Cisco, US DOJ Fire Another Salvo At Peter Adekeye
theodp writes "Citing the widespread practice of sharing passwords for expediency's sake, Cisco's Chief Security Officer proclaimed in 2007 that people 'need to be held accountable for their risk-taking,' noting that CEO John Chambers drives home the point that 'information security is everybody's responsibility' at Cisco. But instead of accepting responsibility after a Cisco employee provided his ID and password to ex-Cisco engineer Peter Alfred-Adekeye, the networking giant sic'ed the Feds on Adekeye, who was slapped with a five-count indictment by a Federal grand jury last week. Adekeye's crime, according to the Court filing, was using the login credentials the Cisco employee provided him with 'in excess of the specific use granted by the Cisco employee.' For his five downloads of different versions of Cisco IOS — four of which were launched within a 15-minute period in 2006 — the government is seeking a penalty of 5 years imprisonment for Adekeye, a $250K fine, and 3 years supervised release. It's the latest salvo fired in the war Cisco and US prosecutors have waged against Adekeye since he filed an antitrust suit against Cisco in December 2008."
With all the recent layoffs that Cisco has had recently, you'd think they'd find a better way to continue to save money rather than axing employees and then taking the saved salaries and redirecting it to the lawyers.
use Cisco, go to jail.
At least that's what I'll remember of this story.
So, an actual Cisco employee gave him his credentials, he logged in to pull down the stuff he needed (and fairly quickly from the looks of it) and someone thinks that's worth 5 years in jail?
Charge the Cisco employee who gave him the password ... from the sounds of it, he did exactly what he was given the credentials for.
I don't get this. Are they alleging he illegally accessed the server? Or that he accessed more than he was supposed to?
Lost at C:>. Found at C.
At what point does a judge step in and (hopefully if he/she is sensible) put an end to these shenanigans?
What right does Cisco have to bring U.S. prosecutors over what is basically, in their world, a "violation" of the terms of use? Chrysler can't bring a criminal suit against me if I drive my car like I'm in Project Gotham Racing.
Or is that another version of the MAFIAA?
this is the Computer Fraud and Abuse Act, which basically makes it a Federal Crime to 'do anything we don't like, with a computer'.
it is overly broad and probably unconstitutional.
that is, if someone would challenge its constitutionality in court.
if you don't know about the Thomas Drake case, google it
same for the specific counts against Manning (i.e. the 'collateral murder' video, well, they are trying to get him on the exact same paragraph here, 18 usc 1030 a 2)
Anyone reading this should also read how Cisco lied and got him arrested in Canada ... there's a link right below the description but I'm posting it again here as well:
http://www.techdirt.com/articles/20110722/02351315202/how-cisco-justice-department-conspired-to-try-to-destroy-one-mans-life-daring-to-sue-cisco.shtml
http://arstechnica.com/tech-policy/news/2011/07/a-pound-of-flesh-how-ciscos-unmitigated-gall-derailed-one-mans-life.ars/1
But instead of accepting responsibility after a Cisco employee provided his ID and password to ex-Cisco engineer Peter Alfred-Adekeye, the networking giant sic'ed the Feds on Adekeye, who was slapped with a five-count indictment by a Federal grand jury last week.
Can someone explain to me why the company's CEO should be responsible for his employee wrongfully sharing his password? Disregarding the specific employee's fate for a moment (the link is dead at this time), how is "sic[ing] the Feds" an inappropriate response for someone who illegally penetrated their network?
For his five downloads of different versions of Cisco IOS — four of which were launched within a 15-minute period in 2006 — the government is seeking a penalty of 5 years imprisonment for Adekeye, a $250K fine, and 3 years supervised release.
Summary: Man penetrates corporate network with hot credentials, man copies software from illegally penetrated network, man complains when law enforcement gets involved.
It's the latest salvo fired in the war Cisco and US prosecutors have waged against Adekeye since he filed an antitrust suit against Cisco in December 2008.
Private citizens cannot file antitrust suits.
Insert comment about the quality of free slashdot submissions and obligatory lawn reference.
behold the stupidity that is the federal computer law
I got to the second page, when I saw they made a claim:
Did they even bother proof-reading it if they can't get the name of the company's domain name correct? This sort of sloppy work makes me wonder if the lawyers are incompetent, or if this is a joke.
Build it, and they will come^Hplain.
Seriously, this passed sanity a long time ago, someone has a chip on their shoulder.
"I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
because people do this all the time, (sharing passwords) at every company in america.
and 99.99999% of them don't get any jail time, and the federales don't care. they have better things to do, like going after Mara Salvatrucha and mexican drug lords.
it just is a bizarre coincidence when the one guy they do choose to go after just so happens to have been a small business man in competition with a behemoth that some would argue is guilty of violating the anti monopoly laws.
on the other hand i do agree with the rest of your post, the writing of the summary could be improved a great deal.
I hate cisco as much as the next IT geek, but the problem is the password sharing. This is such a problem and yet nothing has EVER been done in the last 10 years since the dotcom crash.
Here's what I think should happen...
1. No more passwords, for this to happen, shared secret systems must be EASY...
2. Shared secrets are stored in NFC devices (Phones, PDA's, Wristwatches, earrings, whatever) that all future equipment support interfacing with. These devices have a physical switch to enable the communication and when not engaged, simply don't work.
3. The physical device only acts as an authentication token, while the identity verification is done by next-generation Passports, Drivers Licenses, and Medical cards. (Eg, to get the authentication token, they go to one of the three issuing government agencies)
So in the future, passwords simply can't be "shared", when you become employed or fired from a company, they remove the shared secret from their system that is paired to your authentication token. When you want to login to gmail or your website, you just press the button on the device and hold it to the scanner.
I don't see this happening anytime soon, but the ridiculousness of passwords needs to die soon.
Cisco employee with valid credentials lets Adekeye log on for a few minutes to get what he needs. IMHO, firing the employee for a violation of policy is about the extent of the redress here.
Check out USC 15, Chapter 1, Section 15.
this is the Computer Fraud and Abuse Act, which basically makes it a Federal Crime to 'do anything we don't like, with a computer'.
Fair enough, but there is no way anyone can say Cisco is being hypocritical and "not taking responsibility" for the leak, when anyone who works security will say authentication credentials have to be secure or no matter what system is used. That's the purpose of credentials, after all; to allow access.
#fuckbeta #iamslashdot #dicemustdie
Normally I would, but Cisco has been proven to be complicit in lying and subterfuge in this case.
Check out the note above about what they did in Canada. They fed a boatload of lies to the DoJ which were then parroted to the Canadians to get him extradited here. The Canadian judge was PISSED when this was found out.
It was seriously evil and twisted. How's this: He is a British citizen traveling on a valid British passport. He sues Cisco. He lives in Switzerland and can't get back into the US legally until he resolves some immigration issues, which he has documentation he's been actively trying to do. So he can't come to the US to make a deposition in the case. Cisco doesn't want to go to Switzerland, so they arrange for Canada. Cisco/DoJ has him arrested and held for extradition in the middle of the deposition.
Here's a fun lie: The justification for this was that he refused to come into the US, so he had to be nabbed in Canada. But there is documentation showing he had been continually trying to come back to the US to run his company. A quick check with DHS would have shown the DoJ that Cisco was lying, but they didn't even bother. The judge in the antitrust case knew about the situation and had approved the Canadian deposition.
If they wanted him that badly, they could have just granted the visa, he would have entered the US, and he could have been arrested.
He's Nigerian by birth, but he had been a British citizen for years, and a successful executive with IBM, AT&T and then Cisco. Cisco brought him to the US on his British passport. Cisco then fed the DoJ a big story about this shady Nigerian who could flee at any moment if not nabbed in Canada and held there. Without checking, the DoJ passed this false story onto the Canadians.
I've read the Canadian court decision. It is downright scary what happened, Cisco colluding with the DoJ and lying to a sovereign country's courts in order to strongarm a person into giving up his antitrust suit.
It is the antitrust suit he had going against Cisco. Cisco had locked out any other company that might want to provide maintenance for Cisco products, and that was the business his company was in, so he sued. He had been gathering evidence to use in the case against Cisco, and of course Cisco didn't want that.
Can't he just get a restraining order from a Swiss judge against the two creeps (US, CSCO) stalking him?
After reviewing all of the facts of the case:
"Here we have a man who has no criminal record, who made every possible effort to comply with US immigration laws and procedures, but who dared to take on a multinational giant, rewarded with criminal charges that have been so grotesquely inflated as to make the average well-informed member of the public blanch at the audacity of it all"
The Computer Fraud and Abuse Act is just the tip of the iceberg for Manning. Unlike this guy, Manning has about 22 other charges against him, most of which pertain to violations of national security by someone in the military and/or holding a security clearance. The most serious one is "aiding the enemy" which alone can get a soldier the death penalty.
The CFAA is just one of my tools they're using against Manning (assuming you are correct that it's a charge in his case). The prosecution could "quite magnanimously" drop it and Manning would still be so screwed he'd have no hope in hell of getting away with it.
He probably thought that a Cisco employee letting him in gave him some protection. It's not like he hacked or was even dishonest, basically asking a Cisco employee up front "can I use your account to see what I can get?" You don't do that if you have illegal purposes.
Sounds like he was playing private detective to discover what access engineers had, probably worried Cisco would switch around permissions if the info were asked for in the suit. Given that he would have had this type of access as a Cisco employee, I'm betting that he was checking to see if such access still existed for engineers, probably in response to Cisco saying engineers didn't have that kind of access.
You say: "people need to be held accountable for their risk-taking".
I say: "Yeah, like the bailout".
*cough*
there are a large number of counts against him that are CFAA, or the military equivalent (my favorite: "using a computer for other than its intended purpose")
imho, the CFAA charges against manning are not the tip of the iceberg - they are the iceberg.
Aiding the Enemy is the shiny barber pole sticking in the top of the iceberg, that everybody notices. Those other charges are there for bullshit reasons, one of which is apparently to set a precedent where nobody is allowed to blog about taking a shit without being put in prison for 10 years.
in a case like this will agree with user erroneous IMHO.
it's sort of like the Drake case. the government is full of shit, but it's really heavy sounding shit that makes you think Adekeye did something horrible.
then when you dig into the details, you find out, well, the government was just full of shit. and all of that heavy sounding tone was just some DOJ moron grandstanding and doing bullshit PR work to try to influence media coverage of the case.
'hey dude could you watch my house and my dog?'
'sure dude. gimme the key'
'ok bro'
two weeks pass...
'dude you took a shit in my toilet!'
'uhmm yeah? so what?'
'so! you violated the toilet fraud and abuse act! im gonna sue you! im gonna sue you in england!'
Who will foot the bill for the DOJ prosecution and his potential incarceration? Not the corporation Cisco since American corporations are expected to receive tax incentives from governments instead of paying any taxes to them. Certainly not the Cisco executives who are in a tax bracket of their own full of loopholes to preserve their imbalanced incomes. No, it will be the average American who will pay since they are alleged to be the main benefactor of imprisoning this individual in a case which should be at most a civil matter and not a criminal one. This is state capitalism at its worst.
If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be-T J
has been told by their boss "oh just use my password... we applied to get you access 4 weeks ago but they still haven't gotten back to us. and it's off hours so nobody is there who can do it. and this has to be out by tonight"
and they don't get 5 years in prison for it
and Cisco's as well, and revealed that the DOJ was nothing less than armed thugs working at Cisco's direction.
I saw the video of the deposition in Canada. It was in Canada because the US wouldn't let Adekeye into the US. Both the Feds and Cisco knew that Adekeye had applied for permission to enter the US and was denied, but they didn't inform the Canadian police of that, leaving them with the impression that he was a fugitive from Justice. IF he were a fugitive they could have let him in and then captured him at the border. But, what they really wanted to do was further soil his reputation unjustly. So, they lied to Canada about his status. While he was being questioned by attorneys at the deposition a Canadian constable, uninformed of the situation, barged in and served a warrant for his arrest, interrupting the legal proceeding, which was itself unprecedented. Attorneys for Adekeye wanted to shut off the cameras, but attorneys for Cisco wanted them to run so they would have video "proof" of Adekeye's "guilt", as if being accused is the same as being guilty.
The judge's ruling was a very strongly worded condemnation of Cisco and the DOJ, accusing them of collusion in the abuse of power. But, in a country where the government now does the bidding of its corporate overlords, the Canadian ruling bears no weight. It only stands as a moral indictment of both our judicial system and the corrupt corporate environment.
Running with Linux for over 20 years!