Re: [cryptography] evidence for threat modelling -- street-sold hardware has been compromised

2013-07-31 Thread ianG

On 31/07/13 03:52 AM, Peter Gutmann wrote:

> Marcus Brinkmann marcus.brinkm...@ruhr-uni-bochum.de writes:
>
>> If you trust anonymous leaks to the Financial Review by members of your
>> favourite spying agency network, then I guess it's evidence.
>
> More importantly, look at the dates:
>
>    The ban was introduced in the mid-2000s after intensive laboratory testing
>    of its equipment allegedly documented 'back-door' hardware and 'firmware'
>    vulnerabilities in Lenovo chips.
>
> In the mid-2000's, Lenovo PCs were still IBM Thinkpads (the sale to Lenovo
> happened in 2005).  ZOMG!  IBM backdoored them, not the Chinese!  And to think
> that they've always been the most patriotic of computer manufacturers (Watson
> turned IBM over to the USG in both WWI and WWII).  It was all a trick!

On IBM's watch, right.  But the Thinkpads were manufactured by Lenovo in
China well before that;  what IBM sold was the franchise & rights.

Did they discover, as did Google, that they had lost control of the
situation, and easing out was the better deal?

> So either the analysis found completely normal design features in IBM parts,
> or it's the usual USG paranoia about the Chinese.  Yawn.  Next story about the
> Yellow Peril due in six to eight weeks.  Lather, rinse, repeat.



It's definitely a Yellow Peril story, as well as whatever else it might 
be.  Some context:


This came out of Australia.  There (from memory) the government has 
embarked on the project to get 93% of all homes connected with fiber. 
This is the biggest infra project ever financed by the government in AU, 
and is a political make-or-break deal.  It's big enough to topple the 
government, and the price is big enough to move the government from 
safest in the world into budget impaired land [0].


The opposition is making a lot of hay over the fiber project.
Especially, as their #2 man is an Internet ISP squillionaire, and he is
tech & business competent.


Here's the crux:  *The government banned Huawei out of the backbone
work*.  Huawei hasn't taken this lying down, and has cozied up to the
opposition.


So the revelations about Lenovo are being clearly created to protect
this situation.  They are not lightly made, these are
politically-instructed leaks.  I'd suggest that the claims made to AFR
as leaks had better be true & reliable, otherwise the leaks are going
to affect the government's credibility in the overall scheme of things.




iang



[0] Especially, note that the economy of AU is driven by mining which is
driven by China.  As China stalls, so does AU, and its super-clean "wot
crisis?" reputation slips into the mud.  Poignant...




> Peter.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography





Re: [cryptography] evidence for threat modelling -- street-sold hardware has been compromised

2013-07-31 Thread grarpamp
> On IBM's watch, right.  But the Thinkpads were manufactured by Lenovo in
> China well before that;  what IBM sold was the franchise & rights.

And so where does Cisco and Juniper gear come from again... ?


Re: [cryptography] evidence for threat modelling -- street-sold hardware has been compromised

2013-07-31 Thread ianG

On 31/07/13 11:46 AM, grarpamp wrote:

>> On IBM's watch, right.  But the Thinkpads were manufactured by Lenovo in
>> China well before that;  what IBM sold was the franchise & rights.
>
> And so where does Cisco and Juniper gear come from again... ?



Indeed.  Methinks the Australian pollies have been seduced by the
industrial-military-cyber complex, yet again.  They have a good track
record.  The real answer at the core of this is that old saw:  follow
the money.




iang


Re: [cryptography] evidence for threat modelling -- street-sold hardware has been compromised

2013-07-31 Thread Lodewijk andré de la porte
2013/7/31 grarpamp grarp...@gmail.com

> And so where does Cisco and Juniper gear come from again... ?


Let's not argue about whether Taiwan is China or The People's Republic of
China is China ;)

They do use Foxconn, but it's not clear what for. I can imagine they use
Foxconn for non-sensitive things. (Like European electronics hahaha).

And they might've moved production in 2000. Or used parts from China.

Regardless of this being rumor mongering, I'm pretty sure the Chinese are
exploiting, backdooring, etc. anything they can.

reg. Australia, of course there's massive amounts of wink-wink going on in
that contract. I hope they give it to a domestic company, like every
government should do. Especially not give it to those contract hungry
Chinese semi-communist central planning extended government
monopolistcorps. Huawei can suck it.


Re: [cryptography] evidence for threat modelling -- street-sold hardware has been compromised

2013-07-31 Thread Sandy Harris
grarpamp grarp...@gmail.com wrote:

> And so where does Cisco and Juniper gear come from again... ?

Cisco has factories in China, in at least Suzhou & Hefei. They
also have R&D centers in at least Shanghai & Hefei:
http://cisco-news.tmcnet.com/news/2011/11/25/5954051.htm


[cryptography] evidence for threat modelling -- street-sold hardware has been compromised

2013-07-30 Thread ianG
It might be important to get this into the record for threat modelling.
The suggestion that normally-purchased hardware has been compromised
by the bogeyman is often pooh-poohed, and paying attention to this is
often thought to be too black-helicopterish to be serious.  E.g., recent
discussions on the possibility of perversion of on-chip RNGs.


This doesn't tell us how big the threat is, but it does raise it to the 
level of 'evidenced'.




http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_HVgcKTHp4bIA4ulCPqC7SL

Computers manufactured by the world’s biggest personal computer maker,
Lenovo, have been banned from the “secret” and “top secret” networks
of the intelligence and defence services of Australia, the US, Britain,
Canada, and New Zealand, because of concerns they are vulnerable to
being hacked.


Multiple intelligence and defence sources in Britain and Australia 
confirmed there is a written ban on computers made by the Chinese 
company being used in “classified” networks.


The ban was introduced in the mid-2000s after intensive laboratory 
testing of its equipment allegedly documented “back-door” hardware and 
“firmware” vulnerabilities in Lenovo chips.


...


Re: [cryptography] evidence for threat modelling -- street-sold hardware has been compromised

2013-07-30 Thread Marcus Brinkmann
On 07/30/2013 01:07 PM, ianG wrote:
> It might be important to get this into the record for threat modelling.
> The suggestion that normally-purchased hardware has been compromised by
> the bogeyman is often pooh-poohed, and paying attention to this is often
> thought to be too black-helicopterish to be serious.  E.g., recent
> discussions on the possibility of perversion of on-chip RNGs.
>
> This doesn't tell us how big the threat is, but it does raise it to the
> level of 'evidenced'.

Not much evidence in the article.  This is the relevant part:

Members of the British and Australian defence and intelligence
communities say that malicious modifications to Lenovo’s circuitry –
beyond more typical vulnerabilities or “zero-days” in its software –
were discovered that could allow people to remotely access devices
without the users’ knowledge. The alleged presence of these hardware
“back doors” remains highly classified.

If you trust anonymous leaks to the Financial Review by members of your
favourite spying agency network, then I guess it's evidence.

Reading the actual classified reports would be more useful.

Thanks,
Marcus



Re: [cryptography] evidence for threat modelling -- street-sold hardware has been compromised

2013-07-30 Thread Jon Callas
On Jul 30, 2013, at 4:07 AM, ianG i...@iang.org wrote:

> It might be important to get this into the record for threat modelling.  The
> suggestion that normally-purchased hardware has been compromised by the
> bogeyman is often pooh-poohed, and paying attention to this is often thought to
> be too black-helicopterish to be serious.  E.g., recent discussions on the
> possibility of perversion of on-chip RNGs.
>
> This doesn't tell us how big the threat is, but it does raise it to the level
> of 'evidenced'.

Evidence of what, though?

The rumor isn't a new one. A bunch of government agencies dropped ThinkPads 
from approved lists when they were sold from IBM to Lenovo, and that was pure 
ooo-scary-Chinese stuff, not with any actual evidence. It's reasonable enough, 
and jibes with their general mistrust of Huawei, etc. It was a pre-emptive move
away from ThinkPads.

That mistrust ranges from the reasonable to the quasi-reasonable to whatever. I 
can understand completely removing ThinkPads from fast track approval to 
needing testing etc. once they were sold to Lenovo in 2005. This sounds like 
nothing but rumor mongering based on that.

Evidence would be something like a Black Hat preso.

Jon




Re: [cryptography] evidence for threat modelling -- street-sold hardware has been compromised

2013-07-30 Thread Peter Gutmann
Marcus Brinkmann marcus.brinkm...@ruhr-uni-bochum.de writes:

> If you trust anonymous leaks to the Financial Review by members of your
> favourite spying agency network, then I guess it's evidence.

More importantly, look at the dates:

  The ban was introduced in the mid-2000s after intensive laboratory testing
  of its equipment allegedly documented 'back-door' hardware and 'firmware'
  vulnerabilities in Lenovo chips.

In the mid-2000's, Lenovo PCs were still IBM Thinkpads (the sale to Lenovo
happened in 2005).  ZOMG!  IBM backdoored them, not the Chinese!  And to think
that they've always been the most patriotic of computer manufacturers (Watson
turned IBM over to the USG in both WWI and WWII).  It was all a trick!

So either the analysis found completely normal design features in IBM parts,
or it's the usual USG paranoia about the Chinese.  Yawn.  Next story about the
Yellow Peril due in six to eight weeks.  Lather, rinse, repeat.

Peter.