The Fake Cisco (f-secure.com)
150 points by detaro on July 15, 2020 | hide | past | favorite | 65 comments


In order for Cisco to make products in China they need to share all of their IP with their Chinese partner, you need a Chinese partner company in order to do business in China.

I've seen people say that you don't need a Chinese partner. I've done business in China; I needed a partner company, and I was only doing software.

You need to share your IP with your Chinese Partner company. Your Chinese partner company is partially owned by the Chinese Government. When you share your IP with your Chinese partner company they share it with their owner, the Chinese Government. The Chinese Government then shares your IP with all the other Chinese companies that could benefit.

The Chinese haven't needed to steal Commercial IP because western companies have been handing it over to them willingly.

Making fakes

I got to know people at my Chinese partner company, and a relative of one guy was in the business of helping western companies manufacture in China. I was lucky enough to get a tour of a few "high end brand" factories. The relative was quite open about the fact that right down the road was another factory, which I also toured, that looked almost identical to the first, where they were making similar products, almost identical to the first. The only difference was the leather, and quality of the fabric, and the hardware; you can't make a knock-off handbag if you use the same quality materials. The relative did allude to the fact that the cost of the second factory was buried in the cost of the first.

Never China.


I didn't realize how bad it was till I read the Counter-Strike GO source code from the most recent leak. It has a lot of code in it for their “partners” which is exclusive for Valve's one Chinese partner and includes censorship and reporting to a database meant for the Chinese government (reporting was for a bunch of things including cursing, cheating, and even playing on the same side as a cheater).

Edit: to clarify, this behavior is behind a flag and only happens in the Chinese version of CS:GO


Since the GitHub repo is a top search result on Google, care to mention a filename?

All I see are lots of "removed for partner depot" comments which are the kind of thing that shows up when code has been stripped down for public/semipublic sharing


try searching for China there: https://github.com/perilouswithadollarsign/cstrike15_src/sea...

>game/shared/bannedwords.cpp line 3

// Purpose: Implementation of China Government Censorship enforced on all user-generated strings

>engine/net_ws.cpp line 2971

// Set partner. Running in china?


Why do companies do this? It's not as if this is a secret. Is access to the Chinese market and manufacturing really worth losing your IP and having knock-offs made at scale?


Do you have any references to back this up? There are many large US and European companies doing business in China, and it is very hard to believe they all hand over all their IP willingly.


> There are many large US and European companies doing business in China

The rush into China 20+ years ago forced the less willing to follow, just to stay cost competitive. And it's not like the original flood of businesses went in agreeing to give up all their IP, or expecting to wed themselves to Chinese manufacturing. They all went in chasing gold--cheaper production, access to what was to become the world's largest market. And like every gold rush in history expectations were foiled and people ended up making compromises they wouldn't have otherwise made.

I remember a graduation party I attended in 2000. A friend's parents flew in from India, where they owned several textile factories. I asked the father some questions about the direction of Indian and Chinese manufacturing, which caused him to launch into a long lament about the speculative investments flowing into China. So many investments were flowing into China they were making garments below the cost of inputs, and that's with the already low cost of labor, and without government financial aid. It made it impossible for him to compete fairly in the global markets.

The Chinese government knew what it was doing. They deliberately hyped the prospect of the Chinese domestic market to no end, holding it out as bait, and American businesses bought it hook, line, and sinker. They situated not only their most crucial industrial assets in China, but sent boatloads of cash and, more importantly, expertise on top of it. It's hard to exaggerate the irrational exuberance that played out over two decades.

Slowly, but surely, these mistakes are becoming apparent--not that any American MBA would ever admit to a personal error in judgment, or that they're prepared to make an about-face. This notion that it will all be worth it some day as the Chinese market matures still holds sway.

Of course, the potential of the Chinese market was always there, and still is. The error in judgement was believing China was dumb enough to just hand it over to the West, and to do so without exacting a price. That price is turning out to be far larger, and the first-mover advantages far more meager, than if the integration of China into the global market had occurred more organically and gradually, without American industry falling over themselves clambering across the Pacific, easy targets for industrial exploitation. Japan seems to have done a better job of it, as have many other countries. It's mostly the Americans that look like idiots.


I think we also can’t overlook the competition factor. If your main competitor is relocating production to China at 1/10 of the price then you really have no choice but to follow.


Just a Google away... this isn’t exactly a new topic. I don’t think they all hand over IP exactly as the GP stated, but it effectively happens through various means including what the GP said:

https://www.wsj.com/articles/how-china-systematically-pries-...


I've not met a (large) company that didn't take active measures against IP theft in China. It's not highlighted anywhere for the same reason security back home isn't highlighted: you don't want to share any info and you don't want to make a hard relationship any harder (by offending Chinese leadership).


Scott Sumner and John Cochrane make strong arguments that companies transferring intellectual property to China is neither poor business sense nor necessarily a bad thing https://johnhcochrane.blogspot.com/2018/08/intellectual-prop...


A large portion of what they produce has backdoors, and large companies in China are government owned to some degree due to its different system of governance. This makes it more comparable to one large (and aggressively anti-competitive) company doing all of this rather than a country.


I can't find the source for it now but there was a story on Marketplace probably a year ago about how a lot of Western companies were scared to report the theft for years to their respective governments due to the fear that if the Chinese government found out, they could be at risk of losing their license to operate in China.


Do some digging and it’s easy to find. During the Carly days the people I was friendly with at HP were all fired up about a bunch of their network and storage connectivity components being pirated by the manufacturing partner.

The management at these companies in general are pretty dumb.

There’s a reason why in an age where all of the things are being computerized, most computer companies perform very poorly. When I followed this industry segment closely, Macs made more profit than HP, Dell, Lenovo and Asus combined.


So you are saying the fabs which TSMC operates in mainland China automatically spill over their IP to SMIC?


Very interesting, but they might not have a need to steal, but they still actively do en masse.


[flagged]


No, it's not. If you don't, you will face an extremely high 'tax bill'. Tesla had to negotiate hard to decrease this bill.



Fair enough, but I think you need to provide a counterpoint explaining why.


Chinese forced technology transfer is “market for technology” policy, not manufacture in China for market policy. Even if you manufacture within the United States but want to sell to Chinese markets, the law applies.

You can manufacture in China, without transferring IP (apart from what is needed to reveal for the ability to manufacture it). But if you want to sell in Chinese markets, you must transfer some technology.

Tesla builds a factory in China because it wants to _sell_ in Chinese markets.


Sorry for not acknowledging your reply in good time, but thanks for the pointers for me to look into this myself.


Mid-1990s I was running a boutique software company that made drivers and add-on tools for the graphics library that came with what at the time was the most popular PC desktop compiler tools (Pascal, C, C++). Got a frantic email from a customer one Friday night explaining he was on site (a steel mill) in China and ran across an obscure bug in my code. He was frantic - he was leaving China on Monday and needed a fix ASAP. So I worked through the weekend, fixed the code, sent him an update, all is well. Over the course of the following days he was most grateful and answered some of my questions about doing business in China - remember, this was like 1995-ish. The first thing he told me was that he fully expected the Chinese steel company to steal his code and pass it along to the government for the rest of the industry to use.

"If you know they are going to steal from you, why do business over there?" I asked.

His reply: "I need this sale".

35 years later our industry is still having this conversation.


Cisco has set things up to protect against this by basically killing the secondhand market.

I used to put up with Cisco's "you need to pay for ongoing support (SmartNet contracts) to get any updates/firmware - including for bug fixes and firmware updates for the modem etc." even for my home equipment when I had my CCNA and was still drinking the Kool-Aid trying to keep one foot in the Cisco ecosystem. And you couldn't buy used off eBay because they wouldn't sell you that SmartNet contract on it to get the updates/firmware.

I had a Cisco 877W modem/router/WiFi for ages back when I had DSL and, not only was it outrageously overpriced (I think I paid like $1000 for it), I also needed to buy SmartNet for it to get the firmware for the modem part of it to work properly with my ISP even new out of the box (Annex N support if I remember correctly).

TBH even if Ubiquiti's EdgeRouter stuff was the same price as Cisco I'd still buy it these days if it was my money instead because it is so liberating to just be able to go to the website and download the firmware updates free forever. My EdgeRouter Lite was not only like 1/8th the cost of an equivalent Cisco but it is still getting free updates without even needing to register a login with them 5 years after I bought it and I haven't had a single problem with it in that time...


You are definitely not Cisco's target customer.


> the verification of non-existence of "backdoor" functionality is also not trivial; requiring a considerable amount of technical investigative work

With the recent news about removing Huawei from UK cell networks, it got me wondering...is there a feasible way to verify there aren't backdoors in infrastructure hardware like this other than manufacturers open sourcing (this doesn't mean open licensing) software, firmware, microcode, chip designs, board designs, and compilers so researchers can see what you did and verify production matches the source?

How would you defend your IP with it being so out-in-the-open? Competitors seeing your code probably wouldn't be so much of a problem, and it wouldn't be so much of a problem for large players in first world countries, but China has a reputation for knockoffs, and they wouldn't hesitate producing counterfeit hardware for domestic use.


> ...is there a feasible way to verify there aren't backdoors in infrastructure hardware like this other than manufacturers open sourcing (this doesn't mean open licensing) software, firmware, microcode, chip designs, board designs, and compilers so researchers can see what you did and verify production matches the source?

Even open sourcing all that wouldn't necessarily be enough to verify the non-existence of a backdoor. IIRC, clever back doors are deliberately designed to look like unintentional 0-day security flaws.


You don't need to make it open source, you just need to make it available to researchers. Microsoft shares some source code with the US government, among others.

https://www.microsoft.com/en-us/sharedsource/


Some code....with the US government..that really says everything you need to know ;)


They license source code to a bunch of parties. Another example would be PC OEMs.


You can still have a hardware backdoor in one of the ICs. You need to check them all.

So, step one: produce your hardware on your own.


How do you verify that the fab didn't insert any backdoors and made your part strictly to-spec? Fabrication-time attacks are an interesting vein of content to research. There are some good papers and talks out there if you do some quick searching.


If you eliminated vulnerabilities due to evil doping, you can use a free electron laser to holographically capture the 3 dimensional structure inside, and then you can compare the enlarged+scanned/digitally-captured patterns with those that you expect from simulating the holographic imaging.

In certain settings this should work non-destructively, but that might require something like lapped (grinding the backside after fabrication to thin out the substrate) non-stacked >=22 nm chips.


Perhaps (though doubtful) you could verify if there are no backdoors in the chip design, microcode or firmware source.

But that's not sufficient since you can't reasonably verify if a particular piece of hardware has the design, microcode or firmware that it is supposed to have. For all you know there's a tricky modification there that's not in the documents you got. There is published research on nearly undetectable alterations of chips during manufacturing, altering its functionality; chips can lie about the firmware they have, etc.


I was going to ask the same question. Besides reading every line of machine code?

The only way I can think of is monitoring its traffic and looking into anything fishy from there. But even that isn't conclusive.

Maybe the backdoor listener is behind a complex port knocking sequence? There's really no way to tell.


It was my understanding that most "fakes" come out of the same factories as the originals. So Cisco orders 1000 switches, but the factory has a secret midnight shift that assembles another 500 that go out the back door. It would take pretty tight supply chain controls to make sure that this isn't happening. As a consumer you wouldn't really care since you're getting the same product.


Minus the support from Cisco, which you won't get once you tell them your serial number, which either isn't registered to you, or doesn't exist.


Give a duplicated serial number.


I have a friend who worked for Cisco on co-op in college. He was working in support, and had access to a physical lab.

One day he gets a call and is in the middle of debugging when he asks for a particular device's serial number. He copies it down, and looks at his desk. That device is sitting on his desk. Asks the customer to confirm, and even gets a snapshot of the physical label which matches what was said by firmware.

Double runs, where the manufacturing partner builds your devices twice (or more) and sells the remaining ones on the gray market, exist. You can have genuine Cisco products and still not have genuine Cisco products.


I'm wondering, what's to gain in all this? Does switching to slightly different parts (e.g. Micron vs Spansion flash module) make the final BOM so much cheaper that it's worth manufacturing a fake Ethernet switch?

Just by taking a look at PCB pictures it looks like the counterfeiter managed to get their hands on some scrap or older revision boards and even went through more hoops (like that "modchip" design) to make them boot. Seems so overkill for a switch that goes for $250 used - am I missing something?


Cisco basically sells software that only runs on their hardware. Slight exaggeration, but the reason old Cisco switches and routers are dirt cheap online is because it's usually a license violation to use them. The software on a Cisco device is licensed to the person or company who purchases it from Cisco or an authorized Cisco partner, and it's non-transferable. (Also, you can't get software updates unless you have an active support contract or can identify a specific vulnerability and prove that you were the original purchaser of the unit in question in a support TAC.)

Which means if you buy an aftermarket Cisco device, you're pirating the software on it unless you go through Cisco's pricey relicensing process... which mostly makes it cost you as much as buying a brand new device anyways. Obviously, homelab folks and test lab folks don't care too much, and Cisco doesn't mind them, but enterprises can't use used Cisco hardware.

As such, counterfeit Cisco hardware makes sense: It's basically software piracy, but they have to provide hardware that'll trick it into running.


I would like to add that on almost anything made by Cisco that is smaller than 4U there really is not any kind of hardware secret sauce. Small switches like 2960 are little more than off-the-shelf switching fabric from one of the well-known vendors of such a thing and software. And really the only interesting thing about the software on the device is the Cisco “feeling” and branding.

Also counterfeit Cisco hardware seems to be a major issue for Cisco since at least the nineties. It is the reason why there are hologram stickers on almost anything. Then there is the observation that a lot of Cisco hardware contains some kind of completely unnecessary FPGA/ASIC implementing some comparatively trivial functionality. I suspect that the whole reason for this is to make counterfeiting harder.


Disclaimer: I work on SP-grade routers at Cisco.

The secret sauce has nothing to do with router size, but rather port density, bandwidth, and feature scale. For instance, Cisco’s latest generation of routers, the Cisco 8000 series, gets you 10.8 Tbps in a 1 RU fixed form factor.

What larger routers do provide is hardware redundancy, which is important when it comes to minimizing downtime.


The <4U size was meant as an approximation of the expected market segment and the number itself came to me as “anything smaller than smallest 6k5”. In fact I just wanted to avoid the “entry-level” moniker.

Another question is router vs. switch. And as for routers I'm still somewhat discontent with Cisco's marketing wrt. CEF which on “small-ish” Cisco platforms simply meant implementing routing logic in software in exactly the same way as any OS with BSD derived IP stack instead of the original IOS braindead implementation.

And as for hardware redundancy: I have a large number of stories that somewhat discredit the idea of low level redundancy (ie. you remove the SPOF and replace it with another failure point in the failover logic that is guaranteed to fail in ways that nobody understands). And two of the stories with the largest impact involve Cisco hardware.


Hmm things which are not just a feeling:

* Confidence in interoperability / drop in replacement

* Can use existing configuration(s) without rewriting

* Can benefit from existing knowledge, training, expertise and documentation

* Service, existing contracts, etc.

* Network architects / designers don't have to find new visio stencils (Ok joking... well, half joking).

TL;DR: I think most customers in Cisco are buying into the ecosystem, not the hardware.


Licensing agreements like this always make me wonder how companies are supposed to handle the accounting for depreciation on hardware. Since the license isn't transferable, the effective resale value of the expensive hardware you just bought is zero as soon as you open the box.


Accounting depreciation for assets is not directly related to resale value.

Depreciation is intended to be an allocation of the purchase price across the whole expected usefulness term of that asset. It reflects the notion that in this year you "used up" some portion of an asset that will last for more years, so it makes sense to allocate just a part of the total cost to this year's cost of doing business. The intended purpose of that asset is to serve your business, not to resell it, so the fact that nobody would buy that asset does not matter.


I think Cisco's in-house refurbishment center might be an option, it's the only way you can legitimately buy used Cisco hardware.

(I also feel like we should give a shoutout to HP/Aruba in this thread. No support contract needed, they straight-up warranty and support most of their network hardware for like 100 years.)


Mind you, Aruba is not in the same playing field as Cisco. These convoluted license schemes are mainly designed for the higher end datacenter and connectivity hardware. (And with that hardware comes support).

It's the same reason optics are whitelisted (how bullshittish that might be). If you are a datacenter or L1 IXP, spending a couple of grand on licenses is nothing compared to the cost of running the rest of the infrastructure. Not to mention you need the support when shit really hits the fan.

My experience with Aruba's support has been lackluster, while both Cisco and Juniper offer excellent support in my experience. (at a cost of course).


I believe they have "advanced replacement" where they will cross ship warrantied items instead of waiting until they receive the bad one to send the good one.

However, I think that ends at the EOL of the item. Usually when they stop manufacturing it.


You're missing Cisco's margins from the gain. Cisco is taking an easy 50-70% markup above base hardware costs... That switch is $2.5k USD "new". Even if it costs you $300 for parts and a bunch of hours you're still making a ridiculous amount of money.


Like the article states, Cisco does sell at a major premium, so as long as you undercut that, you can make money.


It can be complicated. When you are sourcing parts in bulk for manufacturing the price needs to be negotiated through a personal relationship. It could be the case that the vendors making parts for Cisco do not want to endanger their existing business relationship and will not sell (or insist on a hefty markup); it could also be the case that the counterfeiters have better connections with a different supplier who is willing to give them a better unit price (large corporations can typically negotiate a better unit price since they can guarantee larger and more consistent volumes). There are a lot of potential reasons why you might want to swap a component.


There’s certainly some R&D involved. However, the software is entirely pirated from what I understand, so that’s a lot of money you save.


I once worked at a well known Cisco training company who had fake interface cards for 2600 series routers and knew it, but didn't care as long as they worked. It's not a new problem.


“we identified the full exploit chain that allowed one of the forged products to function: a previously undocumented vulnerability in a security component allowing for the devices Secure Boot restrictions to be bypassed.”

I’m not following. Why wouldn’t a forged device function?


I have no information about Cisco in particular, but a very common tactic to ensure the device is genuine is with some sort of security chip.

The security chip has a private key embedded in it in such a way that the private key can be used to sign stuff, but cannot be extracted directly. The (publicly downloadable) software contains the matching public key, and on boot, verifies that the known public key matches the private key embedded in the security chip. Even if counterfeiters can buy the same kind of security chip, they'd have no private key to program there. And this means counterfeit devices would be detected on boot.

To prevent the software check from being disabled altogether, the vendor adds Secure Boot which is supposed to detect software tampering. But as this article shows, it can be bypassed as well.


For verification, the chip only needs the public key. The SW signature is produced using the private key in factory.
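The two checks the comments above describe, as an added Go example that is not from the article, from Cisco, or from any commenter: the secure boot check in which the device side holds only the vendor's public key (the signature is made at the factory with the private key, as the reply notes), and the genuineness check in which a security chip proves possession of a vendor-endorsed private key by signing a fresh nonce. Ed25519, the flash layout (image followed by signature) and the minimal certificate shape are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedImage is the assumed flash layout: image bytes followed by a 64-byte Ed25519
// signature (Ed25519 is an assumption; the thread does not say what the real chip uses).
type SignedImage []byte

// NewKeyPair serves as both the vendor's offline signing key and a chip's internal key.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// FactorySignImage runs at the vendor with the private key: sign the image, append the signature.
func FactorySignImage(vendorPriv ed25519.PrivateKey, image []byte) SignedImage {
	return append(append([]byte{}, image...), ed25519.Sign(vendorPriv, image)...)
}

// BootROMVerify is the device side: it holds only the public key and refuses to hand control
// to an image that was altered or signed by anyone but the vendor.
func BootROMVerify(vendorPub ed25519.PublicKey, blob SignedImage) ([]byte, error) {
	if len(blob) < ed25519.SignatureSize {
		return nil, errors.New("image too short to carry a signature")
	}
	image, sig := blob[:len(blob)-ed25519.SignatureSize], blob[len(blob)-ed25519.SignatureSize:]
	if !ed25519.Verify(vendorPub, image, sig) {
		return nil, errors.New("boot image signature invalid: refusing to boot")
	}
	return image, nil
}

// DeviceCert is a minimal stand-in for a vendor-issued identity certificate.
type DeviceCert struct {
	ChipPub ed25519.PublicKey
	Sig     []byte // vendor signature over ChipPub
}

// FactoryProvision: the chip generates its key pair and only the public half leaves it for the
// vendor to endorse; the private half is returned here only because this demo also plays the chip.
func FactoryProvision(vendorPriv ed25519.PrivateKey) (DeviceCert, ed25519.PrivateKey) {
	chipPub, chipPriv := NewKeyPair()
	return DeviceCert{ChipPub: chipPub, Sig: ed25519.Sign(vendorPriv, chipPub)}, chipPriv
}

// ChipSignChallenge is the chip's only exposed operation: it signs, it never exports the key.
func ChipSignChallenge(chipPriv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(chipPriv, nonce) }

// SoftwareCheckGenuine chains the certificate to the vendor key, then checks the chip signed
// THIS nonce. A counterfeit chip with its own key fails step one; a replayed answer fails step two.
func SoftwareCheckGenuine(vendorPub ed25519.PublicKey, cert DeviceCert, nonce, resp []byte) error {
	if !ed25519.Verify(vendorPub, cert.ChipPub, cert.Sig) {
		return errors.New("device certificate was not issued by the vendor")
	}
	if !ed25519.Verify(cert.ChipPub, nonce, resp) {
		return errors.New("challenge response invalid for this nonce")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := NewKeyPair()
	blob := FactorySignImage(vendorPriv, []byte("constructed boot image v1"))
	_, err := BootROMVerify(vendorPub, blob)
	fmt.Println("genuine image:", err)
	blob[0] ^= 0xff // flip one byte, as a modchip or re-flash would
	_, err = BootROMVerify(vendorPub, blob)
	fmt.Println("tampered image:", err)
	cert, chipPriv := FactoryProvision(vendorPriv)
	nonce := []byte("constructed nonce 0001")
	fmt.Println("genuine chip:", SoftwareCheckGenuine(vendorPub, cert, nonce, ChipSignChallenge(chipPriv, nonce)))
}
```

Note that neither check helps once the boot ROM's verification itself can be skipped, which is the class of bypass the article reports; the checks only hold if the code performing them is outside the attacker's reach.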


Because presumably the customer tried to apply new Cisco firmware on counterfeit hardware it wasn't designed to run on.


It seems weird that they'd see this as a vulnerability. If it's a counterfeit device then the manufacturer controls the hardware and the secure boot process and there is no vulnerability there, the device is working as intended and is trusting the manufacturer of the counterfeit device. This doesn't mean the genuine device is vulnerable.


The security platform is vulnerable in that minor modifications to the original device would permit loading of non-genuine boot images; the fact that the counterfeits used the same vulnerability to make it look like they were loading a genuine boot image on counterfeit hardware doesn't change that.

The platform is vulnerable because this is a condition that the designers intended to engineer against - it's vulnerable in the sense that Sony's PS2 platform turned out to be vulnerable to circumvention with modchips.


Technically Secure Boot is the firmware verifying the bootloader -- not related to hardware. You can disable this on manufacturing but if the end user applies a Cisco update in the future that re-flashes the firmware, your changes will be gone.


Exactly the same technique can be used on the genuine device to bypass the secure boot and add a backdoor.


> Download the publication here.

No thanks. It's 2020, there's no need to make this only a PDF.


Cisco has spent about $1b and millions of man hours to figure out the seconds market. As the first bootleg hits market, Cisco releases its next gen piece. Always buy from authorized dealers.


Or don't buy Cisco at all, but Ubiquiti and/or Juniper.



