None of which precludes the implementation from being open source. In fact, it just means that even if the software were open source, it would be near-meaningless since I can't verify the code running on the device and can't reflash it myself.
"Youbico isn't saying that the security of the device is increased by keeping the source code secret."
Yeah, they're not really saying anything other than trying to provide an excuse for why they won't release it. "You can't use it anyway" isn't much of a response (I actually find it rather patronizing and dismissive).
Not to pile on, but regarding: "Engineering is always full of trade-offs."... what exactly is the supposed trade off here? (Maybe they're using licensed code that they can't redistrib?)
If I'm reading the statement correctly, they are unable to release the source due to an NDA with their hardware provider, which is at least a reason other than "it's not software under the Free Software definition".
What would be the purpose of an NDA with the hardware provider? Surely not to hide it from GCHQ/NSA?! I imagine a company like Yubico has all of its employees on GCHQ/NSA lists and may even have cell tower simulators outside of its offices.
The NDA makes this even more suspicious. Who's the hardware provider? Huawei?
NXP makes you sign an NDA to use their secure stuff.
The purpose is anti-competitive, preventing NXP's competitors from learning how the devices work. These devices often have advanced hardware and firmware countermeasures.
The secure modules are considered weapons technology if they're allowed to be updated after sale; the company is responsible for tracking each one, they're impossible to ship overseas, etc.
It's not suspicious, it's SOP. Choose between open and secure, or make your own silicon.
Pretty much all of the providers of secure hardware are like this because they're all reliant on security by obscurity. They rely on keeping secret things like their instruction set, register locations, what countermeasures against intrusion they have, etc in order to make it harder for a hacker to compromise them.
> in order to make it harder for a hacker to compromise them
Keeping implementation details secret DOES make it harder for a hacker to compromise them. When used as a defence on top of a decent security infrastructure. "Security through obscurity" is when a company only uses the secrecy as a defence. This is not true:
> they're all reliant on security by obscurity
They're generally reliant on some secure and proven methods of security, with a layer of design obscurity over the top (and in practice as others have pointed out, they don't keep the design secret for security reasons, they do it for commercial ones).
I think if they released the source, but you weren't able to reflash the device (which is a design trade-off they chose to close some attack vendors), people would be up-in-arms and saying "it's not true open source because I can't re-flash or verify the device."
Except that I was just able to make the distinction... If their response wasn't patronizing enough, now you're adding on by saying we're too stupid to acknowledge the difference?
"Youbico isn't saying that the security of the device is increased by keeping the source code secret."
Yeah, they're not really saying anything other than trying to provide an excuse for why they won't release it. "You can't use it anyway" isn't much of a response (I actually find it rather patronizing and dismissive).
Not to pile on, but regarding: "Engineering is always full of trade-offs."... what exactly is the supposed trade off here? (Maybe they're using licensed code that they can't redistrib?)