u/DistinctTradition200

▲ 11 r/IOT

Device identity for IoT — anyone actually deploying secure elements at scale, or is everyone still using flash-stored keys?

Looking at the gap between "best practice" and "what people actually ship" for IoT device identity.

Best practice says: every device gets a unique private key, generated inside a secure element (ATECC608, OPTIGA Trust M, SE050, etc.), never extractable, used for mutual TLS to the cloud and for signing telemetry.

What I see in actual products (teardowns, leaked firmware, CVE reports): keys in flash, often shared across a product line, sometimes hardcoded in the binary. Even from companies that should know better.

For people who've shipped IoT products at any scale, what's the actual barrier?

  • BOM cost? (608B is ~$0.60 in volume, hard to argue against)
  • Provisioning complexity? (this seems like the real answer — getting unique keys into millions of devices on a contract manufacturing line is genuinely hard)
  • Just nobody asking for it until after a breach?

Curious whether anyone's using the pre-provisioned variants (TrustFLEX, TrustCustom) and whether that actually solves the provisioning problem or just moves it.

u/DistinctTradition200 — 5 days ago

Building a data logger that cryptographically signs each reading at the point of capture, so downstream systems can verify the data wasn't modified after the fact. Use case is environmental monitoring where data integrity matters for compliance.

Architecture:

  • Sensor reads → MCU buffers
  • MCU hashes the reading + timestamp + sequence number
  • Hash sent to ATECC608B for ECDSA-P256 signing
  • Signature stored alongside the reading
  • Each reading also includes the hash of the previous reading (hash chain), so tampering with any historical record invalidates everything after it

Why the 608B specifically: private key generated on-die and never leaves, so even with full firmware access an attacker can't forge signatures for a different device. The chain structure means even the device operator can't quietly edit history.

Open questions for the hardware folks:

  • Sign latency on the 608B is ~50ms per ECDSA operation. For a 1Hz sample rate that's fine; for anything faster I'd need to batch (sign a Merkle root over N samples). Anyone done this in practice?
  • Power: signing draws ~14mA peak. On battery, is it worth gating the chip's power rail between operations, or does the wake sequence overhead make that a wash?
  • Anyone have opinions on the 608B vs the SE050 for this kind of workload? SE050 has more features but also more attack surface.
reddit.com
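
A minimal model of the hash-chained records and Merkle-root batching described in the post above, as an added example that is not the poster's code. The record layout, the all-zero genesis value and the 0x00/0x01 domain tags are assumptions, and the ECDSA step on the ATECC608B is not modelled: the 32-byte root is the value that would be sent for signing.

```python
import hashlib
import struct

GENESIS = b"\x00" * 32  # assumed prev-hash for the first record

def record_digest(seq, timestamp, reading, prev_hash):
    """SHA-256 over a fixed-width encoding of one record (layout is assumed)."""
    body = struct.pack(">QQd", seq, timestamp, reading) + prev_hash
    return hashlib.sha256(b"\x00" + body).digest()  # 0x00 tags a record/leaf

def build_chain(samples):
    """samples: list of (timestamp, reading). Returns a list of record dicts."""
    chain, prev = [], GENESIS
    for seq, (ts, value) in enumerate(samples):
        digest = record_digest(seq, ts, value, prev)
        chain.append({"seq": seq, "ts": ts, "reading": value,
                      "prev": prev, "digest": digest})
        prev = digest
    return chain

def first_bad_record(chain):
    """Index of the first record that fails the chain check, or None."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = record_digest(rec["seq"], rec["ts"], rec["reading"], prev)
        if rec["seq"] != i or rec["prev"] != prev or rec["digest"] != expected:
            return i
        prev = rec["digest"]
    return None

def merkle_root(leaves):
    """Root over record digests; an odd node is promoted unchanged."""
    if not leaves:
        raise ValueError("empty batch")
    level = list(leaves)
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]  # 0x01 tags an inner node
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]

# Constructed sample data: eight readings at 10 Hz (timestamps in ms).
SAMPLES = [(1_700_000_000_000 + 100 * i, 21.5 + 0.1 * i) for i in range(8)]
CHAIN = build_chain(SAMPLES)
BATCH_ROOT = merkle_root([r["digest"] for r in CHAIN])  # 32 bytes, signed once
```

Because each record commits to its predecessor, the final digest of a batch already covers every earlier record; the Merkle root additionally lets a single sample be checked with a short inclusion path.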
u/DistinctTradition200 — 6 days ago

Anybody have luck getting a complete seal on heat-shrunk PCB dongles? This particular device will be used in travel, so it's going to get dirty and gunky... Probably just going to have to pot it, but before moving on, wondering if anyone has seen something work. The other end is a pigtail that can be closed off completely, but this female USB-C end will obviously need to remain open.

u/DistinctTradition200 — 7 days ago
▲ 3 r/PCB

Anyone know from experience if there is any type of pen or ink that will leave permanent writing? I have used Sharpies and they are very good at leaving writing that is not easily removed, but it can be removed. Eventually I will be etching, but this is where I am at for the next couple months.

u/DistinctTradition200 — 7 days ago

Working through some chain-of-custody questions and curious how others approach this in practice.

For traditional disk imaging, the workflow is well-established — hash on acquisition, hash on verification, document the tool/version, sign it off. But for ephemeral evidence (memory captures, live network sessions, volatile artifacts), I keep running into the same issue: the moment you capture it, the source state is already gone, so you can't re-verify against the original.

A few specific things I'm wondering:

I've seen some discussion around using cryptographic timestamping services for acquisition timestamps, but curious whether that's actually showing up in casework or if it's still mostly theoretical.

Not looking for product pitches, just want to understand current practice.

u/DistinctTradition200 — 8 days ago

Does anyone know what the future of the Q9 plus is?

The Q9 plus split space (not split keyboard), wired, is my keyboard for life right now, or at least that was the plan. I have two and I couldn't imagine life without them. But I am thinking I will need to switch to the Corne, as this model does not seem to have lasting power.

Suggestions?

If I have to go the split keyboard route, I am going with the Corne, as that one won't be taken away from me based on market demand.

u/DistinctTradition200 — 8 days ago

u/DistinctTradition200 — 10 days ago

Credit to u/FEDCONConsulting whose recent post on the past-performance trap got me thinking about this. Their five paths are all correct and probably the right answer for most people. This is a sixth path that worked for me, posted in case it's useful to someone in a similar spot.

The setup: Veteran-owned, technical background, registered the entity (UEI, CAGE, all of it) earlier this year. Standard advice was to chase a small contract or sub on a prime to start building past performance. I went a different direction.

What I did instead:

Spent the registration window building commercial IP and a working product, not bidding. Filed 19 provisional patents on the underlying tech. Stood up the actual infrastructure — backend running in production, public verification endpoint, hash-chained ledger that anyone can audit. Started taking pre-orders from commercial customers.

The bet is that when I do approach a CO or PM, the conversation isn't "please trust a new SDVOSB with no track record." It's "here's a working system that already has commercial traction, owned by a US veteran-owned entity, and here are the patents that say nobody else can do this exact thing."

Why I think this works (when it works):

Past performance gets reframed. Commercial revenue and shipped product is a kind of past performance, even if it's not contract past performance. For agencies buying through simplified acquisition or commercial-item authorities (FAR Part 12), this can be enough.

Patents change the procurement math. If your tech is patent-protected and sole-source-eligible, you're not competing on price against five other shops. You're the only legal path to the capability. That's a different conversation entirely.

You stop being a vendor and start being a capability. COs would rather find a contracting vehicle to buy something that already exists than fund development of something that doesn't.

It's risk-symmetric. If government interest never materializes, you still have a commercial business. If it does, you walk in with leverage.

Why this is not for everyone:

Requires real technical IP. If your business is services or commodity products, this path doesn't exist.

Requires runway. I'm doing this on tight runway and it's been brutal — most people would be smarter to take FEDCONConsulting's advice and sub on a prime.

Patent filings are expensive and the provisionals are only good for 12 months. There's a clock.

"Sole source" is harder to achieve than people think. The patent has to actually read on what you're selling, and the agency has to write justification.

The point isn't that this is the right path. It's that the standard "get past performance any way you can" framing assumes you're trying to be a contractor. If you're building something that's actually novel and patent-defensible, you might be better served being a vendor the government has to come to, rather than a contractor competing for their attention.

Curious if anyone else has gone this route — would love to hear how it played out at the CO conversation stage.

u/DistinctTradition200 — 15 days ago