Linux - Security
So I was recently reading this article http://www.cnet.com/news/false-secur...its-customers/ about two-factor authentication and, although I really didn't understand it, the article was suggesting that hardware tokens weren't secure. So this got me wondering what type of two-factor authentication is currently the safest? This website https://twofactorauth.org/ lists different websites and the methods of two-factor authentication they use. So between SMS, phone call, email, hardware tokens, and software implementation, which ones are the most secure?
Especially given your comments on Linux security here, I suggest you don't use the fact you don't understand the article as a shortcut to blithely jump to the million dollar question. Basic understanding of the SiteKey implementation, how Man in the Middle (MiTM) attacks subvert it and, more importantly, how human behaviour undermines authentication (neglecting to notice any discrepancies) is important. Next to that, anybody responding with "product X" (without properly explaining why) should be viewed as utterly suspicious.
Failing to do so would be like setting up a Claymore mine (or better: have some doofus set it up for you) without reading the cover notice and "just hoping you get it right". Well, there is a chance... Now, that you are invited to discuss things here is inherent to how fora like LQ work but the responsibility to read, understand and make an informed decision should be yours and yours alone. So as far as CVE-2006-7199 goes please read these: https://www.schneier.com/blog/archiv...ailure_of.html http://blog.washingtonpost.com/secur..._to_break.html
I think that the bottom line is that "neither personal-computers, nor (especially ...) phones and tablets, qualify as 'secure devices.'" Neither is the Internet a 'secure network.' (No, not even given the fact that individual conversations can, more or less, be secured. You cannot prove that there is not a man somewhere in the middle of the complete exchange.) These devices were designed to be appliances.
The only hardware-plus-software environment that would actually be appropriate for (especially ...) "online banking" does not exist yet. The technology that is required includes a truly-hardened computer, plus a "smart" credit-card with an onboard microprocessor, and a secure reader for that card which is installed into every phone, tablet, or computer. The notion of a "credit card number" must go away completely.
Ironically, I think that some of the novel cryptographic ideas that currently manifest in "bitcoin" just might play a part in all of this. The total requirement for credit-card processing necessarily must include both online and offline acceptance capability, and the exchange must remain secure even though an unscrupulous merchant (or, a data-thief working for him ...) will have access to the stored, not-yet-processed offline data. "Bitcoin" essentially introduces the notion (as I understand it ...) of completely-decentralized authentication. If this notion can be coupled with a cipher exchange protocol that is not computationally intractable ... indeed, that can be partly implemented on-board a smartcard ... then there are millions of dollars in well-deserved patent royalties to be earned by someone.