Linux Foundation Pushes Two-Factor Authentication For Git

  • Linux Foundation Pushes Two-Factor Authentication For Git

    Phoronix: Linux Foundation Pushes Two-Factor Authentication For Git

    The Linux Foundation is pushing for two-factor authentication for Kernel.org Git repositories...

    http://www.phoronix.com/vr.php?view=MTc2NjQ

  • #2
    Half the Internet is scared out of their minds over USB being the most evil device standard ever invented, and here we have people who want to make the world more secure with a USB device.

    • #3
      Well, hopefully nobody at FedEx knows about BadUSB.

      • #4
        Originally posted by sdack:
        Half the Internet is scared out of their minds over USB being the most evil device standard ever invented, and here we have people who want to make the world more secure with a USB device.
        In this case, they seem to be safe USB devices.

        • #5
          BadUSB requires attacker to predict which drive you will get

          Originally posted by computerquip:
          Well, hopefully nobody at FedEx knows about BadUSB.
          This is indeed a good reason not to plug anything which has been sent to you by mail or special-ordered on your behalf into a USB port if you have reason to believe the government in your country regards you as an enemy. On the other hand, if these USB keys were picked up in person they would be safe unless the entire Linux Foundation was corrupted in some way, in which case we've got bigger problems and possibly could not trust any of our software. If the keys must be mailed they should be packed in such a way as to prevent any kind of inspection from determining that a USB device is inside the box. Packing in a lot of electronic junk would confuse any X-ray inspection picture.

          Still, BadUSB is a software level attack, even if it comes from malicious firmware. What it can do according to what I just read is effectively the same as what an attacker able to spoof your wireless keyboard could do (I do not use wireless keyboards!). There is also the fact that a malicious vendor, limited to making BadUSB run commands by emulating a keyboard, would quite likely program in a sequence that is only valid in MS Windows, and in Linux has an extra problem: the attacker cannot guess your root or sudo passphrase in advance. Dictionary attacks would be severely slowed by the usual sudo/su delays on a bad passphrase. I would worry more about someone finding a way to attack firmware on another device by firmware on USB3, which I just read has DMA capability. That means the ability to attack firmware as well, as I will describe below.

          There have been proof of concept attacks on specific network cards where they were reprogrammed to reflash a BIOS, and with the device on the network it would be possible to read the BIOS first to know exactly what to reflash it with. This is especially ugly because it is a remote attack and since these are Ethernet cards often hooked to a landline carrier a targeted attack on a chosen target is possible. This is one of many reasons to always use a router, so any attacker has to hack the router first just to see your network card.

          The exact same principle is used openly when using a "bus pirate" to reflash a motherboard which was bricked by a failed BIOS update or is suspected of having been flashed with a malicious BIOS. Requirements of such a device are DMA access and a small microprocessor on the board that can act as the CPU for the purpose of writing to the BIOS/UEFI flash. The Bus Pirate runs the board without the board even having to POST, and can write to any flash on the board if its hardware address is known. Thus, it can reflash a corrupted or malicious BIOS and does not even require that the CPU be present on the board to work. That gives it yet another use: dealing with a motherboard that does not support your only CPU for it but can with a BIOS/UEFI update. In fact, if I had to order motherboards through the mail, I would acquire and use a Bus Pirate to reflash every one of them with a known good BIOS/UEFI/Coreboot image before ever trusting them. This may be the only way to recover from an external firmware attack, whether it comes from the NSA intercepting your package or the black hat who shares your dorm writing a new USB3 attackware to target your motherboard.

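The keystroke-injection variant of BadUSB discussed in the post above (a storage stick whose firmware also enumerates as a keyboard) leaves a trace in the kernel log: the same USB port path registers both a usb-storage interface and an input device. What follows is an added example, not code from the forum thread or from the Linux Foundation. It parses constructed dmesg-style lines (the port paths, vendor/product IDs and product names are made up for the example) and flags any single device that exposes both interface types. It assumes the log lines follow the usual `usb ...: New USB device found`, `usb-storage ...: USB Mass Storage device detected` and `input: ... as /devices/...` kernel message shapes, with the interface appearing in the sysfs path as `<port>:<config>.<interface>`.

```python
import re

# Constructed dmesg-style lines (not a real capture; IDs and names are made up).
# Three devices hang off hub port 1-1:
#   1-1.1  a plain flash drive (mass storage only)        -> benign
#   1-1.3  a plain keyboard (input only)                  -> benign
#   1-1.2  a "flash drive" that also registers a keyboard -> BadUSB-style
SAMPLE_DMESG = """\
[  120.101] usb 1-1.1: New USB device found, idVendor=1234, idProduct=0001
[  120.102] usb 1-1.1: Product: Example Flash Drive
[  120.110] usb-storage 1-1.1:1.0: USB Mass Storage device detected
[  121.201] usb 1-1.3: New USB device found, idVendor=1234, idProduct=0002
[  121.202] usb 1-1.3: Product: Example Keyboard
[  121.210] input: Example Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.3/1-1.3:1.0/0003:1234:0002.0003/input/input11
[  122.301] usb 1-1.2: New USB device found, idVendor=1234, idProduct=0003
[  122.302] usb 1-1.2: Product: Example Flash Drive
[  122.310] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[  122.320] input: Example Flash Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.2/1-1.2:1.1/0003:1234:0003.0004/input/input12
"""

# "usb <port>: New USB device found, idVendor=xxxx, idProduct=xxxx"
NEW_DEV_RE = re.compile(
    r"usb (\d+-[\d.]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
# "usb-storage <port>:<config>.<interface>: USB Mass Storage device detected"
STORAGE_RE = re.compile(r"usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
# "input: <name> as /devices/.../<port>:<config>.<interface>/.../input/inputN"
INPUT_RE = re.compile(r"input: (.+?) as (/devices/\S+)")
IFACE_IN_PATH_RE = re.compile(r"/(\d+-[\d.]+):\d+\.\d+/")


def parse_usb_log(text):
    """Return {port: {"id": "vvvv:pppp", "classes": set(...)}} from kernel log lines.

    Devices are keyed by USB port path (e.g. "1-1.2"), the one identifier that
    is shared by the enumeration, storage and input messages.
    """
    devices = {}
    for line in text.splitlines():
        m = NEW_DEV_RE.search(line)
        if m:
            port, vid, pid = m.groups()
            devices[port] = {"id": f"{vid}:{pid}", "classes": set()}
            continue
        m = STORAGE_RE.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["classes"].add("storage")
            continue
        m = INPUT_RE.search(line)
        if m:
            # The sysfs path names the interface the input device sits on; its
            # "<port>:<config>.<interface>" segment ties it back to the device.
            p = IFACE_IN_PATH_RE.search(m.group(2))
            if p and p.group(1) in devices:
                devices[p.group(1)]["classes"].add("input")
    return devices


def find_storage_with_input(devices, allow_ids=()):
    """Ports whose device exposes both mass storage and an input (HID) interface.

    allow_ids: vendor:product IDs known to be legitimate composites (for
    example a keyboard with a built-in card reader); these are not reported.
    """
    return {
        port: info
        for port, info in devices.items()
        if {"storage", "input"} <= info["classes"] and info["id"] not in allow_ids
    }


if __name__ == "__main__":
    devs = parse_usb_log(SAMPLE_DMESG)
    for port, info in find_storage_with_input(devs).items():
        print(f"suspicious: port {port} id {info['id']} registers {sorted(info['classes'])}")
```

A hit is a prompt for a manual check rather than proof: some legitimate composite devices register the same pair of interfaces, which is what the allow-list keyed on vendor:product ID is for. Run the check continuously rather than once at plug-in, since reprogrammed firmware can bring up the keyboard interface well after the storage interface is already mounted.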
          • #6
            Originally posted by sdack:
            Half the Internet is scared out of their minds over USB being the most evil device standard ever invented, and here we have people who want to make the world more secure with a USB device.
            lolz. Well, to be fair, USB [and older standards] have [almost] always been used for security purposes, software protection and encryption/data protection.

            http://en.wikipedia.org/wiki/Software_protection_dongle
            http://www.ironkey.com/en-US/
            http://www.kingston.com/en/usb/encrypted_security

            there are many more, just a couple examples.

            Maybe, that half of the internet should stop using USB and use PS/2 ports, instead.

            • #7
              Originally posted by matthewdavis:
              In this case, they seem to be safe USB devices.
              I assume you mean well, but the article you are linking to is rather awful and can only give comfort to the naive and uninformed. It makes many assumptions and offers no proof, simply because it cannot give any. It is a bit like saying "developers have stopped using the C function gets(), because it has been known to be insecure for decades and so there is no further risk coming from this function". But as long as the function exists and is being used in even a single program, it still poses a risk, and there is nothing stopping anyone from putting it into their code, either by choice or by accident. Nor will the function disappear from old code because of it.

              It is such uncertainties that black hatters are looking for. They do not look for an open door that is guaranteed to be open 99.8% of the time. They look for the needle in the haystack. And USB has now been pointed out to be a very big haystack. So what are the chances of finding needles in it?

              The article should rather warn about a likely increase in attacks via USB, because now that everyone knows about it, it will receive more traction.

              • #8
                Originally posted by ninez:
                Maybe, that half of the internet should stop using USB and use PS/2 ports, instead.
                It's also faster, uses less power, and uses less CPU to use PS/2 over USB.

                ps/2 does interrupts, while usb is polled.

                • #9
                  Originally posted by sdack:
                  I assume you mean well, but the article you are linking to is rather awful and can only give comfort to the naive and uninformed. It makes many assumptions and offers no proof, simply because it cannot give any. It is a bit like saying "developers have stopped using the C function gets(), because it has been known to be insecure for decades and so there is no further risk coming from this function". But as long as the function exists and is being used in even a single program, it still poses a risk, and there is nothing stopping anyone from putting it into their code, either by choice or by accident. Nor will the function disappear from old code because of it.

                  It is such uncertainties that black hatters are looking for. They do not look for an open door that is guaranteed to be open 99.8% of the time. They look for the needle in the haystack. And USB has now been pointed out to be a very big haystack. So what are the chances of finding needles in it?

                  The article should rather warn about a likely increase in attacks via USB, because now that everyone knows about it, it will receive more traction.
                  Edit:
                  I have read through the article again and must say that I would not buy any of their products. The guy is being ridiculous. Anyone who talks like him should not be in the security business:

                  Many low-end USB devices do not ...
                  To perform DFU, often some active (and usually quite awkward) sequence has to be ...
                  An attack of this kind ... requires extensive knowledge ...
                  Many low-end USB devices have ...


                  "Many" is not the same as "all", "often" is not the same as "always", and the required "extensive knowledge" has been demonstrated to exist.

                  This is not just some guy, it is their CTO who talks like this.
                  Last edited by sdack; 08-19-2014, 04:52 AM.

                  • #10
                    Originally posted by curaga:
                    It's also faster, uses less power, and uses less CPU to use PS/2 over USB.

                    ps/2 does interrupts, while usb is polled.
                    If it's so much better, how come new keyboards have better specs and better responsiveness and support more keys and lower latency while using USB?
