Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Cisco Is Trying To Prove It Can Keep NSA Spies Out of Its Gear (csoonline.com)

Posted by samzenpus on from the and-stay-out dept.

itwbennett writes: A now infamous photo [leaked by Edward Snowden] showed NSA employees around a box labeled Cisco during a so-called 'interdiction' operation, one of the spy agency's most productive programs,' writes Jeremy Kirk. 'Once that genie is out of the bottle, it's a hell of job to put it back in,' said Steve Durbin, managing director of the Information Security Forum in London. Yet that's just what Cisco is trying to do, and early next year, the company plans to open a facility in the Research Triangle Park in North Carolina where customers can test and inspect source code in a secure environment. But, considering that a Cisco router might have 30 million lines of code, proving a product hasn't been tampered with by spy agencies is like trying 'to prove the non-existence of god,' says Joe Skorupa, a networking and communications analyst with Gartner.

14 of 130 comments (clear)

  1. 30 million lines of code?! by kaka.mala.vachva · · Score: 4, Interesting

    That is a lot of code, is that a realistic number for a router? I'm genuinely interested in knowing.

    1. Re:30 million lines of code?! by Lennie · · Score: 4, Funny

      If you add enough protocols you'll eventually get there ?

      --
      New things are always on the horizon
    2. Re:30 million lines of code?! by Anonymous Coward · · Score: 3, Interesting

      BSD base.

      But a team of hundreds of highly talented people who are paid a full time wage to find vulnerabilities (you don't think the NSA has source too?) in everything from the application layer to the bare metal is going to do a better job of finding vulnerabilities than someone sent on a PR junket to "prove" that Cisco routers are secure.

      This is, alas, a technological solution to a social problem, and one with a very finite lifespan.

      In particular, observe that the first domino in the war against end-to-end encryption is about to fall: Great Britain. Other European countries will follow, and the US is not going to lag far behind. ("Oh, it'll never happen!" Oh, but it already is happening.) Is it because of some theoretical or practical breakthrough? No, it is because the law allows it.

      The law gives effectively boundless permissions and resources to the executive. That's always going to defeat encryption-in-practice, which is limited by the wits of engineers and the boundaries of law.

      Encryption-in-practicve is only useful - and it is very useful then - against those of limited means, whether a tin pot dictatorship or your competitor or your annoying roommate. More specifically, encryption-in-practice is something you use to protect you from your peers and from the corruptibility of institutions designed to serve you - in particular, public institutions. The moment a head of state says, as did David Cameron, that it's time to eliminate the first principle of rule of law - "as long as you obey the law, we will leave you alone" - the game has changed.

      Then, your new task must be to educate the masses to oppose tyranny, because you will lose if you try to continue standing on your own.

      tl;dr If the biggest corporations appear to sell protection from their own government as a security feature, they are either knowingly full of shit, or unknowingly full of shit.

    3. Re: 30 million lines of code?! by ArmoredDragon · · Score: 3, Insightful

      Not only realistic, but I myself would be concerned with what is going on inside of the asic, and finding out would be very non trivial, even if they revealed the schematics.

      Also of concern is, how do we know they haven't received an NSL telling them to maintain two sets of code, with one of them being compromised and can't be shown to somebody without government clearance?

  2. ...trying 'to prove the non-existence of god... by ItsJustAPseudonym · · Score: 5, Funny

    More like "the devil", in this case.

  3. It's the Law by Anonymous Coward · · Score: 5, Interesting

    How can they convince anyone that they can keep the NSA out when the Law says they have to let the NSA in?

  4. Good luck with that by sasparillascott · · Score: 3, Insightful

    Just like the documents showing Microsoft handing over their customers communication data to the NSA...once you've been fingered as a good "partner" with the U.S. intelligence apparatus your shelf life as a company has been time bombed...ignition is just waiting on an alternative supplier that can be reasonably trusted (IMHO this could take some years, but its coming...the market is too big and valuable...if given a true choice nobody wants to buy gear from companies that were shown to be stooges for government snooping).

    1. Re:Good luck with that by Anonymous Coward · · Score: 5, Interesting

      Snowden sure did us a favor with his revelations.

      What did we do for him in return?

      We threw him to the wolves.

      Americans don't deserve whistle-blowers.

  5. And just how does that do anything by silas_moeckel · · Score: 3, Insightful

    The NSA was supposedly loading code onto hardware. Cisco is a pretty closed environment if they pown the bootloader just exactly how are you going to detect this? You can review all the code you want if your can not trust the hardware it does you no good.

    --
    No sir I dont like it.
  6. Just track the damn package! by jtara · · Score: 5, Interesting

    Seen enough YouTube videos from cameras packed in shipments for the obvious answer...

    These boxes are costly enough to justify packaging it with some device that will record GPS, video, and sound. Make sure there is some good cryptographic signature on the device. Attach it to the router, and put a nasty anti-tamper dye spray to boot. (Although might have some regulatory issues with the explosive device for that, hmmm...).

    Give the customer a rebate for returning the tracking device. (After unlocking, of course.)

    Of course, the tracking device will need solid cryptographic signature/protection, but would have a lot fewer millions of lines of code than the router!

    Then the guy you see stumbling out of the FedEx office covered in dye... he's not with FedEx.

    The best the spys can do, then, is to "lose" the device in shipment, pay off the carrier's insurance company (otherwise, insurance rates will go sky-high), and then try to sell the router in the black market to spy on somebody other than the original target.

  7. Re:30 million lines of code by AK+Marc · · Score: 3, Insightful

    I read it as "reporter mistakes all Cisco devices in the program sum to 30 million lines of code for a router has 30 million lines of code" If you had multiple different classes of switch, they may have very little code reuse. The old PIX ran of a standard Intel CPU (not sure about the newer ASA), ASICs differ between even different models in the same router line, so lots of code around those. Sum up all the different devices that they are opening up, and 30M lines of code sounds about right, though 30M lines of code for a single router seems a bit much.

    Though, if you don't trust Cisco, how does opening the source code in such controlled circumstances help? Unless you can compile it yourself with a compiler you brought, you can never be sure there isn't a backdoor. There could be code swap between display and deployment, or a backdoor programmed into the compilers, to ensure no code review would ever find it. Or it's only in ASIC based systems, hidden in the chip, and the chip schematics aren't on display.

    So the show is merely symbolic, so let's see how it goes.

    --
    Learn to love Alaska
  8. Re:CISCO by AK+Marc · · Score: 4, Interesting

    Use only Huawei in the core and Cisco on the edge, with a firewall rule to block traffic to/from China to block the Huawei back doors. Or vice versa. You can't trust either, but hopefully both aren't compromised by the same group.

    --
    Learn to love Alaska
  9. Did they move their operations from the US by EmperorOfCanada · · Score: 4, Insightful

    Did they move their operations from the US and fire all their US developers and only hire ones from countries with the strongest data protection laws and the weakest spy agencies?

    No? Then they are NSA compromised. Here is a letter from the DOJ ordering you to cooperate with the NSA or go to jail. You can't show the letter to anyone or you go to jail. If you want to contest it you will first go to jail and then you will have to contest it in a special court where you can't get any evidence that is in your favour. So you stay in jail.

    If companies like Siemens are using Cisco equipment then they are fools.

  10. Better idea by TheCarp · · Score: 3, Interesting

    We already have "did this package get dropped" sensors. So take that to the next level.

    Vacume seal an interior bag. Place a module inside the bag with:
    1. Internal Battery
    2. Sensor package including light and air pressure/composition sensors
    3. A small amount of memory
    4. A running program which will erase the memory if any of the sensors detect a change
    5. a small transmitter, capable of answering a challenge.

    Customer/Cisco generate a key using a key exchange protocol, key is loaded into box gaurdian module. Box is shipped. Customer uses an RF device to query the package to see if it has been tampered with, customer informs cisco for an immediate RMA, but accepts delivery, so as to be sure the box can be returned in tact for analysis.

    --
    "I opened my eyes, and everything went dark again"