[CVE-2015-7755] Backdoor in Juniper/ScreenOS
Steven M. Bellovin
smb at cs.columbia.edu
Fri Dec 18 17:32:50 UTC 2015
Yes. He's backing off a bit on the claim, since he doesn't have full context.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
Sent from from a handheld; please excuse tyops
> On Dec 18, 2015, at 12:27 PM, Royce Williams <royce at techsolvency.com> wrote:
>> On Fri, Dec 18, 2015 at 8:03 AM, Steven M. Bellovin <smb at cs.columbia.edu> wrote:
>>> On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:
>>>> On 18 Dec 2015, at 7:28, Dave Taht wrote:
>>>> I think "unauthorized code" is still plausible newspeak for "bug".
>>>> Why blame finger foo when you can blame terrorists?
>>> It looks like two different holes, one a back door for unauthorized
>>> console login and one to somehow leak VPN encryption keys. There are
>>> hints that that latter involved tinkering with certain constants in
>>> the crypto (https://twitter.com/matthew_d_green/status/677871004354371584);
>>> that would squarely point the finger at some government's intelligence
>>> I don't know who did it, but neither 'bug' nor 'developer debugging
>>> code' sounds plausible here.
> That tweet got deleted, apparently to redraft/correct; is this the equivalent?
More information about the NANOG