--- In lpc2000@yahoogroups.com, Jayasooriah <jayasooriah@...> wrote:
>
> I like to point out to Brendan that my argument does (and should) not
> become any stronger (or weaker) by virtue of who I am. This is not how forums work.
>

Maybe in an ideal world our points would be accepted at face value, but the reality is different. How the points are made, and who makes them will always influence the value people place on them.

A simple example: I'd suggest that a post by a Philips employee to this forum carries a lot more weight than one by some anonymous contributor. Whether it deserves any more weight is of course a different question!

> --- In lpc2000@yahoogroups.com, "brendanmurphy37" <brendan.murphy@> wrote:
> > A set of "facts" that may or may not be
> > either true or relevant does not an argument make.
>
> If there are any "facts" (F1 through F5) that are not true, or not relevant
> for that matter, please point this out.
>

I deliberately chose not to do a point-by-point comment on your own analysis as I believe that it is based on a flawed premise, namely that you can produce a valid analysis of a system for security flaws based on making assumptions and suppositions about its internal structure. By countering the points, I implicitly accept the premise.

However, to give one example (T3/C1 in message 13287):

"Explanation of the "T" and "G" test features that made their way to the field does point to absence (or failure) of processes and/or measures that ensure quality of boot loader".

This is a supposition on your part, not a fact. The fact is, as Philips have confirmed, that there are commands in the boot loader that are used for manufacturing and test. This is quite normal: most complex electronic parts and systems have similar test and diagnostic modes that are undocumented (with good reason). If you could show a mechanism of how the existence of these commands might compromise CRP then fair enough. In this case the "fact" you quote is both incorrect and irrelevant. I'd accept a point about lack of processes to ensure quality if you or someone else had conducted an audit of those processes, but you haven't claimed to have done this. The burden of proof on someone making a claim is on the person making the claim.

The same goes for other suppositions, such as the claimed non-standard startup sequence of the boot-loader. You have presented no evidence whatsoever that this has anything to do with CRP issues (chances are it hasn't), much less that it is somehow an effort to overcome some (unspecified) threat mechanism.

> > If you can't get the degree of re-assurance you feel you need, either
> > based on publicly available information, or through an NDA with
> > Philips, then you can make your own mind up and go elsewhere.
>
> I am not seeking any assurance. I simply made an assessment, as I
> routinely do for clients in the course of my work. It so happens I chose
> to share one of these (with the client's permission) here in response to
> battering from certain quarters.

I was making a general not a personal point (i.e. the choice faced by any customer): if you're not happy with publicly available information, ask the vendor. If you're still not happy, even with additional information that may be provided under NDA, then go elsewhere.

I take your point, though (i.e. if you're not qualified to form a view on the acceptability of a product feature, then get some expert advice). The fact that not everyone agrees with a particular assessment is not exactly surprising.

> >
> > There's
> > little point though in berating them continuously on this forum when
> > they've absolutely no reason to respond further.
>
> The purpose of the assessment is not to berate Philips. If what you say is
> right, there is little point in posting in this forum an opinion that is
> not flattering to Philips. As an independent I prefer to call it as it is
> without fear or favour.
>

I'm sure your purpose isn't to berate Philips. However, the effect of continuously claiming that they somehow have questions to answer, knowing full well that they are unlikely to answer the ones posed (with very good reasons), is precisely that.

> It is their responses (and not my questions) that undermines (or
> strengthens) their claims.

I think we'll just have to agree to differ on this one. I don't believe there is anything sinister or deliberately misleading in the answers Philips have provided to date. I'd be fairly sure though that the reason there's been no further comment is that there's a realisation in Philips that (a) it will suck up considerable resources just to provide the answers and, more importantly (b) some people will never be satisfied: it'll become a full time job, with absolutely no payback.

Now, speaking of resources, I can't afford to spend any more time on this discussion (apart from the fact it has bored the pants off and/or annoyed many people). I'd suggest we close it now. I know this isn't the first time this has been suggested, and in fact I stated before I wouldn't contribute further, but I promise to follow my own advice this time.

If you or someone else wants to post a final response to this to have a final say, then fair enough, but I absolutely promise not to respond.

Best regards
Brendan

Message
Re: lpc2100_fan's objection to CRP thread
2006-02-16 by brendanmurphy37