On 7/2/2019 12:43 AM, John Long wrote:
On Tue, 2 Jul 2019 10:07:59 +0300
Mihai Popescu <mih...@gmail.com> wrote:

Hello,

I keep finding articles about some government bans against some
hardware manufacturers related to some backdoor for espionage. I know
this is an old talk. Most Chinese manufacturers are under the search:
Huawei, ZTE, Lenovo, etc.

It seems painfully obvious what's driving all the bans and vilification
of Chinese hardware and software is that the USA wants exclusive rights
to spy on you and won't tolerate any competition.

Does anybody think maybe the reason Google and Facebook don't pay taxes
anywhere might have something to do with what they do with all that
info they collect? Is the "new" talk about USA banning any meaningful
encryption proof of how seriously they take security and privacy?

What do you think and do when using OpenBSD on this kind of hardware?

Lemote boxes are kinda neat but they're not the fastest in the world.
It beats the hell out of the alternatives if you can live with the
limitations.

Do you prefer Dell, HP and Fujitsu?

Your only choice is probably to pick the least objectionable entity to
spy on you. If you buy Intel you know you're getting broken, insecure
crap no matter whose box it comes in. Sure it runs fast, but... in that
case everybody is going to spy on you.

/jl


Assume everything is compromised.  Don't trust something because someone
else said it was good.  Really, the only way to test if a machine is
spying on you, do some kind of packet capture to watch its traffic until
you are satisfied.  But also put firewalls in front of your devices to
ensure that if someone is trying to spy on you, their command and
control packets don't make it to the compromised hardware.

Besides, subverting a hardware supply chain is a difficult and
expensive process.  And if there is one thing I've learned in my career
as a security consultant, it's that no matter how malevolent or
benevolent a government is, they are still, above all, cheap and lazy.
And in a world where everything is built with the first priority being
making the ship date, there are going to be so many security flaws to be
exploited.  So much cheaper and easier to let Intel rush a design to
market or Red Hat push an OS release without doing thorough testing and
exploit the inevitable remote execution flaws.

Or intelligence agencies can take advantage of the average person's
tendency to laziness and cheapness by just asking organizations like
Google, Facebook, Comcast, Amazon to just hand over the data they
gathered in the name of building an advertising profile.
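The "firewall in front of the device, then watch its traffic" advice in the reply above, written out as an OpenBSD pf.conf. This is an added example, not something posted in the thread; the interface names, the 192.0.2.0/24 range and the assumption that a caching resolver runs on the firewall itself are all constructed for the illustration.

```conf
# Added example (not from the thread): a default-deny pf.conf that sits
# between a suspect device and the upstream link and logs everything the
# device tries to send out. Interfaces and addresses are assumed.
ext_if   = "em0"            # upstream link (assumed name)
quar_if  = "em1"            # segment holding the untrusted hardware
quar_net = "192.0.2.0/24"   # constructed documentation range
resolver = "192.0.2.1"      # caching resolver on this firewall (assumed)

# Destinations you have reviewed in the capture and decided to permit.
# Starts empty; add to it with pfctl -t reviewed -T add <addr>.
table <reviewed> persist

set skip on lo

# Default deny in both directions. "log" copies every dropped packet to
# pflog0, so any callback the device attempts shows up in the capture.
block log all

# The firewall's own outbound traffic (e.g. the resolver's upstream
# queries). Forwarded packets admitted by a "pass in" rule below match
# their existing floating state on the way out, so they need no rule here.
pass out on $ext_if inet keep state

# From the quarantined segment admit only name lookups to our resolver
# and traffic to destinations already on the reviewed list.
pass in on $quar_if inet proto { tcp, udp } from $quar_net \
    to $resolver port domain
pass in on $quar_if inet from $quar_net to <reviewed>
```

Load it with `pfctl -f /etc/pf.conf` and review what the device attempted with `tcpdump -n -e -ttt -i pflog0` (live) or `tcpdump -n -e -ttt -r /var/log/pflog` (after the fact); only move an address into `<reviewed>` once you understand why the device talks to it.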
