> I'd say it's not irrational to consider the possibility that these firms either are directly or via the Taiwanese government cooperating with US cyberattacks. But to be totally clear: that's no more than speculation.

It's also not irrational to consider the possibility that there's been no cooperation but that the certificates were stolen.

> It's also possible that unicorns exist. Considering that certificates have been "stolen" from Taiwanese firms multiple times [2]

Malware that uses stolen certificates is less unique than once thought. If a group building a bank trojan can steal certs, I'm sure state intelligence agencies can too.

https://arstechnica.com/information-technology/2017/11/evasi...

There is also some reason to think their certificates would be targeted for theft, because code signed by those firms would be some of the least conspicuous. There are a lot of Taiwanese firms that make a lot of low-profile specialized support silicon that's literally everywhere (Sound, USB, Wifi, etc), and a driver signed by one will arouse less suspicion. Inconspicuousness would be a high priority for a nation-state hacker trying to avoid detection.

The possibility that the Stuxnet and Duqu certs were stolen is speculation too, but it's less inflammatory and more likely in my judgement.

It's also worth noting that getting explicit cooperation from a company to use their certificate would be risky for a clandestine nation-state operation, since the more organizations that know about aspects of it, the more likely it will fail. If word got out that a particular code signing cert was shared, a rival actor could focus attention on suspicious code signed by that cert and be more likely to detect it.

>> The implication is that American silicon itself is backdoored.

> There was no such implication. Compromising hardware never makes sense unless you can intercept the hardware en route (something the NSA has been known to do [1]).

That's wrong. If the silicon is compromised from the get-go, there's no need for an interception step.