vessenes · 10 years ago
I like how polite Yubi and Hexview are in this exchange; a breath of fresh air from an infosec company engaging with a security company! Makes me feel like there are grown-ups both places, and that the work will help Yubi in future iterations.
dombili · 10 years ago
Off-topic, but I came across this tweet today.

https://twitter.com/flexlibris/status/660108123487789056

> TSA at Boston airport tried to take my Yubikeys away from me to a second location "for a test". I refused & they backed off but FYI people.

If you have your Yubikeys with you while traveling, you might want to be careful.

SystemOut · 10 years ago
Why wouldn't you take them with you while traveling? The whole point is to use them as part of your authentication chain.
dombili · 10 years ago
You clearly misread or didn't read my comment because I didn't say anything about not taking your Yubikeys with you while traveling.

>The whole point is to use them as part of your authentication chain.

I know and that's exactly why I said you might want to be careful with them while traveling. If your keys are taken away from you and you don't have any backup solution (such as recovery keys), you will get locked out of your important accounts.

kweks · 10 years ago
It seems that hardware breakdowns inevitably place a 'raw materials' costing to objects broken down, often (but less in this instance) - as a somewhat passive-aggressive dig at the company: "They sell it for $50, but it's only got $10 worth of components in it!"

Outside of the obvious external costs (development, transport, overheads, import, profit, etc), PCB + Tooling costs are often wildly underestimated.

For reference, a PCB of this size requires a setup + stencil template, which would run ~ 400 - 500 USD.

Tooling for the plastic injection mold for this piece would run around 5000 USD, and each subsequent piece would probably cost around 10 - 50c USD.

Tooling + PCBA done right have significant upfront costs that often seem to be forgotten.

nickpsecurity · 10 years ago
To support your point, most of the delays in the JackPair Kickstarter involve tooling for the casing. The recent one admits they should've talked to an expert before they even settled on the prototype because they had no idea how much trouble it would cause at manufacturing time.

Hence, the popularity of the Design for Manufacturing concept these days...

kweks · 10 years ago
Tooling and injection molding is an arcane art. Most people would be amazed to realise that the tooling to make even the yubikey would probably be around 45cm x 45cm of (almost) solid steel block.

They'd be probably even more surprised to find that it'd cost 10k - 15k to make the tooling.

Diagnosing / 'debugging' issues with injection molding is incredibly difficult - again - it's almost black magic, and it's sadly a skill that's getting harder and harder to find.

If you cast your eyes around your desk / room, we see molded plastic parts everywhere - so we make the assumption that they must be cheap and easy to do.

And indeed - the assumption of facility due to availability is a very common trap that many kickstart projects fall into.

It's harder to scaffold and pivot in real life ;)

antoinealb · 10 years ago
I would say your 5000 USD for the tooling seems pretty low to me for a steel mold (as opposed to a "soft" aluminium mold). They can easily cost 5-10x more if you factor in mold development.
kweks · 10 years ago
For full disclosure, I work with factories (Based in China) running plastic injection molding and zinc casting molding.

5kUSD would be a conservative price from our factories; but the item is rather simplistic. As a general rule of thumb, for cases in plastic injection molding, you're correct - you're looking at 10 - 20k easily. Multiple pieces with complicated gating, the price goes up.

Zinc / Metal injection molding involves much more black magic, and this is reflected in the costs.

With all of that said - we're in complete agreement on the main subject - even if tooling cost 5k + 20c per piece, the estimation of $1 for PCBA + PCB Stenciling + molding is way off track, unless it was amortised over tens / hundreds of thousands of pieces.

niels_olson · 10 years ago
I accidentally ran over my Yubikey with my Honda Accord, on a key ring with a fin key (1). I dusted it off and it works fine 6 months later. Seriously, if you're in a position where you're using a Yubikey, getting another Yubikey isn't that big a deal for the organization. In fact, if you're a solo practitioner using something like Yubikey, I recommend you get another one and just keep it in a lock box in the event you, say, run over the primary with your car :)

(1) http://www.amazon.com/FCS-Moulded-Steel-Fin-Key/dp/B003JCQPX...

malandrew · 10 years ago
It's actually recommended that you get two yubikeys and connect both to every account and keep the backup safe.
ChuckMcM · 10 years ago
Nice article, would be interesting to build something that HexView did, in fact, find "nearly indestructible". Full disclosure: I'm a fan of the Yubikey, I think that something like it will be the future of operational security for networks. Requiring the key be present to answer challenges helps a lot.
j_s · 10 years ago
Read a much more detailed security review of the Yubikey as it works in practice here:

http://www.unrest.ca/yubico-reinvents-the-yubikey

Luc · 10 years ago
That's a lot of text to say nothing of interest. I really love how they question the trade-offs made in the PCB design, as if these things didn't occur to the designers.
spectralblu · 10 years ago
Disappointed that they did nothing to probe the onboard MCUs to see if they could get it to leak anything, and just dismissed that with "we expect it to get high marks there." This seems an awfully low quality report from an infosec company. I was hoping to see an audit of the controllers onboard to see if (and if so, how much effort) they can extract onboard secrets, because after all that's the whole purpose of this device, to act as a secrets repository.
detaro · 10 years ago
First line of the page: Yubikey is a curiosity-driven side project for us and we have plans to dig a bit further into hardware as time permits. If anybody could confidentially help with NXP datasheets, it would be much appreciated.

I guess they could have waited until they had more to publish it, but I found it interesting regardless

Niten · 10 years ago
All else being equal it would be nice if the keys' casing were more tamper-resistant. But the article doesn't even touch on the tamper resistance of the NXP A7005, which is the part that actually matters.
jonknee · 10 years ago
I found it interesting since as a user you can't see the PCB. Of course the designers knew about the tradeoffs, it's just nice to know what those tradeoffs were.
beagle3 · 10 years ago
While we're at it .. are there any other tokens/smartcards that could be used for signing messages (ECC preferable, RSA acceptable)? I only know of YubiKey and the KernelConcepts PGPcard.
watersb · 10 years ago
I have the Github-branded YubiKey, as well as another U2F FIDO key that I purchased last year from Plug-Up.

But now the PlugUp web site, http://pu1.fr, redirects to a trendy, rebranded site that I can't get to work. So I don't know if that vendor exists anymore.

I am excited about YubiCo products. The key I have Just Works, looks and feels very well-made.

X-Cubed · 10 years ago
Nitrokey is another one: https://www.nitrokey.com/
beagle3 · 10 years ago
Thanks. Nitrokey looks nice. I'll have to look deeper into the github repo to see what it actually supports in hardware though - the website does not mention the smartcard standards that are actually supported.