I like how polite Yubi and Hexview are in this exchange; a breath of fresh air from an infosec company engaging with a security company! Makes me feel like there are grown-ups both places, and that the work will help Yubi in future iterations.
Off-topic, but I came across this tweet today.

https://twitter.com/flexlibris/status/660108123487789056

> TSA at Boston airport tried to take my Yubikeys away from me to a second location "for a test". I refused & they backed off but FYI people.

If you have your Yubikeys with you while traveling, you might want to be careful.
It seems that hardware breakdowns inevitably place a 'raw materials' costing on objects broken down, often (but less in this instance) as a somewhat passive-aggressive dig at the company: "They sell it for $50, but it's only got $10 worth of components in it!"

Outside of the obvious external costs (development, transport, overheads, import, profit, etc.), PCB + tooling costs are often wildly underestimated.

For reference, a PCB of this size requires a setup + stencil template, which would run ~400 - 500 USD.

Tooling for the plastic injection mold for this piece would run around 5000 USD, and each subsequent piece would probably cost around 10 - 50c USD.

Tooling + PCBA done right have significant upfront costs that often seem to be forgotten.
I accidentally ran over my Yubikey with my Honda Accord, on a key ring with a fin key (1). I dusted it off and it works fine 6 months later. Seriously, if you're in a position where you're using a Yubikey, getting another Yubikey isn't that big a deal for the organization. In fact, if you're a solo practitioner using something like Yubikey, I recommend you get another one and just keep it in a lock box in the event you, say, run over the primary with your car :)

(1) http://www.amazon.com/FCS-Moulded-Steel-Fin-Key/dp/B003JCQPXM
Nice article; it would be interesting to build something that HexView did, in fact, find "nearly indestructible". Full disclosure: I'm a fan of the Yubikey, I think that something like it will be the future of operational security for networks. Requiring the key be present to answer challenges helps a lot.
Read a much more detailed security review of the Yubikey as it works in practice here:

http://www.unrest.ca/yubico-reinvents-the-yubikey
That's a lot of text to say nothing of interest. I really love how they question the trade-offs made in the PCB design, as if these things didn't occur to the designers.
While we're at it, are there any other tokens/smartcards that could be used for signing messages (ECC preferable, RSA acceptable)? I only know of YubiKey and the KernelConcepts PGPcard.
Hard to take your article seriously with statements such as "...Levels 1 and 2 of the FIPS140-2 certification are just a marketing gimmick".
Even harder to believe Jakob took the time to respond.