Re: BEWARE of SnakeOil (tm)
Jean-Francois Avon wrote:
>
> SNAKEOIL ALERT:
> Cc: [email protected]
>
> - beware of any product that has not been *extensively* peer-reviewed, with *all* the
> source code made public. Security breaches are *very* easy to overlook and no software
> should *ever* be used unless it was peer-reviewed.
>
I'm a bit surprised that I don't see quite as much concern expressed
about hardware. If security is the goal, isn't HW part of the chain?
Yeah, yeah, I know, there was a blip a while ago about Intel chips,
Microsoft kernels and keyboard snooping but it had a depressingly short
half-life. Seems to me it would be pretty easy to create RFI on a chip
and get products through FCC approval with NSA blessing. Hell, you could
probably put a good amount of FLASH on a chip and give the OS a nice
safe place to store snooped stuff. The security gaps that could be
created in an operating system are as numerous as scoundrels in
Parliament.

> They try to pursue anybody who violates ITAR in a public way. If I were to walk with a
> PGP diskette across the border outside Cana-USA, I would be liable under ITAR even if I
> never wrote a line of software in my life.
>
Literally true but we all know the analogy of borders and speedbumps...

> All the govts have vested interest in disseminating pseudo-strong cryptography. This
> statement is not paranoia, it is recent and regularly recurring history.
>
Doesn't this seem to point to the need for products with a CP seal of
approval? HW/SW/Tools?

Mike

I think that in the secure communications world I would rather be a wolf
amongst sheep in wolfskins than a wolf in sheep's clothing. It would
reduce the chances of my hide being nailed to the barn door. What I'm
trying to say in a less than literate way is that the issue will only be
closed when there are $99 consumer products that implement secure
systems.