Re: NSA able to compromise Cisco, Juniper, Huawei switches

[Saku Ytti <saku () ytti fi>]

On (2013-12-31 23:04 +0000), Warren Bailey wrote:

> that RSA had a check cut for their participation (sell outs..), would it
> be out of the realm of possibility cisco knowingly placed this into their
> product line? And would it be their mistake to come out with a “we had no
> idea!” rather than “guys with badges and court orders made us do it!”?

Is this legal? Can NSA walk in to US based company and legally coerce to
install such backdoor? If not, what is the incentive for private company to
cooperate?

If legal, consider risk to NSA. Official product ran inside company to add
requested feature, hundred of people aware of it. Seems both expensive to
order such feature and almost guaranteed to be exposed by some of the
employees.

Alternative method is to presume all software is insecure, hire 1 expert whose
day job is to search for vulnerabilities in IOS. Much cheaper, insignificant
risk.

Which method would you use?

> techniques isn’t a surprise to me, what is a surprise to me is the level
> of acceptance the IT community has shown thus far on NANOG.

This seems like generalization, majority opinion seems to be, government has
no business spying on us.

Someone contacted me yesterday, after reading how I'd love to see some of
these attacks dissected and analysed to gain higher quality data than
screenshot of PDF.
He told me, he and his employer are cooperating with their vendor right now
looking at attack done against router they operate and claimed they are aware
of other operators being targeted. Unfortunately he couldn't share any
specifics, so hopefully we'll soon have situation where someone can dissect
publicly any of the attacks.

If this is as widespread as claimed, and if we'll gain knowledge how to see if
you are affected, there are potentially repercussions on geopolitical scale,
as I'm sure many on these lists would go public and share information if
they'd find being targeted.

-- 
  ++ytti