On Tue, 22 Dec 2015, Stephen Farrell wrote:

>> Unfortunately, Juniper released these images themselves as valid signed
>> images. So they would all just get a pass from any transparency system.

> Right, but in the presence of a binary transparency
> system, (that involved publishing the binary as well),
> injecting attack code would presumably be a less
> attractive attack as that could be spotted by the
> unwashed public as a result.

But Juniper already published their binary firmware for everyone to
download and diff/analyse. No one spotted the changes when they were
made. Now people are spotting the changes because, compared to the previous
firmware, they are the _only_ changes in the binary.

Now if these firmware binaries had only been distributed to one particular
region or set of IP addresses, then yes, a binary logging system would
have detected these.

Paul
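As an added illustration of the point made in this message (example code written for this page, not code from the thread, from the IETF trans work, or from Juniper): a toy binary-transparency log in which each device records the digest of the firmware image it actually received. When the vendor signs one modified image and ships it to everyone, every entry for that version carries the same digest and the log flags nothing; only when a different image is delivered to one region does the same version show divergent digests. The image bytes, version string and region names are constructed; `changed_offsets` shows the byte-diff step that reviewers used once a clean earlier image was available to compare against.

```python
"""
Toy model of a binary-transparency log for firmware images.

Assumption: devices (or monitors acting for them) append (region, version,
sha256-of-image) records to a public log, and a monitor looks for a single
version that resolves to more than one digest.  All data below is constructed.
"""
import hashlib
from collections import defaultdict


def sha256_hex(blob: bytes) -> str:
    """Digest a firmware image as a log entry would record it."""
    return hashlib.sha256(blob).hexdigest()


# Constructed stand-ins for a vendor's firmware images (hypothetical content,
# 168 bytes each).  MODIFIED_IMAGE differs from CLEAN_IMAGE in exactly two bytes.
CLEAN_IMAGE = b"vendor-os 6.3.0r12 constructed image body " * 4
MODIFIED_IMAGE = CLEAN_IMAGE[:40] + b"XX" + CLEAN_IMAGE[42:]

VERSION = "6.3.0r12"  # constructed version label


def record(log: list, region: str, version: str, image: bytes) -> None:
    """Append what a device in `region` really received for `version`."""
    log.append({"region": region, "version": version, "sha256": sha256_hex(image)})


def divergent_versions(log: list) -> dict:
    """Return {version: set_of_digests} for versions logged with >1 digest.

    An empty result means the log is consistent: every device that reported
    a given version saw the same bytes, whether or not those bytes are benign.
    """
    digests = defaultdict(set)
    for entry in log:
        digests[entry["version"]].add(entry["sha256"])
    return {v: d for v, d in digests.items() if len(d) > 1}


def changed_offsets(old: bytes, new: bytes) -> list:
    """Byte offsets at which two same-length images differ (the diff step
    analysts perform once a clean previous image exists to compare with)."""
    if len(old) != len(new):
        raise ValueError("images differ in length; a byte-for-byte diff needs a common length")
    return [i for i, (a, b) in enumerate(zip(old, new)) if a != b]


def scenario_vendor_wide() -> dict:
    """Vendor signs the modified image and ships it to all regions.

    Every record agrees, so the log raises no alarm: a transparency log
    answers 'did everyone get the same image?', not 'is the image clean?'.
    """
    log = []
    for region in ("eu", "us", "apac"):
        record(log, region, VERSION, MODIFIED_IMAGE)
    return divergent_versions(log)  # -> {}


def scenario_targeted() -> dict:
    """Only one region receives the modified image under the same version.

    Now the log holds two digests for one version, which a monitor can flag.
    """
    log = []
    record(log, "eu", VERSION, CLEAN_IMAGE)
    record(log, "us", VERSION, CLEAN_IMAGE)
    record(log, "apac", VERSION, MODIFIED_IMAGE)
    return divergent_versions(log)  # -> {VERSION: {digest_clean, digest_modified}}


if __name__ == "__main__":
    print("vendor-wide release, divergent versions:", scenario_vendor_wide())
    print("targeted release, divergent versions:", scenario_targeted())
    print("bytes that differ between the two images:",
          changed_offsets(CLEAN_IMAGE, MODIFIED_IMAGE))
```

The two scenarios map directly onto the thread: a uniformly distributed, vendor-signed image is invisible to the log because consistency is all the log can check, while a region-restricted image is exactly the case the log catches. Detecting the first case still requires someone to diff the new image against a trusted earlier one, which is what `changed_offsets` models.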

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans