Forgot your password?
typodupeerror
Businesses Privacy Security United States

Cisco Complains To Obama About NSA Adding Spyware To Routers 297

Posted by samzenpus
from the get-out-of-there dept.
pdclarry (175918) writes "Glenn Greenwald's book No Place to Hide reveals that the NSA intercepts shipments of networking gear destined for overseas and adds spyware. Cisco has responded by asking the President to intervene and stop this practice, as it has severely hurt their non-U.S. business, with shipments to other countries falling from 7% for emerging countries to over 25% for Brazil and Russia."
This discussion has been archived. No new comments can be posted.

Cisco Complains To Obama About NSA Adding Spyware To Routers

Comments Filter:
  • by Katatsumuri (1137173) on Monday May 19, 2014 @08:13AM (#47037151)

    Why does NSA have to do this? Can't they just order Cisco to install this in their factory?

    Or did they co-operate in this way to prevent whistle-blowing or counterintelligence at the factory?

    In any case, I doubt Cisco didn't know about this. They are probably trying to save their face after a third party uncovered this.

    • by CrimsonAvenger (580665) on Monday May 19, 2014 @08:16AM (#47037159)

      Why does NSA have to do this? Can't they just order Cisco to install this in their factory?

      Actually, no. They can ASK Cisco to do this, but they have no legal power to order them to do this.

      Now, they may quietly PRETEND they have the legal power to order this, and phrase their request as an order. But they really can't do much if Cisco ignores them.

      • by tuxut (3569129)
        Then you probably haven't read The Patriot Act.
        • by sumdumass (711423)

          What in the patriot act gives them this power?

          • by kilfarsnar (561956) on Monday May 19, 2014 @09:47AM (#47037729)

            What in the patriot act gives them this power?

            You don't need the power officially. They have ways of getting what they want.

            [Quest's CEO] says he refused to cooperate based on advice from his lawyers that such an action would be illegal, as the NSA would not go through the normal process of asking the Foreign Intelligence Surveillance Court for a subpoena. About this time, he says the company’s ability to win unrelated government contracts - something it did not have trouble with before the NSA meeting - slowed significantly.

            And here [dailycaller.com]

            I'm not saying anything in particular about Cisco's vulnerability to pressure from the NSA. I'm just saying they don't necessarily need explicit legal power to get what they want.

            • by CanHasDIY (1672858) on Monday May 19, 2014 @10:27AM (#47038029) Homepage Journal

              What in the patriot act gives them this power?

              You don't need the power officially. They have ways of getting what they want.

              [Quest's CEO] says he refused to cooperate based on advice from his lawyers that such an action would be illegal, as the NSA would not go through the normal process of asking the Foreign Intelligence Surveillance Court for a subpoena. About this time, he says the company’s ability to win unrelated government contracts - something it did not have trouble with before the NSA meeting - slowed significantly.

              In other words, once you start sucking on Satan's cock, you're not allowed to stop. Ever.

              There's a lesson to be learned there...

              • by Lumpy (12016) on Monday May 19, 2014 @10:40AM (#47038151) Homepage

                Actually you can, Cisco can start hiring contractor security firms and get more guns than the NSA. an NSA agent that has a M16 rifle pushed in his face by contractors and being told to "please leave the premises..... SIR!" has two options, he can leave or he can be killed in self defense.

                A large very rich corperation can get away with a hired army to protect themselves from the government.

                but that slippery slope is very steep and very very slippery.

            • by geekoid (135745)

              Or, he is blaming his incompetence on the government.

        • by Lumpy (12016) on Monday May 19, 2014 @10:37AM (#47038123) Homepage

          You cant, It's a criminal offense to actually read that part of the patriot act.

      • by Charliemopps (1157495) on Monday May 19, 2014 @08:47AM (#47037321)

        Why does NSA have to do this? Can't they just order Cisco to install this in their factory?

        Actually, no. They can ASK Cisco to do this, but they have no legal power to order them to do this.

        Now, they may quietly PRETEND they have the legal power to order this, and phrase their request as an order. But they really can't do much if Cisco ignores them.

        Except, you know, throw them in prison without a trial.
        An agency with no oversight, who's "requests" cannot be questioned openly without charges of treason, has the power to do anything they want to anyone they want.

        • by CrimsonAvenger (580665) on Monday May 19, 2014 @08:57AM (#47037379)

          An agency with no oversight, who's "requests" cannot be questioned openly without charges of treason, has the power to do anything they want to anyone they want.

          Several things:

          1) "whose". Illiteracy doesn't actually make your arguments better.

          2) Treason is defined by the Constitution. Article 3, Section 3. Learn it, love it, live it. There's a reason why people don't get charged with treason all that often. Note that Snowden did NOT get charged with treason. Do you really think anyone at Cisco can be charged with treason if they can't charge Snowden with it?

          3) thank you for agreeing with me. They have no legal power to do so, though they can PRETEND they do by phrasing requests as orders. Alas, ignoring them doesn't actually get you in trouble.

          • by Anonymous Coward

            The U.S. government is extremely corrupt. It is silly to talk about the constitution and law when there are many situations in which people operating with the power of the U.S. government do not feel bound by any law.

          • Alas, ignoring them doesn't actually get you in trouble.

            Not explicitly, and not obviously. It will, however, probably lead to you not being invited to quote for government pork-barrel business anymore, and more than one very lengthy visit from the IRS. It doesn't matter whether it's legal or not legal anymore, it only matters if you have more firepower (legal, political, or otherwise) than they do.

            • It doesn't matter whether it's legal or not legal anymore, it only matters if you have more firepower (legal, political, or otherwise) than they do.

              Anymore? This is the way it's always been. The good old Catch-22.

            • by JWW (79176)

              â¦. and no one has more firepower than they do.

          • by bill_mcgonigle (4333) * on Monday May 19, 2014 @10:02AM (#47037843) Homepage Journal

            Alas, ignoring them doesn't actually get you in trouble.

            Yeah, right.

            Joseph Nacchio [foxbusiness.com].

            Three Felonies a Day [amazon.com].

          • They have no legal power? The average person commits what, 23 Felonies a day. They just pick one, make it stick, and get you to play ball. If you still refuse, well I suggest looking up what happened to Qwest's CEO when he refused to play ball.

      • by symbolset (646467) *
        What they do is use their total information awareness to find some excuse to put the executives in prison for a completely different reason. The difference matters little to the executive.
      • by Lesrahpem (687242)

        Now, they may quietly PRETEND they have the legal power to order this, and phrase their request as an order. But they really can't do much if Cisco ignores them.

        That is like saying the mafia may quietly pretend to have the power to shut down your business if you don't do what they want. While the NSA may not have the authority, on paper, they certainly have the ability to press the issue by "extralegal" means and have verifiably done so in the past.

    • Cisco knew, they even had a 'choice' in the matter: cooperate with the government and keep your mouth shut about it or get your business ruined by that same government.
    • I doubt that the NSA would like Cisco to know how/what they are doing to their routers.

    • Why does NSA have to do this? Can't they just order Cisco to install this in their factory?

      Not if the factory is in China.

    • by NotDrWho (3543773) on Monday May 19, 2014 @08:44AM (#47037303)

      Why does NSA have to do this? Can't they just order Cisco to install this in their factory?

      Why risk someone at Cisco running to the press? Best to keep them out of the loop.

      • by AHuxley (892839)
        Yes "Best to keep them out of the loop." is very much needed from the NSA perspective.
        The outrage from investors, institutional investors, trust funds, technical staff, political leaders, ex staff, the legal teams has to be 100% real.
        The "Never believe in anything until it has been officially denied" has to look and sound real every decade.
        The academics have to stay tame, the political leaders have to legally make been a whistleblower in the US difficult, the end users stay unaware....
        Once the trick
        • by NotDrWho (3543773) on Monday May 19, 2014 @09:21AM (#47037551)

          If it weren't for Edward Snowden, Cisco would have never been able to complain--because no one would have ever known it was happening. Keep in mind that the NSA had been doing this kind of stuff for OVER 10 YEARS without a significant leak. So you can't blame them for functioning under the assumption that neither Cisco nor anyone else was ever going to know it was happening (until about 75 years from now, when it's finally declassified).

          • by AHuxley (892839) on Monday May 19, 2014 @09:57AM (#47037797) Homepage Journal
            They should have known. The ideas behind Project SHAMROCK and https://en.wikipedia.org/wiki/... [wikipedia.org] should have been a hint.
            The Martin and Mitchell defection in 1960 did offer the hint 'intercepting and deciphering the secret communications of its own allies"
            https://en.wikipedia.org/wiki/... [wikipedia.org]
            There where a few magazine and books over the 1970-80's that also offered a view of global telco reach, indexing, storage and tracking under ECHELON.
            Copper, optical it all has to move via some nations backhaul... that so cheap peering loop
            The reading back to the press of embassy traffic sent on trusted crypto should have been a hint.
            So "anyone else was ever going to know" seems to be a lot of nations where happy to see their telco systems entire output shared with 5 other nations (and a few others) for decades in some form as part of a mil deal.
      • by fredrated (639554)

        He never publically advacated for it, he was publiched posthumously.

    • by Anonymous Coward on Monday May 19, 2014 @08:51AM (#47037353)

      See Plausible deniability [wikipedia.org]

      Plausible deniability is a term coined by the CIA in the early 1960s to describe the withholding of information from senior officials in order to protect them from repercussions in the event that illegal or unpopular activities by the CIA became public knowledge.

      It's roots go back to Eisenhower's NSC Directive NSC 5412 of March 15, 1954, which defined "covert operations" as "...all activities conducted pursuant to this directive which are so planned and executed that any U.S. Government responsibility for them is not evident to unauthorized persons and that if uncovered the U.S. Government can plausibly disclaim any responsibility for them." [NSC 5412 was de-classifed in 1977, and is located at the National Archives, RG 273.]

      Otherwise known as "They think you're a fucking dumb cunt."

    • by Lumpy (12016)

      if Cisco was honest, they would send to each customer upon registering the product a nice file that will reinstall the clean OS and eradicate the crap the NSA is doing.

      But Cisco is far from honest as a company, so they are probably whining that they are not being PAID to install the back doors.

      • You hope it's only a firmware change. Altering hardware would be nearly impossible to detect by anybody but cisco and potentially very hard to do without destroying the part in the process.

        PS Cisco will send you the current firmware for a new product it's just a PITA if it does not have smartnet.

      • I would assume that whatever the NSA is doing to this equipment must make hardware changes. If reflashing with new IOS loads "fixed" NSA compromises, I would expect it wouldn't be a very successful program as firmware upgrades would close the back doors.

        They must be making changes to hardware in some way that are transparent to IOS and possibly not even visible to someone doing field replacement of internal modules.

        It's kind of crummy they do it at all, but it would be pretty fascinating to see how they ar

      • 1-That won't stop hardware changes. 2-If the NSA has access to the network (they do) then they can intercept your download attempt and insert their own code (again).
  • Hypocritical (Score:5, Interesting)

    by DaMattster (977781) on Monday May 19, 2014 @08:17AM (#47037165)
    I find it funny how the US government accused Huawei and ZTE of building in backdoor access while engaging in the exact same practice. I don't doubt that they do, they just haven't been caught red-handed. Pun full intended. I'm guessing that even if Obama were to issue an executive order halting the process, it would be largely for show. The actions will continue under renewed secrecy.
    • Re: (Score:2, Informative)

      by Scutter (18425)

      The NSA has not been caught red-handed, either. The article even points out that the pictures have not been independently verified.

      • The NSA wouldn't work with journalists / Wikileaks to redact documents obtained and delivered to them. Why would they work with similar organisations in this instance?

        At least they can't stand behind "Any disclosure puts people at risk" in this instance, unless "people" is the guy in the photo opening up Cisco kit and "in danger" means "desk duty".
    • by Lumpio- (986581)
      What the NSA is doing must be OK because it doesn't target the "American people". All the news and press conferences just concentrate on reassuring people that "American people" are not being spied on. It's OK to spy on people from all those foreign countries though.
      • Re:Hypocritical (Score:5, Insightful)

        by AmiMoJo (196126) * <(ten.3dlrow) (ta) (ojom)> on Monday May 19, 2014 @09:57AM (#47037799) Homepage

        I'm glad America approves me hacking American systems and spying on American people. After all, foreigners are fair game, and Americans are foreigner to me, so...?

    • Re:Hypocritical (Score:5, Insightful)

      by Anonymous Coward on Monday May 19, 2014 @08:25AM (#47037201)

      It takes one to know one. The US government was afraid of that kind of thing exactly because they knew they were doing it to everybody else.

    • Re:Hypocritical (Score:4, Interesting)

      by upuv (1201447) on Monday May 19, 2014 @08:29AM (#47037229) Journal

      How do you think the NSA found the Chinese back doors?

      Kinda of a duh moment don't you think?

      • How do you think the NSA found the Chinese back doors?

        The NSA has not found any Chinese backdoors.

        • by upuv (1201447)

          Can't help myself here. Using ridiculous reverse logic of a TV intelligence interrogator.

          So you are admitting that you are aware of Chinese back doors that are not currently known about by legitimate parties?
          Tell me what you know of these back doors.
          And tell me how we can use them.

    • Re:Hypocritical (Score:5, Interesting)

      by NotDrWho (3543773) on Monday May 19, 2014 @08:49AM (#47037325)

      I find it funny how the US government accused Huawei and ZTE of building in backdoor access while engaging in the exact same practice.

      It's funny. I was watching the news this morning and one of the lead stories was about the arrest of a bunch of Chinese officials for "cyberspying." And the first thing that I thought when I saw that was "I wonder what the Administration is trying to hide with this stunt." So I come on Slashdot and this is the first story I see this morning. Guess I know now why those Chinese dudes got arrested.

      Smart strategy. Whenever a story breaks about YOUR cyberspying, just stage a distraction stunt to highlight OTHER COUNTRY'S cyberspying.

    • I find it funny how the US government accused Huawei and ZTE of building in backdoor access while engaging in the exact same practice.

      It's not "funny", it's rational - as domestic people moved to Huawei equipment, they lost some of their ability to spy. Throw out a scare story, drive people back to the platforms with developed intercepts.

      If you have to choose between a government with police powers over your body knowing what you say in private and one half way across the world where you don't go knowing

  • What a freak show (Score:4, Informative)

    by ruir (2709173) on Monday May 19, 2014 @08:23AM (#47037183) Homepage
    It is rather obvious Cisco and Microsoft have backdoors. This seems like a political show because coming to the media saying "We dont have any backdoors" would not be politically correct. Any foreign government that uses this equipment is just dumb at best.
    • by AHuxley (892839)
      "Any foreign government that uses" sadly for many its a generational buy in.
      Some time during the cold war the telco system went more digital with US 'wiretap' friendly software and hardware to track everybody within that nation.
      Staff are trained, generals and the security services are happy, the next generation of staff are trained... after a while the political class just enjoys crypto junk they are handed by their nations best.
      How can a small set of a nations experts stand up to their own political c
  • Make the top of the case clear so that the physical modifications are easy to see and encourage reflashing of images to checksumed versions.

  • by NotSoHeavyD3 (1400425) on Monday May 19, 2014 @08:28AM (#47037221)
    Oh that's easy, your cisco hardware actually works. I'll be here all night folks. Try the fish.
  • In possibly related news, Russia is building their own Internet! [themoscowtimes.com] With central control! And domestic payment system! And in fact, screw the whole "inter" thing...

    Under a heart-warming name "Cheburashka". [wikipedia.org]

    Not sure if this is directly related to the 28% Cisco orders decrease.

  • Too late (Score:5, Insightful)

    by sjbe (173966) on Monday May 19, 2014 @08:42AM (#47037289)

    Problem is that there is pretty much no possible way Cisco can put the toothpaste back in the tube. They have no simple way to prove to potential customers that their gear hasn't been hacked or compromised in some way. The actions (real or perceived) of the NSA have basically screwed a number of US companies in overseas markets where security is any sort of a concern.

    Basically even the perception that the NSA may have compromised the equipment is enough to keep people from buying Cisco. Of course then the question becomes who do you trust? The Chinese make a lot of gear but they are probably trusted even less than the Americans if anything. Unless the gear is manufactured domestically under supervision it's unclear how you ensure that no one has introduced undesirable code/hardware.

    • They have no simple way to prove to potential customers that their gear hasn't been hacked or compromised in some way.

      Maybe ask Apple for help, since they allowed them to use the name "iOS" for their operating system. The essential parts of the operating system on iOS are signed with Apple's private key and don't work otherwise. Even if there was a "jailbreak", you can reset an iPhone and you know that all hacks are gone. The phone also allows new OS software only if it is signed by Apple. That should be equally possible on an Cisco router. (You can get around this with a jailbreak, but the important point is that at a cus

      • by yacc143 (975862)

        Well, as we already know, private keys in the US not necessarily private.

        Even a simple court order might end up with giving normal "law enforcement" personal access to the private key.

        The NSA does not operate with THAT much publicity.

      • The phone also allows new OS software only if it is signed by Apple. That should be equally possible on an Cisco router.

        If Cisco can monitor your gear, so can the NSA. You are presuming that Cisco actually is not in cahoots with the NSA. While it is certainly possible Cisco is not working with the NSA, a foreign buyer cannot assume that is true because they have no way to confirm.

    • by MobyDisk (75490)

      enough to keep people from buying Cisco

      Do we think that it is just Cisco routers that are affected?

    • It's really hard to believe Cisco did not know about this. They were either cooperating (even if just by turning a blind eye) or incredibly incompetent. As you say, it will indeed be very difficult for them to gain anyone's trust.

      It would probably take them all but 5 minutes to have one of their Chinese employees dump the firmware and compare the checksums to known vanilla sources. I can't believe a large company wouldn't have this as part of their regular process.

    • by drinkypoo (153816)

      You know, if you buy hardware and a support contract, you want to download the latest (and/or greatest) image for your device and reflash it yourself anyway. So how are all these people getting compromised in the first place? I never trust a cisco product will work properly until I flash IOS (or whatever) to it myself and see it flash without error.

    • The only solution is to have your military build your own network gear from scratch, using your own designs, using chips made in your own chip fab. Everything top to bottom designed and built by your own people. Then you can trust everything to work properly and not spy on you. Note that most countries are not willing or able) to manage this.
  • Don't complain. Sue. (Score:4, Interesting)

    by Karmashock (2415832) on Monday May 19, 2014 @08:50AM (#47037335)

    Don't complain. Sue.

  • Feeling ashamed (Score:5, Insightful)

    by Chewbacon (797801) on Monday May 19, 2014 @08:51AM (#47037347)

    ...to think 40 years ago we were on the brink of nuclear war with a country that did shit like this.

  • by felixrising (1135205) on Monday May 19, 2014 @08:53AM (#47037361)
    During the NBN infrastructure procurement process, apparently the USA provided intelligence to Australia indicating Chinese owned Huawei be excluded as a supplier . Not doubt to aid both Cisco's chances of winning the bid, whilst also providing an easy in for the NSA to get it's ears pre-installed in Australia's NBN well in advance. It certainly smells dirty to me...
    • by Spamalope (91802)
      And that gave the Aussies a hobson's choice. Be 0wned by the Chinese or Americans.

      It is possible that the Aussie spy agencies were working with the US to more thoroughly compromise Aussie network infrastructure.
  • by nimbius (983462) on Monday May 19, 2014 @09:05AM (#47037429) Homepage
    Organizational stagnation keeps cisco in the money. Their contracts are draconian, their prices are exorbitant, they bully IT departments that try to divest from them, and their support/documentation model is based on the 1970's approach to servicing a maytag washer. namely, that only the cloistered few shall have access.

    you might need them for carrier grade (whatever that means these days) equipment but largely their market share has diminished because of competition and open source. PF and IPTables solved the firewall part, CARP and keepalived solved redundancy, and asian companies like TPLink took what they learned from years of running Cisco factories and put it into a much more reasonable offering that doesnt include secret spy chips. that is unless you ask an american intelligence agency (whatever that means these days) in which case theyre riddled with evil and you need to keep buying Cisco.
  • Why! Cisco gear is actually manufactured in the USA. (As opposed to being outsourced to the cheapest outfit on the planet.)
  • Thank goodness Cisco has a champion of truth to appeal to.

    He'll, you know, speak truth to power! He'll battle the NSA on our behalf!

    He'll, he'll uh... Oh, never mind.

  • by Mark of the North (19760) on Monday May 19, 2014 @10:15AM (#47037951)

    Putting open source routing software on a rack-mount PC equipped with a few NICs is looking better all the time. Since the open source routing software solutions are getting quite good, this is doable. I did it and wouldn't go back:

    About three years ago I noticed that our Cisco routers were a bottle-neck, worryingly old, and I was the only member of my staff comfortable with their CLI. We definitely did not have the budget to buy new Cisco routers, so I looked into HP and D-Link layer-3 switches. They were still too expensive. We used OpenWRT on some wireless routers, so the idea of using open source routing software was not new to us. Tested using plain Linux as a router. That worked, but was (way) over my staff's head. Tried Vyatta on the same hardware. At that time Vyatta's web-interface was a joke, making it no better than plain Linux for our purposes. (The web-interface may have improved since then and as a virtual router in a VM environment, Vyatta looks quite good.) Untangle was decent, but all of the interesting features had to be bought, which nullifies most of the advantages of it being open source. Heard about pfSense on the Linux Action Show and gave it a try.

    Testing pfSense and learning its feature-set convinced us that it could do everything we needed (NAT, routing/firewalling between VLANs and the outside world) as well as do some other nice tricks (VPN concentrator, web caching/filtering, nice graphs of important stats, logging web usage, acting as a DHCP and DNS server, etc.). Basically, pfSense does everything that OpenWRT does and more since it expects to be run on more powerful standard hardware. Since it runs on standard hardware, the community isn't as fragmented as with OpenWRT, and more of pfSense's users are applying it in a professional environment, so the community support is quite good. The paid support is excellent. Being able to replace a failing router or NIC with something we had on the shelf is nice too.

    So we had an open source routing solution that fit our needs, and much better than Cisco's offerings. But shifting all of our routing from Cisco to pfSense was a bold move. The Huawei story was the clincher for us. If Huawei did it, Cisco could too. That realization lead to my decision to always use an open source solution on network edge devices. This story seems to support that decision.

  • by ogdenk (712300) on Monday May 19, 2014 @11:00AM (#47038307)

    Instead of buying backdoored equipment that's been tampered with by NSA employees, I replaced a $6,000 Cisco AVA box with a 1U dual-core atom box running pfSense for about a grand. I've also reflashed the various WRT-series routers in the field with DD-WRT. ....And now our official new IT policy is "thou shalt not buy Cisco/Linksys gear".

    Way to go NSA, you sank what little remains of the US tech industry. And it's not Snowden's fault in the least for revealing the crimes and assault on our liberty at the hands of the NSA. It's the NSA's fault for committing the serious crimes against their own people in the first place. They should be shut down, tarred, feathered and put on trial for becoming domestic terrorists. Don't tread on me.

    • by thygate (1590197)
      The incentive to switch to secured Linux flavors for ALL operations has never been so high in EU organizations, both private and government. Companies most affected by this will be MS, Cisco, Apple and the likes.. You did this to yourself USA, don't come crying now.
  • by gelfling (6534) on Monday May 19, 2014 @11:44AM (#47038667) Homepage Journal

    He can fix all the things.

He's dead, Jim.

Working...