Questions Linger As Juniper Removes Suspicious Dual_EC Algorithm (threatpost.com)
msm1267 writes: Juniper Networks has removed the backdoored Dual_EC DRBG algorithm from its ScreenOS operating system, but new developments show Juniper deployed Dual_EC long after it was known to be backdoored. Stephen Checkoway, assistant professor of computer science at the University of Illinois at Chicago, said that he and a number of crypto experts looked at dozens of versions of Juniper's NetScreen firewalls and learned that ANSI X9.31 was used exclusively until ScreenOS 6.2 when Juniper added Dual_EC. It also changed the size of the nonce used with ANSI X9.31 from 20 bytes to 32 bytes for Dual_EC, giving an attacker the necessary output to predict the PRNG output. 'And at the same time, Juniper introduced what was just a bizarre bug that caused the ANSI generator to never be used and instead just use the output of Dual_EC. They made all of these changes in the same version update.'
We really need to resurrect the House Un-American Activities panel. It sure seems to me that the NSA is hellbent on destroying American networking and computing companies - and that's about as Un-American as it gets.
#DeleteChrome
They were a backdoored company with backdoored code running a backdoored algorithm. What's the question? Never buy anything they ever touch again. They are just poison.
If there's a question in your mind, you aren't thinking clearly.
"They made all of these changes in the same version update."
Immediately following a visit from the mob, no doubt.
It's hard to say 'NO' when you have a gun at your head.
"'It also changed the size of the nonce used with ANSI X9.31 from 20 bytes to 32 bytes for Dual_EC, giving an attacker the necessary output to predict the PRNG output. And at the same time, Juniper introduced what was just a bizarre bug that caused the ANSI generator to never be used and instead just use the output of Dual_EC. They made all of these changes in the same version update."
Bizarre bug and coincidental, I'm sure... No Such Accident has ever been noticed at Juniper, hmm?
Should we go back to telnet?
“He’s not deformed, he’s just drunk!”
Considering we don't manufacture much of anything anymore, and Silicon Valley was one of our few shining beacons of prosperity, I wonder how the traitorous assholes at NSA sleep at night. Was it worth it?
Keep in mind that the only reason to close one backdoor is because another has already been opened - likely one much harder to find.
Meet face to face, use a one time pad, number stations. Type on paper in a secure vault.
At a national level stop importing and using export grade junk standard crypto and create your own trusted networking systems.
It will be expensive, slow, hard to cool, power demanding work but it will be your own system that is fully tested and understood from the domestic fab up.
Local staff and experts' loyalties are a lot easier to ensure long term than allowing fully imported hardware on secure gov networks.
It was telling during the US and UK gov/mil crypto comments over the years that the UK and US did not seem interested in denouncing VPN use or onion routing.
The world's standards and interconnects belong to the five eye nations https://en.wikipedia.org/wiki/.... Trap doors, back doors and tame standards are just all part of getting plain text or the origin ip every decade.
The other aspect is who has the keys. Five Eyes nation staff, ex staff, former staff, trusted third party nation invited in, all their ex staff, former staff.
Domestic spying is now "Benign Information Gathering"
The NSA is strong in this one. Feel the NSA Luke! Feel its power! Be drawn in to the power of the ??? side...
I think the NSA is doing what NSA needs to do. That being said, if they forcefully compel a company to allow a backdoor into products, the government should be prepared to accept all subsequent financial liability (that is, bail out the company) that would likely arise as a result of the would-be PR disaster. No private company should stick their neck out for the government.
Look at the complexity of that hack, someone has gone to such lengths to ensure access to communications from a company that is supposed to be a cryptographic expert.
It's worth looking again at the voting machines. How is their software verified clean from similar hacks?
How do they communicate with the central counter? Is it hacked? Do they connect through Juniper or Cisco routers? i.e. is the basic voting system compromised by a backdoor?
Note: Cisco has found backdoors too:
http://www.computerworld.com/article/2487598/security0/cisco-says-it-will-fix-backdoor-found-in-routers.html
> "Cisco Systems promised to issue firmware updates removing a backdoor from a wireless access point and two of its routers later this month. The undocumented feature could allow unauthenticated remote attackers to gain administrative access to the devices."
Firefox turned off SHA-1 signed certificates as of Jan 1, 2016. Good riddance. SHA-1 was weak. And all was well until last week.
It seems someone went and filed a bug report about being stuck behind an old security filter that still uses SHA-1 and now they can't do https. Sorry about that. Maybe we could offer an optional patch to get you folks back on line until your crappy IT department gets its act together and fixes your firewall. And the rest of the world could go on about their business, knowing that a crappy algorithm has been put to death.
But Noooo! I've got to put up with hourly nag popups, asking me to upgrade to 43.0.4 which re-enables SHA-1 certificates? Why? Because a couple of people are stuck behind crappy hardware? Doubtful, because the logical solution would be an optional patch for the few who need it. Is it possible that there is still a lot of NSA MITM gear out there, based on SHA-1 that suddenly 'went dark'? That's my guess. And I think someone leaned on the Mozilla Foundation to get their crappy digest algorithm back.
They work in the opposite way. If you don't do what they want, then they blackball you and f*** you over as much as possible, even going so far as to trump up some charges for your CEO after they do everything they can to bankrupt you.
> I think the NSA is doing what NSA needs to do. That being said, if they forcefully compel a company to allow a backdoor into products, the government should be prepared to accept all subsequent financial liability (that is, bail out the company) that would likely arise as a result of the would-be PR disaster. No private company should stick their neck out for the government.
Are you nuts?
An entrepreneur with an idea starts a business, builds it over the course of many years, has a sizeable value and clientele and personal integrity and a duty to stockholders.
The NSA compels him to put a backdoor in his product, so that if it's found out he loses credibility, his business loses value, clients (especially international ones) flee to other products, stockholders lose value, and in all probability workers lose jobs...
And you think this is OK because the government will bail him out?
Bail out what?
The company might very well be irrecoverable, and in any event the owner might want the company more than its monetary book value (because he likes running the business, or because he wants to leave something to his kids), and the government isn't known for paying book value on eminent domain seizures.
In addition, knowing that the NSA does this to one company, customers abroad assume that they have done this to many others, and avoid American products in general. Our economy takes a big hit, people are unemployed and miserable, the government has less tax money to do things, and we're less safe because of it.
Your position has no rational logic. Are you insane?
I'm an implementor of non-backdoored RNGs that are very widely deployed. However, to be able to do that well you need to understand the many ways to backdoor RNGs, so you can take preventative measures to prevent other people backdooring your design.
So I know many ways to backdoor an RNG. If I was trying to do that, why would I choose an RNG that was already widely known to be backdoored?
So either they are back at backdooring, or not good at not backdooring.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Is what is needed.
NSA Helped British Spies Find Security Holes In Juniper Firewalls Quote: "... British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks..."
... eventually
Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors Quote: "This is a very good showcase for why backdoors are really something governments should not have in these types of devices because at some point it will backfire."
New Discovery Around Juniper Backdoor Raises More Questions About the Company Quote: "Juniper added the insecure algorithm to its software long after the more secure one was already in it, raising questions about why the company would have knowingly undermined an already secure system."
Juniper 'fesses up to TWO attacks from 'unauthorised code'
'Unauthorized code' that decrypts VPNs found in Juniper's ScreenOS Quote: "And it may have been there since 2008, making this a late contender for FAIL of the year."
How to log into any backdoored Juniper firewall -- hard-coded password published
Juniper promises to fix ScreenOS cryptography
Listen up, FBI: Juniper code shows the problem with backdoors Quote: "FBI director James Comey should be taking notes: The Juniper debacle shows why security experts are up in arms over government-ordered backdoors."
Another quote from that article:
"Cryptographic backdoors are one of the best ways for attackers to break into systems. '[The backdoors] take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes,' Green said.
> I think the NSA is doing what NSA needs to do.
Based on what evidence? What do you know about how any of this was leveraged or why it was done?
> That being said, if they forcefully compel a company to allow a backdoor into products,
What do you mean by force? Withholding contracts? Bribes? Vindictive leverage of regulatory sticks?
> the government should be prepared to accept all subsequent financial liability (that is, bail out the company) that would likely arise as a result of the would-be PR disaster.
LOL
> No private company should stick their neck out for the government.
Have no fear CISA is here.
Links to 8 more articles about Juniper posted below
Step 1: Privately encourage companies to utilize 'govt. compliant' encryption routines 'for security purposes', implied to be tied to govt. contracts.
Step 2: Hire everyone you can who has the education needed to understand said cryptographic schemes. No amount of money is too high.
Step 3: Enjoy the brain drain. Every person who works for you is a person who doesn't work for those you want to surveil (i.e. everyone else).
Step 4: Watch public and private sector security researchers be overwhelmed by the sheer number of ways and places to be compromised, and realize you don't have to backdoor everything your targets use, merely ONE of the things they use. Of course, very few researchers who can understand the cryptography involved aren't on your payroll.
TL;DR: the attackers outnumber the defenders so overwhelmingly that the latter can't keep up with the former.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
NSA = No Sales for America
I find it shocking that articles about the NSA seem to start from the assumption that, except for the theft of a huge amount of data by an employee of a sub-contractor, Edward Snowden, the NSA is well managed. To me, it is utterly obvious that the NSA is not well managed.
If NSA employees can listen to all telephone calls, do you think that none of them notice an increase of traffic at a company and listen to the recordings to find stock tips?
My perception is that governments don't manage technology companies well. (NASA and the U.S. Department of Energy, for example.) Part of the reason is that the best technology people want to work for organizations that are known for their good work. A government, especially a secret government agency, cannot hire the kind of people who are creative with technology. What technology genius wants to go to prison if he talks about his work?
I posted links to 8 more articles about Juniper Networks below. A quote from one of them:
"Cryptographic backdoors are one of the best ways for attackers to break into systems. '[The backdoors] take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes,' Green said."
It is definitely not reasonable to think that the NSA can hire people who are smarter than all those who want to break into computer systems. Cryptographic backdoors are a bad idea, and not only because they kill the sales of any nation that sponsors them.
When a government agency can break into any company's affairs, do you think the managers never take advantage of that information to make money?
Who chooses the sub-contractors, and decides how much they are paid? Suppose a relative of an NSA manager owns a contracting company?
Secrecy causes huge problems. It is difficult or impossible to review the quality of management. Bad managers can hide their mistakes. That effectively assures that the management will be poor.
Also, democracy works only if citizens can know what the government is doing.
The NSA is based on an idea that just does not function correctly, and cannot be made to function correctly.
Leave it up to /. to assume it's about some giant conspiracy. In reality it's almost definitely about an elliptical curve patent troll. Aka most companies don't care about politics, they care about money.
http://www.theregister.co.uk/2...
Tons of companies have been sued over this in the last few months. Given the perfectly good alternatives, why would any company not remove EC from their products?
These events sound dodgy as hell with sticky NSA fingers all over it. I would be pissed off if I was a Juniper shareholder. Who the hell is going to trust/buy Juniper kit now? They just handed their foreign competitors a huge bone - if not them then Cisco is looking pretty.
Bingo. Through this abuse, the NRA is now self-funding (at least for off-shore executive 'bonuses').