06:32 GMT +3, 29 September 2016

Networking Giant Abandons NSA-Developed Firewall Code


Technology company Juniper Networks has announced that it will drop code developed by the National Security Agency that it believes to be responsible for breaches in the company’s firewall.

Based in Sunnyvale, California, Juniper Networks produces networking equipment used by many private companies and government agencies. Last month, the company announced a major security flaw: two unauthorized backdoors were discovered in its own firewall.

In place for three years, one of those backdoors allowed hackers to decrypt Juniper’s traffic.

Experts immediately suspected that the US government was behind the programming flaw, and the company appeared to agree. On Friday, the company announced that it would remove the Dual_EC_DRBG random number generator from its firewall, saying it believes that portion of code to be responsible.

"We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products," Juniper said in a blog post.

"The investigation of the origin of the unauthorized code continues."

While the company doesn’t mention the NSA by name, the Dual_EC code is widely believed to have been developed by the intelligence agency for surveillance purposes.

Nicholas Weaver, a researcher with the International Computer Science Institute, told Wired Magazine that "the weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency," and that the NSA has been guilty of similar actions against corporate entities in the past.

Juniper’s decision to use Dual_EC has been criticized since it first began using the code. In 2007, cryptographer Bruce Schneier wrote a piece for Wired in which he called it “scary stuff.” In 2013, the New York Times published a story, based on documents provided by NSA whistleblower Edward Snowden, warning of the code’s weaknesses.

"There’s no legitimate reason to put Dual_EC in a product," Matthew Green, a cryptographer at Johns Hopkins University, told Wired. "There never was. This is an incredibly powerful and dangerous code and you put it in your system and it creates a capability that would not have been there otherwise."

"There’s no way to use it safely."

Juniper had earlier defended its decision, insisting that its encryption was secure.

All comments

  • poofipoofipoofi
    Getting security code from the NSA sounds inherently suspicious. It'd be like hiring the lawyer the police recommended for you. Both are terrible ideas.
  • Ann in reply to poofipoofipoofi
    poofipoofipoofi, Or like giving a burglar a spare key to your house.
  • STOP killary !!
    ellison bought the loss making SunSystems only to lay his hands on Java as a backdoor into ALL operating systems on all computers in the world. For ..... his yiddish pals in the mossad. As usual the oligarki is one step ahead of us goyim.
  • Ivan Zadorozhny
    That's open society for you.