'Unauthorized Code' In Juniper Firewalls Could Decrypt VPN Traffic

m2pc writes: Ars Technica reports that Juniper Networks firewalls have been discovered to include "unauthorized code" inserted into their ScreenOS software. Juniper has has published an advisory addressing the matter, with instructions to patch the affected devices.

From the Ars article: "NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching. Release notes published by Juniper suggest the earliest vulnerable versions date back to at least 2012 and possibly earlier. ... The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise. 'The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic,' the advisory said." The rogue code was discovered during a recent internal source code review conducted by Juniper.

Welcome to the club

[nehumanuscrede]

says Cisco . . . . .

I'm not entirely certain why the government is bothering to raise such a fuss about strong crypto. ( Other than to make it look like they have no options ) While no evidence exists that Big Brother is responsible for it, they are the most likely suspects. Not much of a need to break the crypto itself when you can install a bypass of some sort into the mix.

I wonder how much it costs to coerce a programmer type to insert a few bits of code into your project.

Re:Welcome to the club

[macs4all]

I wonder how much it costs to coerce a programmer type to insert a few bits of code into your project.

The cost of an IRS Audit, or the threat of same.

Re:Welcome to the club

I'm not entirely certain why the government is bothering to raise such a fuss about strong crypto.

WHICH government?

Where does almost all computer equipment get made?

Re:Welcome to the club

[mark-t]

Barring simple ignorance as a factor, about the only reason I can think of that they could be making a fuss about crypto is that for some reason, they are thoroughly convinced that there are some significant subset of criminals that use unbreakable cryptography and do not get caught because of it, but who would be too incompetent to get away without getting caught if strong cryptographic choices were simply not as readily available to them (through legal channels).

If this belief is correct, one could at least sympathize with why they feel strong crypto should be outlawed, even if one does not actually agree with the proposal.

One may call this simply a tenuous conjecture on their part and discount it on that basis, but I would suggest that even if it were true, I do not think it should outweigh the implications for completely innocent parties with regards to their personal information and their privacy.

Re:Welcome to the club

This would leave such an easy path to proving it well enough to publish in the newspapers though.

Re:Welcome to the club

I'm not entirely certain why the government is bothering to raise such a fuss about strong crypto.

WHICH government?

Where does almost all computer equipment get made?

And WHO is to blame for that shit?

We want to sit here and talk about "evil" China while kissing their ass to manufacture for pennies.

We deserve what we get if this was State-injected offshore.

We also deserve what we get if we allowed OUR government to give China that directive, which sad to say is not inconceivable.

Re:Welcome to the club

If you keep saying that you need crypto back doors and access someone without knowledge of all the existing back doors/zero days/exploits might reasonably believe that his/her encrypted communications or files are actually secure and behave as if they are. This might lead them to rely on that crypto and leave themselves vulnerable to NSA/TSA/CIA/FBI/TLA even though in practice it never seems to go down that way.

Let's face it, crypto is hard for those without the requisite understanding to know that everything can be cracked eventually. Example Paris where so far the evidence is that they communicated in the clear the entire prep time.

Re:Welcome to the club

[ShanghaiBill]

WHICH government?

Where does almost all computer equipment get made?

They found malicious code in the source code to the OS. It is irrelevant where the hardware is assembled, since that is not what was compromised.

Re:Welcome to the club

[unencode200x]

I skimmed TFAs and searched them for Cisco and don't see that they have anything to do with this . How does Cisco come into play?

Re:Welcome to the club

Never attribute to incompetence that which can easily be explained by malice.

Re:Welcome to the club

[macs4all]

This would leave such an easy path to proving it well enough to publish in the newspapers though.

And I'm sure that the .0001% of the population that REALLY understands the issues involved would be duly outraged.

Re:Welcome to the club

It was a joke, Aspergers Man. It was in relation to how Cisco routers have had the same "flaw" reported as of late.

Re:Welcome to the club

[Locke2005]

All ciphers can be cracked eventually, but what about one time pads? How does the government put in a back door to attack them? If it's important enough, can't you have secure communication no matter how the intervening points are compromised? (Secure as in not decrypable, of course the government can always block the message from being delivered.)

Re:Welcome to the club

[mark-t]

I'm pretty certain you've got that backwards.... unless you were only making a joke, in which case I apologize for the fact that your sense of humor was lost on me.

Re:Welcome to the club

Really, ShanghaiBill? They have a big development office in Beijing. Manufacturing is pretty much all in inland china too. There are no doubt several points in mainland china where direct access to the Juniper enterprise repo is available. Its hardly inconceivable that the employees were coerced by party bosses to put something like this in place. After all, VPNs are what cause the most trouble with the Great Firewall of China, and what better way to execute control over your population than by giving them a tool they think is covertly subversive but in actuality is a direct pipe to Mao's inner sanctum so that dissidents can be summarily purged.

Re:Welcome to the club

It's not a joke. At a certain point you realize that, "It was a mistake", or "Mistakes were made", isn't an admission of incompetence, but instead, a cover for active malice.

Re:Welcome to the club

Different AC here. If I read GP correctly, s/he seems to be hinting at the fact that they can zero-day your device/server/etc. If the data ever exists on that device/server as plaintext, it can be hoovered up while it's in that state. Your stash of one time pads can also be hoovered up. Same goes for asymmetric encryption: the private key can be hoovered up.

Re:Welcome to the club

[mark-t]

What "mistake" are you referring to? I was talking about why they might be in such a huff about strong crypto, what are you talking about?

Re:Welcome to the club

[KGIII]

I was so excited to get off Cisco gear and onto Juniper (way back, a very long time ago and in a galaxy far away, namely - North Carolina) and the savings were so lovely. I was able to resell our kit and almost pay for the Juniper gear. And, oh, even *I* could figure out how to use it. We didn't fire our CCNA but we did move him into a slightly more productive role - he did more than manage networks after that. He was up to speed with Juniper before their reps left the building. He was then able to do a few other things with his spare time as we had, at that point, three satellite offices (eventually we had two more).

I've been a Juniper fan ever since. Not quite fanboy at the level of a Mac fan (yes, I had to mention that 'cause, you know) but a fan nonetheless. I've spoken with people and they've gone ahead and moved off of Cisco kit where they could. I didn't, personally, do much of anything with it but I know we got the entire functionality, easier, at a price point that's far less than it would have cost with Cisco. I do think we did end up with some failing hardware but it was still replaced and we had enough to have some redundancy in place.

God, I don't even know when that was that we had a Juniper rep come visit for the first time. Even our CCNA was impressed. (Or was he a CCNE???) I don't know but if you've ever compared the prices then, well, let's just say when you're rolling out a remote office you can literally save many, many thousands of dollars. It is true that you get what you pay for but they were good enough and did just fine for our needs. (Kind of like MySQL worked well enough to not give Oracle any money, I hate Oracle but that's a story for another day.)

To the point!!!

This is disheartening and unfortunate. It is not unexpected, however. They were the underdog when we bumped into them. I'm a pretty geeky guy and I'd never heard of them until getting a cold call and opting to call the number back as the timing was rather convenient. I imagine it's a larger company now and that they've got more holes in 'em than they used to - including hiring someone from a TLA. I'll be interested in finding out how this happened. I can only hope that they release that information and that it was not done as corporate policy. If it turns out it was corporate policy then I will be sad. Anyhow, I'm going to *guess* that I bumped into 'em in 2001-2002 range? I've no idea but that *feels* about right.

Re:Welcome to the club

[KGIII]

I dunno but I'm pretty sure Mao is dead. Other than that, spot on. I'm just hoping it wasn't knowing collusion with Juniper 'cause I'm kind of a fan and it would make me sad. They really should do a checksum type of thing before rolling that shit out. I'm hoping that it could have (should have?) been caught with a bit of oversight.

Re:Welcome to the club

It was a joke, Aspergers Man. It was in relation to how Cisco routers have had the same "flaw" reported as of late.

1. No, Cisco routers have not had this same flaw.
2. No, this does not affect "Juniper Firewalls". It affects Netscreen firewalls, and while yes they are a Juniper product they are a Legacy, end-of-life firewall which runs an entirely different OS developed on an entirely different codebase than Juniper's current firewalls... which are the SRX series running JunOS.

The takeaway from this story should be "Hey, even though Juniper EOL'd the entire Netscreen platform years ago, they are willing to continue issuing security updates".

Re:Welcome to the club

[KGIII]

I believe the theory is that one-time-pads can be broken, eventually, by throwing enough at them until they stop spitting back gibberish. It's just a long and complex process. At least that's my understanding. I'm a mathematician and even I get confused with cryptography. I understand that certain letters are also used more frequently so that they can tune things to get a slightly quicker result but that it is still a lot of compute power.

Re:Welcome to the club

Unlawful coercion is readily understood.

Re:Welcome to the club

[RenderSeven]

Proving you were coerced by not getting an audit is a tough sell, just as proving you were audited because you did nothing is tough. "Your Honor, there is no evidence whatsoever so he MUST be guilty"?

Re:Welcome to the club

[F.Ultra]

Another thing to take away from this is that this flaw managed to avoid detection throughout the entire life span of this product and then some, considering it was EOL'd years ago.

Re:Welcome to the club

[skegg]

Not quite, bud.
I ain't no cryptographer (which will soon become apparent!) but I'll have a go at explaining.

The thing with OTP is that the random component can be *anything*.
Lemme give a very contrived example:

Let's say we've encrypted 1,024 bits of plaintext with 1,024 bit OTP key, resulting in 1,024 bits of cyphertext.
If we reverse that cyphertext with the original 1,024 OTP key, we get the original 1,024 bits of data.

So far so good. However ...

It would be possible to put together a *different* combination of 1,024 bits that, when combined with the cyphertext, would yield another, valid plaintext message.

e.g.
Original Message = Hello, world!
OTP = AAAAAAAAAAAAA
Final Cyphertext = BBBBBBBBBBBBB
Reverse the process, and you get "Hello, world!"

But we could use:
OTP = GGGGGGGGGGGGG
To yield this Cyphertext = I like jelly!

Or:
OTP = PPPPPPPPPPPPP
To yield = Summer's here

which would still trigger alarms when checked for things like the frequency of characters, etc. After all, to someone eavesdropping, the OTP can be anything, can it not? Therefore the plaintext could also have been anything.

I hope the above makes sense. (?)

Re:Welcome to the club

[AHuxley]

Prying Eyes: Inside the NSA's War on Internet Security (December 28, 2014)
http://www.spiegel.de/internat...
It was always interesting to see what govs, mil and related security services made a public issue about vs what is just allowed to be offered to the public without comment over the years :)

Re:Welcome to the club

Dude the issue was found in the SOURCE code...a checksum would play no benefit...

Re:Welcome to the club

You are giving the bounds of the politicians gullibility too much credit...I don't doubt that some politicians that support limits on strong encryption MIGHT think that or have been convinced to think that but it is far more likely that the 'power structure' convincing them to think that way know full well that with wide spread strong encryption they'll lose control over the 'masses' it has nothing to do with any fear that 'dumb criminals with strong encryption would be a big threat'...think about it...a dumb/incompetent criminal would have 1000 different ways of screwing up & getting caught, encryption isn't going to help them...and of course banning wide spread use of strong encryption (or mandating backdoors) won't guard against the 'smart criminals' either...since they are a criminal than by definition they won't care about what law is in place telling them they can't use strong encryption since they'll just break that law along with whatever other laws they are intending to break....

Re:Welcome to the club

[mikael]

That wouldn't work. There would still be code reviews, a change list and all sorts of logs. Easier to just hack into a server and make the changes on the trunk branch.

Re:Welcome to the club

[KGIII]

I'm thinking they've got more than one repository?

Re:Welcome to the club

[KGIII]

Err... Unless you're sending one letter shouldn't you have a few more letters than AAAAAAAAA or BBBBBBBB?

Re:Welcome to the club

A true bitwise xor one-time-pad is as likely to be deciphered into a gif of the Mona Lisa as it is to be turned back into the original cleartext. The OTP can be anything, causing the source for a given ciphertext to literally be anything with equal probability. Even if you did correctly guess the OTP, you would have no reason to think that your solution was more legitimate than a random shakespeare sonnet, which could also be OTP, or the original cleartext. The point of the O is to use each encrypting bit once, and only once.

Re:Welcome to the club

[KGIII]

But what are the odds of the results being gibberish vs. the actual message?

Re:Welcome to the club

[skegg]

Most definitely. (And of course, I know you know that.)
I used very simple strings as keys in an attempt to aid the example. Apologies if that caused confusion.

I recall the first time I heard about OTP.
I remember thinking the same as you wrote earlier: that if you throw enough raw power at it you can still solve it; just that it's harder than "regular keys".

Then I read a wonderful explanation here on Slashdot (far better than my terrible attempt) and the penny dropped with a heavy thud. OTP are completely uncrackable *because the key can be anything*! Of course, this comes with all the caveats regarding key security.

I generally browse /. as AC, but logged-in to comment when I saw your initial comment. I typically enjoy reading your contributions / comments, and wanted to share this sentiment. What can I say ... it's Christmas ... I'm not my usual cranky self.

Re:Welcome to the club

[the_doctor_23]

The odds are 1 in ({number of different symbols per character} to the power of {length of ciphertext}) - 1 of it being the plaintext.
If the OTP is truely random, then a ciphertext can be decoded to any possible permutation of the same length with equal probability.

Take for example the ciphertext TIGZIFZOMASDRVBTJFVTS:

With an OTP of ABCDEFGHIJKLMNOPQRSTU it decodes to THEWEATHERISFINETODAY,
while an OTP of LPOIIXMGZUQDYDBGGCHNA yields ITSRAININGCATSANDDOGS.

Without knowing the original OTP you have no way of knowing which of these decodes (or all other legible) is the correct one.
Of course many decodes will result in gibberish as well (e.g. OTP 123456789012345678901).
In this case the probability that any given message is the correct one (without being able to decide that, of course) is 1 in 7,31e+43.
Its likelier to win the lottery and be struck by lightning on the same day.

To try it out for your self look here: http://www.braingle.com/braint...

Re:Welcome to the club

[KGIII]

Thank you and that confirms that I had thought to understand but can't one still crunch and then look at, systematically, to throw out all probable gibberish and then use machine learning, or similar, to make probable guesses and then keep refining either by human, circumstance, or additional metrics to reduct the probable answers until you can make a few educated guesses?

Of course, that would probably be defeated by making the code gibberish to begin with. Maybe that's what I'm missing? "PINKANDPURPLEGARBONZOBEANS" might not mean anything to you but it makes like five of us giggle like little school girls. (I can not explain, you would not understand, this is not how I am... *nods*)

So is that what I'm missing? 'Cause if the answer is no and the resulting text is "IMGOINGKILLHIM" then someone's eventually gonna figure that out if you've got patience. Unless I'm seriously missing something. I don't care enough (or know enough) to work on this but, it seems pretty likely that they'll still be able to, eventually, figure it out. Even if the phrase translated into 3,12e3 results that were in the appropriate language and with words that make sense, and person A sent a message to person B, and then person B died, well... We should be able to figure that one out.

Re:Welcome to the club

[KGIII]

Why thank you. I wrote a bit more on this.

http://slashdot.org/comments.p...

I could have sworn that I'd seen some of this discussed and maybe it's never really just clicked. The problem is, I don't have a clue where I read it. It might have been here? It might have been a scholarly work?

Re:Welcome to the club

[the_other_chewey]

Thank you and that confirms that I had thought to understand but can't one still crunch and then look at, systematically, to throw out all probable gibberish and then use machine learning, or similar, to make probable guesses and then keep refining either by human, circumstance, or additional metrics to reduct the probable answers until you can make a few educated guesses?

No. One-time-pads are random.
There is nothing in the transmitted ciphertext to even start any kind of probablility guessing.
The ciphertext you get by XORing the message with a random number of equal length is itself a
random number.

Of course, you now can generate random numbers of said length yourself and try them on the
ciphertext, but this is mathematically equivalent to just generating random cleartext
messages, without any input at all.

If you have some bits of intercepted ciphertext, all "decryptions" (really just an equal number
of randomly generated bits) are equally likely: A PDF version of the Bill of Rights, an animated
GIF of goatse, a rickroll video, random noise (lots), a JPEG of an upside-down portrait of Gandhi chasing
Roger Rabbit, Dick Cheney's voice calling for friday prayer...

It's the infinite monkeys on the bit level. And there is absolutely no way to tell which one is "correct".

Re:Welcome to the club

[KGIII]

I'm going to have to take your word for it but I am a mathematician and I don't really think we've got anything that's truly random. We have unpredictable pretty well covered but not true random. That's why most anything is a PRNG or CSRNG. In math we have some unpredictability that appears random, such as the occurrence of the number nine in pi. There's pretty good improbability results from decay - that *might* be random but probably isn't, we're just not able to know why so we still call even that pseudo-random. Maybe I'm missing something? Contrary to popular opinion, I do not know everything. ;-) But it seems likely that, with enough time and enough compute power, that if you sent a message to Tim and Tim burned down a house we'd be able to throw out any results that look like the Mona Lisa.

Re:Welcome to the club

[the_other_chewey]

I'm going to have to take your word for it but I am a mathematician and I don't really think we've got anything that's truly random. We have unpredictable pretty well covered but not true random. That's why most anything is a PRNG or CSRNG.

Yeah, OK. However: You being a mathematician, it should be clear to you that
"the amount of randomness" in an XOR operation is always the one from the more
random side (XOR preserves randomness) - that's why XORing multiple sources of entropy
never makes the randomness worse.

So the entropy of the ciphertext is equal to the entropy of the OTP keystream, and none of
the structural properties of the plaintext survive.

But it seems likely that, with enough time and enough compute power, that if you sent a message to Tim and Tim burned down a house we'd be able to throw out any results that look like the Mona Lisa.

No, it doesn't. No, we wouldn't.

The Mona Lisa, "burn down that house", "defend that house at all cost", "paint that house
blue with pink flowers", and "build a monument to our eternal noodleness" are all equally valid,
and you have no way to prove that your "deXORing", even if it is the original plaintext,
is the original plaintext.

The sender will always be able to provide a keystream that deXORs to "defend that house at all cost".

Again, trying all possible keystreams on a cipherstream is mathematically equivalent to just
pulling random bitstreams of the same length out of thin air. This has nothing to do with the amount
of computing power you have, which would just allow you to generate all possible messages faster -
without helping you at all to find the real one.

Without the original keystream, there is no message in the cipherstream.

Re:Welcome to the club

[mark-t]

Of course they know that banning widespread use of strong encryption won't guard against 'smart criminals', but I would argue that they likely believe there are far more 'dumb' ones.... laymen who are committing relatively small scale crimes and getting away with it because of the convenient and legal availability of strong encryption, where law enforcement cannot determine the difference between legal activity that happens to be private and illegal activity.

Banning encryption would do nothing to stop the most serious crimes, and would certainly not help law enforcement cope with anything as big as terrorism.... that they frequently try to spin the suggestion that it would is laughable because it is unsustainable. It suggests that the people who commit such crimes are otherwise relatively incompetent where there is no real reason to suspect that they are. I discard such an argument which they might present as superfluous, and an exaggeration at best that may only be getting used to try and generate sympathy for their cause.

However, the fact does remain that there is no lack of occasion where law enforcement has discovered an encrypted device during a criminal investigation and found themselves frustrated by attempts to decrypt it. I suggest, therefore, that their argument for wanting to ban strong encryption would be simply so that they would be able to discern between devices that contain innocuous information and devices that would criminally incriminate someone if their content were known. While I can be sympathetic to this kind of incentive, I do not allege that this argument convinces me that they *should* ban strong encryption, however.... because to do so would compromise everyone's privacy for what is, even if the government were entirely correct that banning strong encryption would enable them to eventually catch at least more of the bad guys than they currently do (which is not inconceivable), the net benefit to society could not possibly be positive. Law enforcement cannot be everywhere at once, and so the harm to innocent parties could be ongoing, and could happen in multiple places simultaneously because the Internet is not a geographical place, as opposed to those that are harmed by discrete and isolated incidents of terrorism that happen in specific locales. The conclusion is inescapable, even from a standpoint of being sympathetic to law enforcement's frustration with encryption, that banning strong encryption is not a sustainable solution that is in the best interests of protecting the greatest percentage of the general public

Re:Welcome to the club

[KGIII]

I get where you are missing my point which, I admit, was probably made in a separate thread. This is, of course, simply defeated and (probably) unbreakable by sending "PINKANDPURPLEGARBONZOBEANS" which will mean nothing to you but there are five of us on the planet who will absolutely know what it means and giggle like little school girls. So, it's useful but is it *truly* unbreakable if the message is "GOKILLHARRY" or the likes? By truly unbreakable, I don't mean damned hard - I mean truly unbreakable, that it can *never* be solved?

Thank you for your patience, by the way. It's hard for me to grasp the idea that there's something (like this) that math can not do - eventually. Maybe, before I die, I'll make a random OTP and cypher the digits to a Swiss bank account and whoever gets it right (and the password) will get the money in it. I guess I could do GPS coordinates.

Re:Welcome to the club

[the_other_chewey]

So, it's useful but is it *truly* unbreakable if the message is "GOKILLHARRY" or the likes? By truly unbreakable, I don't mean damned hard - I mean truly unbreakable, that it can *never* be solved?

YES! Provably (and proven) so!
(provided of course that your cipherstream stays secret.)
Again, in a OTP-generated cipherstream, there is nothing to solve.
It's random noise. Structureless. This is not an algorithmic cipher where the cipherstream
suddenly makes sense once your brute-forcing hits the right key bit-pattern. It's a random(!)
bitstream that, if XORed with a pre-shared key known to Alice and Bob, results in a plaintext.

But all other plaintexts generated by all other possible keystreams are equally likely, and the
"real" plaintext is in no way special. So every single OTP cipherstream decrypts to GOKILLHARRY.
And to DOLOVESUSIE.
And to JABBERWOCKY.
And to HOMOGENIZED.
And to ITINERARIES.
And to Fa4dohwaraM.
And so on.

None of which can be identified (ever! mathematically proven!) by an attacker as being the
plaintext that was sent. All plaintexts are equally likely (I'm repeating myself...).

You have to let go of the idea that there is a correct key that can be found (and recognized as
beingthe correct one, as opposed to all others that XOR to a readable message that is not
the message sent), or that there are some very difficult but theoretically possible calculations can
be made to identify the plaintext.
There isn't. There aren't.

OTP-encryption is different from all other encryption methods that way:
The only "algorithm" used is XOR, and there is nothing to break here.
Once there is a properly random OTP bitstream known to sender and recipient only,
and they don't lose that OTP to an attacker, the cipherstream is eternally secure.
It is - to repeat myself again - just random noise.

Thank you for your patience, by the way. It's hard for me to grasp the idea that there's something (like this) that math can not do - eventually.

Even better: Math has been used to proove that math cannot do it.

Maybe, before I die, I'll make a random OTP and cypher the digits to a Swiss bank account and whoever gets it right (and the password) will get the money in it. I guess I could do GPS coordinates.

That is equivalent to not publishing anything and just saying "whoever guesses the secrets
in my head wins", so people would have to brute-force account number and password by
running all possible combinations through the bank's customer desk. They might allow a
second try, maybe even a third - but then one will be politely and firmly escorted outside.

In other words: If you do that, you are donating the money to the bank. Forever.

Re:Welcome to the club

[KGIII]

Hmm... I read that and, well, I noted the part below your link. Namely, the problems section. Allow me to quote, if you will and do not object, to your own link:

Despite Shannon's proof of its security, the one-time pad has serious drawbacks in practice because it requires:

Truly random (as opposed to pseudorandom) one-time pad values, which is a non-trivial requirement. See Pseudorandom number generator.

Also, this but not as important:

The theoretical perfect security of the one-time-pad applies only in a theoretically perfect setting; no real-world implementation of any cryptosystem can provide perfect security because practical considerations introduce potential vulnerabilities.

I surmise that, simply, the proof is wrong as we have no true random and may never have true random. Hard as fuck, yes. Perfect? I object.

I'm pretty sure that I am missing something. Again, I thank you for your patience. Some things sink in slowly - I'm thinking that I'm not explaining it well.

If you send a cypher via OTP and someone goes and kills Harry then, by reasonable conclusion, with enough time - we can find that you, who sent the message, told that someone to go kill poor Harry (well, he probably deserved it). Random does not, as far as we know, exist. What we do have are probabilities. They are not the same.

Re:Welcome to the club

[the_other_chewey]

Hmm... I read that and, well, I noted the part below your link. Namely, the problems section. Allow me to quote, if you will and do not object, to your own link:

Despite Shannon's proof of its security, the one-time pad has serious drawbacks in practice because it requires:

Truly random (as opposed to pseudorandom) one-time pad values, which is a non-trivial requirement.

Drawbacks? Yes. Unsolveable ones? Absolutly not.

There are several natural processes that can be used to generate
random numbers (without pseudo-): Radioactive decay, thermal noise,
cosmic rays, ...

It's quite bothersome indeed to generate a useful amount (gigabytes+)of
randomness, but it is in no way impossible, and actually routinely done for
cryptographic purposes.

Also, this but not as important:

The theoretical perfect security of the one-time-pad applies only in a theoretically perfect setting; no real-world implementation of any cryptosystem can provide perfect security because practical considerations introduce potential vulnerabilities.

That's extremely weasel-wordy and gives no example of a vulnerability. This paragraph
should be removed as being totally content-free.

Yes, one shouldn't lose the OTP. Also, it is strictly forbidden to reuse it.
But beyond that, OTP crypt is really easy to implement and quite hard to screw up.

I surmise that, simply, the proof is wrong as we have no true random and may never have true random. Hard as fuck, yes. Perfect? I object.

What kind of a mathematican are you, exactly? There are very few absolutes
anywhere - mathematical proofs being one of the few notable exceptions. Once
something is proven in its system of axioms, it is absolutely and irrevocably true.
I'm close to giving up on you here...

If you send a cypher via OTP and someone goes and kills Harry then, by reasonable conclusion, with enough time - we can find that you, who sent the message, told that someone to go kill poor Harry

But not by breaking the intercepted ciphertext. You either get a confession, or find the OTP used.
The ciphertext alone is useless to prove any kind of message content, even with infinite resources.

Random does not, as far as we know, exist. What we do have are probabilities. They are not the same.

Random exists all over the place in nature.

Re: Welcome to the club

You're missing the point that a OTP can be decrypted equally easilly into ANY message you want it to be. Literally anything. Gibberish or not. And all of the messages are equally likely. OTPs are perfectly secure and unbreakable. This is cryptography 101, chapter 1.

Re:Welcome to the club

[KGIII]

Thank you for explaining and I see where you're coming from. I'm an applied mathematics grad, actually. I know, literally, almost nothing about encryption as it was simply not something that interested me and we barely covered it in any of the classes that I took.

And I think I get it now. We can go on and on about randomness. Now that I understand, I hope, one wouldn't really need true random in order to make use of this - even outside of a perfect world.

Re: Welcome to the club

[KGIII]

Yeah, I think I understand that now. Thanks. I've taken a look at a few links and I kind of grok it now. I'm mostly unfamiliar with cryptography though it was briefly, very briefly, discussed. It had nothing to do with the things I was planning on and so I never took an interest and never did any additional study. I probably should but I probably won't except to pick up bits and pieces here and there for curiosity.

Re:Welcome to the club

[swalve]

Are people really that spineless?

Snowden

This is EXACTLY a vulnerability that Snowden leak suggested. Juniper and ScreenOS by name.

Trust?

Thanks for disclosing this, Juniper, but why didn't you know about it three years ago? What else is hiding in your products? This is quite different from a software flaw introduced by a mere human. This is indicative of a poorly managed, haphazard approach to managing software development.

Re:Trust?

And you think there are security softwares - open OR closed source - that you can use which have NOT been back-doored by the NSA?

How cute.

Re:Trust?

Considering Juniper's VPN client still isn't 64-bit, I am not surprised in the least.

Re:Trust?

Sufficiently advanced malice is in distinguishable from incompetence.

Re: Trust?

You think compilers couldn't introduce these flaws?

Re:Trust?

[thegarbz]

This is indicative of a poorly managed, haphazard approach to managing software development.

There's nothing poorly managed or haphazard about it. This looks like software designed as required by a company which was told compliance will be rewarded.

Re:Trust?

This is indicative of a poorly managed, haphazard approach to managing software development.

There's nothing poorly managed or haphazard about it. This looks like software designed as required by a company which was told compliance will be rewarded.

We don't know that for certain. Could be a government mole working inside the company unbeknownst to the company. Could be a formerly-honest employee who was compromised by a government. Could be government compromised the build servers or developer machines using APTs or other malware. Could even be multiple governments in the company's network, all playing something that would resemble a cross between Spy vs. Spy and CoreWars simultaneously.

Re:Trust?

You really can't imagine a way that someone could insert seemingly-innocuous code into an otherwise well-managed project that breaks something crucial?

It doesn't even necessarily have to be malicious. Like... that time that Linux's entire /dev/urandom pool was reduced to virtually nothing, because someone committed a kernel patch to remove what they thought was pointless code not knowing it was a crucial part of the entropy generator?

Now obviously this code IS malicious in the worst way, but that makes it MORE likely to hide because it will hide by design, rather than someone foolishly altering what they don't understand and it slipping through.

Re:Trust?

[AmiMoJo]

Indeed. Most people wrote "GOTO fail" off as a mistake, but I'd say more than likely it was planted.

Re:Trust?

[Jeremi]

Indeed. Most people wrote "GOTO fail" off as a mistake, but I'd say more than likely it was planted.

If so, then at least the attackers there had the common decency to make it look like it could have been a mistake. Here they don't even try to hide their tracks -- shameless! :p

ScreenOS?

People still use netscreens? Oh wait we do... Luckily our code is too old to be exploited. Yay?

Hopefully, it was at least an exclusive club?

Did the backdoor let just anybody in, or did you have to have some key info to get in?

Best possible bad behavior: Adding a secure backdoor.
Worse behavior: Using a zero day instead of trying to get it fixed.
Worse still: Adding a backdoor that is a zero day for others to find.

Re:Hopefully, it was at least an exclusive club?

[StayFrosty]

Once the key gets out (and too many people know it for this not to happen) option 1 becomes option 3.

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Re:Hopefully, it was at least an exclusive club?

Option 1 would presumably imply some sort of public/private key cryptography which could be an extremely secure backdoor that may never turn into #3.

Re: Hopefully, it was at least an exclusive club?

Sure, but how many extremely secure private keys are they going to make? The more keys there are, the more likely one will be compromised. Obviously they can be revoked but by then its too late.

Just like a large company with herds of sysadmins, key wrangling is difficult to do correctly and mostly just relies on the good faith of the key holders

Who should you trust?

[Kevin+by+the+Beach]

It will come down to the point where network vendors will need to spend more of their time verifying their code hasn't been tampered with. It wont be enough just to have change control, but we will need to have change locking and verification. Exploits come from many directions, but is it worth the cost to fight both internal and external agents.

This compromise hits the bottom line directly. It will effect purchase decisions, just like having Cisco products intercepted and tampered with by the NSA effected their sales. I guess it's now a matter of who do we want listening in... (State actors...US, China, etc, Corporate actors... Google, Apple, Dell, or Network Providers... Verizon, AT&T , Level 3, Comcast...) Unfortunately it's never just one party attempting to listen in, or glom on....

   

Re:Who should you trust?

[AHuxley]

The typewriter is looking rather useful again :)
Re: "I guess it's now a matter of who do we want listening in."
Share a long paper book to a friend and have a one time pad system with all work done on paper before the encoded message is entered into any computer, network, system.

"Unauthorized"?

[fuzzyfuzzyfungus]

The phrase "Unauthorized code" smells of weasel wording. If the malware was injected afterwards(either through a network attack or a physical intercept-and-tamper, then the manufacturer could reasonably call it "unauthorized" or "malware" or similar; but if they shipped it, how much more 'authorized' do you get?

Perhaps "mistakenly authorized after slipping past scrutiny" or "authorized by one or more of our employees who is also a spook", or "we fucked up"; but not really "unauthorized". Were I a customer, I'd want a much, much, better account of how exactly this 'unauthorized code' came to be present, when, and who knew about it, who didn't, and why or why not.

Re:"Unauthorized"?

The phrase "Unauthorized code" smells of weasel wording.

No, if they are announcing it immediately after it was discovered (which is what they should do), it just means that they haven't yet tracked down how it got inserted into their code. They could have waited until they did that before announcing it-- because the very first thing anybody always asks is "how did it get there?"-- but it's better to announce it without waiting.

Figuring out how and why comes later, and I presume (or at least hope) that they'll tell us more when they have better information

Re:"Unauthorized"?

[rickb928]

Don't overthink this, and don't bother to conflate naivete with malice.

Despite multiple code reviews, it's probably insanely easy to slip in code that isn't reviewed for functionality or compliance. If they use Git or something similar, compromises there lead to the same thing.

Demanding a line by line code review doubles the work, but for that level of network hardware is probably essential now. Bad actors will make every effort to inject their backdoors into production code, and I suspect this was an inside job.

I also would not discount the possibility that this was someone's clever idea of some diagnostics to help them. Doubt they will take credit for this.

At work I am seeing a change in our development to apply the Agile processes to not only coding and design, but also testing and deployment. This has led to a team relying on unit testing, and failing to do functional testing on the product - with predictably disastrous results. This Juniper problem has heightened my interest in application security, and this will only lead to more testing, longer sprints, and longer development cycles. None of which will get traction with management unless someone takes an interest in the security risk.

But at work our security team defaults to assuming threats come from both within and without the corporate infrastructure. Rightly so. We see risks of data loss and unauthorized access equally inside and outside, and so we must also monitor all traffic, and they do identify and fingerprint all apps. Our most recent debacle involved an internal app. This data should never be sent outside the corporate network unless via VPN to an authorized device.

Juniper deserves some credit for finding this, though the time interval for reviewing code will probably need to be shorter. Overall, if I were still in infrastructure management, I would be less than thrilled about a firmware patch - I never trust those.

Re:"Unauthorized"?

[postbigbang]

Could be onerous, might be someone slipped in a fast fix because a big customer bitched that their ancient stuff wouldn't work, so how 'bout an exception?

The pending retirement of SHA-1 is just such an exception-handling nightmare.

Could also have been a stupid patch for a genuine bug.

And perhaps, their random-number seed generation was actually pseudo-random, and predictable. This is the problem with closed source: you don't know and must trust vendors to do the right thing. At least in this case, it *appears* they're doing the right thing. A small, downside possibility is that the new code brings its own problems. We can't and won't know.

Re:"Unauthorized"?

Overall, if I were still in infrastructure management, I would be less than thrilled about a firmware patch - I never trust those.

I agree most what you wrote, but could you elaborate a bit more that last sentence, please.

A hint to a direction that this is just a clever trick to get everybody upgrade* the firmware which eventually now got backdoor, or what?

Dang, that would be smart move from NSA, but I dunno how hard it would be to coerce or trick a large vendor in that.

*) free download ie. even without service agreement, just create account if you don't have one yet.

Re:"Unauthorized"?

> apply the Agile processes to not only coding and design, but also testing and deployment.

The problem with that is that Agile requires if something takes longer than a sprint then you cannot do it. That means a lot of security issues cannot be addressed if you use Agile.

At my current company, we have feature we promised customers that have not been delivered because our certified scrum master, as he should, refuses to allow any stories be done that take more than one sprint. We've already lost our two largest customers since switching to Agile, and we might lose another two of the ten largest.

Re:"Unauthorized"?

We do week long sprints so no fundamental improvements ever get done. There's a ton of known security problems after our last PCI audit, but most of the items can't be fixed since they can't be completed by development, tested, and verified by stakeholders within a week. Agile is going to put us out of business. An article I read about eight years ago about Agile that called it a suicide pact was right.

Re:"Unauthorized"?

[Gr8Apes]

Agile - something invented by people that did not want to document anything, not realizing that all they did was put themselves at the end of a bunch of bungie cords and get bounced about at the stakeholder puppetmasters whims, gathering crap and debris as they go. Not until the project is declared a failure do they come back with "but it didn't fail, we delivered all these incremental and desired items" while missing the point that incremental releases are irrelevant when you're needing a full product to be delivered last year.

Re: "Unauthorized"?

[rickb928]

If you've managed or freaky or dealt with complex systems, you know that software upgrades are often troublesome. Outright failures, bricked devices, lost functionality or configurations, intermittent problems, new bugs or interfaces, any or all these are a risk.

Did Juniper give NSA source code?

So are Juniper one of the companies that provided source code to the NSA? We can pretend its Russian hackers or Chinese hackers or whatever, but the reality is NSA has the history of doing this, probably had the source code and maybe even the assistance of employees.

Because the extra code would have to be in the SOURCE CONTROL system to survive every incremental upgrade, and so will have some user name associated with it to track it.

And this reminds me of the other big revelation, that the UK Spooks did mass surveillance and lied to UK Parliament to cover it up. Which included planting malware in a slightly cruder way:

http://www.theregister.co.uk/2015/12/16/big_brother_born_ntac_gchq_mi5_mass_surveillance_data_slurping/

"PRESTON, which collects about four million intercepted phone calls a year, has also recently been used to plant malware on iPhones, according to disclosures by former NSA contractor Edward Snowden. The phones were then targetted for MI5 "implants" (malware), authorised by a ministerial warrant."

You may also remember GCHQ 'Smurfs' software for mobile phones.

Dreamy Smurf. turns phones on when they are off.
Tracker Smurf turns on the GPS
Nosey Smurf turns on the microphone and listens in

I wonder how Dreamy Smurf can do something that is a system protected function without the help of Google or Apple. It seems remarkably easy to get around the security.

Re:Did Juniper give NSA source code?

"I wonder how Dreamy Smurf can do something that is a system protected function without the help of Google or Apple."

NSL

Re:Did Juniper give NSA source code?

Hey! You're not allowed to talk about that.

Is this FEEDTHROUGH?

Is this the project codename FEEDTHROUGH that was revealed to the public by Snowden 2 years ago?

compromise my text-editor

[yes-but-no]

If my vim/emacs or any other text editor is compromised [or why not compromise the file-system itself..so it will serve "good" file for reading and supply the souped-up version only to the compiler], how will I even spot the issue?

Come on ..when you can put in wrong code directly in the OS.. they should've gone ahead and put it right inside the file-system/editor/display-system. Reminds the story of login program vulnerability put inside C compiler by Ritchie.

Re:Just being helpful

No, we must deal with the biggest threat first.

what is their development strategy?

[i_ate_god]

Every commit I make at work is required to have at least one peer review and its' recommended to have two and we are not selling security-related software.

I've never heard of this company, but this revelation speaks volumes to their poor development strategy. Maybe they fell in love with buzzwords like Agile or Waterfall or whatever without realizing that proper processes like peer reviews have nothing to do with these buzzwords. Either way, they can not be trusted for letting this happen. Either they do not review their own code on a regular basis, or parts of management are corrupt for letting this happen. Either way, probably time to stop doing business with them.

Re:what is their development strategy?

[yes-but-no]

Very likely they directly changed in the SCM and covered the tracks [erase in log files etc]. That is not going through a developer workflow (using code-review, commit etc). Once you know which file to add the snippet too, it's a simple task. And in a very stable OS, some of the OS related code [things which manage TCP say] hardly change for years and it's very easy to hide the malware and be spotted.

Re:what is their development strategy?

Just because you peer review it, doesn't mean that is the actual package that gets submitted :) Do you check it post submit or is it just one of those things they do to say "we peer review" and get management credit for it?

Re:what is their development strategy?

> Every commit I make at work is required to have at least one peer review and its' recommended to have two and we are not selling security-related software.

So, I suspect you have no bugs then.

Even if one of your cow-orker wanted to make something that mis-behave, you are 100% confident that those fantastic code reviews will catch them.

Even if one of the most powertful organisation of the world infiltrated your workforce, you are confident that those code reviews, even if done by individual from that organisation would catch the issue, because reasons.

Yeah. Of course.

Re:what is their development strategy?

Just because you peer review it, doesn't mean that ...

anyone else understands the crypto well enough to know which ecc values are good, or poor.... Crypto has often been filled with "magic" values, and one value often looks the same as another to most of your peers (unless your peer is someone like Whitfield Diffie).

Re:what is their development strategy?

You've never heard of this company ?!?!?

This revelation speaks volumes about you don't know what the fuck you're talking about.

Re:what is their development strategy?

[ByteSlicer]

Every commit I make at work is required to have at least one peer review and its' recommended to have two and we are not selling security-related software.

You may vet your code all you want, but if someone compromises your build server's compiler, your binaries may contain backdoors anyway, just ask Ken Thomson

Re:what is their development strategy?

[i_ate_god]

goes through branches before making it to trunk

Not the official back door?

[mschaffer]

So, they were sitting around the table at the code review meeting and nobody knew which government asked for THAT back door?

Configuration management?

Configuration management? Don't they have it? Did they also remove any log entries showing the changes?

I smell disgruntled employee (or a paid off one).

What was the change?

Is the backdoor now officially authorized?

Sonicwall NSA

[Sir_Eptishous]

A while back we migrated from a Juniper to a Sonicwall NSA(Network Security Appliance).
I can just imagine the laughter generated at Sonicwall and at the NSA when this product line was announced...

Re:Sonicwall NSA

Sonicwall? That's a heck of a downgrade. Certain environments though I could see it since Sonicwalls are easier for systems admin types to administer in addition to servers.

Also, CDW at least is terrible about recommending Sonicwalls as replacements for anything, so you might have gotten swindled by a vendor. Once had a CDW job come through to replace an HA pair of Checkpoint NGX firewalls with a pair of NSA 3600s. Very painful since there was so much the Checkpoints were doing which a Sonicwall is simply not functionally capable or equivalent. The first conference call with the customer, I outlined there existing VPN structure was a no-go and would certainly be changing.

Alternatively ...

[AnomalousTurd]

Maybe they want to ADD a backdoor?

worked as intended.

signed,
nsa

Telnet

Well, with a telnet daemon running, who needs a backdoor?

Translation:

[kheldan]

An undercover (national || foreign national) government agent infiltrated our company and inserted a 'backdoor' into our firewall code

..or..

A member of a (criminal || terrorist) organization infiltrated our company and inserted a 'backdoor' into our firewall code

..or..

A (national || foreign national || criminal) organization (paid off || extorted) a Juniper Networks employee to insert a 'backdoor' into our firewall code

Take your pick from any of the above theories, since 'unauthorized' is about as thinly-veiled a euphemism as you can get.

Congressional investigation?

[sshir]

Assuming that NSA did that, can this even be legal? I mean, to sabotage an entire line of products of an American company by an American government agency? It's like if FDA went and injected all MacDonald's happy meals with cadmium.

One thing is to pay them, as they did with RSA, and another is to actually break their code. Or maybe Juniper was paid, but subscription has lapsed?

Re:Congressional investigation?

Legal doesn't matter to them. Especially when judges shit out their brains whenever the magical words "national security" are uttered.

Re:Congressional investigation?

This sounds a bit like a VW detective story.

If 'unauthorized' means they unintentionally shipped it,
then there should be an audit trail in the source control system.

There may soon be a queue of liability lawyers checking on this.

Congress may have to wait their turn.

Re:Congressional investigation?

[Jeremi]

They'll have to wait their turn -- the Congressional investigating committees are all booked up until November 2016, investigating Benghazi and Planned Parenthood.

Juniper + Google Fiber in Nashville

Saw stacks and stacks of Juniper devices at the location in Nashville where Google is building out their Fiber datacenter.

Juniper + Google Fiber in Nashville

Saw stacks of Juniper devices at the location in Nashville where Google is building out their Fiber datacenter.
http://imgur.com/OzHk9Y6
http://imgur.com/FQ4htyr

So they do not have working source-code management

[gweihir]

Because if they had that, then all code would be authorized and signed off on. At least they found the problem, but this is really amateur-level.

Security is a matter of layers

[snowsnoot]

This is why you should not rely on a VPN or any single layer solely as your entire security solution. Multiple layers of encryption and AAA and best practices are required. Its all about making it harder for the bad guys. No solution is fool proof.

Re:Security is a matter of layers

[Jeremi]

This is why you should not rely on a VPN or any single layer solely as your entire security solution. Multiple layers of encryption and AAA and best practices are required. Its all about making it harder for the bad guys. No solution is fool proof.

I don't disagree, but the usual problem in practice is that each additional layer of security adds an additional layer of inconvenience for the user, and at some point people who want to just get their work done start finding ways to "get around" the inconvenience (e.g. by using their personal laptop instead of the difficult-to-use company-issued laptop), and then we're back to square one.

I wonder if there is any practical way to automate the layering of multiple levels of security, so that it would be as transparent as possible to the user? (Of course it would need to be done carefully, so that it doesn't also automate the subversion of multiple layers for an attacker ;))