[117733] in Cypherpunks

home help back first fref pref prev next nref lref last post

Re: Build a better OTP?

daemon@ATHENA.MIT.EDU (Sunder)
Thu Sep 9 15:35:53 1999

Message-ID: <37D8097D.3827421D@brainlink.com>
Date: Thu, 09 Sep 1999 15:24:45 -0400
From: Sunder <sunder@brainlink.com>
MIME-Version: 1.0
To: Anonymous <nobody@replay.com>
CC: cypherpunks@cyberpass.net
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Reply-To: Sunder <sunder@brainlink.com>



Anonymous wrote:

> The facts remain that open source has never been a source of security,
> that big business has good reason to produce trustworthy parts and
> mechanisms to do so, and that paranoia must be tempered with realism.

IMHO, the above is total bullshit.  While, yes, there are shitware open source
programs in terms of security, the fact that something is open source allows
everyone and their dog to read the source and find the holes.  And that is a
reality.  Without open source of various tools such as PGP, you wouldn't know
if there were a back door.  For security, see www.openbsd.org. IMHO, they've
done an excellent job at securing an OS.
 
> The risks of intentional backdoors are no worse with the Intel RNG than
> with many other hardware and software components we use all the time.

That doesn't mean that we should accept yet another possibly compromised
component just because the risks are already there in other components.

> The design is strong, and the mechanisms in place to detect accidental
> failures are extensive and appropriate, according to the independent
> review.  

But, we ourselves cannot verify this.  We only have their word.

> A company like Intel can achieve market penetration of their RNG
> technology beyond anything imaginable for any add-on board.  This is by
> far the best approach for getting secure, reliable random numbers into
> the maximum number of systems.

This is precisely why we should mistrust them.  Backdoors placed in common
systems achive much wider penetration. That and the serial number along with a
future promise of an RSA key in every chip makes me cringe.

I agree that whitening is best done in software, and THAT software should be
open sourced.  As it is they're not gaining anything by hiding the opcode
sequence to get at the random bits in terms of the competition.

If AMD were to include a hardware rng in tomorrow, they could simply wire
their own module to make it interface the same way.  It's pointless to marry
an operating system to a processor.  If you do that, then no, you won't have
widespread reliable random numbers.  You'll only have them on wintel systems.

-- 
---------------------------- Kaos Keraunos Kybernetos -------------------- 
 + ^ +  Sunder              "The real aim of current policy is to     /|\ 
  \|/   sunder@brainlink.com ensure the continued effectiveness of   /\|/\ 
<--*--> -------------------- OF US information warfare assets against\/|\/ 
  /|\   You're on the air.   individuals,businesses and governments   \|/ 
 + v +  Say 'Hi' to Echelon  in Europe and elsewhere" -- Ross Anderson 
---------------------------- http://www.sunder.net -----------------------
"The day that Microsoft makes a product that doesn't suck is the same day
they start making vacuum cleaners."


home help back first fref pref prev next nref lref last post