Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Juniper VPN Backdoor: Buggy Code With a Dose of Shady NSA Crypto (csoonline.com)

Posted by samzenpus on from the protect-ya-neck dept.

itwbennett writes: Security researchers and crypto experts now believe that a combination of likely malicious third-party modifications and Juniper's own crypto failures are responsible for the recently disclosed backdoor in Juniper NetScreen firewalls. 'To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge!,' Matthew Green, a cryptographer and assistant professor at Johns Hopkins University wrote in a blog post. 'They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world. And all because Juniper had already paved the road.'

4 of 61 comments (clear)

  1. Well, like my papa used to say by penguinoid · · Score: 5, Insightful

    Never attribute to a National Security Letter what can adequately be explained by incompetence. Or was it something else?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  2. Well, like James Comey used to say by q4Fry · · Score: 4, Funny

    This isn't a "backdoor," it's an officially sanctioned terrorist detector.

  3. This is why by s.petry · · Score: 5, Interesting

    The demands for "Government Backdoor to All Encryption" need to stop! Installing a back door makes it available for _EVERYONE_, not just some agency which may or may not have a warrant. Not that we _will_ see it stop, just that it should.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  4. This is getting crazy by Anonymous Coward · · Score: 4, Insightful

    This isn't the first excellent post by Matthew Green. His other on ECC was also informative and scary.

    Juniper equipment manages industrial control systems, (like the kind used in nuclear power plants) and we rely on encryption for every part of our online experience - not to mention classified data that presumably protects Americans. The passive collection of VPN data Mr. Green suggests probably happened, and the active exploitation of equipment Snowden revealed by the NSA is a much bigger story than collecting phone records ever was.

    The infosec community making fun of Hillary for suggesting a manhattan project for encryption is funny, but this underlines a serious lack of understanding by too many people in high places.