Naphex: ;;rate 1 asciilifeform NSA Should make a open OTP Token
gribble: Error: Spurious "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
Naphex: ;;rate 1 asciilifeform NSA Should make a open OTP Token ;]
Naphex: well - a completely open OTP token, with hardware for sale would make a killin'
Naphex: i'd just stop there and request gpg auth :P
Naphex: to just have it on the phone / or cached or who knows what
Naphex: if i have to deliver DH/GPG secret to the client for GAuth
Naphex: asciilifeform: still protecting Gauth secret ruins the whole point
Naphex: you're not handling the private keys since you can just check yubico servers
Naphex: for GAuth you gotta transport the secret to the user
Naphex: i'm not trumpeting yubikey, but i don't know of a better OTP atm
Naphex: guess so, still.. you'd still need the button pressed
Naphex: so yeah they had to tape the button
Naphex: (version 2.4) and found that our attacks do not apply to this improved version.
Naphex: taken measures to mitigate the security issues. We examined an updated firmware
Naphex: Having discovered the security problem, before publication, we contacted the
mike_c: kakobrekla: perfect, thanks.
benkay: i saw something to the effect in the logs.
tbqf i don't in2 drama.
fluffypony: benkay: did you see their reply to my TagPesa questions? they're all shock and horror that I suggested that institutional investors and even casual observers aren't impressed with them
Naphex: which you would need to generate a valid otp
pankkake: unless it signs with the main key
fluffypony: benkay: yeah the whole thing is a joke
pankkake: well, GPG allows you to be partially online
benkay: fluffypony: you missed the conversation where we mocked sfi for just listing a bunch of other people's projects on their havelock page.
jurov: but they must be somehow online for ppl to be able to trade
jurov: thestringpuller: burnside (of btct) trolled coinbr hard, because mpex keys are online
Naphex: don't place maxtrust(TM) on anything though :)
jurov: manual process does have disadvantages, too
jurov: thestringpuller: mpex did lose a few bitcoins due to human errors, don't paint mp as saint
Naphex: but the software is, and there are some yubi software generators around
Naphex: and you don't have to keep the secret keys for it
Naphex: i'd recommend the system over gauth
assbot: [HAVELOCK] [B.MINE] [PAID] 2.70729420 BTC to 7`514 shares, 36030 satoshi per share
Naphex: asciilifeform: i trust them mostly, but the security level is chosen by the client. so if client trusts yubi, then it trusts yubi validation servers
mike_c: mpex actually did lose some investor funds according to rota :)
Naphex: just to make sure they are clean, and no 0 day can travel till the end
Naphex: and they check and validate the protocol and messages before
Naphex: i have stateful firewalls that know the protocol before
Naphex: then server checks signature, then checks otp
benkay: are you just eval'ing those funcalls when you get 'em?
Naphex: OTP - is otp released to the client, by levels email yubikey/gpg/ - whatever
Naphex: signature is hmac-sha256 with secret, from field 1 to uuid
benkay: what does the message look like?
Naphex: everything else gets dunked a long way from there
thestringpuller: because you've audited all 100% of the code you're running
thestringpuller: or they can dump unencrypted memory with a 0 day exploit you have no idea about yet
trust your system completely
Naphex: the most sophisticated attacker, will need user secrets to get whatever they have
thestringpuller: please direct me to another facility of such high standards.
Naphex: thestringpuller: honestly if you have a well designed system, that gets breached and you get ninja'd out of the 10 hotwallet BTC
pankkake: if the machine is really offline even Windows ME should be fine!
Naphex: meanwhile, Joe Giner wants his 0.2 btc that he just bought out now
Naphex: thestringpuller: well that's their privilege
mike_c: hm, JD seems to be down.
thestringpuller: mpex investors have to wait sometimes up to 24 hours for withdrawals
danielpbarron: what's more secure; using a machine that was set up before Bitcoin existed and hasn't been updated since; or a totally fresh install?
Naphex: so you want to sign transactions offline?
thestringpuller: there is an implementation of hot wallets that don't require the key ring to touch the internet
Naphex: even if an attacker gets through mostly everything undetected
Naphex: now the users have that secret, so an intruder couldn't do much without user secrets
Naphex: if the user's OTP is not valid
Naphex: won't accept any messages, whatever the source or trust
Naphex: thestringpuller: there are hot wallets and cold ones
dexX7: ah np, just trying to understand your approach. at which point do you fetch and process incoming information?
thestringpuller: the firewall shouldn't talk to other machines with your "airgapped" software
Naphex: uh, what's that related to?
Naphex: but what i'm thinking is just a notification system for BitcoinD clusters, track txid's, addresses and confirmations
Naphex: i will when there is something working
dexX7: mind to share a link?
Naphex: either that or in reverse, where it connects to an aggregate server, and that just runs pubsub