Re: [liberationtech] How to defend against attacks on chips?

2013-06-16 Thread Guido Witmond

On 16-06-13 04:12, Waitman Gobble wrote:
> On Sat, 15 Jun 2013 17:19:14 -0500, Anthony Papillion wrote:
>>
>> But how do we handle hardware attacks? For example, what happens when a
>> chip maker, say Intel, collaborates with the government to allow access
>> to users' systems from the chip level? How can we defend against this?



Unless it's tamper-resistant hardware, there is always the electron 
microscope to verify the chip itself. It's a big job but could be an 
ongoing graduation project at a few universities in 
China/Russia/Iran/Iraq. I bet they love to present the evidence of 
tampering in an Intel processor.


Other options: in addition to open source, use open hardware designs in 
an FPGA. It's slow and expensive (compared to a standard processor) but 
good enough for GPG. Use the untrusted processor only for entertainment, 
i.e. decoding movies and playing 3D games.


When printed (on paper) circuits progress or self-printed 3D chips 
come of age, we won't have to worry about potential 
backdoors in Intel processors anymore.


Guido.
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] tools for meta-data protection

2013-06-16 Thread Philipp Winter
On Fri, Jun 14, 2013 at 11:13:43PM -0700, Jonathan Wilkes wrote:
> Is there a list somewhere for software that gives a user more privacy
> regarding their meta-data?
> 
> If not then here's a three-pronged start:
> 
> 1) Peer-reviewed, stable:
> * Tor - https://www.torproject.org/
> 
> 2) Not (yet) peer-reviewed(?):
> * torchat - https://github.com/prof7bit/TorChat
> * torfone - http://torfone.org/
> * Bitmessage - https://bitmessage.org/wiki/Main_Page
> * Open Transactions - https://github.com/FellowTraveler/Open-Transactions

Depending on your understanding of "meta-data", this might or might not be
another interesting project: https://mat.boum.org/

Cheers,
Philipp


Re: [liberationtech] How to defend against attacks on chips?

2013-06-16 Thread Matt Mackall
On Sun, 2013-06-16 at 11:54 +0200, Guido Witmond wrote:
> On 16-06-13 04:12, Waitman Gobble wrote:
> > On Sat, 15 Jun 2013 17:19:14 -0500, Anthony Papillion
> >   wrote:
> >>
> >> But how do we handle hardware attacks? For example, what happens when a
> >> chip maker, say Intel, collaborates with the government to allow access
> >> to users' systems from the chip level? How can we defend against this?
> >>
> 
> Unless it's tamper-resistant hardware, there is always the electron 
> microscope to verify the chip itself. It's a big job but could be an 
> ongoing graduation project at a few universities in 
> China/Russia/Iran/Iraq. I bet they love to present the evidence of 
> tampering in an Intel processor.

Let's say we could fully automate the process of converting an
electron microscope image of the >1B transistors on a recent Intel CPU
to about a billion lines of Verilog "source code". Let's divide that by
a generous factor of 50 to account for a lot of this being highly
repetitive patterns like cache.

Now we simply have to audit 20 million lines of source code. Given that
we're hopelessly bad at auditing the millions of lines of source code we
already have, this seems like a doomed process. That's before we even
start to consider any of the ways that Intel could obfuscate the
process.

Bear in mind that Intel can't even fully verify their own designs,
despite having complete access to the design. This is how we get things
like the Pentium FDIV bug, which is only the most famous of the
thousands of bugs discovered in their CPUs. And yes, a bunch of those
bugs have been remotely-exploitable security holes:

https://encrypted.google.com/search?q=intel+cpu+security+errata


(One could argue that the NSA doesn't need Intel to backdoor their CPUs
because Intel is already doing that by accident on a regular basis.)

-- 
Mathematics is the supreme nostalgia of our time.




Re: [liberationtech] FT: Companies scramble for consumer data (personal data are so cheap... why bother to protect them)

2013-06-16 Thread Mike Perry
Does all this really mean that if we can just create a system for
privately paying parties ~$0.25, their services will actually be *more*
profitable to run than in the current age of dataveillance?

The major problem is of course that micropayment is currently neither
private nor seamless... So in addition to your money, you also *still*
have to pay with your PII *and* your time..


P.S. Amusingly I couldn't actually read the article below because of a
paywall + "give us your PII" signup click-through.


Yosem Companys:
> From: Toon Vanagt 
> 
> I stumbled on this FT article with 'volume pricing' for personal data and a 
> convenient estimation tool: 
> http://www.ft.com/cms/s/0/f0b6edc0-d342-11e2-b3ff-00144feab7de.html#axzz2W5QWgUuR
> 
> Basically, if you're a millionaire, your personal data is worth about $ 0.123 
> (if you're not, you start at: $ 0.007).
> 
> The FT has built an interactive data value estimation tool. For example by 
> adding ADHD to my profile I gained a stunning $ 0.200. Consider it extra 
> money for 'salting data set' :)
> 
> 3 Quick thoughts:
> 
> "The Financial Times will not collect, store or share the data users input 
> into the calculator." Despite this disclaimer I wonder what the FT really 
> does with the harvested data on its web servers or considered the risk of 
> 'leaking logs'? At the end of their 'game', I'm invited to share my private 
> 'data worth' on Twitter, which exposes how much Marketers would pay 
> approximately for your data: and conveniently allows third parties to 
> identify me... When linked with their identifiable FT subscriber profile, 
> there's no need for a tweet to link the results to a person. 
> Check https://twitter.com/search?q=%23FTdataworth&src=typd <- public search 
> result. Great for marketeers. Also has the potential to reverse engineer 
> profiles.. 
> Prices in the article & calculator seem very low and suggest that your 
> 'personal data' are not really valuable to companies in a consumer society. 
> That is if you're not obese, don't subscribe to a gym, don't own a plane... 
> Due to competition the broker prices are said to be trending towards 
> 'worthless'.. Data brokers seem to suggest we should not bother to protect 
> something of so little economic value...
> 
> Let me know if my reading between the lines is wrong.
> 
> Does anybody know about a personal data value calculator that is not based on 
> broker volume pricing, but reveals how much companies pay for qualified leads 
> in different industries (mortgage, insurance, cruise travel, fitness, car 
> test drive, hotel booking,...) The outcome of such an 'intent cast valuator' 
> would be much higher and more of an economic incentive to raise awareness of 
> data value.
> 
> Cheers,
> 
> @Toon



-- 
Mike Perry