nanog mailing list archives
Re: South Africa On Lockdown - Coronavirus - Update!
From: Owen DeLong <owen () delong com>
Date: Mon, 23 Mar 2020 18:23:40 -0700
On Mar 23, 2020, at 17:24 , Warren Kumari <warren () kumari net> wrote:

> On Mon, Mar 23, 2020 at 8:03 PM Owen DeLong <owen () delong com> wrote:
>
>> On Mar 23, 2020, at 16:50 , Warren Kumari <warren () kumari net> wrote:
>>
>>> On Mon, Mar 23, 2020 at 6:53 PM Sabri Berisha <sabri () cluecentral net> wrote:
>>>
>>>> Hi,
>>>>
>>>> In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they'd have a small python script which was triggered by a hotkey on my macbook to push "keyboard" input. They did this because the org they were working for would make you use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.
>>>
>>> By that argument, SecurID (and other LCD tokens) are also really insecure. When I worked at AOL we had to use them for almost everything - a bunch of people got together and put their SecurIDs in a grid under a webcam. That way they didn't need to carry them with them - when they needed a token they would open the webcam page, and know that theirs was third down, and fourth across….
>>
>> Not actually, no… SecurID and the others of its ilk have a safety feature in that the number doesn’t change that often. It turns out to be awkward and time-consuming to do what is being done with the YubiKey.
>
> Not if you run it in TOTP mode. Yubikeys support many options - if you choose to use a weak solution, well that's your choice... I guess you could ask them nicely to make a version without the features you don't want to use - or you could just not *use* the features you don't want to use….

I confess I haven’t investigated the implementation details, but is it possible for one to issue YubiKeys to an employee in a secure way with those features disabled? It’s the allowing the employee to make a poor choice not necessarily desired by the employer thing that seems to me is the issue in this case.

>> I agree that this abuse of the YubiKey is more an issue of implementation than the inherent nature of the YubiKey, but the YubiKey does allow this kind of abuse in ways that other tokens don’t facilitate.
>
> That's like saying that cars are worse than bicycles, because cars allow you to drive into things at a more dangerous speed. I mean, yes, but ….

Cars are more dangerous than bicycles, but everything is a matter of balancing tradeoffs. In this case, I’m not sure the YubiKey offers anything over the SecurID to balance that increased hazard.

Owen