Made In China
-
Major service providers and operators of critical infrastructure have recently disallowed hardware made in china to be used in their systems.
As security concerns increase across the globe, what thoughts do you all have regarding use of ALIX boards and other equipment which is made in China?
Are there any US Manufacturers we should know about?
-
Due to???
-
As security concerns increase across the globe, what thoughts do you all have regarding use of ALIX boards and other equipment which is made in China?
Isn't everything made in China nowadays? :-) Or contain at least some components made in China?
-
Source?
-
1. Who would put an ALIX board in a "critical infrastructure" position?
2. Who would put any hardware in a "critical infrastructure" position where you don't have a live/hot/cold spare (depending on the uptime requirements of your environment)?
3. Who are these service providers and what are they using (because just about everything is made in China)?
-
Different things are "Critical" to different people. For a small business, their infrastructure is critical.
For a medium business that uses ALIX systems at the homes of telecommuters, their infrastructure is critical.
Security Fears Kill Chinese Bid in U.S.: http://online.wsj.com/article/SB10001424052748704353504575596611547810220.html
"The Defense Department and some U.S. lawmakers have been increasingly concerned about the two companies' ties to the Chinese government and military, and the security implications of letting their equipment into critical U.S. infrastructure.
Some officials argue China's military could use Huawei or ZTE equipment to disrupt or intercept American communications."
-
That article is not about banning all equipment made in China. It is about Sprint excluding two specific Chinese companies from bidding on an infrastructure contract and lawmakers potentially extending that ban on the two companies to other contracts.
-
My point is that government and large businesses have raised concerns about security when it comes to network equipment made in China.
My question was are there any US manufacturers of equipment equivalent to the PC Engines ALIX boards.
-
What about from countries in Europe? Wouldn't that be OK, too?
-
Made in Europe sounds better than made in China.
Do you know of any US Manufacturers though?
-
Aren't PC Engines located in Switzerland?
-
If you're going to be that worried then you also need to look at where the manufacturer's source their parts. Frankly however unless you're a government organisation or large business I doubt you have much to really worry about.
-
It's an interesting question though. Would it be possible for some agency or manufacturer to place a component on a motherboard that secretly records and sends information or some sort of hard coded backdoor? Possible, yes, likely, no.
Consider what type of component it would have to be. Some relatively large IC. No capacitor or inductor is going to send your bank details to Russia! I would think it would have to be a processor or a network interface in order to have sufficient access to system resources. Maybe some rogue bios that got loaded before the main bios.
Whatever way you look at it it's a massive amount of effort to go to and you'd have to make sure it was undetectable.
Steve
-
… not to mention that the detection of any such subterfuge would be inevitable and the company responsible for selling the compromised parts would be crushed (first by the media, second by all the angry idiots on 4chan, and third by all the companies that will now refuse to deal with them).
You're making a big deal out of nothing. Buy the parts that fit your needs and stop worrying about where they're made.
-
I dont think its about transmitting data…..
I think it would be to shutdown major networks and that way around block all communication via the internet....
That is pretty easy if its hardcoded to a motherboard.
-
Proof of concept?
http://esec-lab.sogeti.com/dotclear/index.php?post/2010/11/21/Presentation-at-Hack.lu-:-Reversing-the-Broacom-NetExtreme-s-firmwareSteve
-
The USAF started limiting what hardware can be used a long time ago. We have an entire entity that puts every piece of hardware through an accreditation process before being allowed to be purchase. Being able to put hardware on a network is a second separate step within this process.
During an audit knockoff hardware was found. Legit hardware was also found doing some funky things. This was around 4 years ago.
I'm sure these things are still going on. Governments are targets of espionage so in a way who would be irresponsible to think that manufactures don't do funny things with their hardware, especially from countries that don't enforce standards for corporations like China. Governments aren't the only entity targeted, I'm sure companies are too.Unfortunately all documentation created on these findings are unavailable to the public. I guess if your worried about hardware security you test it, tear it apart, and research it.
-
I was watching something (on CSPAN) about 3Com being bought by a Chinese company and they mentioned that the CIA bought some Lenovos and used them for unclassified data, it came out that Lenovo bypassed their security using the motherboard software hardware and downloaded stuff to their servers.
I wasnt able to find any info on this when I saw this so I couldnt get specifics, found it interesting though.
