Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

DARPA Looks To End the Scourge of Counterfeit Computer Gear

samzenpus posted about 7 months ago | from the knocking-out-knock-offs dept.

Crime 75

coondoggie writes "Few things can mess up a highly technical system and threaten lives like a counterfeit electronic component, yet the use of such bogus gear is said to be widespread. A new Defense Advanced Research Projects Agency (DARPA) program will target these phony products and develop a tool to 'verify, without disrupting or harming the system, the trustworthiness of a protected electronic component.'"

cancel ×

75 comments

Sorry! There are no comments related to the filter you selected.

Ted Nugent for President! (-1)

Anonymous Coward | about 7 months ago | (#46327805)

We need the Motor City Madman to kick Washington DC in the gonads.

What could be wrong with that? (2)

jhumkey (711391) | about 7 months ago | (#46327831)

Why did "remote kill switch" and "built in spying" just pop into my head?

Re:What could be wrong with that? (1)

Virtucon (127420) | about 7 months ago | (#46328269)

you're not wearing your AFDB [zapatopi.net] that's why.

Re:What could be wrong with that? (1)

davester666 (731373) | about 7 months ago | (#46331409)

I know, we need all electronics to be sent through an NSA hub, and there the components will be verified to be real, and then the product will be sent to the end-user.

Remember, this program will only work if ALL electronics go through it.

And if your device happens to need a couple of days in the hub, it's only because they are replacing some counterfeit chips.

Re:What could be wrong with that? (1)

epyT-R (613989) | about 7 months ago | (#46329511)

Because the federal government wants compromised equipment distributed throughout the market just as much as america's political enemies wish to distribute such equipment (for profit or surveillance)? Anything for a short term anvil to hold over citizens who might dare question their actions.

Re:What could be wrong with that? (0)

Anonymous Coward | about 7 months ago | (#46330391)

Why did "remote kill switch" and "built in spying" just pop into my head?

Ya, no kidding. What a joke.

Re:What could be wrong with that? (1)

JWSmythe (446288) | about 7 months ago | (#46331185)

Well, it's been nice knowing you. Agents will be at your house shortly.

Am I just not thinking about this correctly? (1)

fuzzyfuzzyfungus (1223518) | about 7 months ago | (#46327843)

Is this actually a proposal to provide a general solution to the halting problem for a potentially unpredictable(if parts of it are hidden by the bugged component) program running on logic that may deviate from expected behavior under unknown conditions, or is there some trick that makes it less hopeless?

Re:Am I just not thinking about this correctly? (1)

Anonymous Coward | about 7 months ago | (#46327947)

You don't have to solve the halting problem to find out if the hardware in your machine is identical to a trusted piece of hardware. You just have to compare them.

Now, if you want to know whether the trusted piece of hardware is actually trustworthy, that's harder.

Re:Am I just not thinking about this correctly? (4, Interesting)

Anonymous Coward | about 7 months ago | (#46330547)

Used to be easy back when ICs had few layers and feature sizes that were resolvable with optical light microscopy.

I used to verify ICs for trustable computing back in the day, We would take aligned dieshots, develop them, project them through a red filter, project the master copy of the dieshot through a blue filter, overlay them and look for any large red or blue bits indicative that the metal was not the same. In light of recently published dopant sabotaged parts, it is obvious the technique we used back then was flawed, and not really applicable to modern chips which have many metal layers.

Destructive testing of representative samples can yield verification of all metal layers, but still doesn't cover the dopant sabotage technique (which we were not aware of at the time), of course you could try and slip things through by only sabotaging 5% or 10% of the parts.

I think a much more prevalent problem is counterfeit parts for commercial gain than sabotage, for example taking some cheap MOSFET with similar but worse characteristics and relabelling it as some expensive MOSFET. This happens frequently (found a batch of fake BJTs when I was building an amplifier, as the fake part had the wrong CBE pinout). Another common technique is taking low speed-grade DRAM, assembling it on DIMMs and programming SPD data that claims to be highspeed DRAM, often they don't even bother to change the labels on the device packages, as they are covered by a heatsink on most modern DIMMs.

The problem with out-of-grade counterfeiting is that the different grades are produced from identical masks, and can only be differentiated by very careful measurement of the device parameters. In some cases the counterfeits even meet every parameter, as they are produced by binning in the same way the the original manufacturer bins the parts prior to labelling. There are opamps which cost $40/each, and they are binned from the same line which makes parts costing $1/each, the manufacturer is even up front about this. Sometimes, the line produces more parts that would qualify for the $40/each part number than there is demand for the $40/each part, so the manufacturer just bins them as a lower price part. If the counterfeiter was upfront about it like the OEM, they would relabel them as their own part, with some guarantee about performance like the OEM provides, but then they wouldn't be a counterfeiter, but a legitimate re-binning service.

An example of legitimate rebinning is many of the high end audio equipment or lab equipment manufacturers. They often use commercial grade parts, have an internal test jig, and resell or dispose of parts that don't meet their higher-than-spec required parameters.

Re:Am I just not thinking about this correctly? (1)

cheater512 (783349) | about 7 months ago | (#46331141)

Right so just pass scanning electron microscopes out to everyone? That will make it really dead easy for anyone to spot counterfeits right?

Re:Am I just not thinking about this correctly? (2)

icebike (68054) | about 7 months ago | (#46328079)

Is this actually a proposal to provide a general solution to the halting problem for a potentially unpredictable(if parts of it are hidden by the bugged component) program running on logic that may deviate from expected behavior under unknown conditions, or is there some trick that makes it less hopeless?

Well when you read the article its just comes down to a glorified Certificate of Authenticity:

DARPA said it eversions this dielet will be inserted into the electronic component's package at the manufacturing site or affixed to existing trusted components, without any alteration of the host component's design or reliability. There is no electrical connection between the dielet and the host component.

So yeah, the first thing that will be counterfeited will be these dielets.

But even baring that, since it has no connection to the actual electronics and firmware, simply seeing it on the package means nothing if the part you are using was compromised before it came out of manufacture, or passed through hands with the capability to compromise it before it hit your loading dock.

I suppose this solves the problem of those clone factories that manage to completely clone a functioning board or component to the point that it actually operates (at some level) and inserts these into the supply chain as a money grab. It probably doesn't save you from espionage on a grander level such as state sponsored.

Re:Am I just not thinking about this correctly? (2)

fuzzyfuzzyfungus (1223518) | about 7 months ago | (#46328175)

Even without any counterfeiting, it sure would be a bummer if your 'verified +++ Secure!' chip fell victim to some subtle modification [arstechnica.com] . Possibly even one that could be implemented by modifying the die after fabrication. Wouldn't be trivial; but if you only need to change a few hundred transistors and possess sufficient hardware and motivation...

I assume all electronics and computers are (-1)

Anonymous Coward | about 7 months ago | (#46327903)

counterfeit. I mean, after the first 3D printer went online, all old Luddite manufacturing techniques went the way of the dod. I think all electronics and computer parts are 3D printed now, right?

Re:I assume all electronics and computers are (0)

Anonymous Coward | about 7 months ago | (#46328041)

What the fuck is a dod?

Re:I assume all electronics and computers are (1)

_merlin (160982) | about 7 months ago | (#46328167)

Well, given this story mentions the Defense Advanced Research Projects Agency, I'd guess DoD in this context is the Department of Defense.

*sigh* (0)

Anonymous Coward | about 7 months ago | (#46328239)

... Pretty sure he meant "way of the dodo", as in the extinct bird.

Re:I assume all electronics and computers are (0)

Anonymous Coward | about 7 months ago | (#46329469)

What the fuck is a dod?

That's what everyone will be saying if the draft budget is passed.

Re:I assume all electronics and computers are (1)

nurb432 (527695) | about 7 months ago | (#46328533)

No, but when you buy from off-shore vendors and they ship back fake parts, it can hurt when a plane falls out of the sky.

Not going to happen (3, Insightful)

WilliamGeorge (816305) | about 7 months ago | (#46327939)

"SHIELD demands a tool that costs less than a penny per unit, yet makes counterfeiting too expensive and technically difficult to do"

and at the same time

"What SHIELD is seeking is a very advanced piece of hardware that will offer an on-demand authentication method never before available to the supply chain"

These appear to be mutually exclusive.

Easy (1)

killhour (3468583) | about 7 months ago | (#46328151)

Pfft. You're over thinking it. What they want already exists - it's called a checksum. Therefore, the answer is to create any hardware you need to be secure as a software emulator. Now, you'll need to get around the fact that most emulators have a Big O notation of O(N!) or so, but that's a problem for an engineer. I'm an idea guy.

Re:Easy (1)

WilliamGeorge (816305) | about 7 months ago | (#46328177)

Perhaps I should have highlighted the problem I see with their statements. They want "a very advanced piece of hardware" that "costs less than a penny per unit". This is the impossibility in their reasoning, not that it couldn't technically work in some way.

Re:Easy (1)

killhour (3468583) | about 7 months ago | (#46328209)

A checksum costs less than a penny. Also, :woosh:

Re:Easy (1)

WilliamGeorge (816305) | about 7 months ago | (#46328257)

Indeed, the 'woosh' appears appropriate here. From that I take it your response was meant in jest, though how I cannot tell (other than that your comment seemed largely to consist of techno-babble - but maybe that was intentional?). Anyway, I took it as serious and wanted to point out that I don't care how feasible the item they describe is... the cost they want is impossible for anything 'very advanced'.

If I have missed some grand joke, then I apologize :)

Re:Easy (0)

Anonymous Coward | about 7 months ago | (#46328319)

They should throw a hologram on it, and the message "Do not make illegal copies of this chip."

What could you do with $0.01 worth of ARM Cortex? (1)

IgnorantMotherFucker (3394481) | about 7 months ago | (#46329107)

The key words here are "PER UNIT".

I expect you know very well that just about all software costs less than a penny per unit to deliver into the hands of customers.

As I recall, in 2002 the Oxford Semiconductor OXFW911 Firewire/IDE storage bridge chip cost eight bucks apiece, when purchased in quantity. It was a little small than a dime.

For eight bucks, you got a 32-bit ARM7TDMI microprocessor, 64 kB of Flash for your firmware, 1800 bytes (yes, really: BYTES) of RAM, an IDE core for talking to your disk drive, a Firewire link-layer core (for talking the logical 1394A protocol), and a serial UART that was thrown in just for grins.

Now that was in 2002. What would that same chip cost now, if it were designed and manufactured today? Probably about ten cents.

However I expect the logic diagram, the physical design of the chip - that is, the mask pattern that is printed onto the silicon wafer - the verification of the design before manufacturing, a few rounds of bad silicon and design revision, cost tens of millions of dollars.

So in reality, it is quite possible that DARPA, or one of its contractors, could blow a billion dollars on the design of a chip, that when actually cast into silicon was a very small chip. The price of manufacturing just one chip is, for the most part, it's "real estate". That is, the physical area, like one square centimetre.

The wholesale price of the chip is then determined for the most part by how many you make. There are HUGE economies of scale in silicon manufacturing.

Re:Not going to happen (1)

bobbied (2522392) | about 7 months ago | (#46328279)

"SHIELD demands a tool that costs less than a penny per unit, yet makes counterfeiting too expensive and technically difficult to do"

and at the same time

"What SHIELD is seeking is a very advanced piece of hardware that will offer an on-demand authentication method never before available to the supply chain"

These appear to be mutually exclusive.

I don't think so. At least DARPA thinks it's possible to do. Despite being government engineers, the guys and gals at DARPA are a fairly bright bunch.

For digital systems, I'm thinking that there might be a way to put a small amount of ROM and logic that responds to specific stimulus in ways that are not easily duplicated if you don't know the logic design. Put a little bit of state information in the mix and it wouldn't be that hard to pragmatically validate the part, but hard to duplicate said part.

Re:Not going to happen (1)

WilliamGeorge (816305) | about 7 months ago | (#46328479)

I don't doubt the goal can be achieved at some cost, but they seem to want it for 'less than a penny per unit'. Considering that they admit it is 'a very advanced piece of hardware' I don't see how it could possibly be fabricated and installed for such a tiny cost.

Re:Not going to happen (0)

Anonymous Coward | about 7 months ago | (#46329531)

For digital systems, I'm thinking that there might be a way to put a small amount of ROM and logic that responds to specific stimulus in ways that are not easily duplicated if you don't know the logic design. Put a little bit of state information in the mix and it wouldn't be that hard to pragmatically validate the part, but hard to duplicate said part.

There is, it's called a digital signature function. You input a random number challenge, and it signs the challenge with it's internal private key stored in ROM, or more securely, in FLASH* . Examples of which are RSA and ECDSA. The problem are thus:

  • you can't really put a ROM in a MOSFET, MMIC or other three/four terminal devices without adding extra terminals,
  • it would consume significant die area in smaller parts,
  • and anyone who is going to the trouble to copy your mask set can put in the extra effort to extract the private key, since they've already gone to significant effort to extract your masks layer by layer by scanning microscopy and etching.

* Since the values are stored as electric charge, rather than metal wiring, they are more difficult to non-destructively image.

(ul tags don't seem to be displaying on /. today, and I can't be fucked figuring out why)

Re:Not going to happen (0)

Anonymous Coward | about 7 months ago | (#46329363)

Let me guess, they are building the SHIELD devices in china, right?
And the factory that produces them will just make an extra 100,000 and sell them to local distributors. This is the main source of "counterfeits". Not the imagined scenario where someone makes a dummy IC and sells it as the real thing.

https://www.sparkfun.com/news/395

Re:Not going to happen (1)

bill_mcgonigle (4333) | about 7 months ago | (#46334665)

SHIELD demands a tool that costs less than a penny per unit

They should also demand a replacement eye for Nick Fury, for all the good it'll do.

Given that its DARPA (0)

Anonymous Coward | about 7 months ago | (#46327963)

doesn't this seem like a job for the FCC or whatever the name of the government body that regulates business, trade and import/export makes it seem suspect?

this seems like a job for someone else entirely

Re:Given that its DARPA (1)

maliqua (1316471) | about 7 months ago | (#46328099)

perhaps you mean FTC?

Re:Given that its DARPA (0)

Anonymous Coward | about 7 months ago | (#46328203)

Surprisingly, the military is also interested in being able to detect untrustworthy equipment. Who knew.

Re:Given that its DARPA (0)

Anonymous Coward | about 7 months ago | (#46328255)

yes but having them run the program rather than someone trust worthy seems like a bad choice if a different government agency was given the same funding for the same project it would make more sense and seem less suspect

Re:Given that its DARPA (1)

mcl630 (1839996) | about 7 months ago | (#46328511)

From TFA, emphasis mine:

After a scan, an inexpensive appliance (perhaps a smartphone) uploads a serial number to a central, industry-owned server. The server sends an unencrypted challenge to the dielet, which sends back an encrypted answer and data from passive sensors-like light exposure-that could indicate tampering, DARP said.

DARPA won't be "running the program"

DARPA remote bugging tool .. (1)

DTentilhao (3484023) | about 7 months ago | (#46327991)

Do I really want DARPA putting a remote bugging tool in my computer, under the pretext of detecting counterfeit computer gear ..

Re:DARPA remote bugging tool .. (1)

sconeu (64226) | about 7 months ago | (#46328297)

It's not going in YOUR computer. It's going into mission-critical stuff for DoD use.

For example, would you really want to be flying an F-22 with a counterfeit CPU?

Re:DARPA remote bugging tool .. (1)

cyrano.mac (916276) | about 7 months ago | (#46329237)

LOL Do you really believe that?

Re:DARPA remote bugging tool .. (1)

sconeu (64226) | about 7 months ago | (#46329545)

Uh, yeah, I actually do. DARPA is looking for stuff for DOD, remember?

Re:DARPA remote bugging tool .. (1)

mcl630 (1839996) | about 7 months ago | (#46328545)

The manufacturer would be putting the toll in your computer or device, not DARPA. DARPA is just trying to invent the tech to do it. According to TFA, the validation would also be done by an "industry-owned server."

verify my ballsack too (0)

Anonymous Coward | about 7 months ago | (#46328035)

backdoors at home,
backdoors from afar.

i slap my ballsack in defiance.

Re:verify my ballsack too (0)

Anonymous Coward | about 7 months ago | (#46328083)

i support this cause
*slaps ball sack in support*

Re:verify my ballsack too (1)

Virtucon (127420) | about 7 months ago | (#46328331)

If you go here you can get a DC [yelp.com] as part of the entertainment.

"the trustworthiness" (0)

Anonymous Coward | about 7 months ago | (#46328123)

hahahahahahahaahahhaah

Whatever became of the counterfeit bolt problem? (3, Interesting)

IgnorantMotherFucker (3394481) | about 7 months ago | (#46328179)

It occurred quite a long time ago, but at the time no solution was proposed.

Regular steel bolts have hexagonal heads that are flat on top. Bolts made of high-strength steel are marked with three - if I recall correctly - radial lines.

You can see that it would be easy and cheap to mark a regular steel bolt with those three lines, then sell it for the high-strength premium.

This caused at least on death: a worker who was torquing a bolt while building the first Saturn car factory snapped the head off a bolt and fell to his death.

An Army general commented that when he took his battalions tanks out for training in the desert, their tracks were littered with bits of broken off bolts, as well as the occasional tank tread.

What they actually did about this was to test samples of bolt shipments, but such testing was very expensive and so could not provide good coverage.

However it has been years since I last heard about it. Has the counterfeit bolt problem been solved? If so how?

Re:Whatever became of the counterfeit bolt problem (1)

nurb432 (527695) | about 7 months ago | (#46328585)

This caused at least on death: a worker who was torquing a bolt while building the first Saturn car factory snapped the head off a bolt and fell to his death.

While still a bad thing, this should never have happened. He should have been wearing redundant safety gear so that no matter what failed, he would have been safe.

Re:Whatever became of the counterfeit bolt problem (1)

Anonymous Coward | about 7 months ago | (#46328643)

This caused at least on death: a worker who was torquing a bolt while building the first Saturn car factory snapped the head off a bolt and fell to his death.

While still a bad thing, this should never have happened. He should have been wearing redundant safety gear so that no matter what failed, he would have been safe.

While your point is still valid, it is hardly the only case where it is possible for a counterfeit high tensile bolt to cause a fatality.
It doesn't take much imagination to think of a problem. [nytimes.com]

USA! USA! USA! (1)

IgnorantMotherFucker (3394481) | about 7 months ago | (#46329127)

Actually that is precisely what the US Federal Occupational Safety and Health Administration is for.

Perhaps money changed hands.

Re:Whatever became of the counterfeit bolt problem (0)

Anonymous Coward | about 7 months ago | (#46332025)

this should never have happened. He should have been wearing redundant safety gear so that no matter what failed, he would have been safe.

Ahh, yes, the belt-and-suspenders approach. Which, although over-engineered to avoid the embarrasment of your pants falling down to expose your undershorts (or worse!), completely fails to protect against an inadvertently-left-unzipped fly.

Re:Whatever became of the counterfeit bolt problem (2)

EvilSS (557649) | about 7 months ago | (#46329213)

Increased awareness, new federal laws holding manufacturers responsible for meeting the marking of their items, etc. I suspect it's still a problem though, just not as widespread as it once was. There is a good pdf guide [jlab.org] from the gov on counterfeit bolts and other hardware items (I love the completely cosmetic gas cutoff valve on pg. 32)

DARPA is said to be looking for this man (1)

ArcadeMan (2766669) | about 7 months ago | (#46328225)

Because this man [ytimg.com] would be the perfect leader for their new project.

I can't understand the article (0)

Anonymous Coward | about 7 months ago | (#46328311)

Are they trying to detect counterfeit hardware, or are they trying to detect whether the hardware works as expected?
Those two aren't the same as far as I can tell.
Counterfeit hardware can be identical to non-counterfeit hardware simply because it can be made in the same factory by the same people, but just after "closing time".
Non-counterfeit hardware on the other hand can have all kinds of backdoors and whatever installed.

testing electronic components (0)

Anonymous Coward | about 7 months ago | (#46328325)

POW! "Yep, that cap's genuine"

Re:testing electronic components (1)

Bing Tsher E (943915) | about 7 months ago | (#46329877)

But marked backwards, eh?

Counterfeit? (3, Interesting)

Archangel Michael (180766) | about 7 months ago | (#46328425)

How can one discern between counterfeit and real, when both are coming off the same assembly line in China?

This is what is called "third shift" products, where the first two shifts make XYZ product for ABC corp, and the third shift makes XYZ Counterfeit for black market.

Re:Counterfeit? (0)

Anonymous Coward | about 7 months ago | (#46328865)

What if it is the right part, but someone else picked it up from the trash (because it fails the test at the corner cases) and sold it as good parts?
So it would pass any signature tests you throw at it, but fails when you use it in the deserts.
Are you going to re-run the full set of qualification tests on each part?

Re:Counterfeit? (0)

Anonymous Coward | about 7 months ago | (#46329561)

Parts should be marked with their QA signature after passing qualification. The problem of the legitimate OEM creating counterfeit parts is inherently unsolvable, though can be dealt with by contract enforcement if it can be proven.

Re:Counterfeit? (0)

Anonymous Coward | about 7 months ago | (#46329761)

There were cases when someone else buy legit CPU (or memory) and change their speed grade markings on the case and sell them at price premium.

Since the chips are made identically on same production line except for speed grade binning by actual test etc, you can't tell them apart even literally under a microscope. They are still counterfeits as their markings do not reflect what they really are.

Re:Counterfeit? (0)

Anonymous Coward | about 7 months ago | (#46330413)

But if the chips are programmed with digital signatures, like for example, Intel and AMD CPUs, then you can tell them apart during QA testing. The problem with counterfeit DRAM is that the speed grade is not programmed into the DRAM chips, but into a separate I2C ROM, called the SPD ROM, and unscrupulous manufacturers can reprogram or replace that ROM. If the DRAM ICs were burned with their speed grade during QA testing by the DRAM manufacturer it would not be possible to pass off lower binning parts (ok, it would probably be possible, but bypassing the counterfeit protections would hopefully be more expensive than just buying the desired grade).

One can only hope that with the coming of serial DRAM (and it's coming, I assure you, Micron HMC is already available for highspeed network applications), with the DRAM controller integrated in the package of each DRAM, that such anti-counterfeiting measures will be integrated, and therefore difficult to bypass or reconfigure. Each manufacturer could include an device ECDSA or RSA signature (which you can read out and validate) and device private key (which you cannot read out) signed with their manufacturer master key to prove that the chip was made and QA'd by that manufacturer.

This would ensure that even if the would-be counterfeiter extracted the individual device private key form the package, counterfeit devices would be detected, as counterfeit devices would contain duplicate private keys, where-as legitimate DRAM would have unique private keys for each device. Similar to how counterfeit money is often detected: they use a small selection of serial numbers that repeat to save on plates, counterfeiters would need to reuse private keys, as the alternative would be destructive reverse engineering an original DRAM for each counterfeit produced.

Actually all of this is rudimentary to anyone who understands PKI. Here is hoping some douchebag doesn't come along and try to patent such an obvious idea.

Re:Counterfeit? (1)

petermgreen (876956) | about 7 months ago | (#46329175)

Sometimes the giveaway is substitute parts, ABC corp will ony give the assembly line in china sufficint parts to make the legitimate products (plus a handful of spares for failures) so to make the counterfiets the factory has to source substitutes for custom parts, those substitutes may be slightly different from the slightly different from the legit parts.

Re:Counterfeit? (1)

DNS-and-BIND (461968) | about 7 months ago | (#46329973)

ABC corp doesn't give the parts to the factory, the factory sources them locally. What, you think parts are made in America? LOL. The anti-business crowd chased them out a long time ago.

Re:Counterfeit? (0)

Anonymous Coward | about 7 months ago | (#46330751)

The client ("ABC corp") doesn't literally ship the parts to the factory. However, the specific parts are chosen by the client, and often procured by them.

For any non-trivial production run, details such as cost, delivery schedule, defect rates, penalty clauses etc will be negotiated between the client and the supplier. The supplier will ship the parts to the factory, tagged for a specific contract.

On the lower-end stuff, the client may leave procurement to the factory, but that tends to be low-margin crap where you probably wouldn't care if they did run a third shift so long as they're cheaper than anyone else.

good luck, comrade! (0)

Anonymous Coward | about 7 months ago | (#46328649)

Russian Components, American Components, all made in Taiwan!

Tell me if will detect NSA (or other) caused BIOS (2)

MonsterMasher (518641) | about 7 months ago | (#46328757)

Let us not forget the very real problem with NSA practices in our field, and suddenly why your technical computing cluster stopped working, or other equipment screwed up. Our friendly hackers at NSA and any bios changed while providing snooping, changing timing on cpu, etc.

I already had problems with my land line which a firmly believe was because the NSA and small local phone company kept having technical issues leaving with out phone service for extended periods with what I will assume was interface problems with the regular phone equipment and the NSA equipment locked away. The problems started each after making email contact with Congressional Reps. Sometime later on, Sen. Sanders (VT) asked the question about spying on congress, which you should already know about.

After the 3rd time started I decided a cell was the option, though I hate the quality. But at least the damn this would dial 911 if I happen to need it, and I can get voice mail and make calls.. you know, what was working fine before on the better system.

All before Snowden NSA reveal, so my complaints were brushed away at the time. although many of us here who follow technical and networking hires/info had clear signs this was occurring long before Snowden came on scene.

So, let's all not worry about those NSA ass-holes, you got nothing to hide, right? Why object otherwise.

hope all it does is verifies... (1)

pouar (2629833) | about 7 months ago | (#46328761)

...instead of stopping the system if it doesn't verify (kill switch) or sending the results back to headquaters (spying), otherwise it's DRM. As long as the user has full control on what this thing does such as turning it off or changing what server it sends the info to or what it registers as counterfeit and what doesn't then it could be a good thing. But if this is used to lock the user out of his own hardware or prevent him from changing or modifying it then this is going to be a huge problem.

Re:hope all it does is verifies... (1)

pouar (2629833) | about 7 months ago | (#46328797)

The Linux kernel could use that GPLv3 license right about now.

Fairly easy and cheap. (3, Insightful)

jcochran (309950) | about 7 months ago | (#46328775)

It seems to me that most of you didn't bother to read the article. In a nutshell, DARPA wants a small electrically isolated chip that acts as a RFID chip and sends an encrypted response to an interrogation. Method of use

1. Specialized probe scans chip. Obtains serial number of chip.
2. Specialized probe sends serial number information to centralized server.
3. Centralized server sends back to probe query string.
4. Probe passes onto chip, the query string.
5. Chip sends back encrypted response to query string.
6. Probe passes back to centralized server, encrypted chip response.
7. Centralized server sends back to probe "good" or "bad" results.

Notice that the encryption key may be unique for each chip. The keys are known by the centralized server, but don't need to be known by anything else.

In order to create a counterfeit, the attacker needs to do one of two things.
1. Duplicate an existing chip to include the serial number and encryption key.
2. Create a new chip with a new serial number and encryption key and implant that serial number and key into the database maintained by the centralized server.

If an attacker is capable of compromising the central server, then it's game over. But the assumption is that is a "hard task". So the security is likely to be aimed at protecting the encryption key for each chip. Perhaps store the key in TLC Nand and arrange for the value to be corrupted if it's exposed to light (and of course, encapsulate the chip in an opaque material).

So when you manufacture a "non-counterfeit" component, you
1. Manufacture component.
2. Glue a chip to the component.
3. Register the chip with the centralized server.

To verify that a component isn't a counterfeit.
1. Scan for chip and do the entire song and dance to verify the chip.

Re:Fairly easy and cheap. (1)

Anonymous Coward | about 7 months ago | (#46332049)

2. Specialized probe sends serial number information to centralized server.

2a. The centralized server gets decomissioned.
2b. The centralized server is (D)DOSed.
2c. You have the same control over the centralized server as you do over your data stored on facebook, dropbox, s3, etc.
2d. Your credentials expire either because you stopped paying for protection^Wservice or you just forgot to change your password when you got IT's "your password is about to expire" email.

No one needs to read past Step 2 to realize this whole thing is a bad joke, right?

examples of the danger? (1)

rst123 (2440064) | about 7 months ago | (#46330389)

The summary and the article state that these counterfeit parts are so dangerous. Can anybody provide examples of harm done? And not just to somebody's bank account? I'm not saying I disagree, but if you tell me I should be afraid, at least point to examples of why I should be afraid.

Re:examples of the danger? (1)

Frobnicator (565869) | about 7 months ago | (#46331535)

The summary and the article state that these counterfeit parts are so dangerous. Can anybody provide examples of harm done? And not just to somebody's bank account? I'm not saying I disagree, but if you tell me I should be afraid, at least point to examples of why I should be afraid.

That's about it.

For commercial purposes, the claim is somehow that your cheap off-brand machines are obviously inferior to the brand name equipment made by the same assembly lines. It doesn't work well in practice, since chip clones and cheap knockoffs usually mean success for the brand they are impersonating.

Government agencies are trying to find a way to allow cheap manufacture of standard certified equipment, using untrustworthy, lowest-bidder, often foreign manufacturing plants, while at the same time ensure that people paying lots of money didn't install backdoors or spyware onto the chips. They want to know that their underpaid lowball bids aren't being subsidized by other spy agencies, while at the same time these agencies are doing exactly the same espionage to other nation's computers.

It is basically a bunch of spy-vs-spy crap, a race to the bottom where all of society loses if the insanity doesn't stop.

Re:examples of the danger? (0)

Anonymous Coward | about 7 months ago | (#46332683)

That's about it.

That's not just it.

There are plenty of parts that can be swapped out for much cheaper parts, for example MOSFETs, Opamps etc. And things will look like they are working, until those parts fail, or the operation is degraded.

There are plenty of component counterfeiters who take some transistor or opamp, etch the label off, print the label of a higher-spec part, and try and pass it off into the commercial supply chain.

The issue of spy-vs-spy exists, but so does the issue where your truck breaks down in the middle of the desert because some counterfeiter swapped out your automotive grade voltage regulator for a commercial grade voltage regulator with a lower maximum operating temperature, and it failed in the heat of the desert.

I have seen real-world counterfeit parts, the labels looked off, and after some work to build a test jig it was quite obvious they weren't the real part. In one case the pinout was wrong, which I noticed when I went to use it and the circuit I installed it in didn't work at all (collector and base were swapped on a BJT). Imagine that same part had made it into a mass production supply chain, and they had made 5000 boards before they noticed that none of them worked, and had to rework all 5000, that's a whole lot of money wasted.

Even worse is when it's not picked up during QA, and a whole batch has elevated failure rates. If it's going into some safety critical device, it could kill someone.

Re:examples of the danger? (1)

Frobnicator (565869) | about 7 months ago | (#46343405)

The DARPA project is not about protecting consumer-grade electronics from cheap knockoffs and badly-swapped ICs.

The project's stated purpose, and the DoD and other government acronym interests fall squarely inside the spy-vs-spy realm.

Sure, I suppose it is technically possible that businesses are going to invest in embedding this type of security inside critical chips, then spot-check every production run for authenticity. This might happen at bigger corporations for important big-budget projects.

But no, as per your stated example, the individual components of your consumer-grade assembly line automobile are not going to bear the cost of this type of security systems throughout every chip. Nor will your home PC feature such high security for every chip on the motherboard. For the big-budget chips you might see them for the main CPU, the GPU, and a few other expensive big-name parts; the little audio chip or the disk controller chip or the usb hubs and assorted other little components on the board, probably not.

The real scourge (0)

Anonymous Coward | about 7 months ago | (#46331501)

What we really need to do is end the scourge of faggotry. If we cannot protect men's anuses from being penetrated by erect penises then nobody is safe. Let's end the scourge of faggotry now!

What happened to the old way (0)

Anonymous Coward | about 7 months ago | (#46334043)

If you want something done right, do it yourself...

Fuck it if things get more expensive, that's the price you pay for the knowledge how it was made.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>