Slashdot Mirror


Congress Gives Federal Agencies Two Weeks To Tally Backdoored Juniper Kit (csoonline.com)

itwbennett writes: In an effort to gauge the impact of the recent Juniper ScreenOS backdoors on government organizations, the House of Representatives is questioning around two dozen U.S. government departments and federal agencies. The U.S. House of Representatives' Committee on Oversight and Government Reform sent letters to the agencies on Jan. 21, asking them to identify whether they used devices running the affected ScreenOS versions, to explain how they learned about the issues and whether they took any corrective actions before Juniper released patches and to specify when they applied the company's patches. The questioned organizations have until Feb. 4 to respond and deliver the appropriate documents, a very tight time frame given that 'the time period covered by this request is from January 1, 2009 to the present.'

6 of 77 comments

  1. Isn't this a good thing? by thesupraman · · Score: 4, Interesting

    I thought government security organisations of the three letter variety were busy trying to convince
    us that security backdoors and 'special' access for government level players was a good thing?

    Surely they should just be promoting this as a feature, that enables the rounding up of literally millions
    of pedophiles, drug addicts, and terrorists Real Soon Now?

    Oh, wait, they are not sure it's only THEIR backdoors? Don't tell me other governments may also be
    involved? But surely if it's good for one government to have access, it's better if more do - hell, they ALL
    should, right? So they can enforce their own local views of What Is Right?

    Are we being told only some governments are trustworthy? Can we please have a list? What happens when
    governments change? This is all just too complicated!

    It is a pity most police are now just too busy collecting revenue to do much police work, it all seemed a bit
    simpler when they used to investigate actual crimes against the populace.

  2. Don't underestimate a security audit by Anonymous Coward · · Score: 2, Interesting

    I spent much of last year responding to a security audit that had to do with a leak of personal information through email. Very few people were affected. It was an honest mistake. The audit is exhaustive.

    It is hard to provide every email *relevant* message for your colleagues for years. It is hard to document everything we ever said about securing information. It's hard in a short time to prove you are educating the whole staff again about what you told them all before.

    We are better for it, and my group wasn't punitive. Still, it took up about a quarter of a year for me for my unit so far.

  3. Re:ScreenOS is dying anyways by msauve · · Score: 4, Interesting

    Fortinet?

    Perhaps they should simply ask the NSA, they should know exactly when the backdoor stopped working on any particular site.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  4. Re:In other words by Anonymous Coward · · Score: 1, Interesting

    In other words you oppose effective government oversight of government. Progressive? Or just a Democrat?

  5. Re:2009 time frame is bogus by Zocalo · · Score: 3, Interesting

    Maybe because they read between the lines a bit? If you put the part of the letter that reads "Documents sufficient to identify whether your agency, or any component agency, used the affected Juniper ScreenOS platforms" (note the tense) with the timeframe when Juniper started shipping products with a vulnerable version of ScreenOS (e.g. from 2009), then they are indeed asking for data that could potentially go back to 2009. Just because a company might be using an alternative product now, doesn't mean that they didn't have vulnerable products in the past, so they are indeed asking for agencies to review their equipment purchasing records going back to 2009.

    Still, it's a pretty incompetent company that won't have at least some form of records of CapEx purchases going back six years, let alone a government agency, just because of financial and tax legislation requirements, albeit possibly not entirely digital and searchable. At my previous employer I could get a report with a complete list of assets from a given vendor complete with every logged change made to those assets from our ITIL CMDB system in a couple of minutes that would easily cover that timescale, although I suspect for many government agencies this is likely to involve some hapless interns digging through dusty paper boxes in a warehouse rather than someone running a report.

    --
    UNIX? They're not even circumcised! Savages!
  6. Re:In other words by Opportunist · · Score: 3, Interesting

    I was thinking the same. First they start lamenting how they need government backdoors, now they complain when they find some. Make up your fucking mind, people!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.