
I don't really see what's new here, that made the author "withdraw his endorsement". It's an issue from 2014, about a device that has always been fully proprietary? Ok, so they make other devices that were in some small way open, and ran Free software. Great. But the yubikey devices have never AFAIK really been open in any meaningful sense. So, really this isn't so much yubikey changing what they do, but rather the author not understanding what these devices were in the first place?

As far as I can tell, if you got one of these in the mail, there'd be no meaningful way you could verify that it hadn't been tampered with anyway. So you'd just have to make a leap of faith, and assume it was "secure"? If you were prepared to do that, then fine, use the yubikeys. If not, perhaps you should take a deeper look at your usb mouse and keyboard too. Did you verify that your keyboard isn't running some code that might compromise your security?




Presumably if you plug a keyboard or mouse in and it starts reading /secret, somebody will notice and generally you can deny the device the ability to do that by technical means. I'll be honest, I'm not sure how open these things are at the moment, but I imagine if a device registers as a mouse, it should have limited functionality.

That said, your point is largely on the money that we're taking great faith that your computing device is secure. But at the same time, I'd put more stock into a device that handles my super secret key and attempts to make reading it and tampering impossible / unfeasible from the devices I plug it into.

Thusly, it's perfectly reasonable to care more about your yubikey than your mouse, from a security perspective.


> I'm not sure how open these things are at the moment, but I imagine if a device registers as a mouse, it should have limited functionality.

You should read all about "BadUSB". What you imagine is not the way that the world, in particular USB, actually works.


Whilst that's interesting, it's not what I was talking about and it's actually the opposite. For example, just because I can tell your device that it should read /secret, doesn't mean the computer it's plugged into will let it.

With that said, I wouldn't be surprised if you were right either, but that's going to need a different google search. Thanks for the link nonetheless.


I'm not sure how useful a keyboard that doesn't register key presses is. Even if we generally don't want it to record those key presses. The point is that usb keyboards have enough electronics in them that it's difficult to show they don't record.


I think you missed my point, which was why you're downvoted. So, yes, I want my keyboard to register key presses. That's what it's there for.

I don't want it to read arbitrary files from my system and then call home, and it's reasonable to assume and desire that the computer does not allow that to happen.


My point is still that these devices (yubikeys) have always been black boxes. Nothing has really changed.

Yes, I prefer open and Free systems. I don't like running on Intel chips, because they come with a back door monitoring chip that's hard to keep track of, especially on systems with an integrated network card. Yes, it's nice to have the PCB, hw design and code of a device whose purpose it is to "do crypto".

But I still don't see how things changed wrt. yubikey here. They have always been upfront about selling magic crypto beans so to speak: either you trust them, or you don't. There's no real transparency. There's not even (AFAIK) an easy way to know you have an actual yubikey device, and not a device that just looks like a yubikey[1] - but in fact contains different, or modified hw that does a little more than you would like. And so is the case with keyboards on which you enter your secret communication (as well as passwords and pass-phrases).

This isn't new, it's been yubikey's business model to be a company you trust to "do crypto". I still think it is much more likely that a yubikey isn't compromised than the rest of your system. And I think it does buy you some security. I'd even go so far as to say I probably trust a small proprietary system by experts, more than the behemoth that's the jvm/jdk/javacard.

I'll also note that it is probably easier to spot a yubikey "read arbitrary files from my system and then call home" than it is to spot a yubikey answering to a secret 40-digit number and disclosing all session keys it's generated up to that point, along with any private keys stored on the system. Which is the kind of thing you'd probably not want it to do, when handled by Egyptian secret police, or whomever it is you've pissed off.

[1] https://www.yahoo.com/news/report-nsa-intercepts-computer-de...



