FBI Says Military Had Counterfeit Cisco Routers
There are new developments in the case of the counterfeit Cisco routers, which we have been discussing for some time. The NYTimes updates the story after an FBI PowerPoint presentation made its way onto the Web. It seems that experts at Cisco have examined some of the counterfeit routers in detail and proclaimed that they contain no back doors. Others don't believe we can be so sure. "Last month, [DARPA] began distributing chips with hidden Trojan horse circuitry to military contractors who are participating in the agency's Trusted Integrated Circuits program. The goal is to test forensic techniques for finding hidden electronic trap doors, which can be maddeningly elusive... The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor... The researchers were able to create a stealth system that would allow them to automatically log in to a computer and steal passwords."
And outsourcing.... (Score:5, Interesting)
Re:And outsourcing.... (Score:5, Informative)
Re:And outsourcing.... (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Let's say you have the FPGA code for an FPGA for a firewall. All it takes is to put a bit comparator next to the input buffer (which could be hidden with the checksum hardware) and when the magic packet hits it, it sends a reset to the filter section causing it to default into a "pass all" mode. The real pro
Re: (Score:2)
Can you imagine the paranoid Soviet reaction if they believed a nuclear-like enemy attack had already taken place?
You misunderstand. It was the Soviets who built the gas pipeline and installed the western (i.e. American) pumping turbines and software that their KGB agents had bought through intermediary companies in violation of export restrictions (i.e. they used cloak and dagger to acquire the technology, hence the reason for the United States to introduce the 'bug' into the system...to prevent their thieving ways from paying off when they stole the fruits of our national defense technology research). It was the US
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
The intuitive interface bit might still work.
Re:free software distributes the effort. (Score:5, Insightful)
Maybe, however, I am missing something about the procedure you are proposing; what parts would be open source?
Re: (Score:2)
Items with high capital costs don't work well as "open source;" basically, the manufacturing plants cost so many billions of dollars that no one who isn't doing proprietary work could afford it.
That's counter to the reality of the current market. Almost all "computers," including routers and many other types of specialized systems are manufactured on contract. Lots of the components are manufactured on contract too, TSMC and IBM are some of the largest contract semiconductor manufacturers in the world. The ginormous capital costs of manufacturing plants and fabs are amortized over years of contract manufacturing.
Even if you could open source chip design (a dicey proposition, since there are many fewer EE PhDs that want to donate time than there are CS PhDs,)
I think we are beyond the point where "working for free" is assumed to be a requi
Re: (Score:2)
Re: (Score:3, Interesting)
The solution is not to verify every chip, because that's probably impossible. Somebody's going to sneak something in somewhere. The solution is to make all data that travels through the chip unintelligible -- e.g. point-to-point encryption for *all* connections.
Once you encrypt all communications, the biggest security concern becomes the endpoints,
Re:And outsourcing.... (Score:5, Interesting)
As the NSA already seems to be certifying comm. gear in the military (or might even make the chips for it). Perhaps even for other departments like the FBI. I see one possibility of this that the NSA certifies routers (or makes them itself) or at least makes them in the USA. I don't work with routers nor am I familiar with their manufacturer. I guess my last point, pertaining at least to the FBI investigation, would be invalid if Cisco makes some routers in the USA except, as you indicate, for some chipsets. Though even one chipset in itself could pose a significant risk.
I'm just surprised that the FBI is even making a "presentation" to anyone on this; regardless of whether the presentation leaked or not.
Re: (Score:3, Insightful)
The outsourcing boogeyman has nothing to do with this - relying on the "USA A-OK" school of thought as some sort of defense against malicious hardware is obviously not a good idea.
Re: (Score:2, Insightful)
It's worth noting you can do everything a Cisco router can do with a Linux box. I just built a box with Zebra and a solid state hard drive along with a 4 port network card. I have some pretty good throughput with that and I would have no trouble adding additional cards for connections to OC48s and higher.
Cisco is becoming increasingly irrelevant. They don't bring anything to the table that isn't already out there and they segment it all so it's a lot harder to manage than it needs to be.
Anyone else notic
Re: (Score:2)
Re: (Score:2)
Re:And outsourcing.... (Score:5, Insightful)
Except connect to a SONET network. Or a DS3 interface. Or aggregate multiple T1s. Or support terabit switching and routing speeds.
Re: (Score:3, Informative)
SONET, DS3, and DSUs in any quantity can be purchased for a computer without a problem. When you get into the terabit range you still have a lot of options.
For switching Cisco makes zero sense, HP gives you higher through-put for less money and they aren't the only ones. Let the router do the routing and the switch can do the switching.
The only reason Layer 3 and 4 switches are becoming commonplace is because routers get more and more expensive the higher up the stack you go. There is nothing worse than
Re: (Score:2)
I see you didn't mention Call Manager with Cisco VOIP. Software updates causing random breaks. CM requires a complete regression test before you can deploy it, especially if you have 3rd party tools. If someone doesn't work right you have a 50/50 shot at getting a good Cisco tech to help you.
I've run into a lot of hardware related issues with my Cisco equipment, so much so that it mostly all got replaced with HP switching gear. Right now an HP switch does all the routing at each site but my Zebra setup is
Re: (Score:2)
You seriously think you can't do QoS or have IPS/IDS all at the same time on a Linux box? Seriously? You think it doesn't scale? Honestly, Cisco got to where it is today because there was no alternative before. Now there is real competition from all over the place and Cisco's offerings are anything but leading the industry. They always take an idea, we'll use OSPF for example and make a proprietary protocol which I will grant is a little more efficient but it is indeed proprietary and locks customers into u
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:And outsourcing.... (Score:5, Interesting)
Re:And outsourcing.... (Score:5, Informative)
Re: (Score:3, Insightful)
Flash memory... cold war? Surely you must be joking
They used a camera with a roll of film, which they then had to develop
Re: (Score:2)
Re: (Score:2)
I know US photo copiers had to be certified and locked down. After there would be two, an uncertified one for routine office paperwork, and a certified one. You had to get permission to use either.
We've always been at war with Eurasia (Score:2)
This sounds like a case of spin worthy of Winston Smith from the Ministry of Truth.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)
"Counterfeit" not an issue... (Score:5, Interesting)
In this case, if Cisco is comparing the counterfeit routers to their legit ones, they should always be the same.
The question this doesn't answer is this: does the LEGIT Cisco equipment contain back doors? How can Cisco be sure it doesn't? Most of the components are manufactured offshore and the assembly is done offshore. Have they examined each part with an electron microscope to verify it doesn't do anything more than what the spec says it should do?
They can't just watch for network activity; these routers might be filtering and caching data waiting for the eventual physical removal of the router in the next upgrade cycle -- or, they might all have a kill switch built in, so someone can remotely take out ALL routers. There are an infinite number of possibilities to look for, and since Cisco doesn't manufacture everything in-house, they really don't have much hope of detecting that none of the infinite possible modifications have been made.
"Partnership" (Score:4, Interesting)
Re: (Score:2)
If you're looking for more: "This ship who *" and "The city who fought"
Re: (Score:2)
Seriously, what did you expect how this scheme is foiled? What I described is SOP for this situation.
Re: (Score:2)
The only other thing you need is an awkward, sexually frustrated adolescent boy genius to pilot it and you're golden.
Re: (Score:2)
Re: (Score:2)
Anne McCaffrey wrote a book called PartnerShip [amazon.com] with a plot very similar to this situation. The villain provides chips to the Galaxy, including the military. When nearly everyone has upgraded, it turns out that he can remotely control every device, including military hardware, controlled by the chips. That's enough of a spoiler. How can such a grand and well planned scheme be defeated? You'll have to read to find out...
Microsoft agrees to roll out a beta service patch on auto-update early, when all the evil machines start choking on it, heroes come in with manually-controlled weapons to blow them up and save the day.
Re:"Counterfeit" not an issue... (Score:5, Interesting)
Government purchasing (Score:2)
I am generally for free trade and against protectionism, but I am leaning more and more towards the need for a law that makes it mandatory that all gear (guns, routers, computers, coffee makers, etc.) purchased by the Government for any use that is even remotely sensitive be made in the US by US owned companies. That won't necessarily solve this kind of problem, but it would certainly make it far easier to prosecute entities who do things that threaten our national security.
As for "prosecuting" the military has weapons for that sort of thing. Lot cheaper to send a team of Navy Seals to handle a situation than to insist everything be US made.
On a more serious note, I think you should take some time to look at how the US government does procurement. Typically the US government is EXTREMELY rigorous (to the point of stupidity sometimes) in how they source, where they source from, the design of the products, how much will be paid and when. Generally speaking the US military an
Re: (Score:2)
Ha. Yeah. Let's send the military after, say, China where a significant amount of the goods the US consumes are made.
Notwithstanding the economic and trade disaster that would ensue (take a look at who owns US debt these days), they could fuck us up militarily. They've got nukes, they've got a way, way larger army than we do, and ain't
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
would be a radical departure from the free rein allowed to companies WRT to outsourcing the manufacture of devices that are critical to national defense and infrastructure.
Such as? Seriously, I'm curious about your experiences. I've got a lot of experience with global sourcing though mostly in the private sector. I've also had exposure to government procurement though it's not my main expertise. I'm aware of many instances of defense infrastructure being outsourced (recent example: the Northrop/EADS tanker contract) but I'm hardly an expert on the matter. What have you seen outsourced that is genuinely critical and you feel should not be outsourced? No joke, I'd like t
Re: (Score:2)
As for my experiences, those were mostly with providing people, consulting and services to the Government, not gear. I seriously can
Re: (Score:2)
Not only would it help keep some manufacturing jobs here but it would just make me feel a lot safer.
I understand. Believe it or not I used to feel the same way. I had to be involved in global sourcing for quite a while to come to terms with the idea that maybe, just maybe, it's ok if we buy some stuff elsewhere. It is not an intuitive idea, that's for sure and it IS a little unsettling to rely on something manufactured in a country you might not totally trust.
Certainly there are critical items that absolutely should never be manufactured anywhere but in the US. But I'd submit that some less critical
Re: (Score:2)
In general I'm all for free trade. I could care less if call centers move to India, or if we buy toys made in China (lead free please!). When it comes to critical components though, they should be a bit closer to home. That goes for any network hardware used by the Government, too.
US made (Score:2)
Re: (Score:2)
I think the past couple months of economic headlines are putting to rest that notion that destroying your manufacturing base is a good idea.
Where did you get the idea that the US manufacturing base has been "destroyed"? Sure, a lot of labor intensive work has migrated to locations with low labor cost. But US manufacturing output has increased in the last 10 years. For example manufacturing output in Michigan rose 6.6% from 2001-2006 [nam.org] and Michigan is one of the harder hit states in the recent economic downturn. Employment in manufacturing has fallen but actual output has increased quite steadily. It's no different than the farm industry. F
Re: (Score:2)
Re: (Score:2)
Re:"Counterfeit" not an issue... (Score:5, Interesting)
If I did purchase a card or Cisco product that did pass the Andover test, then chances are that it was manufactured on the same assembly line, but then you would most likely see a report of a duplicate MAC address on a "genuine" Cisco product somewhere. So yes it's a possibility, but highly unlikely IMHO.
Selling out the back door (Score:5, Informative)
That said, it's pretty low on the list of likely threats. Pretty hard to know exactly what gear will be placed where and what it will give you access to. Plus even with a back door, places with sensitive data are more likely to be monitoring the traffic which is harder to hide.
Re: (Score:2)
Pretty hard to know exactly what gear will be placed where and what it will give you access to. Plus even with a back door, places with sensitive data are more likely to be monitoring the traffic which is harder to hide.
They can't just watch for network activity; these routers might be filtering and caching data waiting for the eventual physical removal of the router in the next upgrade cycle -- or, they might all have a kill switch built in, so someone can remotely take out ALL routers. There are an infinite number of possibilities to look for, and since Cisco doesn't manufacture everything in-house, they really don't have much hope of detecting that none of the infinite possible modifications have been made.
Re: (Score:2)
They can't just watch for network activity; these routers might be filtering and caching data waiting for the eventual physical removal of the router in the next upgrade cycle
Which presumes the entity making the modifications has access to the device and the upgrade schedule - rather a stretch I think. Plus, our government isn't exactly known for rapid upgrades. Timeliness of any information would be a huge issue.
-- or, they might all have a kill switch built in, so someone can remotely take out ALL routers.
Which presumes that all such said routers can receive such signals. Possible? I suppose, but incredibly unlikely. And even if it happened what are the effects? Hard to predict but probably not devastating. Now if it can disable warships? That's a problem.
There are an infinite number of possibilities to look for, and since Cisco doesn't manufacture everything in-house, they really don't have much hope of detecting that none of the infinite possible modifications have been made.
They
Re:"Counterfeit" not an issue... (Score:5, Informative)
Re: (Score:2)
Clearly these two boards are not from the same manufacturing line.
There are more detailed photos here [andovercg.com].
IMHO the extent of differences they are talking about (The brand mark on the RJ-45 connector, the font of the barcode sticker, and suchlike) could easily be explained by a completely normal mid-production change in suppliers. I would say it is far from clear that the two boards are not from the same manufacturing line. Indeed, it would be hard to make two such identical boards without the original CAD data.
Just my $0.02
Re: (Score:2)
Take a closer look. Just eye-balling it quickly...
* The metal flange is different.
* The flange screws are different.
* The silkscreened writing placement is different.
* Most of the major components are in the same places, but not all of them.
Sure, if a few cans had been soldered crooked, maybe. But really, take a close look. Not the same board at all.
Re: (Score:2)
Not a big surprise. (Score:5, Informative)
Re: (Score:2)
BTW, where can I get some of this generic equipment?
They aren't the same (Score:2)
http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1-v2.shtml [andovercg.com]
Question is... (Score:2, Interesting)
That seems like a logical test, so I have to wonder if they have done it already... or not?
If they contain no backdoors, *THAT WE CAN FIND*, do we continue using them?
Fear Fear Fear (Score:4, Insightful)
This seems like a scare tactic to "warn" people about the dangers of fake hardware/software. Expect a big push around these types of "stories" as more bills like PRO-IP go through Congress and as the creation of the IP & Copyright Czar in the White House gets a big push.
It's a concern but seems to point more to incompetence rather than some difficult-to-spot threat. Why are government agencies not buying directly from Cisco? Seems they should have some sort of corporate connection.
"We must protect our precious bodily fluids."
Re:Fear Fear Fear (Score:4, Insightful)
2) It's a concern when you consider the potential effects of this kind of infiltration. Buying directly from Cisco, in no way, protects you from this problem. The hardware is still made overseas in some factory by a bunch of people who may not like the US very much (which is true of 99% of the planet right now).
Apparently you lack the imagination to see how ugly this can get. Fortunately DARPA isn't run by you.
Re: (Score:3, Interesting)
Having said that - I would agree that counterfeit gear is a real issue with real potential
Re: (Score:2)
2) He was arguing from a sardonic "government spin" perspective. What you say is true; he's trying to point out how the PR groups will avoid that fact.
I take it you didn't get the Dr. Strangelove reference.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
/Light Bulb Flashes Overhead (Score:5, Funny)
Re: (Score:2)
You reap what you sow (Score:4, Interesting)
Technical details of malicious hardware (Score:5, Informative)
-- computer scientists from University of Illinois
it is important to carefully inspected new gear. (Score:5, Funny)
Re:it is important to carefully inspected new gear (Score:2)
Re:it is important to carefully inspected new gear (Score:2)
How many back doors? Who has the keys? (Score:4, Interesting)
The question is not whether Cisco routers have back doors. That has to be assumed. If I was running NSA over the last several decades, I would have my people deep inside every communication equipment manufacturer. The manufacturers' management might not even know about it.
The NSA surely has arranged to have one or more back doors designed into virtually every kind of communications switch. The only Cisco employees who would know about them would be the NSA people who work inside Cisco, and some regular Cisco employees who have been cleared. If this has not been done, the NSA senior managers should be fired or jailed.
The real questions are: How many back doors are there? and who has the keys? The (assumed) NSA back door might not be the only one. There is a possibility that the Chinese or Indian chip-fab or software contractors have also installed back doors for their own governments.
With billion-gate machines, a few thousand extra gates would be hard to see. If the extra logic looks like instruction-cache, but just has a little extra code, it would be almost impossible.
the real thing probably also has back doors--ours (Score:2)
Conversely, I would fully expect the CIA or NSA to have programs in place to surreptitiously install back doors in routers for our use, either with or without the manufacturers' cooperation. A
Re:the real thing probably also has back doors--ou (Score:2)
It isn't like "New and improved: know which printer printed every page, whether you want it or not!" was a good marketing slogan.
You got Crypto AGed (Score:2)
What did Cisco get to read?
http://english.ohmynews.com/ArticleView/article_view.asp?menu=A11100&no=381337&rel_no=1&back_url= [ohmynews.com]
Re: (Score:3, Interesting)
Re: (Score:2, Interesting)
Re: (Score:3, Insightful)
Re: (Score:2)
So uh, which country are you alleging is neither brutal nor tyrannical?
Re: (Score:2)
http://dictionary.reference.com/search?r=2&q=Tyranny [reference.com]
China, though I haven't researched the matter thoroughly, might qualify.
If you think the US a tyranny, then I wish you could go live in an actual tyranny, briefly, for comparison.
Re: (Score:3, Insightful)
If you think the US a tyranny, then I wish you could go live in an actual tyranny, briefly, for comparison.
arbitrary or unrestrained exercise of power; despotic abuse of authority. - check! It's just in other countries. the government or rule of a tyrant or absolute ruler. - check! The executive branch has been heading towards full dictatorial powers and can now "legally" seize them in case of an emergency, in so many words. oppressive or unjustly severe government on the part of any ruler. - check! In my opinion just the laws against victimless crime are sufficient to qualify. One percent of our population i
Re: (Score:2)
I could also be potentially hit by a jet aircraft.
Is my government, in addition to being tyrannical, negligent concerning overall safety, by permitting, in its despotic abuse of authority by an absolute ruler, this obviously dangerous air travel above my head?
Your sig nearly causes me to dump this thread, but let me leave you with a link to a rather fashionable refutation of your charge of tyranny:
http://www.zazzle.c [zazzle.com]
Re: (Score:3)
Is the goal here to trade examples of hyperbole, or to engage in a thorough critical analysis of some arguably crappy policy decisions and tragedies that resulted therefrom?
I had subscribed to RMS's political RSS feed for a while, but the continuous stream of unhelpful thought along the lines of your quoted fragment became too much.
Clinton, Bush, et al. are just flexing the http://en.wikipedia.org/wiki/War_ [wikipedia.org]
Re: (Score:2, Informative)
Re: (Score:3, Informative)
You know twitter, my dad and his brothers lived through Argentina's "Dirty War". I didn't really understand what they went through until I was a little older and he asked me to play (and pay attention to) one of his old LP records. It's amazing how a simple song will open our
Re: (Score:2)
If what you say were true, you would know how these things start and your relatives would be very nervous right now. Friends of mine are survivors/refugees of Nazi Germany, the Soviet Union, Franco's Spain, Palestine, Vietnam and Guatemala. All of them that I'm in touch with are terrified of what they see. Which violations do you defend? Invasion of privacy, newspapers being raided, repression of opposition groups, rampant paranoia, torture and conquest, what do you think are appropriate for your new ho