Interesting People mailing list archives

Re: Dangerous Fakes


From: David Farber <dave () farber net>
Date: Sat, 15 Nov 2008 17:15:13 -0500



Begin forwarded message:

From: Gene Spafford <spaf () cerias purdue edu>
Date: November 15, 2008 5:04:06 PM EST
To: dave () farber net
Subject: Re: [IP] Dangerous Fakes

This is not a new threat.

Actually, many decades ago there were problems with (domestic) sub-standard parts being provided to the military, so the whole MIL-SPEC process came into being to ensure that items met necessary mission requirements.

As a matter of cost and speed most such standards seem to have been abandoned to choose COTS whenever possible without proper risk analysis. Of course, we have seen the damage to security and operations from so much dependence on COTS software. Only recently have policy-makers begun to realize it is also a problem for hardware.

The problem is not limited to failures from poor quality, but the ability of opponents to introduce items with tailored failure modes into the supply chain we use for critical parts. This could be catastrophic in time of conflict. This applies not only to items of a military nature, but items used in critical infrastructures.

Part of the problem is that when the strict standards were abandoned, we had not yet seen so many safety-critical and security-critical parts/software development move off-shore. Unfortunately for us, off-shore is not only where greater (other) government pressure can be exerted for malicious intent, but it is also where issues of counterfeiting and misrepresentation of quality are less strictly controlled -- and violations prosecuted. This isn't only an issue of electronics, but all sorts of products: think "lead paint" and "melamine" for examples.

The solution is to go back to setting high standards, require authentication of supply chain, and better evaluation of random samples. Unfortunately, this is expensive, and we're not in a state nationally where extra expense (except to line the pockets of Big Oil and Banking) is well tolerated by government. In some cases, the risk may warrant subsidizing the re-establishment of some manufacturing domestically (e.g., chip fabs). This doesn't need to be across the board, but it does require judicious risk-analysis to determine where critical points are -- or will be in the future.


I'm not going to hold my breath, however. Some of us have been complaining about issues like this for decades. The usual response is that we are making a big deal out of "rare events" or are displaying xenophobia. The sheer expense frightens off many from even giving it more than a cursory thought.

One of the factors that allegedly led to the decline of the Roman empire was the use of lead in pipes, and lead salts to make cheap wine more palatable for the masses.

Once we sufficiently poison our own infrastructure to save money and make the masses happier, how long do we last?






