On Tue, 23 Dec 2025 at 23:08, heasley via NANOG <nanog@lists.nanog.org> wrote:
> I'd expect that, from a security perspective, one problem is that BMCs are often neglected by both the customer and the mfg. E.g., they often never receive a s/w update for the life of the product, or the update procedure is arcane and unautomatable; both like smc and unacceptable.
Security is a very good argument to throw around whenever you're against something for whatever reason. Not only does no one ever ask whether the defending is more expensive than the realised risk; no one offers metrics to measure the performance of the security investment and roll it back if it doesn't perform. You can always just add more security, the power of the bark.

The only really effective security we have, online and offline, is building an environment and policies where the motivation to be a bad actor is reduced. The safest societies in the world aren't those with the most LE investment (the US pays much more per capita on LE and healthcare than the West, and has absolutely abysmal murder close ratios, going under 50% last year, while countries like Finland hover at 99% with much smaller LE investments) but those who invest in the fundamentals of why those bad actors exist in the first place. Security is snake-oil men selling fear.

Personally, I don't care about BMC security; it's not important. People are asking for it to be CLI only. It was, and so was CMP. BMC and CMP were what we wanted; we just didn't bother figuring it out.

--
++ytti