Hardware generators was: your mail
In message Sat, 18 Jun 94 19:30:35 EDT, Adam Shostack <adam@bwh.harvard.edu> writes:
Making it PC only shuts out the Mac/UNIX market for your devices. There are probably lots of folks in the research/scientific community who use UNIX & would buy a random number dongle that hangs off the serial port. For $25, I'd probably get our lab to buy 3 or 4.
If you put it on a PC card, you're cutting out all other computers from using it.
Adam's points are correct, and I thought of them before I posted the initial message. My thinking was that about 90% of all computers sold are Intel PCs, and to get my manufacturing costs down, I need volume and simplicity. So by addressing the 90% solution first, I have a larger market without the complexity of multiple platforms. Once I've sold thousands of Hardware random number generators, then I can afford the design effort for other platforms, if they still exist then :-) Pat Pat Farrell Grad Student pfarrell@cs.gmu.edu Department of Computer Science George Mason University, Fairfax, VA Public key availble via finger #include <standard.disclaimer>
You wrote: | My thinking was that about 90% of all computers sold are Intel PCs, and | to get my manufacturing costs down, I need volume and simplicity. | So by addressing the 90% solution first, I have a larger market without | the complexity of multiple platforms. | | Once I've sold thousands of Hardware random number generators, then I can | afford the design effort for other platforms, if they still exist then :-) Understood, but its not a matter of addressing 90% or the other 10%, its a matter of "Is the security gain in building a card that only hands out each number once worth cutting out 10% of the market?" I think that if you are worried about rouge code on your machine, you aren't going to run on a computer that can't protect its memory from random browsing. (I can still access all of a PC's memory from normal code, can't I?) Thus, building a PC card doesn't really afford you a gain in security if I can use my hostile code to read PGP's memory locations. If you agree with that, then there is no good reason not to build a serial port dongle, and include me in your potential customers. :) Adam -- Adam Shostack adam@bwh.harvard.edu Politics. From the greek "poly," meaning many, and ticks, a small, annoying bloodsucker.
-----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, adam@bwh.harvard.edu writes:
Understood, but its not a matter of addressing 90% or the other 10%, its a matter of "Is the security gain in building a card that only hands out each number once worth cutting out 10% of the market?" I think that if you are worried about rouge code on your machine, you aren't going to run on a computer that can't protect its memory from random browsing. (I can still access all of a PC's memory from normal code, can't I?) Thus, building a PC card doesn't really afford you a gain in security if I can use my hostile code to read PGP's memory locations. If you agree with that, then there is no good reason not to build a serial port dongle, and include me in your potential customers. :)
The card design isn't so much security as avoiding scarce real estate on a PC (which, at somewhere over 130 million units fielded, is a not inconsiderable market segment). If this were a dongle device, I'd want it on a parallel port. Many machines don't have a spare serial port, and transparent dongles would be harder to do there, anyway. But transparent parallel port dongle technology is already established. - -- Roy M. Silvernail | #include <stdio.h> | PGP 2.3 public roy@sendai.cybrspc.mn.org | main(){ | key available | int x=486; | upon request | printf("Just my '%d.\n",x);} | (send yours) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBLgRkdhvikii9febJAQFLeAQAitqR4viAo/o/zxVzV/ixxvDZiTtO8R3u FrxtuNWHAnxoNivuGOJ0zkyYEGOeMFuw2s8ZFKhpGdJwLn2zFl/m9C6H7WKbjaJv gtMAjEr1QFvmhm5KUSB9aARIWHn2kvwyqCZae829y29jH9jiNxRgIxnaezbPd5gA xNVImYKQZOo= =Hz6T -----END PGP SIGNATURE-----
The card design isn't so much security as avoiding scarce real estate on a PC (which, at somewhere over 130 million units fielded, is a not inconsiderable market segment). If this were a dongle device, I'd want it on a parallel port. Many machines don't have a spare serial port, and transparent dongles would be harder to do there, anyway. But transparent parallel port dongle technology is already established.
I agree. I have constructed a parallel port RNG that sampled a blank AM radio band for its source. The data lines give plenty of power to the device, and there are dedicated feedback lines (busy, paper_out, &c). However, I had a very informative discussion with Eric Hughes at CF '94 where I learned that this was the wrong way to go to get good random numbers. Maybe he would like to comment since I don't believe I can do justice to his argument.
-----BEGIN PGP SIGNED MESSAGE----- From the keyboard of: roy@sendai.cybrspc.mn.org (Roy M. Silvernail)
If this were a dongle device, I'd want it on a parallel port. Many machines don't have a spare serial port ...
How about a SCSI device instead. Most UNIX boxes and Macs nowadays have a few unused SCSI IDs. The great majority of DOS machines with SCSI (all those new ones with CD-ROMs, etc.) have unused SCSI IDs. SCSI has the advantage of being rather fast, and is a cross-platform solution. Richard -----BEGIN PGP SIGNATURE----- Version: 2.3a-sterno-bait iQCVAgUBLgSNmPobez3wRbTBAQFWzAP/aLr0VY6hyenhzek6SI8h/+WoB4WPh7qw HRhnCGQEjzFPVPgvD6ZR6va6pnjjCzchH16I6vM3vEDZ9rbU5blLMCT9a+PzemL4 iBRjuyFhWZP30YekazX96utgLfZqg/nK2Q+WyY9IKvDgR3kvTlM+sTRJ4jggpDKC +gSvwqOam3Y= =oE3j -----END PGP SIGNATURE----- -- Loudyellnet: Richard Johnson | Sneakernet: ECNT1-6, CB 429, CU Boulder Phonenet: +1.303.492.0590 | Internet: Richard.Johnson@Colorado.EDU RIPEM and PGP public keys available by server, finger or request Speaker to avalanche dragons. Do you really think they listen?
-----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, quoth Richard.Johnson@Colorado.EDU (Richard Johnson):
From the keyboard of: roy@sendai.cybrspc.mn.org (Roy M. Silvernail)
If this were a dongle device, I'd want it on a parallel port. Many machines don't have a spare serial port ...
How about a SCSI device instead. Most UNIX boxes and Macs nowadays have a few unused SCSI IDs. The great majority of DOS machines with SCSI (all those new ones with CD-ROMs, etc.) have unused SCSI IDs. SCSI has the advantage of being rather fast, and is a cross-platform solution.
Now I have machine envy... (so SCSI here yet) But maybe a generalized product line? SCSI and IDE, as well as parallel dongle. Whatever kind of port you happen to have laying about. And not using up slots is really a Good Thing. My 486 is full right now, and I use all of it, so pulling a card isn't an option. - -- Roy M. Silvernail [] roy@sendai.cybrspc.mn.org It's just this little chromium switch....... -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBLgTXIxvikii9febJAQHvgAQApJpVi3SqZg9QVefA4iS31tpi0mc+rj+7 7ZJCyqQBbFe0g0C5GH1nWumHfIc5UzLpti9RWsxMVNqHQ87MTcq3eQ1tvLh6cAQO ReEj2RqappfxgRa9seQkDNrOsrb1IuxMTtDRJBBSCvuxF+vhUiECrZV087aSUdTu GpH+AZtFrhg= =LWo7 -----END PGP SIGNATURE-----
participants (5)
-
Adam Shostack -
Pat Farrell -
Richard Johnson -
roy@sendai.cybrspc.mn.org -
SINCLAIR DOUGLAS N