Comments for ITSec Packets

Comment on WebGoat by Eric

Eric — Wed, 13 Aug 2008 19:29:58 +0000

Another alternate to the sanitization of the parameters would be to use parameterized queries. By using them, you don’t have to deal with what might be allowable and what isn’t.

And even better, if you were using one of the big databases, you would just use stored procedures.

Comment on My Yubikey implementation by legind

legind — Mon, 28 Jul 2008 19:56:04 +0000

A great post, this has been very helpful in my implementation of the yubikey PHP class. I do have a bit of a correction, however. The yubikey, to my understanding, uses symmetric shared-key encryption, rather than using the asymmetric public/private key model. This is still secure, because there is nothing you can do to induce your yubikey to spit out the key, which is only shared under lock-and-key over at the yubico server side. Yubico has opted for symmetric encryption because of simplicity - as explained in this post: http://forum.yubico.com/viewtopic.php?f=6&t=21 As Steve Gibson notes in episode 154 of Security Now, the computation power of the yubikey would have to be much greater in order to get asymmetrically encrypted text out of it, which isn’t really feasible.

Comment on The beauty of asymetric key encryption by ITSec Packets | My Yubikey implementation

ITSec Packets | My Yubikey implementation — Fri, 25 Jul 2008 18:22:03 +0000

[...] how does the Yubikey work? We talked about asymmetric encryption in a prior post. Each Yubikey contains a unique private key that encrypts some data, turning it [...]

Comment on My Yubikey implementation by Paul Simon

Paul Simon — Thu, 10 Jul 2008 06:13:26 +0000

Very cool, I’m also planning to use Yubikey as a voting mechanism on my rating site. I heard the price will come down as the production volume grows up quickly.

Comment on Perfect Paper Passwords by P

Fri, 04 Jul 2008 15:39:07 +0000

This is not a very good solution. What if you leave the card on the table for a few minutes and some scans or photocopies the card. They can steal your 2FA device for life !

Comment on RSA 2008 and Yubikey by admin

admin — Wed, 18 Jun 2008 18:49:00 +0000

Kieran - What don’t you believe ?

Comment on RSA 2008 and Yubikey by Kieran

Kieran — Tue, 17 Jun 2008 13:58:07 +0000

Kieran…

Intriguing idea, but I don’t know if I believe you one hundred percent….

Comment on RSA 2008 and Yubikey by ITSec Packets | My Yubikey implementation

ITSec Packets | My Yubikey implementation — Mon, 16 Jun 2008 16:59:21 +0000

[...] we’re going to continue our discussion on the Yubikey from Yubico. I received mine in the mail a few weeks ago and had the opportunity to play around with [...]

Comment on My Yubikey implementation by ITSec Packets | RSA 2008 and Yubikey

ITSec Packets | RSA 2008 and Yubikey — Fri, 06 Jun 2008 00:11:13 +0000

[...] post on my Yubico [...]

Comment on .htaccess file by ITSec Packets | RSA 2008 and Yubikey

ITSec Packets | RSA 2008 and Yubikey — Fri, 02 May 2008 16:55:38 +0000

[...] than to implement it. We talked about securing my blog’s “Admin panel” in a previous post. I have username/password and for a 2nd factor authentication I can use the yubikey. I sent the [...]