RSS
Twitter
Should We Be Concerned That The Military Will Use Counterfeit Routers Bought Off eBay?
from the it's-not-pretty dept
There was a story last week that got a lot of press about how the FBI discovered that the military was using a ton of counterfeit technology equipment, including thousands of fake Cisco routers. Dan Wallach has an excellent writeup looking at the security implications of what happened. From the description, it certainly doesn't sound like any of the equipment was found to include any kind of questionable technology for spying, but the point is that it would have been easy enough if someone had wanted to do so. Basically, the background is that while the government only buys equipment from approved vendors, those vendors can subcontract out the actual tech purchases to anyone. That leads to situations where (no joke) one subcontractor purchased a bunch of fake routers off of eBay and then resold them to the government via an authorized vendor. Or, try to follow the details of the case of the US Navy contracting with Lockheed Martin for equipment. Lockheed outsourced the deal to an unauthorized Cisco reseller as a subcontractor. That subcontractor turned to its own subcontractor who (yup, you guessed it) hired another subcontractor who shipped the equipment straight to the Navy. If you lost count, that's five layers deep, with most of those layers having no real oversight on what they did. You would think the government (and especially the military) would be a bit more careful in where it sourced its products from, but it certainly doesn't seem as though that's the case at all. Given all that, it's almost difficult to believe that compromised equipment hasn't been sold to the government at some point.
Reader Comments
(Flattened / Threaded)
All encryption is decipherable.
All equipment is or can be potentially compromised.
All ur bases r belong 2 us.
Clearly this breakdown of government contractors needs to be investigated and addressed, but one large lesson learned is the value of end-to-end encryption. Cryptography that stays technologically ahead of attempts to thwart it.
I hate to say that "obscurity" is the best solution, but if we continue to shake up our encryption protocols, dilute sensitive information in a flood of nonsensical garbage and challenge authenticity ultimately end to end, the equipment in the middle of a cloud is less of an attractive target.
(reply to this comment) (link to this comment)
Re:
Nothing wrong with obscurity. Just as long as it is not the only solution. There is nothing wrong with it being a part of the solution. People act as though it's a bad word all together.
(reply to this comment) (link to this comment)
If the military finds that the routers are substandard then they should return them, or get compensation from the FIRST contractor. The military has nothing to do with any sub contractors.
If they can enforce good quality with the first contractor, then they will get a good product, whatever the number of subcontractors.
(reply to this comment) (link to this comment)
Let's trust everything to computers!! Bank Accounts, Energy Production, National Defense, Vote Tallies..
sounds like a bad Sci-Fi, huh?
(reply to this comment) (link to this comment)
Outside of the security implications, how great is it that the government is overpaying for these services/products by such a huge margin, that four levels of markups can be charged along the way, while still coming in at a price that the government is willing to pay?
(reply to this comment) (link to this comment)
So Bruce Willis was right "Live Free or Die Hard"... it's a Fire Sale!
(reply to this comment) (link to this comment)
worse yet.....
What's really scary is that most equipment and work on overseas bases is provided by the host country.
When I was stationed in Korea I worked with Top Secret, intelligence gathering, computer systems that were basically the key to any war time decision making.
When we needed new equipment or needed any infrastructure work done we had to use Korean contractors. We did an upgrade of the entire system about halfway through my tour and most of the work was done by Korean contractors. Tell me how much sense that makes. Do you honestly think that they haven't planted equipment that allows them to see what we are working on?
Our govt acts as though they are concerned with national security yet they give away the keys to kingdom all the time. This stuff going on with fake routers doesn't surprise me one bit.
(reply to this comment) (link to this comment)
Re: worse yet.....
It's the same in Iraq and Afghanistan. Locals are hired for kitchen, laundry, and janatorial jobs and the MI officers stand around confused as to why motar attacks on the bases tend to be so accurate...
In 'Ghan they hire a local contractor to wire the metal storage containers that were converted to apartments (don't ask) and the whole thing is done with one color of wire, cables running through puddles, and no grounding.
I will not let a local anywhere near my communications networks and I buy the equipment myself and inspect each unit personally.
(reply to this comment) (link to this comment)
Re: Re: worse yet.....
Your are the exception... most Gov agencies hire it done, and if it works, and sometimes when it doesn't, writes a check. Then the equipment is out-of-site out-of-mind until there is a problem and then it is too late to go back to the contractor.
We had the same problem in Viet Nahm hiring locals who would pace off the size of the compound and any high-value targets. Next day the mortars would come in with pin-point accuracy.
To have integrity, the military need to do it all, that is why we have cooks, bakeries, laundry units, etc. in the military, and the soldiers have to take their turn at gurad, shit burning, etc.
Some day we will study the lessons learned from pat conflicts and apply them to current one...
nrk
(reply to this comment) (link to this comment)
Re: worse yet.....
maybe things have relaxed a bit since i was in the service in the 90's, but when it comes to classified materials the equipment that is cleared for classified is clearly marked and the equipment that is not cleared for classified material is also clearly marked. there are separate networks (data and voice) for classified material.
information about the systems that handle classifed material (hardware vendors, versions of unix, etc.) is also classified, so if the phony brand name of the equipment was leaked, chances are it was for non-classified (though possibly still sensitive) material.
(reply to this comment) (link to this comment)
Re: worse yet.....
Using the same suppliers and contractors as the South Korean government would be the best bet in that situation; if their security's been compromised by agents from the North you're screwed anyway.
(reply to this comment) (link to this comment)
Registration
Whats also pretty bad is Cisco has a pretty good registration system for their equipment. And like most higher end network equipment, Cisco maintains records of what vendor has sold what S/Ns. Yes in some circumstances registration is a bit cumbersome, but in most cases equipment needs to be registered with the inventory system anyway...its not that much of a stretch for supply officers to query the databases and confirm IDs with OEM on a routine basis.
(reply to this comment) (link to this comment)
Been there. Called the cops.
My IT manager here at *.gov (where we have substantial security concerns) has been sold counterfeit equipment. However, we bought it directly and saw it for what it was. A call to the U.S. Marshall's office straightened everything right out. IMHO, Federal acquisition regulations are partially responsible for taking the buying decisions out of the hands of people who might know what they're getting, and putting it in the hands of folks that want low bid. Procurement agents are notorious for using their own (uninformed) judgement when buying technology (e.g. "This item is NOT 'or equal' dammit!")
(reply to this comment) (link to this comment)
Re: Been there. Called the cops.
Brilliant Davey. Thanks, I needed a good laugh today.
Definition:e.g = for example: as an example; "take ribbon
snakes, for example"
Your e.g. is an opinion, not an example. It contains hostile emphasis and swearing in just seven words. Good thing your opinion is humble. Keep it that way.
(reply to this comment) (link to this comment)
Re: Re: Been there. Called the cops.
Lighten up, dude. He was giving an example of something that might be said after purchasing agents make a bad purchase. If someone's phrasing on a blog post isn't perfect, you don't have to point it out every time if you can still tell what he's trying to say.
(reply to this comment) (link to this comment)
Re: Re: Been there. Called the cops.
I just looked at your name, Technical Purchasing Manager, and now I realize you made that post not just because you're neurotically pedantic (though you may be), but because you were feeling attacked. In other words, this is probably based on emotion and not reason, so never mind.
(reply to this comment) (link to this comment)
PHB: How do you reboot this thing again ?
Dlbrt: Like I told you, turn it upside down and shake,
(reply to this comment) (link to this comment)
They probably got a really good price on the counterfeit routers. Maybe they only paid $200,000 each for them instead of $500,000 each...
(reply to this comment) (link to this comment)
Add Your Comment