
YubiKey 4C - ta_dhee
https://www.yubico.com/product/yubikey-4c/
======
escapologybb
I REALLY wish it were possible to use one of these devices without using your
hands. I'm quadriplegic and would love to use one of these to unlock my
computer, bank passwords etc etc. But you have to touch a finger to almost all
of them to trigger the OTP, or whichever authentication and they happen to be
using. I would absolutely love to be able to lock and unlock my Mac without an
able-bodied person helping me, because really what is the point of me having a
password if I tell it to a third party?!

Obviously the vast majority of people who use these devices are able-bodied
and are able to use them as designed, but if somebody solves this problem
there really is a market for it. They are great products, and if it weren't
for this one stumbling block I would definitely be using them in my daily
life. The inside of my laptop is the only privacy I have, and being able to
have complete control over the locking and unlocking of it would be amazing.

It would be great if Apple made it possible to use the accessibility software
on the login screen, that way I could tap in my own password but you can't use
the accessibility software until you are inside the OS. Grrr.

Anybody got any ideas about how I could solve this, or any direction I could
investigate?

(Sorry for mildly hijacking the thread, but thought it was somewhat relevant)

~~~
Cenk
You could buy an Apple Watch and use that to unlock your Mac based on
vicinity: [https://support.apple.com/en-
us/HT206995](https://support.apple.com/en-us/HT206995) Only works on newer
MacBook though.

~~~
gcb0
1\. enter company you don't work at and steal laptop at lunch hour

2\. walk to cafeteria with laptop that looks like any other. let owner watch
unlock it for you.

3\. profit!

4\. optional, return laptop before lunch is over for full stealth.

~~~
mattnewton
There are a lot of attacks one can imagine when you have physical access to
hardware inside the building. Why not just boot to a thumb drive and install
malware?

~~~
dingo_bat
Because the computer is locked?

~~~
pmoriarty
There have been successful attacks on locked macs via the thunderbolt port.

I'm thinking of one in particular which I can't find at the moment, but I
remember seeing a really fantastic video where one guy described in detail how
he reverse engineered the mac thunderbolt interface and was able to flash
malware bootcode on to it even when locked. Once that malware was installed,
it could do pretty much anything, including get encryption keys to your hard
drive, intercept all keystrokes, etc.

If anyone has a link to that, please post it here.

Also, there this:

[https://news.ycombinator.com/item?id=7123121](https://news.ycombinator.com/item?id=7123121)

------
IgorPartola
Until these things work well with phones, I can't buy into them. I have a U2F
key that I use as a shortcut for accessing things like Google's services. But
I am sticking to always using either Google Authenticator or SMS, if it's
available, as a primary option. When I am looking at a website in bed on my
phone, and my YubiKey is in my laptop downstairs, I can't say I am happy that
I can't access my account.

I think the form factor for these things is just wrong. I don't always have my
keys with me. I do have my phone much more frequently. Even more frequently I
have things like my Pebble. Maybe some kind of NFC interface with a wrist
watch would be a better alternative.

~~~
ci5er
I think I'm not understanding the problem. I have cloned keys (for backup +
two locations), with Yubico Authenticator. Is the problem NFC on iOS or that
you don't want to clone your keys?

~~~
IgorPartola
My problem is that while I can reasonably guarantee that my YubiKey will be
near my laptop when I use it, I generally can't guarantee that my YubiKey will
be near my phone or tablets when I use them. I also don't really want to keep
plugging in a physical key into my phone every time I want to log into, say,
American Airlines to check the status of my flight, or into PapaJohns.com
every time I want to order a pizza.

NFC makes this a little easier, but I still usually don't keep my keychain
(that is my physical keychain with my house and car key) on my nightstand,
while I do keep my phone there.

tl;dr: Laptop + 2nd Factor = YubiKey. That's OK and it works.

Phone/tablet + 2nd Factor = ???

~~~
ci5er
Makes sense. Thanks. It seems as if what I would consider "natural usage" is a
bit different than yours. I don't use my phone to access anything critical --
the attack surface is too big and changes too rapidly (sometimes outside of my
control) for me to keep track of -- and I wouldn't worry about safety when
checking a flight.

~~~
IgorPartola
I consider most things critical. I treat my dating profile or my HN
credentials the same way I treat me main email account's credentials.

------
NikolaNovak
Do they work any better on iPhones?

\-----

I decided couple of months ago to secure entire family. Bought half dozen
Neos, worked out all the kinks on my computer + Android phone first, put
everything in LastPass (I know, I know, I know... but you have to consider the
target audience ;).... only to discover on "go-live" that my wife's iPhone 6s
is bloody useless with the thing. Apparently iPhone doesn't fully grok NFC or
something? Not sure... :-/

~~~
Freak_NL
Apple decided that users cannot use the NFC chip in it except for Apple Pay
(for the foreseeable future). You don't really 'own' an Iphone in that sense.

~~~
NikolaNovak

      users cannot use the NFC chip in it except for Apple Pay 
    

That... boggles my mind :-O

Thanks for the info. My wife is unfortunately locked into iPhone due to work
standard, but something to keep in mind long-term.

~~~
nickik
For U2F at least, Bluetooth solutions should be arriving. If Yubico does its
on (they have said that they are working on it) they might additionally let
you use the OTP stuff.

That said, LassPass says that when Firefox supports U2F, they will also try to
support it. So maybe the OTP stuff is not that important.

Dashlane Password Manager already supports it.

------
tptacek
Note that this isn't just a U2F key; if you're looking for a token principally
to log into web services with, this isn't what you want, and the token that
does that costs less than half as much (it's the U2F-only token).

You want a Y4 if:

* You SSH into sensitive machines.

* You log into a VPN that you control and can configure to use the Y4.

* You're actually relying on PGP.

~~~
StavrosK
Does anyone have a guide on how to store an SSH key on it? I only found PGP
key guides (and I have my key on it), but not much for SSH. I also think it
doesn't do ECC...

~~~
pfg
You can use the GPG key on the device for SSH authentication through gpg-
agent. Here's their documentation[1] for this feature.

ECC keys should work, but haven't tried that (I use RSA-4096).

[1]:
[https://developers.yubico.com/PGP/SSH_authentication/](https://developers.yubico.com/PGP/SSH_authentication/)

~~~
StavrosK
Thank you, I seem to recall trying gpg-agent but I'm not sure I went anywhere
with it. Will try again.

------
avenoir
So I got one 4 months ago and quickly found out that I understand next to
nothing about it. I really thought it was going to be a plug-n-play solution
but it was far from it. It took me nearly an hour to get my google account
setup to use it. For some reason the little wizard thing on Google that
"syncs" your yubikey was giving me trouble. After I finally got that part
working i pretty much forgot about the whole thing. I had plans to also use it
with KeePass in addition to Google but after reading that you basically have
to hack this thing to work with both I pretty much decided it wasn't worth the
effort. It's really sad how great this little thing is and how much of a pain
it is to actually get any use out of it.

------
buddylw
I don't think that the people complaining about the price of this key
appreciate all that it can do. Most of those people would probably be better
off with the cheaper FIDO U2F Security Key.

I haven't found anything else that manages RSA Keys, TOTP auth and U2F in a
single package. I'm going to buy this because it plugs into my pixel phone and
it seems like it'd be more secure and convenient than my current Neo with NFC.

~~~
tptacek
Annoying nerd pedantry: It's only sort of doing TOTP (Yubikeys don't have
batteries, so need a software client to provide the clock), and on a slack
with almost 300 crypto nerds in it, I don't know any of them that use the Y4
for TOTP (I'm preparing myself to be surprised in a minute when someone there
reads this). TOTP is something you do on your phone.

~~~
moreentropy
TOTP with Yubikeys is great. You just need the Yubico Authenticator app to
access the TOTPs. Works fine on phone using NFC as well as on my (Linux)
desktop using USB. New phone? Install YK Authenticator, tap the YK and use
your TOTPs.

~~~
nickik
How do you do TOTP on linux with your Yubikey? I keep using my phone.

~~~
moreentropy
Yubico Authenticator for Desktop:

[https://www.yubico.com/support/knowledge-
base/categories/art...](https://www.yubico.com/support/knowledge-
base/categories/articles/yubico-authenticator-download/)

If you're on Ubuntu you can use the package yubioath-desktop from this PPA:

[https://launchpad.net/~yubico/+archive/ubuntu/stable](https://launchpad.net/~yubico/+archive/ubuntu/stable)

------
jupp0r
Until there's a YubiKey 4C nano, I'll wait. Having something of that size
sticking out of my computer is not really practical. Not having it inserted
defeats the whole point.

~~~
treve
I'm kind of wondering what the benefit is over having something like Yubikey
at all instead of something that's just software when you just leave it in all
the time.

~~~
tptacek
Your computer can in theory get owned up without you losing your SSH or VPN
keys, even if your keystrokes are logged.

~~~
homakov
Get owned = SSH is hikacked = I don't need your keys and can run any commands
on your behalf.

This thing might protect from keyloggers but useless against proper malware
that just waits for you to authenticate.

~~~
nickik
If your SSH private key is on the Yubikey then you will not lose your private
keys. Even in the case of U2F, the attacker will not figure out your U2F
private keys or even all the places you are registered.

~~~
tptacek
His point, which is correct, is that you'll persistently lose access to your
server anyways, because a backdoored SSH client is almost as bad as a
compromised key. I use a Y4 for SSH, but it's good to be clear-eyed about the
limitations.

------
jgrahamc
Why are Yubikeys so expensive? I have one and use them but the price always
gets in the way of having more.

~~~
nickik
They do lots of stuff. A YubiKey 4 has GPG Smartcard, U2F, PIV (SSH,CA,
Windows Remote Login), Static Password, Yubikey OTP, Challenge Response Mode
(HMAC) and HOTP. It does a lot of stuff, I am amazed how cheap they are.

Pure U2F sticks can be done much cheaper. The Yubikey one only costs 18$, but
the U2F standards was designed for cheap devices. You can get U2F sticks for
less then 10$ on amazon.

~~~
rconti
Yup. they're a bargain compared to most solutions

------
abhv
alternative is u2fzero, available on amazon for 8$, and totally open source.
the difference is that yubi uses an nxp secure coprocessor, whereas the
u2fzero uses atmel. there is the possibility of side-channel attacks on the
u2fzero.

but for your family, it is better than nothing and much more cost effective.

~~~
Freak_NL
> […] there is the possibility of side-channel attacks on the u2fzero.

Interesting. How does that work? Have you any references to that?

~~~
abhv
The Atmel chips do not claim that they have implemented counter-measures for
power analysis, etc. Power analysis on a key operation is a dangerous attack
if proper counter-measures are not taken. You can literally read off the 0/1
of each bit of the key as the key operation is underway if you monitor the
power/timing.

The NXP chips inside the yubikey claim to be hardened against several such
attacks (although I have not confirmed).

NXP is a cagey company. For example, I am a researcher, and I wanted to get
the yubi-key's unlocked to write and test new u2f protocols on their hardware.
They wouldnt sell me development keys, and claimed that the restriction was
placed on them by NXP. I wrote half-a-dozen requests to the NXP people, and
they never replied.

------
hollander
I have a Yubikey, but almost never use it. I still don't get it fully, don't
have a use-case where it totally works for me. Having one key is maybe part of
the problem. If I lose it, what then?

~~~
tptacek
Some people will tell you to buy two Yubikeys and leave one as a backup. I
don't think that's necessary. No matter what, you should generate a backup
software key and keep it on offline encrypted storage; if you lose the token,
just use the backup key until your replacement arrives.

It's even easier for Github and Google Mail. For web services, the right stack
is:

* Hardware U2F token

* Backup software TOTP (Duo or Google Authenticator or whatever)

* Backup printed (or saved on offline USB key) passcodes

* Disabled SMS.

Unlike SMS, which is devastating to security even as a fallback, having a
software TOTP option is basically fine; most of what U2F buys you is
unphishability. This leaves you with two levels of backup, one of which is
reasonably secure indefinitely.

~~~
danjoc
Can you disable SMS on google? I've tried and have been unsuccessful. Phone is
required to enable 2FA. Once that is enabled, I can add yubikeys. After adding
yubikeys, I am unable to remove phone as a 2FA alternative.

~~~
pfg
It's possible to disable SMS-based 2FA. Perhaps you need another backup option
before you're allowed to remove the SMS option. In my case, I was able to do
it with two U2F keys, TOTP and backup codes enabled.

You might need to remove it as an account recovery number as well. Those can
effectively downgrade your login to one factor.

~~~
danjoc
>you need another backup option before you're allowed to remove the SMS
option.

This was the answer. Google prompt isn't allowed with hardware tokens. Backup
codes evidently don't count. So the only way is to set up Google Authenticator
on a phone. Authenticator from f-droid works. After I set up Authenticator, I
no longer got the "Something went wrong. Try again" toast when trying to
delete the sms number.

Edit: Just realized what Yubico Authenticator is for :)

------
esseti
I've a yubikey4 but i'm not sure how/why i should use it. I get the 2FA case,
where it provides the One Time Password to login in some services, sort of
what the phone does with the authy app (or am I wrong?). But, what about the
ssh access? Should the key be used to decrypt the ssh key when accessing a
server? so that, if i grab anycomputer i can login on my server if I've the
yubikey with me? if so, how should this work and how can I set it up?

~~~
pfg
You can actually store the key you use for SSH authentication on the Yubikey
[1]. The main advantage is that the key never leaves the device, so even if
your computer is compromised, your key is still safe.

Same thing goes for anything else involving GPG keys - email, signing git
commits or tags, software releases, etc.

I don't personally use it for OTP. I do use it for services that support U2F
(which is different from OTP, and has the main advantage of being immune to
phishing).

[1]:
[https://developers.yubico.com/PGP/SSH_authentication/](https://developers.yubico.com/PGP/SSH_authentication/)

~~~
esseti
i'll give it a look. the potetntial of this device is still not clear to me.

------
_joel
Is it still closed source?

~~~
bogle
Yes, still closed source.

~~~
_joel
/me closes tab and gets on with day :)

[edit] Interested to know why people find the need to downvote this, I asked a
question and got an answer. Please enlighten me so I don't err again.

~~~
Freak_NL
> /me closes tab and gets on with day :)

Rude dismissive instant messaging language, that doesn't contribute anything
to the discussion.

This wouldn't have received any downvotes:

> Ah shame. That's a deal breaker for me. Having open source programming on
> the device itself is a must-have for me because of [insert reason].

~~~
_joel
Thanks for the clarification, I didn't think/mean it to be rude/dismissive but
I can see how that was taken.

I'll refrain from inserting IRC commands in future too :)

------
bergie
Great to have a USB-C option available, though bummer they didn't include NFC
in this one

------
ruimarinho
Here's my hands-on review with the new YubiKey 4C:
[https://news.ycombinator.com/item?id=13637771](https://news.ycombinator.com/item?id=13637771)

------
baccredited
Do any of these RSA alternatives have an LCD display showing the id? Our work
computers are locked down and USB is not an option.

~~~
drewg123
The OTP functions basically as a USB HID keyboard. So you can plug it into
something that is not locked down (like a phone or tablet), and then just copy
the code.

The drawback is that the code could be _long_. A few years ago, the codes were
just 6 digits. My latest nano spits out a very long (20 char?) alpha-numeric
string.

~~~
pmoriarty
I wouldn't mind a 20 char string. I regularly type passphrases significantly
longer than that.

------
serg_chernata
It looks neat, can someone share personal experience or recommendations? Is
this worth it? Is there a better alternative?

~~~
simias
I use a Yubikey 4 with the GnuPG smartcard applet to secure all my password,
sign my emails and connect to remote computers with SSH. It's super convenient
and I'd never go back.

That being said I got a bit concerned about the use of closed source
components in newer yubikeys (I believe that the yubikey 4 is open source and
the later ones aren't, but don't trust me on that).

For this reason I also bought a nitrokey as a backup. It's a bit slower than
the yubikey (I use 4096bit keys) but it works well. I really don't like the
plastic cap on the nitrokey though, I feel like I'd lose it within a week if I
started using it as my main key. The Yubikey doesn't have any protection at
all but it looks sturdy enough that it doesn't really matter. It's been on my
keyring for months and it seems to handle the abuse just fine.

~~~
jordskott
To be honest, Yubikey was never really open source. Sure, they open sourced
_some_ compomnents before but you coulnd't do anything with the source.

------
crusso
I was just looking around yesterday for a programmatic way to encrypt/decrypt
a file with a USB fob. I used an Aladdin fob a while back for a similar
project. The encryption was symmetric but the fob kept the key and it couldn't
be exported - so it was safe enough for my application.

Is this Yubikey capable of something similar?

~~~
wyager
You could do OpenPGP encryption. It will generate a symmetric key, encrypt the
data with it, and then encrypt the symmetric key for the yubikey's pubkey.

------
mrmondo
I wish you could use these with macOS's CoreStorage to unlock FileVault 2's
full disk encryption in combination with a password. I wonder if it'll be
possible at any point...

~~~
MikeKusold
I've done OSX authentication (mainly adding 2FA to the login screen), and
Apple doesn't provide any mechanism to interact with unlocking FileVault.

However, with the Yubikey you can type in your password, then have the Yubikey
enter your static password. That way you sort of get 2FA for the unlock
screen.

------
chrisacky
I bought a HyperFido but it just doesn't work on Ubuntu...

Was expecting to be able to use it to log in to Google using their 2FA key..
but only works on Windows from what I can see...

Anyone know anything about this?

~~~
nickik
Probably a udev problem, you need:

[https://developers.yubico.com/libu2f-host/](https://developers.yubico.com/libu2f-host/)

or maybe even better:

[https://github.com/amluto/u2f-hidraw-
policy](https://github.com/amluto/u2f-hidraw-policy)

On the Yubikey its also possible to deactivate individual modes. If somehow
U2F mode was disabled, it should not work anywhere, but if you don't use the
other modes, maybe deactivate them. In earlier version there were some
problems.

Probably its the first one.

------
tckr
Make the price $5 and these will sell.

~~~
nickik
These keys will never be $5 but pure U2F only keys are almost already there.
You can get U2F keys for 8-10$ already.

------
Nullabillity
Kind of useless to have a C-only device this early. An A/C-hybrid would be
much more useful, like Kingston's MicroDuo[1] series.

[1]:
[http://www.kingston.com/us/usb/personal_business/DTDUO3C](http://www.kingston.com/us/usb/personal_business/DTDUO3C)

~~~
kentiko
It's an authentication key, not a flash drive.

~~~
michaelmior
The same point still applies.

------
philip1209
They appear to be sold out already.

------
ionised
What are the current alternatives to Yubikey?

Preferably looking for something open-source and in no way associated with
Google.

~~~
rogerbinns
I haven't used it, but Trezor looks interesting, and there is a Trezor 2
coming soon. [https://trezor.io/](https://trezor.io/)

The sweet spot is for Bitcoin wallets, but it does the other stuff (U2F, ssh,
gpg, passwords). Hardware is interesting. Everything open source. You can add
your own "apps".

U2F: [https://blog.trezor.io/secure-two-factor-authentication-
with...](https://blog.trezor.io/secure-two-factor-authentication-with-
trezor-u2f-e940fd5a60af)

~~~
nickik
I use both this and Yubikeys.

The external screen add even more security and that is very cool. UAF/U2F both
have support for external monitors in the protocol, so its really good
security.

The ssh/gpg stuff is less advanced then that of the Yubikey, all guides
suggest running some special scripts. With the Yubikey you can set it all up
so this is not needed. Maybe this works with the Trezor, but I didn't find any
guides for this.

I really want Trezor to support UAF as well, given that it has a PIN entry
system, this should work.

If you need a Bitcoin Wallet, Trezor is cool, if you want a tool primary for
login (U2F/OTP/TOTP), a Yubikey is preferable.

------
eecc
I still don't get how people are ok using these things without a fingerprint
reader...

~~~
bogle
Wouldn't that make it 3FA? I'd need my password, my physical key _and_ my
fingerprints?

~~~
JumpCrisscross
One could then argue the Google Authenticator app running on my iPhone is 3FA,
as one needs to be able to unlock my iPhone to access it.

~~~
falcor84
I would definitely argue that it's 3FA.

* Something you know - the service's password

* Something you have - the phone with the authenticator

* Something you are - your fingerprint

EDITED - formatting

------
Sir_Cmpwn
Remember that closed source security-related products are a complete joke and
you should spend your money somewhere else.

~~~
KirinDave
Reminder that open source projects are not provably more secure, nor is it
easy (or even possible in many cases) to assert the source you see made the
binary in question.

Yubikey has been around a long time and has made every effort to be a
transparent company with a support for open source. Truth is, that is
sometimes hard to do.

I found this article rather interesting, back when it first came out:
[https://www.yubico.com/2016/05/secure-hardware-vs-open-
sourc...](https://www.yubico.com/2016/05/secure-hardware-vs-open-source/)

~~~
Sir_Cmpwn
I've seen that article and it's a heap of crap. There's no reason they
couldn't make the firmware read-only so you could verify it, then publish the
source to audit and verify against.

>Reminder that open source projects are not provably more secure, nor is it
easy (or even possible in many cases) to assert the source you see made the
binary in question.

I can (and do) read the code for security-related software, and I can at least
check for obvious backdoors and flaws myself. With reproducable builds it is
possible to assert the source you see made the binary in question (and
security related software _must_ support reproducable builds for this reason).

If you want to convince yourself the product is secure, that's up to you, but
it's not.

~~~
KirinDave
You obviously didn't read the article. There is no way for you to actually do
that. And the secure platforms themselves have NDAs around their specs and
software tooling.

So yeah, there is a reason they didn't do that. The hardware they're using
specifically makes it difficult to do the verification you want to do. Which
is directly related to foiling the kind of attacks they want to foil.

> If you want to convince yourself the product is secure, that's up to you,
> but it's not

I think we have the same goal, but you have a conviction that open source
stops "obvious back doors." It in no way would help that at all in this case.
The hardware is configured before it is shipped, then locked in a way designed
to prevent rewriting or inspection. You have no rational basis for the belief
that the source code on a website and the binary a malicious and deceptive
actor would deploy to the hardware are the same thing.

Being open source only affects the way security auditing can be done. It
doesn't guarantee better quality.

~~~
Sir_Cmpwn
I have read the article, several times, thank you very much. Don't take the
easy way out by dismissing the opposition as ignorant.

>So yeah, there is a reason they didn't do that. The hardware they're using
specifically makes it difficult to do the verification you want to do. Which
is directly related to foiling the kind of attacks they want to foil.

Then they've chosen the wrong hardware. This doesn't make it more secure, it
just explains why their product is _insecure_.

>I think we have the same goal, but you have a conviction that open source
stops "obvious back doors." It in no way would help that at all in this case.
The hardware is configured before it is shipped, then locked in a way designed
to prevent rewriting or inspection. You have no rational basis for the belief
that the source code on a website and the binary a malicious and deceptive
actor would deploy to the hardware are the same thing.

I already addressed this - reproducable builds. I don't have to take anyone's
word for it.

~~~
KirinDave
> Then they've chosen the wrong hardware. This doesn't make it more secure, it
> just explains why their product is insecure.

If the hardware is more resistant to hardware and software attacks, it seems
odd to then deem it less secure just because you don't get source code that
isn't guaranteed to correspond to a given binary.

> reproducable builds

There's so much literature on how this methodology fails, some of it quite
famous. There is no assurance that your device conforms to the build you can
reproduce, unless you can arbitrarily inspect the state of the entire device
at each step. Being able to do that would defeat the purpose of these devices.

~~~
Sir_Cmpwn
>If the hardware is more resistant to hardware and software attacks, it seems
odd to then deem it less secure just because you don't get source code that
isn't guaranteed to correspond to a given binary.

It may be, but there's no guarantee it behaves the way it claims to. There's
no guarantee it's not backdoored. There are powerful actors involved in these
areas.

>There's so much literature on how this methodology fails, some of it quite
famous. There is no assurance that your device conforms to the build you can
reproduce, unless you can arbitrarily inspect the state of the entire device
at each step. Being able to do that would defeat the purpose of these devices.

Care to cite some of this literature?

~~~
KirinDave
> It may be, but there's no guarantee it behaves the way it claims to. There's
> no guarantee it's not backdoored. There are powerful actors involved in
> these areas.

It renders your point about source code moot though, doesn't it. Security is
ultimately the art of trust propagation.

> Care to cite some of this literature?

The most famous discourse here is the "untrustworthy compiler problem." Most
famous citation is by none other than Thompson:
[https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...](https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)

Trust chains are their weakest link, and people often put a lot of trust in
compilers without really asking what it is doing. Not unlike crypto, we're
told not to roll our own.

People have proposed ways around this, but they're not very good
([http://imgur.com/a/BWbnU#0](http://imgur.com/a/BWbnU#0)). The moral of the
story is that at some point, you extend trust to someone. Security is never
absolute.

~~~
Sir_Cmpwn
>It renders your point about source code moot though, doesn't it. Security is
ultimately the art of trust propagation.

I don't see how that follows. If I can audit the source code and confirm that
the same code is running on the device, the weak link is reduced to my ability
to aduit it (combined with everyone else who's auditing it as well and might
publish their findings).

>The most famous discourse here is the "untrustworthy compiler problem."

I thought this might be what you're talking about, but this is ridiculous. Do
you really think that the Yubikey folks have backdoored my copy of gcc? Dude.

~~~
KirinDave
> the weak link is reduced to my ability to aduit it (combined with everyone
> else who's auditing it as well and might publish their findings).

And if the hardware itself has microcode that overrides your code?

> but this is ridiculous. Do you really think that the Yubikey folks have
> backdoored my copy of gcc?

Actually, I think the first and foremest threat would be, "Could someone
insert a yubikey into a malicious device that changed its behavior such that
it now leaks information and does not provide actual security."

Because those kinds of attacks actually exist. Ultimately, what you're arguing
for is the pleasure and moral superiority of being able to do that audit. Not
only does that audit not give you many guarantees, but giving you the ability
to do that audit opens you up to much more sinister attacks.

~~~
Sir_Cmpwn
>And if the hardware itself has microcode that overrides your code?

Hard to defend against this, but it can be helped by using well understood
architectures and letting us confirm that the microcode being run is the same
microcode that the upstream CPU vendors are publishing.

>Actually, I think the first and foremest threat would be, "Could someone
insert a yubikey into a malicious device that changed its behavior such that
it now leaks information and does not provide actual security."

I'm not going to keep entertaining this discussion if you keep disregarding
everything I've already said. I've already said I'm only asking for _read-
only_ access. In any case, defending against physical compromise is close to
impossible anyway.

~~~
KirinDave
> if you keep disregarding everything I've already said. I've already said I'm
> only asking for read-only access.

And I've addressed that.

> In any case, defending against physical compromise is close to impossible
> anyway.

This is a non-statement. I think your religion is getting in the way of
further discussion. Goodbye.

