The next presentation at GOVCERT.NL 2008 is Marcus Sachs's "Security in Supply Chain"; very interesting as well.
If the world weren't already 0wned due to bad software (see my account of the previous presentation), Marcus talks about how "0wning your supplier to 0wn you" will become more popular. Infected disk drives, picture frames, GPS units (!), laptops, USB keys, MP3 players, etc. are a sign of it; the public sign, that is. The real "pre-0wned" stuff is the stuff you never see, all the while it gets incorporated into our critical systems (like the fake Cisco routers; this one somehow sounds very ominous to me...).
BTW, the one I had not heard about is Apple iPods being shipped infected with Windows-based malware :-) WTH?
I also love his example of a chewing gum AND a USB stick lying on the floor.
Will you pick up the stick of gum and put it in your mouth? Ewwwgh...
How about a USB stick? Hmm...
So, will RBN (or tomorrow's equivalent of it) go into the business of partnering with a fake MP3 player manufacturer AND produce players "pre-0wned" with custom malware? Just an idea ... an "RBN-branded MP3 player" to make money two ways.
How do you solve this? More lawsuits?