
Betrusted: A Security Enclave for Humans - DyslexicAtheist
https://betrusted.io/
======
canada_dry
I almost missed that this project is supported by Andrew "Bunnie" Huang.

That alone has me very interested.

As most ycnews readers already know Andrew has made it his mission to direct
his considerable talents on projects that push up against oppression - instead
of focusing his energy on helping unicorns. I'm a huge fan/supporter of his
work (e.g. Novena, NeTV, Safecast) and will likely pick one of these up when
it goes GA.

~~~
bradknowles
And funded by NLnet. At the bottom of the linked page:

The Betrusted team is funded in part by the NLnet Foundation via Privacy &
Trust Enhancing Technologies grants.

------
russfink
A TPM is not a "secure enclave." It is a smart card bonded to the motherboard,
used for platform attestation, and some basic encryption. It provides no
enclave to speak of. (Maybe they meant SGX or TrustZone?)

~~~
dathinab
I think the word enclave is just being used in more then on way. I have seen
that "secure core" many ARM devices have being referred to as secure enclave
and secure coprocessor which both isn't quite right but people go with it
anyway.

(I mean that additional Cortex-M0/3? core which run in a super previleged mode
and often implements the EFI, DRM bs, and sometimes a TPM module)

So I guess we just have to live with it ;)

Edit: through yes secure enclave, secure element and TPM are not the same but
they have in common that the represent mistrust in the rest of the hardware.

------
grizzles
Phones are such incredibly personal devices. This should be what your phone is
but economics has made phones untrustworthy because of their complexity.

So I've always wondered why we haven't seen more projects like this.

In my opinion, they should drop the hardware keyboard in favor of a d-pad or a
few Yes/No type buttons and an onscreen keyboard. If the hardware is to be
trusted this shouldn't matter to the trust calculus. And the market has proved
the blackberry segment is niche.

~~~
sneak
My guess is that there isn’t a very big addressable market for privacy, and
hardware requires a lot of up-front investment. It has to be someone who
believes that the world will be better if it exists, not simply the highest
$/hour ROI on building it.

There is more money in surveillance, as we’ve seen, than privacy.

~~~
hutzlibu
Oh, but people care about privacy. Just not enough, to pay significantly more
money for it and suffer performance loss.

But this is also because a mobile is a black box for them, and it would give
them a big headache to try and understand that site about that phone. In the
end, for them, they still have to trust the developers, so they stick with the
ones they know by the corporations.

------
nickik
I really like the idea of using something like as a U2F authenticator that
allows me to define a additional local PIN. There are whole number of
application this would be useful for.

I strongly recommend this talk by Andrew "Bunnie" Huang it gives a lot of
background on his thinking about Open Hardware/Software:

[https://www.youtube.com/watch?v=zXwy65d_tu8](https://www.youtube.com/watch?v=zXwy65d_tu8)

~~~
ecesena
fwiw in fido2, successor of u2f, you can opt in for an additional pin on your
security key.

~~~
nickik
Yes, that was what i was referring to. Sorry if that was not clear.

------
dang
Related from yesterday:
[https://news.ycombinator.com/item?id=21891056](https://news.ycombinator.com/item?id=21891056)

Video:
[https://news.ycombinator.com/item?id=21898061](https://news.ycombinator.com/item?id=21898061)

------
morphle
36C3 - Open Source is Insufficient to Solve Trust Problems in Hardware

[https://www.youtube.com/watch?v=Hzb37RyagCQ](https://www.youtube.com/watch?v=Hzb37RyagCQ)

------
VectorLock
Bunnie's blog post has really good description of it as well
[http://bunniestudios.com/blog/?p=5706](http://bunniestudios.com/blog/?p=5706)

The FPGA is the weak link as he says. Everything else is cool (like the
physical keyboard and LCD you can inspect with a light) but you can't validate
the FPGA. I'd assume it'd be harder for a threat actor to compromise (make a
compromised FPGA would take more resources than compromising the keyboard,
etc)

------
reilly3000
This feels like the future to me. Today's smartphone platforms have given a
canonical ID to the user, and often their location. Location tracking is
starting to become a really hot issue for the general public. I think its a
gateway drug to digital security. The model of a dedicated secure device that
uses external communications accomplishes a lot technically, but also 'fits'
comfortably in the habits of millions of people. Such a device could fit right
in with phone, wallet, and keys, and it could be an ideal tool for storing
your on-the-go crypto. People trust things they can touch and can audit.

The first team that can ship a universal, secure hardware wallet that 'just
works' for $50-$150 could sell 5 million units in a year. In 7 years there
could be billions of them, selling for $10+ a unit; a consumable like a
traditional wallet.

I would keep one on my person at nearly all times, and have it replicate state
to another at home, and a third in some vault service (like a connected safety
deposit box). They devices would establish a physical pairing by creating an
irreversible key-pair on the hardware itself. The replication could be a
sequential log (like mysql binlog or git), and the integrity of that log could
be additionally verified by bringing the devices within close proximity. All
that is to say, there needs to be a secure, peer-based way to mitigate
inevitable loss, damage or theft of the physical device- without centralizing
the data or losing state. It would do well to be dummy-proof and make fun
sounds when performing the above pairing and verifying operations. Megacorps
shouldn't get to be in charge of syncing everything for us.

Let's take back the autonomy that has been stolen from us during these awkward
teenage years of a digitally-driven society, and this time let's keep it in
our own hands.

------
stevewillows
Interesting to see a mobile hardware keyboard with a Dvorak layout.

------
bawolff
Interesting. But it seems like it would add a lot of attack surface if all
these things are within the secure enclave.

------
robryk
I am confused by the threat model here. It seems that we want to assure (among
others) confidentiality of the data the user is inputting. However, I don't
think any of the planned data input channels would be hard to eavesdrop on
from the POV of the user's phone:

a) input via hardware keyboard, if the betrusted is a part of the phone case,
should be simple to eavesdrop on based on microphone and/or accelerometer
readings in the phone: different keys on the keyboard will likely be different
enough. b) input via voice can be eavesdropped on by the phone' microphone.

Do I misunderstand the guarantees betrusted intends to provide or something
else?

~~~
Iv
[https://www.youtube.com/watch?v=Hzb37RyagCQ](https://www.youtube.com/watch?v=Hzb37RyagCQ)

He starts talking about betrusted at 30:00

------
snowedin
Impressed by the practical approach the author is taking to this problem.

Please add: \- Hardware switches for RF modules as well as microphones \-
Separate RAM for baseband SOC

------
deugtniet
So as I read this, this is a device you have to carry next to your phone for
your secure communications. Sounds interesting and for the security minded, it
seems it could have some real added value. But for the average consumer it
adds a layer of inconvenience that you don't want when contacting your
grandmother. Are high powered individuals with strict security requirements
the target market for this device?

~~~
rossdavidh
Any device (or software for that matter) which makes a security one of its
selling points, is not aiming at the mass market.

------
irq-1
Could this use a software keyboard? If so, it could eventually be incorporated
into phones; I'm thinking of a SOC that takes complete control of the screen,
bus, etc...

~~~
RL_Quine
Samsung already did this with some ARM core that could get complete control.
How do you know you’re not looking at a software emulation of the secure
elements display though?

~~~
dimensi0nal
There could be an LED controlled by the secure element that indicates it has
control of the hardware.

~~~
RL_Quine
It’s a matter of training the user to look for that though.

