nanog mailing list archives
Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS
From: A.L.M.Buxey () lboro ac uk
Date: Fri, 18 Dec 2015 14:09:29 +0000
Hi,
> Should we blame Juniper for letting a git repository open to "unauthorized code" or should we congratulate them for their frankness (few corporations would have admitted the problem)?
'un-authorized' - not authorized. this could be code/idea by some/one engineer for e.g. debugging purpose etc. that just didn't get ANY signoff by anyone - so during code review they've questioned its presence and not found the relevant sign-off etc.

take VW here...they are now blaming a small set of engineers who rigged the emissions system....if they can say that no managers/execs knew about this and it was purely in some small code team etc. then that too is unauthorized code - but it's internal, not an external bad guy (it will be interesting however, in that case, whether that really was the case and it WASN'T known about by someone else...thus 'authorized' in that it wasn't stopped)

alan