• Yubikey

    From Sean Dennis@618:618/1 to All on Tue Jun 8 18:12:25 2021
    Hi everyone,

    I have thought about using a Yubikey for limiting root access to my BBS
    server. Are any of you using a Yubikey or something similar? I know that Slackware supports the use of a Yubikey via third-party software.

    If you're using one, what do you think about it?

    Thanks,
    Sean


    --- MBSE BBS v1.0.7.22 (GNU/Linux-x86_64)
    * Origin: Outpost BBS * Micronet World HQ (618:618/1)
  • From thecivvie@618:500/14 to Sean Dennis on Wed Jun 9 00:33:54 2021
    Sean Dennis wrote to All <=-

    Hi everyone,

    I have thought about using a Yubikey for limiting root access to my BBS server. Are any of you using a Yubikey or something similar? I know
    that Slackware supports the use of a Yubikey via third-party software.

    If you're using one, what do you think about it?

    I use Yubikey and do as you say, using Ubuntu and Mate. And as a 2FA for social media etc. Love the keys. Got 3. I would recommend buying 2 so in case you lose one, you have a backup.

    Sean


    ... tcob1: telnet and http tcob1.duckdns.org

    --- BBBS/Li6 v4.10 Toy-4
    * Origin: TCOB1 at tcob1.duckdns.org BinkP (618:500/14)
  • From Warpslide@618:500/23 to Sean Dennis on Tue Jun 8 20:07:26 2021
    On 08 Jun 2021, Sean Dennis said the following...

    I have thought about using a Yubikey for limiting root access to my BBS server. Are any of you using a Yubikey or something similar? I know
    that Slackware supports the use of a Yubikey via third-party software.

    If you're using one, what do you think about it?

    I have a few Yubikeys. All USB A and two that support NFC.

    I don't use any of them. I love the idea, and for about a month I had them set up on every account that supports them. Gmail, Facebook, my domain registrar and DNS provider & even a WordPress site that I used to run.

    Some services let you check a box to "don't ask me again on this device"
    while others may have "don't ask me again for 30 days" which I quite like.

    If I've logged in from that device, chances are it's safe.

    I guess the problem is, I kept the yubikey on my keychain. So it's 8pm on
    some random Wednesday and you want to log into your webmail & then you're greeted with "press the button on your yubikey to continue". Now you have to get off the couch, go to the front door & grab your keys, walk back to your laptop, insert the yubikey & press the button, then walk back to the front
    door to put your keys back so that you're not looking for them in a panic the next morning.

    All-in-all, a very 1st-world problem that after a while just made it not worth it for me. I use Google Authenticator for everything that supports it, that way I can just grab my phone which is usually with me to enter the codes, or even use a desktop client that also supports TOTP codes if you don't want to use your phone.

    I've used tutorials for Debian/Ubuntu for adding Google Auth support to SSH, Slackware may support it as well:

    https://ubuntu.com/tutorials/configure-ssh-2fa#1-overview

    Maybe if you usually log into your server from the same computer and had the Yubikey handy at that computer the experience may be better.


    Jay

    --- Mystic BBS v1.12 A46 2020/08/26 (Raspberry Pi/32)
    * Origin: Northern Realms (618:500/23)
  • From August Abolins@618:250/1.9 to Warpslide on Wed Jun 9 00:04:00 2021
    Hello Warpslide!

    ** On Tuesday 08.06.21 - 20:07, Warpslide wrote to Sean Dennis:

    ...Now you have to get off the couch, go to the front door
    & grab your keys, walk back to your laptop, insert the
    yubikey & press the button, then walk back to the front
    door to put your keys back so that you're not looking for
    them in a panic the next morning.

    Is that a key fob for keyless entry? If so, then you shouldn't
    keep one of those near the door at all. Just wondering, 'cuz
    you mentioned that you have a new car, and I would imagine that
    some new cars offer keyless start.

    There was a very cool YT video of a seminar where a fellow
    demo'd how *any* key fob signal can be compromised. It's
    astonishing how poor the security (ie. no encryption) is for
    those things.

    --
    ../|ug

    --- OpenXP 5.0.50
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From Warpslide@618:500/23 to August Abolins on Wed Jun 9 09:35:58 2021
    On 09 Jun 2021, August Abolins said the following...

    Is that a key fob for keyless entry? If so, then you shouldn't
    keep one of those near the door at all. Just wondering, 'cuz
    you mentioned that you have a new car, and I would imagine that
    some new cars offer keyless start.

    There was a very cool YT video of a seminar where a fellow
    demo'd how *any* key fob signal can be compromised.

    That's why I also have this fancy schmancy Faraday Box:

    https://www.amazon.ca/Faraday-FOXNSK-Leather-Blocker-Anti-Theft/dp/B088TNWG1N

    I even tested it in a couple of ways. Walking up to my car with the keys in the box & the doors wouldn't unlock.

    Opened the box and got in the car & then closed the box again. Pressed the button to start the car and the dash says "No Key Detected". Opened the box and started the car, then closed the box again. After about 30 seconds the
    "No Key Detected" message came back and wouldn't let me shift out of park.

    I also tried it with the Apple AirTag (bluetooth tracker) on my keys. With
    my keys in the box, my phone cannot find the tag at all. They can't be
    located or receive the signal to play a sound. Here's where it gets interesting: If I unlatch the box but keep the box closed, the AirTag will receive the signal to play a sound, but still can't be located. So I suspect the latch plays a role in either completing the cage or just holding the box closed tight enough for the protection to work.

    Either way, it's a neat little box that kept me amused for about 45 minutes testing various scenarios.

    It's astonishing how poor the security (ie. no encryption) is for
    those things.

    Depending on the method used, a lot of these are just amplifying/relaying the signal from the FOB. So it is encrypted between the car & FOB, it's just receiving some help extending the range between the two.

    There was another one I saw where someone could capture the signal over the
    air to unlock the doors and "replay" it as many times as they wanted to unlock a car. THAT is just poor design!


    Jay

    --- Mystic BBS v1.12 A46 2020/08/26 (Raspberry Pi/32)
    * Origin: Northern Realms (618:500/23)
  • From Kurt Weiske@618:300/1 to Sean Dennis on Wed Jun 9 08:22:00 2021
    Sean Dennis wrote to All <=-

    I have thought about using a Yubikey for limiting root access to my BBS server. Are any of you using a Yubikey or something similar? I know
    that Slackware supports the use of a Yubikey via third-party software.

    While hardware 2FA is pretty nifty, I'd think that SSH keys would be sufficient.


    ... Am I any closer to finding what I'm looking for?
    --- MultiMail/DOS v0.52
    * Origin: realitycheckBBS.org -- information is power. (618:300/1)
  • From Kurt Weiske@618:300/1 to Warpslide on Wed Jun 9 08:23:00 2021
    Warpslide wrote to Sean Dennis <=-

    All-in-all, a very 1st-world problem that after a while just made it not worth it for me. I use Google Authenticator for everything that
    supports it, that way I can just grab my phone which is usually with me
    to enter the codes, or even use a desktop client that also supports
    TOTP codes if you don't want to use your phone.

    I've used Authy, it lets you back up the keys on its Android client and it syncs with a desktop client.


    ... Am I any closer to finding what I'm looking for?
    --- MultiMail/DOS v0.52
    * Origin: realitycheckBBS.org -- information is power. (618:300/1)
  • From Sean Dennis@618:618/1 to thecivvie on Wed Jun 9 01:35:29 2021
    thecivvie wrote to Sean Dennis <=-

    I use Yubikey and do as you say, using Ubuntu and Mate. And as a 2FA
    for social media etc. Love the keys. Got 3. I would recommend buying 2
    so in case you lose one, you have a backup

    Good and glad it works for you ... and a good idea having multiple backups. Something I didn't consider.

    Later,
    Sean

    ... A verbal contract isn't worth the paper it's written on.
    --- MultiMail/Linux
    * Origin: Outpost BBS * Micronet World HQ (618:618/1)
  • From Sean Dennis@618:618/1 to Warpslide on Wed Jun 9 01:42:23 2021
    Warpslide wrote to Sean Dennis <=-

    Maybe if you usually log into your server from the same computer and
    had the Yubikey handy at that computer the experience may be better.

    I'm usually on my workstation to get to the server (which is on the floor
    next to me). I keep my keys in a valet on my nightstand which is less than
    a foot behind me; I just turn around and grab them ... which is why I was thinking about having a Yubikey.

    Thanks for your thoughts ... appreciate it.

    I found the following blog post and it looks like supporting Yubikeys in Slackware is pretty straightforward:

    https://tinyurl.com/mw7xv933 (blog.edie.io)

    I took a look in SlackBuilds (a third-party package repo for Slackware) and there's a few pieces of software that will allow easy personalization of a Yubikey. When I get the money to buy one, I'll try it out.

    Later,
    Sean

    ... Brevity is the soul of lingerie. -- Dorothy Parker
    --- MultiMail/Linux
    * Origin: Outpost BBS * Micronet World HQ (618:618/1)
  • From Sean Dennis@618:618/1 to August Abolins on Wed Jun 9 01:48:24 2021
    August Abolins wrote to Warpslide <=-

    Is that a key fob for keyless entry? If so, then you shouldn't
    keep one of those near the door at all. Just wondering, 'cuz
    you mentioned that you have a new car, and I would imagine that
    some new cars offer keyless start.

    From Wikipedia (https://en.wikipedia.org/wiki/YubiKey):

    "The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords, public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO
    Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated
    by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords. Both Google and Facebook use Yubikey devices to secure employee accounts as well as end user accounts.
    Some password managers support YubiKey. Yubico also manufactures the
    Security Key, a similar lower cost device with only FIDO/U2F support."

    With the hundreds of passwords I use and my server(s), a Yubikey would be a
    big help for me.

    Later,
    Sean

    ... Santa's elves are just a bunch of subordinate Clauses.
    --- MultiMail/Linux
    * Origin: Outpost BBS * Micronet World HQ (618:618/1)
  • From Sean Dennis@618:618/1 to Kurt Weiske on Wed Jun 9 12:14:28 2021
    Kurt Weiske wrote to Sean Dennis:

    While hardware 2FA is pretty nifty, I'd think that SSH keys would be sufficient.

    It's not just SSH keys that I'm thinking about; it's the ability to keep
    all of my passwords with me at all times and not just for my own equipment.

    I also want to use 2FA with various websites that a SSH key will not work
    with (I'd rather carry around a Yubikey than depend on this POS cell phone
    I have and Google Authenticator).

    In my case, if it wasn't for everything else I want, SSH keys would be sufficient.

    Later,
    Sean



    --- MBSE BBS v1.0.7.22 (GNU/Linux-x86_64)
    * Origin: Outpost BBS * Micronet World HQ (618:618/1)
  • From Arelor@618:250/24 to Kurt Weiske on Wed Jun 9 17:23:32 2021
    Re: Re: Yubikey
    By: Kurt Weiske to Sean Dennis on Wed Jun 09 2021 08:22 am

    Sean Dennis wrote to All <=-

    I have thought about using a Yubikey for limiting root access to my BBS server. Are any of you using a Yubikey or something similar? I know that Slackware supports the use of a Yubikey via third-party software.

    While hardware 2FA is pretty nifty, I'd think that SSH keys would be sufficient.


    ... Am I any closer to finding what I'm looking for?

    It depends on the application, but pretty much this.

    When you enable 2nd Factor Authentication in a _small_ firm, user support tickets SKYROCKET because everybody and their grandmother eventually manages to lose, corrupt or have their 2nd Factor Auth device stolen.

    There was a cryptocoin exchange that started charging a fee for solving 2FA issues because they were badly overloaded.

    2FA is also causing me lots of headaches in e-commerce because many users can't figure it out and get credit card payments authorized.

    In my opinion, small users are better served with a single user-password pair and some anti-bruteforce technique, such as temporarily disabling users with an excess of failed logins. This has other issues (it makes your services DoSable if you are not careful) but it seems to be less of a problem in the wild than the 2FA apocalypse.

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.14-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
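
Added example (not from the thread and not any poster's code): Arelor's caveat that lockouts can make a service DoSable, shown by comparing an account-wide lockout with a throttle keyed on account plus source address. The class names, thresholds and addresses are assumptions made up for this illustration.

```python
from collections import defaultdict

FREE_ATTEMPTS = 5     # failures tolerated before any lock (assumed value)
BASE_LOCK = 30.0      # first lock duration in seconds (assumed value)
MAX_LOCK = 3600.0     # upper bound on a single lock (assumed value)


class AccountLockout:
    """Naive policy: enough failures disables the account for every source."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def allowed(self, account, source, now):
        return now >= self.locked_until.get(account, 0.0)

    def record_failure(self, account, source, now):
        self.failures[account] += 1
        if self.failures[account] >= FREE_ATTEMPTS:
            self.locked_until[account] = now + BASE_LOCK

    def record_success(self, account, source):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


class PairThrottle:
    """Lock only the (account, source) pair; each further failure doubles the lock.

    Limitation: guesses spread over many source addresses are not slowed by
    this alone, so a service would still want an overall rate limit.
    """

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def allowed(self, account, source, now):
        return now >= self.locked_until.get((account, source), 0.0)

    def record_failure(self, account, source, now):
        key = (account, source)
        self.failures[key] += 1
        extra = self.failures[key] - FREE_ATTEMPTS
        if extra >= 0:
            lock = min(BASE_LOCK * (2 ** extra), MAX_LOCK)
            self.locked_until[key] = now + lock

    def record_success(self, account, source):
        key = (account, source)
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def attempt(policy, account, source, password_ok, now):
    """Return 'locked', 'denied' or 'ok' for one login attempt at time `now`."""
    if not policy.allowed(account, source, now):
        return "locked"
    if password_ok:
        policy.record_success(account, source)
        return "ok"
    policy.record_failure(account, source, now)
    return "denied"


def simulate(policy):
    """Constructed scenario: one address fails 8 logins as 'sysop' (one per
    second), then the real sysop logs in from a different address."""
    noisy, owner = "203.0.113.7", "198.51.100.20"  # documentation address ranges
    results = [attempt(policy, "sysop", noisy, False, float(t)) for t in range(8)]
    owner_result = attempt(policy, "sysop", owner, True, 8.0)
    return results, owner_result


if __name__ == "__main__":
    for policy in (AccountLockout(), PairThrottle()):
        results, owner_result = simulate(policy)
        print(type(policy).__name__, results, "owner:", owner_result)
```

With the account-wide policy the owner is locked out by someone else's failures; with the pair-keyed policy only the failing address is held off.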
  • From Arelor@618:250/24 to Sean Dennis on Wed Jun 9 17:26:37 2021
    Re: Re: front door & grab your keys
    By: Sean Dennis to August Abolins on Wed Jun 09 2021 01:48 am

    August Abolins wrote to Warpslide <=-

    Is that a key fob for keyless entry? If so, then you shouldn't
    keep one of those near the door at all. Just wondering, 'cuz
    you mentioned that you have a new car, and I would imagine that
    some new cars offer keyless start.

    From Wikipedia (https://en.wikipedia.org/wiki/YubiKey):

    "The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords, public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords. Both Google and Facebook use Yubikey devices to secure employee accounts as well as end user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower cost device with only FIDO/U2F support."

    With the hundreds of passwords I use and my server(s), a Yubikey would be a big help for me.

    Later,
    Sean

    ... Santa's elves are just a bunch of subordinate Clauses.

    Also worth mentioning is the Nitrokey in this context. I feel like buying one so I can write a review. Not that I am very fond of these things for regular users.

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.14-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From Arelor@618:250/24 to Sean Dennis on Wed Jun 9 17:31:32 2021
    Re: Re: Yubikey
    By: Sean Dennis to Kurt Weiske on Wed Jun 09 2021 12:14 pm

    Kurt Weiske wrote to Sean Dennis:

    While hardware 2FA is pretty nifty, I'd think that SSH keys would be sufficient.

    It's not just SSH keys that I'm thinking about; it's the ability to keep
    all of my passwords with me at all times and not just for my own equipment.

    I also want to use 2FA with various websites that a SSH key will not work with (I'd rather carry around a Yubikey than depend on this POS cell phone
    I have and Google Authenticator).

    In my case, if it wasn't for everything else I want, SSH keys would be sufficient.

    Later,
    Sean

    I personally keep my passwords stored in a password manager hosted in a personal server. That way I can access my passwords from any computer on which I have the SSH keys required to access the server.

    I take care of having the SSH keys only on computers I trust completely and this means the passwords are only used from computers I trust completely.

    This also means I cannot fall into temptation and access my email from my crappy, untrusted smartphone on a whim, and I am forced to sit down at a proper workstation with Full Disk Encryption, integrity databases et al., in order to access sensitive information.

    For the morbidly curious, most of what qualifies as "sensitive information" are actually short stories and horse wallpapers XD


    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.14-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From Sean Dennis@618:618/1 to Arelor on Wed Jun 9 19:23:56 2021
    Arelor wrote to Sean Dennis:

    For the morbidly curious, most of what qualifies as "sensitive information" are
    actually short stories and horse wallpapers XD

    Unless it's GPG-encrypted email, I don't care. Email is inherently insecure and I'm not going through hoops to use it. If I am worried about it, I'll
    use my GPG setup on my workstation. Otherwise, let the powers that be read
    my email. I lost my right to privacy when I joined the Army 26 years ago.

    -- Sean



    --- MBSE BBS v1.0.7.22 (GNU/Linux-x86_64)
    * Origin: Outpost BBS * Micronet World HQ (618:618/1)
  • From Sean Dennis@618:618/1 to Arelor on Wed Jun 9 19:30:49 2021
    Arelor wrote to Sean Dennis:

    Also worth mentioning is the Nitrokey in this context. I feel like buying one
    so I can write a review. Not that I am very fond of these things for regular
    users.

    As you have mentioned, 2FA is overkill for a majority of users. For more advanced users and system administrators (which is most of us in BBSing
    these days), 2FA can be a good idea. I was just considering a Yubikey for reasons I've explained before. I also like to use my laptop at the public library and using a Yubikey is just an additional layer of security (I think
    of it much like a smart card) for me.

    -- Sean


    --- MBSE BBS v1.0.7.22 (GNU/Linux-x86_64)
    * Origin: Outpost BBS * Micronet World HQ (618:618/1)
  • From Sean Dennis@618:618/1 to Arelor on Wed Jun 9 19:33:19 2021
    Arelor wrote to Sean Dennis:

    I personally keep my passwords stored in a password manager hosted in a personal server. That way I can access my passwords from any computer on which
    I have the SSH keys required to access the server.

    I use my laptop a lot in areas where Internet access is not available or I
    do not trust it enough to use it in a secure method hence the use of a
    Yubikey. I do have NordVPN that I can use for access but sometimes I just don't want to deal with it.

    -- Sean



    --- MBSE BBS v1.0.7.22 (GNU/Linux-x86_64)
    * Origin: Outpost BBS * Micronet World HQ (618:618/1)
  • From August Abolins@618:250/1.9 to Warpslide on Wed Jun 9 18:39:00 2021
    Hello Warpslide!

    ** On Wednesday 09.06.21 - 09:35, Warpslide wrote to August Abolins:

    That's why I also have this fancy schmancy Faraday Box:

    https://www.amazon.ca/Faraday-FOXNSK-Leather-Blocker-Anti-Theft/dp/B088TNWG1N

    You could have probably built your own by lining the inside of
    a box (and a lid) with tin-foil or the duct tape that is used
    to seal heating ducts.

    I did something exactly like that by inserting a layer of
    folded tin foil in my wallet, and the touchless/proximity POS
    did not pick up on any cards.

    But, by then I had already ordered a fine (inexpensive) RFID
    shielded wallet.

    ...Opened the box and started the car, then closed the box
    again. After about 30 seconds the "No Key Detected"
    message came back and wouldn't let me shift out of park.

    Yes.. the keyless ignition fobs emit a signal constantly. The
    batteries in those things probably need more frequent changes
    than the typical fob then?

    Ok.. so if the key is in the ignition, does it still emit? I
    would hope that the emitter is disabled, otherwise the signal
    is broadcast to anyone passing you on the highway.

    What about the scenario when the keys are in your pocket and
    you're out doing shopping? Or.. does a proper "exposure" of
    the fob signal only work when it is within comms range of the
    car?

    ...Here's where it gets interesting: If I unlatch the box
    but keep the box closed, the AirTag will receive the signal
    to play a sound, but still can't be located. So I suspect
    the latch plays a role in either completing the cage or
    just holding the box closed tight enough for the protection
    to work.

    That *is* interesting. So.. if the lid is tightly closed, but
    unlatched, then some signal still leaks?

    Either way, it's a neat little box that kept me amused for
    about 45 minutes testing various scenarios.

    Sounds like it! Thanks for the Consumer Report!

    ..So it is encrypted between the car & FOB, it's
    just receiving some help extending the range between the two.

    Not according to the fellow who was able to hack fob and
    garage-door opener signals. Most fob signals emit a pattern of
    serial numbers that are easy to figure out.

    There was another one I saw where someone could capture the
    signal over the air to unlock the doors and "replay" it as
    many times as they wanted to unlock a car. THAT is just
    poor design!

    That one sounds like a first-generation fob. Stupid engineers!
    Or, most likely penny-pinching project managers.



    --
    ../|ug

    --- OpenXP 5.0.50
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From August Abolins@618:250/1.9 to Sean Dennis on Wed Jun 9 18:55:00 2021
    Hello Sean Dennis!

    ** On Wednesday 09.06.21 - 01:48, Sean Dennis wrote to August Abolins:

    From Wikipedia (https://en.wikipedia.org/wiki/YubiKey):

    [...]

    With the hundreds of passwords I use and my server(s), a
    Yubikey would be a big help for me.

    Hundreds? Really?

    I'd be afraid that such a yubikey device gets electrically
    compromised, or lost. I've developed apparently "dead" usb
    thumb drives at the least convenient moments. I've also lost a
    couple of usb drives detaching from my key chain.

    I've come up with a formula for most sites that I need to
    access with a password based on the sitenames. That way my
    "yubikey" is in my head, and I can always figure out the
    password based on the formula. I actually have 3 different
    formulas depending on how many syllables are in the sitename or
    how many distinct words are part of the company name.

    For inconsequential sites, I let my browser remember them.
    --
    ../|ug

    --- OpenXP 5.0.50
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From Sean Dennis@618:618/1 to August Abolins on Wed Jun 9 22:36:16 2021
    August Abolins wrote to Sean Dennis:

    Hundreds? Really?

    Yes, hundreds. Close to 400 passwords, actually. Once I get a Yubikey set
    up, I will be modifying all of those passwords except a couple to random passwords.

    I'd be afraid that such a yubikey device gets electrically compromised, or lost. I've developed apparently "dead" usb
    thumb drives at the least convenient moments. I've also lost a
    couple of usb drives detaching from my key chain.

    That's why you have multiple Yubikeys, much like Sean Rima does. You never just have a single device. You -always- have redundancy (and backups).

    I've come up with a formula for most sites that I need to
    access with a password based on the sitenames. That way my
    "yubikey" is in my head, and I can always figure out the
    password based on the formula. I actually have 3 different
    formulas depending on how many syllables are in the sitename or
    how many distinct words are part of the company name.

    When you've had two massive concussions and permanent "brain fog" from
    chronic illness and the medications to treat them, you learn not to trust
    your memory. I have enough trouble remembering how to get dressed at times
    ... though working on the BBS is not too difficult (probably "muscle memory"
    if anything after 25 years).

    For inconsequential sites, I let my browser remember them.

    I do that also.

    -- Sean


    --- MBSE BBS v1.0.7.22 (GNU/Linux-x86_64)
    * Origin: Outpost BBS * Micronet World HQ (618:618/1)
  • From thecivvie@618:500/14 to Sean Dennis on Thu Jun 10 10:46:04 2021
    Sean Dennis wrote to thecivvie <=-

    thecivvie wrote to Sean Dennis <=-

    I use Yubikey and do as you say, using Ubuntu and Mate. And as a 2FA
    for social media etc. Love the keys. Got 3. I would recommend buying 2
    so in case you lose one, you have a backup

    Good and glad it works for you ... and a good idea having multiple backups. Something I didn't consider.

    I had one backup before and dropped the macbook air which landed on the key and made bits of it. Thankfully the spare allowed me in and also able to reset when I added 2 keys as spare. Macbook was saved by the Yubico key literally :)

    Sean


    ... tcob1: telnet and http tcob1.duckdns.org

    --- BBBS/Li6 v4.10 Toy-4
    * Origin: TCOB1 at tcob1.duckdns.org BinkP (618:500/14)
  • From Warpslide@618:500/23 to August Abolins on Thu Jun 10 09:25:36 2021
    On 09 Jun 2021, August Abolins said the following...

    I did something exactly like that by inserting a layer of
    folded tin foil in my wallet, and the touchless/proximity POS
    did not pick up on any cards.

    I bought a stainless steel wallet which I actually quite liked. It was supposed to block RFID signals as well, but I never tested it. The problem
    was the corners were kind of sharp and scratched the hell out of the screen
    on my phone!

    Yes.. the keyless ignition fobs emit a signal constantly. The
    batteries in those things probably need more frequent changes
    than the typical fob then?

    It's just a CR2032 battery, which Ford says *should* last 3 to 4 years. The other half has a Honda Civic & had to replace the battery after 2 years.

    Ok.. so if the key is in the ignition, does it still emit? I
    would hope that the emitter is disabled, otherwise the signal
    is broadcast to anyone passing you on the highway.

    The FOB just has to be inside the cabin, there isn't anywhere to insert it. Mostly for me it's either in my pocket or I throw it in the cup holder.

    And the FOB needs to be in the cabin the entire time you're driving,
    otherwise the car will just come to a stop. So I don't know if it constantly broadcasts or just beacons from time-to-time.

    That *is* interesting. So.. if the lid is tightly closed, but
    unlatched, then some signal still leaks?

    Seems to be the case. That being said, I didn't test it too thoroughly. It's possible the box wasn't tightly closed with the latch open, but I'm not too worried. When we're home, our keys are in the box with the latch closed.

    Another thing I read was people keeping their keys in the microwave. I put
    my keys in there and I was still able to communicate with my bluetooth
    tracker. So either I have a really crappy microwave that leaks radiation or that faraday cage only blocks microwaves & not bluetooth?

    Not according to the fellow who was able to hack fob and
    garage-door opener signals. Most fob signals emit a pattern of
    serial numbers that are easy to figure out.

    I found this online from 2019:

    "The new system uses a sleep mode that sends the fob to sleep if it remains motionless for 40 seconds and wakes it up once it detects movement and is within 6.5m of the car."

    So it sounds like I may not need the faraday box for when I'm home, though
    I'll use it anyway.

    As for walking about, it sounds like the FOB sleeps until it's within range of the car, so walking around the grocery store should be safe. There are also faraday pouches you can buy, but I doubt I'll go that far.


    Jay

    --- Mystic BBS v1.12 A46 2020/08/26 (Raspberry Pi/32)
    * Origin: Northern Realms (618:500/23)
  • From Sean Dennis@618:618/1 to thecivvie on Thu Jun 10 10:03:06 2021
    thecivvie wrote to Sean Dennis:

    I had one backup before and dropped the macbook air which landed on the
    key and made bits of it. Thankfully the spare allowed me in and also able to reset when I added 2 keys as spare. Macbook was saved by the Yubico key literally :)

    That's what I'm talking about. I'd even keep a Yubikey in my safe just in case.

    -- The Other Sean



    --- MBSE BBS v1.0.7.22 (GNU/Linux-x86_64)
    * Origin: Outpost BBS * Micronet World HQ (618:618/1)
  • From Warpslide@618:500/23 to August Abolins on Thu Jun 10 10:41:54 2021
    On 09 Jun 2021, August Abolins said the following...

    With the hundreds of passwords I use and my server(s), a
    Yubikey would be a big help for me.

    Hundreds? Really?

    I've used a password manager for several years & have accumulated just over 400 items in mine.

    Just scrolling through, it's a lot of "dumb" things like random websites
    where you need to create an account to order something or to leave a comment.

    Other things are more important like my Gmail account. For most of my
    accounts I don't know my password. I've used my password manager to generate the password and it's stored in there.

    I'd be afraid that such a yubikey device gets electrically compromised, or lost.

    That's where account recovery comes in. If you forget your password you can reset it. If your MFA token (whether physical or digital) can't be used, you are usually given recovery codes, which I then save in my password manager.

    Some sites are a PITA to recover from MFA. Like LinkedIn for example I had
    to scan my driver's license & send it to them to get my account back. Years later they had a data breach, so I feel super good about that decision...


    Jay

    --- Mystic BBS v1.12 A46 2020/08/26 (Raspberry Pi/32)
    * Origin: Northern Realms (618:500/23)
  • From Sean Dennis@618:618/1 to Warpslide on Thu Jun 10 11:25:37 2021
    Warpslide wrote to August Abolins:

    That's where account recovery comes in. If you forget your password you can
    reset it. If your MFA token (whether physical or digital) can't be used, you
    are usually given recovery codes, which I then save in my password
    manager.

    Like Sean, I'd have at least one spare MFA token in a safe place.

    Learned that lesson the hard way.

    Some sites are a PITA to recover from MFA. Like LinkedIn for example I had
    to scan my driver's license & send it to them to get my account back. Years
    later they had a data breach, so I feel super good about that decision...

    I was involved in that data breach at LinkedIn also. :/

    --Sean



    --- MBSE BBS v1.0.7.22 (GNU/Linux-x86_64)
    * Origin: Outpost BBS * Micronet World HQ (618:618/1)
  • From Warpslide@618:500/23 to Sean Dennis on Thu Jun 10 13:38:05 2021
    On 10 Jun 2021, Sean Dennis said the following...

    Like Sean, I'd have at least one spare MFA token in a safe place.
    Learned that lesson the hard way.

    All mine are TOTP & are backed up to the cloud. I learned that lesson the
    hard way as well.

    Typing backup codes all day is not my idea of a fun time.

    I was involved in that data breach at LinkedIn also. :/

    I've been notified I've been part of so many data breaches that I have free credit monitoring from both TransUnion & Equifax for the next ~10 years!

    Came in handy when someone decided to apply for a Wal-Mart MasterCard in my name once a day for 5 days straight.


    Jay

    --- Mystic BBS v1.12 A46 2020/08/26 (Raspberry Pi/32)
    * Origin: Northern Realms (618:500/23)
  • From August Abolins@618:250/1.9 to Warpslide on Thu Jun 10 18:44:00 2021
    Hello Warpslide!

    ** On Thursday 10.06.21 - 09:25, you wrote to me:

    I bought a stainless steel wallet which I actually quite
    liked. It was supposed to block RFID signals as well, but
    I never tested it. The problem was the corners were kind
    of sharp and scratched the hell out of the screen on my
    phone!

    I've seen people with hard cases for their credit cards. Some
    have sharper edges than others. And I wouldn't want to remember
    to carry *two* containers: one for my money and another for the
    cards.

    Yes.. the keyless ignition fobs emit a signal constantly..

    It's just a CR2032 battery, which Ford says *should* last 3
    to 4 years. The other half has a Honda civic & had to
    replace the battery after 2 years.

    I just replaced the battery for the rav4 fob about 3 years ago.
    That makes it 10 years! But I just have the regular fob, not
    keyless.

    The FOB just has to be inside the cabin, there isn't
    anywhere to insert it. Mostly for me it's either in my
    pocket or I throw it in the cup holder.

    That can seem convenient, when you just have to be near the
    vehicle and you can just start it without actually putting the
    keys into the ignition. But I still see a security problem
    with that. Say, you've started the car, and sitting idle, the
    key is on your person, a hacker can monitor the constant
    signalling that key/car are having.

    And the FOB needs to be in the cabin the entire time you're
    driving, otherwise the car will just come to a stop. So I
    don't know if it constantly broadcasts or just beacons from
    time-to-time.

    Beacon makes the most sense, otherwise the battery would drain
    much faster.

    That *is* interesting. So.. if the lid is tightly closed, but
    unlatched, then some signal still leaks?

    Another thing I read was people keeping their keys in the
    microwave. I put my keys in there and I was still able to
    communicate with my bluetooth tracker. So either I have a
    really crappy microwave that leaks radiation or that
    faraday cage only blocks microwaves & not bluetooth?

    I think microwave is exactly 2.45Mhz. Whereas, bluetooth is
    anywhere between 2.4Mhz to 2.48Mhz (?)

    Their best bet is a completely foil-lined container.

    "The new system uses a sleep mode that sends the fob to
    sleep if it remains motionless for 40 seconds and wakes it
    up once it detects movement and is within 6.5m of the car."

    But even the sleeping part and the motion detection part need
    some battery juice to operate. So, maybe the sleep mode is
    more like a beacon thing with an extended gap time?

    So it sounds like I may not need the faraday box for when
    I'm home, though I'll use it anyway.

    I doubt that the 6.5m is precise. Those figures often have a
    margin of error.

    As for walking about, it sounds like the FOB sleeps until
    it's within range of the car, so walking around the grocery
    store should be safe. There are also faraday pouches you
    can buy, but I doubt I'll go that far.

    Oh.. so the danger-zone (the time and space in which a hacker
    would operate) is only when the fob and the car are in close
    proximity? Still, parking lots sound like fertile ground where
    hackers with the radios can operate as there would be plenty of
    people close to their vehicles.





    --
    ../|ug

    --- OpenXP 5.0.50
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From Arelor@618:250/24 to August Abolins on Thu Jun 10 18:14:23 2021
    Re: front door & grab your keys
    By: August Abolins to Warpslide on Thu Jun 10 2021 06:44 pm


    I've seen people with hard cases for their credit cards. Some
    have sharper edges than others. And I wouldn't want to remember
    to carry *two* containers: one for my money and another for the
    cards.


    I am one of those guys, I guess.

    I always carry my stuff in a small bag with pockets, anyway, and LOTS of keys. I have so many keys and keyrings that my problem is how to carry them without compromising the phone's screen... the bag allows me to put the keyrings in different pockets than the things that could get scratched. Same goes for the faraday card case.

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.14-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From thecivvie@618:500/14 to Sean Dennis on Sat Jun 12 16:35:14 2021
    Sean Dennis wrote to thecivvie <=-

    thecivvie wrote to Sean Dennis:

    I had one backup before and dropped the macbook air which landed on the
    key and made bits of it. Thankfully the spare allowed me in and also able to reset when I added 2 keys as spare. Macbook was saved by the Yubico key literally :)

    That's what I'm talking about. I'd even keep a Yubikey in my safe just
    in case.

    My keys are in the rack with the keys in a secure place. Well 2 keys, the third is elsewhere

    TC


    ... tcob1: telnet and http tcob1.duckdns.org

    --- BBBS/Li6 v4.10 Toy-5
    * Origin: TCOB1 at tcob1.duckdns.org BinkP (618:500/14)
  • From August Abolins@618:250/1.9 to Arelor on Sun Jun 13 20:52:00 2021
    Hello Arelor!

    ** On Thursday 10.06.21 - 18:14, Arelor wrote to August Abolins:

    I always carry my stuff in a small bag with pockets, anyway,
    and LOTS of keys. I have so many keys and keyrings that my
    problem is how to carry them without compromising the
    phone's screen... the bag allows me to put the keyrings in
    different pockets than the things that could get scratched.
    Same goes for the faraday card case.

    Well.. you are a very important person between operating a drug
    dispensary and assisting in an IT department.

    Myself.. I can easily misplace a thumbdrive from one coat
    pocket to the next. Keys are relatively simple (everything is
    on one ring), but one particular spare shop key is stand-alone.

    Typically it is meant to stay in the key slot on the INSIDE
    when I lock up. But sometimes that darn key ends up travelling
    home with me, and then I promptly forget to bring it with me
    when I go to the shop!

    I also have an iPod that I would use for making calendar
    reminders and check the time, but that device too sometimes
    ends up forgotten at home or forgotten at the shop!

    Now.. the Blackberry is a bit different. It's my mobile data
    device. I can leave it at home 'cuz I don't really need it
    when travelling. But I got a nice belt-clip pouch for it so
    that it gets a little protection from scratches and can easily
    travel with me if necessary. But I dare not detach that device
    from my belt or it may end up forgotten! :/

    --
    ../|ug

    --- OpenXP 5.0.50
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From August Abolins@618:250/1.9 to Warpslide on Sun Jun 13 21:04:00 2021
    Hello Warpslide!

    ** On Thursday 10.06.21 - 10:41, Warpslide wrote to August Abolins:

    I've used a password manager for several years & have
    accumulated just over 400 items in mine.

    [...]

    Other things are more important like my Gmail account. For
    most of my accounts I don't know my password. I've used my
    password manager to generate the password and it's stored
    in there.

    The system generated ones are the worst. I'll let the browser
    save those, but some I would promptly replace with my own
    formula. At first I wasn't sure if I could stick with the
    formula so as to be able to recreate the passwords I needed,
    but the more I started doing it the easier it became.

    I don't even bother remembering my PIN for my cards. I simply
    picked a PATTERN and SEQUENCE that made sense to me and made
    that whatever number it came to.


    Some sites are a PITA to recover from MFA. Like Linkedin
    for example I had to scan my driver's license & sent it to
    them to get my account back. Years later they had a data
    breach, so I feel super good about that decision...

    I never bothered fulfilling my account details on Linkedin. I
    registered an account not long after they launched. The
    benefits of like-minded community sounded appealing, but it
    wasn't long until I started getting unknown people wanting me
    to add them. That constant barrage of maintenance frustrated
    me. It just started to feel like another FB. I was already on
    another kind of community with the IEEE anyway (@ieee.org).
    That, and IEEE's roster of members was good enough. But I
    found that professional people like myself rarely bothered with
    the social media stuff.

    Regarding the copy of your driver's license and the subsequent
    data breach.. ouch.
    --
    ../|ug

    --- OpenXP 5.0.50
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From Arelor@618:250/24 to August Abolins on Mon Jun 14 03:08:08 2021
    Re: front door & grab your keys
    By: August Abolins to Arelor on Sun Jun 13 2021 08:52 pm

    Hello Arelor!

    ** On Thursday 10.06.21 - 18:14, Arelor wrote to August Abolins:

    I always carry my stuff in a small bag with pockets, anyway,
    and LOTS of keys. I have so many keys and keyrings that my
    problem is how to carry them without compromising the
    phone's screen... the bag allows me to put the keyrings in
    different pockets than the things that could get scratched.
    Same goes for the faraday card case.

    Well.. you are a very important person between operating a drug
    dispensary and assisting in an IT department.

    Myself.. I can easily misplace a thumbdrive from one coat
    pocket to the next. Keys are relatively simple (everything is
    on one ring), but one particular spare shop key is stand-alone.

    Typically it is meant to stay in the key slot on the INSIDE
    when I lock up. But sometimes that darn key ends up travelling
    home with me, and then I promptly forget to bring it with me
    when I go to the shop!

    I also have an iPod that I would use for making calendar
    reminders and check the time, but that device too sometimes
    ends up forgotten at home or forgotten at the shop!

    Now.. the Blackberry is a bit different. It's my mobile data
    device. I can leave it at home 'cuz I don't really need it
    when travelling. But I got a nice belt-clip pouch for it so
    that it gets a little protection from scratches and can easily
    travel with me if necessary. But I dare not detach that device
    from my belt or it may end up forgotten! :/

    --
    ../|ug

    I solved the problem of leaving keys every here and there by adopting a simple policy:

    *EVERYTHING* is put in the bag, so when I take the bag with me, I am guaranteed I carry *EVERYTHING* with me. That means keys, the wallet, more keys, the phones, and more keys.

    That way you don't pick the bag believing you have some set of keys in it, only to discover you forgot that particular set on your bed.

    And, for the record, there are backups of the keys :-)


    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.14-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From August Abolins@618:510/1.1 to Arelor on Mon Jun 28 20:43:00 2021
    Hello Arelor!

    ** On Monday 14.06.21 - 03:08, Arelor wrote to August Abolins:

    I solved the problem of leaving keys every here and there
    by adopting a simple policy:

    *EVERYTHING* is put in the bag, so when I take the bag with
    me, I am guaranteed I carry *EVERYTHING* with me. That
    means keys, the wallet, more keys, the phones, and more
    keys.

    Ah... When men use a purse, it's called a bag! :D


    That way you don't pick the bag believing you have some
    set of keys in it, only to discover you forgot that
    particular set on your bed.

    And, for the record, there are backups of the keys :-)

    I have a spare shop key INSIDE the shop! I just realized that
    doesn't do me any good if I don't have it with me. LOL

    But the main one is on my main keychain: house, car, shop,
    mailbox. Which means.. if I can drive, then I have all the
    keys I need with me.

    But I still forget the damn phone and some usb sticks that I
    use when I "take" work home with me.

    --
    ../|ug

    --- OpenXP 5.0.50
    * Origin: my little micronet point (618:510/1.1)
  • From Arelor@618:250/24 to August Abolins on Tue Jun 29 03:22:59 2021
    Re: front door & grab your keys
    By: August Abolins to Arelor on Mon Jun 28 2021 08:43 pm

    *EVERYTHING* is put in the bag, so when I take the bag with
    me, I am guaranteed I carry *EVERYTHING* with me. That
    means keys, the wallet, more keys, the phones, and more
    keys.

    Ah... When men use a purse, it's called a bag! :D

    Actually, it is called "horse toy".

    My favorite mare wanted to play with it so hard yesterday. It broke my heart to tell her that was forbidden. She didn't take it very well and was in a sad mood for a couple of minutes until I invited her to partake in a brutal horse hug.

    The way she started grooming me with her teeth felt somehow desperate, grooming and breathing harder like an angry buffalo. I think she thought that me forbidding her from playing with my bag meant I didn't love her anymore or something.

    Good news is that she was happy again after a quarter of an hour of rubs.


    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.14-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)