Slashdot Mirror


User: jeffmeden

jeffmeden's activity in the archive.

Stories: 0
Comments: 2,932

Comments · 2,932

  1. Re:Why is penetration in quotes? on Attempted Breach of NSA HQ Checkpoint; One Shot Dead · · Score: 1, Informative

    Being dressed as women has nothing to do with putting 'penetration' in quotes, unless there is some sort of joke I'm missing. Why is it in quotes?

    Because it's not clear from the statement what exactly took place. Did they bump a barricade lightly while trying to peacefully leave the checkpoint, and in turn get pursued by the guards and shot to death despite being unarmed and showing no actual malice? We will have to wait for more details to emerge.

  2. Re:Easy Solution on Broadband ISP Betrayal Forces Homeowner To Sell New House · · Score: 2

    I guess it depends on what the fine is for not complying. For your above scenario to make sense, the fine itself would have to be more than the cost of installing the line. Otherwise, they would just pay the fine and forget about it. Also, there would need to be timelines for how long they can take to get the service working. If you have to live in the house a year without good internet before they get the service up and running then the law isn't very helpful. Also, what happens if you move in in December and they can't install the lines until March when the ground has thawed? Also, there's no law saying how much they are allowed to charge you, and they often don't charge the same fees for everybody. Once they've installed your lines, you're basically a slave to paying that provider's rates. If they want to jack up the rate 6 months down the road to recoup costs, there isn't much you can do about it, other than try to get some other provider to put in lines as well.

    Actually there was only one important caveat: "Pass a law that if a service provider says that they offer service to an address they must do so by law." So the goal is not to get service to every address in the US, the goal is to make paying the fines more painful than generating a correct national broadband map. Correct map in hand, consumers can make a more informed choice and national providers will have a more flimsy straw man from which to argue behind.

  3. Re:Ancient Chinese wisdom on Github Under JS-Based "Greatfire" DDoS Attack, Allegedly From Chinese Government · · Score: 0

    Any civilisation that in 5000 years never managed to invent the fork and carried on using 2 sticks to eat with isn't that great.

    Any civilisation that after 5000 years still makes food so hard to eat that it needs to be poked, chopped, ripped, etc AFTER the chef is done, isn't that great. Chopsticks are not a symptom of lack of refinement, the food that passes as "prepared" in western cultures is.

    /flame on

  4. Re:I wouldn't mind the NSA so much if... on NJ School District Hit With Ransomware-For-Bitcoins Scheme · · Score: 4, Interesting

    ...they went after these criminals.

    If our government actually did something about stuff like this, I think people would believe in their government a bit more, but as it stands, it seems like the NSA and such only want to either spy on us or topple governments that don't toe the line for the US.

    I cannot imagine that finding these criminals is beyond the abilities of the US Government, it just seems like they don't even try.

    The thing is, if they did, you would never know about it. It may seem like they don't even try, and they might not be, but they could also be defeating 95% of it. With a mission that is by design clandestine, no one may ever know until our kids get a peek at the public records dump 50 years from now.

  5. Re:Trade secret? on Facebook Sued For Alleged Theft of Data Center Design · · Score: 2

    Yes, but if they had an NDA they should be suing for breaking the NDA, not theft of trade secrets.

    Given that they had to redact a good bit of the material in the suit, my guess is that they are doing both. And why not? Trade secrets are internationally recognized as property, and property law is pretty easy to assert. If they can show a clear paper trail, they will probably win.

  6. Re:Still waiting for a "hackability meter" on Many Password Strength Meters Are Downright Weak, Researchers Say · · Score: 1

    You're a fucking shitheel. The vast majority of passwords are cracked offline. The only things saving you, the user, when (not if) shit gets hacked are using strong passwords and not reusing them across services. "2-factor" authentication doesn't do fuck shit because the company got fucking hacked anyway - you can't trust that the keys for the RSA clocks weren't taken at the same time the user table was.

    Of course any passwords that get cracked are cracked offline, it has been a long long time since even the most poorly architected of sites had an auth service capable of responding fast enough to brute force. The point is that more often still, passwords are lifted out of databases that don't bother to encrypt them at all, or passwords are "Cracked" by exploiting a poorly built password reset system to overwrite them. In those cases (which account for almost all of the malicious per-account activity), it doesn't matter at all how complex (or uncomplex) your password is.

  7. Re:Still waiting for a "hackability meter" on Many Password Strength Meters Are Downright Weak, Researchers Say · · Score: 1

    What we need is a meter on a web site describing how much effort they put into server security, how big their target profile is (how many entry points they have) and a sign that says "??? days since a total data breach!", and then the user can decide if they want an account there at all. How's that coming?

    Are you secretly planning to use it as a Dunning-Kruger meter and avoid all that self-rate as 10 out of 10? Because if you think you'll get anything else useful out of it, I want some of what you're smoking...

    Both are farcical. Good catch.

    The point is that a site could very easily be giving you great password strength advice and then proceed to do something totally stupid with it (storing it with such a poor cipher that can be bruteforced in seconds.)

  8. Re:Still waiting for a "hackability meter" on Many Password Strength Meters Are Downright Weak, Researchers Say · · Score: 1

    Sorry, but password complexity matters a great deal. When a website's passwords get hacked, they're going to compare hashes and find all the easiest ones first (password, hunter2, 123456, etc). If yours is 15 characters of random letters, numbers, etc, yours will not get cracked first. Now, if someone like the NSA is targeting YOU, then it doesn't matter how complex it is; it will get cracked. But in a list of 5,000,000 passwords, having a complex password can help make sure yours is not one of those cracked.

    This is my exact point. You are right if and only if the provider didn't bother to use an effective salt, which renders rainbow tables pointless. Why isn't that part of the meter? "Your password is stored in a hash of type XXX that is ### bits long, hashed for ### rounds, and salted with ### bits during each round." would tell the user all they need to know about how well their password is going to be protected, and they can make a more informed decision.

  9. Re:Still waiting for a "hackability meter" on Many Password Strength Meters Are Downright Weak, Researchers Say · · Score: 1

    In that case, even a password of 'veronica' should be strong enough to last until the breach is discovered (days?), the user notified

    Considering how awfully many cases there have been where it has taken the company weeks or even months to notify anyone of the breach I'm going to have to disagree on that.

    That's my exact point. If a system is compromised and they are going after user data unnoticed, you are boned even if they can't brute force your 5000 character epic passpoem, detailing the life and works of seven mythical Norse heroes (apologies to http://www.schneierfacts.com/f...). The only thing keeping you safe in that instance is staying the fuck away from downright terrible and negligent providers.

  10. Re:Still waiting for a "hackability meter" on Many Password Strength Meters Are Downright Weak, Researchers Say · · Score: 1

    Not sure how that got butchered but the link to the article about passwords being stored by providers in clear or near-cleartext is http://techcrunch.com/2015/01/...

  11. Re:Still waiting for a "hackability meter" on Many Password Strength Meters Are Downright Weak, Researchers Say · · Score: 1

    The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughter's name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.

    Your basis for saying password complexity is irrelevant is that bad people would be doing online brute-forcing? They do matter somewhat when it comes to online cracking, but the real relevancy doesn't lie there. The passwords matter when it comes to offline brute-forcing: the more complex the password the longer it'll take to crack it even if you have the hash for it. With good passwords and well-done hashing and salting you may end up cracking them for weeks by which time whoever you obtained them from will hopefully already have made their users change their passwords.

    Brute forcing offline is only a scenario that can take place after a breach has occurred. In that case, even a password of 'veronica' should be strong enough to last until the breach is discovered (days?), the user notified(http://techcrunch.com/2015/01/...) make complexity 100% pointless, which is what I am getting at here.
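As an added illustration of the storage side of this argument (the "hash type / bits / rounds / salt" meter proposed in comment 8 and the offline brute-forcing point in comment 11), here is example code that is not from the thread or from Slashdot. It stores a password with a per-record random salt and an iterated hash, verifies it, and prints the disclosure line the comment suggests. The algorithm (PBKDF2-HMAC-SHA256), the 600,000 round count, the 128-bit salt size, and the record format `pbkdf2_sha256$rounds$salt$hash` are assumptions chosen for the example, as are the function names; nothing here describes any real provider's settings.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (assumptions, not any provider's real settings).
ALGORITHM = "sha256"      # PBKDF2 PRF; its digest is 256 bits
DEFAULT_ROUNDS = 600_000  # iteration count; raises the per-guess cost of an offline attack
SALT_BYTES = 16           # 128-bit random salt, unique per stored password


def unsalted_digest(password: str) -> str:
    """One fast, unsalted hash: identical for every user and every site that
    stores the same password, which is why a table computed once can be
    compared against a leaked hash list (the case the thread describes)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = DEFAULT_ROUNDS) -> str:
    """Store a password as a self-describing record:
    pbkdf2_<prf>$<rounds>$<salt_hex>$<hash_hex> (constructed format)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per record, never reused
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_{ALGORITHM}${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and round count, then compare in constant time."""
    algo, rounds, salt_hex, hash_hex = record.split("$")
    prf = algo[len("pbkdf2_"):]
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), hash_hex)


def describe_storage(record: str) -> str:
    """The 'storage meter' sentence from comment 8, filled in from the record."""
    algo, rounds, salt_hex, hash_hex = record.split("$")
    return (f"Your password is stored in a hash of type {algo} that is "
            f"{len(hash_hex) * 4} bits long, hashed for {rounds} rounds, "
            f"and salted with {len(salt_hex) * 4} bits.")


if __name__ == "__main__":
    # 'veronica' is the sample password used in the thread, nothing more.
    record = hash_password("veronica")
    print(record)
    print(describe_storage(record))
    print("verify ok:", verify_password("veronica", record))
    # Unsalted: same input gives the same digest everywhere.
    print("unsalted identical:", unsalted_digest("veronica") == unsalted_digest("veronica"))
    # Salted: two records for the same password differ, so a precomputed
    # table matches neither and each guess must be recomputed per salt.
    print("salted identical:", hash_password("veronica") == hash_password("veronica"))
```

The point the two comments are circling is visible in the last two prints: with an unsalted fast hash the leaked list can be matched against work done once, in advance; with a unique salt and a high round count every guess costs the full iteration count for every record, which is what buys the "weeks" the reply mentions. The round count and salt length are exactly the numbers a disclosure meter would have to show.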

  12. Re:is this good? on Many Password Strength Meters Are Downright Weak, Researchers Say · · Score: 4, Interesting

    123Password is very strong because it uses numbers and upper and lower case letters.
    Those meters are stupid.

    As long as it's not one of either this list: http://gizmodo.com/the-25-most... or just a copy of your exact username, then yep it will probably suit you just fine. Dictionary attacks don't happen in break ins nearly as often as exploiting password resets (via social engineering or otherwise) or other blatant sidesteps of security (token reuse, etc), since everyone tarpits bad logins, sometimes after as few as 3 attempts.

  13. Still waiting for a "hackability meter" on Many Password Strength Meters Are Downright Weak, Researchers Say · · Score: 5, Interesting

    The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughter's name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.

    What we need is a meter on a web site describing how much effort they put into server security, how big their target profile is (how many entry points they have) and a sign that says "??? days since a total data breach!", and then the user can decide if they want an account there at all. How's that coming?

  14. Re:Trade secret? on Facebook Sued For Alleged Theft of Data Center Design · · Score: 2

    How can you claim something is a trade secret if you show it to others? If you want to keep your design proprietary, patent it.

    Via a handy catch-all called an NDA. Facebook is in trouble if it stipulated something like "BRG is presenting designs in confidence and all material is proprietary and not to be copied for any reason... Facebook will be held liable for any material/tangential loss due to disclosure of included designs..." etc since Facebook has allegedly shared their "secret modular designs" with the construction firm that won the bid, and Open Compute Project.

  15. Re:Ummm.... on Facebook Sued For Alleged Theft of Data Center Design · · Score: 3, Insightful

    Did BRG have that concept patented?

    Doesn't matter (but would help their case if it were). Note that the lawsuit isn't for infringement (patent or copyright) but for breach of contract and theft of trade secrets (that Facebook allegedly only had access to in confidence, i.e. via aforementioned contract). It all depends on if Facebook's agents signed anything similar to an NDA when negotiating with BRG for a design contract, in order to review a proposal using their "modular techniques". If BRG was smart they would have papered it up very specifically before they showed any sensitive bits to Facebook.

    Like TFS says we don't have enough info to know if something super specific about the design was copied (like some allegedly optimal ratio of airflow to floorspace to TDP). This is most likely just a contract chase, hoping that the words of whatever Facebook signed are broad enough to catch them for designing anything similar to what BRG had proposed.

  16. Re:Wouldn't be the first time... on Facebook Sued For Alleged Theft of Data Center Design · · Score: 1

    Wouldn't be the first time that Mark had blatantly stolen someone else's idea.

    Next up, BRG will abandon their ridiculous claims, be put on trial for fraud, cut off their monitoring anklets and tape them to a broom handle mounted on a ceiling fan. You know, for fun. CYA in Belize!!!

  17. Re:How is this new? on Scientists Create Permanently Slick Surface So Ketchup Won't Stay In Bottle · · Score: 3

    In the history of "conservation" no one has managed to turn the ability to use less of a product into the *practice* of using less of a product. How often do you let the empty ketchup bottle "ride" in the fridge and squeeze a few faint drops on each hot dog hoping to get the last of it, while really only putting 1/10th your normal amount on? Yep. Now, you can get your full ketchup fix on time, every time. And when the bottle is gone it's gone, no more "maybe one more blob of salt-tomato-vinegar heaven, if I shake it just right!" instead, it's on to the next new bottle, and the next full load of ketchup on your bratwurst, and even BETTER sales for Kraft/Heinz.

    Further reading: energy efficiency != energy conservation: http://freakonomics.com/2015/0...

  18. Re:It depends on No, It's Not Always Quicker To Do Things In Memory · · Score: 1

    RAM *is* faster (by far) than any persistent media (SSD, HD...). So whatever the test, the algorithm is probably bad,

    I read this summary as "when the goal is to write a string to disk, building it in memory first is slower than just writing it to the damn disk in the first place".

    Followed by a "does this mean my cafeteria meal card is going to get renewed?" at the end.

  19. Re:Nice on GNU Nano Gets New Stable Release · · Score: 4, Funny

    It's easy. You just use "vi [filename]" and then inside the file you hit lower case i to actually edit it and then escape to stop editing it and then ctrl to activate the command prompt inside vi and w to write it and exclamation mark because you're sure you want to save it and then q to quit.

    And after that I have configured resolv.conf and apt.sources to the point where I can just install nano and get back to work.

  20. Re:Summer? on Energy Company Trials Computer Servers To Heat Homes · · Score: 1

    The article says nothing about what happens during the summer months. You just shut down the servers then? (HTTP 707 Error: Server on summer break).

    They probably install a duct to just circulate outdoor air through the unit. In the Netherlands the average high temp doesn't get past 70F/21C so there are few times when you would have waste heat that you couldn't use.

    Plus, these are no doubt highly distributed redundant systems (cloud, as it were) so turning them off and relying on servers elsewhere is a viable option.

  21. Re:"Free" with restrictions is not Free! on Pixar Releases Free Version of RenderMan · · Score: 1

    Non-commercial use? How the fuck is that "free"?

    Per the "projects that do not generate commercial profits" description, major motion pictures can now use it free of charge thanks to the favorable slant of Hollywood Accounting! What's not free about that?

  22. Re:Yeah because you know... on Chevy Malibu 'Teen Driver' Tech Will Snitch If You Speed · · Score: 2

    Entirely true. It would just make more sense if they developed technology that could be retrofitted into any car instead of just their newest line.

    There are a fucking million of them but, what good is a device that goes for around $100 when you can sell [announcer voice] aaaaaaaa new caaaaaaar! [/announcer voice].

  23. Re:boxen and Borg? on To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses · · Score: 1

    Then the answer is not to send the hardware to empty buildings, but to install a GPS tracking device in the shipping container, and see where it goes off-course. Bonus points if you can track it all the way to the NSA modification warehouse, but at least if you know where it got diverted, you can figure out *how* it gets diverted. I suspect the truck drivers are in on it, but without tracking data, that is just a theory.

    Why on earth wouldn't you just presume that they are sitting in the CBP cargo control office waiting for anything marked Cisco? Secret warehouse? What is this, a Bond movie? It's a guy with a laptop and a cubicle at the port of Los Angeles who sifts through manifests and then saunters out for a few hours when he spots a ripe container, does his flashy flashy, puts some pretty tape back on the box, and no one is the wiser. The guy who works in Memphis at the border control office for the Fedex hub has it even easier, he just waits for the box to come down the conveyor and "inspects" it for a few minutes and sends it on its way.

    You make a good point though, Cisco doesn't seem to have any problem with the premise that US intelligence agencies can basically do anything with their products after they leave the warehouse, but is glad to set up an extra layer of work (for a fee!) to help (not really) remedy it. If they wanted to actually stop this from happening they would take a completely different approach, like just doing final assembly overseas, since all the freaking parts come from Asia anyway.

  24. Re:What I would do on To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses · · Score: 1

    If I were Cisco I'd send a rep to a few customers believed to be likely targets (at no cost to the customer), have them check the firmware on site w/ JTAG and if it doesn't match, take the firmware apart and publish the malware. Would serve NSA right.

    TSA goon 1: Oh, you're with Cisco, and you're headed to Iran? (Chris Hansen voice) Why don't you take a seat over there?
    TSA goon 2: Nice JTAG interface you have there. Shame if anything happened to it (h4x0r flash with firmware to hide modified cisco firmware)
    TSA goon 1: Have a nice trip!

  25. Re:boxen and Borg? on To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses · · Score: 2

    What?

    "Editors"

    While admiring Cisco's efforts here, this seems hard. At least these criteria would need to be satisfied:

    1) the order would have to come in over an actual secure channel and be handled on known-secure systems.
    2) the payment could not be processed until the delivery was made. Once the payment is made, the delivery location is compromised for future orders.
    3) the shipment would have to be to a location that does not appear on the MLS. The receiver would have to follow tracking and send a courier out to meet the delivery driver (an easy expense for the right customers).

    Driving to a distributor for pickup also seems like a good idea, so long as #2 is adhered to, since it amplifies the required effort of an attack to intercept several pallets of gear.

    What other attacks are there on such a secure-delivery system using a common carrier?

    The most obvious one: they will just intercept everything leaving Cisco and not heading to a reputable US company (scratch that, they probably target reputable US companies too). If they can intercept and MitM one box they can surely do it to a thousand. Why should they care if they don't even know where it's going, they can needlessly bug 1000 routers for every 1 that gets inside the right place and still have enough money in the budget to buy donuts on Friday.

    Where did you get criteria 2 and 3 from? It's pretty clear from the description that Cisco thinks the NSA will be thrown off the trail based on the premise that they are using a (From==Cisco && To==Iran) style filter to do these intercepts, and won't think to do ((From==Cisco && To==Pier 4, NYC) || (From==Pier 4, NYC && To==Iran)). The thinking is similar to bitcoin laundering services. Underestimating the NSA in this regard is pretty sad, given that the leaks are only a fraction of their secretive doings.