
NSA knew about Juniper backdoors and kept quiet about them - us0r
http://thenextweb.com/us/2015/12/24/nsa-knew-about-juniper-backdoors-and-kept-quiet-about-them/
======
dang
This article is blogspam of [https://theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq/](https://theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq/). Submitters: when an article is just a rip of a more original story, please submit the original story instead, as the HN guidelines ask.

We've buried this submission because it is a dupe of
[https://news.ycombinator.com/item?id=10784595](https://news.ycombinator.com/item?id=10784595).

~~~
jlgaddis
Hi Dan,

I often see submissions labeled as "[dupe]" and I've come across some of them
myself. In these cases, what's the proper/best way of "marking" them as
duplicates? Usually, I just hit "flag" but I feel that might not be the best
way.

Thanks for all you do to keep HN awesome!

~~~
dang
Flagging is the way. If the story gets flagkilled and has a single comment
pointing to a previous HN submission, the software displays [dupe] instead of
[flagged]. [dupe] also shows up if a moderator marks the item as a dupe.

We're probably going to extend flagging to ask the user to pick from a list of
reasons, one of which will be "duplicate", so this mechanism may change
somewhat in the new year.

------
mkagenius
"The ability to exploit Juniper servers and firewalls will pay many dividends
over the years." - NSA [1]

This is the first time I have seen any Snowden document. I am stunned; they
talk like black hat hackers, only caring about themselves and not the people
using that tech.

1. [https://www.documentcloud.org/documents/2653542-Juniper-Opportunity-Assessment-03FEB11-Redacted.html](https://www.documentcloud.org/documents/2653542-Juniper-Opportunity-Assessment-03FEB11-Redacted.html)

~~~
pdkl95
> This is the first time I have seen any Snowden document.

Seriously? Then there's interesting[1] reading available[2].

[1] For various definitions of "interesting" ranging from "meh" to "OMGWTF"
depending on your interpretation and politics.

[2]
[https://en.wikipedia.org/wiki/Global_surveillance_disclosure...](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29)

------
us0r
The document:

[https://www.documentcloud.org/documents/2653542-Juniper-Opportunity-Assessment-03FEB11-Redacted.html](https://www.documentcloud.org/documents/2653542-Juniper-Opportunity-Assessment-03FEB11-Redacted.html)

------
dogma1138
If the NSA/GCHQ knew about those backdoors but didn't introduce them it's even
more worrying.

Finding/buying a zero day exploit is what most SIGINT intelligence
organizations around the world could more or less easily achieve.

Penetrating an organization to the point of being able to introduce foreign
code into their products which remained there for at least several years, as
well as launch a fairly sophisticated crypto attack which would only benefit
someone if they had the ability to tap into large scale internet traffic,
isn't something that many organizations, if any at all, outside of the NSA-GCHQ
coop should be able to achieve.

Russia and China are quite far behind, Germany and France don't have the
budget (as far as appropriations go; if they wanted to they could surely
find the money), Israel could pull the exploit off both technically and
operationally but it most likely lacks the ability to gather internet traffic
on a wide scale (it is probably one of the best out there as far as wireless
sigint goes but it lacks the resources to be able to tap into world wide
internet cable infrastructure), which makes it unlikely that they would
introduce the VPN backdoor (unless it was for a very specific target, although
Juniper together with ZTE pretty much rule the Iranian ISP market). This
means that either Russia and China are playing way beyond their presumed level
of both capability and competency, or there are other players, most likely
private, hanging around the court, which is even more frightening.

Of course there's still a chance that the NSA not only knew about those
backdoors but actually introduced them, but for the time being all the
supporting documents just show that they discovered them rather than introduced
them.

~~~
1stop
I'm curious what your reasoning for thinking Russia and China are behind
Israel on this is? Surely Russia and China have put a lot more resources into
this than Israel even has...

~~~
dogma1138
China maybe, Russia so far not really. The reasoning is simply based on what
we know about their current offensive cyber operations and capabilities and
their commercial market presence as far as general cyber security technology
goes; in that regard China is a potential strong contender but Russia is far
behind (Putin's intellectual spring cleaning and general crackdowns really
don't help them to advance).

Israel is currently the 2nd largest exporter of cyber security solutions in
the world; its mandatory military service means that virtually every employee
of those companies served in their military intelligence or signal corps, and
since they are in the reserves until their mid 40's they continue to do so.
Israel in general is largely held as the strongest player, at least as far as
technical capabilities go, after the US/UK coop. And they also have very
strong humint and general intelligence capabilities which would allow them to
penetrate an organization like Juniper (Juniper having an R&D center in Israel
also helps).

------
tptacek
Edward Snowden says the opposite is true; he's suggested on Twitter that NSA
probably _alerted_ Juniper to the backdoors.

------
wpietri
As a taxpayer, a voter, and a tech entrepreneur, I'd really like to see our
government put significant money behind securing our infrastructure. There are
so many important open-source products that could use better funding and high-
quality security reviews.

~~~
electic
I would say this is far more serious than that. If true, this means in order
to satisfy their charter they allowed just about every other government
agency, company, and defense contractor to fall victim to this vulnerability
causing hundreds of billions of dollars in potential damages.

------
A1kmm
> There's been speculation about whether the UK, China or the NSA are to
> blame - but today's revelation strongly suggests that it might have been
> the US.

Why would the NSA infiltrate Juniper to change the Dual EC DRBG parameters,
when the standard parameters are already exactly how they want them?

There is a good chance they noticed that their attacks against Dual_EC_DRBG
weren't working - but to reveal that pre-Snowden would prove that they knew
the private key and were exploiting it.

That said, I understand there was more than one back-door disclosed.

~~~
djcapelis
FWIW, I believe people have said that Juniper was always using non-standard EC
DRBG parameters. The backdoor changed those parameters to something else. So
the NSA wouldn't have already had the parameters they wanted.

------
pearjuice
NSA is an intelligence agency. As a stakeholder in all of this, they have
absolutely no benefit to disclose the backdoors. In fact, who says they aren't
in part responsible for said backdoors? We all know financial support for
ideological gains is something American authorities excel at.

~~~
A1kmm
Their primary mission is to defend (including both protecting US information
security and gathering intelligence) - cases like this show that they have
compromised their direct information security defence mission to further their
offensive capabilities.

~~~
pdkl95
According[1] to Dan Geer[2], the intelligence community is all offense:

    Chris Inglis, recently retired NSA Deputy Director, remarked that if we were
    to score cyber the way we score soccer, the tally would be 462-456 twenty
    minutes into the game, i.e., all offense.  I will take his comment as confirming
    at the highest level not only the dual use nature of cybersecurity but also
    confirming that offense is where the innovations that only States can afford
    is going on.

[1]
[http://geer.tinho.net/geer.blackhat.6viii14.txt](http://geer.tinho.net/geer.blackhat.6viii14.txt)

[2] (among other credentials) CISO at In-Q-Tel

