[HN Gopher] USB armory - The open source flash-drive-sized compu...
       ___________________________________________________________________
        
       USB armory - The open source flash-drive-sized computer by
       WithSecure Foundry
        
       Author : Nokinside
       Score  : 37 points
       Date   : 2023-06-03 11:15 UTC (11 hours ago)
        
        
       | pca006132 wrote:
       | Is there any hardware tamper resistant features that can prevent
       | third-party from getting the secrets? Like things mentioned here:
       | https://www.design-reuse.com/articles/51750/why-hardware-roo...
        
         | Nokinside wrote:
          | Yes. Secure boot (HABv4) and storage (SNVS), secure RAM, ARM
          | TrustZone®, cryptographic accelerators.
        
           | nimbius wrote:
            | It depends on your threat profile and what you're protecting
            | against (and who you trust).
           | 
            | - Secure Boot: only secure so long as Microsoft and friends
            | don't leak their keys https://hothardware.com/news/microsoft-
            | accidentally-leaks-go...
           | 
            | - SNVS: is just proprietary enclaving, so implementation
            | standards matter here. Most of these are black boxes and
            | marketing.
           | 
            | - Secure RAM: is another one of these vendor-endorsed moving
            | targets. https://www.tomshardware.com/news/amd-memory-
            | encryption-disa...
           | 
            | - TrustZone: is just marketing wank for a chip's TEE
            | https://en.wikipedia.org/wiki/Trusted_execution_environment
            | and that TEE can be used _against you_ as well as for you.
           | 
            | - Cryptographic accelerators: a Cavium Nitrox is a black
            | box, same as Gemalto's. The reason these are so secure is
            | because they're expensive and the implementation and operation
            | is pretty theatrical.
           | 
            | Trust is the key component in your defense strategy, and
            | trust is based on character times competence. Corporations
            | are categorically faceless and as such embody no character,
            | only a profit motive. Zero times anything is just zero. The
            | same guys that sold you TPM might leak their keys because you
            | aren't buying enough TPM this year. No company will accept
            | fault or liability for your security incident, so don't base
            | your defense on buzzwords alone unless this is risk
            | management for C-level obligations to the shareholders.
           | 
            | tl;dr: open source security is the best security. Trust and
            | verify, audit periodically, and above all else avoid or
            | mitigate risk in any environment, no matter how secure it is
            | assumed to be.
        
             | Vogtinator wrote:
             | "Secure Boot" here is unrelated to the MS controlled one on
             | PCs.
        
       | scott00 wrote:
        | I don't get the security benefits of this device over any other
        | ARM computer. It seems like a complicated enough device that you'd
        | need to run full-blown Linux on it, and it would communicate over
        | BLE and USB. Are those stacks much more secure than the TCP or
        | UDP stacks for some reason? You'd have the benefit of nobody
        | opening random email attachments or visiting sketchy websites,
        | but the same would be true of any device treated like an
        | appliance or server.
        
         | pjmlp wrote:
          | There is a model that runs bare-metal Go on it, no need for a
          | full-blown Linux.
         | 
         | In fact, a good systems programming example, regardless of what
         | many think of using Go for such purposes.
        
       | Nokinside wrote:
       | https://www.withsecure.com/en/solutions/innovative-security-...
        
         | fragmede wrote:
         | https://news.ycombinator.com/item?id=36174359
        
       | pjmlp wrote:
        | One of the production-quality examples of using Go for systems
        | programming.
        
       | Quequau wrote:
       | Sorta weird to see this thing back in the news after so long.
       | Seems like they've gone through a revision and have been sold to
       | a larger company since the last time I looked.
        
         | markemer wrote:
          | Yeah, the USB-C version with the i.MX6 chip is much nicer, but
          | it's still been out a few years. I love mine, but it's very much
          | batteries not included.
        
       | gnabgib wrote:
        | Dupe of https://news.ycombinator.com/item?id=36174359 (also
        | posted by Nokinside??). Since that actually has content, it seems
        | like the better posting/source.
        
       | jonathankoren wrote:
        | Can we get a real write-up about this rather than a lazy link to
        | GitHub that's not even to documentation, but rather just a list
        | of repos? As it is, it's completely unclear what this is or why I
        | should care.
        
         | SMAAART wrote:
         | https://www.withsecure.com/en/solutions/innovative-security-...
        
       | ParadisoShlee wrote:
        | Did this project get bought out from F-Secure? Or is this a
        | rebranding?
        
         | noinsight wrote:
         | They rebranded and split the company. WithSecure is the
         | enterprise side, F-Secure is the consumer side.
        
       | DethNinja wrote:
        | What is the use case? I'm guessing just to store secrets, but then
        | why not just use an HSM or even a YubiKey?
        
       ___________________________________________________________________
       (page generated 2023-06-03 23:01 UTC)