Re: RS232 Crypto Dongle (idea for widely accessible crypto technology)

> I had this in mind too. But there's a problem -- if we have to depend
> on commercial manufacturers to build these things, how will we know if
> we can really trust them? ...
> Unless, of course, we can get the technology to build PCMCIA cards
> ourselves out of readily available parts...

There's an implied assumption in the above that "we" and "commercial
manufacturers" are not the same people, and that if "we" could build
the cards "ourselves", then "we" could trust them.  But if any of "us"
builds PCMCIA cards and offers them to "us" for sale, they will have
to satisfy "us" that "we" truly understand its level of security.

Enough pronouns?  The point is that we can't trust ourselves any more
than faceless manufacturers.  It's more likely the manufacturers won't
make some bonehead mistake that renders the system easy to break.  And,
as dramatized in "Sneakers", even the best people can be pressured by
the government if they or their loved ones are vulnerable.

John Draper was proposing to manufacture RS232 random number
generators -- would you buy a used random number from this man?  If
you could see its design, you might.  If not, probably not.

There's a tradition that security software has to be made available
in source form because the customers insist on it.  Let's continue this
trend and make sure it applies to hardware, too.