nanog mailing list archives
Re: Trusting COTS - What's really in the box?
From: Randy Bush <randy () psg com>
Date: Mon, 7 Jun 2004 22:39:46 -0700
Several third party firmwares for the linksys wrt54g wireless AP + "router" (which, of course, is owned by brand C) implement sshd using dropbear. For example, the ones at sveasoft, and at h.vu.wifi-box.net

How do you know what you get in the box is the same as what was shipped from the factory? Or was it just re-sealed and put back on the shelf with an altered configuration?

http://www.securityfocus.com/archive/1/364977

If you buy your network equipment off Ebay, what are you really getting? Does it come with hitchhiking firmware pre-installed? The power of the Internet means the bad guys don't need to care who buys the tampered equipment, because it can "call home" and tell the bad guy where it ended up.

and, of course, there are no back doors in code directly from vendors, government standards (can you say clipper), ... [sounds of luftswineza]

building from certifiable open source that has been inspected by many is the only half-credible scheme of which i am aware.

randy