----- Original Message -----
> > This OTP device looks like an even smaller version of a thumb
> > drive, and also plugs into a USB port. When you press the sole
> > button
> > on the top it acts like a USB keyboard and spits out a single-use 44
> Why couldn't this be provided by free software on my phone?

I keep trying to determine whether "convenience" and "device ubiquity" trump the larger attack surface of phone-based "soft token" and "callback" authentication schemes. Note that I'm not claiming that dedicated security devices are impenetrable; we're talking a matter of degrees, here.

You've gotta admit, though: modern phones are complex, run more-or-less complete OSes, and are constantly connected to a potentially-hostile WAN. And then there are those that opportunistically connect to available open WiFi...

Rik Farrow had a great video showing himself doing stuff to a jailbroken iPhone that made my skin crawl. (In a giddy way, of course, but it was creepy AND crawly, nonetheless.) The finks at FastCompany have since taken it down, but the original article[1] and his follow-up[2] are still available.

Cheers,

-sth

[1] http://www.fastcompany.com/articles/2007/11/hacking-the-iphone.html
[2] http://rikfarrow.com/iphone-take-2.html

sam hooker|[email protected]|http://www.noiseplant.com
SOR SUP NO SCRIP LI POTI TE ER RUM TOR BRI ATUR MOR INF NO RAP LI MORI
