EVERY State and Federal Server Has Been Broken Into!
- Any network with even a single Cisco, or Juniper Networks, device was “wide-open” to “any kid with a keyboard for last ten years”
- Hackers have “run amuck” through corruption records, political kick-back documents, Department of Energy files and background check files
- Agencies warned over eight years ago but refused to remove Cisco and Juniper hardware because of supplier kick-back deals
- Any Chinese hacker could get in “with ease, and very little skill”…
- HUGE implications for 2016 election revelations. Hacked campaign documents already rolling in…
(Mis)Uses of Technology
by Mike Masnick
backdoors, china, cybersecurity, privacy, russia, security
US Gov’t Agencies Freak Out Over Juniper Backdoor; Perhaps They’ll Now Realize Why Backdoors Are A Mistake
from the wishful-thinking dept
Last week, we wrote about how Juniper Networks had uncovered some unauthorized code in its firewall operating system, allowing knowledgeable attackers to get in and decrypt VPN traffic. While the leading suspect still remains the NSA, it’s been interesting to watch various US government agencies totally freak out over their own networks now being exposed:
The FBI is investigating the breach, which involved hackers installing a back door on computer equipment, U.S. officials told CNN. Juniper disclosed the issue Thursday along with an emergency security patch that it urged customers to use to update their systems “with the highest priority.”
The concern, U.S. officials said, is that sophisticated hackers who compromised the equipment could use their access to get into any company or government agency that used it.
One U.S. official described it as akin to “stealing a master key to get into any government building.”
And, yes, this equipment is used all throughout the US government:
Juniper sells computer network equipment and routers to big companies and to U.S. government clients such as the Defense Department, Justice Department, FBI and Treasury Department. On its website, the company boasts of providing networks that “US intelligence agencies require.”
Its routers and network equipment are widely used by corporations, including for secure communications. Homeland Security officials are now trying to determine how many such systems are in use for U.S. government networks.
And, of course, US officials are insisting that it couldn’t possibly be the NSA, but absolutely must be the Russians or the Chinese:
The breach is believed to be the work of a foreign government, U.S. officials said, because of the sophistication involved. The U.S. officials said they are certain U.S. spy agencies themselves aren’t behind the back door. China and Russia are among the top suspected governments, though officials cautioned the investigation hasn’t reached conclusions.
Yeah, sure. Anything’s possible, but the NSA still has to be the leading suspect here, and the insistence that it’s the Chinese or the Russians without more proof seems like a pretty clear attempt at keeping attention off the NSA.
And, of course, all of this is happening at the very same time that the very same US government that is now freaking out about this is trying to force every tech company to install just this kind of backdoor. Because, as always, these technically illiterate bureaucrats still seem to think that you can create backdoors that only “good” people can use.
But that’s not how technology works.
Indeed, now that it’s been revealed that there was a backdoor in this Juniper equipment, it took one security firm all of six hours to figure out the details:
Ronald Prins, founder and CTO of Fox-IT, a Dutch security firm, said the patch released by Juniper provides hints about where the master password backdoor is located in the software. By reverse-engineering the firmware on a Juniper firewall, analysts at his company found the password in just six hours.
“Once you know there is a backdoor there, … the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software,” he told WIRED. “We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor].”
Putting backdoors into technology is a bad idea. Security experts and technologists keep saying this over and over and over and over again — and politicians and law enforcement still don’t seem to get it. And, you can pretty much bet that even though they now have a very real world example of it — in a way that’s impacting their own computer systems — they’ll continue to ignore it. Instead, watch as they blame the Chinese and the Russians and still pretend that somehow, when they mandate backdoors, those backdoors won’t get exploited by those very same Chinese and Russian hackers they’re now claiming were crafty enough to slip code directly into Juniper’s source code without anyone noticing.
Blackberry CEO Gives Public One More Reason To Not Buy Its Phones By Arguing For Greater Law Enforcement Cooperation
from the the-greater-good-is-apparently-whatever-the-government-says-it-is dept
Blackberry’s CEO John Chen feels the company hasn’t hit rock-bottom yet. In a post for the company’s blog, Chen announces that the phone favored by much of The Establishment will continue to support the hopes and dreams of The Establishment.
There will be no “going dark” at Blackberry.
Hillary Clinton Wants A ‘Manhattan Project’ For Encryption… But Not A Back Door. That Makes No Sense
from the politics-is-dumb dept
In the Democratic Presidential debate on Saturday night, Hillary Clinton followed up on her recent nonsensical arguments about why Silicon Valley has to “solve” the problem of encryption. As we’ve noted, it was pretty clear that she didn’t fully understand the issue, and that was even more evident with her comments on Saturday night.
Here’s what’s clear: she’s trying to do the old politician’s trick of attempting to appease everyone with vague ideas that allow her to tap dance around the facts.
First, she proposed a “Manhattan-like project” to create more cooperation between tech companies and the government in fighting terrorism. The Manhattan Project was the project during World War II where a bunch of scientists were sent out to the desert to build an atomic bomb. But they had a specific goal of “build this.” Here, the goal is much more vague and totally meaningless: have tech and government work together to stop bad people. How do you even do that? The only suggestion that has been made so far — and the language around which Clinton has been echoing — has been to undermine encryption with backdoors.
However, since that resulted in a (quite reasonable) backlash from basically anyone who knows anything about computer security, we get the second statement from Clinton that she doesn’t want backdoors.
“Maybe the back door isn’t the right door, and I understand what Apple and others are saying about that. I just think there’s got to be a way, and I would hope that our tech companies would work with government to figure that out.”
No, she clearly does not understand what Apple and others are saying about that. Just a week or so ago, she insisted that Apple’s complaint about it was that it might lead to the government invading users’ privacy, but that’s only a part of the concern. The real concern is that backdooring encryption means that everyone is more exposed to everyone, including malicious hackers. You create a backdoor and you open up the ability for malicious hackers from everywhere else to get in.
So, she’s trying to walk this ridiculously stupid line in trying to appease everyone. She wants the security/intelligence officials to hear “Oh, I’ll get Silicon Valley to deal with the ‘going dark’ thing you’re so scared of,” and she wants the tech world to hear “Backdoors aren’t the answer.” But, that leaves a giant “HUH?!?” in the middle.
It seems to come down to this: None of the candidates for president appear to have the slightest clue how encryption or computer security work and that allows them to make statements like this that are totally nonsensical, while believing that they make sense.
The issue, again, is that what they’re really asking for is “Can you make a technology where only ‘good’ people can use it safely, and everyone else cannot?” And the answer to that question is to point out how absolutely astoundingly stupid the question is. Because there’s no way to objectively determine who is “good” and who is “bad,” and thus the only possible response is to create code that really thinks everyone is “bad.” And to do that, you have to complete