Come on HN, this comment was answering the parent directly. Unless you've been under a rock for the last 4 years there's no excuse to downvote even if you think it's still low-probability...
The comment also originally said "but even mentioning it on Hacker News will mean you get downvoted" before it was edited - personally I get very tired of pre-emptive complaints about downvoting.
Likewise. I may be in the minority but I won't normally downvote comments, only when I think it really is deserved, but complaining about downvotes -- especially in your original comment, before you've even received any -- well, I will downvote you for that.
There's still this meme out there that anyone who thinks the government might be doing something nefarious is a "conspiracy theorist." People around here tend to want to be upper-class educated no-nonsense rational types of people, which means you can't be entertaining woo-woo conspiracy theories.
I think this is a lazy broken heuristic that ends up labeling all social criticism and all allegations (even if credible) as "crazy." It's very Soviet-- you are mentally ill if you disagree with the government.
The problem is that we have hard documentation that governments (including but not limited to the USA) have run actual named and funded programs and efforts with the explicit intent of sabotaging crypto available in the public market. It's not even a "theory." It's established historical fact.
Believing the queen of England is a shape shifting reptile or that we didn't go to the Moon is a woo-woo conspiracy theory. Believing in things with a hard paper trail is not, nor is entertaining the possibility that governments might be doing things that we know for a fact they have done in the past.
It's not only a Soviet phenomena; American politics has utilized a "paranoid style"[1] for a long time.
> sabotaging crypto
It seems like a lot of people are pretending that BULLRUN doesn't exist. Nobody wants to believe that a coworker might be a collaborator; that kind of thinking can easily erode trust and create paranoia even when it isn't warranted. Unfortunately, the program exists so it's foolish to ignore the probability that it is still working to weaken crypto. As PHK explain in "Operation Orchestra", encouraging weak crypto is much cheaper than breaking real crypto.
A nefarious, diabolically clever government wants to compromise this device and then telegraphs that intent to the world by forcing the software to go closed source - that is absolutely an irrational and silly conspiracy theory. To believe that you have to believe that the government is both nefarious, diabolically clever and cartoonishly inept.
Absolutely most certainly yes all three of those things.
Nefarious: government is, I contend, only that group of criminals we have collectively decided we would be better to regulate and pay off. I'm not saying this is a bad thing, we certainly need some regulation and law enforcement, etc.
Diabolically clever: the word means 'characteristic of the devil' - government is responsible for torturing people, killing people in pointless wars, etc.
Cartoonishly inept: for sure! you only have to go outside, pick up a news paper, browse a news website, to see how incompetent government can be.
But, we tend to speak of 'government' as some cohesive whole, which it most certainly is not. Is any one branch or agency of government all three of those things at all time? I don't think so. Some parts of government do a fine job of administering their responsibilities, some of the time. Probably. Maybe.
Can you name one medium to large (resources and headcount) organization that has existed for 20 years that could not be called cartoonishly inept by its detractors?
And this is exactly the type of strawman that usually accompanies the "conspiracy theory" bashing. You've chosen the strongest-claiming narrative, which is easily knocked down.
The simplest scenario isn't that YubiKey 4 went closed source to support a government backdoor. It's that it's entirely for business reasons as they've said. And then after a few years, a few more layers of middle management, a few interesting users, and a little more TLA focus, Yubikey 6 quietly gets subverted.
Tangentially - I was pretty close to buying a Yubikey Neo for its form factor, but it didn't seem like I could modify/reload the OpenPGP applet, and documentation was scant as to how configurable it was. I really want the thing to operate as semi trusted hardware - passphrase, etc. Smartcard tech is nifty, but it seems like a non-hardened chip would be more worthwhile for the ability to iterate features/UI.
IMHO: The comment isn't valuable: It's an obvious idea, the comment provides no information or analysis, and its snarky wording prompts more low-value snarky comments. One obvious, snarky sentence isn't a useful comment.
For what it's worth I think it's important to bring up regardless of the snarkiness of his phrasing. There was a time when suggesting that at all would have sounded tinfoil-hatty, but now we need to consider it not just as a possibility but a completely plausible one. Yubi could make a whooooooooooooole pile of money doing this at the behest of, or encouraged by, government actors.
HN tends not to approve of comments that smell even a whiff like conspiracy theory crazytown, so I'm not surprised.
tptacek's positions hold outsized influence here, so even after his public concession on Dual_EC_DRBG, it's still very unpopular to posit that nation states would ever backdoor products.
No reason to complain about downvotes, per the rules.
If they want to intentionally backdoor it, can't they just release source without the backdoor, but ship devices with it? You can't upgrade them so you can't build from source and overwrite. And for such a platform it's unlikely you'd have the whole build toolchain, let alone the environment to get reproducible builds.
Even then you have to extract the firmware from the device then try to match it with your compiled binary. Seems like you might as well just reverse the binary and look for backdoors directly?
There is one, big, obvious government-shaped reason.