* Randy Bush:
Clay Kossmeyer here from the Cisco PSIRT.
shoveling kitty litter as fast as you can, eh?
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-s...
"The article does not discuss or disclose any Cisco product vulnerabilities."
this is disingenuous at best. from the nsa document copied in der spiegel and now many other places:
"JETPLOW is a firmware persistence implant for Cisco PIX series and ASA firewalls ..."
There's a limit to what can reasonably be called a *product* vulnerability. If you physically plant a bug in a phone, does it exploit a vulnerability in the phone? I don't think so. Theoretically, the manufacturer could have filled it completely with glue. But the next step up is drilling out some of that to place the bug, and then you're looking at tamper evidence, and that's an extremely difficult matter. Routers are expected to be modular, so it's difficult to avoid that they have exposed buses with something that approaches DMA capability. On-site debugging hooks through JTAG ports or similar might be essential to reduce downtime in case of severe problems, so I doubt one can get rid of them. Same for firmware downgrade and recovery options. In the end, the defense has to be political, not technical. "We don't want to do this because it's wrong", and not "we can't do this because it's impossible". After all, what's possible can change very quickly. Appeasement in the form of lawful intercept turned out to be a failure: even if you comply, it's likely that your own domestic intelligence agencies consider your infrastructure, you and your colleagues legitimate targets.