Re: South Africa On Lockdown - Coronavirus - Update!

[Owen DeLong <owen () delong com>]

> On Mar 23, 2020, at 17:24 , Warren Kumari <warren () kumari net> wrote:
>
> On Mon, Mar 23, 2020 at 8:03 PM Owen DeLong <owen () delong com <mailto:owen () delong com>> wrote:
> > > On Mar 23, 2020, at 16:50 , Warren Kumari <warren () kumari net> wrote:
> > >
> > > On Mon, Mar 23, 2020 at 6:53 PM Sabri Berisha <sabri () cluecentral net> wrote:
> > > > Hi,
> > > >
> > > > In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred 
> > > > tokens during a meeting and save the output in a text file. Then they'd have a small python script which was 
> > > > triggered by a hotkey on my macbook to push "keyboard" input. They did this because the org they were working for 
> > > > would make you use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.
> > >
> > > By that argument, SecureID (and other LCD tokens) are also really
> > > insecure. When I worked at AOL we had to use them for almost
> > > everything - a bunch of people got together and put their secureIDs in
> > > a grid under a webcam. That way they didn't need  to carry them with
> > > them - when they needed a token they would open the webcam page, and
> > > know that theirs was third down, and fourth across….
> >
> > Not actually, no…
> >
> > SecurID and the others of its ilk have a safety feature in that the number doesn’t change that often.
> >
> > It turns out to be awkward and time-consuming to do what is being done with the UBIKEY.
>
> Not if you run it in TOTP mode. Yubikeys support many options - if you
> choose to use a weak solution, well that's your choice...
> I guess you could ask them nicely to make a version without the
> features you don't want to use - or you could just not *use* the
> features you don't want to use….

I confess I haven’t investigated the implementation details, but is it possible for one to issue ubikeys
to an employee in a secure way with those features disabled?

It’s the allowing the employee to make a poor choice not necessarily desired by the employer thing
that seems to me is the issue in this case.

> > I agree that this abuse of the UBI Key is more an issue of implementation than the inherent nature of the
> > UBIKEY, but the UBIKEY does allow this kind of abuse in ways that other tokens don’t facilitate.
>
> That's like saying that cars are worse than bicycles, because cars
> allow you drive into things are a more dangerous speed. I mean, yes,
> but ….

Cars are more dangerous than bicycles, but everything is a matter of balancing tradeoffs.

In this case, I’m not sure the ubikey offers anything over the Secur-ID to balance that increased
hazard.

Owen