<div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Sat, Oct 6, 2018 at 3:20 PM Thierry Moreau <<a href="mailto:thierry.moreau@connotech.com">thierry.moreau@connotech.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 05/10/18 06:04 AM, grarpamp wrote:<br>
> <a href="https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies" rel="noreferrer" target="_blank">https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies</a><br></blockquote><div>.....</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> Fake news or not, you still cannot trust any closed thing.<br></blockquote><div><br>Trust but verify... ;-)<br>But how to verify?<br>One strategy is protection in layers. While it is true that Cisco makes big bucks for big hardware, much of the world could benefit from more modest router and filtering hardware. <br>Ubiquiti Networks makes some nice little inexpensive boxes that are open source (Linux) enough to watch. <br>This same class of hardware can support VPN for point-to-point security. For many the issue is exfiltration of data in terabyte quantities. <br><br>Devices like the Xfinity cable routers and modems are something the national security folk need to watch.<br>Phone, security, data are a trifecta of risks. Cable modems are another risk; they are not dumb boxes.<br><br>As others noted, grain-of-sand-size devices are no longer caps. An interesting class of stuff can be built into them, and test points and debug ports are obviously interesting targets. <br>Automated imaging can detect changes at incoming inspection, but managing the 'gold' standard images will demand encryption and verification (closed garden blockchain?). <br><br>JTAG test chains need to have a quality cryptographic hash and be signed.<br>Boards need to be designed for verification. <br><br><br></div></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"> T o m M i t c h e l l<br></div></div></div></div></div></div></div>