Slashdot Mirror
The Juniper VPN Backdoor: Buggy Code With a Dose of Shady NSA Crypto (csoonline.com)
itwbennett writes: Security researchers and crypto experts now believe that a combination of likely malicious third-party modifications and Juniper's own crypto failures are responsible for the recently disclosed backdoor in Juniper NetScreen firewalls. 'To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge!,' Matthew Green, a cryptographer and assistant professor at Johns Hopkins University wrote in a blog post. 'They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world. And all because Juniper had already paved the road.'
Never attribute to a National Security Letter what can adequately be explained by incompetence. Or was it something else?
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
This isn't a "backdoor," it's an officially sanctioned terrorist detector.
Good job NSA!
The demands for "Government Backdoor to All Encryption" need to stop! Installing a back door makes it available for _EVERYONE_, not just some agency which may or may not have a warrant. Not that we _will_ see it stop, just that it should.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
This isn't the first excellent post by Matthew Green. His other on ECC was also informative and scary.
Juniper equipment manages industrial control systems, (like the kind used in nuclear power plants) and we rely on encryption for every part of our online experience - not to mention classified data that presumably protects Americans. The passive collection of VPN data Mr. Green suggests probably happened, and the active exploitation of equipment Snowden revealed by the NSA is a much bigger story than collecting phone records ever was.
The infosec community making fun of Hillary for suggesting a manhattan project for encryption is funny, but this underlines a serious lack of understanding by too many people in high places.
What would be useful right now would be the release of any Snowden docs that might have information about potential NSA/FBI policies that network equipment manufacturers have adopted in order to put backdoors into their products. Those polices would be in the same vein of the backroom deals that printer manufacturers have with the US Secret Service to put hidden codes on printed documents to help trace them back to the printer on which they were produced.
If there are such docs existing then fuck Glenn Greenwald and the other media gatekeepers from releasing them to the public.
For the good of all internet users and as Internet of Things becomes more prevalent.
Back doors must be banned and criminalized with severe punishments enacted and strong encryption must be mandated for all devices living on the internet.
From smart electric meters, household appliances, thermostats, door locks to light bulbs any IoT or other device accessible from the internet all present a risk from malicious actors individuals or nation states.
This isn't the first excellent post by Matthew Green. His other on ECC was also informative and scary. Juniper equipment manages industrial control systems, (like the kind used in nuclear power plants) and we rely on encryption for every part of our online experience - not to mention classified data that presumably protects Americans. The passive collection of VPN data Mr. Green suggests probably happened, and the active exploitation of equipment Snowden revealed by the NSA is a much bigger story than collecting phone records ever was. The infosec community making fun of Hillary for suggesting a manhattan project for encryption is funny, but this underlines a serious lack of understanding by too many people in high places. We are shooting ourselves in the foot by letting the NSA hold onto this encryption pipe dream.
already looking to shift the blame onto China or Russia? Hilarious.
So it's like the government wants to put a new lock on all cars so they can easily check to see if a bomb/terrorist is inside. The owner keeps a unique key and in parallel the gov't has a master key that works on all cars. And the gov't keeps that master key nice and safe and sound in their mega-safe vault somewhere underneath Washington DC. Sounds great!
But what happens if that safe does get broken into by bad guys and the master key is stolen just like in the movies? Sure, if for some reason Bruce Willis gets killed in the first five minutes and can't catch the bad guy they can simply change to a new key for all future cars. But are they going to change the locks on every car that it was already installed on?
(Pause thoughtfully)
It's the same exact thing as removing existing security from every car out there. The gov't needs to find a different, more intelligent way to look in car windows to see if there's a bomb/terrorist inside.
Y'know, face the fact that their job is really hard and do things the old-fashioned way, do their intelligence job using intelligence, not shortcuts.
Captcha: squirmy
Getting into encryption at the vpn/router level does not really make it easier to catch the bad guys, unless that bad guys actually own the router. Bad guys using encryption are encrypting end to end, not the that level. Maybe I am missing something.
No one seriously wants to try to backdoor all crypto. This is just basic sales 101. They scream "we demand a back door!" for a while, knowing damn well it'll never happen, so that they can work out a "compromise" everyone is much more willing to accept, because hey, at least they aren't going to make EVERYONE do it.
Judging from what i've read so far it is pretty obvious that the original Dual_EC_DRBG-based backdoor was placed there quite intentionally. Juniper has a lot to answer for.
The US government does that with suitcases. You now get to buy suitcases that have a three digit combination lock, as well as a special DHS lock that bypasses that combination lock.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
The problem with back doors is that they can lie in the software for long periods of time while data theft continues unknown to its owner. Stealing a physical key, stealing a pickup (and sending it to Syria) or car will likely be noticed quickly. And of course, there may be multiple back doors, so swatting down one of them doesn't ensure data security.
As many writers in these forums have noted, once a back door is installed, anyone, good or bad, with the appropriate tools and skill can open the door. The distinction between bad and good guys seems to be blurred these days.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
If you want to compromise networks carrying sensitive data, you do.
That makes more sense for physical locks. You can reasonably criminalize unauthorized possession of one of those keys, which means if someone commits a crime with one and gets caught, you can nail them to the wall. And because you can't unlock a suitcase from across the planet, it's fairly likely that you can catch someone eventually, and that they'll be in your jurisdiction to actually arrest them.
Someone in a hostile country gets ahold of a master encryption key? You might never find out, and if you do you can't catch them, and if you catch them you can't prosecute them.
That's a service to you. They do that so that your suitcase remains intact. Otherwise, the lock on your suitcase would simply be broken, rendering the locking mechanism useless and the bag ugly.
Religion is what happens when nature strikes and groupthink goes wrong.
Criminalizing things doesn't work at this point... 99.9% of the population is currently implicated in something illegal, with selective enforcement being applied politically. What needs to happen is holding ceo's or owners of corporations personally accountable for their cash cow's actions. Making fines income/profit based could help too. What was it Capone said? I made a million dollars last year and it only cost me 20 grand (regarding tax evasion).
But who's to say this isn't the cover story for the "Government VPN Encryption" program where a foreign entity managed to "steal" the backdoor password so now everyone has to patch.
Bet we hear similar things from cisco in the coming weeks/months.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
I know what is in it cause we have the complete set of source code and it's actually easy to buid cause it's properly documented and everything. For those who don't know libreCMC is the only real embedded distribution for routers that is 100% free. With other distributions there are non-free parts and even digital restrictions in some cases. Of course most off the shelf routers are non-free and locked now due to FCC rule changes sadly. If your not aware check out ww.savewifi.org
First it is an incredibly simple key the DHS uses, a plastic thing with 3 prongs on it, they have to make thousands one for each DHS/TSA agent.
People already made copies of it and started stealing things from your bag at the airport.
A physical key like the TSA one can be duplicated by just having a picture of it. The analogy is actually pretty good here.
Suspect there's a back door and you'll probably find it. KNOW there's a back door and it really doesn't take so long.
Or, like real keys, someone opens the lock and reverse engineers the master key. Then every lock is compromised. That's why people panic when root certs have issues. They are essentially master keys to certain types of locks.
Learn to love Alaska
Watch some of the border security shows sometime. They can get into your suitcase without opening the lock, then seal it back like they were never in. Only a keyed hardcase with real latches will keep anyone out. Zippers are secure against someone who doesn't have 5 spare seconds to untraceably open and reseal it.
Learn to love Alaska
"malicious third-party modifications and Juniper's own crypto failures are responsible for the recently disclosed backdoor in Juniper NetScreen firewalls."
Given todays computing model, where clicking on a link opens up a two-way connection to a server and executes remote code on your computer, the firewall is next to useless.
We don't need to second guess as to who did what. Open source your code ...
Anybody now understand what would happen.
Retards the lot.
Now you just have to hope that the compiler hasn't got a backdoor generator built into it (the Ken Thompson hack)...
... can't unlock a suitcase from across the planet YET.
FTFY, the IoT disaster will take care of that.
How cute. Corporations now ARE the government. They are the de facto rulers, and the State only enforces their will. It's us little people who must watch our every step because we can never know when our benevolent rulers may decide to make an example of us.
Does the rabbit hole go?
Who knows what pressure the criminal US regime is putting on US companies to allow it to violate citizens civil liberties? It is best to avoid US hardware and software completely, or you will end up paying the price. With a history of economic espionage, I certainly wouldn't be exposing my company to the risk of American spying.
We need a mainstream front page news article "Government encryption backdoor is exploited by criminals." Instead the mainstream coverage fails to connect the Juniper story to the debate on backdoors at all. e.g. CNN runs with: "Newly discovered hack has US fearing foreign infiltration", an article stoking fears over hackers and cybersecurity without once mentioning the keys put under the mat by the government.
Hi res photos of the DHS keys were posted on reddit a few months ago.
If that suitcase was purchased at Walmart, you are an Ubuntu user. Congratulations.