[This was supposed to be posted over here but an accidental tab scroll ended it up here instead, and the spam detector won’t allow me to move it to another thread. Just as well. Perhaps this is actually a more appropriate thread.]
Thanks for the meaty thread. I think we need to consider that:
- Conspiracy happens, especially in places like China where the state exerts maximum control. It’s very easy to silence people who have no human rights to begin with in order to get them to work in a coordinated manner to interfere in a manufacturing process. (You think I’m kidding? They’re starting to use brainwave monitoring on the manufacturing floor in some facilities in order to “assist” troubled workers. Google it.)
- Malware injection in software, firmware, or hardware is the holy grail but generally superfluous. All we need is a floorboard ready to buckle as soon as someone puts enough weight on it. That much has been engineered by accident as Rowhammer and all its various manifestations have proven. Imagine if a well-funded group actually tried.
- There seems to be this assumption that either (1) Purism is too small to care about or (2) Purism’s customers are implicitly high-value and so therefore nation-state actors really care. We should be honest with ourselves and admit that we just don’t know.
- This problem should be attacked, at first and perhaps exclusively, through packet sniffing. We could all actually participate if Purism offered a router with built-in sniffing functions. That’s not strictly necessary, as this sort of testing could be done at Purism to some degree, but it would explode the number of eyeballs analyzing outgoing traffic, and total outbound bandwidth. It would also avoid the problem of malware or flaws only being injected late into the production run, after initial samples have passed authentication. Purism Internet Telescope, anyone?