Slashdot Mirror

← Back to Stories (view on slashdot.org)

To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses

Posted by timothy on from the name-is-smith-john-smith dept.

An anonymous reader writes with this news snipped from The Register: Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says. The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers. The interception campaign was revealed last May. Speaking at a Cisco Live press panel in Melbourne today, Stewart says the Borg will ship to fake identities for its most sensitive customers, in the hope that the NSA's interceptions are targeted. 'We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who, ultimately, it is going to,' Stewart says.

30 of 296 comments (clear)

  1. Not new by raftpeople · · Score: 5, Funny

    "We ship [boxes] to an address that's has nothing to do with the customer,"

    I know some other companies that seem to do this for about half my orders.

    1. Re:Not new by fictionpuss · · Score: 4, Insightful

      If the NSA does not already have access to Cisco's obfuscated address system, then they are not doing their job.

    2. Re:Not new by hjf · · Score: 3, Insightful

      As a foreigner, I believe it is incumbent upon you as American citizens to OUTLAW THE FUCKING NSA.

      Seriously? A WORLD CLASS COMPANY SHIPPING TO DECOY ADDRESSES to avoid ILLEGAL GOVERNMENT SPYING?

      WHAT THE FUCK, AMERICA?

  2. How much to become a sensitive customer? by Iamthecheese · · Score: 5, Interesting

    I would be happy to pay a little extra for this service for non-critical hardware. But if I were actually concerned the NSA would want to twist my knickers there's no way in hell I would: It's a huge red flag for them. Instead I would bribe someone at a different company to accept my shipment and forward it to me.

    But let's be honest, if the NSA is interested enough in you to install extras on your hardware, they probably already know your favorite porn, your underwear size, and what you had for breakfast. I'm happy to see extra services appearing for privacy-loving individuals but I don't think this particular one will help.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    1. Re:How much to become a sensitive customer? by jedidiah · · Score: 4, Interesting

      I think this service is entirely pointless. If you are worried about interception using a common carrier, then you need to stop using common carriers. Full stop.

      You need to use a proper courier. You also need to work on making your gear more tamper resistant.

      --
      A Pirate and a Puritan look the same on a balance sheet.
  3. a bid to foil the NSA, John Stewart says by xxxJonBoyxxx · · Score: 3, Funny

    >> a bid to foil the NSA, security chief John Stewart says

    Both John Stewarts are funny guys.

    1. Re:a bid to foil the NSA, John Stewart says by Your.Master · · Score: 5, Funny

      The plural of John Stewart is John Stewarten.

  4. simple to thwart., more difficult with detection. by nimbius · · Score: 4, Interesting

    the actual plan is pretty secretive but crap like Smallco at Nowheresville is easy to catch. all the NSA has to do is take a spammers approach when sifting through UPS and FEDEX databases pertaining to Cisco. Using Sparse Orthogonal Bigrams or CRM114 with a combination of known customer addresses and contacts allows the NSA to quickly weed out any future attempt to subvert its practice.

    what isnt more difficult to thwart is a conscious customer, and thats the NSA's real problem. A shipment from San Francisco to Dallas for example, that takes a detour to Boson, could be good reason for suspicion. anti-tamper systems like tip-n-tell, environmental dyes, tamper seals, or a combination of these sytems as well as the much maligned DRM signed firmware could make the NSA's efforts substantially more difficult. Finally, getting out of lock-in technology monocultures like dell-everything shops and cisco-anything shops is helpful. a moving target is, after all, harder to hit.

    --
    Good people go to bed earlier.
  5. Re:Boxen? WTF? by Holi · · Score: 3, Funny

    In what fucking language. Pretty sure boxes is the pl. of box. But you know with everyone out there making up new spellings left and right how am I supposed to keep up. (I mean really "rediculous"???? why that one pisses me off so much I'll never know)

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  6. Re:boxen and Borg? by serviscope_minor · · Score: 4, Insightful

    What?

    You just lost you nerd cred, that's what. I sentence you to 5 hours of reading the jargon file.

    --
    SJW n. One who posts facts.
  7. No confidence by Anonymous Coward · · Score: 3, Insightful

    I still can't trust that mechanism. Cisco needs to offer tools to verify the devices are genuine.

  8. Re:boxen and Borg? by bill_mcgonigle · · Score: 3, Insightful

    What?

    "Editors"

    While admiring Cisco's efforts here, this seems hard. At least these criteria would need to be satisfied:

    1) the order would have to come in over an actual secure channel and be handled on known-secure systems.
    2) the payment could not be processed until the delivery was made. Once the payment is made, the delivery location is compromised for future orders.
    3) the shipment would have to be to a location that does not appear on the MLS. The receiver would have to follow tracking and send a courier out to meet the delivery driver (a easy expense for the right customers).

    Driving to a distributor for pickup also seems like a good idea, so long as #2 is adhered to, since it amplifies the required effort of an attack to intercept several palettes of gear.

    What other attacks are there on such a secure-delivery system using a common carrier?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  9. Why not just deliver it yourself? by NothingWasAvailable · · Score: 4, Interesting

    This strikes me as either silly (very James Bond), or an indication that Cisco doesn't even trust its own employees.

    Otherwise, why wouldn't Cisco just hand deliver the items using its own employees.

    Taking this cloak-and-dagger approach implies that if anyone at Cisco knows who's receiving the hardware, then it is at risk, meaning that Cisco is compromised and knows it.

    1. Re:Why not just deliver it yourself? by magarity · · Score: 3, Interesting

      Taking this cloak-and-dagger approach implies that if anyone at Cisco knows who's receiving the hardware, then it is at risk, meaning that Cisco is compromised and knows it.

      It also implies that the real problem is at UPS/FedEx/DHL? I'd like to know what the shippers have to say about these interceptions.

  10. NSA doesnt' know? by ugen · · Score: 5, Insightful

    Seriously, I would assume that NSA at least has a "mole" in the order processing/accounting/shipping dept. at Cisco. Unless Cisco pays a lot more than market to these rank-and-file employees or gives them benefits unheard of elsewhere, they aren't particularly hard to get to cooperate, I would guess.

  11. The NSA will respond by mark_reh · · Score: 4, Interesting

    by putting their stuff into the Cisco boxes in the factory. Wait, aren't they already doing that?

  12. And how, exactly, are they going to do that? by tacokill · · Score: 3, Interesting

    You see, the US Government is very keen about governing exports. They prohibit shipping many products into restricted countries and they actively police it in a serious manner. Anyone who's product gets found in a restricted country is in hot water. It doesn't matter if the product(s) was sold through an intermediary or 20 middle men, the manufacturer is 100% responsible for asserting, under penalty of law, that their products will not end up in a restricted country and that's that. The treasury department even publishes a monthly list of offenders they catch but I apologize as I cannot seem to find it on google.

    To address this issue, many companies that have been caught are required by the US Treasury Dept to document every single end user of their product. Yes, every single unit that is sold must be documented as to where it's final resting place is. I doubt Cisco is under this kind of requirement (unless they've been caught in the past) but it seems this new policy is a huge risk for them in that area. If you were an Iranian supply store trying to procure Cisco equipment, this seems like a good way to do it without anyone knowing or being able to track it --- and that's a serious risk for Cisco.

    The minute one of those units gets found in Iran (or any restricted country), all hell will break loose. Again, it doesn't really matter how it got there.....

    Here is a good overview of the requirements and Here is a company that has a good policy summary that they live by. Smart on them.

    Understand that this has nothing to do with NSA or espionage. This is just a basic requirement of doing business overseas and exporting products. Doesn't matter whether it's plastic dog poo, Intel CPU's, lab equipment, cranes, or other engineered equipment

  13. Re:Boxen? WTF? by plopez · · Score: 4, Insightful

    So what is the pl. of "ox"? "Oxes"? I think not.

    --
    putting the 'B' in LGBTQ+
  14. Re:Boxen? WTF? by fhage · · Score: 5, Insightful
    Kids these days... Digital Equipment Corporation (DEC) VAX.

    We had several Vaxen in our lab.

    It's used to show who groks tek. Sales dept use "Vaxes". Users say Vaxen.

    Now, get off my lawn. I just mowed it.

  15. Re:Boxen? WTF? by in10se · · Score: 4, Informative

    Have you never read The Jargon File. It's required reading for any hacker.

    --
    Popisms.com - Connecting pop culture
  16. Re:And credit card numbers will be securly stored by Minupla · · Score: 4, Funny

    No! Rot 13 is broken. Hey, Triple DES made DES secure again! We'll do quadrupedal Rot 13! That'll fix em!

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  17. Re:Boxen? WTF? by Anonymous Coward · · Score: 4, Informative

    Boxes is the plural of box only if you're talking about containers like cardboard or wooden boxes, etc.

    If you're talking about computer gear that happens to come in a vaguely box-shaped chassis (like a computer or a network switch), the plural is boxen. See also "vaxen".

    Keep up? The terminology is possibly older than you are.

  18. Plural of Box is Bice by Anonymous Coward · · Score: 5, Funny

    Mouse-> Mice
    Louse -> Lice
    House -> Hice
    Platapouse -> Platapice
    Faux -> Fauce
    Fox -> Fice
    Box -> Bice

  19. Re: Boxen? WTF? by Ksevio · · Score: 3, Funny

    Apparently it's foxen since anything that ends with "ox" it pluralized the same way

  20. Red Herring by Greyfox · · Score: 4, Interesting

    Does nothing if all hardware is compromised prior to shipping. Would they be allowed to tell you if it were? Would they even be aware if it was? Has the government ever looked at their code or received a report from them about potential security vulnerabilities as part of a disclosure required for a government contract or security certification? I'm guessing if they did, that report was sent directly to the NSA.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  21. Re:Boxen? WTF? by Molt · · Score: 4, Insightful

    I view it more as required reading for anyone who plans to spend time at MIT in the 1960s.

    --
    404 Not Found: No such file or resource as '.sig'
  22. Re: Boxen? WTF? by Anonymous Coward · · Score: 3, Funny

    No, the plural of vixen is "threesome".

  23. Trust by Anonymous Coward · · Score: 4, Insightful

    Good job NSA! Way to destroy not just any integrity we had left as a country, but also undermine trust in the products we sell as well.

  24. Don't ship, send an employee-courier by davidwr · · Score: 3, Insightful

    If it's THAT sensitive, either have the customer pick it up from a Cisco-controlled location or have a Cisco employee hand-deliver it to the customer.

    Use tamper-evident seals and use something like a "warrant canary"-like system so the delivery person can effectively tell the customer that to the best of his and Cisco's knowledge the shipment was not tampered with en route: The absence of a followup message from Cisco guaranteeing that the shipment and delivery were not intercepted would be treated as a message that it might have been intercepted.

    Speaking of "canaries" I wouldn't be surprised to see specialty shipping companies or specialty-arms of big-name shipping companies use "canaries" to guarantee that their shipments were delivered to an authorized person and not tampered with en route.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  25. Re:boxen and Borg? by DanielRavenNest · · Score: 3, Interesting

    Then the answer is not to send the hardware to empty buildings, but to install a GPS tracking device in the shipping container, and see where it goes off-course. Bonus points if you can track it all the way to the NSA modification warehouse, but at least if you know where it got diverted, you can figure out *how* it gets diverted. I suspect the truck drivers are in on it, but without tracking data, that is just a theory.