Re: Trusting COTS - What's really in the box?

[Randy Bush <randy () psg com>]

> > Several third party firmwares for the linksys wrt54g wireless AP +
> > "router" (which, of course, is owned by brand C) implement sshd using
> > dropbear. For example, the ones at sveasoft, and at h.vu.wifi-box.net
>
> How do you know what you get in the box is the same as what was
> shipped from the factory?  Or was it just re-sealed and put back
> on the shelf with an altered configuration?
>
> http://www.securityfocus.com/archive/1/364977
>
> If you buy your network equipment off Ebay, what are you really
> getting?  Does it come with hitchhiking firmware pre-installed?
> The power of the Internet means the bad guys don't need to care
> who buys the tampered equipment, because it can "call home" and
> tell the bad guy where it ended up.

and, of course, there are no back doors in code directly from
vendors, government standards (can you say clipper), ...
[sounds of luftswineza]

building from certifiable open source that has been inspected
by many is the only half-credible scheme of which i am aware.

randy