
NSA Helped British Spies Find Security Holes in Juniper Firewalls - slasaus
https://theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq/
======
discardorama
I have a feeling that this is how these agencies skirt the law: agency X is
not allowed to do "A", so it helps agency B do it, and share the findings with
X. And vice versa. So the GCHQ spies on Americans willy-nilly, and the
Americans spy on Brits, with full knowledge of each other.

~~~
akerro
That's how the British government "doesn't use drones". They tell the US to use drones
to automatically bomb a target and kill hundreds of people; the whole attack is
organised by the UK, but technically, it was done by the US. In such a case the UK says in
a report they didn't kill anyone and the US says they rented weapons.

~~~
mattmanser
Our government does use drones? Has done for years.

------
tptacek
Worth considering: every serious SIGINT agency probably had this capability
against Netscreen VPNs. If you do a lot of network infiltration, these boxes
are among the most useful targets; unlike routers running JunOS, the VPN
concentrators have a large outside-the-packet-filter attack surface, and
everyone runs them.

It'd be surprising if NSA and GCHQ didn't have similarly powerful capabilities
against all the current VPN products.

~~~
epistasis
While I don't doubt that's true for closed-source products, would it also be
true for open source products? I've heard that some methods of IPSec key
exchange are compromised, but don't know details. Would it also be good to
suspect OpenVPN's method of key exchange?

~~~
vox_mollis
Since it's now clear that "many eyes makes all bugs shallow" is patently
false, the MO for said agencies to compromise OSS projects is to play the long
game of making numerous benign commits, becoming trusted, then committing
subtly compromised code.

This would be much easier than compromising specific algorithms or KE
protocols. Cheap, too. All it takes is plenty of patience.

~~~
nyan4
> Since it's now clear that "many eyes makes all bugs shallow" is patently
> false

"patently false". Proof needed, please, we have enough FUD.

~~~
nickpsecurity
On the contrary, the person making that claim needs to prove it's true or else we
reject it as FUD against proprietary software. For a long time, the only
software to resist prolonged pentesting by NSA were proprietary products
certified to B3/A1 and Type 1 respectively. If NSA could hack them, they
couldn't pass. Likewise, in safety, we've seen a number of high assurance
systems fielded where every state (including failure) it could be in was known
ahead of time. Some setups, like mainframes, hit 17-30 year uptime. All
proprietary.

Meanwhile, in OSS land, we have a steady stream of easily-prevented or
detected defects that compromise security. Just like in most proprietary
shops. Like proprietary, those OSS projects producing highly-secure stuff are
done by great designers/coders with careful review and testing processes. The
community-developed OSS hasn't reached the assurance of aforementioned
proprietary systems or some in academia. Yet, highly correct or secure stuff
seems equally rare in both types of development with proprietary having a bit
more just because there were people paying professionals to build those. In
theory, with free/cheap labor, OSS could eventually produce more but there's
not enough interest.

So, the endless stream of bugs in both closed and OSS software that are often
really old disproves the many eyes argument. It didn't work for even the shallowest
bugs consistently, much less deep ones. Software quality comes from people
taking responsibility and putting time into QA, esp design/code review. OSS,
shared-source proprietary, closed-source... always same requirement that gives
quality.

~~~
guelo
Maybe a new OSS license is needed where the price of using the software is
reviewing some code once in a while.

~~~
nickpsecurity
I broke it down from a security or auditing angle for all sides here:

[https://www.schneier.com/blog/archives/2014/05/friday_squid_...](https://www.schneier.com/blog/archives/2014/05/friday_squid_bl_424.html#c6051639)

Review was fundamental. It would be costly and take talent. So, like you, I
proposed something that was open source but not quite free. Not many in OSS
want to discuss proprietary OSS options but I think it's a critical
conversation as it could get better stuff on the market. Prior conversations
here at least showed the term, open source, was highly loaded with the
expectation of free distribution due to its history. So, I'll modify the essay
and next discussion to use shared source.

Elaborated more on my concept for a hybrid here:

[https://news.ycombinator.com/item?id=10500298](https://news.ycombinator.com/item?id=10500298)

------
MichaelGG
> ...it does make clear that, like the unidentified parties behind those
> hacks, the agencies found ways to penetrate the “NetScreen” line of security
> products...

It does? Sounds like this is a rather normal, expected, analysis. They're just
reviewing products; probably they already had similar capabilities on IOS and
wanted to make sure they could handle other targets or a shift in the market.
This does not sound like getting backdoors placed, at all.

I hate to be suspicious or cynical here, but is this just The Intercept being
opportunistic? Is there any reason to relate this to the recent "unauthorized
code" issues?

~~~
BinaryIdiot
You are completely correct. There isn't any correlation indicating that a
security agency was behind the backdoors setup in their OS. Granted this could
still be the case but there isn't any evidence, known to the public at least,
that any security agency had a hand in creating the backdoors.

The timing of this article is obviously done in order to capitalize on the
recent Juniper news. I would suspect all security agencies to be looking at
the security of all networking products that they can get a hand on.

~~~
atmosx
> There isn't any correlation indicating that a security agency was behind the
> backdoors setup in their OS.

I am not so sure. There are strong indications pointing[1] at state actors.

[1] [http://securityaffairs.co/wordpress/42971/hacking/juniper-sc...](http://securityaffairs.co/wordpress/42971/hacking/juniper-screenos-authentication-backdoor.html)

------
tptacek
Did The Intercept just publish a document about Juniper insecurity that
they've had since 2013, or had they already published this?

If they hadn't already published it, why not? It could have done some good
before, but does no good now.

~~~
striking
To me, it almost seems like they haven't gotten to reading through all of the
content of the archives that they have. But when there's a serious 0-day on
the loose, it's not too difficult to Ctrl-F the archives to check if the NSA
has anything to do with it.

~~~
akerro
> the archives

[https://search.edwardsnowden.com/](https://search.edwardsnowden.com/)
[https://search.wikileaks.org](https://search.wikileaks.org)

What more do you have?

~~~
BinaryIdiot
It's my understanding that Snowden released the documents to two journalists
(Glenn being one of them) on the grounds that they release "responsibly"
meaning redact or don't publish names of undercover agents, etc. So unless I
missed it the entire archive has never been released.

Instead it's released in tiny bits and pieces by Glenn when it seems most
appropriate.

I'm assuming this archive is updated as pieces come in. For example I did not
see this content within the archive.

That's my understanding anyway; if I'm wrong please let me know :)

~~~
akerro
Yes, you're right, but what does it have to do with the link I posted?

~~~
BinaryIdiot
Hmm I thought you were implying that was everything. Oops.

~~~
akerro
No, I'm just looking for more places like the ones I linked ;)

Searchable database of leaked documents that can be linked in flamewars ;)

------
oroup
Seems like a prime opportunity for a class action lawsuit. Juniper was selling
a class of products that categorically did not do what it claimed. What would
be interesting is their method of defense. As was pointed out to me in an
earlier thread, companies have legal immunity when assuring the intelligence
community with their work.[1] But Juniper already claims that they do not
assist third parties to compromise their products. So they would either need
to change their statements or be ineligible for this defense.

~~~
superuser2
There is no indication that Juniper cooperated with the NSA or acted
intentionally to compromise its products.

All software has defects, and if bugs entitled customers to civil damages
there would be 0 technology companies left alive. The standard is negligence,
but the NSA is sophisticated enough to compromise designs that were not
negligent.

~~~
chei0aiV
[http://blog.cryptographyengineering.com/2015/12/on-juniper-b...](http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html)

------
nickpsecurity
Not sure about whether it's subversion or basic hacking. You should assume,
though, that they might have hacks in any common product that can be used for
a security bypass. Here's why: IT markets usually become oligopolies where a
few players' products are all over the place. Firewalls, routers, VPN's, OS's
on desktop, OS's on mobile, net configuration, build systems... handfuls of
implementations in each dominate in market share. So, rather than beating
everything, you can focus on 0-days in a tiny few to beat almost everyone
[that matters to a TLA].

Another side of this coin is that they'll add to their hitlist whatever they
encounter the most. They probably run into Juniper firewalls all the time. So,
it's higher priority. Using high-quality, but lower-priority-to-them,
components reduces your risk of being hit by them. So, one of my
recommendations is to build/use strong systems, use diverse components of good
quality, and obscure the workings of both at the interface. They'll trip your
alarms trying to figure out what you're using before they hack you.

------
AndyMcConachie
So how long have Glenn Greenwald and others with access to the Snowden cache
known about this?

There was only one Snowden cache. If the document was provided by Snowden, did
we hear about it earlier?

Who has access to the Snowden cache now? Do we know?

------
NN88
So the US isn't supposed to gather intel now? Is that what you're saying
Glenn?

------
biot
Interesting that Juniper merely claims that putting in a backdoor or working
with others to do the same is against their policy. They seem to be avoiding
saying a very simple, clear statement: "We never have and never will
intentionally compromise the security of or put backdoors into our products,
whether for ourselves or on behalf of a third party". That they can't come out
and say that makes their claims suspect.

~~~
jlgaddis
From TFA:

> _"As we’ve stated previously … it is against established Juniper policy to
> intentionally include ‘backdoors’ that would potentially compromise our
> products or put our customers at risk. Moreover, it is Juniper policy not to
> work with others to introduce vulnerabilities into our products."_

-- Juniper

~~~
chei0aiV
Seems they were lying when they said that:

[http://blog.cryptographyengineering.com/2015/12/on-juniper-b...](http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html)

~~~
draw_down
Well, or they are spectacularly incompetent. We don't know which.

