[CVE-2015-7755] Backdoor in Juniper/ScreenOS

• Previous message (by thread): [CVE-2015-7755] Backdoor in Juniper/ScreenOS
• Next message (by thread): [CVE-2015-7755] Backdoor in Juniper/ScreenOS
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Dec 18, 2015 at 8:03 AM, Steven M. Bellovin <smb at cs.columbia.edu> wrote:
> On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:
>
>> On 18 Dec 2015, at 7:28, Dave Taht wrote:
>>
>>> I think "unauthorized code" is still plausible newspeak for "bug".
>>>
>>> Why blame finger foo when you can blame terrorists?
>>
>> It looks like two different holes, one a back door for unauthorized
>> console login and one to somehow leak VPN encryption keys.  There are
>> hints that that latter involved tinkering with certain constants in
>> the crypto (https://twitter.com/matthew_d_green/status/677871004354371584);
>> that would squarely point the finger at some government's intelligence
>> agency.
>>
>> I don't know who did it, but neither 'bug' nor 'developer debugging
>> code' sounds plausible here.
>
> https://twitter.com/sweis/status/677896363070259200

That tweet got deleted, apparently to redraft/correct; is this the equivalent?

https://twitter.com/sweis/status/677897914643976193
https://gist.github.com/hdm/107614ea292e856faa81#file-ssg500-6-3-0r12-0-diff-L16

Royce

• Previous message (by thread): [CVE-2015-7755] Backdoor in Juniper/ScreenOS
• Next message (by thread): [CVE-2015-7755] Backdoor in Juniper/ScreenOS
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]