Cisco Shipping Hardware To Bogus Addresses To Throw Off NSA Intercept-And-Implant Efforts
from the 1324-Middle-Finger-Extended-Blvd. dept
Cisco became an inadvertent (and very unwilling) co-star in the NSA Antics: Snowden Edition when its logo was splashed across the web by a leaked document detailing the agency's interception of outbound US networking hardware in order to insert surveillance backdoors. It moved quickly to mitigate the damage, sending a letter to the President asking him and his administration to institute some safeguards and limitations to protect US tech companies from the NSA's backdoor plans. To date, there has been no direct response. So, Cisco has decided to handle the problem itself.
Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says. Stewart acknowledges that Cisco's modified dead drop shipping operations aren't foolproof, but will at least force the agency to do a little more research before intercepting packages. Stewart also noted that some customers aren't taking any chances, opting to pick up their hardware from Cisco directly.
The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers…
"We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who ultimately it is going to," Stewart says.
"When customers are truly worried ... it causes other issues to make [interception] more difficult in that [agencies] don't quite know where that router is going so it's very hard to target - you'd have to target all of them. There is always going to be inherent risk."
There are also variables Cisco simply can't control, like the possibility of inbound components from upline manufacturers arriving pre-compromised. But it's doing what it can to ensure that "Cisco" isn't synonymous with "spyware."
Then there's always the possibility that the government may find Cisco's new routing methods to be quasi-fraudulent and force the company to plainly state where each package is actually going. No response has been issued by the ODNI or NSA to this news, and most likely, none will be forthcoming. Any statement on Cisco's fictitious routing would tip its hand.
Cisco's plan makes a lot of assumptions about the NSA's capabilities, most of which aren't particularly sound, but this seems to be more a public display of pique than a surefire way to eliminate most of the NSA's hardware interceptions. It also sends a message to the NSA, one it's been hearing more and more of over the last couple of years: the nation's tech companies aren't your buddies and they're more than a little tired of being unwilling partners in worldwide surveillance.
Filed Under: backdoors, fake addresses, interception, nsa, shipping, surveillance
Companies: cisco
Reader Comments
Yet, it's okay for tech companies to sell our "anonymous" data, thereby making "surveillance" a double-edged sword.
Tough luck on tech companies. Maybe they should have thought about Pandora's Box before making "metadata" synonymous with loss of privacy.
Tech companies don't get the privilege of crying when the NSA abuses them.
Just desserts. Screw them all.
[ link to this | view in chronology ]
Re:
...says the person posting a comment on a Web site, over the Internet, from a Web browser. There are so many "tech companies" involved in that operation it would make your head spin, yet obviously you continue using them.
If you want to put *specific* pressure on *specific* firms for *specific* inappropriate behavior, please feel free to advocate for that.
[ link to this | view in chronology ]
Re:
Mo Money! Mo Money! Mo Money! Cha-Ching!
[ link to this | view in chronology ]
the real shame
Really America? Really?
[ link to this | view in chronology ]
Re: the real shame
a) Have bought the lie that 'unless you're doing something wrong, you have nothing to worry about'.
And/or b) Don't understand just what the mass spying really entails, and what's possible with the data gathered.
Tell most people that you're 'gathering metadata on internet activity to better track terrorists and criminals', and you're likely to get some head-nodding and general vague agreements that that doesn't sound too bad.
Explain that that 'metadata' can be used to accurately identify people the vast majority of the time as long as you have enough of it, it can be used to track where people go online, what they do, and give at least a relatively accurate outline of who they're talking to, including doctors, political affiliations, various other groups, and in particular make sure to point out that the only thing keeping random strangers from having access to this pile of data is generally ridiculously poor security, if it exists in the first place, and laughably loop-hole ridden laws, and I imagine most people might be a bit more concerned.
[ link to this | view in chronology ]
Re: the real shame
The bigger reality is that there isn't much choice.
[ link to this | view in chronology ]
Re: Re: Re: the real shame
If one is to make a claim, perhaps it would benefit others to include a source. The MSM propaganda creators do not provide much to substantiate their conclusions, why in the hell should anyone else - right?
[ link to this | view in chronology ]
Re:
How would that help, unless you manufacture it yourself?
[ link to this | view in chronology ]
In a related story, DHL sues Cisco for copyright infringement.
[ link to this | view in chronology ]
ALL PR. Assumes Cisco not willingly helping.
Same with hard drive manufacturers: they came up with a story that the NSA gets in only after it leaves the factory.
Requires only a half-dozen corrupt people in each company to see that a few bytes of code are put in among tens of thousands.
You have no independent way to verify any corporate claim, so should believe none.
[ link to this | view in chronology ]
Re: ALL PR. Assumes Cisco not willingly helping.
Er... not so much.
Talking about products, or shipping, or service, there are two participants, the corporation and the customer. If you don't trust the one, you can still learn from (or be) the other.
Seems verifiable to me.
[ link to this | view in chronology ]
Re: Re: ALL PR. Assumes Cisco not willingly helping.
All well and good to say the customer can verify the tampering. The question is, how sophisticated is the NSA's tampering and how easy for a customer to detect it. It is said the NSA tampered with disk drive firmware. How many people in this country can reverse engineer a drive's firmware? I am thinking not too many. The NSA only has to break a small number of things, whereas their adversaries have to verify everything. Not an easy job.
[ link to this | view in chronology ]
It will be assumed that it comes rigged with spyware. Corporations took the money and all was fine until the public learned of actions. Suddenly when profit margins start dropping and only then do they get religion.
The deal with the devil was done in many cases with full knowledge. All will be assumed to be painted with the same brush of complicity until major changes are made. Even then it will be years if ever that American corporations will ever re-earn the trust of their customers. While I can not control everything there is one thing I can do. I can pick those parts up for computers and build it myself. While no 100% guarantee, it will have a higher unlikelihood to have been visited by the repackaging team.
Globally, people will start refusing American products that can be done this way. Foreign governments can and will refuse American products over it. Long term contracts will be changed when they reach termination for other choices.
The damage is already done.
[ link to this | view in chronology ]
CISCO
[ link to this | view in chronology ]
Separate the HW from the SW
[ link to this | view in chronology ]
Re: Separate the HW from the SW
What if the NSA is adding hardware as well?
[ link to this | view in chronology ]
Re: Re: Re: Separate the HW from the SW
But I disagree that what you suggest is infeasible. To read and inject packets, you probably just need to attach to the data lines. The router will occasionally be idle, and when it is, just start dumping data onto those lines. Or with a mux, you could disconnect the main CPU and take over a data line. Remember that the NSA don't need to control the data stream completely: they're monitoring the entire internet, so they just need to replace or glitch the occasional bit in a way they can detect. Errors happen, and unless Cisco knows exactly what to look for, it would be pretty hard to detect attacks and know they're not the usual random glitches.
[ link to this | view in chronology ]
Re: Re: Re: Re: Separate the HW from the SW
Cisco could also include printed private keys with each purchase that the customer could use to verify software images/updates, in case they do need to download something. It's an arms race, but we can set it up so that the NSA needs to be almost perfect to avoid detection. If customers can detect something wrong, at least, they can return the product to Cisco who can implement detection/workaround measures.
[ link to this | view in chronology ]
How does this work?
[ link to this | view in chronology ]
Hmmmm, we all know how good the NSA is at counting multiple hops, so I don't get what this accomplishes. This must be a PR publicity stunt to fool the simpletons working at multibillion dollar IT companies who are ordering Cisco's products...
[ link to this | view in chronology ]
Mitigation, not Prevention
I don't agree. Cisco is well aware of NSA capabilities, and they know that this plan isn't enough to prevent tampering en route. With enough tracking/surveillance/infiltration of Cisco operations/personnel, the NSA can and likely will still find, intercept, and tamper with intended targets.
In that case, why did Cisco bother? Two reasons. First, which was touched on in the article, is to simply make a statement. They are proclaiming to the world and to the NSA that they're not willing to sit idly by while the surveillance state drives their reputation (and their bottom line) into the ground. This is a symbolic protest as much as an actual mitigation.
Second, yes, this is a mitigation. These precautions won't make it impossible for resourceful (in both meanings) third parties to intercept equipment, but they will make it more difficult, and thus costlier. Even the NSA only has so many man-hours it can direct. If it now takes twice as many man-hours (an over-estimation, I'm sure, but no matter) in order to backdoor a router en route, then they are only able to do so half as often.
Cisco, or any US based company, can only do so much to thwart the surveillance state. Any pushback, however minor or symbolic, is to be applauded. On the same note, any willful collusion should be considered a betrayal of their customers, and the public at large.
[ link to this | view in chronology ]
The Human Race SUCKS
[ link to this | view in chronology ]
NSA opinion of this development
[ link to this | view in chronology ]
What shipper allows the intercept?
Are those shippers immune to a suit for damages for allowing the harm of replacing the BIOS or putting a backdoor on the system?
It can't be only Cisco or Cisco's customers are harmed -- Any manufacturer who ships to customers that NSA finds interesting.
Why no lawsuits? Why are businesses not working to hinder NSA and the military coup they represent in every way possible?
[ link to this | view in chronology ]
Re: What shipper allows the intercept?
Are those shippers immune to a suit for damages for allowing the harm of replacing the BIOS or putting a backdoor on the system?
Maybe the telco immunity law applies to shippers too. Totally making stuff up though, I don't know if it does.
[ link to this | view in chronology ]
Smells like bullshit to me.
[ link to this | view in chronology ]