[Cryptography] OpenSSL CSPRNG work
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Jul 9 07:56:32 EDT 2017
John Denker via cryptography <cryptography at metzdowd.com> writes:
>You are a businessman. You presumably know about scenario planning. Here are
>three scenarios to consider:
This is missing the one that actually occurs:
"Oh, you security geeks are always whining about something or other. We've
been shipping these things for 20 years without any problems. Besides, you've
just told me the problem is more or less unsolvable, so there's nothing we
could do even if we wanted to".
On the remote chance that the device gets compromised to a level where the
media pays attention and there's a need to do something, you issue an advisory
about putting them behind firewalls and promise updated firmware on the next
product rev, due in 2019 unless the schedule slips again. Or you just ignore
the issue, that works most of the time as well.
Note that this isn't a "lets all collectively groan at the hypothetical
businessman", this is in all probability what will actually happen in this
case.
>And you're being sued for negligence, for being an incubator and a vector
>whereby the malware attacked everybody else.
And when has that ever happened? For a very topical example, I was just
forwarded this:
https://www.bleepingcomputer.com/news/security/broadpwn-bug-affects-millions-of-android-and-ios-devices/
So Broadcom or Google issue a fix, since it's Android most devices are never
updated and remain vulnerable to a remote code execution forever-day, and
nothing of any consequence happens to either Broadcom or Google.
Peter.
More information about the cryptography
mailing list