Was that part of the acquisition of NetScreen in 2004? Juniper acquired NetScreen in February...but Dual EC wasn't published as a draft until June of that year. This is new code.
Even if it weren't, why would it be reasonable to allow critical cryptographic components to go unaudited for 8 years? If the analysis so far is correct, then a single independent test vector for the RNG should have caught this bug. One. Lousy. Test. Furthermore, the fact they discussed their use of DualEC in 2013, and then claimed their construct was secure, is proof they were aware of the danger and yet, apparently, they hadn't done anything to verify this.
Hanlon's razor is going to condemn them one way or another here. Unless they can demonstrate extraordinary circumstances, then Juniper security products should be considered toxic.
The likelihood of them ever having the cryptographic components of ScreenOS competently audited is very low.
Most firms didn't even start getting basic software security assessments done until ~5 years ago, and almost nobody gets crypto reviews done (crypto reviews are nosebleed expensive, because only a tiny fraction of software security people can do them competently).