Forgot your password?
typodupeerror
Security United States Hardware

FBI Concerned About Implications of Counterfeit Cisco Gear 273

Posted by timothy
from the now-watch-these-chickens-well dept.
SpicyBrownMustard writes "An FBI PowerPoint presentation provides details about a criminal investigation into counterfeit CISCO hardware originating from China, and sold by Gold/Silver partners to numerous US government, military, and intelligence agencies. The concern of the article's author and the FBI is that the counterfeit equipment may be state-sponsored to aid in accessing otherwise secure systems (slides 46+47). Says the article author: 'The threat is real. Compromised hardware of potentially hostile foreign origin sits within secure networks of the US government, military, and intelligence services. And as you now see, the FBI has been concerned about it.'" We've mentioned the seizure of some of this equipment before, but this presentation adds quite a bit of detail, and highlights the FBI's concern of Chinese government involvement.
This discussion has been archived. No new comments can be posted.

FBI Concerned About Implications of Counterfeit Cisco Gear

Comments Filter:
  • Well that's a change. For once a counterfeited items seems a little bit dangerous.

    That's a much better job as scaring us to support the anticounterfeit capains than the previous stuff.

    I mean, I've seen those ads saying "counterfeited items can kill" with a teddy bear ready to burn a child alive because he's not fireproof, and I must say it felt a little bit too much.

    The fact that the financial loss they claim is mostly due to fake Rolexes, Channel stuff and the like doesn't help. I mean, how many people who
    • > The fact that the financial loss they claim is mostly due to fake Rolexes, Channel stuff and the like doesn't help. I mean, how many people who buy a fake Rolex could afford a real one?

      That's not the point. The reason the brand owners get their panties in so much of a bunch over the counterfeits isn't because the plebes buying the fakes could actually afford to buy a real one, if they weren't wearing a fake ... it's exactly the opposite. When the flunky working the counter at Blockbuster is wearing a good-as-real Rolex, suddenly the brand isn't worth quite as much, and if you're some hotshot looking to make a statement about exactly how much disposable income you have, maybe you'll go buy something else -- something more difficult to fake, something with more intrinsic value -- instead. That's the real worry for high-end brands. It's not the lost sales, it's the damage to the brand that inevitably occurs when average folks get their grubby little McDonalds-covered paws on them.

      Which really just makes those "counterfeits kill" ads all the more ironic; the people those ads are being marketed to are essentially the high-end marketer's enemy. They're the ones who must be denied access to the high-end brands; who must be made to covet without actually being able to possess.
      • Re: (Score:2, Interesting)

        by Anonymous Coward
        There was an interesting article in Science News a couple of weeks ago about fake drugs from China - apparently up to 40% of the malaria and other drugs sold in Asia are fakes. The article talked about how they traced some to a factory in China that they shut down. But "fakes kill" could be a real message here if these drugs either do nothing or are just contaminated.
        • Oh I agree. But the political pressure -- and I think money as well -- behind the counterfeit-interdiction efforts (at least in the U.S.) is coming from high-end brands. They're using the drugs as a ruse to get attention, but then insisting that inspectors waste time looking for faux Rolexes and handbags.

          Fake drugs, aircraft and machine parts, and to a lesser extent IT infrastructure components, are all serious issues. I didn't mean to understate the seriousness of any of them. But there is a huge difference between a counterfeit drug that's actually poison, and a counterfeit handbag that's made without the permission of the trademark-holder. The first represents a clear and obvious danger; the latter is a vague intellectual-property crime at worst. I'm very concerned that enforcement efforts spurred by the former are actually being used for the latter.
    • by QMO (836285)

      how many people who buy a fake Rolex could afford a real one?
      [tongue-in-cheek]Just the ones that actually work for their money.[/tongue-in-cheek]
    • by jorghis (1000092) on Tuesday April 22, 2008 @11:11AM (#23158716)
      The counterfeit thing is nonsense. The chinese could just as easily modify a non-counterfeit router as a counterfeit one.

      The counterfeit hardware isnt really counterfeit, instances like this are usually just the guy who runs the factory keeping it open an hour later than he is telling Cisco and producing a bunch of extra routers that he can sell on the cheap. The counterfeit item itself is typically exactly the same when we are talking about electronics. Its not like they are using completely different designs and slapping the Cisco brand name on it. (I am sure there are exceptions to this that someone will point out but I am speaking in general terms here, this rule applies for most counterfeit electronics)

      Sure, we should be concerned because American companies are having their IP that they put a big investment into stolen, but its no less secure to buy a counterfeit router than a non-counterfeit.
      • Re: (Score:3, Insightful)

        by sleigher (961421)
        Maybe it's high time America starts to look at how its manufacturing gets done. We spent all this time and money to offshore our manufacturing at the expense of American jobs because of our bottom line. Now we are reaching "long term" and it is going to wind up costing us more than if we kept it here at home. Maybe, just maybe, the corporations will start to look at their long term outlook in a different light. Just because you are getting cheap labor today does not necessarily mean you will save money
    • by rbanzai (596355) on Tuesday April 22, 2008 @11:16AM (#23158786)
      I think you have not heard of counterfeit brake-pads. Counterfeits are a significant danger when they move beyond the more visible realm of watches and bags. I would not be surprised if at least 50% of all manufactured items are subject to counterfeiting and it goes all the way down to mundane but important things like o-rings, cotter pins, bolts, cables, etc.

      The problem remains the same whether it is a simple or sophisticated item: something has been compromised. But what exactly? Finish, fit, function? Do you want to gamble your life on it? Your property? Your data?

      I don't care about watches and bag. The rest has me concerned.
  • by neoform (551705) <djneoform@gmail.com> on Tuesday April 22, 2008 @10:15AM (#23157808) Homepage

    It's not fair, if people are using the Chineese pre-wiretapped routers, we can't get people to use OUR specially pre-wiretapped routers!
  • Nightmare (Score:5, Insightful)

    by chrome (3506) <chrome.stupendous@net> on Tuesday April 22, 2008 @10:16AM (#23157820) Homepage Journal
    This is a complete and utter nightmare, for so many reasons. You start to mistrust the routers in your network, then you should also distrust most of the tools in your arsenal. Can you trust that laptop? What about the chipset in that laptop? Can you trust the copy of GCC you have?

    This is going to keep a lot of people awake at night.
    • Re:Nightmare (Score:4, Insightful)

      by Arccot (1115809) on Tuesday April 22, 2008 @10:21AM (#23157922)

      This is a complete and utter nightmare, for so many reasons. You start to mistrust the routers in your network, then you should also distrust most of the tools in your arsenal. Can you trust that laptop? What about the chipset in that laptop? Can you trust the copy of GCC you have? This is going to keep a lot of people awake at night.
      Indeed. Even if you tried to flash the firmware on your routers to clean them, who is to say the "bad" firmware isn't designed to look like it was flashed, but really do nothing to get rid of any backdoors?

      If you can't trust the hardware, you can't trust anything. Scary stuff.
      • by jandrese (485)
        I think the concerns run deeper. What if the modifications are in the ASICs instead of in the flash?

        Luckily, while there is a theoretical possibility of an attack using that vector, it seems unlikely to me once I consider the difficulty of adding a full speed packet sniffer on a Cisco that doesn't impact performance noticeably and has some way to get data out of a network you don't know. It's not like the government says "I'm buying this router to install in classified network X", rather they buy from a
        • by Megane (129182)

          allows an IP address through

          Or maybe a back-doored packet forwarding ASIC which ignores all ACLs to filter a particular netblock, like say 203/8 or 202/7, of which large chunks are in China? (or something more specific if you prefer)

          As for the parent post, you should be able to tell that your firmware got flashed by loading a different feature set. The trouble is, what if it's the hardware that is subtly subverted, regardless of the firmware, as in my example?

      • by sjames (1099)

        Who says the real Cisco made in the same factory by the same people isn't just as thoroughly hacked?

        Perhaps it's time to INSIST that those jobs come back to the U.S.

      • Re: (Score:3, Insightful)

        by samkass (174571)
        It doesn't even have to be a sniffer or anything. They could simply have put something in the power supplies such that some sort of signal (maybe from a satellite?) would trigger all the routers to turn off, or something in any of the ASIC that would fry them on command. Just as our carriers are rushing to Taiwan's defense, *poof* all C2, logistics, and situational awareness capabilities revert to the early 20th century.
    • Re: (Score:3, Funny)

      by neoform (551705)
      The solution: Buy a router from every major router maker, then use them all chain-linked together. That way you get super-ultra firewall protection.. and unless the Chinese AND the NSA are working together, you can't be hacked! FLAWLESS VICTORY!
    • Re:Nightmare (Score:4, Insightful)

      by sm62704 (957197) on Tuesday April 22, 2008 @10:24AM (#23157978) Journal
      You can only trust software that you have examined the code and compiled yourself, and people you trust who have examined and compiled the code themselves.

      I trust neither Cisco nor the FBI.
    • Re:Nightmare (Score:4, Insightful)

      by jdunn14 (455930) <jdunn@igTOKYOuanaworks.net minus city> on Tuesday April 22, 2008 @10:25AM (#23158004) Homepage
      It's really nothing new, and there is no real solution other than you have to trust someone at some point. For an entertaining paper about this exact problem in the software world, check out "Reflections on Trusting Trust" by Ken Thompson [cmu.edu]
      • by chrome (3506)
        yeah, i've read a lot of Ken's work. I'm as old enough that I'm getting grey hairs. Naturally, not through stress. Though I do wonder about that C compiler I user at work a lot ...
        • Re: (Score:3, Funny)

          by TheLink (130905)
          The grey hairs are because even your very DNA is being subverted and counterfeited.

          That's what you get with cheap clones.

          Just wait till Monsanto and friends catch up with you. Unauthorized reproduction and all that.
    • Re:Nightmare (Score:5, Insightful)

      by demachina (71715) on Tuesday April 22, 2008 @10:29AM (#23158068)
      I think you are just getting a dose of turn about is fair play. The CIA and NSA have tampered with electronics being sold to America's adversaries for years. Countries like China and Brazil have zero confidence in Windows because of the possibility of back doors allowing the NSA and CIA access, which is why Linux is so popular in these countries, especially for government use.

      I'm not exactly sure why counterfeit Cisco routers are considered more of a security threat than real Cisco routers since Cisco, like a lot of American companies, are outsourcing so much of their hardware manufacture and software development to China. The Chinese government can just as easily put an agent in to any of these companies and slip back doors in to the real products.

      All in all this is just the price you pay for exploiting cheap labor in a country that has been a bitter adversary for the last 60 years.
      • Re: (Score:3, Insightful)

        by couchslug (175151)
        "All in all this is just the price you pay for exploiting cheap labor in a country that has been a bitter adversary for the last 60 years."

        At this point the adversary relationship is our choice, and as China becomes more powerful we should consider its functional value rather than our post-Colonial nostalgia for White power in Asia. We have a mutual cultural enemy in Islam, and far more interests in common than otherwise. (Tibet is functionally expendable. It needs us but we don't need Tibet.)
        Time to quit h
      • Re:Nightmare (Score:5, Interesting)

        by ZorroXXX (610877) <`moc.liamg' `ta' `ladvolh'> on Tuesday April 22, 2008 @01:22PM (#23160592)

        I think you are just getting a dose of turn about is fair play.
        I would rather call this unfair play.

        The CIA and NSA have tampered with electronics being sold to America's adversaries for years.
        I hate USA for forcing the yellow dots [eff.org] "feature" on all colour laserjet printers, making it (almost?) impossible to buy one without, even when I do not live in USA.

        I mean, one thing is what a government does to its own citicents; it sort of have authority to do whatever it wants except as limited by international agreements. But one country should not be able to force its own politics upon other countries. Just recently usage of wi-fi has been restricted in Russia [slashdot.org]. What if a country, say Burma, made usage of wi-fi illegal, should then other countries suddenly be forced to make it illegal as well?

        As my old HP Laserjet 6L is clearly showing its age on the printouts, I am currently actively searching for a replacement and would like to have a colour laserjet. Does anyone have tips for getting an affordable one, without the yellow dots?

      • Re:Nightmare (Score:4, Insightful)

        by aurispector (530273) on Tuesday April 22, 2008 @01:39PM (#23160820)
        Agree. And don't forget the chinese have been the beacons of freedom for the last 60 years, spreading democracy and human rights at every turn.
    • Re:Nightmare (Score:5, Interesting)

      by Kadin2048 (468275) <[slashdot.kadin] [at] [xoxy.net]> on Tuesday April 22, 2008 @10:37AM (#23158186) Homepage Journal
      > This is going to keep a lot of people awake at night.

      As well it should, because they never should have allowed the production of critical national-security infrastructure components to be outsourced in the first place. Now that they've dug themselves into an impossibly deep hole, they're going to start complaining that the view sucks.

      I think the first thing that needs to happen, is that some agency (the NSA seems the most suited) needs to create and bootstrap 'reference platforms' for various architectures. Create a secure compiler chain from the ground up, auditing code the whole way. There's no other way to be sure that you're not just compiling in backdoors, otherwise.

      Then with that accomplished -- and it would need to be done for every architecture that needs to be secured -- they'd at least have a secure toolset and compiler chain to vet COTS code with. (It goes without saying that any product that doesn't come with source code, and which can't be compiled on a secure compiler and then have that object code loaded in and run, should be immediately removed from the secure infrastructure. It's beyond broken.)

      It would be a major effort, and probably a large shift in scope for the agency put in charge of it, but I think the problem is too important to do anything less. The economic, political, and military security of nations is going to rest firmly on electronic infrastructure, and we need to make the trustworthiness of that infrastructure a national priority.
      • Re:Nightmare (Score:4, Insightful)

        by chrome (3506) <chrome.stupendous@net> on Tuesday April 22, 2008 @10:41AM (#23158262) Homepage Journal
        Yeah, I agree 100% here. It will never happen of course, because real, serious threats like this get brushed under the rug while other, spurious ones get an inordinate amount of attention, almost as if to say, he look! we're doing something.
      • Re: (Score:3, Interesting)

        by evanbd (210358)

        How much more tax money are you willing to spend? 10x? 100x? What about for the stuff that's important, but not national security important? Are you willing to live with the fact that the results will cost 100x as much and be 1/10th the speed? The government has been there and done that, at least for some sorts of components, and decided it couldn't afford to. Now, they might be wrong, but they might not be. It might be cheaper and easier to attempt to make the commercial gear secure, realize that won

        • Re:Nightmare (Score:4, Insightful)

          by Kadin2048 (468275) <[slashdot.kadin] [at] [xoxy.net]> on Tuesday April 22, 2008 @12:44PM (#23160056) Homepage Journal

          Are you willing to live with the fact that the results will cost 100x as much and be 1/10th the speed? The government has been there and done that, at least for some sorts of components, and decided it couldn't afford to. Now, they might be wrong, but they might not be.
          I guess it was implicit in my earlier post that no, I don't think they're right about that. I think they're really, really wrong, and I think the litany of security breaches we've seen in the public sector over the past few years, and the ones I expect to see in the future, are an indictment of the dominant mindset in government IT procurement.

          If we want to take advantage of electronic information-processing technologies, we need to find ways of making them secure. If we can't do that, then we shouldn't use the technology. Security shouldn't be optional: either it's feasible to do something securely, or it's too expensive, in which case the system shouldn't be constructed and alternatives should be considered, including not automating at all.

          I would quite frankly rather see large sections of the government switch back to using paper, which at least the average member of the civil service has a clue about securing, than use electronic systems that aren't secure -- and worse than that, that the users don't realize aren't secure.

          It might be cheaper and easier to attempt to make the commercial gear secure, realize that won't completely work, and deal with the occasional problem -- even at a national security level.
          You're right, it might be. But how do you quantify a potential national-security risk? It's possible to try and come up with after-the-fact estimates, but even then they're subject to a lot of guesswork. [1] Even something not normally considered to be a 'secure' system -- stuff like contracts-management, procurement, or contractor payroll -- could be used to effectively shut down or render ineffective large swaths of the government by an adversary who was interested in exploiting it.

          These costs need to be weighed very, very carefully, and I can tell you from first-hand experience that they aren't. Not even close. It's pants-shittingly bad in some cases, and the decisions are being made by people who are (in addition to frequently being just plain incompetent) so far down the chain of responsibility that they only consider the impact that a particular decision might have to their fiefdom. There is precious little in the way of coordination, and the sooner that changes, the better.

          I'm not holding my breath, though.

          [1] Just as an example, how would you go about trying to quantify 9/11? You could come up with the direct costs of the increased airline security, the DHS, the wars in Iraq and Afghanistan, but how do you quantify the lives lost? The economic damage? The people who decided not to get on planes, or the time spent waiting in longer lines? Then after that, you'd get into arguments about whether the event could be linked to the dollar's slide, or if that's totally independent, which might be another cost. The point being: it's difficult to quantify even afterwards what the costs of a particular event are; how are you going to quantify them for a potential event?
      • Re: (Score:2, Interesting)

        by wprowe (754923)
        Are we sure this isn't already being done in some way? Perhaps not in the exact manner you describe. Why assume they are not already working with these hardware and software manufacturers?
      • I think the first thing that needs to happen, is that some agency (the NSA seems the most suited) needs to create and bootstrap 'reference platforms' for various architectures. Create a secure compiler chain from the ground up, auditing code the whole way. There's no other way to be sure that you're not just compiling in backdoors, otherwise.

        That's probably excessive. You only need a from-scratch compiler to be just powerful enough to compile some version of, say, GCC. That solves the bootstrap problem. Then you need to audit the source for the version(s) of GCC you use, which is non-trivial but surely easier than writing a compiler from scratch.

      • Re: (Score:3, Interesting)

        by Lord Ender (156273)

        they never should have allowed the production of critical national-security infrastructure components to be outsourced
        If we built these things in America, we would have to raise taxes to pay for them, producing jobs, improving national security, and lowering the trade deficit along the way.

        How any jesus-loving American think raising taxes is ever a good idea? What are you, one of them durn libruls?
    • by LWATCDR (28044)
      Maybe somethings shouldn't be COTS?
      Maybe Cisco should open a factory in the US and sell a line of super secure routers. You can only buy them from Cisco and they are shipped right from Cisco to the buyer.
      Or maybe some other company should do that.

      I am just waiting for some group to slip some bot code into all those linksys/netgear home routers. Now that would be a bot net that would be hard to even detect. Who runs malware detection on their router?
    • by olddotter (638430)
      If you like in the world of Spys and Spooks, then you are used to being worried/paranoid. Its just like breathing.

      I do think these people should be concerned about their laptops, ipods, and anything else made in China. This is almost like us buying our equipment from Russia during the cold war.

      China is a "communist" country with a capitalist economy, a different and scary beast. One that makes the toys we and our government loves to buy. And the question is what have we forgotten how to make because we w
  • How is it, concern? Is there any evidence of shadow access to the cloned hardware or not? At the very least it should be rather easy to know if the cloned firmware is an exact copy of the Cisco firmware or not. I can understand the concern of cloned equipment in general, but to speak about a particular case and be so vague means for me that there is in fact no evidence of any type of backdoor.
    • Re: (Score:3, Informative)

      by Trigun (685027)
      IIRC, the gear was not counterfeit, but merely not licensed by Cisco. The same factories made X units, Cisco bought X units, everything else made it to the black market, and was considered counterfeit, due to the fake Cisco packaging, etc.
    • Re: (Score:3, Informative)

      by kcelery (410487)
      Please keep any eye on the Xerox repairman as well as the router guy.


      http://www.interesting-people.org/archives/interesting-people/199909/msg00020.html [interesting-people.org]

    • by sjames (1099)

      How is it, concern? Is there any evidence of shadow access to the cloned hardware or not? At the very least it should be rather easy to know if the cloned firmware is an exact copy of the Cisco firmware or not. I can understand the concern of cloned equipment in general, but to speak about a particular case and be so vague means for me that there is in fact no evidence of any type of backdoor.

      OK, I give up, how? How do they know the flash chip package doesn't have 2 banks. One that is normally presented as being the whole thing and a shadow copy that is presented when it recieves a particular access sequence?

      The only tests they have can tell them it WAS a clean router before the destructive tests.

  • Really (Score:3, Insightful)

    by TheRealMindChild (743925) on Tuesday April 22, 2008 @10:19AM (#23157882) Homepage Journal
    Really, if it is *that much* of a concern, quit buying from a third party vendor. License a spec, rent a manufacturing facility, put some people to work, and create your own Cisco Certified Uber Network Gear eXtreme, Uncle Sam Edition
    • by macklin01 (760841)

      Really, if it is *that much* of a concern, quit buying from a third party vendor. License a spec, rent a manufacturing facility, put some people to work, and create your own Cisco Certified Uber Network Gear eXtreme, Uncle Sam Edition

      By the article, Cisco has no direct sales--only gold/silver partners who they claim to train train themselves. However, some of the counterfeit equipment was purchases through gold/silver partners. -- Paul

  • FUD (Score:2, Interesting)

    by conan1989 (1142827)
    presume FUD until given proof. and check the source of any "proof" too, never trust those who stand to gain
    • Re: (Score:3, Funny)

      Yeah? And I think you're a CHINESE SPY!
       
      ;)
    • by ScentCone (795499)
      never trust those who stand to gain

      So, what do YOU stand to gain by portraying the feds' concerns about prospective threats to government infrastructure and everything that rides on it as bogus? How does your characterization (implied) that counterfeit routing equipment used to protect systems on which lives depend is just fine, and not a concern, benefit you? You seem to have a vested interest in devaluing the concerns of the people that are asked to protect national interests in this respect - possibly
    • by kcelery (410487)
      After your GM stocks fell, the Bear Stearns shrunk to almost nothing, son of your neighborhood got shot in Iraq .... one couldn't help casting some doubt over our position.
    • by PPH (736903)

      Could be that the Chinese stripped out all the CALEA-mandated hooks to make the stuff safe for their markets and now the FBI is having a hissy fit about clean equipment finding its way back onto the US market.

  • by Yvanhoe (564877) on Tuesday April 22, 2008 @10:21AM (#23157934) Journal
    I can think and think over it, there seems to be but one solution:
    Now is time for US Department of Sensitive Things to stop buying hardware and start buying blueprints. Buy VHDL and CAD files from CISCO, scrutinize them for threats then produce it yourselves.

    China is great for cheap production but there is a reason why military approved stuff are more expensive : among other resons, you can't let anyone build them.
    And if you want certified and cheap stuff, it is time to begin building robotic factories.
    • by Lonedar (897073) on Tuesday April 22, 2008 @10:26AM (#23158022)
      Ah, yes. A robotic factory would be a great solution to this problem indeed.
      In order to cut the costs to a bare minimum I recommend we order the robots from China.
      • by Yvanhoe (564877)

        In order to cut the costs to a bare minimum I recommend we order the robots from China.
        That's less of a problem. It is harder to put a malicious behavior in an unconnected device than on an internet router. The worst that could happen is the robot putting random bugs in designs. It is not an equipment that sees gigabytes of sensitive data per day.
    • Re: (Score:2, Informative)

      by Pascoea (968200)
      Sorry, not going to happen. I've personally built and troubleshot their competitors (Juniper) equipment and we didn't even have access to the VHDL, Boot Prom, OS, or any other software documentation. There is now way in hell that they are going to hand this information over to the government.

      Besides, the issue is not within the design itself. (I know, this point is arguable... but that is a different thread) the issue is non-trustworthy people building unauthorized reproductions of Cisco equipment.

      As

      • by Yvanhoe (564877)

        Sorry, not going to happen. I've personally built and troubleshot their competitors (Juniper) equipment and we didn't even have access to the VHDL, Boot Prom, OS, or any other software documentation.

        I am sure that there is a price to this. Make it a government policy that every military hardware must come with its full VHDL, schematics and firmware code. I honestly thought it was the case. I guess it is for very sensitive techs like missiles or planes. Maybe all we need to is to learn that network equipment can be very sensitive stuff as well.

        What do you think builds them? The only thing hand built is the high level assembly and inspection.

        And this is because of this high level assembly that there is a human labor cost that can be a huge part of the overall cost. Because this part is significant,

  • Uhhh... (Score:3, Funny)

    by Kingrames (858416) on Tuesday April 22, 2008 @10:23AM (#23157972)
    Who cares about counterfeit Disco gear?
    • by neoform (551705)
      Sure, say that now, just wait till you play a record on a chinese turn table that turns out to be playing at 78rpm, next thing you know everyone on the dance floor will be dancing like their on speed or something.
    • Re: (Score:3, Funny)

      by everphilski (877346)
      Disco Stu only buys the genuine article. Oh yea, baby...
  • you cant expect it to be secure...
  • by hyades1 (1149581) <hyades1@hotmail.com> on Tuesday April 22, 2008 @10:30AM (#23158086)

    The economic integration between North America and Communist China is putting us in a very dangerous position. The Chinese government has a well-documented history of utter ruthlessness, and will happily steal and duplicate every technological edge it can get. Does anybody believe even for a moment that the same people who have committed and facilitated cold-blooded mass murder on a scale we find difficult to imagine will draw the line at a little industrial espionage?

    Corporations that are forcing us into closer and closer economic contact with China are making huge profits, and doing a good job of ensuring that our governments obediently facilitate economic integration. For the rest of us, this means stagnant wages and limited opportunities...all in return for access to cheap headphones, lead-poisoned toys and other gimcrackery.

    The Chinese government is not our friend, and the argument that exposing them to the joy of capitalism will make their society free is exactly backwards.

    • by Ice Tiger (10883)
      The 1st world is increasingly giving up the ability to self sustain in the possibility of a cold or conventional war with the 2nd or 3rd world.

      For example a conflict with china over Taiwan needs only a boycott from China to the USA and a few undersea data cable severances to wreck the US economy. With manufacturing and back office functionality moved overseas the ability of a large military to protect borders becomes irrelevant when economic vulnerable points lie outside of those borders.
    • Re: (Score:3, Interesting)

      by tinkerghost (944862)

      The Chinese government has a well-documented history of utter ruthlessness, and will happily steal and duplicate every technological edge it can get.

      When I was working w/ a company that made security Holograms for UL, one of our R&D people went to Bejing, where they happily showed him the R&D Hologram lab, where they were trying to duplicate our security Hologram. They also were more than happy to show him samples of a dozen or so other holograms they had already cloned.

      From his description, they

  • Oh No! (Score:3, Funny)

    by UncleWilly (1128141) <UncleWilly07.gmail@com> on Tuesday April 22, 2008 @10:31AM (#23158102)
    I also suspect my Lenovo/Thinkpad..whenever I'm in the room it seems to be...watching me.
    • by TubeSteak (669689)

      I also suspect my Lenovo/Thinkpad..whenever I'm in the room it seems to be...watching me.
      Don't worry, you can blind the bastard with judicious application of tinfoil and masking tape.
  • Really? ebay? (Score:3, Insightful)

    by esocid (946821) on Tuesday April 22, 2008 @10:35AM (#23158164) Journal

    ...originating from China, and sold by Gold/Silver partners to numerous US government, military, and intelligence agencies
    Are our government agencies seriously buying anything from ebay? I'm not even sure how legal, much less smart, it is to buy equipment that will be used in a federal agency from joe blow, or even kim lee (equivalent of jow blow) in china. An average user probably wouldn't have to worry, if in fact the stuff worked, but the Pentagon may have a problem.
    To any federal agency monitoring this (NSA), please stop buying your network and computing gear from yard sales and ebay.
  • the USA issues counterfeit money. "Why it will hardly buy you anything these days, says octogenarian Edna Pumpernickle. But I hear they have great money in Europe."
  • by hackus (159037) on Tuesday April 22, 2008 @10:40AM (#23158244) Homepage
    Security cannot be achieved with closed source or closed hardware. The problem of security is too difficult, so it is best to create a "culture" of security based around a simple set of rules:

    1) All software implemented in Network Systems must be open and source code must be peer reviewed on a regular basis.

    2)Hardware should be as generic as possible and should be built upon agreed standards so you can mix and match components.

    3) Cultural security is laid at the foundations of software and hardware. Once everyone knows the foundations any single individual or group will find it very hard to con an entire community.

    Even if they succeed it will not take long for the culture to detect the deception.

    Personally, I am glad the Chinese are screwing Cisco. Remember folks, we are talking about the same company that sold the Chinese government a ton of security products to hunt down and kill/torture or imprison political dissidents.

    Last year I got rid of the final pieces of Cisco gear in my network and everything is working just fine with Open Source equivalents.

    I peer review my own patch updates, and follow the lists carefully as the comminity as a whole deals with coding the upgrades.

    I really do know what my routers are doing.

    How many here can say that?

    -Hack
  • I reckon the job of the spies has been a whole lot easier because they could rely on the US gov't buying Cisco-branded equipment. More diversity in the network equipment landscape would have made things more difficult.
  • Ahh, that old military paranoia strikes again.

    We didn't make it, we don't know what it does. It must be a threat.

    The wonderful thing about this (apart from the certainty that it will involve giving the security organisations more money) is that you don't have to prove anything. Just say "it's possible" (not even probable), or that they're "concerned" or that there "might be a threat" and suddenly everyone is running around as if the sky is falling.

    Time to stop watching the James Bond movies guys. Go bac

  • by Doc Ruby (173196) on Tuesday April 22, 2008 @10:54AM (#23158478) Homepage Journal
    Clinton and the Republican 1990s Congress sold us Most Favored Nation and "Fast Track" status for China on the appeal that the US would be manufacturing high-tech gear like Cisco routers and selling it into the emerging Chinese market. Making China dependent on US manufacturing and retailers so we could dictate political terms to them, like not torturing Tibetan monks.

    They got it. Then they flipped the script. Now the US is dependent on Chinese manufacturing. Stepping up the game, Bush and the Republican 2000s Congress sent us $9 TRILLION into Federal debt (after a Clinton left him with a surplus), making $400 BILLION in debt bought by China necessary to keep the illusion that our economy hasn't collapsed - an illusion rapidly vaporizing, even before China applies much pressure to force us to comply with their Communist mafia government's global expansion plans. Meanwhile the Chinese are not just torturing monks (or stopping us from torturing around the world), they're also sending weapons, including machetes, to fuel a slaughter in Zimbabwe [independent.co.uk].

    They baited and switched us. And by "they", I mean a lot of Americans with Washington addresses, and now obviously Chinese bank accounts.
    • It gets worse (Score:4, Interesting)

      by WindBourne (631190) on Tuesday April 22, 2008 @11:13AM (#23158730) Journal
      China in return agreed to allow their money to float free, but created "the basket" that they then control to an unknown formula. Considering that yuan has gone up a whopping 17% against the dollar over 5 years, while most other moneies have gone up more than 100%, it says a lot. In addition, they were required to drop their tariffs over 2 years ago (they asked for 5-7 years). We are now pushing 8 and they are asking for another 3-5 years of them.

      The good news is that EU has seen what has happened to us and is pushing several issues; 1) the chinese firewall and the tariffs 2) the money issue 3) the carbon issue. As such, they are about to slap a major carbon tax on everything based on their Point of origin as well as a tariff against chinese good because of the firewall and tariffs.
      • by Doc Ruby (173196)
        I'm glad to see Europe finally start to do more global work that has been left to the US for so long, since WWII. Especially that (continuing) ghastly collapse in their backyard in Yugoslavia, which the US bailed their region out of.

        They've got the money, and the interest in self-defense. Though it really all looks like Orwell's _1984_ with the spyglass turned around: now it's Eurasia's turn to always have been at war with Eastasia.
    • Quick correction (Score:2, Insightful)

      by hassanchop (1261914)

      Now China is dependent on US purchasing.


      There are tons of other countries that can manufacture our goods. The same cannot be said of US purchasing power.

      Don't be upset though, your mistake is common amongst those with only a cursory knowledge of the subject like you have.
  • There is no way to "trust" software, unless you've hand-assembled an assembler, used that assembler to create a better assembler, used that assembler to create a basic C compiler, and use that C compiler to build your real C compiler. And, additionally, audited all the code.

    Then, you have to look at ever line of every tool source as well as all the source of everything. Even then, you need to verify hardware, BIOS, etc.

    It is a hard job. Maybe impossible.

    The first step, however, is to STOP buying aggregate d
  • Don't forget Huawei (Score:4, Interesting)

    by HockeyPuck (141947) on Tuesday April 22, 2008 @11:10AM (#23158710)
    http://www.theregister.co.uk/2004/07/29/cisco_huawei_case_ends/ [theregister.co.uk]

    While Cisco dropped this lawsuit claiming "a victory for the protection of intellectual property rights."

    This was after Huawai photocopied IOS Configuration guides and "portions of its IOS source code found its way into Huawei's operating system for its Quidway routers and switches. Cisco claimed the Huawei OS included text strings, files names and bugs that were identical with Cisco's IOS source code. The suit alleges that Huawei is infringing at least five Cisco patents."

    *RING BELL* Round 2

  • That they are hostile foreigners who hold favoured nation trading status...
  • by ktappe (747125) on Tuesday April 22, 2008 @11:56AM (#23159336)
    Equipment that will handle sensitive data should be purchased by the Government only from manufacturers who make it within our borders. Yes, this would increase costs. But it would help ensure that no "special" Chinese chips get inserted into the devices. It would also bring a few manufacturing jobs back to our shores. Of course, I'm assuming here that the very last of our electronics manufacturing infrastructure has not been dismantled...
  • How hard will be for Cisco and us GOV to make custom firmware that makes it so any counter gear / other firmware hacks don't open up holes in the network?
  • by Karl Cocknozzle (514413) <kcocknozzle@hotmail . c om> on Tuesday April 22, 2008 @02:46PM (#23161892) Homepage
    ...right around the time these stories really started getting mass-publicity...

    And was shocked to find that, for example, my 3745 had, among other things, 4 VWIC-2MFT-T1 interfaces... Three of the four were counterfeit--but all were bought through Cisco Gold partners.

    Until I saw this with my own eyes, I had no idea how wide this issue reached.

Aren't you glad you're not getting all the government you pay for now?

Working...