The grooming period is over
At some point Americans are going to wake up and see how they are being screwed by their high priests.
Cisco chief executive John Chambers has reportedly written to US President Obama, pointing out that the NSA tampering with kit it exports is not likely to result in more customer confidence or higher sales. The allegation that the NSA intercepts and fiddles with Cisco kit before it can reach offshore customers was raised last …
"At some point Americans are going to wake up and see ..."
... that the Earth is far older than 6,000 years?
... that evolution by natural selection is real?
... that corporations are /not/ people?
... ... ...
Sorry, I don't think enough of my fellow Americans will be waking up. Critical thinking is not taught in the majority of our schools, nor is it nurtured in the majority of our families.
Why assume Cisco is the ONLY company whose products are subject to such tampering?
Since the FSB, Chinese government and Uncle Sam are all undoubtedly trying to fiddle with the products of lots of companies, this won't affect Cisco's competitiveness - because all their competitors' products have the same issue anyway!
I think the issue here is that America has been claiming that Huawei kit was suspect as the company was under the control/influence of the Chinese military and so had backdoors implanted at the factory, whereas American products were "clean".
With this latest Cisco revelation, the problem is that there are photographs of the American spooks* opening up American produced products to implant back doors into them. So the claims that American products are clean can no longer be taken at face value. Cisco may not be installing the back doors, but someone else is.
* The pictures I've seen show someone opening up a Cisco box, and a workstation. There's no indication as to who these people are (NSA, Cisco employees, A.N. Other) or what they are actually doing.
"* The pictures I've seen show someone opening up a Cisco box, and a workstation. There's no indication as to who these people are (NSA, Cisco employees, A.N. Other) or what they are actually doing."
They could, for example, be completely removing its insides and replacing them with something totally different that has been designed or just cabled so the connectors are in the right places, then putting it back together again and putting it in a data centre / colo facility where it will look like just another Cisco box. I'm sure that idea has never occurred to them, not even once.
This is the "less interesting" assumption.
The more interesting and quite obvious conclusion here - this shows that the rumored level of cooperation between the three letter/two letter+number agencies and the "box" part of the telecoms industry is greatly exaggerated.
If the router companies were as willing to stick a set of backdoors as some of the more paranoid commentards continue to allege, then why do brain surgery on exports?
The even more interesting conclusion is "if the routers to 'interesting customers' are backdoored, then why do we need sanctions on them in the first place"? We might as well sell to Iran, North Korea and the like as much as we like and whatever we like.
> The even more interesting conclusion is "if the routers to 'interesting customers' are backdoored, then why do we need sanctions on them in the first place"?
Because it's defence in depth.
And if you have someone who manages to get hold of a piece of sanctioned kit with great difficulty they are going to be more likely to trust that it hasn't been backdoored.
And also because sanctions are ethically more defensible.
"why do brain surgery on exports?"
Just out of curiosity, do embassies and consulates count as exports? It seems to me that the NSA would want to backdoor everything since it would be trivial for a diplomat to walk in to the nearest electronics shop and buy one off the shelf to act as a VPN endpoint to pass secrets back and forth with their own government.
It's a perception issue. Even if you think that all companies have been affected, you KNOW that Cisco has and that in itself is a huge black mark against the company. A bit like carnival rides. You think that they might all be somewhat unsafe, but when a particular one goes publicly bad, then that is the one you won't get on.
"There is no such agency that would be engaged in no such activity involving no such product for no such surveillance program in no such authorized fashion if any such authorization in fact had been contemplated, possible, or authorized ... "
Letter stamped "Return to Sender: Addressee Unknown"
If this issue is serious enough for Chambers to write a letter to POTUS in public acknowledgement then it would be good to see Cisco take the lead on producing kit that can be verified "gold".
MS have been pushing their (unloved) "trusted computing" platform for some time now but Cisco already have control over both hardware and software, so it should be easier for Cisco to do.
This is about more than SHA512 sums for firmware downloads, this is about being able to tell, with confidence, that you are running trusted code (that had been audited if it isn't open source) on hardware that hasn't been modified.
We have seen strongly worded statements on this topic from Huawei and Cisco now, but actions speak louder.
Because you would still have to trust Cisco themselves - a US corporation subject to national security letters, that relies on US government contracts for a lot of its INCOME.
The only way you could trust them would be if they moved to Switzerland, fired all their US citizen employees, banned all American shareholding, refused to sell to any US government customer..
Even then it would be prudent to assume it was all a front.
> Because you would still have to trust Cisco themselves
That was not what I was saying. The source code would need to be available and be shown verifiably to be what was running on verified hardware, or, if not open source, then audited by an independent third party.
The problem goes beyond where the kit is produced. I imagine there would be all kinds of holes in Swiss products too.
More important are the processes John Chambers' company use to generate product. So if he is serious about this problem then he needs to modify the process, not just write letters to his president.
On their premises where? Most of their kit is manufactured outside the US.
A cosy relationship with (eg) DHL or Fedex would be much more useful to the US government. It's not just Cisco stuff they'd like to be able to get their hands on, and just think how many embassies probably use commercial couriers to move things around.
I'm bitter and sceptical about this. Smells like a bunch of hand waving. How can a company who supplied the kit to make the great firewall of China have objections to the NSA getting their hands on their kit for "verification purposes" or whatever they're going to try to sell it as?
Oh, my bad, it's not a moral objection, it's a financial one.
I've not read the article, so this may well be a stupid comment ;)
If it's software tinkering, surely flashing a new firmware (and checking the hashes) would eliminate any software issues, unless of course it is built with backdoors.
Have Cisco asked any customers to pull the firmwares OFF the devices and check the hashes against the published version that shipped out of the factory? Any differences would be fairly obvious... (although standard MO is to unbox, flash current stable version and then test).
And shunting a firewall behind the device to monitor what (if anything) it tries to talk to might also be useful. One presumes any nasty mod (s/w or h/w) would be trying to call home at some point?
All your points were mine exactly.
I remember watching some senate hearing last month about some commented-out boilerplate DOD banner being "discovered" in the html source-code for the ACA webpage and the ensuing nonsense that followed, I realized that all the fact-based and logical arguments in the world don't matter at all.
No amount of rational explanations will make frightened morons stop being either.
How do you know the firmware the device lets you pull is the one it's actually executing? Or the only thing it's executing? If I were designing such a thing I'd insert the spying code as a wedge between the firmware's ethernet driver and the hardware. Flash a new firmware, reboot, looks good but you're still p0wned. Short of taking all the chips out of the device and extracting the data from the hardware side, there's no way to be sure.
@Orv,
For that matter, how do we know that it's not really a Decepticon masquerading as a Router/Switch. Or that the plastic isn't some sort of Lazarus plastic that records all the ambient sound in a room.
Maybe the whole thing has been made from entangled particles, and the NSA has its twin installed in their switch-room at their moon base.
//tin-foil-hat-type-speculation
There are lots of things to be worried about, this doesn't seem to be one of them. It seems unlikely that the NSA would have the schematics, personnel, replacements, and machines to pull off your proposed chip-change idea. I'm not saying that they can't do it, just that I don't think they are at that level of caring just yet. They have plenty of America's data to keep them gainfully employed for a while.
Since most Cisco stuff seems to be made in China, presumably the Chinese busily implant bugs before they ship to the US where the NSA does it too. The spying hardware in the average Cisco router probably draws more power than shuffling packets :-)
More realistically, I can't see how more than a tiny percentage of anyone's kit can be "jarked" this way. It's going to be a manual and highly skilled process....
As a citizen of one or more of the five eyes group of spiers (Did I just coin a word???) I think I'd prefer to have my router / phone / whatever spied on by the Chinese, thank you. That new P7 looks pretty flash... And guaranteed no NSA backdoors. I also need a new router soon... And it will NOT be a crisco. Or a de-linked Or a nutgear. It will probably also be a Huawei.
If the only thing happening were flashing with dodgy firmware there would be no need to open the box and the suggested procedure would be helpful and possibly curative. But the claim, as I recall it from a couple of months ago, was that NSA intercepted some kit destined for overseas purchasers and made hardware modifications to create back doors that could be exploited as part of their Tailored Access Operations. It is doubtful that they would do this very often given the hands-on labor involved. That such a claim is made suggests that the manufacturers themselves might be clean (other, of course, than providing out-of-band management ports that some might consider back doors and that might be usable as such given cooperation of the owner or vulnerability of the owner's OOB network).
Given what Cisco is saying, and the US is charging some Chinese with spying. How long before other countries start charging the US with spying? And maybe including the British agencies also for good measure?
It just all seems like more game playing.... very dangerous to all players.
It appears the US government is charging five individuals, presumably named or otherwise identified, with specific offenses against named victims. It does not appear they are charging the Chinese government as such. That differs a bit from a general accusation of spying, not that there isn't likely plenty of that done by most governments that have any capability at all.
In this interesting link provided by fellow commentard Mother Hubbard a few months ago, we can read:
"The industry is facing a year-end deadline to add a government-approved back door into network gear. Vendors that don't provide this access risk losing export privileges."
The whole article deserves a detailed read, even if it was written in 1998!
I mean, come on! The only explanation that makes sense is that a 'normal customer' gets a unit backdoored at the Cisco factory, and 'special targets' get units 'tuned up' at these NSA facilities.
A pox on all of them!