Generating and storing keys on usb pen

Robert J. Hansen rjh at sixdemonbag.org
Thu Apr 26 17:02:08 CEST 2007



> autonomous malware.  What evidence do we have that USB controllers are
> reprogrammable once they leave the factory?

The better question, at least from a security perspective, is what  
evidence do you have that your particular vendor's USB token is not?

I mentioned this a few days ago, but my day job involves security  
testing of electronic voting machines for the National Science  
Foundation [*].  We have to deal with the issue of whether a given  
machine is reprogrammable and under what circumstances it can be  
reprogrammed.  History tells us that skepticism is warranted when it  
comes to this issue.  See, for instance, the work of Harry Hursti or  
Ed Felten.

Most USB token vendors are not concerned with security.  Most of them  
don't care if their devices can carry malware.  There are no citizen  
review boards to examine the product and hold vendors accountable.

I am deeply skeptical of claims that USB controllers are not  
reprogrammable.  I'm not saying they must be reprogrammable... only  
that until we see strong evidence that a particular vendor's hardware  
is not reprogrammable we should assume that it is.





[*] I'm not speaking for the NSF, all opinions are my own, any  
inferences you draw about my feelings towards electronic voting  
machines are entirely yours.




