Slashdot Mirror

← Back to Stories (view on slashdot.org)

To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses

Posted by timothy on from the name-is-smith-john-smith dept.

An anonymous reader writes with this news snipped from The Register: Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says. The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers. The interception campaign was revealed last May. Speaking at a Cisco Live press panel in Melbourne today, Stewart says the Borg will ship to fake identities for its most sensitive customers, in the hope that the NSA's interceptions are targeted. 'We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who, ultimately, it is going to,' Stewart says.

13 of 296 comments (clear)

  1. Re: Boxen? WTF? by bws111 · · Score: 1, Insightful

    No, it isn't. Boxen means related to the boxwood tree. Boxes is the plural of box. Boxen is only used by people who want to sound smarter than they are.

  2. Re:boxen and Borg? by serviscope_minor · · Score: 4, Insightful

    What?

    You just lost you nerd cred, that's what. I sentence you to 5 hours of reading the jargon file.

    --
    SJW n. One who posts facts.
  3. No confidence by Anonymous Coward · · Score: 3, Insightful

    I still can't trust that mechanism. Cisco needs to offer tools to verify the devices are genuine.

  4. Re:boxen and Borg? by bill_mcgonigle · · Score: 3, Insightful

    What?

    "Editors"

    While admiring Cisco's efforts here, this seems hard. At least these criteria would need to be satisfied:

    1) the order would have to come in over an actual secure channel and be handled on known-secure systems.
    2) the payment could not be processed until the delivery was made. Once the payment is made, the delivery location is compromised for future orders.
    3) the shipment would have to be to a location that does not appear on the MLS. The receiver would have to follow tracking and send a courier out to meet the delivery driver (a easy expense for the right customers).

    Driving to a distributor for pickup also seems like a good idea, so long as #2 is adhered to, since it amplifies the required effort of an attack to intercept several palettes of gear.

    What other attacks are there on such a secure-delivery system using a common carrier?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  5. NSA doesnt' know? by ugen · · Score: 5, Insightful

    Seriously, I would assume that NSA at least has a "mole" in the order processing/accounting/shipping dept. at Cisco. Unless Cisco pays a lot more than market to these rank-and-file employees or gives them benefits unheard of elsewhere, they aren't particularly hard to get to cooperate, I would guess.

  6. Re:Not new by fictionpuss · · Score: 4, Insightful

    If the NSA does not already have access to Cisco's obfuscated address system, then they are not doing their job.

  7. Re:Boxen? WTF? by plopez · · Score: 4, Insightful

    So what is the pl. of "ox"? "Oxes"? I think not.

    --
    putting the 'B' in LGBTQ+
  8. Re:Boxen? WTF? by fhage · · Score: 5, Insightful
    Kids these days... Digital Equipment Corporation (DEC) VAX.

    We had several Vaxen in our lab.

    It's used to show who groks tek. Sales dept use "Vaxes". Users say Vaxen.

    Now, get off my lawn. I just mowed it.

  9. Re:Boxen? WTF? by in10se · · Score: 2, Insightful

    How can you call yourself a /. reader having not read The Jargon File?

    --
    Popisms.com - Connecting pop culture
  10. Re:Boxen? WTF? by Molt · · Score: 4, Insightful

    I view it more as required reading for anyone who plans to spend time at MIT in the 1960s.

    --
    404 Not Found: No such file or resource as '.sig'
  11. Trust by Anonymous Coward · · Score: 4, Insightful

    Good job NSA! Way to destroy not just any integrity we had left as a country, but also undermine trust in the products we sell as well.

  12. Don't ship, send an employee-courier by davidwr · · Score: 3, Insightful

    If it's THAT sensitive, either have the customer pick it up from a Cisco-controlled location or have a Cisco employee hand-deliver it to the customer.

    Use tamper-evident seals and use something like a "warrant canary"-like system so the delivery person can effectively tell the customer that to the best of his and Cisco's knowledge the shipment was not tampered with en route: The absence of a followup message from Cisco guaranteeing that the shipment and delivery were not intercepted would be treated as a message that it might have been intercepted.

    Speaking of "canaries" I wouldn't be surprised to see specialty shipping companies or specialty-arms of big-name shipping companies use "canaries" to guarantee that their shipments were delivered to an authorized person and not tampered with en route.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. Re:Not new by hjf · · Score: 3, Insightful

    As a foreigner, I believe it is incumbent upon you as American citizens to OUTLAW THE FUCKING NSA.

    Seriously? A WORLD CLASS COMPANY SHIPPING TO DECOY ADDRESSES to avoid ILLEGAL GOVERNMENT SPYING?

    WHAT THE FUCK, AMERICA?