rjk
June 27, 2012, 08:10:03 PM
It's not volume-related, and being "old school" has nothing to do with it either. Free Yubikeys are given to people who had a transaction rolled back back when prices dropped to $0.01
You, sir, are a bullshitter. Read the post date - August 2011. It was true then, although it may be unrelated now. It's a shame that they have to give them away instead of people being smart enough to order them in the first place. They really don't cost much when you buy them, but it does cost mtgox a lot just to give them away en masse.
My understanding was that a MtGox Yubikey was a Yubikey with an AES key put into it by MtGox. Actually, that's two AES keys - one for the short press (logging in), and one for the long press (withdrawing funds).
AES is a symmetric algorithm - in this case, I understand this to mean that MtGox and the key know the same secret number.
That said, I don't understand how a third party can make use of a MtGox Yubikey without knowing that number?
I believe that you can validate against a given authentication server without needing to know the secret.

Soros Shorts
June 27, 2012, 10:13:20 PM
My understanding was that a MtGox Yubikey was a Yubikey with an AES key put into it by MtGox. Actually, that's two AES keys - one for the short press (logging in), and one for the long press (withdrawing funds).
AES is a symmetric algorithm - in this case, I understand this to mean that MtGox and the key know the same secret number.
That said, I don't understand how a third party can make use of a MtGox Yubikey without knowing that number?
I believe that you can validate against a given authentication server without needing to know the secret.
Yes. The same way that you can authenticate a generic Yubikey against the YubiCloud without knowing the private key that is pre-programmed in the 1st slot, you should be able to authenticate a Mt.Gox Yubikey if you have been given access to their authentication server.

P_Shep
June 27, 2012, 10:54:56 PM
I got one too.... Dunno if I'll use it (eggs/basket etc), but it's free

RodeoX
June 27, 2012, 11:38:37 PM
Are we 100% sure this is from Mt.Gox and not a phishing expedition?

RodeoX
June 27, 2012, 11:46:59 PM
Are we 100% sure this is from Mt.Gox and not a phishing expedition?
LoL....yes 100% sure. I didn't click the link in the email, I went to my browser and typed in the address. Logged in and gave my coupon code under buy a yubikey.
Thanks. Just in case I get such an offer.

Seal
June 28, 2012, 07:07:48 AM
I got a free one from Gox too 2-3 months ago. They sent it straight from Japan in some cool Japanese envelopes with a crazy amount of tickboxes on it. (all the customs declarations)

rjk
June 29, 2012, 01:41:38 AM
I got a free one from Gox too 2-3 months ago. They sent it straight from Japan in some cool Japanese envelopes with a crazy amount of tickboxes on it. (all the customs declarations)
I actually paid for mine, and I got 2 in the mail, one had someone else's name lol. Whoops.

niko
June 29, 2012, 09:55:30 PM
Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?
They're there, in their room. Your mining rig is on fire, yet you're very calm.

Grouver (BtcBalance)
July 03, 2012, 11:16:48 AM
Also arrived in Holland. Thanks Mtgox. Though, it's not working for some reason. It's not generating an OTP. =/

rjk
July 03, 2012, 01:01:27 PM
Also arrived in Holland. Thanks Mtgox. Though, it's not working for some reason. It's not generating an OTP. =/
Make sure the USB keyboard driver gets installed when you plug it in. It might take a few seconds to be detected. You can play with it in an instance of a text editor such as notepad. A short press means hold for half a second, you can't just tap it real quick. A long press means hold it for 3.5 sec or so, but if you hold it too long it might not go.

Grouver (BtcBalance)
July 03, 2012, 01:28:49 PM
Also arrived in Holland. Thanks Mtgox. Though, it's not working for some reason. It's not generating an OTP. =/
Make sure the USB keyboard driver gets installed when you plug it in. It might take a few seconds to be detected. You can play with it in an instance of a text editor such as notepad. A short press means hold for half a second, you can't just tap it real quick. A long press means hold it for 3.5 sec or so, but if you hold it too long it might not go.
Where can I find this driver? It's not on the homepage of yubico for instance.

rjk
July 03, 2012, 01:39:07 PM
Also arrived in Holland. Thanks Mtgox. Though, it's not working for some reason. It's not generating an OTP. =/
Make sure the USB keyboard driver gets installed when you plug it in. It might take a few seconds to be detected. You can play with it in an instance of a text editor such as notepad. A short press means hold for half a second, you can't just tap it real quick. A long press means hold it for 3.5 sec or so, but if you hold it too long it might not go.
Where can I find this driver? It's not on the homepage of yubico for instance.
It should install itself as a standard USB keyboard or HID device, there isn't a driver to download.

Grouver (BtcBalance)
July 03, 2012, 01:46:40 PM
Also arrived in Holland. Thanks Mtgox. Though, it's not working for some reason. It's not generating an OTP. =/
Make sure the USB keyboard driver gets installed when you plug it in. It might take a few seconds to be detected. You can play with it in an instance of a text editor such as notepad. A short press means hold for half a second, you can't just tap it real quick. A long press means hold it for 3.5 sec or so, but if you hold it too long it might not go.
Where can I find this driver? It's not on the homepage of yubico for instance.
It should install itself as a standard USB keyboard or HID device, there isn't a driver to download.
That's weird, it's not doing anything when I connect it. Tried multiple USB input ports. Edit: nvm.. it's working now. Weird.

World
July 04, 2012, 09:55:44 AM
wow very fast delivery just 5 days arrived today. Thanks Mtgox.
Supporting people with beautiful creative ideas. Bitcoin is because of the developers,exchanges,merchants,miners,investors,users,machines and blockchain technologies work together.

Justin00
July 04, 2012, 11:50:16 AM
Does it actually protect you from key logger? Mine gets installed as HID device.. I would imagine key logger could see the output? same as a keyboard??
Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?

rate5
July 04, 2012, 12:56:19 PM
Does it actually protect you from key logger? Mine gets installed as HID device.. I would imagine key logger could see the output? same as a keyboard??
Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?
The idea behind it is that each password it generates can only be used one time. Every time you press that button a new password is generated, and as long as the most recent one was used to log into Mt.Gox any old ones will be invalid. Someone will need physical access to your yubikey to log into your account. However if you like to play around with your new yubikey and watch it type random passwords in notepad, an attacker could use one of these passwords to log into your account. Always make sure you log into your Mt.Gox account with the last password generated by your yubikey and do not generate any more yubikey passwords after you log in!

niko
July 04, 2012, 02:54:59 PM
Does it actually protect you from key logger? Mine gets installed as HID device.. I would imagine key logger could see the output? same as a keyboard??
Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?
The idea behind it is that each password it generates can only be used one time. Every time you press that button a new password is generated, and as long as the most recent one was used to log into Mt.Gox any old ones will be invalid. Someone will need physical access to your yubikey to log into your account. However if you like to play around with your new yubikey and watch it type random passwords in notepad, an attacker could use one of these passwords to log into your account. Always make sure you log into your Mt.Gox account with the last password generated by your yubikey and do not generate any more yubikey passwords after you log in!
Good point. On a related note, how much ahead from the last used password does their server try going to match my input? If I use the otp once, log off, then generate a sequence of 15 OTPs offline, will gox keep going 16 times the next time I log in? Or does yubi broadcast a serial number with the OTP?

rjk
July 04, 2012, 03:02:37 PM
Does it actually protect you from key logger? Mine gets installed as HID device.. I would imagine key logger could see the output? same as a keyboard??
Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?
The idea behind it is that each password it generates can only be used one time. Every time you press that button a new password is generated, and as long as the most recent one was used to log into Mt.Gox any old ones will be invalid. Someone will need physical access to your yubikey to log into your account. However if you like to play around with your new yubikey and watch it type random passwords in notepad, an attacker could use one of these passwords to log into your account. Always make sure you log into your Mt.Gox account with the last password generated by your yubikey and do not generate any more yubikey passwords after you log in!
Good point. On a related note, how much ahead from the last used password does their server try going to match my input? If I use the otp once, log off, then generate a sequence of 15 OTPs offline, will gox keep going 16 times the next time I log in? Or does yubi broadcast a serial number with the OTP?
The Yubikey output contains the serial number, an OTP, an incrementing counter, and possibly some other things that I have forgotten. It is not time limited, so you could generate (say) 15 OTPs in a row from an offline computer, and record them on a bit of paper for later use, as long as they were used sequentially. This would work, but it would be tedious to type in every time.

niko
July 04, 2012, 05:39:04 PM
Does it actually protect you from key logger? Mine gets installed as HID device.. I would imagine key logger could see the output? same as a keyboard??
Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?
The idea behind it is that each password it generates can only be used one time. Every time you press that button a new password is generated, and as long as the most recent one was used to log into Mt.Gox any old ones will be invalid. Someone will need physical access to your yubikey to log into your account. However if you like to play around with your new yubikey and watch it type random passwords in notepad, an attacker could use one of these passwords to log into your account. Always make sure you log into your Mt.Gox account with the last password generated by your yubikey and do not generate any more yubikey passwords after you log in!
Good point. On a related note, how much ahead from the last used password does their server try going to match my input? If I use the otp once, log off, then generate a sequence of 15 OTPs offline, will gox keep going 16 times the next time I log in? Or does yubi broadcast a serial number with the OTP?
The Yubikey output contains the serial number, an OTP, an incrementing counter, and possibly some other things that I have forgotten. It is not time limited, so you could generate (say) 15 OTPs in a row from an offline computer, and record them on a bit of paper for later use, as long as they were used sequentially. This would work, but it would be tedious to type in every time.
Got it, the counter. Thanks.

rjk
July 04, 2012, 05:44:36 PM
The Yubikey output contains the serial number, an OTP, an incrementing counter, and possibly some other things that I have forgotten. It is not time limited, so you could generate (say) 15 OTPs in a row from an offline computer, and record them on a bit of paper for later use, as long as they were used sequentially. This would work, but it would be tedious to type in every time.
Got it, the counter. Thanks.
The other thing is that you can skip OTPs if you want to, because of that counter. Therefore, you could generate a bunch of keys, but as soon as you used key #15 from the example above, all the previous ones would become invalid unless you had used them in sequence.
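
Added example, not part of the thread and not MtGox's or Yubico's code: a server-side check for the counter rule discussed above, showing why skipping to OTP #15 invalidates the earlier ones and why an OTP at or below the last accepted counter cannot be replayed. It starts from the already AES-decrypted 16-byte block (Yubico OTP field layout, where the counters sit inside the encrypted part and only the public ID is in the clear); the public ID, private ID and status strings are constructed for illustration.

```python
import hmac
import struct

def crc16(data: bytes) -> int:
    """CRC-16 (ISO 13239) used inside the Yubico OTP block; good residue is 0xF0B8."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def make_block(private_id: bytes, use_ctr: int, session_ctr: int) -> bytes:
    """Constructed plaintext block: uid, useCtr, timestamp (3 bytes), sessionCtr, rnd, crc."""
    body = struct.pack("<6sHHBBH", private_id, use_ctr, 0, 0, session_ctr, 0)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

class Validator:
    """Server side: expected private ID and counter high-water mark per public ID."""
    def __init__(self, private_ids: dict):
        self.private_ids = private_ids  # public ID -> private ID (hypothetical store)
        self.last_seen = {}             # public ID -> (use_ctr, session_ctr)

    def check(self, public_id: str, block: bytes) -> str:
        if len(block) != 16 or crc16(block) != 0xF0B8:
            return "BAD_OTP"            # wrong AES key or corrupted token
        uid, use_ctr, _, _, session_ctr, _, _ = struct.unpack("<6sHHBBHH", block)
        expected = self.private_ids.get(public_id)
        if expected is None or not hmac.compare_digest(expected, uid):
            return "BAD_OTP"
        counter = (use_ctr, session_ctr)
        if counter <= self.last_seen.get(public_id, (-1, -1)):
            return "REPLAYED_OTP"       # at or below the high-water mark
        self.last_seen[public_id] = counter
        return "OK"

def demo() -> dict:
    """Generate 15 OTPs 'offline' (constructed values), then use them out of order."""
    pub, uid = "example-key-1", b"\x01\x02\x03\x04\x05\x06"
    server = Validator({pub: uid})
    otps = [make_block(uid, 1, n) for n in range(1, 16)]
    return {
        "otp_1": server.check(pub, otps[0]),
        "skip_to_15": server.check(pub, otps[14]),
        "otp_6_after_15": server.check(pub, otps[5]),
        "replay_15": server.check(pub, otps[14]),
        "tampered": server.check(pub, bytes([otps[14][0] ^ 1]) + otps[14][1:]),
    }

if __name__ == "__main__":
    print(demo())
```

An OTP that was generated but never submitted stays acceptable until the server sees a higher counter, which is why the advice above is to log in with the most recent one.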