Cisco To Pay $8.6 Million Fine For Selling Hackable Surveillance Tech (sfgate.com)
Cisco has agreed to pay $8.6 million to settle a claim that it sold video surveillance software it knew was vulnerable to hackers to hospitals, airports, schools, state governments and federal agencies. SFGate reports: The tech giant continued to sell the software and didn't fix the massive security weakness for about four years after a whistleblower alerted the company about it in 2008, according to a settlement unsealed Wednesday with the Justice Department and 15 states as well as the District of Columbia.
Hackers could use the flaw not just to spy on video footage but to turn surveillance cameras on and off, delete footage and even potentially compromise other connected physical security systems such as alarms or locks - all without being detected, according to Hamsa Mahendranathan, an attorney at Constantine Cannon, which represented whistleblower James Glenn. The settlement marks the first time a company has been forced to pay out under a federal whistleblower law for not having adequate cybersecurity protections.
Always better (Score:1)
To ask for forgiveness than ask for permission. Has there ever been a corporate fine that has deterred future actions? It's all just cost of doing business.
Re: (Score:1)
To ask for forgiveness than ask for permission. Has there ever been a corporate fine that has deterred future actions? It's all just cost of doing business.
This is one of the reasons hardware with OSS software is just better. If you find bugs in the software, even a decade after the company is gone, you can, if it makes economic sense, fix it, then reinstall all the software.
Most of this stuff should be to the point where you can basically plug a semi customized USB drive in, or maybe press a button to force a reload from a server that could only be reached from the private LAN. There are security details to deal with there, but nothing that hard.
Re: (Score:2)
Corporate fines are a really shitty way of handling quality. Maybe a few cases, but in general, these cases are much better handled via standards.
Imagine if we didn't have any building codes, professional engineers, professional trades... Companies and projects would come up all the time whose bridges and buildings would collapse. Sure, you could sue the company, but bankrupting firms and firing workers is no good. Plus it's costly and time consuming and, most importantly, it wouldn't bring up the lost lives o
Profit! (Score:5, Funny)
Step 1) Mandate backdoors
Step 2) Prosecute for having hackable tech
Step 3) Profit!!!
Duty of Care -almost Negligence (Score:1)
What a weak fine. They knew, they did nothing. The consequences were foreseeable.
They perhaps even get away with not sending an email to all customers saying they lost a court case, and sat on their asses for four years.
Oh, and the backdoors and extra accounts thing. How about refunding those 'software maintenance' fees as well, with interest.
The lawyers should have asked about software maintenance fees over the 4 years.
Purchasers should evaluate and score suppliers' 'reliability in everything'. Cisco has so
That will help (Score:5, Insightful)
If anything, this will encourage them to continue their shoddy and malicious business practices and intensify them. That fine is a complete joke and will probably not even influence the bonus of the people that made all these bad decisions.
Re: (Score:2)
Cisco tech should be banned from all government use. Every other country should ban imports.
Maybe when they have demonstrated a complete change of culture, proper external security audits, and they are willing to share source code with foreign agencies they can start to be rehabilitated.
Re: (Score:2)
Indeed. But I doubt they can be rehabilitated. Too corrupt and rotten. Let them die.
This is about BroadWare, not Cisco (Score:1)
Cisco just got stuck holding the bag on an acquisition. Shame on them for sucking at due diligence.
According to the complaint, at the time of disclosure, this was a BroadWare product, and Cisco hadn't even legally acquired them yet.
The timing was all about gaming the system, waiting until a highly profitable target could be found, since BroadWare wasn't profitable or big at the time.
Considering that the surveillance software in question was dismantled and effectively rewritten within a year (not four), it's kin
What about all the other shitty software? (Score:2)
A drop in the bucket (Score:2)
"Cisco has agreed to pay $8.6 million to settle a claim..."
$8.6 million? Shit, that's not even a rounding error in Cisco's bookkeeping.
They likely made hundreds of millions or more from the sale of this vulnerable equipment.
The moral of the story is, "Crime pays!"
If it's not OSS, you can't trust it (Score:2)
Ideally it should be Free Software so that you know you can reasonably build your code from sources.
I have a Linksysisco wifi router; I would never ever have bought it if I couldn't load OpenWrt et al. And then I did that. Trusting Cisco is right up there with the all-time blunders, like starting a land war in Asia.
Better call (Score:2)
Hackers could use the flaw not just to spy on video footage but to turn surveillance cameras on and off, delete footage and even potentially compromise other connected physical security systems such as alarms or locks - all without being detected
"YOU HAVE TO STOP HIM! Mr. White can't keep getting away with it!"