I had a talk (GnuPG + Gnuk Token) and a workshop with FST-01. https://hackarnaval.online
It was my surprise, in Paris, people accept things don't work. Vending machine not accepting credit card, subwey gate denying to accept tickets, and drivers/officers (for public transportation) being on strike, etc.
(This is my first visit to Paris.)
GPG4Win statement on Efail research
Effective Hype or Ehype
Recently, "security researchers" seem to adopt/develop strategy to cheat media people to get maximum attention (only providing technically "correct" things which impress people, while they don't give enough information for the impact, which is actually not that big).
Given the situation that it's not well coordinated to upstream(s) involved, I'd say it's a kind of "MitM" attack. I'm sad that national CERT didn't worked well this time.
I observed that some industries love even fake news, because people's attention is so important for them to maximize flow. So, it's difficult to stop this fashion, I suppose.
I wish "social engineering" researchers doing some research for this strategy. I would call it Ehype.
UDP stands for "USB Disk in Package"For me, it's "User Datagram Protocol".
I learned that small factor USB flash drive now uses new production technology: PIP (Product in package).
Gnuk runs on GD32F103 @ 96MHz
I managed to run Gnuk on GD32F103, with some fixes. It takes 6 seconds for RSA4096. For 100 invocations of gpg --decrypt with cv25519, it takes 7.5 second (for STM32F103 @ 72MHz, it takes 21 second). For 100 invocations of gpg --detach-sign with ed25519, it takes 4.4 second (for STM32F103 @72MHz, it takes 10 second).
GnuPG 2.2.6 releasedThis release include --card-edit/kdf-setup subcommand to setup KDF Data Object on Gnuk Token (and newer OpenPGPcard).
We can use this feature to lower the risk for some invasive attacks.
Gnuk 1.2.9 releasedThis version have better KDF support.
I added more tests, so, I am a bit confident it's better (than other releases :-).
Now, I set up my tokens with KDF Data Object. With it, host computes hash from PIN. So, the risk of exposure of private keys when token will be stolen and flash ROM will be analyzed (somehow) can be smaller.
PocketBeagle as SWD writer
I updated BBG-SWD and use it with PocketBeagle. In this case, power is supplied from PocketBeagle to the target (FST-01).
Submitting a patch series to lkmlIt was more than 25 years ago, when I submitted the first patch of mine to Linux mailing list. We didn't have lkml yet at that time.
Things have been changed a lot sice then, but I believe that I found a long standing bug.
George Standish likes this.
po: msgstr entries with unmatched %-format string
The problem of GnuPG key generation only for Japanese was reported: https://dev.gnupg.org/T3619
It is due to unmatched %-format in msgstr (in po/ja.po).
This kind of bug can cause DoS targetted to a specific locale. I think that msgfmt -c should check this, too.
I develop my USB driver with no USB alalyzer or digital alalyzer. I mean, with no looking any signals on wire.
Last week, I looked the signal using Sigrok. With my ZEROPLUS, only it can caputure three frames of USB (3ms). But I can see the transactions: command from host, response from device, seven NAKs while responding an answer.
McClane likes this.
regcomp+regexec with REG_ICASE
On GNU system, regexp \x\y\z doesn't match xyz, while \X\Y\Z does. I tested on FreeBSD, both match xyz.
I learned that grep uses DFA, so its behavior is different.