funsec mailing list archives

Re: Can you trust Chinese computer equipment?


From: Valdis.Kletnieks () vt edu
Date: Sun, 14 Feb 2010 19:14:47 -0500

On Sat, 13 Feb 2010 21:48:31 PST, "Tomas L. Byrnes" said:
> The corollary of the "test baseline" in my prior post is that EVERY
> piece of hardware that comes into my networks gets reflashed and
> reloaded with MY gold master disks/config.

That just pushes the problem around.  How do you know that basically
unaudited IOS you just flashed into that Cisco doesn't have a very subtle
back door in it, left by some Chinese-agent coder (who could possibly be
a disgruntled white dude) back in IOS 11?

And yes, there are organizations where that level of tinfoil-hat paranoia
is called for...

> Not only does this eliminate preinstalled malware, but I also get zero
> crapware going into production.

It's hard enough to find a version of IOS that actually *works* - most sites
end up settling on one that only has non-debilitating issues in their
environment.

But the fact that Cisco box is probably not loaded with the one IOS version that actually
works in your network is reason enough to reflash it. 

> Security is a degenerate case of traffic and configuration management.

I'd hassle you about that one, except that Verizon study that showed config
issues contributed to 90% of the breaches.  Damn pesky facts. ;)


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
