Networking giant in hot water for selling US govt buggy spy kit? Huawei again? No, it's Cisco

Cisco finds its bank balance $8.6m lighter after it agreed to settle a False Claims Act lawsuit in the US over its video surveillance software. On Wednesday, attorneys for whistleblower James Glenn announced that the networking giant's payout would settle the first ever US False Claims Act case to involve information security …

  1. alain williams Silver badge

    What will the orange Donald say to this ?

    Tell people not to do business with Cisco ?

    Why do I even bother to comment? Everyone knows that what he says is to push his current agenda, the truth is an inconvenience easily ignored.

  2. crayon

    One lucky whistleblower ...

    most others are in jail or in exile. This dude gets $1.6m for his troubles.

    1. Che van der Showa

      Re: One lucky whistleblower ...

      "For his trouble, Glenn (and his lawyers) stands to pocket $1.6m from the payout"

      I suspect the parentheses indicate where the bulk of that $1.6m will end up.

  3. Doctor Syntax Silver badge

    That'll be $1m for selling stuff with a bug, $7.6m for not telling the spooks so they could take advantage of it.

    1. Nick Kew Silver badge

      Who says they didn't tell the spooks? Or even that they didn't create it under the direction of the spooks?

  4. Will Godfrey Silver badge
    Facepalm

    Quite Ironic Really

    Oh, and we need a ROTFL icon.

  5. Grease Monkey

    Weasel

    "In 2009, we published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us."

    The weasel words are strong with this one.

    1. ARGO

      Re: Weasel

      I read that as "we know our security is crap and we expect our customers to fix it themselves"

      1. Anonymous Coward

        Re: Weasel

        Worse, "we won't tell our customers that our security is crap so they won't even know that they are expected to fix it themselves"

    2. Sureo

      Re: Weasel

      In other words, the software was so poorly designed and implemented that it couldn't be fixed.

  6. Walter Bishop Silver badge
    Facepalm

    Open architecture leads to hacking says Cisco

    “Because of the open architecture, video feeds could theoretically have been subject to hacking.”

    Or theoretically Cisco doesn't know what it is talking about.

  7. Pascal Monett Silver badge

    "there is no evidence that any customer’s security was ever breached"

    If I read that correctly, the feed was open and accessible. I take it then that, if someone had been interested in hacking it, it would hardly be difficult if you have the technical know-how.

    In that case, I'm guessing there would not be much as far as traces are concerned, so what "evidence" could you possibly discover and have you actually looked for it instead of just spouting a variation of "we take our customer's security very seriously" ?

    1. Anonymous Coward

      Re: "there is no evidence that any customer’s security was ever breached"

      I think you're misreading that - they never said that they actually went looking for anything. "There is no evidence" simply means "nobody walked up to us and slapped us across the face with the evidence"...

  8. Anonymous Coward

    So, trying to understand what happened here, somebody stacked the boxes on the wrong side, and the label "BACKDOORED - EXPORT ONLY" was not visible?

  9. Cuddles Silver badge

    Not much of a defence

    "Cisco, for its part, says that the VSM products at issue have not been sold since 2014 and the flaw can actually be traced back to the original development of the software by Broadware, a company Cisco assimilated back in 2007."

    In response to being accused of not fixing, or notifying customers, a critical flaw between 2008-2011, their response is that the flaw was actually present from 2007-2014. How exactly did anyone think that was going to help their case?

  10. phuzz Silver badge
    Trollface

    Bug or feature?

    Q) How can you tell this was a bug?

    A) Because if Cisco made a product that allowed you to control an entire network, they'd charge you through the nose for it.

  11. adam payne Silver badge
    Joke

    While the details of the bug have not been shared, the complaint stated that a successful exploit would potentially allow for a complete network takeover.

    Well the US government want backdoors in other people's software, so Cisco gave them an unintentional one.

    1. Jeffrey Nonken Silver badge

      Sure. Fair is fair.

    2. Tom -1

      Adam Payne, I'm surprised by your statement "Well the US government want backdoors in other people's software, so Cisco gave them an unintentional one."

      What on earth makes you believe it was unintentional? They may even have been getting paid by some sub-organisation of the US government to provide such exploits? Perhaps the CIA? And/or the FBI? After all, those organisations visibly care not a jot about obeying US law, they reckon they can do whatever they like or whatever their masters (not the people or the press) want them to do even if it is contrary to US law. (Much like most of the rest of the world, I guess.)

      As long ago as 2004 (or was it 2005 - I can't remember) I introduced a rule that our company would no longer purchase (whether for ourselves or on behalf of our clients) anything provided by Cisco, because everything we had from them appeared to me to be bug-riddled crap and totally insecure.

      I haven't yet met anyone who disagrees with that view of how Cisco's products were way back then, but I can't be certain that they haven't improved in the last 10 years as I retired in 2009 and stopped worrying about such stuff - my home computers would never use anything provided by Cisco anyway, as their stuff is priced for large enterprise customers, not for retired old men.

  12. J. R. Hartley Silver badge

    Oh dear

    "The most critical flaw in the Cisco VSM allows the user of any video observation point, no matter how restricted, to gain access to the full contents of the system to which the central server is connected"

    That sounds pretty fucking critical to me.

  13. sanmigueelbeer Silver badge
    WTF?

    though there is no evidence that any customer’s security was ever breached

    Don't be silly. If a foreign nation had hacked into the system, they would want to keep a tight lid on it.

    The case started in 2011 only got resolved in 2019? Funny. Cisco must've been waiting for all the clients to replace the cameras before "caving in".

    I wonder what the result of the court case would've been if this involved an existing piece of equipment still in use.
