Could you email me your past posts on FIPS 140 and the NSA rule? I would like to include them in a future post on /r/badBIOS on reddit.com. Thanks. On December 30, 2014 6:59:37 PM EST, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
Badbiosvictim <badbiosvictim@ruggedinbox.com> writes:
USPS interdiction of routers, computers, packages and mail has little over sight. USPS attempted to censor report of failure to follow safeguards.
There's actually a security standard that's supposed to deal with this sort of thing, FIPS 140 (people who have seen my previous posts about what a waste of... well, everything FIPS 140 is should see what's coming here :-). If you recall the Snowden-provided NSA photos of their people intercepting Cisco gear in transit and adding supplementary functionality to it:
* The physical seals are applied after it reaches its destination. You order a special "FIPS kit" consisting of (allegedly) tamper-evident stickers that you apply to the gear after the NSA has tampered with it.
* Since your $40,000 router doesn't come with the stickers that you need for FIPS 140 compliance, you have to order them specially. No-one bothers (the description I got was "in the n years I've been involved with this, I can count the number of customers who've done it on the fingers of one hand").
* No-one who works with the gear has any idea what a tampered sticker would look like, but in any case they're never checked once applied.
Still, at least there's a government standard for it.
Peter.