Generating and storing keys on usb pen
Robert J. Hansen
rjh at sixdemonbag.org
Thu Apr 26 17:02:08 CEST 2007
> autonomous malware. What evidence do we have that USB controllers are
> reprogrammable once they leave the factory?

The better question, at least from a security perspective, is what
evidence do you have that your particular vendor's USB token is not?

I mentioned this a few days ago, but my day job involves security
testing of electronic voting machines for the National Science
Foundation [*]. We have to deal with the issue of whether a given
machine is reprogrammable and under what circumstances it can be
reprogrammed. History tells us that skepticism is warranted when it
comes to this issue. See, for instance, the work of Harry Hursti or

Most USB token vendors are not concerned with security. Most of them
don't care if their devices can carry malware. There are no citizen
review boards to examine the product and hold vendors accountable.

I am deeply skeptical of claims that USB controllers are not
reprogrammable. I'm not saying they must be reprogrammable... only
that until we see strong evidence that a particular vendor's hardware
is not reprogrammable we should assume that it is.

[*] I'm not speaking for the NSF, all opinions are my own, any
inferences you draw about my feelings towards electronic voting
machines are entirely yours.
More information about the Gnupg-users