by zobzu 3686 days ago
This isn't about security. It's about the fact that it was open source before and user modifiable, and it no longer is. You can force wipe on flash, for example.

They clearly changed stance to ensure users cannot play with the hardware and competitors cannot copy the code. Which is fine. But it's always weird when the argument of security is used instead of being genuine.

You can copy the freaking key by removing the plastic of the YubiKey 4. You don't need a JTAG port. You just connect to the pins. And guess what: it's no big deal. You can't do that remotely and it's not a device for 007 spies.


"They clearly changed stance to ensure users cannot play with the hardware"

As per the statement (and earlier statements) you can't change the firmware unless you have a YubiKey NEO developer edition, which was only sold during 2012 and 2013. The change here is that the YubiKey 4 doesn't run open source code (for the PGP part) as a result of changing platforms. The best way to show that you support open source is to buy the YubiKey NEO instead of the YubiKey 4.

> The best way to show that you support open source is to buy the YubiKey NEO instead of the YubiKey 4.

YubiKey NEO isn't a unique product, it's basically a card reader and a Java smartcard all-in-one, but there are plenty of vendors for both, and it can probably even be cheaper in some circumstances/regions.

If you support open source, then give https://github.com/philipWendland/IsoApplet a look instead.

A separate card reader also means that you can use several smartcards for various things.

A feature the Yubi has over a smartcard is the button. You can get smartcard readers with pinpads etc., but not ones that fit into an ExpressCard slot.

I was pretty close to getting a Yubi, until I realized that the default version couldn't modify the PGP applet, and didn't find exactly where to order the special "developer edition" either.

At this point it probably makes more sense to find/make a dongle based on an STM32 or the like. The problems with non-hardened hardware discussed in the article are real, but I'd bet the features/innovation enabled by a Free design will outweigh those tradeoffs (e.g. an audit log, indication of what you're signing/unlocking, actual encrypted key material when the device is "cold").

You can still have PIN-protected stuff, both the Security Officer and the ordinary user can have them, it's part of the PKCS #11 standard, probably. Also, we were talking about the NEO.

To me it makes more sense not to do crypto yourself, but to trust in an established technology, which is a smartcard. They are used everywhere from SIM cards to chip-and-PIN credit cards.

Sure, but smartcards have traditionally fulfilled a narrow purpose: creating a notion of non-cloneable identity for some centralized top-down entity. The technology of a hardened mini computer could be applied to many other things, but the closed philosophy of the industry really hinders that. I'd love to get some samples of ST23 and create a board with an appropriate hardware UI for end-user signing, but alas this industry has not seen the light of Kerckhoffs's principle.

My problem with PINs is twofold. First, the reader required to use them in a transparent manner does not fit with the form factor of a laptop. Second, they're obviously less secure than a passphrase, relying completely on hardened hardware. If I'm willing to enter a passphrase for every session, why should I be carrying around the key in the clear?

It's a unique product in the sense that it has a nice form factor and holds additional functionality for more mainstream uses. I have a number of these devices, including the external card reader, the USB key card reader and the integrated rubber USB key. Everyone can decide what they want of course, just don't be surprised when they discontinue the NEO.

If you read between the lines of how it went from closed, to very open, to less open, to now not open at all, it seems like they tried open source but failed. They were probably looking for people to integrate it into some e-mail client, chat application or even Bitcoin wallet. Now they've gone back to focusing on their core customers and using a cheaper, more integrated chip.

Point being that if you support open source, then Yubico isn't your champion. They failed in the sense that it harms their business, not much more than that.

> just don't be surprised when they discontinue the NEO.

I'd say that Yubico isn't a big deal, therefore them discontinuing the NEO isn't a big deal either.

If you care about crypto you should probably care what happens to the most appealing device out there, and if you care about open source you should probably care what happens to companies that make open sourcing part of their business.

This is getting nowhere, so let's stop. It's one of those "let's agree to disagree" moments. I certainly don't find the YubiKey particularly appealing and you already said that they "failed" when it comes to open source, which I agreed with.

Feitian has a similar product with known keys and running JavaCard in the form of a USB token: http://www.ftsafe.com/product/epass/eJavaToken . Also much cheaper than the YubiKey, see http://javacardos.com/store/smartcard_eJavaToken.php . No NXP proprietary stuff on it and no NDA required either.

I did visit their site some weeks ago, but I'm not a fan of bundling a card reader with a card like that. It's better to buy a separate card reader; Java cards themselves can go for as low as $2 each, maybe even cheaper.

NXP is just one of many vendors, and they sell blank Java cards too.

EDIT: $25 shipping fee is very inflexible.

I use PGP on my mobile devices too, and I would prefer something I could use for both my phone and my computer. The NEO would have filled that role. In my research I haven't found anything like that so far. I would love to be enlightened though if anyone knows about something that can do the same!

If your phone has an NFC interface, then in theory it should be possible to access contactless Java smart cards.

https://github.com/doc-rj/smartcard-reader

https://play.google.com/store/apps/details?id=com.inoapp.car...

Other than that there are Java cards in microSD format such as these:

https://news.ycombinator.com/item?id=9625862

http://www.cardomatic.de/epages/64510967.sf/en_GB/?ObjectPat...

Then there's also the shaky area of PKCS #11 proxies.

> You can copy the freaking key by removing the plastic of the yubikey4

Any more information available? Googling for "yubikey 4 takeapart" got me nowhere.

The plastic dissolves in acetone. This is a NEO, not a 4: http://www.hexview.com/~scl/neo/

Found that link, though even after getting the NEO's circuit board exposed I didn't think it was as simple as "connecting the pins and reading the key out". OP also specifically says YubiKey 4 :)