October 13, 2013

"DoD relies on millions of devices to bring network access and functionality to its users."

"Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread."

(Via Instapundit.)


Stephen A. Meigs said...

It makes sense to me that this is the largest problem security-wise. As I understand encryption, the way a secure connection between (say) you and me would work is that my computer would send your computer a number which allows your computer to construct an encrypting machine whose encryptions only my computer knows how to decrypt. Similarly, your computer would send my computer instructions (via a number) on how to construct an encrypting machine whose encryptions only your computer knows how to decrypt. For what it's worth, I have much faith in inability of third parties to decrypt these encryption machines, if things are done fairly intelligently (like RSA encryption) using a method that employs fairly lengthy numbers as instructions. I'm not expert, but the main problem, it seems to me, is that maybe each of our computers could actually be talking to an intermediate computer in between us, connected to some router or another, so in fact each of us would be having (relayed) secure connections with this third computer. And of course another big vulnerability would be if some keylogging virus, etc., were on one of our computers.

JackOfVA said...

It's probably worse than that.

In the extreme case, perhaps Intel and AMD were "leaned on" by the NSA folks to embed back doors into the hardware or firmware of the CPUs that are at the center of nearly all the computers we use.

Of course, if this were to have happened it would be not impossible for intelligence agencies of other countries to have discovered how to access the same back doors.

And, given that so many chips are fabricated in China these days, it's within the realm of reasonableness to assume that Chinese intelligence agencies may have slipped similar back doors into chips made for Intel or other companies.

Andy Freeman said...

Well-designed crypto systems aren't vulnerable to man-in-the-middle attacks. Backdoors aren't MiTM, they're watching at one end.