Comment by nickpsecurity
7 years ago
"two OpenBMCs aren't purely IBM, and that's more than one example apart from RISC-V possibilities. BMC is particularly important, because remote access is critical for large-scale management, typically implemented with a lot of problems, and often exposed highly insecurely. "
Very well said. I've definitely thought about this. I was just turning ideas around instead of digging super deep. Still, one problem I had was how to sell the security-enhanced solution to businesses that were already leveraging backdoored, low-quality products. I'm concerned there would be a lot of "who gives a shit" reaction to the product.
The trick I advocated long ago was to embed and/or disguise security products as stuff with (non-security benefit worth buying here). The trick would be to figure out whatever chip, PCI card, etc. had useful functionality to add to their servers. And, btw, it also has an ultra-secure interface to the buggy management systems. Back in the day, people like the folks behind Diamondtek LAN got secure tunnels and management systems certified by NSA for this stuff. There might still be a tiny market. Nonetheless, I'd rather have a non-security benefit, esp. performance or monitoring, to sell them on, with the security features subsidized by its sales. This concept is partly inspired by Bell's "selfless acts of security."
http://lukemuehlhauser.com/wp-content/uploads/Bell-Looking-B...