FBI Says Military Had Counterfeit Cisco Routers
There are new developments in the case of the counterfeit Cisco routers, which we have been discussing for some time. The NYTimes updates the story after an FBI PowerPoint presentation made its way onto the Web. It seems that experts at Cisco have examined some of the counterfeit routers in detail and proclaimed that they contain no back doors. Others don't believe we can be so sure. "Last month, [DARPA] began distributing chips with hidden Trojan horse circuitry to military contractors who are participating in the agency's Trusted Integrated Circuits program. The goal is to test forensic techniques for finding hidden electronic trap doors, which can be maddeningly elusive... The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor... The researchers were able to create a stealth system that would allow them to automatically log in to a computer and steal passwords."
Verification of the producer is essential here - and this is perhaps the moment where outsourcing will bite us in the ass. While you can only buy American-made Cisco routers, there is no doubt some chipsets made in it are manufactured overseas.
Somehow, I find it hard to believe that DARPA INTENTIONALLY planted vulnerable chips into potentially critical military systems.
This sounds like a case of spin worthy of Winston Smith from the Ministry of Truth.
From what I understand, the counterfeit routers are made in the same factories by the same people who make the real routers; they just keep the assembly line running past the hours that Cisco is paying them for.
In this case, if Cisco is comparing the counterfeit routers to their legit ones, they should always be the same.
The question this doesn't answer is this: does the LEGIT Cisco equipment contain back doors? How can Cisco be sure it doesn't? Most of the components are manufactured offshore and the assembly is done offshore. Have they examined each part with an electron microscope to verify it doesn't do anything more than what the spec says it should do?
They can't just watch for network activity; these routers might be filtering and caching data waiting for the eventual physical removal of the router in the next upgrade cycle -- or, they might all have a kill switch built in, so someone can remotely take out ALL routers. There are an infinite number of possibilities to look for, and since Cisco doesn't manufacture everything in-house, they really don't have much hope of detecting that none of the infinite possible modifications have been made.
Are these the routers that the US was warning us about? The ones where China counterfeits routers and sticks in evil commie coding? :D
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
I work for a company that sells used electronics on eBay. We'll occasionally buy cheap gear over eBay too, then resell it at a profit. For many months now we've had a huge problem with counterfeit Cisco cards. It's amazing how detailed the counterfeiters are. My boss wrote up a detailed guide on how to spot fakes. Google "counterfeit cisco wic".
... of the DARPA-hacked routers were any of the 'cisco experts' able to determine tampering?
That seems like a logical test, so I have to wonder if they have done it already... or not?
If they contain no backdoors, *THAT WE CAN FIND*, do we continue using them?
More like any company that outsources and doesn't perform internal quality control of what they are reselling should be made criminal in this instance of reselling to governmental agencies. Buy a Cisco, throw it in a private LAN sandbox, fire up Wireshark. Rinse, lather, repeat. Yawn...
Anne McCaffrey wrote a book called PartnerShip with a plot very similar to this situation. The villain provides chips to the Galaxy, including the military. When nearly everyone has upgraded, it turns out that he can remotely control every device, including military hardware, controlled by the chips. That's enough of a spoiler. How can such a grand and well planned scheme be defeated? You'll have to read to find out...
Be afraid. Be very afraid. Vote for those that seek to protect you.
This seems like a scare tactic to "warn" people about the dangers of fake hardware/software. Expect a big push around these types of "stories" as more bills like PRO-IP go through Congress and as the creation of the IP & Copyright Czar in the White House gets a big push.
It's a concern but seems to point more to incompetence rather than some difficult-to-spot threat. Why are government agencies not buying directly from Cisco? Seems they should have some sort of corporate connection.
"We must protect our precious bodily fluids."
So that's why my crappy Linksys wifi access points have to be rebooted every week or so. Damn commies!!!
CIA slipped bugs to Soviets
Beauty is in the eye of the beerholder.
Outsourcing critical components is always bad,
but when you outsource DIRECTLY to countries that
A: do not like you and make little attempt to hide it
B: are actively engaging in espionage, known and unknown
C: have no distinctions between state and corporation, commerce and warfare
Hand in your commission and your cover, you fucked up.
You've hit the fubar trifecta. Your command is terminated.
There is no excuse for this in a trillion dollar army. Good day.
That said, it's pretty low on the list of likely threats. Pretty hard to know exactly what gear will be placed where and what it will give you access to. Plus even with a back door, places with sensitive data are more likely to be monitoring the traffic which is harder to hide.
Since the hardware CAN do this, then it was designed to do this, it does do this, and always has. This is strictly a question of whether they would be able to detect one that was not theirs.
The meaning of your Life is up to you. Mean well. -- Me, 9/11/2001
For those of you who are interested, you can find more technical details of how we designed and implemented malicious hardware from here
-- computer scientists from University of Illinois
if your new rack mount routers and switches say "crisco" on the front you may have a problem.
actually I am happy to see you, however that is in fact a banana in my pocket.
On a more serious note, I think you should take some time to look at how the US government does procurement. Typically the US government is EXTREMELY rigorous (to the point of stupidity sometimes) in how they source, where they source from, the design of the products, how much will be paid and when. Generally speaking the US military and other security agencies are quite aware of the security risks of products designed overseas and generally speaking they take appropriate precautions. Being a supplier to the government can be lucrative (ask Halliburton) but it's also often a huge pain in the ass due to the security and regulations to (hopefully) keep ne'er-do-wells from ripping the government off or endangering national security.
Items with high capital costs don't work well as "open source;" basically, the manufacturing plants cost so many billions of dollars that no one who isn't doing proprietary work could afford it. Even if you could open source chip design (a dicey proposition, since there are many fewer EE PhDs that want to donate time than there are CS PhDs,) there are still difficulties with the actual manufacturing, and we would still need to guarantee the physical chips, which are individual, and cannot be "re-compiled;" if you think there may be an issue with a batch, you can't start over without paying for new chips.
Maybe, however, I am missing something about the procedure you are proposing; what parts would be open source?
I'm a conscientious
The question is not whether Cisco routers have back doors. That has to be assumed. If I was running NSA over the last several decades, I would have my people deep inside every communication equipment manufacturer. The manufacturers' management might not even know about it.
The NSA surely has arranged to have one or more back doors designed into virtually every kind of communications switch. The only Cisco employees who would know about them would be the NSA people who work inside Cisco, and some regular Cisco employees who have been cleared. If this has not been done, the NSA senior managers should be fired or jailed.
The real questions are: How many back doors are there? and who has the keys? The (assumed) NSA back door might not be the only one. There is a possibility that the Chinese or Indian chip-fab or software contractors have also installed back doors for their own governments.
With billion-gate machines, a few thousand extra gates would be hard to see. If the extra logic looks like instruction-cache, but just has a little extra code, it would be almost impossible.
Not counting the one you're replying to, he's already posted in this article with two other accounts, so YOU WILL hear him out, or else. He's probably compensated on a per-post, per-account basis.
At heart, twitter is really a xenophobe, and his "Communist China is evil" argument is an old one.
I think RMS summed up the current US relationship with China quite well:
The rise of "IP" and corporate interests over democracy in the US has never been clearer than in the last five years. Everything you own can be confiscated for suspicion of "making available" crappy RIAA music that can be found on any radio station. Your email, web browsing, phone conversations and church can all be monitored without a warrant. Those who object will be put on "non fly lists" that are used by banks, employers even the local gym, so the accused is essentially proscribed. The military is now authorized to act against US Citizens in "an emergency". Massive voter fraud has been proved in several major elections. In short, most of the bill of rights has been violated in the interest of government and corporate power. Trade with China has not made China more free, it has made us more like them.
Let's see. A non free society that can barely feed its people now. That has a huge number of people that is now coming into the industrial age and is going to NEED all the energy it can get its hands on very soon is an enemy to be to all who are near.
Why is it so hard to only have politicians for a few years, then have them go away?
I'm certain that if the Chinese haven't in fact installed back doors in bogus (or even real) Cisco routers that they manufacture, they at least have contingency plans for doing so. Their intelligence service wouldn't be doing their job properly if they hadn't. It's too good of an opportunity for intelligence gathering.
Conversely, I would fully expect the CIA or NSA to have programs in place to surreptitiously install back doors in routers for our use, either with or without the manufacturers' cooperation. After all, Cisco routers are installed all over the world. It seems only logical that they would find this opportunity every bit as enticing as the Chinese.
It's funny, how quickly corporate greed will make politicians forget history.
Some analysts say, that the sudden collapse of the USSR, Berlin Wall etc. was attributed to an American secret service mission, in which CIA secretly supplied the Russians with "smuggled" computer equipments, which were on the COCOM technology embargo list. These computers used rigged chips and in the eighties the US government demonstrated that they control key installations by sabotaging an oil transport system - and possibly others. The Russians got into a situation, when they had no idea how deeply their military, etc. infrastructure was compromised without any hope to regain control.
Americans forget very fast. How long do they think, other countries would do the same - especially, if production is sent to a country, which has been known for a long time as the biggest emerging future economic power, which also happens to be ruled by totalitarian political ideology? Is anyone surprised here? It took only a few governments in the USA to fall for the same trojan horse that they used themselves. But who cares, the shareholders are happy. For now.
The US invasion of Iraq has cost the US more than 4,000 servicemen and Iraq one million dead, 2.5 million refugees, an irreparable infrastructure and horrific civil war. If that's not bad enough for you, the advocacy and use of torture should be. Wake up! we are now a terrible abuser of human rights and we are doing it for oil, big fat "best year ever" oil. What we do to others we will do to ourselves sooner than later.
Beauty is in the eye of the beerholder.
Open Source Java DAO Generator
Sun has open-sourced the Niagara designs under the GPL, and you can license UltraSPARC from SPARC Inc. Unlike Xeons and Opterons, you can actually get SPARC CPUs from at least two manufacturers: Sun and Fujitsu.
And to see an example that makes your theory not very far-fetched at all, one only needs to look at the steganography in color laser printers, where almost all color laser printers embed identifying information into each page printed out, in the form of yellow dots. (More here at the EFF.)
It isn't like "New and improved: know which printer printed every page, whether you want it or not!" was a good marketing slogan.
If I have nothing to hide, don't search me
Of course they don't contain any backdoors, they're counterfeit Cisco routers
You seem to troll that China is not a threat.
I don't know about the future, but I know tomorrow's invaders won't be speaking Dutch!
-Billco, Fnarg.com
I think the past couple months of economic headlines are putting to rest that notion that destroying your manufacturing base is a good idea. We were a lot better off when a lot more stuff *was* US made.
... But they might be aided by Python.
Colorless green Cthulhu waits dreaming furiously.
Since contractors have been getting all of the money from the "War on Terrorism" this is the only way that the Pentagon could afford "Cisco" routers.
Also could be getting these from the back of cars and SUVs down the street.
Damnit I knew they were counterfeiting when they said they made an Authentic Crisco Router
09F911029D74E35BD84156C5635688C0
+2 Troll is Slashdot's way of saying groupthink is confused
This is all coming down to the fact that we need to assume NO network is secure; that we may be subject to man-in-the-middle attacks even within our own networks.
The solution is not to verify every chip, because that's probably impossible. Somebody's going to sneak something in somewhere. The solution is to make all data that travels through the chip unintelligible -- e.g. point-to-point encryption for *all* connections.
Once you encrypt all communications, the biggest security concern becomes the endpoints, not the myriad of things in between.
Keep mission-critical systems off-line. Do I need to repeat it? Perhaps with wireless routers there is an issue, but the ones in the picture looked to be of the wired variety. If they are on closed systems, with good physical security, it doesn't matter how many back doors they have.
I could suggest that we start building our routers using inexpensive computers running open source *nix operating systems, but the firmware in the NIC cards might be infected. The fine line between software and hardware means that malware can exist at any level. I would think that for engineers with no ethics, there is a wide open world of opportunity creating infected hardware for the future. I think we are on the brink of a "Warm War" where the weapons are computers and communications.
I guess film could be called "flash memory" after the flash went off.
RTFA below, the gear isn't the same, and does not use all the same parts and process which leads to the fakes having a higher failure rate. These probably aren't being produced in the same factory as the genuine gear, but probably a nearby one that has contacts in the real factory to supply the plans etc.
http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1-v2.shtml
========
CINC, 4th Penguin Legion
Lev Andropov: It's stuck, yes?
Watts: Back off! You don't know the components!
Lev Andropov: [annoyed] Components. American components, Russian Components, ALL MADE IN TAIWAN!
Nice post. Hardly any facts, no meaningful statistics, and certainly no coherent arguments but I'm the one "drinking the coolaid". Sure... You stated earlier that the US has no manufacturing left which is demonstrably wrong and now you are off on some useless rant about national debt, 30 year mortgages and MBAs. I've no idea what you're so pissed about but it clearly upsets you whatever it is. That's one of the more random bits of ranting I've read in quite a while.
Iran got to read its diplomatic cables in the press.
What did Cisco get to read?
http://english.ohmynews.com/ArticleView/article_view.asp?menu=A11100&no=381337&rel_no=1&back_url=
Domestic spying is now "Benign Information Gathering"
Oh, they most certainly are. Python is such a resource hog, it's driving up demand for bigger servers, which just happen to use parts manufactured behind the Great Wall.
Python and Ruby are real money makers.
-Billco, Fnarg.com
I told you I *remember*. Short mortgages and short car notes were the norm, not the exception. One chump change blue collar job was plenty of money to support a large family with just one spouse working, with full benefits, good savings accounts, being able to afford all those kids going to college, and etc. Now, think the economy can match that? I sure ain't seeing it. When I was a younger dude, two spouses working was *rare*, it just wasn't necessary, not a bit.
I've been listening to these globalist pirates' lies for decades now. What do you dispute? That we aren't now the world's largest debtor nation, when a few decades ago we were the largest creditor nation? You catch the news the other day, they are projecting next year that 10% of the entire US population will be receiving food assistance. That's a good economy? You think crappy alleged service jobs and government make work jobs are actually better than the nuts and bolts manufacturing jobs with full benefits they shipped away by the multi millions?? Because that is all that is gaining is mostly McJobs and government drone jobs. Our biggest automakers slide nearer to being just totally bankrupt, always years behind the curve, because they got moribund, led by Wall Street pirates and corrupt union heads out for short term profits with no forward looking. We got banks needing bailouts from the Fed on *huge* scales, and despite the bailouts tons of them are laying off right and left. This is good? You actually think having to bailout the largest banks is clear sign of a great thriving economy? You really expect me to dig up links for that basic information, that's been in all the headlines for months now? We have personal bankruptcies and mortgage defaults at the highest levels in generations. The dollar continues to drop in worth daily, personal savings are at the lowest point since the great depression. This is good? That's all verifiable stuff but I ain't someone's personal google researcher either. This is basic, normal headlines information, I just have a memory that covers a longer timespan and can remember what stuff was like when the US actually made most of the stuff we found in the stores, and the economy was just overall better then. The drop has come about exactly parallel with killing off huge segments of the manufacturing base. Look at textiles, or furniture making, mostly gone. Hells bells, we don't even make ball bearing in the US anymore, or even TVs.
Normal manufacturing things or normal consumer products. Mostly gone.
Is it all gone, nope, OK- I admit that, it isn't "all" gone, but ton of it gone and a lot of folks hurting and is the economy heavily skewed way towards the more controller class than ever? Heck ya it is and you'd have to be drinking more than a glass of that globalist koolaid to not admit it.
Now fair trade I could see, but this bullcrap they push called "free" trade? Nope, scam, conjob, selling off the seedcorn, pawning your tools, just stupid.
Sure, I admit it is a rant, but that's all true stuff and it's a rant because of those globalist traitors and the lies they have pushed have about ruined it all. I *care* about my neighbors, even the ones I don't know personally, and it is hurting them and will continue to hurt them and it is going to get much worse...hence..the ranting tone. It is deserved, they deserve it. You watch once the buck slides down even more how much folks will be hurting because of fast price rises, just wait and see. This has been around 30 years or so in the making, and everything the bears (and me) said way back when is coming true, because it followed a simple logical progression and it clearly violated the number one principle of wealth-wealth is grown, mined, or manufactured, you can't busy work paper shuffle your way to wealth, not for very long anyway, that is a grifter's scam and is what they have been doing with their toxic waste paper financial products games that they pushed after they sold off and gave away the robust manufacturing base. I guess you had to see