
On Thu, Jun 13, 2013 at 03:55:24PM -0700, Adrian wrote:
> Extraordinary claims require extraordinary proof.

Thanks for the pointers; most enlightening. (And I say that even before coffee has taken full effect. I'll re-read once it has.)

However, and perhaps I should have explained this in my original message, whether or not this was an oops! of leftover debugging, whether or not the Chinese actually did this, whether or not the chip meets military operational temperature requirements, etc., are all secondary to the point I was (poorly) trying to make. Let me try again.

(1) There is often a presumption, when, let's say, a particularly sophisticated piece of malware is analyzed, or a large botnet is detected, or a security hole is uncovered in a piece of software, that it's the worst one -- because it's the worst one *publicly known to date*.

But that's wishful thinking. There's probably a nastier piece of malware out there. There's probably a larger botnet. There's probably a bigger security hole in that piece of software. Whatever the severity distribution of these is (and I don't think that's knowable) it would be amazing if we just happened to hit on the one that's at the extreme end of the curve. Reality is usually not that convenient.

Thus however bad these things are, and we can certainly debate that (and we have) (and we will), there's probably something worse that we're not debating because we don't know about it.

(2) As Bruce Schneier has observed, attacks always get better. So even if, against the odds, we happen to be lucky enough to be looking at something that really, really is at the far end of the severity distribution -- tomorrow there will be something worse.

---rsk