[186456] in North American Network Operators' Group


Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Dec 18 22:38:02 2015

X-Original-To: nanog@nanog.org
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
In-Reply-To: <CA+E3k93LiE0cy=AKSsKf+wWvgEUFn0fNuYZwfs-GVStw6hiZkg@mail.gmail.com>
Date: Fri, 18 Dec 2015 12:32:50 -0500
To: Royce Williams <royce@techsolvency.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Yes. He's backing off a bit on the claim, since he doesn't have full context.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

Sent from from a handheld; please excuse tyops

> On Dec 18, 2015, at 12:27 PM, Royce Williams <royce@techsolvency.com> wrote:
>
>> On Fri, Dec 18, 2015 at 8:03 AM, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
>>> On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:
>>>
>>>> On 18 Dec 2015, at 7:28, Dave Taht wrote:
>>>>
>>>> I think "unauthorized code" is still plausible newspeak for "bug".
>>>>
>>>> Why blame finger foo when you can blame terrorists?
>>>
>>> It looks like two different holes, one a back door for unauthorized
>>> console login and one to somehow leak VPN encryption keys.  There are
>>> hints that the latter involved tinkering with certain constants in
>>> the crypto (https://twitter.com/matthew_d_green/status/677871004354371584);
>>> that would squarely point the finger at some government's intelligence
>>> agency.
>>>
>>> I don't know who did it, but neither 'bug' nor 'developer debugging
>>> code' sounds plausible here.
>>
>> https://twitter.com/sweis/status/677896363070259200
>
> That tweet got deleted, apparently to redraft/correct; is this the equivalent?
>
> https://twitter.com/sweis/status/677897914643976193
> https://gist.github.com/hdm/107614ea292e856faa81#file-ssg500-6-3-0r12-0-diff-L16
>
> Royce

