Fahmida Y. Rashid, InfoWorld, 23 Dec 2015
FBI director James Comey should be taking notes: The Juniper debacle shows why security experts are up in arms over government-ordered backdoors
http://www.infoworld.com/article/3018029/virtual-private-network/listen-up-fbi-juniper-code-shows-the-problem-with-backdoors.html

opening text:

Government officials keep asking technology companies to put encryption backdoors in their products. But the saga of the Juniper VPN backdoor is an object lesson on how attackers can use this avenue for nefarious purposes. Last week, Juniper Networks announced that during a routine internal audit, it had found unauthorized code in ScreenOS, the operating system used in products including firewalls and VPN gateways. The spying code would allow someone monitoring VPN traffic flowing through NetScreen to decrypt the traffic and monitor all communications. A second vulnerability provides attackers with administrator access to NetScreen devices via a hard-coded master password. Security researchers believe a backdoor was already present in Juniper's code, and unknown attackers simply took advantage of it.
Ryan Gallagher and Glenn Greenwald, The Intercept, 23 Dec 2015
https://theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq/
<https://www.documentcloud.org/documents/2653542-Juniper-Opportunity-Assessment-03FEB11-Redacted.html>

*A TOP-SECRET* document dated February 2011 reveals that British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks, a leading provider of networking and Internet security gear. The six-page document, titled *Assessment of Intelligence Opportunity Juniper*, raises questions about whether the intelligence agencies were responsible for or culpable in the creation of security holes disclosed <https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554> by Juniper last week. While it does not establish a certain link between GCHQ, NSA, and the Juniper hacks, it does make clear that, like the unidentified parties behind those hacks, the agencies found ways to penetrate the NetScreen line of security products, which help companies create online firewalls and virtual private networks, or VPNs. It further indicates that, also like the hackers, GCHQ's capabilities clustered around an operating system called ScreenOS, which powers only a subset of products sold by Juniper, including the NetScreen line. Juniper's other products, which include high-volume Internet routers, run a different operating system called JUNOS. The possibility of links between the security holes and the intelligence agencies is particularly important given an ongoing debate in the U.S. and the U.K. over whether governments should have backdoors allowing access to encrypted data.
Cryptographers and security researchers have raised the possibility that one of the newly discovered Juniper vulnerabilities stemmed from an encryption backdoor engineered by the NSA and co-opted by someone else. Meanwhile, U.S. officials are reviewing <http://www.nytimes.com/reuters/2015/12/21/technology/21reuters-juniper-networks-cyberattack-cisco-systems.html> how the Juniper hacks could affect their own networks, putting them in the awkward position of scrambling to shore up <http://www.cnn.com/2015/12/18/politics/juniper-networks-us-government-security-hack/index.html> their own encryption even as they criticize the growing use of encryption by others.
So, is Juniper liable for this Dual_EC screwup if it's their own code? Is Juniper liable for this Dual_EC screwup if NSA/FBI/FISA issued an NSL to Juniper? Or with all the waivers Congress passed, *no one* is liable?

Time to trot out Dan Geer's comments on software liability:
  http://geer.tinho.net/geer.blackhat.6viii14.txt

- -

Everyone should also be aware of *Certicom's patent application* that talks about a very Juniper-like back door.

  'An elliptic curve random number generator avoids *escrow keys* by choosing a point Q on the elliptic curve as verifiably random.'

  'The relationship between P and Q is used as an *escrow key* and stored by for a security domain'

  https://projectbullrun.org/dual-ec/patent.html

  Pub. No.: US 2007/0189527 A1
  Pub. Date: Aug. 16, 2007
  ELLIPTIC CURVE RANDOM NUMBER GENERATION
  Inventors: Daniel R. L. Brown, Mississauga (CA); Scott A. Vanstone, Campbellville (CA)
  Appl. No.: 11/336,814
  Filed: Jan. 23, 2006
  Related U.S. Application Data: Provisional application No. 60/644,982, filed on Jan. 21, 2005.

  ABSTRACT

  An elliptic curve random number generator avoids *escrow keys* by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which is the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an *escrow key* and stored by for a security domain. The administrator logs the output of the generator to *reconstruct the random number with the escrow key.*
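[Added illustration, not part of the item above and not code from Juniper, Certicom or the contributor: what the patent's "relationship between P and Q" buys whoever holds it. The toy generator below follows the Dual_EC structure (new state = x(s*P), output = x(new state * Q) with its top bits dropped) and the recovery step uses d = e^-1 mod n where Q = e*P. It runs on secp256k1 only because that curve's parameters are public; the real DRBG used NIST P-256 with the NSA-supplied Q and dropped 16 bits per output, whereas TRUNC_BITS = 4 here keeps the brute force cheap in pure Python. ESCROW_E and the demo seed are constructed values. PGN-style note: example added for this page.]

```python
"""Toy Dual_EC_DRBG-style generator: the relationship Q = e*P is the escrow key.

Added example, not code from the RISKS item, Juniper, or the Certicom patent.
Runs on secp256k1 because its parameters are public; the real Dual_EC_DRBG
used NIST P-256 with the NSA-supplied Q and dropped 16 bits of each output,
whereas TRUNC_BITS = 4 here keeps the brute force fast in pure Python.
ESCROW_E and the demo seed are constructed values for this page.
"""
import hashlib

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P_MOD), base point G of prime order N
P_MOD = 2**256 - 2**32 - 977
B = 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

TRUNC_BITS = 4                          # the real Dual_EC drops 16 of 256 bits
OUT_MASK = (1 << (256 - TRUNC_BITS)) - 1

ESCROW_E = 0xC0FFEE1234567890ABCDEF     # constructed: Q = ESCROW_E * P
ESCROW_D = pow(ESCROW_E, -1, N)         # what the escrow holder keeps: d = e^-1 mod N


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a point with x-coordinate x, or None if no such point exists.
    The square root by exponentiation is valid because P_MOD = 3 (mod 4)."""
    if x >= P_MOD:
        return None
    rhs = (pow(x, 3, P_MOD) + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def dual_ec_step(state, P, Q):
    """One Dual_EC step: s_{i+1} = x(s_i * P); output r_i = x(s_{i+1} * Q) minus its top bits."""
    new_state = ec_mul(state, P)[0]
    return new_state, ec_mul(new_state, Q)[0] & OUT_MASK


def recover_state(out1, out2, Q, d):
    """Escrow attack: given two consecutive outputs and d = e^-1 mod N,
    recover the internal state that produced out2 (None if nothing fits)."""
    for hi in range(1 << TRUNC_BITS):                 # guess the dropped top bits
        R = lift_x((hi << (256 - TRUNC_BITS)) | out1)
        if R is None:
            continue                                  # candidate x is not on the curve
        # R = +-s1*Q, hence d*R = +-s1*e*d*P = +-s1*P, and x() ignores the sign
        s2 = ec_mul(d, R)[0]
        if ec_mul(s2, Q)[0] & OUT_MASK == out2:       # confirm against the next output
            return s2
    return None


def demo(seed=int.from_bytes(hashlib.sha256(b"constructed demo seed").digest(), "big")):
    """Draw three outputs, recover the state from the first two, predict the third."""
    P = G
    Q = ec_mul(ESCROW_E, P)        # 'verifiably random' only to those without e
    state, states, outputs = seed % N, [], []
    for _ in range(3):
        state, out = dual_ec_step(state, P, Q)
        states.append(state)
        outputs.append(out)
    recovered = recover_state(outputs[0], outputs[1], Q, ESCROW_D)
    return {
        "state_after_out2": states[1],
        "recovered": recovered,
        "actual_out3": outputs[2],
        "predicted_out3": dual_ec_step(recovered, P, Q)[1] if recovered is not None else None,
    }


if __name__ == "__main__":
    result = demo()
    print("escrow holder recovered the state:", result["recovered"] == result["state_after_out2"])
    print("and predicted the next output:    ", result["predicted_out3"] == result["actual_out3"])
```

The point of the demo is that nothing about the output stream is weak to someone who does not know e: the escrow is entirely in who chose Q. Anyone who can substitute their own Q in a deployed generator inherits that escrow, which is why the choice of Q, and not just the algorithm, had to be trusted.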
FYI: It's not clear what happens if the company doesn't *have* any keys -- i.e., they are only in the hands of the end-user.

  "This latest move is one that will be viewed very suspiciously by foreign companies operating within China, or looking to do so."

Mark Wilson, BetaNews, 27 Dec 2015
http://betanews.com/2015/12/27/china-passes-law-requiring-tech-firms-to-hand-over-encryption-keys/

Apple may have said that it opposes the idea of weakening encryption and providing governments with backdoors into products, but things are rather different in China. The Chinese parliament has just passed a law that requires technology companies to comply with government requests for information, including handing over encryption keys.
  http://betanews.com/2015/12/22/apple-wants-the-uk-government-to-rein-in-snoopers-charter/
  http://betanews.com/2015/11/11/apples-tim-cook-on-weakening-encryption-any-backdoor-is-a-backdoor-for-everyone/

Under the guise of counter-terrorism, the controversial law is the Chinese government's attempt to curtail the activities of militants and political activists. China already faces criticism from around the world not only for the infamous Great Firewall of China, but also the blatant online surveillance and censorship that takes place. This latest move is one that will be viewed very suspiciously by foreign companies operating within China, or looking to do so. China's infringement of freedom of speech and the hard line it takes on those opposing the government is well-recorded. While the government insists that there will be no requirement for companies to install backdoors, the country has already earned itself a reputation that is going to be very difficult to shake off. The deputy head of the Chinese parliament's criminal law division tried to play down the controversy surrounding the new law.

Li Shouwei said: "This rule accords with the actual work need of fighting terrorism and is basically the same as what other major countries in the world do."
  http://www.reuters.com/article/us-china-security-idUSKBN0UA07220151227

As well as granting new powers within China's borders, the new law also permits overseas action by the People's Liberation Army, something which will be eyed with suspicion and likely opposed by foreign nations. There is also a provision, as reported by Reuters, that "media and social media cannot report on details of terror activities that might lead to imitation, nor show scenes that are 'cruel and inhuman'", something else which will bring about accusations of standing in the way of free speech.

[The law that actually passed is slightly different. See this item. PGN]
  http://www.wsj.com/article_email/china-antiterror-law-doesnt-require-encryption-code-handovers-1451270383-lMyQjAxMTE1NDI3ODAyMTgyWj

http://www.huffingtonpost.com/entry/china-anti-terror-law-encryption_56801192e4b014efe0d86ed0

Li Shouwei, a government spokesman, told Reuters that companies won't have to fear any backdoors (entryways that bypass a traditional security mechanism) into their products and services. But a draft of the legislation that the International Association of Privacy Professionals analyzed in March shows that's untrue: China's new law requires Internet service providers and telecommunications providers to install government-accessible backdoors and provide encryption keys for any data stored on their servers. Shouwei also told Reuters that China was "simply doing what other major nations already do in asking technology firms to help fight terror." He cited Western nations' actions as justification, Reuters reported. Although US leaders have condemned China's laws, they are engaging in the same rhetoric of national security stateside, suggesting that technology companies find a magical way to create secure backdoors through a Manhattan-like project despite technologists and experts resolutely telling politicians that to do so is to mandate insecurity.
https://www.ksl.com/?nid=1&sid=7912384&title=dangerous-helicopter-bird-strikes-on-the-rise-faa-warns

Reports of helicopter bird strikes are up dramatically in recent years, including incidents, like the one in Dallas, that damage the aircraft and create the potential for crashes, according to the Federal Aviation Administration. In 2013, there were 204 reported helicopter bird strikes, a 68 percent increase from 2009 when there were 121 reports and an increase of over 700 percent since the early 2000s, said Gary Roach, an FAA helicopter safety engineer.

In response, the FAA has announced that all birds must register online and pay $5 via credit card every three years.
The charges against Alonzo Knowles illustrate the ease with which private email contacts, even for security-conscious entertainers, can be exploited. http://www.nytimes.com/2015/12/23/nyregion/us-says-hacker-stole-ids-and-unreleased-scripts-from-host-of-celebrities.html
[Paragraphs which start with "GW:" are by me; the others are by Mr. Auerbach.]

GW: Mr. Auerbach referred to the following article:
  http://www.mercurynews.com/news/ci_29245938/university-of-california-pressured-to-count-computer-science-toward-high-school-math-requirement

Apparently the University of California is being pushed to count high-school computer science courses taken by applying students as if those were mathematics or science courses. This disturbs me for several reasons. First is that I have only on occasion found computer science to be a substitute for the kind of intellectual discipline of any of the hard sciences.

GW: As have I. In 2010, I graduated from Thompson Rivers University (TRU) with a Bachelor of Computing Science degree.

GW: I worked with a few students who were math students double majoring in computing science. (Call them MCs.) They were not, and I am not aware of any who were, computing science students double majoring in math. (Call these hypothetical students CMs.) The distinction is important.

GW: In fact, I am unaware of any computing-science-major-only student (CSMO) taking any more than the bare requirement of math courses (two) with one exception: me. I minored in math. I was told by the computing science chair that I was the only CSMO to ever do so.

GW: I found that CSMOs avoided math like the plague.

Second is that what is being called `computer science' at the high school level is typically simple programming. There is no doubt that it would be useful if everyone coming out of high school had at least a thin knowledge of what programming is.

GW: It was also true at TRU. Courses that were coding and very close were the ones of interest. A special topics course on professionality in the computing field was canceled due to lack of interest. I would have liked to have taken that course. I wanted to take a course in computation theory. There were supposedly three courses on the books for it, but only one had ever been taught and that one only once. I ended up doing it as independent study through the math department.

GW: I snipped the remainder of Mr. Auerbach's comments. In short, I agree that there is too much emphasis on tools and not enough on the higher levels.
(https://www.newscientist.com/article/mg22830512-600-super-literate-software-reads-and-comprehends-better-than-humans/) This article [noted in the previous RISKS issue] concludes with: There are still some issues to overcome, however, such as dealing with text in unusual formats. For example, names are particularly important to the Declassification Engine, and the system relies on the capital letters at the start of names to find them. But the cables come in all capitals, a relic of the Telex system that conveyed them around the planet. Rambow is confident he can get over the hurdle. "I hope that in the next month or two the humming will start," he says. Is anyone else skeptical of the humming timeline?
> Grub2 bootloader's password protection and allow a hacker to install
> malware on a locked-down Linux system

Two minor points:

One: The break-in requires physical access. Once you have that, you can own the Desktop/Server/Device using several methods.

Two: Not new, and IIRC fixed some time back.
What one would want is separate performance figures for false positives and false negatives. Those are mostly not identical, and might actually be very different. One would hope that the false positive (accusing somebody of lying, when actually truthful) rate is significantly lower than the false negative (not detecting a liar) rate in this case.
Large mail services have been managing sender reputation this way for the better part of a decade. The hack to report competitors' mail as spam, and the reverse, to report your own cruddy mail as not-spam, are well known, and mail providers have ways to detect and deal with them, although for obvious reasons they don't publish the details. Mailers who grouse about their wonderful mail getting blocked this way invariably turn out to be sending "greymail": it's not exactly spam, but the recipients care whether they get it. If real users missed it, they would be complaining or at least marking it as not-spam. And if a mailer can't detect and block bulk signups by competitors, well, sheesh.

Incidentally, sometimes a free service is worth what you pay for it, although in this case it seems to be working as designed.
> Robot cars, of today, know the rules of the road, but not the psychology
> of other participants on the highways.

Perhaps the people who write for Analog don't read the *Wall Street Journal*. This article appeared in September:

  Google Inc. designed its self-driving cars to follow the rules of the road. Now it's teaching them to drive like people, by cutting corners, edging into intersections and crossing double-yellow lines. ...
  http://www.wsj.com/articles/google-tries-to-make-its-cars-drive-more-like-humans-1443463523