How Cisco Is Trying To Prove It Can Keep NSA Spies Out of Its Gear

itwbennett writes: A now infamous photo [leaked by Edward Snowden] showed NSA employees around a box labeled Cisco during a so-called 'interdiction' operation, one of the spy agency's most productive programs,' writes Jeremy Kirk. 'Once that genie is out of the bottle, it's a hell of job to put it back in,' said Steve Durbin, managing director of the Information Security Forum in London. Yet that's just what Cisco is trying to do, and early next year, the company plans to open a facility in the Research Triangle Park in North Carolina where customers can test and inspect source code in a secure environment. But, considering that a Cisco router might have 30 million lines of code, proving a product hasn't been tampered with by spy agencies is like trying 'to prove the non-existence of god,' says Joe Skorupa, a networking and communications analyst with Gartner.

30 million lines of code?!

[kaka.mala.vachva]

That is a lot of code, is that a realistic number for a router? I'm genuinely interested in knowing.

Re:30 million lines of code?!

It is a meaningless number without context (what language? did they count blank lines? etc)

Re: 30 million lines of code?!

Considering that making routers is kinda their thing... What do you think? Best guess scenario is that it would be in the general ballpark no matter which way you go.

Re:30 million lines of code?!

[Lennie]

If you add enough protocols you'll eventually get there ?

Re:30 million lines of code?!

BSD base.

But a team of hundreds of highly talented people who are paid a full time wage to find vulnerabilities (you don't think the NSA has source too?) in everything from the application layer to the bare metal is going to do a better job of finding vulnerabilities than someone sent on a PR junket to "prove" that Cisco routers are secure.

This is, alas, a technological solution to a social problem, and one with a very finite lifespan.

In particular, observe that the first domino in the war against end-to-end encryption is about to fall: Great Britain. Other European countries will follow, and the US is not going to lag far behind. ("Oh, it'll never happen!" Oh, but it already is happening.) Is it because of some theoretical or practical breakthrough? No, it is because the law allows it.

The law gives effectively boundless permissions and resources to the executive. That's always going to defeat encryption-in-practice, which is limited by the wits of engineers and the boundaries of law.

Encryption-in-practicve is only useful - and it is very useful then - against those of limited means, whether a tin pot dictatorship or your competitor or your annoying roommate. More specifically, encryption-in-practice is something you use to protect you from your peers and from the corruptibility of institutions designed to serve you - in particular, public institutions. The moment a head of state says, as did David Cameron, that it's time to eliminate the first principle of rule of law - "as long as you obey the law, we will leave you alone" - the game has changed.

Then, your new task must be to educate the masses to oppose tyranny, because you will lose if you try to continue standing on your own.

tl;dr If the biggest corporations appear to sell protection from their own government as a security feature, they are either knowingly full of shit, or unknowingly full of shit.

Re:30 million lines of code?!

[realmolo]

I'd say it's realistic. Depends on the router.

A modern high-end router is really more of an IDS/IPS/firewall than just a router. There is a lot of stuff going on. And if you include all the code for the interface (both a console and a web-based interface), then it REALLY gets nutty.

Re:30 million lines of code?!

It's actually around 185 million lines of code across 13 current release trains.

So I hear.

Re:30 million lines of code?!

[Tablizer]

That is a lot of code, is that a realistic number for a router?

It's divided into:

A. 1 million lines that do real work.
B. 10 million lines to verify nobody tampered with "A".
C. 18 million lines to verify nobody tampered with "B".
D. 1 million lines to display a disclaimer that says if somebody tampers with "C", you are S.O.L.

Re: 30 million lines of code?!

[Tablizer]

At least their code is short:

10 DELETE GOVERNMENT
20 GOTO 10

Re: 30 million lines of code?!

[ArmoredDragon]

Not only realistic, but I myself would be concerned with what is going on inside of the asic, and finding out would be very non trivial, even if they revealed the schematics.

Also of concern is, how do we know they haven't received an NSL telling them to maintain two sets of code, with one of them being compromised and can't be shown to somebody without government clearance?

Re:30 million lines of code?!

[unixisc]

Do lines of code include comment lines?

Re:30 million lines of code?!

[unixisc]

BSD? I thought that Cisco used Linux, whenever it didn't use QNX. Juniper are the guys who use BSD

Re:30 million lines of code?!

[greenfruitsalad]

i have seen code where the comments were pretty much a discussion between developers over years. some comments were full arguments or mocking at somebody else's code.

Re: 30 million lines of code?!

[AmiMoJo]

To be fair, I think a backdoor in an ASIC is unlikely. It would be hard to hide from all the people working on the product, and would make it easier for other people to hack Cisco gear. The NSA doesn't want to open the door for everyone.

That's why they were intercepting hardware being shipped to customers and planting bugs in it. Targeted, easy to update the bugs, easy to hide from Cisco engineers.

Re: 30 million lines of code?!

[DeathElk]

More like:

10 IF (!DELETE GOVT SPENDING ON EDUCATION) GOTO 100
20 DELETE GOVT SPENDING ON SOCIAL PROGRAMS
30 DELETE GOVT SPENDING ON VETERAN AFFAIRS WHILST QUEUING UP YOUNG PEOPLE FOR WAR
40 DELETE GOVT SPENDING ON PUBLIC TRANSPORT
50 PASS BILLS SUPPORTING CORPORATE MALFEASANCE
60 DENY HUMAN IMPACT ON CLIMATE WHILST DEFAMING/DEFUNDING RESEARCH TO THE CONTRARY
70 PERPETUATE FEAR AGAINST MINORITIES (ESP MUSLIM) THEREBY PERPETUATING ILLWILL
80 WIDEN THE GAP BETWEEN RICH AND POOR
90 GOTO 10
100 PROSPER
110 GOTO 100

Re: 30 million lines of code?!

To be fair, I think a backdoor in an ASIC is unlikely. It would be hard to hide from all the people working on the product, and would make it easier for other people to hack Cisco gear.

I suspect such a backdoor would take to form of an extra processor that you can load code into if you know what you are doing. Sometimes there is a lightweight 8-bit controller that is only used to load the program into the main memory for the real processor to take over or a dedicated controller to deal with some I/O-stuff.
It might be hard to realize that the code for a processor you didn't know existed is missing.

Re:30 million lines of code?!

[haruchai]

I'm pretty sure the Nexus switches run Linux on the bare metal but the AsyncOS that powers the Ironport Web & Email appliances is supposedly running on top of FreeBSD.
But in neither case does the customer have access to underlying OS - as far as I'm aware.

Re:30 million lines of code?!

[shugah]

It's certainly not the UI.

Re:30 million lines of code?!

[edtice1559]

There are 15 million lines of code in the Linux kernel so this doesn't seem surprising at all. They probably have a smaller kernel and less userland but we're still within this order of magnitude.

Re: 30 million lines of code?!

[IndustrialComplex]

A backdoor might be hard to hide, but a backdoor enabling flaw might not be. Just as with any problem, you don't always have to solve it in one go, you take "bite sized" pieces and solve them.

So you don't enable a backdoor, you just introduce a flaw which makes it easier to exploit another flaw downstream.

Re:30 million lines of code?!

[beastofburdon]

I'm pretty sure it runs a version of the Linux kernel, so yes, that is realistic.

...trying 'to prove the non-existence of god...

[ItsJustAPseudonym]

More like "the devil", in this case.

Re: Sheldon Cooper will finally have sex

The descent of Big Bang Theory into the Friends zone is complete. Sad.

It's the Law

How can they convince anyone that they can keep the NSA out when the Law says they have to let the NSA in?

Re:It's the Law

[bill_mcgonigle]

How can they convince anyone that they can keep the NSA out when the Law says they have to let the NSA in?

Well, assuming your premise the only thing that can be done is to show everybody the code and let somebody not under NSL seal disclose it.

Cisco's actions aren't inconsistent with that approach. The speculation is hardly proven, though.

Re:It's the Law

[swillden]

How can they convince anyone that they can keep the NSA out when the Law says they have to let the NSA in?

Which law is that, exactly?

People on /. (and elsewhere) make a lot of invalid assumptions about what the law allows the government to do. National Security Letters, for example, are assumed to be able to compel anyone to do anything and keep their mouths shut about it. In fact, the law says that NSLs can only require the recipient to provide data already in possession (not set up long-lived back doors) and further can only demand metadata, not content. NSLs are only one legal vehicle for requests, but as far as I can tell there is no law that could compel Cisco to provide the NSA with built-in back doors.

Of course, the NSA can also potentially insert moles into companies and get them to add back doors, but Cisco actually may be able to convince people that that hasn't happened. It will be hard. Especially since the parent's incorrect view is very widespread, but AFAICT, there's no legal restriction making it impossible.

Re:It's the Law

[edtice1559]

They ship signed binaries and post the hashes. That's not a perfect solution since somebody could load a different binary with a rootkit that makes it look like the real one. But if you download the firmware and verify the signature, that's a pretty good start. We all hated TPM when MSFT tried to introduce it to kill Linux but now it's starting to make sense.

Re:It's the Law

[swillden]

https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

Thank you. That's a specific law. Not one that applies to Cisco, though.

And that's just the "legitimate" legal part.

Which is the only relevant part for this thread. The GP's claim was that the law required Cisco to let the NSA in. It doesn't. Extra-legal actions the NSA make take are a different story; those Cisco is allowed to resist (though how successful they might be is an open question).

I'm actually curious how the illegal fiber-splitter-copies-everything-into-the-NSA-room part will continue to work when next-generation multi-core multi-mode fibers are deployed. Splicing a partial mirror into a single-core fiber is one thing, somehow stealing signal from 36 cores each bearing hundreds of carriers without breaking signal integrity is a little more physically... difficult. As will be processing hundreds of TB per second of data from them, but Moore's Law will magically fix that, right?

Well, by definition there won't be more data than the equipment owned by the legitimate users of the cable can process, so data volume growth will be constrained by processing capacities. Doesn't mean it'll be easy, or cheap, though.

Re:30 million lines of code

In a router??? Bullshit. Windows 10 don't have 30 million lines of code.

Yea but a Cisco router actually does work...

Useless

[Lennie]

This might be useful only if I could bring my own compiler and could keep the resulting binary and I could install that myself on the hardware (never going to happen).

Even than, the Cisco products includes hardware with sophisticated packet processing capabilities they could just built it into that.

Maybe they should first find a way to ship the product in such a way that it can't be tampered with.

Re:Useless

[cfalcon]

> Maybe they should first find a way to ship the product in such a way that it can't be tampered with.

I really and truly don't believe that is possible.

In fact, the whole thing seems unlikely to be taken seriously.

You need to be able to (at your site)- ensure the integrity of circuitry, ensure the integrity of code.

I mean, holy crap.

But when it comes to some random packing technique? No way.

Re:Useless

[bill_mcgonigle]

This might be useful only if I could bring my own compiler

You can (per the FAQ).

and could keep the resulting binary and I could install that myself on the hardware (never going to happen).

If Cisco defines the hash of the build binary as their IP, then the whole thing is doomed. If you can reproduce their build, a hash collision isn't going to be an actual risk.

However:

Q: What technologies or products can be reviewed?
TVS includes all Cisco technologies, within the bounds of applicable Export Control Laws. Where
certain technologies from third-party OEMs are received encrypted, we may be unable to provide
greater visibility

The good news is this sounds like hardware is included (perhaps a way to work around the NSL problem.) The bad news is you're getting binary blobs anyway and you'll just have to trust _those_. Ouch.

Cisco is realizing that secret source and security applications are incompatible. That's good. Hopefully the next step is to embrace full openness (and therefore stay relevant). As usual, patent fears will probably keep them paralyzed instead and an open competitor (probably non-US) will start to eat their marketshare. Between the US patent system and the NSA taint, the secret-source US 'security' industry has a bleak future. #thanksobama

Re:30 million lines of code

[sims+2]

I also call bs. http://www.informationisbeauti...

Although windows 10 probably does have around 30 million lines.

Good luck with that

[sasparillascott]

Just like the documents showing Microsoft handing over their customers communication data to the NSA...once you've been fingered as a good "partner" with the U.S. intelligence apparatus your shelf life as a company has been time bombed...ignition is just waiting on an alternative supplier that can be reasonably trusted (IMHO this could take some years, but its coming...the market is too big and valuable...if given a true choice nobody wants to buy gear from companies that were shown to be stooges for government snooping).

Re:Good luck with that

Snowden sure did us a favor with his revelations.

What did we do for him in return?

We threw him to the wolves.

Americans don't deserve whistle-blowers.

NSL

It's guaranteed that cisco is compromised by NSLs. Until this law is fixed, no big vendor can be trusted.

Re:NSL

[slowdeath]

Is this less of a Cisco/Juniper problem and more of a FedEX/UPS/DHL problem?

When I ship a package via FedEx et al, I don't expect it to be detoured thru the local NSA office to be 'enhanced'.

I expect it to be delivered intact and not adulterated. Come on FedEx et al, do your job!

Re:NSL

[swalve]

Exactly. If they have back doors, why would they bother with the mess of interdicting a shipment? Assuming the Snowden info is actually real, of course.

And just how does that do anything

[silas_moeckel]

The NSA was supposedly loading code onto hardware. Cisco is a pretty closed environment if they pown the bootloader just exactly how are you going to detect this? You can review all the code you want if your can not trust the hardware it does you no good.

Re:And just how does that do anything

[Billly+Gates]

Answer is easy. Cisco routers ship naked and Cisco images each one on site personally for an extra fee

Re:And just how does that do anything

[silas_moeckel]

If you intercept it in shipping and replace hardware or install a rooted rommon you can install all the trusted images you like. Ultimately you have to trust rommon that it's updating itself or that IOS is actually writing out a new copy.

Re:And just how does that do anything

[Billly+Gates]

No the Cisco guy wipes out when he images. Unless you think NSA will put an ROM or eprom in it?

Re:And just how does that do anything

[silas_moeckel]

I rather doubt the Cisco guy is plugging in a jtag programmer (or similar), even if they did that's a fairly high level interface and could be hacked to deliver whatever responses are expected (probably requiring hardware to do so). It's not like any recent cisco box has a removable rom anymore (few PC's for that matter).

CISCO

[hackus]

How about stop making and delivering interdicted custom gear for the NSA/CIA?

I know, I have seen the equipment hooked into AT&Ts network.

It isn't a joke what is happening. In the end we all know why this spying is happening and it is not to make you safer.

It really is all about industrial espionage and taxes, all in pursuit of western bogeymen, they create.

As long as they keep the bogeymen well funded expect more countries shredding freedom and liberty, and all of those that died before us to have given their lives in vain.

I mean look at what they are doing, France wants to rewrite it constitution. For what? Why?

Re:CISCO

[bluelip]

You haven't seen anything.

Read and _UNDERSTAND_ the article.

Re:CISCO

[AK+Marc]

Use only Huawei in the core and Cisco on the edge, with a firewall rule to block traffic to/from China to block the Huawei back doors. Or vice versa. You can't trust either, but hopefully both aren't compromised by the same group.

Re:CISCO

[cfalcon]

Mod parent up pls. This is a solid workaround based on realpolitik.

Re:CISCO

[wulfhere]

You DO realize that 'China' could have servers sitting somewhere connected via 'non-China' IPs, right?

Re:CISCO

[swalve]

This seems pretty simple. Can't you just make a box that looks at the data coming into a network and drops anything that is unexpected? Some kind of "firewall" between the trusted network and the untrusted?

Re:CISCO

[AK+Marc]

Yeah, but when the firewall is made by Cisco, how do you trust the firewall if you don't trust Cisco?

Re:CISCO

[vux984]

The solution was covered.

2 firewalls in sequence.

Cisco + Huewei

  Even if you trust neither to prevent the respective vendors government out, you can reasonably trust the cisco not to be in bed with the chinese, and the hauwei not to be in bed with the americans.

So either state actor is blocked. If the chinese and americans are working *together* to break into your network... you've probably got a situation where your network shouldn't be connected to the internet period... transferring your data via usb sticks ferried by carrier pigeons and children.

Re:CISCO

[hackus]

I understand alright.

Look at the original ARPA documents calling for a distributed non centralized architecture for the command and control of communications.

I also understand that CISCOs products are perfectly designed to be easily compromised on a small scale with gigantic affects.

The worse being the UCS manager. Who in there right mind would build a network where all you need is access to one box, and you can trash whole infrastructure.

These products coming out of companies, not just CISCO, are the darlings of future NSA black budget industrial espionage strikes.

They are not designed for your business.

Just UNDERSTAND that.

Re:CISCO

[AK+Marc]

So if I white list my management system as the only system that can talk to my routers, the firewall won't be able to see the traffic to China because it will use a different port.

I hope you don't use a computer for your day job.

Re:CISCO

[bluelip]

You still don't understand anything. Good effort though.

Cisco isn't "shipping and delivering interdicted" custom gear.

Try again. Maybe you'll get a bronze star this time. For effort.

Shipping to decoy addresses

[HighOrbit]

Back in March , in a related story, one of Cisco's VPs for security, John Stewart, was quoted in the press as saying that Cisco would ship to decoy addresses to circumvent interception by the Government. Supposedly, this was at a roundtable discussion during the Cisco-Live conference in Melbourne, but there is no video of the discussion on the Cisco-live website.

I've heard he was misquoted and they don't actually do it. Does anybody have link to actual video of this discussion? Are they still doing this? Has anybody used that service?

The original slashdot article is http://hardware.slashdot.org/s...

Re:Shipping to decoy addresses

[swalve]

I mean, it only makes sense. You place an order and have it shipped to your buddy who works at KMart. Cisco doesn't even have to know!

Just track the damn package!

[jtara]

Seen enough YouTube videos from cameras packed in shipments for the obvious answer...

These boxes are costly enough to justify packaging it with some device that will record GPS, video, and sound. Make sure there is some good cryptographic signature on the device. Attach it to the router, and put a nasty anti-tamper dye spray to boot. (Although might have some regulatory issues with the explosive device for that, hmmm...).

Give the customer a rebate for returning the tracking device. (After unlocking, of course.)

Of course, the tracking device will need solid cryptographic signature/protection, but would have a lot fewer millions of lines of code than the router!

Then the guy you see stumbling out of the FedEx office covered in dye... he's not with FedEx.

The best the spys can do, then, is to "lose" the device in shipment, pay off the carrier's insurance company (otherwise, insurance rates will go sky-high), and then try to sell the router in the black market to spy on somebody other than the original target.

What's to present a hacker from trying?

[gurps_npc]

Step 1) Hacker (or rather "cracker") takes them on the offer to test their equipment in a secure environment.

Step 2) Hacker understands how it works and notices a security issue, but does not reveal it.

Step 3) Return to private home where they design an exploit of that issue.

Frankly, their attempts to keep their security secret just make it harder for the white hats to detect the issues, without significantly affecting the black hats.

Re:What's to present a hacker from trying?

[AHuxley]

Thats the problem with trap doors and back doors mandated by 5 eye governments. Sooner or later ex staff, former staff, smart people, private sector security experts find the extra code and let the world know.
The UK has a plan to ban science that will try and extend the useful life of UK gov mandated trap doors and back doors.
The US gov is trying to make people feel better about the US private sector again while private sector help for collect it all is the only tool the gov has.
What can the public and private sector do globally to secure its own banking, product development, patents, science, technology, gov stats and data, medical, telco use, records from a 5 eye collect it all efforts?
Air gap, national computer centres of excellence that use domestic experts and generic products. Not as fancy, no big brands, lots of extra power use, heat, cooling, lots of extra coding but every line of code is understood and local developers have full employment.
Governments and brands just have to stop buying products that subvert their security as delivered and return to their own internal experts and shop around for secure products again.

Re:30 million lines of code

[AK+Marc]

I read it as "reporter mistakes all Cisco devices in the program sum to 30 million lines of code for a router has 30 million lines of code" If you had multiple different classes of switch, they may have very little code reuse. The old PIX ran of a standard Intel CPU (not sure about the newer ASA), ASICs differ between even different models in the same router line, so lots of code around those. Sum up all the different devices that they are opening up, and 30M lines of code sounds about right, though 30M lines of code for a single router seems a bit much.

Though, if you don't trust Cisco, how does opening the source code in such controlled circumstances help? Unless you can compile it yourself with a compiler you brought, you can never be sure there isn't a backdoor. There could be code swap between display and deployment, or a backdoor programmed into the compilers, to ensure no code review would ever find it. Or it's only in ASIC based systems, hidden in the chip, and the chip schematics aren't on display.

So the show is merely symbolic, so let's see how it goes.

30 million loc is realistic in my mind

[paulpach]

I don't know what those particular routers are running. Here is just me listing a few packages off the top of my head that could be in there:

There are 12 million LOC in the kernel alone (linux?)
Another million for libc
2 millions for web server
2 millions for php or whatever they use.
6 million for java.

I have not even included anything cisco might write themselves.
As you can see, it would not be too hard to get to the 30 million LOC mark. The backdoors can be installed in any of these packages not only in the stuff Cisco wrote.

I seriously doubt cisco wrote 30 million LOC for their routers, but once you start counting all the 3rd party software that runs inside those routers 30 million does not seem too far fetched.

Re:30 million loc is realistic in my mind

[jonwil]

Ummm, Cisco doesn't run Linux on their routers, they run IOS (no, not iOS from Apple) which is something Cisco invented themselves.

Re: 30 million loc is realistic in my mind

They now run IOSd under a Linux OS on the newer routers. IOSd is basically a virtualized IOS.

Re:30 million loc is realistic in my mind

[IndustrialComplex]

True, but it puts the scale of the SLOC into perspective. I doubt IOS is significantly smaller than the Linux kernel.

Re:30 million lines of code

[GuB-42]

I suspect that DD-WRT is in the same ballpark, if only for the linux kernel (the latest release is nearly 20 million lines of code).
And DD-WRT is for home routers.

Checking the source code is no good

[CanadianMacFan]

What good is checking the source code when the NSA is shown to be modifying the gear after it leaves Cisco? You're checking the code that ships from Cisco before the NSA gets it, not what you receive. And what if the NSA isn't touching something in the code but putting in a piece of their own hardware?

Re:Checking the source code is no good

[ShanghaiBill]

You're checking the code that ships from Cisco before the NSA gets it, not what you receive.

Cisco could provide their customers with SHA-Checksums of the binaries, so they can be verified upon arrival.

The site is IN THE USA

[Bruce66423]

Which means that they will be subject to all sorts of pressures to be 'helpful' about it. Let's be clear ladies and gentlemen, boys and girls, trusting any US produced hardware or software is a mistake if you want to be SECURE. That the tech firms haven't used this as excuse to move their domicile to somewhere with lower taxes as the real excuse for moving remains a surprise...

Re:The site is IN THE USA

[cfalcon]

You can trust free or open source software produced anywhere, because they give you the code.

Proprietary code and almost any hardware... eh....

Did they move their operations from the US

[EmperorOfCanada]

Did they move their operations from the US and fire all their US developers and only hire ones from countries with the strongest data protection laws and the weakest spy agencies?

No? Then they are NSA compromised. Here is a letter from the DOJ ordering you to cooperate with the NSA or go to jail. You can't show the letter to anyone or you go to jail. If you want to contest it you will first go to jail and then you will have to contest it in a special court where you can't get any evidence that is in your favour. So you stay in jail.

If companies like Siemens are using Cisco equipment then they are fools.

Too late

[NotDrWho]

Thank your government for the fact that no one in their right mind is ever going to trust any hardware coming out of the U.S. ever again. Ain't no putting that genie back in the bottle.

Re:Too late

[CCIEemeritus]

There are two versions of Cisco's 5500 LAN controller software: 1) the normal version 2) the special version which is only recommended for Russia where "Data DTLS Payload encryption" is regulated by the Government. Ironic that Snowden fled the US and went to Russia. Which version of software do you want on the wireless infrastructure you use?

Review the code all you like....

[ssimpson]

...Interdiction is where it's at: https://www.techdirt.com/artic...

Or maybe use IPSec / SSH with DH Group 19 - that's not looking too clever either: https://weakdh.org/imperfect-f...

All in all, if your threat model includes the NSA then reviewing 30m LOC may seem like a good place to start but in practice.....

Made in china

[Billly+Gates]

And I wonder if the NSA root kit will wipe out the Chinese one?

Yeah.

[WillAffleckUW]

No.

Look, an out of control surveillance regime which can't even stop terrorists from getting 1000 weapons in the US will spy because they can, no matter what they say.

There's your budget deficit.

Intercepted in shipping + Fake Cisco gear

[RubberDogBone]

The CIA and NSA specialize in intercepting items in transit, modifying them, carefully repacking them to hide any sign of tampering and sending them on to the end recipient.

None of that is impacted in the slightest bit if customers are coming to a warehouse in NC to test it. So it tests clean and they sign off on it. And what happens next? It gets shipped. And if they want to intercept it, they will. And what has been accomplished? Nothing.

And of course this is separate from the OTHER big Cisco issue of counterfeit fake Cisco products dropping into the channel from unclear origins in China. Nobody knows for sure what the hell is in that gear. Is it firmware with malware in it, or malware made to act like firmware? Keyloggers or full blown remote access? Nobody knows. But a lot of businesses have bought that stuff as genuine and installed it and trusted it. The truth is, all bets are off.

Better idea

[TheCarp]

We already have "did this package get dropped" sensors. So take that to the next level.

Vacume seal an interior bag. Place a module inside the bag with:
1. Internal Battery
2. Sensor package including light and air pressure/composition sensors
3. A small amount of memory
4. A running program which will erase the memory if any of the sensors detect a change
5. a small transmitter, capable of answering a challenge.

Customer/Cisco generate a key using a key exchange protocol, key is loaded into box gaurdian module. Box is shipped. Customer uses an RF device to query the package to see if it has been tampered with, customer informs cisco for an immediate RMA, but accepts delivery, so as to be sure the box can be returned in tact for analysis.

Re:What about shipped product?

[gumbi+west]

Yes, this is the flaw in a source code only audit. But just compile it yourself and use those binaries. Now, good luck finding a compiler that you know is clean. Even an OSS one can have code in it that recognizes when it is compiling itself and adds the back door to the newly compiled version of the compiler. So while the code is clean, you also have to know that the compiler that compiled the compiler was clean. and not the current version of its source but the binary.

Re:What about shipped product?

[StikyPad]

Even an OSS one can have code in it that recognizes when it is compiling itself and adds the back door to the newly compiled version of the compiler.

You're referring to the "Ken Thompson hack," but it's not a real threat. You would have to solve the halting problem for a compiler to know whether or not it is compiling itself, or a version of itself. That is to say, a compiler could recognize a copy of its source code. It could also recognize familiar strings that it can find, or worse (from a false negative standpoint) hashes of that code, or parts thereof ("signatures"), and as we (should) all know, signatures are easy to defeat, which is why antivirus software is great for detecting known threats, but not so useful for preventing future threats. A program cannot identify another program based on what the program actually does -- say, compile source code and output a binary -- else we would have solved the halting problem, and we would have bug-free code, and perfect antivirus, which would render the Ken Thompson hack ineffective anyway. Yay!

Moreover, regardless of the attack vector, even a compromised binary can't hide from disassembly and human inspection. And if you're incredibly paranoid, then you could use side-channel analysis to see if anything is happening that's not supposed to be happening, unless you think the NSA has also hacked physics, then nothing I can say matters anyway.