Tuesday, July 02, 2019

Re: OT: hardware war with manufacturers (espionage claims)

On 7/2/2019 12:43 AM, John Long wrote:
> On Tue, 2 Jul 2019 10:07:59 +0300
> Mihai Popescu <mihscu@gmail.com> wrote:
>
>> Hello,
>>
>> I keep finding articles about some government bans against some
>> hardware manufacturers related to some backdoor for espionage. I know
>> this is an old talk. Most China manufacturers are under the search:
>> Huawei, ZTE, Lenovo, etc.
>
> It seems painfully obvious what's driving all the bans and vilification
> of Chinese hardware and software is that the USA wants exclusive rights
> to spy on you and won't tolerate any competition.
>
> Does anybody think maybe the reason Google and Facebook don't pay taxes
> anywhere might have something to do with what they do with all that
> info they collect? Is the "new" talk about USA banning any meaningful
> encryption proof of how seriously they take security and privacy?
>
>> What do you think and do when using OpenBSD on this kind of hardware?
>
> Lemote boxes are kinda neat but they're not the fastest in the world.
> It beats the hell out of the alternatives if you can live with the
> limitations.
>
>> Do you prefer Dell, HP and Fujitsu?
>
> Your only choice is probably to pick the least objectionable entity to
> spy on you. If you buy Intel you know you're getting broken, insecure
> crap no matter whose box it comes in. Sure it runs fast, but... in that
> case everybody is going to spy on you.
>
> /jl
>

Assume everything is compromised. Don't trust something because someone
else said it was good. Really, the only way to test if a machine is
spying on you is to do some kind of packet capture to watch its traffic until
you are satisfied. But also put firewalls in front of your devices to
ensure that if someone is trying to spy on you, their command and
control packets don't make it to the compromised hardware.

Besides, subverting a hardware supply chain is a difficult and
expensive process. And if there is one thing I've learned in my career
as a security consultant, it's that no matter how malevolent or
benevolent a government is, they are still, above all, cheap and lazy.
And in a world where everything is built with making the ship date as
the first priority, there are going to be so many security flaws to be
exploited. So much cheaper and easier to let Intel rush a design to
market or Red Hat push an OS release without doing thorough testing and
exploit the inevitable remote execution flaws.

Or intelligence agencies can take advantage of the average person's
tendency to laziness and cheapness by just asking organizations like
Google, Facebook, Comcast, Amazon to just hand over the data they
gathered in the name of building an advertising profile.
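The advice in the reply above (watch what the box actually sends, and put a firewall in front of it so unexpected outbound connections never leave the segment) can be expressed as a pf ruleset on an OpenBSD box placed between the suspect hardware and the uplink. This is an added example, not something from the thread or the list; the interface names, the 192.0.2.0/24 segment and the two vetted update hosts are assumptions, and the segment is assumed to be routed without NAT.

```pf
# Added example: egress filtering for a segment of hardware you do not trust.
# Assumptions (adjust to your network): suspect devices live on em1 in
# 192.0.2.0/24, this firewall is 192.0.2.1 on that segment, and the only
# vetted outbound destinations are the two hosts in <untrusted_egress>.
untrusted_if  = "em1"
untrusted_net = "192.0.2.0/24"
gw            = "192.0.2.1"
table <untrusted_egress> persist { 198.51.100.10, 198.51.100.11 }

set skip on lo

# Default deny in both directions. Every dropped packet is logged, so
#   tcpdump -n -e -ttt -i pflog0
# shows exactly which hosts and ports the devices keep trying to reach,
# which is the "packet capture until you are satisfied" step.
block log all

# The devices may resolve names and sync time only against this box.
pass in quick on $untrusted_if proto { tcp udp } \
    from $untrusted_net to $gw port { 53 123 }

# Outbound is limited to HTTPS toward the vetted update hosts; the state
# entry created here lets the replies back in without a separate rule.
pass in on $untrusted_if proto tcp \
    from $untrusted_net to <untrusted_egress> port 443
pass out on egress proto tcp \
    from $untrusted_net to <untrusted_egress> port 443

# Nothing from the uplink may initiate a connection to the segment, and any
# other outbound attempt from the devices is dropped by "block log all".
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; adding a destination the devices legitimately need is `pfctl -t untrusted_egress -T add <address>` rather than a ruleset edit.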
