>
>> One tidbit from today's CRYPTO-GRAM is that embedded Linux devices are
>> inherently insecure. Cisco's PIX security firewall routers are child's
>> play to break into, and other vendors' are even easier to penetrate. >
> I don't think it's Linux fault per se, it's just what most of embedded platforms run;
> and updating firmware is complicated because of embedded specifics. >
> But yeah, i do prefer pfSense or plain *BSD based firewalls.
Hi Igor,
My preference tends towards *BSD [Berkeley Software Distribution, one of the canonical flavors of Unix - Mod] also.
With recent hardware advances you've multiple platform choices which
> can run unmodified *BSD without consuming more than 10-20W.
[Some routers consume] less than half that. My SheevaPlug units run
4W to 5W measured using a Kill-A-Watt and they are full servers on my LAN 24/7/365 but they have only one GiGE [Gigabit Ethernet - Mod] port. Another similar device from the same company is the OpenRD client using about 5 to 6 Watts and it has two GiGE ports and more and it's about the size of a small book whereas a SheevePlug is about the size of my coffee cup:
formatting link
formatting link
Also, in many cases NSA exploits assume initial access to the device
> to install exploit; at least this appears to be true for Cisco/Juniper/etc.;
> i agree that may consumer router vendors ship extremely insecure products.
The contents of the NSA ANT catalog reveal devices that insinuate themselves remotely using a variety of electromagnetic techniques -- that's scary. I recall once some spies were caught in a van behind Tymshare tech division on Bubb Road in Cupertino where I worked; the spies had receivers in their van in the parking lot that were capturing the images on CRTs located inside the building (e.g., from my and others' desks) -- apparently they could detect the CRT's -V scanning and reconstruct whatever was being displayed on the CRTs inside the building -- note this was in 1971.
[See
formatting link
- Mod]
> If you don't have time to read the entire CRYPTO-GRAM, read this
>> portion entitled "Security Risks of Embedded Systems" here:
>>
>>
formatting link
Here's an interesting tidbit from [that issue of] Crypto-gram:
Acoustic cryptanalysis "can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts."
In other recent NSA-related news, air-gapped computers can no longer be considered safe. "Air gap" means no Ethernet or other network attached supposedly rendering the computer secure -- not any more thanks to the NSA. :-)
Thad
--- End of forwarded message ---