[cryptography] Intel RNG

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Jun 18 23:28:53 EDT 2012


Tim Dierks <tim at dierks.org> writes:

>While this is all true, it's also why manufacturers who want persuasive
>analysis of their products hire consulting vendors with a brand and track
>record strong enough that the end consumer can plausibly believe that their
>reputational risk outweighs the manufacturer's desire for a good report.
>Cryptography Research is such a vendor.

There's also the law of diminishing returns for Intel.  Most users of their 
products are going to say "it's from Intel, it should be good enough".  A 
small number of users are going to say "it should be OK but I'd like a second 
opinion just to be sure".  A vanishingly small number are going to peek out 
from under their tinfoil hats and claim that the Bavarian Illuminati "fixed" 
the report and they still don't trust it, ignoring the fact that the app 
they're using the RNG with has to run as admin under Windows, opens a bunch of 
globally-accessible network ports, and has eight different buffer overflows in 
it.

The point at which it makes sense to stop is between the second and third
groups.

Peter.


