Good morning, Josh,
On Tue, 19 Oct 2010, Josh Sled wrote:
William Stearns <[email protected]> writes:
I'll place an order before the end of October to get them here
before November meetings.
As a quick note (and more complete and formal notice will be
forthcoming): the November VAGUE meeting will be on Wednesday, November
10th.
Perfect - they'll be in before then.
This OTP device looks like an even smaller version of a thumb
drive, and also plugs into a USB port. When you press the sole button
on the top it acts like a USB keyboard and spits out a single-use 44
Why couldn't this be provided by free software on my phone?
Of course, a $30 keychain token is much less expensive than a
new smartphone plus the required cell phone and data plans,
but we're converging that way anyways?
It can!
I'm always a fan of fewer devices doing more tasks, and there's
certainly OTP software available for multiple platforms and the iPhone
(App Store/mOTP; not tried it yet).
A decade of teaching for a security training firm has drilled,
among other concepts, the idea that security devices should be _isolated_.
Separate physical systems, separate VM's, separate network segments, few
or no services to access them, etc. In this case, the Yubikey gives that
isolation quite handily.
The AES key it holds _can't_ come out of the key. At all. Ever.
I can load a new one into it with some customization software, but it's
never coming out.
Cheers,
- Bill
---------------------------------------------------------------------------
"I give up, how DO you keep a mathematician busy for 350 years?"
-- Pierre de Fermat's friend
(Courtesy of Tim Connors <[email protected]>)
--------------------------------------------------------------------------
William Stearns ([email protected], tools and papers: www.stearns.org)
Top-notch computer security training at www.sans.org , www.giac.net
--------------------------------------------------------------------------
