Slashdot Mirror


To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses

An anonymous reader writes with this news snipped from The Register: Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says. The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers. The interception campaign was revealed last May. Speaking at a Cisco Live press panel in Melbourne today, Stewart says the Borg will ship to fake identities for its most sensitive customers, in the hope that the NSA's interceptions are targeted. 'We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who, ultimately, it is going to,' Stewart says.


  1. Not new by raftpeople · · Score: 5, Funny

    "We ship [boxes] to an address that has nothing to do with the customer,"

    I know some other companies that seem to do this for about half my orders.

    1. Re: Not new by Anonymous Coward · · Score: 1

      Wrong! They ship boxen!

    2. Re:Not new by fictionpuss · · Score: 4, Insightful

      If the NSA does not already have access to Cisco's obfuscated address system, then they are not doing their job.

    3. Re:Not new by Anonymous Coward · · Score: 1

      Agreed. This is a PR stunt.

    4. Re:Not new by Anonymous Coward · · Score: 1

      Heh, I was gonna say, one piece of paper and Cisco doesn't really have any authority to make these kind of guarantees.

    5. Re: Not new by Anonymous Coward · · Score: 1

      Cardboard boxen?

      in the hope that the NSA's interceptions are targeted.

      Nothing the NSA is targeted, unless you consider "targeting everyone and everything" targeting.

    6. Re:Not new by Phreakiture · · Score: 2

      If the NSA does not already have access to Cisco's obfuscated address system, then they are not doing their job.

      Perhaps, but I believe it is incumbent upon us as American citizens to make their job as difficult as possible. The more steps they have to take to get at our information, the better. The ultimate aim should be to make their data collection so difficult that they have to ration their efforts.

      --
      www.wavefront-av.com
    7. Re:Not new by fuzzyfuzzyfungus · · Score: 2

      If the NSA does not already have access to Cisco's obfuscated address system, then they are not doing their job.

      It doesn't help that the list of addresses that would totally be plausible recipients of an order of big, fancy, networking gear is markedly smaller than the list of addresses.

      Even if you ruled out cracking Cisco (which the NSA obviously wouldn't), bulk characterization of addresses by demographic is something that those sleazy abhumans in 'direct mail marketing' have been doing since before 'spammer' was even a term. Purely by collating publicly available information (or just hiring one of the existing data brokers to do it for them, since they offer exactly such services), it should be fairly easy to flag packages leaving Cisco for destinations that seem implausible in terms of expected demand for networking gear or ability to pay for it.

      There's also the issue, for Cisco, that drop sites in active use by their actual owners will be a bit of a customer service headache; but drop sites 'clandestinely' controlled by those 'sensitive' customers may or may not be as secret as the customers think, and random abandoned buildings aren't exactly ideal storage and transfer locations for expensive and moderately delicate shipments.

      Cisco also has the disadvantage that, if a shipment crosses borders, certain sorts of obfuscation with tax or export regulation implications potentially become legally risky (which a state adversary might well have fun with) and Cisco, because of their ongoing battle with clone components and grey market stuff, has a competing incentive to avoid throwing more mystery into their supply chain or compromising their cooperation with customs enforcement agencies and anti-counterfeiting law enforcement types. That isn't going to get any easier if there is supposed to be a 'Cisco-blessed' underground channel alongside the usual seedy resellers and dodgy discount hardware.

      They don't really have any alternative, if they want to keep customers who aren't pen pals with Uncle Sam; but their ability to talk the talk may well exceed their ability to act on it.

    8. Re:Not new by hjf · · Score: 3, Insightful

      As a foreigner, I believe it is incumbent upon you as American citizens to OUTLAW THE FUCKING NSA.

      Seriously? A WORLD CLASS COMPANY SHIPPING TO DECOY ADDRESSES to avoid ILLEGAL GOVERNMENT SPYING?

      WHAT THE FUCK, AMERICA?

    9. Re:Not new by Phreakiture · · Score: 1

      You will get no argument from me, but I also believe very strongly in attacking problems on as many fronts as you can manage.

      --
      www.wavefront-av.com
    10. Re:Not new by Nyder · · Score: 1

      If the NSA does not already have access to Cisco's obfuscated address system, then they are not doing their job.

      Perhaps, but I believe it is incumbent upon us as American citizens to make their job as difficult as possible. The more steps they have to take to get at our information, the better. The ultimate aim should be to make their data collection so difficult that they have to ration their efforts.

      I find it funny how I was raised in the 70 & 80's being told this is the sort of stuff communist countries (ie. Russia/Soviet Union) do, not free countries. That America would never be like this.

      How fucking times change.

      Thanks America, for showing me the real enemy is politics.

      --
      Be seeing you...
    11. Re:Not new by Trogre · · Score: 1

      This.

      many, many times this

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    12. Re:Not new by eric_harris_76 · · Score: 1

      Actually, it's already been outlawed. The Constitution, nominally the highest law in the land, does not authorize the vast majority of what the NSA does, and in places flat-out prohibits its behavior.

      As this is now post-constitutional America, what's not explicitly authorized, or is explicitly prohibited, hardly matters.

      --
      There's no time like the present. Well, the past used to be.
  2. How much to become a sensitive customer? by Iamthecheese · · Score: 5, Interesting

    I would be happy to pay a little extra for this service for non-critical hardware. But if I were actually concerned the NSA would want to twist my knickers there's no way in hell I would: It's a huge red flag for them. Instead I would bribe someone at a different company to accept my shipment and forward it to me.

    But let's be honest, if the NSA is interested enough in you to install extras on your hardware, they probably already know your favorite porn, your underwear size, and what you had for breakfast. I'm happy to see extra services appearing for privacy-loving individuals but I don't think this particular one will help.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    1. Re:How much to become a sensitive customer? by hcs_$reboot · · Score: 1

      Or maybe Cisco just needs some free advertising?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:How much to become a sensitive customer? by Anonymous Coward · · Score: 1

      I think this is more about sending a message.

      If Cisco has to provide this service to US companies it should be pretty evident what they consider to be the largest security threat to Americans.
      The next question is who has the responsibility to investigate organized threats like that? Is this something that the FBI should look into and if so, why haven't they shut down the criminal elements of NSA yet?

    3. Re:How much to become a sensitive customer? by Anonymous Coward · · Score: 2, Interesting

      How much to pick up product as a will-call at the manufacturing facility?

    4. Re:How much to become a sensitive customer? by ultranova · · Score: 2

      But let's be honest, if the NSA is interested enough in you to install extras on your hardware, they probably already know your favorite porn, your underwear size, and what you had for breakfast.

      Because there's nothing more competent than a government bureau safe from inspections. Which, apparently, is intercepting your shipments just because, seeing how it already knows everything. It wishes you to see it as omnipotent so you won't even try. In reality, it couldn't even hold the loyalty of one of its own.

      All the Powers That Be are funny like that: godlike when unopposed, but once their subjects begin fighting them, their fall is just a matter of time.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    5. Re:How much to become a sensitive customer? by jedidiah · · Score: 4, Interesting

      I think this service is entirely pointless. If you are worried about interception using a common carrier, then you need to stop using common carriers. Full stop.

      You need to use a proper courier. You also need to work on making your gear more tamper resistant.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    6. Re:How much to become a sensitive customer? by MachineShedFred · · Score: 2

      Yeah, this sounds like a great idea until Cisco receives a subpoena for a list of all customers that used this service.

      Whoops!

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    7. Re:How much to become a sensitive customer? by ultranova · · Score: 2

      Oh right. So when do you expect this "fall" to occur? Because there's not much sign of the three-letter gov agencies letting go of the world's private parts any time soon.

      And why would they, when you're signaling right here that you're simply going to submit without a fuss? The NSA will fall when it goes beyond what US citizens are willing to tolerate. Since you tolerate your state killing you, I suppose it might get a while to get there. Or not, as this very story demonstrates.

      I cite Obama's election promise of an end to mass surveillance, which went nowhere.

      Right. So why do you keep voting for the Two Parties? They hardly have a reason to change when, for all your "citing", they can count on your support no matter how they treat you.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    8. Re:How much to become a sensitive customer? by Anonymous Coward · · Score: 1

      I suspect that, at best, this is something Cisco does once in a blue moon. It's something they can tell the customers they do, as a way of reassuring the customers that the NSA isn't messing with their equipment.

      The problem with doing this consistently and uniformly is that it adds unwanted delays in fulfilling customer orders. That too is a customer concern and one that is present in the majority of commercial transactions. Oh, and if Cisco did this with all orders, that would make it possible for the Three Letter Agencies to identify exactly when, how and where all such redirection was taking place. And then the TLAs can devise countermeasures.

      Companies have behavioural patterns and mainstream, heavily used and predictable logistics. There's no viable way for Cisco to devise continuously variable shipping routes, unless they are also willing to sacrifice time to delivery, quality and efficiency. Which isn't going to happen. The demands of a competitive marketplace for networking gear won't allow that.

    9. Re:How much to become a sensitive customer? by Samuel+Dravis · · Score: 1

      From what I understand, the problem was that the NSA was intercepting the package and modifying the equipment before delivery. With a dedicated courier, even if they do get a list of who has what item, they will not be able to intercept the package as before.

    10. Re:How much to become a sensitive customer? by whoever57 · · Score: 1

      Right. So why do you keep voting for the Two Parties? They hardly have a reason to change when, for all your "citing", they can count on your support no matter how they treat you.

      You know that the US has these things called "Primaries", right? That's your opportunity to vote for a candidate who reflects your opinions better.

      Through the money of the Koch brothers, the Tea Party has pulled US politics to the right. It can be pulled back, but not if people give up on voting. In my opinion, those who don't vote have no right to express an opinion on any political matter.

      --
      The real "Libtards" are the Libertarians!
    11. Re:How much to become a sensitive customer? by Cramer · · Score: 1

      Enjoy your flight(s) to and from Mexico, Malaysia, etc. Very little of Cisco's gear is made in the USA.

      But yes, a "retail" market for these things would make it virtually impossible to target anyone. Having to intercept every shipment to Wal-Mart, Target, Best Buy, etc. would be a major pain in the ass, and their tampering would become very apparent. (by retail, I mean a place where you take it off the shelf yourself. Any mail order, and it's back to the NSA being able to get it before it reaches you.)

    12. Re:How much to become a sensitive customer? by MachineShedFred · · Score: 1

      No, but then some government body has a list of people that were so concerned with government eavesdropping that they went out of their way to prevent it. Sounds like a target list for investigation / abuse of power to me.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    13. Re:How much to become a sensitive customer? by eric_harris_76 · · Score: 1

      A recent alternative to electoral or judicial challenges sounds quite intriguing. No doubt a little sober reflection and discussion will remove some of the charm, but it has potential.

      Massive civil disobedience, with support that reduces the risk to the disobedient. This particular proposal is said to be more appropriate for some situations than others, but even so, yeah, let's give it a try. (You first.)

      Here's a podcast by the proponent: http://www.cato.org/multimedia...

      --
      There's no time like the present. Well, the past used to be.
  3. Re:Boxen? WTF? by plopez · · Score: 2, Informative

    box, pl. boxen

    --
    putting the 'B' in LGBTQ+
  4. And credit card numbers will be securely stored by plopez · · Score: 2

    They will be cloudified using super secret double Rot13 encryption.

    --
    putting the 'B' in LGBTQ+
    1. Re:And credit card numbers will be securely stored by Minupla · · Score: 4, Funny

      No! Rot 13 is broken. Hey, Triple DES made DES secure again! We'll do quadrupedal Rot 13! That'll fix em!

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  5. a bid to foil the NSA, John Stewart says by xxxJonBoyxxx · · Score: 3, Funny

    >> a bid to foil the NSA, security chief John Stewart says

    Both John Stewarts are funny guys.

    1. Re:a bid to foil the NSA, John Stewart says by Anonymous Coward · · Score: 1

      >> a bid to foil the NSA, security chief John Stewart says

      Both John Stewarts are funny guys.

      "Both Jon Stewart and John Stewart are funny guys".

      There, corrected it for you. :)

      By the way, John Stewart looks like Will Forte (SNL, Nebraska) dressed in 90's attire. (I work at Cisco)

    2. Re:a bid to foil the NSA, John Stewart says by Your.Master · · Score: 5, Funny

      The plural of John Stewart is John Stewarten.

    3. Re:a bid to foil the NSA, John Stewart says by sexconker · · Score: 1

      That would be "Both Johns Stewart..." if you want to be grammatically correct.

      "John Stewart" is the noun. "John Stewarts" is the plural form of the noun.
      "Johns Stewart" is a colloquial (slang, grammatically wrong) way of saying "All Johns with a last name of Stewart". It is not the same as pluralizing the proper noun "John Stewart".
      (And I believe one of the "John Stewarts" they're referring to is actually "Jon Stewart".)

  6. Please post some links showing the hardware. by Anonymous Coward · · Score: 1

    Any links to share showing the actual hardware in use with backdoor installed?
    Thx

    1. Re:Please post some links showing the hardware. by Bob+the+Super+Hamste · · Score: 1

      This should do

      Fun and games aside I have dealt with some very security conscious entities and was unlucky enough to be onsite when a box that was delayed arrived and had been opened while in shipment. That went right in the trash and the next trip that someone made there they brought new hardware with them on the flight.

      --
      Time to offend someone
  7. What I would do by Anonymous Coward · · Score: 1

    If I were Cisco I'd send a rep to a few customers believed to be likely targets (at no cost to the customer), have them check the firmware on site w/ JTAG and if it doesn't match, take the firmware apart and publish the malware. Would serve NSA right.

    1. Re:What I would do by Talderas · · Score: 1

      And think of the corporate goodwill it would build.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    2. Re:What I would do by Grishnakh · · Score: 1

      Could they do this? Surely the government would just send them a National Security letter and force them to comply under threat of being disappeared.

    3. Re:What I would do by jeffmeden · · Score: 1

      If I were Cisco I'd send a rep to a few customers believed to be likely targets (at no cost to the customer), have them check the firmware on site w/ JTAG and if it doesn't match, take the firmware apart and publish the malware. Would serve NSA right.

      TSA goon 1: Oh, you're with cisco, and you're headed to Iran? (chris hansen voice) Why don't you take a seat over there?
      TSA goon 2: Nice JTAG interface you have there. Shame if anything happened to it (h4x0r flash with firmware to hide modified cisco firmware)
      TSA goon 1: Have a nice trip!

    4. Re:What I would do by Bob+the+Super+Hamste · · Score: 2

      You give the TSA mouth breathers too much credit. This is a far more likely scenario:
      TSA goon: Waht is this? It looks expensive. (puts device in their pocket)

      or:
      TSA goon: What is this? Whoops! (drops device on the floor on accident)

      --
      Time to offend someone
  8. Re:boxen and Borg? by Anonymous Coward · · Score: 1

    "El Reg" prides itself on jargon...

  9. simple to thwart., more difficult with detection. by nimbius · · Score: 4, Interesting

    the actual plan is pretty secretive but crap like Smallco at Nowheresville is easy to catch. all the NSA has to do is take a spammers approach when sifting through UPS and FEDEX databases pertaining to Cisco. Using Sparse Orthogonal Bigrams or CRM114 with a combination of known customer addresses and contacts allows the NSA to quickly weed out any future attempt to subvert its practice.

    what isn't more difficult to thwart is a conscious customer, and that's the NSA's real problem. A shipment from San Francisco to Dallas for example, that takes a detour to Boston, could be good reason for suspicion. anti-tamper systems like tip-n-tell, environmental dyes, tamper seals, or a combination of these systems as well as the much maligned DRM signed firmware could make the NSA's efforts substantially more difficult. Finally, getting out of lock-in technology monocultures like dell-everything shops and cisco-anything shops is helpful. a moving target is, after all, harder to hit.

    --
    Good people go to bed earlier.
  10. Or we just stop buying Cisco. by Kenja · · Score: 1

    Really... when was the last time any of us thought Cisco was the best choice for a project?

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Or we just stop buying Cisco. by cdrudge · · Score: 2

      Anytime the Cisco account manager stopped by or called.

    2. Re:Or we just stop buying Cisco. by Strider- · · Score: 2

      Really... when was the last time any of us thought Cisco was the best choice for a project?

      Actually it can be a great deal... I'm in the process of building up a campus network for a non-profit, that will eventually have some 25 switches (Core and access), and 3 or 4 routers. All of it Cisco. Why? Because Cisco's support policies are such that there is tons of perfectly serviceable EoL/EoS equipment available on the secondary market that suits our needs, and available for very little $$$.

      --
      ...si hoc legere nimium eruditionis habes...
    3. Re:Or we just stop buying Cisco. by Cramer · · Score: 1

      If you're going to go to the used market -- esp. for stuff the vendor (Cisco) will no longer support, there are plenty of non-cisco options as well. Bottom-line, YOU are more familiar with Cisco tech, so that's what you're using. But yes, it will be easy for anyone to come along after you that knows Cisco as well. (the same is true of Juniper, Brocade, Fortinet, etc.)

  11. Re:Boxen? WTF? by Holi · · Score: 3, Funny

    In what fucking language. Pretty sure boxes is the pl. of box. But you know with everyone out there making up new spellings left and right how am I supposed to keep up. (I mean really "rediculous"???? why that one pisses me off so much I'll never know)

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  12. Re: Boxen? WTF? by bws111 · · Score: 1, Insightful

    No, it isn't. Boxen means related to the boxwood tree. Boxes is the plural of box. Boxen is only used by people who want to sound smarter than they are.

  13. Ok, however by Registered+Coward+v2 · · Score: 1

    If you are sophisticated enough to intercept shipments to known addresses what is to stop you from intercepting those to unknown ones and ignoring those to good addresses. It's a bit different than saying lets get boxes to X and ignore YZ to get any not going to YZ? More labor intensive, but some cross referencing of unknown addresses and intel work could still allow an intercept operation to continue.

    Alternatively, a little human engineering where a big buyer of Cisco products in the US government says "Fine. Good idea. Customers will think we can't get at the boxes. Now, let us know the drop box addresses so we can continue doing this."

    Alternatively, overseas shipments to odd addresses could be delayed while Customs makes sure they don't violate any export agreements...

    --
    I'm a consultant - I convert gibberish into cash-flow.
  14. Re: Boxen? WTF? by Holi · · Score: 1

    Go back to school.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  15. Re:boxen and Borg? by serviscope_minor · · Score: 4, Insightful

    What?

    You just lost your nerd cred, that's what. I sentence you to 5 hours of reading the jargon file.

    --
    SJW n. One who posts facts.
  16. No confidence by Anonymous Coward · · Score: 3, Insightful

    I still can't trust that mechanism. Cisco needs to offer tools to verify the devices are genuine.

  17. Re:boxen and Borg? by bill_mcgonigle · · Score: 3, Insightful

    What?

    "Editors"

    While admiring Cisco's efforts here, this seems hard. At least these criteria would need to be satisfied:

    1) the order would have to come in over an actual secure channel and be handled on known-secure systems.
    2) the payment could not be processed until the delivery was made. Once the payment is made, the delivery location is compromised for future orders.
    3) the shipment would have to be to a location that does not appear on the MLS. The receiver would have to follow tracking and send a courier out to meet the delivery driver (an easy expense for the right customers).

    Driving to a distributor for pickup also seems like a good idea, so long as #2 is adhered to, since it amplifies the required effort of an attack to intercept several pallets of gear.

    What other attacks are there on such a secure-delivery system using a common carrier?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  18. Re:Boxen? WTF? by zifferent · · Score: 2

    Geeklore, dude. If the plural of ox is oxen then the plural of box is boxen. Sheesh. Next you're going to tell me you don't know what borked is.

    --
    cat sig > /dev/null
  19. Ah, now I see why he quit the Daily Show by Ecuador · · Score: 1

    I expected him to go into politics or something like that. But I guess Cisco security chief is not that bad. Not as funny probably, although I do laugh at some of their obscenely overpriced stuff.
    Quick question, how exactly do they establish these fake identities? It would not be such a good scheme if all it does is flag shipments for NSA "hey, look at this, we don't want you to know where it is going"...

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  20. Why not just deliver it yourself? by NothingWasAvailable · · Score: 4, Interesting

    This strikes me as either silly (very James Bond), or an indication that Cisco doesn't even trust its own employees.

    Otherwise, why wouldn't Cisco just hand deliver the items using its own employees.

    Taking this cloak-and-dagger approach implies that if anyone at Cisco knows who's receiving the hardware, then it is at risk, meaning that Cisco is compromised and knows it.

    1. Re:Why not just deliver it yourself? by Ksevio · · Score: 1

      Probably because Cisco doesn't want to move into the courier business.

    2. Re:Why not just deliver it yourself? by magarity · · Score: 3, Interesting

      Taking this cloak-and-dagger approach implies that if anyone at Cisco knows who's receiving the hardware, then it is at risk, meaning that Cisco is compromised and knows it.

      It also implies that the real problem is at UPS/FedEx/DHL? I'd like to know what the shippers have to say about these interceptions.

    3. Re:Why not just deliver it yourself? by Grishnakh · · Score: 2

      I'd like to know what the shippers have to say about these interceptions.

      They probably can't say anything because they've been served with National Security letters and aren't allowed to talk about anything under threat of prosecution or worse.

    4. Re:Why not just deliver it yourself? by mcrbids · · Score: 2

      It's a company, not a military. Of *course* they're compromised! Or at least, compromisable! I mean, every single employee comes to work because they are getting paid. So the NSA leaves a suitcase full of cash at an employee's house, and is asked to leak data, and is offered full legal immunity for doing so.

      You wouldn't take an extra $20,000 risk free? If not, you don't know somebody at work who would? Many people would do this for much less.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    5. Re:Why not just deliver it yourself? by Barlo_Mung_42 · · Score: 1

      This is why I only buy network hardware in person from a randomly selected retail establishment which I pay for with cash.

    6. Re:Why not just deliver it yourself? by Cramer · · Score: 1

      Exactly. They already pay numerous companies to do this. (Smartnet warehouses and couriers. Only in RTP or SJC are you likely to ever get anything direct from Cisco -- and the one time Cisco-proper replaced something of mine, it's because the RTP lab had the only one left [cat2926])

  21. Re:Boxen? WTF? by hcs_$reboot · · Score: 1

    My bet, despite them to be pretty far away, goes to a 'n' that surreptitiously replaced a 's'.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  22. NSA doesn't know? by ugen · · Score: 5, Insightful

    Seriously, I would assume that NSA at least has a "mole" in the order processing/accounting/shipping dept. at Cisco. Unless Cisco pays a lot more than market to these rank-and-file employees or gives them benefits unheard of elsewhere, they aren't particularly hard to get to cooperate, I would guess.

    1. Re:NSA doesn't know? by drunk_punk · · Score: 1

      Or a compromised Fedex/UPS/USPS. Flash a badge at a driver and tell him to deliver THIS package instead. This Op isn't going to skip a beat, and Cisco gets a few extra bucks.

    2. Re:NSA doesn't know? by Anonymous Coward · · Score: 1

      It's not about the salary, it is about the pressure points they use.

      Let us know when a shipment is going out for xxx.inc and where it is going to. In return, we promise not to prosecute your 19 year old son for the child porn we detected on his laptop.

      Anyone who thinks they would never plant such child porn in order to get you to do what they want, you're naive. After all, if you do the 'right' thing, no one gets hurt, so what's the big deal?

    3. Re:NSA doesn't know? by Cramer · · Score: 1

      More likely at customs. They're already "gubment", and it would be very easy for a package to pass through one of these uber-secret hack-points.

  23. The NSA will respond by mark_reh · · Score: 4, Interesting

    by putting their stuff into the Cisco boxes in the factory. Wait, aren't they already doing that?

    1. Re:The NSA will respond by frank_adrian314159 · · Score: 1

      Does it really matter? Does anyone really want to use Cisco gear?

      --
      That is all.
    2. Re:The NSA will respond by coofercat · · Score: 1

      No - that's the chinese ;-)

    3. Re:The NSA will respond by jedidiah · · Score: 1

      ...or Iranian democracy could have turned out like Egyptian democracy and all without our help.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    4. Re:The NSA will respond by courteaudotbiz · · Score: 1

      If I check their annual revenue report ($47BN between July 2013 and July 2014), well, some people buy Cisco gear...

    5. Re:The NSA will respond by frank_adrian314159 · · Score: 1

      Yeah, but do they really want to? I just can't see that.

      --
      That is all.
  24. Cheaper, faster, better, ... by fulldecent · · Score: 1

    Better solution: include an iPhone and backup battery in the shipment. Use Find my iPhone.

    Or just use FedEx's or UPS's real time tracking :-)

    --

    -- I was raised on the command line, bitch

    1. Re:Cheaper, faster, better, ... by xanthines-R-yummy · · Score: 1

      Yes, because NSA *surely* can't hack those types of sites, too...

  25. And how, exactly, are they going to do that? by tacokill · · Score: 3, Interesting

    You see, the US Government is very keen about governing exports. They prohibit shipping many products into restricted countries and they actively police it in a serious manner. Anyone whose product gets found in a restricted country is in hot water. It doesn't matter if the product(s) was sold through an intermediary or 20 middle men, the manufacturer is 100% responsible for asserting, under penalty of law, that their products will not end up in a restricted country and that's that. The treasury department even publishes a monthly list of offenders they catch but I apologize as I cannot seem to find it on google.

    To address this issue, many companies that have been caught are required by the US Treasury Dept to document every single end user of their product. Yes, every single unit that is sold must be documented as to where its final resting place is. I doubt Cisco is under this kind of requirement (unless they've been caught in the past) but it seems this new policy is a huge risk for them in that area. If you were an Iranian supply store trying to procure Cisco equipment, this seems like a good way to do it without anyone knowing or being able to track it --- and that's a serious risk for Cisco.

    The minute one of those units gets found in Iran (or any restricted country), all hell will break loose. Again, it doesn't really matter how it got there.....

    Here is a good overview of the requirements and Here is a company that has a good policy summary that they live by. Smart on them.

    Understand that this has nothing to do with NSA or espionage. This is just a basic requirement of doing business overseas and exporting products. Doesn't matter whether it's plastic dog poo, Intel CPU's, lab equipment, cranes, or other engineered equipment.

    1. Re:And how, exactly, are they going to do that? by tacokill · · Score: 1

      I didn't say foreign country, I said restricted foreign country. As in Syria, Iran, North Korea, and the rest. And yes, if equipment shows up in a restricted country, they will chase it back to the day it was made on the Cisco factory floor and they will question every single partner in the supply chain trying to figure out how it wound up in that country.

      You act as though Iran or other sanctioned countries can just go to eBay and buy whatever they want. That's not accurate as sanctions have real teeth (and costs for US companies that don't pay heed).

    2. Re:And how, exactly, are they going to do that? by Vadim+Makarov · · Score: 1

      USA also checks if the product is still where it was declared to be at the time of sale. I'm at a university in Canada. Last year my university had a visit by two men from the US Embassy in Ottawa, visiting various labs to see if the products sold under export control agreements were still there. I mocked the men a little bit.

      --
      17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
    3. Re:And how, exactly, are they going to do that? by Cramer · · Score: 1

      they will chase it back to the day it was made

      And Cisco will enter the serial number in their portal -- btw, used to be, anyone could lookup any serial number, only a Cisco Employee would be able to see who owns it, 'tho. That search will show it was sold to IBM: "we sold it to IBM in 1992. Go ask them how restricted technology ended up on eBay."

      (Shit happens. Remember the F-16 parts that ended up on eBay? The only way to know what they were, and that they were classified/restricted, was to look up the random-looking "part no.". (do you have the parts manifest for an F16?) To you, me, and apparently the junk recycler who put it on eBay, it's an ancient circuit board with some scrap discrete parts on it.)

    4. Re:And how, exactly, are they going to do that? by Cramer · · Score: 1

      Right. And everyone is supposed to declare the actual value of the item crossing the border. I laugh every time I get something at work from outside the country; that SSL crypto card is "$100", and the "web server" it goes in "$2000". "Value for customs only. Not for sell" No shit!

  26. Source of the order by in10se · · Score: 1

    Seems easy to circumvent. The [GOVERNMENT ABBREVIATION] monitors the original online or phone order and knows who ordered it. Who cares where it's being delivered.

    --
    Popisms.com - Connecting pop culture
    1. Re:Source of the order by Dunbal · · Score: 1

      OK, and how will that help them intercept the shipment and install their spyware on the product?

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Source of the order by in10se · · Score: 1

      The exact same way they are doing it now.
      (I have no idea.)

      The summary seems to say that only high-value targets are being intercepted, and that Cisco is trying to protect those customers by shipping to somewhere other than their place of business. If that's their new form of protection, it doesn't change anything if the NSA knows who it belongs to.

      --
      Popisms.com - Connecting pop culture
  27. Re:Boxen? WTF? by plopez · · Score: 4, Insightful

    So what is the pl. of "ox"? "Oxes"? I think not.

    --
    putting the 'B' in LGBTQ+
  28. Re:Boxen? WTF? by fhage · · Score: 5, Insightful
    Kids these days... Digital Equipment Corporation (DEC) VAX.

    We had several Vaxen in our lab.

    It's used to show who groks tek. Sales dept use "Vaxes". Users say Vaxen.

    Now, get off my lawn. I just mowed it.

  29. Boxen? Really? by l0ungeb0y · · Score: 1

    Slashdot needs a "pudger rockin' a fedora" icon for autist keyboard operator submissions

    1. Re:Boxen? Really? by courteaudotbiz · · Score: 1

      If you RTFA, you would notice that "boxen" is used in the original article. Also, "boxen" can be used as the plural for "box", but it is uncommon.

    2. Re:Boxen? Really? by Thud457 · · Score: 1

      "Technically correct" is the best kind of correct.

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    3. Re:Boxen? Really? by n6kuy · · Score: 1

      But to use it to refer to shipping boxes is a bit of a stretch. More commonly used to refer to (non-VAX) computers. As in, "Down in my parents' basement, I have 4 Linux boxen."

      "Boxen," of course is a more generalized term that follows from "Vaxen" which is a silly made up term to refer to a plurality of VAX computers, using the same plural-formation as Ox->Oxen.

      But, being a Slashdot reader, you already knew that...

      --
      If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
  30. Re:Boxen? WTF? by in10se · · Score: 2, Insightful

    How can you call yourself a /. reader having not read The Jargon File?

    --
    Popisms.com - Connecting pop culture
  31. Re:Boxen? WTF? by sumdumass · · Score: 2

    Years ago, this was a common mistake by people trying to touch type too fast for their skill level that actually became sort of a fad when talking about computers. Your boxen or my boxen actually referred to our computer hardware. It's also the reason we have lulz instead of lols. It's now considered plural for lol but it was really just people trying to keep up with chat in busy chat rooms, where the original shorthand started before texting.

  32. Re:Boxen? WTF? by in10se · · Score: 4, Informative

    Have you never read The Jargon File. It's required reading for any hacker.

    --
    Popisms.com - Connecting pop culture
  33. When we realized that admins are more expensive by Anonymous Coward · · Score: 1

    We shifted completely to cisco when we realized that stability was cheaper than hardware.

  34. NSA, the Anti-American Agency by BrendaEM · · Score: 1

    Someone needs to put some reins on this out of control horse.

    --
    https://www.youtube.com/c/BrendaEM
  35. Re:Boxen? WTF? by hcs_$reboot · · Score: 1

    It's in my dictionary: Appomattoxen Cloroxen Coxen Firefoxen Foxen Knoxen Maaloxen Maddoxen Wilcoxen Xeroxen boxen chatterboxen chickenpoxen cowpoxen coxen detoxen equinoxen flummoxen foxen gearboxen heterodoxen iceboxen jukeboxen letterboxen loxen lummoxen lunchboxen mailboxen matchboxen orthodoxen outfoxen oxen paradoxen phloxen pillboxen postboxen poxen sandboxen shadowboxen smallpoxen snuffboxen soapboxen soxen strongboxen tinderboxen toolboxen unorthodoxen

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  36. Re:Boxen? WTF? by Anonymous Coward · · Score: 4, Informative

    Boxes is the plural of box only if you're talking about containers like cardboard or wooden boxes, etc.

    If you're talking about computer gear that happens to come in a vaguely box-shaped chassis (like a computer or a network switch), the plural is boxen. See also "vaxen".

    Keep up? The terminology is possibly older than you are.

  37. Re:Boxen? WTF? by Anonymous Coward · · Score: 1

    In what fucking language. Pretty sure boxes is the pl. of box. But you know with everyone out there making up new spellings left and right how am I supposed to keep up. (I mean really "rediculous"???? why that one pisses me off so much I'll never know)

    Hand in your card and get the fuck out.

  38. Re: boxen and Borg? by ralphsiegler · · Score: 2

    Your use of "neckbeard" dates you, that was a hip term two years ago. I'm guessing you have a neckbeard fetish, there might be genre of porn just for you.

  39. Re:Boxen? WTF? by plopez · · Score: 1

    Whoosh! Thank you for playing....

    --
    putting the 'B' in LGBTQ+
  40. Re:Boxen? WTF? by DoofusOfDeath · · Score: 1

    In what fucking language. Pretty sure boxes is the pl. of box.

    Auf Deutsch. Seien Sie nicht so unglücklich sein nicht.

  41. Pointless. by DoofusOfDeath · · Score: 1

    The NSA seems to have its fingers up so many people's hoo-has, that it could easily sort this out. It's amazing what an agency can accomplish when it's not held accountable for ignoring the Constitution. Fucking traitors.

    1. Re:Pointless. by NMBob · · Score: 1

      The guy at Cisco that puts the packing tape on the boxen is probably NSA.

  42. Plural of Box is Bice by Anonymous Coward · · Score: 5, Funny

    Mouse-> Mice
    Louse -> Lice
    House -> Hice
    Platapouse -> Platapice
    Faux -> Fauce
    Fox -> Fice
    Box -> Bice

    1. Re:Plural of Box is Bice by marciot · · Score: 1

      No,

      Deer -> Dice.

      Stick with the program, man.

    2. Re:Plural of Box is Bice by David_Hart · · Score: 1

      No,

      Deer -> Dice.

      Stick with the program, man.

      A number of animals do not have plurals, they have a group name:

      Deer --> herd
      Fox--> skulk
      Rabbits --> warren
      Sheep --> Flock

      http://www.npwrc.usgs.gov/abou...

    3. Re:Plural of Box is Bice by marciot · · Score: 2

      A number of animals do not have plurals, they have a group name:

      A basement of geeks.

  43. Re: Boxen? WTF? by spongman · · Score: 1

    What's the plural of fox?

  44. Re:Boxen? WTF? by dugancent · · Score: 1
    --
    SJWs are the new boogeyman. -Me
  45. Re:Boxen? WTF? by NotInHere · · Score: 1

    No, it's like with kid and kitten.

  46. Re:Boxen? WTF? by NMBob · · Score: 1

    It's a cow made by Volvo.

  47. Re: Boxen? WTF? by Ksevio · · Score: 3, Funny

    Apparently it's foxen since anything that ends with "ox" is pluralized the same way

  48. Red Herring by Greyfox · · Score: 4, Interesting

    Does nothing if all hardware is compromised prior to shipping. Would they be allowed to tell you if it were? Would they even be aware if it was? Has the government ever looked at their code or received a report from them about potential security vulnerabilities as part of a disclosure required for a government contract or security certification? I'm guessing if they did, that report was sent directly to the NSA.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Red Herring by courteaudotbiz · · Score: 1

      Well, maybe you're right and Cisco want to put a false feeling of "anonymity" to compromise more high profile targets with their preinstalled backdoors. Or maybe it's just a way for Cisco to make more money on the back of its customers. In any way, their method cannot guarantee anything, since the shipment is just the last step of an order, and the order can be compromised at so many earlier steps.

    2. Re:Red Herring by Anonymous Coward · · Score: 1

      Does nothing if all hardware is compromised prior to shipping.

      This point is really good because the disclosures are old. It's plausible we're hearing about a program they no longer need because they have enough Cisco 0-day.

      However the point doesn't mean you shouldn't respond to this attack. It only means you shouldn't feel much better after you've responded. (I also think their response isn't very good, but that's a separate comment.)

      Would they be allowed to tell you if it were? Would they even be aware if it was?

      and would they be inclined to? The answer to all three questions is "mostly no," based on my experience/speculation working at a company that's got a much stiffer spine than Cisco. Remember Cisco supplies equipment to China that has no purpose except to control and monitor populations. They're a Wernher von Braun style company.

        - "Senator, we comply with the law," is the new version of "I don't recall."

        - When US gives a secret warrant to an employee, they pick a soft target and threaten the employee will be guilty if they share the secret warrant even _within the company_ for example to get advice from the internal legal department.

        - The attitude of ${spineful_company} is, "we will respond, we will respond much better than average, and we will respond with a persistence the public's short attention span could never maintain, but our response is secret because news agencies are twisted bullies and we're tired of losing unfairly to schoolyard sophistry." The stiffer the spine the fatter the head. Either way, public doesn't get the story.

  49. Re:Boxen? WTF? by N!k0N · · Score: 1

    In what fucking language. Pretty sure boxes is the pl. of box. But you know with everyone out there making up new spellings left and right how am I supposed to keep up. (I mean really "rediculous"???? why that one pisses me off so much I'll never know)

    Hand in your card and get the fuck out.

    You assume GP was given a card in the first place. (And would give a king's ransom if I could remember my 5 digit UID :( )

  50. From Brian Regan Live: Stupid in School by Anonymous Coward · · Score: 1

    Erwin, what’s the plural for ox? Oxen. The farmer used his oxen. Brian? (chuckling) “What?” Brian, what’s the plural for box? Boxen. I bought 2 boxen of doughnuts. No, Brian, no! Let's try another one. Erwin, what's the plural for goose? Geese. I saw a flock... of geese." Brian! (Chuckling) Wha-at? "Brian, what's the plural for MOOSE?

    "MOOSEN!! I saw a flock of moosen! There were many of 'em. Many much moosen. Out in the woods—in the woodes—in the woodsen. The meese wantin' the food. Food is to eatenesen! THE MEESE WANT THE FOOD IN THE WOODENESEN! THE FOOD IN THE WOODYENESEN!" "BRIAN! Brian,.. You're an imbecile." "Imbecilen!"
    "What are you speaking? German, Brian?" "German. Jermain! Jermaine Jackson! Jackson Five. Tito!" "Brian, what the heck are you talking about!?" "I don't know. I don't know, really.."

  51. Re: boxen and Borg? by N!k0N · · Score: 1

    Your use of "neckbeard" dates you, that was a hip term two years ago. I'm guessing you have a neckbeard fetish, there might be genre of porn just for you.

    Refer to Rule34. HTH HAND.

  52. Re:Boxen? WTF? by qwijibo · · Score: 1

    Why it pisses you off is right in the spelling.

    Rediculous = something that is so maddeningly ridiculous that you turn red with murderous rage

    Example: how you feel when you see someone use "rediculous" in a sentence.

    =)

  53. Re: Boxen? WTF? by Anonymous Coward · · Score: 1

    Also notice vixen, hence Vaxen. Vax admin then started using boxen

  54. Re:Boxen? WTF? by Anonymous Coward · · Score: 1

    Have you never read The Jargon File. It's required reading for any hacker.

    Read it long ago, then realized that apparently I was "no true hacker" as I didn't fit much of their rather lengthy description of one.

  55. Re:how about an NSA honeypot? by bhlowe · · Score: 2

    Just address the shipping label to "Iran Institute of Centrifugal Studies" C/O Mailboxes Etc.

  56. Re:Boxen? WTF? by cayenne8 · · Score: 1

    I mean really "rediculous"???? why that one pisses me off so much I'll never know

    I think this one predates you my friend.

    That is the CORRECT pronunciation by our old friend Ricky Ricardo....shortly after uttering this, he'd tell Lucy she had some "Splaining to do".....

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  57. Nope... by tomhath · · Score: 1

    He's a sergeant in the Chinese Army.

    1. Re:Nope... by NMBob · · Score: 1

      Haha! Wait...they probably all work for the NSA too! Or are they CIA? It gets so confusing. Wait until we find out there's a Something-A that we don't even know about.

  58. Cisco are in it up to their necks by Anonymous Coward · · Score: 2, Informative

    If you trusted Cisco, you'd drive to a random store at a random time and buy a unit off the shelf.

    However CISCO sell tech to the US government, and in turn are required to hand their code over to NSA we presume, and certainly have been deeply involved in NSA's cyber security stuff, so I think you have to consider their routers compromised.

    http://www.nist.gov/itl/csd/nccoe-041513.cfm

    "ROCKVILLE, Md. — In recognition of the critical need to protect private-sector intellectual property and other valuable business data from a growing number of cyber threats 11 major companies have formally established partnerships with the National Cybersecurity Center of Excellence (NCCoE). U.S. Senator Barbara Mikulski, U.S. Cyber Command Commander/National Security Agency (NSA) Director General KEITH B ALEXANDER, Maryland Governor Martin O’Malley, Montgomery County Chief Executive Isiah Leggett and Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher joined the new partners for a signing ceremony today at the NCCOE’s facilities in Rockville, Md."

    "At the ceremony, representatives from the new partner companies – CISCO SYSTEMS Inc., Hewlett-Packard, HyTrust Inc., Intel Corp., McAfee Inc., Microsoft Federal Civilian Services, RSA, Splunk Inc., Symantec Corp., Vanguard Integrity Professionals and Venafi Inc. – pledged to contribute hardware and software components and share best practices and personnel with the center."

  59. Re:Boxen? WTF? by Molt · · Score: 4, Insightful

    I view it more as required reading for anyone who plans to spend time at MIT in the 1960s.

    --
    404 Not Found: No such file or resource as '.sig'
  60. Perform tear-downs instead by DigitAl56K · · Score: 1

    Start visiting locations of concerned customers, tear-down their units, check for implants, pull chips, put them in readers, verify firmware, etc. etc.

    Figure out what changes are being made to the equipment and then warn customers to check for them upon receipt. Tactics will then change, so check new shipments again 6mos. later.

  61. Re: Boxen? WTF? by Anonymous Coward · · Score: 3, Funny

    No, the plural of vixen is "threesome".

  62. Trust by Anonymous Coward · · Score: 4, Insightful

    Good job NSA! Way to destroy not just any integrity we had left as a country, but also undermine trust in the products we sell as well.

  63. Re:boxen and Borg? by dpidcoe · · Score: 2

    Or just ship everything in boxes with tamper evident seals, then instruct the end user on inspection of said seals while informing them that anything with a broken seal will be replaced?

  64. Re:simple to thwart., more difficult with detectio by Joey+Vegetables · · Score: 1

    A shipment from San Francisco to Dallas for example, that takes a detour to Boson...

    Didn't they only just recently discover that?

  65. Also kind of funny.. by duck_rifted · · Score: 1

    ..if we forget about all the serious stuff related to it. Summary: "We don't like all this cloak and dagger spy stuff. We want to distance ourselves from intelligence agencies, and show that we're nothing like them. So here's what we're going to do. The shipment will first be sent to the location disclosed by our asset in the field. Refer to challenge-handshake protocol in the self-destructing memo dispatched last week by home office. After delivering the football, the site will be monitored by an elite team of former KGB and CIA mercenaries. After the pickup, you're on your own. Proceed to the next delivery rendezvous point, and an agent will coordinate with you there. In the event that you are discovered after the pickup, there is a cyanide pill under the seat of your delivery truck."

  66. Re: boxen and Borg? by ralphsiegler · · Score: 1

    well I'm not typing into google to find out, sometimes it even pulls up images automatically......ewwwwww

  67. does nothing to inspire confidence by Anonymous Coward · · Score: 1

    If it ships from within the USA I won't trust it. Bottom line.

  68. Re:Boxen? WTF? by orgelspieler · · Score: 1

    I'm waiting for Holi to ask wtf "grok" means next.

  69. Re: Boxen? WTF? by Anonymous Coward · · Score: 1

    No, a plural of vixen can lead to a threesome.

  70. Re: Boxen? WTF? by MachineShedFred · · Score: 1

    Yeah, because the English language is incredibly consistent, and is never contradictory in any way.

    Your argument fails on face value alone.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  71. Re:Boxen? WTF? by MachineShedFred · · Score: 1

    Lots of people keep saying this, but if it's only the last two letters that matter in distinguishing the plural form, then I submit to you:

    Goose is to geese, as horse is to ???

    A. Heese
    B. Horses
    C. You're an idiot
    D. Both B and C.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  72. Re:boxen and Borg? by worf_mo · · Score: 1

    0) Cisco would need to be sure that none of their staff is actually infiltrated and working for a TLA. Which I find hard to believe considering the importance.

  73. nothing sucks like a by mbkennel · · Score: 2


    There was a 1950's-1960's British vacuum cleaner brand, named you know what, advertised with the tag line, "nothing sucks like a Vax".

  74. Re:Boxen? WTF? by Anonymous Coward · · Score: 1

    Years ago, this was a common mistake by people trying to touch type too fast for their skill level that actually became sort of a fad when talking about computers. Your boxen or my boxen actually referred to our computer hardware.

    Sigh.
    You know you are old when you remember what a vax was.

  75. A band-aid on a festering wound by rock_climbing_guy · · Score: 1
    This is, at best, like putting a band-aid on a festering, infected wound. This will change nothing. At best, they might stop a few interceptions, after which they will be served with a "national security letter" or something along those lines telling them to cooperate with the three letter agencies or else.

    The only way to fix this problem is to go to the source and reform our three letter agencies, and the ho-hum reaction to the Snowden revelations suggests that it won't happen anytime soon.

    Think about it, we live in the country where the FDA raids Amish farmers, and you expect that the NSA will just sit back and let a multinational company with everything to lose interfere with their intentions. If you think that, you're hopelessly naive!

    --
    Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
  76. Re:how about an NSA honeypot? by rock_climbing_guy · · Score: 1

    And watch your lawsuit be thrown out because... "National Security!" This will not end unless and until reforms to the three letter agencies are codified into law, and then I have doubts that even that will stop it.

    --
    Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
  77. Re:Boxen? WTF? by friesofdoom · · Score: 1

    If 'boxen' is an acceptable plural of 'box', which it isn't unless you're a *nix script kiddie that likes making shit up, then why is everyone getting their knickers in a knot about SMS-style abbreviations ruining the English language?

    Ps. show me 'boxen' in a dictionary that you actually paid money for, not some online/free pos.

  78. Re:Boxen? WTF? by Crashmarik · · Score: 1

    I'll see your vax and raise a DEC-20

  79. Re:Boxen? WTF? by mrbester · · Score: 1

    Horsen of coursen.

    What's more fun is the collective nouns for goosen: flock if on the ground, skein if in flight...

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  80. Don't ship, send an employee-courier by davidwr · · Score: 3, Insightful

    If it's THAT sensitive, either have the customer pick it up from a Cisco-controlled location or have a Cisco employee hand-deliver it to the customer.

    Use tamper-evident seals and use something like a "warrant canary"-like system so the delivery person can effectively tell the customer that to the best of his and Cisco's knowledge the shipment was not tampered with en route: The absence of a followup message from Cisco guaranteeing that the shipment and delivery were not intercepted would be treated as a message that it might have been intercepted.

    Speaking of "canaries" I wouldn't be surprised to see specialty shipping companies or specialty-arms of big-name shipping companies use "canaries" to guarantee that their shipments were delivered to an authorized person and not tampered with en route.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
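
The "warrant canary" delivery idea in the comment above, as an added sketch that is not part of any comment and not Cisco's process: the customer treats a missing or invalid follow-up attestation as a tamper signal. The pre-shared key, the 48-hour window and all field and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumed grace period: how long after hand-over the customer waits for the
# vendor's follow-up message before treating silence as an alarm.
ATTEST_WINDOW = timedelta(hours=48)


def canonical(fields):
    """Stable byte encoding so both sides compute the MAC over identical input."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(key, shipment_id, seal_ids, delivered_at):
    """Vendor side. Sent only when nothing is known to have gone wrong in
    transit; if the vendor is prevented from sending it, the customer's
    deadline check below raises the alarm instead."""
    fields = {
        "shipment_id": shipment_id,
        "seal_ids": sorted(seal_ids),
        "delivered_at": delivered_at.isoformat(),
    }
    mac = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


def evaluate_delivery(key, shipment_id, seals_on_box, delivered_at, attestation, now):
    """Customer side. Fails closed: every path except a verified, matching
    attestation leaves the equipment untrusted."""
    if attestation is None:
        if now <= delivered_at + ATTEST_WINDOW:
            return "PENDING: keep equipment quarantined"
        return "SUSPECT: canary silent past deadline"

    fields = {k: v for k, v in attestation.items() if k != "mac"}
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    received = str(attestation.get("mac", ""))
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return "SUSPECT: attestation failed verification"

    # A genuine message about a different shipment must not be replayed here.
    if fields.get("shipment_id") != shipment_id:
        return "SUSPECT: attestation is for another shipment"

    # Seal serials read off the physical box must match what the vendor applied.
    if sorted(seals_on_box) != fields.get("seal_ids"):
        return "SUSPECT: seal serials do not match"

    return "CLEAN"


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    key = b"example-key-provisioned-out-of-band"
    delivered = datetime(2015, 3, 18, 9, 0, tzinfo=timezone.utc)
    seals = ["SEAL-0042", "SEAL-0043"]
    att = issue_attestation(key, "SHIP-1001", seals, delivered)

    one_hour = delivered + timedelta(hours=1)
    three_days = delivered + timedelta(days=3)
    print(evaluate_delivery(key, "SHIP-1001", seals, delivered, att, one_hour))
    print(evaluate_delivery(key, "SHIP-1001", seals, delivered, None, one_hour))
    print(evaluate_delivery(key, "SHIP-1001", seals, delivered, None, three_days))
```

A shared-key MAC only proves the message came from someone holding the key; a deployment that needs third-party verifiability would use a signature scheme instead.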
  81. Re: boxen and Borg? by penandpaper · · Score: 1

    Your use of "neckbeard" dates you, that was a hip term two years ago. I'm guessing you have a neckbeard fetish, there might be genre of porn just for you.

    Refer to Rule34. HTH HAND.

    sauce or it didn't happen.

  82. Re:how about an NSA honeypot? by EdwardFurlong · · Score: 1

    I was thinking something like a security device that would alert cisco and the customer if the boxen were opened. Or even something simple like unique security tape. Seems like there is something out there that could either alert or prove it was tampered with.

  83. Re:Boxen? WTF? by jc42 · · Score: 2

    In what fucking language. Pretty sure boxes is the pl. of box. But you know with everyone out there making up new spellings left and right how am I supposed to keep up. (I mean really "rediculous"???? why that one pisses me off so much I'll never know)

    Hand in your card and get the fuck out.

    Yeah; methinks we're seeing the symptoms of a serious humo[u]r deficiency here. These things have a long history in the English-speaking world. Many of us are quite aware of the ridiculocities that can easily be found in the English language, and a lot of humo[u]rists have gotten audiences laughing by mocking some of the stupider things in our language. This especially applies to the irregular plurals, which of course are derived from plural forms that were once regular (and still are in German), but which became relics a millennium or so back when our ancestors settled on just the -[e]s as the plural marker, but stubbornly insisted on keeping a few hundred of the old plurals around to confuse children and foreigners.

    Maybe we should collect a list of links to some of the humorous things that have been written on the topic, and refer people to the list when they post complaints like we've been seeing here. Anyone wanna take on the task?

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  84. Re: Boxen? WTF? by skelly33 · · Score: 1

    It actually ties back to the bible, Genesis: ... and when God made the fox, he saw the ox and said, "F that". And then there were foxen...

  85. Re:boxen and Borg? by jeffmeden · · Score: 2

    What?

    "Editors"

    While admiring Cisco's efforts here, this seems hard. At least these criteria would need to be satisfied:

    1) the order would have to come in over an actual secure channel and be handled on known-secure systems.
    2) the payment could not be processed until the delivery was made. Once the payment is made, the delivery location is compromised for future orders.
    3) the shipment would have to be to a location that does not appear on the MLS. The receiver would have to follow tracking and send a courier out to meet the delivery driver (an easy expense for the right customers).

    Driving to a distributor for pickup also seems like a good idea, so long as #2 is adhered to, since it amplifies the required effort of an attack to intercept several pallets of gear.

    What other attacks are there on such a secure-delivery system using a common carrier?

    The most obvious one: they will just intercept everything leaving Cisco and not heading to a reputable US company (scratch that, they probably target reputable US companies too). If they can intercept and MitM one box they can surely do it to a thousand. Why should they care if they don't even know where it's going, they can needlessly bug 1000 routers for every 1 that gets inside the right place and still have enough money in the budget to buy donuts on Friday.

    Where did you get criteria 2 and 3 from? It's pretty clear from the description that Cisco thinks the NSA will be thrown off the trail based on the premise that they are using a (From==Cisco && To==Iran) style filter to do these intercepts, and won't think to do ((From==Cisco && To==Pier 4, NYC) || (From==Pier 4, NYC && To==Iran)). The thinking is similar to bitcoin laundering services. Underestimating the NSA in this regard is pretty sad, given that the leaks are only a fraction of their secretive doings.

  86. Re:Boxen? WTF? by ceoyoyo · · Score: 1

    http://www.wordfind.com/word/o...

    Oxes is a valid scrabble word.

    The -en pluralization used to be more common, but I think it's only used in two or three words now. Oxen is the oddity, not the rule.

  87. Re:simple to thwart., more difficult with detectio by steelfood · · Score: 1

    Considering the manufacturing is already in SE Asia and Eastern Europe, they could ship directly from those locations to their global markets. There's no reason to bring the product back to the U.S. and then send it out to Europe and Asia again.

    Granted, the NSA would still be able to tamper with anything coming out of their North American warehouses, but this at least will satisfy the concerns of their foreign customer. And they may still be able to plant moles in those foreign locations, but that's no different than any location in NA so it's not exactly increasing attack surface.

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  88. Reactive Legislation by andymadigan · · Score: 1

    Applause to Cisco for doing this, but I'll bet the NSA pushes for a law to make interfering with their operations like this illegal.

    If by sheer stupidity such a law actually gets passed, expect it to get used against developers who release security patches not long after.

    --
    The right to protest the State is more sacred than the State.
  89. If it's that important... by viperidaenz · · Score: 1

    If it's that important for their customers, why don't they send someone to pick the stuff up instead of send it via a third party? Or have Cisco deliver it themselves.

  90. Re:Boxen? WTF? by Darinbob · · Score: 1

    Your nerd identity card may need to be turned in. Ox -> oxen, VAX -> VAXen, box -> boxen. It's the classic nerd joke.

  91. No, you just need Jason Statham by dciman · · Score: 1

    Maybe CISCO should hire a Transporter :)

    https://www.youtube.com/watch?...

  92. Re:Boxen? WTF? by HappyHead · · Score: 1

    Well, the plural of Ox (the big smelly cow-like animal) is Oxen.

    Perhaps this is a hint that something about this whole thing stinks?

  93. Re:Boxen? WTF? by plopez · · Score: 1

    Old joke. MS named their Access DB engine a Jet Engine because it both sucks and blows at the same time.

    --
    putting the 'B' in LGBTQ+
  94. Re:boxen and Borg? by DanielRavenNest · · Score: 3, Interesting

    Then the answer is not to send the hardware to empty buildings, but to install a GPS tracking device in the shipping container, and see where it goes off-course. Bonus points if you can track it all the way to the NSA modification warehouse, but at least if you know where it got diverted, you can figure out *how* it gets diverted. I suspect the truck drivers are in on it, but without tracking data, that is just a theory.

  95. Re:Boxen? WTF? by Slashdot+Parent · · Score: 1

    In what fucking language. Pretty sure boxes is the pl. of box.

    A long, long, long, long time ago, system administrators of the various Unix-like OS's pluralized Unix-like machines as "boxen" instead of boxes. It was just sort of a quirky, geeky thing. Now, it sounds just really fucking stupid.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
  96. Re:Boxen? WTF? by Slashdot+Parent · · Score: 1

    People pay for dictionaries? You must be really, really old.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
  97. Re: Boxen? WTF? by painandgreed · · Score: 1

    A nonstandard plural of box formed by analogy with oxen.

    I bet actual research into the history of the word will reveal a background of faux German, another example of which would be "der blinkenlights".

  98. Re: Boxen? WTF? by David_Hart · · Score: 1

    Any more than that leads to trouble...

  99. Re: Boxen? WTF? by mwehle · · Score: 1

    What's the plural of fox?

    More importantly, what does the fox say?

    --
    Wir sind geboren, um frei zu sein - Rio Reiser
  100. Re:Boxen? WTF? by plopez · · Score: 1

    We might as well start with Lewis Carroll

    --
    putting the 'B' in LGBTQ+
  101. Re:Boxen? WTF? by puzzled_decoy · · Score: 1

    I really think it's from this Brian Regan sketch.

  102. Re:Boxen? WTF? by jc42 · · Score: 2

    We might as well start with Lewis Carroll

    Or with this well-known one about the absurdities of English spelling:

    A plan for the improvement of spelling in the English language
    By Mark Twain

    For example, in Year 1 that useless letter "c" would be dropped to be replased either by "k" or "s", and likewise "x" would no longer be part of the alphabet. The only kase in which "c" would be retained would be the "ch" formation, which will be dealt with later. Year 2 might reform "w" spelling, so that "which" and "one" would take the same konsonant, wile Year 3 might well abolish "y" replasing it with "i" and iear 4 might fiks the "g/j" anomali wonse and for all.

    Generally, then, the improvement would kontinue iear bai iear with iear 5 doing awai with useless double konsonants, and iears 6-12 or so modifaiing vowlz and the rimeiniing voist and unvoist konsonants. Bai iear 15 or sou, it wud fainali bi posibl tu meik ius ov thi ridandant letez "c", "y" and "x"— bai now jast a memori in the maindz ov ould doderez —tu riplais "ch", "sh", and "th" rispektivili.

    Fainali, xen, aafte sam 20 iers ov orxogrefkl riform, wi wud hev a lojikl, kohirnt speling in ius xrewawt xe Ingliy-spiking werld.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  103. Re:how about an NSA honeypot? by AHuxley · · Score: 1

    A lot of nations will bait the Western networks with Operation Mincemeat http://en.wikipedia.org/wiki/O...
    or Operation Fortitude http://en.wikipedia.org/wiki/O...
    With Western signals intelligence being so good, automated and in everything as shipped, why not just have crews feeding the networks from vast fake bureaucracies using trusted US branded computer imports.
    The West needs, wants and has enjoyed total signals intelligence over the decades, why not just create a digital network just to feed the US and UK with 24/7?
    Lots of internal digital chatter about a few billions $ in contracts could be created. Load it up with hints about what China, Russia and the EU can offer :)

    --
    Domestic spying is now "Benign Information Gathering"
  104. Re:Boxen? WTF? by plopez · · Score: 1

    Remember the pl. of Unix is Unices

    --
    putting the 'B' in LGBTQ+
  105. better fix by samantha · · Score: 1

    A better fix is to capture and prosecute all persons who ever did this and throw the Computer crimes book at them, putting them in prison for decades. Following up, have Congress do a deep probe of all such criminal activity of the NSA and monitor it heavily to reduce any and all such future behavior. This is completely criminal and needs to be stopped and with great energy.

  106. Re:Boxen? WTF? by deesine · · Score: 1

    At least something makes you glad. Start buying wrinkle cream now.

    --
    damaged by dogma
  107. Re:Boxen? WTF? by Mal-2 · · Score: 1

    Dvorak.

    aoeuidhtns-

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  108. Untraceable Cisco equipment by HKcastaway · · Score: 1

    I used to trade a lot of Cisco equipment, either used or parallel channel.

    All the equipment that we sold was untargetable, as we didn't place orders with Cisco. We bought whatever someone had in their warehouse, then we sold it to our customer. No one knows who our end user was.... sometimes not even us. Some companies were very cagey about telling us anything....

    This is an easy problem to solve.

  109. We're commenting on a lame joke by dbIII · · Score: 1

    I doubt they even use this stupid technique and Cisco is heavily compromised themselves anyway.

  110. Re:boxen and Borg? by jeffmeden · · Score: 1

    Then the answer is not to send the hardware to empty buildings, but to install a GPS tracking device in the shipping container, and see where it goes off-course. Bonus points if you can track it all the way to the NSA modification warehouse, but at least if you know where it got diverted, you can figure out *how* it gets diverted. I suspect the truck drivers are in on it, but without tracking data, that is just a theory.

    Why on earth wouldn't you just presume that they are sitting in the CBP cargo control office waiting for anything marked Cisco? Secret warehouse? What is this, a Bond movie? It's a guy with a laptop and a cubicle at the port of Los Angeles who sifts through manifests and then saunters out for a few hours when he spots a ripe container, does his flashy flashy, puts some pretty tape back on the box, and no one is the wiser. The guy who works in Memphis at the border control office for the FedEx hub has it even easier, he just waits for the box to come down the conveyor and "inspects" it for a few minutes and sends it on its way.

    You make a good point though, Cisco doesn't seem to have any problem with the premise that US intelligence agencies can basically do anything with their products after they leave the warehouse, but is glad to set up an extra layer of work (for a fee!) to help (not really) remedy it. If they wanted to actually stop this from happening they would take a completely different approach, like just doing final assembly overseas, since all the freaking parts come from Asia anyway.

  111. Re:Boxen? WTF? by postglock · · Score: 1

    Slashdot sig boxes are far too short.

    Nice sig.

  112. Boxen? Because it's a 'fun' word to say by PPalmgren · · Score: 1

    Really, try to tell me that boxen doesn't sound cool. N is also easier to follow into other words in a sentence than an S without that 'harsh cutoff' feel at the end of the word.

  113. Unsure why there is a war against our tech by teknosapien · · Score: 1

    I often wonder if some of these high tech companies have considered leaving the U.S. in light of these types of campaigns.
    Moving to a more friendly country that would ensure the sanctity of the company from these types of intrusions?

    --
    no matter how good it is, it is human nature always wants to make things better