Big Brother touched Juniper Networks - backdoor allowed anyone to eavesdrop on communications

By: (plus.google.com) +David Herron; Date: 2015-12-23 10:14

Tags: Big Brother » Government Spying » Privacy

It's known that U.S. Government spy agencies have demanded "cooperation" from computer and networking equipment vendors to ensure those agencies can unlawfully tap into communications traffic. The effect is that anybody learning the secret keys used by government spies to wiretap communications can also listen in on communications.

A couple weeks ago the Republican candidates for the 2016 US Presidential election held a debate in which Carly Fiorina (former HP CEO) bragged about having helped Government spy agencies do something to a computer shipment that may have involved installing backdoors.

All the Republican candidates (except for Rand Paul) proclaimed the necessity of undermining the Internet so that spy agencies can "do something about Terrorism". My blog post at the time pointing out the problem, that they're willing to destroy the Internet and trample on our freedom of privacy and freedom of speech, was met with a certain amount of derision. This is a serious problem we're facing, that the Internet has been subverted into a massive spying operation.

An example of this, and the problems with having done so, is in today's news. According to The Register (www.theregister.co.uk), routers made by Juniper Networks have been discovered to have "backdoors" installed that make it easy for those with knowledge of certain details to decrypt any communication going through those routers. The backdoors share characteristics with Dual EC DRBG, a random number generator whose adoption the NSA lobbied for, even though researchers who studied it determined it could be decoded by "clever eavesdroppers".

In other words, the NSA wanted the world to adopt this random number generator - these are used for initializing encryption algorithms - that would predetermine the characteristics of encrypted communications that the NSA could then easily decrypt.
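A toy model of the generator weakness described above, added here as an example and not taken from the original post, The Register, or Juniper's code: whoever chose the constant Q knows a number d linking it to the fixed point P, and one raw output is then enough to compute the next one. It assumes the secp256k1 curve for convenience and skips the output truncation of the real generator; all function names and values are constructed for illustration, and the demo also shows that replacing Q moves the trapdoor to whoever picked the new value.

```python
# Toy Dual EC-style generator on secp256k1 (y^2 = x^3 + 7), output truncation
# omitted. The curve choice, seed and trapdoor values are constructed.
FP = 2**256 - 2**32 - 977   # field prime; FP % 4 == 3, so sqrt is one pow()
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order

def add(a, b):                       # affine addition; None = point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % FP, -1, FP)
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def mul(k, pt):                      # double-and-add: k * pt
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(x):                       # a point with this x (sign of y is irrelevant)
    y = pow(x**3 + 7, (FP + 1) // 4, FP)
    if (y * y - x**3 - 7) % FP: raise ValueError("x is not on the curve")
    return x, y

P = lift_x(1)                        # fixed public point, never changed

def make_q(e):                       # Q = e*P gives trapdoor d = 1/e mod N, so P = d*Q
    return mul(e, P), pow(e, -1, N)

def outputs(seed, Q, count):         # new state s' = x(s*P); emitted value x(s'*Q)
    out, s = [], seed
    for _ in range(count):
        s = mul(s, P)[0]
        out.append(mul(s, Q)[0])
    return out

def predict_next(output, d, Q):      # x(d * s'Q) = x(s'P) is the next state
    return mul(mul(d, lift_x(output))[0], Q)[0]

def demo():
    (q_new, d_new), (_, d_old) = make_q(0x7654321), make_q(0x1234567)
    first, second = outputs(0xC0FFEE, q_new, 2)   # device runs with the swapped Q
    return (predict_next(first, d_new, q_new) == second,
            predict_next(first, d_old, q_new) == second)
```

Because the trapdoor lives entirely in one constant, integrity checks on shipped cryptographic parameters matter as much as review of the code around them.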

Juniper Networks admitted there had been unauthorized changes to software in their routers. The researchers who uncovered the flaw of course don't have access to the audit trail to determine who inserted these changes. It smells like the NSA caused this to happen, but The Register doesn't have proof of the culprit.

However, the effect is what I said above - a backdoor allowing anyone with the right knowledge to easily decrypt communications. It may not matter whether it was the NSA who did it. The truth is that Juniper routers are vulnerable, and it seems purposely so. It's just that the NSA has the motive to do this, and the means (it's well known Government agencies have demanded various forms of "cooperation" of this sort over the last several years).

What's truly egregious about this is that nefarious 3rd parties also discovered the same vulnerability. According to The Register, they built ... well, The Register has this quote from (blog.cryptographyengineering.com) a blog post by Matthew Green, a cryptography researcher at Johns Hopkins University. That blog post goes into many more details.

"For the past several years, it appears that Juniper NetScreen devices have incorporated a potentially backdoored random number generator, based on the NSA's Dual EC DRBG algorithm,"

"At some point in 2012, the NetScreen code was further subverted by some unknown party, so that the very same backdoor could be used to eavesdrop on NetScreen connections. While this alteration was not authorized by Juniper, it's important to note that the attacker made no major code changes to the encryption mechanism – they only changed parameters."

"To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional – you be the judge,"

"They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them,"

"The end result was a period in which someone – maybe a foreign government – was able to decrypt Juniper traffic in the US and around the world."

His blog post closes with this explanation of why these details of random number generators and encryption algorithms matter:

For the past several months I've been running around with various groups of technologists, doing everything I can to convince important people that the sky is falling. Or rather, that the sky will fall if they act on some of the very bad, terrible ideas that are currently bouncing around Washington -- namely, that our encryption systems should come equipped with "backdoors" intended to allow law enforcement and national security agencies to access our communications.

One of the most serious concerns we raise during these meetings is the possibility that encryption backdoors could be subverted. Specifically, that a backdoor intended for law enforcement could somehow become a backdoor for people who we don't trust to read our messages. Normally when we talk about this, we're concerned about failures in storage of things like escrow keys. What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that.

The problem with cryptographic backdoors isn't that they're the only way that an attacker can break into our cryptographic systems. It's merely that they're one of the best. They take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes.

That is - he's raising the same concern I raised. Many politicians are calling for subversion of the Internet, so that spy agencies can more easily eavesdrop, and more easily "catch terrorists". But the effect will simply be more invasion of privacy, and worse that criminals and others will make unintended use of these backdoors.

An example that came up in today's news is (arstechnica.com) a guy from the Bahamas captured by the FBI trying to sell stuff he purloined out of private e-mail accounts of actors, actresses and others. In part it's the same-old-same-old story of someone hacking into e-mail accounts and pilfering stuff. In this case it's TV scripts, movie scripts, sex tapes, private identifying numbers, and so on. It's the sort of story which comes up on occasion; you read it, yawn and move on. But it's also a symptom of the whole problem: nefarious people grabbing private personal data they have no business accessing.

Maybe this guy used the sort of backdoor which was installed by government agents, or maybe not. It doesn't matter. It's just another instance of privacy violation. When the Government leans on computer equipment makers to install security backdoors - it means the Government is increasing the chance of privacy violations. And the government cannot control who uses those tools.
