[j-nsp] juniper hack news
Scott Granados
scott at granados-llc.net
Sat Dec 26 22:46:48 EST 2015
So I wonder about your statements about the governments. I would tend to agree, and trust me, there’s little about the scumbags in Washington (or insert your nation’s capital here) that would surprise me, but I’m not convinced. There’s been a ton of bellyaching, at least in the US and probably globally, about strong cryptography. For example, here in the US the folks in jackboots are trying to convince us that strong cryptography was used in the Paris attacks and if we could only break the cyphers the world would be a safer place. Maybe if we send all our snail mail on post cards as well. But this bellyaching makes me think they aren’t nearly as good at this signals thing as we’re led to believe.
So while I have heard of hacks before and it is absolutely within the realm of possibility the NSA or whoever has backdoors in everything, but if they did, would they cry so much about being able to get in the middle and do what spooks do? Or is this complaining a false cover and they are so intertwined and back door hacked into everything it doesn’t matter and they want to create a false sense to throw off potential baddies? This is something I’ve been very curious about and the Government’s ability to collect this intelligence fascinates me.
I also wonder, if in fact this was in the ScreenOS source code, does that mean that an agency or 2 has plants in Juniper? I think something similar to this happened with a company producing SIM cards and a plant on the inside was able to gather information enabling the cards to be compromised by the NSA. Wonder how far this is spread and how many vendors.
Excuse me while I go fashion a hat out of tin foil and stock up on canned goods. :)
Thank you
Scott
> On Dec 26, 2015, at 6:08 PM, Aaron Dewell <aaron.dewell at gmail.com> wrote:
>
>
> While that may be completely correct (while not completely provable, it is entirely reasonable to assume it), the immediate question was whether this particular vulnerability affected JunOS also, or only ScreenOS.
>
> The answer to that more narrow question is that it only affects ScreenOS.
>
> I think we can assume that most of the software we use today (Windows, MacOS, IOS, JunOS, Linux, FreeBSD, etc.) all contain some form of government-induced weakness. Exactly what those are has yet to be discovered. I for one am confident that they all contain at least one if not many.
>
> However, the question asked only concerned this particular vulnerability, for which JunOS is not affected. The malicious code in question was introduced into ScreenOS source code and not into JunOS.
>
>> On Dec 26, 2015, at 3:21 PM, Chris Cappuccio <chris at nmedia.net> wrote:
>>
>> Hugo Slabbert [hugo at slabnet.com] wrote:
>>>
>>> Am I missing something that indicates this is known to affect Junos as well?
>>>
>>
>> I just gave you a link to a formal NSA/GCHQ "TOP SECRET" documentation -- from
>> 2011 -- which says they are DOING IT. It only takes NSA ~90 days to develop
>> a new vulnerability in this class of software.
>>
>> I think the best we can hope is that Juniper was privately informed and has
>> quietly patched any JunOS vulnerabilities.
>>
>> Juniper has a lot of international business to lose from public
>> vulnerabilities in core Internet infrastructure. Cisco already took a large
>> hit.
>>
>> I don't know what else to say. Anyone who thinks that the NSA did not develop
>> this capability in 2011 needs to read. Anyone who thinks NSA can't develop
>> this capability again (once their old vulnerabilities are burned) does not
>> understand the class of this attacker.
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>