437

Counterfeit Cisco gear ended up in US military bases, used in combat operations (arstechnica.com)

submitted 2 months ago by jeffw@lemmy.world to c/technology@lemmy.world

37 comments fedilink hide all child comments

top 37 comments

sorted by: hot top controversial new old

[-] tal@lemmy.today 92 points 2 months ago

This sounds like a lot of things were going wrong. Okay, first you had the guy committing fraud.

But why is the military sourcing its network hardware from random small resellers off Amazon? Like, even if the hardware were authentic, that seems like a route for potential trouble.

And it sounds like questionable stuff is getting into Cisco's official supply chains, too:

That same year, Al Palladin, Cisco's legal director of global brand protection, told CRN that even authentic Cisco channel partners were acquiring products outside of Cisco-authorized means because it was faster.

[-] RobotToaster@mander.xyz 42 points 2 months ago* (last edited 2 months ago)

The military isn't buying from Amazon, they buy from "xyz hardware supplies ltd", who buy from Amazon and charge three times the price to the military.

Some will be companies that specialise in sourcing obsolete hardware, who just buy shit off Amazon/eBay and issue the correct paperwork.

I've read that the US government has to give preference in contract bids to small businesses, veteran owned, woman owned, etc, businesses, which is great in theory, but it can create situations like this.

[-] Transporter_Room_3@startrek.website 19 points 2 months ago

It's insane to me all the different ways the government procures things.

Just get it straight from the manufacturer. Then if anything ever goes wrong there isn't the "who is REALLY to blame on this long chain of people" it's "hey this shit is broken, YOU are responsible for it"

Of course sometimes they do it as a form of opsec, if you distribute parts across many small time sellers it's easier to hide something than one big order from the primary source.

[-] RobotToaster@mander.xyz 17 points 2 months ago

I suspect the plausible deniability of responsibility is a feature not a bug to many of the bureaucrats.

[-] CheeseNoodle@lemmy.world 14 points 2 months ago

The beurocracy must expand to meet the increasing needs of the growing beurocracy.

[-] rottingleaf@lemmy.zip 5 points 2 months ago

And more complexity is always good for corruption, since every additional kind of complexity introduces gray areas where it's unclear who's to blame.

[-] catloaf@lemm.ee 0 points 2 months ago

Did you not read the comment you're replying to? They mentioned obsolete hardware. Cisco does not sell obsolete hardware.

[-] kent_eh@lemmy.ca 13 points 2 months ago

but it can create situations like this.

Only if proper vetting of the contractor isn't done. That part of the process should happen regardless of who the contractor is.

[-] rottingleaf@lemmy.zip 7 points 2 months ago

I'm sorry, but such things happen in countries with no preference to small businesses and veterans etc.

I'm almost confident that somebody involved in choosing that supplier got a cut.

After all, US military budget is so ridiculously big that not having such kinds of corruption would be weird.

[-] JJROKCZ@lemmy.world 9 points 2 months ago* (last edited 2 months ago)

I’ve bought Cisco equipment from verified vendor partners before, put in legit Cisco SFPs, router bricked itself and when I opened the TAC case they said it was mimic device and sent me a new one to arrive within 4 hours since it had been ordered from an approved partner. This shit happens somehow

[-] just_another_person@lemmy.world 9 points 2 months ago

Probably a fairly sophisticated espionage operation.

[-] No_Eponym@lemmy.ca 3 points 2 months ago* (last edited 2 months ago)

Al Palladin

[-] Daqu@lemm.ee 51 points 2 months ago

These fake cisco devices might be less vulnerable than the real devices.

[-] s7ryph@kbin.social 18 points 2 months ago

Love the sentiment but they were flashing old devices so the likely had lots of vulnerabilities.

[-] Jas91a@lemmy.world 37 points 2 months ago

That's capitalism with a military contractor increasing their profits.

[-] RememberTheApollo_@lemmy.world 3 points 2 months ago

But capitalism good!

[-] lud@lemm.ee 2 points 2 months ago

Or it's a surveillance attempt by someone.

[-] bravesilvernest@lemmy.ml 30 points 2 months ago* (last edited 2 months ago)

I read this as "counterfeit Costco gear" and the only thing* I can think is that they'll at least have plenty of giant bags of chips

[-] jeffw@lemmy.world 8 points 2 months ago

At one point I had Cisco and Costco in my stock portfolio and that was pretty confusing lol

[-] possiblylinux127@lemmy.zip 25 points 2 months ago

That's.... Bad. Like really bad.

Why is this allowed by the DoD?

[-] randombullet@programming.dev 19 points 2 months ago

Because the DoD isn't as organized as many perceive. Source: me

[-] BaroqueInMind@lemmy.one -2 points 2 months ago

How are you your own source? Doesn't make sense.

[-] randombullet@programming.dev 10 points 2 months ago

I'm a network engineer in the DoD lol

[-] nrezcm@lemmy.world 1 points 2 months ago

Sources on this?

[-] BaroqueInMind@lemmy.one -2 points 2 months ago

That dude gives "trust me bro, my dad works for Nintendo" vibes.

[-] CyberDine@lemmy.world 9 points 2 months ago

The DoD will soon be requiring itself and Contractors to start following Rev 5 of the NIST SP 800-53 Risk Management Framework. In this revision are more robust controls for Supply-side security, which the DoD has been trying to incorporate for over 10 years.

Americans should know that the military and DOD and it's contractors do their best to purchase authentic hardware from reputable vendors, but there are exceptions and alternate procurement allowances if the need is great and the standard more secure lines are unavailable or simply on back order.

It's usually then that some of the fake hardware makes it into use

[-] naticus@lemmy.world 4 points 2 months ago

800-53 Rev 5 is such a pain in the ass to implement fully but holy shit is it much needed. Bad actors out there everywhere and if followed to the letter, those controls will save you almost every step of the way. "Almost" because there will always be a new method to infiltrate an organization or agency, but the damage control built into these controls should lessen the impact regardless.

[-] henfredemars@infosec.pub 5 points 2 months ago

It’s big and complicated. Keeping track of where supplies are coming from is a difficult task. You can’t police every employee at all times let alone every purchase.

[-] possiblylinux127@lemmy.zip 2 points 2 months ago

You can at least avoid Amazon

[-] Notyou@sopuli.xyz 4 points 2 months ago

Haha. This is a good one. They used to (maybe still) not allow 3rd party sellers like eBay, but Amazon has been used for a long time. I'm not sure why one was okay but not they other. Anyway, they would take a big operational hit, if they couldn't use Amazon.

Say a system goes down during a critical time, either training or a real mission. They need a part that they could order overnight and have it up by morning or maybe sooner if it's on that Amazon now thing. Or they could wait and try to source it out. Hope you can contact them, depending on the time. A lot of places that make equipment for the government have business hours. Depending on contracts and everything there would be a lot to get into, but the point is buying for Amazon is sometimes the best place to get the item from in a quick manner.

[-] possiblylinux127@lemmy.zip 2 points 2 months ago

Ands that's why you have backups and spares.

[-] Notyou@sopuli.xyz 3 points 2 months ago* (last edited 2 months ago)

I agree and there is for certain known vital pieces that go down. Sometimes other parts go down or a part and the backup won't work.

The DOD has been trying to save money by lowering the on hand stock of the using unit and having most of what they need at a higher level. That higher level might be off and not able to support.

[-] catloaf@lemm.ee 3 points 2 months ago

It's not.

[-] tearsintherain@leminal.space 20 points 2 months ago

$$$$$ "The 2022 audit, released in November, marked the fifth year the Pentagon had failed its audit (the process started in 2017)."

Jon Stewart blasts ‘corruption’ in Pentagon spending

“Now, I may not understand exactly the ins and outs, and the incredible magic of an audit. But I’m a human being who lives on the Earth and can’t figure out how $850 billion to a department means that the rank and file still have to be on food stamps,” Stewart said. “To me, that’s fucking corruption. And I’m sorry. And, if like, that blows your mind and you think that’s like a crazy agenda for me to have, I really think that that’s institutional thinking, and that it’s not looking at the day-to-day reality of the people that you call the greatest fighting force in the world.”>

[-] lud@lemm.ee 12 points 2 months ago

I wonder why they can't just buy straight from Cisco, surely they are big enough and the equipment is sensitive enough for that to make sense.

[-] umbrella@lemmy.ml 12 points 2 months ago

this almost 100% means someone was gathering inteligence.

counterfeit or otherwise messed with hardware wont just pop up on military operations.

[-] pewgar_seemsimandroid@lemmy.blahaj.zone 4 points 2 months ago

nortel 2.0.

this post was submitted on 04 May 2024

437 points (98.9% liked)

Technology

55674 readers

3004 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS