
Supply Chain Security Is the Whole Enchilada, but Who’s Willing to Pay for It? - johnshades
https://krebsonsecurity.com/2018/10/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it/
======
dev_dull
I’m not a protectionist, but we need to start looking at USA-based semiconductor
supply capacity as a national security imperative. We should never lose our
ability to manufacture these critical components, even if it means policies that
might be viewed as “protectionist”.

~~~
mstolpm
How would that work in practice? Granted, the US might be able to manufacture
critical components itself. What about Italy? Honduras? Liechtenstein? Nigeria?
Should they all produce their own hardware for national security concerns? And
why stop there? Wouldn’t your suggestion in essence lead to countries fully
self-supplying everything from food to cars to communication equipment to
power stations and so on and so on? And not just manufacture every single
component, but also source every base material, crop, fertilizer and more.
Arguably food safety or energy supply safety might even be more critical than
semiconductor safety. Even when you reach a level of self-supply capability,
you still need a chain of trust to ensure that you’re not compromised by your
own government and intelligence agencies.

IMHO, such a concept would lead to a perfect protectionist regime while not
giving any real enhanced security at all.

~~~
nyolfen
>What about Italy? Honduras? Liechtenstein? Nigeria? Should they all produce
their own hardware for national security concerns? And why stop there?

wrt computers, why not if they're capable and willing? It has increasingly
obvious and critical security considerations. Russia already has a fledgling
domestic processor industry for these reasons:

[https://thenextweb.com/insider/2017/05/25/russia-showcases-f...](https://thenextweb.com/insider/2017/05/25/russia-showcases-first-computers-based-indigenous-elbrus-8s-processor/)

~~~
sct202
Russia's processor industry is also still dependent on foreign fabs like TSMC.
[https://en.wikipedia.org/wiki/Elbrus-8S](https://en.wikipedia.org/wiki/Elbrus-8S)

It seems like the main fabricators based in Russia are still working on
getting below 90nm.

~~~
vanviegen
Sure, not many nations would be producing current-gen chips anytime soon. But
in case the fan is hit, I imagine ~15 year old tech will make do just fine.

------
nickpsecurity
The DOD has been paying it through the Trusted Foundry Program. Probably not
enough use of that, though. ;)

[https://www.dmea.osd.mil/trustedic.html](https://www.dmea.osd.mil/trustedic.html)

~~~
Nasrudith
If you mean among themselves, fine - but among others along the periphery I
think it is for a good reason. It would be something of theirs that isn't
likely to be piggybacked on for several reasons - even aside from the
increased cost from overspeccing and reduced economies of scale, the DOD easily
has the muscle to extort built-in spyware into the specification to be trusted
if they want big contracts.

And given history, believing such is not paranoid but wise in the sense of 'not
being stupid' as opposed to prescience, given the past history of exposed
similar moves and a lack of transparency. Probably a borderline 'blasphemous'
statement like other uncomfortable truths about things not working.

~~~
nickpsecurity
I had a recommendation for this during the Snowden leaks: use hardware from your
threat model's most capable opponents. As in, assume it's all backdoored by at
least one party. Most threatening are specific nation states. Use their
opponents' hardware.

If stopping Chinese hackers, use stuff from Trusted Foundry running most
secure software you can.

If stopping Five Eyes and Israel, use Russian or Chinese hardware running most
secure stuff _they_ support.

If not trusting anyone, use a computer made before 1997 that's not on a
network and usually hidden in a tamper-evident compartment.

If paranoid, get rid of all electronic devices except those that detect
electronic devices and emissions. Keep it far away from you, itself sealed, so
it's not a point of attack. Periodically get it out to conduct a sweep. Your
brain, pencil, paper, and hiding places are what you trust in this model. Even
mechanical typewriters have acoustic and active RF weaknesses.

So, now you know how to be paranoid. Have at it. ;)

~~~
pmlnr
Why 1997?

~~~
nickpsecurity
As an opponent of NSA, I was studying them closely to assess capabilities.
Anderson, Schell, and Karger were pushing "COMPUSEC" in the 1970's on the
military, who mostly didn't believe in it. They and NSA thought all you needed
was access controls on computers plus COMSEC between them. The BLACKER VPN
paper mentioned the rivalry between COMSEC vs COMPUSEC people, too. That was
somewhere between 1980-1990. It wasn't until around 1990 that many pentests
by INFOSEC pioneers and hackers in the media convinced them to hire their own
hackers. They were still focused on crypto and software flaws since they were
low-hanging fruit. I figured subversion would be for high-profile targets only.

How the Patriot Act got passed was straight outta the Nazi playbook. If a power
grab, I knew secret backdoors, surveillance, and disappearances would follow.
They'd launch USAP's forcing people to backdoor stuff or be held indefinitely
under the Patriot Act. Despite Hayden's work, NSA still moves slow. I figured a
few years before large-scale capabilities came online. Said 2004. Far as I
recall, nothing in the Snowden leaks refuted that estimate.

What about TAO? Hayden was forcing management to listen to engineers. They'd
propose backdoors. Still software focused mostly, though. I estimated 1999.
A later article on TAO history said 1997 was their start. Damn. Now I say
1995-1997.

Only thing left off was to use obscure, less-popular hardware IP holders and
terrorists probably weren't using. Macs, Amigas, SGI... or just off-brand x86.

------
teddyh
“If it’s a core business function — do it yourself, no matter what.”

— Joel Spolsky, talking about Not-Invented-Here programming

[https://www.joelonsoftware.com/2001/10/14/in-defense-of-not-...](https://www.joelonsoftware.com/2001/10/14/in-defense-of-not-invented-here-syndrome/)

~~~
dylan604
How does this apply to the types of programming like encryption where it is
oft advised to not roll-your-own?

~~~
curuinor
If encryption is a core business function, you need as a prerequisite to
having a business at all a couple of folks who know encryption well enough to
roll their own.

------
iambateman
Can someone explain why a semiconductor production facility would be
“punishingly” expensive to operate in the US?

Maybe the cost of electricity, but it seems like the labor cost wouldn’t make
a huge difference since most of the production work (I presume) is automated.

~~~
axaxs
I don't see how, either. TI, Intel, GloFo, and a few others have facilities
here. Sure China can do it cheaper, but IMO the race to the bottom is over.
People want quality, which explains why Apple and Samsung outsell, say, BLU.

------
rkagerer
Once upon a time computers came with a full schematic diagram and enthusiasts
could actually verify what they received. My point isn't so much the diagram
as it is the culture of [showing/]knowing what's inside your black box.

------
CPLX
This seems like as good an excuse as any to post a link to the seminal
“Reflections on Trusting Trust”:

[https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p7...](https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)

It’s an absolute classic that I’m sure 97% of HN readers are familiar with,
but for the 3% that aren’t it’s a really great meditation on just how
difficult it is to trust any computing system, without somehow recursively
assessing the trustworthiness of everything that has ever happened before.

~~~
nickpsecurity
That was a paper reflecting on Paul Karger's compiler-compiler subversion he
did in the 1970's evaluation of MULTICS.

[https://www.acsac.org/2002/papers/classic-multics.pdf](https://www.acsac.org/2002/papers/classic-multics.pdf)

The seminal paper on subversion in the lifecycle was from another
high-assurance security researcher named Philip Myers in 1980:

[https://csrc.nist.gov/csrc/media/publications/conference-pap...](https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/myer80.pdf)

The recommendations were carefully specifying what things do, implementing
them in a structured way to inspect for backdoors, using safe languages to
block regular vulnerabilities, using covert-channel analysis to find leaks,
verifying things down to object code or transistors, letting people build from
crypto-signed source, and using couriers for the hardware from trusted
facilities onshore ("trusted trucks").

People ignored most of that. Even Thompson, as he was obsessed with an unsafe
language vs Wirth, whose work let you choose per module. It's coming back to
bite everyone.

------
yc-kraln
This is the kind of attack that the trustless.ai guys are fighting. They've
secured their supply chain down to the silicon vendor at a fab in Italy.
Really cool project.

------
stcredzero
Is Apple willing to pay for supply chain security? Could they afford it?

    Writing for this week’s newsletter put out by the SANS Institute,
    a security training company based in Bethesda, Md., editorial board
    member William Hugh Murray has a few provocative thoughts:

    1. Abandon the password for all but trivial applications.
    2. Abandon the flat network.
    3. Move traffic monitoring from encouraged to essential.
    4. Establish and maintain end-to-end encryption for all applications.
    5. Abandon the convenient but dangerously permissive default access control rule of “read/write/execute”

------
Animats
This is going to be a huge problem. If that backdoor exists, someone will find
it and use it. Not necessarily the people who put it there.

------
simplecomplex
The supply chain is secure. But that’s not FUD that sells. The gap between
mainstream news and tech news is closing.

------
maltalex
> Indeed, noted security expert Bruce Schneier calls supply-chain security “an
> insurmountably hard problem.”

Centrally, yes. But supply chain verification & tracking is one thing
blockchains are genuinely good at. There are actual blockchain-based products
on the market for that.

Imagine a company such as Apple forcing their suppliers to authenticate each
production step from raw material to shipped good on a proprietary blockchain.
It's certainly doable from a technical standpoint, and Apple's suppliers are
probably eager enough not to lose Apple's business to comply.

~~~
presscast
I don't understand how this solves the problem:

- if all links in the supply-chain are _properly_ verifying/tracking
components, why can't they send this verif/tracking data to their client's
server?

- if they're not making a good-faith effort, what does blockchain solve?

Blockchain is genuinely good at maintaining an immutable, trust-free ledger.
It's _NOT_ good at making sure the data that's written to it is true.
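An added illustration of the point above (not code from the thread or from any product it mentions): a minimal hash-chained ledger over constructed production steps. Chain verification catches a record that is rewritten after the fact, but a false value a supplier writes at entry time is indistinguishable from a true one.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry


def entry_hash(prev_hash, step):
    """Hash of the step together with the link to its predecessor."""
    payload = json.dumps({"prev": prev_hash, "step": step}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append(ledger, step):
    """Append a production step, chained to the last entry's hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"step": step, "prev": prev, "hash": entry_hash(prev, step)})
    return ledger


def verify(ledger):
    """True only if every entry's hash matches its content and its predecessor."""
    prev = GENESIS
    for entry in ledger:
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["step"]):
            return False
        prev = entry["hash"]
    return True


def build_ledger(steps):
    ledger = []
    for s in steps:
        append(ledger, dict(s))  # copy so callers can mutate freely
    return ledger


# Constructed sample steps; supplier names and readings are made up.
STEPS = [
    {"supplier": "fab-A", "action": "wafer_start", "lot": "L1"},
    {"supplier": "carrier-B", "action": "transit", "lot": "L1", "temp_c": 20},
    {"supplier": "assembler-C", "action": "package", "lot": "L1"},
]


def tampered_history_detected():
    """Rewriting a recorded reading after the fact breaks the chain."""
    ledger = build_ledger(STEPS)
    ledger[1]["step"]["temp_c"] = 4
    return not verify(ledger)


def false_record_undetected():
    """A spoofed reading written at entry time passes verification unchanged."""
    lied = [dict(s) for s in STEPS]
    lied[1]["temp_c"] = 4  # constructed: the real transit temperature was 20 C
    return verify(build_ledger(lied))
```

The ledger proves only that the history it holds was not altered later; whether the sensor that produced each value was honest is outside what the chain can check.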

~~~
kuerbel
It does not, that's why a blockchain on its own does not solve the problem,
but in conjunction with other technologies it could. E.g. food - you have to
make sure your sensors (temperature etc.) are tamper proof, but you also have
to find a way to make it hard to separate the sensor from the goods. Only then
would it make sense to use it as an oracle. Also, if you make it hard enough to
cheat the sensor, at some point it's just easier to cool the goods and
transport them accordingly.

~~~
presscast
Right, so it really doesn't solve anything. It just passes the buck further
down.

Blockchain is a solution in search of a problem, here.

