Hacker News new | ask | show | jobs
by dcliu 219 days ago
That's a strong claim for not looking into it at all.

From a brief glance at the white paper it looks like they are using TEE, which would mean that the root of trust is the hardware chip vendor (e.g. Intel). Then, it is possible for confidentiality guarantees to work if you can trust the vendor of the software that is running. That's the whole purpose of TEE.
2 comments
jiveturkey 218 days ago
I guess you're unaware that Intel TEE does not provide physical protection. Literally out of scope, at least per runZero CEO (which I didn't verify). But anyway, in scope or not, it doesn't succeed at it.

And I mean I get it. As a not-hardware-manufacturer, they have to have a root of trust they build upon. I gather that no one undertakes something like this without very, very, very high competence and that their part of the stack _is_ secure. But it's built on sand.

I mean it's fine. Everything around us is built that way. Who among us uses a Raptor Talus II and has x-ray'd the PCB? The difference is they are making an overly strong claim.

link
9dev 219 days ago
It doesn’t matter either way. Intel is an American company as well, and thus unsuitable as a trust root.
link
bangaladore 219 days ago
A company of what country would you prefer?

Everyone likes to dunk on the US, but I doubt you could provide a single example of a country that is certainly a better alternative (to be clear I believe many of the west up in the same boat).

link
9dev 218 days ago
A European one. Pulling the kind of tricks the NSA does is considerably harder if you don’t have a secret court with secret orders.
link
bangaladore 213 days ago
You might want to look into what GCHQ, DGSE, and BND (as examples) actually do. Europe is not some surveillance-free zone.
link
jiveturkey 218 days ago
> Intel is an American company

Literally.

link
brookst 218 days ago
If you’re moving the goalposts from tech implementation to political vibes, it’s just more post-fact nabobism.
link
9dev 218 days ago
"SSL added and removed here :-)"

It’s not about vibes, but clear proof of a strategy to undermine global information security. Is anyone suppose to believe they don’t do that anymore?

link