewritten for any user, is a company whose products should NOT be used.
As someone who's been a developer since the early 2000s, this is 90s level shenanigans, maybe something you might find in the jargon files lore somewhere.
Great video. I appreciate these kinds of videos where you provide a quick breakdown of the issue. Your characterization of the issues is also appreciated.
Yeah Ed I love these kinds of videos you put out, I watch them almost every time you put them out, it's nice to have someone who knows what they're talking about explaining the vulnerabilities.
My view on adblockers is that by using one, you (the video maker) show the article without distraction. Your duty, from my perspective, is to shout out the article for the information and provide a link, so that viewers without adblockers can drive exponentially more ads than you would by having your adblocker off while recording.
Adblock is an essential security component. It’s worth more than any so called anti virus tools. But don’t worry, I watch most videos on my phone or iPad with the YouTube app so you still get your ad money 😂
CMDB stands for configuration management database, not command buffer. These usually contain information about all equipment in the system and their configurations
I use an ad layer. It loads all the ads on a separate page(emulated page) that I don't see, and blocks them on the front end where we see the page and content. It's great. They get their greedy fingers on fake user data and "views", and I am left alone. :)
I mostly agree, a device like this - to remain legal* - should require a sticker stuck to it warning about the default vulnerable state of the factory reset code right? * under NZ's "Fair Trading Act" a device sold to a consumer as an advanced security firewall can be in breach of inaccurate labeling I reckon. But commercial sales excluded from this and Consumer Guarantees Act I think. Which is odd, because it is the BUSINESS form of usage which is most in need of full awareness of security posture of a SECURITY NET DEVICE! Perhaps contracts act. The admin GUI should also carry a banner "Warning: running insecure mode +fix"
9:45 - That was some comically bad blurring! For those wondering, it's either `4tinet2095866` or `4tinet20958666` (Online sources say one, however it looks like 3 6's were blurred)
everyone is worried about Chinese apps having backdoors but I think everything has a backdoor now. I have yet to see a device/program where 20 mins of messing about won't lead to some sort of backdoor.
Just wait till you realize there are actually chips in your dumb phone that's literally allowing erupt access and spying on your activity. It allows folks like those at the NSA to check your logs and monitor ur mic etc. I've been trying to tell ppl that for a decade.. nice that it's now finally in public knowledge.
Even after these EMBARRASSING vulnerabilities, you still need to buy a subscription to access security updates.... What should I tell my customers? Don't touch Fortinet with a 10 foot pole!
Re: updates to network devices. typically network devices have multiple code trains, when it comes to network infrastructure stability is king. And with all these bugs around ipv6 that can cause devices to unexpectedly reboot etc. We have to analyze the features we use in our networks and if the version we are going to has known bugs impacting those features. We toe the line with security and keeping the network available and it sadly isn't always as simple as just upgrade the device it'll be fineee only to find out the fix version has a bug causing a memory leak when using xyz routing protocol that you are actively using and relying on. Or hey this update breaks interoperability between another device on the network that is passing traffic. Network companies don't always abide by RFCs which is infuriating as a network engineer.
This is just sheer incompetence. I understand that you want to have a magic account that Fortinet can use in case of emergencies, but at least use a public key to check the password (digest) created by a private key. You can still use brute force to reverse engineer the private key, but magic plain text passwords were already a no-go when I started web programming in '96 and I developed client-server applications for Netware (DOS for enterprise networks) networks. No sanity check on input parameters like language is also weird behavior for a company that is supposed to know a lot about security. It is like putting in a 30 inch steel door to your garage, but then leaving a window open. A language specification is limited to 6 characters ('div-md' is the longest), so any string longer than 6 characters should have been deemed incorrect. I doubt they run both American- and British English, so language code is probably just two letters ('en', 'de', 'fr', etc) which could have been checked against a list of known languages they support. Some of these are errors that you might expect from an IT student, but not from a company specialized in security. In my opinion they just demonstrated that they know nothing about security, so one could even call it fraudulent practices.
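The checks proposed in the comment above (a 6-character cap and an allow-list for the language parameter), combined with the `snprintf` return-value handling raised in an earlier comment, as an added example that is not part of the original comments and is not Fortinet's code. The language list, the `/lang/%s.json` path template and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allow-list: a real product would list the languages it ships. */
static const char *const SUPPORTED_LANGS[] = { "en", "de", "fr", "es", "ja" };
#define N_LANGS (sizeof SUPPORTED_LANGS / sizeof SUPPORTED_LANGS[0])
#define MAX_LANG_LEN 6   /* upper bound proposed in the comment above */

enum lang_err {
    LANG_OK        =  0,
    LANG_BAD_ARG   = -1,  /* NULL or empty input, or unusable output buffer */
    LANG_TOO_LONG  = -2,  /* longer than MAX_LANG_LEN                       */
    LANG_UNKNOWN   = -3,  /* well-formed length, but not on the allow-list  */
    LANG_TRUNCATED = -4   /* snprintf output did not fit in the buffer      */
};

/* Accept a language code only if it is an exact member of the allow-list. */
static enum lang_err validate_lang(const char *lang)
{
    size_t len = 0;

    if (lang == NULL)
        return LANG_BAD_ARG;

    /* Bounded scan: stop one byte past the cap instead of walking
     * an arbitrarily long attacker-supplied string. */
    while (len <= MAX_LANG_LEN && lang[len] != '\0')
        len++;

    if (len == 0)
        return LANG_BAD_ARG;
    if (len > MAX_LANG_LEN)
        return LANG_TOO_LONG;

    /* Exact, case-sensitive match: no prefix or pattern matching. */
    for (size_t i = 0; i < N_LANGS; i++)
        if (strcmp(lang, SUPPORTED_LANGS[i]) == 0)
            return LANG_OK;

    return LANG_UNKNOWN;
}

/* Build the path of a language file (hypothetical layout) into out.
 * The input is validated first, and the snprintf return value is
 * checked so a truncated path is never handed back to the caller. */
static enum lang_err build_lang_path(const char *lang, char *out, size_t outsz)
{
    enum lang_err rc = validate_lang(lang);
    int n;

    if (rc != LANG_OK)
        return rc;
    if (out == NULL || outsz == 0)
        return LANG_BAD_ARG;

    n = snprintf(out, outsz, "/lang/%s.json", lang);

    /* n is the length the full string would have had. A negative value
     * is an encoding error; n >= outsz means the output was cut short. */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return LANG_TRUNCATED;
    }
    return LANG_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "en", "zz", "en-US-extra-bytes", "" };
    char path[32];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum lang_err rc = build_lang_path(samples[i], path, sizeof path);
        printf("%-20s -> rc=%d path=\"%s\"\n",
               samples[i], (int)rc, rc == LANG_OK ? path : "");
    }
    return 0;
}
```

With the allow-list in place the length cap is redundant for correctness, but it bounds the work done on untrusted input before any comparison happens.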
wanna learn to hack? join the waitlist for my new platform -> stacksmash.io
Surely the real sign up is an API endpoint I have to enumerate myself 🤔
title seems 500000/15000 times more than actual leaked passwords 👻
Ahh "I TOLD YOU SO!!" :D Funneling ALL your traffic through a single choke point is worse than spreading it out via direct connection and HTTPS/TLS. The only good use case for VPN's is geo-location bypass, but even a simple proxy will do that too.
Wouldn't care to see ads if they didn't make them sexual, spam/scam or fetishy ads like hero wars games that I constantly got. So take your moral high ground and shove it till ads are appropriate for users, there should be at least a team of people to go through ads and vet them before the consumer can see it.
generous calling that a backdoor, it's pretty much the front door
no no no no... it's .... magic!
"Speak friend and enter"
Honestly I never heard of fortinet until I subscribed to my local govt vulnerability mail list and every week I see at least some cve related to fortinet
a front door is still too generous, it's basically an open field
They wanted to put a backdoor just besides the front door
it's been 0 days since a security company product actually reduces your security
Do you mean increases your security?
Classic Fortinet
@lolo_o4309 no, i'm very skeptical towards all these security solutions. They are proprietary, you don't know what they actually do. And they can backfire, see Crowdstrike for example.
I think it's better to just have a secure minimal network without any such devices.
@@Deniil2000 Thanks for clarifying your intentions. I am guessing your first language isn't English, as the sentence you wrote would mean that security companies increase your security. Just think about "reduced security" as "made security worse" and "increased security" as "made security better".
I think if you look at your first statement again with the substitution e.g. "0 days since a security product made security worse", makes it more clear that if 0 days have passed since such a product made security worse, there must have been one that made security better.
Or you substitute "security" with something like "attack surface". If the security is good the attack surface is small.
@@lolo_o4309 read again the comment :-)
As for the ad thing, i wouldn't use Ad blockers if the ads were safe and not predatory, for my parents' pc for example if i don't enable the ad blocker in a week they will install every toolbar out there, blocking ads is a security thing more than a privacy or piracy thing.
It would be unethical if Google didn't put literal scams at the top of the SERP because scam artists paid them for the space. There's nothing unethical about blocking online advertisements because they themselves aren't ethical.
yeah, there are at this point even government agencies from multiple countries which recommend their citizens to use adblockers for security purposes
Blocking ads does not = piracy, just wait for that 0day ad malware that takes the world by storm.
Yeah, I LOLed when he said that.. If you want to pay content creators as a creator just buy YTB premium. ( All creators are playing dumb about its constant and volatile price increases already, so I see no issue with them paying for it openly).
To be fair Brave Ads are far more dangerous than anything they block.
I respect your ethics about not using an ad-blocker, but I personally consider it an essential security product. I've done IT for lawyers who are not security-minded. At all. I would be called out at least once a month to disinfect, or re-install someone's PC. Antivirus was not spotting the infected file until it was too late, and no one could figure out how they were getting infected.
This might sound like hyperbole, but after I installed ad-blockers on all of their PCs, I never had to disinfect another one. YMMV, but I consider it a necessity.
It's true. Ads are too dangerous, in addition to giving a horrible reading / viewing experience. I support my favourite creators directly. If the others want to block me for using an ad blocker, fine, go ahead.
There's a reason that ad blocking is part of the ACSC Essential 8.
He earns from watching ads
yeah because they clicked on the ads
@@AricGardnerMontreal they don't always have to click, just displaying it can be enough
Fun fact: fortinet was caught violating the gpl on the linux kernel in the early 2000s
With lube or no lube ? 😂😂
@@seansingh4421 🤣🤣🤣
@@seansingh4421 lol
@@seansingh4421 DRY .... except they did repeat themselves, over and over and over
Do you think Fortinet might (currently) owe the linux mainline a few patches? Assume they still use linux kernel presently? And assuming they wrote innovative advanced networking patches, eg assembly code accelerator sections for tcp queue etc.
Using an adblocker is ethical, the state of the internet nowadays with ads is what's unethical. The web is close to unusable.
I think he used the wrong term. I think he means that he doesn't want to be a hypocrite.
He can't complain about not getting ad revenue, if he used an ad blocker in the video.
I imagine that he uses an ad blocker 100% of the time when he's not recording it
@@Shocker99 makes sense. i do feel like he personally should have made it clear that not using an adblocker can be dangerous considering 80% of ads are downright scams or just malware
@@Shocker99 I assumed he felt like it was hypocritical and frankly the response is similar. The % of ads that aren't bullshit or straight up dangerous that get blocked, or trackers invading our privacy and abusing our data, gonna be pretty small. Adblockers are fair game.
who pays for hosting?
@@2beJT Do you mean "If you block ads, how will the website fund hosting?" Coz if so, that hasn't been a real argument for a very long time now. If the website is so unusable that you can't view it without an adblocker, I'm not gonna browse the website in the first place. Not everyone bends over and takes it, there is no excuse for ads being as intrusive as they are and websites blocking you from viewing content to the extent they do, other than greed. Websites with passable ads are a minority.
I admire that statement you made at ~30 seconds, on how you don't use an adblocker because you make money off ads. I'm quite the same but opposite, I decided to not run ads on my website because I run an adblocker 24/7 and consider it to be wrong to then put ads up.
The sites I used to run had ads (and for a time, really made bank on them.) But I still tell everyone to use an adblocker. Ads are annoying, waste your time and bandwidth, and increasingly are used to infect people's machines. Had the latter happen repeatedly on my sites - ad companies are HORRIBLE at policing this shit.
I'd rather have a donation link.
Rust isn't going to do anything if you deliberately program a backdoor into your software.
It was deliberate? How can you tell?
of course it's deliberate, someone had to put that line of code there. The question is is it malicious? It could be a debugging feature that escaped into production, but you never know. secure systems are a pain to develop on, hence it makes sense to break their security when you're working on an unrelated feature, but you must be cautious that that feature never ever sees the light of day.
@@martinzihlmann822 Illogical nonsense. Every line of code is deliberate - but that doesn't mean every vulnerability it causes is deliberate.
@@eadweard. You do not have a magic string that allows you to reset user passwords without authentication by accident. That does not happen.
@dadudeme That's not what this vulnerability was.
I would have laughed about a nord vpn sponsorship
"this video is brought to you by nord v... nah I'm just messing with you"
ive thought about doing exactly this but 1.) would still piss people off and 2.) not trying to get sued lmao
@@LowLevelTV You can address the getting sued part by saying "This video is sponsored by new VPN provider... nah, jk jk".
@ I think you could get away with it if you were talking about how vpn's aren't all they are claimed to be. satire is covered under free speech however I would talk to a lawyer first.
@@lizardkeeper100 eh, probably, but consulting a lawyer just to plug in a joke while making news video is hardcore excessive
The way that magic value was blurred looks super secure. 😂
Indeed. They wanted to "hide" the magic key. (as long as their lawyer can't read it, it's "hidden")
Fortinet summary:
- introduce several vulnerabilities while patching old ones
- fix 9+ cvss vulnerability one year later
- input sanitization is optional
is it a true goal to have a secure VPN
imagine a perfect secure VPN ..
with.. or without Logs..
Imagine not using a sanitization library in 2025, either diy or 3rd party
You forgot the literal backdoor they put in
You can use an ad blocker and whitelist YouTube and other pages you want to support, the internet is so unusable without one nowadays.
There’s a YT extension to put ads on mute and speed them up. Win-Win.
Google "yt ad speedup"
Yeah, I white-list trusted web comics and YouTube videos, while making sure that ads in YouTube's feed go away.
I used to be a low-level systems programmer on a mainframe OS, and I remember that I'd do a jobdump of all the memory of a user session for my own userid, and scan that for copies of my password anywhere in memory. Using that I'd find code which was making a temporary copy of the password and then wouldn't think to zero-out the copy once it was done with it. In some cases the problem would be due to pretty subtle oversights in the code in question.
Dump
Like, how many proggies would always have "Yes / No / Cancel"
Like wtf does cancel do!! Talk about introducing unhandled exceptions lol. For like 5 years sooo many programs like that...
It's like GUYS, it's not that hard to define this behavior even when choosing in VB! Literally the field option is RIGHT THERE lol
That's a smart way to check for vulnerabilities actually.
@@DRakeTRofKBam it's clever but doesn't take into account base64 or md5 encoded passwords which would be just as big a problem
0:19 a security researcher not using an ad blocker is diabolical
@@Nyxar-2077 just using the internet without an ad blocker nowadays is an awful experience.
@@fatrat92 Besides the experience, the number of ads with malware is just insane, you are not safe without an ad blocker
It depends on point of view, installing an extension that reads ALL your websites maybe rings alarm bell.
Your browser reads all your sites, what do you mean exactly?
Awful answer, try again
A security expert not using an adblock is diabolical!!
Assuming you take what he said at face value
My guess would be: he has a machine for recording video content (maybe even on a separate VLAN) and that is what he does this. Other machines should not have this.
I've noticed many content creators doing the same, probably avoids scrutiny from services/owners that prohibit blockers or something.
@@autohmae That's for sure, but given the paranoia a security researcher has, he wouldn't expose his dev credentials or any page that would have his vital info to malware. Since he is showing them in his yt videos!
If he uses his main yt account while screen sharing and still does not use adblocker then that's a different discussion altogether!!
@@Slugbunny That's none of their business to scrutinize what the creator is showing/using as long as he is doing what he is paid to do!
Firewall owners don't upgrade or upgrade very slowly because they have learned over time that upgrades can be disruptive and sometimes even destructive. Everyone always puckers up when they do the upgrade.
FW companies have gotten away with creating systems that no one really trusts to work properly if there is even the slightest change to a working config.
Yes owners need to take responsibility too. But really the ownership experience of any major firewall product is awful.
Well yeah It's the single point of failure. We've been burned by Fortinet in the past with a bad update. Especially if you don't have HA or a secondary WAN in that office. Sucks to see a firewall halfway across the country brick itself during an update and have to talk Steve into learning how a serial cable works and connecting to his phone's hot spot.. Been there, done that. It blows.
In the modern internet era, an adblocker is probably the most important part of your antivirus package.
As for adblocking: look at it from an environmental perspective.
All you wanted is let's say some text, maybe 10kb of information. You get flashy animations and videos that are increasing your power draw, need power and infrastructure to be delivered and in the end makes people rich who cheer at "Drill! Drill! Drill!"
If anything, then the recent years only reinforced my belief that using an adblocker is mandatory now.
This is probably the worst attempt at moralizing ad blocking I have ever seen lmao, attached to superfluous video content online. Did you watch this in 240p to minimize your CPU/GPU demands? After all, you only need the audio to really get the full story here, hypocrite. You want to not see ads, just admit it. You zoomers are so afraid to just admit what you want. "I pirate things because uhh... Netflix donated to Trump". Just say you want free shit, coward
You can't SSH into my Cisco router externally, it's disabled from that. You have to VPN into my network before you can SSH into the router. If businesses are exposing firewalls and routers SSH to the external world, they are doing it wrong!
Absolutely. I miss the era of the Iron Geek. Freezing sun phones destroyed the information age. We've been in the dark age of Information since about 2016. Now we enter the next phase.. this 3rd global information war is... above my pay grade lol
If you think ACLs are protecting you... they aren't. There have been issues with IOS services being accessible _even with_ ACLs that should've blocked them. It's stupid, but the ACL check is not the first that happens to a received packet.
@@jfbeam No ACLs. Port 22 is not forwarded at all, the only forwarded port my router has is the Wireguard port.
Sure I could still get hacked, that's always a possibility, but there are far easier targets out there.
@@ray73864Genuinely interested to hear your opinion here: why do you trust exposing the wireguard port but not the ssh one? Code base size?
@@dan-nutu I used to have the SSH port exposed, whenever I checked the router's logfiles, I would see daily attempts to hack the device.
Once I turned off external SSH access and set up WireGuard's VPN port (I wanted VPN access to my internal network anyway), the router's logfiles have been silent for years now.
If I need to access my router, I can just VPN into my network and then access my router that way.
The idea is to reduce your level of exposure as much as possible while still being able to do the things you want or need to do while away.
Keep 'em coming - you're probably the ONLY YouTuber who's able to "sanitize" very obscure exploits so they're understandable & entertainingly explained!
"Added a backdoor to the code. Team says it's not a bug-it's a feature."🤣
As a user, we can see this as a bug because it is not what we want. But it is clearly a feature of the company : a magic access to everyone.
It's a feature because it has been made to be used.
The issue is that people who know it can use it, and now we all know.
There was an awesome actor in the old TV series Law & Order who often used the line "Don't worry, we're authorized" to convince people to reveal privileged info. That's what this backdoor sounds like to me, just a header saying "trust me bro"
It's ethical to use adblocker especially as someone who works in the cybersecurity area. First rule: Have adblock enabled and enforced. As almost 90% of ads ( served by google ) is literally best case a scam worst case malware.
But it block securiti to.
@@js-ss1og !??!?!?!??!?!?!??!?!
@@js-ss1og it blocks what? adblockers do increase your security, both directly by blocking known malicious scripts and indirectly by not exposing you to scam ads
@@js-ss1og since when? When the security executes from a third party domain yeah i guess, but what "security" does it, as everyone knows third party domains are untrustworthy.
It blocks literally only bad things.
Not just ads but porn too.
i can barely write a line of C but you breaking down the vulnerabilities is the coolest thing ever
Calling adblockers unethical is like taking a ride in the clown car
He said it's unethical for him because he makes an income based on ads. Not that their usage is unethical in general :)
...which would be fine if you were a clown yourself.
He said his income is based on ads. He's a clown, he's allowed to ride in the clown car.
It is unethical means we signed up for the commercialization of the internet. We did not sign up for that. There was no plan to do that. It was forced without any rules. The majority said no.
The ad industry will do nothing against their bottom line to help you out. If they aren't paying you to display those ads to us, don't do them any favors.
Disabling adblockers is the worst advice ever. Chances are high you get fucked by malicious ads while browsing porn or even harmless appearing sites. YouTubers will always be begging for money, but instead of supporting shittified YouTube, he could insert his own affiliate links or ad segments. This guy is working as a pen tester if I am correct, which is one of the highest paid IT section. So no reason to beg around for data donations.
I love the "rust check" in every video: would rust have caught this? 👍
absolute madness that. when i used to work with firewalls and opened them up to the internet for management purposes, ie ssh - i only allowed ssh from permitted ranges. obviously doesn’t fix the dodgy vpn bugs, but never used a fortigate in prod. used to have juniper firewalls and they had a hardcoded password i believe as well. good content, thanks.
I find it funny that the magic backdoor's password has been pixelated by Orange Tsai, but not sufficiently to actually prevent anyone from reading what it is. Makes me wonder if that was intentional.. Just a reminder that the only secure way to hide text is to completely block it out, without any stray pixels remaining.
You're allowed to use an adblocker dude.
If we lived in a properly functioning society where people were paid a decent wage then they'd be able to pay you for content, and ads wouldn't be needed.
Excessive advertising is a symptom of an out of control capitalist society. There's zero reason to put up with it globally. Allow list those who you think are worthy.
To be fair, most people demonstrate they would rather give away personal data than pay even a small subscription or fixed price for digital goods and services.
Even when the economy was doing pretty well.
Dude you're drinking the kool aid. You've been brainwashed into blaming capitalism when this is literally how things like the Soviet Union worked. STATE MONOPOLIES. Information warfare and blaming capitalism for monopolies and state controlled media. Keep pretending it's capitalism while ignoring the loss of your freedoms of travel and right to own your own labor. as you march yourself into the gulag comrade!
Gg kid
@@EpicNicks I'd wager most people don't fully understand what they are actually giving away by even the tiniest margin.
3:45 - So they are just gaslighting the firewall and saying “Just trust me bro”
That's pretty much how every company works.
Banger. Glad I found your channel. I just texted all the people I know who ran Fortinet in the past.
Backdoors like that magic code should be a crime!
The fuck, are you even speaking English?
Yes.
There are backdoors which are bad because they give undesired access to people who have placed them.
There are bad backdoors which can be hacked to give undesired access.
And there are really bad backdoors like this one that give undesired access to everyone by just vaguely looking at the code.
2:39 "Insecurity Architecture" - sounds about right...
I do not believe that this guy doesn't use an ad blocker
So what you are saying Fortinet is just like... uhm... TP-Link....
Gotcha.... ... It is absolutely unforgivable for any company offering security solutions to not take something like attacks and CVE's seriously.... Lol.. and they offer firewalls? omg
Don't forget about Cisco
Usually, 1, 2 or 3 CVEs are not enough to deserve to be on a blacklist because everyone can make mistakes. But this "magic backdoor" is enough! Goodbye Fortinet.
ffs even the FBI recommends using an adblocker due to how "dangerous" ads have gotten over the years
it's unethical to protect yourself from ads? that's a bunch of bullcrap, and disappointing to hear from a security researcher like you.
I think he was talking personally, b/c he would consider himself a hypocrite since he makes revenue from ads
@@tachywubdub2469 yeah I think folks are being a little tone deaf. Although he should probably have been more clear about the nuance
@@glytchd I think everyone got the nuance just fine. I understand his postion but still think he's wrong because of all the issues ads have had over the last 15-20 years.
A security professional not using ad blockers is diabolical
@Zooiest just don't click them, ez
While I am not in IT, I've been interested in computers for decades. I find your videos entertaining, mildly educational and - I hope VERY occasionally - potentially life-saving. I did update all instances of 7-zip on my PCs based on your recent content.
I remember Fortinet sucked so bad I used to joke that the devs are pounding 40s while writing code.
"Looks like 40net is down again 🥴🍺"
I worked there a decade ago and, well, maybe vodka instead of 40s
Since when? Been using them since FortiOS 3.0 - 4 different generations of hardware and countless software/firmware revisions. They've been rock solid for over 2 decades. Not one crash, ever, at multiple sites.
I read that as fortnite lol
@@KL4B same
most of us 😂
It just changed!
Fortinet lol
It kinda was, epic store was marketed using Fortnite. These guys launched their hacking forum using fortinet
"2009 behavior"? maybe I'm just old or naive, but it was not ok to build a magic backdoor to takeover an arbitrary user account in 2009.. or 1999.. or 1989. maybe 1979? idk
During development, we sometimes need backdoors to see what our system is doing during testing. I think that is what this is. They forgot to remove the back door. I once had to put a back door into a production system because I was responsible for fixing problems in the production system but was not authorized to access the production system. I did it in such a way that no one could have even read the code and figured out what I did. Adding the obvious 'magic' word indicates this was not a planned corporate backdoor. BTW: today if I was told to fix a problem, I would say "No access, can't fix". But I was young and stupid at the beginning of my career. If they told me to do something, I would find a way to do it.
Good luck my friend, i tried going without ad blockers once and was shocked how bad ad placement, frequency and quality has gotten.
It actively kills my phone battery faster when i have ad block disabled...
For your own sanity. I highly advise you and everyone out there browsing the internet. Do not disable your ad blocker
I liked this video but not using ad blockers for ethical reasons is like running an email newsletter and not blocking spam for ethical reasons.
Excellent analogy - well put!
I've used their Linux VPN client, I'm not surprised at all at their incompetence. What I was most surprised is that so many people buy their stuff.
Love the CVE breakdowns, favourite videos!
Same reason I don't use an ad blocker. You're a good man!
Hey, really enjoyed your videos so far as a novice learning this stuff, but I found your comment that it's unethical to use ad blockers a little silly. Me personally, I think virtually the entire PR industry is unethical and refusing to participate, if you are able to find a different line of income, would be the right thing to do. I know that people have to make a living, but I personally wouldn't be caught dead taking money from the advertising industry, which routinely manipulates people's buying habits, voting habits, and ideologies at the behest of their corporate sponsors, and is basically responsible for funding all the misinformation that we suffer with today. Anyway the content's awesome, just thought I'd share my two cents on this.
A free press is one that operates from user donations and sales of subscriptions only, not from advertising dollars.
Definitely enjoy the CVE breakdowns, and I respect your integrity about the whole adblock issue. Stay classy, lolev~
I do have a quibble with the "rust wouldn't fix this" on snprintf: while memory safety wouldn't do anything a rust program would likely use a different function that makes you actually handle the error case, unlike c. Although the same could be said for many programming languages, including my favorite at the moment Zig.
this is a 2 year old well known CVE. Its insane this stuff is still unpatched...
The video is completely off base, both CVE's discussed were fixed by Fortigate in a timely fashion years ago -- the "hacked" data is from firewalls that were badly configured and never updated to any newer firmware releases that were fixed. If you don't know how to properly set up a firewall, and you never update the firmware, whose fault is it when you get hacked?
Content reviewers should use adblock as their job is to the article not the ads. Lots of big business remove ads from the public objects/places they use like picture taken, subway stations, park benches and times-square.
From a security perspective, you out of everyone should know using adblockers is smart and actually recommended even by the government. Obviously your feelings about them are valid, but that is what the whitelist is for.
Security vulnerability due to spoofable in-band signaling? Who'd think of something like that? [Dusts off 2600Hz Cap'n Crunch whistle...]
Phreaking was so much fun in the pre-mobile pay phone days. Blue boxes, red boxes, beige boxes, never got my green box working.
Yeah but they fixed that by changing the tone to 2400+2800 hz, like no one could solder some transistors together and make multi-frequency tones, or run software on a PC with a speaker.
These CVE breakdowns are awesome! i love it!
These faults in a security device are inexcusable.
If we have any respect for their abilities to design and code one comes to only one conclusion:
These faults are intentional on the part of some or one employee.
Hey Low Level, Love your videos (recently sub'd) - Real scary to see how these can be discovered by skilled researchers like yourself, but the fact that the 'magic' backdoor exists is truly wild. How much funding from Intelligence agencies do these tech companies really get for R&D OR intentionally placed ;-). Keep the content flowing Bro 😁😁😁
I love these CVE breakdowns. It's very interesting and important as a developer to know more ways that software might have vulnerabilities
"Use it if you want to. I can't say if you should or shouldn't." - Yes, Ed, this is one case in which you absolutely CAN say people should NOT use their products. Any company which intentionally puts an easily-exploitable backdoor in its products, especially one which allows passwords to be rewritten for any user, is a company whose products should NOT be used.
As someone whos been a developer since the early 2000s, this is 90s level shenanigans, maybe something you might find in the jargon files lore somewhere.
These episodes vibe like TLDR Darknet Diaries ep's, with practical insights. Appreciate them
Great video. I appreciate these kinds of videos where you provide a quick breakdown of the issue. Your characterization of the issues is also appreciated.
Thank you for saying abbreviations with their meanings, very helpful for understanding as a beginner!
You think these hardware vendors would have woken up to back doors by now…breaches been going on for decades
Yeah Ed I love these kinds of videos you put out, I watch them almost every time you put them out, it's nice to have someone who knows what they're talking about explaining the vulnerabilities.
My view on adblockers is that by using one, you (the video maker) show the article without distraction. Your duty, from my perspective, is to shout out the article for the information and provide a link, so that viewers without adblockers can drive exponentially more ads than you would by having your adblocker off while recording.
maybe they should've asked someone who works in security.
[guy with moustache and long hair producing a sparkly rainbow] "Its... Magic!"
Adblock is an essential security component. It’s worth more than any so called anti virus tools. But don’t worry, I watch most videos on my phone or iPad with the YouTube app so you still get your ad money 😂
Content like this is why I subscribed.
Would love to hear from a lawyer about whether this kind of back door could be used as basis of a lawsuit.
CMDB stands for configuration management database, not command buffer. These usually contain information about all equipments in the system and their configurations
What company is even safe anymore? What network equipment do you even go with at this point?
It's not a 2009 coding problem. This is a 1999 coding problem. Perl in cgi, magic strings.
I really enjoy the intrusion breakdowns
I use an ad layer. It loads all the ads on a separate page(emulated page) that I don't see, and blocks them on the front end where we see the page and content. It's great. They get their greedy fingers on fake user data and "views", and I am left alone. :)
I mostly agree, a device like this - to remain legal* - should require a sticker stuck to it warning about the default vulnerable state of the factory reset code right? * under NZ's "Fair Trading Act" a device sold to a consumer as an advanced security firewall can be in breach of inaccurate labeling I reckon. But commercial sales excluded from this and Consumer Guarantees Act I think. Which is odd, because it is the BUSINESS form of usage which is most in need of full awareness of security posture of a SECURITY NET DEVICE! Perhaps contracts act. The admin GUI should also carry a banner "Warning: running insecure mode +fix"
Love the Would-Rust-Have-Prevented-This feature.
i’m actually glad you explained why you have ads because I did judge you for that. Only a tiny little bit.
9:45 - That was some comically bad blurring!
For those wondering, it's either `4tinet2095866` or `4tinet20958666` (Online sources say one, however it looks like 3 6's were blurred)
every one is worried about Chinese apps having backdoors but I think every thing has a backdoor now. I have yet to see a devices/program where 20 mins of messing about won't lead to some sort of backdoor.
Just wait till you realize there are actually chips in your dumb phone that's literally allowing erupt access and spying on your activity.
It allows folks like those at the NSA to check your logs and monitor ur mic etc.
I've been trying to tell ppl that for a decade.. nice that it's now finally in public knowledge.
Even after these EMBARRASSING vulnerabilities, you still need to buy a subscription to access security updates.... What should I tell my customers? Don't touch Fortinet with a 10 foot pole!
Re: updates to network devices. typically network devices have multiple code trains, when it comes to network infrastructure stability is king. And with all these bugs around ipv6 that can cause devices to unexpectedly reboot etc. We have to analyze the features we use in our networks and if the version we are going to has known bugs impacting those features.
We toe the line with security and keeping the network available and it sadly isn't always as simple as just upgrade the device it'll be fineee only to find out the fix version has a bug causing a memory leak when using xyz routing protocol that you are actively using and relying on. Or hey this update breaks interoperability between another device on the network that is passing traffic.
Network companies don't always abide by RFCs which is infuriating as a network engineer.
“chore: add NSA required backdoor to login”
Lmao 🤣🤣🤣
This was a rad video. Happy to have found your channel!
I do enjoy the CVE breakdowns, thanks
This is outstanding... please continue these
3:45 they are using the “trust me bro” protocol.
This is just sheer incompetence.
I understand that you want to have a magic account that fortinet can use in case of emergencies, but at least use a public key to check the password (digest) created by a private key. You can still use brute force to reverse engineer the private key, but magic plain text passwords were already a no-go when I started web programming in '96 and I developed client-server applications for Netware (DOS for enterprise networks) networks.
No sanity check on input parameters like language is also weird behavior for a company that is supposed to know a lot about security. It is like putting in a 30 inch steel door to your garage, but then leaving a window open. A language specification is limited to 6 characters ('div-md' is the longest), so any string longer than 6 characters should have been deemed incorrect. I doubt they run both American and British English, so the language code is probably just two letters ('en', 'de', 'fr', etc.) which could have been checked against a list of known languages they support.
Some of these are errors that you might expect from an IT student, but not from a company specialized in security. In my opinion they just demonstrated that they know nothing about security, so one could even call it fraudulent practices.
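The two checks raised in the comments above (validating the language code against a list of supported values, and actually handling `snprintf`'s return value), as an added example that is not Fortinet's code or anything shown in the video. The `/lang/<code>.json` path format, the language list and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist; a real product would list the languages it ships. */
static const char *const SUPPORTED_LANGS[] = { "en", "de", "fr", "es", "ja" };

enum lang_status { LANG_OK = 0, LANG_REJECTED = -1, LANG_TRUNCATED = -2 };

/* Exact-match allowlist check: anything not on the list is refused,
 * so length, slashes, dots and format characters never reach snprintf. */
static int lang_is_supported(const char *lang)
{
    size_t i;

    if (lang == NULL)
        return 0;
    for (i = 0; i < sizeof SUPPORTED_LANGS / sizeof SUPPORTED_LANGS[0]; i++) {
        if (strcmp(lang, SUPPORTED_LANGS[i]) == 0)
            return 1;
    }
    return 0;
}

/* Unchecked form, kept for contrast: the return value is passed back but a
 * caller that ignores it gets a silently truncated string. snprintf returns
 * the length the full output WOULD have had, not what was written. */
static int build_lang_path_unchecked(char *out, size_t out_len, const char *lang)
{
    return snprintf(out, out_len, "/lang/%s.json", lang);
}

/* Hardened form: validate first, then treat truncation as a hard error
 * and leave an empty string behind instead of a partial path. */
static int build_lang_path(char *out, size_t out_len, const char *lang)
{
    int n;

    if (out == NULL || out_len == 0)
        return LANG_TRUNCATED;
    out[0] = '\0';

    if (!lang_is_supported(lang))
        return LANG_REJECTED;

    n = snprintf(out, out_len, "/lang/%s.json", lang);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return LANG_TRUNCATED;
    }
    return LANG_OK;
}

int main(void)
{
    char path[32];
    char tiny[12];
    /* Constructed sample inputs. */
    const char *samples[] = { "en", "fr", "xx", "en/../../etc" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_lang_path(path, sizeof path, samples[i]);
        printf("%-14s -> rc=%d path=\"%s\"\n", samples[i], rc, path);
    }

    /* Same valid input, buffer too small: the unchecked call drops the
     * tail of the suffix, the checked call reports the failure. */
    build_lang_path_unchecked(tiny, sizeof tiny, "en");
    printf("unchecked, 12-byte buffer: \"%s\"\n", tiny);
    printf("checked,   12-byte buffer: rc=%d\n",
           build_lang_path(tiny, sizeof tiny, "en"));
    return 0;
}
```
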
I'm not even kidding, I got a fortinet advertisement on this video LMAOO
petition for "low level" to use an adblocker...and a lawsuit against him for showing the ads to 50k+ ppl ............ahhh my eyes
11:20 Instead of password, what you should change is the firewall itself. :D
Absolutely love these breakdowns 😊
"making money from ads"
_gravy analytics breach_
I'd rather not be tracked online 24/7 so I use an ad blocker. But I don't make money from ads
Yes! More CVE breakdowns please! :D