Juniper resets 'days since last rogue code incident' clock Juniper Networks has announced its own investigations have found none of the "oops ... how did that code get there" trouble in Junos OS and that it will kill off Dual Elliptic Curve (Dual_EC) encryption in ScreenOS. The company says it hired a "respected security organization" that "undertook a detailed investigation of …
http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raises-more-questions-about-the-company/
I like the Register I do, and Wired is usually the place with puff pieces, but if you want the hard info, to know who discovered what, the timeline of events, and what was actually going on with the code and why the nonce matters see the Wired article.
Wired article is good for a change, but elReg is normally excellent (have to say that or AO gets pissy):
"“The more output you see [from the generator], the better [it is to crack the encryption],” Checkoway says. “Anything you see over 30 bytes is very helpful. Anything you see less than 30 bytes makes the attack exponentially harder. So seeing 20 bytes makes the attack basically infeasible. Seeing 28 bytes makes it doable, but it takes an amount of time, maybe hours. Seeing 32 bytes makes it take fractions of a second.”
The term "nonce" has been used by cryptographers forever. It's short for "Number used ONCE". (I.e. if you reuse it then Bad Things happen). It's typically either randomly generated, or a sequence number.
Yes, it has other meanings in other contexts. But it's meaning in cryptography is well-known. And it's usage in cryptography goes back far before the first Urban Dictionary entry for it.
"The term "nonce" has been used by cryptographers forever"
Care to define forever in the context of your comment?
I doubt you can in any meaningful way.
I think here in blighty we had offenders referred to as nonces before we had the crypto version.
Don't assume your one size fits all...
"Number used once" is a happily convenient backronym. A 'nonce word' (a word made up for a particular use and not intended to be used again) is a term that was invented about 100 years ago, some time before its use for numbers in cryptography.
Have a look at:
http://www.dailywritingtips.com/nonce-words-for-the-nonce-and-nonce/
On web pages if you wish to avoid double posting or wish to trigger an action on a page if they arrive from a certain page and not if they refresh, can and often does use a nonce. It's a well known and well used programming term - just because it has a different and unrelated meaning as slang for something else (and never likely to be confused) is nothing to get your nuts in a twist.
Geez ... you should have ended your post with "Won't somebody think of the children?"
That Brass Eye episode was a spoof wasn't it?
Asian - here's the exec summary you'd like. No trouble, mate. Happy to help
1. By 2011 "GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks" <url>https://theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq</url>
2. An external researcher or internal engineer found the security flaws. "The company said it discovered the backdoors during an internal code review, but it didn’t say if this was a routine review or if it had examined the code specifically after receiving a tip that something suspicious was in it." <url>http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors</url>
3. Juniper sat on it until the discoverer was at the point of going public.
4. Juniper's CTO made the "During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections" announcement to own the discovery <url>http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors</url>
5. Juniper issues fixes that don't fix all the security issues <url>http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raises-more-questions-about-the-company</url>
A damning piece of circumstantial evidence is that Juniper won't be explicit about who/how/when the security flaws came to light. It would be to their credit to claim that they found it, but being caught lying (as opposed to evasive) would make their situation and trustworthiness so much worse. That implies that Juniper's hand was forced by the discoverer who was not under their control.
So, Cisco, got anything you need to need to do? Like go to court to get any NSA instructions to you judged illegal before you get caught?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
