Questions Linger As Juniper Removes Suspicious Dual_EC Algorithm

msm1267 writes: Juniper Networks has removed the backdoored Dual_EC DRBG algorithm from its ScreenOS operating system, but new developments show Juniper deployed Dual_EC long after it was known to be backdoored. Stephen Checkoway, assistant professor of computer science at the University of Illinois at Chicago, said that he and a number of crypto experts looked at dozens of versions of Juniper's NetScreen firewalls and learned that ANSI X9.31 was used exclusively until ScreenOS 6.2 when Juniper added Dual_EC. It also changed the size of the nonce used with ANSI X9.31 from 20 bytes to 32 bytes for Dual_EC, giving an attacker the necessary output to predict the PRNG output. 'And at the same time, Juniper introduced what was just a bizarre bug that caused the ANSI generator to never be used and instead just use the output of Dual_EC. They made all of these changes in the same version update.'

Are you insane?

[Okian+Warrior]

I think the NSA is doing what NSA needs to do. That being said, if they forcefully compel a company to allow backdoor into products, the government should be prepared accept all subsequent financial liability (that is, bail out the company) that would likely arise as a result of the would-be PR disaster. No private company should stick their neck out for the government.

Are you nuts?

An entrepreneur with an idea starts a business, builds it over the course of many years, has a sizeable value and clientelle and personal integrity and a duty to stockholders.

The NSA compels him to put a backdoor in his product, so that if it's found out he loses credibility, his business loses value, clients (especially international ones) flee to other products, stockholders lose value, and in all probability workers lose jobs...

And you think this is OK because the government will bail him out?

Bail out what?

The company might very well be irrecoverable, and in any event the owner might want the company more than its monetary book value (because he likes running the business, or because he wants to leave something to his kids), and the government isn't known for paying book value on eminent domain seisures.

In addition, knowing that the NSA does this to one company, customers abroad assume that they have done this to many others, and avoid American products in general. Our economy takes a big hit, people are unemployed and miserable, the government has less tax money to do things, and we're less safe because of it.

Your position has no rational logic. Are you insane?

Re:NSA has ruined the American tech sector

[Aighearach]

The part I find really funny is the claim that they don't even know where the updates came from.

Yeah, haha, we don't use version control either! Oh, wait, yes we do. It is free and saves time and money.

You push out firmware updates without version control?! I guess George just makes a zip file, and emails it to Frank who burns a CD and mails it to the company flashing the EEPROMs... oh wait.

And if you read about how deeply the Russians infiltrated the US nuclear program, then you'll realize that there is no need for outsourcing to enable foreign governments to be responsible for some fraction of the discovered exploits, back doors, side doors, trap doors, and dishonest press releases.

If they don't even have their software under version control, how can we trust them to know what press releases they actually made? Maybe it was planted in their files after they didn't give it, and they never gave it! They can't even trust themselves, if they're paying attention. But I suspect they're paying enough attention to not to be paying attention.