back to article Cisco posts kit to empty houses to dodge NSA chop shops

Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says. The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers. The interception campaign was revealed last May. Speaking …

  1. thames

    Don't buy US kit

    "Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says."

    It won't do any good. The NSA will simply monitor connections to the order system and see who is placing the order to begin with, and then associate the dead drop address with the target. That's assuming that Cisco isn't in on the whole thing to begin with.

    This sort of answer by Cisco smacks of desperation. It sounds like Cisco is getting doors slammed in their faces by major foreign customers who don't want to get back-doored.

    I'm sure someone is going to comment along the lines of "but Huawei would just have Chinese back-doors". Well guess what? The Chinese have a lot less ability to do bad things to me than the Americans do. It's all a matter of balancing the risks and consequences, and at this time the US looks like the bigger risk.

    1. Trevor_Pott Gold badge

      Re: Don't buy US kit

      Also: for many of us the Chinese sniffing our data doesn't matter. We don't do business there and never will. But we do have to do business with the US, and they both have zero issue with using whatever questionable "evidence" they find to hassle you at the border and they conduct economic espionage.

      China isn't a threat to everyone. Only to the biggest players. The US is a threat to way more companies in the western world than China will ever be.

      1. A Non e-mouse Silver badge

        Re: Don't buy US kit

        Also: for many of us the Chinese sniffing our data doesn't matter. We don't do business there and never will.

        But what about the Chinese seeing what your company is doing then coming in and under cutting you (or under mining you...)?

        1. Anonymous Coward
          Anonymous Coward

          Re: Don't buy US kit

          well here, an official in the Solomon Islands claimed that 5EYES not only knew of his governments 'word for word' negotiating strategy on some subjects, but had probably leaked the Solomon islands deals with Taiwan TO THE CHINESE.

          So that's 5EYES, and their tier partners, leaking stuff to 'the bad guys' allegedly. It looks like the worldwide Intelligence Community have their own eBay for OUR INFORMATION, sorry for shouting.

          according to Radio new Zealand

          http://www.radionz.co.nz/international/pacific-news/268966/solomons-official-%27suspected%27-nz-was-spying

          The chief of staff of the former Solomon Islands Prime Minister says he suspected New Zealand was spying on his emails well before the latest claims emerged...

          Robert Iroga, who works for the former PM, Gordon Darcy Lilo, said he was often frustrated in bilateral meetings with staff from New Zealand's Ministry of Foreign Affairs.

          He said they had information about the plans of how Solomons was using aid from Taiwan when New Zealand encouraged Solomons to be transparent in its dealings with China.

          He said he thinks New Zealand shared those communications with China.

          "New Zealand was bullying us in a lot of our negotiations. I was quite surprised that some of the information that they shouldn't know, they know already in some of the discussion and I won't tell what the information is but this all goes to tell you that they read exactly word for word what our discussions were and they had the upper hand."

          Mr Iroga said he challenges Foreign Minister Murray McCully to live up to the standards of transparency his country demands of others.

          are the Solomon Islanders "Terrorists" or "pedofiles" then?

        2. Trevor_Pott Gold badge

          Re: Don't buy US kit

          "But what about the Chinese seeing what your company is doing then coming in and under cutting you (or under mining you...)?"

          They don't need to see my data to do that. They can do that just buy buying the product or service and reverse engineering. They have functionally unlimited manpower. Highly trained, highly capable manpower. if the Chinese want to undercut me, there's not a damned thing I can do to stop them.

          The US, on the other hand, they have to play in the same economic ball park. If the US undertakes economic espionage that is a more direct threat, and one where mitigation would have some very real world benefits.

          You can't compete against the Chinese. Don't bother trying. But protecting yourself from the Americans means you still have a chance at pushing a product. Until it's successful. Then the Chinese will clone it.

          1. Anonymous Coward
            Anonymous Coward

            Re: Don't buy US kit

            "They don't need to see my data to do that"

            But they potentially get your finances, the identifies of your customers and potential customers, your plans for your next kit....

            And why waste the time reverse-engineering when you can just copy down to the last rivet. (though "Chinese copy" is still a pejorative term?)

            1. thames

              Re: Don't buy US kit

              Anonymous Coward said: "But they potentially get your finances, the identifies of your customers and potential customers, your plans for your next kit...."

              Yes, the Americans and the Chinese can theoretically both do that. The Americans however already have sales and service networks set up here to take advantage of it, while the Chinese don't. This means the Americans can steal your data, outsource production to factories in China, and then undercut you.

              On the other hand, in most industries, the Chinese are simply acting as outsource contractors for western companies. They don't have their own sales network or well known brand names. This is assuming we're even talking about manufacturing rather than services, where the Chinese are almost non-existent.

              So given the balance of probabilities, for most companies the Americans are the bigger risk. We know that the "five eyes" are conducting economic espionage and sharing the results between them. This came out in the Snowden documents with respect to the Brazilian mining and oil industries.

              1. Anonymous Coward
                Anonymous Coward

                Re: Don't buy US kit

                Yeah, except for the tiny fact that American corps. and the NSA aren't a single entity, and the NSA doesn't feed industry any information. The NSA is just an information gathering entity in the US, whereas the Chinese govt. is _everything_ in China. You guys are also utterly ignoring the fact that every major govt. in the world is doing exactly the same thing the NSA is doing.

                1. Trevor_Pott Gold badge

                  Re: Don't buy US kit

                  Except for the part where there is lots of evidence of the US committing economic espionage and passing that information back to their own corporations. The Brazilian aerospace industry would be one example. There are many others.

                  That you, personally, believe the NSA doesn't commit industrial espionage isn't really relevant. They do it. Your belief is unnecessary.

                  To compound your error, the Chinese government is not "everything" in China. There is a strict separation between individual and state ownership in most cases, though the state does retain the right to hold shares in individual enterprises there just as it does in my home country of Canada. (For example, my local municipality owns a majority stake in a fairly large power generation and transmission company.)

                  And no, we're not ignoring that other governments hoover up information. Not at all. We're simply making risk assessments about which governments are most likely to directly (and negatively) affect us with that hoovering.

                  China, for example, can hoover all it wants and it doesn't negatively affect 99.9% of us. We just don't have to do business there, visit there or otherwise interact with China in any way. Most of us, however, do have to interact with the USA, visit there and otherwise interact with it in many, many ways. Especially those of us who own businesses.

                  As for my local country hoovering up data, well...they're doing it within the same legal jurisdiction as I reside. If they try to use what they find against me, I can sue them. If they try to sue or detain me, I have the right to defend myself. If they try to take my information and sell it to a competitor I'll take 'em to the cleaners.

                  As a Canadian, I don't have those rights in America. I'm a dirty foreigner. No rights...but still dependent on trade with the country run by lunatics in question.

                  So contrary to your assertion, this has all been thought through. We just came to a conclusion that wasn't blinded by patriotism. Which, you know, makes sense...seeing as how the US of A isn't our country.

                  1. Matt Bryant Silver badge
                    FAIL

                    Re: Potty Re: Don't buy US kit

                    LOL @ your naïveté.

                    ".....the Chinese government is not "everything" in China...." You really don't have a clue. I can relate my personal experience of working with a Chinese company, where every decision was sent back by the "management" to the real managers in the Chinese government, not one of those real managers being listed on any of the company's documents, financial reports or webpages. We dropped the project when the Chinese company got sued for copyright - their whole product line were blatant clones of American, British and Indian products, just at half the price.

                    ".....They do it....." And your proof is..... Oh, what a surprise, you have none. This is my surprised face, honest.

                    ".....China, for example, can hoover all it wants and it doesn't negatively affect 99.9% of us......" Tell that to the hundreds of Western companies every year that find out trying to stop Chinese companies ripping off their products is hopeless when so many members of the Chinese government have been shown to be involved in the scams (http://www.reuters.com/article/2011/05/18/us-usa-china-piracy-idUSTRE74H6CO20110518) and organized cybercrime (http://www.economist.com/blogs/democracyinamerica/2014/05/industrial-espionage).

                    I suggest you do a lot, lot more reading before posting anything so stupid again.

            2. Trevor_Pott Gold badge

              Re: Don't buy US kit

              "But they potentially get your finances, the identifies of your customers and potential customers, your plans for your next kit...."

              Go right ahead. What does seeing my finances get the Chinese? They don't regulate me. Canada does, and by imperialist extension (and the fact that they are irrational and fucking crazy about who they let into their country for business purposes) the US does as well. It's them I have to be worried about looking at my finances.

              As for my client list, well...hey, regardless of the industry I'm playing in, there are only so many players. Both as vendors and as customers. It won't be hard to guess my customer list or go after them/potential future customers.

              Again: if China wants my customer list and/or my finances I don't care. I only care when someone can - and will - use it against me. The Americans can, and they absolutely will.

              I am way - way - less concerned about some Chinese company knocking on the door of my customers saying "would you like a knockoff product/service" than I am some yank busybody at the borders denying me entry because one of my customers' customers' customers talked to the second cousin of the mother of a terrorist's nephew using encrypted e-mail. (Gasp!)

              I also think that I am going to provide better quality of service and support to my customers than the Chinese, and on that basis alone they're likely to pick me. I'm less sure about competing against the sort of American company that's big enough to benefit from US state economic espionage. They could put me out of business with a thought.

              So, again: China? Not a really big concern. The US: big concern.

              1. thames

                Re: Don't buy US kit

                @Trevor_Pott - Guess what story popped up in the Globe and Mail today?

                NSA trying to map Rogers, RBC communications traffic, leak shows

                http://www.theglobeandmail.com/news/national/nsa-trying-to-map-rogers-rbc-communications-traffic-leak-shows/article23491118/

                The NSA has been hacking into RBC (Royal Bank of Canada - Canada's largest bank) and Rogers (one of Canada's largest communications companies). Oh, and into Rolls Royce (giant UK aero engine manufacturer) and Rio Tinto (giant UK mining company). And that's just a selection of companies beginning with "R". That's a pretty good cross section of major multi-nationals who compete with American companies.

                Now I'm waiting for our usual AC commentard to tell us how it's vital for the US to hack into Canadian banks and British aerospace companies in order to protect the world from terrorism.

                1. boba1l0s2k9

                  Re: Don't buy US kit

                  Read the article you linked, it doesn't say they're hacking into those companies, it sounds more like they're watching their internet traffic to understand what IP's do what so they could hack later if needed. Note that the report was sent to CSE, so clearly they're not trying to imply they're hacking into them (CSE wouldn't allow that). Regarding corporate espionage again read the materials in question. It seems pretty clear they're talking about doing whatever is necessary to extract information about military projects (they actually mention it), most of which involve private defense contractors. I'm opposed to most of what the NSA does, but you seem to be putting words in their mouth and making them appear even worse than they are.

          2. chivo243 Silver badge

            Re: Don't buy US kit

            @Trevor_Pott

            "They have functionally unlimited manpower. Highly trained, highly capable manpower."

            You certainly have that correct. If there is one country I would fear on the Cyber warfare front, it is the Chinese.

      2. John Sturdy
        Black Helicopters

        Re: Don't buy US kit

        China seems to be a threat primarily to its own citizens, and the Taiwanese, Tibetans and other neighbours. In the west, we're more likely to be troubled by western spying.

      3. Ian Michael Gumby
        WTF?

        @Trevor Re: Don't buy US kit

        Please stick to your day job.

        Didn't you learn anything about the world history during the 20th Century when you were in school?

        Oh I forgot. You're a Cannuk.

        Trey Parker and Matt Stone had it right. ;-P

        1. Trevor_Pott Gold badge

          Re: @Trevor Don't buy US kit

          "Didn't you learn anything about the world history during the 20th Century when you were in school?"

          Sure I did: Americans are not the good guys. It's a pretty important lesson that you seem utterly incapable of learning.

          1. chivo243 Silver badge

            Re: @Trevor Don't buy US kit

            @Trevor_Pott

            The American gov't are the bad guys, not the Americans,

            Glad to fix that for you...

            1. Trevor_Pott Gold badge

              Re: @Trevor Don't buy US kit

              "The American gov't are the bad guys, not the Americans,"

              I don't see the American people banding together to do anything about their government. Or the excesses of their corporations. I see aught but apathy. For a significant chunk of your nation, I see strong support for the power-mad types causing the trouble.

              Maybe some Americans are good guys, but not remotely enough enough to make a difference...or to be worth viewing the populace as a whole in a positive light.

              1. thames

                Re: @Trevor Don't buy US kit

                @Trevor - Winston Churchill supposedly once said something along the lines of "the Americans can always be counted on to to the right thing, once they have exhausted all the other possibilities". Right now they're still near the top of the list of alternatives, and it's a very long list.

                This sort of story will put pressure on large American companies who will see their export markets melt away as IT technology become more and more vital and valuable. The fact that someone, somewhere else in the world may be worse isn't going to make customers trust them. It's like asking which of two paedophiles is the least bad one to babysit your children.

                Ultimately the real answer to the "Cisco-NSA" problem is going to have to be technological. People were already thinking along the lines that we need better security, but the Snowden revelations have given that process a big kick in the pants to move the process along. If the NSA can hack into your systems, then so can anyone else, including common criminals. Either you're secure, or you're not. Right now most companies and individuals are storing their data in the equivalent to a cash box in a desk drawer with the key taped to the top of it.

                1. Alan Brown Silver badge

                  Re: @Trevor Don't buy US kit

                  "This sort of story will put pressure on large American companies who will see their export markets melt away as IT technology become more and more vital and valuable."

                  The NSA revelations were a significant factor in breaking Cisco's stranglehold on equipment supply at my employer. The fact that they charge 3-5 times as much as the competition wasn't nearly as strong a factor.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: @Trevor Don't buy US kit

                    According to someone who knows, the UK has a nuclear deterrent for two reasons.

                    China

                    &

                    America.

                    1. John Bobbit
                      FAIL

                      Re: @Trevor Don't buy US kit

                      Well someone who knows doesn't know much then. The UK can't launch their nuclear deterrent without the USA giving explicit permission. That's what happens when you buy a nuclear launch system from a foreign power.

                    2. Trevor_Pott Gold badge

                      Re: @Trevor Don't buy US kit

                      I would suspect India should be on that list too. Most certainly Russia, if only because Putin's people actually support him being an utter crazypants. And that's pretty terrifying.

              2. chivo243 Silver badge

                Re: @Trevor Don't buy US kit

                @Trevor_Pott

                It boils down to the have and have nots.... The haves want more, more always more. The have not's don't have the resources to band to together. Plus America is a big place. By the time the have nots have banded together, they are out of resources. What then? Pitchforks and scythes? You do know that there are parts of America that have no running water, or electricity or internet? Or have you buried yourself so deep in hatred that you can't see the forest for the trees?

                Sorry to see you are so anti-American, and have so much pent up frustration. I wish you well with coming to terms with it.

                I am an American expat, I have lived outside the states for nearly 2 decades. I see the same thing in every country I visit. Downtrodden people falling deeper into a hole, and the haves are happy to let them fall as far as they will.

                I wish there was an icon for can't we all get along and live together...

                1. Trevor_Pott Gold badge

                  Re: @Trevor Don't buy US kit

                  "You do know that there are parts of America that have no running water, or electricity or internet?"

                  Sure I do. And some of them are great places to be. Some of them ain't. But in virtually every circumstance, the people occupy those places by choice in the US. Not every circumstance, but most.

                  The fact that the US has poor people - or a handful of innocent actually good people - doesn't change the fact that the overwhelming majority of America is either outright bad people or apathetic to a dangerous degree. And I absolutely classify the apathetic as equally complicit with the actively bad people who are out there trying hard to keep the masses poor and powerless.

                  The only thing necessary for the triumph of evil is for good men to do nothing.

                  If it makes you feel any better, I hold Australia in equal - if not worse - contempt. They keep electing Xenophobic asshats to power over and over and over. The UK isn't much higher in my esteem, what with their own brand of Xenophobic asshats being increasingly popular.

                  At least in Canada we have a piss poor excuse: over successive years we have been Jerrymandered so hard that the conservatives can get a majority in this country with less than 30% of the popular vote, but if either our centrist or our leftist party wants to win a majority they need 50% of the vote (taking into account the ridings that will never, ever change their colours.)

                  It's a shitty excuse - and we collectively deserve to have our asses kicked - but it's also an issue that Canadians are aware of and actively fighting. Electoral reform is a huge issue here. As are things like the TPP, spying and a whole host of other things that are anti-populace, but wholly embraced as "necessary" by the majority of American voters.

                  We also have an active enough political system that there are always three possible parties (right, center and left) with a plausible possibility of winning, and a few up-and-comers that are gaining strength. We don't just have "sort of centrist and right wing" as options (like the US) with the "right wing" party currently undergoing a civil war because half of the thing is off in fucking crazy cuckoo land and wants to drag the whole goddamned world damn with them.

                  So you go right ahead and call me anti-American. I am. But I am not "anti-American" as some form of reactionary diatribe where I "want what America has". No...I fear everything you have. I find you a danger to my nation's way of life. I find your culture to be an infection that is harder to combat every year and your xenophobia and paranoia to be dangerous to the stability of the world as a whole.

                  I am not merely irked with your country for teaching and preaching American exceptionalism. I'm irked because you lot actually believe that lunacy and because of it you are collectively unable to see the damage you do to yourselves and to the rest of the world.

                  Worse: other western nations are (for now) completely dependent on commerce with the US. That's slowly, but surely changing as BRICS countries rise to power, but it will be decades before any of us can really tell America to take it's one-sided "treaties" and go fuck themselves. Unfortunately, the damage you'll do to our countries in your desperate attempts to export your laws while you gaze about with your dull cow eyes blubbering over your waning international influence could still prove to be catastrophic.

                  We can only hope.

                  1. Matt Bryant Silver badge
                    FAIL

                    Re: Potty Re: @Trevor Don't buy US kit

                    ".....surely changing as BRICS countries rise to power...." LMAO!!!! I mean, your diatribe was too childishly amusing for words, but that bit about the BRICS just made my day! Shall we take a closer look at your BRICS?

                    Firstly Brazil, neck-deep in the brown stuff over government-aided mass corruption in their petrol industry, the (socialist) President holding on by her fingertips. Oh, and the same petrol industry that is rapidly caving under the pressure of the drop in oil prices almost as badly as Venzuela's.

                    Russia? Topping the list of human-rights abusers where political opponents just get shot in daylight. Putin doesn't even bother with 'disappearing' his victims. Oh, and also with an economy caving under the pressure of sanctions due to the illegal annexation of Crimea and the drop in oil prices, what's left of the rest of the economy having been picked over by Putin's chums the oligarchs.

                    India is a possible bright light if it could get over the fixations with Pakistan and China. Oh, and the fact that it has a staggering level of difference between the haves and the have-nots that makes the US look egalitarian by comparison. Throw in notoriously rampant nepotism and corruption so endemic they don't even try to hide it, and the continuing brain-drain because their brightest and best all want to study and work in the UK or US.

                    China? All sailing along fine in best sweatshop economy fashion as long as the American consumerism you spit bile about was in top gear, but dropped off a lot after 2008. Chinese growth is stalling and the even the drop in oil prices to half that of a year ago has not stimulated the Chinese economy in the way hoped. Meanwhile, the charge to catch up technologically with the West has caused massive damage to the Chinese environment (now officially the most polluted country on the planet), yet has only left them hobbled to the American economy and dependent on copying Western products and tech.

                    And South Africa? Teetering on the edge with the ruling political party bringing corruption and nepotism to the usual African levels. Most of their skilled and educated white workforce have long-since left for other countries and the gap is being filled by Chinese companies which are busy exploiting Third World countries with zero regard for anything other than the short term. Just ask Mozambique how the Chinese "helped" them.

                    You might know some of this if you actually read some news.

                  2. raphidae

                    Re: @Trevor Don't buy US kit

                    THANK YOU! I agree with this 100%

                    Americans will keep waving their little American flags all the while their country descends into a corporate theocracy (probably shouting "Freedom, fuck yeah!" too). We as foreigners can only hope they implode quickly at this point.

            2. ragnar

              Re: @Trevor Don't buy US kit

              Heh, this comment didn't age well

        2. Matt Bryant Silver badge
          Happy

          Re: IMG Re: @Trevor Don't buy US kit

          "Please stick to your day job....." You think Comrade Potty has a day job? How generous of you!

          ".....Didn't you learn anything about the world history during the 20th Century when you were in school?....." Potty and his ilk are still desperately trying to pretend the Berlin Wall didn't come down when that great socialist experiment by the Russians finally croaked.

          ".....Oh I forgot. You're a Cannuk....." Harsh! I do happen to know a few Canadians with their heads screwed on straight. A minority, I admit, but no need to tar all the moose-molesters with the same brush. Oh, and the Canadians did manage to burn the Whitehouse down (well, with English direction, and English assistance).

          ".....Trey Parker and Matt Stone had it right. ;-P" "Team America, fuck yeah!"? :)

        3. Alan Brown Silver badge

          Re: @Trevor Don't buy US kit

          "Didn't you learn anything about the world history during the 20th Century when you were in school?"

          I did - and the USA invaded far more countries than China ever did (it just stuck to skirmishes with its neighbours)

          Of course the Canucks could just burn the White House down again if they feel justified.

        4. MrDamage Silver badge

          Trey Parker and Matt Stone had it right

          You mean, the only people in the US with any common sense and intelligence are 4th graders?

      4. Anonymous Coward
        Anonymous Coward

        Re: Don't buy US kit

        "Also: for many of us the Chinese sniffing our data doesn't matter. We don't do business there and never will. But we do have to do business with the US, and they both have zero issue with using whatever questionable "evidence" they find to hassle you at the border and they conduct economic espionage."

        The chinese information cannot be admitted into court to even give me a parking ticket. The US information can.

        For the average guy on the ground , Local products (which probaby don't exist yet) are first choice, chinese knock offs second, and US products have the plague and are to be avoided under any circumstances.

      5. Matt Bryant Silver badge
        FAIL

        Re: Pottie Re: Don't buy US kit

        "......China isn't a threat to everyone. Only to the biggest players....." LMAO @ your blind naïveté:

        http://www.theregister.co.uk/2015/03/31/github_attack_day_4_activists_point_fingers_at_china/

    2. wilhil

      Re: Don't buy US kit

      I was thinking the same thing...

      All the shit the Americans were saying for years about Huawei back doors, and they were doing this!

      I am working with quite a few Asian manufacturers at the moment and I would personally feel safer (and my wallet would be much better off) buying Huawei over Cisco.

    3. SFC

      Re: Don't buy US kit

      Define bigger risk. The Chinese have proven they have absolutely no issues wholesale stealing your technology then selling it in their own market with no regard for copyright/trademark/patent law. The US, while they may want to find something to blackmail you with, won't be destroying your business by stealing your technology.

      If I'm concerned with hiding something illegal I'm doing, sure, Huawei is great. If I'm concerned with having a profitable business, give me Cisco and a backdoor from the NSA all day long. If I'm a government concerned about state secrets I wouldn't touch either one.

      1. Trevor_Pott Gold badge

        Re: Don't buy US kit

        "The US, while they may want to find something to blackmail you with, won't be destroying your business by stealing your technology."

        Prove it. According to my sources, the United States absolutely and without question does steal technologies and information from foreign companies for the benefit of their domestic corporations, a process known as industrial espionage. They do this. They do it a lot. And this is why anyone who uses American cloud computing is a goddamned idiot.

        Also, it does not matter whether or not you are doing things that are illegal, the US will twist and warp anything and everything they find to suit their needs. You don't have to be doing things illegal.

        A) The US believes its laws apply everywhere.

        B) In the US, everyone is guilty of something; the laws are designed that way. Nobody can know what all the laws are and everyone breaks a least one law per day.

        C) The US doesn't believe non-US citizens have any rights whatsoever. So you don't have the same rights to due process as Americans, and you don't have rights to privacy, not having your technology stolen or what-have-you. The only rights you'll ever get are the minimum rights required for them to make a show of whatever it is they want to make a show of.

        You are never going to get a fair hearing in the US. You are never going to get a fair trail. You are going to have your shit stolen and you will be presumed guilty unless proven innocent, especially if you're a "dirty foreigner".

        The United States of America are not the good guys. Not even fucking close. They are a necessary evil that must be tolerated because they happen to be the nexus of western commerce, but only a fool would ever - ever - trust them.

        I'm not saying China's any better. They're not, really...but most of us don't have any reason to have anything to do with China. So they can sit there and cultivate their own private insanity all they want, it doesn't affect anyone on our side of the world except those who have heaps and heaps of money already and are trying very hard to make even more.

        The US being dipshits affects every single citizen of a western nation and every single SMB. So, from a risk management standpoint, it is the Americans that need managing, as they are the most pressing risk.

        1. Anonymous Coward
          Anonymous Coward

          Re: Don't buy US kit

          Supply proof that the US is worse than any other entity in regards to stealing IP, or put down the crack pipe.

    4. Anonymous Coward
      Black Helicopters

      Re: Don't buy US kit

      Also we seem to be forgetting the 'spy' angle. Recently we are focusing on electronic intercepts and nobbling, but don't forget there is the time honored way of simply getting your person inside. I would be surprised if TLAs didnt also take this route. And I find it hard to imagine any competitive organisation restructuring itself internally and having the discipline to maintain the internal 'need-to-know' firewalling that would stop useful information just walking out the door.

      1. Steven Roper

        @GameCoder Re: Forgetting the spy angle

        There's a reason why compromised hardware is a much bigger concern than TLAs sneaking agents into your executive structure.

        Agents are expensive, and take a lot of effort to insert and maintain. The old adage about "for every sword raised at the front ten backs must bend in the field" applies equally in this case as well - for every agent in place, a support staff back at HQ has to be maintained to receive the agent's information, process it, and provide the agent with intel and orders.

        So this would only be a concern for big players. I'd be surprised if there weren't various TLA agents at or near the top of corporations like Microsoft, Amazon, Google and even Cisco. But the chances of ASIO going to the trouble of inserting an agent into our little back-street SMB are vanishingly small.

        Not so with hardware. Automated information processing is a far more serious threat to privacy, confidentiality and even liberty than any amount of manned spying, because it is far cheaper than manpower and a lot more global in scope.

        Consider a parallel: face-recognition software vs. a room full of security bods at a CCTV control centre. Security bods can't watch everyone all the time; they have a list of photos of wanted criminals and scan the camera feeds for them, ignoring everyone else. But face-recognition software tracks everyone, everywhere, all the time. And all it has to store is the metadata: Citizen 17548923 identified via Camera 6485 at Lat 34°55'22.7" S Lon 138°35'58.9" E on 2015-03-07 06:33:45 UTC. So it isn't about having to keep years of AV footage - such metadata can easily be retained on everyone for many years simply because it reveals a lot without taking up much storage.

        In the same way, hardware backdoors allowing remote software to regularly collect data means it doesn't matter if a human is looking at or using your information. Software analysis is a much greater threat than human observation, simply because it is orders of magnitude cheaper, more thorough, ubiquitous and far-reaching.

    5. joejack

      Re: Don't buy US kit

      Buy Chinese is your answer? If the Chinese do have backdoors, how long do you think before the NSA et al finds their way in?

  2. A Non e-mouse Silver badge

    Spy chips?

    Cisco has poked around is[sic] routers for possible spy chips

    Who said anything about spy chips? All the NSA has to do is implant a persistent software back door into the ROMMON firmware.

  3. Anonymous Coward
    Anonymous Coward

    Of course the NSA has a simply counter to tis strategy - they get a few tame Congress-criters to pass a law making it illegal to knowing send something to a non-existent address, with *huge* penalties if the law is broken.

    1. Phil O'Sophical Silver badge

      The addresses exist, they simply aren't necessarily associated with the end-user. Like me getting a surprise gift for my wife delivered to a workmate, so that the arrival of a mysterious parcel doesn't spoil the surprise.

      1. Anonymous Coward
        Coffee/keyboard

        You're still missing the point, just like Mr Stewart did

        It doesn't matter what the destination address is. It came off of your shipping dock, into a truck (FedEx/UPS/DHL) and contrary to that tracker app you update, it WILL spend 45 minutes in a location being poked, peeked, and/or prodded before being repackaged and put back onto said truck. One NSL to each company is all that it would take, so get off of your high horse, Mr. Stewart.

  4. Michael Habel

    >implying

    That these "Backdoors" aren't already set for the NSA / GHCQ & et-al long before the Code even leaves the QA Labs, let alone the actual Factory Floor...

    1. A Non e-mouse Silver badge

      Re: >implying

      Some of the Snowdon documents showed Cisco boxes being opened in transit. e.g. www.engadget.com/2014/05/16/nsa-bugged-cisco-routers/

      Of course, NSA would love to have backdoors baked in at the factory so they didn't have to do this extra leg work...

      1. Alan Brown Silver badge

        Re: >implying

        "NSA would love to have backdoors baked in at the factory so they didn't have to do this extra leg work..."

        They probably would if the factory wasn't in China.

  5. batfastad

    Support

    It's largely irrelevant anyway. Many sites I visit have Cisco gear that hasn't been updated since it was originally installed and the support has lapsed meaning you can't get the newer code anyway. Open season because of the unique way Cisco stuff seems to leave the factory full of bugs.

  6. Captain Scarlet Silver badge
    Big Brother

    Hmm

    Why don't Cisco ship these out with no OS on and let the customer flash them upon arrival.

    If they discover something already in flash return it.

    1. Anonymous Coward
      Anonymous Coward

      some of the tailored access products

      are impossible to find, unless you do a broadband RF entropy sweep for passive retroreflectors or can unscramble their active ultra-wide bandwidth = nearly invisible RF data packets. Some of these NSA/GCHQ 'ANT' products can be embedded in the chassis or a 19" rack handle, - they don't need to directly live in the main OS.

      Remember that in the Guardian destruction of a MacBook by GCHQ they took out the Keyboard & Bluetooth & trackpad chips, with an angle-grinder as well as other traditional memory devices...

    2. Charles 9

      Re: Hmm

      Because they'll just hide the stuff in another chip using mask concealments and other stuff to hide even from decapping and x-rays. And this stuff will just override anything you flash AND return false flags to anything you try to use to authenticate it.

  7. Micha Roon

    seal? anyone?

    the "unbroken seal" information has help prevent tampering since the middle ages. How come they haven't thought of that?

    I believe you have to open the box in order to install software on the ROM. Or they could make it so that it is necessary.

    1. thames

      Re: seal? anyone?

      The NSA was having the Cisco kit diverted to a location in I believe the Washington area, where they had a facility set up to open packages, install whatever it is they did, reseal the box, and send it on its way again. They apparently have copies of all the necessary Cisco seals and packing materials so you can't tell the difference. It's almost a small production line, not someone doing it at his desk at NSA headquarters. This was in the report which Cisco is trying to respond to in this story.

      1. Anonymous Coward
        Thumb Up

        Re: seal? anyone?

        Damn, I should have scanned the comments before posting above (and later than you.)

      2. Alan Brown Silver badge

        Re: seal? anyone?

        If you notice in the snowden photos the boxes are being opened from the bottom - looking closely there wouldn't go amiss.

  8. Anonymous Coward
    Anonymous Coward

    Prefered Method

    If I was the NSA I'd hire/blackmail someone to install the hardware &/or software as part of the production run.

    An annual brown envelope as a loyalty bonus and an occasional reminder of their naughty personal habits every time they get a little squeamish.

    This was it won't matter where the router gets sent.

    1. Michael Habel

      Re: Prefered Method

      The truth of this strangeness, is likely more likely then you'd think....

  9. Anonymous Coward
    Black Helicopters

    Another example of why the tech industry needs to oppose the NSA & friends...

    Instead of cooperating with them. The sigint agencies won't be happy until they have functionally destroyed trust in IT vendors.

  10. Anonymous Coward
    Anonymous Coward

    How gullible

    This is not the first week on the job for authorities pursuing crims. If you think the foolishness stated in this story is real, then you're too gullible to understand what is really happening daily to protect you're worthless arse.

    1. Scott Pedigo
      Holmes

      Re: How gullible

      Thankfully, we have these guys to protect us:

      http://www.nbc.com/chicago-pd

      http://www.sho.com/sho/homeland/home

      http://www.imdb.com/title/tt0285331/

      1. Anonymous Coward
        Anonymous Coward

        Re: How gullible

        Hey! Don't forget these guys!

        http://www.imdb.com/title/tt0058805/?ref_=fn_al_tt_2

        http://www.imdb.com/title/tt0083466/?ref_=nv_sr_1

  11. dogbeefporklamb

    Grammar pet peeve - it's boxii not boxen, as in virii not viruses

    Grammar pet peeve - it's boxii not boxen, as in virii not viruses

    Register staff please push tongue deeper into cheek

    1. John G Imrie

      Re: Grammar pet peeve - it's boxii not boxen, as in virii not viruses

      It's boxen.

      Box => Boxen

      as in

      Ox => Oxen

      1. Charles 9
        Trollface

        Re: Grammar pet peeve - it's boxii not boxen, as in virii not viruses

        Then why do we live in houses and not hice?

        House => Houses

        but

        Mouse => Mice

        Louse => Lice

  12. steward
    Boffin

    Wouldn't it be simpler...

    Just to create a hand-delivery section in Cisco to transport items to their sensitive customers, instead of entrusting it to any third party, not to mention dead drops?

    1. Charles 9

      Re: Wouldn't it be simpler...

      Courier services can be infiltrated or subverted, too.

  13. Cynic_999

    *If* Cisco is trusted, and intercepted boxes really is the main risk, Cisco could design their hardware to have its entire firmware on an SD card and no non-volatile storage whatsoever in the rest of the hardware. Any concerned customer can then source and burn their own SD card from a file downloaded from Cisco using a secure method after checking that there are no hardware additions present by referencing a securely downloaded photograph of what the board ought to look like.

    1. Charles 9

      Hide a sleeper piggyback inside another chip and overrule the SD. Try again.

    2. phil 27

      Your dreaming. Yes it looks like the factory board and it answers the same checksum when asked isnt exactly unforgeable if you have the appropriate resources to hand.

  14. Anonymous Coward
    Anonymous Coward

    The real story on this "data-retention" deal is going to be about the legions of 1337 warez fiends and their ub3r hax0r buddies "commandeering" the ever expanding plethora of storage capacity which is so conveniently located on site at a major telco's backbone network facilities ;)

    I'm sure that one can only imagine what it must've been like for the old AOL storage/mail admins back in it's hayday of ~1994! [Assuming those guys actually managed to figure out that there were hundreds of thousands of email boxes fully loaded with every App, Game, 'porn-pic', and AOL-Exploit Tool available at the time... And that Phishing, wide-spread use of remote-exploit techniques, and Social-Engineering- not to mention CP, really all got started on AOL, IN THE 90'S]

    baahhahaha

  15. Anonymous Coward
    Anonymous Coward

    I don't get it.

    Either the govt is allowed to install stuff on Cisco's kit or it isn't. If it is allowed, then surely obstruction is illegal, like jamming the cops' radio. If it is not allowed, then what it is doing is illegal and Cisco should sue. How can this game of cat and mouse of the govt vs its people take place at all?

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't get it.

      Because the fu***ng government fu***ing writes the fu***ng rules and the fu***ng judges fu***ng interpret them in fu***ng secret, that's why.

      Was it Gary Trudeau who said, regarding the word 'fuck,' that you use it like a comma.?

      1. Anonymous Coward
        Anonymous Coward

        Re: I don't get it.

        in the UK 4 judges have just been sacked for allegedly accessing pr0n on their judicial computers; how many other judges (worldwide) have been informed by GCHQ/NSA that they won't be releasing this information to the DailyMail, just yet, should certain judgements go in the correct way...

        but remember folks, GCHQ only does things with complete judicial oversight and is fully legal....

        http://www.dailymail.co.uk/news/article-2998506/Three-judges-sacked-allegedly-viewing-PORN-official-computer-equipment.html

  16. Lee D Silver badge

    "We're going to announce what measures we're going to take to the world's press so the NSA can carry on doing what they're doing because they know exactly how we're working around them, but it looks like we're doing something about it".

    Sorry, if you don't want the NSA intercepting shipments then you need to build in-house. If you ship and you CAN'T tell if someone's tampered with your kit, there's a problem whatever fancy system you use. It takes ONE rogue employee, and this is a major spy agency we're talking about.

    But, easier, just move abroad and claim the NSA has destroyed your reputation by tampering with your commercial products, potentially illegally, for its own gain, and your taking your thousands of jobs with you when you leave.

    You're not small-fry. You run half the Internet. If YOU can't stop the NSA tampering with your own kit, than we can't trust you, and we can't use you. And we will struggle to have any kind of Internet at all either way.

    1. I. Aproveofitspendingonspecificprojects

      > If YOU can't stop the NSA tampering with your own kit, than we can't trust you, and we can't use you.

      It won't be all that long, I am sure, before the average computer user decides to learn how to make a modem/router/thingumy out of old parts. If I had a five year old I would make learning how to do that his first job if he ever wants pocket money.

      1. Charles 9

        What's to say the old parts aren't pwned either? Remember they've been at this kind of thing for DECADES. Backdoors all the way down...?

        1. raphidae

          CPU's are suspect too. Security researchers are buying Russian 486DX clones from the 90's, since that's believed to be the last known processor that isn't tampered with. Prices on these have skyrocketed.

          Any newer CPU can be tampered with in undetectable ways.

          See: https://www.schneier.com/blog/archives/2013/09/surreptitiously.html

          1. Anonymous Coward
            Anonymous Coward

            "CPU's are suspect too. Security researchers are buying Russian 486DX clones from the 90's, since that's believed to be the last known processor that isn't tampered with. Prices on these have skyrocketed."

            I wonder how long before they find THOSE were tampered with, too?

  17. Dr Patrick J R Harkin

    I've read about routers with backdoors installed but...

    I was never sure how to pronounce Huawei -so it's "sis-ko", is it?

  18. Barracoder

    There's no such thing as "government coin"

    It's called "my money".

  19. Anonymous Coward
    Anonymous Coward

    Boxen? Really?

    Was boxes that hard to use?

  20. Anonymous Coward
    Anonymous Coward

    Cisco on Silk Road?

    So Cisco is forced to act more and more like a drug dealer in this strange new world where building secure products is a crime. Too bad SR got shut down, might be a good channel for them to sell 'certified untampered' kit..

  21. Lexx Greatrex

    dead dropped

    AT&T: Our CRS-X router has gone down. If we lose any more backbone capacity half of the Eastern US will go dark.

    Cisco: One moment please... I'm so sorry, but we have no record of AT&T purchasing this model router.

    AT&T: We did purchase it! You delivered it to a bus shelter off the I-95 last month.

    Cisco: I see... ah... One more moment please... I thought you said you were AT&T? That router went to Hobo Enterprises.

    AT&T: Yes, yes. It was actually us. Remember? It was part of that dead drop thing... Remember?

    Cisco: Ohhh, I see. Hmm. [Laughs].

    AT&T: What's so funny? This is a serious problem. The whole country could be affected by this outage.

    Cisco: [Chattering and giggling in the background]. So sorry. It's just that we were all more than a little curious as to how an unknown startup could afford several $800,000 tier-1 routers.

    AT&T: For Christ's sake. Are you going to fix this or not?

    Cisco: Yes, certainly! Hobo Enterprises is one of our most valued customers. We'll have a technician dispatched to the bus shelter immediately.

    AT&T: [Click]

    Cisco: Hello? Hello?? Strange, the phone's gone dead... What? Everyone's phones are dead? This is so strange...

  22. rav

    Everybody is listening in; fortunately most of have nothing to say.....

    The best way for the NSA to tap the internet is to offer VPN and seedbox services. This way the spying costs are funded by subscriptions to supposedly secure and anonymous services.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like