Cisco Shipping Hardware To Bogus Addresses To Throw Off NSA Intercept-And-Implant Efforts

from the 1324-Middle-Finger-Extended-Blvd. dept

Cisco became an inadvertent (and very unwilling) co-star in the NSA Antics: Snowden Edition when its logo was splashed across the web by a leaked document detailing the agency's interception of outbound US networking hardware in order to insert surveillance backdoors.

It moved quickly to mitigate the damage, sending a letter to the President asking him and his administration to institute some safeguards and limitations to protect US tech companies from the NSA's backdoor plans. To date, there has been no direct response. So, Cisco has decided to handle the problem itself.
Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says.

The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers…

"We ship [boxes] to an address that's has nothing to do with the customer, and then you have no idea who ultimately it is going to," Stewart says.

"When customers are truly worried ... it causes other issues to make [interception] more difficult in that [agencies] don't quite know where that router is going so its very hard to target - you'd have to target all of them. There is always going to be inherent risk."
Stewart acknowledges that Cisco's modified dead drop shipping operations aren't foolproof, but will at least force the agency to do a little more research before intercepting packages. Stewart also noted that some customers aren't taking any chances, opting to pick up their hardware from Cisco directly.

There are also variables Cisco simply can't control, like the possibility of inbound components from upline manufacturers arriving pre-compromised. But it's doing what it can to ensure that "Cisco" isn't synonymous with "spyware."

Then there's always the possibility that the government may find Cisco's new routing methods to be quasi-fraudulent and force the company to plainly state where each package is actually going. No response has been issued by the ODNI or NSA to this news, and most likely, none will be forthcoming. Any statement on Cisco's fictitious routing would tip its hand.

Cisco's plan makes a lot of assumptions about the NSA's capabilities, most of which aren't particularly sound, but this seems to be more a public display of pique than a surefire way to eliminate most of the NSA's hardware interceptions. It also sends a message to the NSA, one it's been hearing more and more of over the last couple of years: the nation's tech companies aren't your buddies and they're more than a little tired of being unwilling partners in worldwide surveillance.

Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  • icon
    Violynne (profile), 20 Mar 2015 @ 10:32am

    the nation's tech companies aren't your buddies and they're more than a little tired of being unwilling partners in worldwide surveillance.

    Yet, it's okay for tech companies to sell our "anonymous" data, thereby making "surveillance" a double-edged sword.

    Tough luck on tech companies. Maybe they should have thought about Pandora's Box before making "metadata" synonymous with loss of privacy.

    Tech companies don't get the privilege of crying when the NSA abuses them.

    Just desserts. Screw them all.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Mar 2015 @ 11:06am

      Re:

      > Screw them all.

      ...says the person posting a comment on a Web site, over the Internet, from a Web browser. There are so many "tech companies" involved in that operation it would make your head spin, yet obviously you continue using them.

      If you want to put *specific* pressure on *specific* firms for *specific* inappropriate behavior, please feel free to advocate for that.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Mar 2015 @ 12:28pm

      Re:

      Tech companies weren't thinking with their heads when they were "asked" for the metadata what they were thinking with what was downstairs.... The accounting department! ...And the the lucrative revenue stream that continues pad their bottom line.

      Mo Money! Mo Money! Mo Money! Cha-Ching!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2015 @ 10:48am

    It would be amusing how naive this is, where it not also so sad. Shamefully, whenever a corp or gov these days speaks about "addressing peoples concerns"- they mean just that; the "concerns" are addressed rather then the issues that causes those concerns. People should feel insulted and placated when hearing this phrase, or seeing such an action, but it seams to slip by most unnoticed.

    reply to this | link to this | view in chronology ]

  • identicon
    alan turing, 20 Mar 2015 @ 10:57am

    the real shame

    I've been seeing more and more press on how the majority of Americans are okay with the level of surveillance and actually would be okay with more.

    Really America? Really?

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 20 Mar 2015 @ 11:28am

      Re: the real shame

      Ah, but the thing is, most of them either:

      a) Have bought the lie that 'unless you're doing something wrong, you have nothing to worry about'.

      And/or b) Don't understand just what the mass spying really entails, and what's possible with the data gathered.

      Tell most people that you're 'gathering metadata on internet activity to better track terrorists and criminals', and you're likely to get some head-nodding and general vague agreements that that doesn't sound too bad.

      Explain that that 'metadata' can be used to accurately identify people the vast majority of the time as long as you have enough of it, it can be used to track where people go online, what they do, and give at least relatively accurate outline of who they're talking to, including doctors, political affiliations, various other groups, and in particular make sure to point out that the only thing keeping random strangers from having access to this pile of data is generally ridiculously poor security, if it exists in the first place, and laughably loop-hole ridden laws, and I imagine most people might be a bit more concerned.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Mar 2015 @ 1:14pm

      Re: the real shame

      Majority of Americans? I think your believing US government propoganda. Most American's are ready for a "Snowden Day" in his honor vs. the WH "terrorist" line. Just because there isn't rioting in the streets doesn't mean they are ok with this either.

      The bigger reality is that there isn't much choice.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 20 Mar 2015 @ 7:06pm

        Re: Re: the real shame

        You need to widen your circle. In the heartland people don't give a rat's ass about mass surveillance unless they are involved in tech and have a realistic worldview of the scope of what metadata actually garners those that gather it.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 20 Mar 2015 @ 9:20pm

        Re: Re: the real shame

        The majority of Americans openly support torture. What makes you think they give a shit about privacy?

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 21 Mar 2015 @ 9:13am

          Re: Re: Re: the real shame

          We face a continuous barrage of bullshit from our corporate overlords, I don't think they need your help. Please do not do their dirty work for them.

          If one is to make a claim, perhaps it would benefit others to include a source. The MSM propaganda creators do not provide much to substantiate their conclusions, why in the hell should anyone else - right?

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2015 @ 11:01am

    The problems of maliciously modified hardware (or in fact hardware designed for malicious intent) are another reason for having free hardware designs: http://www.wired.com/2015/03/need-free-digital-hardware-designs/ (article by Richard Stallman).

    reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 20 Mar 2015 @ 8:21pm

      Re:

      The problems of maliciously modified hardware (or in fact hardware designed for malicious intent) are another reason for having free hardware designs:

      How would that help, unless you manufacture it yourself?

      reply to this | link to this | view in chronology ]

  • identicon
    Michael, 20 Mar 2015 @ 11:06am

    "We ship [boxes] to an address that's has nothing to do with the customer, and then you have no idea who ultimately it is going to,"

    In a related story, DHL sues Cisco for copyright infringement.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2015 @ 11:13am

    ALL PR. Assumes Cisco not willingly helping.

    ALL major corporations have already been assimilated. That this alleged effort is made public is proof enough of fake.

    Same with hard drive manufacturers: they came up with a story that the NSA gets in only after leaves the factory.

    Requires only a half-dozen corrupt people in each company to see that a few bytes of code are put in among tens of thousands.

    You have no independent way to verify any corporate claim, so should believe none.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Mar 2015 @ 1:29pm

      Re: ALL PR. Assumes Cisco not willingly helping.

      > You have no independent way to verify any corporate claim, so should believe none.

      Er... not so much.

      Talking about products, or shipping, or service, there are two participants, the corporation and the customer. If you don't trust the one, you can still learn from (or be) the other.

      Seems verifiable to me.

      reply to this | link to this | view in chronology ]

      • identicon
        Terry, 20 Mar 2015 @ 8:31pm

        Re: Re: ALL PR. Assumes Cisco not willingly helping.

        @Anonymous Coward

        All well and good to say the customer can verify the tampering. The question is, how sophisticated is the NSA's tampering and how easy for a customer to detect it. It is said the NSA tampered with disk drive firmware. How many people in the is country are can reverse engineer a drive's firmware. I am thinking not too many. The NSA only has to break a small number of things, whereas their adversaries have to verify everything. Not any easy job.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2015 @ 1:09pm

    NSA is bad for business. Tech companies realize that people will get their tech outside the US. One more economic hit in the US.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2015 @ 2:18pm

    We have met the enemy, and it is us. Snowden 2016.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2015 @ 2:45pm

    Nice corporate PR, that's it. It simply does not matter until corporations make it absolutely clear with demands that get attention and the needed actions out of congress, what they say.

    It will be assumed that it comes rigged with spyware. Corporations took the money and all was fine until the public learned of actions. Suddenly when profit margins start dropping and only then do they get religion.

    The deal with the devil was done in many cases with full knowledge. All will be assumed to be painted with the same brush of complicity until major changes are made. Even then it will be years if ever that American corporations will ever re-earn the trust of their customers. While I can not control everything there is one thing I can do. I can pick those parts up for computers and build it myself. While no 100% guarantee, it will have a higher unlikely hood to have been visited by the repackaging team.

    Globally, people will start refusing American products that can be done this way. Foreign governments can and will refuse American products over it. Long term contracts will be changed when they reach termination for other choices.

    The damage is already done.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2015 @ 4:53pm

    when the u.s. govt has put our tech companies out of business we will begin to see the true cost.

    reply to this | link to this | view in chronology ]

  • identicon
    David Brown, 20 Mar 2015 @ 4:54pm

    CISCO

    I guess not everyone appreciates the new police state ... execs at Cisco had better be careful or they'll wind up in the slammer like Qwest CEO Joseph Nacchio.

    reply to this | link to this | view in chronology ]

  • icon
    John Strosnider (profile), 20 Mar 2015 @ 5:53pm

    Separate the HW from the SW

    It seems to me that it would be better to ship the devices unflashed and let the client go to Cisco's website, download the firmware, verify it against published hashes, and flash the device themselves. Then, it wouldn't matter if the NSA had intercepted it en route. Wouldn't that be cheaper and more effective than double-shipping the hardware?

    reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 20 Mar 2015 @ 8:24pm

      Re: Separate the HW from the SW

      It seems to me that it would be better to ship the devices unflashed and let the client go to Cisco's website, download the firmware, verify it against published hashes, and flash the device themselves. Then, it wouldn't matter if the NSA had intercepted it en route.

      What if the NSA is adding hardware as well?

      reply to this | link to this | view in chronology ]

      • icon
        John Strosnider (profile), 20 Mar 2015 @ 9:23pm

        Re: Re: Separate the HW from the SW

        Cisco's SW would not be accessing the added hardware, so somehow the NSA's hardware would need to be able to inject packets into the outgoing traffic without disrupting the underlying software. While I suppose that's technically possible, that seems extremely unfeasible especially if they want it to continue working with future firmware updates. It also seems like something that a firmware update could easily detect and disable once Cisco became aware of such a modification.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 21 Mar 2015 @ 8:23am

          Re: Re: Re: Separate the HW from the SW

          the NSA's hardware would need to be able to inject packets into the outgoing traffic without disrupting the underlying software.
          No, the NSA's hardware just needs to make the finished system exploitable. They could, for example, add a "secret ROM" like on the first Xbox: it would replace the boot vector such that at startup it would run some code, then turn itself off and run the real bootloader. The running system would think it booted using the normal one, but some register would be configured in a weird way: maybe the DRAM refreshing would be adjusted to allow a rowhammer attack, or the CPU firmware would be rolled back to allow some formerly-fixed user-to-supervisor transition. Or they could hook some data line so they can watch for a specific packet, then glitch the CPU power.

          But I disagree that what you suggest is infeasible. To read and inject packets, you probably just need to attach to the data lines. The router will occasionally be idle, and when it is, just start dumping data onto those lines. Or with a mux, you could disconnect the main CPU and take over a data line. Remember that the NSA don't need to control the data stream completely: they're monitoring the entire internet, so they just need to replace or glitch the occasional bit in a way they can detect. Errors happen, and unless Cisco knows exactly what to look for, it would be pretty hard to detect attacks and know they're not the usual random glitches.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 21 Mar 2015 @ 8:33am

            Re: Re: Re: Re: Separate the HW from the SW

            It's still a good idea, though, to ship the hardware and software separately: it makes the NSA's job harder. To improve your suggestion, they should ship it before they know who the customer is. E.g., ship to international warehouses or retail stores, then to final customers. And do it for all customers, not just "sensitive"/paranoid ones. If companies send their IT people to a store with cash, it would be very difficult for the NSA to intercept the shipments.

            Cisco could also include printed private keys with each purchase that the customer could use to verify software images/updates, in case they do need to download something. It's an arms race, but we can set it up so that the NSA needs to be almost perfect to avoid detection. If customers can detect something wrong, at least, they can return the product to Cisco who can implement detection/workaround measures.

            reply to this | link to this | view in chronology ]

  • icon
    nasch (profile), 20 Mar 2015 @ 8:25pm

    How does this work?

    Maybe I'm being dense but I don't understand the scheme. Are they shipping hardware to addresses that don't exist? How does that help protect the hardware that's going to places the NSA is interested in? Or if this is a way to sneakily ship it somewhere without the NSA being able to tell where, how do they do that?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2015 @ 9:01pm

    I don't understand what this two hop shipping process is supposed to accomplish. So Cisco addresses hardware to (1234 USA Street). The package is then shipped from (1234 USA Street) to (9876 China Street).

    Hmmmm, we all know how good the NSA is at counting multiple hops, so I don't get what this accomplishes. This must be a PR publicity stunt to fool the simpletons working at multibillion dollar IT companies who are ordering Cisco's products...

    reply to this | link to this | view in chronology ]

  • icon
    Kal Zekdor (profile), 20 Mar 2015 @ 9:11pm

    Mitigation, not Prevention

    Cisco's plan makes a lot of assumptions about the NSA's capabilities, most of which aren't particularly sound...

    I don't agree. Cisco is well aware of NSA capabilities, and they know that this plan isn't enough to prevent tampering en route. With enough tracking/surveillance/infiltration of Cisco operations/personnel, the NSA can and likely will still find, intercept, and tamper with intended targets.

    In that case, why did Cisco bother? Two reasons. First, which was touched on in the article, is to simply make a statement. They are proclaiming to the world and to the NSA that they're not willing to sit idly by while the surveillance state drives their reputation (and their bottom line) into the ground. This is a symbolic protest as much as an actual mitigation.

    Second, yes, this is a mitigation. These precautions won't make it impossible for resourceful (in both meanings) third parties to intercept equipment, but they will make it more difficult, and thus costlier. Even the NSA only has so many man-hours it can direct. If it now takes twice as many man-hours (an over-estimation, I'm sure, but no matter) in order to backdoor a router en route, then they are only able to do so half as often.

    Cisco, or any US based company, can only do so much to thwart the surveillance state. Any pushback, however minor or symbolic, is to be applauded. On the same note, any willful collusion should be considered a betrayal of their customers, and the public at large.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Mar 2015 @ 3:23am

    The Human Race SUCKS

    If there's anything worse than an all out self-important person who thinks they are better than everyone else, its got to be a plethora of them in the same room so fucking paranoid that they stoop so low as to spy on everyone in the world in order to preserve their self-importance OR maybe the sorry suckers who do their dirty work.. Its no wonder this beautiful planet that so steadfastly rotates in space while revolving around a star somewhere out on an arm of an indescribable galaxy that is also spinning eternally in the universe is heading for such a disaster.

    reply to this | link to this | view in chronology ]

  • icon
    Coyne Tibbets (profile), 21 Mar 2015 @ 11:45am

    NSA opinion of this development

    ROFL

    reply to this | link to this | view in chronology ]

  • identicon
    lew, 23 Mar 2015 @ 1:33am

    What shipper allows the intercept?

    Why does nobody ask the question of 'how does the NSA intercept packages between shipper and customer?'

    Are those shippers immune to a suit for damages for allowing the harm of replacing the BIOS or putting a backdoor on the system?

    It can't be only Cisco or Cisco's customers are harmed -- Any manufacturer who ships to customers that NSA finds interesting.

    Why no law suits? Why are businesses not working to hinder NSA and the military coup they represent in every way possible?

    reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 23 Mar 2015 @ 7:19am

      Re: What shipper allows the intercept?


      Are those shippers immune to a suit for damages for allowing the harm of replacing the BIOS or putting a backdoor on the system?


      Maybe the telco immunity law applies to shippers too. Totally making stuff up though, I don't know if it does.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Mar 2015 @ 4:34am

    If the NSA can't see the final destination, how does anyone else in order for package to reach its' destination?

    Smells like bullshit to me.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.