by aeno 1392 days ago
How long until they try to sue his ass?

The whole story sounds so damn stupid, I can't believe no one in the whole production process stood up and said "Wait, shouldn't we make our own keys for encryption?". There must be a deeper meaning in all this. Honestly, how can they be so stupid?

3 comments

My personal guess would be that some manager successfully "reduced costs" and got a big promotion and bonus payments by outsourcing all of the development to the cheapest company they could find, meaning it was likely outsourced to college graduates with no practical experience somewhere in India.

Plus most low-level hardware components are built in China and nowadays also designed in China, so most likely the hardware design shop in Shenzhen sent them a firmware example with Chinese documentation.

But management and oversight is in Seoul, South Korea. Thanks to that 3-way language barrier, I'm pretty sure the supervisor on this project had no actual clue as to what the hardware and software were doing. But he didn't need to. The most important aspect of his job was to keep his mouth shut and not delay production roll-out.

In my imaginary set-up, is there any actor who has any incentive to produce a secure solution? I don't see one. I believe for everyone involved, the illusion of security was "good enough". So here we are with "good enough" in production.

> the illusion ... was "good enough"

But this should be grounds for legal action, because the customer is paying for a service, not for the illusion of it.

> how can they be so stupid

Because so very many are, Aeno, and because of the psychological phenomenon of projecting your features in others, their stupidity is not immediately recognized, thus endangering yourself and everyone collectively.

There exists a direct need for a war against stupidity which is not waged because it is not properly seen.

As for the legal aspect, I don't think they can successfully sue someone for disclosing the NIST example keys because they are considered public information anyway.