
Tell HN: Somu is live. Tiny, FIDO2, open source security key - ecesena
Somu is live on Crowd Supply [1].

Somu is the micro version of Solo [2]. We were inspired to make a secure Tomu [3], so we took its tiny form factor, we added the secure microcontroller and firmware of Solo, et voilà! Here we have Somu.

(clickable links in comment)
======
ecesena
(links)

[1] [https://www.crowdsupply.com/solokeys/somu](https://www.crowdsupply.com/solokeys/somu)

[2] [https://solokeys.com](https://solokeys.com)

[3] [https://tomu.im](https://tomu.im)

------
jack12
Hmm, that $100K stretch goal is pretty much required for me to be able to use
this instead of a yubikey. I wonder how likely it is to be met?

The whole "we have to avoid GPL3 code so we're able to keep 'normal' people
'safe'" angle feels pretty icky. But I know lots of people believe in the
whole 'trusted' movement. And I suppose having a 'hacker' version /available/
is at least a bit better than what yubico offers.

~~~
amluto
Unfortunately, it’s not totally nuts. Designing a system that has replaceable
firmware and retains the security properties one would want is nontrivial.
Malicious software should _not_ be able to reflash the device without genuine
user consent, and any reflashing should wipe all key material. They could do a
JavaCard-like thing where different apps have different security domains, but
that needs either hardware help or complicated software.

IIRC Chromium OS has a little washer that can be physically removed to allow
end-user rekeying. Without that washer removed, if you put it in dev mode, you
get a warning on the display. Doing this for a reasonable price in the tiny
form factor would be tough.

~~~
hackerb9
Tough, but not insurmountable. Especially compared to the work of
reimplementing GPG and actually having it be trustworthy. (They mention it is
harder than they thought, but they are continuing on. That says to me they
have not yet thought hard enough about it!)

Here's an idea: If you look at the metal ring on the Somu, you'll see it is
actually two separate pieces with a small gap between them. In hardware, they
are two touch buttons, but the software treats them as identical.

Maybe they could manufacture the Somu with the gap between them soldered
closed. If someone wants to put it in "dev mode", they have to first cut the
solder bridge apart.

I think that would satisfy the GPL3: user has ultimate control, but also meet
the security concern that the user might not know the implications of what
they're doing.
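
The reflash policy sketched in the two comments above (a physical touch for consent, a cut solder bridge as the only way into "dev mode", a warning once unsigned firmware is running, and key material wiped on any reflash) can be written down as a small state model. The following is an added example, not Somu's or Solo's firmware: the bridge sense line and the touch button are simulated as booleans, `VENDOR_TAG` is a constructed stand-in for a real signature check, and all function names (`reflash`, `dev_mode`, `wipe_secrets`, `boot_banner`, `run_policy_demo`) are hypothetical.

```c
/* Added example (not Somu/Solo firmware): a model of the reflash policy
 * discussed in the thread. Hardware is simulated: the solder-bridge sense
 * line and the touch button are plain booleans set by the caller. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BYTES  32
/* Constructed stand-in for a vendor signature: real firmware would verify an
 * asymmetric signature over the image instead of comparing a tag. */
#define VENDOR_TAG 0xC0FFEE01u

typedef struct {
    uint8_t  secret[KEY_BYTES]; /* resident key material (constructed value) */
    bool     has_secret;
    uint32_t firmware_id;
    bool     bridge_intact;     /* true while the factory solder bridge is uncut */
    bool     button_pressed;    /* physical touch during this request */
} device_t;

typedef enum { UPD_OK, UPD_ERR_NO_PRESENCE, UPD_ERR_UNSIGNED } upd_result_t;

/* "Dev mode" exists only once the bridge has been physically cut. */
bool dev_mode(const device_t *d) { return !d->bridge_intact; }

bool vendor_signed(uint32_t image_tag) { return image_tag == VENDOR_TAG; }

/* Zero key material through a volatile pointer so the compiler cannot drop
 * the stores as dead. */
void wipe_secrets(device_t *d) {
    volatile uint8_t *p = d->secret;
    for (size_t i = 0; i < KEY_BYTES; i++) p[i] = 0;
    d->has_secret = false;
}

/* Boot banner: the "warning on the display" idea, shown for unsigned firmware. */
const char *boot_banner(const device_t *d) {
    return dev_mode(d) ? "WARNING: developer mode, firmware not vendor-signed" : "";
}

upd_result_t reflash(device_t *d, uint32_t image_tag, uint32_t new_fw_id) {
    /* 1. Genuine consent: every reflash needs a physical touch, so host-side
     *    software cannot push an image on its own. */
    if (!d->button_pressed) return UPD_ERR_NO_PRESENCE;
    /* 2. Images without the vendor signature are accepted only in dev mode. */
    if (!vendor_signed(image_tag) && !dev_mode(d)) return UPD_ERR_UNSIGNED;
    /* 3. As argued in the thread, any reflash wipes key material before the
     *    new image runs, whether or not it was vendor-signed. */
    wipe_secrets(d);
    d->firmware_id = new_fw_id;
    return UPD_OK;
}

/* Walk a factory device through the policy; returns how many of the five
 * expected outcomes held (5 = policy behaves as described). */
int run_policy_demo(void) {
    device_t d;
    memset(&d, 0, sizeof d);
    memset(d.secret, 0xAB, KEY_BYTES);      /* constructed key material */
    d.has_secret = true;
    d.bridge_intact = true;
    int ok = 0;

    /* No touch: rejected, keys untouched. */
    if (reflash(&d, VENDOR_TAG, 2) == UPD_ERR_NO_PRESENCE && d.has_secret) ok++;
    d.button_pressed = true;
    /* Touch but unsigned image on a stock device: rejected, keys untouched. */
    if (reflash(&d, 0x1234u, 2) == UPD_ERR_UNSIGNED && d.has_secret) ok++;
    /* Touch plus vendor-signed image: accepted, keys wiped. */
    if (reflash(&d, VENDOR_TAG, 2) == UPD_OK && !d.has_secret && d.firmware_id == 2) ok++;
    /* Cut the bridge: an unsigned image is now accepted, and the banner appears. */
    d.bridge_intact = false;
    if (reflash(&d, 0x1234u, 3) == UPD_OK && d.firmware_id == 3) ok++;
    if (boot_banner(&d)[0] != '\0') ok++;
    return ok;
}

int main(void) {
    printf("policy checks passed: %d/5\n", run_policy_demo());
    return 0;
}
```

The order of the checks is the point: consent is tested before anything else, so a host cannot even learn whether an image would be accepted without a touch; the bridge state is read from hardware rather than stored in flash, so nothing a reflash writes can flip it; and the wipe happens before the new firmware id is committed, so there is no window where new code runs with old secrets.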

------
bradknowles
Is there a USB-C/Thunderbolt-3 version?

~~~
ac29
The original Solo has a USB-C option:
[https://solokeys.com/collections/all/products/solo](https://solokeys.com/collections/all/products/solo)

------
Scaevolus
Why use silicone instead of an epoxy case?

~~~
ecesena
The benefit is that we can have multiple colors without inventory mess.

For Solo we had silicone cases and decided to stay with the same manufacturer.

------
Tomte
> (clickable links in comment)

Please do it the other way around: do a regular URL submission, then add your
comments as – well, a comment.

~~~
ecesena
Don't take it the wrong way, but the intention was to keep our link visible
for a little bit of time.

Making a ready-to-manufacture hardware project takes significantly more effort
than just writing a blog post or recording a video.

Links posted in HN tend to disappear in a matter of minutes from the new and
even if you hit the front page hardly anything remains visible for more than a
day.

When we launched Solo, our Show HN was taken down because Show HN should be
something people can interact with and crowdfunding was not acceptable. We
learned it the hard way and this time around we respected the policy and
didn't create a Show HN. (For comparison, I'm just looking at Show HN now and
there are video projects, that I can't try nor interact with.)

If projects like Solo/Somu, open source, security, and implementing real-world
applications like FIDO2 don't qualify as interesting for a hacker
community, I'm more than happy to respect that and not waste anyone's time
posting. But if they do, like I think, they should have a way to be showcased
properly.

~~~
Tomte
Still, don't do it. It's against the unwritten rules. You don't get to game
the system.

Solo is interesting to the HN audience. But not more interesting than
everything else. If you truly believe you deserve special treatment, mail
hn@ycombinator.com. They can boost visibility in other ways, although I doubt
they would do so here.

And Show HNs do not disappear quite as quickly.

~~~
ecesena
Please re-read my comment; you clearly didn't:

1) Show HN can't be used because there are written rules that we're respecting

2) We don't need any special treatment

3) There's no gaming involved. There's just a form with 2 options and we chose
the most favorable for us, explaining why

I'm afraid I can't cope with unwritten rules, because there's no way for me to
guess them.

