FBI Concerned About Implications of Counterfeit Cisco Gear

SpicyBrownMustard writes "An FBI PowerPoint presentation provides details about a criminal investigation into counterfeit CISCO hardware originating from China, and sold by Gold/Silver partners to numerous US government, military, and intelligence agencies. The concern of the article's author and the FBI is that the counterfeit equipment may be state-sponsored to aid in accessing otherwise secure systems (slides 46+47). Says the article author: 'The threat is real. Compromised hardware of potentially hostile foreign origin sits within secure networks of the US government, military, and intelligence services. And as you now see, the FBI has been concerned about it.'" We've mentioned the seizure of some of this equipment before, but this presentation adds quite a bit of detail, and highlights the FBI's concern of Chinese government involvement.

Well that's a change

[aleph42]

Well that's a change. For once a counterfeited items seems a little bit dangerous.

That's a much better job as scaring us to support the anticounterfeit capains than the previous stuff.

I mean, I've seen those ads saying "counterfeited items can kill" with a teddy bear ready to burn a child alive because he's not fireproof, and I must say it felt a little bit too much.

The fact that the financial loss they claim is mostly due to fake Rolexes, Channel stuff and the like doesn't help. I mean, how many people who buy a fake Rolex could afford a real one?

Still, I don't see how those Cisco conterfeits could be that bad; I mean, if it's critical equipement, of course you'll have to know where it comes from (and I don't see how real Cisco servers made in China would be a lot less of a risk).

Re:Well that's a change

[QMO]

how many people who buy a fake Rolex could afford a real one? [tongue-in-cheek]Just the ones that actually work for their money.[/tongue-in-cheek]

Re:Well that's a change

[jorghis]

The counterfeit thing is nonsense. The chinese could just as easily modify a non-counterfeit router as a counterfeit one.

The counterfeit hardware isnt really counterfeit, instances like this are usually just the guy who runs the factory keeping it open an hour later than he is telling Cisco and producing a bunch of extra routers that he can sell on the cheap. The counterfeit item itself is typically exactly the same when we are talking about electronics. Its not like they are using completely different designs and slapping the Cisco brand name on it. (I am sure there are exceptions to this that someone will point out but I am speaking in general terms here, this rule applies for most counterfeit electronics)

Sure, we should be concerned because American companies are having their IP that they put a big investment into stolen, but its no less secure to buy a counterfeit router than a non-counterfeit.

Re:Well that's a change

[rbanzai]

I think you have not heard of counterfeit brake-pads. Counterfeits are a significant danger when they move beyond the more visible realm of watches and bags. I would not be surprised if at least 50% of all manufactured items are subject to counterfeiting and it goes all the way down to mundane but important things like o-rings, cotter pins, bolts, cables, etc.

The problem remains the same whether it is a simple or sophisticated item: something has been compromised. But what exactly? Finish, fit, function? Do you want to gamble your life on it? Your property? Your data?

I don't care about watches and bag. The rest has me concerned.

Re:Well that's a change

[sleigher]

Maybe it's high time America starts to look at how its manufacturing gets done. We spent all this time and money to offshore our manufacturing at the expense of American jobs because of our bottom line. Now we are reaching "long term" and it is going to wind up costing us more than if we kept it here at home. Maybe, just maybe, the corporations will start to look at their long term outlook in a different light. Just because you are getting cheap labor today does not necessarily mean you will save money tomorrow.

Re:Well that's a change

[sleigher]

Awesome, way to take what I said and change the meaning. I never said I hated foreigners. I was pointing out that Americans have lost 1 million jobs in the last year alone. I have no problem with foreigners but is it not my duty as a citizen of a nation to want my fellow citizens and my country to prosper? You should be working for one of these presidential campaigns. You seem good at taking a statement someone says and making it mean something entirely different.

Re:Well that's a change

[Dare+nMc]

Counterfeits are a significant danger when they move beyond the more visible realm of ...

because their have never been quality issues with suppliers outsourcing their production to the lowest cost producer. /sarcasm

I get your point, if you don't know who supplied the part then who follows up on a bad production run, and who do you sue to stop a re-occurring problem.
Seams these items it is better to get from a reputable vendor, than it is to get them with a reputable brand.

Re:Well that's a change

[businessnerd]

I've seen those ads saying "counterfeited items can kill" with a teddy bear ready to burn a child alive because he's not fireproof, and I must say it felt a little bit too much.

When it's watches and hand-bags your talking about, then yes, it is a bit much. But when you start talking about counterfeit pharmaceuticals, that's a whole different story. The fact of the matter is, COUNTERFEIT PHARMACEUTICALS CAN KILL. It's one thing when your heroin was packaged under unsanitary conditions, another entirely when you heart medication has the wrong doses or even the wrong compounds in it.

Re:Well that's a change

[hguorbray]

somewhat timely that it is now revealed that the reason the Titanic went down so fast was due to substandard fasteners (ie. too much filler not enough iron)
http://www.newsobserver.com/front/story/1037540.html

just like the heparin that was 'stretched' with something that would pass the chemical QA tests
http://www.iht.com/articles/2008/04/22/healthscience/22fda.php

or electronic components that will fry in a matter of weeks or months instead of years......
http://www.purchasing.com/article/CA6450781.html

The FBI Followed Up With

[neoform]

It's not fair, if people are using the Chineese pre-wiretapped routers, we can't get people to use OUR specially pre-wiretapped routers!

Re:The FBI Followed Up With

[TheRaven64]

Don't Cisco make the routers used in the Great Firewall of China? There's probably just a flag somewhere in IOS saying which government to send the logs to...

Re:The FBI Followed Up With

[zappepcs]

Your joke is exactly why I'm starting to play with Vyatta http://www.vyatta.com/ and http://en.wikipedia.org/wiki/Vyatta to get away from the alphabet soup of groups that want to know what happens inside my home without my knowledge. Performance is pretty good for small office/home networks and leaves you quite a few options if playing with computers is your hobby.

Re:The FBI Followed Up With

[lathama]

Start with ImageStream and learn some IPtables.

Nightmare

[chrome]

This is a complete and utter nightmare, for so many reasons. You start to mistrust the routers in your network, then you should also distrust most of the tools in your arsenal. Can you trust that laptop? What about the chipset in that laptop? Can you trust the copy of GCC you have?

This is going to keep a lot of people awake at night.

Re:Nightmare

[Arccot]

This is a complete and utter nightmare, for so many reasons. You start to mistrust the routers in your network, then you should also distrust most of the tools in your arsenal. Can you trust that laptop? What about the chipset in that laptop? Can you trust the copy of GCC you have? This is going to keep a lot of people awake at night. Indeed. Even if you tried to flash the firmware on your routers to clean them, who is to say the "bad" firmware isn't designed to look like it was flashed, but really do nothing to get rid of any backdoors?

If you can't trust the hardware, you can't trust anything. Scary stuff.

Re:Nightmare

[neoform]

The solution: Buy a router from every major router maker, then use them all chain-linked together. That way you get super-ultra firewall protection.. and unless the Chinese AND the NSA are working together, you can't be hacked! FLAWLESS VICTORY!

Re:Nightmare

[sm62704]

You can only trust software that you have examined the code and compiled yourself, and people you trust who have examined and compiled the code themselves.

I trust neither Cisco nor the FBI.

Re:Nightmare

[jdunn14]

It's really nothing new, and there is no real solution other than you have to trust someone at some point. For an entertaining paper about this exact problem in the software world, check out "Reflections on Trusting Trust" by Ken Thompson

Re:Nightmare

[demachina]

I think you are just getting a dose of turn about is fair play. The CIA and NSA have tampered with electronics being sold to America's adversaries for years. Countries like China and Brazil have zero confidence in Windows because of the possibility of back doors allowing the NSA and CIA access, which is why Linux is so popular in these countries, especially for government use.

I'm not exactly sure why counterfeit Cisco routers are considered more of a security threat than real Cisco routers since Cisco, like a lot of American companies, are outsourcing so much of their hardware manufacture and software development to China. The Chinese government can just as easily put an agent in to any of these companies and slip back doors in to the real products.

All in all this is just the price you pay for exploiting cheap labor in a country that has been a bitter adversary for the last 60 years.

Re:Nightmare

[sconeu]

But can you trust the compiler?

Re:Nightmare

[Kadin2048]

> This is going to keep a lot of people awake at night.

As well it should, because they never should have allowed the production of critical national-security infrastructure components to be outsourced in the first place. Now that they've dug themselves into an impossibly deep hole, they're going to start complaining that the view sucks.

I think the first thing that needs to happen, is that some agency (the NSA seems the most suited) needs to create and bootstrap 'reference platforms' for various architectures. Create a secure compiler chain from the ground up, auditing code the whole way. There's no other way to be sure that you're not just compiling in backdoors, otherwise.

Then with that accomplished -- and it would need to be done for every architecture that needs to be secured -- they'd at least have a secure toolset and compiler chain to vet COTS code with. (It goes without saying that any product that doesn't come with source code, and which can't be compiled on a secure compiler and then have that object code loaded in and run, should be immediately removed from the secure infrastructure. It's beyond broken.)

It would be a major effort, and probably a large shift in scope for the agency put in charge of it, but I think the problem is too important to do anything less. The economic, political, and military security of nations is going to rest firmly on electronic infrastructure, and we need to make the trustworthiness of that infrastructure a national priority.

Re:Nightmare

[neoform]

I trust neither Cisco nor the FBI.

On an unrelated note, ever since the NSA started giving me free Cisco routers, I can't help but think they're just honest guys trying to help out regular Joes like me.

Re:Nightmare

[evanbd]

Oh really?

Re:Nightmare

[chrome]

Yeah, I agree 100% here. It will never happen of course, because real, serious threats like this get brushed under the rug while other, spurious ones get an inordinate amount of attention, almost as if to say, he look! we're doing something.

Re:Nightmare

[chrome]

yeah, i've read a lot of Ken's work. I'm as old enough that I'm getting grey hairs. Naturally, not through stress. Though I do wonder about that C compiler I user at work a lot ...

Re:Nightmare

[chrome]

Thats a lot of lines of code.

I think I'm just going to trust those other guys over there that I've never met, but everyone else seems to trust...

Re:Nightmare

[LWATCDR]

Maybe somethings shouldn't be COTS?
Maybe Cisco should open a factory in the US and sell a line of super secure routers. You can only buy them from Cisco and they are shipped right from Cisco to the buyer.
Or maybe some other company should do that.

I am just waiting for some group to slip some bot code into all those linksys/netgear home routers. Now that would be a bot net that would be hard to even detect. Who runs malware detection on their router?

Re:Nightmare

[bluelip]

Isn't Shenzen the province that the Governor Corzine from NJ signed a trade agreement with? They have to be trustworthy for him to deal with them, no?

Re:Nightmare

[jandrese]

I think the concerns run deeper. What if the modifications are in the ASICs instead of in the flash?

Luckily, while there is a theoretical possibility of an attack using that vector, it seems unlikely to me once I consider the difficulty of adding a full speed packet sniffer on a Cisco that doesn't impact performance noticeably and has some way to get data out of a network you don't know. It's not like the government says "I'm buying this router to install in classified network X", rather they buy from a big lot in a warehouse and install them where needed.

A bigger concern might be a hacked PIX that (for instance) allows an IP address through if it sends a series of carefully crafted packets. The bad guys could then spam the internet with these packets looking for suddenly vulnerable networks. They wouldn't even have to be government related, there are plenty of private sector networks that would be a treasure trove for some malicious party.

Of course if someone was going to this amount of trouble, they could probably get the same vulnerabilities in official Cisco gear (especially stuff that is manufactured in China or Southeast Asia, which is almost all of it I think). The only major stumbling block is that if it ever is discovered, then there will be hell to pay.

Re:Nightmare

[kcelery]

How could you leave out the M$ ?

Re:Nightmare

[sjames]

Who says the real Cisco made in the same factory by the same people isn't just as thoroughly hacked?

Perhaps it's time to INSIST that those jobs come back to the U.S.

Re:Nightmare

[TheLink]

The grey hairs are because even your very DNA is being subverted and counterfeited.

That's what you get with cheap clones.

Just wait till Monsanto and friends catch up with you. Unauthorized reproduction and all that.

Re:Nightmare

[samkass]

It doesn't even have to be a sniffer or anything. They could simply have put something in the power supplies such that some sort of signal (maybe from a satellite?) would trigger all the routers to turn off, or something in any of the ASIC that would fry them on command. Just as our carriers are rushing to Taiwan's defense, *poof* all C2, logistics, and situational awareness capabilities revert to the early 20th century.

Re:Nightmare

[evanbd]

How much more tax money are you willing to spend? 10x? 100x? What about for the stuff that's important, but not national security important? Are you willing to live with the fact that the results will cost 100x as much and be 1/10th the speed? The government has been there and done that, at least for some sorts of components, and decided it couldn't afford to. Now, they might be wrong, but they might not be. It might be cheaper and easier to attempt to make the commercial gear secure, realize that won't completely work, and deal with the occasional problem -- even at a national security level. After all, there are national security implications to being unable to afford as much equipment as you can make use of... and it's entirely possible it's better to have the occasional huge security problem than to have nothing worth securing.

The right solution is defense in depth, multiple vendors, and a whole host of other, more mundane techniques. As long as one security hole, even widespread, can cause only limited damage, it's possible to contemplate dealing with it when it appears.

Re:Nightmare

[Megane]

allows an IP address through

Or maybe a back-doored packet forwarding ASIC which ignores all ACLs to filter a particular netblock, like say 203/8 or 202/7, of which large chunks are in China? (or something more specific if you prefer)

As for the parent post, you should be able to tell that your firmware got flashed by loading a different feature set. The trouble is, what if it's the hardware that is subtly subverted, regardless of the firmware, as in my example?

Re:Nightmare

[wprowe]

Are we sure this isn't already being done in some way? Perhaps not in the exact manner you describe. Why assume they are not already working with these hardware and software manufacturers?

Re:Nightmare

[adonoman]

Except as noted below, you can't necessarily trust the compiler. So you're stuck with either trusting that, or hand-coding a compiler bootstrapper in machine code, and going from there.

Of course then you're trusting that Intel or AMD don't have some hidden back doors in their microcode, so really you should be soldering transistors onto a circuit board (assuming that you checked that they are real transistors and not a microchip planted in a transistor case that usually acts like a transistor...

It's all about whom you're willing to trust.

Re:Nightmare

[sm62704]

Talk of trusting MS is like talk of trusting Sony-BMG, or trusting Hannibal Lecter not to eat you.

For those who don't trust Wikipedia, Here is another cannibal.

"How can a guy with that much money not afford contacts?" ~ Linus Torvalds on Bill Gates' coke bottle glasses

Re:Nightmare

[mistersooreams]

I think the first thing that needs to happen, is that some agency (the NSA seems the most suited) needs to create and bootstrap 'reference platforms' for various architectures. Create a secure compiler chain from the ground up, auditing code the whole way. There's no other way to be sure that you're not just compiling in backdoors, otherwise. That's probably excessive. You only need a from-scratch compiler to be just powerful enough to compile some version of, say, GCC. That solves the bootstrap problem. Then you need to audit the source for the version(s) of GCC you use, which is non-trivial but surely easier than writing a compiler from scratch.

Re:Nightmare

[CowboyNealOption]

Sadly much of the manufacturing equipment has been sold and moved to China forever, a trend that is only getting worse:

http://findarticles.com/p/articles/mi_m1571/is_2_19/ai_96238185

Re:Nightmare

[thisissilly]

You can't even trust that, unless you wrote the compiler yourself. See Reflections on Trusting Trust by Ken Thompson, where he modified the C compiler to insert backdoor code into the Unix "login" command, and then modified the C compiler to insert the login-modification code into itself when someone was recompiling the C compiler, so even that source code read clean.

Re:Nightmare

[olddotter]

If you like in the world of Spys and Spooks, then you are used to being worried/paranoid. Its just like breathing.

I do think these people should be concerned about their laptops, ipods, and anything else made in China. This is almost like us buying our equipment from Russia during the cold war.

China is a "communist" country with a capitalist economy, a different and scary beast. One that makes the toys we and our government loves to buy. And the question is what have we forgotten how to make because we would prefer for the Chinese to make more cheaply?

Re:Nightmare

[Kadin2048]

You're correct, and this is what I was trying to get at, although I should have been more clear.

The NSA (or whomever) wouldn't need to write the whole compiler chain themselves, they would just need to audit it. At some points in the chain it might be easier to just write them from scratch rather than auditing existing code, but at some higher level of complexity I assume that would change.

Although it would be a substantial effort, I suspect it may be something that's been done already. (I assume that the NSA probably has systems that only run audited code from the bare metal on up, so the low-level bootstrapping would already be done.) But they probably wouldn't need to essentially duplicate GCC; being open source, they would just need to find people capable of stepping through the code and understanding it, and then compiling that code on a system that's been audited.

What I see as the biggest challenge wouldn't be the technical one, it would be organizational. The current everybody-for-themselves patchwork approach to security just isn't working, and there needs to be an overhaul. Security needs to be built into the infrastructure from the ground up, and that requires changing how people think of and deploy it. Doing that without just pasting an additional layer of bureaucracy onto what we have now would be a challenge (and to be blunt, I think it has zero chance of happening before there's some major crisis), but I think the stakes are too high not to start working on it.

Re:Nightmare

[speculatrix]

that's not even completely valid. there was a hack to the earliest unix C compilers which recognised if they were compiling login.c and inserted a back door. If the compiler detected it was compiling the compiler, it inserted the code which looked for compiling login. Then, the non-hacked compiler and login were put back to make the system look innocent. read more

So, you actually need to examine the program with a debugger. Oh wait, the debugger might be compromised too so as to hide the backdoor!

Re:Nightmare

[moeinvt]

And how do you know you're not really a replicant writing a modified compiler to compile the 'C' compiler to insert the backdoor when it compiles?

Re:Nightmare

[Kadin2048]

Are you willing to live with the fact that the results will cost 100x as much and be 1/10th the speed? The government has been there and done that, at least for some sorts of components, and decided it couldn't afford to. Now, they might be wrong, but they might not be. I guess it was implicit in my earlier post that no, I don't think they're right about that. I think they're really, really wrong, and I think the litany of security breaches we've seen in the public sector over the past few years, and the ones I expect to see in the future, are an indictment of the dominant mindset in government IT procurement.

If we want to take advantage of electronic information-processing technologies, we need to find ways of making them secure. If we can't do that, then we shouldn't use the technology. Security shouldn't be optional: either it's feasible to do something securely, or it's too expensive, in which case the system shouldn't be constructed and alternatives should be considered, including not automating at all.

I would quite frankly rather see large sections of the government switch back to using paper, which at least the average member of the civil service has a clue about securing, than use electronic systems that aren't secure -- and worse than that, that the users don't realize aren't secure.

It might be cheaper and easier to attempt to make the commercial gear secure, realize that won't completely work, and deal with the occasional problem -- even at a national security level. You're right, it might be. But how do you quantify a potential national-security risk? It's possible to try and come up with after-the-fact estimates, but even then they're subject to a lot of guesswork. [1] Even something not normally considered to be a 'secure' system -- stuff like contracts-management, procurement, or contractor payroll -- could be used to effectively shut down or render ineffective large swaths of the government by an adversary who was interested in exploiting it.

These costs need to be weighed very, very carefully, and I can tell you from first-hand experience that they aren't. Not even close. It's pants-shittingly bad in some cases, and the decisions are being made by people who are (in addition to frequently being just plain incompetent) so far down the chain of responsibility that they only consider the impact that a particular decision might have to their fiefdom. There is precious little in the way of coordination, and the sooner that changes, the better.

I'm not holding my breath, though.

[1] Just as an example, how would you go about trying to quantify 9/11? You could come up with the direct costs of the increased airline security, the DHS, the wars in Iraq and Afghanistan, but how do you quantify the lives lost? The economic damage? The people who decided not to get on planes, or the time spent waiting in longer lines? Then after that, you'd get into arguments about whether the event could be linked to the dollar's slide, or if that's totally independent, which might be another cost. The point being: it's difficult to quantify even afterwards what the costs of a particular event are; how are you going to quantify them for a potential event?

Re:Nightmare

[couchslug]

"All in all this is just the price you pay for exploiting cheap labor in a country that has been a bitter adversary for the last 60 years."

At this point the adversary relationship is our choice, and as China becomes more powerful we should consider its functional value rather than our post-Colonial nostalgia for White power in Asia. We have a mutual cultural enemy in Islam, and far more interests in common than otherwise. (Tibet is functionally expendable. It needs us but we don't need Tibet.)
Time to quit hatin' on the "Heathen Chinee". China never invaded the West and forced it to trade in opium, nor did China support any Kuomintang equivalents here. The screwing has been quite one-sided. No wonder they are pissed!

Re:Nightmare

[boombasticman]

You can only trust software that you have examined the code and compiled yourself, and people you trust who have examined and compiled the code themselves.

I trust neither Cisco nor the FBI. ...nor Microsoft.

Re:Nightmare

[aguenter]

I'll grab the foil.

Re:Nightmare

[Hatta]

I read that. It's interesting, but it requires you to have access to a trusted compiler, T. If you already have a trusted compiler, what's the point? Isn't T going to be vulnerable to the same "trusting trust" attack?

Re:Nightmare

[ZorroXXX]

I think you are just getting a dose of turn about is fair play.

I would rather call this unfair play.

The CIA and NSA have tampered with electronics being sold to America's adversaries for years.

I hate USA for forcing the yellow dots "feature" on all colour laserjet printers, making it (almost?) impossible to buy one without, even when I do not live in USA.

I mean, one thing is what a government does to its own citicents; it sort of have authority to do whatever it wants except as limited by international agreements. But one country should not be able to force its own politics upon other countries. Just recently usage of wi-fi has been restricted in Russia. What if a country, say Burma, made usage of wi-fi illegal, should then other countries suddenly be forced to make it illegal as well?

As my old HP Laserjet 6L is clearly showing its age on the printouts, I am currently actively searching for a replacement and would like to have a colour laserjet. Does anyone have tips for getting an affordable one, without the yellow dots?

Re:Nightmare

[cruelworld]

What country manufactured that tin foil?

Re:Nightmare

[aurispector]

Agree. And don't forget the chinese have been the beacons of freedom for the last 60 years, spreading democracy and human rights at every turn.

Re:Nightmare

[sjames]

I'll bet if one of the biggest buyers of secure networking equipment hints that it will only be interested in units made entirely in the U.S., they'll find a way to get it ramped up here. After all, China found a way to ramp it up there.

Re:Nightmare

[banished]

As well it should, because they never should have allowed the production of critical national-security infrastructure components to be outsourced in the first place.

Congress mandates these purchasing practices in the name of saving taxpayer dollars -- which they just spend on their own pet projects, I might add.

Re:Nightmare

[dissy]

But can you trust the compiler That's why you have to write your first compiler in assembly and key it in by hand!

Hmm... except to counter that, someone from china just has to come to the US and patent that process to stop everyone from using it.
Eek, now I'm scared ;}

Re:Nightmare

[Intron]

Short answer: yes.

Consider the case where a language has a very limited number of compilers, like Ada for example. The compiler is enormous to support the multitude of language features. Nobody can check all of the source by hand, and some of the code is automatically generated by other tools, so is quite opaque. I don't see Wheeler's idea giving us a trusted ADA compiler any time soon.

Re:Nightmare

[Lord+Ender]

When it comes down to it, you need to have overseen the design, manufacturing, and programming (at machine-code level) of every IC on every component of every computer in your network. Even then, who knows what "they" can do with the electromagnetic waves all your components give off.

In short, your philosophy toward security is demonstrably absurd.

Re:Nightmare

[Lord+Ender]

they never should have allowed the production of critical national-security infrastructure components to be outsourced If we built these things in America, we would have to raise taxes to pay for them, producing jobs, improving national security, and lowering the trade deficit along the way.

How any jesus-loving American think raising taxes is ever a good idea? What are you, one of them durn libruls?

Re:Nightmare

[petermgreen]

Or maybe a back-doored packet forwarding ASIC which ignores all ACLs to filter a particular netblock, like say 203/8 or 202/7, of which large chunks are in China? (or something more specific if you prefer)
A hole that wide would be very likely to get noticed and using just your own IP block would be painting a huge bullseye on you if it ever got found out and would prevent you switching ISPs (dodgy operations don't like to stay in one place for long).

Much better to use some kind of code that is fully within your control and unlikely to be generated by accident.

Re:Nightmare

[sm62704]

In short, your philosophy toward security is demonstrably absurd.

In short, you have to trust. There are no absolutes.

Re:Nightmare

is... your real name Kissinger?

Re:Nightmare

[DocSavage64109]

It's not just the software you have to worry about, you also need to fab your own hardware!

Re:Nightmare

[sgt_doom]

Not to worry, dood, the FBI was also concerned about the JFK assassination, the 9/11 attacks, that anthrax assassin.....

On the other hand.....

Re:Nightmare

[LWATCDR]

Well then maybe some other company should.

Re:Nightmare

[demachina]

"At this point the adversary relationship is our choice, and as China becomes more powerful we should consider its functional value rather than our post-Colonial nostalgia for White power in Asia."

While its true China was thoroughly abused by the west, that was a long time ago. My animosity to China isn't racial. Its based on the simple fact that they currently have a corrupt, repressive one party state. Many of their new billionaires got that way through their high positions in the Communist party not by their prowess as businessmen. For all the economic transformation they've undergone their government hasn't really changed at all since they were shunned by the West. The only thing they changed was they allowed ownership of capital and made it possible for Western capitalists to exploit their dirt cheap, huge, oppressed labor pool. Its interesting to not that Chinese workers had almost no rights until a new labor law was introduced in China in January. It appears China is going to lose some of its luster as the world's cheap labor pool, now that Chinese workers have rights and aren't for all practical purposes slave labor which is what they were until recently. Manufacturers are now looking for a new location besides the southern China coast for their factories and a new pool of dirt, cheap oppressed labor.

"China never invaded the West"

China did back North Korea's invasion of South Korea and they did most definitely attack U.N. forces in Korea. They have propped up a North Korean government that is one of the most brutal on earth.

Re:Nightmare

[ZorroXXX]

You should be concerned about those yellow dots only if you planning to violate the law.

I am concerned with this because I care about privacy and anonymity, both vital factors in a free society. If you have not already read the paper 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy I really recommend you to do that. The increasing attac on privacy and anonymity are sadly making similarities to 1984 more frequent.

and they laughed when I bought a linksys router

[genner]

Laughed they did.

Re:and they laughed when I bought a linksys router

[nonsequitor]

Linksys has been a division of Cisco for several years now. It's just another brand they own.

They should have known it all along.

[gnutoo]

They should be afraid of the genuine article too. Only free software can be audited, modified and trusted.

Re:They should have known it all along.

[evanbd]

If you're a government customer with national security concerns, you can audit the source to commercial products as well. It's frequently a requirement, and the government is too large a customer. Of course, the code stays closed to the general public.

Re:They should have known it all along.

[sjames]

The thing is, if they are auditing the hardware and software, they can as easily validate the fake Ciscos as the real ones. They're made in the same factory by the same people.

If they cannot validate the fake ones, then they should be just as afraid of the real ones.

Re:They should have known it all along.

[evanbd]

Very true. All I'm saying is, open source doesn't help much here -- the government has the same level of access for auditing purposes anyway. (Well, it might help find bugs, but the concern is about bugs that aren't present in the source but appear in the manufacturing.)

Re:They should have known it all along.

[socketwiz]

Only free software can be audited, modified and trusted.

No, only "open source" software. Free software can still be proprietary. Open source authors can still be paid.

Re:They should have known it all along.

[Scrameustache]

They should be afraid of the genuine article too. Only free software can be audited, modified and trusted.

Which is why intelligence agencies love nationally-owned, proprietary closed-source. They've been doing this for years, now they're worried that what goes around comes around.

Re:They should have known it all along.

[ChrisA90278]

The trouble is they can't validate EVERY unit they buy. They test out one model number and firmware revision and then expect every unit like that to be identical. With Fakes the assumption is no longer valid.

Re:They should have known it all along.

[petermgreen]

the problem is the same with either open source or propietry software. Even if you have audited the software source you simply cannot reasonablly do a thorough audit on every unit of hardware than the software runs on.

Re:They should have known it all along.

[sjames]

The trouble is they can't validate EVERY unit they buy. They test out one model number and firmware revision and then expect every unit like that to be identical. With Fakes the assumption is no longer valid.

The only difference between the fakes and the real thing is a contractural arrangement. They can't trust the real Cisco products made at the same factory by the same people any more than they trust the fakes.

Sounds like they should demand infrastructure componants made in the U.S.

Re:They should have known it all along.

[sjames]

Agreed, if you can't be sure the binary was generated from the source you have, you don't gain any security by having the source.

Re:They should have known it all along.

[Garridan]

Doesn't matter what the software looks like. If the hardware itself has backdoors, you've lost. The hardware can hide and mask compromised software. Further, it can be made to behave in a way that makes the software insecure. This is especially scary for chips that implement their own crypto. If somebody puts a backdoor into the chip's crypto, you're boned.

Re:They should have known it all along.

[Gr8Apes]

but, they can build the source into binaries and load them onto the hardware. Now if the hardware has backdoors....

Concern?

[OpenSourced]

How is it, concern? Is there any evidence of shadow access to the cloned hardware or not? At the very least it should be rather easy to know if the cloned firmware is an exact copy of the Cisco firmware or not. I can understand the concern of cloned equipment in general, but to speak about a particular case and be so vague means for me that there is in fact no evidence of any type of backdoor.

Re:Concern?

[Trigun]

IIRC, the gear was not counterfeit, but merely not licensed by Cisco. The same factories made X units, Cisco bought X units, everything else made it to the black market, and was considered counterfeit, due to the fake Cisco packaging, etc.

Re:Concern?

[Trigun]

Dammit That should read The same factories made X units, Cisco bought less than X units

Re:Concern?

[kcelery]

Please keep any eye on the Xerox repairman as well as the router guy.

http://www.interesting-people.org/archives/interesting-people/199909/msg00020.html

Re:Concern?

[sjames]

How is it, concern? Is there any evidence of shadow access to the cloned hardware or not? At the very least it should be rather easy to know if the cloned firmware is an exact copy of the Cisco firmware or not. I can understand the concern of cloned equipment in general, but to speak about a particular case and be so vague means for me that there is in fact no evidence of any type of backdoor.

OK, I give up, how? How do they know the flash chip package doesn't have 2 banks. One that is normally presented as being the whole thing and a shadow copy that is presented when it recieves a particular access sequence?

The only tests they have can tell them it WAS a clean router before the destructive tests.

Solution

Only use network gear that was built in the US. *snicker*

the real concern

[tankadin]

Probably the real concern is that they can't install their own backdoors into these routers.

Really

[TheRealMindChild]

Really, if it is *that much* of a concern, quit buying from a third party vendor. License a spec, rent a manufacturing facility, put some people to work, and create your own Cisco Certified Uber Network Gear eXtreme, Uncle Sam Edition

Re:Really

[macklin01]

Really, if it is *that much* of a concern, quit buying from a third party vendor. License a spec, rent a manufacturing facility, put some people to work, and create your own Cisco Certified Uber Network Gear eXtreme, Uncle Sam Edition

By the article, Cisco has no direct sales--only gold/silver partners who they claim to train train themselves. However, some of the counterfeit equipment was purchases through gold/silver partners. -- Paul

Re:Really

[tuxgeek]

I was also thinking along these lines. This story is a good example of the ramifications of outsourcing jobs and manufacture of products. The chinese are just being creative with corporate America's mentality to let cheap labor manufacture certain products we should be doing here.

All's fair in love and war, and if China can get away with brute force hacks to infiltrate sensitive networks, great. When the networks become more difficult to hack, sell them trojan hardware.

Re:Really

[petermgreen]

and what is there to stop the government setting up a central procurment department (if they don't already have one) and having that department join the partnet program.

FUD

[conan1989]

presume FUD until given proof. and check the source of any "proof" too, never trust those who stand to gain

Re:FUD

[TheVelvetFlamebait]

Yeah? And I think you're a CHINESE SPY!
 
;)

Re:FUD

[ScentCone]

never trust those who stand to gain

So, what do YOU stand to gain by portraying the feds' concerns about prospective threats to government infrastructure and everything that rides on it as bogus? How does your characterization (implied) that counterfeit routing equipment used to protect systems on which lives depend is just fine, and not a concern, benefit you? You seem to have a vested interest in devaluing the concerns of the people that are asked to protect national interests in this respect - possibly because you conflate that issue with, say, also having less maneuvering room to rip off movies, or something else tangental, like that. You're right: I don't trust you.

Re:FUD

[kcelery]

After your GM stocks fell, the Bear Stearns shrunk to almost nothing, son of your neighborhood got shot in Iraq .... one couldn't help casting some doubt over our position.

Re:FUD

[PPH]

Could be that the Chinese stripped out all the CALEA-mandated hooks to make the stuff safe for their markets and now the FBI is having a hissy fit about clean equipment finding its way back onto the US market.

Re:FUD

[conan1989]

it's good you don't trust me, trust is earned.. and i have not done that. what do i have to gain?, not much... maybe a wider spread in the lack of trust of govt and other parties with vested interests [directly and indirectly]. but yes, it is very possible. the Chinese or any other organization... including govt, corp and shady orgs. call me paranoid, but we're not told what we're not supposed to know

Time for state-sponsored fablabs

[Yvanhoe]

I can think and think over it, there seems to be but one solution:
Now is time for US Department of Sensitive Things to stop buying hardware and start buying blueprints. Buy VHDL and CAD files from CISCO, scrutinize them for threats then produce it yourselves.

China is great for cheap production but there is a reason why military approved stuff are more expensive : among other resons, you can't let anyone build them.
And if you want certified and cheap stuff, it is time to begin building robotic factories.

Re:Time for state-sponsored fablabs

[Lonedar]

Ah, yes. A robotic factory would be a great solution to this problem indeed.
In order to cut the costs to a bare minimum I recommend we order the robots from China.

Re:Time for state-sponsored fablabs

[Pascoea]

Sorry, not going to happen. I've personally built and troubleshot their competitors (Juniper) equipment and we didn't even have access to the VHDL, Boot Prom, OS, or any other software documentation. There is now way in hell that they are going to hand this information over to the government.

Besides, the issue is not within the design itself. (I know, this point is arguable... but that is a different thread) the issue is non-trustworthy people building unauthorized reproductions of Cisco equipment.

As far as I know, high end products like Cisco are still manufactured in the United States. So if you want to ensure that you are getting domestically produced product you need to take over the delivery chain, not the production chain.

Leave the production to the experts, thats what they do. it is time to begin building robotic factories What do you think builds them? The only thing hand built is the high level assembly and inspection.

Re:Time for state-sponsored fablabs

[Yvanhoe]

In order to cut the costs to a bare minimum I recommend we order the robots from China. That's less of a problem. It is harder to put a malicious behavior in an unconnected device than on an internet router. The worst that could happen is the robot putting random bugs in designs. It is not an equipment that sees gigabytes of sensitive data per day.

Re:Time for state-sponsored fablabs

[Yvanhoe]

Sorry, not going to happen. I've personally built and troubleshot their competitors (Juniper) equipment and we didn't even have access to the VHDL, Boot Prom, OS, or any other software documentation. I am sure that there is a price to this. Make it a government policy that every military hardware must come with its full VHDL, schematics and firmware code. I honestly thought it was the case. I guess it is for very sensitive techs like missiles or planes. Maybe all we need to is to learn that network equipment can be very sensitive stuff as well.

What do you think builds them? The only thing hand built is the high level assembly and inspection. And this is because of this high level assembly that there is a human labor cost that can be a huge part of the overall cost. Because this part is significant, it is made in China. Because it is made in China, it is China who owns the most robotic facilities. That is a problem.

Re:Time for state-sponsored fablabs

[street+struttin']

And if you want certified and cheap stuff, it is time to begin building robotic factories. What about when the robots turn against us? THEN who will build our stuff?

Re:Time for state-sponsored fablabs

[Pascoea]

I would agree, everything has it's price, and making it a requirement of obtaining a supplier contract would certainly coerce Cisco into coughing up the info. The amazing thing about how our government works: If you could convince Cisco to let the government build their own equipment you know damn well they would just contract it out to one of their defense contract mfgs. to build, which is more then likely the same company that builds them for Cisco right now.

Re:Time for state-sponsored fablabs

[ceroklis]

The NSA already does this. They have their own fab (the Special Processing Lab) that they use to manufacture sensitive ASICs for themselves and the DoD.

Lost sales aren't the issue for brands.

[Kadin2048]

> The fact that the financial loss they claim is mostly due to fake Rolexes, Channel stuff and the like doesn't help. I mean, how many people who buy a fake Rolex could afford a real one?

That's not the point. The reason the brand owners get their panties in so much of a bunch over the counterfeits isn't because the plebes buying the fakes could actually afford to buy a real one, if they weren't wearing a fake ... it's exactly the opposite. When the flunky working the counter at Blockbuster is wearing a good-as-real Rolex, suddenly the brand isn't worth quite as much, and if you're some hotshot looking to make a statement about exactly how much disposable income you have, maybe you'll go buy something else -- something more difficult to fake, something with more intrinsic value -- instead. That's the real worry for high-end brands. It's not the lost sales, it's the damage to the brand that inevitably occurs when average folks get their grubby little McDonalds-covered paws on them.

Which really just makes those "counterfeits kill" ads all the more ironic; the people those ads are being marketed to are essentially the high-end marketer's enemy. They're the ones who must be denied access to the high-end brands; who must be made to covet without actually being able to possess.

Re:Lost sales aren't the issue for brands.

There was an interesting article in Science News a couple of weeks ago about fake drugs from China - apparently up to 40% of the malaria and other drugs sold in Asia are fakes. The article talked about how they traced some to a factory in China that they shut down. But "fakes kill" could be a real message here if these drugs either do nothing or are just contaminated.

Re:Lost sales aren't the issue for brands.

[Kadin2048]

Oh I agree. But the political pressure -- and I think money as well -- behind the counterfeit-interdiction efforts (at least in the U.S.) is coming from high-end brands. They're using the drugs as a ruse to get attention, but then insisting that inspectors waste time looking for faux Rolexes and handbags.

Fake drugs, aircraft and machine parts, and to a lesser extent IT infrastructure components, are all serious issues. I didn't mean to understate the seriousness of any of them. But there is a huge difference between a counterfeit drug that's actually poison, and a counterfeit handbag that's made without the permission of the trademark-holder. The first represents a clear and obvious danger; the latter is a vague intellectual-property crime at worst. I'm very concerned that enforcement efforts spurred by the former are actually being used for the latter.

Re:Lost sales aren't the issue for brands.

[ChrisA90278]

Have you ever bought a fake Rolex. I have. First off all parties tho the transaction know it is a fake. So after some efort I find a shop that has a suply of fakes and find that I get to pick between some horrible very poor quality fakes and some decent fakes but none are even close to "real". The poblem is that is costs a lot of money to ake a real rolex. I bought the fake more as a joke to show off back home "look what you can get in a poorer area of rural Korea for $15."

Cisco fakes are completely different. These fakes really are identical even to experts. And I'm sure only one party to the transaction knows they are fake.

Re:Lost sales aren't the issue for brands.

[Cramer]

Then they aren't very good experts. Spotting chinese fakes isn't impossibe. None that I've ever seen are 100% exact knock offs of genuine cisco hardware. There's always something out of place... unlabeled blackmarket chips -- every chip used by genuine cisco hardware has part and serial numbers on them, serial number labels in odd locations, odd looking serial numbers, unregistered serial numbers (yes, cisco has a database of every device they've ever made -- I've looked up AS-51's), no holofoil, etc., etc. Granted, it's rare for them to be so bad at making fakes that you can take one look at it and immediately know it's a fake. (if it's that obvious, they fix it in the next batch.)

Re:Lost sales aren't the issue for brands.

[pyrr]

There was an article last week about counterfeit motherboards. The problem is that, while it's easy to spot counterfeits made by people who are simply copying an item, it's nearly impossible to spot counterfeits produced by the OEM factory in China that the company outsourced manufacturing to. During the day, the assembly line produces legit products with serial numbers which are logged by Cisco; after hours, the same assembly line produces the same exact products, but the serial numbers are either duplicates or fakes. If that's the case with counterfeit Cisco equipment, it would take extensive knowledge of the product and cooperation from Cisco's record keeping department.

Re:Lost sales aren't the issue for brands.

[bentcd]

Fake drugs, aircraft and machine parts, and to a lesser extent IT infrastructure components, are all serious issues. No, they are not. This is another red herring. You touch upon the real issue when you continue with:

But there is a huge difference between a counterfeit drug that's actually poison, and (...) but I would continue that sentence with "(...) a counterfeit drug that actually works as advertised."

A drug that claims to be Viagra but is actually manufactured by someone other than the trademark holder for the mark "Viagra" is not a threat to anyone but the trademark holder /so long as/ it contains the same stuff that "real" Viagra does.

Therefore, what we need is /not/ a new set of laws to outlaw "counterfeit" products nor do we need a government crackdown on "counterfeit" products, what we need is a set of laws to outlaw the sale of poison masquerading as medicine. Funnily enough, I think that is actually already illegal. I don't know what's holding the crackdown back though.

Uhhh...

[Kingrames]

Who cares about counterfeit Disco gear?

Re:Uhhh...

[neoform]

Sure, say that now, just wait till you play a record on a chinese turn table that turns out to be playing at 78rpm, next thing you know everyone on the dance floor will be dancing like their on speed or something.

Re:Uhhh...

[everphilski]

Disco Stu only buys the genuine article. Oh yea, baby...

if you export jobs/manufacturing/industry

[night_flyer]

you cant expect it to be secure...

Not a good decision

[hyades1]

The economic integration between North America and Communist China is putting us in a very dangerous position. The Chinese government has a well-documented history of utter ruthlessness, and will happily steal and duplicate every technological edge it can get. Does anybody believe even for a moment that the same people who have committed and facilitated cold-blooded mass murder on a scale we find difficult to imagine will draw the line at a little industrial espionage?

Corporations that are forcing us into closer and closer economic contact with China are making huge profits, and doing a good job of ensuring that our governments obediently facilitate economic integration. For the rest of us, this means stagnant wages and limited opportunities...all in return for access to cheap headphones, lead-poisoned toys and other gimcrackery.

The Chinese government is not our friend, and the argument that exposing them to the joy of capitalism will make their society free is exactly backwards.

Re:Not a good decision

[Ice+Tiger]

The 1st world is increasingly giving up the ability to self sustain in the possibility of a cold or conventional war with the 2nd or 3rd world.

For example a conflict with china over Taiwan needs only a boycott from China to the USA and a few undersea data cable severances to wreck the US economy. With manufacturing and back office functionality moved overseas the ability of a large military to protect borders becomes irrelevant when economic vulnerable points lie outside of those borders.

Re:Not a good decision

[tinkerghost]

The Chinese government has a well-documented history of utter ruthlessness, and will happily steal and duplicate every technological edge it can get.

When I was working w/ a company that made security Holograms for UL, one of our R&D people went to Bejing, where they happily showed him the R&D Hologram lab, where they were trying to duplicate our security Hologram. They also were more than happy to show him samples of a dozen or so other holograms they had already cloned.

From his description, they were rather proud to be making such good forgeries.

Re:Not a good decision

[LordSnooty]

This post more than anything else I've seen anywhere should make one sit up and take notice of the China issue. +1

Re:Not a good decision

[dadman]

The economic integration between North America and Communist China is putting us in a very dangerous position. The Chinese government has a well-documented history of utter ruthlessness, and will happily steal and duplicate every technological edge it can get.

Just like Japan 30 years ago

Does anybody believe even for a moment that the same people who have committed and facilitated cold-blooded mass murder on a scale we find difficult to imagine will draw the line at a little industrial espionage?

You mean the Crusade, too?

Corporations that are forcing us into closer and closer economic contact with China are making huge profits, and doing a good job of ensuring that our governments obediently facilitate economic integration. For the rest of us, this means stagnant wages and limited opportunities...all in return for access to cheap headphones, lead-poisoned toys and other gimcrackery.

And you think the issue is entirely on China and not the US companies such as this or this ?

The Chinese government is not our friend, and the argument that exposing them to the joy of capitalism will make their society free is exactly backwards.

No, obviously, more of a slave than a friend.

More, for these kind of trojans / backdoors, China is the late comer when compared to the US as you can see from other posts in this thread.

Re:Not a good decision

[hyades1]

If your questions are intended to by rhetorical and wryly ironic, they fail miserably. If they are intended seriously, they are unworthy of any answer beyond, "Get off your ass and do a little research. False analogies serve no useful purpose beyond misleading those who have no interest in delving deeply into the situation, and responding to an argument I do not make is equally misleading".

Or perhaps I should pose an illustrative question of my own: which "Crusade" do you mean, and what industrial base was extant during the Middle Ages to commit espionage against? FYI, there were at least nine Crusades occurring over a period of some 200 years, and they were essentially religious in nature. The Industrial Revolution occurred 500 years later.

Re:Not a good decision

[dadman]

Exactly! Since "committed and facilitated cold-blooded mass murder" has absolutely nothing to do with "industrial espionage". Those are driving from entirely different forces and demands, I failed to see your logic of relating one to another.

Stand back a little bit and take a look at the whole picture, not on one continent, and on a wider time span, then you shall have a better understanding of what's actually happening, why and how. It is always a global issue, not just between China and the US and is not only happened today.

Re:Not a good decision

[hyades1]

I'm afraid you're still missing my point. You were trying to draw parallels where there are none to be drawn sufficiently analogous to be of value. I'm sorry, but I don't have time to give you a history lesson (Your apparent belief that there was only one Crusade and failure to grasp the difference between religious and economic motivators leads me to believe you might be a little light in that particular area).

Concentrate on differences in kind rather than differences of degree and maybe you'll see what I mean. Governments that practice internal repression coupled with ungoverned rapacity toward other states are not unheard-of, but scale and motivation have more effect as technology increases. A madman with a spear and a madman with a rocket launcher may be equally bent on mayhem, but their potential impact is significantly different.

Oh No!

[UncleWilly]

I also suspect my Lenovo/Thinkpad..whenever I'm in the room it seems to be...watching me.

Re:Oh No!

[TubeSteak]

I also suspect my Lenovo/Thinkpad..whenever I'm in the room it seems to be...watching me. Don't worry, you can blind the bastard with judicious application of tinfoil and masking tape.

Really? ebay?

[esocid]

...originating from China, and sold by Gold/Silver partners to numerous US government, military, and intelligence agencies

Are our government agencies seriously buying anything from ebay? I'm not even sure how legal, much less smart, it is to buy equipment that will be used in a federal agency from joe blow, or even kim lee (equivalent of jow blow) in china. An average user probably wouldn't have to worry, if in fact the stuff worked, but the Pentagon may have a problem.
To any federal agency monitoring this (NSA), please stop buying your network and computing gear from yard sales and ebay.

Re:Really? ebay?

[oodaloop]

The people buying routers for DoD et al are not generals or other senior IT-clueless individuals. They are the systems geeks, many of them probably /.ers, or should be. I am a former Marine, currently a defense contractor, and being a geek myself I've met many IT people within DoD. Typically, there's a young super-smart geek who effectively runs the IT dep't, and whatever he wants to buy, the leadership will go along with. I don't think anyone outside the geeks who put together the network really have a clue where all the equipment comes from. Also, within DoD at least, having a router coming from China doesn't seem like too much of a threat to me. Most of our systems are not connected to the internet at all. If a Chinese router were installed in SIPRNet (Secure Internet Protocol Router Network), for instance, there's no way information would make it back or come from China. Everything is encrypted and separated from the internet. Aside from the few that would used on NIPRNet (Non-secure Internet Protocol Router Network: the lan we use to connect to the internet), I don't see the threat, but maybe I'm missing something. I didn't RTFA after all.

In other news...

[LM741N]

the USA issues counterfeit money. "Why it will hardly buy you anything these days, says octogenarian Edna Pumpernickle. But I hear they have great money in Europe."

New bumper sticker

[foobarbaz]

"Don't steal data; the government hates competition!"

Closed Systems and Black Boxes

[hackus]

Security cannot be achieved with closed source or closed hardware. The problem of security is too difficult, so it is best to create a "culture" of security based around a simple set of rules:

1) All software implemented in Network Systems must be open and source code must be peer reviewed on a regular basis.

2)Hardware should be as generic as possible and should be built upon agreed standards so you can mix and match components.

3) Cultural security is laid at the foundations of software and hardware. Once everyone knows the foundations any single individual or group will find it very hard to con an entire community.

Even if they succeed it will not take long for the culture to detect the deception.

Personally, I am glad the Chinese are screwing Cisco. Remember folks, we are talking about the same company that sold the Chinese government a ton of security products to hunt down and kill/torture or imprison political dissidents.

Last year I got rid of the final pieces of Cisco gear in my network and everything is working just fine with Open Source equivalents.

I peer review my own patch updates, and follow the lists carefully as the comminity as a whole deals with coding the upgrades.

I really do know what my routers are doing.

How many here can say that?

-Hack

Re:Closed Systems and Black Boxes

[street+struttin']

I peer review my own patch updates, and follow the lists carefully as the comminity as a whole deals with coding the upgrades. Hopefully you review the patches better than you review your posts.

Re:Closed Systems and Black Boxes

[ill+stew+dottied+ewe]

Your ideas intrigue me and I wish to subscribe to your newsletter. Seriously, I work with Cisco gear, and would love a cost effective replacement. What do you recommend? As for your sig, I suggest not trying any fancy moves in any vehicle produced by Geo.

Re:Closed Systems and Black Boxes

[sabt-pestnu]

There is no substitute for the mark one eyeball in the trusted head.

Open Source is only a security solution for those things that can be examined, and only to the extent they actually ARE examined, and by people "you" trust (for any given "you").

You've sort of waved a magic wand over hardware security here. If the security failure only has to happen once, then random chance can play a factor.

And you seem to be ignoring active sabotage. Substitute a compromised item for a normal item in the trusted supply chain, and all your open source "peer reviewed" benefits fly out the window.

Re:Closed Systems and Black Boxes

[kuom]

Would you mind sharing with the rest of us what you are using as your open source routers? And whether or not you have a support contract with a vendor to support your open source router? I know there are a few vendors out there like ImageStream, but I would like to see if you've got something else/better.

In my quest to push for more open source network components, my biggest obstacle is usually the lack of commercial support for bigger organizations...

Re:Closed Systems and Black Boxes

[XHIIHIIHX]

It's all good until I flip my quantum qubit which causes the qubit in the cisco router to activate a module which peer review didn't even know about.

Re:Closed Systems and Black Boxes

[hackus]

Yes, but I would remind you that the same applies to closed systems as well.

Open systems do not have that sort of baggage closed systems have in the same category.
(Secret changes to the source code that cannot be reviewed for example with Back Doors built into them.)

-Hack

Nobody ever got fired for buying top brand

[RAMMS+EIN]

I reckon the job of the spies has been a whole lot easier because they could rely on the US gov't buying Cisco-branded equipment. More diversity in the network equipment landscape would have made things more difficult.

Re:Ha Ha!

[iminplaya]

Nice red herring there. We need to put those who want authority over us under a different, much more strict set of rules. It's our only way of protecting ourselves from the all too frequent abuses.

How long are we going to let China pull this crap?

[LockeOnLogic]

I understand that the market (and by extension politicians) salivate at the thought of so many new consumers, but how long are we going to let this utterly flagrant counterfeiting continue? There are no profits to be made if China makes and sells our own damned products to us.

Great! let's class everything as a weapon.

[petes_PoV]

Ahh, that old military paranoia strikes again.

We didn't make it, we don't know what it does. It must be a threat.

The wonderful thing about this (apart from the certainty that it will involve giving the security organisations more money) is that you don't have to prove anything. Just say "it's possible" (not even probable), or that they're "concerned" or that there "might be a threat" and suddenly everyone is running around as if the sky is falling.

Time to stop watching the James Bond movies guys. Go back to worrying about monsters under the bed.

Supposed to Be the Other Way Around

[Doc+Ruby]

Clinton and the Republican 1990s Congress sold us Most Favored Nation and "Fast Track" status for China on the appeal that the US would be manufacturing high-tech gear like Cisco routers and selling it into the emerging Chinese market. Making China dependent on US manufacturing and retailers so we could dictate political terms to them, like not torturing Tibetan monks.

They got it. Then they flipped the script. Now the US is dependent on Chinese manufacturing. Stepping up the game, Bush and the Republican 2000s Congress sent us $9 TRILLION into Federal debt (after a Clinton left him with a surplus), making $400 BILLION in debt bought by China necessary to keep the illusion that our economy hasn't collapsed - an illusion rapidly vaporizing, even before China applies much pressure to force us to comply with their Communist mafia government's global expansion plans. Meanwhile the Chinese are not just torturing monks (or stopping us from torturing around the world), they're also sending weapons, including machetes, to fuel a slaughter in Zimbabwe.

They baited and switched us. And by "they", I mean a lot of Americans with Washington addresses, and now obviously Chinese bank accounts.

Re:Supposed to Be the Other Way Around

[Doc+Ruby]

No, it's you, Anonymous Republican Coward, who's making mud of the whole thing. The debt when Clinton left was nearly all Republican Reagan/Bush debt (more than every president before them combined). Clinton did indeed leave Bush with a budget surplus, in the hundreds of $billions. Bush has doubled that debt, never shown a surplus. But, like all you Republicans, Bush has lied every year to project a surplus to con us into living with yet more debt.

The current committed US debt (according to the laws written by Bush's Republican Congress, that sailed through his power monopoly) is between $45-65 TRILLION into the foreseeable future. Plus another $10+ TRILLION state/municipal/local debt, $10+ TRILLION credit card debt, $10+ TRILLION mortgage debt, and who knows how many $10s of TRILLIONS in corporate debt. Since you Republicans don't do math, I'll help you out: that's probably over $100 TRILLION in debt already, before our country collapses into first recession, and then likely even an extended depression. We only produce $14T a year, and that's with the dollar still retaining some value, with oil at "only" $115 a barrel. That means we're already committed to spending over 7 year's total production just to repay what we've already spent operating in the red, before we turn that red into a sea of blood. Not really like the 1990s boom Clinton managed into surpluses, not funded on mortgaging the next century to make quarterly reports look good enough to rip off the world.

I really wish you Republicans would shut up about money. You do nothing but steal and squander it every time you smell it. We don't have any left for you to beg for, pipe down already.

Re:Supposed to Be the Other Way Around

[khallow]

The debt when Clinton left was nearly all Republican Reagan/Bush debt (more than every president before them combined). Clinton did indeed leave Bush with a budget surplus, in the hundreds of $billions.

Not "on budget", Clinton didn't. And with the stock market crash in 2001, that wiped out a lot of the revenue that came in the 2000-2001 fiscal year.

Re:Supposed to Be the Other Way Around

[Doc+Ruby]

2001 was 7 years ago. And that stock market crash doesn't seem to have reduced bank profits any - not that they're paying taxes on those profits. Where's your sense of proportion?

Re:Supposed to Be the Other Way Around

[EmagGeek]

I don't know where you get your facts from, but there were two surpluses, of 1.9 Billion and 86.4 Billion in 1999 and 2000, respectively. I don't know where you get your plurality of "hundreds of billions" from. The only year (since 1968) there was an actual, real surplus compared to GDP was 2000, at a paltry 0.9%.

Also, corporate income tax revenue under Bush's first year in office was 150 Billion. By 2007, it grew to over 370 Billion, so corporate tax revenue more than doubled during Bush's tenure in office. Personal income tax revenue grew from 994 Billion to over 1160 Billion since Bush took office, so people are paying more in taxes now than they did before the tax cuts. That's a pretty big tax hike.

During Clinton, Personal income tax revenue doubled, from about 500 Billion to over a Trillion (that's an even BIGGER tax hike), while corporate income tax revenue went from 117 Billion to 207 Billion.

So, if what you are implying is true and the President is somehow responsible for budgets and spending, then Bush has increased taxes on corporations more than Clinton, and increased taxes less on individuals while Clinton DOUBLED them.

Those are the facts. Deal with it.

Re:Supposed to Be the Other Way Around

[Doc+Ruby]

The fact is that Bush's debt is now $9 TRILLION, while Clinton left it at under $6T.

Even your Iraq War only accounts for about a half-trillion of that so far.

How are we supposed to "deal with it" when you Republicans have stolen and wasted all the money we'd use to deal with it?

Re:Supposed to Be the Other Way Around

[khallow]

And I still hold some losers from 2001 to claim when I actually have real income.

Re:Supposed to Be the Other Way Around

[EmagGeek]

Why do you think I am a republican? I was just pointing out the numerous factual errors in your absurd diatribe. Now you have only further made an ass of yourself.

The FBI damn well better be concerned.

[ClioCJS]

I hate to embrace such technologies, but secure networking equipment probably need some sort of firmware DRM / Trusted Computing / game-console-like protection against modification.

Re:Someone had to say it

[Missing_dc]

I know this sounds un-PC and insensitive, but would not -_- be a little more accurate?

That's not good enough.

[gnutoo]

Even the Federal Government is not as big as the free software community. If they are not free to modify the source for any purpose and share those modifications with everyone else in a free way, they lose the benefits of freedom and become an unpaid bug fixer for Cisco. Malice can slip through in obfuscated form, they can't make it do what they want and they will have a hard time being sure what they audit is what they run.

Re:That's not good enough.

[evanbd]

I'm not trying to argue that open source isn't a good thing; I think this stuff should be open source. All I'm saying is that "proprietary software can't be audited" is a specious argument when talking about government agencies with national security concerns.

Re:That's not good enough.

[Tsar]

Even the Federal Government is not as big as the free software community. Back in 2000, there were about 13,500 developers in the free software community. And now they outnumber the federal government's three million employees? That's quite a growth spurt!

Do you have a silly walk as well?

Re:That's not good enough.

[petermgreen]

I bet a huge number of small fixes never get properly attributed in the source tree. Unless you contribute enough to a project that someone notices you and adds you to the credits file and that project is among the places scanned you won't be picked up.

Re:That's not good enough.

[fm6]

There's auditing and then there's auditing. What a government software audit? A few civil servants on a deadline who scan the code looking for likely security holes. By contrast, open source software is poked and prodded by hundreds, or even thousands, of well-motivated geeks.

Re:That's not good enough.

[Teufelsmuhle]

I have a feeling a very very small percentage of those 3 million government employees would be qualified to perform such an audit of code, and an even smaller percentage are actually tasked to do so.

Trusting "trust."

[mlwmohawk]

There is no way to "trust" software, unless you've hand-assembled an assembler, used that assembler to create a better assembler, used that assembler to create a basic C compiler, and use that C compiler to build your real C compiler. And, additionally, audited all the code.

Then, you have to look at ever line of every tool source as well as all the source of everything. Even then, you need to verify hardware, BIOS, etc.

It is a hard job. Maybe impossible.

The first step, however, is to STOP buying aggregate devices based on software. A Cisco router may be cheap, comparatively speaking, but an audited and verified version of Linux/FreeBSD running on a commodity P.C. with tested hardware would be a lot more trustworthy.

I mean, there is a lot of sci-fi threat out there, bogus CPUs that run their own programs, hacked network cards, hacked hard disks, etc. These things can be checked and while possible are implausible at the moment. A hacked Router? Come on, I can't believe it DOESN'T send information someplace. It would be just a few lines of code. With even more code, it could analyze the packets and be more selective, and possibly even encrypt and compress data sent.

Re:Trusting "trust."

[Slashcrap]

A Cisco router may be cheap, comparatively speaking, but an audited and verified version of Linux/FreeBSD running on a commodity P.C. with tested hardware would be a lot more trustworthy. I was going to argue with your assertion that a commodity PC (probably made in China) is necessarily more trustworthy. But then I noticed that you started the sentence by describing Cisco routers as cheap, and there just didn't seem much point in challenging the accuracy of the rest of it.

Re:Trusting "trust."

[mlwmohawk]

Cheap "Comparatively Speaking." The cost of the hardware is sometimes insignificant to the the cost of deployment. I did not intend to imply the units were a unit/dollar bargain, but that the techsupport, installation, etc. bring the costs to a predictable sum which is cheaper than the estimated cost of a "roll your own" deployment of Linux/FreeBSD

Don't forget Huawei

[HockeyPuck]

http://www.theregister.co.uk/2004/07/29/cisco_huawei_case_ends/

While Cisco dropped this lawsuit claiming "a victory for the protection of intellectual property rights."

This was after Huawai photocopied IOS Configuration guides and "portions of its IOS source code found its way into Huawei's operating system for its Quidway routers and switches. Cisco claimed the Huawei OS included text strings, files names and bugs that were identical with Cisco's IOS source code. The suit alleges that Huawei is infringing at least five Cisco patents."

*RING BELL* Round 2

Interesting contradiction

[Bullfish]

That they are hostile foreigners who hold favoured nation trading status...

It gets worse

[WindBourne]

China in return agreed to allow their money to float free, but created "the basket" that they then control to an unknown formula. Considering that yuan has gone up a whopping 17% against the dollar over 5 years, while most other moneies have gone up more than 100%, it says a lot. In addition, they were required to drop their tariffs over 2 years ago (they asked for 5-7 years). We are now pushing 8 and they are asking for another 3-5 years of them.

The good news is that EU has seen what has happened to us and is pushing several issues; 1) the chinese firewall and the tariffs 2) the money issue 3) the carbon issue. As such, they are about to slap a major carbon tax on everything based on their Point of origin as well as a tariff against chinese good because of the firewall and tariffs.

Re:It gets worse

[Doc+Ruby]

I'm glad to see Europe finally start to do more global work that has been left to the US for so long, since WWII. Especially that (continuing) ghastly collapse in their backyard in Yugoslavia, which the US bailed their region out of.

They've got the money, and the interest in self-defense. Though it really all looks like Orwell's _1984_ with the spyglass turned around: now it's Eurasia's turn to always have been at war with Eastasia.

Re:Why do you hate hard-working Americans?

[jedidiah]

No, we will just be buying less crap from Walmart.

Crap from Walmart is not as critical to the American Way of Live
as many people believe.

Buy American, if you can

[slugmass]

The United States was once a major manufacturer of all things high-tech. I can remember being within an hour drive of Digital Equipment, Data General, Apollo Computer, IMC Magnetics (computer fan maker), Clarostat (precision resistors), and many others. But the most relevent to this story is Cabletron (See wikipedia for a short description). This Rochester New Hampshire based compnay made ALL of it's products in Rochester New Hampshire. Soldered and assembled by Americans, designed by Americans, and built to last. Some of this gear still survives in the field. There is a legendary story out of Chicago of a bank that was flooded at the lower levels. All of teh Cabletron networking gear was assumed to be dead. After a few days of drying out, it was perfectly functional and resumed service. So teh lesson is, pay more to an American company with American designed and produced product and your security concerns will drop.

Not true. The new FIPS regulations change that.

[CFD339]

Under FIPS, not only must the vendor use specific encryption standards -- those standards must be implemented using specific approved code libraries which have gone through an audited security certification process.

In at least one major application that I'm aware of, if you set the system to be "FIPS" compliant, users who have the newest client can't send encrypted data to users who have older versions because even though they can read it just fine because they do support the standard of encryption -- the libraries used on the older client versions wasn't FIPS compliant. Its a nightmare in terms of implementation and transition from version to version.

DOD has PP on this too.

I have seen come across my email at work with similar warnings. I know that the military has identified how to distinguish the difference in the counterfeits and has taken steps to keep them from being added to the networks, it is worrisome however because they are trying to get them into DOD networks.

Re:Someone had to say it

[InsaneProcessor]

This just goes to show that we go screwed with open trade relations with communist China. DO NOT TRADE WITH YOUR SWORN ENEMY!

Whenever possible (and I do check), I do not buy Chinese made products. I pay more to avoid or do without.

Re:Someone had to say it

[MrNaz]

How are you on the internet then? I'd wager a bet that > 50% of the products you use on a daily basis are at least partly made in China.

But back up a minute, since when was China the sworn enemy of the US? If the US didn't trade with countries it viewed with suspicion, then they'd pretty much only be trading with Canada, and even then it'd be a begrudging trade arrangement.

Government should mandate American-made

[ktappe]

Equipment that will handle sensitive data should be purchased by the Government only from manufacturers who make it within our borders. Yes, this would increase costs. But it would help ensure that no "special" Chinese chips get inserted into the devices. It would also bring a few manufacturing jobs back to our shores. Of course, I'm assuming here that the very last of our electronics manufacturing infrastructure has not been dismantled...

Re:Government should mandate American-made

[cdrguru]

Today, virtually no electronics are actually manufactured within the US. There are potentially toxic and carcinogenic chemicals used in the manufacturing and soldering of circuit boards and we, as a nation, have seemingly decided that our fate would be better in the hands of others than allow these processes to take place within the US.

Just try to set up a new manufacturing line in California. Without serious bribes, you will never get the first permit. Even then, your factory may be shut down by protesters.

We have lost the possibility of the government purchasing sensitive gear from American sources. We get to take what we can get from overseas suppliers. Even Cisco's gear is manufactured offshore, so if someone wants to sneak stuff in it is almost certainly possible.

Re:Government should mandate American-made

[illama]

It would also bring a few manufacturing jobs back to our shores.

I often hear people make the argument "Buy American!" or in my case "Buy Canadian!" as a solution to economic problems.

The world is rapidly changing and international trade is the name of the game. Ever since World War II ended, trade barriers have been lowered and international trade has flourished as a result. The net result is that *everyone* gets richer. The basic idea is that every country produces what it produces best and they trade based on that.

In the name of progress... Jobs will be lost! If it's more efficient to get something made out of the country, it will be made there. What does this mean? It means that the days of high-school dropout making $35/hr screwing in a fender are limited.

What does this lead to? A more educated society. America and Canada are moving towards service based economies. The high-level work is still here and as long as we are the most educated and competent, will remain here.

Your accountant doesn't need to waste time filling out tedious tax forms. Someone in Banglore does it for him. He can now spend his time working on an investment strategy for your portfolio. The routine work moves offshore and the specialized stuff stays here.

India is getting richer. China is getting richer. America gets richer and benefits from cheaper products.

This is the way things are going and the trend won't be reversed. It is a *good* trend. The scribes were angry when the printing press came around and the horse-n-buggy makers weren't too fond of the automobile. Their jobs were lost in the name of progress.

Competition - you can choose to hide from it or you can embrace it. Be competitive and thrive.

How hard will be for Cisco and us GOV to make cust

[Joe+The+Dragon]

How hard will be for Cisco and us GOV to make custom firmware that makes it so any counter gear / other firmware hacks don't open up holes in the network?

Quick correction

[hassanchop]

Now China is dependent on US purchasing.

There are tons of other countries that can manufacture our goods. The same cannot be said of US purchasing power.

Don't be upset though, your mistake is common amongst those with only a cursory knowledge of the subject like you have.

Re:Quick correction

[Doc+Ruby]

The US purchasing power is now built on unsupportable borrowing power that is already hitting the wall. That purchasing power was never used to make China behave (except to behave as a global capitalist exploiter, now clearly the mutual plan all along), and now it's disappearing fast.

You shouldn't make so much noise about economics just because you're delusional that US indebtedness makes us strong, and Chinese manufacturing dominance makes them replaceable.

Ironic to see this

[g0bshiTe]

Mere days after having stumbled upon http://www.cse.ucsd.edu/users/swanson/WACI-VI/docs/08_slides.pdf There is a whitepaper out there by King and company describing indepth the breaks in our retail chain. ICS shipped from overseas etc, and how they are used in high level places where security is tight but these items could use little modification to provide a virtual back door that would almost never be found. Here is the abstract document. http://www.usenix.org/event/leet08/tech/full_papers/king/king.pdf

Quality Assurance for Authenticity

[c0d3r]

One round through Cisco's Quality Machine should be more than sufficient to test the authenticity of counterfeit products, probably even from anywhere on the internet. I worked on some of there test automation systems and they chart how much is automated, the results and even where the problems occured and by whom.

Validating pre-built products

[Beryllium+Sphere(tm)]

That works better for software than for hardware. After you've checked the VHDL for back doors, how do you tell that the actual device matches it? You either have your own fab or you look at millions of transistors under a microscope. And the recent Usenix paper showed that it takes very few gates to put a remote root backdoor into a CPU.

Re:Validating pre-built products

[evanbd]

It's a hard problem, no doubt about it. But open source vs closed source is completely irrelevant if you're the government trying to perform an audit -- you get access to it either way.

Re:Ha Ha!

[UncleTogie]

We need to put those who want authority over us under a different, much more strict set of rules. It's our only way of protecting ourselves from the all too frequent abuses.

Nice thought, but consider this:

The people that need policing are the only ones that can authorize/mandate it. Figure the odds...

Re:Someone had to say it

[danielsfca2]

Oh come on, you've gotta include Israel in that list.

The GP has a perfectly good point though. We didn't trade with the USSR. We still don't trade with Cuba and they're harmless! We are the biggest hypocrites ever for trading with China, who has a human rights and oppression record that Stalin or Castro would admire, and we ignore that it's in China's best interests to destroy us to make oil cheaper for them.

I love my linux router

[Visual+Echo]

IPTables FTW!

It's even worse than that....

Govt security managers and auditors are being ordered by their PHB bosses to give out passing grades on systems than cannot pass muster. And this is under duress of losing their jobs if they don't do as ordered, but they're still held responsible for any security breaches. In essence, the security managers are being forced to bear full responsibility while at the same time being stripped of the proper authority needed to conduct their jobs.

Is this really a surprise?

[indytx]

Chinese state-owned factories have been making counterfeit products for years. http://www.businessweek.com/2000/00_23/b3684007.htm

It's not just consumer stuff. There's a well publicized account of Chinese counterfeiters setting up a fake NEC in China which sold products that NEC never manufactured. http://www.nytimes.com/2006/05/01/technology/01pirate.html?pagewanted=all

How many products can only be made in the U.S. or E.U.? It really doesn't take that long to throw together a manufacturing plant. Honestly, with the huge numbers of educated engineers in China and its culture of IP theft, how long was it going to be before truly sensitive, high tech products were copied?

The FBI's fears remind me of a recent book, The Execution Channel. http://www.amazon.com/Execution-Channel-Ken-MacLeod/dp/0765313324

While it might be a lot of trouble to rewrite firmware in a legitimate product, what's to stop someone from writing malicious firmware into their own knockoff product?

Re:Is this really a surprise?

[shentino]

Corrupt as it may sound, I'm glad that the FBI has a taste of fear.

If they're going to be dishing out FUD on 9/11 warrantless wiretaps and NSL's, they deserve to take FUD.

Then it's about fucking time...

...we started manufacturing this stuff right here at home again. Fuck California and all the fucking tree huggers out there. Michigan right now will happily welcome any new electronics factories that wish to start up there.

Why trust Cisco??

[sunderland56]

Why is Cisco gear assumed to be "trustworthy"? Since this is all closed source software, maybe Cisco has been secretly spying on us all for years - and this has only come to light because of FUD spread about "chinese" routers.

since genuine Cisco boards are made in China ...

[swschrad]

by the same bunch of contractors-for-hire that make most of the rest of the international carrier supplier equipment, does it surprise anybody that there are counterfeits from China that get into supply chains?

would have been harder to do if these companies made their own stuff, as they used to.

Not so much...

[Hodr]

There is a reason that the majority of the slide show fucused on other issues than software threats, and the reason is that those threats are the least likely to cause a problem.

If I buy a counterfeit router and stick it in my secured network there is almost no chance that anyone will have the opportunity to exploit it. That is to say you would need physical access to a terminal within a secured area within a secured building on a secured post, you would need to defeat the access controls to use that system, and of course, you would need to know that your counterfeit hardware is in a usable position within the architecture. It doesn't help if a reliable firewall (juniper) blocks you before, or another (foundry) blocks you after you mannaged to get to your compromised one (cisco)(defense in depth / breadth anyone?).

Basically, for any secured network, anyone who would have the access to make use of a compromised router already has adequate access to do nasty things to the system.

A much bigger concern is the lesser build quality and the lack of vendor support.

Re:Not so much...

[lusiphur69]

"A much bigger concern is the lesser build quality and the lack of vendor support."

Not really. What is more of a threat is a hardware implementation of some kind of backdoor.

You assume that any compromised router will be deployed inside the internal routing framework - how do you know this to be the case? Your comment does not consider the threat if the 'hacked' router is sitting on the edge of a network. Granted, important DoD or DoE systems are generally completely within their own walled garden without any access points to the general internet, however for industrial espionage of your typical corporate network, this is a perfect and nigh-impossible to detect vector for attack.

Something to keep corporate admins thinking about their hardware sourcing - after all, as I am sure is elsewhere in these comments, no one ever got fired for buying (insert giant vendor here) and few corporate IT groups have the expertise / money / time to spare on deploying custom built Linux boxen on every access point.

Re:Not true. The new FIPS regulations change that.

[homer_ca]

I'm not sure standard code libs would help. If it's a good enough knockoff, you should be able to install Cisco firmware you download off their support website, thus wiping any backdoored Chinese firmware. If it's backdoored real well, it'll probably have some special boot loader and extra flash space that could subvert any trusted code you have in the system image.

Re:Someone had to say it

[WindBourne]

Interesting that you say cuba is harmless and then put stalin in the same basket as castro. Personally, with the new gov in cuba, I am thinking that we should loosen up the reign. But if it will, that will probably happen right after the election.

As to trade partners, we have many that are trustworthy. Probably our closest partner is the UK. THey would be tier 1. Canada, Australia, and Isreal would fall in tier 1B. Tier 2 is most of EU, Japan, Mexico, etc. Tier 3 has the bulk of the rest of the world including China. But China is slowly slipping itself into the bottom tier. Ultimately, I think that the amount and focus of spying will almost certainly push Chine into its own tier.

Re:Why do you hate hard-working Americans?

[superpulpsicle]

Your comment is just retarded. As if walmart is the only store that sells products from China. No CEO will ever turn down $1 million bonus. Going to China means $3 million bonus by reducing local expenses. US labor is expensive.

Re:Someone had to say it

[danielsfca2]

Tier 3 has the bulk of the rest of the world including China.

Then why did we give them "Most Favored Trading Partner" status?

I retired a few routers...

[Karl+Cocknozzle]

...right around the time these stories really started getting mass-publicity...

And was shocked to find that, for example, my 3745 had, among other things, 4 VWIC-2MFT-T1 interfaces... Three of the four were counterfeit--but all were bought through Cisco Gold partners.

Until I saw this with my own eyes, I had no idea how wide this issue reached.

Re:I retired a few routers...

[thogard]

No, 3 of them were the dodgy counterfeits. You still don't know about the 4th one since it could one of the properly made counterfeits.

Electronic voting.

[Irvu]

This is going to keep a lot of people awake at night.

Now sit and think that for almost 50% of Americans the only guarantee they have that their vote is counted is that the hardware and software "are correct". Given that the local network techs are able to poke and test CISCO routers in a way that out voting machines are not this means that for most American voters (and voters in many other countries) we have less guarantee that our votes are cast on authentic machines than we do that our routers are "clean".

That explains Microsoft's Vista pricing model...

[pyrr]

But the real question is, do pirated versions of an overpriced OS diminish the user experience and 1337ness of having a luxury OS, or does the OS diminish the user experience sufficiently on its own?

no evidence

[ctime]

Ya'll are crazy. Crazy I tell you. You can just do what the GOV does and wiretap your traffic for irregular behavior (related to root-kits and other malicious code) running on your network, at any layer. I'm sure the shady bastards in china have TRIED to put back doors in the software/hardware but there are ways to detect them. So, whenever you get a new piece of equipment, upgrade the code to whatever the vendor is offering (ie. at clean version) and do a little packet inspection to see what's really happening. Has anyone actually found any REAL evidence of what the article is proposing? A massive conspiracy of hardware and software-based back doors from the government of China..No. If it existed there would be more evidence of it. There isn't any that I'm aware of (public knowledge could be suppressed but that's another topic) This is not much better than 1950's McCarthy rampant speculation. It's healthy paranoia at best.

Re:Not really

[petermgreen]

What do the likes of cisco do about rejects, do they demand that they are all shipped to some authorised destruction center independent of the manufacturer or do they let the manufacturer dispose of them?

Why do you like assembling jobs better?

In a sense, what we have exported over to China the assembling jobs. "Made in China" should be more appropriately call "Assembled in China." Yeah... your iPod and Cisco routers are assembled in China; but all key components -- the VLSI chips -- are made in the U.S. What the Chinese workers do are just to put them together.

I don't know about you but I think these lines of work are just as low as the McDonald's jobs, and not glorifi-able at all. And it is just not much different than having automated robots do that. At the dawn of industry age, there were attcks against machines by workers. You don't mind the machines just because you are an engineer who (indirectly) sell the machines, rather than the one being replaced by the machines.

In fact, due to the low level (but not absence) of IP protections in China, businesses -- foreign or domestic -- are the ones who become very careful in revealing IPs over there.

I think you, as an engineer, should really start worrying when their IP protections become strong, because that's the time more real IP works will be done in China. So be careful what you wish for.

Re:Someone had to say it

[WindBourne]

A number of countries have MFN with us, even though they are in tier 3. In particular, China was given it because it was though that china had turned over a new leaf. Keep in mind that our economy was going to push democracy there. Nobody in either Poppa Bush or Clinton's admin thought this would be turned against us. In the past, whatever countries we have allowed economically close to use has prospered and generally it has stabilized and pushed them to democracy. The problem is that china is the first communist country (though a few have been dictators) and the only one larger than ourselves. Basically, we have bitten off more than we can chew. To make matters worse, W. is close to bankrupting us, by our trade AND fed deficits. As it is, China is keenly aware that our military is for the first time in almost 150 years, spent. All in all, had we not given China MFN/WTO, not invaded iraq, or had a more responsible president been in place of W (and both of them were better), this would not be happening. We are just in the perfect storm that happens to favor China in all aspects.

3 million federal what?

[gnutoo]

Are you sure you can scrape even 10,000 developers from those three million federal employees? I don't think so, and the free software community has continued to grow exponentially. Sourceforge alone has almost two million registered users.

Re:3 million federal what?

[dedazo]

Hi twitter,

Sourceforge alone has almost two million registered users.

Sourceforge also has 175K projects, but must of them are in the -3, Thinking about it stage.

You can't seriously be using that number to prop up your arguments. I mean, what is the purpose of trying to exaggerate this?

Re:Straw men are not arguments, no matter how you

[Doc+Ruby]

Blah blah blah. You're the one who tried to pull the straw man by lying about which of debt or deficit I was talking about.

But you Republicans are so corrupt and addled that I'm not even disappointed. You really should just shut up about either money or logic already. No one wants to hear it from you, after you voted that straw man (with scarecrow brains) into office twice, and ruined the country.

If you've got an apology to offer, then get it out there already. Otherwise all we want to hear from you is nothing.

If the answer was "no", then why bother at all?

[hassanchop]

You're the one who tried to pull the straw man by lying about which of debt or deficit I was talking about.

Please post the quote where I did this. I discussed neither debt nor a deficit, and I've already explained my point, you just can't seem to understand what you're reading.

But you Republicans

BZZZT, nice try though.

If you've got an apology to offer

Of course, I'm sorry I assumed you were capable of a civilized adult conversation, all evidence to the contrary.

Otherwise all we want to hear from you is nothing.

Of course, you were wrong, and you failed to refute me twice. I'm sure you'd like nothing better than for me to continue to draw attention to your intellectual failures.

Re:If the answer was "no", then why bother at all?

[Doc+Ruby]

No, I just don't bother giving you Republicans - oh, er, I meant libertarians - any more respect for your intellectual games. Not after what you've done to the country, and while you're still blathering like you deserve some respect.

I'm not going to justify anything to you. I'm just going to keep tagging you for your part in what you people have done to this country. Get used to it.

This is what happens, everyone.

[Khyber]

When companies export their labor to other countries, we end up with potentially disastrous security compromises coming back our way. If only there were a law that stated that "any company working with a government contract may not have their labor outsourced to a foreign country, ally or otherwise." then Americans would have more jobs and we'd have to worry less about external threats and more about internal threats.

In Related News

[pugugly]

The FBI has been assured that there is no way whatsover that these could be used in this manner, all investigations have been dropped as per new orders from the Justice Department and NSA and signed by Attorney General Hu Jintao . . .

heeyy waitaminute . . .

Pug

Shut it down!

[PacketScan]

My only question is is they know this hardware exists on these networks.
1. Why haven't they been shutdown / replaced
2. What could have been compromised? I hope your running a sniffer on your network and gateways.
3. WTF.

rumor?

[docwatson223]

That would make the infamous NIPR hack understandable....(but that was just a rumor, right?)

Buying Chinese goods says...

[FatSean]

..."Hey Mr. CEO, your idea of outsourcing manfacturing jobs to create lower prices is working great, outsource some more jobs please! I don't care about the future, I wanna save a buck on my plastic mop bucket NOW!"

My GGP post was a joke, I guess I needed more hyperbole...

Bingo

[not_hylas(+)]

FTFAs: ... counterfeit hardware such as corporate switches and routers from respectable manufacturers such as 3com and Cisco.

"So what kind of security risk would be involved here? If the copies are identical down to the individual parts we are looking at a change in firmware at the most."

Jesus Christ!, that only took 10 years, now will they wake up to the "legitimate" hardware already compromise - and in progress?
Should maybe only take 5 more years?
I predict nothing will be done until "the meltdown", then we'll be screaming at interrogators "DON'T TAZE ME BRO!" ;-)
Us, of course, being "part of the problem".
God save us - from ourselves.

Is that as far as they've gotten, yesterday's news? Crack teams, indeed - on crack, more likely. How long has it been since they've HAD their "eye on the ball"? Decades? Such trusting souls. Forgive my "scathe-y-ness, but they need to quit preening themselves and get some experts who know the score - obviously they've not the time to even realize there "is a curve" to getting up to speed.
Someone like Fred Cohen, who, could, at least, divine such a problem.

Morons.

This is a fake story IMO

[samsara]

I'm curious as to if anyone can back up this story? The site that the OP links to also covers stories involving the paranormal and conspiracy theories (eg. its a crackpot site).

The powerpoint presentation, which I believe is still available at:

http://www.donkeyonawaffle.org/OMB%20briefing%202008%2001%2011%20a.ppt ...displays an image that is watermarked to www.andovercg.com.

Andovercg is a used equipment reseller. It's my guess that the picture was originally a side by side comparison of two cisco router revisions. (ever had to work with 3com 3c905s? They've changed dramatically between revisions as well)

If I blow up that picture I can make out the following numbers on the model tag:

Left: 2461 8792 A
Right: 2461 8797 A

I believe the 2nd number is a revision number, which explains the difference in the appearances between the two boards. That's just my best educated guess though, I'd love to hear of an interpretation from someone that actually works with these boards.

Don't believe everything you read to be true...unless its backed up and verfied. This story, while more elaborate than most, fails to convince me its true (not to mention its hosted on a conspiracy theory website)

Re:Someone had to say it

[cowbutt]

We didn't trade with the USSR.

Lousy secondary source, I know, but Wikipedia says the titanium for the SR-71 was bought from the USSR