[j-nsp] juniper hack news

Hugo Slabbert hugo at slabnet.com
Sat Dec 26 18:28:40 EST 2015 

What he said ;-)
--
Hugo
hugo at slabnet.com: email, xmpp/jabber
also on Signal

---- From: Aaron Dewell <aaron.dewell at gmail.com> -- Sent: 2015-12-26 - 15:08 ----

>
> While that may be completely correct (while not completely provable, it is entirely reasonable to assume it), the immediate question was whether this particular vulnerability affected JunOS also, or only ScreenOS.
>
> The answer to that more narrow question is that it only affects ScreenOS.
>
> I think we can assume that most of the software we use today (Windows, MacOS, IOS, JunOS, Linux, FreeBSD, etc.) all contain some form of government-induced weakness.  Exactly what those are have yet to be discovered.  I for one am confident that they all contain at least one if not many.
>
> However, the question asked only concerned this particular vulnerability, for which JunOS is not affected.  The malicious code in question was introduced into ScreenOS source code and not into JunOS.
>
>> On Dec 26, 2015, at 3:21 PM, Chris Cappuccio <chris at nmedia.net> wrote:
>>
>> Hugo Slabbert [hugo at slabnet.com] wrote:
>>>
>>> Am I missing something that indicates this is known to affect Junos as well?
>>>
>>
>> I just gave you a link to a formal NSA/GCHQ "TOP SECRET" documentation -- from
>> 2011 -- which says they are DOING IT. It only takes NSA ~90 days to develop
>> a new vulnerability in this class of software.
>>
>> I think the best we can hope is that Juniper was privately informed and has
>> quietly patched any JunOS vulnerabilities.
>>
>> Juniper has a lot of international business to lose from public
>> vulnerabilities in core Internet infrastructure. Cisco already took a large
>> hit.
>>
>> I don't know what else to say. Anyone who thinks that the NSA did not develop
>> this capability in 2011 needs to read. Anyone who thinks NSA can't develop
>> this capability again (once their old vulnerabilities are burned) does not
>> understand the class of this attacker.
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 870 bytes
Desc: PGP/MIME digital signature
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20151226/f35fe608/attachment.sig>

More information about the juniper-nsp mailing list