oh. so, not an overview of the history of smart card hacking, actually just an ad for a startup. excellent stuff there
@DxBlack 1 month ago
There were at least 3 examples of historical hacks of smart cards...
@spambot7110 1 month ago
@DxBlack that's not an overview, that's a smattering of anecdotes. this covered a very small subset of the fascinating topic of SIM card hacks, the coverage was very superficial, and there was very limited analysis into larger trends and lessons learned. this guy managed to make an incredibly deep well of hacker lore look boring and shallow.
@Gamah1991 1 month ago
to be fair he also spent the first third of his talk demonstrating the futility of his startup.... at least he's honest?
@chandlercampbell539213 days ago
should have guessed from his outfit 😂
@pseudo_goose 1 month ago
29:07 - Yubikey literally did all three of these correctly (through FIDO/U2F/passkeys).
* One physical token, many credentials, and all secure and isolated from each other because each credential is just a data slot in the same simple protocol - not separate apps.
* No extra hardware - the protocol works over USB and NFC
* User interface - Built-in PIN/passphrase (with a separate one for administration), and touch-to-confirm. Credential storage and other settings are managed through an app on your phone or PC, which is fine, I don't need a built-in interface for that.

I love my Yubikey, and I would trust it over my phone any day. (But of course, it is not my only authentication factor)
@bijavix 1 month ago
Saying "Smartcards are dumb", because every card with an IC capable of doing authentication falls under the category of a Smartcard, is dumb.
@michaelstevenson5044 1 month ago
literally was trying to figure out smart cards today and this showed up after I did my searching
@iwuvu594021 days ago
I always love listening to defcon talks, I know nothing about computers but it’s always good to learn anything
@galaxystars261 1 month ago
Finally Defcon is back 🎉
@capability-snob 1 month ago
Oh I love this, definitely going to check out his product. While I generally approve of a move toward using portable computers for access control, there are a few areas where we aren't so clearly ready for the move yet. Firstly, NFC is subject to spoofing and MITM. While QR codes do have some drawbacks that require careful thought around the protocol built on them due to shoulder surfing, it's really easy to tell when someone is tampering with or intercepting your QR code. Secondly, the problem with endpoint security is serious and I don't think TEE is the full answer. ARM Morello will help us understand user intention a lot more clearly when it arrives. Finally, modern phone security UI varies wildly on how closely the designer read Ka-Ping Yee's Secure Interaction Principles. "Fingerprint to approve" is a good example that fails to appreciate a wide range of common attacks covered in the SIP. If we can address these, maybe we can finally get that utopia of the world securely in our pocket.
@randomblogger28352 days ago
Wiegand is a "return to zero" code, the pulses on the wire are much narrower than the bit time, not as drawn.
@Handy-Handy 1 month ago
Ouww yeah! - When the door unlocks, incredible! - I love my 'Flipper' :D - Awesome Talk, man Awesome Talk!
@douro20 1 month ago
Did they make brownout detection a mandatory function? If I remember right with iCLASS SE and ELITE you have to buy the cards directly from HID and they are horribly expensive.
@mentalmadness978314 days ago
If I lose my gym card, that's fine - I report it as lost, they block it, and I get a new one, I will still have my driver's license, credit card and what else I might have. But if I lose my smartphone with this proposed "solution" I lose everything, even my ID card in the future. How will I then prove to authorities that I am who I say I am? It's like putting all your investments in the same one basket, you just don't do it. You spread the risk.
@NithinJune 1 month ago
His name is “Chad Shortman” 😅
@dgwdgw 1 month ago
The video description boasts of high-profile attack analysis and live demos that don't exist.
@TheRealSasquatch 1 month ago
When the power goes out - how do you open the doors? Having fail open is a security issue in itself, doors closed is a health and safety issue. Keys, whilst insecure in themselves may be more secure? Lockpicking is easy when you have a lock in a vice, very different when trying a genuine lock in a door.
@W8RIT127 days ago
Some doors by fire code must not restrict exit ... Thru fire exit doors, not all doors are exits. Many doors have locks to prevent entry, but allow exit.
@newmonengineering24 days ago
A few things, some are battery backup. Also for the magnet ones you can buy them in 2 flavors, 1) the power going to the magnet is always on to keep it closed. 2) there is no power to it until it needs to open. if you buy #1 then when the power turns off the door is open, nothing to keep it closed. But most common is a battery backup system for the doors.
@nikolascoleman 1 month ago
I've worked in the security field all my life basically... Trying to get a root shell on some of these boards is trivial.
@ThomasBeeson 1 month ago
This is certainly one of the best DEFCON talks I've seen. Very light on the jargon for once!
@ihadmyfill 1 month ago
brilliant product
@sgtstens12743 days ago
now I want to see if my CAC can run Doom
@-r-495 1 month ago
Top-notch systems require an Apple device with FaceID and a PIN. Touch phone to reader, enter PIN. App on phone notifies, you unlock your phone and unlock the zone with FaceID in an app. This is what I've seen installed in major companies in Europe.
@Gamah1991 1 month ago
defcon did faceid in 2019
@adsan7787 1 month ago
So it's possible in theory to run Doom on a credit card?
@casualamber 1 month ago
"Can it run doom" if it can display graphics, yes it can.
@ThisPageIntentionallyLeftBlank20 days ago
… AOW is “Any other weapon”
@88Spint 1 month ago
So our phones have a chip like our credit card but with a memory... Knowing nothing, I see a future where that can be used to hack phones.
@CGoody564 1 month ago
Idk where you're getting "but with memory" from; it is explicitly stated that those credit card chips have memory themselves
@88Spint 1 month ago
@CGoody564 Oh I know nothing xD I just figured that rather than only being able to send out info about the credit card to the reader, and receive info about the vicinity of a reader so it knows when to send it... I realize I really don't know how it works.
@TheMohawkNinja 1 month ago
Why on Earth would I ever put my personal credit and debit cards on a device that is known to be constantly connected to the Internet, even when "turned off" and almost certainly has at least one backdoor in it somewhere, if not put in by the manufacturer, at least put in by the NSA. Yeah no, I'll take a YubiKey any day.
@SgtStarSlayer 1 month ago
My flipper zero just crapped on this video.
@casualamber 1 month ago
I guess it FLIPPED you off
@SgtStarSlayer 1 month ago
@casualamber nope, guess again
@WackoMcGoose 1 month ago
Yeeeaaah, no. I do not ever intend for my phone to _be_ my credit card, even if the infra becomes universal (as a Home Depot employee, we _literally just this month_ finally got Apple Pay at our store). Phones get stolen all the time, and if you steal a phone, and they put their payment cards, id cards, everything else on there... it doesn't matter if it's "password protected", you can always bypass that and *_become_* that person with little effort.
@FaeLLe18 days ago
Why bother when your bank will always reimburse (immediately) any misused funds due to your phone theft.
@WackoMcGoose 18 days ago
@FaeLLe Good luck _proving you are who you say you are_ without your phone.