Over the last month I've read a lot of inane crap posted by security journalists who should know better. I'm specifically addressing the issue around the vulnerability discovered in Juniper's NetScreen devices. Conspiracy theories ranging from "it's a US agency pretending to mimic Chinese state intelligence" to NSA influenced or deliberately backdoored code making its way into the release system bypassing internal QE testing.
I do "not" know the full story and nobody ever will but heres my starter for ten.
Juniper just like two dozen major US technical vendors providing catalogue items to US Government and Federal Agency / Defense customers (as well as other global government accounts and the private sector which makes up 70% of their revenues) have grown by acquisition. Not innovation. Acquisition.
Having been a CEO that exited handsomely from his own non VC funded startup I've got some experience here. As a casual investor, VC and journalist I sit and research this stuff to the nth degree and I'm still none the wiser about the rationale behind some "marriages" of technology vendors. There seems to be an expectation from a lot of analysts who frankly haven't the first clue about where tech comes from and is going, and institutional shareholders that companies should use warchests of saved revenue to grow their product range by acquiring other companies.
Rather than innovate and grow their own products safely and sanely - even if it means an increased R&D curve. Not every acquisition leads to bottom line success but often a company is acquired for its people not its product, or its market position and revenue share rather than it's product and people. It's not a precise science and you can count the number of commercially savvy acquisitions in the network sector where direct reflected growth has resulted on two hands. Often its the weak hugging the almost as sickly or it's the oft commented over valued acquisition where the inbound company (and their advisors) run towards the hills rubbing both hands as soon as their vesting period is done.
One of the problems with acquisition of technology is that most companies in the EU and the US are utterly clueless as to how to do due diligence. The financial due diligence and the locking down of commercially sensitive news and key figures takes precedence. The concept of code escrow or sanity checking of code and process is hardly ever adhered to, often there "isn't time". Sadly for Juniper (and other companies) this has cost them because as well as acquiring brand and market share and position they also acquired a lot of accidentally naive processes and a company who had gone to market delivering great value and promise that wasn't reflected in the methodology in engineering.
In October 2003 Netscreen acquired Neoteris to bolt on a lot of strength and focus around their SSL products, four months later Juniper acquired Netscreen. So you have a company, Netscreen who can't have onboarded Neoteris and their processes and engineering in key SSL processes by the time they are then acquired by Juniper. Then you have Juniper trusting the product specialists at Netscreen where there is already confusion and poor co-working on SSL engineering taking ownership of core PKI stuff.
Dumb decisions around key management and key generation, cipher strength and release engineering result because nobody at an engineering level is understanding the core skills and risks around how you onboard or do sanitisation of code and QE process. This is allowed to fester and results in a car crash that will eventually happen down the line - it was just a question of when.
Juniper aren't alone, and they're a great company. I could name six major companies all trading in the US and Israel five of them on NASDAQ, all six providing goods and services to US Gov and major government accounts where this lack of intrinsic technical and process management is compressed into forked Linux based appliances and where M&A mistakes and loss of key staff who have gone, once vested, over the horizon to do their next startup without back filling or competency checking. Worse there are two of them where GPL v3 code has been backported to GPL v2 to get around licencing issues that are generating cataclysmic future security issues which when you add to the dumb mistakes made in M&A process make you just want to bang your head on a desk.
Do I think the NSA went after Juniper ? No. Genuinely they aren't that silly, the NSA is run and managed by bright folk who are there for a reason. Do I think the NSA / GCHQ in the UK knew about the vulnerability ? Sure, I hope so, they hire the brightest and the best for a reason.
Enough poor security journalism, look at the underlying facts nobody wants to talk about - onboarding and QE failed and some engineering release managers probably held to ransom by sales guys rushed stuff out to hit a revenue cycle. It was going to happen it was just when.