Big Brother touched Juniper Networks - backdoor allowed anyone to eavesdrop on communications

Date: 2015-12-23 10:14

Tags: Big Brother » Government Spying » Privacy

It's known the U.S. Government spy agencies have demanded "cooperation" from computer and networking equipment vendors in ensuring spy agencies can unlawfully tap into communications traffic. The effect is that anybody learning the secret keys used by government spies to wiretap communications can also listen in on communications.

A couple weeks ago the Republican candidates for the 2016 US Presidential election held a debate in which Carly Fiorina (former HP CEO) bragged about having helped Government spy agencies do something to a computer shipment that may have involved installing backdoors.

All the Republican candidates (except for Rand Paul) proclaimed the necessity of undermining the Internet so that spy agencies can "do something about Terrorism". My blog post at the time pointing out the problem, that they're willing to destroy the Internet and trample on our freedom of privacy and freedom of speech, was met with a certain amount of derision. This is a serious problem we're facing, that the Internet has been subverted into a massive spying operation.

An example of this, and the problems with having done so, is in today's news. According to The Register, routers made by Juniper Networks have been discovered to have "backdoors" installed that make it easy for those with knowledge of certain details to decrypt any communication going through those routers. The backdoors share characteristics with Dual EC DRBG, a random number generator whose adoption the NSA lobbied for, even though researchers who studied Dual EC DRBG determined it could be decoded by "clever eavesdroppers".

In other words, the NSA wanted the world to adopt this random number generator - these are used for initializing encryption algorithms - that would predetermine the characteristics of encrypted communications that the NSA could then easily decrypt.

Juniper Networks admitted there had been unauthorized changes to software in their routers. The researchers who uncovered the flaw of course don't have access to the audit trail to determine who inserted these changes. It smells like the NSA caused this to happen, but The Register doesn't have proof of the culprit.

However, the effect is what I said above - a backdoor allowing anyone with the right knowledge to easily decrypt communications. It may not matter whether it was the NSA who did it. The truth is that Juniper routers are vulnerable, and it seems purposely so. It's just that the NSA has the motive to do this, and the means (it's well known Government agencies have demanded various forms of "cooperation" of this sort over the last several years).

What's truly egregious about this is that nefarious 3rd parties also discovered the same vulnerability. According to The Register, they built ... well, The Register has this quote from a blog post by Matthew Green, a cryptography researcher at Johns Hopkins University. That blog post goes into many more details.

"For the past several years, it appears that Juniper NetScreen devices have incorporated a potentially backdoored random number generator, based on the NSA's Dual EC DRBG algorithm,"

"At some point in 2012, the NetScreen code was further subverted by some unknown party, so that the very same backdoor could be used to eavesdrop on NetScreen connections. While this alteration was not authorized by Juniper, it's important to note that the attacker made no major code changes to the encryption mechanism – they only changed parameters."

"To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional – you be the judge,"

"They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them,"

"The end result was a period in which someone – maybe a foreign government – was able to decrypt Juniper traffic in the US and around the world."

His blog post closes with this explanation of why these details of random number generators and encryption algorithms matter:

For the past several months I've been running around with various groups of technologists, doing everything I can to convince important people that the sky is falling. Or rather, that the sky will fall if they act on some of the very bad, terrible ideas that are currently bouncing around Washington -- namely, that our encryption systems should come equipped with "backdoors" intended to allow law enforcement and national security agencies to access our communications.

One of the most serious concerns we raise during these meetings is the possibility that encryption backdoors could be subverted. Specifically, that a backdoor intended for law enforcement could somehow become a backdoor for people who we don't trust to read our messages. Normally when we talk about this, we're concerned about failures in storage of things like escrow keys. What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that.

The problem with cryptographic backdoors isn't that they're the only way that an attacker can break into our cryptographic systems. It's merely that they're one of the best. They take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes.

That is - he's raising the same concern I raised. Many politicians are calling for subversion of the Internet, so that spy agencies can more easily eavesdrop, and more easily "catch terrorists". But the effect will simply be more invasion of privacy, and worse, criminals and others will make unintended use of these backdoors.

An example that came up in today's news is a guy from the Bahamas captured by the FBI trying to sell stuff he purloined out of private e-mail accounts of Actors/Actresses/etc. In part it's the same-old-same-old story of someone hacking into e-mail accounts, and pilfering stuff. In this case it's TV scripts, movie scripts, sex tapes, private identifying numbers, and so on. It's the sort of story which comes up on occasion, you read it, yawn and move on. But, it's also a symptom of the whole problem. Nefarious people grabbing private personal data they have no business accessing.

Maybe this guy used the sort of backdoor which was installed by government agents, or maybe not. It doesn't matter. It's just another instance of privacy violation. When the Government leans on computer equipment makers to install security backdoors - it means the Government is increasing the chance of privacy violations. And the government cannot control who uses those tools.
