[cryptography] evidence for threat modelling -- street-sold hardware has been compromised

Jon Callas jon at callas.org
Tue Jul 30 09:43:25 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jul 30, 2013, at 4:07 AM, ianG <iang at iang.org> wrote:

> It might be important to get this into the record for threat modelling.  The suggestion that normally-purchased hardware has been compromised by the bogeyman is often poo-pooed, and paying attention to this is often thought to be too black-helicopterish to be serious.  E.g., recent discussions on the possibility of perversion of on-chip RNGs.
> 
> This doesn't tell us how big the threat is, but it does raise it to the level of 'evidenced'.

Evidence of what, though?

The rumor isn't a new one. A bunch of government agencies dropped ThinkPads from approved lists when they were sold from IBM to Lenovo, and that was pure ooo-scary-Chinese stuff, not with any actual evidence. It's reasonable enough, and jibe with their general mistrust of Huawei, etc. It was a pre-emptive move away from ThinkPads.

That mistrust ranges from the reasonable to the quasi-reasonable to whatever. I can understand completely removing ThinkPads from fast track approval to needing testing etc. once they were sold to Lenovo in 2005. This sounds like nothing but rumor mongering based on that.

Evidence would be something like a Black Hat preso.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: windows-1252

wj8DBQFR98MAsTedWZOD3gYRAsssAJoCqOCNwDLrIGlk0IQqj2kOL+XQTwCg7BZc
tkFk68doeFMPtaLSCDomeX0=
=Gy/J
-----END PGP SIGNATURE-----


More information about the cryptography mailing list