True Crypt is Not Secure

Steve Kinney admin at pilobilus.net
Tue Jul 28 18:34:07 PDT 2015


On 07/28/2015 07:22 PM, Seth wrote:
> On Tue, 28 Jul 2015 15:40:55 -0700, oshwm 
> <oshwm at openmailbox.org> wrote:
> 
>> So is anyone working on building an 'openfab' or is it such
>> a big task that everyone just backs away in horror? :D
> 
> My understanding is that the capital costs involved with 
> building and operating a chip fabrication plant are 
> astronomical, although the situation may be getting better. 
> [1]
> 
> [1] 
> http://spectrum.ieee.org/semiconductors/design/the-new-economics-of-semiconductor-manufacturing

If a market is willing to pay enough to support and grow the
project, it can be done.  Are there potential partners and large
scale consumers for "top security through total transparency" to
make an open hardware project viable today?

One potential route would be to broker a deal to pool the
resources of specialty hardware integrators who already have a
market base for high security "solutions."  The Open Office
project pulled off something similar years ago, obtaining major
funding and support from IBM and others who wanted Microsoft out
of their hair.  So, who wants a shot at defending some of their
digital assets from outfits like NSA and GCHQ, badly enough to pay
for it?

The first place I would start shopping this "crypto anarchist"
project around would be State security services - pretty much any
small to mid-sized outfit not in BRICS or FVEYE could be a
potential market for auditable scrambler phones for military
commanders, senior elected officials, diplomatic corps and
double-nought spies.  From there to high performance servers and
workstations would be a natural progression.

I haven't looked at how the Black Phone folks are doing lately,
but that looks like the kind of product line where open hardware
might find its first viable home.

Another consideration:  One need not necessarily own the facility
where the chips are made:  ISO quality assurance programs already
in place support client access for audit and validation.  A
contract that specifies the client's intrusive presence during
every phase of production and handling would cost extra, but a QA
process that assumes the presence of hostile actors on the shop
floor is definitely possible.  Such a process would also be needed
at a dedicated facility:  One must assume the presence of hostile
actors there, too.

:o)

Steve





