[sigmar]

>They say they are increasing the security by things like this: disabling user-loading of new firmware (which could be a bad actor loading bad firmware), using hardware with built-in side-channel countermeasures, and disabling JTAG ports (which could be used for key extraction).

Are all of those listed features only possible with secret code? And if yes, once someone unobscures the code or methods, they'll be able to defeat the security. Isn't that the exact definition of 'security through obscurity'?

[pritambaral]

I think what Yubico meant is that they aren't closing code for the sake of closing code, but since it can't be loaded onto the devices anyway, there's no need for the code to remain open.

[sigmar]

Oh. Now I'm reading davideous' comment much differently. But the title of the blog post (ie "vs") makes it seem like they aren't making it open source so that the hardware is secure.

[davideous]

Yes, pritambaral described what I'm trying to point-out.

In think the "vs" in the title is saying this: they had to choose between open source (that is functional meaning you can really use the code and re-flash the device) and the secure hardware. It was a trade off of one "vs" the other, and this is their reasoning behind that trade-off.

[sigmar]

Open source doesn't necessarily mean that you can put it on the device. I'm sure a lot of Yubico's critics would be happy with seeing the code even if it can't be flashed.

[davideous]

Yes, it would technically meet the Open Source Initiative's definition (https://opensource.org/osd), but if there was no way to re-flash the device, no way to verify the binary on the device, or possibly even no way build a binary (which may require proprietary tools under NDA from the chip manufacturer) -- I think a lot of critics would still be critics, but I could be wrong.

If Yubico did this it would be very interesting to see the reaction.

[jevinskie]

It would allow a third party to discover a vulnerability similar to the one in the Neo just by just reading the code.

[mavhc]

The general issue is when all hardware has software in, in the end it has to be open source. Going even further: The distinction between hardware, firmware, and software is logically irrelevant in terms of trust.