FBI Says Military Had Counterfeit Cisco Routers

kdawson posted more than 6 years ago | from the who-do-you-trust dept.

Security 186

There are new developments in the case of the counterfeit Cisco routers, which we have been discussing for some time. The NYTimes updates the story after an FBI PowerPoint presentation made its way onto the Web. It seems that experts at Cisco have examined some of the counterfeit routers in detail and proclaimed that they contain no back doors. Others don't believe we can be so sure. "Last month, [DARPA] began distributing chips with hidden Trojan horse circuitry to military contractors who are participating in the agency's Trusted Integrated Circuits program. The goal is to test forensic techniques for finding hidden electronic trap doors, which can be maddeningly elusive... The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor... The researchers were able to create a stealth system that would allow them to automatically log in to a computer and steal passwords."

186 comments

Yeah yeah (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23352198)

The military is evil and it's a big conspiracy

Non free software and offshoring are evil. (0)

gnutoo (1154137) | more than 6 years ago | (#23352566)

The lesson applies to more than the military - if you can't verify it, you should not trust it. Using non free software on devices produced in Communist China might save you a few bucks but it will cost you much more in the long run.

The madness of the "IP" empire is most apparent in this specific case. Using machines produced by your enemy is stunning folly for any military.

Re:Non free software and offshoring are evil. (0)

Anonymous Coward | more than 6 years ago | (#23352846)

You seem to imply that China is the United States' enemy. I don't know about the future, but that is certainly not the case right now.

Re:Non free software and offshoring are evil. (0)

Anonymous Coward | more than 6 years ago | (#23352944)

It is the case right now WRT network security.

An Evil Competitor. (1, Insightful)

gnutoo (1154137) | more than 6 years ago | (#23352988)

I think RMS summed up the current US relationship with China quite well:

Rather than conserve oil, Bush is launching a new Cold War against Russia and China for control of the dwindling supplies. McCain has similar ideas. Unlike the first Cold War, in which countries that respected human rights most of the time opposed Communist dictatorships, this will be a contest between two groups of brutal tyrants, both of which deserve the opposition of all people of good will. I think these evil regimes will use this Cold War as an excuse to become even worse. Both sides will sponsor terrorists to attack the other side, and then both sides will use the "terrorist threat" as an excuse to further trample the human rights of their people.

The rise of "IP" and corporate interests over democracy in the US has never been clearer than in the last five years. Everything you own can be confiscated for suspicion of "making available" crappy RIAA music that can be found on any radio station. Your email, web browsing, phone conversations and church can all be monitored without a warrant. Those who object will be put on "non fly lists" that are used by banks, employers even the local gym, so the accused is essentially proscribed. The military is now authorized to act against US Citizens in "an emergency". Massive voter fraud has been proved in several major elections. In short, most of the bill of rights has been violated in the interest of government and corporate power. Trade with China has not made China more free, it has made us more like them.

Re:An Evil Competitor. (2, Insightful)

smitty_one_each (243267) | more than 6 years ago | (#23353168)

two groups of brutal tyrants
I find a considerable amount of what RMS has to say at least thoughtful and challenging, except on political topics.

Brutal US Actions. (1, Insightful)

gnutoo (1154137) | more than 6 years ago | (#23353698)

The US invasion of Iraq has cost the US more than 4,000 servicemen and Iraq one million dead, 2.5 million refugees, an irreparable infrastructure and horrific civil war. If that's not bad enough for you, the advocacy and use of torture should be. Wake up! we are now a terrible abuser of human rights and we are doing it for oil, big fat "best year ever" oil. What we do to others we will do to ourselves sooner than later.

Re:An Evil Competitor. (0)

Anonymous Coward | more than 6 years ago | (#23353178)

Get yer tin foil hats here, tin foil hats on sale!

Re:An Evil Competitor. (2, Informative)

Free the Cowards (1280296) | more than 6 years ago | (#23354124)

The military is now authorized to act against US Citizens in "an emergency".
I think that 1807 [wikipedia.org] is a little too far in the past to call "now".

Re:An Evil Competitor. (1)

hesaigo999ca (786966) | more than 6 years ago | (#23354316)

I couldn't agree more!

Re:Non free software and offshoring are evil. (2, Interesting)

Dishevel (1105119) | more than 6 years ago | (#23353006)

Let's see. A non free society that can barely feed its people now. That has a huge number of people that is now coming into the industrial age and is going to NEED all the energy it can get its hands on very soon is an enemy to be to all who are near.

Re:Non free software and offshoring are evil. (0)

Anonymous Coward | more than 6 years ago | (#23353142)

"gnutoo" is a twitter sockpuppet. He shifts from this [slashdot.org] to the post above to karma whore, but the message is the same. Use free software and all your problems will disappear. He doesn't understand nor does he care about capital costs or anything else - if only you would put your code on Sourceforge everything will be magically OK.



Not counting the one you're replying to, he's already posted in this article with two [slashdot.org] other [slashdot.org] accounts, so YOU WILL hear him out, or else. He's probably compensated on a per-post, per-account basis.


At heart, twitter is really a xenophobe, and his "Communist China is evil" argument is an old one.

Re:Non free software and offshoring are evil. (1)

billcopc (196330) | more than 6 years ago | (#23354598)

You seem to troll that China is not a threat.

I don't know about the future, but I know tomorrow's invaders won't be speaking Dutch!

I'll show you a trojan (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23352256)

lol first imo

And outsourcing.... (5, Interesting)

proudfoot (1096177) | more than 6 years ago | (#23352266)

Verification of the producer is essential here - and this is perhaps the moment where outsourcing will bite us in the ass. While you can only buy American made Cisco routers, there is no doubt some chipsets made in it are manufactured overseas.

Re:And outsourcing.... (4, Informative)

moderatorrater (1095745) | more than 6 years ago | (#23352514)

While essential, it's not the only step. Automatic tests of the router hardware, random checking, and employee control are all necessary steps if we really want our government networks to be secure.

free software distributes the effort. (0)

inTheLoo (1255256) | more than 6 years ago | (#23352684)

If they were using free software they would not have to depend on Cisco being secure because they would have a pool of contributors, each of which should match identically regardless of hardware used. The sad fact of the matter is that DARPA showed that the current non free checks were not good enough - Cisco themselves were unable to tell the malicious parts from the "good" parts. Using free software would increase the effort any enemy must expend by the number of contributors who can compile the code, essentially to an impossible effort level.

Re:free software distributes the effort. (4, Insightful)

gartogg (317481) | more than 6 years ago | (#23352870)

Items with high capital costs don't work well as "open source;" basically, the manufacturing plants cost so many billions of dollars that no one who isn't doing proprietary work could afford it. Even if you could open source chip design (a dicey proposition, since there are many fewer EE PhDs that want to donate time than there are CS PhDs,) there are still difficulties with the actual manufacturing, and we would still need to guarantee the physical chips, which are individual, and cannot be "re-compiled;" if you think there may be an issue with a batch, you can't start over without paying for new chips.

Maybe, however, I am missing something about the procedure you are proposing; what parts would be open source?

Re:free software distributes the effort. (1, Informative)

Anonymous Coward | more than 6 years ago | (#23352958)

"inTheLoo" is a twitter sockpuppet. He shifts from this [slashdot.org] to the post above to karma whore, but the message is the same. Use free software and all your problems will disappear. He doesn't understand nor does he care about capital costs or anything else - if only you would put your code on Sourceforge everything will be magically OK.

Not counting the one you're replying to, he's already posted in this article with two [slashdot.org] other [slashdot.org] accounts, so YOU WILL hear him out, or else. He's probably compensated on a per-post, per-account basis.

At heart, twitter is really a xenophobe, and his "Communist China is evil" argument is an old one.

Re:free software distributes the effort. (1)

Jherek Carnelian (831679) | more than 6 years ago | (#23353662)

Items with high capital costs don't work well as "open source;" basically, the manufacturing plants cost so many billions of dollars that no one who isn't doing proprietary work could afford it.
That's counter to the reality of the current market. Almost all "computers," including routers and many other types of specialized systems are manufactured on contract. Lots of the components are manufactured on contract too, TSMC and IBM are some of the largest contract semiconductor manufacturers in the world. The ginormous capital costs of manufacturing plants and fabs are amortized over years of contract manufacturing.

Even if you could open source chip design (a dicey proposition, since there are many fewer EE PhDs that want to donate time than there are CS PhDs,)
I think we are beyond the point where "working for free" is assumed to be a requirement for open source anything. The tens of thousands of engineers employed by Red Hat, HP, IBM, Sun, etc to work on open source systems sure aren't doing it for free.

still need to guarantee the physical chips, which are individual, and cannot be "re-compiled;" if you think there may be an issue with a batch, you can't start over without paying for new chips.
Which is the same regardless of whether the design is open or closed. The difference being that with an open design there is one less place for badware to be hidden and the opportunity for a really cautious customer to spend beaucoup bucks on their own manufacturing run of components under whatever conditions (armed guards, etc) they might feel is necessary.

Re:free software distributes the effort. (1)

njcoder (657816) | more than 6 years ago | (#23353926)

Even if you could open source chip design
You can open source chip design [wikipedia.org] .

Re:free software distributes the effort. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23354404)

Even if you could open source chip design ...


Sun has open-sourced the Niagara designs under the GPL, and you can license UltraSPARC from SPARC Inc. Unlike Xeons and Opterons, you can actually get SPARC CPUs from at least two manufacturers: Sun and Fujitsu.

Re:And outsourcing.... (4, Interesting)

CodeBuster (516420) | more than 6 years ago | (#23353642)

Even automatic checking and testing can be subverted by a determined adversary. For example consider the program, approved by President Reagan and beginning in 1982, whereby the CIA arranged for the Soviets, who were actively attempting to acquire western technology and hardware, to receive natural gas pipeline software and equipment that was designed to "go haywire" after a set amount of time in normal operation. When the pipeline software and hardware, which would have appeared totally normal at first even if the Soviets had bothered to test it, eventually went haywire (i.e. it ran the ultra high pressure scenario) the resulting explosion was so large that it was detected by satellites designed to monitor nuclear explosions from space. The following article [msn.com] from the Washington Post describes this and other programs and operations that took place during the Cold War as part of a coordinated CIA effort to slip bad technology to our enemies.

Re:And outsourcing.... (4, Interesting)

failedlogic (627314) | more than 6 years ago | (#23352644)

I would agree on this one 100%. Outsourcing is in part responsible for this, although, we can't ever be 100% sure of goods manufactured domestically. These companies could care less about counterfeiting Cisco routers so let's say Cisco were to pull the contract. What's to stop the outsourced producer from selling these counterfeits in their own country without the Cisco name? Maybe they already are, presumably (as I understand) because IP law is hard or impossible to enforce in some countries.

As the NSA already seems to be certifying comm. gear in the military (or might even make the chips for it). Perhaps even for other departments like the FBI. I see one possibility of this that the NSA certifies routers (or makes them itself) or at least makes them in the USA. I don't work with routers nor am I familiar with their manufacturer. I guess my last point, pertaining at least to the FBI investigation, would be invalid if Cisco makes some routers in the USA except, as you indicate, for some chipsets. Though even one chipset in itself could pose a significant risk.

I'm just surprised that the FBI is even making a "presentation" to anyone on this; regardless of whether the presentation leaked or not.

Re:And outsourcing.... (2, Insightful)

dave420 (699308) | more than 6 years ago | (#23353052)

As you say, even domestically-produced hardware can theoretically have trojans in it, so it should be standard practice to certify everything they use, regardless of where it came from.

The outsourcing boogeyman has nothing to do with this - relying on the "USA A-OK" school of thought as some sort of defense against malicious hardware is obviously not a good idea.

Re:And outsourcing.... (0)

Anonymous Coward | more than 6 years ago | (#23353084)

Make them in the USA, in plant manned with illegal alien workers.

Re:And outsourcing.... (0)

Anonymous Coward | more than 6 years ago | (#23354556)

... using chips imported from China.

Re:And outsourcing.... (2, Insightful)

Vancorps (746090) | more than 6 years ago | (#23353248)

It's worth noting you can do everything a Cisco router can do with a Linux box. I just built a box with Zebra and a solid state hard drive along with a 4 port network card. I have some pretty good throughput with that and I would have no trouble adding additional cards for connections to OC48s and higher.

Cisco is becoming increasingly irrelevant. They don't bring anything to the table that isn't already out there and they segment it all so it's a lot harder to manage than it needs to be.

Anyone else notice a sharp decline in the quality of Cisco products over the last 5 years?

Re:And outsourcing.... (1)

Mister Whirly (964219) | more than 6 years ago | (#23353646)

Their Aironet wireless access points are pretty solid still. I have one in a lab that has been up without a reset for almost a year straight.

Re:And outsourcing.... (0)

Anonymous Coward | more than 6 years ago | (#23354080)

Except have a megaGBPS backplane. On both counts.

Re:And outsourcing.... (1)

t0rkm3 (666910) | more than 6 years ago | (#23354342)

Not really in hardware... However in the fringe software configurations, yes.

I currently had 40 or so 42xx IPS/IDS, 12 pairs of ASA, and 4 MARS. We also have 250 ISR routers in our CSM deployment.

Problems? Every problem I've had was over software. Configurations that they didn't think we would use or something of that nature. Except with the MARS, the first gen MARS (Protego acquisition) was complete crap.

Re:And outsourcing.... (1)

currivan (654314) | more than 6 years ago | (#23352702)

For some applications, it might be better to sacrifice performance and cost, and implement most of the logic in FPGAs. Then only one chip needs to be verified, and it can be bought from lots that were fabricated before you even finished your design.

Re:And outsourcing.... (1)

mOdQuArK! (87332) | more than 6 years ago | (#23352820)

Uh...for a verifiable system, don't you want to be able to STOP someone from reprogramming your devices in the field? I don't think using an FPGA is going to be the best choice for a system like that.

Re:And outsourcing.... (1)

currivan (654314) | more than 6 years ago | (#23353424)

Interesting point, but it's probably no easier to replace the eprom that loads an FPGA than to make any other change to the device - routers have software already. And it wouldn't be an issue with an antifuse chip.

Re:And outsourcing.... (1)

redxxx (1194349) | more than 6 years ago | (#23353626)

You're totally right. Because there is no way to poll the configuration of an FPGA, it is impossible to generate a hash from its configuration--which could easily be used to create a secure hash that ensures it only works when the FPGA is set up properly.

If you don't have site security, and people are going to have access to stuff in the field, they can break your hardware regardless of what it is. With FPGAs there's just no way of telling if they reprogrammed it rather than breaking it.

Re:And outsourcing.... (5, Interesting)

UnknowingFool (672806) | more than 6 years ago | (#23352746)

I don't know if that will be enough. I remember there was a story from the Cold War on how the CIA spied on the KGB. The KGB used Xerox copiers in their offices. I don't know if the CIA convinced Xerox to modify the copier or they modified it before the KGB received it, but the copier would record all copies to flash memory. Every so often, the CIA would have to retrieve the memory. The KGB eventually got suspicious that one machine seemed to be serviced all the time while the other one wasn't. They weighed both machines and found a tiny difference in weights. Eventually they found an extra board. That's my recollection of it. I can't seem to google for the backstory. Even if you bought 100% American parts, there is no guarantee that it wasn't tampered with during a routine repair and maintenance or tampered with in the manufacturing process.

Great Case, if true. (0)

gnutoo (1154137) | more than 6 years ago | (#23352850)

It shows the difficulty of getting at non networked facilities of your enemy and the stupidity of trusting equipment made by them. Verifiable free software and hardware offer solutions to both of these problems and that's what the military should demand. Trusting the enemy with secrets you won't trust your customers with is insulting. It's insane when your client is the military.

Re:And outsourcing.... (2, Insightful)

everphilski (877346) | more than 6 years ago | (#23353300)

but the copier would record all copies to flash memory

Flash memory... cold war? Surely you must be joking ...

They used a camera with a roll of film, which they then had to develop ... whippersnappers! get off my lawn!

Re:And outsourcing.... (1)

UnknowingFool (672806) | more than 6 years ago | (#23354012)

Surely you can't expect me to remember all the details while remembering to keep kids off my lawn.

We've always been at war with Eurasia (1)

querist (97166) | more than 6 years ago | (#23352292)

Somehow, I find it hard to believe that DARPA INTENTIONALLY planted vulnerable chips into potentially critical military systems.

This sounds like a case of spin worthy of Winston Smith from the Ministry of Truth.

Re:We've always been at war with Eurasia (2, Interesting)

Ethanol-fueled (1125189) | more than 6 years ago | (#23352394)

I merely skimmed one article which said that Cisco examined the routers and found no backdoors. The Ministry of Peace is probably just trying to test the sneakiness of their own snooping electronics in the name of "national security". The trojans which are found are omitted and the ones which aren't found make it to the production runs. Oh, and before all of this happens, they have the Ministry of Truth spread FUD about Eastasia doing it "first", even though Cisco checked the counterfeit routers and found nothing suspicious. To paraphrase what another slashdotter said a little while ago, "...the government is using 1984 as an instruction manual." They even got Emmanuel Goldstein right: instead of making him advocate freedom, they chose a more unlikeable character (and will choose others like him): Osama Bin Laden.

Re:We've always been at war with Eurasia (1)

Ethanol-fueled (1125189) | more than 6 years ago | (#23352456)

* Clarification: "trojans" in the hardware or firmware as well as the software sense.

Re:We've always been at war with Eurasia (1)

spikedvodka (188722) | more than 6 years ago | (#23352622)

okay... that last post had my mind going way down the wrong path... "Cisco examined the routers in depth, and didn't find any trojans, only a few durex wrappers"

Re:We've always been at war with Eurasia (1)

yukk (638002) | more than 6 years ago | (#23352626)

I hope you don't mean the ones with knots tied in them. They're all throw-aways.

"Counterfeit" not an issue... (5, Interesting)

Em Adespoton (792954) | more than 6 years ago | (#23352316)

From what I understand, the counterfeit routers are made in the same factories by the same people who make the real routers; they just keep the assembly line running past the hours that Cisco is paying them for.

In this case, if Cisco is comparing the counterfeit routers to their legit ones, they should always be the same.

The question this doesn't answer is this: does the LEGIT Cisco equipment contain back doors? How can Cisco be sure it doesn't? Most of the components are manufactured offshore and the assembly is done offshore. Have they examined each part with an electron microscope to verify it doesn't do anything more than what the spec says it should do?

They can't just watch for network activity; these routers might be filtering and caching data waiting for the eventual physical removal of the router in the next upgrade cycle -- or, they might all have a kill switch built in, so someone can remotely take out ALL routers. There are an infinite number of possibilities to look for, and since Cisco doesn't manufacture everything in-house, they really don't have much hope of detecting that none of the infinite possible modifications have been made.

"Partnership" (3, Interesting)

CustomDesigned (250089) | more than 6 years ago | (#23352488)

Anne McCaffrey wrote a book called PartnerShip [amazon.com] with a plot very similar to this situation. The villain provides chips to the Galaxy, including the military. When nearly everyone has upgraded, it turns out that he can remotely control every device, including military hardware, controlled by the chips. That's enough of a spoiler. How can such a grand and well planned scheme be defeated? You'll have to read to find out...

Re:"Partnership" (1)

spikedvodka (188722) | more than 6 years ago | (#23352648)

Great Book, great series of books, though it's been a long time since I've read them.

If you're looking for more: "This ship who *" and "The city who fought"

Re:"Partnership" (1)

Jesus_666 (702802) | more than 6 years ago | (#23353090)

Simple: One of the big carriers is too old to be fitted with the new chips as it faces decommission as a museum. When the bad guy shuts down almost all ships in the galaxy, this old ship is reactivated and sets out along with the few ships that weren't destroyed. Led by the carrier's scruffy old commander and a teacher suffering from cancer, the remaining humans set out to find Earth.

Seriously, what did you expect how this scheme is foiled? What I described is SOP for this situation.

Re:"Partnership" (1)

Miseph (979059) | more than 6 years ago | (#23353628)

Uh, no, SOP is that they instead use the top secret prototype battle cruiser upon which all other battle cruisers are based, clearly indicating that it is the greatest fighting ship of all time, because by the nth time around design and manufacturing mistakes are always made which compromise the integrity of the original.

The only other thing you need is an awkward, sexually frustrated adolescent boy genius to pilot it and you're golden.

Re:"Partnership" (0)

Anonymous Coward | more than 6 years ago | (#23353578)

Does it involve Jeff Goldblum and a PowerBook?

Re:"Partnership" (1)

jollyreaper (513215) | more than 6 years ago | (#23354060)

Anne McCaffrey wrote a book called PartnerShip [amazon.com] with a plot very similar to this situation. The villain provides chips to the Galaxy, including the military. When nearly everyone has upgraded, it turns out that he can remotely control every device, including military hardware, controlled by the chips. That's enough of a spoiler. How can such a grand and well planned scheme be defeated? You'll have to read to find out...
Microsoft agrees to roll out a beta service patch on auto-update early, when all the evil machines start choking on it, heroes come in with manually-controlled weapons to blow them up and save the day.

Re:"Counterfeit" not an issue... (5, Interesting)

dreamchaser (49529) | more than 6 years ago | (#23352526)

I am generally for free trade and against protectionism, but I am leaning more and more towards the need for a law that makes it mandatory that all gear (guns, routers, computers, coffee makers, etc.) purchased by the Government for any use that is even remotely sensitive be made in the US by US owned companies. That won't necessarily solve this kind of problem, but it would certainly make it far easier to prosecute entities who do things that threaten our national security.

Government purchasing (1)

sjbe (173966) | more than 6 years ago | (#23352856)

I am generally for free trade and against protectionism, but I am leaning more and more towards the need for a law that makes it mandatory that all gear (guns, routers, computers, coffee makers, etc.) purchased by the Government for any use that is even remotely sensitive be made in the US by US owned companies. That won't necessarily solve this kind of problem, but it would certainly make it far easier to prosecute entities who do things that threaten our national security.
As for "prosecuting" the military has weapons for that sort of thing. Lot cheaper to send a team of Navy Seals to handle a situation than to insist everything be US made.

On a more serious note, I think you should take some time to look at how the US government does procurement. Typically the US government is EXTREMELY rigorous (to the point of stupidity sometimes) in how they source, where they source from, the design of the products, how much will be paid and when. Generally speaking the US military and other security agencies are quite aware of the security risks of products designed overseas and generally speaking they take appropriate precautions. Being a supplier to the government can be lucrative (ask Halliburton) but it's also often a huge pain in the ass due to the security and regulations to (hopefully) keep ne'er-do-wells from ripping the government off or endangering national security.

Re:Government purchasing (1)

Reality Master 201 (578873) | more than 6 years ago | (#23352920)

As for "prosecuting" the military has weapons for that sort of thing. Lot cheaper to send a team of Navy Seals to handle a situation than to insist everything be US made.


Ha. Yeah. Let's send the military after, say, China where a significant amount of the goods the US consumes are made.

Notwithstanding the economic and trade disaster that would ensue (take a look at who owns US debt these days), they could fuck us up militarily. They've got nukes, they've got a way, way larger army than we do, and ain't nobody dumb enough to take our side in that little tussle. We've got the best weapons and a very well trained army. They've got numbers and weapons that are good enough.

Re:Government purchasing (1)

_Sprocket_ (42527) | more than 6 years ago | (#23353320)

You must've stopped reading before the second paragraph which begins "On a more serious note..."

Re:Government purchasing (1)

sjbe (173966) | more than 6 years ago | (#23353386)

Dude, lost and found called. They have your sense of humor whenever you want to pick it up.

Re:Government purchasing (1)

Reality Master 201 (578873) | more than 6 years ago | (#23354660)

Your mother fucks donkeys for money.

Re:Government purchasing (1)

dreamchaser (49529) | more than 6 years ago | (#23354490)

Yes, I know exactly how the Government does procurement, having had to deal with it often enough in a previous job. That has nothing to do with what I suggested, which would be a radical departure from the free rein allowed to companies WRT to outsourcing the manufacture of devices that are critical to national defense and infrastructure.

Re:"Counterfeit" not an issue... (1)

Machtyn (759119) | more than 6 years ago | (#23353256)

And that software and hardware should be open-sourced. This will, hopefully, allow peer review for security, snafu, and waste. Granted, this may not be practical in all situations. However, I think the Linux/BSD community has shown that peer reviewed and community supported software can be very tight, security and otherwise.

Re:"Counterfeit" not an issue... (0)

Anonymous Coward | more than 6 years ago | (#23353744)

Obviously, except for Firefox plugins

Re:"Counterfeit" not an issue... (5, Interesting)

Anonymous Coward | more than 6 years ago | (#23352664)

As being someone who recently has purchased several Cisco products on Ebay lately, I can tell you that the counterfeit items are not made on the same assembly line. There are several design differences between them. I use the "Andover test" to tell if I'm purchasing authentic Cisco cards.

If I did purchase a card or Cisco product that did pass the Andover test, then chances are that it was manufactured on the same assembly line, but then you would most likely see a report of a duplicate mac address on a "genuine" Cisco product somewhere. So yes it's a possibility, but highly unlikely IMHO.
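The duplicate-MAC signal mentioned in the comment above can be checked from an asset inventory. The following is an added example, not part of the original post: it normalizes the MAC notations commonly seen in inventories and flags any burned-in address claimed by more than one chassis serial. The inventory rows, hostnames and serials are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample inventory: (hostname, chassis serial, interface, MAC as reported).
# All values are placeholders made up for this example.
SAMPLE_INVENTORY = [
    ("edge-rtr-01", "SERIAL-A001", "Gi0/0", "0011.2233.4455"),
    ("edge-rtr-02", "SERIAL-A002", "Gi0/0", "00:11:22:33:44:55"),  # same MAC, other chassis
    ("core-sw-01", "SERIAL-B001", "Gi1/1", "00-AA-BB-CC-DD-01"),
    ("core-sw-01", "SERIAL-B001", "Gi1/1", "00aa.bbcc.dd01"),      # same device polled twice
    ("lab-rtr-09", "SERIAL-C009", "Fa0/1", "not-a-mac"),           # malformed entry
]


def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated octets, or None if unusable.

    Accepts dotted (aabb.ccdd.eeff), colon and hyphen notations. Group
    (multicast/broadcast) addresses are rejected because they are never a
    burned-in interface address.
    """
    hexdigits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        return None
    if int(hexdigits[0:2], 16) & 0x01:  # I/G bit set: group address
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def find_duplicate_macs(rows):
    """Group inventory rows by normalized MAC.

    Returns (duplicates, rejected):
      duplicates: {mac: sorted list of (serial, hostname)} for every MAC that
                  appears under more than one chassis serial.
      rejected:   rows whose MAC field could not be parsed, kept for review
                  rather than silently dropped.
    """
    owners = defaultdict(set)
    rejected = []
    for hostname, serial, iface, raw in rows:
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append((hostname, iface, raw))
            continue
        owners[mac].add((serial, hostname))

    duplicates = {
        mac: sorted(devices)
        for mac, devices in owners.items()
        # The same chassis seen twice is not a finding; two serials are.
        if len({serial for serial, _ in devices}) > 1
    }
    return duplicates, rejected


if __name__ == "__main__":
    dups, bad = find_duplicate_macs(SAMPLE_INVENTORY)
    for mac, devices in dups.items():
        print(f"duplicate MAC {mac}:")
        for serial, hostname in devices:
            print(f"  {hostname} (serial {serial})")
    for hostname, iface, raw in bad:
        print(f"unparseable MAC on {hostname} {iface}: {raw!r}")
```

A hit is a lead for physical inspection and a query to the supplier, not proof of counterfeiting.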

Selling out the back door (5, Informative)

sjbe (173966) | more than 6 years ago | (#23352668)

the counterfeit routers are made in the same factories by the same people who make the real routers; they just keep the assembly line running past the hours that Cisco is paying them for.
That happens ALL the time. I've visited manufacturing plants in China and I've seen it happen with my own eyes. Selling out the back door is not surprising at all. In fact this is why I'm less worried than I might otherwise be about the gear having back doors or being otherwise compromised. Simplest explanation is just theft in one form or another.

"does the LEGIT Cisco equipment contain back doors?"
Very good question. Got to be worrisome to the US military and security agencies. Much/most off the shelf hardware is made outside the US where it wouldn't be much of a stretch to imagine backdoors have been added by foreign governments. Same worries that other governments have about US made/designed software and hardware. And of course if you really want to get tin-foil-hat about it one has to wonder if our own government has had back doors installed. Very unlikely to be sure, but clearly possible.

That said, it's pretty low on the list of likely threats. Pretty hard to know exactly what gear will be placed where and what it will give you access to. Plus even with a back door, places with sensitive data are more likely to be monitoring the traffic which is harder to hide.

Re:Selling out the back door (1)

Em Adespoton (792954) | more than 6 years ago | (#23352872)

"Pretty hard to know exactly what gear will be placed where and what it will give you access to. Plus even with a back door, places with sensitive data are more likely to be monitoring the traffic which is harder to hide."

They can't just watch for network activity; these routers might be filtering and caching data waiting for the eventual physical removal of the router in the next upgrade cycle -- or, they might all have a kill switch built in, so someone can remotely take out ALL routers. There are an infinite number of possibilities to look for, and since Cisco doesn't manufacture everything in-house, they really don't have much hope of detecting that none of the infinite possible modifications have been made.

Re:Selling out the back door (1)

sjbe (173966) | more than 6 years ago | (#23353068)

"They can't just watch for network activity; these routers might be filtering and caching data waiting for the eventual physical removal of the router in the next upgrade cycle"
Which presumes the entity making the modifications has access to the device and the upgrade schedule - rather a stretch I think. Plus, our government isn't exactly known for rapid upgrades. Timeliness of any information would be a huge issue.

"-- or, they might all have a kill switch built in, so someone can remotely take out ALL routers."
Which presumes that all such said routers can receive such signals. Possible? I suppose, but incredibly unlikely. And even if it happened what are the effects? Hard to predict but probably not devastating. Now if it can disable warships? That's a problem.

"There are an infinite number of possibilities to look for, and since Cisco doesn't manufacture everything in-house, they really don't have much hope of detecting that none of the infinite possible modifications have been made."
They wouldn't be able to check for everything even if they did manufacture everything themselves. If I was going to compromise a piece of equipment I'd get someone on the design staff if I could. Yes there are an almost infinite number of possible threats but a MUCH smaller number of feasible ones. My point is that it's easy to think of threats but most of them will be practically impossible to execute or not very useful in real life.

Re:"Counterfeit" not an issue... (4, Informative)

Frosty Piss (770223) | more than 6 years ago | (#23353574)

"From what I understand, the counterfeit routers are made in the same factories by the same people who make the real routers; they just keep the assembly line running past the hours that Cisco is paying them for."
I keep hearing this. But look at the images of the hardware side by side [cachefly.net] ... Is it the same? No it's not. Clearly these two boards are not from the same manufacturing line.

Re:"Counterfeit" not an issue... (1)

xj (958167) | more than 6 years ago | (#23353606)

OK, so if a counterfeit router is just a back door sale with a fake serial number, who cares? If a counterfeit is made elsewhere I would be concerned, not about back doors, but just the quality and reliability of the equipment. If you are producing a counterfeit product you don't care about quality or how long the thing lasts so long as it is long enough for you to sell it. Warranty returns and tech support problems are going to fall on the company you are faking, not yours.

Re:"Counterfeit" not an issue... (1)

Free the Cowards (1280296) | more than 6 years ago | (#23354216)

"The question this doesn't answer is this: does the LEGIT Cisco equipment contain back doors? How can Cisco be sure it doesn't? Most of the components are manufactured offshore and the assembly is done offshore. Have they examined each part with an electron microscope to verify it doesn't do anything more than what the spec says it should do?"
I see this sentiment expressed all over the place in these threads and I just don't get it. What is it about offshore manufacturing which somehow makes this such a problem? Why is it that you think these extreme checks are required if the equipment is made in China, but not if it's made in Kansas? Do you think that American workers are invulnerable to bribery, coercion, or just plain stupidity?

Evil Chinese Cisco routers? (1)

s0litaire (1205168) | more than 6 years ago | (#23352342)

Are these the routers that the US was warning us about? The ones where China counterfeits routers and sticks in evil commie coding? :D

Not a big surprise. (5, Informative)

Smenj (648240) | more than 6 years ago | (#23352344)

I work for a company that sells used electronics on eBay. We'll occasionally buy cheap gear over eBay too, then resell it at a profit. For many months now we've had a huge problem with counterfeit Cisco cards. It's amazing how detailed the counterfeiters are. My boss wrote up a detailed guide on how to spot fakes. Google "counterfeit cisco wic".

Re:Not a big surprise. (1)

nbritton (823086) | more than 6 years ago | (#23354240)

Why call them fakes or counterfeits when they are exactly the same as the name brand stuff? How about labeling them as generic, as in generic drugs vs brand name drugs.

BTW, where can I get some of this generic equipment?

Question is... (2, Interesting)

Anonymous Coward | more than 6 years ago | (#23352368)

... of the DARPA-hacked routers were any of the 'cisco experts' able to determine tampering?

That seems like a logical test, so I have to wonder if they have done it already... or not?

If they contain no backdoors, *THAT WE CAN FIND*, do we continue using them?

I for one..... (1)

cybvapor (1203306) | more than 6 years ago | (#23352420)

.....welcome our new counterfeit Cisco Router overlords.....

This is what we get (0, Flamebait)

Khyber (864651) | more than 6 years ago | (#23352436)

When we outsource everything to other countries, we run the risk of getting bad goods, made with a malicious intent. Any company that's outsourcing is potentially harming us. It should be made a crime.

Re:This is what we get (2, Interesting)

gregarican (694358) | more than 6 years ago | (#23352480)

More like any company that outsources and doesn't perform internal quality control of what they are reselling should be made criminal in this instance of reselling to governmental agencies. Buy a Cisco, throw it in a private LAN sandbox, fire up Wireshark. Rinse, lather, repeat. Yawn...

Re:This is what we get - Go one further (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23352612)

Outsourcing critical components is always bad,
but when you outsource DIRECTLY to countries that

A: do not like you and make little attempt to hide it
B: are actively engaging in espionage, known and unknown
C: have no distinctions between state and corporation, commerce and warfare

Hand in your commission and your cover, you fucked up.
You've hit the fubar trifecta. Your command is terminated.

There is no excuse for this in a trillion dollar army. Good day.

Fear Fear Fear (4, Insightful)

Anonymous Coward | more than 6 years ago | (#23352504)

Be afraid. Be very afraid. Vote for those that seek to protect you.

This seems like a scare tactic to "warn" people about the dangers of fake hardware/software. Expect a big push around these types of "stories" as more bills like PRO-IP go through Congress and as the creation of the IP & Copyright Czar in the White House gets a big push.

It's a concern but seems to point more to incompetence rather than some difficult-to-spot threat. Why are government agencies not buying directly from Cisco? Seems they should have some sort of corporate connection.

"We must protect our precious bodily fluids."

Free Free Free, Liberate Yourself. (1)

Mactrope (1256892) | more than 6 years ago | (#23352790)

Trust your neighbors and give them what they need to verify your own intentions. The case here points out the problems of imaginary property more than it makes a case for trusting non free software.

Of course, an ethical country that cared about freedom would not be trading with China in the first place. It is right for us to fear the wrongs committed there as much as we fight those committed here.

Re:Fear Fear Fear (3, Insightful)

ahabswhale (1189519) | more than 6 years ago | (#23353058)

1) This has nothing to do with IP rights.

2) It's a concern when you consider the potential effects of this kind of infiltration. Buying directly from Cisco, in no way, protects you from this problem. The hardware is still made overseas in some factory by a bunch of people who may not like the US very much (which is true of 99% of the planet right now).

Apparently you lack the imagination to see how ugly this can get. Fortunately DARPA isn't run by you.

Re:Fear Fear Fear (2, Interesting)

_Sprocket_ (42527) | more than 6 years ago | (#23353492)

I wouldn't be so quick to dismiss the IP rights issue. Counterfeiting is all about IP rights. The law doesn't differentiate between you producing knock-off fashion items, work-alike network gear, or burning copies of a music album or movie. Expect these kinds of stories to show up more as pushes are made to put more teeth behind these laws. The same laws that most benefit hot-button topics for the Media industries.

Having said that - I would agree that counterfeit gear is a real issue with real potential impact.

Re:Fear Fear Fear (1)

Em Adespoton (792954) | more than 6 years ago | (#23353580)

1) ...yet.

2) He was arguing from a sardonic "government spin" perspective. What you say is true; he's trying to point out how the PR groups will avoid that fact.

I take it you didn't get the Dr. Strangelove reference.

Re:Fear Fear Fear (1)

ahabswhale (1189519) | more than 6 years ago | (#23354248)

The story leads off about how the FBI found counterfeit routers being used by the military and then goes on to talk about DARPA's research project to test and prevent this kind of infiltration. At no point does it discuss IP rights. Given the sheer volume of IP coverage on /., is it really necessary to introduce it to other topics like this? Do we need another Godwin's Law to cover this?

Re:Fear Fear Fear (1)

Free the Cowards (1280296) | more than 6 years ago | (#23354312)

You're the one who lacks imagination if you think that merely moving all production in-house and inside the US will completely eliminate the potential for this sort of problem.

Re:Fear Fear Fear (0)

Anonymous Coward | more than 6 years ago | (#23353588)

The gear was coming from the standard sales channel. It's not like .mil sites were buying them on eBay. I respect your opinion and might even agree with it in a sense but this is actually something to be concerned about. This is beyond the comprehension of the average voter so no politician would find value in speaking about it. If the high end gear can be duplicated and rigged, how difficult do you think it would be to rig the consumer grade stuff? This is a concern for those of us that work with this gear and make our living protecting our clients from the bad elements roaming the network.

/Light Bulb Flashes Overhead (4, Funny)

gregarican (694358) | more than 6 years ago | (#23352528)

So that's why my crappy Linksys wifi access points have to be rebooted every week or so. Damn commies!!!

Re:/Light Bulb Flashes Overhead (1)

davolfman (1245316) | more than 6 years ago | (#23352634)

No, that's because of the new vxworks firmware.

You reap what you sow (3, Interesting)

MarkGriz (520778) | more than 6 years ago | (#23352608)

Re:You reap what you sow (0)

Anonymous Coward | more than 6 years ago | (#23353608)

The Soviets were trying to acquire technology that we wouldn't have sold them. If they ended up with bogus stuff, then they simply were pwned and lost the round.

Occam's Razor (1)

tamrood (821829) | more than 6 years ago | (#23352800)

Since the hardware CAN do this, then it was designed to do this, it does do this, and always has. This is strictly a question of whether they would be able to detect one that was not theirs.

Technical details of malicious hardware (5, Informative)

Sam King (1263550) | more than 6 years ago | (#23352814)

For those of you who are interested, you can find more technical details of how we designed and implemented malicious hardware from here [uiuc.edu]

-- computer scientists from University of Illinois

it is important to carefully inspect new gear. (4, Funny)

atarione (601740) | more than 6 years ago | (#23352844)

if your new rack mount routers and switches say "crisco" on the front you may have a problem.

Re:it is important to carefully inspect new gear (1)

MarkGriz (520778) | more than 6 years ago | (#23353718)

"if your new rack mount routers and switches say "crisco" on the front you may have a problem."
True, but you can bake the moistest, most delicious brownies right on top of them.

How many back doors? Who has the keys? (3, Interesting)

natoochtoniket (763630) | more than 6 years ago | (#23352926)

The question is not whether Cisco routers have back doors. That has to be assumed. If I was running NSA over the last several decades, I would have my people deep inside every communication equipment manufacturer. The manufacturers' management might not even know about it.

The NSA surely has arranged to have one or more back doors designed into virtually every kind of communications switch. The only Cisco employees who would know about them would be the NSA people who work inside Cisco, and some regular Cisco employees who have been cleared. If this has not been done, the NSA senior managers should be fired or jailed.

The real questions are: How many back doors are there? and who has the keys? The (assumed) NSA back door might not be the only one. There is a possibility that the Chinese or Indian chip-fab or software contractors have also installed back doors for their own governments.

With billion-gate machines, a few thousand extra gates would be hard to see. If the extra logic looks like instruction-cache, but just has a little extra code, it would be almost impossible.

the real thing probably also has back doors--ours (1)

spirit_fingers (777604) | more than 6 years ago | (#23353070)

I'm certain that if the Chinese haven't in fact installed back doors in bogus (or even real) Cisco routers that they manufacture, they at least have contingency plans for doing so. Their intelligence service wouldn't be doing their job properly if they hadn't. It's too good of an opportunity for intelligence gathering.

Conversely, I would fully expect the CIA or NSA to have programs in place to surreptitiously install back doors in routers for our use, either with or without the manufacturers' cooperation. After all, Cisco routers are installed all over the world. It seems only logical that they would find this opportunity every bit as enticing as the Chinese.

Re:the real thing probably also has back doors--ou (1)

corsec67 (627446) | more than 6 years ago | (#23354418)

And to see an example that makes your theory not very far-fetched at all, one only needs to look at the steganography [wikipedia.org] in color laser printers, where almost all color laser printers embed identifying information into each page printed out, in the form of yellow dots. (More here [eff.org] at the EFF.)

It isn't like "New and improved: know which printer printed every page, whether you want it or not!" was a good marketing slogan.

not as good as the original (1)

surfi (1196953) | more than 6 years ago | (#23353240)

"experts at Cisco have examined some of the counterfeit routers in detail and proclaimed that they contain no back doors"
only the original Cisco routers have built-in back doors!

Deja vu - COCOM, Berlin Wall, anyone?! (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23353414)

It's funny, how quickly corporate greed will make politicians forget history.
Some analysts say that the sudden collapse of the USSR, Berlin Wall etc. was attributed to an American secret service mission, in which CIA secretly supplied the Russians with "smuggled" computer equipment, which was on the COCOM technology embargo list. These computers used rigged chips and in the eighties the US government demonstrated that they control key installations by sabotaging an oil transport system - and possibly others. The Russians got into a situation, when they had no idea how deeply their military, etc. infrastructure was compromised without any hope to regain control.
Americans forget very fast. How long do they think, other countries would do the same - especially, if production is sent to a country, which has been known for a long time as the biggest emerging future economic power, which also happens to be ruled by totalitarian political ideology? Is anyone surprised here? It took only a few governments in the USA to fall for the same trojan horse that they used themselves. But who cares, the shareholders are happy. For now.

Backdoors or "bugs"? (0)

Anonymous Coward | more than 6 years ago | (#23353566)

Did they look for any "accidental" bugs which could have been abused?

re: contain no back doors (1, Funny)

Anonymous Coward | more than 6 years ago | (#23354422)

Of course they don't contain any backdoors, they're counterfeit Cisco routers