Links for 2011-04-25

  1. Posted April 26, 2011 at 13:18 | Permalink

    Dropbox seem to be in big trouble, in the past week they’ve had this, the slightly-wonky local exploit, and the change of Ts&Cs that highlighted the fact that they use a master key rather than individual keys. But is SugarSync any better?


  2. Craig Hughes
    Posted April 26, 2011 at 22:55 | Permalink

    Re: duosecurity. I’d be careful to make sure that you configure the system to fail open — so if duosecurity’s servers go down (accident, business failure, etc), then you’ll still be able to log in to your box(es)….

    That opens you to some clever attacker DoSing your link to Duo in order to get around the 2nd factor, but the attacker probably won’t even know you’re using Duo, so how would they know to DoS it… or does Duo print something on your connection while it’s waiting for the 2nd factor auth?

  3. Posted April 26, 2011 at 23:45 | Permalink

    Craig – some more hints here:

    I think you need to know the traditional login-with-password first (“something you know”) before following up with the DuoSecurity stuff (“something you have”), so the use of DuoSecurity is undetectable. All the same, what I’m thinking of doing is adding an emergency-use user account with a very long, ~uncrackable passphrase, then using DuoSecurity in fail-closed mode.