Nostr Web Client

Nice explanation. So here's a glimpse into my paranoia world.. I know that nothing is safe and all I can do is minimize the risk as much as possible. I usually tend to do this, by trying to stick with a supply or company that would be risking their business if a serious vulnerability was found in their supply chain or hardware. Eg. Lenovo. Yubikey. Bitwarden. Anything further, regarding IoT like components, usually gets a pass because it's not going to be able to pierce into anything sensitive just by doing what it's doing (like being a temperature sensor, or etc.).

Where my paranoia ratchets up in this case is when I think about using it for passwords and that it has USB access... Things that are core to my security posture. Could be a knee jerk reaction, as security becomes sometimes (ie.unknown USB passwords bad). Lol. Your explanation makes sense though..

Whether ST can be trusted and how to determine if it is a genuine ST or something that just looks the same. Or if China realizes the chip is being used for passwords and gives it a higher probability of a backdoor. Would ST have an economic reason not to have backdoors? Would purchasing from you vs. purchasing via other channels lessen the risk? How many people and companies use this particular chip and what do they tend to use it for? That's the kind of thinking that goes through my mind assessing this stuff..

Dr. Hax 2y ago

A backdoor found in any CPU would likely mean the death of the company, so your metric of the size of the company makes sense. Bigger companies have more to lose.

I don't have any metrics on how many chips ST Microelectronics sells, but they're pulling in $16 billion/year in revenue. Anicdotally, I can say the STM32 series are very widely used. So they have a lot of incentive to make sure their hardware is legit.

ST microelectronics also has their own fabs, which is better than them sending their designs to another company and having someone else make the hardware.

Counterfit CPUs would be more of a concern, but usually visual inspection will sort that out. The ICs often have different markings, dimples in the wrong places, poor quality screen proving, and so forth. The other tell is... they don't work. Like, at all.

Hackaday wrote a good piece on the topic a few years ago: https://hackaday.com/2020/10/22/stm32-clones-the-good-the-bad-and-the-ugly/

From that article: "If one orders MCUs and development boards from reputable sellers such as Digikey and Mouser, it’s also unlikely to be much of a concern."

I order mine from Mouser. I suppose ordering the parts yourself could be seen as slightly lower risk because you have no way to know I'm not lying and getting the chips from some sketchy source to try to save a few cents.

I think that speaks to all the hardware concerns you mentioned.

Reply to this note

Please Login to reply.

Discussion

cloud fodder 2y ago

nice, that's some good info there 🙏