My YubiKey 4 Arrived

Jason · July 26, 2018, 09:43:19 PM

A few months ago I mentioned in another topic that Wired was running a promotion where you would get three months of Wired for free and, if you don't cancel your subscription, a YubiKey 4.

I just received it the other day and have been playing with it. It's great and is easy to setup with those services that support it. I use it with LastPass, Google and Facebook and plan on harassing my bank and other services to support it, too. I can't take a picture to give it justice but you can view it on the YubiKey site.

Btw, the promotion is still on. Strange thing is they haven't billed me for the year yet.

dougal · July 26, 2018, 11:11:03 PM

wondering if you had read this :
Yubico has replaced all open-source components in YubiKey 4 with closed-source code, which can no longer be independently reviewed for security flaws.[33] Yubico states that internal and external review of their code is done. Yubikey NEOs are still using open-source code.[34] On May 16, 2016, Yubico CTO Jakob EhrensvÃ¤rd responded to the open-source community's concerns with a blog post[35] affirming the company's strong open source support and addressing the reasons and benefits of updates to the YubiKey 4.

In October 2017, security researchers found a vulnerability (known as ROCA) in the implementation of RSA keypair generation in a cryptographic library used by a large number of Infineon security chips. The vulnerability allows an attacker to reconstruct the private key by using the public key.[36][37] All YubiKey 4, YubiKey 4C, and YubiKey 4 nano within the revisions 4.2.6 to 4.3.4 are affected by this vulnerability.[38] Yubico publicized a tool to check if a Yubikey is affected and replaced affected tokens for free.

Jason · July 26, 2018, 11:35:39 PM

Do you have the link where that text comes from?

dougal · July 27, 2018, 01:54:33 PM

looks like this is a two yr old thread posting that i got from wikipedia and the github link was where i ended up, but i don't understand much of the technical aspects of the postings

https://en.wikipedia.org/wiki/YubiKey

reference note #33 at bottom of page takes to :

I must, sadly, withdraw my endorsement of yubikey 4 devices (and perhaps all newer yubikeys), as apparently Yubico has replaced all open-source components that made yubikey NEOs so awesome with proprietary closed-source code in Yubikey 4s:

https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368

here's yubico blog post on the subject:
https://www.yubico.com/2016/05/secure-hardware-vs-open-source/

fox · July 27, 2018, 03:56:14 PM

I read the relevant posts. Yubico appears to have made a logical argument for their decision to make the firmware proprietary, though that decision was clearly not endorsed by the Linux Foundation representative. I don't have the technical knowledge to comment on who is right, but bear in mind that the firmware in any computer owned by any PLUG member is also proprietary.

In another posting I did today, I referred to an article on a new security key soon to come out that is made by Google. This will, undoubtedly, be closed source as well, at least with regard to the firmware.

Jason · July 27, 2018, 05:46:39 PM

Thanks, Dougal. I'm not sure about the security ramifications, either. The blog reply was more interesting though I have to say it lost me quite quickly. I don't know enough about security to be able to understand the ramifications of opening this kind of code or keeping it proprietary.

And I like Open Source but I don't believe everything has to be Open Source. I don't think our computers would be as useful if we only used open source software and as Fox points out, a lot of the hardware in our computers isn't.

Regarding the vulnerability you mentioned previously in YubiKey 4, they have security advisories on their website and everything shipped after July of last year didn't have the bug and if you had a key before that, they offered to replace it. I didn't just trust the shipping date, though. I used their terminal command to determine the version I had to make sure it was okay and it is.

Jason · July 31, 2018, 01:37:04 AM

A few minutes after you left, I was trying to get the YubiKey to work in Ubuntu 18.04 Desktop after the unsuccessful attempts you witnessed and then Doogal, smart guy that he is, suggested trying another live distro. I didn't have any with me, but he had Linux Mint Cinnamon (18.3, I think?). Booted up in live mode, logged into Lastpass with username and password, it asked for the YubiKey, inserted it and touched the metal circle and presto, it worked!

It seems there is nothing wrong with the key, this is an issue with vanilla Ubuntu support.

I'm going to keep playing with Ubuntu to do some investigating to see if I can get it to recognize the YubiKey.

fox · July 31, 2018, 07:44:02 AM

In light of your troubles last night, I should have brought you Peppermint Linux.

Jason · July 31, 2018, 09:00:38 AM

Quote from: fox on July 31, 2018, 07:44:02 AM
In light of your troubles last night, I should have brought you Peppermint Linux.

I don't know if that would have helped. I forget what Peppermint is based on.

It seems really strange to me that Ubuntu wouldn't be supported but hopefully I'll get it figured out and let everyone know. Also wondering it LM 19 supports it since it uses Ubuntu 18.04 as a base.

fox · July 31, 2018, 12:06:20 PM

Peppermint is based on Ubuntu, but it uses a combination of lxde and xfce for its desktop.

dougal · July 31, 2018, 10:19:36 PM

the live OS that worked last night was LinuxMint 19 Tara Cinnamon 64bit

Jason · August 01, 2018, 01:28:23 AM

Quote from: dougal on July 31, 2018, 10:19:36 PM
the live OS that worked last night was LinuxMint 19 Tara Cinnamon 64bit

Good to know. Thanks! Any other distros that people want me to check it with? I don't promise to get it done fast - getting requests for interviews, etc. and I haven't even put out a media release yet!