To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses
An anonymous reader writes with this news snipped from The Register: Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says. The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers. The interception campaign was revealed last May. Speaking at a Cisco Live press panel in Melbourne today, Stewart says the Borg will ship to fake identities for its most sensitive customers, in the hope that the NSA's interceptions are targeted. 'We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who, ultimately, it is going to,' Stewart says.
"We ship [boxes] to an address that has nothing to do with the customer,"
I know some other companies that seem to do this for about half my orders.
What is a "boxen"?
What?
I would be happy to pay a little extra for this service for non-critical hardware. But if I were actually concerned the NSA would want to twist my knickers there's no way in hell I would: It's a huge red flag for them. Instead I would bribe someone at a different company to accept my shipment and forward it to me.
But let's be honest, if the NSA is interested enough in you to install extras on your hardware, they probably already know your favorite porn, your underwear size, and what you had for breakfast. I'm happy to see extra services appearing for privacy-loving individuals but I don't think this particular one will help.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
They will be cloudified using super secret double Rot13 encryption.
putting the 'B' in LGBTQ+
>> a bid to foil the NSA, security chief John Stewart says
Both John Stewarts are funny guys.
Any links to share showing the actual hardware in use with backdoor installed?
Thx
If I were Cisco I'd send a rep to a few customers believed to be likely targets (at no cost to the customer), have them check the firmware on site w/ JTAG and if it doesn't match, take the firmware apart and publish the malware. Would serve NSA right.
the actual plan is pretty secretive but crap like Smallco at Nowheresville is easy to catch. all the NSA has to do is take a spammer's approach when sifting through UPS and FEDEX databases pertaining to Cisco. Using Sparse Orthogonal Bigrams or CRM114 with a combination of known customer addresses and contacts allows the NSA to quickly weed out any future attempt to subvert its practice.
what isn't more difficult to thwart is a conscious customer, and that's the NSA's real problem. A shipment from San Francisco to Dallas for example, that takes a detour to Boson, could be good reason for suspicion. anti-tamper systems like tip-n-tell, environmental dyes, tamper seals, or a combination of these systems as well as the much maligned DRM signed firmware could make the NSA's efforts substantially more difficult. Finally, getting out of lock-in technology monocultures like dell-everything shops and cisco-anything shops is helpful. a moving target is, after all, harder to hit.
Good people go to bed earlier.
Really... when was the last time any of us thought Cisco was the best choice for a project?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
If you are sophisticated enough to intercept shipments to known addresses what is to stop you from intercepting those to unknown ones and ignoring those to good addresses? It's a bit different than saying let's get boxes to X and ignore YZ to get any not going to YZ? More labor intensive, but some cross referencing of unknown addresses and intel work could still allow an intercept operation to continue.
Alternatively, a little human engineering where a big buyer of Cisco products in the US government says "Fine. Good idea. Customers will think we can't get at the boxes. Now, let us know the drop box addresses so we can continue doing this."
Alternatively, overseas shipments to odd addresses could be delayed while Customs makes sure they don't violate any export agreements...
I'm a consultant - I convert gibberish into cash-flow.
I still can't trust that mechanism. Cisco needs to offer tools to verify the devices are genuine.
I expected him to go into politics or something like that. But I guess Cisco security chief is not that bad. Not as funny probably, although I do laugh at some of their obscenely overpriced stuff.
Quick question, how exactly do they establish these fake identities? It would not be such a good scheme if all it does is flag shipments for NSA "hey, look at this, we don't want you to know where it is going"...
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
This strikes me as either silly (very James Bond), or an indication that Cisco doesn't even trust its own employees.
Otherwise, why wouldn't Cisco just hand deliver the items using its own employees?
Taking this cloak-and-dagger approach implies that if anyone at Cisco knows who's receiving the hardware, then it is at risk, meaning that Cisco is compromised and knows it.
Seriously, I would assume that NSA at least has a "mole" in the order processing/accounting/shipping dept. at Cisco. Unless Cisco pays a lot more than market to these rank-and-file employees or gives them benefits unheard of elsewhere, they aren't particularly hard to get to cooperate, I would guess.
by putting their stuff into the Cisco boxes in the factory. Wait, aren't they already doing that?
The author embiggened that article with his cromulent vocabulary.
If your packages are intercepted, isn't that the shipper's fault? How could they be intercepted except when in the shipper's custody? Seems like Cisco should be big enough to be pressuring UPS not to let NSA hijack their packages.
Better solution: include an iPhone and backup battery in the shipment. Use Find my iPhone.
Or just use FedEx's or UPS's real time tracking :-)
-- I was raised on the command line, bitch
You see, the US Government is very keen about governing exports. They prohibit shipping many products into restricted countries and they actively police it in a serious manner. Anyone whose product gets found in a restricted country is in hot water. It doesn't matter if the product(s) was sold through an intermediary or 20 middle men, the manufacturer is 100% responsible for asserting, under penalty of law, that their products will not end up in a restricted country and that's that. The treasury department even publishes a monthly list of offenders they catch but I apologize as I cannot seem to find it on google.
To address this issue, many companies that have been caught are required by the US Treasury Dept to document every single end user of their product. Yes, every single unit that is sold must be documented as to where its final resting place is. I doubt Cisco is under this kind of requirement (unless they've been caught in the past) but it seems this new policy is a huge risk for them in that area. If you were an Iranian supply store trying to procure Cisco equipment, this seems like a good way to do it without anyone knowing or being able to track it --- and that's a serious risk for Cisco.
The minute one of those units gets found in Iran (or any restricted country), all hell will break loose. Again, it doesn't really matter how it got there.....
Here is a good overview of the requirements and Here is a company that has a good policy summary that they live by. Smart on them.
Understand that this has nothing to do with NSA or espionage. This is just a basic requirement of doing business overseas and exporting products. Doesn't matter whether it's plastic dog poo, Intel CPU's, lab equipment, cranes, or other engineered equipment
Seems easy to circumvent. The [GOVERNMENT ABBREVIATION] monitors the original online or phone order and knows who ordered it. Who cares where it's being delivered.
Popisms.com - Connecting pop culture
A while ago, I remember reading on /. that one of the top managers in Cisco was either ex-CIA or FBI or NSA employee.
It does not make a fucking difference if they ship equipment to decoy addresses. Cisco shit already has back-doors built into the hardware.
Slashdot needs a "pudger rockin' a fedora" icon for autist keyboard operator submissions
Why not ship them with no firmware installed and let the customer download and flash them on their own. Then there would be no question as to the firmware installed.
We shifted completely to cisco when we realized that stability was cheaper than hardware.
It's up to me to set up a different address where my Cisco product can be delivered in order to "try" to protect it from the NSA? Go Amurica.
Someone needs to put some reins on this out of control horse.
https://www.youtube.com/c/BrendaEM
The idea here is to use that NSA program to imply that the security risks are external to Cisco. Would you not install some undercover agents inside of Cisco?
The NSA seems to have its fingers up so many people's hoo-has, that it could easily sort this out. It's amazing what an agency can accomplish when it's not held accountable for ignoring the Constitution. Fucking traitors.
In another life I worked for a company that made some pretty sophisticated software that we sold together with the high end (at the time) Unix workstations it ran on. Our government sales guy (who happened to be ex-military) related a couple of times where the delivery was to an empty lot, to be picked up by another truck for delivery to unknown final destination.
It's also not uncommon for cases where gear needs manufacturer service that the service tech will be picked up in a (of course) black van and blindfolded until they're on-site at the destination ... so of course they'll have no idea where it is.
It's not all massive data centers in Utah or Virginia.
Mouse-> Mice
Louse -> Lice
House -> Hice
Platapouse -> Platapice
Faux -> Fauce
Fox -> Fice
Box -> Bice
Does nothing if all hardware is compromised prior to shipping. Would they be allowed to tell you if it were? Would they even be aware if it was? Has the government ever looked at their code or received a report from them about potential security vulnerabilities as part of a disclosure required for a government contract or security certification? I'm guessing if they did, that report was sent directly to the NSA.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
1). sneaker net - either Cisco delivers it personally or the customer comes to the factory and picks it up (cheaper and remove liability)
2). drones - amazon is experimenting with them already. Cisco types in the gps to deliver the product in parts to be assembled at the customer site due to weight or in whole. The customer then puts their credit card in the drone and it flies back to cisco for the purchase department to charge it and then flies it back (better yet the customer uses their loyalty gift card which has money already on it and sends it to cisco)
3). make it - cisco sends them a data file of the product and the customer MD5's it to make sure no tampering (like antivir) and loads it into their 3D printer which prints the whole circuit board/product with firmware and software on the spot and upon completion the file self deletes (one time use).
Erwin, what’s the plural for ox? Oxen. The farmer used his oxen. Brian? (chuckling) “What?” Brian, what’s the plural for box? Boxen. I bought 2 boxen of doughnuts. No, Brian, no! Let's try another one. Erwin, what's the plural for goose? Geese. I saw a flock... of geese." Brian! (Chuckling) Wha-at? "Brian, what's the plural for MOOSE?
"MOOSEN!! I saw a flock of moosen! There were many of 'em. Many much moosen. Out in the woods—in the woodes—in the woodsen. The meese wantin' the food. Food is to eatenesen!THE MEESE WANT THE FOOD IN THE WOODENESEN! THE FOOD IN THE WOODYENESEN!" "BRIAN! Brian,.. You're an imbecile." "Imbecilen!"
"What are you speaking? German, Brian?" "German. Jermain! Jermaine Jackson! Jackson Five. Tito!" "Brian, what the heck are you talking about!?" "I don't know. I don't know, really.."
One would hope that the NSA tradecraft is better than Cisco's.
It would be sad if this worked for the targets they are really interested in.
This is about Cisco marketing, not security.
why not catch the bastards in the act? Put GPS trackers and cameras in the shipping containers. You can find out the location of their operations, photograph the criminals in the act, and enable a proper court challenge against their actions.
A better tactic might be to sue the postal companies for breach of contract and possibly try to induce prosecution under mail fraud. Then rig the packages with dye bombs or something that lets the receiving party know if the package has been tampered with. Redirecting packages for purposes of tampering with the contents sounds highly illegal and should result in all kinds of unpleasantness for those responsible.
He's a sergeant in the Chinese Army.
If you trusted Cisco, you'd drive to a random store at a random time and buy a unit off the shelf.
However CISCO sell tech to the US government, and in turn are required to hand their code over to NSA we presume, and certainly have been deeply involved in NSA's cyber security stuff, so I think you have to consider their routers compromised.
http://www.nist.gov/itl/csd/nccoe-041513.cfm
"ROCKVILLE, Md. — In recognition of the critical need to protect private-sector intellectual property and other valuable business data from a growing number of cyber threats 11 major companies have formally established partnerships with the National Cybersecurity Center of Excellence (NCCoE). U.S. Senator Barbara Mikulski, U.S. Cyber Command Commander/National Security Agency (NSA) Director General KEITH B ALEXANDER, Maryland Governor Martin O’Malley, Montgomery County Chief Executive Isiah Leggett and Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher joined the new partners for a signing ceremony today at the NCCOE’s facilities in Rockville, Md."
"At the ceremony, representatives from the new partner companies – CISCO SYSTEMS Inc., Hewlett-Packard, HyTrust Inc., Intel Corp., McAfee Inc., Microsoft Federal Civilian Services, RSA, Splunk Inc., Symantec Corp., Vanguard Integrity Professionals and Venafi Inc. – pledged to contribute hardware and software components and share best practices and personnel with the center."
Onion routing for the Postal Service! Now throw me a couple billion dollars so I can spend it all on hookers and blow.
If you were me, you'd be good lookin'. - six string samurai
Start visiting locations of concerned customers, tear-down their units, check for implants, pull chips, put them in readers, verify firmware, etc. etc.
Figure out what changes are being made to the equipment and then warn customers to check for them upon receipt. Tactics will then change, so check new shipments again 6mos. later.
If they really want to prevent government surveillance, they could start by doing something about Lawful Intercept: http://www.cisco.com/c/en/us/tech/security-vpn/lawful-intercept/index.html The first sentence:
The term "lawful intercept" describes the process by which law enforcement agencies conduct electronic surveillance of circuit and packet-mode communications...
Good job NSA! Way to destroy not just any integrity we had left as a country, but also undermine trust in the products we sell as well.
It's a fu**ed up kind of world isn't it
A shipment from San Francisco to Dallas for example, that takes a detour to Boson...
Didn't they only just recently discover that?
Nonaggression works!
..if we forget about all the serious stuff related to it. Summary: "We don't like all this cloak and dagger spy stuff. We want to distance ourselves from intelligence agencies, and show that we're nothing like them. So here's what we're going to do. The shipment will first be sent to the location disclosed by our asset in the field. Refer to challenge-handshake protocol in the self-destructing memo dispatched last week by home office. After delivering the football, the site will be monitored by an elite team of former KGB and CIA mercenaries. After the pickup, you're on your own. Proceed to the next delivery rendezvous point, and an agent will coordinate with you there. In the event that you are discovered after the pickup, there is a cyanide pill under the seat of your delivery truck."
If it ships from within the USA I won't trust it. Bottom line.
There was a 1950's-1960's British vacuum cleaner brand, named you know what, advertised with the tag line, "nothing sucks like a Vax".
Am I the only one ready to call out that Cisco just invented a Tor Network for physical objects?
The only way to fix this problem is to go to the source and reform our three letter agencies, and the ho-hum reaction to the Snowden revelations suggests that it won't happen anytime soon.
Think about it, we live in the country where the FDA raids Amish farmers, and you expect that the NSA will just sit back and let a multinational company with everything to lose interfere with their intentions. If you think that, you're hopelessly naive!
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
If it's THAT sensitive, either have the customer pick it up from a Cisco-controlled location or have a Cisco employee hand-deliver it to the customer.
Use tamper-evident seals and use something like a "warrant canary"-like system so the delivery person can effectively tell the customer that to the best of his and Cisco's knowledge the shipment was not tampered with en route: The absence of a followup message from Cisco guaranteeing that the shipment and delivery were not intercepted would be treated as a message that it might have been intercepted.
Speaking of "canaries" I wouldn't be surprised to see specialty shipping companies or specialty-arms of big-name shipping companies use "canaries" to guarantee that their shipments were delivered to an authorized person and not tampered with en route.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Considering the manufacturing is already in SE Asia and Eastern Europe, they could ship directly from those locations to their global markets. There's no reason to bring the product back to the U.S. and then send it out to Europe and Asia again.
Granted, the NSA would still be able to tamper with anything coming out of their North American warehouses, but this at least will satisfy the concerns of their foreign customer. And they may still be able to plant moles in those foreign locations, but that's no different than any location in NA so it's not exactly increasing attack surface.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
Applause to Cisco for doing this, but I'll bet the NSA pushes for a law to make interfering with their operations like this illegal.
If by sheer stupidity such a law actually gets passed, expect it to get used against developers who release security patches not long after.
The right to protest the State is more sacred than the State.
Great, so now the level of paranoia is reaching epic proportions - we're having to protect ourselves from our own government. If Cisco believes this program is needed then they're basically saying that our government isn't acting in the best interests of anyone right now (or at least not any Cisco customer). The next headline is going to be "New law prevents anti-intercept techniques".
The NSA is really fucking up the whole world right now.
If it's that important for their customers, why don't they send someone to pick the stuff up instead of send it via a third party? Or have Cisco deliver it themselves.
Maybe CISCO should hire a Transporter :)
https://www.youtube.com/watch?...
just download a Cisco product file, load it into a 3D printer and make one from scratch with all the firmware and software already installed. To make sure it's viral free just MD5 the 3D file before use. Then after printing, the file would self-destruct like mission impossible movies so that the user can only make one copy per use.
A better fix is to capture and prosecute all persons who ever did this and throw the Computer crimes book at them putting them in prison for decades. Following up have Congress do a deep probe of all such criminal activity of the NSA and monitor it heavily to reduce any and all such future behavior. This is completely criminal and needs to be stopped and with great energy.
I used to trade a lot of Cisco equipment either used or parallel channel.
All the equipment that we sold were untargetable, as we didn't place orders with Cisco. We bought whatever someone had in their warehouse, then we sold it to our customer. No one knows who our end user was.... sometimes not even us. Some companies were very cagey telling us anything....
this is an easy problem to solve.
I doubt they even use this stupid technique and Cisco is heavily compromised themselves anyway.
Smallco at Nowheresville is easy to catch.
I often send messages that appear as coming from my neighbors back to themselves by way of non-existent addresses.
Just place the recipient's name in the "return address" and mail it to a bogus destination address, like:
Great Scott's Engineering
1701 Warp Drive
When the mail can't be delivered to the endpoint it makes the return trip and finds its way back to my desired neighbor. Mail is often marked with the starting zip code so one usually can't spoof the return-address to be some other zip code than where you mailed it.
"Would you look at this? The letter was returned to me for insufficient postage, but I didn't send anything to a Soylent Solutions on Selfie Destruct Drive."
"Oh, it's from AC. Says he didn't have a stamp so he sent it to me for free."
Because I am sure the NSA can afford to pay him a million a year to leak the information to them.
Really, try to tell me that boxen doesn't sound cool. N is also easier to follow into other words in a sentence than an S without that 'harsh cutoff' feel at the end of the word.
Cisco should just offer a pick-up service. you can't trust distributors. Retinal scan for pick-up. problem solved.
all equipment going into a NSA data center must be securely shipped to ensure that it's not tampered with. funny, eh?
I often wonder if some of these high tech companies have considered leaving the U.S in light of these types of campaigns.
Moving to a more friendly country that would ensure the sanctity of the company from these types of intrusions?
no matter how good it is, it is human nature always wants to make things better