security research, software archaeology, geek of all trades
315 stories
7 followers

vongoladodicesimo: sadakotetsuwan: kaytayzombay: showerthoughtsofficial: How important do you...

1 Comment

vongoladodicesimo:

sadakotetsuwan:

kaytayzombay:

showerthoughtsofficial:

How important do you have to be to have been “assassinated” instead of “murdered”?

That is…a good question

If the motivation is political, then it’s assassination. Otherwise it’s murder. You cannot be assassinated by accident.

If a jilted ex murders the Prince of Placeland, it’s just a murder.

If a jilted ex is also a member of a rival political faction, it may be assassination.

If a jilted ex is driving home in tears and accidentally runs over the Prince of Placeland in the middle of the night in a neighborhood where the streetlights are out because of the prince’s questionable infrastructure policy, it’s manslaughter.

Thanks murder side of tumblr

zwol
23 hours ago
There may be a gray area when organized crime is involved, but otherwise this seems sound
Mountain View, CA

The truth has got its boots on: what the evidence says about Mr. Damore’s Google memo

1 Comment and 2 Shares
acdha
2 days ago
Click through for the full 19k words — and hope https://github.com/samuelclay/NewsBlur/issues/755 ships soon — covering Damore's misuse of science in his manifesto.

Feel free to buy Erin a coffee for taking the time to ferret out the original papers behind the anecdotes and reviewing their quality, too. Catching up with a raging Gish Gallop takes a lot more work than starting it:

https://ko-fi.com/tweetingmouse
Washington, DC
zwol
1 day ago
Mountain View, CA

Security Keys

2 Shares

Security Keys are (generally) USB-connected hardware fobs that are capable of key generation and oracle signing. Websites can “enroll” a security key by asking it to generate a public key bound to an “appId” (which is limited by the browser based on the site's origin). Later, when a user wants to log in, the website can send a challenge to the security key, which signs it to prove possession of the corresponding private key. By having a physical button, which must be pressed to enroll or sign, operations can't happen without user involvement. By having the security keys encrypt state and hand it to the website to store, they can be stateless(*) and robust.

(* well, they can almost be stateless, but there's a signature counter in the spec. Hopefully it'll go away in a future revision for that and other reasons.)

The point is that security keys are unphishable: a phisher can only get a signature for their appId which, because it's based on the origin, has to be invalid for the real site. Indeed, a user cannot be socially engineered into compromising themselves with a security key, short of them physically giving it to the attacker. This is a step up from app- or SMS-based two-factor authentication, which only solves password reuse. (And SMS has other issues.)

The W3C standard for security keys is still a work in progress, but sites can use them via the FIDO API today. In Chrome you can load an implementation of that API which forwards requests to an internal extension that handles the USB communication. If you do that, then there's a Firefox extension that implements the same API by running a local binary to handle it. (Although the Firefox extension appears to stop working with Firefox 57, based on reports.)

Google, GitHub, Facebook and Dropbox (and others) all support security keys this way. If you administer a G Suite domain, you can require security keys for your users. (“G Suite” is the new name for Gmail etc on a custom domain.)

But, to get all this, you need an actual security key, and probably two of them if you want a backup. (And a backup is a good idea, especially if you plan on dropping your phone number for account recovery.) So I did a search on Amazon for “U2F security key” and bought everything on the first page of results that was under $20 and available to ship now.

Yubico Security Key

Brand: Yubico, Firmware: Yubico, Chip: NXP, Price: $17.99, Connection: USB-A

Yubico is the leader in this space and their devices are the most common. They have a number of more expensive and more capable devices that some people might be familiar with, but this one only does U2F. The sensor is capacitive, so a light touch is sufficient to trigger it. You'll have no problems with this key, but it is the most expensive of the under $20 set.

Thetis U2F Security Key

Brand: Thetis, Firmware: Excelsecu, Chip: ?, Price: $13.95, Connection: USB-A

This security key is fashioned more like a USB thumb drive. The plastic inner part rotates within the outer metal shell and so the USB connector can be protected by it. The button is in the axis and is clicky, rather than capacitive, but doesn't require too much force to press. If you'll be throwing your security key in bags and worry about damaging them then perhaps this one will work well for you.

A minor nit is that the attestation certificate is signed with SHA-1. That doesn't really matter, but it suggests that the firmware writers aren't paying as much attention as one would hope. (I.e. it's a brown M&M.)

Feitian ePass

Brand: Feitian, Firmware: Feitian, Chip: NXP, Price: $16.99, Connection: USB-A, NFC

This one is very much like the Yubico, just a little fatter around the middle. Otherwise, it's also a sealed plastic body and capacitive touch sensor. The differences are a dollar and NFC support—which should let it work with Android. However, I haven't tested this feature.

I don't know what the opposite of a brown M&M is, but this security key is the only one here that has its metadata correctly registered with the FIDO Metadata Service.

U2F Zero

Brand: U2F Zero, Firmware: Conor Patrick, Chip: Atmel, Price: $8.99, Connection: USB-A

I did bend the rules a little to include this one: it wasn't immediately available when I did the main order from Amazon. But it's the only token on Amazon that has open source firmware (and hardware designs), and that was worth waiting for. It's also the cheapest of all the options here.

Sadly, I have to report that I can't quite recommend it because, in my laptop (a Chromebook Pixel), it's not thick enough to sit in the USB port correctly: Since it only has the “tongue” of a USB connector, it can move around in the port a fair bit. That's true of the other tokens too, but with the U2F Zero, unless I hold it just right, it fails to make proper contact. Since operating it requires pressing the button, it's almost unusable in my laptop.

However, it's fine with a couple of USB hubs that I have and in my desktop computer, so it might be fine for you. Depends how much you value the coolness factor of it being open-source.

KEY-ID FIDO U2F Security Key

Brand: KEY-ID, Firmware: Feitian(?), Chip: ?, Price: $12.00, Connection: USB-A

I photographed this one while plugged in in order to show the most obvious issue with this device: everyone will know when you're using it! Whenever it's plugged in, the green LED on the end is lit up and, although the saturation in the photo exaggerates the situation a little, it really is too bright. When it's waiting for a touch, it starts flashing too.

In addition, whenever I remove this from my desktop computer, the computer reboots. That suggests an electrical issue with the device itself—it's probably shorting something that shouldn't be shorted, like the USB power pin to ground, for example.

While this device is branded “KEY-ID”, I believe that the firmware is done by Feitian. There are similarities in certificate that match the Feitian device and, if you look up the FIDO certification, you find that Feitian registered a device called “KEY-ID FIDO® U2F Security Key”. Possibly Feitian decided against putting their brand on this.

HyperFIDO Mini

Brand: HyperFIDO, Firmware: Feitian(?), Chip: ?, Price: $13.75, Connection: USB-A

By observation, this is physically identical to the KEY-ID device, save for the colour. It has the same green LED too (see above).

However, it manages to be worse. The KEY-ID device is highlighted in Amazon as a “new 2017 model”, and maybe this is an example of the older model. Not only does it cause my computer to reliably reboot when removed (I suffered to bring you this review, dear reader), it also causes all devices on a USB hub to stop working when plugged in. When plugged into my laptop it does work—as long as you hold it up in the USB socket. The only saving grace is that, when you aren't pressing it upwards, at least the green LED doesn't light up.

HyperFIDO U2F Security Key

Brand: HyperFIDO, Firmware: Feitian(?), Chip: ?, Price: $9.98, Connection: USB-A

This HyperFIDO device is plastic so avoids the electrical issues of the KEY-ID and HyperFIDO Mini, above. It also avoids having an LED that can blind small children.

However, at least on the one that I received, the plastic USB part is only just small enough to fit into a USB socket. It takes a fair bit of force to insert and remove it. Also the end cap looks like it should be symmetrical and so able to go on either way around, but it doesn't quite work when upside down.

Once inserted, pressing the button doesn't take too much force, but it's enough to make the device bend worryingly in the socket. It doesn't actually appear to be a problem, but it adds a touch of anxiety to each use. Overall, it's cheap and you'll know it.

Those are the devices that matched my initial criteria. But, sometimes, $20 isn't going to be enough I'm afraid. These are some other security keys that I've ended up with:

Yubikey 4C

Brand: Yubico, Firmware: Yubico, Chip: NXP?, Price: $50 (direct from Yubico), Connection: USB-C

If you have a laptop that only has USB-C ports then a USB-A device is useless to you. Currently your only option is the Yubikey 4C at $50 apiece. This works well enough: the “button” is capacitive and triggers when you touch either of the contacts on the sides. The visual indicator is an LED that shines through the plastic at the very end.

Note that, as a full Yubikey, it can do more than just being a security key. Yubico have a site for that.

Many people lacking USB-A ports will have a Touch Bar, which includes a fingerprint sensor and secure element. One might spy an alternative (and cheaper solution) there. GitHub have published SoftU2F which does some of that but, from what I can tell, doesn't actually store keys in the secure element yet. However, in time, there might be a good answer for this.

Yubikey Nano

Brand: Yubico, Firmware: Yubico, Chip: NXP?, Price: $50 (direct from Yubico), Connection: USB-A

Another $50 security key from Yubico, but I've included it because it's my preferred form-factor: this key is designed to sit semi-permanently inside the USB-A port. The edge is a capacitive touch sensor so you can trigger it by running your finger along it.

It does mean that you give up a USB port, but it also means that you're never rummaging around to find it.

acdha
4 days ago
Washington, DC
zwol
4 days ago
Mountain View, CA

cleo4u2: shieldposts: mylordshesacactus: As a writer, you should try to give your villains...

1 Comment

cleo4u2:

shieldposts:

mylordshesacactus:

As a writer, you should try to give your villains plausible motivations, backstories, etc. A villain is much more interesting if they think they’re the hero of their own story.

As a DM, this is still great advice in theory but in practice you should ABSOLUTELY NEVER DO THIS because your players will discover your villains’ tragic backstory, look at their motivation and find it sound, and end up adopting the villains, going rogue from the Celestial Intervention Agency to avenge the wrongs done said villains and ensure their freedom, accidentally kidnapping the President, and plunging Gallifrey into a civil war.

This is… extremely specific

I love this post

As a DM I can attest to this; it’s not overspecific, this is precisely what they do.

zwol
13 days ago
Trufax.
Mountain View, CA

thatvolyova: mechakitten: usagiyojumbo: stuffmomnevertoldyou: ...

1 Comment

thatvolyova:

mechakitten:

usagiyojumbo:

stuffmomnevertoldyou:

Y’all, Lisa Frank went and made Tarot cards (and Death is a bunny riding a rainbow horse)

@mechakitten

MULTIPLE PEOPLE HAVE TAGGED ME IN THIS
pretty sure DEATH and THE DEVIL are the best cards EVER

um @yukoyaki I feel like either we had this convo or your witchy roommate and I did and… well.
zwol
19 days ago
This is hilarious, and it's even more hilarious if you click through and discover that it's not actually _by_ Lisa Frank, but another artist imitating Lisa Frank's style, and forging Lisa Frank's signature on each piece.

Which makes this... PSEUDO-LISA FRANK.
Mountain View, CA

Bun Alert

5 Comments and 14 Shares
Since buns range from crepuscular to nocturnal, it's recommended that you enable the scheduled "Do Not Disturb" mode on your phone to avoid being woken by alerts about Night Buns.
zwol
19 days ago
/attn @haloedrain
Mountain View, CA
popular
19 days ago
4 public comments
medici
12 days ago
Buns!!!
MaryEllenCG
18 days ago
I want this to be a real thing.
Greater Bostonia
miestasmagnus
19 days ago
🐰💖
alt_text_bot
19 days ago
Since buns range from crepuscular to nocturnal, it's recommended that you enable the scheduled "Do Not Disturb" mode on your phone to avoid being woken by alerts about Night Buns.