How Cisco Is Trying To Prove It Can Keep NSA Spies Out of Its Gear (csoonline.com)

itwbennett writes: 'A now infamous photo [leaked by Edward Snowden] showed NSA employees around a box labeled Cisco during a so-called 'interdiction' operation, one of the spy agency's most productive programs,' writes Jeremy Kirk. 'Once that genie is out of the bottle, it's a hell of job to put it back in,' said Steve Durbin, managing director of the Information Security Forum in London. Yet that's just what Cisco is trying to do, and early next year, the company plans to open a facility in the Research Triangle Park in North Carolina where customers can test and inspect source code in a secure environment. But, considering that a Cisco router might have 30 million lines of code, proving a product hasn't been tampered with by spy agencies is like trying 'to prove the non-existence of god,' says Joe Skorupa, a networking and communications analyst with Gartner.

130 comments

  1. 30 million lines of code?! by kaka.mala.vachva · · Score: 4, Interesting

    That is a lot of code, is that a realistic number for a router? I'm genuinely interested in knowing.

    1. Re:30 million lines of code?! by Anonymous Coward · · Score: 1

      It is a meaningless number without context (what language? did they count blank lines? etc.)

    2. Re:30 million lines of code?! by Anonymous Coward · · Score: 0

      How else are they going to have all their proprietary protocols?

    3. Re: 30 million lines of code?! by Anonymous Coward · · Score: 1

      Considering that making routers is kinda their thing... What do you think? Best guess scenario is that it would be in the general ballpark no matter which way you go.

    4. Re:30 million lines of code?! by Lennie · · Score: 4, Funny

      If you add enough protocols you'll eventually get there?

      --
      New things are always on the horizon
    5. Re:30 million lines of code?! by Anonymous Coward · · Score: 3, Interesting

      BSD base.

      But a team of hundreds of highly talented people who are paid a full time wage to find vulnerabilities (you don't think the NSA has source too?) in everything from the application layer to the bare metal is going to do a better job of finding vulnerabilities than someone sent on a PR junket to "prove" that Cisco routers are secure.

      This is, alas, a technological solution to a social problem, and one with a very finite lifespan.

      In particular, observe that the first domino in the war against end-to-end encryption is about to fall: Great Britain. Other European countries will follow, and the US is not going to lag far behind. ("Oh, it'll never happen!" Oh, but it already is happening.) Is it because of some theoretical or practical breakthrough? No, it is because the law allows it.

      The law gives effectively boundless permissions and resources to the executive. That's always going to defeat encryption-in-practice, which is limited by the wits of engineers and the boundaries of law.

      Encryption-in-practice is only useful - and it is very useful then - against those of limited means, whether a tin pot dictatorship or your competitor or your annoying roommate. More specifically, encryption-in-practice is something you use to protect you from your peers and from the corruptibility of institutions designed to serve you - in particular, public institutions. The moment a head of state says, as did David Cameron, that it's time to eliminate the first principle of rule of law - "as long as you obey the law, we will leave you alone" - the game has changed.

      Then, your new task must be to educate the masses to oppose tyranny, because you will lose if you try to continue standing on your own.

      tl;dr If the biggest corporations appear to sell protection from their own government as a security feature, they are either knowingly full of shit, or unknowingly full of shit.

    6. Re:30 million lines of code?! by realmolo · · Score: 2

      I'd say it's realistic. Depends on the router.

      A modern high-end router is really more of an IDS/IPS/firewall than just a router. There is a lot of stuff going on. And if you include all the code for the interface (both a console and a web-based interface), then it REALLY gets nutty.

    7. Re: 30 million lines of code?! by Anonymous Coward · · Score: 0

      They simply can't think logically.

    8. Re:30 million lines of code?! by Anonymous Coward · · Score: 1

      It's actually around 185 million lines of code across 13 current release trains.

      So I hear.

    9. Re:30 million lines of code?! by Anonymous Coward · · Score: 0

      I suspect assembly.

    10. Re:30 million lines of code?! by Tablizer · · Score: 1

      That is a lot of code, is that a realistic number for a router?

      It's divided into:

      A. 1 million lines that do real work.
      B. 10 million lines to verify nobody tampered with "A".
      C. 18 million lines to verify nobody tampered with "B".
      D. 1 million lines to display a disclaimer that says if somebody tampers with "C", you are S.O.L.

    11. Re: 30 million lines of code?! by Tablizer · · Score: 1

      At least their code is short:

      10 DELETE GOVERNMENT
      20 GOTO 10

    12. Re:30 million lines of code?! by Anonymous Coward · · Score: 0

      Seems Cisco has yet to discover the Turtle Algorithm.

    13. Re: 30 million lines of code?! by ArmoredDragon · · Score: 3, Insightful

      Not only realistic, but I myself would be concerned with what is going on inside of the ASIC, and finding out would be very non-trivial, even if they revealed the schematics.

      Also of concern is, how do we know they haven't received an NSL telling them to maintain two sets of code, with one of them being compromised and not showable to somebody without government clearance?

    14. Re:30 million lines of code?! by Anonymous Coward · · Score: 0

      It's actually around 185 million lines of code across 13 current release trains.

      So I hear.

      214M in the tarball I have, but that has the pre-release for the next iteration.

    15. Re: 30 million lines of code?! by Anonymous Coward · · Score: 0

      Just like it's the government's job to govern, so don't question anything they tell you....

    16. Re:30 million lines of code?! by Anonymous Coward · · Score: 0

      Considering the user interface and programmability of Cisco routers, I'd say 30 million lines makes sense. They handle per-port configuration of various OSI stack settings, link speed, subnetting, router tables, etc...

      Check out their CLI to get a feel for what even some of the dumb switches can do. Some also have a GUI that can be tapped into as well.

    17. Re:30 million lines of code?! by unixisc · · Score: 1

      Do lines of code include comment lines?

    18. Re:30 million lines of code?! by unixisc · · Score: 1

      BSD? I thought that Cisco used Linux, whenever it didn't use QNX. Juniper are the guys who use BSD.

    19. Re:30 million lines of code?! by greenfruitsalad · · Score: 1

      I have seen code where the comments were pretty much a discussion between developers over years. Some comments were full arguments or mocking at somebody else's code.

    20. Re:30 million lines of code?! by Anonymous Coward · · Score: 0

      A modern high-end router is really more of an IDS/IPS/firewall than just a router.

      No. Or maybe firewall in a limited sense, but you certainly aren't going to find IDS in e.g. ASR 9000 (you know, those things that are actually high-end routers). You are likely thinking about next-gen firewall or whatever the buzzword is. They are very far from high-end routers, but they are a better solution for a far bigger user base (since most people are fine with far less than 1Gbps of routing capacity and do not need BGP).

    21. Re: 30 million lines of code?! by AmiMoJo · · Score: 2

      To be fair, I think a backdoor in an ASIC is unlikely. It would be hard to hide from all the people working on the product, and would make it easier for other people to hack Cisco gear. The NSA doesn't want to open the door for everyone.

      That's why they were intercepting hardware being shipped to customers and planting bugs in it. Targeted, easy to update the bugs, easy to hide from Cisco engineers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    22. Re: 30 million lines of code?! by DeathElk · · Score: 1

      More like:

      10 IF (!DELETE GOVT SPENDING ON EDUCATION) GOTO 100
      20 DELETE GOVT SPENDING ON SOCIAL PROGRAMS
      30 DELETE GOVT SPENDING ON VETERAN AFFAIRS WHILST QUEUING UP YOUNG PEOPLE FOR WAR
      40 DELETE GOVT SPENDING ON PUBLIC TRANSPORT
      50 PASS BILLS SUPPORTING CORPORATE MALFEASANCE
      60 DENY HUMAN IMPACT ON CLIMATE WHILST DEFAMING/DEFUNDING RESEARCH TO THE CONTRARY
      70 PERPETUATE FEAR AGAINST MINORITIES (ESP MUSLIM) THEREBY PERPETUATING ILLWILL
      80 WIDEN THE GAP BETWEEN RICH AND POOR
      90 GOTO 10
      100 PROSPER
      110 GOTO 100

    23. Re: 30 million lines of code?! by Anonymous Coward · · Score: 1

      To be fair, I think a backdoor in an ASIC is unlikely. It would be hard to hide from all the people working on the product, and would make it easier for other people to hack Cisco gear.

      I suspect such a backdoor would take the form of an extra processor that you can load code into if you know what you are doing. Sometimes there is a lightweight 8-bit controller that is only used to load the program into the main memory for the real processor to take over or a dedicated controller to deal with some I/O-stuff.
      It might be hard to realize that the code for a processor you didn't know existed is missing.

    24. Re:30 million lines of code?! by Anonymous Coward · · Score: 0

      That's a realistic number. Networking hardware consists of custom multi-core ASICs for doing packet analysis, statistics, routing. So all of that will require a kernel, device drivers, a TCP/IP software library, unit tests, build configuration data, debugging tools, all the standard TCP/IP tools and commands (ifconfig, netstat, traceroute), and libraries to implement all the international standards like SNMP, telnet, ftp, remote-booting. If their code base supports multiple products and all their variants, plus unit tests, that's easily going to be 30 million lines.

    25. Re:30 million lines of code?! by haruchai · · Score: 2

      I'm pretty sure the Nexus switches run Linux on the bare metal but the AsyncOS that powers the Ironport Web & Email appliances is supposedly running on top of FreeBSD.
      But in neither case does the customer have access to the underlying OS - as far as I'm aware.

      --
      Pain is merely failure leaving the body
    26. Re:30 million lines of code?! by shugah · · Score: 1

      It's certainly not the UI.

      --
      If you aren't part of the solution, then there is good money to be made prolonging the problem
    27. Re:30 million lines of code?! by edtice1559 · · Score: 1

      There are 15 million lines of code in the Linux kernel so this doesn't seem surprising at all. They probably have a smaller kernel and less userland but we're still within this order of magnitude.

    28. Re:30 million lines of code?! by Anonymous Coward · · Score: 0

      Here is a visualisation showing a lot of codebase sizes. Unfortunately, it doesn't include any routers, but considering that several routers have software built on Linux, you already have 5 - 15 million lines (depending on kernel version) from the start. Still, 30 million lines sounds like a lot.

      http://www.informationisbeautiful.net/visualizations/million-lines-of-code/

    29. Re: 30 million lines of code?! by Anonymous Coward · · Score: 0

      we know because NSLs don't work that way

    30. Re: 30 million lines of code?! by IndustrialComplex · · Score: 1

      A backdoor might be hard to hide, but a backdoor enabling flaw might not be. Just as with any problem, you don't always have to solve it in one go, you take "bite sized" pieces and solve them.

      So you don't enable a backdoor, you just introduce a flaw which makes it easier to exploit another flaw downstream.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    31. Re:30 million lines of code?! by beastofburdon · · Score: 1

      I'm pretty sure it runs a version of the Linux kernel, so yes, that is realistic.

  2. 30 million lines of code by Anonymous Coward · · Score: 0

    In a router??? Bullshit. Windows 10 doesn't have 30 million lines of code.

    1. Re:30 million lines of code by Anonymous Coward · · Score: 2, Funny

      In a router??? Bullshit. Windows 10 doesn't have 30 million lines of code.

      Yea but a Cisco router actually does work...

    2. Re:30 million lines of code by sims+2 · · Score: 1

      I also call bs. http://www.informationisbeauti...

      Although windows 10 probably does have around 30 million lines.

      --
      Minimum threshold fixed. Thanks!
    3. Re:30 million lines of code by AK+Marc · · Score: 3, Insightful

      I read it as "reporter mistakes 'all Cisco devices in the program sum to 30 million lines of code' for 'a router has 30 million lines of code'". If you had multiple different classes of switch, they may have very little code reuse. The old PIX ran on a standard Intel CPU (not sure about the newer ASA), ASICs differ between even different models in the same router line, so lots of code around those. Sum up all the different devices that they are opening up, and 30M lines of code sounds about right, though 30M lines of code for a single router seems a bit much.

      Though, if you don't trust Cisco, how does opening the source code in such controlled circumstances help? Unless you can compile it yourself with a compiler you brought, you can never be sure there isn't a backdoor. There could be code swap between display and deployment, or a backdoor programmed into the compilers, to ensure no code review would ever find it. Or it's only in ASIC based systems, hidden in the chip, and the chip schematics aren't on display.

      So the show is merely symbolic, so let's see how it goes.

    4. Re:30 million lines of code by GuB-42 · · Score: 2

      I suspect that DD-WRT is in the same ballpark, if only for the Linux kernel (the latest release is nearly 20 million lines of code).
      And DD-WRT is for home routers.

  3. Pictures! by Anonymous Coward · · Score: 0

    or it didn't happen...

  4. Re:Sheldon Cooper will finally have sex by Anonymous Coward · · Score: 0

    They will break up in the very next episode.

    What does this have to do with Cisco or the NSA again?

  5. ...trying 'to prove the non-existence of god... by ItsJustAPseudonym · · Score: 5, Funny

    More like "the devil", in this case.

  6. Re: Sheldon Cooper will finally have sex by Anonymous Coward · · Score: 2, Funny

    The descent of Big Bang Theory into the Friends zone is complete. Sad.

  7. It's the Law by Anonymous Coward · · Score: 5, Interesting

    How can they convince anyone that they can keep the NSA out when the Law says they have to let the NSA in?

    1. Re:It's the Law by bill_mcgonigle · · Score: 1

      How can they convince anyone that they can keep the NSA out when the Law says they have to let the NSA in?

      Well, assuming your premise the only thing that can be done is to show everybody the code and let somebody not under NSL seal disclose it.

      Cisco's actions aren't inconsistent with that approach. The speculation is hardly proven, though.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:It's the Law by swillden · · Score: 1

      How can they convince anyone that they can keep the NSA out when the Law says they have to let the NSA in?

      Which law is that, exactly?

      People on /. (and elsewhere) make a lot of invalid assumptions about what the law allows the government to do. National Security Letters, for example, are assumed to be able to compel anyone to do anything and keep their mouths shut about it. In fact, the law says that NSLs can only require the recipient to provide data already in possession (not set up long-lived back doors) and further can only demand metadata, not content. NSLs are only one legal vehicle for requests, but as far as I can tell there is no law that could compel Cisco to provide the NSA with built-in back doors.

      Of course, the NSA can also potentially insert moles into companies and get them to add back doors, but Cisco actually may be able to convince people that that hasn't happened. It will be hard. Especially since the parent's incorrect view is very widespread, but AFAICT, there's no legal restriction making it impossible.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:It's the Law by edtice1559 · · Score: 1

      They ship signed binaries and post the hashes. That's not a perfect solution since somebody could load a different binary with a rootkit that makes it look like the real one. But if you download the firmware and verify the signature, that's a pretty good start. We all hated TPM when MSFT tried to introduce it to kill Linux but now it's starting to make sense.

    4. Re:It's the Law by Anonymous Coward · · Score: 0

      https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

      CALEA: Your telecom provider's equipment has been pre-pwned, by law, for over 20 years.

      And that's just the "legitimate" legal part.

      I'm actually curious how the illegal fiber-splitter-copies-everything-into-the-NSA-room part will continue to work when next-generation multi-core multi-mode fibers are deployed. Splicing a partial mirror into a single-core fiber is one thing, somehow stealing signal from 36 cores each bearing hundreds of carriers without breaking signal integrity is a little more physically... difficult. As will be processing hundreds of TB per second of data from them, but Moore's Law will magically fix that, right?

    5. Re:It's the Law by swillden · · Score: 1

      https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

      Thank you. That's a specific law. Not one that applies to Cisco, though.

      And that's just the "legitimate" legal part.

      Which is the only relevant part for this thread. The GP's claim was that the law required Cisco to let the NSA in. It doesn't. Extra-legal actions the NSA may take are a different story; those Cisco is allowed to resist (though how successful they might be is an open question).

      I'm actually curious how the illegal fiber-splitter-copies-everything-into-the-NSA-room part will continue to work when next-generation multi-core multi-mode fibers are deployed. Splicing a partial mirror into a single-core fiber is one thing, somehow stealing signal from 36 cores each bearing hundreds of carriers without breaking signal integrity is a little more physically... difficult. As will be processing hundreds of TB per second of data from them, but Moore's Law will magically fix that, right?

      Well, by definition there won't be more data than the equipment owned by the legitimate users of the cable can process, so data volume growth will be constrained by processing capacities. Doesn't mean it'll be easy, or cheap, though.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. Useless by Lennie · · Score: 2

    This might be useful only if I could bring my own compiler and could keep the resulting binary and I could install that myself on the hardware (never going to happen).

    Even then, Cisco products include hardware with sophisticated packet processing capabilities; they could just build it into that.

    Maybe they should first find a way to ship the product in such a way that it can't be tampered with.

    --
    New things are always on the horizon
    1. Re:Useless by cfalcon · · Score: 1

      > Maybe they should first find a way to ship the product in such a way that it can't be tampered with.

      I really and truly don't believe that is possible.

      In fact, the whole thing seems unlikely to be taken seriously.

      You need to be able to (at your site) ensure the integrity of circuitry, ensure the integrity of code.

      I mean, holy crap.

      But when it comes to some random packing technique? No way.

    2. Re:Useless by bill_mcgonigle · · Score: 2

      This might be useful only if I could bring my own compiler

      You can (per the FAQ).

      and could keep the resulting binary and I could install that myself on the hardware (never going to happen).

      If Cisco defines the hash of the build binary as their IP, then the whole thing is doomed. If you can reproduce their build, a hash collision isn't going to be an actual risk.

      However:

      Q: What technologies or products can be reviewed?
      TVS includes all Cisco technologies, within the bounds of applicable Export Control Laws. Where certain technologies from third-party OEMs are received encrypted, we may be unable to provide greater visibility

      The good news is this sounds like hardware is included (perhaps a way to work around the NSL problem.) The bad news is you're getting binary blobs anyway and you'll just have to trust _those_. Ouch.

      Cisco is realizing that secret source and security applications are incompatible. That's good. Hopefully the next step is to embrace full openness (and therefore stay relevant). As usual, patent fears will probably keep them paralyzed instead and an open competitor (probably non-US) will start to eat their marketshare. Between the US patent system and the NSA taint, the secret-source US 'security' industry has a bleak future. #thanksobama

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Useless by Anonymous Coward · · Score: 0

      > Maybe they should first find a way to ship the product in such a way that it can't be tampered with.

      I really and truly don't believe that is possible.

      In fact, the whole thing seems unlikely to be taken seriously.

      You need to be able to (at your site) ensure the integrity of circuitry, ensure the integrity of code.

      I mean, holy crap.

      But when it comes to some random packing technique? No way.

      Ship the router and the ROM (yeah yeah EPROM) separately. Have all the ROMs shipped to the local HQ and customers can fly in first class, pick up their 100 chips and carry on luggage them home. A first class ticket isn't a big add compared to the price of these enterprise perimeter devices after all. Or, you know, offer them an encrypted download binary blob to flash themselves.

  9. What about shipped product? by Anonymous Coward · · Score: 0

    I didn't read the article (shocker), but how exactly does Cisco plan on convincing customers that after they spend a few months straight locked into their facility and validated their source code (which I'm assuming includes the whole build chain source code), that the binaries that end up on their hardware match what was produced by the source code? Oh and also that there is no hardware backdoor (or is that also part of the 30 million lines of code).

    I'd be seriously surprised if Cisco itself had the process documented and validated to the point where they could convince themselves that they're all clear, let alone their customers.

    1. Re:What about shipped product? by gumbi+west · · Score: 1

      Yes, this is the flaw in a source code only audit. But just compile it yourself and use those binaries. Now, good luck finding a compiler that you know is clean. Even an OSS one can have code in it that recognizes when it is compiling itself and adds the back door to the newly compiled version of the compiler. So while the code is clean, you also have to know that the compiler that compiled the compiler was clean. And not the current version of its source but the binary.

    2. Re:What about shipped product? by StikyPad · · Score: 1

      Even an OSS one can have code in it that recognizes when it is compiling itself and adds the back door to the newly compiled version of the compiler.

      You're referring to the "Ken Thompson hack," but it's not a real threat. You would have to solve the halting problem for a compiler to know whether or not it is compiling itself, or a version of itself. That is to say, a compiler could recognize a copy of its source code. It could also recognize familiar strings that it can find, or worse (from a false negative standpoint) hashes of that code, or parts thereof ("signatures"), and as we (should) all know, signatures are easy to defeat, which is why antivirus software is great for detecting known threats, but not so useful for preventing future threats. A program cannot identify another program based on what the program actually does -- say, compile source code and output a binary -- else we would have solved the halting problem, and we would have bug-free code, and perfect antivirus, which would render the Ken Thompson hack ineffective anyway. Yay!

      Moreover, regardless of the attack vector, even a compromised binary can't hide from disassembly and human inspection. And if you're incredibly paranoid, then you could use side-channel analysis to see if anything is happening that's not supposed to be happening, unless you think the NSA has also hacked physics, then nothing I can say matters anyway.

  10. Good luck with that by sasparillascott · · Score: 3, Insightful

    Just like the documents showing Microsoft handing over their customers' communication data to the NSA... once you've been fingered as a good "partner" with the U.S. intelligence apparatus your shelf life as a company has been time bombed... ignition is just waiting on an alternative supplier that can be reasonably trusted (IMHO this could take some years, but it's coming... the market is too big and valuable... if given a true choice nobody wants to buy gear from companies that were shown to be stooges for government snooping).

    1. Re:Good luck with that by Anonymous Coward · · Score: 5, Interesting

      Snowden sure did us a favor with his revelations.

      What did we do for him in return?

      We threw him to the wolves.

      Americans don't deserve whistle-blowers.

    2. Re:Good luck with that by Anonymous Coward · · Score: 0

      What sucks for Cisco is as far as we know, they weren't a "partner" to NSA and they weren't stooges either. Cisco didn't sell out their customers or else the whole interdiction process wouldn't have been necessary; NSA stole equipment out of the supply chain and modified it. I don't fault Cisco for that. Every bit of lost sales attributable to this story is 100% NSA's fault.

    3. Re:Good luck with that by Anonymous Coward · · Score: 0

      Duh, we didn't do it, the gov't did and we can't do anything about it

  11. 30 million lines of code?? by Anonymous Coward · · Score: 0

    If this is true, this is just mind-boggling.

    I think the biggest project I ever worked on came in just under 500K lines of C, not counting whitespace, and this was a project that spanned the greater part of 7 years.

    I doubt Windows 10 is anywhere near 30 million lines of code, but I might be wrong?

    1. Re:30 million lines of code?? by Anonymous Coward · · Score: 0

      Cisco IOS (not to be confused with Apple iOS) is a huge operating system, 99% of which is completely unnecessary to operate a router.

  12. It's called hashing by Anonymous Coward · · Score: 0

    "But, considering that a Cisco router might have 30 million lines of code, "

    Hash your firmware image, make a fingerprint. If hash(image) == fingerprint then you're good.

    If you're having problems controlling your images then I'd advise you stop producing ambiguously configured OSS hackware and get started with an actual software process. Y'know, like those clueless 40 year old neckbeards used to.

    1. Re:It's called hashing by Anonymous Coward · · Score: 0

      I was thinking something similar. However, it looks like they're installing an additional device or component inside of the router/firewall so they may not have to tamper with software. I imagine tampering with software would be a lot harder across so many devices, firmware versions, etc. Also, I'm pretty sure, most Cisco devices check this themselves.

    2. Re:It's called hashing by Anonymous Coward · · Score: 0

      In no way would that show that there's purposefully built backdoors into the existing code.
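      The fingerprint check proposed in "It's called hashing", with the limits its two replies point out (a matching hash only proves you have the image the vendor published, and an implanted component never touches the image) and the reproducible-build point from the "Useless" thread, as an added example. This is Python written for this page, not code from the thread or from Cisco; the manifest format, image names and image bytes are constructed.

      ```python
      """Verify a firmware image against a vendor-published SHA-256 manifest.

      Constructed demonstration: the manifest mimics the shape of a sha256sum
      output file ("<hex digest>  <file name>"), and the image bytes stand in
      for real firmware. Nothing here is a real Cisco artifact.
      """
      import hashlib
      import hmac


      def sha256_hex(data: bytes) -> str:
          """Hex SHA-256 of an in-memory image."""
          return hashlib.sha256(data).hexdigest()


      def parse_manifest(text: str) -> dict:
          """Parse "<64 hex chars>  <name>" lines into {name: digest}.

          The manifest itself must arrive over a channel you trust (signed, or
          fetched from the vendor over TLS and pinned); a hash list that reached
          you next to the image proves nothing about either.
          """
          fingerprints = {}
          for line in text.splitlines():
              line = line.strip()
              if not line or line.startswith("#"):
                  continue
              digest, sep, name = line.partition("  ")
              if not sep or len(digest) != 64 or not name:
                  raise ValueError(f"malformed manifest line: {line!r}")
              int(digest, 16)  # raises ValueError if not hex
              fingerprints[name.strip()] = digest.lower()
          return fingerprints


      def verify_image(name: str, image: bytes, fingerprints: dict) -> bool:
          """True only if the image hashes to the digest published for its name.

          A pass means "this is the bytes the vendor published", nothing more:
          a backdoor compiled into the published image passes too, and a bug
          inserted as hardware during shipping never enters this comparison.
          """
          expected = fingerprints.get(name)
          if expected is None:
              return False
          return hmac.compare_digest(sha256_hex(image), expected)


      def reproducible_build_matches(vendor_image: bytes, local_build: bytes) -> bool:
          """Link the published image back to audited source.

          If a build from the source you reviewed, done with your own toolchain,
          is byte-identical to the shipped image, the published fingerprint now
          speaks for that source rather than for an opaque blob. This assumes
          the vendor's build is reproducible, which the thread notes is itself
          the sticking point.
          """
          return hmac.compare_digest(sha256_hex(vendor_image), sha256_hex(local_build))


      # Constructed inputs: a "published" image, a copy with extra bytes appended
      # (any modification, not a specific technique), and a faithful rebuild.
      GOOD_IMAGE = b"ROUTER-IMAGE v1.0 (constructed sample, not real firmware)\n" * 64
      TAMPERED_IMAGE = GOOD_IMAGE + b"\x00unexpected trailing bytes\n"
      LOCAL_REBUILD = bytes(GOOD_IMAGE)  # a reproducible build yields identical bytes

      VENDOR_MANIFEST = (
          "# constructed sha256 manifest\n"
          f"{sha256_hex(GOOD_IMAGE)}  router-image.bin\n"
      )
      FINGERPRINTS = parse_manifest(VENDOR_MANIFEST)


      def run_checks() -> dict:
          """Run every check on the constructed inputs and return the verdicts."""
          return {
              "published_image_ok": verify_image("router-image.bin", GOOD_IMAGE, FINGERPRINTS),
              "modified_image_ok": verify_image("router-image.bin", TAMPERED_IMAGE, FINGERPRINTS),
              "unknown_name_ok": verify_image("other.bin", GOOD_IMAGE, FINGERPRINTS),
              "rebuild_matches": reproducible_build_matches(GOOD_IMAGE, LOCAL_REBUILD),
              "modified_rebuild_matches": reproducible_build_matches(GOOD_IMAGE, TAMPERED_IMAGE),
          }


      if __name__ == "__main__":
          for check, verdict in run_checks().items():
              print(f"{check}: {verdict}")
      ```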

  13. NSL by Anonymous Coward · · Score: 1

    It's guaranteed that cisco is compromised by NSLs. Until this law is fixed, no big vendor can be trusted.

    1. Re:NSL by slowdeath · · Score: 1

      Is this less of a Cisco/Juniper problem and more of a FedEX/UPS/DHL problem?

      When I ship a package via FedEx et al, I don't expect it to be detoured thru the local NSA office to be 'enhanced'.

      I expect it to be delivered intact and not adulterated. Come on FedEx et al, do your job!

    2. Re:NSL by swalve · · Score: 1

      Exactly. If they have back doors, why would they bother with the mess of interdicting a shipment? Assuming the Snowden info is actually real, of course.

  14. General intelligence announcement by Anonymous Coward · · Score: 0

    I will create it on Java multicore.

  15. And just how does that do anything by silas_moeckel · · Score: 3, Insightful

    The NSA was supposedly loading code onto hardware. Cisco is a pretty closed environment; if they pwn the bootloader, just exactly how are you going to detect this? You can review all the code you want; if you cannot trust the hardware it does you no good.

    --
    No sir I dont like it.
    1. Re:And just how does that do anything by Billly+Gates · · Score: 1

      Answer is easy. Cisco routers ship naked and Cisco images each one on site personally for an extra fee.

    2. Re:And just how does that do anything by silas_moeckel · · Score: 1

      If you intercept it in shipping and replace hardware or install a rooted rommon you can install all the trusted images you like. Ultimately you have to trust rommon that it's updating itself or that IOS is actually writing out a new copy.

      --
      No sir I dont like it.
    3. Re:And just how does that do anything by Billly+Gates · · Score: 1

      No, the Cisco guy wipes it out when he images. Unless you think NSA will put a ROM or EPROM in it?

    4. Re:And just how does that do anything by Anonymous Coward · · Score: 0

      Yes? Check out the leaked catalogues, they put in hardware bugs which interface via I2C on motherboards and other points.

    5. Re:And just how does that do anything by silas_moeckel · · Score: 1

      I rather doubt the Cisco guy is plugging in a JTAG programmer (or similar), and even if they did, that's a fairly high level interface and could be hacked to deliver whatever responses are expected (probably requiring hardware to do so). It's not like any recent Cisco box has a removable ROM anymore (few PCs for that matter).

      --
      No sir I dont like it.
  16. CISCO by hackus · · Score: 1

    How about stop making and delivering interdicted custom gear for the NSA/CIA?

    I know, I have seen the equipment hooked into AT&T's network.

    It isn't a joke what is happening. In the end we all know why this spying is happening and it is not to make you safer.

    It really is all about industrial espionage and taxes, all in pursuit of western bogeymen they create.

    As long as they keep the bogeymen well funded expect more countries shredding freedom and liberty, and all of those that died before us to have given their lives in vain.

    I mean, look at what they are doing: France wants to rewrite its constitution. For what? Why?

    --
    Got Geometrodynamics? Awe, too hard to figure out? Too bad.
    1. Re:CISCO by bluelip · · Score: 1

      You haven't seen anything.

      Read and _UNDERSTAND_ the article.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    2. Re:CISCO by AK+Marc · · Score: 4, Interesting

      Use only Huawei in the core and Cisco on the edge, with a firewall rule to block traffic to/from China to block the Huawei back doors. Or vice versa. You can't trust either, but hopefully both aren't compromised by the same group.

    3. Re:CISCO by cfalcon · · Score: 1

      Mod parent up pls. This is a solid workaround based on realpolitik.

    4. Re:CISCO by wulfhere · · Score: 2

      You DO realize that 'China' could have servers sitting somewhere connected via 'non-China' IPs, right?

      --
      -- Sent from a computer.
    5. Re:CISCO by AK+Marc · · Score: 0

      You are thinking too literally. "block traffic to/from China" I don't care whether the server is in China, but whether the control of the networking gear is not from my management systems. Typical Slashdot style, someone implies that the correct solution is wrong because the correct solution wasn't specified to an irrelevant level of detail, and the idiot Slashdotter assumes incompetent implementation.

      Not everyone is as dumb as you. You don't blacklist your management system. You whitelist it. When you learn the basics of network management, come back and give it another try.

      The point was, if you use Allot, Cisco and Huawei, chances are that Israeli, American, and Chinese boxes won't all be compromised in the same way by the same people.

    6. Re:CISCO by swalve · · Score: 1

      This seems pretty simple. Can't you just make a box that looks at the data coming into a network and drops anything that is unexpected? Some kind of "firewall" between the trusted network and the untrusted?

    7. Re:CISCO by AK+Marc · · Score: 2

      Yeah, but when the firewall is made by Cisco, how do you trust the firewall if you don't trust Cisco?

    8. Re:CISCO by vux984 · · Score: 2

      The solution was covered.

      2 firewalls in sequence.

      Cisco + Huawei

      Even if you trust neither to keep the respective vendor's government out, you can reasonably trust the Cisco not to be in bed with the Chinese, and the Huawei not to be in bed with the Americans.

      So either state actor is blocked. If the Chinese and Americans are working *together* to break into your network... you've probably got a situation where your network shouldn't be connected to the internet, period... transferring your data via USB sticks ferried by carrier pigeons and children.

    9. Re:CISCO by hackus · · Score: 1

      I understand alright.

      Look at the original ARPA documents calling for a distributed non centralized architecture for the command and control of communications.

      I also understand that CISCO's products are perfectly designed to be easily compromised on a small scale with gigantic effects.

      The worst being the UCS manager. Who in their right mind would build a network where all you need is access to one box, and you can trash the whole infrastructure?

      These products coming out of companies, not just CISCO, are the darlings of future NSA black budget industrial espionage strikes.

      They are not designed for your business.

      Just UNDERSTAND that.

      --
      Got Geometrodynamics? Awe, too hard to figure out? Too bad.
    10. Re:CISCO by Anonymous Coward · · Score: 0

      Hypothetically, supposing that the Huawei system has in fact been backdoored by Chinese authorities, what makes you think you'll be able to detect what the "management system" is? There's no rule saying the backdoor has to use a well-known port. It might look no different from a user doing web searches on baidu.com, as far as your Cisco firewall is concerned.

    11. Re:CISCO by AK+Marc · · Score: 1

      So if I whitelist my management system as the only system that can talk to my routers, the firewall won't be able to see the traffic to China because it will use a different port.

      I hope you don't use a computer for your day job.

    12. Re:CISCO by bluelip · · Score: 1

      You still don't understand anything. Good effort though.

      Cisco isn't "shipping and delivering interdicted" custom gear.

      Try again. Maybe you'll get a bronze star this time. For effort.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
  17. Shipping to decoy addresses by HighOrbit · · Score: 2

    Back in March, in a related story, one of Cisco's VPs for security, John Stewart, was quoted in the press as saying that Cisco would ship to decoy addresses to circumvent interception by the Government. Supposedly, this was at a roundtable discussion during the Cisco-Live conference in Melbourne, but there is no video of the discussion on the Cisco-live website.

    I've heard he was misquoted and they don't actually do it. Does anybody have a link to actual video of this discussion? Are they still doing this? Has anybody used that service?

    The original slashdot article is http://hardware.slashdot.org/s...

    1. Re:Shipping to decoy addresses by swalve · · Score: 1

      I mean, it only makes sense. You place an order and have it shipped to your buddy who works at KMart. Cisco doesn't even have to know!

  18. Just track the damn package! by jtara · · Score: 5, Interesting

    Seen enough YouTube videos from cameras packed in shipments for the obvious answer...

    These boxes are costly enough to justify packaging it with some device that will record GPS, video, and sound. Make sure there is some good cryptographic signature on the device. Attach it to the router, and put a nasty anti-tamper dye spray to boot. (Although there might be some regulatory issues with the explosive device for that, hmmm...)

    Give the customer a rebate for returning the tracking device. (After unlocking, of course.)

    Of course, the tracking device will need solid cryptographic signature/protection, but would have a lot fewer millions of lines of code than the router!

    Then the guy you see stumbling out of the FedEx office covered in dye... he's not with FedEx.

    The best the spies can do, then, is to "lose" the device in shipment, pay off the carrier's insurance company (otherwise, insurance rates will go sky-high), and then try to sell the router on the black market to spy on somebody other than the original target.

    1. Re:Just track the damn package! by Anonymous Coward · · Score: 0

      Defenses trivially circumvented by opening the box in a darkened room, lots of warehouse / shipping white noise, and putting tape over the camera and mic. Dye packs will require some kind of mechanism for disabling for repair, or just do an electrical equivalent of laparoscopic rocket surgery through an expansion slot like the VWIC / HWIC spaces or even fan vents.

      For high security installations, the correct path is for Cisco to offer direct courier shipping / pickup from factory along with options for fully potted hardware.

      Heck, all of the layer 1 technologies have nearly zero protection against inductive / splice / tap pickups. The only reason to install into networking hardware is to sniff internal traffic not hitting wire you can jack (switches, routers, firewalls) and to listen to VPN traffic (routers, firewalls, etc.).

    2. Re:Just track the damn package! by Anonymous Coward · · Score: 0

      put a nasty anti-tamper dye spray to boot. (Although might have some regulatory issues with the explosive device for that, hmmm...).

      But if you power it with a jack-in-a-box it will not increase your notoriety-level.

    3. Re:Just track the damn package! by Anonymous Coward · · Score: 0

      Fedex/UPS wouldn't want to have active electronic circuits in their vehicles.

      What you are really trying to do is prevent fiddleware getting into the BIOS / firmware of the systems. It's easy enough to have these downloaded and reinstalled after delivery. It could be possible for a CPU or ASIC to calculate a checksum on a block of memory such as the BIOS ROM. But then any fiddleware could just use some trash bytes to create the correct checksum.

  19. Space Shuttle by Anonymous Coward · · Score: 0

    I'm humbled that I've exceeded this number. However, I think the shuttle had four redundant computers running off a common code base, and a fifth computer that had software developed independently from the original four. The shuttle probably had something like 1M lines of code at the end of the day. After the glass-cockpit retrofits, I wouldn't be surprised if this number jumped past 3M lines, easily.

    And that number is what is on the actual spacecraft. I'm willing to bet the computers in Florida and Texas had equal, if not more complexity represented than what was on the actual orbiter.

  20. What's to prevent a hacker from trying? by gurps_npc · · Score: 1

    Step 1) Hacker (or rather "cracker") takes them up on the offer to test their equipment in a secure environment.

    Step 2) Hacker understands how it works and notices a security issue, but does not reveal it.

    Step 3) Return to private home where they design an exploit of that issue.

    Frankly, their attempts to keep their security secret just make it harder for the white hats to detect the issues, without significantly affecting the black hats.

    --
    excitingthingstodo.blogspot.com
    1. Re:What's to prevent a hacker from trying? by AHuxley · · Score: 1

      That's the problem with trap doors and back doors mandated by 5 eye governments. Sooner or later ex staff, former staff, smart people, private sector security experts find the extra code and let the world know.
      The UK has a plan to ban science that will try and extend the useful life of UK gov mandated trap doors and back doors.
      The US gov is trying to make people feel better about the US private sector again while private sector help for collect it all is the only tool the gov has.
      What can the public and private sector do globally to secure its own banking, product development, patents, science, technology, gov stats and data, medical, telco use, records from 5 eye collect-it-all efforts?
      Air gap; national computer centres of excellence that use domestic experts and generic products. Not as fancy, no big brands, lots of extra power use, heat, cooling, lots of extra coding, but every line of code is understood and local developers have full employment.
      Governments and brands just have to stop buying products that subvert their security as delivered and return to their own internal experts and shop around for secure products again.

      --
      Domestic spying is now "Benign Information Gathering"
  21. 30 million loc is realistic in my mind by paulpach · · Score: 2

    I don't know what those particular routers are running. Here is just me listing a few packages off the top of my head that could be in there:

    There are 12 million LOC in the kernel alone (Linux?)
    Another million for libc
    2 million for a web server
    2 million for PHP or whatever they use.
    6 million for Java.

    I have not even included anything Cisco might write themselves.
    As you can see, it would not be too hard to get to the 30 million LOC mark. The backdoors can be installed in any of these packages, not only in the stuff Cisco wrote.

    I seriously doubt Cisco wrote 30 million LOC for their routers, but once you start counting all the third-party software that runs inside those routers, 30 million does not seem too far-fetched.

    1. Re:30 million loc is realistic in my mind by jonwil · · Score: 1

      Ummm, Cisco doesn't run Linux on their routers, they run IOS (no, not iOS from Apple) which is something Cisco invented themselves.

    2. Re: 30 million loc is realistic in my mind by Anonymous Coward · · Score: 1

      They now run IOSd under a Linux OS on the newer routers. IOSd is basically a virtualized IOS.

    3. Re:30 million loc is realistic in my mind by IndustrialComplex · · Score: 1

      True, but it puts the scale of the SLOC into perspective. I doubt IOS is significantly smaller than the Linux kernel.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
  22. You can get hardware that isn't proprietary... but by Anonymous Coward · · Score: 0

    it may not work for those who need serious power. ThinkPenguin sells a 100% free software friendly router you can flash a distribution called libreCMC on. The complete sources are available for everything including bootloader, wifi chipset, CPU, etc.

  23. Checking the source code is no good by CanadianMacFan · · Score: 2

    What good is checking the source code when the NSA is shown to be modifying the gear after it leaves Cisco? You're checking the code that ships from Cisco before the NSA gets it, not what you receive. And what if the NSA isn't touching something in the code but putting in a piece of their own hardware?

    1. Re:Checking the source code is no good by Anonymous Coward · · Score: 0

      What good is checking the source code when the NSA is shown to be modifying the gear after it leaves Cisco? You're checking the code that ships from Cisco before the NSA gets it, not what you receive.

      Could likely be solved by a re-flash after you receive the hardware. Seems like a decent approach.

      And what if the NSA isn't touching something in the code but putting in a piece of their own hardware?

      Probably no reliable way around that unfortunately..

    2. Re:Checking the source code is no good by ShanghaiBill · · Score: 1

      You're checking the code that ships from Cisco before the NSA gets it, not what you receive.

      Cisco could provide their customers with SHA checksums of the binaries, so they can be verified upon arrival.

    3. Re:Checking the source code is no good by Anonymous Coward · · Score: 0

      Especially since Cisco uses their own build of gcc. Are you gonna check if their gcc puts in a backdoor?

  24. The site is IN THE USA by Bruce66423 · · Score: 1

    Which means that they will be subject to all sorts of pressures to be 'helpful' about it. Let's be clear, ladies and gentlemen, boys and girls: trusting any US produced hardware or software is a mistake if you want to be SECURE. That the tech firms haven't used this as an excuse to move their domicile to somewhere with lower taxes as the real excuse for moving remains a surprise...

    1. Re:The site is IN THE USA by cfalcon · · Score: 1

      You can trust free or open source software produced anywhere, because they give you the code.

      Proprietary code and almost any hardware... eh....

    2. Re:The site is IN THE USA by Anonymous Coward · · Score: 0

      You mean somewhere with lower nominal tax rates? In the end most of the big guys aren't paying much in income taxes in the US.

  25. Did they move their operations from the US by EmperorOfCanada · · Score: 4, Insightful

    Did they move their operations from the US and fire all their US developers and only hire ones from countries with the strongest data protection laws and the weakest spy agencies?

    No? Then they are NSA compromised. Here is a letter from the DOJ ordering you to cooperate with the NSA or go to jail. You can't show the letter to anyone or you go to jail. If you want to contest it you will first go to jail and then you will have to contest it in a special court where you can't get any evidence that is in your favour. So you stay in jail.

    If companies like Siemens are using Cisco equipment then they are fools.

  26. Too late by NotDrWho · · Score: 2

    Thank your government for the fact that no one in their right mind is ever going to trust any hardware coming out of the U.S. ever again. Ain't no putting that genie back in the bottle.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Too late by CCIEemeritus · · Score: 1

      There are two versions of Cisco's 5500 LAN controller software: 1) the normal version 2) the special version which is only recommended for Russia where "Data DTLS Payload encryption" is regulated by the Government. Ironic that Snowden fled the US and went to Russia. Which version of software do you want on the wireless infrastructure you use?

  27. Are we talking about Real or Fake Cisco Routers? by Anonymous Coward · · Score: 0

    Many people can't tell the difference between fake Chinese Cisco routers and the real thing.

  28. Ask Ken Thompson how futile this is. by Anonymous Coward · · Score: 0

    Nuff said.

  29. Review the code all you like.... by ssimpson · · Score: 1

    ...Interdiction is where it's at: https://www.techdirt.com/artic...

    Or maybe use IPSec / SSH with DH Group 19 - that's not looking too clever either: https://weakdh.org/imperfect-f...

    All in all, if your threat model includes the NSA then reviewing 30m LOC may seem like a good place to start but in practice.....

    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
  30. Made in china by Billly+Gates · · Score: 2

    And I wonder if the NSA root kit will wipe out the Chinese one?

  31. what good is reviewing the code? by Anonymous Coward · · Score: 0

    In all honesty, what good is reviewing the code? How do you know the code you are viewing is what was put in the device? Unless you can get the code and compile it independently, then verify some hash or checksum.
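
The two comments above (ShanghaiBill's "SHA checksums of the binaries" and this one's "verify some hash or checksum") describe the same check. The following is an added example, not code from any commenter or from Cisco: the vendor publishes a sha256sum-style manifest, the customer obtains it through a channel other than the one the hardware travelled through, and after delivery hashes what is actually on the box and compares. The image bytes and manifest here are constructed inline so it runs offline.

```python
"""Verify received firmware images against an out-of-band SHA-256 manifest.

Added example. Assumes the manifest reaches the customer separately from the
hardware (otherwise an interceptor who rewrites the image can rewrite the
manifest too) and that the bytes read back from the box are the real contents
of its flash. Sample images and the manifest are constructed here.
"""
import hashlib
import hmac

# Constructed stand-ins for the files a vendor would ship on a box.
GOOD_IMAGES = {
    "router-image-1.0.bin": b"constructed good firmware bytes v1.0",
    "rommon.bin": b"constructed good bootloader bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict) -> str:
    """Vendor side: one 'sha256sum'-style line per image, sorted by name."""
    lines = [f"{sha256_hex(blob)}  {name}" for name, blob in sorted(images.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Parse '<64 hex chars>  <name>' lines; blank lines and '#' comments are skipped.
    Malformed lines raise instead of silently dropping an image from the check."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, name = parts
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"manifest line {lineno} has a non-hex digest") from None
        expected[name.strip()] = digest.lower()
    return expected


def verify_received(manifest_text: str, received: dict) -> dict:
    """Customer side after delivery: report OK / MISMATCH / MISSING per listed
    image, and UNEXPECTED for anything on the box the manifest never named."""
    expected = parse_manifest(manifest_text)
    report = {}
    for name, digest in expected.items():
        if name not in received:
            report[name] = "MISSING"
        elif hmac.compare_digest(sha256_hex(received[name]), digest):
            report[name] = "OK"
        else:
            report[name] = "MISMATCH"
    for name in received:
        if name not in expected:
            report[name] = "UNEXPECTED"
    return report


def demo() -> dict:
    """Constructed delivery: one image altered in transit, one file added."""
    manifest = build_manifest(GOOD_IMAGES)          # obtained out of band
    received = dict(GOOD_IMAGES)                    # what the box actually holds
    received["rommon.bin"] = b"constructed bootloader bytes with an extra stage"
    received["extra-plugin.bin"] = b"constructed file the manifest never listed"
    return verify_received(manifest, received)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10} {name}")
```

Two limits worth keeping in view: the comparison is only as good as the channel the manifest came through, and it covers only images the manifest lists, which is why the check reports files the manifest does not mention rather than ignoring them. It also says nothing about the code that performed the read-back, the rommon point made earlier in this thread.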

  32. Yeah. by WillAffleckUW · · Score: 1

    No.

    Look, an out of control surveillance regime which can't even stop terrorists from getting 1000 weapons in the US will spy because they can, no matter what they say.

    There's your budget deficit.

    --
    -- Tigger warning: This post may contain tiggers! --
  33. Intercepted in shipping + Fake Cisco gear by RubberDogBone · · Score: 1

    The CIA and NSA specialize in intercepting items in transit, modifying them, carefully repacking them to hide any sign of tampering and sending them on to the end recipient.

    None of that is impacted in the slightest bit if customers are coming to a warehouse in NC to test it. So it tests clean and they sign off on it. And what happens next? It gets shipped. And if they want to intercept it, they will. And what has been accomplished? Nothing.

    And of course this is separate from the OTHER big Cisco issue of counterfeit fake Cisco products dropping into the channel from unclear origins in China. Nobody knows for sure what the hell is in that gear. Is it firmware with malware in it, or malware made to act like firmware? Keyloggers or full blown remote access? Nobody knows. But a lot of businesses have bought that stuff as genuine and installed it and trusted it. The truth is, all bets are off.

    --
    Sig for hire.
  34. If the hardware is built by a U.S company by Anonymous Coward · · Score: 0

    then it is compromised, either at manufacturing, or after being intercepted by NSA while in early transit, period.

  35. Better idea by TheCarp · · Score: 3, Interesting

    We already have "did this package get dropped" sensors. So take that to the next level.

    Vacuum seal an interior bag. Place a module inside the bag with:
    1. Internal battery
    2. Sensor package including light and air pressure/composition sensors
    3. A small amount of memory
    4. A running program which will erase the memory if any of the sensors detect a change
    5. A small transmitter, capable of answering a challenge.

    Customer/Cisco generate a key using a key exchange protocol; the key is loaded into the box guardian module. Box is shipped. Customer uses an RF device to query the package to see if it has been tampered with; the customer informs Cisco for an immediate RMA, but accepts delivery, so as to be sure the box can be returned intact for analysis.

    --
    "I opened my eyes, and everything went dark again"
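
A model of the guardian module described in the post above, as an added example (not the commenter's code and not a Cisco product): the module holds a key, wipes it in place the moment a sensor leaves its sealed-bag baseline, and answers the customer's RF challenge with an HMAC over that challenge. The key agreement step is assumed to have already happened out of band (a random key stands in for it), sensor readings are plain numbers, and the RF link is a method call; all values are constructed.

```python
"""Challenge/response check of a sealed-bag 'guardian' module.

Added example modelling the post above. Assumptions (all constructed): the
shared key was agreed beforehand, sensors report numeric readings, and the
customer's hand-held reader talks to the module by calling its method.
"""
import hashlib
import hmac
import secrets

# Sensor readings recorded when the bag was sealed (constructed values).
SEALED_BASELINE = {"lux": 0.0, "pressure_kpa": 20.0}
# How far a reading may drift before the module treats it as tampering.
TOLERANCE = {"lux": 0.5, "pressure_kpa": 2.0}


class GuardianModule:
    """Battery, sensors, a little memory holding the key, and a transmitter."""

    def __init__(self, key: bytes, baseline: dict, tolerance: dict):
        self._key = bytearray(key)      # wiped in place on tamper
        self._baseline = dict(baseline)
        self._tolerance = dict(tolerance)
        self.wiped = False

    def sample(self, reading: dict) -> None:
        """Run by the module's own loop on every sensor sample."""
        for name, value in reading.items():
            if abs(value - self._baseline[name]) > self._tolerance[name]:
                self._wipe()
                return

    def _wipe(self) -> None:
        for i in range(len(self._key)):
            self._key[i] = 0
        self.wiped = True

    def answer(self, challenge: bytes) -> bytes:
        """HMAC-SHA256 of the challenge under whatever key is left. After a
        wipe the key is all zeros, so the answer is wrong by construction."""
        return hmac.new(bytes(self._key), challenge, hashlib.sha256).digest()


def customer_check(shared_key: bytes, module: GuardianModule) -> bool:
    """Customer's reader: a fresh random challenge each time, so an answer
    recorded from an earlier query cannot simply be played back."""
    challenge = secrets.token_bytes(16)
    expected = hmac.new(shared_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, module.answer(challenge))


def simulate() -> dict:
    """Three constructed shipments: untouched, bag opened, module swapped."""
    key = secrets.token_bytes(32)   # stands in for the key agreed out of band
    results = {}

    untouched = GuardianModule(key, SEALED_BASELINE, TOLERANCE)
    untouched.sample({"lux": 0.1, "pressure_kpa": 19.5})   # transit jostle, within tolerance
    results["untouched"] = customer_check(key, untouched)

    opened = GuardianModule(key, SEALED_BASELINE, TOLERANCE)
    opened.sample({"lux": 0.0, "pressure_kpa": 101.0})    # bag breached: pressure goes ambient
    results["opened"] = customer_check(key, opened)
    results["opened_module_wiped"] = opened.wiped

    # A replacement module from someone who never held the key cannot answer either.
    swapped = GuardianModule(secrets.token_bytes(32), SEALED_BASELINE, TOLERANCE)
    results["swapped"] = customer_check(key, swapped)
    return results


if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(f"{case:20} {outcome}")
```

What the customer learns from a passing check is exactly one bit: the key survived the trip. It does not say where or when the bag was opened if it fails, and its strength is bounded by the sensors chosen and by the module's own firmware, which is a far smaller thing to review than the router it guards.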
  36. Re: Sheldon Cooper will finally have sex by Anonymous Coward · · Score: 0

    Suppose I told you about my comedy where a group of black friends get into all kinds of comical hijinks trying to interact with white people, interspersed with light-hearted comedy about how they're tied together by their love of purple drank, fried chicken, and watermelon?

    That's about what BBT is to me, as a scientist: A show where "funny" is the socially retarded scientists trying to interact with normal people, mixed with stuff about what strange things those weird scientists do, and isn't it hilarious how stupid they are when they aren't doing scientisty-type things!

    So what do you mean by "descent?" Dropping the faux-nerds angle and becoming a generic rom-com would be an improvement, but there's less competition in the nerd-blackface segment.

  37. And if you actually find the NSA spyware... by Anonymous Coward · · Score: 0

    You may not survive. Sign me up!

  38. god? by Anonymous Coward · · Score: 0

    God's name is spelled with a capital G. Of course, the godless people of today probably didn't know that.