What the hell can be done with this trinity?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Dec 30 15:59:37 PST 2014


Badbiosvictim <badbiosvictim at ruggedinbox.com> writes:

>USPS interdiction of routers, computers, packages and mail has little
>oversight. USPS attempted to censor report of failure to follow safeguards.

There's actually a security standard that's supposed to deal with this sort of
thing, FIPS 140 (people who have seen my previous posts about what a waste
of... well, everything FIPS 140 is should see what's coming here :-).  If you
recall the Snowden-provided NSA photos of their people intercepting Cisco gear
in transit and adding supplementary functionality to it:

* The physical seals are applied after it reaches its destination.  You order
  a special "FIPS kit" consisting of (allegedly) tamper-evident stickers that
  you apply to the gear after the NSA has tampered with it.

* Since your $40,000 router doesn't come with the stickers that you need for
  FIPS 140 compliance, you have to order them specially.  No-one bothers (the
  description I got was "in the n years I've been involved with this, I can
  count the number of customers who've done it on the fingers of one hand").

* No-one who works with the gear has any idea what a tampered sticker would
  look like, but in any case they're never checked once applied.

Still, at least there's a government standard for it.

Peter.


