Ordered my first YubiKey, YAY!
Can't wait until this thing arrives 😊

What's that?

@PrivateGER Always find it hard to explain so hereby: https://en.m.wikipedia.org/wiki/...

@linuxxx Oh that sounds cool

That's pretty cool. I need to look into one of those

@Zennoe Wasn't but I ordered version 4 which doesn't seem to be affected. Thanks for letting me know!

"Yubico has replaced all open-source components in YubiKey 4 with closed-source code, which can no longer be independently reviewed for security flaws."

What has happened to you 😵

@Forside oh my god

i have one too, my private gpg key is on it.

@Forside Source? If true, I'm seriously cancelling the order 😓

@linuxxx The Wikipedia page you linked. "Security-concerns YubiKey 4 (closed-source code)" section

Oh shit

Any open-source alts?

@Forside I fucking missed that part, thanks, I just sent a message with the request to cancel my order!
Let's hope that they have open versions...

@gitpull I think it's just version 4, does anyone have more info on this?

You may try this Neo version.

@Forside Is that one open for sure?

there is an open alternative: https://nitrokey.com

@linuxxx I don't know, but it's stated so in the same paragraph.
"Yubikey NEOs are still using open-source code."

@Forside Yup I see it, I'll be ordering a Neo then, thanks!

just make sure it is from a newer batch. the old ones have a serious infineon bug.
https://internetsociety.org/blog/...

Haha, but is only works with chrome with webbased applications?

firefox has an integration to, but it needs to be activated.

Isn't closed source code better when it comes to security flaws? I don't understand this forum...I really don't. I don't want everyone having access to the software I use, especially security software... Yikes. @Forside

Really looks amazing, when I cam justify paying a little less to my debt, I'll get one for sure, and to my GF as well!

@intromatt it's kind of like that, I would say.
If it is open source, you can modify the program with your desires.
If it's close source, you still can, but it will take damn long to modify it. It's so hard.
This is my perspective on how I see it, when it comes to modifying it.

On the security aspect, it's ... hmmm... I'll let the others speak

I don't want to modify my security software or OS. I don't want everyone having source code access to the software (especially security) I use. Yikes, again. @gitpull

📌

@intromatt
I think you misunderstand what open source means.

Open source doesn't mean someone can modify the code you're running -- that's called an exploit. Open source means you can read the source so you know exactly what it's doing, and it allows you to verify the security. (Being able to read the code responsible for encryption, etc. doesn't mean someone can immediately break it -- and if that's the case, that means the "security" is extremely shoddy. Look at Signal and TutaNota -- both are open source and still secure.)

By contrast, closed source means you can't do these things. The code could very well record everything you do and send it to Microsoft -- you wouldn't ever know. It also could have shoddy or intentionally-breakable encryption. Again, you would never know. To use these, you have to trust that someone else is doing everything they can, and correctly, to safeguard your data -- despite there being a very profitable incentive to sell it instead.

So, you have to trust that someone else's code is high quality, with very sound and well-thought-out security, and that they didn't out in a back door or are otherwise selling your data -- and aren't lying about not doing any of these.

This is why open source is absolutely preferable in all circumstances.

@intromatt Arguments saying closed systems are more secure because you cannot find exploits as easily... Here's an example of why that's simply not true:

Intel's Intel Management Engine is a complete black box -- even its existence and I/O were basically a mystery -- yet people still found and exploited flaws in it. That's particularly terrifying because the IME has complete and unfettered access to absolutely everything. Completely undocumented and still exploited.

Security through obscurity is not security at all.

You got so much money huh?

@Root Nice explanation! Can I show that one to my „web application security teacher“ because he is a closed source fanboy uses md5 for hashing (in 2018) and in a right or wrong task in an exam he corrected my answer to „security by obscurity is a valid protection“ (or sth like that) from wrong to right...

@Linuxxx nice I have looked into it before but will certainly take a closer look now (was too expensive back then)

@needToRoll Sure! though I'm positive there are better sources out there 😊

Won a yubi key years ago. Never found use for it. It's useless for anything security related, because
1. You don't have backups. If you lose or break it, you're fucked
2. People can take it from you and access your stuff. I.e. You're fucked

Use a key safe with a long secure password instead (e.g. a sentence) and keep a backup of the file on a second disk. Problem solved

I am sure there are plenty of examples but, again, I wouldn't trust open source software for my security needs, ever. Much rather have Apple (maybe a bad example) or Microsoft or Cisco or Google engineers working on my software than a bunch of people on stack overflow analyzing the code for exploits. @Root

I agree, these keys are a pain and really have no use unless in some very specific cases.

Never reuse passwords, use a password manager (get it to make up passwords for yiu) set up a PIN on your login screen and use 2 factor EVERYWHERE you can. @Huuugo

@intromatt lol. stackoverflow.

But sure, some people from stackoverflow contribute to open source projects. Anyone can, and their additions may even get merged if the code is sound enough.

But guess who else does? Microsoft, Google, Facebook, etc.; all of the big name companies contribute to open source, and all OS's use open source projects for anything from sound to encryption ciphers.

You seriously need to do at lest some research before talking about this.

@intromatt (@Root) fun thing is that I've worked (including internships) at multiple companies where they use combo's of all systems. One thing they all had in common: they solely use open source software when it comes to (high) security subjects like firewalls and servers.

In all cases:
Me: I agree with this but as for you (company/sysadmins), why only open source software for security critical systems?
Them: because it's publicly verifiable and hard to backdoor without it getting known fast.

The most painful example was (imo) the flaws in the closed source juniper firewalls (used around the world) which were known by the NSA which had a working exploit but they only found out years later after the shadowbrokers hacked an NSA contractor and found that exploit.

Open source solves that problem.

Closed source, mostly needs Google Chrome

@linuxxx Build one your own. It’s not too hard. I’m planning to do that and sell them on amazon for +-10$. Btw will open source the software

@intromatt So you'd never use Linux ever in your life?

I use it everyday. In fact it's on 5 of my little computers I have running around in my loft.

Raspberry Pi projects galore. Plus I love Android. @aaxa

@intromatt But you're saying that you won't trust open source software for your security needs.
Does that mean you have no need for your OS's or kernel to be secure?

Yes, I wouldn't trust open source software for my security needs. @aaxa

@intromatt But Linux is open source...

@aaxa I'm assuming they mean security needs suck as this product, a password manager, and so on. Not necessarily meaning the OS.

@jhh2450 Open source will always stay more secure.

Except the opposite is true. You may want to Google "open source". @PrivateGER

@intromatt Open Source simply means there are more eyes on the code, development will be faster, Bugs can be fixed AND most importantly ISSUES WILL BE FOUND QUICKLY! Proprietary code security issues can be EXTREMELY serious! Why do you think Shellshock was patched quickly? It would probably taken forever to find!
Security through obfusucation is no security!
People looking at Code =/= Insecure
Watched Code === More secure code

Opposite. I don't want a million neckbeards looking at the code of my OS or security software. If you think FOSS is more secure than its commercial counterparts, you're dilusional. @PrivateGER

@intromatt Sorry, but are you stupid? DId you read my comment?

@intromatt If the code is so shitty that people cannot look at it, you shouldnt use it.

Right, that's why I don't use FOSS, I can afford to buy the real useable stuff that %80 of the world's population uses. . @PrivateGER

@intromatt Thats a bullshit statement and you know that. Using something because everyone uses it doesnt make it good. Just look at the shit called Snapchat.

@intromatt You're contradicting yourself. Linux is open source, and you say you use it every day, but you don't want open source software for your OS? I don't get it...

@intromatt You don't use FOSS but you use linux......?

@intromatt Well the second you can prove to me that a proprietary security program/OS is more secure than an open source one by showing me the code (how on earth could you prove that without seeing the code...), gimme a shout!

So yeah just hit me up when you get the source code of one of tho..... Oh right, you can't because they're closed source 😄

Yes, on my Pis, I don't have another choice for the projects I work on. Raspian is essentially the only properly supported OS on the platform....for now. @aaxa

@intromatt So let's say that there's a company working on a proprietary security project in a country where companies are legally required to build in certain capabilities at govt request (looking at you, UK/US). They use strong crypto and run the software past the govt before launch which tells them to build in a way past the encryption first. They integrate the backdoor because they're legally required to and ship the product. Now you've got products out there containing a government backdoor. How can people verify that its secure and doesn't contain nasty stuff? They can't.

As for crypto code/algo's, luckily, the world biggest/most influential security/crypro experts agree that one should never trust closed source crypto, especially not in an age of mass surveillance.

Going to call in someone as well for this one because fuck it, it's my own rant! @FrodoSwaggins

@linuxxx open source u2f token

https://github.com/conorpp/u2f-zero

@FrodoSwaggins Thanks haha!
@ChainsawBaby 😍

@FrodoSwaggins I still think I'm right.

@intromatt That's fine!

I'd still rather use verifiable software 'products' than ones where I HAVE to rely on the trustworthiness of big companies mostly. Plus, we know that the big companies often are in bed with intelligence agencies (*cough* prism *cough*) so that trust is entirely gone if you ask me.

I'm not saying that closed source software cannot be secure, I'm just saying that I want to be able to verify my shit when wanted/needed and I simply can't do that with proprietary software.

@intromatt Someday you may realize you're missing something, and on that day there will be hope for you again. But not until.

@Root no hope. But I'll continue to be right.

@intromatt I'm just trying to comprehend your way of thinking on this, especially since there are so many huge projects which prove your theory and/or way of thinking wrong (Linux, for one).

Let me ask you a question:

Can you explain your way of thinking on the basis of your answer to this:
Would encrypted communications software/apps/services benefit from being open source? (Keep the UK and Australian laws in mind on this one)

@intromatt Some people are positive the Earth is flat, too, despite overwhelming evidence to the contrary. Don't be one of those people.

@Root I don't believe the earth is flat.

@intromatt You missed the abstract reasoning portion of my comment.

@intromatt The question in my previous comment menetioning you!

@linuxxx Is it some Linux related question? Or something about open source software? Please, I don't wish to answer, I live a good life now away from this awful crap. I was doing Linux sysadmin stuff for 2 decades, it turned me into an alcoholic. No, please....just NO! NO!