How are things handled back-end as far as HSM with AES keys to the Sparks and other future chips?
Since our Spark keys are symmetrical and stored on DT and VivoKey ends. What security features are in place, is the HSM zero-knowledge. Can it be made zero-knowledge. What happens if a Govt. agency subpoena Vivokey for the AES keys?
Just wanted to see if we could get some more info as far as our implants security goes? I’m talking more of state actors/more complex black hats.
As a Red Teamer I’m very interested in the back-end. I understand with most passive attacks our chips are highly safe, but what if someone hit the back-end or the company receives a subpoena to hand over the AES keys to my chip.
Those Apple cases came to mind, When I read this part…
My opinion is, If law enforcement
Needs evidence to support a case for conviction or in those Apple cases just to gather info for the general public’s safety then It’s a no brainer, Hand it over.
Peoples privacy rights fly out the window when they’re committing
Crimes, But that’s just my opinion.
Along with the “how is is stored” question, I’d also throw in a “Where is it stored”
Servers in NA? are there serves in EU to handle EU users?, I’m seeing more and more users from within the EU on these forums as well over the last few months.
@anon67519447 I feel like it’s a double edge sword, being on both sides before in the eyes of law I would have to argue with the ^^^statement.
Example: recently two acquaintances of mine were arrested in the US during a penetration test of a court house in Iowa. They are employees of Coalfire a reputable company in the US. What if they had used there xM1 chips to access the door system. They had a “get out of jail free card” yet it didn’t work.
What if they had asked for the AES keys for there Spark chip. Although this wasn’t the case, law enforcement still wanted access to all the digital device confiscated during the arrest. Which they refused. They were innocent hired by the State to perform the test, yet all there personal and other client’s data would have been processed. We are all human…well some of us are Cyborgs :). But I just believe security is vital in today’s world. What others might think is wrong you have a whole other side that moraly thinks it’s right. Security should be neutral, if we allowed the US to access the data because of there “suspicion of a crime” what’s stopping Somalia or North Korea or Libya to access the data because they thought there was a crime, commited? Who is to decide who what and where can access it? I believe I have a right to my own access and those I grant that access to.
Both pentesters are FULLY exonerated, but it falls into question WHO is really qualified to determine if a 3rd party can access data. Per example, Snowden!
@Aemun I would also like to know where it is stored. As a natural-born citizen to Éire, I would like to know how and where data is stored. I have full confidence in the DT and Vivokey guys and gals…but knowledge is the most powerful weapon!
I understand where you’re coming from, but it’s not that black and white. The most important factor to consider here is who determines what is an “ACTUAL Crime”. There are plenty of people honored with the title judge all over the world, but that doesn’t necessarily mean that they’ll be impartial arbiters of Justice who are not susceptible to bias or bribes.
Until the algorithms are responsible for using math to determine my guilt or innocence, I’m not willing to surrender my privacy, regardless of how mundane my activities.
As per real world example. I am an active member of the 32CSM “32 County Sovereignty Movement” in Northern Ireland. Under Homeland security and the Department of State, 32CSM is considered a FTO “Foreign Terrorist Organization” yet in the Republic of Ireland and N. Ireland we are recognized as a registered political organization that holds membership to governing bodies. We are also fully recognized by the UN.
So who is right and who is wrong in the determination of morals.
It’s a very gray subject.
@anon67519447 it’s great to have mutual debates and knowledge seeking. All opinions are valid and I appreciate your outlook on the topic alot. I always welcome your feedback and bluntness
I am still looking through the forums for something else I saw, that may help, I’ll let you know when I find it
UPDATE
I found what I was thinking of, which was the Vivokey Opt-out {possibility}, here is the link to the whole post, because there is some other info that may be of use, but the opt-out discussion is pretty much at the bottom.
History is replete with examples of that proposition turning spectacularly against entire populations who believed it. The keyword in “they should have nothing to worry about” is “should”.
There’s always something to worry about when somebody, anybody, forces you to reveal your secrets, however innocuous. If you chose to implant a chip that does encryption, there must be a reason: if you truly had nothing to hide and nothing to fear, you’d implant a simple memory chip that stores plaintext. Everybody has something to hide, otherwise nobody would use encryption.
What if the content of the chip is used against you by a totalitarian regime or by an overreaching police force? Hint: the US isn’t far from turning into the former, and already has the latter.
If they have nothing to hide, Then they should have nothing to worry about
A very slippery slope to go down. Privacy is a central tenet of what we do at VivoKey - I can’t speak officially on this topic, but it’s definitely been a core focus in internal discussions.
“nothing to hide, nothing to fear” is a bit of a flawed argument. It says “I don’t care about my right to privacy”, it’s very similar to “i don’t want to say anything controversial so i don’t care about free speech”.
It becomes a slippery slope in that once you start taking fundamental rights away, when do you stop?
For reference, I live in a country where the government thinks it’s above maths. (I wish I was joking but a former PM literally said “the law of mathematics is all well and good but it isn’t above the law of Australia”)
Right now we have a semi-custom HSM but considering moving to Hashicorp Vault. Sparks are and will be the only chips with symmetric crypto… future chip releases like the Apex line will support full PKI for VivoKey activities. The Apex chips support chip-side key pair generation, and the VivoKey Identity applet, and any VivoKey branded applets we deploy, will all leverage chip side key pair creation. This means we will not actually have your private keys at all for any Apex line device.
This is likely where you would want to leverage PGP or other autonomous uses of Apex’s encryption capabilities that have nothing to do with us. Resisting complex attacks from state actors or organized crime targeting specific individuals is, for now anyway, outside the scope of VivoKey. I’d love for it to be a major focus, but right now the focus is continuing to build this niche out of “biohacking” and into some sort of mainstream business, while also keeping a roof over our heads. One day, with the means behind us, we will expand our scope.
For now, servers are in North America… we will very likely branch out once we are able.
I know this has been discussed above, and @Satur9 even hit directly on this concept… but the best response for this I can think of is this - Being Jewish in Germany was perfectly legal, until it wasn’t. They had nothing to hide, then had to go into hiding. Being able to hide saved many lives. The same could be true of encryption - being able to properly hide yourself in a digital society turned rotten may just save lives.
In this case, I’m not taking a big risk: everybody really does have something to hide. That’s just a fact And you do too: for instance, if some dude stopped you in the street and asked you your most intimate sexual fantasy, you wouldn’t readily tell them would you? Well there you go: you have something to hide.
I’ll tell you another story: a friend of mine had snapped holiday pictures of his family and put them up on his website some 20 years ago. One day, the fuzz knocked at his door, told him he hosted pictures of naked children, and arrested him on pedopornography charges - much to his wife’s dismay. The pictures in question were of his children on the beach. No matter how much they argued they were just innocuous holiday photos, that the kids were now grown up and willing to testify nothing dirty had happened to them in the past, he still had to spend a few hours at the precinct with the cuffs on, then hire a lawyer and fight the charges in court.
Well, 20 years ago, putting up photos of your children playing naked on the beach was okay. Today it is not. Things change, and stuff you think you have nothing to hide today may need to be hidden in the future. Like pictures of your kids. Or perhaps photos of your bar mitzvah if you lived in Germany in 1933. Or perhaps photos of you and your friends celebrating cinco de mayo if you lived in the US in 2020…
People who know history hide things that are perfectly okay today to future-proof their lives, and they don’t want to give out the decryption key. That’s also why encryption exists.
