by kube-system 2542 days ago
A good risk assessment starts by evaluating possible attack vectors before they’re exploited. If you wait until they’re actively exploited, you might find yourself dealing with an incident response instead.

Another big component of risk is trustworthiness. You might evaluate a vendor’s reputation, test/QA processes, support channels, and the legal environment they operate in. If you don’t even know who the vendor is, that’s a big barrier to establishing much trust.

1 comments

In other words, don't buy on Amazon, particularly from the third-party marketplace.
Not necessarily. Validating the authentication labels on a device might give someone enough confidence they can trust it for their particular threat model. While resellers add a definite uncertainty to the security of the supply chain, I think most people would find them to be more trustworthy than a counterfeiting manufacturer.