Cisco Goes Straight To The President To Complain About The NSA Intercepting Its Hardware
from the NSA-vows-to-take-this-country-down-from-the-inside dept
One of the previously-unseen NSA documents released in conjunction with Glenn Greenwald's book, "No Place to Hide," contained this slide providing further details about the agency's interception of computer hardware.
As part of the NSA's Tailored Access Operations (TAO), shipments are grabbed en route and loaded up with physical spyware before they reach the end user. The slide notes that this "supply chain interdiction" is one of TAO's "most productive operations."
The people in the photo may have had their identities concealed, but there's no mistaking the logo and name on the side of the box. Here's a closer look:
Cisco was none too pleased to see its hardware being given a spyware payload by NSA operatives. Its general counsel, Mark Chandler, said the following in a blog post addressing the newly-leaked document.
As a matter of policy and practice, Cisco does not work with any government, including the United States Government, to weaken our products. When we learn of a security vulnerability, we respond by validating it, informing our customers, and fixing it. We react the same when we find that a customer’s security has been impacted by external forces, regardless of what country or form of government or how that security breach occurred. We offer customers robust tools to defend their environments against attack, and detect attacks when they are happening. By doing these things, we have built and maintained our customers’ trust. We expect our government to value and respect this trust.
That the NSA has done what it can to ensure Cisco's world dominance (via its Huawei-related espionage) is probably of little comfort at this point. Anyone looking to purchase Cisco equipment has probably decided to take their business elsewhere. Cisco expressed some concern about the NSA's detrimental effect on its overseas sales last November. This photo only makes that situation worse.
Cisco has now decided to take its complaints right to the top.
Warning of an erosion of confidence in the products of the U.S. technology industry, John Chambers, the CEO of networking giant Cisco Systems, has asked President Obama to intervene to curtail the surveillance activities of the National Security Agency.
In a letter dated May 15 (obtained by Re/code and reprinted in full below), Chambers asked Obama to create “new standards of conduct” regarding how the NSA carries out its spying operations around the world. The letter was first reported by The Financial Times.
Chambers goes even further than Cisco's counsel, decrying the NSA's tactics and the damage they're doing to his company's reputation.
“We simply cannot operate this way; our customers trust us to be able to deliver to their doorsteps products that meet the highest standards of integrity and security,” Chambers wrote. “We understand the real and significant threats that exist in this world, but we must also respect the industry’s relationship of trust with our customers.”
The NSA's self-destructive "no one can touch us" attitude is finally beginning to hurt it -- and everyone it affects. This revelation will chase customers -- including potential targets -- to companies they believe are out of the agency's reach. American companies will be able to offer no assurances that their products have not been intercepted/sabotaged. The entire situation is beyond their control, but they'll be the ones ultimately paying the price for the NSA's overreach.
Filed Under: barack obama, interdiction, john chambers, mark chandler, nsa, surveillance, tao
Companies: cisco
Reader Comments
Re:
Note to self: Open every package from the bottom. :)
[ link to this | view in chronology ]
Re: Re:
My guess is they did the same thing to preserve the packing of each item in the box. (Documentation, software media, accessories, power, etc.)
[ link to this | view in chronology ]
Re:
Yeah, looks like UPS is up to their eyeballs in this. UPS - now another 3 letter agency.
[ link to this | view in chronology ]
1) NSA gets forcibly reformed. (Unlikely)
2) Cisco becomes the next Qwest, John Chambers the next Joe Nacchio. (More likely)
3) Cisco mutes opposition, shortly thereafter granted big money no bid contracts. (Near certainty)
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
"The amount of money you would need to invest in a GPS tracking system that could not easily be subverted by the NSA not likely possible so probably not going to be invested in."
Such a system would not need to be prohibitively expensive, although it might double the cost of shipping, depending. However, that cost might be less than the loss of business will cost them.
[ link to this | view in chronology ]
Re: Re:
Hell, even Amazon has tamper-resistant tape on their boxes.
[ link to this | view in chronology ]
Re:
http://www.theguardian.com/technology/2014/may/19/us-chinese-military-officials-cyber-espionage
[ link to this | view in chronology ]
Perfect for KoolAid
[ link to this | view in chronology ]
Re: Perfect for KoolAid
"Trust" will no longer be sufficient for what the government says nor for much of the tech made in the US. Instead, we're going to need to find ways to verify.
[ link to this | view in chronology ]
Re: Re: Perfect for KoolAid
You may not be able to tell if a given piece of hardware is compromised, but those beacons don't work by magic -- they have to communicate to pose any threat. A permanent sniffer would be able to stop that communication and raise an alarm.
[ link to this | view in chronology ]
Re: Re: Re: Perfect for KoolAid
Should be "would be able to spot". Sputid Lysdexia.
[ link to this | view in chronology ]
Re: Re: Re: Perfect for KoolAid
That's not true in a security sense. In the security world, trust is used to designate those things that can harm you - if you don't trust something, you don't interact with it, so it's not relevant.
That is, it's a perfectly valid idea to verify trust... depending on your level of trust you may want to do it more or less often.
[ link to this | view in chronology ]
Re: Re: Re: Re: Perfect for KoolAid
It may make sense in-industry and as jargon, but it's not going to be understood that way by people not familiar with the industry enough to know the jargon, and I do find it rather questionable whether Reagan would have been using the term in that sense to begin with.
(I do acknowledge that there can be valid use for "trust the person you're talking to, but verify that that person is the person you think you're talking to", and the like, but in that case what you're trusting and what you're verifying are different things.)
[ link to this | view in chronology ]
Short term, offer existing customers a SmartNet replacement and for larger government/commercial organizations offer a consultation service to ensure that none of the equipment has been tampered with.
[ link to this | view in chronology ]
How is this different
[ link to this | view in chronology ]
Re: How is this different
"Because."
Any questions? (Cisco customers excluded)
[ link to this | view in chronology ]
Re: How is this different
A sophisticated "chip and pin" scam run by criminal gangs in China and Pakistan.
On the other:
The NSA.
You're right, there is no difference!
[ link to this | view in chronology ]
USPS
[ link to this | view in chronology ]
Laughing My Ass Off
[ link to this | view in chronology ]
I see Collateral Damage
2) Cisco loses 100% of its non-US market
3) 60,000 employees out of a job
4) taxpayers foot the bill as Cisco sues the gov't
5) The USTR drops all "US Exports of Technology" from their negotiations - 'cause there won't be any.
And exactly how many REAL threats were thwarted by this?
[ link to this | view in chronology ]
Winning a war
The reason the US won was because they had the strongest economy. In the Cold War the USSR couldn't even feed itself, while the USA was feeding a good portion of the whole world.
Economies, not arms, win wars. The NSA is doing serious damage to the US economy and deluding itself (and its thoughtless apologists) into thinking they are winning.
Short-sighted stupidity in the extreme.
[ link to this | view in chronology ]
Re: Winning a war
But the people behind it are, and will continue to be, living high-on-the-hog. Stupidity pays off pretty well in the US for some people these days.
[ link to this | view in chronology ]
Re: Winning a war
Peace,
Arlene Johnson
Publisher/Author
[ link to this | view in chronology ]
post office
[ link to this | view in chronology ]
Are we still pretending Obama is going to fix government abuse?
[ link to this | view in chronology ]
Re: Your recent letter.
I have recently received a letter in which you expressed concern about how my people have been treating your customers' recent purchase. After much consideration, and serious contemplation, about your complaint I have finally decided in what way to respond;
Go Fuck Yourself!
Why? Because, Bitches! You can't do shit about it!
[ link to this | view in chronology ]
Obama is the one using the Espionage Act to prosecute whistle blowers to prevent leaks as retaliation.
He will not be interested in hearing Cisco's moans and groans until it costs his party financial funding and influence. If Cisco wants a cure, it best get on with the moving out of country. Nothing short of that is going to stop this until the entire economy is up in arms over this.
[ link to this | view in chronology ]
First Amazon, now Cisco
http://www.techdirt.com/articles/20140124/10564825981/nsa-interception-action-tor-developers-computer-gets-mysteriously-re-routed-to-virginia.shtml
... now Cisco. Wonder who else in the U.S. computer business is going to 'step up', Ebay?
[ link to this | view in chronology ]
yesterday's newscast on the FBI
[ link to this | view in chronology ]
Here goes the EU market.
The Titanic has just departed. Time to pop some corn...
[ link to this | view in chronology ]
Re: Here goes the EU market.
More like it has struck the Iceberg.
[ link to this | view in chronology ]
Re: Re: Here goes the EU market.
You might be right.
Anyway, "Nothing to see here, please, disperse".
[ link to this | view in chronology ]
Showtime
After all, Cisco is a big player behind the pushes to accuse Huawei of spying:
http://www.washingtonpost.com/business/technology/huaweis-us-competitors-among-those-pushing-for-scrutiny-of-chinese-tech-firm/2012/10/10/b84d8d16-1256-11e2-a16b-2c110031514a_story.html
That kind of protectionism goes hand in hand with doing what government wants.
[ link to this | view in chronology ]
Re: Re: Showtime
On the other hand, we know for a fact that the government has subverted at least some Cisco equipment.
[ link to this | view in chronology ]
Forbes just released (4 hours ago) a post about Cisco with hits on "product transitions" (no, I don't think they were joking) and "uncertain environments" (also I'm not thinking they realize the funny/sad) with no mention of the "hey, your products just got outed as being hijacked by the NSA".
...this is kind of important if you own Cisco stock, no?
[ link to this | view in chronology ]
unscrambling image
[ link to this | view in chronology ]
Tamper proof seals mean nothing
They mean nothing. The NSA can just slap a sticker on it that says that Customs had to inspect the package. Or that it had been randomly selected by Customs for inspection.
[ link to this | view in chronology ]
Re: Re: Re: Tamper proof seals mean nothing
As I stated when the original story broke, this sort of technique by its very nature isn't scalable and only works on a targeted basis. If all foreign shipments no longer have addresses identifying who should receive it, it makes it much harder to compromise it once it is outside of the point where they can assert their control.
[ link to this | view in chronology ]
Re: Re: Re: Re: Tamper proof seals mean nothing
...all fixed.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Tamper proof seals mean nothing
And second - so that Cisco would be able to plausibly deny any involvement.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Tamper proof seals mean nothing
I disagree though about the need for actual interception in the case of cooperation. The compromise doesn't have to occur on the production line. There could simply be a small number of units that are kept separate which are altered by a small team that is officially labeled as a "quality control" or "R & D" team and when requested, they package up one of their units to be shipped out instead of one of the ones from the normal stock.
As for the argument about plausible deniability, this is the NSA we are talking about here. Their hubris is legendary. They never believe any of their secrets are going to get out. This is one of the reasons they are so bad at dealing with the fallout when they do. To assume the plausible deniability theory you would have to assume that the NSA assumed that the public was going to find out about it and wanted to put a cover in place to protect Cisco when that happened. I think that would be giving a little too much credit in the forethought department to a group that has repeatedly demonstrated that they are far more reactionary than they are proactive.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Tamper proof seals mean nothing
What makes you think they aren't?
"in which case, interception would not be necessary as the compromise can be inserted before it is even packaged at the factory."
By letting the NSA do it off-premises, plausible deniability becomes much easier. It worked on you. See?
[ link to this | view in chronology ]
Photoshop anyone?
[ link to this | view in chronology ]
Re: Photoshop anyone?
...oh crap, Adobe's DRM has disabled Photoshop on me.
[ link to this | view in chronology ]
How will anyone believe in reforms?
[ link to this | view in chronology ]
Re: How will anyone believe in reforms?
Reeducation.
[ link to this | view in chronology ]
Public Relations
[ link to this | view in chronology ]
Irony Alert: US Filing Criminal Charges Against China For Cyberspying
thread.
Please disregard comment on this thread.
[ link to this | view in chronology ]
Srsly ... wtf were they thinking
[ link to this | view in chronology ]
nice story, but
Mike Masnick just hates it when copyright law is enforced.
[ link to this | view in chronology ]
"No politicians, governmental agencies, or laws can be relied on to protect security or privacy. Only technology that's able to be audited for vulnerabilities and backdoors can accomplish this goal.
That means being able to examine and compile the source code, then reflash the resulting binary code onto NAND memory.
Hardware documentation and schematics would also be a big help for auditing the security of a device. Seeing as none of this will probably happen, potential customers will have no choice but to blindly trust the manufacturer and the shipping process.
Unless Cisco figures out a way for customers to audit the binaries on flash NAND memory using hashes, but then again if the hardware is compromised then it could output falsified hash values to the customer. Similar to what happened in Iran, and the falsified PLC diagnostic equipment outputs during Stuxnet.
No, I suppose open source software and documented hardware is the only way to be secure. I suspect it's always been this way, but has just become more apparent post Snowden."
[ link to this | view in chronology ]
Only way to have government really listen
Yes, this means lay-offs to some extent, but perhaps employees are willing to move with the company. But having more and more companies moving out of United Spies of America will eventually get the government to pay attention.
And to be honest, life abroad can be pretty sweet too :)
[ link to this | view in chronology ]