The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 19

Monday 28 December 2015

Contents

"Listen up, FBI: Juniper code shows the problem with backdoors"
Fahmida Rashid
NSA Helped British Spies Find Security Holes In Juniper Firewalls
Gallagher and Greenwald
More on Juniper backdoor
Henry Baker
China passes law requiring tech firms to hand over encryption keys
Mark Wilson via Henry Baker
China's New Big Brother Law Is A Clone Of The West's Bad Ideas
HuffPo
Dangerous helicopter bird strikes on the rise, FAA warns
KSL via LW
Techno-skeptics objection growing louder
WashPo
U.S. Says Hacker Stole IDs and Unreleased Scripts From Host of Celebrities
NYTimes
Re: Reply by Karl Auerbach to The Moral Failure of Computer Scientists
Gene Wirchenko
Re: Super-literate software reads and comprehends better than humans
Gene Wirchenko
Re: Vulnerability in popular bootloader puts locked-down Linux, computers at risk
Mike Rechtman
Re: Lie-detecting Software uses Machine Learning to Achieve 75% accuracy
Erling Kristiansen
Re: Hotmail and how not to block spam
John Levine
Re: Driverless Cars
John Levine
Info on RISKS (comp.risks)

"Listen up, FBI: Juniper code shows the problem with backdoors" (Fahmida Rashid)

Gene Wirchenko <genew@telus.net>
Thu, 24 Dec 2015 10:50:47 -0800
Fahmida Y. Rashid, InfoWorld, 23 Dec 2015
FBI director James Comey should be taking notes: The Juniper debacle
shows why security experts are up in arms over government-ordered backdoors
http://www.infoworld.com/article/3018029/virtual-private-network/listen-up-fbi-juniper-code-shows-the-problem-with-backdoors.html

opening text:

Government officials keep asking technology companies to put encryption
backdoors in their products. But the saga of the Juniper VPN backdoor is an
object lesson on how attackers can use this avenue for nefarious purposes.

Last week, Juniper Networks announced that during a routine internal audit,
it had found unauthorized code in ScreenOS, the operating system used in
products including firewalls and VPN gateways. The spying code would allow
someone monitoring VPN traffic flowing through NetScreen to decrypt the
traffic and monitor all communications. A second vulnerability provides
attackers with administrator access to NetScreen devices via a hard-coded
master password. Security researchers believe a backdoor was already present
in Juniper's code, and unknown attackers simply took advantage of it.


NSA Helped British Spies Find Security Holes In Juniper Firewalls (Gallagher and Greenwald)

Dewayne Hendricks <dewayne@warpspeed.com>
Thursday, December 24, 2015
Ryan Gallagher and Glenn Greenwald, The Intercept, 23 Dec 2015
https://theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq/

<https://www.documentcloud.org/documents/2653542-Juniper-Opportunity-Assessment-03FEB11-Redacted.html> *A TOP-SECRET* document dated February 2011
reveals that British spy agency GCHQ, with the knowledge and apparent
cooperation of the NSA, acquired the capability to covertly exploit security
vulnerabilities in 13 different models of firewalls made by Juniper
Networks, a leading provider of networking and Internet security gear.

The six-page document, titled *Assessment of Intelligence Opportunity
Juniper*, raises questions about whether the intelligence agencies were
responsible for or culpable in the creation of security holes disclosed
<https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554>
by Juniper last week. While it does not establish a certain link between
GCHQ, NSA, and the Juniper hacks, it does make clear that, like the
unidentified parties behind those hacks, the agencies found ways to
penetrate the NetScreen line of security products, which help companies
create online firewalls and virtual private networks, or VPNs. It further
indicates that, also like the hackers, GCHQ's capabilities clustered around
an operating system called ScreenOS, which powers only a subset of products
sold by Juniper, including the NetScreen line. Juniper's other products,
which include high-volume Internet routers, run a different operating system
called JUNOS.

The possibility of links between the security holes and the intelligence
agencies is particularly important given an ongoing debate in the U.S. and
the U.K. over whether governments should have backdoors allowing access to
encrypted data. Cryptographers and security researchers have raised the
possibility that one of the newly discovered Juniper vulnerabilities stemmed
from an encryption backdoor engineered by the NSA and co-opted by someone
else. Meanwhile, U.S. officials are reviewing
<http://www.nytimes.com/reuters/2015/12/21/technology/21reuters-juniper-networks-cyberattack-cisco-systems.html>
how the Juniper hacks could affect their own networks, putting them in the
awkward position of scrambling to shore up
<http://www.cnn.com/2015/12/18/politics/juniper-networks-us-government-security-hack/index.html>
their own encryption even as they criticize the growing use of encryption by
others.


More on Juniper backdoor

Henry Baker <hbaker1@pipeline.com>
Thu, 24 Dec 2015 16:38:47 -0800
So, is Juniper liable for this Dual_EC screwup if it's their own code ?

Is Juniper liable for this Dual_EC screwup if NSA/FBI/FISA issued an NSL to
Juniper ?

Or with all the waivers Congress passed, *no one* is liable ?

Time to trot out Dan Geer's comments on software liability:

http://geer.tinho.net/geer.blackhat.6viii14.txt

 - -

Everyone should also be aware of *Certicom's patent application*
that talks about a very Juniper-like back door.

'An elliptic curve random number generator avoids *escrow keys* by
choosing a point Q on the elliptic curve as verifiably random.'

'The relationship between P and Q is used as an *escrow key* and
stored by for a security domain'

https://projectbullrun.org/dual-ec/patent.html

Pub. No.: US 2007/0189527 Al

Pub. Date: Aug. 16, 2007

ELLIPTIC CURVE RANDOM NUMBER GENERATION

Inventors: Daniel R. L. Brown, Mississauga (CA); Scott A. Vanstone, Campbellville (CA)

Appl. No.: 11/336,814

Filed: Jan. 23, 2006

Related U.S. Application Data

Provisional application No. 60/644,982, filed on Jan. 21, 2005.

Publication Classification

ABSTRACT

An elliptic curve random number generator avoids *escrow keys* by
choosing a point Q on the elliptic curve as verifiably random.  An
arbitrary string is chosen and a hash of that string computed.  The
hash is then converted to a field element of the desired field, the
field element regarded as the x-coordinate of a point Q on the
elliptic curve and the x-coordinate is tested for validity on the
desired elliptic curve.  If valid, the x-coordinate is decompressed to
the point Q, wherein the choice of which is the two points is also
derived from the hash value.  Intentional use of escrow keys can
provide for back up functionality.  The relationship between P and Q
is used as an *escrow key* and stored by for a security domain.  The
administrator logs the output of the generator to *reconstruct the
random number with the escrow key.*


China passes law requiring tech firms to hand over encryption keys

Henry Baker <hbaker1@pipeline.com>
Sun, 27 Dec 2015 15:43:04 -0800
FYI—It's not clear what happens if the company doesn't *have* any keys --
i.e., they are only in the hands of the end-user.

"This latest move is one that will be view very suspiciously by foreign
companies operating within China, or looking to do so."

http://betanews.com/2015/12/27/china-passes-law-requiring-tech-firms-to-hand-over-encryption-keys/

Mark Wilson, BetaNews, 27 Dec 2015

Apple may have said that it opposes the idea of weakening encryption and
providing governments with backdoors into products, but things are rather
different in China.  The Chinese parliament has just passed a law that
requires technology companies to comply with government requests for
information, including handing over encryption keys.

http://betanews.com/2015/12/22/apple-wants-the-uk-government-to-rein-in-snoopers-charter/

http://betanews.com/2015/11/11/apples-tim-cook-on-weakening-encryption-any-backdoor-is-a-backdoor-for-everyone/

Under the guise of counter-terrorism, the controversial law is the Chinese
government's attempt to curtail the activities of militants and political
activists.  China already faces criticism from around the world not only for
the infamous Great Firewall of China, but also the blatant online
surveillance and censorship that takes place.  This latest move is one that
will be view very suspiciously by foreign companies operating within China,
or looking to do so.

China's infringement of freedom of speech and the hard line it takes on
those opposing the government is well-recorded.  While the government
insists that there will be no requirement for companies to install
backdoors, the country has already earned itself a reputation that is going
to be very difficult to shake off.

The deputy head of the Chinese parliament's criminal law division tried to
play down the controversy surrounding the new law.  Li Shouwei said:

http://www.reuters.com/article/us-china-security-idUSKBN0UA07220151227

"This rule accords with the actual work need of fighting terrorism and is
basically the same as what other major countries in the world do."

As well as granting new powers within China's borders, the new law also
permits overseas action by the People's Liberation Army—something which
will be eyed with suspicion and likely opposed by for foreign nations.
There is also a provision, as reported by Reuters, that "media and social
media cannot report on details of terror activities that might lead to
imitation, nor show scenes that are 'cruel and inhuman' "—something else
which will bring about accusation of standing in the way of free speech.

http://www.reuters.com/article/us-china-security-idUSKBN0UA07220151227

  [The law that actually passed is slightly different.  See this item.  PGN]
http://www.wsj.com/article_email/china-antiterror-law-doesnt-require-encryption-code-handovers-1451270383-lMyQjAxMTE1NDI3ODAyMTgyWj


China's New Big Brother Law Is A Clone Of The West's Bad Ideas (HuffPo)

Lauren Weinstein <lauren@vortex.com>
Sun, 27 Dec 2015 11:04:13 -0800
http://www.huffingtonpost.com/entry/china-anti-terror-law-encryption_56801192e4b014efe0d86ed0

  Li Shouwei, a government spokesman, told Reuters that companies won't have
  to fear any backdoors—entryways that bypass a traditional security
  mechanism—into their products and services. But a draft of the
  legislation that the International Association of Privacy Professionals
  analyzed in March shows that's untrue: China's new law requires Internet
  service providers and telecommunications providers to install
  government-accessible backdoors and provide encryption keys for any data
  stored on their servers. Shouwei also told Reuters that China was "simply
  doing what other major nations already do in asking technology firms to
  help fight terror." He cited Western nations' actions as justification,
  Reuters reported. Although US leaders have condemned China's laws, they
  are engaging in the same rhetoric of national security stateside,
  suggesting that technology companies find a magical way to create secure
  backdoors through a Manhattan-like project despite technologists and
  experts resolutely telling politicians that to do so is to mandate
  insecurity.


Dangerous helicopter bird strikes on the rise, FAA warns

Lauren Weinstein <lauren@vortex.com>
Sun, 27 Dec 2015 09:13:52 -0800
https://www.ksl.com/?nid1&sid7912384&title┌ngerous-helicopter-bird-strikes-on-the-rise-faa-warns

  Reports of helicopter bird strikes are up dramatically in recent years,
  including incidents, like the one in Dallas, that damage the aircraft and
  create the potential for crashes, according to the Federal Aviation
  Administration. In 2013, there were 204 reported helicopter bird strikes,
  a 68 percent increase from 2009 when there were 121 reports and an
  increase of over 700 percent since the early 2000s, said Gary Roach, an
  FAA helicopter safety engineer.

In response, the FAA has announced that all birds must register online
and pay $5 via credit card every three years.


Techno-skeptics objection growing louder (The Washington Post)

"Dave Farber" <farber@gmail.com>
Sun, 27 Dec 2015 10:39:53 -0500
https://www.washingtonpost.com/classic-apps/techno-skeptics-objection-growing-louder/2015/12/26/e83cf658-617a-11e5-8e9e-dce8a2a2a679_story.html


U.S. Says Hacker Stole IDs and Unreleased Scripts From Host of Celebrities (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 27 Dec 2015 00:02:01 -0500
The charges against Alonzo Knowles illustrate the ease with which private
email contacts, even for security-conscious entertainers, can be exploited.
http://www.nytimes.com/2015/12/23/nyregion/us-says-hacker-stole-ids-and-unreleased-scripts-from-host-of-celebrities.html


Re: Reply by Karl Auerbach to The Moral Failure of Computer Scientists (RISKS-29.18)

Gene Wirchenko <genew@telus.net>
Thu, 24 Dec 2015 18:58:30 -0800
  [Paragraphs which start with "GW:" are by me; the others are by
  Mr. Auerbach.]

GW:  Mr. Auerbach referred to the following article:
http://www.mercurynews.com/news/ci_29245938/university-of-california-pressured-to-count-computer-science-toward-high-school-math-requirement

Apparently the University of California is being pushed to count high-school
computer science courses taken by applying students as if those were
mathematics or science courses.

This disturbs me for several reasons.

First is that I have only on occasion found computer science to be a
substitute for the kind of intellectual disciple any of the hard sciences.

GW: As have I.  In 2010, I graduated from Thompson Rivers University (TRU)
with a Bachelor of Computing Science degree.

GW: I worked with a few students who were math students double majoring in
computing science.  (Call them MCs.)  They were not, and I am not aware of
any who were, computing science students double majoring in math.  (Call
these hypothetical students CMs.)  The distinction is important.

GW: In fact, I am unaware of any computing-science-major-only student (CSMO)
taking any more than the bare requirement of math courses (two) with one
exception: me.  I minored in math.  I was told by the computing science
chair that I was the only CSMO to ever do so.

GW: I found that CSMOs avoided math like the plague.

Second is that what is being called `computer science' at the high school
level is typically simple programming.  There is no doubt that it would be
useful if everyone coming out of high school had at least a thin knowledge
of what programming is.

GW: It was also true at TRU.  Courses that were coding and very close were
the ones of interest.  A special topics course on professionality in the
computing field was canceled due to lack of interest.  I would have liked
to have taken that course.  I wanted to take a course in computation theory.
There were supposedly three courses on the books for it, but only one had
ever been taught and that one only once.  I ended doing it as independent
study through the math department.

GW: I snipped the remainder of Mr. Auerbach's comments.  In short, I agree
that there is too much emphasis on tools and not enough on the higher
levels.


Re: Super-literate software reads and comprehends better than humans (RISKS-29.18)

Gene Wirchenko <genew@telus.net>
Thu, 24 Dec 2015 19:53:00 -0800
(https://www.newscientist.com/article/mg22830512-600-super-literate-software-reads-and-comprehends-better-than-humans/)
This article [noted in the previous RISKS issue] concludes with:

  There are still some issues to overcome, however, such as dealing with
  text in unusual formats. For example, names are particularly important to
  the Declassification Engine, and the system relies on the capital letters
  at the start of names to find them. But the cables come in all capitals, a
  relic of the Telex system that conveyed them around the planet. Rambow is
  confident he can get over the hurdle. "I hope that in the next month or
  two the humming will start," he says.

Is anyone else skeptical of the humming timeline?


Re: Vulnerability in popular bootloader puts locked-down Linux, computers at risk (Constantin, RISKS-29.18)

Mike Rechtman <mike@rechtman.com>
Fri, 25 Dec 2015 05:59:10 +0200
> Grub2 bootloader's password protection and allow a hacker to install
> malware on a locked-down Linux system

Two minor points:
  One: The breakin require physical access. Once you have that, you
    can own the Desktop/Server/Device using several methods.
  Two:┬  Not new, and IIRC fixed some time back.


Re: Lie-detecting Software uses Machine Learning to Achieve 75% accuracy (RISKS-29.18)

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Fri, 25 Dec 2015 17:41:07 +0100
What one would want is separate performance figures for false positives and
false negatives. Those are mostly not identical, and might actually be very
different.

One would hope that the false positive (accusing somebody of lying, when
actually truthful) rate is significantly lower than the false negative (not
detecting a liar) rate in this case.


Re: Hotmail and how not to block spam (RISKS-29.18)

"John Levine" <johnl@iecc.com>
24 Dec 2015 23:56:58 -0000
Large mail services have been managing sender reputation this way for the
better part of a decade.  The hack to report competitors' mail as spam, and
the reverse, to report your own cruddy mail as not-spam, are well known, and
mail providers have ways to detect and deal with them, although for obvious
reasons they don't publish the details.

Mailers who grouse about their wonderful mail getting blocked this way
invariably turn out to be sending "greymail", it's not exactly spam, but the
recipients care whether they get it.  If real users missed it, they would be
complaining or at least marking it as not-spam.  And if a mailer can't
detect and block bulk signups by competitors, well, sheesh.

(Incidentally,) Sometimes a free service is worth what you pay for it,
although in this case it seems to be working as designed.


Re: Driverless Cars (Analog)

"John Levine" <johnl@iecc.com>
24 Dec 2015 23:43:47 -0000
> Robot cars, of today, know the rules of the road, but not the psychology
> of other participants on the highways.

Perhaps the people who write for Analog don't read the *Wall Street Journal*.
This article appeared in September:

  Google Inc. designed its self-driving cars to follow the rules of the
  road. Now it's teaching them to drive like people, by cutting corners,
  edging into intersections and crossing double-yellow lines. ...

http://www.wsj.com/articles/google-tries-to-make-its-cars-drive-more-like-humans-1443463523

Please report problems with the web pages to the maintainer

Top