-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > autonomous malware. What evidence do we have that USB controllers are > reprogrammable once they leave the factory?
The better question, at least from a security perspective, is what evidence do you have that your particular vendor's USB token is not? I mentioned this a few days ago, but my day job involves security testing of electronic voting machines for the National Science Foundation [*]. We have to deal with the issue of whether a given machine is reprogrammable and under what circumstances it can be reprogrammed. History tells us that skepticism is warranted when it comes to this issue. See, for instance, the work of Harry Hursti or Ed Felten. Most USB token vendors are not concerned with security. Most of them don't care if their devices can carry malware. There are no citizen review boards to examine the product and hold vendors accountable. I am deeply skeptical of claims that USB controllers are not reprogrammable. I'm not saying they must be reprogrammable... only that until we see strong evidence that a particular vendor's hardware is not reprogrammable we should assume that it is. [*] I'm not speaking for the NSF, all opinions are my own, any inferences you draw about my feelings towards electronic voting machines are entirely yours. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin) iFYEAREIAAYFAkYwvvAACgkQf2XByo0Cu7ObbQDghnGXhW5WP+VuQRNs9f0Nplj8 cieUPmqE4xOZ1ADdEpxtKbwWBUg5Lz0Xj6DFuOw3lqulBMCing2tBokBHAQBAQgA BgUCRjC+8AAKCRC3APSC/q+BCXLcCADZr4oc2H7oTcr2jtxYDoNRy2O2Ccii3hFb DA40BRwroIW+rnCy7IuTToBbJBvLU2YW0Rwsapj2CqiBNoTysrdXpD7xeH7fAq44 Tuzjw3ivonu4w3zRyvpScgTbPHJNzUcoTgUKBRZAgyk4psuvo2JumbqrhQVUqO09 tMqL1+bCfcaxcL5WbqNPCLMRmxXxSq8FiRUlfiBOn3kpJnPhCqi7X+lZctzA4dmr bGNzuZOBvDxWM9gcWQnbaKz8Jy/mNI6uJ++m2deE0zQ/m3IWhNwJxnrnUhbaqOV6 1rBHtQ2urbONRRphIIVFjRJMFrgya1tF00vZOSMNs75PkeN7NhjK =q72e -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
