South Africa On Lockdown - Coronavirus - Update!

Owen DeLong owen at delong.com
Tue Mar 24 01:23:40 UTC 2020



> On Mar 23, 2020, at 17:24 , Warren Kumari <warren at kumari.net> wrote:
> 
> On Mon, Mar 23, 2020 at 8:03 PM Owen DeLong <owen at delong.com <mailto:owen at delong.com>> wrote:
>> 
>> 
>> 
>>> On Mar 23, 2020, at 16:50 , Warren Kumari <warren at kumari.net> wrote:
>>> 
>>> On Mon, Mar 23, 2020 at 6:53 PM Sabri Berisha <sabri at cluecentral.net> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they'd have a small python script which was triggered by a hotkey on my macbook to push "keyboard" input. They did this because the org they were working for would make you use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.
>>> 
>>> By that argument, SecurID (and other LCD tokens) are also really
>>> insecure. When I worked at AOL we had to use them for almost
>>> everything - a bunch of people got together and put their SecurIDs in
>>> a grid under a webcam. That way they didn't need to carry them with
>>> them - when they needed a token they would open the webcam page, and
>>> know that theirs was third down, and fourth across….
>> 
>> Not actually, no…
>> 
>> SecurID and the others of its ilk have a safety feature in that the number doesn’t change that often.
>> 
>> It turns out to be awkward and time-consuming to do what is being done with the YubiKey.
> 
> Not if you run it in TOTP mode. Yubikeys support many options - if you
> choose to use a weak solution, well that's your choice...
> I guess you could ask them nicely to make a version without the
> features you don't want to use - or you could just not *use* the
> features you don't want to use….
> 

I confess I haven’t investigated the implementation details, but is it possible for one to issue YubiKeys
to an employee in a secure way with those features disabled?

It’s the allowing the employee to make a poor choice not necessarily desired by the employer thing
that seems to me to be the issue in this case.

> 
>> 
>> I agree that this abuse of the YubiKey is more an issue of implementation than the inherent nature of the
>> YubiKey, but the YubiKey does allow this kind of abuse in ways that other tokens don’t facilitate.
> 
> That's like saying that cars are worse than bicycles, because cars
> allow you to drive into things at a more dangerous speed. I mean, yes,
> but ….

Cars are more dangerous than bicycles, but everything is a matter of balancing tradeoffs.

In this case, I’m not sure the YubiKey offers anything over the SecurID to balance that increased
hazard.

Owen
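The thread turns on Warren's point that a YubiKey run in TOTP mode does not have the "pre-generate a few hundred codes in a meeting" weakness, because each code is bound to a 30-second time step. The following is an added illustration of that server-side check, not code from this thread or from Yubico: it implements RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step) with the Python standard library, using the RFC's published test secret, and shows a verifier that accepts a code only within a one-step clock-skew window and never accepts the same time step twice. The `TotpVerifier` class, the `demo_pregenerated_codes` helper and the timestamps are constructed for this example.

```python
import hmac
import hashlib
import struct

# Shared secret from the RFC 4226/6238 test vectors (a published demo value, not a real key).
SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # code length


def totp_code(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time counter floor(unix_time / step)."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Constructed server-side verifier.

    Accepts a code only if it matches the current time step or one step on either
    side (clock skew), and remembers the highest step already used so that a code
    cannot be presented a second time (RFC 6238 section 5.2 recommends this).
    """

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_accepted_counter = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_accepted_counter:
                continue  # this step was already consumed: treat as a replay
            expected = totp_code(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


def demo_pregenerated_codes(secret: bytes, harvest_time: int, use_times: list) -> dict:
    """Generate one code at harvest_time, then try it against a fresh verifier at each
    later time. Returns {seconds_after_harvest: accepted?}."""
    harvested = totp_code(secret, harvest_time)
    results = {}
    for t in use_times:
        results[t - harvest_time] = TotpVerifier(secret).verify(harvested, t)
    return results


if __name__ == "__main__":
    t0 = 1_000_000_000  # constructed epoch timestamp
    # A code harvested now still works within the skew window but not five minutes later.
    print(demo_pregenerated_codes(SECRET, t0, [t0, t0 + 20, t0 + 300]))
    # Even within the window, the same code is rejected the second time it is presented.
    v = TotpVerifier(SECRET)
    code = totp_code(SECRET, t0)
    print(v.verify(code, t0), v.verify(code, t0))
```

The first print shows that a code captured in advance is accepted at +0 s and +20 s (adjacent step, inside the skew window) but rejected at +300 s; the second shows the replay guard. A static OTP list has no such time binding, which is why the two modes behave so differently under the practice described in the thread.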

