As the old saying goes "once physical access is aquired, all bets are off"

If buying isn't owning, then duplicating isn't stealing.

Was worried for my Yubikey for a moment there... left feeling more impressed

The Internet Archive portal is a heritage of humanity. Future generations, when they look back, will be perplexed by the pettiness of our time.

Are publishers going after the Internet Archive because they maintained an open library during the once-in-a-century pandemic when everything was locked down? Copyright started as 14 years. It lost all meaning when it crossed the period of "life of author". Now it's just another industry with regulatory capture.

The publishers' attack on the Internet Archive's emergency library create not only a moral justification, but in fact the same MORAL OBLIGATION that exists with Adobe products. I see Ally hit a nerve today. 😉

Remember, its morally right to pirate Adobe and books.

I used internet archive to view my textbooks instead of having to pay hundreds of dollars to see it online. Sucks that people can't use this resource anymore..

If these book publishers don't want people to read their books, then don't make books.

Why does watching Hak5 feel like watching a high school media broadcast???

the exploit requires physical access, but really anytime a hardware key gets into unauthorized hands it should be reset/replaced and associated accounts checked since in some cases it may have been used to add the attacker's own key to an account

Guess they would have to take my yubikey from my cold dead hands first

Growing up in the 80-90s with punk and hacker culture. I never imagined the hacker space being against free speech or big government. We must remember the second we allow a government to dictate speech we welcome both side to open a police state to their beliefs.

thank you for your services! I also watch Saytonic

TL;DR - It's applicable for State Agencies on hardware siezed under Warrant, or maybe hardware disposed of incorrectly.

Live Long Internet Archive!!

Big corpos pay money for laws to be made against users. Screw corpos and their greed.

Not YubiKey. Infineon created a weak link. Again. Second time Infineon cause problems. Last time there was a replacement program for effected Yubikeys to get a replacement.

Great details on the YubiKey Issue.

How much, in dollars, did Elon Musk lose as a consequence? About a Brazilian...

This breakdown is what we needed. It's so good to put this into context

you miss the story... it's the same system used by biometric passports... yubikey is not the story here

Attacker would need to steal the key to do this, in which case if they have the key what's the point in cloning it. Not really much of a threat.

This should be a constitution everyone would be a scholar and more educated "information should always be free, if not at least in 3-5 years, not entertainment, just general knowledge"

This is exactly the overview I wanted. Thank you.

So it's basically a worry for people targeted by large intelligence agencies.

but if you already have phisical access to the key and know the first auth method key, why bother to clone the yubikey instead of just... ussing it??

If you can get fined for using a VPN. Then it's not really private.

Guess I’ll have to go to Anna to “borrow” my books.😏 The Internet Archive was as the name suggested an Emergency Lending Library because of the pandemic lockdown. It’s better to lend and borrow then for readers to pirate. Publishers forcing readers hands. Amazon has a Kindle Unlimited lending library but a majority of their stuff are self published pamphlets and fictions from weekend inspiring authors of varying quality.

I agree, Internet Archive shouldn't lend anything. Let's just download it. :/

Yubikey: ha! They have to defeat my first layer of security then, finding the dang thing in one of my many junk drawers!

I enjoyed this news segment immensely.

I'm out of the loop. Where's Shannon?

Steve Gibson's "Security Now" podcast

What happened to Shannon Moris she was awesome. FYI I really didn't appreciate the Ill part guess she doesn't like X formally Twitter. Wonder if she would also say ill to Twitter when it wasn't owned by Elon Musk. Think the thing people miss is they froze bank accounts this not only happened with him but also with the trucker movement in Canada and here in the US one reason for Bitcoin being such a hot Item is because of desegregation.

Note that Internet Archive held the physical books for everything it shared, and only one person could access each book at any given time; ie. same as a library.

it's a feature of OK. they are a low budget company, but the tech is OK, and you can have backups

I can't belive that those publishers are going after Open Archive, lending digital books is very restrictive to avoid getting sued and even then they sued Open Archive, they are greedy and evil!!

Did she say X eww? 3:35

Does it really count as a hack if you have to use an electrical engineering lab to do it? I think yubikey users are safe for all practical purposes.

Every serious security professional I talk to tells me that physical security keys are nonsense. Personally, I refuse to use one.

I guess educational value is no value? A lot of these books you can't even buy anymore.

More accurate less sensational clickbait version from Steve Gibson on Tuesdays security now podcast. TL:DR - yubikey still secure.

"needs physical access"... well I never thought my yubikey would still be save when physically accessed by some one else

Is it this same with the google titan keys? Do they need to be physically had and taken apart too or is there a nonlocal risk virtually as well

Thanks for talking about the fight of Xandao The Dictator vs X

You had me worried there....for a second at least

Threat actors in Russia & China mostly. Recently some small outfits in the Middle East...

I’d be more worried that if they were able to get access to the key in the first place.

Security Now podcast on TWIT

coughed coffee all over my keyboard at 3:36 "x... ew"

Are the dolphins at it again

I'm actually surprised at the effort needed to read that token !!!

I came across a cyber security headlines KZbin channel called CISO series if that’s any use!

It's still 100x more secure than a house key.

I guess secure hardware always has an inherent security by obscurity component to it. Quite a lot of effort required to beat a simple yubikey, it's impressive in a way.

So Yubi needs to put an internal Faraday cage inside?

Fugg my mind just shuts off when the data dump begins, I think a montage walk through about like the ubikey thingy would have been helpful. Idk. maybe I'm just stoopid. 🤣

So the government can break in and hack me but not some guy in china with a script which is the one I worry about

Or, “How to completely baffle all your customers in one easy podcast.”

Unless you are targeted by a nationstate you are ok on this one (Yubi).

What locks .... Can always be unlocked 🔓

I prefer if the future uses U2F second factor authentication instead of using password-less passkeys or really any stored resident credentials for 2 reasons. First is limited number of storage slots on most keys, they may increase in the future but are still going to be less than infinite. Second is deniability and security, if you have someone's U2F key, you cannot possibly figure out which accounts that key opens without trying it on EACH account you suspect it opens... but with resident credentials, it is possible to at least know where that key goes... so if you can somehow bypass or guess the PIN... you have the key and know which lock it opens. But with U2F, you only have the key, which might be PIN secured in some cases anyhow, so you still don't know which of the billions of accounts the key opens... giving time to de-register the stolen or lost key.

Yeah, for yubikey, the fact that you need physical access pretty much kills this 'hack'. The other requirements are also insane 😄 -Physical access -$10k+ in equipment -Significant time -Significant knowledge

I HOPE THERE ARE STILL BRAZILIAN BUNS ON "X"

Oh this is why I have problems with people like this

Pretty soon hackers will be able to create an account with your face, fingerprints, ssn, mothers maiden name, your physical address, and picture ID. oh wait...

I have a few security related Google Alerts set up, a few email newsletters, and whatever the algorithm wants to feed me recommended

If it requires extended physical access to the key, then they should just use the key.

I have multiple places, where I get cybersecurity-news. Most of them are either pretty slow or not in english, like fefe's blog or talks directly at local conferences.

Go X, GO Elon Musk, Go TRUMP!

x iuh? really ?

This smells like a backdoor.

Once again, thank you for providing FUD-free, non-sensationalist analysis of security news. 👏

Thank you Ali . I was about to throw mine away

translation the CIA and NSA have been using this for years

What frustrates me more than anything is the majority of people who dont care. 😢

You hacked my mind where no security required, I Like ninja 😍

Well, floatplane media would be the next best place.

Also commented before DNS / VULN

I listen to the Risky Business podcast with Patrick Gray. Awesome podcast

I was wondering how long it would take.

"It´s Free = not fair use" Say what now?

just wrap your yubikey in a gum wrapper while you use it EZPZ

I have lot's of sources. MSN is actually pretty good for me. I also am a member of the 2600 group some of the original phone phreakers.

did scheme the output of the device to replicate the action?

My YubiKey is just protecting my online bank account. No biggie.

So this attack would also apply to TPM?

Security now with Steve Gibson and also Shannon Morse for news

Once you have the yubikey, couldn't you just use it? Much faster than cloning it.

this feels like a glowie backdoor tbh

Oh, I also watch Mental Outlaw, but its more history than news

All Internet Archive needs to do is offload the material onto a webserver located in a country where the laws are different & thumb their noses at their opponents.

So we know it won't be used outside of nation states.

Ars Technica isn't a bad place to get Information Age security advise from, but they aren't perfect either. 🤷‍♂ A "journal" would be the fastest and best place to find out about software/hardware exploits, but they typically have subscriptions that aren't cheap... at least if they use the typical branch of science reporting method. 🤔

even easier to clone any authenticator app

Once they have your Yubikey, why do they need to clone it???? They already got the key.

So, keep it in your pocket.

Isn't banning against censorship laws

yeah; but what happened with your project to use github as a dating app?