funsec mailing list archives
Re: Can you trust Chinese computer equipment?
From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Sat, 13 Feb 2010 21:48:31 -0800
The corollary of the "test baseline" in my prior post is that EVERY piece of hardware that comes into my networks gets reflashed and reloaded with MY gold master disks/config. Meaning the firmware is set to whatever the version is that I have preapproved for production, not by verifying that it matches some uname string, but by positive installation. Ditto for all OSes and app software.

Not only does this eliminate preinstalled malware, but I also get zero crapware going into production.

To those who know me, this will sound like a broken record: Security is a degenerate case of traffic and configuration management.

From: Benjamin Brown [mailto:optikali () gmail com]
Sent: Saturday, February 13, 2010 8:44 PM
To: Tomas L. Byrnes
Cc: Robert Portvliet; funsec () linuxbox org
Subject: Re: [funsec] Can you trust Chinese computer equipment?

I apologize for waxing n00b, but what exactly do you mean by "baseline"?

Thanks!
-Ben

On Sat, Feb 13, 2010 at 10:48 PM, Tomas L. Byrnes <tomb () byrneit net> wrote:

Last year, I had to clean out a client site due to a Trojan loaded on one of their employees' laptops from a kid's learning program that was duplicated in China.

Clearly, the PRC is engaging in war by other means.

YMMV, but I won't load anything into my network without a full baseline, and I no longer install software via any method except direct download from the manufacturer with hash code check.

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Benjamin Brown
Sent: Friday, February 05, 2010 9:47 AM
To: Robert Portvliet
Cc: funsec () linuxbox org
Subject: Re: [funsec] Can you trust Chinese computer equipment?

I know a good deal of electronic equipment I have bought from Hong Kong and Mainland China has had Driver CDs or Tutorial CDs with Trojans.
Then again this is only anecdotal evidence =P

On Fri, Feb 5, 2010 at 12:30 PM, Robert Portvliet <robert.portvliet () gmail com> wrote:

http://hardware.slashdot.org/story/10/02/05/1548226/Can-You-Trust-Chinese-Computer-Equipment

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Can you trust Chinese computer equipment? Robert Portvliet (Feb 05)
- Re: Can you trust Chinese computer equipment? Benjamin Brown (Feb 05)
- Re: Can you trust Chinese computer equipment? Tomas L. Byrnes (Feb 13)
- Re: Can you trust Chinese computer equipment? Benjamin Brown (Feb 13)
- Re: Can you trust Chinese computer equipment? Tomas L. Byrnes (Feb 13)
- Re: Can you trust Chinese computer equipment? Tomas L. Byrnes (Feb 13)
- Re: Can you trust Chinese computer equipment? Valdis . Kletnieks (Feb 14)
- Re: Can you trust Chinese computer equipment? Tomas L. Byrnes (Feb 14)
- Re: Can you trust Chinese computer equipment? Tomas L. Byrnes (Feb 13)
- Re: Can you trust Chinese computer equipment? Benjamin Brown (Feb 05)
- <Possible follow-ups>
- FW: Can you trust Chinese computer equipment? Tomas L. Byrnes (Feb 13)