I should patent cryptographically secure keyboard hardware and then refuse to license the patent
the moment I plug in a keyboard to any kind of computer and the computer goes "sorry that's not a Secure Input Device, you can't use this for passwords or whatever", that computer is going into a lake.
this is all assuming it's not patented already.
I was at google in 2019 and I could already see it coming as the next obvious step of their security work
the problem is that you can have a highly secure workstation and every bit is locked down and you've got secure boot and everything and someone plugs in a keyboard and you have no idea what it's doing. is it saving those passwords? is it mailing them off to another country using a built in 4g modem? All you have is an easily spoofable ID to tell you what it is.
and the obvious solution is that you start sticking certificates in keyboards. the PC can verify it when the keyboard is connected, and reject keyboards not on some internal authorized CA list.
that makes it SLIGHTLY HARDER to do an evil-keyboard attack against PCs, but it's an improvement from the current "trivial, especially if you use mechanical keyboards"
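
The connect-time check described in the posts above, as an added example that is not code from the thread or from any real keyboard or OS. The names `Cert`, `Keyboard` and `Admit`, the choice of Ed25519, and the simplified certificate (a CA signature over the device's public key) are all assumptions made for illustration. The host admits a keyboard only if its certificate was signed by a CA on the internal allowlist and the keyboard signs a fresh nonce, so a copied certificate or a replayed response is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a simplified stand-in for X.509 (assumption): device key + CA signature over it.
type Cert struct {
	DevicePub ed25519.PublicKey
	CASig     []byte
}

// Keyboard models the device side: a private key that never leaves it, plus its cert.
type Keyboard struct {
	priv ed25519.PrivateKey
	Cert Cert
}

// NewKeyboard provisions a keyboard whose public key is certified by caPriv.
func NewKeyboard(caPriv ed25519.PrivateKey) Keyboard {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Keyboard{priv, Cert{pub, ed25519.Sign(caPriv, pub)}}
}

// Respond signs the host's nonce, proving possession of the certified key.
func (k Keyboard) Respond(nonce []byte) []byte { return ed25519.Sign(k.priv, nonce) }

// Admit is the host check: the cert must verify under an allowed CA, and the
// response must be a valid signature over this connection's fresh nonce.
func Admit(allowedCAs []ed25519.PublicKey, c Cert, nonce, resp []byte) bool {
	if len(c.DevicePub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on wrong-size public keys
	}
	for _, ca := range allowedCAs {
		if ed25519.Verify(ca, c.DevicePub, c.CASig) {
			return ed25519.Verify(c.DevicePub, nonce, resp)
		}
	}
	return false
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed internal CA
	kb := NewKeyboard(caPriv)
	nonce := make([]byte, 32)
	rand.Read(nonce)
	fmt.Println("admitted:", Admit([]ed25519.PublicKey{caPub}, kb.Cert, nonce, kb.Respond(nonce)))
}
```

This only shows that the device holds a key certified by an allowed CA; it says nothing about what the keyboard does with the keystrokes.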

@foone what would make mechanical keyboards more "trivial?"
the typical size having more hardware space? the propensity for mechanical keyboard users to bring their own?

when we tampered with keyboards we typically hit your standard "came with the workstation" dell keyboards etc.

@hon1nbo many of them can be changed into an Evil Keyboard with no hardware changes, as you can just reprogram their (reflashable as a feature) microcontroller

@foone hmmm so more a manufacturer choice for keyboard makers geared towards enthusiasts I guess. Lots of boutique and midsized keyboard makers these days.
I haven't poked at current trends for keyboard hardware in some time since I don't have that as part of my job anymore.

But authenticatable keyboards would be killer.

@hon1nbo @foone yeah, but that would require a completely new device class AND proper support in Hardware and Software, which is very much a non-starter at this point!
https://infosec.space/@kkarhan/113716404086081614
Kevin Karhan :verified: (@[email protected])

@[email protected] needless to say I doubt anyone will actually ever implement a *"#SecureUSB"* implementation even if it was an #OpenStandard and doing so wouldn't even require #USB-IF membership or anything. Ideally true *#SelfCustody with proper keys* would be implemented, but that would still have *Trust Root Problems* but worse than #CensorBoot...


@kkarhan @foone what makes it a non-starter?

No one said this would be trivial. No one said you had to shoehorn it into the existing HID protocol

HVTs often remove legacy or basic protocols from systems when they don't need them, or implement detections for their activated presence.

@hon1nbo @foone Granted, the only ones willing to pay even a $50 premium per System to get this done are either so paranoid they don't buy keyboards but specifically contract a "secure manufacturer" (i.e. #Cherry) and demand the source code and schematics as well as reference dumps and X-ray images (i.e. #BND in #Germany) or do that shit in-house from scratch.

  • Still, a truly end-to-end encrypted, fully self-custody capable "secure HID port" would be interesting.

I'm sure something like that is possible with a #PiPico2 on both ends, necessitating manual handshaking and setting stuff in clear resin to make it tamper-evident!