funsec mailing list archives

Re: Can you trust Chinese computer equipment?

From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Sat, 13 Feb 2010 21:48:31 -0800

The corollary of the "test baseline" in my prior post is that EVERY
piece of hardware that comes into my networks gets reflashed and
reloaded with MY gold master disks/config.

 

Meaning the firmware is set to whatever the version is that I have
preapproved for production, not by verifying that it matches some uname
string, but by positive installation. Ditto for all Oses and app
software.

 

Not only does this eliminate preinstalled malware, but I also get zero
crapware going into production.

 

To those who know me, this will sound like a broken record:

 

Security is a degenerate case of traffic and configuration management.

 

 

From: Benjamin Brown [mailto:optikali () gmail com] 
Sent: Saturday, February 13, 2010 8:44 PM
To: Tomas L. Byrnes
Cc: Robert Portvliet; funsec () linuxbox org
Subject: Re: [funsec] Can you trust Chinese computer equipment?

 

I apologize for waxing n00b, but what exactly do you mean by "baseline"?

Thanks!
-Ben

On Sat, Feb 13, 2010 at 10:48 PM, Tomas L. Byrnes <tomb () byrneit net>
wrote:

Las year, I had to clean out a client site due to a Trojan loaded on one
of their employee's laptops from a kid's learning program that was
duplicated in China.

 

Clearly, the PRC is engaging in war by other means.

 

YMMV, but I won't load anything into my network without a full baseline,
and I no longer install software via any method except direct download
from the manufacturer with hash code check.

 

 

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Benjamin Brown
Sent: Friday, February 05, 2010 9:47 AM
To: Robert Portvliet
Cc: funsec () linuxbox org
Subject: Re: [funsec] Can you trust Chinese computer equipment?

 

I know a good deal of electronic equipment I have bought from Hong Kong
and Mainland China have had Driver CDs or Tutorial CDs with Trojans. 

Then again this is only anecdotal evidence =P

On Fri, Feb 5, 2010 at 12:30 PM, Robert Portvliet
<robert.portvliet () gmail com> wrote:



http://hardware.slashdot.org/story/10/02/05/1548226/Can-You-Trust-Chines
e-Computer-Equipment



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Can you trust Chinese computer equipment? Robert Portvliet (Feb 05)
- Re: Can you trust Chinese computer equipment? Benjamin Brown (Feb 05)
  - Re: Can you trust Chinese computer equipment? Tomas L. Byrnes (Feb 13)
    - Re: Can you trust Chinese computer equipment? Benjamin Brown (Feb 13)
    - Re: Can you trust Chinese computer equipment? Tomas L. Byrnes (Feb 13)
    - Re: Can you trust Chinese computer equipment? Tomas L. Byrnes (Feb 13)
    - Re: Can you trust Chinese computer equipment? Valdis . Kletnieks (Feb 14)
    - Re: Can you trust Chinese computer equipment? Tomas L. Byrnes (Feb 14)
- Re: Can you trust Chinese computer equipment? David Harley (Feb 05)
- Re: Can you trust Chinese computer equipment? Shawn Merdinger (Feb 14)
- <Possible follow-ups>
- FW: Can you trust Chinese computer equipment? Tomas L. Byrnes (Feb 13)