funsec mailing list archives
Re: Can you trust Chinese computer equipment?
From: Valdis.Kletnieks () vt edu
Date: Sun, 14 Feb 2010 19:14:47 -0500
On Sat, 13 Feb 2010 21:48:31 PST, "Tomas L. Byrnes" said:
> The corollary of the "test baseline" in my prior post is that EVERY piece of hardware that comes into my networks gets reflashed and reloaded with MY gold master disks/config.
That just pushes the problem around. How do you know that basically unaudited IOS you just flashed into that Cisco doesn't have a very subtle back door in it, left by some Chinese-agent coder (who could possibly be a disgruntled white dude) back in IOS 11? And yes, there are organizations where that level of tinfoil-hat paranoia is called for...
> Not only does this eliminate preinstalled malware, but I also get zero crapware going into production.
It's hard enough to find a version of IOS that actually *works* - most sites end up settling on one that only has non-debilitating issues in their environment. But the fact that Cisco box is probably not loaded with the one IOS version that actually works in your network is reason enough to reflash it.
> Security is a degenerate case of traffic and configuration management.
I'd hassle you about that one, except that Verizon study that showed config issues contributed to 90% of the breaches. Damn pesky facts. ;)