NSA able to compromise Cisco, Juniper, Huawei switches
brandon at rd.bbc.co.uk
Wed Jan 1 14:37:11 UTC 2014
> If legal, consider risk to NSA. Official product ran inside company to add
> requested feature, hundred of people aware of it. Seems both expensive to
> order such feature and almost guaranteed to be exposed by some of the
> Alternative method is to presume all software is insecure, hire 1 expert whose
> day job is to search for vulnerabilities in IOS. Much cheaper, insignificant
> Which method would you use?
I'd also look at having people work in the factory in china
designing test or at (/own) the QA/test equipment manufacturer as when
they connect the product jtag to test you can give a little extra. Both
smaller groups of people and nobody knows what they do anyway but they
do get legit access to the product perhaps with low level details
handed on a plate.
> If this is as widespread as claimed, and if we'll gain knowledge how to see if
> you are affected, there are potentially repercussions on geopolitical scale,
> as I'm sure many on these lists would go public and share information if
> they'd find being targeted.
Would they leave them out there gathering data for as long as possible
or remove the evidence as soon as people start looking (then put some
back later once the fuss has died down)?
More information about the NANOG