[186454] in North American Network Operators' Group
Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Dec 18 22:33:06 2015
X-Original-To: nanog@nanog.org
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "Dave Taht" <dave.taht@gmail.com>
Date: Fri, 18 Dec 2015 11:52:42 -0500
In-Reply-To: <CAA93jw541rK_etQa=4qsXYzCdAuw3+KFtidYdSCL-M9kXxEiMQ@mail.gmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On 18 Dec 2015, at 7:28, Dave Taht wrote:
> I think "unauthorized code" is still plausible newspeak for "bug".
>
> Why blame finger foo when you can blame terrorists?
It looks like two different holes, one a back door for unauthorized
console login and one to somehow leak VPN encryption keys. There are
hints that that latter involved tinkering with certain constants in
the crypto (https://twitter.com/matthew_d_green/status/677871004354371584);
that would squarely point the finger at some government's intelligence
agency.
I don't know who did it, but neither 'bug' nor 'developer debugging
code' sounds plausible here.
