Cisco, US DOJ Fire Another Salvo At Peter Adekeye
theodp writes "Citing the widespread practice of sharing passwords for expediency's sake, Cisco's Chief Security Officer proclaimed in 2007 that people 'need to be held accountable for their risk-taking,' noting that CEO John Chambers drives home the point that 'information security is everybody's responsibility' at Cisco. But instead of accepting responsibility after a Cisco employee provided his ID and password to ex-Cisco engineer Peter Alfred-Adekeye, the networking giant sic'ed the Feds on Adekeye, who was slapped with a five-count indictment by a Federal grand jury last week. Adekeye's crime, according to the Court filing, was using the login credentials the Cisco employee provided him with 'in excess of the specific use granted by the Cisco employee.' For his five downloads of different versions of Cisco IOS — four of which were launched within a 15-minute period in 2006 — the government is seeking a penalty of 5 years imprisonment for Adekeye, a $250K fine, and 3 years supervised release. It's the latest salvo fired in the war Cisco and US prosecutors have waged against Adekeye since he filed an antitrust suit against Cisco in December 2008."
With all the recent layoffs that Cisco has had recently, you'd think they'd find a better way to continue to save money rather than axing employees and then taking the saved salaries and redirecting it to the lawyers.
use Cisco, go to jail.
At least that's what I'll remember of this story.
So, an actual Cisco employee gave him his credentials, he logged in to pull down the stuff he needed (and fairly quickly from the looks of it) and someone thinks that's worth 5 years in jail?
Charge the Cisco employee who gave him the password ... from the sounds of it, he did exactly what he was given the credentials for.
I don't get this. Are they alleging he illegally accessed the server? Or that he accessed more than he was supposed to?
Lost at C:>. Found at C.
this is the Computer Fraud and Abuse Act, which basically makes it a Federal Crime to 'do anything we don't like, with a computer'.
it is overly broad and probably unconstitutional.
that is, if someone would challenge its constitutionality in court.
if you don't know about the Thomas Drake case, google it
same for the specific counts against Manning (i.e. the 'collateral murder' video, well, they are trying to get him on the exact same paragraph here, 18 usc 1030 a 2)
Anyone reading this should also read how Cisco lied and got him arrested in Canada ... there's a link right below the description but I'm posting it again here as well:
http://www.techdirt.com/articles/20110722/02351315202/how-cisco-justice-department-conspired-to-try-to-destroy-one-mans-life-daring-to-sue-cisco.shtml
http://arstechnica.com/tech-policy/news/2011/07/a-pound-of-flesh-how-ciscos-unmitigated-gall-derailed-one-mans-life.ars/1
behold the stupidity that is the federal computer law
Four words: D M C A.
I got to the second page, when I saw they made a claim:
Did they even bother proof-reading it if they can't get the name of the company's domain name correct? This sort of sloppy work makes me wonder if the lawyers are incompetent, or if this is a joke.
Build it, and they will come^Hplain.
That's not what they're saying. They're saying that the person who shared the password should be responsible. Did you even read TFS?
Your hair look like poop, Bob! - Wanker.
Private citizens cannot file antitrust suits.
So we'll just ignore everything else you wrote, since that's likely made up too.
http://dockets.justia.com/docket/california/candce/5:2008cv05391/209307/
I'm not clear on these points also. Is it true that every time I log in to my slashdot account I have penetrated a corporate network?
Summary: Man penetrates corporate network with hot credentials, man copies software from illegally penetrated network, man complains when law enforcement gets involved.
Not only that, but he was let into the network to recommend his company become a preferred partner of Cisco. Why he decided to d/l software he was not authorized to possess is beyond me, but you would think he would realize that was likely to piss off Cisco.
There is more to this story than meets the eye; Cisco would not bother to do this unless there was something else at stake. My guess is there was some concern about how he planned to use the information he had gotten; or over the initial establishment of his company.
Of course, at /. big corporation bad is the general response...
I'm a consultant - I convert gibberish into cash-flow.
Seriously, this passed sanity a long time ago, someone has a chip on their shoulder.
"I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
because people do this all the time, (sharing passwords) at every company in america.
and 99.99999% of them don't get any jail time, and the federales don't care. they have better things to do, like going after Mara Salvatrucha and mexican drug lords.
it just is a bizarre coincidence when the one guy they do choose to go after just so happens to have been a small business man in competition with a behemoth that some would argue is guilty of violating the anti monopoly laws.
on the other hand I do agree with the rest of your post, the writing of the summary could be improved a great deal.
Who says they didn't punish that employee? Secondly, how does that change the fact that this guy did something he was not authorized to do? So if you give me a key to your house to bring in your mail I can steal your TV without any consequences since you gave me the key to the front door?
Cisco employee with valid credentials lets Adekeye log on for a few minutes to get what he needs. IMHO, firing the employee for a violation of policy is about the extent of the redress here.
Check out USC 15, Chapter 1, Section 15.
Because "corporate personhood" is a terrible idea? Because a corporation by definition must behave as a sociopath? Maybe that's why.
this is the Computer Fraud and Abuse Act, which basically makes it a Federal Crime to 'do anything we don't like, with a computer'.
Fair enough, but there is no way anyone can say Cisco is being hypocritical and "not taking responsibility" for the leak, when anyone who works security will say authentication credentials have to be secure or no matter what system is used. That's the purpose of credentials, after all; to allow access.
#fuckbeta #iamslashdot #dicemustdie
He was authorized. A representative of Cisco gave him credentials to use for that purpose. That Cisco representative may not have been authorized to grant said permission, but that is not Peter Alfred-Adekeye's fault.
Money is the motivation. Very likely in the form of Multiven. Mr. Alfred-Adekeye is the founder and CEO of Multiven.
UNIX/Linux Consulting
Go back to Gamilus.
I would say that on the surface, the employee who gave him the credentials to log in and download whatever those credentials allow was a representative of Cisco and that the access Adekeye enjoyed was both authorized and legal. And if that's not the case, then NO access granted by any employee of a company short of the CEO or President of the company and signed by the company's attorney is subject to being considered unauthorized and illegal.
Normally I would, but Cisco has been proven to be complicit in lying and subterfuge in this case.
Check out the note above about what they did in Canada. They fed a boatload of lies to the DoJ which were then parroted to the Canadians to get him extradited here. The Canadian judge was PISSED when this was found out.
It was seriously evil and twisted. How's this: He is a British citizen traveling on a valid British passport. He sues Cisco. He lives in Switzerland and can't get back into the US legally until he resolves some immigration issues, which he has documentation he's been actively trying to do. So he can't come to the US to make a deposition in the case. Cisco doesn't want to go to Switzerland, so they arrange for Canada. Cisco/DoJ has him arrested and held for extradition in the middle of the deposition.
Here's a fun lie: The justification for this was that he refused to come into the US, so he had to be nabbed in Canada. But there is documentation showing he had been continually trying to come back to the US to run his company. A quick check with DHS would have shown the DoJ that Cisco was lying, but they didn't even bother. The judge in the antitrust case knew about the situation and had approved the Canadian deposition.
If they wanted him that badly, they could have just granted the visa, he would have entered the US, and he could have been arrested.
He's Nigerian by birth, but he had been a British citizen for years, and a successful executive with IBM, AT&T and then Cisco. Cisco brought him to the US on his British passport. Cisco then fed the DoJ a big story about this shady Nigerian who could flee at any moment if not nabbed in Canada and held there. Without checking, the DoJ passed this false story onto the Canadians.
I've read the Canadian court decision. It is downright scary what happened, Cisco colluding with the DoJ and lying to a sovereign country's courts in order to strongarm a person into giving up his antitrust suit.
You just press the button on the device and hold it to the scanner.
And the info sent by the scanner can't be intercepted? The device can't be stolen or cloned? It's just a fancy-dancy password.
It is the antitrust suit he had going against Cisco. Cisco had locked out any other company that might want to provide maintenance for Cisco products, and that was the business his company was in, so he sued. He had been gathering evidence to use in the case against Cisco, and of course Cisco didn't want that.
Can't he just get a restraining order from a Swiss judge against the two creeps (US, CSCO) stalking him?
After reviewing all of the facts of the case:
"Here we have a man who has no criminal record, who made every possible effort to comply with US immigration laws and procedures, but who dared to take on a multinational giant, rewarded with criminal charges that have been so grotesquely inflated as to make the average well-informed member of the public blanch at the audacity of it all"
The Computer Fraud and Abuse Act is just the tip of the iceberg for Manning. Unlike this guy, Manning has about 22 other charges against him, most of which pertain to violations of national security by someone in the military and/or holding a security clearance. The most serious one is "aiding the enemy" which that alone can get a soldier the death penalty.
The CFAA is just one of many tools they're using against Manning (assuming you are correct that it's a charge in his case). The prosecution could "quite magnanimously" drop it and Manning would still be so screwed he'd have no hope in hell of getting away with it.
You just press the button on the device and hold it to the scanner.
And the info sent by the scanner can't be intercepted? The device can't be stolen or cloned? It's just a fancy-dancy password.
It can't be intercepted if they do the protocol right - your device should sign their (unique) authentication request with your private key, then they verify the request with your public key. Someone can intercept the transaction, but they can't replay it because each authentication request is unique, they'd need your private key to impersonate you.
The device could be stolen, but would presumably be protected with a password and the user would soon notice and report it stolen so it would have a limited lifetime and would immediately arouse scrutiny to see what areas the account accessed after the device was reported stolen.
Use biometrics (fingerprint, iris scan, etc) to protect the passkey stored on the NFC device, and then even if the user wants to share it with another user, he can't. (otherwise he could just give his device+password to whoever he wants to share access with)
The device could be stolen, cloned, and seamlessly returned to the user, but this kind of attack is so difficult that it's not worth the trouble for most secrets (no one is going to creep into your house at night, steal your NFC device, clone it and return it to your house by morning just so they can download a few IOS images). Tamper resistant devices that resist cloning and reverse engineering make it even harder to do this without the user knowing that the device was compromised. They may be able to cut it open and extract your private key, but putting it back together and having it still work is harder.
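The challenge-response exchange described in the comment above, as an added example that is not part of the original thread: the server issues a unique single-use challenge, the device signs it with its private key, and the server checks the signature against the enrolled public key, so a captured signature is useless on any later login. Ed25519, the 30-second challenge lifetime and every name in the code are assumptions made for the illustration.

```javascript
// Added illustration; Ed25519, the 30 s lifetime and all names are assumptions.
const crypto = require('node:crypto');

const CHALLENGE_TTL_MS = 30000;

// Device side: the private key never leaves this closure.
function makeDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { publicKey, sign: (challenge) => crypto.sign(null, challenge, privateKey) };
}

// Server side: knows only the enrolled public key.
class Verifier {
  constructor(publicKey) {
    this.publicKey = publicKey;
    this.pending = new Map(); // hex(challenge) -> expiry timestamp
  }

  issueChallenge(now = Date.now()) {
    const challenge = crypto.randomBytes(32); // unique per login attempt
    this.pending.set(challenge.toString('hex'), now + CHALLENGE_TTL_MS);
    return challenge;
  }

  verify(challenge, signature, now = Date.now()) {
    const id = challenge.toString('hex');
    const expiry = this.pending.get(id);
    this.pending.delete(id); // single use, whether or not the check passes
    if (expiry === undefined || now > expiry) return false;
    return crypto.verify(null, challenge, this.publicKey, signature);
  }
}

function demo() {
  const device = makeDevice();
  const server = new Verifier(device.publicKey);
  const t0 = 1000000; // constructed clock value, in milliseconds

  const c1 = server.issueChallenge(t0);
  const sig1 = device.sign(c1);
  const genuine = server.verify(c1, sig1, t0 + 5);
  // An eavesdropper who captured (c1, sig1) resubmits it: challenge already consumed.
  const replaySameChallenge = server.verify(c1, sig1, t0 + 10);
  // The captured signature presented against a fresh challenge: signature mismatch.
  const c2 = server.issueChallenge(t0);
  const replayOnNewChallenge = server.verify(c2, sig1, t0 + 10);
  // A correct signature that arrives after the challenge has expired.
  const c3 = server.issueChallenge(t0);
  const expired = server.verify(c3, device.sign(c3), t0 + CHALLENGE_TTL_MS + 1);
  // A different device (different private key) answering a valid challenge.
  const c4 = server.issueChallenge(t0);
  const otherKey = server.verify(c4, makeDevice().sign(c4), t0 + 5);
  return { genuine, replaySameChallenge, replayOnNewChallenge, expired, otherKey };
}

console.log(demo());
```

Only the first verification succeeds; the replayed, expired and wrong-key attempts are all rejected without the server ever holding a secret that could be shared or leaked.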
You're out of your damn mind.
Do this and you've 1) assigned ultimate control of all passwords to the government, and 2) assigned everyone a bar code. Sounds like a great idea, Stalin.
How about this (policy at my company since we can't afford a decent auth token solution) - share your password, lose your job. Period. IT occasionally conducts "stings" (i.e., social engineering pen tests) to find out if anyone will do it, thereby keeping awareness and paranoia at a healthy high.
Otherwise, let's not get city hall involved in this, please. Auth tokens are great, but let's keep control in the hands of the organization, or at most a (private) group of central authentication companies.
Deja Moo: The distinct feeling that you've heard this bull before.
Surely the purpose is to deflect responsibility from the investors, not the people who make the decisions directly..?
He probably thought that a Cisco employee letting him in gave him some protection. It's not like he hacked or was even dishonest, basically asking a Cisco employee up front "can I use your account to see what I can get?" You don't do that if you have illegal purposes.
Sounds like he was playing private detective to discover what access engineers had, probably worried Cisco would switch around permissions if the info were asked for in the suit. Given that he would have had this type of access as a Cisco employee, I'm betting that he was checking to see if such access still existed for engineers, probably in response to Cisco saying engineers didn't have that kind of access.
there are a large number of counts against him that are CFAA, or the military equivalent (my favorite: "using a computer for other than its intended purpose")
imho, the CFAA charges against Manning are not the tip of the iceberg - they are the iceberg.
Aiding the Enemy is the shiny barber pole sticking in the top of the iceberg, that everybody notices. Those other charges are there for bullshit reasons, one of which is apparently to set a precedent where nobody is allowed to blog about taking a shit without being put in prison for 10 years.
in a case like this will agree with user erroneous IMHO.
it's sort of like the Drake case. the government is full of shit, but it's really heavy sounding shit that makes you think Adekeye did something horrible.
then when you dig into the details, you find out, well, the government was just full of shit. and all of that heavy sounding tone was just some DOJ moron grandstanding and doing bullshit PR work to try to influence media coverage of the case.
'hey dude could you watch my house and my dog?'
'sure dude. gimme the key'
'ok bro'
two weeks pass...
'dude you took a shit in my toilet!'
'uhmm yeah? so what?'
'so! you violated the toilet fraud and abuse act! I'm gonna sue you! I'm gonna sue you in england!'
Who will foot the bill for the DOJ prosecution and his potential incarceration? Not the corporation Cisco since American corporations are expected to receive tax incentives from governments instead of paying any taxes to them. Certainly not the Cisco executives who are in a tax bracket of their own full of loopholes to preserve their imbalanced incomes. No, it will be the average American who will pay since they are alleged to be the main benefactor of imprisoning this individual in a case which should be at most a civil matter and not a criminal one. This is state capitalism at its worst.
If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be-T J
has been told by their boss "oh just use my password... we applied to get you access 4 weeks ago but they still haven't gotten back to us. and it's off hours so nobody is there who can do it. and this has to be out by tonight"
and they don't get 5 years in prison for it
and Cisco's as well, and revealed that the DOJ was nothing less than armed thugs working at Cisco's direction.
I saw the video of the deposition in Canada. It was in Canada because the US wouldn't let Adekeye into the US. Both the Feds and Cisco knew that Adekeye had applied for permission to enter the US and was denied, but they didn't inform the Canadian police of that, leaving them with the impression that he was a fugitive from Justice. IF he were a fugitive they could have let him in and then captured him at the border. But, what they really wanted to do was further soil his reputation unjustly. So, they lied to Canada about his status. While he was being questioned by attorneys at the deposition a Canadian constable, uninformed of the situation, barged in and served a warrant for his arrest, interrupting the legal proceeding, which was itself unprecedented. Attorneys for Adekeye wanted to shut off the cameras, but attorneys for Cisco wanted them to run so they would have video "proof" of Adekeye's "guilt", as if being accused is the same as being guilty.
The judge's ruling was a very strongly worded condemnation of Cisco and the DOJ, accusing them of collusion in the abuse of power. But, in a country where the government now does the bidding of its corporate overlords, the Canadian ruling bears no weight. It only stands as a moral indictment of both our judicial system and the corrupt corporate environment.
Running with Linux for over 20 years!
I'm not clear on these points also. Is it true that every time I log in to my slashdot account I have penetrated a corporate network?
Yes, and that's the only time you hear the words "slashdot account" and "penetrated" in the same sentence.
*rimshot*
To have a right to do a thing is not at all the same as to be right in doing it
Because "corporate personhood" is a terrible idea? Because a corporation by definition must behave as a sociopath? Maybe that's why.
You do know that corporations are only collections of actual human beings?
To have a right to do a thing is not at all the same as to be right in doing it