Slashdot Mirror
UPS Denies Helping the NSA 'Interdict' Packages
An anonymous reader writes "When Glenn Greenwald's book came out recently, one of the most startling revelations was that the NSA has been intercepting shipments of networking gear to add spyware. Cisco was one of the vendors whose gear was altered, and now their shipping provider has spoken up about it: 'UPS, which Cisco has used since 1997 to ship hardware to customers around the world, said on Thursday that it did not voluntarily allow government officials to inspect its packages unless it is required to do so by law. "UPS' long-standing policy is to require a legal court-ordered process, such as a subpoena, before responding to any third-party requests," UPS spokeswoman Kara Ross wrote in an e-mail to TheBlot Magazine. "UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments." In a follow-up e-mail, Ross said UPS had no knowledge of similar orders from the FBI, CIA or any other federal agency.' That sounds like carefully parsed language to me. 'Did not voluntarily,' 'unless it is required to do so by law.' Perhaps they're bound by a National Security Letter?"
Not voluntarily unless required by law? Why do companies release statements like this? It just makes them seem more guilty. Better not to say anything.
If the device is made (or packaged in the US) and is being shipped overseas, the NSA can grab it at customs, there is nothing the shipper can do about it.
I was once a fool to think I could believe anything the Government, or Corporations told the public. No more.
This is how resentment is nourished, and enemies are made! How can they not know this is bad in the long run?
Excuse my ignorance, I am not from the U.S., but I thought only the F.B.I. could serve National Security Letters. Can the NSA also serve them?
I watched sneakers a couple days ago (it's on netflix) and nearly shit my pants at the end when Robert Redford reveals the magic decryptor box isn't for spying on the russians, it's "for spying on us". (Of course, they meant the NSA was spying on the FBI/CIA but still... future predicted).
Do you even lift?
These aren't the 'roids you're looking for.
When you weaponize U.S. technology products to the extent that the NSA has, don't be surprised when no one wants to buy those products in the future.
What foreign CEO or government official wants U.S. technology in control of their banking industry? Their communications infrastructure? Their manufacuring base? Their electrical power and distribution network?
Can you imagine the U.S. response if the critical infrastructure items such as those listed above were found out to be backdoor and controllable at will by the Russians? Chinese? Indians?
The U.S. has a serious reputation problem right now. We need to stop this nonsense immediately if we expect our tech industry to survive.
It takes a second to destroy a reputation - it takes years, sometimes decades to build it back.
"Perhaps they're bound by a National Security Letter?"
Maybe. It could also be exactly what they say - When presented by an actual warrant to intercept items (EG for goods purchased with stolen credit cards or contraband) they follow it. That WOULD include national security incidents too but, as they say "UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments" and I'd think a gag order would prevent them from affirming or denying the issue.
Because we know the NSA never does anything without a valid court order.
Just like Google, Microsoft, Apple, etc, etc. Nobody wants to fess up, but some appear to be "trying" to step up to the NSA now.
I wonder if they (private companies) secretly allowed it(NSA infiltration) to happen under fear of the NSA using whatever power they have to get the companies shut down if they didn't follow suit. Now that the public has been informed, the companies are using all the plausible deniability they can to prevent lawsuits. In the case of the UPS, I don't think there's any plausible deniability to use...It's not a software system that the NSA could exploit per-se.
Or is it the case these companies really are just as corrupt as the NSA?
I really don't see any other alternative, unless you want to argue that Snowdens docs were fake (Highly unlikely).
Isn't UPS pretty much made up entirely of mailroom dudes?
The only thing in the statement of possible value is that UPS don't break security for just anyone. Well, isn't that expected... law and part of conditions of posting? If not, then there is possibility of interpreting this statement at face value.
However, if secure postage in terms of the law is guarenteed anyway then this statement says _nothing_. And if a statement says nothing then the purpose is clear - they are desperately trying to sub communicate under a gag order. Trying hard to highlight the problem to those who can read between the lines to bring attention to the economic damage gag orders are having to the economy.
I don't know if UPS ensure any security of packages so I don't know which it is - maybe you do.
A blog I run for the wealth
Would the NSA be bold enough to physically interdict trucks? Guys with badges and guns tell you they need something in your truck, tell you you never saw them and by the way, driver Fred, you did a nice job on that new downstairs bathroom, tile job looks real professional, I'll bet your wife and daughter really like how nice it is there.
Or is it even remotely practical to identify specific package/truck combinations?
Seems to me that unless the law prohibits it, tech companies will need to start using tamper evident packaging. Then it won't matter if the NSA, CIA, FBI or other 3 letter agencies intercept the product during shipping. Perhaps glitter embedded in varnish painted over critical screws/fasteners, then photographed from various angles and posted to a web page, or emailed to the customer prior to shipping. Then if the item is intercepted the 3 letter agency will have a rather ... difficult ... time bypassing those seals such that careful examination upon receipt against the photographs received earlier won't reveal any tampering.
Of course they're gagged by a National Security Letter. This whole process is disgusting.
"Stories on rearranged routing yielded great overstatement today. For UPS customers keep invaluable. No government necessitated said law!"
Cisco could make life miserable for the NSA by warehousing its gear in countries that won't cooperate with the US. Non-US orders could be filled from the closest such warehouse.
Non-cooperating countries that spring to mind include Russia (for European orders), China (for Asia), Venezuela (for S. America) and maybe Palestine (for the Middle East and Africa). I don't believe there are any N. American countries that the US can't coerce, so maybe the affected countries should use other network vendors.
The downside is that delivery times for overseas orders might become quite long :-) and/or spendy.
In a follow-up e-mail, Ross said UPS had no knowledge of similar orders from the FBI, CIA or any other federal agency.
This just beggars belief. It's well known that all US couriers have security divisions that work with federal and state government agencies. They routinely help with investigations of suspicious packages containing drugs, counterfeit products, explosive materials, firearms, etc.
Here's what one UPS executive, customs and brokerage manager Norman T. Schenk, had to say in a Congressional hearing in 2000 on how to stop illegal drugs from being delivered by mail:
Our partnership with the Customs Service has dramatically ...
curtailed the flow of contraband. Today, Mr. Chairman, we urge
you to ensure that the Customs Service has the 21st century
tools it needs to maintain the extraordinary growth of commerce
in this new millennium. Last year, the United States received
21 million commercial shipments. By 2004, that number is
projected to climb to 50 million. Customs simply cannot inspect
each shipment by hand.
Mr. Chairman, full funding of the new automation system
known as ACE, the Automated Commercial Environment, is
essential for Customs to keep pace with the growth of commerce.
No technology can enable the Customs Service to inspect 50
million shipments, but ACE can help Customs leverage the power
of information to target its inspections efficiently and
precisely.
Our own experience at UPS shows the difference such a
system will make. Our advanced electronic manifesting procedure
provides Customs with extensive information from the
destination of a parcel to a description of its contents on
every package we transport to the United States before it
arrives at a UPS facility.
In addition to our work with Customs, UPS conducts an
aggressive and thorough drug interdiction program of our own.
We train delivery drivers to spot packages that may contain
illegal drugs. We screen for suspicious parcels. We routinely
work with the other law enforcement agencies like the FBI, DEA,
and State and local authorities, including providing them
information about any offender we identify.
So they not work with 3 letter federal agencies routinely, but they do it without the prompting of a subpoena, or NLS.
This all presupposes that Cisco wasn't sending these routers to Fort Meade to begin with, with the NSA re-shipping the routers to their final destination after modification.
Don't forget "It's our standard policy not to" which is NOT the same as "We didn't" of course.
SJW's don't eliminate discrimination. They just expropriate it for themselves.
OK, so the NSL is basically a secret letter, that nobody wants to talk about. How do they (recipients) even know if/when they're legit. It's not like there's a 1-800-DIAL-NSA number to check it out.
What's to stop "shady group X" from getting some serious looking guys with suits, sunglasses, and some fake ID's+forms to drop by the local datacentre and say "OK, we're NSA and we need records/access from this group of servers here. Oh, and you can't talk about this to anyone. Delay us and very bad things will happen to your and/or your business"
And of course they are blaming the economic damage on getting caught as opposed to, well, what they were doing.
Of *course* they are. They're responsible for the consequences--but they also are right, Snowden's whistleblowing was also a cause. He has (with them) done probably billions of dollars of harm to the US tech industry.
Without him, it wouldn't have happened. Without them, it wouldn't have happened. They both did it for motives that they believed justified the cost.
In almost every way The National Security Organization is a lawless, limitless, overreaching mistake, with no applied checks and balanves. The NSA exemplifies the start of what can go wrong.
https://www.youtube.com/c/BrendaEM
Or... they could have received a National Security Letter.
By law, they have to deny the existence of the letter and its contents.
By law, if they have received a NSL, they have to say that they are "not aware of receiving any court orders or subpoenas from the NSA".
See, perfectly clear denial.
I don't read your sig. Why are you reading mine?
Or, they could have received a National Security Letter which requires them to deny the existence of the letter and its contents.
I don't read your sig. Why are you reading mine?
My takeaway is that UPS doesn't care what I ship, as long as it doesn't damage their business model. Unfortunately despite their size, they're not big enough to tell the gubberment to go get stuffed. Well, they could - once.
since the NSA also happens to slap gag orders on everyone too. Pointless.
That's as stupid as blaming the police for the crime rate because if the police didn't write up the reports the crimes wouldn't be counted.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
If they interdicted your router you'd never get it.
We have no authority to accept or implement NSLs at this company site. Please deliver them as an e-mail attachment to our government compliance department's (publicly readable) server.
Have gnu, will travel.
All sorts of things. A simple example that comes to mind is a patch to add an invisible extra user account with enable privileges.
Or, they could have received a National Security Letter which requires them to deny the existence of the letter and its contents.
I really want one of these companies to stand up and say "we got an NSL, so we can't tell you anything". Seriously, what would happen if Google did this? Does anybody really think that Larry Page would be sent to Gitmo?
They do threaten to send you to jail if you disclose anything about an NSL (even its existence).
I don't think anyone wants to take a chance with their life and liberty to test them and find out.
Best to just go along and cooperate with the man.
Just look at Snowden. On the run. Trapped in Russia. He disclosed the existence of warrant-less wiretapping and other dirty tricks.
I don't read your sig. Why are you reading mine?
A solution to this was invented centuries ago. Seal the packages of network hardware with tamper-proof seals (something involving smart cards that the NSA can't duplicate) from the manufacture. Make it impossible for the NSA to open the package without making the customer aware the package was opened in transit. If a package was opened in transit, return to sender and Cisco engineers can figure out how the NSA is implanting bugs.
You, sir, made my day :)
"If you have nothing to hide, you have nothing to fear." - Every fascist, ever
what else could they say. the only scenarios that exist are
A) they did do it as required by law, and are under gag order to not disclose that it happened
B) they didn't do it, but would if required by law.
That's it, they basically just said "we adhere to the law" nothing more nothing less.
You nailed it. UPS is scott-free. All UPS have secured federal facilities into which all cross-boarder shipment pass and "you don't need to know whats going on in there." Bahhhhh, don't piss on us and call it rain, we know better.
But who do they send to jail? The NSA does not show the security letter to every person at the company. It may not even show it to the CEO. The more people it's shown to the less secure it becomes. But if there's some significant activity that's going to happen then a lot of people have to know about it. You can not just have the foreman say "ignore the strange people who are opening the boxes against company policy" because questions will be asked. If anything unusual is happening from business-as-usual then someone will notice.
So if the NSA were doing things like this (it is still just an allegation) then it seems to me to be unlikely to be done through a shipping company.
Have you stopped beating your wife? That's similar to a lot of these types of questions; you get back a legal answer and someone is going to say "they didn't answer the specific question that was asked with a simple yes or no, so they must be hiding something." But that sort of answer is exactly the answer you will get if they were not cooperating with the NSA in any way. The problem comes with assuming the party must be guilty and the questions are just fishing for confirmation of guilt.
Much less exposure to just re-route the shipping to the NSA than to have NSA people at the manufacturers warehouse opening boxes.
NSLetters are addressed to the man in charge (CEO), he can't disclose to anyone without permission (i.e. I need to have Fred patch in your backdoor).
I don't read your sig. Why are you reading mine?
For real? I suppose denying knowledge of a government investigation via a NSL isn't lying even though you have knowledge of such an investigation (or request for information). NSLs require lying if a third part inquires about it.
"Those who can make you believe absurdities can make you commit atrocities." - Voltaire
UPS isn't stupid. If they really wanted to deny something, they would have used strong and clear language to do so.
SJW's don't eliminate discrimination. They just expropriate it for themselves.