"To Protect and Infect" - the edges of privacy-invading technology

[Hannes Frederic Sowa]

On Tue, Dec 31, 2013 at 11:04:19PM -0800, coderman wrote:
> On Tue, Dec 31, 2013 at 8:02 PM, Hannes Frederic Sowa
> <hannes at stressinduktion.org> wrote:
> >...
> > Most of the implants are installed without we surely know if the vendors
> > did know about that or am I missing something?
> 
> are you only considering this 30C3/catalog set of docs?

I was just referring to the Snowden documents.

> venally complicit to conveniently compromised to blissfully ignorant
> compromise of hardware vendors goes back to CryptoAG and as recently
> as the BULLRUN leaks.  a bit too long and complicated a thread for
> this list, i think...

Ok, CryptoAG is a story of its own, I agree. But they are not that much of a
major hardware vendor, either. Depends on which customer base you consider.

> > I also don't count RSA as a hardware vendor in this case, as the
> > backdoored RNG was included in their bSafe suite, which is purely
> > software.
> 
> sure, just another example of in scope target for a "compromise all
> the things" approach.
> 
> my point was to highlight their response as particularly deceptive and
> inexcusable when observing how the various parties not only respond,
> but act, in response to these leaks. (e.g. Google deploying crypto
> over their internal fibers is positive action.  sitting silent or
> deflecting criticism not confidence inspiring...)

Agreed, but in the end it is important how they act in the long term. But
that needs more time to come until conclusions can be drawn. It is much more
difficult for hardware vendors to strike such good PR stunts as Google did.

Also, I guess, Google had this change in the works for a longer time,
otherwise I don't know if they could make the switch to crypto for
their internal cross-DC links so rapidly. It still seems a lot of work
+ testing and their services seem highly depending on good latency.

Greetings,

  Hannes