by wepple 1147 days ago
Maybe NitroKey are surfacing something useful and potentially concerning, but the way they do it is so cheap that it completely turns me off their brand. It’s a bunch of negativity-hype with a “so buy our phone” tacked on.

If you handed a Nitrophone to any competent security researcher, I bet they’d find a ton of issues. Same with the NitroKey; that feature list is far too extensive to not have issues.


> surfacing

IZAT NLP concerns have been known for many years now, my DivestOS hasn't included it for 6+ years: https://gitlab.com/divested-mobile/divestos-build/-/commit/a...

Aren't Nitrophones just rebranded GrapheneOS Pixels?
Yes they provide the service of flashing GrapheneOS onto a Pixel for people who are not confident enough to do it themselves. I think they kick back some of the revenue to the GrapheneOS project. It is a needed service for people who want the most secure, private, yet functional phone but not the hassle of setting it up.
I remember seeing a pen-test that was done way back in the mid-aughts that identified a bunch of vulnerabilities. It was so long ago, I wonder if they were mitigated or just given lip service.

EDIT: I found it. Pretty interesting read: https://cure53.de/pentest-report_nitrokey.pdf

This penetration test against the Nitrokey Storage firmware, as well as the Nitrokey desktop app, was performed by a team of three penetration-testers and took eleven days in total to complete. The test is part of a larger series of security assessments. In later phases, security-focused assignments will include tests against the hardware itself, alongside a detailed look into other models of the Nitrokey and its accompanying applications and tools.

So everyone is considering the same points: are you saying this with knowledge of their published audits?
I am

Edit: to elaborate, I think it’s great that they published audits; that should be a minimum baseline, but in fact it’s a fairly rare thing at this point. Also, Cure53 are no joke; they have some great people who generally do good work.

That said, having spent a decade doing security assessments in a past life, they’re point-in-time and always have a particular scope and are time-limited. A researcher or adversary has more time, a broader (in fact infinite) scope, and lacks a lot of the restrictions of a formal security assessment.

I am just sad with the modern era of marketing and PR.
It's been this way for decades, and we thought it was tacky even back then.