A story delivered by CompuServe's Executive News Service newswires through my
topic-filters into the "Security" in-box caught my eye yesterday afternoon:
"OTC 09/10 1606 Violent computer chip takeovers worry officials
SAN JOSE, Calif. (Sept. 10) UPI - The lucrative trade in computer chips has
captured the attention of the state's street gangs, luring them to
California's Silicon Valley where the armed takeover of supply warehouses has
become a common occurrence, authorities said Friday."
The article includes an interview with Julius Finkelstein, deputy district
attorney in charge of Santa Clara's High Tech Crime unit. Mr Finkelstein
thinks that there is a trend towards violent robberies of computer processors
in Silicon Valley because of the high demand for these chips. One of the
reasons the chips are so lucrative on the gray market is that they have no
serial numbers and cannot be traced to a stolen lot. The chips are as
valuable as cocaine on a weight-for-weight basis, he said.
The most recent case occurred on Thursday, 9 Sept 93, when six thieves
attacked Wyle Laboratory Inc. in Santa Clara in a well-planned, precise
operation which netted thousands of dollars of Intel CPUs. Apparently the
thefts have reached one a month so far, with signs of worsening as criminal
street gangs realize how low their risks are, either of capture, successful
prosecution or sentencing.
***
CPU chips, like pennies but not dollar bills, are fungible. That is, they are
indistinguishable and equivalent. When a manufacturer buys gray-market CPU
chips, there is no way to identify them as stolen because there is no way to
tell which chips came from where and how they got there.
How long will it be before this kind of RISK to workers and loss for
manufacturers leads to a cryptographically-sound system for imposing serial
numbers on microprocessors? In this case, a unique ID could not only save
money, it could save some innocent person's life.
Could the chip manufacturers engrave a unique ID on their chips during the
wafer stage using their normal electron-beam/resist/UV/acid production phase?
Each chip in a wafer would have a sequence number, and each wafer might have a
wafer number. For such ID to be effective in reducing the fungibility of
microprocessors, each manufacturer would have to keep secure records of their
products and where they shipped them, much as pharmaceutical manufacturers and
many others do. Would such an engraved number be readable once the chip were
encapsulated? Does anyone know if X-rays, for instance, could pick up the
engraved numbers?
Another approach might be to integrate a readable serial number in the
physical package in which the CPU is embedded. Perhaps unique, IR-readable
information could be molded into the plastic or epoxy-resin package using
technology that has already been applied successfully to producing
access-control cards. Other technology that might be applicable includes the
Wiegand effect, where the orientation of ferromagnetic spicules in a plastic
matrix produces a characteristic and individual response to a radio-frequency
electromagnetic beam. Perhaps it would be wise for the industry to agree on
some standards to make it easier to read such numbers using a simple,
inexpensive technique.
How much would all this engraving and record-keeping cost? Surely the costs
would ultimately be borne by consumers; therefore, individual companies may
balk at identifiers because they could derive a short-term competitive edge by
continuing to manufacture fungible chips. In the long run, however, if theft
continues to increase, plants producing identical chips may become the
preferred targets of chip thieves.
Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn ["Mich Kabay / JINBU Corp." <75300.3232@compuserve.com> via risks-digest Volume 15, Issue 05]
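
The wafer-number/sequence-number scheme and the manufacturer's shipping records proposed above can be sketched as follows. This is an added example, not part of the original post: the HMAC-SHA256 tag, the ID layout, and every name, key and customer in it are assumptions chosen for illustration.

```python
import hashlib
import hmac

TAG_HEX = 16  # 64-bit truncated HMAC-SHA256 tag (assumed length)

def make_chip_id(key: bytes, wafer: int, die: int) -> str:
    """Build 'wafer-die-tag'; the tag binds both numbers to the maker's key."""
    tag = hmac.new(key, f"{wafer}:{die}".encode(), hashlib.sha256).hexdigest()
    return f"{wafer:08d}-{die:04d}-{tag[:TAG_HEX]}"

def verify_chip_id(key: bytes, chip_id: str):
    """Return (wafer, die) if the tag checks out, else None."""
    try:
        wafer_s, die_s, tag = chip_id.split("-")
        wafer, die = int(wafer_s), int(die_s)
    except ValueError:  # wrong field count or non-numeric fields
        return None
    expected = make_chip_id(key, wafer, die).rsplit("-", 1)[1]
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return (wafer, die) if ok else None

class ShipmentLedger:
    """Maker's records: which die range of which wafer went to whom."""

    def __init__(self, key: bytes):
        self._key = key
        self._lots = []  # [wafer, first_die, last_die, customer, stolen]

    def record_shipment(self, wafer, first_die, last_die, customer):
        self._lots.append([wafer, first_die, last_die, customer, False])

    def report_stolen(self, wafer, first_die, last_die):
        # Flag every recorded lot that overlaps the reported die range.
        for lot in self._lots:
            if lot[0] == wafer and lot[1] <= last_die and first_die <= lot[2]:
                lot[4] = True

    def trace(self, chip_id: str) -> str:
        """Classify an ID read off a chip offered on the gray market."""
        ident = verify_chip_id(self._key, chip_id)
        if ident is None:
            return "invalid-id"  # made-up or altered number
        wafer, die = ident
        for w, first, last, customer, stolen in self._lots:
            if w == wafer and first <= die <= last:
                state = "stolen-from" if stolen else "shipped-to"
                return f"{state}:{customer}"
        return "no-shipment-record"
```

The keyed tag only makes invented or altered numbers detectable; tying a genuine number to a theft still depends on the shipment records being kept and consulted.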