OT: hardware war with manufacturers (espionage claims)

classic Classic list List threaded Threaded
20 messages Options
Reply | Threaded
Open this post in threaded view
|

OT: hardware war with manufacturers (espionage claims)

Mihai Popescu-3
Hello,

I keep finding articles about some government bans against some
hardware manufacturers related to some backdoor for espionage. I know
this is an old talk. Most China manufacturers are under the search:
Huawei, ZTE, Lenovo, etc.

What do you think and do when using OpenBSD on this kind of hardware?
Do you prefer Dell, HP and Fujitsu?
Is it just a marketing hype?

Thank you.

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

John Long-4
On Tue, 2 Jul 2019 10:07:59 +0300
Mihai Popescu <[hidden email]> wrote:

> Hello,
>
> I keep finding articles about some government bans against some
> hardware manufacturers related to some backdoor for espionage. I know
> this is an old talk. Most China manufacturers are under the search:
> Huawei, ZTE, Lenovo, etc.

It seems painfully obvious what's driving all the bans and vilification
of Chinese hardware and software is that the USA wants exclusive rights
to spy on you and won't tolerate any competition.

Does anybody think maybe the reason Google and Facebook don't pay taxes
anywhere might have something to do with what they do with all that
info they collect? Is the "new" talk about USA banning any meaningful
encryption proof of how seriously they take security and privacy?

> What do you think and do when using OpenBSD on this kind of hardware?

Lemote boxes are kinda neat but they're not the fastest in the world.
It beats the hell out of the alternatives if you can live with the
limitations.

> Do you prefer Dell, HP and Fujitsu?

Your only choice is probably to pick the least objectionable entity to
spy on you. If you buy Intel you know you're getting broken, insecure
crap no matter whose box it comes in. Sure it runs fast, but... in that
case everybody is going to spy on you.

/jl

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

OpenBSD lists
On 7/2/2019 12:43 AM, John Long wrote:

> On Tue, 2 Jul 2019 10:07:59 +0300
> Mihai Popescu <[hidden email]> wrote:
>
>> Hello,
>>
>> I keep finding articles about some government bans against some
>> hardware manufacturers related to some backdoor for espionage. I know
>> this is an old talk. Most China manufacturers are under the search:
>> Huawei, ZTE, Lenovo, etc.
>
> It seems painfully obvious what's driving all the bans and vilification
> of Chinese hardware and software is that the USA wants exclusive rights
> to spy on you and won't tolerate any competition.
>
> Does anybody think maybe the reason Google and Facebook don't pay taxes
> anywhere might have something to do with what they do with all that
> info they collect? Is the "new" talk about USA banning any meaningful
> encryption proof of how seriously they take security and privacy?
>
>> What do you think and do when using OpenBSD on this kind of hardware?
>
> Lemote boxes are kinda neat but they're not the fastest in the world.
> It beats the hell out of the alternatives if you can live with the
> limitations.
>
>> Do you prefer Dell, HP and Fujitsu?
>
> Your only choice is probably to pick the least objectionable entity to
> spy on you. If you buy Intel you know you're getting broken, insecure
> crap no matter whose box it comes in. Sure it runs fast, but... in that
> case everybody is going to spy on you.
>
> /jl
>

Assume everything is compromised.  Don't trust something because someone
else said it was good.  Really, the only way to test if a machine is
spying on you, do some kind of packet capture to watch its traffic until
you are satisfied.  But also put firewalls in front of your devices to
ensure that if someone is trying to spy on you, their command and
control packets don't make it to the compromised hardware.

Besides, subverting a supply a hardware supply chain is a difficult and
expensive process.  And if there is one thing I've learned in my career
as a security consultant, its that no matter how malevolent or
benevolent a government is, they are still, above all, cheap and lazy.
And in a world where everything is built with the first priority is
making the ship date, there are going to be so many security flaws to be
exploited.  So much cheaper and easier to let Intel rush a design to
market or Red Hat push an OS release without doing thorough testing and
exploit the inevitable remote execution flaws.

Or intelligence agencies can take advantage of the average person's
tendency to laziness and cheapness by just asking organizations like
Google, Facebook, Comcast, Amazon to just hand over the data they
gathered in the name of building an advertising profile.

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Brian Brombacher
Hardware implants go beyond just sending packets out your network card.  They have transceivers that let agents control or snoop the device from a distance using RF.

You need to scan the hardware with RF equipment to be sure.

Good luck!

> On Jul 2, 2019, at 12:27 PM, Misc User <[hidden email]> wrote:
>
>> On 7/2/2019 12:43 AM, John Long wrote:
>> On Tue, 2 Jul 2019 10:07:59 +0300
>> Mihai Popescu <[hidden email]> wrote:
>>> Hello,
>>>
>>> I keep finding articles about some government bans against some
>>> hardware manufacturers related to some backdoor for espionage. I know
>>> this is an old talk. Most China manufacturers are under the search:
>>> Huawei, ZTE, Lenovo, etc.
>> It seems painfully obvious what's driving all the bans and vilification
>> of Chinese hardware and software is that the USA wants exclusive rights
>> to spy on you and won't tolerate any competition.
>> Does anybody think maybe the reason Google and Facebook don't pay taxes
>> anywhere might have something to do with what they do with all that
>> info they collect? Is the "new" talk about USA banning any meaningful
>> encryption proof of how seriously they take security and privacy?
>>> What do you think and do when using OpenBSD on this kind of hardware?
>> Lemote boxes are kinda neat but they're not the fastest in the world.
>> It beats the hell out of the alternatives if you can live with the
>> limitations.
>>> Do you prefer Dell, HP and Fujitsu?
>> Your only choice is probably to pick the least objectionable entity to
>> spy on you. If you buy Intel you know you're getting broken, insecure
>> crap no matter whose box it comes in. Sure it runs fast, but... in that
>> case everybody is going to spy on you.
>> /jl
>
> Assume everything is compromised.  Don't trust something because someone
> else said it was good.  Really, the only way to test if a machine is
> spying on you, do some kind of packet capture to watch its traffic until
> you are satisfied.  But also put firewalls in front of your devices to
> ensure that if someone is trying to spy on you, their command and
> control packets don't make it to the compromised hardware.
>
> Besides, subverting a supply a hardware supply chain is a difficult and
> expensive process.  And if there is one thing I've learned in my career
> as a security consultant, its that no matter how malevolent or
> benevolent a government is, they are still, above all, cheap and lazy.
> And in a world where everything is built with the first priority is
> making the ship date, there are going to be so many security flaws to be
> exploited.  So much cheaper and easier to let Intel rush a design to
> market or Red Hat push an OS release without doing thorough testing and
> exploit the inevitable remote execution flaws.
>
> Or intelligence agencies can take advantage of the average person's tendency to laziness and cheapness by just asking organizations like Google, Facebook, Comcast, Amazon to just hand over the data they gathered in the name of building an advertising profile.
>

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Brian Brombacher
Oh and if the implant is smart, it’ll detect you’re trying to find it and go dormant.

Even more good luck!

> On Jul 2, 2019, at 1:24 PM, Brian Brombacher <[hidden email]> wrote:
>
> Hardware implants go beyond just sending packets out your network card.  They have transceivers that let agents control or snoop the device from a distance using RF.
>
> You need to scan the hardware with RF equipment to be sure.
>
> Good luck!
>
>>> On Jul 2, 2019, at 12:27 PM, Misc User <[hidden email]> wrote:
>>>
>>> On 7/2/2019 12:43 AM, John Long wrote:
>>> On Tue, 2 Jul 2019 10:07:59 +0300
>>> Mihai Popescu <[hidden email]> wrote:
>>>> Hello,
>>>>
>>>> I keep finding articles about some government bans against some
>>>> hardware manufacturers related to some backdoor for espionage. I know
>>>> this is an old talk. Most China manufacturers are under the search:
>>>> Huawei, ZTE, Lenovo, etc.
>>> It seems painfully obvious what's driving all the bans and vilification
>>> of Chinese hardware and software is that the USA wants exclusive rights
>>> to spy on you and won't tolerate any competition.
>>> Does anybody think maybe the reason Google and Facebook don't pay taxes
>>> anywhere might have something to do with what they do with all that
>>> info they collect? Is the "new" talk about USA banning any meaningful
>>> encryption proof of how seriously they take security and privacy?
>>>> What do you think and do when using OpenBSD on this kind of hardware?
>>> Lemote boxes are kinda neat but they're not the fastest in the world.
>>> It beats the hell out of the alternatives if you can live with the
>>> limitations.
>>>> Do you prefer Dell, HP and Fujitsu?
>>> Your only choice is probably to pick the least objectionable entity to
>>> spy on you. If you buy Intel you know you're getting broken, insecure
>>> crap no matter whose box it comes in. Sure it runs fast, but... in that
>>> case everybody is going to spy on you.
>>> /jl
>>
>> Assume everything is compromised.  Don't trust something because someone
>> else said it was good.  Really, the only way to test if a machine is
>> spying on you, do some kind of packet capture to watch its traffic until
>> you are satisfied.  But also put firewalls in front of your devices to
>> ensure that if someone is trying to spy on you, their command and
>> control packets don't make it to the compromised hardware.
>>
>> Besides, subverting a supply a hardware supply chain is a difficult and
>> expensive process.  And if there is one thing I've learned in my career
>> as a security consultant, its that no matter how malevolent or
>> benevolent a government is, they are still, above all, cheap and lazy.
>> And in a world where everything is built with the first priority is
>> making the ship date, there are going to be so many security flaws to be
>> exploited.  So much cheaper and easier to let Intel rush a design to
>> market or Red Hat push an OS release without doing thorough testing and
>> exploit the inevitable remote execution flaws.
>>
>> Or intelligence agencies can take advantage of the average person's tendency to laziness and cheapness by just asking organizations like Google, Facebook, Comcast, Amazon to just hand over the data they gathered in the name of building an advertising profile.
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Nathan Hartman
On Tue, Jul 2, 2019 at 1:28 PM Brian Brombacher <[hidden email]>
wrote:

> Oh and if the implant is smart, it’ll detect you’re trying to find it and
> go dormant.
>
> Even more good luck!


Well then the solution is obvious.

Design your own hardware.

Or learn to live off the land.
Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Brian Brombacher
I’m fine with hardware implants snooping on me.  But if I was a CISO for a huge company, I might go the extra mile to care about said implants.

I’ll continue living carefree.


> On Jul 2, 2019, at 1:42 PM, Nathan Hartman <[hidden email]> wrote:
>
> On Tue, Jul 2, 2019 at 1:28 PM Brian Brombacher <[hidden email]>
> wrote:
>
>> Oh and if the implant is smart, it’ll detect you’re trying to find it and
>> go dormant.
>>
>> Even more good luck!
>
>
> Well then the solution is obvious.
>
> Design your own hardware.
>
> Or learn to live off the land.

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Raul Miller
In reply to this post by Brian Brombacher
Any sufficiently advanced technology is indistinguishable from noise,

https://en.wikipedia.org/wiki/Shannon%E2%80%93Hartley_theorem

Thanks,

--
Raul

On Tue, Jul 2, 2019 at 1:30 PM Brian Brombacher <[hidden email]> wrote:

>
> Oh and if the implant is smart, it’ll detect you’re trying to find it and go dormant.
>
> Even more good luck!
>
> > On Jul 2, 2019, at 1:24 PM, Brian Brombacher <[hidden email]> wrote:
> >
> > Hardware implants go beyond just sending packets out your network card.  They have transceivers that let agents control or snoop the device from a distance using RF.
> >
> > You need to scan the hardware with RF equipment to be sure.
> >
> > Good luck!
> >
> >>> On Jul 2, 2019, at 12:27 PM, Misc User <[hidden email]> wrote:
> >>>
> >>> On 7/2/2019 12:43 AM, John Long wrote:
> >>> On Tue, 2 Jul 2019 10:07:59 +0300
> >>> Mihai Popescu <[hidden email]> wrote:
> >>>> Hello,
> >>>>
> >>>> I keep finding articles about some government bans against some
> >>>> hardware manufacturers related to some backdoor for espionage. I know
> >>>> this is an old talk. Most China manufacturers are under the search:
> >>>> Huawei, ZTE, Lenovo, etc.
> >>> It seems painfully obvious what's driving all the bans and vilification
> >>> of Chinese hardware and software is that the USA wants exclusive rights
> >>> to spy on you and won't tolerate any competition.
> >>> Does anybody think maybe the reason Google and Facebook don't pay taxes
> >>> anywhere might have something to do with what they do with all that
> >>> info they collect? Is the "new" talk about USA banning any meaningful
> >>> encryption proof of how seriously they take security and privacy?
> >>>> What do you think and do when using OpenBSD on this kind of hardware?
> >>> Lemote boxes are kinda neat but they're not the fastest in the world.
> >>> It beats the hell out of the alternatives if you can live with the
> >>> limitations.
> >>>> Do you prefer Dell, HP and Fujitsu?
> >>> Your only choice is probably to pick the least objectionable entity to
> >>> spy on you. If you buy Intel you know you're getting broken, insecure
> >>> crap no matter whose box it comes in. Sure it runs fast, but... in that
> >>> case everybody is going to spy on you.
> >>> /jl
> >>
> >> Assume everything is compromised.  Don't trust something because someone
> >> else said it was good.  Really, the only way to test if a machine is
> >> spying on you, do some kind of packet capture to watch its traffic until
> >> you are satisfied.  But also put firewalls in front of your devices to
> >> ensure that if someone is trying to spy on you, their command and
> >> control packets don't make it to the compromised hardware.
> >>
> >> Besides, subverting a supply a hardware supply chain is a difficult and
> >> expensive process.  And if there is one thing I've learned in my career
> >> as a security consultant, its that no matter how malevolent or
> >> benevolent a government is, they are still, above all, cheap and lazy.
> >> And in a world where everything is built with the first priority is
> >> making the ship date, there are going to be so many security flaws to be
> >> exploited.  So much cheaper and easier to let Intel rush a design to
> >> market or Red Hat push an OS release without doing thorough testing and
> >> exploit the inevitable remote execution flaws.
> >>
> >> Or intelligence agencies can take advantage of the average person's tendency to laziness and cheapness by just asking organizations like Google, Facebook, Comcast, Amazon to just hand over the data they gathered in the name of building an advertising profile.
> >>
> >
>

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Mihai Popescu-3
In reply to this post by Mihai Popescu-3
...

I asked for an answer more like "avoid using nVidia chipsets", not for theories.
So, again, do you consider brands when choosing hardware, like Dell
vs. Lenovo, etc. ?

Thank you.

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Zack Lofgren
Mihai,

It depends on your threat model. You can’t absolutely trust any hardware because of low level firmware. However, that doesn’t matter if your threat model is low enough then that doesn’t matter. Are you an enemy of the state? If so, you probably shouldn’t trust any technology. If you’re just an average person, then using free software is probably enough with good practices like encryption is enough.

Right now, I use an old Thinkpad with OpenBSD and full disk encryption because it fits what I want. I have proprietary firmware for wireless because I care more about it working than distrusting it for now. If I had a higher threat level, I’d use an even older Thinkpad with coreboot/libreboot (not sure if OpenBSD is compatible) and a different wireless NIC.

Zack Lofgren

> On Jul 3, 2019, at 09:48, Mihai Popescu <[hidden email]> wrote:
>
> ...
>
> I asked for an answer more like "avoid using nVidia chipsets", not for theories.
> So, again, do you consider brands when choosing hardware, like Dell
> vs. Lenovo, etc. ?
>
> Thank you.
>

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Brian Brombacher
Mihai,

Do you want to protest companies by not buying their equipment?  That is the only feasible outcome from this conversation.

The other outcome would be you want advice on what models will work on OpenBSD.

-Brian

> On Jul 3, 2019, at 12:11 PM, Zack Lofgren <[hidden email]> wrote:
>
> Mihai,
>
> It depends on your threat model. You can’t absolutely trust any hardware because of low level firmware. However, that doesn’t matter if your threat model is low enough then that doesn’t matter. Are you an enemy of the state? If so, you probably shouldn’t trust any technology. If you’re just an average person, then using free software is probably enough with good practices like encryption is enough.
>
> Right now, I use an old Thinkpad with OpenBSD and full disk encryption because it fits what I want. I have proprietary firmware for wireless because I care more about it working than distrusting it for now. If I had a higher threat level, I’d use an even older Thinkpad with coreboot/libreboot (not sure if OpenBSD is compatible) and a different wireless NIC.
>
> Zack Lofgren
>
>> On Jul 3, 2019, at 09:48, Mihai Popescu <[hidden email]> wrote:
>>
>> ...
>>
>> I asked for an answer more like "avoid using nVidia chipsets", not for theories.
>> So, again, do you consider brands when choosing hardware, like Dell
>> vs. Lenovo, etc. ?
>>
>> Thank you.
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

ropers
In reply to this post by Raul Miller
::I put on my robe and tinfoil hat.::

What keeps me awake at night is the thought of code running on things
we traditionally don't even think of as having CPUs, like on SSDs, on
the integrated device electronics of SATA disks for example.
Or on the CPU inside your CPU, like the Minix computer inside just
about any recent Intel chip.

Also, do we think it's possible that, if a NIC is physically connected
to a wire or fibre, it could be signalling someone across that same
physical medium but totally out-of-band as far as canonical protocols
and frequencies are concerned? Granted, the expected behaviour of
routers is that they forward only what they forward, under the rules
of the game. But what if the exploit just had enough market
penetration so that some other NIC talking, say, "SnoopyNet" besides
TCP/IP could  be expected to be within physically-wired-up reach of
your SnoopyNet-talking NIC? With enough of a percentage of NICs pwned
by SnoopyNet, they could be talking a dog-whistling language we can't
hear and could be forwarding select data all the way to Fort Meade.
This might be even easier to do with wireless. Think of this as
software- (or firmware-)defined radio on steroids. To pick up on
Raul's point, even with a spectrum analyser hooked up to our
Suspiciously American(TM) NIC, SnoopyNet might be indistinguishable
from noise. SnoopyNet may not even be low-bandwidth. Remember when
people had acoustic and then line modems, and people thought a rate of
kilobits per second was about the limit, but then someone invented
DSL?

Heck, it's possible to build audio bugs no bigger than a grain of rice
and audio+video bugs no bigger than a pea, and even that may not be
the limit, though there will be limits due to optics and wavelength.
Also, any bug that doesn't just store recordings would have to have a
biggish antenna. Unless it's maybe close enough to a firmware-defined
radio running on a SnoopyNet-exploited NIC? Plus, absent the use of
detectable radioisotopes, battery size and endurance will be an issue
-- unless someone has written the mother of all RFID-like protocols
and is using a SnoopyNet-exploited NIC slash RFID-like reader to
actually power the nearby bug too?
OTOH, why even bother with any of that when y'all have smaaatphones,
amirite guise?

Honestly, I don't even know what crypto I can truly trust anymore.
That's mostly not even because of "bUt TeH nSa HaVe tEh qUaNtOoN
cOmPuTaR" rumours^W conspiracy theories; no, it's mainly simply
because of my own ignorance.
Serious question: If Alice and Bob already have a shared password,
what would you do to let them exchange messages without Eve finding
out the content, assuming the shared secret is not long enough to be a
one-time pad?

/doffs tinfoil hat

Ian

On 03/07/2019, Raul Miller <[hidden email]> wrote:

> Any sufficiently advanced technology is indistinguishable from noise,
>
> https://en.wikipedia.org/wiki/Shannon%E2%80%93Hartley_theorem
>
> Thanks,
>
> --
> Raul
>
> On Tue, Jul 2, 2019 at 1:30 PM Brian Brombacher <[hidden email]>
> wrote:
>>
>> Oh and if the implant is smart, it’ll detect you’re trying to find it and
>> go dormant.
>>
>> Even more good luck!
>>
>> > On Jul 2, 2019, at 1:24 PM, Brian Brombacher <[hidden email]>
>> > wrote:
>> >
>> > Hardware implants go beyond just sending packets out your network card.
>> > They have transceivers that let agents control or snoop the device from
>> > a distance using RF.
>> >
>> > You need to scan the hardware with RF equipment to be sure.
>> >
>> > Good luck!
>> >
>> >>> On Jul 2, 2019, at 12:27 PM, Misc User <[hidden email]>
>> >>> wrote:
>> >>>
>> >>> On 7/2/2019 12:43 AM, John Long wrote:
>> >>> On Tue, 2 Jul 2019 10:07:59 +0300
>> >>> Mihai Popescu <[hidden email]> wrote:
>> >>>> Hello,
>> >>>>
>> >>>> I keep finding articles about some government bans against some
>> >>>> hardware manufacturers related to some backdoor for espionage. I
>> >>>> know
>> >>>> this is an old talk. Most China manufacturers are under the search:
>> >>>> Huawei, ZTE, Lenovo, etc.
>> >>> It seems painfully obvious what's driving all the bans and
>> >>> vilification
>> >>> of Chinese hardware and software is that the USA wants exclusive
>> >>> rights
>> >>> to spy on you and won't tolerate any competition.
>> >>> Does anybody think maybe the reason Google and Facebook don't pay
>> >>> taxes
>> >>> anywhere might have something to do with what they do with all that
>> >>> info they collect? Is the "new" talk about USA banning any meaningful
>> >>> encryption proof of how seriously they take security and privacy?
>> >>>> What do you think and do when using OpenBSD on this kind of
>> >>>> hardware?
>> >>> Lemote boxes are kinda neat but they're not the fastest in the world.
>> >>> It beats the hell out of the alternatives if you can live with the
>> >>> limitations.
>> >>>> Do you prefer Dell, HP and Fujitsu?
>> >>> Your only choice is probably to pick the least objectionable entity
>> >>> to
>> >>> spy on you. If you buy Intel you know you're getting broken, insecure
>> >>> crap no matter whose box it comes in. Sure it runs fast, but... in
>> >>> that
>> >>> case everybody is going to spy on you.
>> >>> /jl
>> >>
>> >> Assume everything is compromised.  Don't trust something because
>> >> someone
>> >> else said it was good.  Really, the only way to test if a machine is
>> >> spying on you, do some kind of packet capture to watch its traffic
>> >> until
>> >> you are satisfied.  But also put firewalls in front of your devices to
>> >> ensure that if someone is trying to spy on you, their command and
>> >> control packets don't make it to the compromised hardware.
>> >>
>> >> Besides, subverting a supply a hardware supply chain is a difficult
>> >> and
>> >> expensive process.  And if there is one thing I've learned in my
>> >> career
>> >> as a security consultant, its that no matter how malevolent or
>> >> benevolent a government is, they are still, above all, cheap and lazy.
>> >> And in a world where everything is built with the first priority is
>> >> making the ship date, there are going to be so many security flaws to
>> >> be
>> >> exploited.  So much cheaper and easier to let Intel rush a design to
>> >> market or Red Hat push an OS release without doing thorough testing
>> >> and
>> >> exploit the inevitable remote execution flaws.
>> >>
>> >> Or intelligence agencies can take advantage of the average person's
>> >> tendency to laziness and cheapness by just asking organizations like
>> >> Google, Facebook, Comcast, Amazon to just hand over the data they
>> >> gathered in the name of building an advertising profile.
>> >>
>> >
>>
>
>

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

chohag
ropers writes:
> ::I put on my robe and tinfoil hat.::

> ... Wow. The things you guys come up with ...

I mean yeah, I guess, in theory maybe?

Of course in order to achieve this level of evil you need highly competent governments and corporations but that's no problem right?

Matthew

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

ropers
On 04/07/2019, [hidden email] <[hidden email]> wrote:

> ropers writes:
>> ::I put on my robe and tinfoil hat.::
>
>> ... Wow. The things you guys come up with ...
>
> I mean yeah, I guess, in theory maybe?
>
> Of course in order to achieve this level of evil you need highly competent
> governments and corporations but that's no problem right?
>
> Matthew

Remember, you can have the effects of conspiracy without there being a
conspiracy, so long as the preconditions exist and things and people
lean a certain way. (after A. Goldman)

Honestly, with some of the stuff I just mentioned, and with "smart"
features soon to be included in just about any type of product by
default, I expect that sooner or later, **transistor pollution** will
become a real problem.

I could go on if people wanted to hear it, though this is OT.

Toodles.
Ian

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Stuart Longland
In reply to this post by John Long-4
On 2/7/19 5:43 pm, John Long wrote:
>> What do you think and do when using OpenBSD on this kind of hardware?
> Lemote boxes are kinda neat but they're not the fastest in the world.
> It beats the hell out of the alternatives if you can live with the
> limitations.

Gentoo was donated two Lemote Fulong 2Es back when I used to maintain
their MIPS port.  Compared to the other machines we supported at the
time (aging SGI boxes and Cobalt Qube), they were a breath of fresh air.

Fast enough to actually do useful things on, even play Quake II (with 3D
acceleration … for about 10 seconds until X crapped itself).

The Loongson netbook was a backward step in terms of graphics hardware
though, and a lot of software has problems with MIPS regardless of ABI
(I've tried o32, n32 and n64).

Shame, because it is a nice enough platform.

As for espionage… unless you're going to sit there with sand you've
mined yourself, refine it, and make your own semiconductors, there's
always going to be an element of risk in terms of espionage from your
supply chain.

Basically your best bet: don't rely on a single vendor.  It's harder for
them to hide their espionage then as one vendor won't know how to hide
another vendor's dirty deeds.
--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Theo de Raadt-2
Stuart Longland <[hidden email]> wrote:

> On 2/7/19 5:43 pm, John Long wrote:
> >> What do you think and do when using OpenBSD on this kind of hardware?
> > Lemote boxes are kinda neat but they're not the fastest in the world.
> > It beats the hell out of the alternatives if you can live with the
> > limitations.
>
> Gentoo was donated two Lemote Fulong 2Es back when I used to maintain
> their MIPS port.  Compared to the other machines we supported at the
> time (aging SGI boxes and Cobalt Qube), they were a breath of fresh air.
>
> Fast enough to actually do useful things on, even play Quake II (with 3D
> acceleration … for about 10 seconds until X crapped itself).
>
> The Loongson netbook was a backward step in terms of graphics hardware
> though, and a lot of software has problems with MIPS regardless of ABI
> (I've tried o32, n32 and n64).
>
> Shame, because it is a nice enough platform.
>
> As for espionage… unless you're going to sit there with sand you've
> mined yourself, refine it, and make your own semiconductors, there's
> always going to be an element of risk in terms of espionage from your
> supply chain.
 
And meanwhile, Intel added undocumented strong speculation to their
cpus, which are now easily CVE-identifiable as verifiable giant security
problems to a majority platform.  And the more we dig, more we realize
they did this as market force, ignoring the risks they identified at
conferences a decade earlier.

> Basically your best bet: don't rely on a single vendor.  It's harder for
> them to hide their espionage then as one vendor won't know how to hide
> another vendor's dirty deeds.

Precisely.  Most of the risks are in the bugs, and if you hit a problem
you'll be Dennis Muilenburg saying you didn't know (that phrase works
one way today, but if in the next few days he leaves his position, it
will work a different way).  The unknown risk factors are first unknown
and potentially accidental, and secondly unknown and now we are supposed
to guess it wasn't accidental.  Vendors are wired to increase
performance and noone judges security aspects, that the process where
the "accident" arises.  Maybe we should suddenly accuse absolutely
everyone of malpractice!  As if that will change anything...

So this is misc, which is full of lots of talk about nothing, by people
who can't change the ecosystem.  Having worried vocally about this
before, I know I can't change it.  Pretty sad to see people who are even
less capable find the energy to moan about it.  Especially americans.
Know what I mean?

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Patrick Dohman-4

> On Jul 5, 2019, at 10:49 PM, Theo de Raadt <[hidden email]> wrote:
>
> So this is misc, which is full of lots of talk about nothing, by people
> who can't change the ecosystem.  Having worried vocally about this
> before, I know I can't change it.  Pretty sad to see people who are even
> less capable find the energy to moan about it.  Especially americans.
> Know what I mean?

I currently suspect the well known Chinese conglomerates are not participating of industrial espionage.
At this point the trade war is an effort to continue with existing relationships that have existed for decades.
It’s well understood that the Agro business is a growing consideration for the likes of China & Vietnam & that manufacturing in those countries is a tug of war with demand.
As the predominance of fast food & connivence continues to explode it’s possible that American trade dominance may actually increase.
Regards
Patrick

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

ropers
In reply to this post by Theo de Raadt-2
On 06/07/2019, Theo de Raadt <[hidden email]> wrote:
> Precisely.  Most of the risks are in the bugs, and if you hit a problem
> you'll be Dennis Muilenburg saying you didn't know (that phrase works
> one way today, but if in the next few days he leaves his position, it
> will work a different way).  The unknown risk factors are first unknown
> and potentially accidental, and secondly unknown and now we are supposed
> to guess it wasn't accidental.  Vendors are wired to increase
> performance and noone judges security aspects, that the process where
> the "accident" arises.  Maybe we should suddenly accuse absolutely
> everyone of malpractice!  As if that will change anything...

Hence, not only can you get the effect of conspiracy without there
being one, but it doesn't matter whether there is a conspiracy or not
when it won't change anything; and at any rate, most smart culprits
have figured out to maintain plausible deniability. Unless one is a
member of a jury tasked with deciding e.g. Dennis's guilt or
innocence, it doesn't matter one way or another.

> So this is misc, which is full of lots of talk about nothing, by people
> who can't change the ecosystem.  Having worried vocally about this
> before, I know I can't change it.  Pretty sad to see people who are even
> less capable find the energy to moan about it.

Few emotions are as powerful as impotent rage.
Impotent rage, rage, rage against the dying of the light.

Ian

PS: Don't die on us, Theo.

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Tomasz Rola
In reply to this post by Theo de Raadt-2
On Fri, Jul 05, 2019 at 09:49:02PM -0600, Theo de Raadt wrote:
> Stuart Longland <[hidden email]> wrote:
[...]

>
> > Basically your best bet: don't rely on a single vendor.  It's harder for
> > them to hide their espionage then as one vendor won't know how to hide
> > another vendor's dirty deeds.
>
> Precisely.  Most of the risks are in the bugs, and if you hit a problem
> you'll be Dennis Muilenburg saying you didn't know (that phrase works
> one way today, but if in the next few days he leaves his position, it
> will work a different way).  The unknown risk factors are first unknown
> and potentially accidental, and secondly unknown and now we are supposed
> to guess it wasn't accidental.  Vendors are wired to increase
> performance and noone judges security aspects, that the process where
> the "accident" arises.  Maybe we should suddenly accuse absolutely
> everyone of malpractice!  As if that will change anything...

While the problems of spying on individuals are important and have an
ugly side [1], I think nowadays [2][3] that long term, the real problem
will be autonomous hardware. Just like two recent catastrophes
involving Boeing. On the one side, it may be seen as unfortunate
sequence of human errors, fueled by greed (fueled by procreation
drive). On the other side, the very same decisions led to making a
machine, two of which killed more than six hundred people, before
someone turned the switch. As for now, there was a way to stop it.

I wait in terror for "our devices never stop".

[1] I am not sure, do they have a nice side? perhaps if certain
kind of crimes could be fought with it?

[2] This can change in the future - GIGO, FIFO, you all know it

[3] Oh, I did not come to it all by myself. If some of you have a
chance, try reading Stanislaw Lem. Some of his works have even been
translated to English (but I cannot say how well, opinions say very
well, but then again US editors like changing what they print from
original versions (anecdotic evidence, surprisingly too many to
ignore)). Do not be misled by his joking tone. The man survived in the
heart of WW2 and witnessed both post-war and Cold War. People mostly
take things at the face value. He told them jokes about humanity and
readers had a good time. Some, not so good.[4]

[4] For shortified super-short version, try Henry Kuttner's "Twonky".

> So this is misc, which is full of lots of talk about nothing, by people
> who can't change the ecosystem.  Having worried vocally about this
> before, I know I can't change it.  Pretty sad to see people who are even
> less capable find the energy to moan about it.  Especially americans.
> Know what I mean?

Humans, when faced with inevitable, do:
1. forget it is inevitable
2. phantasise about something nice, to kill time while waiting for it

Do not expect too much from a jello between the ears. For our
limitations, we came surprisingly far and long, albeit some are saying
there will be cost and paying the bills and dies irae et calamitatis.

Who knows. Nothing in nature is free, eh? I guess there is a lot of
shifting stuff around, so those who pay the bills are not those who
got the credit.

Sorry for being so much offtopic. On the other hand, we are living in
a future, so maybe this is more on topic than one would expect. People
here are involved in creating significant portion of our lifes. Not
that I see any way to make use of it, I am too apathetic for this.

--
Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:[hidden email]             **

Reply | Threaded
Open this post in threaded view
|

Re: OT: hardware war with manufacturers (espionage claims)

Tomasz Rola
On Sat, Jul 06, 2019 at 07:56:10PM +0200, Tomasz Rola wrote:
[...]
> machine, two of which killed more than six hundred people, before
> someone turned the switch. As for now, there was a way to stop it.

I have rechecked and the number of fatalities was 189 and 157,
totaling 346 people. Please excuse my error.

--
Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:[hidden email]             **