Re: OT: hardware war with manufacturers (espionage claims)
On Sat, Jul 06, 2019 at 07:56:10PM +0200, Tomasz Rola wrote:
[...]
> machine, two of which killed more than six hundred people, before
> someone turned the switch. As for now, there was a way to stop it.

I have rechecked and the number of fatalities was 189 and 157, totaling
346 people. Please excuse my error.

-- 
Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:tomasz_r...@bigfoot.com             **
Re: OT: hardware war with manufacturers (espionage claims)
On Fri, Jul 05, 2019 at 09:49:02PM -0600, Theo de Raadt wrote:
> Stuart Longland wrote:
[...]
> > Basically your best bet: don't rely on a single vendor. It's harder for
> > them to hide their espionage then as one vendor won't know how to hide
> > another vendor's dirty deeds.
>
> Precisely. Most of the risks are in the bugs, and if you hit a problem
> you'll be Dennis Muilenburg saying you didn't know (that phrase works
> one way today, but if in the next few days he leaves his position, it
> will work a different way). The unknown risk factors are first unknown
> and potentially accidental, and secondly unknown and now we are supposed
> to guess it wasn't accidental. Vendors are wired to increase
> performance and no one judges security aspects, that's the process where
> the "accident" arises. Maybe we should suddenly accuse absolutely
> everyone of malpractice! As if that will change anything...

While the problems of spying on individuals are important and have an
ugly side [1], I think nowadays [2][3] that long term, the real problem
will be autonomous hardware. Just like two recent catastrophes involving
Boeing. On the one side, it may be seen as an unfortunate sequence of
human errors, fueled by greed (fueled by procreation drive). On the
other side, the very same decisions led to making a machine, two of
which killed more than six hundred people, before someone turned the
switch. As for now, there was a way to stop it. I wait in terror for
"our devices never stop".

[1] I am not sure, do they have a nice side? Perhaps if certain kinds of
crimes could be fought with it?

[2] This can change in the future - GIGO, FIFO, you all know it

[3] Oh, I did not come to it all by myself. If some of you have a
chance, try reading Stanislaw Lem. Some of his works have even been
translated to English (but I cannot say how well; opinions say very
well, but then again US editors like changing what they print from
original versions (anecdotal evidence, surprisingly too much to
ignore)). Do not be misled by his joking tone. The man survived in the
heart of WW2 and witnessed both post-war and Cold War. People mostly
take things at face value. He told them jokes about humanity and readers
had a good time. Some, not so good. [4]

[4] For a shortified super-short version, try Henry Kuttner's "Twonky".

> So this is misc, which is full of lots of talk about nothing, by people
> who can't change the ecosystem. Having worried vocally about this
> before, I know I can't change it. Pretty sad to see people who are even
> less capable find the energy to moan about it. Especially Americans.
> Know what I mean?

Humans, when faced with the inevitable, do:

1. forget it is inevitable
2. fantasise about something nice, to kill time while waiting for it

Do not expect too much from a jello between the ears. For our
limitations, we came surprisingly far and long, albeit some are saying
there will be cost and paying the bills and dies irae et calamitatis.
Who knows. Nothing in nature is free, eh? I guess there is a lot of
shifting stuff around, so those who pay the bills are not those who got
the credit.

Sorry for being so much off topic. On the other hand, we are living in
the future, so maybe this is more on topic than one would expect. People
here are involved in creating a significant portion of our lives. Not
that I see any way to make use of it, I am too apathetic for this.

-- 
Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:tomasz_r...@bigfoot.com             **
Re: OT: hardware war with manufacturers (espionage claims)
On 06/07/2019, Theo de Raadt wrote:
> Precisely. Most of the risks are in the bugs, and if you hit a problem
> you'll be Dennis Muilenburg saying you didn't know (that phrase works
> one way today, but if in the next few days he leaves his position, it
> will work a different way). The unknown risk factors are first unknown
> and potentially accidental, and secondly unknown and now we are supposed
> to guess it wasn't accidental. Vendors are wired to increase
> performance and no one judges security aspects, that's the process where
> the "accident" arises. Maybe we should suddenly accuse absolutely
> everyone of malpractice! As if that will change anything...

Hence, not only can you get the effect of conspiracy without there
being one, but it doesn't matter whether there is a conspiracy or not
when it won't change anything; and at any rate, most smart culprits
have figured out to maintain plausible deniability. Unless one is a
member of a jury tasked with deciding e.g. Dennis's guilt or innocence,
it doesn't matter one way or another.

> So this is misc, which is full of lots of talk about nothing, by people
> who can't change the ecosystem. Having worried vocally about this
> before, I know I can't change it. Pretty sad to see people who are even
> less capable find the energy to moan about it.

Few emotions are as powerful as impotent rage.
Impotent rage, rage, rage against the dying of the light.

Ian

PS: Don't die on us, Theo.
Re: OT: hardware war with manufacturers (espionage claims)
> On Jul 5, 2019, at 10:49 PM, Theo de Raadt wrote:
>
> So this is misc, which is full of lots of talk about nothing, by people
> who can't change the ecosystem. Having worried vocally about this
> before, I know I can't change it. Pretty sad to see people who are even
> less capable find the energy to moan about it. Especially Americans.
> Know what I mean?

I currently suspect the well known Chinese conglomerates are not
participating in industrial espionage. At this point the trade war is
an effort to continue with existing relationships that have existed for
decades. It's well understood that the agro business is a growing
consideration for the likes of China & Vietnam & that manufacturing in
those countries is a tug of war with demand. As the predominance of
fast food & convenience continues to explode it's possible that American
trade dominance may actually increase.

Regards
Patrick
Re: OT: hardware war with manufacturers (espionage claims)
Stuart Longland wrote:
> On 2/7/19 5:43 pm, John Long wrote:
> >> What do you think and do when using OpenBSD on this kind of hardware?
> > Lemote boxes are kinda neat but they're not the fastest in the world.
> > It beats the hell out of the alternatives if you can live with the
> > limitations.
>
> Gentoo was donated two Lemote Fulong 2Es back when I used to maintain
> their MIPS port. Compared to the other machines we supported at the
> time (aging SGI boxes and Cobalt Qube), they were a breath of fresh air.
>
> Fast enough to actually do useful things on, even play Quake II (with 3D
> acceleration … for about 10 seconds until X crapped itself).
>
> The Loongson netbook was a backward step in terms of graphics hardware
> though, and a lot of software has problems with MIPS regardless of ABI
> (I've tried o32, n32 and n64).
>
> Shame, because it is a nice enough platform.
>
> As for espionage… unless you're going to sit there with sand you've
> mined yourself, refine it, and make your own semiconductors, there's
> always going to be an element of risk in terms of espionage from your
> supply chain.

And meanwhile, Intel added undocumented strong speculation to their
CPUs, which are now easily CVE-identifiable as verifiable giant security
problems to a majority platform. And the more we dig, the more we
realize they did this as market force, ignoring the risks they
identified at conferences a decade earlier.

> Basically your best bet: don't rely on a single vendor. It's harder for
> them to hide their espionage then as one vendor won't know how to hide
> another vendor's dirty deeds.

Precisely. Most of the risks are in the bugs, and if you hit a problem
you'll be Dennis Muilenburg saying you didn't know (that phrase works
one way today, but if in the next few days he leaves his position, it
will work a different way). The unknown risk factors are first unknown
and potentially accidental, and secondly unknown and now we are supposed
to guess it wasn't accidental.

Vendors are wired to increase performance and no one judges security
aspects, that's the process where the "accident" arises. Maybe we should
suddenly accuse absolutely everyone of malpractice! As if that will
change anything...

So this is misc, which is full of lots of talk about nothing, by people
who can't change the ecosystem. Having worried vocally about this
before, I know I can't change it. Pretty sad to see people who are even
less capable find the energy to moan about it. Especially Americans.
Know what I mean?
Re: OT: hardware war with manufacturers (espionage claims)
On 2/7/19 5:43 pm, John Long wrote:
>> What do you think and do when using OpenBSD on this kind of hardware?
> Lemote boxes are kinda neat but they're not the fastest in the world.
> It beats the hell out of the alternatives if you can live with the
> limitations.

Gentoo was donated two Lemote Fulong 2Es back when I used to maintain
their MIPS port. Compared to the other machines we supported at the
time (aging SGI boxes and Cobalt Qube), they were a breath of fresh air.

Fast enough to actually do useful things on, even play Quake II (with 3D
acceleration … for about 10 seconds until X crapped itself).

The Loongson netbook was a backward step in terms of graphics hardware
though, and a lot of software has problems with MIPS regardless of ABI
(I've tried o32, n32 and n64).

Shame, because it is a nice enough platform.

As for espionage… unless you're going to sit there with sand you've
mined yourself, refine it, and make your own semiconductors, there's
always going to be an element of risk in terms of espionage from your
supply chain.

Basically your best bet: don't rely on a single vendor. It's harder for
them to hide their espionage then as one vendor won't know how to hide
another vendor's dirty deeds.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
Re: OT: hardware war with manufacturers (espionage claims)
On 04/07/2019, cho...@jtan.com wrote:
> ropers writes:
>> ::I put on my robe and tinfoil hat.::
>
>> ... Wow. The things you guys come up with ...
>
> I mean yeah, I guess, in theory maybe?
>
> Of course in order to achieve this level of evil you need highly
> competent governments and corporations but that's no problem right?
>
> Matthew

Remember, you can have the effects of conspiracy without there being a
conspiracy, so long as the preconditions exist and things and people
lean a certain way. (after A. Goldman)

Honestly, with some of the stuff I just mentioned, and with "smart"
features soon to be included in just about any type of product by
default, I expect that sooner or later, **transistor pollution** will
become a real problem.

I could go on if people wanted to hear it, though this is OT.

Toodles.
Ian
Re: OT: hardware war with manufacturers (espionage claims)
ropers writes:
> ::I put on my robe and tinfoil hat.::

> ... Wow. The things you guys come up with ...

I mean yeah, I guess, in theory maybe?

Of course in order to achieve this level of evil you need highly
competent governments and corporations but that's no problem right?

Matthew
Re: OT: hardware war with manufacturers (espionage claims)
::I put on my robe and tinfoil hat.::

What keeps me awake at night is the thought of code running on things
we traditionally don't even think of as having CPUs, like on SSDs, on
the integrated device electronics of SATA disks for example. Or on the
CPU inside your CPU, like the Minix computer inside just about any
recent Intel chip.

Also, do we think it's possible that, if a NIC is physically connected
to a wire or fibre, it could be signalling someone across that same
physical medium but totally out-of-band as far as canonical protocols
and frequencies are concerned? Granted, the expected behaviour of
routers is that they forward only what they forward, under the rules of
the game. But what if the exploit just had enough market penetration so
that some other NIC talking, say, "SnoopyNet" besides TCP/IP could be
expected to be within physically-wired-up reach of your
SnoopyNet-talking NIC? With enough of a percentage of NICs pwned by
SnoopyNet, they could be talking a dog-whistling language we can't hear
and could be forwarding select data all the way to Fort Meade.

This might be even easier to do with wireless. Think of this as
software- (or firmware-)defined radio on steroids. To pick up on Raul's
point, even with a spectrum analyser hooked up to our Suspiciously
American(TM) NIC, SnoopyNet might be indistinguishable from noise.
SnoopyNet may not even be low-bandwidth. Remember when people had
acoustic and then line modems, and people thought a rate of kilobits per
second was about the limit, but then someone invented DSL?

Heck, it's possible to build audio bugs no bigger than a grain of rice
and audio+video bugs no bigger than a pea, and even that may not be the
limit, though there will be limits due to optics and wavelength. Also,
any bug that doesn't just store recordings would have to have a biggish
antenna. Unless it's maybe close enough to a firmware-defined radio
running on a SnoopyNet-exploited NIC? Plus, absent the use of detectable
radioisotopes, battery size and endurance will be an issue -- unless
someone has written the mother of all RFID-like protocols and is using
a SnoopyNet-exploited NIC slash RFID-like reader to actually power the
nearby bug too?

OTOH, why even bother with any of that when y'all have smaaatphones,
amirite guise?

Honestly, I don't even know what crypto I can truly trust anymore.
That's mostly not even because of "bUt TeH nSa HaVe tEh qUaNtOoN
cOmPuTaR" rumours^W conspiracy theories; no, it's mainly simply because
of my own ignorance.

Serious question: If Alice and Bob already have a shared password, what
would you do to let them exchange messages without Eve finding out the
content, assuming the shared secret is not long enough to be a one-time
pad?

/doffs tinfoil hat

Ian

On 03/07/2019, Raul Miller wrote:
> Any sufficiently advanced technology is indistinguishable from noise,
>
> https://en.wikipedia.org/wiki/Shannon%E2%80%93Hartley_theorem
>
> Thanks,
>
> --
> Raul
>
> On Tue, Jul 2, 2019 at 1:30 PM Brian Brombacher wrote:
>>
>> Oh and if the implant is smart, it'll detect you're trying to find it and
>> go dormant.
>>
>> Even more good luck!
>>
>>> On Jul 2, 2019, at 1:24 PM, Brian Brombacher wrote:
>>>
>>> Hardware implants go beyond just sending packets out your network card.
>>> They have transceivers that let agents control or snoop the device from
>>> a distance using RF.
>>>
>>> You need to scan the hardware with RF equipment to be sure.
>>>
>>> Good luck!
>>>
>>>> On Jul 2, 2019, at 12:27 PM, Misc User wrote:
>>>>
>>>>> On 7/2/2019 12:43 AM, John Long wrote:
>>>>> On Tue, 2 Jul 2019 10:07:59 +0300
>>>>> Mihai Popescu wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I keep finding articles about some government bans against some
>>>>>> hardware manufacturers related to some backdoor for espionage. I know
>>>>>> this is an old talk. Most Chinese manufacturers are under the search:
>>>>>> Huawei, ZTE, Lenovo, etc.
>>>>> It seems painfully obvious what's driving all the bans and vilification
>>>>> of Chinese hardware and software is that the USA wants exclusive rights
>>>>> to spy on you and won't tolerate any competition.
>>>>> Does anybody think maybe the reason Google and Facebook don't pay taxes
>>>>> anywhere might have something to do with what they do with all that
>>>>> info they collect? Is the "new" talk about USA banning any meaningful
>>>>> encryption proof of how seriously they take security and privacy?
>>>>>> What do you think and do when using OpenBSD on this kind of hardware?
>>>>> Lemote boxes are kinda neat but they're not the fastest in the world.
>>>>> It beats the hell out of the alternatives if you can live with the
>>>>> limitations.
>>>>>> Do you prefer Dell, HP and Fujitsu?
>>>>> Your only choice is probably to pick the least objectionable entity to
>>>>> spy on you. If you buy Intel you know you're getting broken, insecure
>>>>> crap no matter
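One answer to Ian's "serious question" above, as an added example that is not code from anyone in the thread: stretch the shared password into two keys with a slow KDF, encrypt each message under a fresh nonce, and authenticate before decrypting. The keystream here is counter mode over HMAC-SHA256, chosen only because the Python standard library ships no AEAD; in real use the same shape is what AES-GCM or ChaCha20-Poly1305 give you from a proper library. The salt, nonce size and PBKDF2 iteration count are assumptions for the example. The caveat the question already hints at still holds: Eve learns nothing about the content from ciphertext and tag, but she can guess passwords offline against the tag, so the password's entropy, not the cipher, sets the ceiling.

```python
"""Confidential messaging from a shared password (added example, stdlib only).

  1. PBKDF2-HMAC-SHA256 stretches the password + per-conversation salt into
     64 bytes: an encryption key and a separate MAC key.
  2. Ciphertext = plaintext XOR HMAC-SHA256(enc_key, nonce || counter) blocks.
     This counter-mode-over-HMAC stream stands in for a real AEAD (assumed
     construction for the example; use AES-GCM / ChaCha20-Poly1305 in practice).
  3. Tag = HMAC-SHA256(mac_key, nonce || ciphertext), checked in constant
     time before any decryption (encrypt-then-MAC).
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise it for real use
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
BLOCK = 32                   # HMAC-SHA256 output size


def derive_keys(password, salt):
    """Stretch the shared password into (enc_key, mac_key); salt is per conversation."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=2 * BLOCK)
    return master[:BLOCK], master[BLOCK:]


def keystream_xor(enc_key, nonce, data):
    """XOR data with HMAC(enc_key, nonce || counter) blocks; same call encrypts and decrypts."""
    out = bytearray()
    for counter in range((len(data) + BLOCK - 1) // BLOCK):
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        chunk = data[counter * BLOCK:(counter + 1) * BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(enc_key, mac_key, plaintext):
    """Return nonce || ciphertext || tag for one message; a fresh nonce every call."""
    nonce = os.urandom(NONCE_LEN)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_(enc_key, mac_key, blob):
    """Verify the tag first, only then decrypt. Raises ValueError on any failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong password or tampered message")
    return keystream_xor(enc_key, nonce, ct)


def opens_with(password, salt, blob):
    """True iff this password (with this salt) authenticates and opens blob."""
    enc_key, mac_key = derive_keys(password, salt)
    try:
        open_(enc_key, mac_key, blob)
    except ValueError:
        return False
    return True


def tamper_detected(enc_key, mac_key, blob, byte_index):
    """Flip one bit of the blob and report whether open_() rejects it."""
    forged = bytearray(blob)
    forged[byte_index] ^= 0x01
    try:
        open_(enc_key, mac_key, bytes(forged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)                        # sent once, in the clear
    alice = derive_keys("correct horse battery staple", salt)
    bob = derive_keys("correct horse battery staple", salt)
    wire = seal(*alice, b"meet at the usual place, 21:00")
    print(open_(*bob, wire))                           # b'meet at the usual place, 21:00'
    print(tamper_detected(*bob, wire, NONCE_LEN + 3))  # True
```

The salt can travel in the clear (it only needs to be unique per conversation); the nonce must never repeat under the same key, which is why `seal()` draws a new one per message. Derive the keys once per conversation rather than per message, since the whole point of the KDF cost is to make Eve's offline guessing slow, not Alice's and Bob's chat.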
Re: OT: hardware war with manufacturers (espionage claims)
Mihai,

Do you want to protest companies by not buying their equipment? That is
the only feasible outcome from this conversation.

The other outcome would be you want advice on what models will work on
OpenBSD.

-Brian

> On Jul 3, 2019, at 12:11 PM, Zack Lofgren wrote:
>
> Mihai,
>
> It depends on your threat model. You can't absolutely trust any hardware
> because of low level firmware. However, that doesn't matter if your
> threat model is low enough. Are you an enemy of the state? If so, you
> probably shouldn't trust any technology. If you're just an average
> person, then using free software with good practices like encryption is
> probably enough.
>
> Right now, I use an old Thinkpad with OpenBSD and full disk encryption
> because it fits what I want. I have proprietary firmware for wireless
> because I care more about it working than distrusting it for now. If I
> had a higher threat level, I'd use an even older Thinkpad with
> coreboot/libreboot (not sure if OpenBSD is compatible) and a different
> wireless NIC.
>
> Zack Lofgren
>
>> On Jul 3, 2019, at 09:48, Mihai Popescu wrote:
>>
>> ...
>>
>> I asked for an answer more like "avoid using nVidia chipsets", not for
>> theories.
>> So, again, do you consider brands when choosing hardware, like Dell
>> vs. Lenovo, etc.?
>>
>> Thank you.
>>
Re: OT: hardware war with manufacturers (espionage claims)
Mihai,

It depends on your threat model. You can't absolutely trust any hardware
because of low level firmware. However, that doesn't matter if your
threat model is low enough. Are you an enemy of the state? If so, you
probably shouldn't trust any technology. If you're just an average
person, then using free software with good practices like encryption is
probably enough.

Right now, I use an old Thinkpad with OpenBSD and full disk encryption
because it fits what I want. I have proprietary firmware for wireless
because I care more about it working than distrusting it for now. If I
had a higher threat level, I'd use an even older Thinkpad with
coreboot/libreboot (not sure if OpenBSD is compatible) and a different
wireless NIC.

Zack Lofgren

> On Jul 3, 2019, at 09:48, Mihai Popescu wrote:
>
> ...
>
> I asked for an answer more like "avoid using nVidia chipsets", not for
> theories.
> So, again, do you consider brands when choosing hardware, like Dell
> vs. Lenovo, etc.?
>
> Thank you.
>
Re: OT: hardware war with manufacturers (espionage claims)
...

I asked for an answer more like "avoid using nVidia chipsets", not for
theories.
So, again, do you consider brands when choosing hardware, like Dell
vs. Lenovo, etc.?

Thank you.
Re: OT: hardware war with manufacturers (espionage claims)
Any sufficiently advanced technology is indistinguishable from noise,

https://en.wikipedia.org/wiki/Shannon%E2%80%93Hartley_theorem

Thanks,

--
Raul

On Tue, Jul 2, 2019 at 1:30 PM Brian Brombacher wrote:
>
> Oh and if the implant is smart, it'll detect you're trying to find it and
> go dormant.
>
> Even more good luck!
>
>> On Jul 2, 2019, at 1:24 PM, Brian Brombacher wrote:
>>
>> Hardware implants go beyond just sending packets out your network card.
>> They have transceivers that let agents control or snoop the device from
>> a distance using RF.
>>
>> You need to scan the hardware with RF equipment to be sure.
>>
>> Good luck!
>>
>>> On Jul 2, 2019, at 12:27 PM, Misc User wrote:
>>>
>>>> On 7/2/2019 12:43 AM, John Long wrote:
>>>> On Tue, 2 Jul 2019 10:07:59 +0300
>>>> Mihai Popescu wrote:
>>>>> Hello,
>>>>>
>>>>> I keep finding articles about some government bans against some
>>>>> hardware manufacturers related to some backdoor for espionage. I know
>>>>> this is an old talk. Most Chinese manufacturers are under the search:
>>>>> Huawei, ZTE, Lenovo, etc.
>>>> It seems painfully obvious what's driving all the bans and vilification
>>>> of Chinese hardware and software is that the USA wants exclusive rights
>>>> to spy on you and won't tolerate any competition.
>>>> Does anybody think maybe the reason Google and Facebook don't pay taxes
>>>> anywhere might have something to do with what they do with all that
>>>> info they collect? Is the "new" talk about USA banning any meaningful
>>>> encryption proof of how seriously they take security and privacy?
>>>>> What do you think and do when using OpenBSD on this kind of hardware?
>>>> Lemote boxes are kinda neat but they're not the fastest in the world.
>>>> It beats the hell out of the alternatives if you can live with the
>>>> limitations.
>>>>> Do you prefer Dell, HP and Fujitsu?
>>>> Your only choice is probably to pick the least objectionable entity to
>>>> spy on you. If you buy Intel you know you're getting broken, insecure
>>>> crap no matter whose box it comes in. Sure it runs fast, but... in that
>>>> case everybody is going to spy on you.
>>>> /jl
>>>
>>> Assume everything is compromised. Don't trust something because someone
>>> else said it was good. Really, the only way to test if a machine is
>>> spying on you is to do some kind of packet capture and watch its traffic
>>> until you are satisfied. But also put firewalls in front of your devices
>>> to ensure that if someone is trying to spy on you, their command and
>>> control packets don't make it to the compromised hardware.
>>>
>>> Besides, subverting a hardware supply chain is a difficult and
>>> expensive process. And if there is one thing I've learned in my career
>>> as a security consultant, it's that no matter how malevolent or
>>> benevolent a government is, they are still, above all, cheap and lazy.
>>> And in a world where everything is built with the first priority being
>>> making the ship date, there are going to be so many security flaws to be
>>> exploited. So much cheaper and easier to let Intel rush a design to
>>> market or Red Hat push an OS release without doing thorough testing and
>>> exploit the inevitable remote execution flaws.
>>>
>>> Or intelligence agencies can take advantage of the average person's
>>> tendency to laziness and cheapness by just asking organizations like
>>> Google, Facebook, Comcast, Amazon to just hand over the data they
>>> gathered in the name of building an advertising profile.
>>>
>
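The capacity bound Raul points at, worked through with assumed numbers as an added note (not part of his message), shows why a signal hidden below the noise floor can still carry data. The Shannon-Hartley theorem gives the capacity $C$ of a channel of bandwidth $B$ at signal-to-noise ratio $S/N$ as

$$C = B \log_2\!\left(1 + \frac{S}{N}\right)$$

For a signal 20 dB under the noise, $S/N = 0.01$, spread over $B = 1\ \mathrm{MHz}$:

$$C = 10^6 \cdot \log_2(1.01) \approx 10^6 \cdot 0.01436 \approx 1.4 \times 10^4\ \mathrm{bit/s}$$

so roughly 14 kbit/s is available to a receiver that knows the spreading code, while a spectrum analyser that does not know it sees only a $10\log_{10}(1.01) \approx 0.04\ \mathrm{dB}$ rise in the noise floor. (The small-SNR approximation $C \approx B \cdot (S/N)/\ln 2$ gives the same order of magnitude.) Bandwidth, not signal power, is the limiting resource, which is why "looks like noise on the analyser" is not evidence of "carries nothing".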
Re: OT: hardware war with manufacturers (espionage claims)
I'm fine with hardware implants snooping on me. But if I were a CISO for
a huge company, I might go the extra mile to care about said implants.

I'll continue living carefree.

> On Jul 2, 2019, at 1:42 PM, Nathan Hartman wrote:
>
> On Tue, Jul 2, 2019 at 1:28 PM Brian Brombacher wrote:
>
>> Oh and if the implant is smart, it'll detect you're trying to find it and
>> go dormant.
>>
>> Even more good luck!
>
>
> Well then the solution is obvious.
>
> Design your own hardware.
>
> Or learn to live off the land.
Re: OT: hardware war with manufacturers (espionage claims)
On Tue, Jul 2, 2019 at 1:28 PM Brian Brombacher wrote:
> Oh and if the implant is smart, it'll detect you're trying to find it and
> go dormant.
>
> Even more good luck!

Well then the solution is obvious.

Design your own hardware.

Or learn to live off the land.
Re: OT: hardware war with manufacturers (espionage claims)
Oh and if the implant is smart, it'll detect you're trying to find it
and go dormant.

Even more good luck!

> On Jul 2, 2019, at 1:24 PM, Brian Brombacher wrote:
>
> Hardware implants go beyond just sending packets out your network card.
> They have transceivers that let agents control or snoop the device from
> a distance using RF.
>
> You need to scan the hardware with RF equipment to be sure.
>
> Good luck!
>
>> On Jul 2, 2019, at 12:27 PM, Misc User wrote:
>>
>>> On 7/2/2019 12:43 AM, John Long wrote:
>>> On Tue, 2 Jul 2019 10:07:59 +0300
>>> Mihai Popescu wrote:
>>>> Hello,
>>>>
>>>> I keep finding articles about some government bans against some
>>>> hardware manufacturers related to some backdoor for espionage. I know
>>>> this is an old talk. Most Chinese manufacturers are under the search:
>>>> Huawei, ZTE, Lenovo, etc.
>>> It seems painfully obvious what's driving all the bans and vilification
>>> of Chinese hardware and software is that the USA wants exclusive rights
>>> to spy on you and won't tolerate any competition.
>>> Does anybody think maybe the reason Google and Facebook don't pay taxes
>>> anywhere might have something to do with what they do with all that
>>> info they collect? Is the "new" talk about USA banning any meaningful
>>> encryption proof of how seriously they take security and privacy?
>>>> What do you think and do when using OpenBSD on this kind of hardware?
>>> Lemote boxes are kinda neat but they're not the fastest in the world.
>>> It beats the hell out of the alternatives if you can live with the
>>> limitations.
>>>> Do you prefer Dell, HP and Fujitsu?
>>> Your only choice is probably to pick the least objectionable entity to
>>> spy on you. If you buy Intel you know you're getting broken, insecure
>>> crap no matter whose box it comes in. Sure it runs fast, but... in that
>>> case everybody is going to spy on you.
>>> /jl
>>
>> Assume everything is compromised. Don't trust something because someone
>> else said it was good. Really, the only way to test if a machine is
>> spying on you is to do some kind of packet capture and watch its traffic
>> until you are satisfied. But also put firewalls in front of your devices
>> to ensure that if someone is trying to spy on you, their command and
>> control packets don't make it to the compromised hardware.
>>
>> Besides, subverting a hardware supply chain is a difficult and
>> expensive process. And if there is one thing I've learned in my career
>> as a security consultant, it's that no matter how malevolent or
>> benevolent a government is, they are still, above all, cheap and lazy.
>> And in a world where everything is built with the first priority being
>> making the ship date, there are going to be so many security flaws to be
>> exploited. So much cheaper and easier to let Intel rush a design to
>> market or Red Hat push an OS release without doing thorough testing and
>> exploit the inevitable remote execution flaws.
>>
>> Or intelligence agencies can take advantage of the average person's
>> tendency to laziness and cheapness by just asking organizations like
>> Google, Facebook, Comcast, Amazon to just hand over the data they
>> gathered in the name of building an advertising profile.
>>
Re: OT: hardware war with manufacturers (espionage claims)
Hardware implants go beyond just sending packets out your network card.
They have transceivers that let agents control or snoop the device from
a distance using RF.

You need to scan the hardware with RF equipment to be sure.

Good luck!

> On Jul 2, 2019, at 12:27 PM, Misc User wrote:
>
>> On 7/2/2019 12:43 AM, John Long wrote:
>> On Tue, 2 Jul 2019 10:07:59 +0300
>> Mihai Popescu wrote:
>>> Hello,
>>>
>>> I keep finding articles about some government bans against some
>>> hardware manufacturers related to some backdoor for espionage. I know
>>> this is an old talk. Most Chinese manufacturers are under the search:
>>> Huawei, ZTE, Lenovo, etc.
>> It seems painfully obvious what's driving all the bans and vilification
>> of Chinese hardware and software is that the USA wants exclusive rights
>> to spy on you and won't tolerate any competition.
>> Does anybody think maybe the reason Google and Facebook don't pay taxes
>> anywhere might have something to do with what they do with all that
>> info they collect? Is the "new" talk about USA banning any meaningful
>> encryption proof of how seriously they take security and privacy?
>>> What do you think and do when using OpenBSD on this kind of hardware?
>> Lemote boxes are kinda neat but they're not the fastest in the world.
>> It beats the hell out of the alternatives if you can live with the
>> limitations.
>>> Do you prefer Dell, HP and Fujitsu?
>> Your only choice is probably to pick the least objectionable entity to
>> spy on you. If you buy Intel you know you're getting broken, insecure
>> crap no matter whose box it comes in. Sure it runs fast, but... in that
>> case everybody is going to spy on you.
>> /jl
>
> Assume everything is compromised. Don't trust something because someone
> else said it was good. Really, the only way to test if a machine is
> spying on you is to do some kind of packet capture and watch its traffic
> until you are satisfied. But also put firewalls in front of your devices
> to ensure that if someone is trying to spy on you, their command and
> control packets don't make it to the compromised hardware.
>
> Besides, subverting a hardware supply chain is a difficult and
> expensive process. And if there is one thing I've learned in my career
> as a security consultant, it's that no matter how malevolent or
> benevolent a government is, they are still, above all, cheap and lazy.
> And in a world where everything is built with the first priority being
> making the ship date, there are going to be so many security flaws to be
> exploited. So much cheaper and easier to let Intel rush a design to
> market or Red Hat push an OS release without doing thorough testing and
> exploit the inevitable remote execution flaws.
>
> Or intelligence agencies can take advantage of the average person's
> tendency to laziness and cheapness by just asking organizations like
> Google, Facebook, Comcast, Amazon to just hand over the data they
> gathered in the name of building an advertising profile.
>
Re: OT: hardware war with manufacturers (espionage claims)
On 7/2/2019 12:43 AM, John Long wrote:
> On Tue, 2 Jul 2019 10:07:59 +0300
> Mihai Popescu wrote:
>> Hello,
>>
>> I keep finding articles about some government bans against some
>> hardware manufacturers related to some backdoor for espionage. I know
>> this is an old talk. Most Chinese manufacturers are under the search:
>> Huawei, ZTE, Lenovo, etc.
> It seems painfully obvious what's driving all the bans and vilification
> of Chinese hardware and software is that the USA wants exclusive rights
> to spy on you and won't tolerate any competition.
> Does anybody think maybe the reason Google and Facebook don't pay taxes
> anywhere might have something to do with what they do with all that
> info they collect? Is the "new" talk about USA banning any meaningful
> encryption proof of how seriously they take security and privacy?
>> What do you think and do when using OpenBSD on this kind of hardware?
> Lemote boxes are kinda neat but they're not the fastest in the world.
> It beats the hell out of the alternatives if you can live with the
> limitations.
>> Do you prefer Dell, HP and Fujitsu?
> Your only choice is probably to pick the least objectionable entity to
> spy on you. If you buy Intel you know you're getting broken, insecure
> crap no matter whose box it comes in. Sure it runs fast, but... in that
> case everybody is going to spy on you.
> /jl

Assume everything is compromised. Don't trust something because someone
else said it was good. Really, the only way to test if a machine is
spying on you is to do some kind of packet capture and watch its traffic
until you are satisfied. But also put firewalls in front of your devices
to ensure that if someone is trying to spy on you, their command and
control packets don't make it to the compromised hardware.

Besides, subverting a hardware supply chain is a difficult and
expensive process. And if there is one thing I've learned in my career
as a security consultant, it's that no matter how malevolent or
benevolent a government is, they are still, above all, cheap and lazy.
And in a world where everything is built with the first priority being
making the ship date, there are going to be so many security flaws to be
exploited. So much cheaper and easier to let Intel rush a design to
market or Red Hat push an OS release without doing thorough testing and
exploit the inevitable remote execution flaws.

Or intelligence agencies can take advantage of the average person's
tendency to laziness and cheapness by just asking organizations like
Google, Facebook, Comcast, Amazon to just hand over the data they
gathered in the name of building an advertising profile.
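The two pieces of advice in the post above (capture the suspect machine's traffic until you are satisfied, and firewall it so command-and-control traffic cannot reach it) as an added example that is not code from the post: a small triage script over a text capture of the form `tcpdump -n -tttt` prints. It assumes a suspect host at 192.0.2.10, an egress allowlist (local resolver and NTP on 192.0.2.1, a package mirror range on 203.0.113.0/24) and a constructed capture, none of which come from the thread. Everything outside the allowlist is reported, and a destination contacted at a steady interval is flagged as a beacon candidate, which is the pattern a "phone home" implant would show.

```python
"""Egress triage for one suspect host over a tcpdump-style text capture.

Added example for this thread, not code from any poster. Assumed inputs:
  * lines as produced by `tcpdump -n -tttt` (the sample below is constructed);
  * SUSPECT is the box under test, ALLOWED the only destinations it may use.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

SUSPECT = "192.0.2.10"

# Egress allowlist for the suspect host (assumed for the example).
ALLOWED = {
    ip_network("192.0.2.1/32"): {53, 123},    # local resolver and NTP
    ip_network("203.0.113.0/24"): {80, 443},  # package mirror range
}

# "2019-07-02 12:27:01.000100 IP 192.0.2.10.51000 > 192.0.2.1.53: ..." (IPv4 only)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return {ts, src, sport, dst, dport} for a tcpdump line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def is_allowed(dst, dport):
    """True iff dst:dport falls inside the egress allowlist."""
    addr = ip_address(dst)
    return any(addr in net and dport in ports for net, ports in ALLOWED.items())


def unexpected_flows(lines, suspect=SUSPECT):
    """Map (dst, dport) -> [timestamps] for outbound packets not on the allowlist."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["src"] != suspect:   # inbound and non-packet lines ignored
            continue
        if not is_allowed(pkt["dst"], pkt["dport"]):
            flows[(pkt["dst"], pkt["dport"])].append(pkt["ts"])
    return dict(flows)


def beacon_candidates(flows, min_hits=3, jitter=0.2):
    """Flag destinations whose contact intervals stay within +/-jitter of their mean."""
    out = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            out[key] = round(mean, 1)
    return out


# Constructed capture: DNS, a mirror fetch and NTP are expected; 198.51.100.9:8443
# is not, and it is hit once a minute. The 192.0.2.1 -> suspect line is inbound.
CONSTRUCTED_CAPTURE = """\
2019-07-02 12:27:01.000100 IP 192.0.2.10.51000 > 192.0.2.1.53: 1234+ A? ftp.openbsd.org. (33)
2019-07-02 12:27:01.200000 IP 192.0.2.10.51001 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
2019-07-02 12:27:05.000000 IP 192.0.2.10.40000 > 198.51.100.9.8443: Flags [S], seq 2, win 64240, length 0
2019-07-02 12:27:30.000000 IP 192.0.2.10.51002 > 192.0.2.1.123: NTPv4, Client, length 48
2019-07-02 12:28:05.000000 IP 192.0.2.10.40001 > 198.51.100.9.8443: Flags [S], seq 3, win 64240, length 0
2019-07-02 12:29:05.000000 IP 192.0.2.10.40002 > 198.51.100.9.8443: Flags [S], seq 4, win 64240, length 0
2019-07-02 12:29:10.000000 IP 192.0.2.1.22 > 192.0.2.10.51003: Flags [S.], seq 5, ack 1, win 65535, length 0
2019-07-02 12:30:05.000000 IP 192.0.2.10.40003 > 198.51.100.9.8443: Flags [S], seq 6, win 64240, length 0
"""

if __name__ == "__main__":
    flows = unexpected_flows(CONSTRUCTED_CAPTURE.splitlines())
    for (dst, dport), stamps in flows.items():
        print(f"unexpected: {dst}:{dport} x{len(stamps)}")
    for (dst, dport), period in beacon_candidates(flows).items():
        print(f"beacon candidate: {dst}:{dport} every {period}s")
```

The firewall half is the same allowlist expressed as rules: on OpenBSD a pf ruleset that blocks everything from the host by default and passes only the allowlisted destinations with `quick` rules, which also turns the capture into a list of blocked attempts rather than successful connections. Two caveats the thread itself raises: a quiet capture proves nothing if the implant is dormant, and as Brian notes a device with its own RF transceiver never touches the wire you are watching.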
Re: OT: hardware war with manufacturers (espionage claims)
On Tue, 2 Jul 2019 10:07:59 +0300
Mihai Popescu wrote:

> Hello,
>
> I keep finding articles about some government bans against some
> hardware manufacturers related to some backdoor for espionage. I know
> this is an old talk. Most Chinese manufacturers are under the search:
> Huawei, ZTE, Lenovo, etc.

It seems painfully obvious what's driving all the bans and vilification
of Chinese hardware and software is that the USA wants exclusive rights
to spy on you and won't tolerate any competition.

Does anybody think maybe the reason Google and Facebook don't pay taxes
anywhere might have something to do with what they do with all that
info they collect? Is the "new" talk about USA banning any meaningful
encryption proof of how seriously they take security and privacy?

> What do you think and do when using OpenBSD on this kind of hardware?

Lemote boxes are kinda neat but they're not the fastest in the world.
It beats the hell out of the alternatives if you can live with the
limitations.

> Do you prefer Dell, HP and Fujitsu?

Your only choice is probably to pick the least objectionable entity to
spy on you. If you buy Intel you know you're getting broken, insecure
crap no matter whose box it comes in. Sure it runs fast, but... in that
case everybody is going to spy on you.

/jl
OT: hardware war with manufacturers (espionage claims)
Hello,

I keep finding articles about some government bans against some
hardware manufacturers related to some backdoor for espionage. I know
this is an old talk. Most Chinese manufacturers are under the search:
Huawei, ZTE, Lenovo, etc.

What do you think and do when using OpenBSD on this kind of hardware?
Do you prefer Dell, HP and Fujitsu?

Is it just marketing hype?

Thank you.