FBI Concerned About Implications of Counterfeit Cisco Gear
SpicyBrownMustard writes "An FBI PowerPoint presentation provides details about a criminal investigation into counterfeit Cisco hardware originating from China, and sold by Gold/Silver partners to numerous US government, military, and intelligence agencies. The concern of the article's author and the FBI is that the counterfeit equipment may be state-sponsored to aid in accessing otherwise secure systems (slides 46+47). Says the article author: 'The threat is real. Compromised hardware of potentially hostile foreign origin sits within secure networks of the US government, military, and intelligence services. And as you now see, the FBI has been concerned about it.'" We've mentioned the seizure of some of this equipment before, but this presentation adds quite a bit of detail, and highlights the FBI's concern about Chinese government involvement.
Nightmare (Score:5, Insightful)
This is going to keep a lot of people awake at night.
They should have known it all along. (Score:5, Insightful)
They should be afraid of the genuine article too. Only free software can be audited, modified and trusted.
Really (Score:3, Insightful)
Re:Nightmare (Score:4, Insightful)
If you can't trust the hardware, you can't trust anything. Scary stuff.
Time for state-sponsored fablabs (Score:5, Insightful)
Now is the time for the US Department of Sensitive Things to stop buying hardware and start buying blueprints. Buy VHDL and CAD files from Cisco, scrutinize them for threats, then produce it yourselves.
China is great for cheap production, but there is a reason why military-approved stuff is more expensive: among other reasons, you can't let anyone build them.
And if you want certified and cheap stuff, it is time to begin building robotic factories.
Lost sales aren't the issue for brands. (Score:5, Insightful)
That's not the point. The reason the brand owners get their panties in so much of a bunch over the counterfeits isn't because the plebes buying the fakes could actually afford to buy a real one, if they weren't wearing a fake
Which really just makes those "counterfeits kill" ads all the more ironic; the people those ads are being marketed to are essentially the high-end marketer's enemy. They're the ones who must be denied access to the high-end brands; who must be made to covet without actually being able to possess.
Re:Nightmare (Score:4, Insightful)
I trust neither Cisco nor the FBI.
Re:Nightmare (Score:4, Insightful)
Re:Nightmare (Score:5, Insightful)
I'm not exactly sure why counterfeit Cisco routers are considered more of a security threat than real Cisco routers since Cisco, like a lot of American companies, is outsourcing so much of its hardware manufacture and software development to China. The Chinese government can just as easily put an agent into any of these companies and slip back doors into the real products.
All in all this is just the price you pay for exploiting cheap labor in a country that has been a bitter adversary for the last 60 years.
Not a good decision (Score:4, Insightful)
The economic integration between North America and Communist China is putting us in a very dangerous position. The Chinese government has a well-documented history of utter ruthlessness, and will happily steal and duplicate every technological edge it can get. Does anybody believe even for a moment that the same people who have committed and facilitated cold-blooded mass murder on a scale we find difficult to imagine will draw the line at a little industrial espionage?
Corporations that are forcing us into closer and closer economic contact with China are making huge profits, and doing a good job of ensuring that our governments obediently facilitate economic integration. For the rest of us, this means stagnant wages and limited opportunities...all in return for access to cheap headphones, lead-poisoned toys and other gimcrackery.
The Chinese government is not our friend, and the argument that exposing them to the joy of capitalism will make their society free is exactly backwards.
Really? ebay? (Score:3, Insightful)
To any federal agency monitoring this (NSA), please stop buying your network and computing gear from yard sales and ebay.
Re:Nightmare (Score:5, Insightful)
Closed Systems and Black Boxes (Score:5, Insightful)
1) All software implemented in Network Systems must be open and source code must be peer reviewed on a regular basis.
2) Hardware should be as generic as possible and should be built upon agreed standards so you can mix and match components.
3) Cultural security is laid at the foundations of software and hardware. Once everyone knows the foundations any single individual or group will find it very hard to con an entire community.
Even if they succeed it will not take long for the culture to detect the deception.
Personally, I am glad the Chinese are screwing Cisco. Remember folks, we are talking about the same company that sold the Chinese government a ton of security products to hunt down and kill/torture or imprison political dissidents.
Last year I got rid of the final pieces of Cisco gear in my network and everything is working just fine with Open Source equivalents.
I peer review my own patch updates, and follow the lists carefully as the community as a whole deals with coding the upgrades.
I really do know what my routers are doing.
How many here can say that?
-Hack
Re:Nightmare (Score:4, Insightful)
Re:Ha Ha! (Score:4, Insightful)
Supposed to Be the Other Way Around (Score:4, Insightful)
They got it. Then they flipped the script. Now the US is dependent on Chinese manufacturing. Stepping up the game, Bush and the Republican 2000s Congress sent us $9 TRILLION into Federal debt (after a Clinton left him with a surplus), making $400 BILLION in debt bought by China necessary to keep the illusion that our economy hasn't collapsed - an illusion rapidly vaporizing, even before China applies much pressure to force us to comply with their Communist mafia government's global expansion plans. Meanwhile the Chinese are not just torturing monks (or stopping us from torturing around the world), they're also sending weapons, including machetes, to fuel a slaughter in Zimbabwe [independent.co.uk].
They baited and switched us. And by "they", I mean a lot of Americans with Washington addresses, and now obviously Chinese bank accounts.
Re:The FBI Followed Up With (Score:5, Insightful)
Re:They should have known it all along. (Score:5, Insightful)
The thing is, if they are auditing the hardware and software, they can as easily validate the fake Ciscos as the real ones. They're made in the same factory by the same people.
If they cannot validate the fake ones, then they should be just as afraid of the real ones.
That's not good enough. (Score:3, Insightful)
Even the Federal Government is not as big as the free software community. If they are not free to modify the source for any purpose and share those modifications with everyone else in a free way, they lose the benefits of freedom and become an unpaid bug fixer for Cisco. Malice can slip through in obfuscated form, they can't make it do what they want and they will have a hard time being sure what they audit is what they run.
Re:Well that's a change (Score:5, Insightful)
The counterfeit hardware isn't really counterfeit; instances like this are usually just the guy who runs the factory keeping it open an hour later than he is telling Cisco and producing a bunch of extra routers that he can sell on the cheap. The counterfeit item itself is typically exactly the same when we are talking about electronics. It's not like they are using completely different designs and slapping the Cisco brand name on it. (I am sure there are exceptions to this that someone will point out, but I am speaking in general terms here; this rule applies for most counterfeit electronics.)
Sure, we should be concerned because American companies are having their IP that they put a big investment into stolen, but it's no less secure to buy a counterfeit router than a non-counterfeit.
Re:Nightmare (Score:3, Insightful)
Re:Someone had to say it (Score:3, Insightful)
Whenever possible (and I do check), I do not buy Chinese made products. I pay more to avoid or do without.
Government should mandate American-made (Score:3, Insightful)
Quick correction (Score:2, Insightful)
There are tons of other countries that can manufacture our goods. The same cannot be said of US purchasing power.
Don't be upset though, your mistake is common amongst those with only a cursory knowledge of the subject like you have.
Re:That's not good enough. (Score:4, Insightful)
Do you have a silly walk as well?
Validating pre-built products (Score:4, Insightful)
Re:Well that's a change (Score:3, Insightful)
Re:Nightmare (Score:4, Insightful)
If we want to take advantage of electronic information-processing technologies, we need to find ways of making them secure. If we can't do that, then we shouldn't use the technology. Security shouldn't be optional: either it's feasible to do something securely, or it's too expensive, in which case the system shouldn't be constructed and alternatives should be considered, including not automating at all.
I would quite frankly rather see large sections of the government switch back to using paper, which at least the average member of the civil service has a clue about securing, than use electronic systems that aren't secure -- and worse than that, that the users don't realize aren't secure.
These costs need to be weighed very, very carefully, and I can tell you from first-hand experience that they aren't. Not even close. It's pants-shittingly bad in some cases, and the decisions are being made by people who are (in addition to frequently being just plain incompetent) so far down the chain of responsibility that they only consider the impact that a particular decision might have to their fiefdom. There is precious little in the way of coordination, and the sooner that changes, the better.
I'm not holding my breath, though.
[1] Just as an example, how would you go about trying to quantify 9/11? You could come up with the direct costs of the increased airline security, the DHS, the wars in Iraq and Afghanistan, but how do you quantify the lives lost? The economic damage? The people who decided not to get on planes, or the time spent waiting in longer lines? Then after that, you'd get into arguments about whether the event could be linked to the dollar's slide, or if that's totally independent, which might be another cost. The point being: it's difficult to quantify even afterwards what the costs of a particular event are; how are you going to quantify them for a potential event?
Re:Nightmare (Score:3, Insightful)
At this point the adversary relationship is our choice, and as China becomes more powerful we should consider its functional value rather than our post-Colonial nostalgia for White power in Asia. We have a mutual cultural enemy in Islam, and far more interests in common than otherwise. (Tibet is functionally expendable. It needs us but we don't need Tibet.)
Time to quit hatin' on the "Heathen Chinee". China never invaded the West and forced it to trade in opium, nor did China support any Kuomintang equivalents here. The screwing has been quite one-sided. No wonder they are pissed!
Re:Someone had to say it (Score:4, Insightful)
The GP has a perfectly good point though. We didn't trade with the USSR. We still don't trade with Cuba and they're harmless! We are the biggest hypocrites ever for trading with China, who has a human rights and oppression record that Stalin or Castro would admire, and we ignore that it's in China's best interests to destroy us to make oil cheaper for them.
Then it's about fucking time... (Score:1, Insightful)
Re:Nightmare (Score:4, Insightful)
Re:They should have known it all along. (Score:2, Insightful)
Re:Someone had to say it (Score:4, Insightful)
Re:That's not good enough. (Score:2, Insightful)
Re:Nightmare (Score:3, Insightful)