Page 1 of 1
Surreptitiously Tampering with Computer Chips
Posted: Sat 19 Oct 2013, 02:15
by Flash
Posted: Sat 19 Oct 2013, 07:11
by nooby
Flash thanks for letting us know.
It shows how utterly careful one have to be
if one have something to hide. Fortunately
I only have such secrets as being a total noob
and very naive and too talkative and verbose
but that is only a secret to me and obvious to
everybody else. Still integrity is important due to
the identity theft allowing people to buy things
in your name if they know enough about you.
Re: Surreptitiously Tampering with Computer Chips
Posted: Sun 20 Oct 2013, 19:23
by RetroTechGuy
But, would this hardware tampering "break" software driven PRNGs? (e.g. Schneier's Yarrow).
Posted: Mon 21 Oct 2013, 01:25
by Flash
I don't think so. I can see that it would be extremely time-consuming to determine just how "random" the numbers generated by a RNG really are. So anyone using a RNG just assumes the numbers are truly "random." But if the NSA know that an encryption program uses "random" numbers that are far less random than everyone assumes, it may make their job of breaking the encryption easier. Of course, it would make any snoop's job easier, and it would impact algorithms that have nothing to do with encryption or security but depend on the random number generator.
Posted: Mon 21 Oct 2013, 07:56
by Sylvander
QUOTE...
From 3rd link in 1st post:
"The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor's house.
It should not matter that the neighbor's door is unlocked."
It's my understanding that...
Under English and Scottish law...
You do not [cannot be accused of] breaking into an UNLOCKED premises/house.
e.g. If a stranger walks into to your unlocked house.
You can ask them to leave, and they MUST leave when asked, or...
You can use minimum force [and escalate if necessary] to get them out.
But they have committed no offense by entering.
Is it the same with computers?
Posted: Mon 21 Oct 2013, 13:13
by Flash
I don't know anything about English or Scottish law, but if you can't be accused of breaking and entering an unlocked house, surely you can be accused of trespassing. Any cop can find a law to suit the occasion.
Posted: Mon 21 Oct 2013, 13:50
by Jasper
Unchecked, from memory of exams well over 50 years ago - under English law "trespass" is a tort (of which the simple definition is "a civil wrong other than breach of contract", but it's far from simple).
Posted: Mon 21 Oct 2013, 19:42
by Sylvander
Trespass Scottish
QUOTE:
"
Section 3 of the Act makes it an offence for any person to lodge in any premises, or occupy or encamp on any land, being private property, without the consent of the owner or legal occupier. While the the use of the words lodge, occupy and encamp could be taken to imply a degree of permanency on the part of the trespasser, their scope could possibly be construed to apply to loitering by a determined lawyer if one did anything other than access, or cross over such property for example."
This is a whole different ball game from simply entering/accessing without breaking in, or tampering with a lock, or using something other than the "true key".
Posted: Mon 21 Oct 2013, 20:12
by RetroTechGuy
Flash wrote:I don't think so.
That's what I thought. If you rely on hardware encoding, you have a hardware "password" that can be cracked. If you rely entirely on software, that can be customized for every use (generate their own random number/keyring).
Depending on implementation, that may not prevent a targeted attack against an individual, but it would limit the ability to perform widespread snooping.
I can see that it would be extremely time-consuming to determine just how "random" the numbers generated by a RNG really are. So anyone using a RNG just assumes the numbers are truly "random." But if the NSA know that an encryption program uses "random" numbers that are far less random than everyone assumes, it may make their job of breaking the encryption easier. Of course, it would make any snoop's job easier, and it would impact algorithms that have nothing to do with encryption or security but depend on the random number generator.
Well, they numbers have to be pseudorandom, otherwise you can't ever reproduce the string. A true random "seed" is a good idea.
Schneier knows enough to avoid the main pitfalls -- that's how he broke the MS "secure server" that they touted as unbreakable. He broke their old/dated PRNG, which allowed him rapid access.
"Why Cryptography Is Harder Than It Looks"
https://www.schneier.com/essay-037.html