Researchers confirm backdoor password in Juniper firewall code

“Unauthorized code” included password disguised to look like debug code.

The Juniper NetScreen 5200, one of the firewalls that carries the backdoor code inserted into Juniper's ScreenOS.

On December 17, Juniper Networks issued an urgent security advisory about "unauthorized code" found within the operating system used by some of the company's NetScreen firewalls and Secure Service Gateway (SSG) appliances. The vulnerability, which may have been present in some firewalls as far back as 2012 and which shipped to customers until late 2013, allows an attacker to gain remote administrative access to any affected system that has Telnet or SSH access enabled. Researchers have now both confirmed that the backdoor exists and developed a tool that can scan for affected systems.

In a post to the Rapid7 community blog site on December 20, Metasploit project founder and Rapid7 researcher H D Moore published an analysis of the affected versions of Juniper's ScreenOS operating system, including the administrative access password that had been hard-coded into the operating system. This backdoor, which was inserted into ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, is a change to the code that authorizes administrative access with the password "<<< %s(un='%s') = %u"—a password that Moore notes was crafted to resemble debug code to evade detection during review.
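Before reaching for a network scanner, the first thing a practitioner wants is a fleet triage against the affected release ranges above. The following is an added example (not code from Juniper, Rapid7 or the article): it parses ScreenOS-style version strings, checks them against the inclusive ranges 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, and runs that check over a constructed inventory of `get system` snippets. The `Software Version:` line format and the trailing `.0` build suffix are assumptions about the appliance output, not something the article states.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ScreenOS releases as reported in Moore's analysis; endpoints are inclusive.
AFFECTED_RANGES = [
    ("6.2.0r15", "6.2.0r18"),
    ("6.3.0r12", "6.3.0r20"),
]

# major.minor.patch r<release>, with an optional trailing ".<build>" (assumed format).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '6.3.0r19' or '6.3.0r19.0' into a comparable (6, 3, 0, 19) tuple.

    Returns None when the string is not a ScreenOS-style version, so callers
    can distinguish 'unparseable' from 'outside the affected ranges'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch, release)


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the backdoored release ranges."""
    v = parse_screenos_version(version)
    if v is None:
        raise ValueError(f"not a ScreenOS version string: {version!r}")
    for lo, hi in AFFECTED_RANGES:
        if parse_screenos_version(lo) <= v <= parse_screenos_version(hi):
            return True
    return False


def extract_version(get_system_output: str) -> Optional[str]:
    """Pull the version token out of captured 'get system' output.

    The 'Software Version:' line layout is an assumption for this example."""
    m = re.search(r"Software Version:\s*([0-9.]+r\d+(?:\.\d+)?)", get_system_output)
    return m.group(1) if m else None


# Constructed inventory for the example: hostname -> captured CLI snippet.
# These are not real devices or real captures.
SAMPLE_INVENTORY: Dict[str, str] = {
    "fw-edge-01": "Product Name: NetScreen-5200\nSoftware Version: 6.3.0r19.0, Type: Firewall+VPN\n",
    "fw-dmz-02":  "Product Name: SSG-550\nSoftware Version: 6.3.0r21.0, Type: Firewall+VPN\n",
    "fw-lab-03":  "Product Name: SSG-5\nSoftware Version: 6.2.0r14.0, Type: Firewall+VPN\n",
    "fw-lab-04":  "Product Name: SSG-5\nSoftware Version: 6.2.0r16.0, Type: Firewall+VPN\n",
}


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """Return {hostname: (version, affected)} for every device whose output parsed."""
    result: Dict[str, Tuple[str, bool]] = {}
    for host, output in inventory.items():
        ver = extract_version(output)
        if ver is None:
            continue  # unparseable capture: flag for manual follow-up, not silently "clean"
        result[host] = (ver, is_affected(ver))
    return result


if __name__ == "__main__":
    for host, (ver, hit) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {ver} -> {'AFFECTED' if hit else 'outside affected ranges'}")
```

A version outside the listed ranges is a screening result, not proof that a device is clean: the check only reads what the appliance reports about itself, whereas the scanner Moore describes tests the behaviour directly, and the firmware reflash described below is the fix either way.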

Since this code is in the firmware of the affected Juniper NetScreen and SSG appliances, the only way to remove it is to re-flash the firmware with a new version of ScreenOS. Steve Puluka has written a guide on how to perform the upgrade and avoid some of the potential problems around installation, including dealing with the configuration of a new signing key for the upgrade.


French consumer group sues for right to resell Steam games

“Federal union of consumers” also wants more liability for data breaches.

(credit: Kyle Orland)

A French consumer group has brought a lawsuit against Valve, saying that Steam and its required terms of service infringe on a number of European legal rights, including the right to legally resell purchased software.

The 64-year-old UFC-Que Choisir (the "federal union of consumers") argues that Valve must provide the capability for Steam users to resell their legally purchased digital games whenever they want. While noting that many online stores have similar resale restrictions, the group argues that the difference between being able to resell a physical game disc and not being able to resell a digitally purchased game is "incomprehensible... No court decision prohibits the resale on the second-hand market games bought online, and the European Court has even explicitly stated that it’s possible to resell software which, let’s remember, is an integral part of a video game."

The group is referring to a 2012 decision from the European Court of Justice that focused on the resale of downloadable enterprise software licensed from Oracle. "It makes no difference whether the copy of the computer program was made available by means of a download from the rightholder’s website or by means of a material medium such as a CD-ROM or DVD," the court ruled.


The best ride in the galaxy—coming back to Earth in a Soyuz

After returning 10 days ago, Kjell Lindgren recounts the out-of-this-world experience.

Would you ride back from space in this? The Soyuz TMA-17M spacecraft is seen after it landed on December 11 in Kazakhstan. It was -5 degrees Celsius outside. (credit: Bill Ingalls/NASA)

Just a little more than a week ago, astronaut Kjell Lindgren prepared to take the ride of his life. The experience of returning to Earth inside a Soyuz spacecraft, likened to a fireball, may well be the most exciting thrill ride known to humans. Even before he departed for a year-long mission to the International Space Station, Soyuz reentry veteran Scott Kelly explained the ride thusly: "Even if I had hated the last six months, I would have done it all again for that last 20 minutes in the Soyuz." This was fresh in Lindgren's mind as he strapped into the Soyuz spacecraft early on December 11.

"Scott had talked about that as well, in conversations we had had," Lindgren told Ars in an interview. "That certainly set an expectation in my mind for it being a lot of fun. We sometimes talk about things being fun, or type II fun, where it’s kind of fun in retrospect, but while you’re going through it, it’s maybe a little more arduous. I wasn't sure what this would be."

The ride begins quietly. Boring, even.


Chuwi Vi8 Plus is a $100 Cherry Trail Windows tablet

Chinese tablets aren't exactly known for their high price tags. But it's still kind of impressive to see what you can get for $100 these days. The Chuwi Vi8 Plus is a Windows tablet with an 8-inch display, an Intel Atom Cherry Trail processor, and a USB Type-C port. You can buy one […]

Chuwi Vi8 Plus is a $100 Cherry Trail Windows tablet is a post from: Liliputing
Lab screw-ups with smallpox and anthrax show we must rethink biosecurity

Self-regulation by biologists was successful in the past but may now be too risky.

Over the past couple of years, American labs have been caught mishandling biological samples that require extreme care: things like smallpox, anthrax, and avian flu. Largely in response to this, the White House issued a memo this past October 29 that outlined its vision of our future biosecurity and safety.

But in last week's Science, a trio of academics from Stanford lamented that the memo's approach was insufficient. Their exact criticism: “It grafts recommendations onto inadequate institutional structures and fails to address underlying systemic needs.”

When those assorted labs screwed up in their own distinctive ways, each was shut down and reviewed on a narrow, individualized basis. It is definitely great that the White House recognized that a more systematic, centralized approach is necessary but, according to this critique, they have not provided it.


Toshiba to eliminate 6800 jobs

Toshiba plans to eliminate 6,800 jobs in the company's consumer electronics division. While that represents only about 3.4 percent of Toshiba's 200,000-person workforce, it's close to a third of the company's "Lifestyle business segment." The move is part of a major restructuring in response to an annual loss of more than $4.5 billion. The optimistic name […]

Toshiba to eliminate 6800 jobs is a post from: Liliputing
Hillary Clinton wants “Manhattan-like project” to break encryption

US should be able to bypass encryption—but only for terrorists, candidate says.

Hillary Clinton. (credit: Clinton campaign.)

Presidential candidate Hillary Clinton has called for a "Manhattan-like project" to help law enforcement break into encrypted communications. This is a reference to the Manhattan Project, the top-secret, concentrated research effort that resulted in the US developing nuclear weapons during World War II.

At Saturday's Democratic debate (transcript here), moderator Martha Raddatz asked Clinton about Apple CEO Tim Cook's statements that any effort to break encryption would harm law-abiding citizens.

"You've talked a lot about bringing tech leaders and government officials together, but Apple CEO Tim Cook said removing encryption tools from our products altogether would only hurt law-abiding citizens who rely on us to protect their data," Raddatz said. "So would you force him to give law enforcement a key to encrypted technology by making it law?"


Measuring Greenland’s increasing weight loss using aerial photos

Current rate of ice melt is double the 20th century average.

Kangiata Nunata Sermia, Greenland. (credit: Nicolaj Krog Larsen, Aarhus University, Denmark)

Past performance may not always predict future results in the stock market, but in the Earth sciences, it can tell us a hell of a lot. Since we only have the one planet, examples of some processes can only be found in the past. That’s why so much effort goes into studying the past behavior of the Greenland and Antarctic ice sheets. We need context for what we’re currently seeing and some ideas about what’s likely to happen next.

While many studies look tens of thousands or even millions of years into the past, much more recent history can also be of interest. We've only had satellites measuring changes in the Greenland ice sheet since the early 1990s, so what happened over the preceding century is much less clear. That makes it difficult to answer questions about Greenland's contribution to the full century's sea level rise, or about the ice sheet's natural short-term variability.

But in a new study, a team led by Kristian Kjeldsen and Niels Korsgaard of the University of Copenhagen has managed to fill in this gap through some clever, if tedious, research. They took advantage of a trove of stereo aerial photos taken in the late 1970s and 1980s as part of a survey of Greenland.


Khronos Group: Vulkan graphics API will not arrive until 2016

The Vulkan graphics interface was originally supposed to be available before the end of 2015; now the ground-up reworked successor to OpenGL will not be finished until next year. (Vulkan, server applications)