back to article Juniper resets 'days since last rogue code incident' clock

Juniper Networks has announced its own investigations have found none of the "oops ... how did that code get there" trouble in Junos OS and that it will kill off Dual Elliptic Curve (Dual_EC) encryption in ScreenOS. The company says it hired a "respected security organization" that "undertook a detailed investigation of …

  1. Aslan

    See the article on Wired

    http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raises-more-questions-about-the-company/

    I like the Register I do, and Wired is usually the place with puff pieces, but if you want the hard info, to know who discovered what, the timeline of events, and what was actually going on with the code and why the nonce matters see the Wired article.

    1. Anonymous Coward
      Anonymous Coward

      Re: See the article on Wired

      Wired article is good for a change, but elReg is normally excellent (have to say that or AO gets pissy):

      "“The more output you see [from the generator], the better [it is to crack the encryption],” Checkoway says. “Anything you see over 30 bytes is very helpful. Anything you see less than 30 bytes makes the attack exponentially harder. So seeing 20 bytes makes the attack basically infeasible. Seeing 28 bytes makes it doable, but it takes an amount of time, maybe hours. Seeing 32 bytes makes it take fractions of a second.”

  2. allthecoolshortnamesweretaken

    I have said it before and I'll say it again: if it comes out of a machine it ain't random - see xkcd for alternatives.

    1. ZSn

      Avalanche noise in Zener diodes? Depends upon what you mean by 'machine'?

    2. Anonymous Coward
      Anonymous Coward

      Background noise hitting a tuned CMOS?

  3. TeeCee Gold badge
    WTF?

    Nonce?

    Really?

    I take it that whoever's responsible for dreaming that up is also the only SOB on the entire planet who doesn't know what it really means?

    And who also doesn't double-check their neologisms with the urban dictionary to avoid nasty fuckups like this.

    1. Anonymous Coward
      Anonymous Coward

      Re: Nonce?

      The term "nonce" has been used by cryptographers forever. It's short for "Number used ONCE". (I.e. if you reuse it then Bad Things happen). It's typically either randomly generated, or a sequence number.

      Yes, it has other meanings in other contexts. But it's meaning in cryptography is well-known. And it's usage in cryptography goes back far before the first Urban Dictionary entry for it.

      1. Keef

        Re: Nonce?

        "The term "nonce" has been used by cryptographers forever"

        Care to define forever in the context of your comment?

        I doubt you can in any meaningful way.

        I think here in blighty we had offenders referred to as nonces before we had the crypto version.

        Don't assume your one size fits all...

      2. frank ly

        Re: Nonce?

        "Number used once" is a happily convenient backronym. A 'nonce word' (a word made up for a particular use and not intended to be used again) is a term that was invented about 100 years ago, some time before its use for numbers in cryptography.

        Have a look at:

        http://www.dailywritingtips.com/nonce-words-for-the-nonce-and-nonce/

    2. phuzz Silver badge
      Headmaster

      Re: Nonce?

      It's only us brits (and probably some of the commonwealth too) who use nonce as an insult, in the US that meaning is unknown.

      American's don't even know what 'trump' means.

    3. Anonymous Coward
      Anonymous Coward

      Re: Nonce?

      On web pages if you wish to avoid double posting or wish to trigger an action on a page if they arrive from a certain page and not if they refresh, can and often does use a nonce. It's a well known and well used programming term - just because it has a different and unrelated meaning as slang for something else (and never likely to be confused) is nothing to get your nuts in a twist.

      Geez ... you should have ended your post with "Won't somebody think of the children?"

      That Brass Eye episode was a spoof wasn't it?

  4. CAPS LOCK

    The 'back door' in D. E. C. C. has been known since 2005...

    ... when Daniel R. L. Brown and Scott Vanstone's patent application describing the mechanism.

    Juniper might get rid of it this year. Hahaha - more quality from Juniper.

  5. Anonymous Coward
    Meh

    "respected security organization"

    What is the reason for them not giving the name of the organization they hired? Should I trust them more, or less, because they don't tell us?

    1. NotBob
      Black Helicopters

      Re: "respected security organization"

      Trust them completely. Like other companies and your government, they have only their your best interests at heart.

  6. Woodnag Silver badge

    Summary

    Asian - here's the exec summary you'd like. No trouble, mate. Happy to help

    1. By 2011 "GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks" <url>https://theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq</url>

    2. An external researcher or internal engineer found the security flaws. "The company said it discovered the backdoors during an internal code review, but it didn’t say if this was a routine review or if it had examined the code specifically after receiving a tip that something suspicious was in it." <url>http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors</url>

    3. Juniper sat on it until the discoverer was at the point of going public.

    4. Juniper's CTO made the "During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections" announcement to own the discovery <url>http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors</url>

    5. Juniper issues fixes that don't fix all the security issues <url>http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raises-more-questions-about-the-company</url>

    A damning piece of circumstantial evidence is that Juniper won't be explicit about who/how/when the security flaws came to light. It would be to their credit to claim that they found it, but being caught lying (as opposed to evasive) would make their situation and trustworthiness so much worse. That implies that Juniper's hand was forced by the discoverer who was not under their control.

    So, Cisco, got anything you need to need to do? Like go to court to get any NSA instructions to you judged illegal before you get caught?

  7. Anonymous Coward
    Anonymous Coward

    0x20 vs 20?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021