Landing : Athabascau University

Juniper Networks backdoor confirmed, password revealed, NSA suspected

Yet another reason to be deeply concerned for privacy. The NSA or some other agency has embedded a backdoor into the firewalls that 'protect' a great many organizations, allowing them (and now the whole world) to decrypt supposedly private communications, virtually undetectably and at will.

This kind of vulnerability might affect any closed-source product, but it is particularly worrying when it exists at such a crucial node in the network infrastructure. AU's own VPN has been moving across to Juniper's Junos Pulse over the past month or two, and AU has been increasingly shifting to closed-source, proprietary products from US companies (and, in the case of email and webinars, using services that are actually based in the US). This is a truly terrible idea. Open source products are not invulnerable to such manipulation, but the chances of finding flaws are at least thousands of times greater than in closed-source products like this, and it is possible for individuals to fix them, no matter how old the product. Given other open-source advantages like vendor-independence, control, capacity to be altruistic, and innate flexibility, it is hard to understand why anyone would entrust their network infrastructure to a proprietary, closed-source company.


  • One comment about anyone putting backdoors into products is that they don't just allow the intended persons access, they also create a significant weakness in any security the product might have had.

    It is almost a guarantee now that if some agency has built a backdoor into a product (as with Juniper in this case), the black hat's have already found and exploited it.

    Sadly, it was probably hacked within minutes of the product release.

    Backdoors are TERRIBLE things. Proprietary software is in many ways worse, because the probability of the company secretly putting a backdoor into the product has pretty much reached "1.0" in the past few years.

    Richard Huntrods December 21, 2015 - 12:17pm

  • This is bad news, although nothing surprising. I do applaud though that Juniper released the advisory. It comes at an interesting time as I was just looking at how GnuPG fundraising campaign was doing. And that was a really pleasant surprise :) It was in 1997 when Richard Stallman "urged the crowd to write their own version of PGP." according to the ProPublica article. To add some facts on security when it comes to closed vs proprietary according to SECPOINT the top 2 most secure operating systems are OpenBSD followed by Linux and in 3rd place the BSD based OSX.

    Viorel Tabara December 22, 2015 - 12:56am

  • Not surprisingly, the back door was at least known to both NSA and GCHQ for several years - - crazy that we should trust proprietary systems like this.

    Jon Dron December 24, 2015 - 5:14pm

These comments are moderated. Your comment will not be visible unless accepted by the content owner.

Only simple HTML formatting is allowed and any hyperlinks will be stripped away. If you need to include a URL then please simply type it so that users can copy and paste it if needed.