The Juniper VPN Backdoor: Buggy Code With a Dose of Shady NSA Crypto (csoonline.com)
itwbennett writes: Security researchers and crypto experts now believe that a combination of likely malicious third-party modifications and Juniper's own crypto failures are responsible for the recently disclosed backdoor in Juniper NetScreen firewalls. 'To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge!,' Matthew Green, a cryptographer and assistant professor at Johns Hopkins University wrote in a blog post. 'They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world. And all because Juniper had already paved the road.'
Well, like my papa used to say (Score:5, Insightful)
Never attribute to a National Security Letter what can adequately be explained by incompetence. Or was it something else?
Well, like James Comey used to say (Score:4, Funny)
This isn't a "backdoor," it's an officially sanctioned terrorist detector.
Re: (Score:1)
Hoover just got a boner in his grave.
End of Juniper (Score:2, Insightful)
Good job NSA!
Re: (Score:2, Insightful)
Not too good. It got caught.
"someone — maybe a foreign government"
Yeeeerright...
This reeks of CIA and/or Shin Bet.
Re: (Score:2)
Not necessarily the end. When Hillary or Donald mandate that those backdoors be included on all US networking products, then every networking company will be in Juniper's boat!
This is why (Score:5, Interesting)
The demands for "Government Backdoor to All Encryption" need to stop! Installing a back door makes it available for _EVERYONE_, not just some agency which may or may not have a warrant. Not that we _will_ see it stop, just that it should.
Re: (Score:1)
This is why it should be called "Buggery code" when backdooring.
This is getting crazy (Score:4, Insightful)
This isn't the first excellent post by Matthew Green. His other on ECC was also informative and scary.
Juniper equipment manages industrial control systems, (like the kind used in nuclear power plants) and we rely on encryption for every part of our online experience - not to mention classified data that presumably protects Americans. The passive collection of VPN data Mr. Green suggests probably happened, and the active exploitation of equipment Snowden revealed by the NSA is a much bigger story than collecting phone records ever was.
The infosec community making fun of Hillary for suggesting a manhattan project for encryption is funny, but this underlines a serious lack of understanding by too many people in high places.
Re: (Score:2)
There were several Manhattan projects for the internet. The first was the design of the original network stacks (OSI, DECnet, and many others, all replaced by TCP/IP). The second was the HTTP protocol, and the third was SSL (Secure Socket Layer), which is the basis for encryption for Internet commerce. Unfortunately, that and any other encryption scheme always ended up getting a bit nobbled in places. Probably thousands of others if you read the RFCs.
Re: (Score:3)
Every generation has its crypto subverted by Five Eyes nations due to location (global capture) and raw computing power to "collect it all".
US network equipment designers had to fit in domestic production lines around what was Communications Assistance for Law Enforcement Act (CALEA).
Every big brand device as exported, shipped, designed, upgraded, so
Re: (Score:1)
http://uk.businessinsider.com/... [businessinsider.com]
Criminalize back doors mandate strong encryption. (Score:1)
For the good of all internet users and as Internet of Things becomes more prevalent.
Back doors must be banned and criminalized, with severe punishments enacted, and strong encryption must be mandated for all devices living on the internet.
From smart electric meters, household appliances, thermostats, and door locks to light bulbs, any IoT or other device accessible from the internet presents a risk from malicious actors, whether individuals or nation states.
Re: (Score:1)
Getting into encryption at the VPN/router level does not really make it easier to catch the bad guys, unless the bad guys actually own the router. Bad guys using encryption are encrypting end to end, not at that level. Maybe I am missing something.
Re: (Score:2)
If you want to compromise networks carrying sensitive data, you do.
Re:Explaining to your Foxnewser Uncle at Xmas dinn (Score:4, Informative)
The US government does that with suitcases. You now get to buy suitcases that have a three digit combination lock, as well as a special DHS lock that bypasses that combination lock.
Re: (Score:2)
That makes more sense for physical locks. You can reasonably criminalize unauthorized possession of one of those keys, which means if someone commits a crime with one and gets caught, you can nail them to the wall. And because you can't unlock a suitcase from across the planet, it's fairly likely that you can catch someone eventually, and that they'll be in your jurisdiction to actually arrest them.
Someone in a hostile country gets ahold of a master encryption key? You might never find out, and if you do
Re: (Score:1)
First, it is an incredibly simple key the DHS uses, a plastic thing with 3 prongs on it; they have to make thousands, one for each DHS/TSA agent.
People already made copies of it and started stealing things from your bag at the airport.
Re: Explaining to your Foxnewser Uncle at Xmas din (Score:1)
A physical key like the TSA one can be duplicated by just having a picture of it. The analogy is actually pretty good here.
Suspect there's a back door and you'll probably find it. KNOW there's a back door and it really doesn't take so long.
Re: (Score:2)
That's a service to you. They do that so that your suitcase remains intact. Otherwise, the lock on your suitcase would simply be broken, rendering the locking mechanism useless and the bag ugly.
Re: (Score:2, Insightful)
As many writers in these forums have noted, once a back door is installed, anyone, good or bad, with the appropriate tools and skill can open the door. The
Re: (Score:2)
>> knowing damn well it'll never happen
Yeah. It just happened. And it's still not properly repaired. (RNG still broken) And that's just the tip of one of the icebergs.
Man, it is incredible (Score:4, Interesting)
Judging from what I've read so far, it is pretty obvious that the original Dual_EC_DRBG-based backdoor was placed there quite intentionally. Juniper has a lot to answer for.
Re: (Score:2, Insightful)
RSA was paid $10 million by the NSA to include the broken dual elliptic curve RBG to backdoor their software. I wonder how much Juniper charged for it?
Re: (Score:3)
No. They should be crucified for not disclosing it. Juniper has been selling backdoored security products which, as the article explains, allowed not only the NSA to eavesdrop on communications but anyone else as well. RSA took money from the NSA to default to that same compromised RNG and never announced it; they should be held accountable.
As for your second question, no. Backdoors are never a proper answer when discussing cryptography, in any form.
Call me cynical (Score:4, Insightful)
But who's to say this isn't the cover story for the "Government VPN Encryption" program where a foreign entity managed to "steal" the backdoor password so now everyone has to patch.
Bet we hear similar things from cisco in the coming weeks/months.
This is why I bought a 100% free libreCMC router (Score:1)
I know what is in it because we have the complete set of source code, and it's actually easy to build because it's properly documented and everything. For those who don't know, libreCMC is the only real embedded distribution for routers that is 100% free. With other distributions there are non-free parts and even digital restrictions in some cases. Of course most off-the-shelf routers are non-free and locked now due to FCC rule changes, sadly. If you're not aware, check out ww.savewifi.org
Re: (Score:3)
Now you just have to hope that the compiler hasn't got a backdoor generator built into it (the Ken Thompson hack [c2.com])...
Malicious code and the firewall .. (Score:3)
Given today's computing model, where clicking on a link opens up a two-way connection to a server and executes remote code on your computer, the firewall is next to useless.
NSA wants a back door to all encryption. (Score:1)
Anybody now understand what would happen.
Retards the lot.
How do we get mainstream press to connect the dots (Score:1)