This may be coming from a place of ignorance but what guarantees are there that there is not some kind of security flaw on a hardware level? I don’t know what kind of audits or protections are there now but with Chinese suppliers in particular, I would be leery of potential issues. There was rumors/claims of certain server mobos being built with extra chips or exploits a couple years back.
Since nobody seemed to actually answer your question: the answer is that ram is actually really simple electrically. Modern DDR5 is very difficult and expensive to manufacture at scale, but is very simple to design.
If someone were to try and poison a memory package, it would be massively obvious by virtue of the package being larger, being very electrically noisy, or by sucking an order of magnitude more power to function.
DRAM sockets are not generic pci busses, and cannot be used on a typical motherboard to load arbitrary hardware the way USB or PCIE can.
Also, the way ram works, you really couldn’t do much more than read contents and relay via an on-dir radio, which would have to be super short range. Even something as “simple” as Bluetooth or wifi would be too big, too slow and take too much power to still function as a memory die.
You should be way more scared of cloud services, appliances, or iot devices than a stick of DDR5.
Tl/DR: it’d be prohibitively expensive and itd have nowhere to go, if it could even work at all without Corsair noticing.
Thanks for the in-depth response, I learned a little bit from you. :)
I’m reminded of the old black hat proof of concepts about reading bits of data via network adapter LEDs, or about listening to sound cards in other rooms doing their signal processing.
I low key kind of love the idea of an evil exfiltration scheme to use a local sound card to receive information about memory contents and then try to pass it somehow desperately over the internet, only now to be thwarted by a mute button. 🤣
IOW one installs their DRAM and it comes with LED lights. Those require their software to control. One should be far more concerned with the RGB software doing something nefarious than the hardware.
Ok awesome, thanks for explaining that. I didn’t know what could be the attack vector (if any). After the supermicro(?) thing a few years back, it made me question what we actually know about the security of physical hardware.
Do I really care if Microsoft (I have to have office for work), Google, Adobe and all the other American observance companies have my data vs the Chinese having my data? The way I see it, the US is a much bigger threat than China.
If I have to live with three or four holes in my canoe hull that let water leak in, because I literally have no choice, I guess I accept it. If someone offers me a cheaper oar but it adds a new leaking hole to the hull, I can choose not to take it; it’s at least worth considering not taking on the additional hole.
We dont have to ask that question, because we already KNOW that the US mandated manufacturers to put backdoors into commercial and consumer hardware for years. So we have got “guaranteed to be a threat actor” vs “maybe a threat actor” hmmmm idk man, seems like an easy choice.
Chinese law mandates that businesses do intelligence gathering and that all encryption has a backdoor. So the question you should be asking is do you want to support a government that openly slaughters those who oppose it and use slavery to lower labour prices, or do you want to support China?
Yes, that is highly likely. That’s why I’m always surprised that it’s almost exclusively Chinese products that come under suspicion in public debate. Not that we shouldn’t have safety concerns here as well, but it’s exactly as you say: With U.S. products, it’s at least just as appropriate to fundamentally distrust the manufacturers, especially since the country is obviously ruled by a criminal regime that has absolutely no scruples and blackmails other countries with everything at its disposal.
almost exclusively Chinese products that come under suspicion
Its not that complicated. “China bad, US good” is the mantra of all the politicians in the west. Even with Trump in power going crazy they are still loyal dogs for the US.
Bro have you been reading the news? The West basically hates America right now. Actively ramping up funding arms and software intiatives to de-american their supply chains.
Ah yeah thats why they keep exempting all the big tech companies from privacy laws and why we keep doubling down on US fossil imports despite the obvious need for more renewables.
The EU populations hates the US, but the leadership is still very divided.
Yes, and the reason for that is lobbying, aka corruption.
This clearly illustrates the extent to which our politicians are selling out the interests of citizens for their own gain. Right now would be the ideal time to finally promote digital sovereignty, especially since products that don’t come from China or the U.S. could use that trust as a selling point. Unfortunately, however, everything remains the same because our politicians allow themselves to be bribed by criminals in the U.S.
Nothing, I don’t know what (if any controls) are in that now. I do know Benn Jordan did a video about the robot dogs the other day and they had HUGE backdoors and security implications that go back to servers in mainland China. That’s what prompted my reply. I don’t trust any of my equipment to be unadulterated anymore but where there is a history of having backdoors in place, I am extra leery.
Yeah, I am worried about the US, whether it be from the supplier of the chips, the os, third party applications, or my ISP, I can almost guarantee there is someone in my network who shouldn’t be. I don’t have to like it or make it any easier for there to be more of them though.
On RAM? I’m not aware of any. I’m sure you could implement something, but I feel like it would have to be really, really specifically targeted to go unnoticed.
Yeah, I don’t know how it compares to other oems. It was meant as more of a curiosity than an accusation.
It’s an economy of scale though, with more data to pull from, you are more likely to get something interesting. On the flip side, you also increase your chances of getting caught.
Again, I am coming from a place of ignorance here. This is not my wheelhouse.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]
No game suggestions, friend requests, surveys, or begging.
No Let’s Plays, streams, highlight reels/montages, random videos or shorts.
No off-topic posts/comments, within reason.
Use the original source, no clickbait titles, no duplicates.
(Submissions should be from the original source if possible, unless from paywalled or non-english sources.
If the title is clickbait or lacks context you may lightly edit the title.)
This may be coming from a place of ignorance but what guarantees are there that there is not some kind of security flaw on a hardware level? I don’t know what kind of audits or protections are there now but with Chinese suppliers in particular, I would be leery of potential issues. There was rumors/claims of certain server mobos being built with extra chips or exploits a couple years back.
Since nobody seemed to actually answer your question: the answer is that ram is actually really simple electrically. Modern DDR5 is very difficult and expensive to manufacture at scale, but is very simple to design.
If someone were to try and poison a memory package, it would be massively obvious by virtue of the package being larger, being very electrically noisy, or by sucking an order of magnitude more power to function.
DRAM sockets are not generic pci busses, and cannot be used on a typical motherboard to load arbitrary hardware the way USB or PCIE can.
Also, the way ram works, you really couldn’t do much more than read contents and relay via an on-dir radio, which would have to be super short range. Even something as “simple” as Bluetooth or wifi would be too big, too slow and take too much power to still function as a memory die.
You should be way more scared of cloud services, appliances, or iot devices than a stick of DDR5.
Tl/DR: it’d be prohibitively expensive and itd have nowhere to go, if it could even work at all without Corsair noticing.
Thanks for the in-depth response, I learned a little bit from you. :)
I’m reminded of the old black hat proof of concepts about reading bits of data via network adapter LEDs, or about listening to sound cards in other rooms doing their signal processing.
I low key kind of love the idea of an evil exfiltration scheme to use a local sound card to receive information about memory contents and then try to pass it somehow desperately over the internet, only now to be thwarted by a mute button. 🤣
Those types of attacks are called “side-channel” attacks. If you wanted to look up stories of more. Fascinating history there.
IOW one installs their DRAM and it comes with LED lights. Those require their software to control. One should be far more concerned with the RGB software doing something nefarious than the hardware.
Ok awesome, thanks for explaining that. I didn’t know what could be the attack vector (if any). After the supermicro(?) thing a few years back, it made me question what we actually know about the security of physical hardware.
Do I really care if Microsoft (I have to have office for work), Google, Adobe and all the other American observance companies have my data vs the Chinese having my data? The way I see it, the US is a much bigger threat than China.
If I have to live with three or four holes in my canoe hull that let water leak in, because I literally have no choice, I guess I accept it. If someone offers me a cheaper oar but it adds a new leaking hole to the hull, I can choose not to take it; it’s at least worth considering not taking on the additional hole.
Both. Both are the same
What are there for Samsung or TSMC?
I don’t know, I said as much in my post.
Shouldn’t we ask the same question about products from the U.S.?
Yes, we should be asking that for all suppliers.
We dont have to ask that question, because we already KNOW that the US mandated manufacturers to put backdoors into commercial and consumer hardware for years. So we have got “guaranteed to be a threat actor” vs “maybe a threat actor” hmmmm idk man, seems like an easy choice.
Chinese law mandates that businesses do intelligence gathering and that all encryption has a backdoor. So the question you should be asking is do you want to support a government that openly slaughters those who oppose it and use slavery to lower labour prices, or do you want to support China?
Yes, that is highly likely. That’s why I’m always surprised that it’s almost exclusively Chinese products that come under suspicion in public debate. Not that we shouldn’t have safety concerns here as well, but it’s exactly as you say: With U.S. products, it’s at least just as appropriate to fundamentally distrust the manufacturers, especially since the country is obviously ruled by a criminal regime that has absolutely no scruples and blackmails other countries with everything at its disposal.
Its not that complicated. “China bad, US good” is the mantra of all the politicians in the west. Even with Trump in power going crazy they are still loyal dogs for the US.
Bro have you been reading the news? The West basically hates America right now. Actively ramping up funding arms and software intiatives to de-american their supply chains.
Ah yeah thats why they keep exempting all the big tech companies from privacy laws and why we keep doubling down on US fossil imports despite the obvious need for more renewables.
The EU populations hates the US, but the leadership is still very divided.
Yes, and the reason for that is lobbying, aka corruption.
This clearly illustrates the extent to which our politicians are selling out the interests of citizens for their own gain. Right now would be the ideal time to finally promote digital sovereignty, especially since products that don’t come from China or the U.S. could use that trust as a selling point. Unfortunately, however, everything remains the same because our politicians allow themselves to be bribed by criminals in the U.S.
You dont burn your hardware backdoor on RAM marketed for gamers.
If they have an exploit, they will put it in hardware targeted for servers and workstations/notebooks for corporations
Or everywhere. So they dont seem different apart from marketing and packaging.
Um, what guarantees it now? Everything’s made in China.
And you weren’t worried about Peace and Democracy USA??
https://en.wikipedia.org/wiki/Clipper_chip
Oh I’m sure they learned their lesson then!
Nothing, I don’t know what (if any controls) are in that now. I do know Benn Jordan did a video about the robot dogs the other day and they had HUGE backdoors and security implications that go back to servers in mainland China. That’s what prompted my reply. I don’t trust any of my equipment to be unadulterated anymore but where there is a history of having backdoors in place, I am extra leery.
Yeah, I am worried about the US, whether it be from the supplier of the chips, the os, third party applications, or my ISP, I can almost guarantee there is someone in my network who shouldn’t be. I don’t have to like it or make it any easier for there to be more of them though.
Motherboard maybe, but not on a stick of ram. A lot of work for something easy to notice.
On RAM? I’m not aware of any. I’m sure you could implement something, but I feel like it would have to be really, really specifically targeted to go unnoticed.
As much gurantee as there is with other suppliers, none.
But random foreigners are of less interest to the chinese government than we are to our own governments.
Yeah, I don’t know how it compares to other oems. It was meant as more of a curiosity than an accusation.
It’s an economy of scale though, with more data to pull from, you are more likely to get something interesting. On the flip side, you also increase your chances of getting caught.
Again, I am coming from a place of ignorance here. This is not my wheelhouse.
Would they really gain any info they can’t buy from facebook or reddit?
Unless you work on top secret projects its a pointless thought exercise until we have some sort of meaningful privacy enforcement