Landing : Athabascau University

Juniper Networks backdoor confirmed, password revealed, NSA suspected

http://boingboing.net/2015/12/21/juniper-networks-backdoor-conf.html

Yet another reason to be deeply concerned about privacy. The NSA or some other agency has embedded a backdoor into the firewalls that 'protect' a great many organizations, allowing them (and now the whole world) to decrypt supposedly private communications, virtually undetectably and at will.

This kind of vulnerability might affect any closed-source product, but it is particularly worrying when it exists at such a crucial node in the network infrastructure. AU's own VPN has been moving across to Juniper's Junos Pulse over the past month or two, and AU has been increasingly shifting to closed-source, proprietary products from US companies (and, in the case of email and webinars, using services that are actually based in the US). This is a truly terrible idea. Open source products are not invulnerable to such manipulation, but the chances of finding flaws are at least thousands of times greater than in closed-source products like this, and it is possible for individuals to fix them, no matter how old the product. Given other open-source advantages like vendor-independence, control, capacity to be altruistic, and innate flexibility, it is hard to understand why anyone would entrust their network infrastructure to a proprietary, closed-source company.

Comments

  • Richard Huntrods December 21, 2015 - 12:17pm

    One comment about anyone putting backdoors into products is that they don't just allow the intended persons access, they also create a significant weakness in any security the product might have had.

    It is almost a guarantee now that if some agency has built a backdoor into a product (as with Juniper in this case), the black hats have already found and exploited it.

    Sadly, it was probably hacked within minutes of the product release.

    Backdoors are TERRIBLE things. Proprietary software is in many ways worse, because the probability of the company secretly putting a backdoor into the product has pretty much reached "1.0" in the past few years.

  • Viorel Tabara December 22, 2015 - 12:56am

    This is bad news, although nothing surprising. I do applaud though that Juniper released the advisory. It comes at an interesting time, as I was just looking at how the GnuPG fundraising campaign was doing. And that was a really pleasant surprise :) It was in 1997 when Richard Stallman "urged the crowd to write their own version of PGP," according to the ProPublica article. To add some facts on security when it comes to closed vs proprietary: according to SECPOINT, the top 2 most secure operating systems are OpenBSD followed by Linux, and in 3rd place the BSD-based OSX.

  • Jon Dron December 24, 2015 - 5:14pm

    Not surprisingly, the back door was at least known to both NSA and GCHQ for several years - http://flip.it/wVQ5C - crazy that we should trust proprietary systems like this.