Talking about Cryptodevices... which one?

Matthias-Christian Ott ott at mirix.org
Wed Feb 4 23:12:04 CET 2015


On 2015-02-04 23:07, Peter Lebbing wrote:
> On 04/02/15 21:44, Matthias-Christian Ott wrote:
>> There are enough examples of vendors that introduced government backdoors in
>> their proprietary products to come to the conclusion that it is probably not
>> a good idea to use proprietary software or hardware if your threat model
>> includes government backdoors and you want to defend against them (of course
>> that doesn't mean that it is impossible to verify that a proprietary product 
>> does not contain a backdoor but it is unarguably a lot harder). So I don't
>> know how speculating that a particular vendor of proprietary hardware and
>> software implants backdoors in its products moves the discussion
>> forward.
> 
> What about non-governmental attackers who are able to update your reader
> firmware through an evil maid attack or the like? You seem to imply that hacked
> reader firmware is necessarily by a government or the manufacturer.

You could protect against this scenario by signing the firmware. In some
countries "the government" can legally force the manufacturer to sign
"the government's" firmware.

> I don't think "it's easier to hack than comparable equipment from competitors"
> is a particularly compelling argument, though, to be honest.

I didn't make this argument.

Regards,
Matthias-Christian




More information about the Gnupg-users mailing list