DoJ Alleges Cisco Reseller Made $37 Million Selling Counterfeit Equipment
netbuzz writes "The latest scam involving stolen and/or fake Cisco equipment may also be one of the largest, as the Department of Justice says a 43-year-old San Jose-based reseller accumulated $37 million in ill-gotten gains over a period of years that he then poured into real estate and luxury cars. The feds say the guy also used part of the loot to set up college funds for his four children. At least four other such scams have been perpetrated against Cisco in recent years."
The moral of the story is... (Score:1, Troll)
Re: (Score:2)
Re: (Score:3, Interesting)
Cisco engineer here. We don't modify our equipment for anybody beyond basic CALEA-type compliance requirements. We don't even market ourselves for interception/monitoring type roles in most cases. There is a ton of money in other, less politically contentious areas.
Hope this sets some of the record straight.
Re:The moral of the story is... (Score:5, Insightful)
Intel engineer here. We get the same shit. Everyone thinks we fill the chips with back doors when we don't.
As a low level engineer, why do you assume that you would know about the back doors?
Re: (Score:1)
Why do you assume it's easy to engineer "back doors" into ICs?
Re: (Score:2)
It doesn't have to run a TCP/IP stack and phone home, it could be as simple as an undocumented instruction that would branch to an arbitrary memory location, allowing anyone who knows about it to write exploits against the system.
Re: (Score:2)
And why do you assume he/she is "low level"?
Because she/he doesn't know about the back doors.
A quick question (Score:2)
Intel engineer here. We get the same shit. Everyone thinks we fill the chips with back doors when we don't.
Aircraft instrument software designer here.
I once took some time to consider what it would take to hack the software I was writing. IOW, if I wanted to put a backdoor or vulnerability that could knock a plane out of the sky, how would I do it?
I did some research into underhanded C [xcott.com] and such like, and tried to come up with a way that I could do it. (And came up empty - unlikely with so many eyes looking in-depth at the final product.)
Question for you: Have you ever done that? Have you looked at your dev proce
Re: (Score:2)
I once took some time to consider what it would take to hack the software I was writing. IOW, if I wanted to put a backdoor or vulnerability that could knock a plane out of the sky, how would I do it?
You aren't really in the ideal place to do the actual backdoor injection.
The simplest position to install the backdoors is just to load a custom altered firmware before shipping; or even after shipping at the reseller or maintenance level.
Re: (Score:2)
Considering most planes are done with fly-by-wire and PLCs, you're right. It would be easier to slap a modified firmware into the PLC and no one would even know.
Re: (Score:1)
if I wanted to put a backdoor or vulnerability that could knock a plane out of the sky, how would I do it?
You don't put the backdoor in your code. Too many people would check that. Instead, you put it in the toolchain: you hack the compiler to insert the backdoor when it detects a certain innocuous pattern in the source code. Likewise, if you want to put a backdoor in an IC, you hack the Verilog/VHDL compiler to insert it.
The definitive description of this technique is Ken Thompson's talk, Reflections on Trusting Trust [bell-labs.com].
Re: (Score:1, Funny)
Cisco engineer here. We don't modify our equipment for anybody beyond basic CALEA-type compliance requirements.
That *you* know of.
Re: (Score:3)
Cisco engineer here. ...We don't even market ourselves ... in most cases
In other words, we don't except when we do.
Re: (Score:2)
Re: (Score:1)
HO scale engineer here. I'm sure the words posted AC on Slashdot have assuaged our ignorant misguided concerns and fears. I know I feel better already.
Cisco engineer here. We don't modify our equipment for anybody beyond basic CALEA-type compliance requirements. We don't even market ourselves for interception/monitoring type roles in most cases. There is a ton of money in other, less politically contentious areas.
Hope this sets some of the record straight.
Re: (Score:2)
And we believe you why exactly? The problem is not that cooperation with the NSA would be profitable for you. The problem is that _not_ collaborating would be hugely unprofitable. And once you are in, they own you. If they leak that there are NSA back-doors in your products, you are done.
Sorry, but not credible. In addition, CALEA is bad enough. You have absolutely no business doing that. If there are such requests, it is the job of the owner of the equipment to copy a port or the like, but not yours.
Re: (Score:2)
Re: (Score:2)
"Tough choice. Go with Cisco and get spied on by the NSA or go with Huawei and get spied on by the Chinese. Hmm at least the Chinese only want your money!"
Not much of a choice. Don't you keep up with the news? Go with Cisco and get spied on by both the NSA and the Chinese (cheap chips with potential back doors) and Cisco!
Best to just stay away from them altogether.
Re: (Score:2)
Cisco is what my friends who want to be network admins buy shortly before their home networks (including their self-hosted mail servers) go offline because it takes them forever to figure out how to configure the #$@# things!
Scams against Cisco? (Score:4, Insightful)
How is this a scam against Cisco?
They won't let you put smartnet on a used device, so not like they have to support it. This is a scam on Cisco customers, not Cisco.
Re: (Score:1)
This is 'Merica, remember? That someone is receiving profits that should have gone to a corporation is far, far more important than the fact that some proles bought counterfeit goods.
And he had the nerve to use those ill-gotten gains to ensure an education for his offspring? SCUM! TRAITOR! To the gas chambers with him!
Re:Scams against Cisco? (Score:4, Interesting)
I assume that it is treated as a 'scam against Cisco' because their precious, precious IP rights were violated in building and branding the counterfeit gear(I'm just guessing that counterfeit shops don't exactly bother with doing cleanroom re-implementations of 100% Cisco compatible gear, which might actually be legal, save any exciting patents involved; but would also be far more valuable to one of Cisco's competitors than it would be to some slimy flea-marketeer...) and the individual customers who got stiffed aren't the ones with the resources to push a successful investigation and prosecution.
(It's also possible that, depending on what parts were on offer, the customers didn't really suspect they were getting genuine goods; but the price was good enough that they didn't much care, in which case they probably aren't lining up to tell the feds their tale of woe.)
Re: (Score:1)
branding the counterfeit gear(I'm just guessing that
I'm offtopic here (checking the "no bonus" boxes), but I notice you continue to omit the needed space between "gear" and "(I'm just guessing)". Your comments would be more readable (and more easily taken seriously) if you followed centuries old proper formatting rules.
Minor nit, far better than some folks here's "todays special's" or "there car is over their". If I were moderating I'd probably have modded you up despite the rather annoying mistake.
Re: (Score:2)
Minor nit, far better than some folks here's "todays special's" or "there car is over their".
Is that a joke or are you just really bad at grammar trolling?
Re: (Score:2)
Tough room... I'll get my coat.
Re:Scams against Cisco? (Score:4, Informative)
So, if everyone else in this thread is done guessing or waxing idiotic, I'd like to point out that, per TFA, he was buying not just counterfeit equipment, but actual stolen Cisco goods from Cisco employees.
Re: (Score:2)
You read the article?
Do you know where you are?
Re: (Score:2)
I would bet that the people who were really scammed were the businesses that bought it. They paid Cisco prices for non-Cisco gear.
And I wonder how many purchasers were in on this, getting cash kickbacks for signing invoices for Cisco gear and getting hot/fake hardware.
I would bet that more of that goes on than you might think. There's so much hardware that nobody ever sees, it seems like it would be so easy to fill those remote wiring closets and field offices with counterfeit equipment, sign an invoice
Re: (Score:2)
They won't let you put smartnet on a used device
I SmartNET used devices from NHR several times a month.
College Funds? (Score:2)
Do you need to earn "Crime pays" kind of money to fund college funds for 4 children in America?
I don't know whether he wants his kids to have a good education or whether he thinks they'll make better master criminals with a degree & a job in Wall Street :)
But at the very least he thinks a child's education is important, which is more than most.
Re:College Funds? (Score:5, Insightful)
Do you need to earn "Crime pays" kind of money to fund college funds for 4 children in America?
Yes. It's why there is a TRILLION dollars in student debt.
http://www.asa.org/policy/resources/stats/ [asa.org]
--
BMO
Re: (Score:3)
The education bubble is LONG overdue to bust. People are graduating with more student loan debt than a nice house costs and finding they can't get jobs (because what can you REALLY do with that degree in 16th Century Feminist Studies?)
Colleges and universities are going to have to prove their value from scratch again by remaking themselves into efficient operations that do not waste their customers' money and deliver their product at a reasonable cos
Most fake Cisco gear is real... (Score:5, Informative)
Re: (Score:2)
The manufacturers overseas tend to just sell these rejects out the backdoor rather than destroy them.
Why don't they simply repair them? Is this "all or nothing" stuff applicable to everything today? When a carmaker builds a car and the final inspection reveals a cracked plastic on the steering wheel, do they scrap the whole car or what?
Re: (Score:2)
There are several hundred components and solder connections on any piece of hardware, any one of which could cause intermittent problems. The testing can be done as part of the assembly process, but that doesn't mean there are people in the factory who have the background and time to troubleshoot problems with any particular product.
Most things today are designed to be field replaceable units - the whole thing gets replaced if it's not working. A $10k product may have hardware that costs $50, so it's easy
Re: (Score:2)
Too expensive as these things are not built to be repaired. Cars are as customers would not buy them otherwise, as they are too expensive.
They're just pissed off (Score:2)
the counterfeits had no back doors for the NSA to snoop on through.
Re: (Score:2)
Exactly! Wait until they charge the guy with "terrorism" and "aiding the enemy"!
This is impossible (Score:3)
Re: (Score:1)
Cisco sell and are supported by a number of "value added resellers" who will provide whole systems designed to a spec. So multiple bits of gear for the same installation all strung together. Also they become the first port of call for support. So you can get away with it for a while by having fake VARs selling fake gear.
Pfft.... Cisco brought it on themselves, largely. (Score:4, Insightful)
I'm not saying any of this counterfeiting of gear is legally or morally "ok" -- but Cisco has LONG been inflating the prices of their equipment FAR beyond what it's reasonably worth, given the components inside.
I remember at least 10 years ago opening up one of the Cisco PIX firewalls our company had recently upgraded to, and discovering it was essentially a Pentium class PC motherboard and CPU inside. They were charging all that money for standard (outdated at that point) PC hardware, crammed into a Cisco labeled rack mount case.
More recently, one of our branch offices had their Cisco router/VPN die on me. The office moved to a new location and all I did was unplug the power to it, move it to the new office down the road, and plug it back in. It refused to power on at all .... totally dead. At first we assumed it might just be a bad AC power adapter, but nope. The whole unit was defective. (Finally found a Cisco tech document online mentioning the issue. Supposedly early revisions of this unit had a problem where they could get caught in an endless loop after a power cycle and never come back up. Nice!)
The worst part? All of the office's complex configuration settings were in the old, dead router. Luckily, they were saved on a CF memory card in the unit, so I took it apart and pulled the card out. When my boss went through the big song and dance to get Cisco to send us a replacement router and open an RMA for the dead one, I swapped the flash cards. It worked, but only sort of.... Turns out every connection made beyond the first 10 were getting nowhere, because all the licensing we had didn't transfer over. Cisco ties that part to each unit's serial number. So the office was down for hours while we fought again to get tech. support to do a license transfer to the replacement router.
I fail to see what point there was at all to forking out the money for real Cisco gear, when it failed us like that AND was made so artificially difficult to get back up and running again? If we had used some cheaper, off the shelf product (like D-Link or what not?), we could have easily gotten another new unit going with far less downtime and had the ability to keep a spare around for the price of the 1 Cisco.
The counterfeiters wouldn't be targeting Cisco so heavily if they weren't aware of the huge price markup on the stuff in the first place.
Re: (Score:2)
I'm not a Cisco fan, but you're not factoring in the cost of Cisco R&D, testing, documentation, software development, which all adds up to billions of dollars for them. Most of it is probably not very efficient any more due to their size, which is why younger companies like Juniper or Polycom or Cyan can offer more for less, depending on the type of equipment you're after. Still, it's not like Cisco could sell their products for 10% over the component cost and not immediately start hemorrhaging money.
Re: (Score:2)
So you're saying I:
#1. Should NOT be upset that a costly piece of critical networking infrastructure gear just went DoA by simply powering it down and back up again, despite only being a couple years old?
#2. Should have done some sort of backup which would easily let me restore all the settings into the replacement device AND allowed the licensing from the original unit to come over to the new one without Cisco's assistance?
#3. Yes, upset that the license was tied to a dead device and nobody on Cisco's p
re: sold something not needed (Score:2)
You make a valid point, in our situation, most likely. To be clear, we're just talking about one of Cisco's lower end VPN routers though, which Cisco itself claims is suitable for the purpose and scope of what we're doing with it. But my point is, even this device sells for north of $1,200 PLUS fees for maintenance contracts on it and more for the upgraded license allowing more than 10 simultaneous connections to be routed. The offices relying on these things have no more than 10-15 people in them, tops,
Re: (Score:2)
Great story of bad network administration by the way. You don't take config backups (using a free tool like rancid [shrubbery.net]) and don't know that your hardware has a software license key that needs to be transferred, but somehow your ignorance is Cisco's fault.
I really do not understand how people like you stay employed in
How can you counterfeit hardware? (Score:2)
Shouldn't it be obvious from the moment you try to get it TO WORK that the hardware is counterfeit and doesn't work?
How does such a "business" last long enough to make tens of millions of dollars?
Re: (Score:2)
Ah, you've never had the joy of working with Cisco gear have you?
There are so many different models out there, with different firmware. Each firmware supporting a slightly different feature set. Going from telnet to SSH can be a pain, and if you're on an older router and want to use private keys then you're sol. Add to that the fun command syntax ('no shutdown' is the same as ifconfig up) and you have a winner.
People buy Cisco because it's well known with good but expensive support contracts. No one got
4 kids (Score:2)
Well... with four kids to put through college at these days' ridiculous prices... can you blame him?!?!