South Africa On Lockdown - Coronavirus - Update!

Warren Kumari warren at kumari.net
Mon Mar 23 23:50:48 UTC 2020


On Mon, Mar 23, 2020 at 6:53 PM Sabri Berisha <sabri at cluecentral.net> wrote:
>
> Hi,
>
> In my experience, YubiKeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they'd have a small Python script which was triggered by a hotkey on my MacBook to push "keyboard" input. They did this because the org they were working for would make you use YubiKey auth for pretty much everything, including updating a simple internal Jira ticket.

By that argument, SecurID (and other LCD tokens) are also really
insecure. When I worked at AOL we had to use them for almost
everything - a bunch of people got together and put their SecurIDs in
a grid under a webcam. That way they didn't need to carry them with
them - when they needed a token they would open the webcam page, and
know that theirs was third down, and fourth across....

W

>
> Thanks,
>
> Sabri
>
>
> ----- On Mar 23, 2020, at 1:26 PM, Eric Tykwinski <eric-list at truenet.com> wrote:
>
> I’ve already been playing with YubiKeys, but sadly Google Titan wouldn't work with Windows Hello.
> Might be something I was doing wrong...
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
> On Mar 23, 2020, at 4:21 PM, Peter Beckman <beckman at angryox.com> wrote:
>
> Software-based TOTP offers more security than no one-time passwords, but
> admittedly less than the physical tokens. Google Authenticator, Authy,
> 1Password, LastPass all support TOTP.
>
> On Mon, 23 Mar 2020, Alexandre Petrescu wrote:
>
> I don't know where people are about supporting VPN and one-time passwords on tokens.
>
> At my work place a few people don't have tokens (OTP - One Time Passwords). The reserve of these tokens has been exhausted. New ones are on order. Until then some people can't get on VPN.
>
> Some people forgot their token on their desk and had to travel to the office to get it, which is not a good thing to do now.
>
> Some (not sure) might have issues with syncing these devices. An OTP token has a certain clock skew, and a battery that lasts long. Hopefully, one's token has been synchronised recently and the battery is new. The length of time one can't go to the office might be anywhere between 21 days (announced) and 2 months (experience, e.g., in Wuhan, still closed). Sometimes the syncing of the clock can be performed remotely, and some 'coin' batteries can be replaced by a person with skill and tools, and could be extracted from a quartz watch, for example.
>
> An OTP device can be of many kinds. Some people keep OTPs on paper (I did some time ago). Some OTP devices are in a Japanese 'Tamagotchi' format, others in a credit card format.
>
> Alex, LF/HF 3
>
> On 23/03/2020 at 20:47, Mark Tinka wrote:
>
> On 23/Mar/20 21:20, Peter Beckman wrote:
>
> But also:
>
>     "The categories of people who will be exempted from this lockdown
>      are... those involved in the production, distribution and supply
>      of... telecommunications services"
>
>     https://www.cnbcafrica.com/news/2020/03/23/breaking-nationwide-lockdown-announced-in-south-africa/
> I think most anyone on this list could be considered exempt.
> I do hope the same will be true should our respective local and national
> governments take similar action.
>
> Yes, a number of "essential services" have been identified as needing to
> continue to operate under special dispensation during the lockdown, and
> telecoms falls within that.
> The details of the implementation of the dispensation may be nuanced.
> Experience will tell us more in the coming days.
> Mark.
>
>
>
> ---------------------------------------------------------------------------
> Peter Beckman                                                  Internet Guy
> beckman at angryox.com                                 http://www.angryox.com/
> ---------------------------------------------------------------------------
>
>
>


-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


