Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Networking Government Privacy Security

UPS Denies Helping the NSA 'Interdict' Packages 207

Posted by Soulskill
from the what-can-brown-do-for-you dept.
An anonymous reader writes "When Glenn Greenwald's book came out recently, one of the most startling revelations was that the NSA has been intercepting shipments of networking gear to add spyware. Cisco was one of the vendors whose gear was altered, and now their shipping provider has spoken up about it: 'UPS, which Cisco has used since 1997 to ship hardware to customers around the world, said on Thursday that it did not voluntarily allow government officials to inspect its packages unless it is required to do so by law. "UPS' long-standing policy is to require a legal court-ordered process, such as a subpoena, before responding to any third-party requests," UPS spokeswoman Kara Ross wrote in an e-mail to TheBlot Magazine. "UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments." In a follow-up e-mail, Ross said UPS had no knowledge of similar orders from the FBI, CIA or any other federal agency.' That sounds like carefully parsed language to me. 'Did not voluntarily,' 'unless it is required to do so by law.' Perhaps they're bound by a National Security Letter?"
This discussion has been archived. No new comments can be posted.

UPS Denies Helping the NSA 'Interdict' Packages

Comments Filter:
  • Guilty (Score:5, Insightful)

    by Noah Haders (3621429) on Friday May 30, 2014 @08:40AM (#47128181)
    Not voluntarily unless required by law? Why do companies release statements like this? It just makes them seem more guilty. Better not to say anything.
    • Re:Guilty (Score:5, Informative)

      by jythie (914043) on Friday May 30, 2014 @08:48AM (#47128249)
      Because 'we will never allow XYZ', while it makes for a good speech, would not be truthful or accurate, in fact it would be downright deceitful. I would consider such a statement to be a far greater indicator of guilt then even staying quiet since it is legally not an option.

      There is a huge difference between 'yeah, we will voluntarily do XYZ when asked' and 'we will comply with the law when required'.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        There is a huge difference between 'yeah, we will voluntarily do XYZ when asked' and 'we will comply with the law when required'.

        As it has become more and more clear that the Executive Branch believes that we are not under a rule of law but a rule of men, then it becomes more and more clear that "comply with the law" and the Executive Branch's "I am the law" basically makes all those "we will comply with the law' equivalent to "voluntarily do XYZ". I mean, sure, I have no doubt that the telecoms are run by

      • Maybe they are trying to make it obvious that they have been coerced into cooperating with the NSA using the only language they can legally apply?

        • Re:Guilty (Score:4, Informative)

          by Frobnicator (565869) on Friday May 30, 2014 @01:19PM (#47130539) Journal

          Reading the rest of the article (yeah, who does that) has more of the little gems.

          The quotes fro the headlines were from a PR drone. They write PR, but they don't know the actual secrets. They are not the ones who are called in to a private executive meeting with the legal team.

          When they question Mark Chandler, the executive general counsel who does hear the legal secrets:

          “We ought to be able to count on the government tonot interfere with the lawful delivery of our products in the form in which we have manufactured them,” Chandler wrote. “To do otherwise, and to violate legitimate privacy rights of individuals and institutions around the world, undermines confidence in our industry.”

          We ought to trust... people need to trust... because that is good for business.

          Chandler didn’t say if the company knew of the NSA interdiction program, nor did the executive acknowledge if Cisco participated in the interception of packages delivered to certain customers.

      • Interpretation of carefully worded equivocations is important specifically in this context of American corporations which are being compelled to do certain things and then not speak of them.

        Is there anything close RFC 2119 for the language that these companies are using. Or can we make one?

        We could help companies create stronger press releases and we could give journalists a primary source for parsing bullshit statements like "we are not collecting".

        Would anyone like to help start this project with me?

    • Re:Guilty (Score:4, Informative)

      by Anonymous Coward on Friday May 30, 2014 @08:52AM (#47128289)

      Yup. "required by law" is called an NSL.

      And you aren't allowed to talk about it either.

      • Except that they went on to state that they are not aware of any such court orders for their tech shipments.

        As I read it they are outright claiming that they have not allowed the NSA to inspect any of their Cisco shipments.

    • "Not voluntarily unless required by law"

      The phrase isn't a direct statement from the company PR but from an indirect quote ("said that"):

      "UPS, which Cisco has used since 1997 to ship hardware to customers around the world, said on Thursday that it did not voluntarily allow government officials to inspect its packages unless it is required to do so by law."

      Sloppy writing not doublespeak

    • Makes you wonder if the new UPS employment applications will ask if you are an agent of a foreign or domestic government. Also it's interesting that with the brouhaha over the NSA's tapping Merkle's cell phone that the Deutsche Post that they couldn't just flat out say "No."

      • who is "they" that would want to say "no"?
        • who is "they" that would want to say "no"?

          "they" would be,

          The Deutsche Bundespost was the federal German government postal service created in 1947 as a successor to the Reichspost. On 1 July 1989 as part of a post office reform, Deutsche Bundespost was split into three divisions (also called public enterprises), one being Deutsche Bundespost Postdienst. ...
          November 2000, Deutsche Post AG went public. It was the largest initial public offering of the year in Germany and the third-largest worldwide. ....
          Currently,[when?] 24.8% of its shares a

    • by mpe (36238)
      Not voluntarily unless required by law? Why do companies release statements like this? It just makes them seem more guilty. Better not to say anything.

      What if the required by law, either in general or on a case by case basis, includes "claim it never happened"?
    • Re:Guilty (Score:4, Informative)

      by geekmux (1040042) on Friday May 30, 2014 @10:12AM (#47128917)

      Not voluntarily unless required by law? Why do companies release statements like this? It just makes them seem more guilty. Better not to say anything.

      Uh, no. I'd rather know about it so then we can at least attempt to do something about it. Not knowing would do nothing to resolve the issue.

      And it's quite the serious issue. Where we used to have only the government legally allowed to sit behind the bullshit excuse of "cannot confirm or deny", they have now expanded that standard legal waiver (via NSLs) to every American corporation they touch.

      And the secret monitoring will be legally allowed to continue without your knowledge. Sorry, but until they dismantle secret courts, Snowdens revelations haven't done a damn thing to change policy or weaken the NSAs capability at all.

    • Re:Guilty (Score:5, Insightful)

      by NotDrWho (3543773) on Friday May 30, 2014 @10:18AM (#47128969)

      Here is the quote from the article:

      “UPS’ long-standing policy is to require a legal court-ordered process, such as a subpoena, before responding to any third-party requests,” UPS spokeswoman Kara Ross wrote in an e-mail to TheBlot Magazine. “UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments.”

      When you parse the language and translate it from PR-speak/legalese, you realize that this is basically a meaningless statement. The first sentence is boilerplate BS, and has nothing to do with the allegation at hand at all. "We have a long-standing policy not to do X" *IS NOT* the same as saying "We didn't do X" (though that's what they want you to believe they're saying, of course). The second part of the statement only tells us that the NSA didn't get a court order to do this, *NOT* that UPS didn't let them do it anyway without a court order.

      And what the whole statement is absolutely NOT is an actual denial. In short, if UPS *REALLY* didn't let the NSA intercept their packages, they could have released a very simple statement saying "UPS did not and does not let the NSA intercept our packages." What they released was some vague boilerplate BS that basically says fuck all.

      • If they were going to lie about it they would have no need to use such tricky wording; they would simply come out and lie. I dont know of any reason there would be consequences for lying in a PR statement; lying isnt illegal.

      • Huh? That is not what I interpreted it to mean. What I saw was this:

        We deeply respect your privacy and we want to deliver your goods unmolested by everyone except the lazy loader who throws your box around but does not open it... and of course for subpoenas, but you already knew that. What you did not not know is that we are in actuality being forced, via National Security letters, to allow the Federal Government to molest your packages.

        Definitely not meaningless. The meaning is clear as day. They are being

    • Because lawyers were involved. That's how big corps work.

    • Re:Guilty (Score:4, Insightful)

      by Charliemopps (1157495) on Friday May 30, 2014 @10:28AM (#47129071)

      Not voluntarily unless required by law? Why do companies release statements like this? It just makes them seem more guilty. Better not to say anything.

      Maybe that's the entire point. They're not allowed to complain out loud because of an NSL but they can make it clear what's going on and that it's hurting them with a statement like this.

      It's long past time for us to decide our government should not be keeping secrets. They clearly cause far more harm than they help. At worst, some criminals get away. How does that saying go? It's better to free 100 guilty men than imprison 1 innocent?

      • by JWW (79176)

        How does that saying go? It's better to free 100 guilty men than imprison 1 innocent?

        That's no longer really true. According to the NOT.ONE.MORE movement, we should impinge the rights of 100 in order to forbid the 1 potential criminal to take action. Even if impinging on their rights in the end may have absolutely no impact.

        In the end ALL our freedoms will be destroyed by FEAR because we're demanding security and, well, fuck liberty.

        And in the end the governments just giving us what we want. So what if it happened to be executed by secret laws, using secret courts that issue secret orders

    • Kind of helps if you keep it in context and include this part:

      "UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments."

      • the problem with this whole post-snowden NSA techno world we live in - it's impossible for any government agency or company to deny anything. because there exists a secret court that signs secret warrants for information and it's illegal for anybody to talk about the secret warrants, there's no way to deny that government intrusion has happened.
    • Not voluntarily unless required by law? Why do companies release statements like this? It just makes them seem more guilty. Better not to say anything.

      No, we should be applauding this. Look at the recent 'IBM' denial. They are very specific about what they're not doing, making it plainly obvious what they are doing without violating their NSL.

  • by headhot (137860) on Friday May 30, 2014 @08:41AM (#47128187) Homepage

    If the device is made (or packaged in the US) and is being shipped overseas, the NSA can grab it at customs, there is nothing the shipper can do about it.

    • by Cassini2 (956052) on Friday May 30, 2014 @08:59AM (#47128351)

      Many (all?) custom's warehouses are operated by third-party companies. This will be a little bit more complicated than inspecting luggage. However, the companies (subsidiaries) that operate those warehouses get their entire revenue from allowing people to transport goods across borders. I suspect the NSA can get away with almost anything in that environment.

      • by Anonymous Coward on Friday May 30, 2014 @09:42AM (#47128675)

        When you say Custom's warehouse, I think you actually mean the two types of regulated facilities which are bonded and foreign-trade zone warehouses.

        Bonded warehouses are only allowed to store imported goods. The importer files customs entry forms for the goods prior to storing them within the warehouse and must paid the owed duties prior to removing the goods from the warehouse. This is the most common type. Basically it is where you put things while you pay your entry fees.

        Foriegn-trade zone (FTZ) warehouses allow both domestic and foreign cargo to be stored. Small manufacturing can be performed within the FTZ too. You would use this if you plan to re-export the goods or the product you manufacture have a mixture of domestic and foreign parts and it would be cheaper to import the finished product than each individual part. The goods are not considered imported until they leave the warehouse for a domestic address. A lot of global manufacturers have FTZ facilities and despite what the parent comment implied, this facility is operated by the manufacturer or a contracted agent for the manufacturer. It is not a place where customs or the NSA can freely enter and have access to any of the goods.

        Yes I used to make a living in this field.

    • You nailed it. UPS is scott-free. All UPS have secured federal facilities into which all cross-boarder shipment pass and "you don't need to know whats going on in there." Bahhhhh, don't piss on us and call it rain, we know better.
  • by Gibgezr (2025238) on Friday May 30, 2014 @08:41AM (#47128199)

    Excuse my ignorance, I am not from the U.S., but I thought only the F.B.I. could serve National Security Letters. Can the NSA also serve them?

  • by Anonymous Coward on Friday May 30, 2014 @08:43AM (#47128213)

    When you weaponize U.S. technology products to the extent that the NSA has, don't be surprised when no one wants to buy those products in the future.

    What foreign CEO or government official wants U.S. technology in control of their banking industry? Their communications infrastructure? Their manufacuring base? Their electrical power and distribution network?

    Can you imagine the U.S. response if the critical infrastructure items such as those listed above were found out to be backdoor and controllable at will by the Russians? Chinese? Indians?

    The U.S. has a serious reputation problem right now. We need to stop this nonsense immediately if we expect our tech industry to survive.

    It takes a second to destroy a reputation - it takes years, sometimes decades to build it back.

    • by jythie (914043) on Friday May 30, 2014 @08:49AM (#47128259)
      And of course they are blaming the economic damage on getting caught as opposed to, well, what they were doing.
      • And of course they are blaming the economic damage on getting caught as opposed to, well, what they were doing.

        Of *course* they are. They're responsible for the consequences--but they also are right, Snowden's whistleblowing was also a cause. He has (with them) done probably billions of dollars of harm to the US tech industry.

        Without him, it wouldn't have happened. Without them, it wouldn't have happened. They both did it for motives that they believed justified the cost.

        • by rogoshen1 (2922505) on Friday May 30, 2014 @11:19AM (#47129447)

          No. A person exposing a crime is not responsible for the consequences.

          A guy starts driving home from a bar while being completely hammered. Someone sees him swerving on the road and calls the cops. The drunk driver can't go back and sue to the person who reported him for damages stemming from the DUI fine and loss of driving privileges.

          Eventually what the NSA would have been found out, and the piper would have to paid. Snowden did us ALL a huge favor by getting this out in the open and hopefully stopped.

          Stop covering for these asshats. The damage to the tech industry is on the NSA, and maybe on us for allowing such secretive government agencies to exist in the first place. The founding fathers would have been absolutely aghast at the IDEA of a NSL.

        • That's as stupid as blaming the police for the crime rate because if the police didn't write up the reports the crimes wouldn't be counted.

  • Possibly... (Score:4, Insightful)

    by the_skywise (189793) on Friday May 30, 2014 @08:44AM (#47128221)

    "Perhaps they're bound by a National Security Letter?"

    Maybe. It could also be exactly what they say - When presented by an actual warrant to intercept items (EG for goods purchased with stolen credit cards or contraband) they follow it. That WOULD include national security incidents too but, as they say "UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments" and I'd think a gag order would prevent them from affirming or denying the issue.

    • ""UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments" [Emphasis Mine]

      The National Security Agency (NSA) [wikipedia.org] is a U.S. intelligence agency responsible for providing the United States government with encrypted communications (information assurance) and the reading of encrypted communications (signals intelligence) of other nations.

      The NSA is not and AFAIK, does not contain within it, any Federal Tribunals [wikipedia.org].

      As such, the NSA cannot issue a court order [wikipedia.org]. One might assume that other mechanisms can be used to coerce both individuals and/or corporations to submit to the will of the NSA

  • yeah, whatever (Score:4, Interesting)

    by phillk6751 (654352) on Friday May 30, 2014 @08:45AM (#47128229)
    Just like Google, Microsoft, Apple, etc, etc. Nobody wants to fess up, but some appear to be "trying" to step up to the NSA now.

    I wonder if they (private companies) secretly allowed it(NSA infiltration) to happen under fear of the NSA using whatever power they have to get the companies shut down if they didn't follow suit. Now that the public has been informed, the companies are using all the plausible deniability they can to prevent lawsuits. In the case of the UPS, I don't think there's any plausible deniability to use...It's not a software system that the NSA could exploit per-se.

    Or is it the case these companies really are just as corrupt as the NSA?

    I really don't see any other alternative, unless you want to argue that Snowdens docs were fake (Highly unlikely).
    • by nabsltd (1313397)

      I wonder if they (private companies) secretly allowed it(NSA infiltration) to happen under fear of the NSA using whatever power they have to get the companies shut down if they didn't follow suit.

      Companies like Microsoft have as much power over the US government as the government has over them.

      Microsoft could firewall off access to Windows Update and Windows Activation servers for all US government IP addresses. I'm sure there is something in the Microsoft EULA that would allow them to do this legally. Sure, the government could work around the issue, but the reality is that it would be a lot less work just to drop whatever pressure they were putting on Microsoft.

  • Would the NSA be bold enough to physically interdict trucks? Guys with badges and guns tell you they need something in your truck, tell you you never saw them and by the way, driver Fred, you did a nice job on that new downstairs bathroom, tile job looks real professional, I'll bet your wife and daughter really like how nice it is there.

    Or is it even remotely practical to identify specific package/truck combinations?

    • by oodaloop (1229816)

      Or is it even remotely practical to identify specific package/truck combinations?

      Maybe. But also know who is driving ahead of time and know their address, relatives, etc? Less likely.

      • UPS drivers have assigned routes that they drive, so barring vacation and sick time any given address is serviced by the same driver every day. Knowing which truck is similarly easy, since all that would be needed is to track the first few stops to get the truck number - and if required, the driver of the day's name. Knowing the day is a function of UPS' own tracking systems, it will tell you when a package is out for delivery.

        So here is a theoretical setup:

        1) Identify the route of the target - the company who ordered the part
        2) Order a delivery scheduled for the same day to a company earlier in the route
        3) Watch the second company, identify the truck number and driver
        4) Run a background on the driver to find out family, friends, brand of toilet paper
        5) Meet driver en route and perform the stop as above
    • Why interdict the trucks? The requirements to be a UPS driver are likely much lower than the requirements to be an NSA agent. Have an agent get hired by UPS as a driver, then have that driver "specially handle" packages headed to certain locations. Unless the package is a rush delivery, is a recipient really going to notice that it took an extra couple hours or even an extra day to travel between Cisco's manufacturing or shipping location and their home or office?

      Then just because one UPS employee knows tha

      • by nabsltd (1313397)

        Unless the package is a rush delivery, is a recipient really going to notice that it took an extra couple hours or even an extra day to travel between Cisco's manufacturing or shipping location and their home or office?

        An extra hour, no. An extra day, most definitely.

        I get an e-mail the day before any UPS package is going to be delivered to my house. If it doesn't show up the next day, I want to know why. I'm just an individual, not a business. If you are a business, UPS offers a lot more features like that.

    • Actually, that wouldn't be that hard. Trucks are routinely inspected at weigh stations, and in 8 years, I had my seals broken and my loads inspected against my paperwork and re-sealed.
      It is only a small step to confiscate the load from there.

      "Or is it even remotely practical to identify specific package/truck combinations?"

      Absolutely. Most load information is in computers on both sides, shipping and receiving, as well as the drayage when it goes local from long haul. The trucking firm, truck number, trailer
  • Seems to me that unless the law prohibits it, tech companies will need to start using tamper evident packaging. Then it won't matter if the NSA, CIA, FBI or other 3 letter agencies intercept the product during shipping. Perhaps glitter embedded in varnish painted over critical screws/fasteners, then photographed from various angles and posted to a web page, or emailed to the customer prior to shipping. Then if the item is intercepted the 3 letter agency will have a rather ... difficult ... time bypassing th

  • by plazman30 (531348) on Friday May 30, 2014 @09:47AM (#47128711) Homepage
    Of course they're gagged by a National Security Letter. This whole process is disgusting.
  • by mvw (2916) on Friday May 30, 2014 @09:48AM (#47128719) Journal

    "Stories on rearranged routing yielded great overstatement today. For UPS customers keep invaluable. No government necessitated said law!"

  • Cisco could make life miserable for the NSA by warehousing its gear in countries that won't cooperate with the US. Non-US orders could be filled from the closest such warehouse.

    Non-cooperating countries that spring to mind include Russia (for European orders), China (for Asia), Venezuela (for S. America) and maybe Palestine (for the Middle East and Africa). I don't believe there are any N. American countries that the US can't coerce, so maybe the affected countries should use other network vendors.

    The dow

    • by dj245 (732906)

      Cisco could make life miserable for the NSA by warehousing its gear in countries that won't cooperate with the US. Non-US orders could be filled from the closest such warehouse.

      Non-cooperating countries that spring to mind include Russia (for European orders), China (for Asia), Venezuela (for S. America) and maybe Palestine (for the Middle East and Africa). I don't believe there are any N. American countries that the US can't coerce, so maybe the affected countries should use other network vendors.

      The downside is that delivery times for overseas orders might become quite long :-) and/or spendy.

      Most stable countries which don't cooperate with the US are also countries in which relatively small bribes will get you into any warehouse. This would actually be worse. In the US strange people in warehouses would eventually get noticed by somebody- maybe a dockworker, inventory manager, or a forklift operator would start asking questions. In Russia, China, Venezuela, you just pay off everybody who needs paying off.

  • by Anonymous Coward on Friday May 30, 2014 @09:55AM (#47128787)

    In a follow-up e-mail, Ross said UPS had no knowledge of similar orders from the FBI, CIA or any other federal agency.

    This just beggars belief. It's well known that all US couriers have security divisions that work with federal and state government agencies. They routinely help with investigations of suspicious packages containing drugs, counterfeit products, explosive materials, firearms, etc.

    Here's what one UPS executive, customs and brokerage manager Norman T. Schenk, had to say in a Congressional hearing in 2000 on how to stop illegal drugs from being delivered by mail:

    Our partnership with the Customs Service has dramatically
    curtailed the flow of contraband. Today, Mr. Chairman, we urge
    you to ensure that the Customs Service has the 21st century
    tools it needs to maintain the extraordinary growth of commerce
    in this new millennium. Last year, the United States received
    21 million commercial shipments. By 2004, that number is
    projected to climb to 50 million. Customs simply cannot inspect
    each shipment by hand.
            Mr. Chairman, full funding of the new automation system
    known as ACE, the Automated Commercial Environment, is
    essential for Customs to keep pace with the growth of commerce.
            No technology can enable the Customs Service to inspect 50
    million shipments, but ACE can help Customs leverage the power
    of information to target its inspections efficiently and
    precisely.
            Our own experience at UPS shows the difference such a
    system will make. Our advanced electronic manifesting procedure
    provides Customs with extensive information from the
    destination of a parcel to a description of its contents on
    every package we transport to the United States before it
    arrives at a UPS facility. ...
    In addition to our work with Customs, UPS conducts an
    aggressive and thorough drug interdiction program of our own.
    We train delivery drivers to spot packages that may contain
    illegal drugs. We screen for suspicious parcels. We routinely
    work with the other law enforcement agencies like the FBI, DEA,
    and State and local authorities, including providing them
    information about any offender we identify
    .

    So they not work with 3 letter federal agencies routinely, but they do it without the prompting of a subpoena, or NLS.

    • "So they not work with 3 letter federal agencies routinely, but they do it without the prompting of a subpoena, or NLS."

      If they discover an illegal shipment and DON'T report it, then they become complicit in it's transport.
  • by Guppy06 (410832) on Friday May 30, 2014 @10:16AM (#47128947)
    This all presupposes that Cisco wasn't sending these routers to Fort Meade to begin with, with the NSA re-shipping the routers to their final destination after modification.
  • by phorm (591458) on Friday May 30, 2014 @10:22AM (#47129011) Journal

    OK, so the NSL is basically a secret letter, that nobody wants to talk about. How do they (recipients) even know if/when they're legit. It's not like there's a 1-800-DIAL-NSA number to check it out.

    What's to stop "shady group X" from getting some serious looking guys with suits, sunglasses, and some fake ID's+forms to drop by the local datacentre and say "OK, we're NSA and we need records/access from this group of servers here. Oh, and you can't talk about this to anyone. Delay us and very bad things will happen to your and/or your business"

    • Fear of authority is often used by confidence men. The vast majority of people who see a shiny badge or ID that says "FBI" don't take the time to actually verify that it's legit.

  • by BrendaEM (871664) on Friday May 30, 2014 @11:01AM (#47129323) Homepage

    In almost every way The National Security Organization is a lawless, limitless, overreaching mistake, with no applied checks and balanves. The NSA exemplifies the start of what can go wrong.

  • since the NSA also happens to slap gag orders on everyone too. Pointless.
  • If they interdicted your router you'd never get it.

  • by PPH (736903)

    We have no authority to accept or implement NSLs at this company site. Please deliver them as an e-mail attachment to our government compliance department's (publicly readable) server.

  • A solution to this was invented centuries ago. Seal the packages of network hardware with tamper-proof seals (something involving smart cards that the NSA can't duplicate) from the manufacture. Make it impossible for the NSA to open the package without making the customer aware the package was opened in transit. If a package was opened in transit, return to sender and Cisco engineers can figure out how the NSA is implanting bugs.

Any given program, when running, is obsolete.

Working...