- Legit: debugging/monitoring. Other legit uses are theoretically possible but the device has severe limitations that likely make them impractical or unwise.
- Surreptitious: This is clearly where the value proposition of this device lies. An optic could be "unknowingly" swapped out on an interesting link to snoop on or infiltrate a network.
Swapping out optics in a large network is not uncommon as they do fail. More often they are swapped out as a troubleshooting step where the original optic may not even be bad. This way log messages indicating link flap and replacement of an optic could likely go unnoticed.
Ehh this chonker doesn’t look very surreptitious. I can only think of one other device that sticks out even further in front of the switch. Said device is a very old SFP+ to 10G 100m copper module with a huge heatsink and an external power brick!
That aside, I could imagine a gov’t agency programming these things and forcing ISPs to put them on customer ports. No need to wait for a maintenance window or free up rack space.
This is one reason why I am a big proponent of network engineers physically visiting their equipment periodically. In large networks that may never happen, data center techs (often not even your own employees) are the only ones who ever see the racks in person.
Even if the 3rd party tech notices something unusual about the optic the certainly aren't going to touch it without a ticket and will probably not even mention it.
Looking at the pictures this thing isn't exactly the typical SFP form factor, it protrudes ~5 cm or so over a normal SFP. So if you swap one of these out it's going to stick out like the proverbial sore thumb.
Who says you can see the side they swapped the optic on? For datacenter cross connect links, its not uncommon for the other side of the link to be somewhere you can't see/have access to.
- Legit: debugging/monitoring. Other legit uses are theoretically possible but the device has severe limitations that likely make them impractical or unwise.
- Surreptitious: This is clearly where the value proposition of this device lies. An optic could be "unknowingly" swapped out on an interesting link to snoop on or infiltrate a network.
Swapping out optics in a large network is not uncommon as they do fail. More often they are swapped out as a troubleshooting step where the original optic may not even be bad. This way log messages indicating link flap and replacement of an optic could likely go unnoticed.