

Congress Gives Federal Agencies Two Weeks To Tally Backdoored Juniper Kit (csoonline.com)

itwbennett writes: In an effort to gauge the impact of the recent Juniper ScreenOS backdoors on government organizations, the House of Representatives is questioning around two dozen U.S. government departments and federal agencies. The U.S. House of Representatives' Committee on Oversight and Government Reform sent letters to the agencies on Jan. 21, asking them to identify whether they used devices running the affected ScreenOS versions, to explain how they learned about the issues and whether they took any corrective actions before Juniper released patches, and to specify when they applied the company's patches. The questioned organizations have until Feb. 4 to respond and deliver the appropriate documents, a very tight time frame given that 'the time period covered by this request is from January 1, 2009 to the present.'

77 comments

  1. In other words by Anonymous Coward · · Score: 0

    House Republicans go on Yet Another Fishing Expedition.

    1. Re:In other words by Anonymous Coward · · Score: 1, Interesting

      In other words you oppose effective government oversight of government. Progressive? Or just a Democrat?

    2. Re:In other words by michelcolman · · Score: 5, Funny

      I don't know what they're complaining about, I thought they wanted backdoors?

    3. Re: In other words by Anonymous Coward · · Score: 0

      The fascist corporate elite want us to die.

    4. Re: In other words by Anonymous Coward · · Score: 0

      They raped my mother with rebar until she died.

    5. Re: In other words by Anonymous Coward · · Score: 0

      That is the way of their kind.

    6. Re: In other words by Anonymous Coward · · Score: 0

      They hate us and want us 2 die

    7. Re: In other words by Anonymous Coward · · Score: 0

      Those republicans murdered my two little sisters to death in front of me. In front of me.

    8. Re: In other words by Anonymous Coward · · Score: 0

      As they did mine.

    9. Re: In other words by Anonymous Coward · · Score: 0

      No one rapes like a republican.

    10. Re: In other words by Anonymous Coward · · Score: 0

      Raping mothers is what they strive for.

    11. Re: In other words by Anonymous Coward · · Score: 0

      Their entire party is structured around rape.

    12. Re: In other words by Anonymous Coward · · Score: 0

      You can always tell their kind by their weak upper body strength.

    13. Re: In other words by Anonymous Coward · · Score: 0

      Itsie how dey b

    14. Re: In other words by Anonymous Coward · · Score: 0

      Or at the very least stack us like cordwood at gitmo

    15. Re: In other words by Anonymous Coward · · Score: 0

      That is the way of their kind.

      I haven't seen any evidence other than the article's claim that those Republicans closed the roads in order to force us into traps set by their thugs in blue. This is just paranoid nonsense.

    16. Re: In other words by Anonymous Coward · · Score: 0

      Other better sites don't constantly remind us what those pukianz r doings

    17. Re:In other words by Opportunist · · Score: 3, Interesting

      I was thinking the same. First they start lamenting how they need government backdoors, now they complain when they find some. Make up your fucking mind, people!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    18. Re:In other words by peragrin · · Score: 2, Insightful

      Republicans don't want effective oversight of government. That runs contrary to small government.

      You can't have oversight and small; it doesn't work. Oversight by definition makes things bigger.

      --
      i thought once I was found, but it was only a dream.
    19. Re:In other words by gtall · · Score: 3, Insightful

      I know this might come as a shock to you, but the U.S. Government is very large. It does multiple things at one time. One part can have a policy contradicting another part. In some cases, the contradiction is mandated by Congress. Government is not a large company where getting out of line can get you fired. There is no line, there are fiefdoms. And you wouldn't want it any other way.

    20. Re:In other words by Anonymous Coward · · Score: 0

      You're thinking NSA/FBI. Congress goes after a completely different backdoor...

    21. Re: In other words by Anonymous Coward · · Score: 0

      Except that the only thing that the fief lords agree on is that it's in their collective interest to fuck the citizenry to death.

    22. Re:In other words by Anonymous Coward · · Score: 0

      "A lot of truth comes in a joke". They're willing to do anything to make sure they can watch all the citizens' activity, but they piss themselves when they find out someone could have been monitoring them. Where's the transparency? Where is the accountability to the citizens whom this government is supposed to represent?

      captcha: protests

    23. Re: In other words by Anonymous Coward · · Score: 0

      That's just how they be.

    24. Re:In other words by KGIII · · Score: 1

      While I am not (nor should I be confused with) a Republican - I think you'll find your logical fallacy is that of the excluded middle. Small does not mean absolute least amount. Those would be the minarchists. They are not generally Republicans. We have some in my party, however. I'm inclined to agree in principle - I'm just not certain that their ideal is reasonable or would be as effective as they like. They're usually proponents of a strong, very strong, but minimal government. Some are actually in favor of a weak and minimal government, they're not far from anarchists and I tend to think of them in similar manners.

      Oh, they're great ideals and would be fantastic in an ideal world and that's all good. It's just unrealistic, never going to happen - ever, and is silly to even propose it in a serious conversation about where the lines should be drawn.

      --
      "So long and thanks for all the fish."
  2. ScreenOS is dying anyways by dreamchaser · · Score: 2, Insightful

    They should be phasing those out regardless. Netscreen devices are EOL. Too many people are still using them. I know I have actively encouraged clients to ditch them. Unfortunately the Juniper SRX firewalls are crap, at least the low end/branch ones. The big iron is alright but still doesn't compare feature wise to Check Point, Palo Alto, Fortinet, etc.

    1. Re:ScreenOS is dying anyways by msauve · · Score: 4, Interesting

      Fortinet?

      Perhaps they should simply ask the NSA, they should know exactly when the backdoor stopped working on any particular site.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:ScreenOS is dying anyways by Anonymous Coward · · Score: 0

      I think comparing Juniper "Big Iron" to toy devices like UTMs or application-level proxies is apples to oranges. They're not even in the same category of device. Their low end products are comparable, and suck.

      But the same happens across Cisco - have a look at ASA or IronPort. Network infrastructure vendors don't seem good at application-level stuff, and vice versa; I wouldn't trust Fortigate to throw voice RTP packets around either. It's not a router.

    3. Re:ScreenOS is dying anyways by Anonymous Coward · · Score: 0

      The big iron, well at least the 3xxx ones are pretty crap as well. We've had lots of problems with them.

    4. Re:ScreenOS is dying anyways by dreamchaser · · Score: 1

      I was speaking in terms of firewall performance and features. I pretty much expect them all to be compromised in some way these days.

    5. Re:ScreenOS is dying anyways by Anonymous Coward · · Score: 0

      Are you sure about that? Has Netcraft confirmed it?

  3. Prosecutions? by jdwolfe · · Score: 5, Insightful

    Who at Juniper is getting prosecuted for selling backdoor'd routers to the United States Federal Government?

    1. Re:Prosecutions? by sims+2 · · Score: 4, Insightful

      Prosecuted? Somebody's probably going to get an award for thinking ahead. They had their kit backdoored before the government even made it a requirement! What's good for the goose is good for the gander and all that.

      --
      Minimum threshold fixed. Thanks!
    2. Re:Prosecutions? by Anonymous Coward · · Score: 0

      Why would the government do that? It would just draw unwanted attention that maybe they themselves had their fingers in the whole thing.

      It might also cause a chilling effect for other vendors who'd cooperate less with surveillance agencies. I doubt they'd want to risk that while every other politician is demanding backdoors these days.

  4. Isn't this a good thing? by thesupraman · · Score: 4, Interesting

    I thought government security organisations of the three letter variety were busy trying to convince
    us that security backdoors and 'special' access for government level players was a good thing?

    Surely they should just be promoting this as a feature, that enables the rounding up of literally millions
    of pedophiles, drug addicts, and terrorists Real Soon Now?

    Oh, wait, they are not sure it's only THEIR backdoors? Don't tell me other governments may also be
    involved? But surely if it's good for one government to have access, it's better if more do - hell, they ALL
    should, right? So they can enforce their own local views of What Is Right?

    Are we being told only some governments are trustworthy? Can we please have a list? What happens when
    governments change? This is all just too complicated!

    It is a pity most police are now just too busy collecting revenue to do much police work, it all seemed a bit
    simpler when they used to investigate actual crimes against the populace.

    1. Re:Isn't this a good thing? by msauve · · Score: 2, Funny

      But, think of the children (aka "congress").

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:Isn't this a good thing? by Anonymous Coward · · Score: 1

      ... enables the rounding up of literally millions of pedophiles, drug addicts, and terrorists ...

      That's kinda the problem. The laws were passed to spy on suspicious people. Spying on politicians and their friends is treating them like criminals. That's a defamation of their good names and an insult to their lofty jobs. Important people don't hate mass surveillance because it's ineffective, abusive, or encourages treason; they hate it because it makes them look bad.

    3. Re:Isn't this a good thing? by Anonymous Coward · · Score: 0

      You ll leave behind only Africans and morons, believe it.

  5. Don't underestimate a security audit by Anonymous Coward · · Score: 2, Interesting

    I spent much of last year responding to a security audit that had to do with a leak of personal information through email. Very few people were affected. It was an honest mistake. The audit is exhaustive.

    It is hard to provide every *relevant* email message for your colleagues for years. It is hard to document everything we ever said about securing information. It's hard in a short time to prove you are educating the whole staff again about what you told them all before.

    We are better for it, and my group wasn't punitive. Still, it took up about a quarter of a year for me for my unit so far.

  6. Just try and stay out of my way. Just try! by turkeydance · · Score: 0

    I'll get you, my pretty, and your little dog, too!

    1. Re:Just try and stay out of my way. Just try! by subk · · Score: 2

      I'll get you, my pretty, and your little dog, too!

      Spoiler Alert: I know what happens next. The house falls on the bitch.

      --
      Now, if you'll excuse me, I have backups to corrupt.
  7. What did you know by JustAnotherOldGuy · · Score: 3, Insightful

    Q: "What did you know and when did you know it?"

    A: "We didn't know nothin' then, we don't know nothin' now, and we won't know nothin' next week either."

    "Thank you, this meeting is adjourned."

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:What did you know by Anonymous Coward · · Score: 0

      Excellent and I wish I could mod up.

      #2 question is what are you going to do NOW, stupid. Agency X reports they used 3 devices, each with about 3 years of exposure, each with a transmission of about xxxx terabytes. And we had a couple of other routers with admin back doors, say. whatch ya gunna do?

  8. Republicans hate encryption by Anonymous Coward · · Score: 0

    The Data Breach You Haven’t Heard About

    Finally, this incident shows that backdoors to bypass encryption—even those requested by law enforcement or mandated by lawmakers—are extremely dangerous. There is no way to create a backdoor that is not vulnerable to this kind of breach. Encryption is essential to our national security and economy; we should be focused on strengthening it not weakening it.

    Rep. Hurd, a Republican from Texas, sits on the House Homeland Security Committee and is chairman of the IT Subcommittee on Oversight and Government Reform.

    1. Re:Republicans hate encryption by schwit1 · · Score: 2

      Just the republicans ... http://arstechnica.com/informa...

  9. Closed sessions by AHuxley · · Score: 1

    then mention the NSL that was always in place?

    --
    Domestic spying is now "Benign Information Gathering"
  10. Juniper Jones to the rescue by WaffleMonster · · Score: 2

    Congress should just ask NSA and save everyone the trouble.

  11. This is a drill by bitchtits · · Score: 1

    Just sayin'

  12. Dumb and Dumber by chromaexcursion · · Score: 1

    There's no way this order can be reasonably complied with. If indeed it could ever be done.
    And, who's going to pay for it?
    What a disgusting bunch of idiots pretend to run my country.

    1. Re:Dumb and Dumber by redmid17 · · Score: 1

      Going back to 2009 is a huge undertaking, even for an organization with a decent asset management process.
      Complying with what is currently on the network shouldn't be difficult at all.

    2. Re:Dumb and Dumber by Anonymous Coward · · Score: 0

      If any agency doesn't know enough about their own network to answer this in 2 weeks then the IT staff running the network need to be mass fired on the spot.

    3. Re:Dumb and Dumber by chromaexcursion · · Score: 1

      I agree. current status should be trivial.
      But the demand is for a historical report. Who knows if the data even exists.

    4. Re:Dumb and Dumber by Anonymous Coward · · Score: 0

      really? where in the letter is the demand for historical data (beyond when they applied the patch)? perhaps I missed something?

    5. Re:Dumb and Dumber by Anonymous Coward · · Score: 0

      Are IT in government Agencies really that incompetent? I could tell exactly how many devices, who made them and the firmware/OS levels for everything in our network (we have 50,000 staff, not huge but not small), given a couple of hours I could give you that information for the past 5 years without a problem from change control records.

    6. Re: Dumb and Dumber by bill_mcgonigle · · Score: 1

      Many government IT folks only do what they're told to do. Often they can do those things well. And especially with contractors, there's nothing done that's not specified in lengthy contracts.

      In the private sector, an IT worker will often see a need and implement a solution to save his frustration - occasionally he'll even tell the boss about it.

      This tends to attract different types of people to the two jobs. The same goes for Congress - very few people who are competent actually want to work there. Most Congressmen will privately confide that most of the other Congressmen are unimpressive. Not themselves, of course.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  13. 2009 time frame is bogus by Anonymous Coward · · Score: 3, Informative

    Here's the letter to SSA:

    Dear Ms. Colvin:
    On December 17, 2015, Juniper Networks announced in a press release that it discovered
    “unauthorized code that could allow a knowledgeable attacker to gain administrative access” to
    certain devices and “decrypt VPN connections.“

    On December 20, 2015, Juniper Networks issued a patch to the aforementioned software
    vulnerability to their ScreenOS platform. In a related press release, Juniper Networks listed
    vulnerable devices and described the potential exposure if this vulnerability was exploited:

    - Administrative Access (CVE-2015-7755) affecting devices running ScreenOS 6.3.0r17 through 6.3.0r20; and
    - VPN decryption (CVE-2015-7756) affecting devices running ScreenOS 6.2.0r15 through 6.2.0r18, ScreenOS 6.3.0r12 through 6.3.0r20.

    So that the Committee may better understand the extent of the ScreenOS vulnerabilities
    and related effects on the cybersecurity posture of federal agencies that use the ScreenOS
    platform, please provide the following documents and information as soon as possible, but no
    later than 5:00 p.m. on February 4, 2016:

    1. Documents sufficient to identify whether your agency, or any component agency,
    used the affected Juniper ScreenOS platforms;
    2. Documents and communications referring or relating to how the agency, or its
    components, discovered the vulnerability and if any corrective measures were taken
    prior to deploying the software patch issued by Juniper Networks on December 20,
    2015;
    3. Documents and communications referring or relating to what version(s) of ScreenOS
    your agency, or any component agency, used; and
    4. Documents sufficient to show when your agency, or any component agency,
    deployed the software patch issued by Juniper Networks on December 20, 2015.

    The Committee on Oversight and Government Reform is the principal oversight
    committee of the House of Representatives and may at “any time” investigate “any matter” as set
    forth in House Rule X.

    When producing documents to the Committee, please deliver production sets to the
    Majority staff in room 2157 of the Rayburn House Office Building and the Minority staff in
    room 2471 of the Rayburn House Office Building. The Committee prefers, if possible, to
    receive all documents in electronic format. An attachment to this letter provides additional
    information about responding to the Committee’s request.

    Please contact Mike Flynn of the Majority staff at (202) 225-5074 or Brian Quinn of the
    Minority staff at (202) 225-5051 with any questions about this request. Thank you for your
    attention to this matter.
    [signatures]

    There's no mention of getting information as far back as 2009 in the letter. That bit was from some attached boilerplate rules about how the committee wants the report formatted, media, etc. Other letters that have nothing to do with the Juniper firewall issue have the same boilerplate rules attached. The committee only wants the information as stated in their four items. I don't know why the report in TFA put in that bit about the 2009 timeframe other than to exaggerate the work each agency is going to have to do.
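    The four items in the letter amount to an inventory question: which devices ran an affected ScreenOS release, and when were they patched. The following is an added example, not code from the page, from Juniper, or from any agency, of how a practitioner would answer item 3 mechanically: it parses ScreenOS version strings and classifies each against the two affected ranges exactly as the letter lists them (CVE-2015-7755: 6.3.0r17 through 6.3.0r20; CVE-2015-7756: 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20). The hostnames and version strings in INVENTORY are constructed sample data, and the assumed version format is major.minor.patch followed by an "r" release number; anything that does not match that shape is flagged for manual review rather than silently treated as unaffected.

```python
"""Triage ScreenOS versions against the ranges listed in the Oversight Committee letter.

Added example (not from the page, Juniper, or any agency). Version strings
are assumed to look like "6.3.0r17"; anything else is reported as UNPARSEABLE
so that it gets a human look instead of a free pass.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Assumed ScreenOS version shape: <major>.<minor>.<patch>r<release>
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")

# Inclusive affected ranges as stated in the letter (and Juniper's Dec 2015 notice).
AFFECTED: List[Tuple[str, str, str]] = [
    ("CVE-2015-7755", "6.3.0r17", "6.3.0r20"),   # administrative access
    ("CVE-2015-7756", "6.2.0r15", "6.2.0r18"),   # VPN decryption
    ("CVE-2015-7756", "6.3.0r12", "6.3.0r20"),   # VPN decryption
]


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Turn "6.3.0r17" into (6, 3, 0, 17) so tuples compare in version order."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"not a ScreenOS version string: {s!r}")
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids whose affected range contains `version` (empty if none)."""
    v = parse_version(version)
    hits: List[str] = []
    for cve, low, high in AFFECTED:
        if parse_version(low) <= v <= parse_version(high) and cve not in hits:
            hits.append(cve)
    return hits


def triage(inventory: Sequence[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each host to its CVE list, [] if unaffected, or ["UNPARSEABLE"]
    when the recorded version string cannot be read (needs manual review)."""
    result: Dict[str, List[str]] = {}
    for host, version in inventory:
        try:
            result[host] = affected_cves(version)
        except ValueError:
            result[host] = ["UNPARSEABLE"]
    return result


# Constructed sample inventory; these are not real devices.
INVENTORY: List[Tuple[str, str]] = [
    ("fw-dc1-edge", "6.3.0r19"),      # both backdoors
    ("fw-branch-07", "6.2.0r16"),     # VPN decryption only
    ("fw-branch-12", "6.3.0r12"),     # VPN decryption only (bottom of range)
    ("fw-lab-01", "6.3.0r21"),        # above the affected range
    ("fw-old-02", "5.4.0r25"),        # older train, not in either range
    ("fw-unknown", "ScreenOS 6.3"),   # CMDB entry missing the release number
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:16} {', '.join(status) if status else 'not affected'}")
```

    Ranges are compared as integer tuples, not as strings, so "6.3.0r9" correctly sorts below "6.3.0r12"; a string comparison would put it above. The UNPARSEABLE bucket is the important part for an audit like this one: an inventory row that cannot be classified is a gap in the answer, not evidence of a clean box.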

    1. Re:2009 time frame is bogus by Zocalo · · Score: 3, Interesting

      Maybe because they read between the lines a bit? If you put the part of the letter that reads "Documents sufficient to identify whether your agency, or any component agency, used the affected Juniper ScreenOS platforms" (note the tense) with the timeframe when Juniper started shipping products with a vulnerable version of ScreenOS (e.g. from 2009), then they are indeed asking for data that could potentially go back to 2009. Just because a company might be using an alternative product now, doesn't mean that they didn't have vulnerable products in the past, so they are indeed asking for agencies to review their equipment purchasing records going back to 2009.

      Still, it's a pretty incompetent company that won't have at least some form of records of CapEx purchases going back six years, let alone a government agency, just because of financial and tax legislation requirements, albeit possibly not entirely digital and searchable. At my previous employer I could get a report with a complete list of assets from a given vendor complete with every logged change made to those assets from our ITIL CMDB system in a couple of minutes that would easily cover that timescale, although I suspect for many government agencies this is likely to involve some hapless interns digging through dusty paper boxes in a warehouse rather than someone running a report.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:2009 time frame is bogus by jbmartin6 · · Score: 1

      Regardless of the deadline for the report, this is mostly information the agencies should already have considered when the vulnerability was announced. If they cannot comply with the deadline, well you know there is an agency where IT is asleep at the switch. That's valuable information in itself. I would not be surprised if it was all of them.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  14. More government idiocy. Consider: by Anonymous Coward · · Score: 2, Insightful

    the same morons who want to worry about THIS seem to have no problem with nearly the entire government running a combination of ancient, unmaintained and vulnerable old flavors of Windows and IE, or WORSE the newest flavors of windows that have a permanent, autonomous and continually-active "back-door" built right in. With the most-recent versions of Windows sucking-up all keystrokes and mouse moves and even, in some cases, audio from any built-in microphones, and sending stuff off to headquarters in Redmond (or mirror sites, or shell corporations, etc) should ANYBODY be comfortable with the government storing ANY personal, private, medical, tax, business, security, or other info on computers???????

    People need to be hammering every member of congress about this and the government should not be running ANY computer operating system without having the full source-code to it and building it in-house to be certain the object code came from that source code.

  15. Fuck backdoors! by Anonymous Coward · · Score: 0

    Fuck Juniper! Fuck ScreenOS! Fuck backdoors! Fuck federal agencies! Fuck Congress! Fuck the House! Fuck the Senate! Fuck committees! Fuck hackers! Fuck vulnerabilities! Fuck software! Fuck itwbennett! Fuck sampenzus! Fuck patches! Fuck the United States! Fuck Linux! Fuck Slashdot! Fuck open source! Fuck science fiction! Fuck Star Wars! Fuck free software! Fuck all software! Fuck logged-in users! Fuck editors! Fuck moderators! Fuck all stories! Fuck Slashdot readers! Fuck your comments! Fuck computers! Fuck everything! Fuck the government! Fuck all of this shit! Fuck me! Fuck you! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck! Fuck!

  16. Nobody cares by Anonymous Coward · · Score: 0

    Stop spamming slashdot spam site CSO and your spammy uninteresting news

  17. Hey! What's the hubbub? by Opportunist · · Score: 1

    I thought you wanted government backdoors, now you make a fuss. Make up your fucking mind!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  18. Congress questions APK by Anonymous Coward · · Score: 0

    I'm giving Congress and federal agencies just two weeks to figure out why APK is a fag

    1. Re:Congress questions APK by Anonymous Coward · · Score: 0

      Writing a decent ware for added security and speed makes him a fag? I don't see a correlation. I do see his ware looks pretty good though http://slashdot.org/comments.p... and am going to try it now in fact.

  19. 9+ hours, no new stories posted on crapdot by Anonymous Coward · · Score: 0

    Good work, editors! No new stories, just leaving this at the top of the front page. Did a gay orgy among the editors get out of hand last night? Maybe they've been busy sucking each other's dicks and haven't gone back to the computer to post new stuff. Good work, lazy asses!

  20. Fishing expedition for ancient history by Anonymous Coward · · Score: 0

    If they wanted to make sure everything got patched.

    Please provide an inventory for the boxes affected by the bug announcement which your agency, directly or indirectly used in December 2015.

    For each box in the inventory, provide the following information.
    The current patch state and how the patch state has changed over time since 1-Dec-2015.
    If it is connected to the Internet.
    The person(s) responsible for maintaining the box over the above time period.
    Details of any known break-ins into your networks where the box was implicated.

    For bonus points, when and how each of the responsible parties above learned of this bug.

  21. https://www.youtube.com/watch?v=UMnC3Nwif1k by teac2019 · · Score: 0
  22. U.S. Gov't.: Security U patch yourself easily by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...

    ---

    FREE, not 'souled-out' to advertisers + adds speed, security & reliability. Does FAR more w/ FAR less more efficiently vs. redundant browser addons & local DNS servers @ home.

    It not ONLY fixes DNS' many security issues, it stops a LOT of tracking @ webpage + DNS levels via 1 file you NATIVELY have per my subject above!

    Firewalls do the rest (on less used IP address trackers vs. host-domain name type).

    ---

    It obtains data vs. threats & for adblocking from 10 reputable security community sites - easily edited by you via my program.

    ---

    SPEEDS YOU UP 2 ways (adblocks + local RAM cached favorite sites @ TOP of hosts for fastest resolution speed vs. remote DNS (aids reliability)) vs. other "so-called security 'solutions'" SLOWING YOU!

    ---

    All that via something you natively have vs. "bolting on browser addons 'MOAR'" that's usermode slower & increases messagepassing, cpu + ram overheads!

    ---

    MalwareBytes' hpHosts Admin (MalwareBytes employee who verified it's source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's safe proven by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    Its 32-bit model too https://www.virustotal.com/en/...

    Its installer too -> http://f.virscan.org/APKHostsF...

    ---

    * "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THE WORD = hosts!

    (Accept NO substitutes!)

    ...apk

  23. Oh, the irony by phorm · · Score: 1

    A backdoor, likely added by a 3-letter US government agency, being used in another US government agency causing a security breach....

  24. circle jerk by Anonymous Coward · · Score: 0

    Who will watch the watchers? Why we, the watchers of course.

    We have become a masturbatory society. We lifted the veil of privacy and now we cannot get enough. We watch ourselves day and night. The more authority we possess, the deeper we look and the more we jerk off to things we should not see.

    Violating privacy is not the fix for this sickness among us. Private intercourse is private of course.