[Cryptography] OneRNG kickstarter project looking for donations

Ray Dillinger bear at sonic.net
Thu Dec 18 12:23:21 EST 2014



On 12/15/2014 11:18 AM, ianG wrote:
>  Some people say that they also intercept hardware
> during shipping to install spyware.
> 

In fact it is known that they have done so - but as far as can be told
from the Snowden papers this only happens as part of TAO (Tailored
Access Operations).  And TAO is used only as a last resort - when
there is a *specific* target whose information they have a pressing
need to get for some very specific reason, but whose computers they
can't otherwise break into.

TAO requires deploying agents in the field to get to single targets,
so it is VASTLY too risky and expensive for the kind of ubiquitous
surveillance that constitutes the threat for ordinary users.

We can hope that at some point TAO requires better controls than
expense, such as actual search warrants.  But I'm not holding my
breath.

I'm vastly more worried about the fact that most computer hardware
is manufactured in countries whose human rights records are worse,
and whose governments are more corrupt and ruthless, than even the
United States.  A few forced modifications in basic chip designs
at the major manufacturers are very easy to cover up. Get to the
chip mask, and not even the people making the chips have to know
about your backdoor, let alone the people who are actually
putting together the routers and switches, much less the trusting
souls who buy them.  That would be very cheap (effectively no
marginal cost once the chip mask is substituted), effectively
risk-free, very hard to detect, and *DOES* lend itself to
ubiquitous surveillance.

So it would not be at all surprising to find that Chinese agencies
have even more capability to break into anything they want to and
perform mass surveillance than the NSA.

And that is the sort of threat, if you remember, that the NSA was
supposed to *defend* us from.

			Bear
