Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Fahmida Y. Rashid, InfoWorld, 23 Dec 2015 FBI director James Comey should be taking notes: The Juniper debacle shows why security experts are up in arms over government-ordered backdoors http://www.infoworld.com/article/3018029/virtual-private-network/listen-up-fbi-juniper-code-shows-the-problem-with-backdoors.html opening text: Government officials keep asking technology companies to put encryption backdoors in their products. But the saga of the Juniper VPN backdoor is an object lesson on how attackers can use this avenue for nefarious purposes. Last week, Juniper Networks announced that during a routine internal audit, it had found unauthorized code in ScreenOS, the operating system used in products including firewalls and VPN gateways. The spying code would allow someone monitoring VPN traffic flowing through NetScreen to decrypt the traffic and monitor all communications. A second vulnerability provides attackers with administrator access to NetScreen devices via a hard-coded master password. Security researchers believe a backdoor was already present in Juniper's code, and unknown attackers simply took advantage of it.
Ryan Gallagher and Glenn Greenwald, The Intercept, 23 Dec 2015 https://theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq/ <https://www.documentcloud.org/documents/2653542-Juniper-Opportunity-Assessment-03FEB11-Redacted.html> *A TOP-SECRET* document dated February 2011 reveals that British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks, a leading provider of networking and Internet security gear. The six-page document, titled *Assessment of Intelligence Opportunity Juniper*, raises questions about whether the intelligence agencies were responsible for or culpable in the creation of security holes disclosed <https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554> by Juniper last week. While it does not establish a certain link between GCHQ, NSA, and the Juniper hacks, it does make clear that, like the unidentified parties behind those hacks, the agencies found ways to penetrate the NetScreen line of security products, which help companies create online firewalls and virtual private networks, or VPNs. It further indicates that, also like the hackers, GCHQ's capabilities clustered around an operating system called ScreenOS, which powers only a subset of products sold by Juniper, including the NetScreen line. Juniper's other products, which include high-volume Internet routers, run a different operating system called JUNOS. The possibility of links between the security holes and the intelligence agencies is particularly important given an ongoing debate in the U.S. and the U.K. over whether governments should have backdoors allowing access to encrypted data. Cryptographers and security researchers have raised the possibility that one of the newly discovered Juniper vulnerabilities stemmed from an encryption backdoor engineered by the NSA and co-opted by someone else. Meanwhile, U.S. officials are reviewing <http://www.nytimes.com/reuters/2015/12/21/technology/21reuters-juniper-networks-cyberattack-cisco-systems.html> how the Juniper hacks could affect their own networks, putting them in the awkward position of scrambling to shore up <http://www.cnn.com/2015/12/18/politics/juniper-networks-us-government-security-hack/index.html> their own encryption even as they criticize the growing use of encryption by others.
So, is Juniper liable for this Dual_EC screwup if it's their own code ? Is Juniper liable for this Dual_EC screwup if NSA/FBI/FISA issued an NSL to Juniper ? Or with all the waivers Congress passed, *no one* is liable ? Time to trot out Dan Geer's comments on software liability: http://geer.tinho.net/geer.blackhat.6viii14.txt - - Everyone should also be aware of *Certicom's patent application* that talks about a very Juniper-like back door. 'An elliptic curve random number generator avoids *escrow keys* by choosing a point Q on the elliptic curve as verifiably random.' 'The relationship between P and Q is used as an *escrow key* and stored by for a security domain' https://projectbullrun.org/dual-ec/patent.html Pub. No.: US 2007/0189527 Al Pub. Date: Aug. 16, 2007 ELLIPTIC CURVE RANDOM NUMBER GENERATION Inventors: Daniel R. L. Brown, Mississauga (CA); Scott A. Vanstone, Campbellville (CA) Appl. No.: 11/336,814 Filed: Jan. 23, 2006 Related U.S. Application Data Provisional application No. 60/644,982, filed on Jan. 21, 2005. Publication Classification ABSTRACT An elliptic curve random number generator avoids *escrow keys* by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which is the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an *escrow key* and stored by for a security domain. The administrator logs the output of the generator to *reconstruct the random number with the escrow key.*
FYI—It's not clear what happens if the company doesn't *have* any keys -- i.e., they are only in the hands of the end-user. "This latest move is one that will be view very suspiciously by foreign companies operating within China, or looking to do so." http://betanews.com/2015/12/27/china-passes-law-requiring-tech-firms-to-hand-over-encryption-keys/ Mark Wilson, BetaNews, 27 Dec 2015 Apple may have said that it opposes the idea of weakening encryption and providing governments with backdoors into products, but things are rather different in China. The Chinese parliament has just passed a law that requires technology companies to comply with government requests for information, including handing over encryption keys. http://betanews.com/2015/12/22/apple-wants-the-uk-government-to-rein-in-snoopers-charter/ http://betanews.com/2015/11/11/apples-tim-cook-on-weakening-encryption-any-backdoor-is-a-backdoor-for-everyone/ Under the guise of counter-terrorism, the controversial law is the Chinese government's attempt to curtail the activities of militants and political activists. China already faces criticism from around the world not only for the infamous Great Firewall of China, but also the blatant online surveillance and censorship that takes place. This latest move is one that will be view very suspiciously by foreign companies operating within China, or looking to do so. China's infringement of freedom of speech and the hard line it takes on those opposing the government is well-recorded. While the government insists that there will be no requirement for companies to install backdoors, the country has already earned itself a reputation that is going to be very difficult to shake off. The deputy head of the Chinese parliament's criminal law division tried to play down the controversy surrounding the new law. Li Shouwei said: http://www.reuters.com/article/us-china-security-idUSKBN0UA07220151227 "This rule accords with the actual work need of fighting terrorism and is basically the same as what other major countries in the world do." As well as granting new powers within China's borders, the new law also permits overseas action by the People's Liberation Army—something which will be eyed with suspicion and likely opposed by for foreign nations. There is also a provision, as reported by Reuters, that "media and social media cannot report on details of terror activities that might lead to imitation, nor show scenes that are 'cruel and inhuman' "—something else which will bring about accusation of standing in the way of free speech. http://www.reuters.com/article/us-china-security-idUSKBN0UA07220151227 [The law that actually passed is slightly different. See this item. PGN] http://www.wsj.com/article_email/china-antiterror-law-doesnt-require-encryption-code-handovers-1451270383-lMyQjAxMTE1NDI3ODAyMTgyWj
http://www.huffingtonpost.com/entry/china-anti-terror-law-encryption_56801192e4b014efe0d86ed0 Li Shouwei, a government spokesman, told Reuters that companies won't have to fear any backdoors—entryways that bypass a traditional security mechanism—into their products and services. But a draft of the legislation that the International Association of Privacy Professionals analyzed in March shows that's untrue: China's new law requires Internet service providers and telecommunications providers to install government-accessible backdoors and provide encryption keys for any data stored on their servers. Shouwei also told Reuters that China was "simply doing what other major nations already do in asking technology firms to help fight terror." He cited Western nations' actions as justification, Reuters reported. Although US leaders have condemned China's laws, they are engaging in the same rhetoric of national security stateside, suggesting that technology companies find a magical way to create secure backdoors through a Manhattan-like project despite technologists and experts resolutely telling politicians that to do so is to mandate insecurity.