> I don't think it targets the überparanoid, given that you can't trust it > entirely because it's epoxied and runs closed firmware (although even if > the firmware wasn't, you still wouldn't know that what you were given > ran the firmware you thought it did.) I don't think it is possible to > target such people. Well, target them with products, anyway. > > (Disclaimer: I wasn't directly involved in the engineering of this > product, but I do work with Daniel.)
Hi, The uber-paranoid do not see that why one seeks security is economic security - it is why there are locks on car and house doors, but they don't each have to be a bank safe. We will end up going towards uber-paranoia as some of our projects get further along, but at this stage common sense and economics dictates what can be done, and design so that there are no secrets that are not well protected that are the 'entire kitty'. For the 'mass of users' we target, we would prefer to steer them towards an open source operating system, for example, than the common Windows. Even Windows has come a long way since the days of Windows 98 when the operating system alone was enough to get your e-gold stolen. Yet e-gold ran Windows servers to my recollection and never got hacked to my knowledge. Today's Windows 7, shipping with firewall on by default and most users being behind a standard broadband modem has certainly upped the security profile out there although one could argue that it likely has 'total remote control' built in. I shudder at the latest Intel technology that is being promoted to 'remotely disable your machine' via some low level back door. Entropy seems to me to be the lowest common denominator followed by untrusted code that takes control of the CPU at root layer. The second problem can only be solved for dedicated paranoid types who don't mind, for example, that they cannot have Outlook. The first did not have a cheap and easy solution other than the randomsound entropy gathering daemon or one of the timer based entropy gathering daemons on Linux. Sorry to ramble on, but I'm just trying to make some points here that could be useful to the economic model that Simtec is pursuing. It would help if they could state that they have never had any shareholding, funding or heavy economic dependence on any government agency or government contract. I, for one, would love to see them become successful. More session keys negotiated with better entropy out there, the better for all of us. I was just joking with one of our developers that given the output of PHP's rand function on Windows, it really does not matter if you have chosen AES256 or DES: http://www.random.org/analysis/ [see second set of images]. Simtec people reading this can create a service like random.org with daily updated picture of the randomness of one of their keys. That visual is compelling. Best, Ray -- Rayservers http://www.rayservers.com/ Zurich: +41 43 5000 728 London: +44 20 30 02 74 72 Panama: +507 832 1846 San Francisco: +1 408 419 1978 USA Toll Free: +1 888 265 5009 10:00 - 24:00 GMT We prefer to be paid in gold Globals™ and silver Isles™ Global Standard™ - Global Settlement Foundation http://www.global-settlement.org/ Our PGP key 0x079CCE10 on http://keyserver.rayservers.com/ _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
