[Cryptography] trojans in the firmware

grarpamp grarpamp at gmail.com
Wed Feb 25 07:07:19 EST 2015 

On Tue, Feb 24, 2015 at 8:53 PM, Jerry Leichter <leichter at lrw.com> wrote:
> On Feb 24, 2015, at 2:24 AM, Ryan Carboni <ryacko at gmail.com> wrote:
>> Fighting against a nation state using equipment you cannot design
>> yourself or anyone you know could design... don't.

> But in fact you can't design or manufacture *everything*.  Do you
> need control of your chips all the way back to mining the sand?

Aren't there really only a couple ways to solve this?


A) Somewhat similar to the IAEA, everyone pick their own trusted
and knowledgeable people, then assemble everyone's people together
with orders:

1) Respect whatever soverign secrets you see
 [profits, design advantages, etc]
2) Just tell us what we want to know
 [do the chips that come out of the fab equal the  designs that went
 into it, and are those designs free of trust issues]

This is complicated by needing to insert yourself into those legacy
areas, as well as verify essentially that of B below.


B) Contact your favorite billionaires and pitch the case for a truly
open fab. And yes, that could include starting from ...

> Do you need control of your chips all the way back to mining the
> sand? [...] build a computer out of [...] simple logic gates
> JK-flipflops

Since that tech is already discovered, it would just be an open
rapid physical rebuild of history from transistor to today. Maybe
that would take 10 years of dedicated work to create a trusted fab
that matches todays tech and can replicate itself.

And if you think about it, it could be a profitable venture because
if you did it right, you'd be able to openly and certifiably create
trusted Orange Book / CC style hardware... something governments,
large entities and even users have always wanted but haven't been
able to obtain in affordable quantites and purposes.

This may be easier because there's no legacy to remediate.
And there's no reason you couldn't manufacture private chips too,
the only restriction being that terms that would compromise the fab
are not allowed.


https://en.wikipedia.org/wiki/International_Atomic_Energy_Agency
https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria
https://en.wikipedia.org/wiki/Trusted_computing_base
http://cm.bell-labs.com/who/ken/trust.html
https://en.wikipedia.org/wiki/Backdoor_(computing)
https://en.wikipedia.org/wiki/Open-source_hardware

More information about the cryptography mailing list