FBI Says Military Had Counterfeit Cisco Routers
There are new developments in the case of the counterfeit Cisco routers, which we have been discussing for some time. The NYTimes updates the story after an FBI PowerPoint presentation made its way onto the Web. It seems that experts at Cisco have examined some of the counterfeit routers in detail and proclaimed that they contain no back doors. Others don't believe we can be so sure. "Last month, [DARPA] began distributing chips with hidden Trojan horse circuitry to military contractors who are participating in the agency's Trusted Integrated Circuits program. The goal is to test forensic techniques for finding hidden electronic trap doors, which can be maddeningly elusive... The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor... The researchers were able to create a stealth system that would allow them to automatically log in to a computer and steal passwords."
Verification of the producer is essential here - and this is perhaps the moment where outsourcing will bite us in the ass. While you can only buy American-made Cisco routers, there is no doubt some chipsets made in it are manufactured overseas.
Somehow, I find it hard to believe that DARPA INTENTIONALLY planted vulnerable chips into potentially critical military systems.
This sounds like a case of spin worthy of Winston Smith from the Ministry of Truth.
From what I understand, the counterfeit routers are made in the same factories by the same people who make the real routers; they just keep the assembly line running past the hours that Cisco is paying them for.
In this case, if Cisco is comparing the counterfeit routers to their legit ones, they should always be the same.
The question this doesn't answer is this: does the LEGIT Cisco equipment contain back doors? How can Cisco be sure it doesn't? Most of the components are manufactured offshore and the assembly is done offshore. Have they examined each part with an electron microscope to verify it doesn't do anything more than what the spec says it should do?
They can't just watch for network activity; these routers might be filtering and caching data waiting for the eventual physical removal of the router in the next upgrade cycle -- or, they might all have a kill switch built in, so someone can remotely take out ALL routers. There are an infinite number of possibilities to look for, and since Cisco doesn't manufacture everything in-house, they really don't have much hope of detecting that none of the infinite possible modifications have been made.
Are these the routers that the US was warning us about? The ones where China counterfeits routers and sticks in evil commie coding? :D
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
I work for a company that sells used electronics on eBay. We'll occasionally buy cheap gear over eBay too, then resell it at a profit. For many months now we've had a huge problem with counterfeit Cisco cards. It's amazing how detailed the counterfeiters are. My boss wrote up a detailed guide on how to spot fakes. Google "counterfeit cisco wic".
... of the DARPA-hacked routers were any of the 'cisco experts' able to determine tampering?
That seems like a logical test, so I have to wonder if they have done it already... or not?
If they contain no backdoors, *THAT WE CAN FIND*, do we continue using them?
.....welcome our new counterfeit Cisco Router overlords.....
When we outsource everything to other countries, we run the risk of getting bad goods, made with a malicious intent. Any company that's outsourcing is potentially harming us. It should be made a crime.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Anne McCaffrey wrote a book called PartnerShip with a plot very similar to this situation. The villain provides chips to the Galaxy, including the military. When nearly everyone has upgraded, it turns out that he can remotely control every device, including military hardware, controlled by the chips. That's enough of a spoiler. How can such a grand and well planned scheme be defeated? You'll have to read to find out...
Be afraid. Be very afraid. Vote for those that seek to protect you.
This seems like a scare tactic to "warn" people about the dangers of fake hardware/software. Expect a big push around these types of "stories" as more bills like PRO-IP go through Congress and as the creation of the IP & Copyright Czar in the White House gets a big push.
It's a concern but seems to point more to incompetence rather than some difficult-to-spot threat. Why are government agencies not buying directly from Cisco? Seems they should have some sort of corporate connection.
"We must protect our precious bodily fluids."
So that's why my crappy Linksys wifi access points have to be rebooted every week or so. Damn commies!!!
The lesson applies to more than the military - if you can't verify it, you should not trust it. Using non free software on devices produced in Communist China might save you a few bucks but it will cost you much more in the long run.
The madness of the "IP" empire is most apparent in this specific case. Using machines produced by your enemy is stunning folly for any military.
CIA slipped bugs to Soviets
Beauty is in the eye of the beerholder.
Outsourcing critical components is always bad,
but when you outsource DIRECTLY to countries that
A: do not like you and make little attempt to hide it
B: are actively engaging in espionage, known and unknown
C: have no distinctions between state and corporation, commerce and warfare
Hand in your commission and your cover, you fucked up.
You've hit the fubar trifecta. Your command is terminated.
There is no excuse for this in a trillion dollar army. Good day.
That said, it's pretty low on the list of likely threats. Pretty hard to know exactly what gear will be placed where and what it will give you access to. Plus even with a back door, places with sensitive data are more likely to be monitoring the traffic which is harder to hide.
Since the hardware CAN do this, then it was designed to do this, it does do this, and always has. This is strictly a question of whether they would be able to detect one that was not theirs.
The meaning of your Life is up to you. Mean well. -- Me, 9/11/2001
For those of you who are interested, you can find more technical details of how we designed and implemented malicious hardware from here
-- computer scientists from University of Illinois
if your new rack mount routers and switches say "crisco" on the front you may have a problem.
actually I am happy to see you, however that is in fact a banana in my pocket.
It shows the difficulty of getting at non networked facilities of your enemy and the stupidity of trusting equipment made by them. Verifiable free software and hardware offer solutions to both of these problems and that's what the military should demand. Trusting the enemy with secrets you won't trust your customers with is insulting. It's insane when your client is the military.
On a more serious note, I think you should take some time to look at how the US government does procurement. Typically the US government is EXTREMELY rigorous (to the point of stupidity sometimes) in how they source, where they source from, the design of the products, how much will be paid and when. Generally speaking the US military and other security agencies are quite aware of the security risks of products designed overseas and generally speaking they take appropriate precautions. Being a supplier to the government can be lucrative (ask Halliburton) but it's also often a huge pain in the ass due to the security and regulations to (hopefully) keep ne'er-do-wells from ripping the government off or endangering national security.
Items with high capital costs don't work well as "open source"; basically, the manufacturing plants cost so many billions of dollars that no one who isn't doing proprietary work could afford it. Even if you could open source chip design (a dicey proposition, since there are many fewer EE PhDs that want to donate time than there are CS PhDs), there are still difficulties with the actual manufacturing, and we would still need to guarantee the physical chips, which are individual, and cannot be "re-compiled"; if you think there may be an issue with a batch, you can't start over without paying for new chips.
Maybe, however, I am missing something about the procedure you are proposing; what parts would be open source?
I'm a conscientious
The question is not whether Cisco routers have back doors. That has to be assumed. If I was running NSA over the last several decades, I would have my people deep inside every communication equipment manufacturer. The manufacturers' management might not even know about it.
The NSA surely has arranged to have one or more back doors designed into virtually every kind of communications switch. The only Cisco employees who would know about them would be the NSA people who work inside Cisco, and some regular Cisco employees who have been cleared. If this has not been done, the NSA senior managers should be fired or jailed.
The real questions are: How many back doors are there? and who has the keys? The (assumed) NSA back door might not be the only one. There is a possibility that the Chinese or Indian chip-fab or software contractors have also installed back doors for their own governments.
With billion-gate machines, a few thousand extra gates would be hard to see. If the extra logic looks like instruction-cache, but just has a little extra code, it would be almost impossible.
Not counting the one you're replying to, he's already posted in this article with two other accounts, so YOU WILL hear him out, or else. He's probably compensated on a per-post, per-account basis.
At heart, twitter is really a xenophobe, and his "Communist China is evil" argument is an old one.
I think RMS summed up the current US relationship with China quite well:
The rise of "IP" and corporate interests over democracy in the US has never been clearer than in the last five years. Everything you own can be confiscated for suspicion of "making available" crappy RIAA music that can be found on any radio station. Your email, web browsing, phone conversations and church can all be monitored without a warrant. Those who object will be put on "non fly lists" that are used by banks, employers even the local gym, so the accused is essentially proscribed. The military is now authorized to act against US Citizens in "an emergency". Massive voter fraud has been proved in several major elections. In short, most of the bill of rights has been violated in the interest of government and corporate power. Trade with China has not made China more free, it has made us more like them.
I'm certain that if the Chinese haven't in fact installed back doors in bogus (or even real) Cisco routers that they manufacture, they at least have contingency plans for doing so. Their intelligence service wouldn't be doing their job properly if they hadn't. It's too good of an opportunity for intelligence gathering.
Conversely, I would fully expect the CIA or NSA to have programs in place to surreptitiously install back doors in routers for our use, either with or without the manufacturers' cooperation. After all, Cisco routers are installed all over the world. It seems only logical that they would find this opportunity every bit as enticing as the Chinese.
It's funny, how quickly corporate greed will make politicians forget history.
Some analysts say, that the sudden collapse of the USSR, Berlin Wall etc. was attributed to an American secret service mission, in which CIA secretly supplied the Russians with "smuggled" computer equipment, which was on the COCOM technology embargo list. These computers used rigged chips and in the eighties the US government demonstrated that they control key installations by sabotaging an oil transport system - and possibly others. The Russians got into a situation, when they had no idea how deeply their military, etc. infrastructure was compromised without any hope to regain control.
Americans forget very fast. How long do they think, other countries would do the same - especially, if production is sent to a country, which has been known for a long time as the biggest emerging future economic power, which also happens to be ruled by totalitarian political ideology? Is anyone surprised here? It took only a few governments in the USA to fall for the same trojan horse that they used themselves. But who cares, the shareholders are happy. For now.
Did they look for any "accidental" bugs which could have been abused?
The US invasion of Iraq has cost the US more than 4,000 servicemen and Iraq one million dead, 2.5 million refugees, an irreparable infrastructure and horrific civil war. If that's not bad enough for you, the advocacy and use of torture should be. Wake up! we are now a terrible abuser of human rights and we are doing it for oil, big fat "best year ever" oil. What we do to others we will do to ourselves sooner than later.
Beauty is in the eye of the beerholder.
Open Source Java DAO Generator
Sun has open-sourced the Niagara designs under the GPL, and you can license UltraSPARC from SPARC Inc. Unlike Xeons and Opterons, you can actually get SPARC CPUs from at least two manufacturers: Sun and Fujitsu.
And to see an example that makes your theory not very far-fetched at all, one only needs to look at the steganography in color laser printers, where almost all color laser printers embed identifying information into each page printed out, in the form of yellow dots. (More here at the EFF.)
It isn't like "New and improved: know which printer printed every page, whether you want it or not!" was a good marketing slogan.
If I have nothing to hide, don't search me
Of course they don't contain any backdoors, they're counterfeit Cisco routers
I think the past couple months of economic headlines are putting to rest that notion that destroying your manufacturing base is a good idea. We were a lot better off when a lot more stuff *was* US made.
Linksys routers were crap back when they used to run Linux-based firmware too. I got tired of repeatedly rebooting my old early-generation original Linux-based firmware Linksys router and bought a cheap $39 Buffalo WiFi router at Bust Buy, and when I got it home and set it up, I was surprised to learn the Buffalo router was running a *BSD-based operating system. It's slow as hell to configure, but once set up and running, it is an unstoppable juggernaut. Best forty bucks I've ever spent on a piece of consumer grade network hardware.
I should paint it pink and stick a pair of ears on it, and a little toy bass drum in front of it, because it keeps going and going and going....
Since contractors have been getting all of the money from the "War on Terrorism" this is the only way that the Pentagon could afford "Cisco" routers.
Also could be getting these from back of cars and SUV down the street.
And this is supposed to be my concern how? $20,000 for toilet seats and I'm supposed to worry about the military having counterfeit routers? I'd say they got took just like anyone else.
Move on. Stop violating our Constitution, stop torturing people. Comply with the Constitution of the United States and stay out of our lives.
You can lead a man with reason but you can't make him think.
Damnit I knew they were counterfeiting when they said they made an Authentic Crisco Router
09F911029D74E35BD84156C5635688C0
+2 Troll is Slashdot's way of saying groupthink is confused
I said what I said because it isn't theory to me or something I have to lookup on wikipedia, I can remember. You just keep on believing the wallstreet hustlers, they never lie....they are only out for you and the working dude....in fact, they are near charities! You just go on thinking 30 year mortgages are better and a better deal for people rather than 10 year mortgages (and paying near 50% of your income on housing is better than 25%), or that 5 year car loans are better now than 12 or 18 month car loans, or that health insurance so cheap that guys went door to door selling it and you had to go *out of your freekin way* to try and find a crappy job that didn't have it, is worse than today. You go ahead and compare an economy where one low to medium paying blue collar job was enough for a home and car and college education for multiple kids and vacations and still have enough left over for a good savings account, why, today two blue collar incomes do not do that is so much better, with added bonus some strangers raise your kids!
Sorry, I just can't relate to casino hucksterism, it is the most obvious of con games. We have an economy now designed to make billionaires out of millionaires and they've kept it propped up by selling off the seed corn and issuing credit and printing up dollars by the boatload. The dollar is worth shit and falling so fast we are in peril of it being the "petrodollar" for not much longer, and once that happens, have fun, great depression version 2 on crack and steroids.
We had a 50 state internal "common market" where we free traded around and it worked, because there wasn't a huge skewed difference in cost of living and pay scales, and by not exporting the cash so much it acted as a monetary force multiplier. Now? So far in debt they might as well give it up declare bankruptcy, print up more zeroes on the bills and pay them all off with the toilet paper it will be and start to rebuild.
Really, I am sorry, but you are pushing what is in essence a cult like mantra pushed by the masterminds who now need "liquidity injections" to stay solvent. They are *thieves* man, grifters, at the highest level, and I can't help it if you can't see it yet, but you are obviously hooked, swallowed that bait bigtime. ooh, and you mentioned dipshit north korea! Like that is the only other example or implying the US used to be like that? Whatever, it was lame, stupid really...sorry.. My only advice for you is step away from whatever you are reading and start from scratch with an open mind and go back and look at history, talk to a lot of older folks who aren't MBA wall street shills and assholes. You'll get a different perspective. We had hoovervilles a long time ago, and increasingly we are now starting to see "bushvilles", and you can look that one up. The economy is skewing from building the middle class to destroying the middle class in favor of just two classes, it is pure feudalistic in nature.
Here's a real big clue -> "debt" is not "produced wealth". When the US really produced wealth, and we were building the largest most truly wealthy middle class ever seen, we were the largest creditor nation..now it is the opposite. The exact opposite. That is the most basic simple clue I can offer. Being in hock past your eyeballs is just never a real swift move. Have a good day.
You probably still use closed-source, proprietary bread you buy from a store.
I insist on open-source, GPL bread, with recipes freely available. You can't know your food is safe unless you can debug the source yourself.
Compile times for sourdough are a bitch, tho.
Windoze lulz.
This is all coming down to the fact that we need to assume NO network is secure; that we may be subject to man-in-the-middle attacks even within our own networks.
The solution is not to verify every chip, because that's probably impossible. Somebody's going to sneak something in somewhere. The solution is to make all data that travels through the chip unintelligible -- e.g. point-to-point encryption for *all* connections.
Once you encrypt all communications, the biggest security concern becomes the endpoints, not the myriad of things in between.
Clearly this is a big issue. I expect a declaration of "war" against it soon.
Just say No!
(to drugs)
(to piracy)
(to premarital sex)
(to counterfeit products)
Who protects the rest of the world from trojans the US built into routers?
The only sensible answer is:
Do not trust. If you are a government, compile the software yourself!
Use Linux routers!
NSA has a key into Windows that they don't talk about (Google nsakey). It would be pretty hard for one employee to sneak a backdoor into a piece of gear given all the code reviews, QA builds, production builds, etc. Additionally, I never know what I'm going to be working on from month to month, and people would get suspicious if I started submitting code updates for unrelated stuff. You really need collusion from several people to make this happen.
maybe it's just some hype at all
freedom = no control/can't control/uncontrol
security = know all/apply all/absolute power
maybe 2 r against each other
trust = freedom + security
cheat = freedom - security
fake = security - freedom
keep mission critical systems off-line. Do I need to repeat it? Perhaps with wireless routers there is an issue, but the ones in the picture looked to be of the wired variety. If they are on closed systems, with good physical security, it doesn't matter how many back doors they have.
Looks like GWB, Cheney, Condie et al., have been nailed as pedophiles.
Only a few hours, and the whole middle-level of the Federal Gov will be nailed as well.
What a shame!
It will be fun seeing the dangling dead bodies from gallows on the Mall when all this goes to fruition.
Toodles
I could suggest that we start building our routers using inexpensive computers running open source *nix operating systems, but the firmware in the NIC cards might be infected. The fine line between software and hardware means that malware can exist at any level. I would think that for engineers with no ethics, there is a wide open world of opportunity creating infected hardware for the future. I think we are on the brink of a "Warm War" where the weapons are computers and communications.
Just one more reason to buy gear from the myriad other companies making top notch network hardware.
Shame on us all for building Cisco into what it has become; by blindly buying their gear for all the wrong reasons.
I guess film could be called "flash memory" after the flash went off.
I used to work for a reseller, which happened to be a Cisco Silver partner, as a Cisco auditor.
Counterfeit equipment became a huge problem. There are so many fakes floating around, it's not funny. Fear anything with an RJ-45 connector that says GLG in it.
Some of the fakes were so blatant, it wasn't funny. Things like misspelling 'Cisco' on the box label. We were getting stuff that was Factory Sealed from China (and since the customers wanted Factory Sealed, we didn't open and test it).
It got to the point where anything coming out of Asia was suspect. And some of the counterfeits are very very good. I had one set of 1721 Routers.. there was only one way I could *prove* beyond the shadow of a doubt they were fake. When I opened them up and took them apart, I tried to insert a DIMM (taken from an identical model 1721) into the fake ones... and they wouldn't fit. The tab in the slot was about a half inch to the right, just enough so that it wouldn't fit properly.
The worst part of it was that, knowing they were fake, we shipped them to the customer as legit anyway.
If you find a good deal on Cisco high-end WICs, 2600XM Series routers, GBICs (both full sized and SFPs), take it with a grain of salt and caveat emptor. Even if it's from a reseller you do business with all the time, it may just be a matter of their auditing departments not knowing what to look for or their shady sales people trying to put one over on you.
RTFA below, the gear isn't the same, and does not use all the same parts and process which leads to the fakes having a higher failure rate. These probably aren't being produced in the same factory as the genuine gear, but probably a nearby one that has contacts in the real factory to supply the plans etc.
http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1-v2.shtml
========
CINC, 4th Penguin Legion
When they noticed it came with more than 90 days of warranty
Lev Andropov: It's stuck, yes?
Watts: Back off! You don't know the components!
Lev Andropov: [annoyed] Components. American components, Russian Components, ALL MADE IN TAIWAN!
Iran got to read its diplomatic cables in the press.
What did Cisco get to read?
http://english.ohmynews.com/ArticleView/article_view.asp?menu=A11100&no=381337&rel_no=1&back_url=
Domestic spying is now "Benign Information Gathering"
You're an idiot.
I told you I *remember*. Short mortgages and short car notes were the norm, not the exception. One chump change blue collar job was plenty of money to support a large family with just one spouse working, with full benefits, good savings accounts, being able to afford all those kids going to college, and etc. Now, think the economy can match that? I sure ain't seeing it. when I was a younger dude, two spouses working was *rare*, it just wasn't necessary, not a bit.
I've been listening to these globalist pirates lies for decades now. What do you dispute? That we aren't now the world's largest debtor nation, when a few decades ago we were the largest creditor nation? You catch the news the other day, they are projecting next year that 10% of the entire US population will be receiving food assistance. That's a good economy? You think crappy alleged service jobs and government make work jobs are actually better than the nuts and bolts manufacturing jobs with full benefits they shipped away by the multi millions?? Because that is all that is gaining is mostly McJobs and government drone jobs. Our biggest automakers slide nearer to being just totally bankrupt, always years behind the curve, because they got moribund, led by wallstreet pirates and corrupt union heads out for short term profits with no forward looking. We got banks needing bailouts from the Fed on *huge* scales, and despite the bailouts tons of them are laying off right and left. This is good? You actually think having to bailout the largest banks is clear sign of a great thriving economy? You really expect me to dig up links for that basic information, that's been in all the headlines for months now? We have personal bankruptcies and mortgage defaults at the highest levels in generations. the dollar continues to drop in worth daily, personal savings are at the lowest point since the great depression. This is good? that's all verifiable stuff but I ain't someone's personal google researcher either. this is basic, normal headlines information, I just have a memory that covers a longer timespan and can remember what stuff was like when the US actually made most of the stuff we found in the stores, and the economy was just overall better then. the drop has come about exactly parallel with killing off huge segments of the manufacturing base. Look at textiles, or furniture making, mostly gone. Hells bells, we don't even make ball bearing in the US anymore, or even TVs.
Normal manufacturing things or normal consumer products. Mostly gone.
Is it all gone, nope, OK- I admit that, it isn't "all" gone, but ton of it gone and a lot of folks hurting and is the economy heavily skewed way towards the more controller class than ever? Heck ya it is and you'd have to be drinking more than a glass of that globalist koolaid to not admit it.
Now fair trade I could see, but this bullcrap they push called "free" trade? Nope, scam, conjob, selling off the seedcorn, pawning your tools, just stupid.
Sure, I admit it is a rant, but that's all true stuff and it's a rant because of those globalist traitors and the lies they have pushed have about ruined it all. I *care* about my neighbors, even the ones I don't know personally, and it is hurting them and will continue to hurt them and it is going to get much worse...hence..the ranting tone. It is deserved, they deserve it. You watch once the buck slides down even more how much folks will be hurting because of fast price rises, just wait and see. This has been around 30 years or so in the making, and everything the bears (and me) said way back when is coming true, because it followed a simple logical progression and it clearly violated the number one principle of wealth-wealth is grown, mined, or manufactured, you can't busy work paper shuffle your way to wealth, not for very long anyway,that is a grifter's scam and is what they have been doing with their toxic waste paper financial products games that they pushed after they sold off and gave away the robust manufacturing base. I guess you had to see
A good way to guarantee that you do not purchase counterfeit equipment is to work with companies who are associated with organizations such as UNEDA. The United Network Equipment Dealer Association (UNEDA) is a worldwide alliance of more than 300 of the leading marketers of pre-owned networking equipment. Members represent the entire spectrum of the secondary market, from companies with hundreds of employees and millions of dollars in inventory to small, entrepreneurial organizations. Together their combined yearly buying clout exceeds $1 billion, representing the sale of millions of pieces of equipment to tens of thousands of customers. UNEDA members must adhere to a strict code of ethics that includes a firm policy against selling any equipment that is not legitimate.
Look at past IOS security holes. When has Cisco IOS ever been secure?
Looking at past Cisco security bugs (talk about plenty) and all the bugs SSH/SSL has been subjected to (random numbers and all); Wouldn't it be better if these bugs were not implemented, for the sake of our national security and all... It seems to me more and more that we ourselves have been making these security holes on purpose, and end up paying for it. The recent NSA server down might be due to SSH/SSL keys being subjected to this same bug, e.g. bad certificates that were generated with bad RNG code. -> Guessable secret keys, even for the bad guys who can make the database. -> Again we end up hitting our own feet.