Agreed. I couldn't figure it out at all without navigating around a bit. Someone with some HTML/CSS ability should attempt to donate some time to fixing this web page's messaging issues to get the product across better, to those technical or otherwise.
> political freedom from authority is only ever won via extreme violence.
Eh, that's the most extreme end. Political freedom from authority is won by having more power, period. That power can come in many forms, but at its most primal can come from having the capability of lethal force. The power of a representative government is supposed to be in being able to vote out those that are destroying you, not in you having to take up arms to solve the issue.
> If you do a lot of network infiltration, these boxes are among the most useful targets; unlike routers running JunOS, the VPN concentrators have a large outside-the-packet-filter attack surface, and everyone runs them.
Don't forget that the newer SRX-series VPN gateways are JunOS-based, and seem to be recommended by most Juniper sales people these days. There are certainly a ton of ScreenOS devices, but Juniper seems to have mostly deprecated them in their messaging.
The primary Juniper security track certifications are JunOS-focused, and there's only a basic specialization available from them for ScreenOS. Juniper has mostly staked their future on JunOS from what I can tell.
Seriously. I can understand non-engineering-types calling SSL "SSL" still, but there's a point at which I will begin to date or discredit people's knowledge of "SSL" if they're still referring to it as such (and not to one of the libraries like polar, open, boring, etc.) I don't generally like being a pedant, but SSL and TLS are different things that attempt to solve the same problem, much like WEP and WPA. Most people don't call WPA WEP anymore.
It's very different from WPA and WEP. "TLS" was a rebranding as part of the standardization process, for political reasons, and was not merited by any of the actual protocol changes. The wire format of TLS 1.0 looks exactly like how you'd have expected an SSL 3.1 or 4.0 to look, down to the fact that the version number field literally contains 3.1. The data structures are the same, the encoding is the same, many of the algorithms are the same, etc. And many of the protocol bugs are the same, and were only closed down in TLS 1.2.
WEP and WPA are completely different protocols. WEP only supports a shared, fixed encryption key, and in its common mode has no handshake. WPA always uses a handshake and derives a per-session key for encryption, and therefore requires a stateful client. (This is why, e.g., on Linux, you can use `iwconfig` to set a WEP password but you need to run the `wpa_supplicant` daemon for a WPA password.) WPA's handshake supports EAP, and WEP has no concept of it. And so forth.
Perhaps you're thinking of WPA vs. WPA2? That's much more like SSL 3.0 and TLS 1.0: there was a standardization process between them, the protocol has been adjusted to address inherent security issues, there are more secure algorithms available, etc. but it's still clearly an extension of the original protocol. But here, again, most practitioners and implementors are happy to call both protocols "WPA" without any risk of confusion or inaccuracy.
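The point about the version field can be checked on the wire. The following is an added example, not code from anyone in the thread: it constructs minimal ClientHello records (zeroed random, one cipher suite, so a constructed test vector rather than a capture) and decodes the three places a TLS version pair appears: the record header, the hello body, and, for TLS 1.3, the supported_versions extension (type 43). The mapping of byte pairs to names is the standard one: 3,0 is SSL 3.0, 3,1 is TLS 1.0, 3,3 is TLS 1.2 and is also the legacy value TLS 1.3 keeps in the header, and 3,4 only ever shows up inside the extension.

```python
"""Added example (not from the thread): decode TLS version fields to show that
TLS 1.0 is literally 'SSL 3.1' on the wire."""
import struct

# (major, minor) as carried in the 2-byte version field -> common name.
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",   # the 'SSL 3.1' that was renamed during standardisation
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",   # also the legacy_version TLS 1.3 puts in record and hello headers
    (3, 4): "TLS 1.3",   # only appears inside the supported_versions extension
}

def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}")

def build_client_hello(record_version, hello_version, supported_versions=None):
    """Constructed minimal ClientHello (test vector, not a capture).
    supported_versions: list of (major, minor) for extension 43, as TLS 1.3 clients send."""
    body = bytes(hello_version)                 # client_version
    body += b"\x00" * 32                        # random (zeroed: constructed data)
    body += b"\x00"                             # session_id length 0
    body += struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                         # compression_methods: null only
    exts = b""
    if supported_versions:
        versions = b"".join(bytes(v) for v in supported_versions)
        ext_data = bytes([len(versions)]) + versions
        exts += struct.pack("!HH", 43, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return the version names found in the record header, the hello body and the
    supported_versions extension (empty list if the extension is absent)."""
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + length]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    result = {"record": version_name(major, minor),
              "hello": version_name(body[0], body[1]),
              "supported_versions": []}
    pos = 2 + 32                                            # client_version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 43:                              # supported_versions
                n = data[0]
                result["supported_versions"] = [
                    version_name(data[i], data[i + 1]) for i in range(1, 1 + n, 2)]
    return result

if __name__ == "__main__":
    tls10 = build_client_hello((3, 1), (3, 1))
    print(tls10[:5].hex(), parse_client_hello(tls10))      # header bytes 16 03 01 ...
    tls13 = build_client_hello((3, 1), (3, 3), [(3, 4), (3, 3)])
    print(parse_client_hello(tls13))
```

The second hello shows the practical consequence of the rebranding: a TLS 1.3 client still writes 3,1 or 3,3 in the header and 3,3 in the body, so anything that classifies "SSL vs TLS" from the first bytes of a connection is really reading SSL 3.x minor versions, and must parse the extension to see 1.3 at all.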
Nope, I'm not thinking of WPA/WPA2; I'm just destroyed here by a lack of my own ability to properly communicate things sometimes.
At the high level, "SSL" is a term for an obsolete standard that encrypts connections, protocols be damned, supplanted by the term and the protocol changes that make up TLS. WEP is an obsolete standard for encrypting wireless connections (so is WPA), and WPA2 is the newest version. However, often we'll hear technical and non-technical people talk about how they implement "SSL" even though that's not technically the correct term to use anymore. Rarely do people use "WEP" to mean WPA.
WPA/WPA2 is a very good analogy for SSL/TLS. Effectively the same protocol, but a more rigorously defined standard. In the case of WPA2 it was WPA as ratified by IEEE 802.11i, whereas the original WPA had to be rushed out to answer the immediate deficiencies in WEP.
> I don't generally like being a pedant, but SSL and TLS are different things that attempt to solve the same problem, much like WEP and WPA.
That is not really accurate - TLS 1.0 is very similar to SSL 3.0. They're so similar that implementations use much of the same code for both. TLS 1.0 should have been called SSL 3.1, but because of the browser wars between Netscape and Microsoft it was renamed (SSL was invented by Netscape, Microsoft didn't want to adopt a Netscape technology). See http://tim.dierks.org/2014/05/security-standards-and-name-ch...
> Overall, resilient public cyber key terrain could prove a double-edged sword: enabling DoD to project power, both in terms of information as well as cyberspace operations, but also enabling enemies of the United States to do the same, and with a lower barrier of entry than before.
I think you could argue this is a bit what the government already thinks of the Tor Project, although they call it 'loosely decentralized'.
I seriously wonder whether or not, politically, we will actually head down this path; with each successive government I'm beginning to see the fear that cypherpunk-utopia, anarchocapitalist-style decentralization may bring to nation-states, and the risks inherent to some citizens in that process.
From a politician's (very misguided) view of laws solving problems, it's easy to smash the "resilient public cyber key terrain", while still getting the edge of the sword you want (allowing these technologies to provoke unrest in countries you don't like) - you pass laws that ruthlessly enforce the use of Tor et al on your own territory, run a lot of psychological operations against the use of those tools by your citizenry, and then spread the shit out of that same technology through covert channels to everywhere else in the world, for those ballsy enough to be "separatists" in their own countries. The politician will think that assuming a powerful security organization and steep enough penalties domestically, you can probably eke a net benefit out of the technology outside of your nation-state with little downsides within your own.
This leads to a scary way of blunting the edge of the sword that a politician thinks could hurt them domestically, and I'm afraid that perhaps in some ways we're going down that path (RIPA 2000 is a good example of that, any type of forced-key-disclosure type of thing, or any type of key escrow and tying laws to requiring key escrow.) In the end it doesn't really work, but it does shed a lot more blood in the process.
As a follow-on question: was NetScreen using Dual_EC_DRBG before Juniper bought them (and with it ScreenOS?) If so, it might be good to scrutinize the original NetScreen owners and where they are now (hint: They now run Fortinet and Palo Alto Networks. Are they at risk of interesting, compromised security choices, now, too?)
And you're right. Juniper could still have their own e, which renders the security pointless.
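What "their own e" means in practice can be shown with a toy Dual_EC_DRBG. The following is an added example, not ScreenOS code and not from anyone in the thread. It uses secp256k1 only because its constants are short to write down (the standard used NIST P-256; the attack does not depend on the curve), picks Q as the base point and derives P = e*Q so that the trapdoor relation e*Q == P holds by construction (the standard fixed P and left Q's origin unexplained; the relation that matters is the same), and uses a made-up e and a made-up victim seed. It also makes the number of dropped output bits a parameter: the standard dropped 16, which costs the attacker about 2^16 point operations per output; the demo defaults to 4 so it runs in well under a second in pure Python.

```python
"""Added example (not from the thread, not ScreenOS code): toy Dual_EC_DRBG with a
trapdoor e such that e*Q == P, and the state-recovery attack that e enables."""

P_MOD = 2**256 - 2**32 - 977          # secp256k1 field prime (stand-in for P-256)
B = 7                                 # curve y^2 = x^3 + 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)
assert (GY * GY - GX ** 3 - B) % P_MOD == 0, "generator not on curve"

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)      # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Both curve points with this x-coordinate, or [] if x is not on the curve."""
    rhs = (x ** 3 + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)            # square root, valid as p = 3 mod 4
    if y * y % P_MOD != rhs:
        return []
    return [(x, y), (x, (-y) % P_MOD)]

class DualEC:
    """Generate step: s <- x(s*P); r <- x(s*Q); emit r with its top trunc_bits dropped."""
    def __init__(self, seed, P, Q, trunc_bits):
        self.s, self.P, self.Q = seed, P, Q
        self.mask = (1 << (256 - trunc_bits)) - 1

    def next_output(self):
        self.s = ec_mul(self.s, self.P)[0]
        return ec_mul(self.s, self.Q)[0] & self.mask

def trapdoor_points(e):
    """Whoever fixes the constants can choose them so that e*Q == P (here: Q = G, P = e*G)."""
    Q = G
    return ec_mul(e, Q), Q

def recover_next_state(r_trunc, e, trunc_bits):
    """From one truncated output r = x(s*Q): try every value of the dropped bits, lift x to
    R = +-s*Q, and compute x(e*R) = x(s*e*Q) = x(s*P), which is the generator's NEXT state.
    R and -R give the same x, so the sign ambiguity costs nothing."""
    shift = 256 - trunc_bits
    states = set()
    for top in range(1 << trunc_bits):
        x = (top << shift) | r_trunc
        if x >= P_MOD:
            continue
        for R in lift_x(x):
            nxt = ec_mul(e, R)
            if nxt is not None:
                states.add(nxt[0])
    return states

def attack(e, P, Q, observed, trunc_bits, predict=3):
    """observed = (r_i, r_i+1) as seen on the wire. Returns the victim's next outputs."""
    r0, r1 = observed
    mask = (1 << (256 - trunc_bits)) - 1
    # Candidates from r0, filtered by consistency with r1 = x(state*Q) truncated.
    survivors = [s for s in recover_next_state(r0, e, trunc_bits)
                 if ec_mul(s, Q)[0] & mask == r1]
    if len(survivors) != 1:
        raise RuntimeError(f"{len(survivors)} candidates survived; need more output")
    clone = DualEC(survivors[0], P, Q, trunc_bits)
    return [clone.next_output() for _ in range(predict)]

def demo(trunc_bits=4):
    """Victim emits two outputs; the holder of e predicts the next three. Constructed values."""
    e = int.from_bytes(b"constructed 32-byte trapdoor e!!", "big")      # made-up trapdoor
    seed = int.from_bytes(b"constructed 32-byte victim seed!", "big")   # made-up secret seed
    P, Q = trapdoor_points(e)
    victim = DualEC(seed, P, Q, trunc_bits)
    observed = (victim.next_output(), victim.next_output())
    predicted = attack(e, P, Q, observed, trunc_bits)
    actual = [victim.next_output() for _ in range(3)]
    return predicted == actual

if __name__ == "__main__":
    print("attacker predicted the victim's next outputs:", demo())
```

Two things the parameter makes visible. With trunc_bits at the standard's 16, `recover_next_state` loops 65536 times, which is the whole cost of the published attack. With trunc_bits = 0, i.e. a generator that emits the full 32-byte x-coordinate rather than a truncated block, the loop runs once and a single observed output gives the state with no brute force at all. In both cases anyone who does not know e gains nothing from this code, which is exactly why the question of who chose the constants, and whether they kept an e, decides the security of every byte the generator ever produced.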
I'd like to argue Snowden is as pure as many of us wish he was in this case, but he, too, must unfortunately play the games of the nation-states that are more powerful than him.
Snowden is right in talking about MTProto's issues, and this is a case where he can talk about something both he and the Russian government dislike, albeit for different reasons. It's a fine line to walk to maintain integrity.
Why the statement from Juniper, then? To try to CYA so they don't end up looking as shitty to the community as RSA did post-bribe?
EDIT: The conspiracy theorist in me would say "this is intentional, too." Changing a value to 31 from 32, or adding a single global assignment in a different function, wouldn't be caught on first review most likely, especially since where the '31' is, 31 is also used all over the code to refer to X9.31.
Their only options are Google, Bing, Yandex, Exalead, Gigablast, and Mojeek, and most probably in that order as the last two need to grow considerably first. Unless there's any others that have their own index?
They probably scrape Google. Willing to bet there is no deal. Google would never agree to such a thing. Even paying $XXXXX a month isn't worth it to them.
Yeah sorry, I was only counting engines suitable for DDG, i.e. English language etc. There's also Qwant and, although they are crawling, their results still appear to be Bing.