Government Networking Hardware

To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses

An anonymous reader writes with this news snipped from The Register: Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says. The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers. The interception campaign was revealed last May. Speaking at a Cisco Live press panel in Melbourne today, Stewart says the Borg will ship to fake identities for its most sensitive customers, in the hope that the NSA's interceptions are targeted. 'We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who, ultimately, it is going to,' Stewart says.
This discussion has been archived. No new comments can be posted.

  • Not new (Score:5, Funny)

    by raftpeople ( 844215 ) on Thursday March 19, 2015 @09:57AM (#49291799)
    "We ship [boxes] to an address that has nothing to do with the customer,"

    I know some other companies that seem to do this for about half my orders.
    • Re:Not new (Score:5, Insightful)

      by fictionpuss ( 1136565 ) on Thursday March 19, 2015 @10:33AM (#49292141)

      If the NSA does not already have access to Cisco's obfuscated address system, then they are not doing their job.

      • If the NSA does not already have access to Cisco's obfuscated address system, then they are not doing their job.

        Perhaps, but I believe it is incumbent upon us as American citizens to make their job as difficult as possible. The more steps they have to take to get at our information, the better. The ultimate aim should be to make their data collection so difficult that they have to ration their efforts.

      • If the NSA does not already have access to Cisco's obfuscated address system, then they are not doing their job.

        It doesn't help that the list of addresses that would totally be plausible recipients of an order of big, fancy, networking gear is markedly smaller than the list of addresses.

        Even if you ruled out cracking Cisco (which the NSA obviously wouldn't), bulk characterization of addresses by demographic is something that those sleazy abhumans in 'direct mail marketing' have been doing since before 'spammer' was even a term. Purely by collating publicly available information (or just hiring one of the existing da

  • by Iamthecheese ( 1264298 ) on Thursday March 19, 2015 @10:01AM (#49291833)
    I would be happy to pay a little extra for this service for non-critical hardware. But if I were actually concerned the NSA would want to twist my knickers there's no way in hell I would: It's a huge red flag for them. Instead I would bribe someone at a different company to accept my shipment and forward it to me.

    But let's be honest, if the NSA is interested enough in you to install extras on your hardware, they probably already know your favorite porn, your underwear size, and what you had for breakfast. I'm happy to see extra services appearing for privacy-loving individuals but I don't think this particular one will help.
    • Or maybe Cisco just needs some free advertising?
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      How much to pick up product as a will-call at the manufacturing facility?

    • But let's be honest, if the NSA is interested enough in you to install extras on your hardware, they probably already know your favorite porn, your underwear size, and what you had for breakfast.

      Because there's nothing more competent than a government bureau safe from inspections. Which, apparently, is intercepting your shipments just because, seeing how it already knows everything. It wishes you to see it as omnipotent so you won't even try. In reality, it couldn't even hold the loyalty of one of its own.

    • by jedidiah ( 1196 ) on Thursday March 19, 2015 @10:58AM (#49292379) Homepage

      I think this service is entirely pointless. If you are worried about interception using a common carrier, then you need to stop using common carriers. Full stop.

      You need to use a proper courier. You also need to work on making your gear more tamper resistant.

    • Yeah, this sounds like a great idea until Cisco receives a subpoena for a list of all customers that used this service.

      Whoops!

  • by plopez ( 54068 ) on Thursday March 19, 2015 @10:04AM (#49291847) Journal

    They will be cloudified using super secret double Rot13 encryption.

  • by xxxJonBoyxxx ( 565205 ) on Thursday March 19, 2015 @10:04AM (#49291851)

    >> a bid to foil the NSA, security chief John Stewart says

    Both John Stewarts are funny guys.

  • by nimbius ( 983462 ) on Thursday March 19, 2015 @10:08AM (#49291881) Homepage
    the actual plan is pretty secretive but crap like Smallco at Nowheresville is easy to catch. all the NSA has to do is take a spammer's approach when sifting through UPS and FEDEX databases pertaining to Cisco. Using Sparse Orthogonal Bigrams or CRM114 with a combination of known customer addresses and contacts allows the NSA to quickly weed out any future attempt to subvert its practice.

    what isn't more difficult to thwart is a conscious customer, and that's the NSA's real problem. A shipment from San Francisco to Dallas for example, that takes a detour to Boson, could be good reason for suspicion. anti-tamper systems like tip-n-tell, environmental dyes, tamper seals, or a combination of these systems as well as the much maligned DRM signed firmware could make the NSA's efforts substantially more difficult. Finally, getting out of lock-in technology monocultures like dell-everything shops and cisco-anything shops is helpful. a moving target is, after all, harder to hit.
    • A shipment from San Francisco to Dallas for example, that takes a detour to Boson...

      Didn't they only just recently discover that? [wikipedia.org]

  • Really... when was the last time any of us thought Cisco was the best choice for a project?
    • by cdrudge ( 68377 )

      Anytime the Cisco account manager stopped by or called.

    • by Strider- ( 39683 )

      Really... when was the last time any of us thought Cisco was the best choice for a project?

      Actually it can be a great deal... I'm in the process of building up a campus network for a non-profit, that will eventually have some 25 switches (Core and access), and 3 or 4 routers. All of it Cisco. Why? Because Cisco's support policies are such that there is tons of perfectly serviceable EoL/EoS equipment available on the secondary market that suits our needs, and available for very little $$$.

  • If you are sophisticated enough to intercept shipments to known addresses what is to stop you from intercepting those to unknown ones and ignoring those to good addresses? It's a bit different than saying let's get boxes to X and ignore YZ to get any not going to YZ? More labor intensive, but some cross referencing of unknown addresses and intel work could still allow an intercept operation to continue.

    Alternatively, a little human engineering where a big buyer of Cisco products in the US government says "Fi

  • No confidence (Score:3, Insightful)

    by Anonymous Coward on Thursday March 19, 2015 @10:12AM (#49291921)

    I still can't trust that mechanism. Cisco needs to offer tools to verify the devices are genuine.

  • I expected him to go into politics or something like that. But I guess Cisco security chief is not that bad. Not as funny probably, although I do laugh at some of their obscenely overpriced stuff.
    Quick question, how exactly do they establish these fake identities? It would not be such a good scheme if all it does is flag shipments for NSA "hey, look at this, we don't want you to know where it is going"...

  • by NothingWasAvailable ( 2594547 ) on Thursday March 19, 2015 @10:17AM (#49291981)

    This strikes me as either silly (very James Bond), or an indication that Cisco doesn't even trust its own employees.

    Otherwise, why wouldn't Cisco just hand deliver the items using its own employees?

    Taking this cloak-and-dagger approach implies that if anyone at Cisco knows who's receiving the hardware, then it is at risk, meaning that Cisco is compromised and knows it.

    • by Ksevio ( 865461 )
      Probably because Cisco doesn't want to move into the courier business.
    • by magarity ( 164372 ) on Thursday March 19, 2015 @11:43AM (#49292755)

      Taking this cloak-and-dagger approach implies that if anyone at Cisco knows who's receiving the hardware, then it is at risk, meaning that Cisco is compromised and knows it.

      It also implies that the real problem is at UPS/FedEx/DHL? I'd like to know what the shippers have to say about these interceptions.

      • I'd like to know what the shippers have to say about these interceptions.

        They probably can't say anything because they've been served with National Security letters and aren't allowed to talk about anything under threat of prosecution or worse.

    • by mcrbids ( 148650 )

      It's a company, not a military. Of *course* they're compromised! Or at least, compromisable! I mean, every single employee comes to work because they are getting paid. So the NSA leaves a suitcase full of cash at an employee's house, and is asked to leak data, and is offered full legal immunity for doing so.

      You wouldn't take an extra $20,000 risk free? If not, you don't know somebody at work who would? Many people would do this for much less.

  • NSA doesn't know? (Score:5, Insightful)

    by ugen ( 93902 ) on Thursday March 19, 2015 @10:19AM (#49291999)

    Seriously, I would assume that NSA at least has a "mole" in the order processing/accounting/shipping dept. at Cisco. Unless Cisco pays a lot more than market to these rank-and-file employees or gives them benefits unheard of elsewhere, they aren't particularly hard to get to cooperate, I would guess.

  • The NSA will respond (Score:5, Interesting)

    by mark_reh ( 2015546 ) on Thursday March 19, 2015 @10:21AM (#49292021) Journal

    by putting their stuff into the Cisco boxes in the factory. Wait, aren't they already doing that?

  • Better solution: include an iPhone and backup battery in the shipment. Use Find my iPhone.

    Or just use FedEx's or UPS's real time tracking [blogspot.com] :-)

  • by tacokill ( 531275 ) on Thursday March 19, 2015 @10:31AM (#49292121)
    You see, the US Government is very keen about governing exports. They prohibit shipping many products into restricted countries and they actively police it in a serious manner. Anyone whose product gets found in a restricted country is in hot water. It doesn't matter if the product(s) was sold through an intermediary or 20 middle men, the manufacturer is 100% responsible for asserting, under penalty of law, that their products will not end up in a restricted country and that's that. The treasury department even publishes a monthly list of offenders they catch but I apologize as I cannot seem to find it on google.

    To address this issue, many companies that have been caught are required by the US Treasury Dept to document every single end user of their product. Yes, every single unit that is sold must be documented as to where its final resting place is. I doubt Cisco is under this kind of requirement (unless they've been caught in the past) but it seems this new policy is a huge risk for them in that area. If you were an Iranian supply store trying to procure Cisco equipment, this seems like a good way to do it without anyone knowing or being able to track it --- and that's a serious risk for Cisco.

    The minute one of those units gets found in Iran (or any restricted country), all hell will break loose. Again, it doesn't really matter how it got there.....

    Here [doc.gov] is a good overview of the requirements and Here [hostgator.com] is a company that has a good policy summary that they live by. Smart on them.

    Understand that this has nothing to do with NSA or espionage. This is just a basic requirement of doing business overseas and exporting products. Doesn't matter whether it's plastic dog poo, Intel CPU's, lab equipment, cranes, or other engineered equipment
  • Seems easy to circumvent. The [GOVERNMENT ABBREVIATION] monitors the original online or phone order and knows who ordered it. Who cares where it's being delivered.

    • by Dunbal ( 464142 ) *
      OK, and how will that help them intercept the shipment and install their spyware on the product?
      • by in10se ( 472253 )

        The exact same way they are doing it now.
        (I have no idea.)

        The summary seems to say that only high-value targets are being intercepted, and that Cisco is trying to protect those customers by shipping to somewhere other than their place of business. If that's their new form of protection, it doesn't change anything if the NSA knows who it belongs to.

  • Slashdot needs a "pudger rockin' a fedora" icon for autist keyboard operator submissions
  • Someone needs to put some reins on this out of control horse.

  • The NSA seems to have its fingers up so many people's hoo-has, that it could easily sort this out. It's amazing what an agency can accomplish when it's not held accountable for ignoring the Constitution. Fucking traitors.

  • Red Herring (Score:5, Interesting)

    by Greyfox ( 87712 ) on Thursday March 19, 2015 @11:06AM (#49292457) Homepage Journal
    Does nothing if all hardware is compromised prior to shipping. Would they be allowed to tell you if it were? Would they even be aware if it was? Has the government ever looked at their code or received a report from them about potential security vulnerabilities as part of a disclosure required for a government contract or security certification? I'm guessing if they did, that report was sent directly to the NSA.
    • Well, maybe you're right and Cisco want to put a false feeling of "anonymity" to compromise more high profile targets with their preinstalled backdoors. Or maybe it's just a way for Cisco to make more money on the back of its customers. In any way, their method cannot guarantee anything, since the shipment is just the last step of an order, and the order can be compromised at so many earlier steps.
    • ..if we forget about all the serious stuff related to it. Summary: "We don't like all this cloak and dagger spy stuff. We want to distance ourselves from intelligence agencies, and show that we're nothing like them. So here's what we're going to do. The shipment will first be sent to the location disclosed by our asset in the field. Refer to challenge-handshake protocol in the self-destructing memo dispatched last week by home office. After delivering the football, the site will be monitored by an eli
  • Start visiting locations of concerned customers, tear-down their units, check for implants, pull chips, put them in readers, verify firmware, etc. etc.

    Figure out what changes are being made to the equipment and then warn customers to check for them upon receipt. Tactics will then change, so check new shipments again 6mos. later.

  • Trust (Score:4, Insightful)

    by Anonymous Coward on Thursday March 19, 2015 @11:57AM (#49292877)

    Good job NSA! Way to destroy not just any integrity we had left as a country, but also undermine trust in the products we sell as well.

  • This is, at best, like putting a band-aid on a festering, infected wound. This will change nothing. At best, they might stop a few interceptions, after which they will be served with a "national security letter" or something along those lines telling them to cooperate with the three letter agencies or else.

    The only way to fix this problem is to go to the source and reform our three letter agencies, and the ho-hum reaction to the Snowden revelations suggests that it won't happen anytime soon.

    Think about it

  • by davidwr ( 791652 ) on Thursday March 19, 2015 @12:41PM (#49293269) Homepage Journal

    If it's THAT sensitive, either have the customer pick it up from a Cisco-controlled location or have a Cisco employee hand-deliver it to the customer.

    Use tamper-evident seals [wired.com] and use something like a "warrant canary"-like system so the delivery person can effectively tell the customer that to the best of his and Cisco's knowledge the shipment was not tampered with en route: The absence of a followup message from Cisco guaranteeing that the shipment and delivery were not intercepted would be treated as a message that it might have been intercepted.

    Speaking of "canaries" I wouldn't be surprised to see specialty shipping companies or specialty-arms of big-name shipping companies use "canaries" to guarantee that their shipments were delivered to an authorized person and not tampered with en route.
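
The "canary" follow-up described in the comment above can be sketched as a customer-side check in which silence, a bad authenticator, or mismatched seal serials all count as a possible interception. This is an added example, not part of the original post and not anything Cisco has described; the pre-shared HMAC key, the 72-hour window, the message layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed values for illustration only.
SHARED_KEY = b"constructed-demo-key-provisioned-out-of-band"
CANARY_WINDOW_SECONDS = 72 * 3600  # hypothetical deadline for the follow-up


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_followup(key, shipment_id, seal_serials, sent_at):
    """Vendor side: the follow-up asserting no known interception."""
    body = json.dumps(
        {"shipment": shipment_id, "seals": sorted(seal_serials), "sent_at": sent_at},
        sort_keys=True,
    ).encode()
    return {"body": body, "tag": _tag(key, body)}


def assess_delivery(key, shipment_id, seals_on_box, delivered_at, now, followup=None):
    """Customer side: anything short of a valid, timely, matching follow-up is suspect."""
    deadline = delivered_at + CANARY_WINDOW_SECONDS
    if followup is None:
        # Silence is the signal: wait until the deadline, then assume the worst.
        return "pending" if now <= deadline else "suspect: canary missing"
    if not hmac.compare_digest(_tag(key, followup["body"]), followup["tag"]):
        return "suspect: bad authenticator"
    claim = json.loads(followup["body"])
    if claim["shipment"] != shipment_id:
        return "suspect: wrong shipment"
    if not (delivered_at <= claim["sent_at"] <= deadline):
        return "suspect: outside canary window"
    # Seal serials read off the box must match what the vendor says it applied.
    if claim["seals"] != sorted(seals_on_box):
        return "suspect: seal mismatch"
    return "clear"
```

With a shared HMAC key either party can produce a valid follow-up, so a deployment that needs the vendor alone to be able to issue it would use a digital signature instead.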