<kristianpaul>
now this module has glonass, soo better changes to avoid spoofing
archang has quit [Remote host closed the connection]
nicksydney has quit [Quit: No Ping reply in 180 seconds.]
nicksydney has joined #qi-hardware
archang has joined #qi-hardware
<kristianpaul>
and since you can talk with the gps, there is an open room for location spoofing detecto
<kristianpaul>
s/defecto/detection
<DocScrutinizer05>
how is glonass more hardened against spoofing? (btw I wonder what's the usecase to have geolocate-locked keys anyway)
<DocScrutinizer05>
actually GNSS-spoofing should be pretty simple, at least for the civil unencrypted part. I'm not sure how secure the SA-encrypted part would be, but taking into account how they brought down some drones I'd think nobody ever thought about anybody being that bold to fake GPS signals ;-P Same as it ever was. See GSM and every other infra, where usually the authorities-controlled infra been considered secure-per-se and nobody thought
<DocScrutinizer05>
about proper authenzication of servers, only about authentication of clients
<DocScrutinizer05>
but honestly I'm just pissed enough when it comes to GNSS-based geolocation *assistence* to find next bus stop and the time schedule of the bus there. For the life of mine I couldn't figure a usecase scenario where I want a crypto solution *relying* on geolocation
<DocScrutinizer05>
switching to another sorting sequence (locally most recently used key first) in UI list of keys is all I could come up with for a usecase of GNSS in Anelok
<DocScrutinizer05>
implementing OPIE ,and proper URL detection support and even challenge-response auth via optical means to read out QR or similar on screen, in Anelok sounds way more useful
<DocScrutinizer05>
for URL detection on arbitrary webpages via a dedicated server that exploits $referrer I think I already suggested some details, which would make for a really great unique selling point for Anelok
<DocScrutinizer05>
F6; 'anel.ok'ENTER ; <point Anelok on QR appearing on screen until the display is flashing (detected QR)>; ENTER - or back-button (to return to the previous page that requested a password entry)
<DocScrutinizer05>
dunno if that would actually work that flawlessly to return to an input mask with multiple textboxes that way
<DocScrutinizer05>
alas nope, it clears the already filled in values in such multi-textbox forms
<DocScrutinizer05>
so your anelok not only needs to store the password value but actually should playback the complete set of values needed for that form, or you need to do the F6 etc dance as soon as you enter such webpage that eventually needs a password
<DocScrutinizer05>
e.g. when you log in where also a captcha is needed, you first go to anel.ok and THEN return to page, fill in captcha, username and password
<DocScrutinizer05>
wtf? .ok TLD not registered yet?
<whitequark>
I wonder when they register .exe TLD
<DocScrutinizer05>
either someone grabbed it and it's not easy to find out about the fact, or there must be some special quirks with .ok. Anyway for anelok there's stil all from a.nelok to ane.lok
<DocScrutinizer05>
apropos... (not really, since it's not exactly .exe...) could it fly to make anelok serve a HTTPS:// page that serves as a framework for automatically detecting and providing passwords? I.E. you would open this https://anelok page (ideally served from anelok dongle itself?? file://usb:index.html ?) and then enter the URL of your online banking site or whatever and anelok detects it automatically?
<whitequark>
no, that would be an XSS vulnerability
<DocScrutinizer05>
:nod:
<DocScrutinizer05>
though, maybe not realy when anelok page first tells anelok dongle about URL and then properly does a forward to that page
<whitequark>
you can't enter a password like that
<whitequark>
hell, it's often hard to enter a password if you have a legit password manager, because banks are stupid
<DocScrutinizer05>
no, i'm not planning to enter the password like that. Anelok already has means to enter password, either by reading it from disply and manually typing it, or by playback when anelok emulates a kbd
<DocScrutinizer05>
I'm just thinking about making anelok aware about the required password
<DocScrutinizer05>
once you got 30 or 50 passwords stored on anelok, it becomes a PITA to select the one you need right now
<DocScrutinizer05>
anelok knowing about the URL you are just looking at would be a great hint to offer the right (set of) password(s to select from)
<DocScrutinizer05>
*entering* the password is a completely unrelated issue
<whitequark>
ah, yeah, that works
<DocScrutinizer05>
ok, when you connect anelok between PC and kbd like a keylogger then it of course has no problem guessing which password you might need now (unless you used mouse to click on bookmarks or the like)
<DocScrutinizer05>
then otoh bookmarks make my formerly sketched aproach fail as well
<whitequark>
um, yes, of course i would not ever type the full URL there
<whitequark>
cli<TAB>ck.alfabank.ru is how I always do this
<DocScrutinizer05>
ut for the (raher common) situation where anelok is just-another-usb-dongle and the kbd is connected directly to PC, it might work
<whitequark>
not to mention you have no clue what the context is
<whitequark>
imagine sending someone a link to google.com and having anelok enter your google password?
<whitequark>
and you also don't know what the keyboard layout is
<DocScrutinizer05>
anelok never *automaticaly* adds a password
<whitequark>
ok, two other issues still stand
<DocScrutinizer05>
for keylogger the layout is a pest, yeah
<DocScrutinizer05>
for the ... lemme call it "URL input screen" layout is irrelevant
<DocScrutinizer05>
but of course won't fly when you enter the URL to address field of browser directly
<whitequark>
you can surely use a browser extension
<DocScrutinizer05>
heck, we need OCR in anelok ;-D
<whitequark>
Chrome now has WebUSB
<whitequark>
so you don't even have to pretend that you're a webpage
<DocScrutinizer05>
sounds good
<DocScrutinizer05>
except for "crome"
<whitequark>
Chromium and Firefox too
<DocScrutinizer05>
chrome even
<DocScrutinizer05>
ooh
<whitequark>
Firefox is not really there yet, but it will probably be at some point
<whitequark>
in Chromium that's usable right now, Yubikey uses it
<DocScrutinizer05>
I guess 'installing' such plugin still is quite some overhead not competitive with the fiddly picking of right password from anelok's UI directly?
<whitequark>
why? you could make it as light as the browser's builtin autocomplete
<whitequark>
you can do whatever you want with the webpages
<whitequark>
from a plugin
<DocScrutinizer05>
err, do plugins autoinstall?
<whitequark>
no
<DocScrutinizer05>
as soon as you plug in anelok?
<whitequark>
but you only have to install it once
<DocScrutinizer05>
yes, but that's not the point. For one-time installation the stuff to install can get arbitrarily complex. But that's not really the major usecase for anelok, I'd use a software password-keeper for that then
<whitequark>
ah, hm
<DocScrutinizer05>
anelok primary usecase is on-the-go
<whitequark>
right. you would want a composite device: expose a keyboard and a CDC-Ethernet
<DocScrutinizer05>
well, maybe not. Maybe it's "use anelok at home and you're ready for OTG"
<whitequark>
of course you will immediately bump into various computers not allowing installation under unprivleged user
<DocScrutinizer05>
yep
<DocScrutinizer05>
anyway, time to have that walk to my appointment
<DocScrutinizer05>
both for the appointment as well as for the "start my day" and "have a fine walk"
<DocScrutinizer05>
and the "get a break from PC"
<DocScrutinizer05>
:-)
<DocScrutinizer05>
BBL
archang has quit [Ping timeout: 246 seconds]
archang has joined #qi-hardware
jekhor has joined #qi-hardware
mithro has quit [K-Lined]
mithro has joined #qi-hardware
pcercuei has joined #qi-hardware
archang has quit [Remote host closed the connection]
archang has joined #qi-hardware
pcercuei has quit [Ping timeout: 244 seconds]
rodgort has quit [Ping timeout: 240 seconds]
rodgort has joined #qi-hardware
jekhor has quit [Remote host closed the connection]
atommann has quit [Ping timeout: 256 seconds]
arossdotme-planb has quit [Ping timeout: 256 seconds]
jwhitmore has joined #qi-hardware
arossdotme-planb has joined #qi-hardware
dandon has quit [Ping timeout: 272 seconds]
<wpwrak>
whitequark: (webusb) hmm, so a device - e.g., a password safe - isn't expected to be able to protect itself. that doesn't sound too nice.
<wpwrak>
ah, you guys were already discussing anelok :)
<wpwrak>
so far, i've been thinking of using hidapi for such things. but webusb could be a nice alternative
atommann has joined #qi-hardware
<wpwrak>
i wonder what the "origin" of a browser plugin would be. e.g., if you install a plugin from anelok.com and that plugin becomes active when visiting fakebook.com/login, would a webusb device have to permit one of anelok.com and fakebook.com, or maybe both ?
<DocScrutinizer05>
don't ask me, no clue about that stuff
<DocScrutinizer05>
what do you think of a mail like that (excerpt, sourcetext. The HTML alternative part stub at end looks extremely fishy... I truncated it, it is 100 times as much of same gibberish) http://paste.opensuse.org/31289181