[j-nsp] juniper hack news

[Aaron Dewell]

While that may be completely correct (while not completely provable, it is entirely reasonable to assume it), the immediate question was whether this particular vulnerability affected JunOS also, or only ScreenOS.

The answer to that more narrow question is that it only affects ScreenOS.

I think we can assume that most of the software we use today (Windows, MacOS, IOS, JunOS, Linux, FreeBSD, etc.) all contain some form of government-induced weakness.  Exactly what those are have yet to be discovered.  I for one am confident that they all contain at least one if not many.  

However, the question asked only concerned this particular vulnerability, for which JunOS is not affected.  The malicious code in question was introduced into ScreenOS source code and not into JunOS.

> On Dec 26, 2015, at 3:21 PM, Chris Cappuccio <chris at nmedia.net> wrote:
> 
> Hugo Slabbert [hugo at slabnet.com] wrote:
>> 
>> Am I missing something that indicates this is known to affect Junos as well?
>> 
> 
> I just gave you a link to a formal NSA/GCHQ "TOP SECRET" documentation -- from
> 2011 -- which says they are DOING IT. It only takes NSA ~90 days to develop
> a new vulnerability in this class of software.
> 
> I think the best we can hope is that Juniper was privately informed and has
> quietly patched any JunOS vulnerabilities.
> 
> Juniper has a lot of international business to lose from public
> vulnerabilities in core Internet infrastructure. Cisco already took a large
> hit.
> 
> I don't know what else to say. Anyone who thinks that the NSA did not develop
> this capability in 2011 needs to read. Anyone who thinks NSA can't develop
> this capability again (once their old vulnerabilities are burned) does not
> understand the class of this attacker.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp