Anelok stanadalone password safe use case?

Werner Almesberger werner at almesberger.net
Mon Jan 19 17:32:00 UTC 2015


Ron K. Jeffries wrote:
> If someone wishes to store e.g. passwords in anelok but only retrieve by
> reading the anelok display (i.e. not having anelok pump bits into an
> attached vua USB or someday Bluetooth) computer... is this possible?

Of course. Anelok has a display, why would it stubbornly refuse
to use it ? :-) Besides, there are countless systems that want a
code but who wouldn't talk to us (and in some cases not to
anyone at all), e.g., building access controls, ATMs, etc.

I envision the following "readout" methods:
- display and leave the rest to the user,
- display and let user optionally choose some additional
  transmission path,
- do not display and use alternative path (not sure how much
  choice the user should have over the path at the time of
  readout - in some cases you'll prefer not to know the
  password).

If the retrieval is triggered from the outside, e.g., by a browser
(asking via a plugin that in turn uses HIDDEV to talk to Anelok),
not displaying the password would make sense as default option,
since there is already a communication channel that doesn't need
displaying.

And let's not forget the "out of the box" scenario: even if I 
should adopt some belief that passwords must never be displayed
(for showing them would mock the all-knowing Flying Spaghetti
Monster, by suggesting that it would not have known it if had not
been displayed), you are free to ignore my foibles and install a
firmware from someone less crazy and whom you (still) prefer to
trust.

- Werner



More information about the discussion mailing list


interactive