Slashdot Mirror


How Cisco Is Trying To Prove It Can Keep NSA Spies Out of Its Gear (csoonline.com)

itwbennett writes: 'A now infamous photo [leaked by Edward Snowden] showed NSA employees around a box labeled Cisco during a so-called 'interdiction' operation, one of the spy agency's most productive programs,' writes Jeremy Kirk. 'Once that genie is out of the bottle, it's a hell of job to put it back in,' said Steve Durbin, managing director of the Information Security Forum in London. Yet that's just what Cisco is trying to do, and early next year, the company plans to open a facility in the Research Triangle Park in North Carolina where customers can test and inspect source code in a secure environment. But, considering that a Cisco router might have 30 million lines of code, proving a product hasn't been tampered with by spy agencies is like trying 'to prove the non-existence of god,' says Joe Skorupa, a networking and communications analyst with Gartner.

30 of 130 comments

  1. 30 million lines of code?! by kaka.mala.vachva · · Score: 4, Interesting

    That is a lot of code, is that a realistic number for a router? I'm genuinely interested in knowing.

    1. Re:30 million lines of code?! by Lennie · · Score: 4, Funny

      If you add enough protocols you'll eventually get there ?

      --
      New things are always on the horizon
    2. Re:30 million lines of code?! by Anonymous Coward · · Score: 3, Interesting

      BSD base.

      But a team of hundreds of highly talented people who are paid a full time wage to find vulnerabilities (you don't think the NSA has source too?) in everything from the application layer to the bare metal is going to do a better job of finding vulnerabilities than someone sent on a PR junket to "prove" that Cisco routers are secure.

      This is, alas, a technological solution to a social problem, and one with a very finite lifespan.

      In particular, observe that the first domino in the war against end-to-end encryption is about to fall: Great Britain. Other European countries will follow, and the US is not going to lag far behind. ("Oh, it'll never happen!" Oh, but it already is happening.) Is it because of some theoretical or practical breakthrough? No, it is because the law allows it.

      The law gives effectively boundless permissions and resources to the executive. That's always going to defeat encryption-in-practice, which is limited by the wits of engineers and the boundaries of law.

      Encryption-in-practice is only useful - and it is very useful then - against those of limited means, whether a tin pot dictatorship or your competitor or your annoying roommate. More specifically, encryption-in-practice is something you use to protect you from your peers and from the corruptibility of institutions designed to serve you - in particular, public institutions. The moment a head of state says, as did David Cameron, that it's time to eliminate the first principle of rule of law - "as long as you obey the law, we will leave you alone" - the game has changed.

      Then, your new task must be to educate the masses to oppose tyranny, because you will lose if you try to continue standing on your own.

      tl;dr If the biggest corporations appear to sell protection from their own government as a security feature, they are either knowingly full of shit, or unknowingly full of shit.

    3. Re:30 million lines of code?! by realmolo · · Score: 2

      I'd say it's realistic. Depends on the router.

      A modern high-end router is really more of an IDS/IPS/firewall than just a router. There is a lot of stuff going on. And if you include all the code for the interface (both a console and a web-based interface), then it REALLY gets nutty.

    4. Re: 30 million lines of code?! by ArmoredDragon · · Score: 3, Insightful

      Not only realistic, but I myself would be concerned with what is going on inside of the ASIC, and finding out would be very non-trivial, even if they revealed the schematics.

      Also of concern is, how do we know they haven't received an NSL telling them to maintain two sets of code, with one of them being compromised and can't be shown to somebody without government clearance?

    5. Re: 30 million lines of code?! by AmiMoJo · · Score: 2

      To be fair, I think a backdoor in an ASIC is unlikely. It would be hard to hide from all the people working on the product, and would make it easier for other people to hack Cisco gear. The NSA doesn't want to open the door for everyone.

      That's why they were intercepting hardware being shipped to customers and planting bugs in it. Targeted, easy to update the bugs, easy to hide from Cisco engineers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:30 million lines of code?! by haruchai · · Score: 2

      I'm pretty sure the Nexus switches run Linux on the bare metal but the AsyncOS that powers the Ironport Web & Email appliances is supposedly running on top of FreeBSD.
      But in neither case does the customer have access to the underlying OS - as far as I'm aware.

      --
      Pain is merely failure leaving the body
  2. ...trying 'to prove the non-existence of god... by ItsJustAPseudonym · · Score: 5, Funny

    More like "the devil", in this case.

  3. Re: Sheldon Cooper will finally have sex by Anonymous Coward · · Score: 2, Funny

    The descent of Big Bang Theory into the Friends zone is complete. Sad.

  4. It's the Law by Anonymous Coward · · Score: 5, Interesting

    How can they convince anyone that they can keep the NSA out when the Law says they have to let the NSA in?

  5. Re:30 million lines of code by Anonymous Coward · · Score: 2, Funny

    In a router??? Bullshit. Windows 10 don't have 30 million lines of code.

    Yea but a Cisco router actually does work...

  6. Useless by Lennie · · Score: 2

    This might be useful only if I could bring my own compiler and could keep the resulting binary and I could install that myself on the hardware (never going to happen).

    Even then, the Cisco products include hardware with sophisticated packet processing capabilities; they could just build it into that.

    Maybe they should first find a way to ship the product in such a way that it can't be tampered with.

    --
    New things are always on the horizon
    1. Re:Useless by bill_mcgonigle · · Score: 2

      This might be useful only if I could bring my own compiler

      You can (per the FAQ).

      and could keep the resulting binary and I could install that myself on the hardware (never going to happen).

      If Cisco defines the hash of the build binary as their IP, then the whole thing is doomed. If you can reproduce their build, a hash collision isn't going to be an actual risk.

      However:

      Q: What technologies or products can be reviewed?
      TVS includes all Cisco technologies, within the bounds of applicable Export Control Laws. Where certain technologies from third-party OEMs are received encrypted, we may be unable to provide greater visibility

      The good news is this sounds like hardware is included (perhaps a way to work around the NSL problem.) The bad news is you're getting binary blobs anyway and you'll just have to trust _those_. Ouch.

      Cisco is realizing that secret source and security applications are incompatible. That's good. Hopefully the next step is to embrace full openness (and therefore stay relevant). As usual, patent fears will probably keep them paralyzed instead and an open competitor (probably non-US) will start to eat their marketshare. Between the US patent system and the NSA taint, the secret-source US 'security' industry has a bleak future. #thanksobama

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  7. Good luck with that by sasparillascott · · Score: 3, Insightful

    Just like the documents showing Microsoft handing over their customers' communication data to the NSA...once you've been fingered as a good "partner" with the U.S. intelligence apparatus your shelf life as a company has been time bombed...ignition is just waiting on an alternative supplier that can be reasonably trusted (IMHO this could take some years, but it's coming...the market is too big and valuable...if given a true choice nobody wants to buy gear from companies that were shown to be stooges for government snooping).

    1. Re:Good luck with that by Anonymous Coward · · Score: 5, Interesting

      Snowden sure did us a favor with his revelations.

      What did we do for him in return?

      We threw him to the wolves.

      Americans don't deserve whistle-blowers.

  8. And just how does that do anything by silas_moeckel · · Score: 3, Insightful

    The NSA was supposedly loading code onto hardware. Cisco is a pretty closed environment; if they pwn the bootloader, just exactly how are you going to detect this? You can review all the code you want; if you cannot trust the hardware it does you no good.

    --
    No sir I dont like it.
  9. Shipping to decoy addresses by HighOrbit · · Score: 2

    Back in March, in a related story, one of Cisco's VPs for security, John Stewart, was quoted in the press as saying that Cisco would ship to decoy addresses to circumvent interception by the Government. Supposedly, this was at a roundtable discussion during the Cisco-Live conference in Melbourne, but there is no video of the discussion on the Cisco-live website.

    I've heard he was misquoted and they don't actually do it. Does anybody have a link to actual video of this discussion? Are they still doing this? Has anybody used that service?

    The original slashdot article is http://hardware.slashdot.org/s...

  10. Just track the damn package! by jtara · · Score: 5, Interesting

    Seen enough YouTube videos from cameras packed in shipments for the obvious answer...

    These boxes are costly enough to justify packaging it with some device that will record GPS, video, and sound. Make sure there is some good cryptographic signature on the device. Attach it to the router, and put a nasty anti-tamper dye spray to boot. (Although it might have some regulatory issues with the explosive device for that, hmmm...).

    Give the customer a rebate for returning the tracking device. (After unlocking, of course.)

    Of course, the tracking device will need solid cryptographic signature/protection, but would have a lot fewer millions of lines of code than the router!

    Then the guy you see stumbling out of the FedEx office covered in dye... he's not with FedEx.

    The best the spies can do, then, is to "lose" the device in shipment, pay off the carrier's insurance company (otherwise, insurance rates will go sky-high), and then try to sell the router on the black market to spy on somebody other than the original target.

  11. Re:30 million lines of code by AK+Marc · · Score: 3, Insightful

    I read it as "reporter mistakes 'all Cisco devices in the program sum to 30 million lines of code' for 'a router has 30 million lines of code'". If you had multiple different classes of switch, they may have very little code reuse. The old PIX ran on a standard Intel CPU (not sure about the newer ASA), ASICs differ between even different models in the same router line, so lots of code around those. Sum up all the different devices that they are opening up, and 30M lines of code sounds about right, though 30M lines of code for a single router seems a bit much.

    Though, if you don't trust Cisco, how does opening the source code in such controlled circumstances help? Unless you can compile it yourself with a compiler you brought, you can never be sure there isn't a backdoor. There could be code swap between display and deployment, or a backdoor programmed into the compilers, to ensure no code review would ever find it. Or it's only in ASIC based systems, hidden in the chip, and the chip schematics aren't on display.

    So the show is merely symbolic, so let's see how it goes.

  12. 30 million loc is realistic in my mind by paulpach · · Score: 2

    I don't know what those particular routers are running. Here is just me listing a few packages off the top of my head that could be in there:

    There are 12 million LOC in the kernel alone (linux?)
    Another million for libc
    2 million for a web server
    2 million for php or whatever they use.
    6 million for java.

    I have not even included anything cisco might write themselves.
    As you can see, it would not be too hard to get to the 30 million LOC mark. The backdoors can be installed in any of these packages, not only in the stuff Cisco wrote.

    I seriously doubt cisco wrote 30 million LOC for their routers, but once you start counting all the 3rd party software that runs inside those routers 30 million does not seem too far fetched.

  13. Re:CISCO by AK+Marc · · Score: 4, Interesting

    Use only Huawei in the core and Cisco on the edge, with a firewall rule to block traffic to/from China to block the Huawei back doors. Or vice versa. You can't trust either, but hopefully both aren't compromised by the same group.

  14. Re:30 million lines of code by GuB-42 · · Score: 2

    I suspect that DD-WRT is in the same ballpark, if only for the linux kernel (the latest release is nearly 20 million lines of code).
    And DD-WRT is for home routers.

  15. Checking the source code is no good by CanadianMacFan · · Score: 2

    What good is checking the source code when the NSA is shown to be modifying the gear after it leaves Cisco? You're checking the code that ships from Cisco before the NSA gets it, not what you receive. And what if the NSA isn't touching something in the code but putting in a piece of their own hardware?

  16. Did they move their operations from the US by EmperorOfCanada · · Score: 4, Insightful

    Did they move their operations from the US and fire all their US developers and only hire ones from countries with the strongest data protection laws and the weakest spy agencies?

    No? Then they are NSA compromised. Here is a letter from the DOJ ordering you to cooperate with the NSA or go to jail. You can't show the letter to anyone or you go to jail. If you want to contest it you will first go to jail and then you will have to contest it in a special court where you can't get any evidence that is in your favour. So you stay in jail.

    If companies like Siemens are using Cisco equipment then they are fools.

  17. Too late by NotDrWho · · Score: 2

    Thank your government for the fact that no one in their right mind is ever going to trust any hardware coming out of the U.S. ever again. Ain't no putting that genie back in the bottle.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  18. Re:CISCO by wulfhere · · Score: 2

    You DO realize that 'China' could have servers sitting somewhere connected via 'non-China' IPs, right?

    --
    -- Sent from a computer.
  19. Made in china by Billly+Gates · · Score: 2

    And I wonder if the NSA root kit will wipe out the Chinese one?

  20. Re:CISCO by AK+Marc · · Score: 2

    Yeah, but when the firewall is made by Cisco, how do you trust the firewall if you don't trust Cisco?

  21. Re:CISCO by vux984 · · Score: 2

    The solution was covered.

    2 firewalls in sequence.

    Cisco + Huawei

    Even if you trust neither to keep the respective vendor's government out, you can reasonably trust the Cisco not to be in bed with the Chinese, and the Huawei not to be in bed with the Americans.

    So either state actor is blocked. If the chinese and americans are working *together* to break into your network... you've probably got a situation where your network shouldn't be connected to the internet period... transferring your data via usb sticks ferried by carrier pigeons and children.

  22. Better idea by TheCarp · · Score: 3, Interesting

    We already have "did this package get dropped" sensors. So take that to the next level.

    Vacuum-seal an interior bag. Place a module inside the bag with:
    1. Internal battery
    2. Sensor package including light and air pressure/composition sensors
    3. A small amount of memory
    4. A running program which will erase the memory if any of the sensors detect a change
    5. A small transmitter, capable of answering a challenge.

    Customer/Cisco generate a key using a key exchange protocol; the key is loaded into the box guardian module. Box is shipped. Customer uses an RF device to query the package to see if it has been tampered with; the customer informs Cisco for an immediate RMA, but accepts delivery, so as to be sure the box can be returned intact for analysis.

    --
    "I opened my eyes, and everything went dark again"
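The guardian module TheCarp sketches (and the signed tracking device in jtara's comment further up) modelled as an added example; this is not code from the thread, from Cisco or from any product. It assumes the 32-byte key was already agreed between customer and vendor by a key exchange and loaded into the module, and all sensor readings are constructed.

```python
import hashlib, hmac, secrets

# Constructed baseline: readings captured when the bag was vacuum-sealed.
SEAL_BASELINE = {"lux": 0.0, "kpa": 20.0, "o2_pct": 0.5}

class GuardianModule:
    """Model of the sealed sensor module. Assumes a 32-byte key was agreed
    beforehand between customer and vendor (the key exchange itself is out
    of scope here) and loaded into the module's memory before shipping."""

    def __init__(self, key: bytes, baseline: dict, tolerance: float = 1.0):
        self._key = bytearray(key)      # the only secret in the module's memory
        self._baseline = baseline
        self._tolerance = tolerance     # absolute drift allowed per sensor
        self.tampered = False

    def sample_sensors(self, reading: dict) -> None:
        """Runs continuously on the internal battery; a change in light,
        pressure or air composition zeroises the key immediately."""
        for name, base in self._baseline.items():
            if abs(reading.get(name, base) - base) > self._tolerance:
                self._erase()
                return

    def _erase(self) -> None:
        for i in range(len(self._key)):
            self._key[i] = 0
        self.tampered = True

    def answer(self, challenge: bytes) -> bytes:
        """RF responder: HMAC-SHA256 of the challenge under the stored key.
        After erasure the MAC is computed under an all-zero key and fails."""
        return hmac.new(bytes(self._key), challenge, hashlib.sha256).digest()

def customer_check(module: GuardianModule, key: bytes) -> bool:
    """Customer side: a fresh random challenge per query, so an answer
    recorded from an earlier query cannot be replayed by a tampered package."""
    challenge = secrets.token_bytes(16)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, module.answer(challenge))

def run_scenarios() -> tuple:
    """Returns (untouched package verifies, opened package verifies)."""
    key = secrets.token_bytes(32)
    clean = GuardianModule(key, SEAL_BASELINE)
    clean.sample_sensors({"lux": 0.0, "kpa": 20.3, "o2_pct": 0.5})       # normal transit
    opened = GuardianModule(key, SEAL_BASELINE)
    opened.sample_sensors({"lux": 120.0, "kpa": 101.3, "o2_pct": 21.0})  # bag cut open
    return customer_check(clean, key), customer_check(opened, key)
```

A module that does not answer at all (flat battery, or removed) should be treated the same way as a failed check, since silence is indistinguishable from a wiped key.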