[Cryptography] Anyone else seen some odd shipping delays?

Phillip Hallam-Baker phill at hallambaker.com
Fri Dec 4 11:10:57 EST 2015


On Fri, Dec 4, 2015 at 10:37 AM, Thierry Moreau <
thierry.moreau at connotech.com> wrote:

> Hi!
>
> Is paranoia a productive feeling?
>
> Two propositions:
> a) you missed a simple explanation for delays and apparent non-sense,
> b) irrespective of your findings, you will remain suspicious of what's
> inside these boxes full of firmware with peripheral access to potential
> subliminal channels.
>

Well, I would not use the box for code development. This is a RAID array for
the home theater. The source code is going to be managed on SourceForge and
there is a firewall between my office and the rest of the house.
> Is your day job about designing crypto key management schemes where the
> most critical operations are performed in computing environments (e.g. an
> "open source HSM") where critical secret leakage risk is manageable?
>

Yes it is.

Which is why I do not have any connection to the operational environment.

I am very interested in open source HSM efforts. But that isn't currently
my focus.
What is in my scope is considering supply chain security and the risks of
precisely this type of compromise. I do build my development machines
myself but that only ups the work factor rather than being a protection. I
like these Raspberry Pi devices as I can load them with an O/S build of my
choice from a reasonably secure media. Again, not perfect proof.

Thing is that I have attended MIT workshops where we discuss this sort of
thing with people who retired from the most senior positions of certain
three letter agencies. One of the hypotheses I put forward at that meeting
is that

1) China has good reason to fear cyber attack from Russia (look at a map,
all those countries between them are highly unstable and have large Russian
and Han minorities)

2) China's policy of stealing IP has prevented the country from developing a
native design capability. We hire lots of Chinese engineers who can't find
work at home to do anything apart from reverse engineering.

3) Therefore, China has to get the US/Germany/etc. to do the R&D for the
cyber defense technologies it needs so it can steal them.

4) China has no purchasing power because it steals everything.

5) Therefore China's optimal cyber strategy is to attack the West in the
very open manner we see in the expectation that this causes us to develop
the cyber defense technologies they need.
So maybe they are just attempting to use the strategy I suggested to apply
my thought to the supply chain problem they would like to see me solve
rather than the other problems they do not want to see solved.