Slashdot Mirror


How Cisco Is Trying To Prove It Can Keep NSA Spies Out of Its Gear (csoonline.com)

itwbennett writes: 'A now infamous photo [leaked by Edward Snowden] showed NSA employees around a box labeled Cisco during a so-called 'interdiction' operation, one of the spy agency's most productive programs,' writes Jeremy Kirk. 'Once that genie is out of the bottle, it's a hell of a job to put it back in,' said Steve Durbin, managing director of the Information Security Forum in London. Yet that's just what Cisco is trying to do, and early next year, the company plans to open a facility in the Research Triangle Park in North Carolina where customers can test and inspect source code in a secure environment. But, considering that a Cisco router might have 30 million lines of code, proving a product hasn't been tampered with by spy agencies is like trying 'to prove the non-existence of god,' says Joe Skorupa, a networking and communications analyst with Gartner.

5 of 130 comments

  1. Good luck with that by sasparillascott · · Score: 3, Insightful

    Just like the documents showing Microsoft handing over their customers' communication data to the NSA...once you've been fingered as a good "partner" with the U.S. intelligence apparatus your shelf life as a company has been time bombed...ignition is just waiting on an alternative supplier that can be reasonably trusted (IMHO this could take some years, but it's coming...the market is too big and valuable...if given a true choice nobody wants to buy gear from companies that were shown to be stooges for government snooping).

  2. And just how does that do anything by silas_moeckel · · Score: 3, Insightful

    The NSA was supposedly loading code onto hardware. Cisco is a pretty closed environment; if they pwn the bootloader, just exactly how are you going to detect this? You can review all the code you want; if you cannot trust the hardware, it does you no good.

    --
    No sir I don't like it.
  3. Re:30 million lines of code by AK+Marc · · Score: 3, Insightful

    I read it as "reporter mistakes all Cisco devices in the program sum to 30 million lines of code for a router has 30 million lines of code". If you had multiple different classes of switch, they may have very little code reuse. The old PIX ran off a standard Intel CPU (not sure about the newer ASA), ASICs differ between even different models in the same router line, so lots of code around those. Sum up all the different devices that they are opening up, and 30M lines of code sounds about right, though 30M lines of code for a single router seems a bit much.

    Though, if you don't trust Cisco, how does opening the source code in such controlled circumstances help? Unless you can compile it yourself with a compiler you brought, you can never be sure there isn't a backdoor. There could be code swap between display and deployment, or a backdoor programmed into the compilers, to ensure no code review would ever find it. Or it's only in ASIC based systems, hidden in the chip, and the chip schematics aren't on display.

    So the show is merely symbolic, so let's see how it goes.

  4. Re: 30 million lines of code?! by ArmoredDragon · · Score: 3, Insightful

    Not only realistic, but I myself would be concerned with what is going on inside of the ASIC, and finding out would be very non-trivial, even if they revealed the schematics.

    Also of concern is, how do we know they haven't received an NSL telling them to maintain two sets of code, with one of them being compromised and can't be shown to somebody without government clearance?

  5. Did they move their operations from the US by EmperorOfCanada · · Score: 4, Insightful

    Did they move their operations from the US and fire all their US developers and only hire ones from countries with the strongest data protection laws and the weakest spy agencies?

    No? Then they are NSA compromised. Here is a letter from the DOJ ordering you to cooperate with the NSA or go to jail. You can't show the letter to anyone or you go to jail. If you want to contest it you will first go to jail and then you will have to contest it in a special court where you can't get any evidence that is in your favour. So you stay in jail.

    If companies like Siemens are using Cisco equipment then they are fools.