Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Security

The Juniper VPN Backdoor: Buggy Code With a Dose of Shady NSA Crypto (csoonline.com) 61

itwbennett writes: Security researchers and crypto experts now believe that a combination of likely malicious third-party modifications and Juniper's own crypto failures are responsible for the recently disclosed backdoor in Juniper NetScreen firewalls. 'To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge!,' Matthew Green, a cryptographer and assistant professor at Johns Hopkins University wrote in a blog post. 'They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world. And all because Juniper had already paved the road.'
This discussion has been archived. No new comments can be posted.

The Juniper VPN Backdoor: Buggy Code With a Dose of Shady NSA Crypto

Comments Filter:
  • by penguinoid ( 724646 ) on Wednesday December 23, 2015 @04:02PM (#51174383) Homepage Journal

    Never attribute to a National Security Letter what can adequately be explained by incompetence. Or was it something else?

  • End of Juniper (Score:2, Insightful)

    by Anonymous Coward

    Good job NSA!

    • Re: (Score:2, Insightful)

      by arth1 ( 260657 )

      Not too good. It got caught.

      "someone â" maybe a foreign government"

      Yeeeerright...
      This reeks of CIA and/or Shin Bet.

    • by Rakarra ( 112805 )

      Not necessarily the end. When Hillary or Donald mandate that those backdoors be included on all US networking products, then every networking company will be in Juniper's boat!

  • This is why (Score:5, Interesting)

    by s.petry ( 762400 ) on Wednesday December 23, 2015 @04:16PM (#51174475)

    The demands for "Government Backdoor to All Encryption" need to stop! Installing a back door makes it available for _EVERYONE_, not just some agency which may or may not have a warrant. Not that we _will_ see it stop, just that it should.

    • by Anonymous Coward

      This is why it should be called "Buggery code" when backdooring.

  • by Anonymous Coward on Wednesday December 23, 2015 @04:18PM (#51174497)

    This isn't the first excellent post by Matthew Green. His other on ECC was also informative and scary.

    Juniper equipment manages industrial control systems, (like the kind used in nuclear power plants) and we rely on encryption for every part of our online experience - not to mention classified data that presumably protects Americans. The passive collection of VPN data Mr. Green suggests probably happened, and the active exploitation of equipment Snowden revealed by the NSA is a much bigger story than collecting phone records ever was.

    The infosec community making fun of Hillary for suggesting a manhattan project for encryption is funny, but this underlines a serious lack of understanding by too many people in high places.

    • by mikael ( 484 )

      There were several Manhattan projects for the internet. The first was the design of the original network stacks (OSI, DECnet, and many others all replaced by TCP/IP). The second was the http protocol, and the third was the SSL (Secure Socket Layer) that is the basis for encryption for Internet commerce. Unfortunately, that and any other encryption scheme always ended up getting a bit nobbled in places. Probably thousands others if you read the RFC's.

  • For the good of all internet users and as Internet of Things becomes more prevalent.
    Back doors must be banned and criminalized with severe punishments enacted and strong encryption must be mandated for all devices living on the internet.
    From smart electric meters, household appliances, thermostats, door locks to light bulbs any IoT or other device accessible from the internet all present a risk from malicious actors individuals or nation states.

  • by Lisandro ( 799651 ) on Wednesday December 23, 2015 @05:12PM (#51174851)

    Judging from what i've read so far it is pretty obvious that the original Dual_EC_DRBG-based backdoor was placed there quite intentionally. Juniper has a lot to answer for.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      RSA was paid $10 million by the NSA to include the broken dual elliptic curve RBG to backdoor their software. I wonder how much Juniper charged for it?

    • by houghi ( 78078 )

      I am sure they are willing to do so, but not allowed. You know things are fucked up when the people with the tin foil hats are right.

  • Call me cynical (Score:4, Insightful)

    by grasshoppa ( 657393 ) <skennedy.tpno-co@org> on Wednesday December 23, 2015 @07:01PM (#51175529) Homepage

    But who's to say this isn't the cover story for the "Government VPN Encryption" program where a foreign entity managed to "steal" the backdoor password so now everyone has to patch.

    Bet we hear similar things from cisco in the coming weeks/months.

  • I know what is in it cause we have the complete set of source code and it's actually easy to buid cause it's properly documented and everything. For those who don't know libreCMC is the only real embedded distribution for routers that is 100% free. With other distributions there are non-free parts and even digital restrictions in some cases. Of course most off the shelf routers are non-free and locked now due to FCC rule changes sadly. If your not aware check out ww.savewifi.org

  • by nickweller ( 4108905 ) on Wednesday December 23, 2015 @10:50PM (#51176459)
    "malicious third-party modifications and Juniper's own crypto failures are responsible for the recently disclosed backdoor in Juniper NetScreen firewalls."

    Given todays computing model, where clicking on a link opens up a two-way connection to a server and executes remote code on your computer, the firewall is next to useless.
  • by Anonymous Coward

    Anybody now understand what would happen.

    Retards the lot.

  • We need a mainstream front page news article "Government encryption backdoor is exploited by criminals." Instead the mainstream coverage fails to connect the Juniper story to the debate on backdoors at all. e.g. CNN runs with: "Newly discovered hack has US fearing foreign infiltration", an article stoking fears over hackers and cybersecurity without once mentioning the keys put under the mat by the government.

Quantity is no substitute for quality, but its the only one we've got.

Working...