“I must, sadly, withdraw my endorsement of Yubikey 4 devices”

From the Github issue [0]:<p><pre><code> &gt; Further hostility against the company or our users will &gt; not be tolerated in this forum, and will be met with &gt; bans. </code></pre> Odd reaction. Especially when they&#x27;ve _changed_ from open to closed source, and what benefit is there, really, to a closed-source &#x27;OpenPGP&#x27; implementation?<p>They&#x27;re looking for a profit, sure, but they&#x27;re blessed to be a hardware company. It&#x27;s not like I can just clone they&#x27;re repo and not need to buy their product.<p>[0] - <a href="https:&#x2F;&#x2F;github.com&#x2F;Yubico&#x2F;ykneo-openpgp&#x2F;issues&#x2F;2#issuecomment-219021710" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Yubico&#x2F;ykneo-openpgp&#x2F;issues&#x2F;2#issuecommen...</a>

I was seeking an alternative and cheaper OpenPGP solution to Yubikeys, then I found that the OpenPGP card is essentially a Java applet lives on a chip runs JVM, and JVM runs on top of JavaCard OS. Since all the programs follows GlobalPlatform standards, communication with Java Cards can be straightforward.<p>In the end, it&#x27;s not difficult to burn opensource openPGP applet to your own card. But there are 2 problems:<p>1. Bulk sales. If you want to all the things by yourself, and you found an ideal chip (recent NXP SmartMX2 cards has all the fancy stuff you want), almost every reseller only allow bulk purchases, say 100 pcs minimum.<p>2. Propriety software. For NXP cards, you need a propriety software to initialize&#x2F;unlock a card before you can use GlobalPlatform tools to flash your own Applets. A reseller told me that his can be done by sending raw HEX code with a Transport Key to workaround, but I&#x27;m not sure about it.

I&#x27;ve been disappointed in Yubico since I reported a Replay Attack, in their server, to them and Steve Gibson a couple of years ago. They gave now reply. Steve replied after a called him out publicly. I&#x27;m considering creating a like process based on the USB Rubber Ducky. I&#x27;m thinking simple one time pad. <a href="https:&#x2F;&#x2F;hakshop.myshopify.com&#x2F;products&#x2F;usb-rubber-ducky-deluxe?variant=353378649" rel="nofollow">https:&#x2F;&#x2F;hakshop.myshopify.com&#x2F;products&#x2F;usb-rubber-ducky-delu...</a> 1s

I&#x27;ve been looking into purchasing an OpenPGP card&#x2F;stick for a while. Haven&#x27;t yet pulled the plug.<p>Here are some fully open Yubikey alternatives.<p><a href="https:&#x2F;&#x2F;www.sigilance.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.sigilance.com&#x2F;</a><p><a href="https:&#x2F;&#x2F;www.nitrokey.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.nitrokey.com&#x2F;</a><p><a href="http:&#x2F;&#x2F;www.seeedstudio.com&#x2F;wiki&#x2F;FST-01" rel="nofollow">http:&#x2F;&#x2F;www.seeedstudio.com&#x2F;wiki&#x2F;FST-01</a>

This is about the code running <i>on</i> the YubiKey itself, not about the code to interact with it from a general-purpose computer?<p>And if I&#x27;m reading the linked GitHub issue correctly, this is about a specific plugin that runs in a sandbox on the YubiKey NEO, where the main codebase of the NEO is still proprietary?<p>I don&#x27;t understand the advantage of it being open-source then, at least as far as security goes. (For user freedoms in practice, maybe.) What guarantee do you have that the code on the device matches the code on GitHub, or that the code on GitHub isn&#x27;t subverted by other code on the device?

whatever the conclusion here I&#x27;m very glad there are eyes on these devices.<p>Is there a central clearinghouse for security audits of hardware &#x2F; software? This is something the FOSS community can do <i>much</i> better than msft or even open source promoters like fb&#x2F;goog, but not if the results are distributed on the experts&#x27; blogs and tumblrs.

Ah crap, why ruin something great just out of greed (What other reason could there be?) :-(

The problem with both Yubi and Nitro is that pin entry is by keyboard, not a secure pinpad.

The one thing that I find missing in Nitrokey is that none of their regular keys support U2F alongside other 2FA methods, like Yubikey does. You need the separate U2F device for that, and I don&#x27;t want to carry around multiple tokens if at all possible.

While on the subject, does anyone know how to actually put a 4096 bit key on a Yubikey 4? I&#x27;ve been trying for months and their support is non-existent.

Locked to contributors. Surprise!

I&#x27;m glad someone&#x27;s using &#x27;libre&#x27;; glad that i can easily refer to liberated open-source software without ambiguity.

Glad to learn Nitrokey has ECC support, even if only 256 bits.

They arw pulling a MakerBot.

Hang on just a minute, hackernewsies. Put down your pitchforks and torches.<p>Do you really expect a leading company of security hardware to give the keys of its kingdom away (pun intended)?

I don&#x27;t really see what&#x27;s new here, that made the author &quot;withdraw his endorsement&quot;. It&#x27;s an issue from 2014, about a device that has always been fully proprietary? Ok, so they make <i>other</i> devices that was in some small way open, and ran Free software. Great. But the yubikey devices have <i>never</i> AFAIK really been open in any meaningful sense. So, really this isn&#x27;t so much yubikey changing what they do, but rather the author not understanding what these devices were in the first place?<p>As far as I can tell, if you got one of these in the mail, there&#x27;d be no meaningful way you could verify that it hadn&#x27;t been tampered with anyway. So you&#x27;d just have to make a leap of faith, and assume it was &quot;secure&quot;? If you were prepared to do that, then fine use the yubikeys. If not, perhaps you should take a deeper look at your usb mouse and keyboard too. Did you verify that your keyboard isn&#x27;t running some code that might compromise your security?

I guess I should know this guy, but I don&#x27;t. When I see the picture and a post on Google+ it hardly seems like something that I should take seriously. I know the fake mustache is there to show what a fun guy this is, but if you&#x27;re posting something you want people to take seriously, post it seriously.