Slashdot Mirror
FBI Concerned About Implications of Counterfeit Cisco Gear
SpicyBrownMustard writes "An FBI PowerPoint presentation provides details about a criminal investigation into counterfeit CISCO hardware originating from China, and sold by Gold/Silver partners to numerous US government, military, and intelligence agencies. The concern of the article's author and the FBI is that the counterfeit equipment may be state-sponsored to aid in accessing otherwise secure systems (slides 46+47). Says the article author: 'The threat is real. Compromised hardware of potentially hostile foreign origin sits within secure networks of the US government, military, and intelligence services. And as you now see, the FBI has been concerned about it.'" We've mentioned the seizure of some of this equipment before, but this presentation adds quite a bit of detail, and highlights the FBI's concern of Chinese government involvement.
MABASPLOOM!
This is a complete and utter nightmare, for so many reasons. You start to mistrust the routers in your network, then you should also distrust most of the tools in your arsenal. Can you trust that laptop? What about the chipset in that laptop? Can you trust the copy of GCC you have?
This is going to keep a lot of people awake at night.
They should be afraid of the genuine article too. Only free software can be audited, modified and trusted.
Really, if it is *that much* of a concern, quit buying from a third party vendor. License a spec, rent a manufacturing facility, put some people to work, and create your own Cisco Certified Uber Network Gear eXtreme, Uncle Sam Edition
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
presume FUD until given proof. and check the source of any "proof" too, never trust those who stand to gain
I can think and think over it, there seems to be but one solution:
Now is time for US Department of Sensitive Things to stop buying hardware and start buying blueprints. Buy VHDL and CAD files from CISCO, scrutinize them for threats then produce it yourselves.
China is great for cheap production but there is a reason why military approved stuff are more expensive : among other resons, you can't let anyone build them.
And if you want certified and cheap stuff, it is time to begin building robotic factories.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
> The fact that the financial loss they claim is mostly due to fake Rolexes, Channel stuff and the like doesn't help. I mean, how many people who buy a fake Rolex could afford a real one?
... it's exactly the opposite. When the flunky working the counter at Blockbuster is wearing a good-as-real Rolex, suddenly the brand isn't worth quite as much, and if you're some hotshot looking to make a statement about exactly how much disposable income you have, maybe you'll go buy something else -- something more difficult to fake, something with more intrinsic value -- instead. That's the real worry for high-end brands. It's not the lost sales, it's the damage to the brand that inevitably occurs when average folks get their grubby little McDonalds-covered paws on them.
That's not the point. The reason the brand owners get their panties in so much of a bunch over the counterfeits isn't because the plebes buying the fakes could actually afford to buy a real one, if they weren't wearing a fake
Which really just makes those "counterfeits kill" ads all the more ironic; the people those ads are being marketed to are essentially the high-end marketer's enemy. They're the ones who must be denied access to the high-end brands; who must be made to covet without actually being able to possess.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Who cares about counterfeit Disco gear?
If you can read this, I forgot to post anonymously.
IIRC, the gear was not counterfeit, but merely not licensed by Cisco. The same factories made X units, Cisco bought X units, everything else made it to the black market, and was considered counterfeit, due to the fake Cisco packaging, etc.
The economic integration between North America and Communist China is putting us in a very dangerous position. The Chinese government has a well-documented history of utter ruthlessness, and will happily steal and duplicate every technological edge it can get. Does anybody believe even for a moment that the same people who have committed and facilitated cold-blooded mass murder on a scale we find difficult to imagine will draw the line at a little industrial espionage?
Corporations that are forcing us into closer and closer economic contact with China are making huge profits, and doing a good job of ensuring that our governments obediently facilitate economic integration. For the rest of us, this means stagnant wages and limited opportunities...all in return for access to cheap headphones, lead-poisoned toys and other gimcrackery.
The Chinese government is not our friend, and the argument that exposing them to the joy of capitalism will make their society free is exactly backwards.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
I also suspect my Lenovo/Thinkpad..whenever I'm in the room it seems to be...watching me.
To any federal agency monitoring this (NSA), please stop buying your network and computing gear from yard sales and ebay.
Absolute power corrupts absolutely. indymedia
Security cannot be achieved with closed source or closed hardware. The problem of security is too difficult, so it is best to create a "culture" of security based around a simple set of rules:
1) All software implemented in Network Systems must be open and source code must be peer reviewed on a regular basis.
2)Hardware should be as generic as possible and should be built upon agreed standards so you can mix and match components.
3) Cultural security is laid at the foundations of software and hardware. Once everyone knows the foundations any single individual or group will find it very hard to con an entire community.
Even if they succeed it will not take long for the culture to detect the deception.
Personally, I am glad the Chinese are screwing Cisco. Remember folks, we are talking about the same company that sold the Chinese government a ton of security products to hunt down and kill/torture or imprison political dissidents.
Last year I got rid of the final pieces of Cisco gear in my network and everything is working just fine with Open Source equivalents.
I peer review my own patch updates, and follow the lists carefully as the comminity as a whole deals with coding the upgrades.
I really do know what my routers are doing.
How many here can say that?
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
Nice red herring there. We need to put those who want authority over us under a different, much more strict set of rules. It's our only way of protecting ourselves from the all too frequent abuses.
What?
Clinton and the Republican 1990s Congress sold us Most Favored Nation and "Fast Track" status for China on the appeal that the US would be manufacturing high-tech gear like Cisco routers and selling it into the emerging Chinese market. Making China dependent on US manufacturing and retailers so we could dictate political terms to them, like not torturing Tibetan monks.
They got it. Then they flipped the script. Now the US is dependent on Chinese manufacturing. Stepping up the game, Bush and the Republican 2000s Congress sent us $9 TRILLION into Federal debt (after a Clinton left him with a surplus), making $400 BILLION in debt bought by China necessary to keep the illusion that our economy hasn't collapsed - an illusion rapidly vaporizing, even before China applies much pressure to force us to comply with their Communist mafia government's global expansion plans. Meanwhile the Chinese are not just torturing monks (or stopping us from torturing around the world), they're also sending weapons, including machetes, to fuel a slaughter in Zimbabwe.
They baited and switched us. And by "they", I mean a lot of Americans with Washington addresses, and now obviously Chinese bank accounts.
--
make install -not war
Even the Federal Government is not as big as the free software community. If they are not free to modify the source for any purpose and share those modifications with everyone else in a free way, they lose the benefits of freedom and become an unpaid bug fixer for Cisco. Malice can slip through in obfuscated form, they can't make it do what they want and they will have a hard time being sure what they audit is what they run.
http://www.theregister.co.uk/2004/07/29/cisco_huawei_case_ends/
While Cisco dropped this lawsuit claiming "a victory for the protection of intellectual property rights."
This was after Huawai photocopied IOS Configuration guides and "portions of its IOS source code found its way into Huawei's operating system for its Quidway routers and switches. Cisco claimed the Huawei OS included text strings, files names and bugs that were identical with Cisco's IOS source code. The suit alleges that Huawei is infringing at least five Cisco patents."
*RING BELL* Round 2
The counterfeit thing is nonsense. The chinese could just as easily modify a non-counterfeit router as a counterfeit one.
The counterfeit hardware isnt really counterfeit, instances like this are usually just the guy who runs the factory keeping it open an hour later than he is telling Cisco and producing a bunch of extra routers that he can sell on the cheap. The counterfeit item itself is typically exactly the same when we are talking about electronics. Its not like they are using completely different designs and slapping the Cisco brand name on it. (I am sure there are exceptions to this that someone will point out but I am speaking in general terms here, this rule applies for most counterfeit electronics)
Sure, we should be concerned because American companies are having their IP that they put a big investment into stolen, but its no less secure to buy a counterfeit router than a non-counterfeit.
http://www.interesting-people.org/archives/interesting-people/199909/msg00020.html
China in return agreed to allow their money to float free, but created "the basket" that they then control to an unknown formula. Considering that yuan has gone up a whopping 17% against the dollar over 5 years, while most other moneies have gone up more than 100%, it says a lot. In addition, they were required to drop their tariffs over 2 years ago (they asked for 5-7 years). We are now pushing 8 and they are asking for another 3-5 years of them.
The good news is that EU has seen what has happened to us and is pushing several issues; 1) the chinese firewall and the tariffs 2) the money issue 3) the carbon issue. As such, they are about to slap a major carbon tax on everything based on their Point of origin as well as a tariff against chinese good because of the firewall and tariffs.
I prefer the "u" in honour as it seems to be missing these days.
I think you have not heard of counterfeit brake-pads. Counterfeits are a significant danger when they move beyond the more visible realm of watches and bags. I would not be surprised if at least 50% of all manufactured items are subject to counterfeiting and it goes all the way down to mundane but important things like o-rings, cotter pins, bolts, cables, etc.
The problem remains the same whether it is a simple or sophisticated item: something has been compromised. But what exactly? Finish, fit, function? Do you want to gamble your life on it? Your property? Your data?
I don't care about watches and bag. The rest has me concerned.
Under FIPS, not only must the vendor use specific encryption standards -- those standards must be implemented using specific approved code libraries which have gone through an audited security certification process.
In at least one major application that I'm aware of, if you set the system to be "FIPS" compliant, users who have the newest client can't send encrypted data to users who have older versions because even though they can read it just fine because they do support the standard of encryption -- the libraries used on the older client versions wasn't FIPS compliant. Its a nightmare in terms of implementation and transition from version to version.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
This just goes to show that we go screwed with open trade relations with communist China. DO NOT TRADE WITH YOUR SWORN ENEMY!
Whenever possible (and I do check), I do not buy Chinese made products. I pay more to avoid or do without.
Athiesm is a religion like not collecting stamps is a hobby.
How are you on the internet then? I'd wager a bet that > 50% of the products you use on a daily basis are at least partly made in China.
But back up a minute, since when was China the sworn enemy of the US? If the US didn't trade with countries it viewed with suspicion, then they'd pretty much only be trading with Canada, and even then it'd be a begrudging trade arrangement.
I hate printers.
Equipment that will handle sensitive data should be purchased by the Government only from manufacturers who make it within our borders. Yes, this would increase costs. But it would help ensure that no "special" Chinese chips get inserted into the devices. It would also bring a few manufacturing jobs back to our shores. Of course, I'm assuming here that the very last of our electronics manufacturing infrastructure has not been dismantled...
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
There are tons of other countries that can manufacture our goods. The same cannot be said of US purchasing power.
Don't be upset though, your mistake is common amongst those with only a cursory knowledge of the subject like you have.
One round through Cisco's Quality Machine should be more than sufficient to test the authenticity of counterfeit products, probably even from anywhere on the internet. I worked on some of there test automation systems and they chart how much is automated, the results and even where the problems occured and by whom.
That works better for software than for hardware. After you've checked the VHDL for back doors, how do you tell that the actual device matches it? You either have your own fab or you look at millions of transistors under a microscope. And the recent Usenix paper showed that it takes very few gates to put a remote root backdoor into a CPU.
Maybe it's high time America starts to look at how its manufacturing gets done. We spent all this time and money to offshore our manufacturing at the expense of American jobs because of our bottom line. Now we are reaching "long term" and it is going to wind up costing us more than if we kept it here at home. Maybe, just maybe, the corporations will start to look at their long term outlook in a different light. Just because you are getting cheap labor today does not necessarily mean you will save money tomorrow.
All points of time and space are connected.
Oh come on, you've gotta include Israel in that list.
The GP has a perfectly good point though. We didn't trade with the USSR. We still don't trade with Cuba and they're harmless! We are the biggest hypocrites ever for trading with China, who has a human rights and oppression record that Stalin or Castro would admire, and we ignore that it's in China's best interests to destroy us to make oil cheaper for them.
Govt security managers and auditors are being ordered by their PHB bosses to give out passing grades on systems than cannot pass muster. And this is under duress of losing their jobs if they don't do as ordered, but they're still held responsible for any security breaches. In essence, the security managers are being forced to bear full responsibility while at the same time being stripped of the proper authority needed to conduct their jobs.
Awesome, way to take what I said and change the meaning. I never said I hated foreigners. I was pointing out that Americans have lost 1 million jobs in the last year alone. I have no problem with foreigners but is it not my duty as a citizen of a nation to want my fellow citizens and my country to prosper? You should be working for one of these presidential campaigns. You seem good at taking a statement someone says and making it mean something entirely different.
All points of time and space are connected.
...right around the time these stories really started getting mass-publicity...
And was shocked to find that, for example, my 3745 had, among other things, 4 VWIC-2MFT-T1 interfaces... Three of the four were counterfeit--but all were bought through Cisco Gold partners.
Until I saw this with my own eyes, I had no idea how wide this issue reached.
Who did what now?
A number of countries have MFN with us, even though they are in tier 3. In particular, China was given it because it was though that china had turned over a new leaf. Keep in mind that our economy was going to push democracy there. Nobody in either Poppa Bush or Clinton's admin thought this would be turned against us. In the past, whatever countries we have allowed economically close to use has prospered and generally it has stabilized and pushed them to democracy. The problem is that china is the first communist country (though a few have been dictators) and the only one larger than ourselves. Basically, we have bitten off more than we can chew. To make matters worse, W. is close to bankrupting us, by our trade AND fed deficits. As it is, China is keenly aware that our military is for the first time in almost 150 years, spent. All in all, had we not given China MFN/WTO, not invaded iraq, or had a more responsible president been in place of W (and both of them were better), this would not be happening. We are just in the perfect storm that happens to favor China in all aspects.
I prefer the "u" in honour as it seems to be missing these days.