Talk:ScreenOS

This is the talk page for discussing improvements to the ScreenOS article. This is not a forum for general discussion of the article's subject.

Put new text under old text. Click here to start a new topic. New to Wikipedia? Welcome! Learn to edit; get help. Assume good faith Be polite and avoid personal attacks Be welcoming to newcomers Seek dispute resolution if needed Article policies Neutral point of view No original research Verifiability

Find sources: Google (books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL

This article has not yet been rated on Wikipedia's content assessment scale.

Controversy section

Latest comment: 8 years ago7 comments3 people in discussion

Someone at Juniper noticed and word eventually got to me, that the page now has a controversy section that takes up most of the entire article. Much of the content is unsourced or cited to blogs and forums, or highly speculative in nature. I raised the issue in the IRC chat and an editor suggested I throw together a shorter draft using just the two WIRED articles that are considered acceptable references. I have done so below.

Draft

In December 2015 Juniper Networks announced that it had found unauthorized code in ScreenOS that had been there since August 2012. The two backdoors it created would allow sophisticated hackers to control the firewall of un-patched Juniper Netscreen products and decrypt network traffic. At least one of the backdoors appeared likely to have been the effort of a governmental interest. There was speculation in the security field about whether it was the NSA.[1] Many in the security industry praised Juniper for being transparent about the breach.[1] WIRED speculated that the lack of details that were disclosed and the intentional use of a random number generator with known security flaws could suggest that it was planted intentionally.[1]

I do not have any subject-matter expertise; just whipped something up quickly as a summary of what I read in the two good sources. David King, Ethical Wiki (CorporateM) (Talk) 05:15, 15 January 2016 (UTC)Reply

I also have a conflict of interest - forgot to mention. David King, Ethical Wiki (CorporateM) (Talk) 05:19, 15 January 2016 (UTC)Reply

I have approved this edit and made the change. Many of the refs in the original were to blogs were are not reliable sources. If the OP that placed the original content wants to redo the information it must be sourced to something reliable. --Majora (talk) 05:29, 15 January 2016 (UTC)Reply

Umm, is there any point from the deleted text which was actually controversial? Except for Juniper not wanting it known? We can't just remove stuff from Juniper's article because Juniper doesn't like it in general. IIRC, it was mainly sourced from Wired and Matthew Green, who is a respected cryptographer. If it seemed one-sided, then that is because Juniper has declined the opportunity to explain their side of the story. That is not our problem.

A large part of the text you removed was totally uncontroversial technical explanation of how the backdoor worked.

I wrote most of it. Can you put me in contact with Juniper, and then I can look at their specific complaints. Thue (talk) 19:51, 15 January 2016 (UTC)Reply

@Thue: I was contacted on IRC regarding this and after taking a look at it I saw that most of the references in that section were to blogs.

• http://web.archive.org/web/20160109173318/https://forums.juniper.net/t5/Security-Incident-Response/Advancing-the-Security-of-Juniper-Products/ba-p/286383 specifically says it is a blog.
• http://web.archive.org/web/20160113225234/https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor as does this one.
• http://web.archive.org/web/20151223054159/https://www.schneier.com/essays/archives/2007/11/did_nsa_put_a_secret.html says it is a personal website so that would have no editorial oversight.
• http://web.archive.org/web/20160110045758/http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html is also a blog.
• http://dualec.org/ I honestly have no idea what that is but I don't see any evidence that it has any oversight at all or that the research paper has been published in any reliable journals.

It really had nothing to do with Juniper not liking it, in my mind. It had to do with a lot of the information being sourced to things that are not reliable per WP:BLOGS. So I asked CorporateM to write something up and I would take a look at it. What they wrote up was acceptable to me so I replaced it. I have no problem expanding on the details of the backdoor but those details would have to be sourced to something reliable. The WIRED reference was really the only reliable reference there (in my opinion). --Majora (talk) 20:11, 15 January 2016 (UTC)Reply

According to WP:RS, "Self-published material may sometimes be acceptable when its author is an established expert whose work in the relevant field has been published by reliable third-party publications." All the links you mention (with the possible exception of [1]) are to very highly regarded experts in their field (and the Schneier article was published in Wired). Bruce Schneier, Matthew D. Green, Daniel J. Bernstein, etc - really a who is who of who is most relevant in applied cryptography. Thue (talk) 20:27, 15 January 2016 (UTC)Reply

@Thue: I haven't really looked for anything but has the mechanics of the backdoor only been discussed in blogs? Regardless of the expertise of the people it is still a blog. If that is the only place it is discussed, I'm fine with it being reintroduced with that as a source. But I would be much more comfortable if it was coming from something with editorial oversight. --Majora (talk) 22:35, 15 January 2016 (UTC)Reply

References

1. Zetter, Kim (October 27, 2008). "New Discovery Around Juniper Backdoor Raises More Questions About the Company". WIRED. Retrieved January 15, 2016.