Last week, Juniper revealed that it had found 'unauthorized code' in its ScreenOS firewall software, and while they issued a patch very quickly, the repercussions for the industry as a whole are just getting started. This wasn't a bug; it was rogue code designed and covertly inserted to do what it did, which was to allow anyone to tap into communications, encrypted or not. And it has been in place for 2-3 years.
Nobody is quite sure who might have been listening in. Some have the NSA at the source of it all, which wouldn't surprise anybody after all we've learned in the last few years. But even if they were, they might not have been the only ones, and the FBI is looking to see if a foreign government might have been listening. A little late, it would seem...
This is all one big illustration of why making apparently reasonable exceptions in security measures for law enforcement can backfire. One man's security camera is another's voyeur opportunity, and encryption designed with a skeleton key isn't encryption.
Juniper has borne the brunt of this PR disaster, but I doubt very much whether its brethren vendors are going to benefit from it. Now Cisco and probably every other entity out there that writes code for the boxes that run the internet are auditing their code, and who knows what they might find -- though they may never actually tell us.
But they shouldn't be surprised at the idea this sort of thing could happen, because it's an obvious vector. Why should even a friendly spy agency ask for cooperation they might not get if they can just get someone hired at a company to insert such things without telling anyone?
For that matter, with the increasing role that software is playing in network infrastructure today, there's more and more software out there doing jobs that have only just become fully automated. The environment is becoming rather target rich, and it's so much easier than, say, tapping a submarine cable 3 miles underneath the ocean, or actually cracking modern encryption.
The real winner is likely to be the Open Source movement, because the real reason this hack was successful is that it was behind closed doors. A little sunlight on the source code and the changes made to it may not fix the accidental bugs that inevitably get introduced, but it can go a long way toward keeping away the intentional ones.