log☇︎
88 entries in 0.354s
feedbot: http://qntra.net/2019/06/yubikey-fips-products-suffer-reducted-randomness/ << Qntra -- Yubikey FIPS Products Suffer Reducted Randomness
mircea_popescu: i suppose next someone cracks open one of these fetlifes, can dump the yubikey set this way. tho... very roundabout way of ghoing about things -- could as well just list the privkeys.
mircea_popescu: understand how "yubikey" works : hitlerist website buys a boatload, extracts pub/privkeys, sends to losers.
mircea_popescu: asciilifeform, tedious to get the pubkey out of shit like yubikey tho
asciilifeform: includes ~all 'yubikey' devices, for instance.
mircea_popescu: since the chip you discuss could be made out of extant bitcoin miner + yubikey arrangement, they must both be just as linear
mircea_popescu: kinda what yubikey was/is
mircea_popescu: kinda stopped at yubikey/electrum looselet.
mircea_popescu: apparently my boxes aren't needed, but hell yea roger ver's "money" that doesn't exist is more than welcome. and plox moar yubikey and canonical and if it's not fucking plain yet...
Joshua-I: What's the opinion on pgp smart cards / yubikey around here
ascii_field: like the 'yubikey' turd mtgox shipped ?
mats: > Yubikey NEO (JavaCard OpenPGP) private key operations can be accessed without PIN
pete_dushenski: they're sort of in the 'yubikey' camp of 'blackbox toy crypto that plugs into usb'
mats: .cn sysop uses yubikey at his terminal, "he's using gpg encryption... it'll take me at least a month to crack it... it must be at least a 512 bit key"
asciilifeform: why would anyone use a device such as 'yubikey' for access to a man-portable machine ?
BingoBoingo: asciilifeform: Appears to indeed be a Yubikey
mike_c: "The site broke new ground for security in the space, integrating Yubikey and Google Authenticator"
benkay: yeah but yubikey is turd
joecool: yubikey neo has a javacard port of it, keys limited to 2048bit there
mircea_popescu: fluffypony how is it different from a repurposed yubikey ?
bitcoinpete: asciilifeform: i invited the yubikey kids here for your amusement https://twitter.com/bitcoinpete/status/461633158836789248
decimation: still; why would someone like yubikey watch bob and say "I want me some of that?"
decimation: asciilifeform: I think the RSA keyfob hack demonstrates your point about yubikey perfectly
mircea_popescu: "- The Yubikey personalization app saves a .csv logfile with the programmed key values meaning a malware-based attack may discover the log files on block devices even when the files have been deleted"
mircea_popescu: asciilifeform http://www.unrest.ca/evaluating-the-security-of-the-yubikey
asciilifeform: anyone here own 'yubikey' ? got it to cough up its fw?
artifexd: The code to run a yubikey server is open source so you, I, or anyone is welcome to swap out the key and run their own server.
mircea_popescu: ie, not all keys work, key has to satisfy magic yubikey criteria on top of entropy
mircea_popescu: artifexd> That may, or may not, invalidate the ability to use yubikey's servers though. I don't know. << afaik blowing their key does make it unable to use the servers, because you see, the true beauty of stupidty : they actually narrow the keyspace (significantly) to make their product vendor-lockedin
artifexd: benkay suggested that the yubikey could phone home (or any attacker) with the new contents if it were reloaded. I was questioning that.
artifexd: benkay If the yubikey registers as a keyboard, how can it access the network?
artifexd: That may, or may not, invalidate the ability to use yubikey's servers though. I don't know.
artifexd: If it makes a difference, yubikey's internal slots are client writable.
asciilifeform: Naphex: what i'm trying to get across is that a fellow with yubikey in his pocket is, in fact, 'holding a secret'
Naphex unplugs yubikey out :)
Naphex: i'm not trumpeting yubikey, but i don't know of a better OTP atm
Naphex: asciilifeform: https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2014/02/04/paper_yubikey_sca.pdf apperantly it got sca'd some time ago
Naphex: asciilifeform: are you sugesting DPA could be use in retriving yubikey secret?
asciilifeform: for instance, what measures, if any, against 'differential power analysis' in yubikey?
Naphex: i use a yubikey neo, and i'm pretty happy with it
asciilifeform: gotta ask, what's the basis for trusting 'yubikey' ?
Naphex: OTP - is otp released to the client, by levels email yubikey/gpg/ - whatever
Naphex: now OTP can be, Email / YubiKey -> GPG, Bitcoin signature
asciilifeform: joecool: trying to explain to ninjashogun why a crypto-gizmo like yubikey is fundamentally braindamaged
joecool: Diablo-D3: xray of a yubikey neo i'm guessing
asciilifeform: take your yubikey, etc. and disassemble it
asciilifeform: ninjashogun: homework. determined the cost of, starting with nothing but idle hands, personally determining exactly what your 'yubikey' does.
asciilifeform: one of the things people refuse to understand about 'yubikey' et al is that miniaturization of the keychain/card variety is fundamentally antithetical to genuine security.
joecool: asciilifeform: have you looked at yubikey neo yet?
joecool: asciilifeform: i need to play with the yubikey neo implementation of bip32
Mats_cd03: isnt this inferior compared to yubikey
joecool: i'm using 4096-bit RSA for the forseeable future, but ecdsa seems attractive if i can write a javacard implementation to work on my yubikey neo
Jere_Jones: The yubikey can hold a static password up to 64 characters long. 200+? 4 yubikeys that you have to use in the right order?
pankkake: so… more expensive than a yubikey but only works with mtgox
arij: does anyone know how to add a yubikey to btct.co
freeroute: but the only safe alternative is to buy a Yubikey (= spending moneys)
dexX7_: a new yubikey can be used without restrictions
arij: can i just buy a new yubikey? are they easy to set up?
arij: can i use my mtgox yubikey at other places such as btc-tc
pankkake: however there are other uses of a yubikey: https://www.yubico.com/2012/12/yubikey-neo-openpgp/ http://undeadly.org/cgi?action=article&sid=20130616112437
Duffer1: why yubikey if you already google auth?
Rulother_: Do any of you use Yubikey?
kakobrekla: i have yubikey
jborkl: Hey guys, lets play hide the Yubikey OK, not gay or anything this is for national security
jborkl: there are only so many places to hide your Yubikey in the Sauna
mircea_popescu: anyway, as you say. mtgox does not talk to yubikey, it talks to teh computor.
asciilifeform: someone should sit with the chump, and patiently explain that mtgox doesn't talk to your yubikey. it talks to your idiot consumer pc that happens to have a yubikey plugged in, and a display that can output whatever your new owner wants it to.
asciilifeform: so it is entirely conceivable that a yubikey-enabled gox diddler exists but has managed to infect only paupers
asciilifeform: mircea_popescu: you evil tempter, you just made me want to transfer btc to mtgox just to buy their yubikey.
MJR__: yubikey to trade or transfer?
jborkl: That is why I use 2fa and a yubikey
kakobrekla: i forgot my yubikey at home
jborkl: hen I signed up(right after the hack) they gave me a free yubikey- free shipping
jurov: as you issued the yubikey
jurov: yubikey creates a pseudorandom string and you know what the strign is going to be, no?
MJR_III: i still think that you could use the yubikey method
MJR_III: you know how yubikey or any of those authenticators work?
Anduck: mtgox charges 30 usd for yubikey
ZedsterX: Mt.gox yubikey only works for them
Anduck: do you get free yubikey from mtgox?
nefario1: it runs through yubikey
usagi: send with yubikey, etc.
usagi: Sign in with a yubikey
nefario: ill add yubikey next month
usagi: As soon as GLBSE replaces the submit acttion button with a yubikey textarea I will be able to sleep at night
usagi: I'm planning on giving customers of hotwallet a free yubikey
usagi: I'm working on a non-yubikey + password and/or google auth login
usagi: mircea do you have a yubikey?