• Re: Calling BBSs

    From Adept@21:2/108 to paulie420 on Wednesday, July 29, 2020 18:54:07
    That's cool - I guess what I need to do is get on over to your board and login. :P I'll do that sometime in the near future. Cheers.

    It's amazing how much of a barrier that is at times. :)

    Though I imagine it's basically the same barrier to most websites that'd have you create an account.

    Maybe some day someone will come up with a cross-BBS login thing, like how various sites use Facebook/google/Github/whatever to login rather than requiring sign-up info.

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: Storm BBS (21:2/108)
  • From Andre@21:3/117 to Adept on Wednesday, July 29, 2020 14:02:02
    On 29 Jul 2020, Adept said the following...

    Maybe some day someone will come up with a cross-BBS login thing, like
    how various sites use Facebook/google/Github/whatever to login rather
    than requiring sign-up info.

    Now *that* is a spectacular idea.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From Ogg@21:4/106.21 to Adept on Wednesday, July 29, 2020 19:53:00
    Hello Adept!

    ** On Wednesday 29.07.20 - 18:54, Adept wrote to paulie420:

    Maybe some day someone will come up with a cross-BBS login thing,
    like how various sites use Facebook/google/Github/whatever to login
    rather than requiring sign-up info.

    HOW do those systems work? If site X offers sign-in with Google/FB/ and
    you choose Google, does site Xy use your Google un and pw?

    But then what happens if there is a security breach at site X? Will the hackers have access to your Google account?


    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Andre@21:3/117 to Ogg on Wednesday, July 29, 2020 19:55:48
    On 29 Jul 2020, Ogg said the following...

    HOW do those systems work? If site X offers sign-in with Google/FB/ and you choose Google, does site Xy use your Google un and pw?

    But then what happens if there is a security breach at site X? Will the hackers have access to your Google account?

    It's really just offloading the authentication to Google, so you're trusting that their Google account is secure.

    Same with your second set of questions... It's more the opposite of what you think. If the website gets hacked, they'll have access to whatever you
    allowed (as a user) when authorizing the website to use Google auth. Usually just basic stuff like name or email address or whatever. The larger danger would be if their Google account got hacked that the hackers gain access to other websites.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From Adept@21:2/108 to Ogg on Thursday, July 30, 2020 02:04:35
    HOW do those systems work? If site X offers sign-in with Google/FB/ and you choose Google, does site Xy use your Google un and pw?

    Andre gave a good answer, but I wanted to talk about part of it anyway.

    So far as I understand, what a site winds up with is some sort of token. It's
    a really complicated token, so it's a bit like the complexity of correctly guessing a username and password, but actually random.

    This token can be generated each time by Google - They just check that it's
    who you think it is, and send over the token. If it matches the token they provided when they signed in with Google before, the system signs them in.

    If your site is hacked and they get all those tokens, they'd still have to do
    a man-in-the-middle attack and pretend like they were sent from Google.

    ...or a variety of other security concerns. But general idea is that there's significantly less of a security worry for that particular site, as there's nothing of particular value in your authentication database.

    But if the person's Google account gets hacked, then people with malicious intent will also be able to use the victim's account on your site.

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: Storm BBS (21:2/108)
  • From Spectre@21:3/101 to Andre on Thursday, July 30, 2020 13:20:00
    Maybe some day someone will come up with a cross-BBS login thing, like how various sites use Facebook/google/Github/whatever to login rather than requiring sign-up info.

    Now *that* is a spectacular idea.

    It is, but will it be a pain like FB where someone registers your nick? And do you lose the I'm fred@somebbs not fred@xbbs... in the join one join them all scenario. At this stage probably not I s'pose, there's far fewer users than there used to be.

    Perhaps start with a communal FSX login system?

    Spec


    *** THE READER V4.50 [freeware]
    --- SuperBBS v1.17-3 (Eval)
    * Origin: Scrawled in haste at The Lower Planes (21:3/101)
  • From Spectre@21:3/101 to Ogg on Thursday, July 30, 2020 13:27:00
    HOW do those systems work? If site X offers sign-in with Google/FB/ and you choose Google, does site Xy use your Google un and pw?

    I imagine it's a blind check, I have name and auth, and the response would be true or false. No need to do anything else. The client end doesn't need to store any data whatsoever.

    But then what happens if there is a security breach at site X? Will the hackers have access to your Google account?

    No, because they don't have your google data, unless they're keeping it behind the scenes of course.

    Spec


    *** THE READER V4.50 [freeware]
    --- SuperBBS v1.17-3 (Eval)
    * Origin: Scrawled in haste at The Lower Planes (21:3/101)
  • From alterego@21:2/116 to Spectre on Thursday, July 30, 2020 15:51:22
    Re: Re: Calling BBSs
    By: Spectre to Andre on Thu Jul 30 2020 01:20 pm

    Maybe some day someone will come up with a cross-BBS login
    thing, like how various sites use
    Facebook/google/Github/whatever to login rather than requiring
    sign-up info.
    Perhaps start with a communal FSX login system?

    I'm actually after a federated authentication system - but can't think how to make it, within the constraints of BBSing.

    I have my ANSItex and Videotex working, but I'm wanting to make it InterBBS capable - ie: if somebody else is running ANSItex/Videotex you could authenticate to their system with the same credentials as any other node.

    OAUTH (which is the google discussion) would be great, but I can't see how it would work in BBS land. While you "login with google" on websites, what you may not notice is there is a bit of bouncing going on with your browser before the login completes - and a direct conversation between the web site and google that.

    IE: When you want to auth with a website - it redirects you to google to authenticate, where you use your google credentials. The redirection includes a secure token (signed by the website that only google can decrypt) that tells google which website redirected to it. (There are 3 pieces of information that need to be correct otherwise you get an error.)

    After you authenticate (username/password/OTP, etc), google then creates a "key" for the website to use and encrypts it, so that only the website can get the key and redirects you back to the website with the key.

    The website gets the key, decrypts it and then makes a request behind the scenes to get the user's details - and how much info the key makes available depends on the setup. If the key works, the website gets your details from google and thus knows who you are and lets you in.

    In BBSing world, I can't imagine how this could happen, since we use a terminal software, which by definition is a direct connection.

    The BBS software could make the backend connection to get/validate your credentials while you are logging on I guess...

    ...ëîåï

    ... Because of the greatness of the Shah, Iran is an island of stability
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Andre@21:3/117 to Spectre on Thursday, July 30, 2020 03:48:52
    On 30 Jul 2020, Spectre said the following...

    It is, but will it be a pain like FB where some registers your nick? And do you lose the I'm fred@somebbs not fred@xbbs...

    I think you'd probably have to link the OAuth login to a local account, probably by email. Then the local account would have the usual BBS account info like nick and real name.

    Whether you used an uber-BBS OAuth or Google/Facebook/Twitter/Apple/etc. wouldn't change that. Login to a board for the first time and you'd still have to go through the same new user process, but you're just moving your user/pass out to the OAuth service.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From Andre@21:3/117 to alterego on Thursday, July 30, 2020 03:58:03
    On 30 Jul 2020, alterego said the following...

    In BBSing world, I cant imagine how this could happen, since we use a terminal software, which by definition is a direct connection.

    The BBS software could make the backend connection to get/validate your credentials while you are logging on I guess...

    That's what I was initially thinking. But now that you mention it I can't think of a way to send the user over to authorize the request within the terminal, much less grab the token and give it back to the BBS.


    Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From Spectre@21:3/101 to alterego on Thursday, July 30, 2020 18:45:00
    I'm actually after a federated authentication system - but cant think
    how to make it, within the constraints of BBSing.

    I think you'd have to write a front end to replace the login, or in the case of the old DOS system probably a logon door. I guess most of the others can, but super allows you to tell it who is online on the command line, so the action would be a little like a smarter FD batchfile. For the new fangled BBS system, never looked at one really and someone else would have to figure those out.

    The only super problem I can foresee, is that you won't have http redirection available to you. So you'd probably have to ask for user/pass in the normal sense on the host system and then ask if it's right or not...

    Spec


    --- SuperBBS v1.17-3 (Eval)
    * Origin: (21:3/101)
  • From Spectre@21:3/101 to Spectre on Thursday, July 30, 2020 18:52:00
    I just foresaw an unforeseen problem ;)

    Despite being able to tell the software who's online they still need an entry in the userbase.... could be as simple as name & XXXX for the password, seeing as the local password won't be used, but starting this way without the user already in the base falls over if I recall right.

    Spec


    --- SuperBBS v1.17-3 (Eval)
    * Origin: (21:3/101)
  • From Arelor@21:2/138 to Ogg on Thursday, July 30, 2020 06:02:45
    Re: Calling BBSs
    By: Ogg to Adept on Wed Jul 29 2020 07:53 pm

    Hello Adept!

    ** On Wednesday 29.07.20 - 18:54, Adept wrote to paulie420:

    Maybe some day someone will come up with a cross-BBS login thing,
    like how various sites use Facebook/google/Github/whatever to login rather than requiring sign-up info.

    HOW do those systems work? If site X offers sign-in with Google/FB/ and
    you choose Google, does site Xy use your Google un and pw?

    But then what happens if there is a security breach at site X? Will the hackers have access to your Google account?

    I think most work like this:

    The user arrives at arelorhorses.com, and clicks on Authenticate Via Tech Giant.

    arelorhorses.com asks techgiant.com if this user has been authed with techgiant.com. techgiant.com verifies that the user has an account with them (say, via a password prompt or whatever) and tells arelorhorses.com "That's right, this user sold their soul to us, give him access as user DumbUser".

    --
    gopher://gopher.operationalsecurity.es
    --- SBBSecho 3.11-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)
  • From echicken@21:1/164 to Spectre on Thursday, July 30, 2020 11:14:12
    Re: Calling BBSs
    By: Spectre to alterego on Thu Jul 30 2020 18:45:00

    The only super problem I can forsee, is that you won't have http redirection available to you. So you'd probably have to ask for user/pass in the normal sense on the host system and then ask if its right or not...

    That's a big problem, because it means that if I'm on BBS A trying to log in with my account from BBS B, I need to type my password for BBS B into BBS A, and BBS A could record that if it wanted to.

    We can do this sort of thing "safely" on the web because we can ping pong the client's browser from one place to another, and pass messages back and forth.

    I think you'd have to write a front end to replace the login, or in the case of the old DOS system probably a logon door. I guess most of the others can, but super allows you to tell it who is

    A while ago I suggested an "authenticator" application for desktop/mobile. If I call BBS A and log in as "Some User@Federated System", assorted magic happens in the background, and then the authentication application I'm running on my phone or desktop brings up a prompt. From there I can approve the login, and maybe approve the export of certain user details to build out my profile on BBS A.

    Any participating BBS would need to allow for modifications to its login process, and inserting/altering records in its user database.

    Is this worth the hassle, to avoid a newuser signup process or remembering multiple passwords? I dunno.

    There would be other problems to deal with (username collisions, etc.)

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    * Origin: electronic chicken bbs - bbs.electronicchicken.com (21:1/164)
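Added example, not code from this thread: the "authenticator app" approach echicken describes, and Spectre's point that a terminal gives you no HTTP redirection to work with, are what the OAuth 2.0 device authorization grant (RFC 8628) was designed for. The board asks the identity provider for a code pair, shows the short user code on the caller's terminal, and polls while the user approves the login on their own phone or desktop. The user's credential goes only to the identity provider, so BBS A never gets to see, or record, the password for BBS B. Python, both sides simulated in one process; the provider address, the per-board client id, the fred@somebbs account and its PIN are invented for the example. The local userbase record it creates keeps the home system as part of the identity, so fred@somebbs and fred@xbbs stay distinct, and it contains no password at all, which is the "name & XXXX" placeholder Spectre mentions.

```python
import hmac
import secrets
import string
import time

VERIFICATION_URI = "https://idp.example/device"  # assumed address of the federated IdP


class FederatedIdP:
    """Simulated identity provider implementing the device authorization grant (RFC 8628)."""

    def __init__(self):
        # Constructed sample data: one federated identity whose PIN lives only at the IdP.
        self.users = {"fred@somebbs": {"pin": "1234", "nick": "fred", "realname": "Fred Bloggs"}}
        self.requests = {}  # device_code -> pending authorization

    def device_authorization(self, client_id):
        """Step 1: the BBS asks for a code pair. device_code stays with the BBS,
        user_code is what the user types into the authenticator app."""
        device_code = secrets.token_urlsafe(24)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(8))
        self.requests[device_code] = {"client_id": client_id, "user_code": user_code,
                                      "status": "pending", "sub": None,
                                      "expires": time.time() + 600}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "interval": 5}

    def approve(self, user_code, username, pin, allow=True):
        """Step 2, on the user's own device: log in to the IdP and approve (or deny)
        the code the BBS displayed. The BBS never sees these credentials."""
        req = next((r for r in self.requests.values() if r["user_code"] == user_code), None)
        if req is None or req["expires"] < time.time():
            raise ValueError("unknown or expired user code")
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["pin"], pin):
            raise ValueError("IdP login failed")
        req["status"] = "approved" if allow else "denied"
        req["sub"] = username if allow else None

    def poll(self, client_id, device_code):
        """Step 3: the BBS polls until the user has acted. Returns RFC 8628 style dicts."""
        req = self.requests.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if req["expires"] < time.time():
            self.requests.pop(device_code)
            return {"error": "expired_token"}
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        self.requests.pop(device_code)  # a device_code is consumed by the first final answer
        if req["status"] == "denied":
            return {"error": "access_denied"}
        user = self.users[req["sub"]]
        return {"access_token": secrets.token_urlsafe(32), "sub": req["sub"],
                "profile": {"nick": user["nick"], "realname": user["realname"]}}


class BBS:
    """A board with a federated login step bolted on. Its userbase holds no password."""

    def __init__(self, name, idp):
        self.name, self.idp = name, idp
        self.client_id = f"bbs:{name}"  # assumed: each board is registered with the IdP
        self.userbase = {}              # IdP sub -> local record
        self.screen = []                # what the caller's terminal would show

    def federated_login(self, user_acts):
        """user_acts(user_code) stands in for the human walking over to the authenticator
        app; the sequence of poll results is returned so it can be inspected."""
        grant = self.idp.device_authorization(self.client_id)
        self.screen.append(f"Open {grant['verification_uri']} on your phone or desktop "
                           f"and enter code {grant['user_code']}. Waiting...")
        results = [self.idp.poll(self.client_id, grant["device_code"])]  # too early: pending
        user_acts(grant["user_code"])
        results.append(self.idp.poll(self.client_id, grant["device_code"]))
        final = results[-1]
        if "access_token" not in final:
            self.screen.append(f"Login failed: {final['error']}")
            return results, None
        rec = self.userbase.setdefault(final["sub"], {
            "nick": final["profile"]["nick"], "realname": final["profile"]["realname"],
            "home": final["sub"].split("@", 1)[1]})
        self.screen.append(f"Welcome, {rec['nick']}@{rec['home']}")
        return results, rec


def demo(allow=True):
    """One caller logging in to xbbs with a somebbs identity; returns the board and result."""
    idp = FederatedIdP()
    board = BBS("xbbs", idp)
    return board, board.federated_login(
        lambda code: idp.approve(code, "fred@somebbs", "1234", allow=allow))
```

In a real deployment the poll loop sleeps for the interval the provider returns and gives up at expiry; it is collapsed to two calls here so the pending and final answers are both visible. The terminal only ever shows the short user code, so nothing the sysop of xbbs can log is a credential for somebbs.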
  • From poindexter FORTRAN@21:4/122 to Adept on Thursday, July 30, 2020 09:05:00
    Adept wrote to paulie420 <=-

    Maybe some day someone will come up with a cross-BBS login thing, like
    how various sites use Facebook/google/Github/whatever to login rather
    than requiring sign-up info.

    Center of Awareness did that for a while - it is(was) a Synchronet
    service that did real-time messaging (chat and message echoes) and at
    one point shared user databases, so you could login on any of the CoA
    BBSes with a common username/password.

    Some people panicked over the notion of sharing BBS info. I think the
    issue was with sysops whose board you don't log into having your login
    info, like we'd log in as a user and post untruths, or something.

    It was a cool idea, for a time.



    ... What context would look right?
    --- MultiMail/XT v0.52
    * Origin: realitycheckBBS.org -- information is power. (21:4/122)
  • From nristen@21:1/161 to Andre on Thursday, July 30, 2020 14:22:45
    Andre wrote to alterego <=-

    On 30 Jul 2020, alterego said the following...

    In BBSing world, I cant imagine how this could happen, since we use a terminal software, which by definition is a direct connection.

    The BBS software could make the backend connection to get/validate your credentials while you are logging on I guess...

    That's what I was initially thinking. But now that you mention it I
    can't think of a way to send the user over to authorize the request
    within the terminal, much less grab the token and give it back to the
    BBS.


    What about utilizing SQRL:
    https://www.grc.com/sqrl/sqrl.htm


    ... Bugs are sons of glitches
    ___ MultiMail/Linux v0.51

    --- Mystic BBS/QWK v1.12 A46 2020/03/07 (Linux/64)
    * Origin: The Search BBS bbs.theharrisclan.net 34123/2222 (21:1/161)
  • From Andre@21:3/117 to Arelor on Thursday, July 30, 2020 14:23:45
    On 30 Jul 2020, Arelor said the following...

    arelorhorses.com asks techgiant.com if this user has been authed with techgiant.com. techgiant.com verifies that the user has an account
    with them (say, via a password prompt or whatever) and tells arelorhorses.com "That's right, this user sold their soul to us,
    give him access as user DumbUser".

    That's not how the standards work though. You're building a connection between techgiant and arelorhorses that will persist in the future until it expires or is revoked. Because of that, the user is the one who carries both the burden of trust and the authorization token between the two sites. Techgiant doesn't want to blankly trust that arelorhorses is telling the truth.


    Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From echicken@21:1/164 to poindexter FORTRAN on Thursday, July 30, 2020 15:41:27
    Re: Re: Calling BBSs
    By: poindexter FORTRAN to Adept on Thu Jul 30 2020 09:05:00

    Center of Awareness did that for a while - it is(was) a Synchronet

    I would say "was". It still exists, but I can't be bothered to work on it right now. I'd have shut it down ages ago, but the other remaining founder always asks me not to.

    I'd like to redo it from scratch some day, but then I have a lot of things I'd like to do and not enough time or energy.

    service that did real-time messaging (chat and message echoes) and at
    one point shared user databases, so you could login on any of the CoA BBSes with a common username/password.

    I had wanted the shared user database to be an opt-in system and was pretty uncomfortable with it from early on. The counter-argument was "it's just a BBS thing and nobody cares".

    Some people panicked over the notion of sharing BBS info. I think the issue was with sysops whose board you don't log into having your login info, like we'd log in as a user and post untruths, or something.

    The shared-users thing died a quick death, because I wasn't the only one with reservations about it. I was pretty happy to see it go.

    There's merit in the idea, but it should be done properly, with some semblance of security and respect for privacy. Probably a bit easier to do today than ten years ago.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    * Origin: electronic chicken bbs - bbs.electronicchicken.com (21:1/164)
  • From Andre@21:3/117 to nristen on Thursday, July 30, 2020 16:03:35
    On 30 Jul 2020, nristen said the following...

    What about utilizing SQRL:
    https://www.grc.com/sqrl/sqrl.htm

    I wouldn't go anywhere near anything that guy pushes.

    http://attrition.org/errata/charlatan/steve_gibson/


    Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From poindexter FORTRAN@21:4/122 to echicken on Friday, July 31, 2020 08:08:00
    echicken wrote to poindexter FORTRAN <=-

    I'd like to redo it from scratch some day, but then I have a lot of
    things I'd like to do and not enough time or energy.

    It was a great proof of concept with what you could do when you threw
    out the "store-and-forward" mindset of other networks.

    I had wanted the shared user database to be an opt-in system and was pretty uncomfortable with it from early on. The counter-argument was
    "it's just a BBS thing and nobody cares".

    The shared-users thing died a quick death, because I wasn't the only
    one with reservations about it. I was pretty happy to see it go.

    I could understand the concerns, but it was nice being able to log on
    with a common set of credentials.

    There's merit in the idea, but it should be done properly, with some semblance of security and respect for privacy. Probably a bit easier to
    do today than ten years ago.

    I'd love to see version 2 some time.



    ... Distort time
    --- MultiMail/XT v0.52
    * Origin: realitycheckBBS.org -- information is power. (21:4/122)
  • From Ogg@21:4/106.21 to Arelor on Sunday, August 02, 2020 20:23:00
    Hello Arelor!

    ** On Thursday 30.07.20 - 06:02, Arelor wrote to Ogg:

    Maybe some day someone will come up with a cross-BBS login thing,
    like how various sites use Facebook/google/Github/whatever to
    login rather than requiring sign-up info.

    HOW do those systems work? [snip]

    I think most work like this:

    The user arrives at arelorhorses.com, and clicks on Authenticate Via Tech Giant.

    arelorhorses.com asks techgiant.com if this user has been authed with techgiant.com. techgiant.com verifies that the user has an account with them (say, via a password prompt or whatever) and tells arelorhorses.com "That's right, this user sold their soul to us, give him access as user DumbUser".

    But what is the tradeoff or benefit to arelorhorses.com to do this? Is
    there a payola model or promise to provide tracking info behind this?


    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Apam@21:1/183 to Ogg on Monday, August 03, 2020 18:32:00
    The user arrives at arelorhorses.com, and clicks on Authenticate Via
    Tech
    Giant.

    arelorhorses.com asks techgiant.com if this user has been authed with techgiant.com. techgiant.com verifies that the user has an account with them (say, via a password prompt or whatever) and tells arelorhorses.com "That's right, this user sold their soul to us, give him access as user DumbUser".

    But what is the tradeoff or benefit to arelorhorses.com to do this? Is there a payola model or promise to provide tracking info behind this?

    The idea is that users will sign in because they don't have to make yet another
    internet account with yet another password to remember. Also, arelorhorses.com don't have to store password data, so if they get hacked at least the hackers wont get your password.

    Of course if tech giant gets hacked, then you're stuffed.

    Andrew

    === TitanMail/linux v1.0.6
    --- SBBSecho 3.11-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (21:1/183)
  • From Arelor@21:2/138 to Ogg on Monday, August 03, 2020 07:26:05
    Re: Calling BBSs
    By: Ogg to Arelor on Sun Aug 02 2020 08:23 pm

    Hello Arelor!

    ** On Thursday 30.07.20 - 06:02, Arelor wrote to Ogg:

    Maybe some day someone will come up with a cross-BBS login thing,
    like how various sites use Facebook/google/Github/whatever to
    login rather than requiring sign-up info.

    HOW do those systems work? [snip]

    I think most work like this:

    The user arrives at arelorhorses.com, and clicks on Authenticate Via Tech Giant.

    arelorhorses.com asks techgiant.com if this user has been authed with techgiant.com. techgiant.com verifies that the user has an account with them (say, via a password prompt or whatever) and tells arelorhorses.com "That's right, this user sold their soul to us, give him access as user DumbUser".

    But what is the tradeoff or benefit to arelorhorses.com to do this? Is there a payola model or promise to provide tracking info behind this?

    The tradeoff is arelorhorses.com no longer has to store credential data directly. When you are a mass service catering to the dumb masses, emails from people telling you they forgot their password or their user name can really drag you down. You can outsource all that crap to a third party.

    Seriously, there are a lot of people advocating for 2FA in web services, but those people are usually not the people who have to reauth users after they break their second factor device. It brings such an administrative overhead. Some administrators actually bill you a fee if they have to restore your access too often, it is that bad.


    --
    gopher://gopher.operationalsecurity.es
    --- SBBSecho 3.11-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)
  • From alterego@21:2/116 to nristen on Monday, August 03, 2020 23:51:03
    Re: Re: Calling BBSs
    By: nristen to Andre on Thu Jul 30 2020 02:22 pm

    What about utilizing SQRL:
    https://www.grc.com/sqrl/sqrl.htm

    So I've been looking at this - I hadnt heard of it before.

    I have to say, I'm liking this concept of authentication and it would be great if it takes off. I'm thinking it solves a few problems - not just for the end user but also for the company where usernames/passwords are stored.

    I thought I might see if I can get it working with Synchronet - but I'm finding that the clients for it are just a bit too buggy for my liking (might be because I'm using a Mac). It's a shame really, it's probably just a little too immature.

    I've not heard of Steve Gibson before - but it seems he also has a strong negative following - haven't formed an opinion as to whether that is justified yet (not really my area of expertise).

    ...ëîåï

    ... Now and then an innocent man is sent to the legislature.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Warpslide@21:3/110 to alterego on Monday, August 03, 2020 10:38:13
    On 03 Aug 2020, alterego said the following...

    I've not heard of Steve Gibson before

    I follow his podcast Security Now. It focuses on computer & network security at a high level, mostly geared towards an end user's point of view.

    I also follow the risky.biz podcast which also focuses on computer & network security. I find this one is more geared to my profession & goes a little deeper than Security Now does.

    but it seems he also has a strong negative following - havent formed an opinion as to whether that is justified yet (not really my area of expertise).

    I've seen some of this feedback, and some of it is justified. In a recent episode of Security Now he went on a rant about some of the renaming of terms in the computer world, such as no longer using terms like whitelist/blacklist & master/slave:

    https://www.zdnet.com/article/linux-team-approves-new-terminology-bans-terms-like-blacklist-and-slave/

    https://9to5google.com/2020/06/12/google-android-chrome-blacklist-blocklist-more-inclusive/

    His Twitter followers promptly raked him over the coals for that.

    There does seem to be a smear campaign out there for some of the hosts on the Twit network, whether or not any or all of it is true is another question.

    Jay

    --- Mystic BBS v1.12 A46 2020/06/11 (Windows/32)
    * Origin: Northern Realms BBS | bbs.nrbbs.net | Binbrook, ON (21:3/110)
  • From nristen@21:1/161 to alterego on Monday, August 03, 2020 18:19:35
    What about utilizing SQRL:
    https://www.grc.com/sqrl/sqrl.htm

    I've not heard of Steve Gibson before - but it seems he also has a strong negative following - haven't formed an opinion as to whether that is justified yet (not really my area of expertise).


    I used to frequently listen to his Security Now podcast on Twit. I looked up some of the complaints and they look pretty dated although I can understand it can be hard to get a bad taste out of your mouth.

    I believe the SQRL is an ingenious solution no matter who came up with it.

    I really am an enthusiastic supporter of gpg encryption. The original author of pgp, Phil Zimmerman used to be a hero of mine until I met him in person. I do not care for him as a person however I won't let that get in the way of using a good tool.

    nristen (Karl Harris)

    --- Mystic BBS v1.12 A46 2020/03/07 (Linux/64)
    * Origin: The Search BBS bbs.theharrisclan.net 34123/2222 (21:1/161)
  • From Ogg@21:4/106.21 to nristen on Monday, August 03, 2020 21:34:00
    Hello nristen!

    ** On Monday 03.08.20 - 18:19, nristen wrote to alterego:

    I used to frequently listen to his Security Now podcast on Twit. I looked up some of the complaints and they look pretty dated although I can understand it can be hard to get a bad taste out of your mouth.

    I looked up some of the complaints too. Much ado about nothing.

    I latched on to the podcast pretty much at its inception. Over time, the shows started to get pretty long though and I could not keep up with every single one if I missed a few weeks. Now, I glance at the brief descriptive header, and if there is something that catches my interest, I'll cue it up and lay back in bed just before sleep.


    I believe the SQRL is an ingenious solution no matter who came up with it.

    Moi aussi.


    I really am an enthusiastic supporter of gpg encryption. The original author of pgp, Phil Zimmerman used to be a hero of mine until I met him in person. I do not care for him as a person however I won't let that get in the way of using a good tool.

    What happened? Maybe there was something wrong with you! LOL.

    I did not realize he was still around.

    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Arelor@21:2/138 to Ogg on Tuesday, August 04, 2020 07:12:05
    Re: Calling BBSs
    By: Ogg to nristen on Mon Aug 03 2020 09:34 pm

    I did not realize he was still around.

    Mr. PGP guy is still around and actually deploying for-profit projects. I don't think any of those is being particularly successful.

    The Blackphone looked cool in theory, but in the end it was Android without Google, with some secure coms tools bolted on which required expensive subscriptions. I think Copperhead looked like a superior competitor on paper, and their support model sorta sucked.

    --
    gopher://gopher.operationalsecurity.es
    --- SBBSecho 3.11-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)
  • From nristen@21:1/161 to Ogg on Tuesday, August 04, 2020 12:47:01
    Ogg wrote to nristen <=-

    I really am an enthusiastic supporter of gpg encryption. The original author of pgp, Phil Zimmerman used to be a hero of mine until I met him in person. I do not care for him as a person however I won't let that get in the way of using a good tool.

    What happened? Maybe there was something wrong with you! LOL.

    I did not realize he was still around.

    It was a couple years ago when I ran into Phil Zimmerman at a conference where he was pushing his latest venture, Silent Circle.

    ...and I admit there is a lot wrong with me. I just don't enjoy being in the company of very pushy sales people for very long. Phil's talk, while supposed to be focused on security, turned out to just be a big sales pitch.

    ... Press CTRL-ALT-INS-DEL-PGDN-PGUP-END-HOME-SHIFT-PAUSE to continue...
    ___ MultiMail/Linux v0.51

    --- Mystic BBS/QWK v1.12 A46 2020/03/07 (Linux/64)
    * Origin: The Search BBS bbs.theharrisclan.net 34123/2222 (21:1/161)
  • From Adept@21:2/108 to Ogg on Tuesday, August 04, 2020 20:53:21
    I looked up some of the complaints too. Much ado about nothing.

    I haven't followed Steve Gibson in years, but I think the most damning complaint I heard about his work was that SpinRite might get you some data back, but it'll do it in such a way that'll hasten the demise of the drive.

    But I don't know if people even _use_ SpinRite at this point.

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: Storm BBS (21:2/108)
  • From Andre@21:3/117 to Adept on Tuesday, August 04, 2020 16:20:58
    On 04 Aug 2020, Adept said the following...

    But I don't know if people even _use_ SpinRite at this point.

    Yeah, that's the biggest red flag that I see. I'm in the InfoSec industry, and literally zero of the well-respected researchers, penetration testers, or leaders pay any attention to him. That's pretty damning to me.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From alterego@21:2/116 to Andre on Wednesday, August 05, 2020 08:40:12
    Re: Re: Calling BBSs
    By: Andre to Adept on Tue Aug 04 2020 04:20 pm

    Yeah, that's the biggest red flag that I see. I'm in the InfoSec industry, and literally zero of the well-respected researchers, penetration testers, or leaders pay any attention to him. That's pretty damning to me.

    I'm not in that industry, but I'm curious - what's the view of his SQRL by the InfoSec industry?

    From what I've read it has a heap of pluses, and my only negative so far is the
    lack of adoption (so the software that is available is buggy).


    ... Database administrators do it with their relations
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Ogg@21:4/106.21 to Andre on Tuesday, August 04, 2020 20:46:00
    Hello Andre!

    ** On Tuesday 04.08.20 - 16:20, Andre wrote to Adept:

    But I don't know if people even _use_ SpinRite at this point.

    Yeah, that's the biggest red flag that I see. I'm in the InfoSec
    industry, and literally zero of the well-respected researchers,
    penetration testers, or leaders pay any attention to him. That's
    pretty damning to me.

    The SpinRite testimonials sound genuine and compelling. I have been
    poised to give SpinRite a try on a failed BBS hdd that was operating with OS/2 about twenty years ago. There are some email files I'd love to
    recover. If the hdd could be revitalized long enough so that I could
    at least move the data to another drive, I'd be happy.

    Steve was the first to discover that Sony was including a rootkit on some audio CDs that installed on people's PCs when people accessed the
    multimedia features of the CD. He was very thorough in his evidence and technical knowledge.

    For the most part, he seems to be a very private guy and doesn't engage in big-shot conventions, sales galas, or news interviews to push his
    expertise or products. It's hard to pay attention to someone like that.


    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Andre@21:3/117 to alterego on Tuesday, August 04, 2020 21:31:04
    On 05 Aug 2020, alterego said the following...

    I'm not in that industry, but I'm curious - what's the view of his SQRL
    by the InfoSec industry?

    There isn't a view of it in the industry. I've never heard of it, and I can't find anyone who's even commented on it. When I look at it, there are so many flaws with it that it's not worth writing a novel about. Too hard for end
    users to use, too easy to MITM and/or fabricate QR codes, requires end users
    to make sure the domain is the right one (which we exploit in phishing all
    the time), and so on.

    This guy doesn't seem to exist within any of the groups that actually do anything. I saw a blog comment that sums it up nicely: "No one uses SQRL, and no one wants to."

    It adds nothing over existing MFA, and actually is much worse. I don't even know anyone that takes Gibson or Security Now seriously. He's just not a respected individual.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From Andre@21:3/117 to Ogg on Tuesday, August 04, 2020 21:37:51
    On 04 Aug 2020, Ogg said the following...

    For the most part, he seems to be a very private guy and doesn't engage
    in big-shot conventions, sales galas, or news interviews to push his expertise or products. It's hard to pay attention to someone like that.

    There are plenty of people like that. I've often remarked publicly that the loudest people are usually attention whores more than knowledgeable. But this guy isn't just quiet... He's nonexistent in the community.

    Steve was the first to discover that Sony was including a rootkit on some audio CDs that installed on people's PCs when people accessed the multimedia features of the CD. He was very thorough in his evidence and technical knowledge.

    Discovering something twenty years ago doesn't make someone knowledgeable on
    all aspects of security, much less any current aspects of it. Steve seems way out of his element with MFA. We beat the snot out of current methods of MFA that are way more advanced... SQRL wouldn't last a day under a
    directed attack.

    I realize that people won't take my word for it. I guess I'm not really
    trying to convince anyone. I'm just saying that it should strike people as
    odd that (1) no one uses SQRL, (2) no one of any reputation has written about SQRL, and (3) he doesn't seem to have anyone of any reputation following
    his social media accounts.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From alterego@21:2/116 to Andre on Wednesday, August 05, 2020 12:55:49
    Re: Re: Calling BBSs
    By: Andre to alterego on Tue Aug 04 2020 09:31 pm

    can't find anyone who's even commented on it. When I look at it, there are so many flaws with it that it's not worth writing a novel about. Too hard for end users to use, too easy to MITM and/or fabricate QR codes, requires end users to make sure the domain is the right one (which we exploit in phishing all the time), and so on.

    I'm interested to understand those flaws a little better. I will admit that I can't imagine any, and I'm pretty impressed so far by what I've read. How is it flawed? (Regretting being dissuaded from what I thought was a cool innovation.)

    I agree with the "end users to use" comment - actually I think it "could" be so easy for end users to use, but the lack of great clients (and I've tried a few) makes it difficult and problematic. (And I consider myself an advanced user - and if it's difficult for me, I don't want to be the one helping regular users with that difficulty :) If one of the password managers picked it up, it would make it so much easier for users.

    The MITM comment - the videos I've been watching of Steve I thought addressed this - I'm keen to know how it can be exploited?

    Also on the fabricated QR codes - how can that be exploited? The QR code is essentially a URL, and sure, while something might generate a fake QR code (ie: a fake URL) - and even let's say that results in a positive identification - I thought that ID was useless to anything but the site that validated the authentication (ie: the site in the URL)? And the ID cannot be attributed back to any specific person nor their details, since it is just returning a public key?

    (I will admit, I'm surprised it hasn't had greater adoption - but then you might
    enlighten me... :)


    ... All things being equal, a fat person uses more soap than a thin person.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Adept@21:2/108 to Andre on Wednesday, August 05, 2020 04:32:09
    even know anyone that takes Gibson or Security Now seriously. He's just not a respected individual.

    Is Bruce Schneier still a respected individual in the community? I think
    that's the only security person that I follow remotely regularly.

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: Storm BBS (21:2/108)
  • From Andre@21:3/117 to Adept on Wednesday, August 05, 2020 06:22:45
    On 05 Aug 2020, Adept said the following...

    Is Bruce Schneier still a respected individual in the community? I think that's the only security person that I follow remotely regularly.

    Yeah. He'd be a good example of someone who's mostly not a major part of the conference community but still respected. I think most people are ambivalent about him as he doesn't have anything groundbreaking to say for the professionals, but puts out good information to the masses.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From Andre@21:3/117 to alterego on Wednesday, August 05, 2020 06:36:02
    On 05 Aug 2020, alterego said the following...

    I'm interested to understand those flaws a little better. I will admit

    The MITM comment - the videos I've been watching of Steve I thought addressed this - I'm keen to know how it can be exploited?

    (I will admit, I'm surprised it hasnt had greater adoption - but then
    you might enlighten me... :)

    The whole system is just so out of touch with how end users actually operate, and there are so many issues from just my cursory glances, that it'd take forever to pick them all apart. I've seen some websites/blogs that try, and
    do okay with the simpler bits.

    But one massive example is on the https://www.grc.com/sqrl/phishing.htm page under Cross-Device SQRL Authentication.

    It's written like a known-bugs comment. The problem is that method makes up the majority of how MFA is currently done. You use a second device, usually a phone, to authenticate the first device, usually a laptop. So a simple
    password spamming attack to find valid accounts, then pummel the hell out of those working accounts so that users get endless MFA requests until they get annoyed enough to just say, "fine, I approve" on the phone. SQRL in that case would be sending it to the actual website directly, and the attacker is authenticated.

    It's a real-world attack that works. We do it all the time.

    The point I'm trying to make is not that the attack is unique to SQRL. Any
    push notification with only an approve/deny versus a challenge ("match the number displayed on the website") has this problem. The point I'm making is that this is well-known in the InfoSec industry and Steve Gibson seems
    unaware of it.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From Warpslide@21:3/110 to Andre on Wednesday, August 05, 2020 19:04:55
    Andre wrote to alterego <=-

    On 05 Aug 2020, alterego said the following...

    It's written like a known-bugs comment. The problem is that method
    makes up the majority of how MFA is currently done. You use a second device, usually a phone, to authenticate the first device, usually a laptop. So a simple password spamming attack to find valid accounts,
    then pummel the hell out of those working accounts so that users get endless MFA requests until they get annoyed enough to just say, "fine,
    I approve" on the phone. SQRL in that case would be sending it to the actual website directly, and the attacker is authenticated.

    It's a real-world attack that works. We do it all the time.

    SQRL doesn't work anything like Microsoft Authenticator or Duo, the apps don't do push
    notifications at all.

    The browser plug-in only springs to life if you click a sqrl:// URL. Even then the plug-in would communicate directly with the back-end of the authenticating server,
    giving it nothing more than the nonce received from the QR Code or URL signed with
    an HMAC of your master private key combined with the domain name (creating a unique
    per-site public/private key pair) of the site you're logging in to.

    The phone app works in a similar way, it doesn't do push notifications. A user knows they want to log into a website, they go to the logon page to get a generated
    QR code, the user then has to open the app on their phone, point their camera at
    the QR code and they're logged in using the method described above.

    How exactly would you flood a user with requests in this scenario?

    Jay

    ... On the other hand, you have different fingers.
    ___ MultiMail/Mac v0.52

    --- Mystic BBS/QWK v1.12 A46 2020/06/11 (Windows/32)
    * Origin: Northern Realms BBS | bbs.nrbbs.net | Binbrook, ON (21:3/110)
  • From alterego@21:2/116 to Andre on Thursday, August 06, 2020 09:10:27
    Re: Re: Calling BBSs
    By: Andre to alterego on Wed Aug 05 2020 06:36 am

    The whole system is just so out of touch with how end users actually operate, and there are so many issues from just my cursory glances, that it'd take forever to pick them all apart. I've seen some websites/blogs that try, and do okay with the simpler bits.

    I would really like to understand them. I'm going down the path that I think SQRL is a plus, and I'm really after solid information to let me know that is a
    wrong decision. (I plan on implementing it in things I do - I'd hate that to be
    a big mistake.)

    From what I've read, I do think it's an improvement in authentication security -
    the key word here is improvement. I have read/heard statements from Steve that
    it is not a replacement for security (although he does leave a sentiment that it almost is one), and the cross device scenario that you described he does too. (And it seems it would be perfectly appropriate to add 2FA to a SQRL login
    process - to complete the "something you know" and "something you have" best practice for authenticating.)

    simple password spamming attack to find valid accounts, then pummel the hell out of those working accounts so that users get endless MFA requests until they get annoyed enough to just say, "fine, I approve" on the phone. SQRL in that case would be sending it to the actual website directly, and the attacker is authenticated.

    It's a real-world attack that works. We do it all the time.

    The point I'm trying to make is not that the attack is unique to SQRL. Any

    So would it be fair to say that SQRL doesn't increase the chance of this type of activity succeeding? - and I'm coming to this conclusion because of comments
    on the phishing page (that make sense to me) - that it changes the profile of the wannabe attacker and forces them into an active attack.

    My read on an "active" attack, is that they need to complete their intended compromise at the same time the user logs in (and before the login session expires) - since they do not get a username/password combo that they can use "later". This is one of the primary reasons I'm liking SQRL - and I can further
    reduce this from occurring by forcing 2FA for important actions performed while logged in (where that 2FA confirms the action that the token enables).

    I'm also liking the fact that I can "give you" my access database, but it has nothing you can use. (Which would mean, if I do read up on the Marriott hotels being compromised again, as an end user I don't have to worry. :)


    ... One good turn gets most of the blanket.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
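    Warpslide's description above of how SQRL derives a per-site key (an HMAC of the master key over the domain name, then a signature over the site's nonce) and alterego's point that a leaked SQRL "access database" has nothing reusable in it, as an added example written for this thread in Go; it is not code from the thread, from GRC, or from any SQRL client or server. The domain names, the master key, the nonce and the shape of the signed challenge (domain plus nonce) are constructed assumptions, not the real SQRL wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// siteSeed derives a per-site Ed25519 seed as Warpslide describes: HMAC-SHA256
// keyed with the identity master key, over the domain name. The 32-byte output
// is exactly ed25519.SeedSize, so it can be used directly as a key seed.
func siteSeed(masterKey []byte, domain string) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	return mac.Sum(nil)
}

// sitePrivateKey is the client's per-site signing key; it never leaves the client.
func sitePrivateKey(masterKey []byte, domain string) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(siteSeed(masterKey, domain))
}

// SitePublicKey is the only thing a site ever learns about the user: the value
// stored in its user table at registration. It is deterministic, which is why the
// same identity shows up with the same user ID on every login to that site.
func SitePublicKey(masterKey []byte, domain string) ed25519.PublicKey {
	return sitePrivateKey(masterKey, domain).Public().(ed25519.PublicKey)
}

// challenge is the message the client signs. Binding the domain into the signed
// bytes is an assumption of this example (the real client/server strings are
// richer); with it, a signature made for one site cannot be replayed to another.
func challenge(domain string, nonce []byte) []byte {
	return append([]byte(domain+"\n"), nonce...)
}

// SignChallenge is the client side: sign the site's nonce with the per-site key.
func SignChallenge(masterKey []byte, domain string, nonce []byte) []byte {
	return ed25519.Sign(sitePrivateKey(masterKey, domain), challenge(domain, nonce))
}

// VerifyLogin is the server side: check the signature against the public key
// stored at registration and the nonce this server issued for this login.
func VerifyLogin(storedPub ed25519.PublicKey, domain string, nonce, sig []byte) bool {
	return ed25519.Verify(storedPub, challenge(domain, nonce), sig)
}

// NewNonce produces the random, single-use value a site embeds in its QR code or
// sqrl:// URL; it must be generated fresh per login attempt and expire quickly.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

func main() {
	// Constructed demo values. A real client generates the master key at random
	// and keeps it encrypted on the device.
	masterKey := []byte("constructed-demo-master-key-32by")
	const site, otherSite = "bbs.example", "other.example"

	// Registration: the site records only the per-site public key.
	stored := SitePublicKey(masterKey, site)
	fmt.Println("stored at", site+":", hex.EncodeToString(stored))

	// Login: the site issues a nonce, the client signs it, the site verifies.
	nonce, err := NewNonce()
	if err != nil {
		panic(err)
	}
	sig := SignChallenge(masterKey, site, nonce)
	fmt.Println("login verifies:", VerifyLogin(stored, site, nonce, sig))

	// A leaked user table gives an attacker nothing reusable elsewhere: the key
	// for another site is unrelated, and a public key cannot produce signatures.
	fmt.Println("same key at other site:",
		bytes.Equal(SitePublicKey(masterKey, otherSite), stored))

	// A signature made for a different domain (a look-alike site, say) does not
	// verify here, and a signature over a stale nonce does not verify either.
	foreign := SignChallenge(masterKey, otherSite, nonce)
	fmt.Println("foreign-domain sig accepted:", VerifyLogin(stored, site, nonce, foreign))
	fmt.Println("stale nonce accepted:", VerifyLogin(stored, site, []byte("stale"), sig))
}
```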
  • From Andre@21:3/117 to Warpslide on Wednesday, August 05, 2020 22:09:51
    On 05 Aug 2020, Warpslide said the following...

    SQRL doesn't work anything like Microsoft Authenticator or Duo, the apps don't do push
    notifications at all.

    No, I wasn't saying it was, but I can see how my analogy would make it look that way. My point wasn't about how you deliver the fake QR code, just that it's possible to serve up codes to enough people that by sheer numbers
    someone is going to approve it. Directed attacks are rarely against a person, but against an organization. We just need some schmuck to give us a foot in
    the door, not any specific schmuck.

    The browser plug-in only springs to life if you click a sqrl:// URL.

    Browser plug-in? That's a nonstarter. We're in PGP world of difficulty now. This isn't feasible for organizations to roll out or for consumers to use.
    It's too difficult.

    A user knows they want to log into a website, they go to the logon page
    to get a generated QR code, the user then has to open the app on their phone, point their camera at
    the QR code and they're logged in using the method described above.

    This is Walmart Pay vs Apple Pay. One is a single step. The other is multi-step. It's clear which one has been winning.


    Your points are all valid. But my point is simply that this isn't any more secure than existing methods, and in some cases worse, and that it's
    massively harder to deploy and use. It's just out of touch and isn't going to see adoption.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From alterego@21:2/116 to Andre on Thursday, August 06, 2020 13:47:12
    Re: Re: Calling BBSs
    By: Andre to Warpslide on Wed Aug 05 2020 10:09 pm

    No, I wasn't saying it was, but I can see how my analogy would make it look that way. My point wasn't about how you deliver the fake QR code, just that it's possible to serve up codes to enough people that by sheer numbers someone is going to approve it. Directed attacks are rarely

    Something isn't adding up for me.

    The QR Code on its own is for all intesive purposes useless, unless it has started the "auth process".

    So if "x" number of people captured the same QR code that I'm using to login to
    a site - it won't generate an "approve this" alert to me. Even if the QR Code was the start of a cycle that generated an "ask message" - I don't get asked that message until I have successfully completed the authorisation cycle - so the "x" people wouldn't even get through that to generate that "approve this" message intended for me.

    Or did you mean something else?

    Browser plug-in? That's a nonstarter. We're in PGP world of difficulty now. This isn't feasible for organizations to roll out or for consumers to use. It's too difficult.

    I'm not sure I agree with you on this point. Yes, it's a little "more" setup than normal - and since it is (for all intensive purposes) a one time activity that I might forget how to do it - I don't think it is that difficult.

    A desktop client (albeit SQRL's or if a password manager adopts it) - wouldn't be that much more difficult - and app design can make that simpler. (I use 1Password, and it is similar to setting up an OTP configuration for a site.)

    Your points are all valid. But my point is simply that this isn't any more secure than existing methods, and in some cases worse, and that it's

    It's this point that I am trying to understand better. At the moment, I don't think I agree with you. Heck, I'm no security guy, but I do SSL stuff, PGP stuff, and I would put how auth is being done by SQRL in the same bucket. What am I missing?


    ... I've always been a bit maturer that what I am.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From alterego@21:2/116 to Andre on Thursday, August 06, 2020 13:50:23
    Re: Re: Calling BBSs
    By: alterego to Andre on Thu Aug 06 2020 01:47 pm

    The QR Code on its own is for all intesive purposes useless, unless it has started the "auth process".

    Dang, don't you hate it when fingers have a mind of their own! It should read "all intensive purposes useless..."


    ... I'm at that age now where just putting my cigar in its holder is a thrill.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Andre@21:3/117 to alterego on Thursday, August 06, 2020 08:37:39
    On 06 Aug 2020, alterego said the following...

    So if "x" number of people captured the same QR code that I'm using to login to a site - it won't generate an "approve this" alert to me. Even
    if the QR Code was the start of a cycle that generated an "ask message" -
    I don't get asked that message until I have successfully completed the authorisation cycle - so the "x" people wouldn't even get through that
    to generate that "approve this" message intended for me.

    Why can't the attacker, who already has your valid user/pass start the process of requesting the QR code and deliver it to you to approve?

    I'm not sure I agree with you on this point. Yes, it's a little "more" setup than normal - and since it is (for all intensive purposes) a one time activity that I might forget how to do it - I don't think it is that difficult.

    We aren't going to be able to come to terms on this point. I no longer do red team work or manage red teams. I currently do data analysis on end-user
    tickets and help IT Directors and CISOs reduce those tickets. Password/MFA token resets and unlocks for infrequently used systems by far make up the majority of tickets. People are busy with their actual job, and a complex auth system would cause massive unrest in the org and probably start my VP down the path
    of getting fired.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From alterego@21:2/116 to Andre on Friday, August 07, 2020 00:58:17
    Re: Re: Calling BBSs
    By: Andre to alterego on Thu Aug 06 2020 08:37 am

    Why can't the attacker, who already has your valid user/pass start the process of requesting the QR code and deliver it to you to approve?

    This doesn't make sense to me...

    If the attacker has my user/password, then they are already in. (The intention of SQRL is that user/password details are revoked - and the web application developer *should* honor that (if they don't it's not a flaw of SQRL - which is what I'm probing to find out)).

    Now if the user/password was used to get in, but let's say the hacker was transferring funds which resulted in a QR code generated to approve it - as you
    say, and somehow, you got that QR code to my browser - while I was on the site,
    within the time limit of the nonce (default 5 mins), and the resulting "ask message" (since that's what it would be) displayed "do you approve the transfer
    of $x to "Y") - I should be suspicious right? But then again I think this is a design flaw of the website authorising a user/password combination in the first
    place if other functions required SQRL auth.

    I don't see a scenario where a 3rd party can exploit my SQRL auth...

    Password/MFAtoken resets and unlocks for infrequently used systems by far makes up the majority of tickets. People are busy with their actual job,

    So this is an interesting point, that I think SQRL does reduce. These resets occur because folks "lost" their token, or forgot the password, right?

    If 2FA was still used (which is perfectly viable) - then this isn't an SQRL flaw. (ie: if the user still lost their token, the problem hasn't really changed).

    If 2FA was no longer required, and only SQRL was used, then the only scenario here is that the user "lost" their SQRL identity and didn't take precautions to protect it. But it's not an issue - because if they create a new digital identity, then it's just a normal new "registration" process - and the old identity would never be seen again. And these days even banks (well, over my neck of the woods anyway) do end user registration without speaking to a helpdesk.


    ... I can remember when a liberal was one who was generous with his own money.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From alterego@21:2/116 to nristen on Monday, August 17, 2020 10:04:37
    Re: Re: Calling BBSs
    By: nristen to Andre on Thu Jul 30 2020 02:22 pm

    Howdy,

    What about utilizing SQRL:
    https://www.grc.com/sqrl/sqrl.htm

    So you may have seen me post about SQRL of late - and I'm thinking it's a pretty
    innovative tool.

    This thread started with having an ease of use experience of logging into (in this case) BBSes without having to remember "another" password.

    Well, I rewrote an SQRL backend (just to learn it in more detail) - it's in PHP and I built it to run with LUMEN.

    I then added SQRL to Synchronet - so yes, it polls the backend, gets an SQRL link and then converts that into a QR code which is rendered in the terminal.

    And I've tested it with my iPhone SQRL app, and it works! (The authentication completes and I have a user ID, that is indeed consistent each time it authorizes.) No passwords! I just have to write the last part which *actually* logs you into the BBS - which hopefully won't take long at all now.

    So while I did this for my ANSItex project that I'm working on, I even did it for my Viewdata/Videotex server as well. It's pretty cool seeing an old viewdata
    interface (from the 1980s and even earlier) present a QR code and, after scanning it, proceed to authenticate!

    (In fact the Videotex rendering looks better (IMHO) than the ANSI because of the 2x3 pixel rendering of Viewdata).

    If you are curious to try, you're welcome to - ANSItex is alterant.leenooks.net port 24, Videotex is on port 516 (and if you don't have a Videotex client, you can login using the webUI on my website). Let me know if it works or not...

    (Might need to give it a few days - while the SQRL completes, I haven't actually
    written the "login to SBBS" bit yet :)


    ... The one charm of marriage is that it makes a life of deception a necessity
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Ogg@21:4/106.21 to Arelor on Sunday, August 16, 2020 22:18:00
    Hello Arelor!

    ** On Monday 03.08.20 - 07:26, Arelor wrote to Ogg:

    A>>> arelorhorses.com asks techgiant.com if this user has been authed
    A>>> with techgiant.com. techgiant.com verifies that the user has an
    A>>> account with them (say, via a password prompt or whatever) and
    A>>> tells arelorhorses.com "That's right, this user sold their soul to
    A>>> us, give him access as user DumbUser".

    O>> But what is the tradeoff or benefit to arelorhorses.com to do this?
    O>> Is there a payola model or promise to provide tracking info behind
    O>> this?

    The tradeoff is arelorhorses.com no longer has to store credential
    data directly. When you are a mass service catering to the dumb
    masses, emails from people telling you they forgot their password or
    their user name can really drag you down. You can outsource all that
    crap to a third party.

    But there must be a monetary or meta-data tradeoff in the arrangement.

    Meanwhile that 3rd party can be vulnerable and its precious hoard of
    hashes would be like gold to the hackers, no?

    I remember participating in the "Login with Google/Facebook" options for a few places thinking "oh wow.. how easy and convenient! no new passwords to create and remember!" Now I regret it. I don't remember what sites had that, but they were temporary and unimportant places


    Seriously, there are a lot of people advocating for 2FA in web
    services, but those people are usually not the people who have to reauth
    users after they break their second factor device. It brings such an administrative overhead. Some administrators actually bill you a fee
    if they have to restore your access too often, it is that bad.

    One of the recent Krebs on Security posts (https://krebsonsecurity.com/) stresses the importance of 2FA for all of us. "If we don't do it for us, somebody else will."

    One of my credit card companies forces 2FA once a month or so. Thankfully, their system allows for several choices: [1] phone # A, [2] phone # B, or
    [3] a text. And each choice is given as an option every time; choices [1] [2] or [3] are not configured and locked in.

    My [1] and [2] point to my landlines. I don't use [3]



    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Ogg@21:4/106.21 to Apam on Sunday, August 16, 2020 22:28:00
    Hello Apam!

    ** On Monday 03.08.20 - 18:32, Apam wrote to Ogg:

    The idea is that users will sign in because they don't have to make
    yet another internet account with yet another password to remember.
    Also, arelorhorses.com doesn't have to store password data, so if they
    get hacked at least the hackers won't get your password.

    Of course if tech giant gets hacked, then you're stuffed.

    It is disgusting how easily many sites get hacked for their stash of user login credentials.

    The whole idea of username + password stems from the days of terminals. Leaving the responsibility of protecting our credentials server-side has proven to be a very weak thing.

    I always wondered why there isn't something like a PGP private/public key thing for a login process. SQRL mentioned earlier is along those lines.


    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Adept@21:2/108 to Ogg on Monday, August 17, 2020 18:34:01
    I remember participating in the "Login with Google/Facebook" options for a few places thinking "oh wow.. how easy and convenient! no new passwords to create and remember!" Now I regret it. I don't remember what sites had that, but they were temporary and unimportant places

    That really is one of the worst features about that -- there's some amount of sites where I can't find a username/password for it, and I wonder if I used Google/Facebook to login previously. But I don't really know.

    I suppose I could just keep a doc of such things, but just keeping track of another username/password combo seems pretty much as easy, and makes it one fewer single-point-of-failure.

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: Storm BBS (21:2/108)
  • From Adept@21:2/108 to Ogg on Monday, August 17, 2020 18:35:50
    I always wondered why isn't there something like a PGP private/public
    key thing for a login process. SQRL mentioned earlier is along those lines.

    I assumed it's the balance between convenience and security. And, "no one
    uses it" is a significantly bigger problem than, "and all your users data
    gets released from time to time."

    Well, significantly bigger problem for a company.

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: Storm BBS (21:2/108)
  • From alterego@21:2/116 to All on Tuesday, August 18, 2020 23:13:43
    Re: Re: Calling BBSs
    By: alterego to nristen on Mon Aug 17 2020 10:04 am

    Howdy,

    (Might need to give it a few days - while the SQRL completes, I haven't actually written the "login to SBBS" bit yet :)

    So I've got it working.

    It's pretty cool logging into the BBS by using the app on my phone! Call it a fusion of 1980 and 2020 :)

    If you want to give it a try, please do, I'd be keen to see if I need to make some improvements. (I have some planned...)

    alterant.leenooks.net:24 for ANSItex, or if you have a viewdata terminal, port 516 (not much on the viewdata side yet though...)


    ... Spring is God's way of saying, One more time!
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Ogg@21:4/106.21 to alterego on Tuesday, August 18, 2020 18:50:00
    Hello alterego!

    ** On Tuesday 18.08.20 - 23:13, alterego wrote to All:

    (Might need to give it a few days - while the SQRL completes, I haven't
    actually written the "login to SBBS" bit yet :)

    So I've got it working.

    That was pretty fast. Congratulations. I'd give it a go, but I don't
    have a phone to work it with.

    I thought SQRL had a non-phone option too.


    It's pretty cool logging into the BBS by using the app on my phone! Call it a fusion of 1980 and 2020 :)

    Absolutely! Why not produce a short YT video of the process.



    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From alterego@21:2/116 to Ogg on Thursday, August 20, 2020 20:50:31
    Re: Calling BBSs
    By: Ogg to alterego on Tue Aug 18 2020 06:50 pm

    Hey Ogg,

    I thought SQRL had a non-phone option too.

    Yeah it does - there are browser extensions for SQRL - but they work by responding to OS sqrl:// links (normally on webpages).

    There is also a Windows client created with Mono - and since it's Mono, I've tried it on the Mac without much success.. :(

    With a BBS - inside a terminal, I'm not sure there is a way to intercept the sqrl:// URL?

    Absolutely! Why not produce a short YT video of the process.

    I posted something in the Synchronet Facebook page...


    ... Martyrdom is the only way a person can become famous without ability.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Ogg@21:4/106.21 to alterego on Sunday, August 23, 2020 11:50:00
    Hello alterego!

    ** On Thursday 20.08.20 - 20:50, alterego wrote to Ogg:

    I thought SQRL had a non-phone option too.

    Yeah it does - there are browser extensions for SQRL - but they work by responding to OS sqrl:// links (normally on webpages).

    I suppose that method can be a spoofing vulnerability?


    I posted something in the Synchronet Facebook page...

    Very good! (I had to tune out the sound though..) ;)

    It's kinda magical how the phone can log you in. I'm missing how
    that actually works.

    You should send out a heads up to Gibson. I think he would be
    tickled to see an implementation of (20th century) SQRL with
    (19th century) BBS technology.


    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From alterego@21:2/116 to Ogg on Monday, August 24, 2020 07:42:49
    Re: Calling BBSs
    By: Ogg to alterego on Sun Aug 23 2020 11:50 am

    Hey Ogg,

    Yeah it does - there are browser extensions for SQRL - but they
    work by responding to OS sqrl:// links (normally on webpages).
    I suppose that method can be a spoofing vulnerability?

    I don't believe so - can you explain more?

    It's kinda magical how the phone can log you in. I'm missing how
    that actually works.
    You should send out a heads up to Gibson. I think he would be
    tickled to see an implementation of (20th century) SQRL with
    (19th century) BBS technology.

    Yeah, I think it's pretty cool (or should I say kewl?)

    I've actually implemented it, and made a video with it working on Videotex. Now that is totally weird. A 1980s technology where "smart" phones were probably only an imagination, and I'm not sure that cryptography, let alone using it for
    identification, existed...

    ... Help fight continental drift.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Warpslide@21:3/110 to Ogg on Sunday, August 23, 2020 17:55:58
    On 23 Aug 2020, Ogg said the following...

    Yeah it does - there are browser extensions for SQRL - but they work by responding to OS sqrl:// links (normally on webpages).

    I suppose that method can be a spoofing vulnerability?

    I suppose if you downloaded a malicious "sqrl" client that took over as the sqrl:// handler & leaked your private key after you unlock it, that could be one method of attack.

    But at that point you already have something malicious running on your
    machine, so they could do much worse things than spoof your sqrl client.

    Your private key is encrypted at rest so I'd imagine a drive-by attack would
    be more difficult.

    You should send out a heads up to Gibson. I think he would be
    tickled to see an implementation of (20th century) SQRL with
    (19th century) BBS technology.

    You'd HAVE to imagine Steve was a BBS user back in the day. With his reluctance to move to new technology I'm actually a bit surprised he's
    never mentioned BBSes on the show.

    Jay

    --- Mystic BBS v1.12 A46 2020/08/11 (Windows/32)
    * Origin: Northern Realms BBS | bbs.nrbbs.net | Binbrook, ON (21:3/110)
  • From Ogg@21:4/106.21 to Warpslide on Sunday, August 23, 2020 20:27:00
    Hello Warpslide!

    ** On Sunday 23.08.20 - 17:55, Warpslide wrote to Ogg:

    I suppose that method can be a spoofing vulnerability?

    I suppose if you downloaded a malicious "sqrl" client that
    took over as the sqrl:// handler & leaked your private key
    after you unlock it, that could be one method of attack.

    If sqrl:// is resolved by the client (your device) then my
    concern is moot.


    You should send out a heads up to Gibson. I think he
    would be tickled to see an implementation of (20th
    century) SQRL with (19th century) BBS technology.

    You'd HAVE to imagine Steve was a BBS user back in the day.
    With his reluctance to moving to new technology I'm
    actually a bit surprised he's never mentioned BBSes on the
    show.

    The show has always been about security, so I doubt there would
    be room or interest for discussion of BBSes. But they have had
    segments to discuss a favourite book or movie. Nevertheless,
    up until about 3 years ago, Steve boasted about being perfectly
    happy with his XP pc and not concerned about all the hype about
    it being vulnerable. He has since retired the XP pc; I don't
    recall the reason why.

    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Ogg@21:4/106.21 to alterego on Sunday, August 23, 2020 20:43:00
    Hello alterego!

    ** On Monday 24.08.20 - 07:42, alterego wrote to Ogg:

    Yeah it does - there are browser extensions for SQRL -
    but they work by responding to OS sqrl:// links (normally
    on webpages).
    I suppose that method can be a spoofing vulnerability?

    I don't believe so - can you explain more?

    Never mind. I have to review the implementation and mechanism
    more closely again before I comment further. But on one of his SQRL presentations, there was a question from the audience
    asking what if the sqrl:// link did not match what was
    expected... and Steve's answer was "Then don't authorize it."
    That seemed to be an open door for a scammer, especially when
    our muscle memory would instinctively click right away - BEFORE
    we even realize that we clicked on a bogus sqrl:// link to
    authorize or register with a site for the first time.



    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From alterego@21:2/116 to Ogg on Monday, August 24, 2020 12:22:01
    Re: Calling BBSs
    By: Ogg to alterego on Sun Aug 23 2020 08:43 pm

    Hey Ogg,

    Never mind. I have to review the implementation and mechanism
    more closely again before I comment further. But on one of his SQRL presentations, there was a question from the audience
    asking what if the sqrl:// link did not match what was
    expected... and Steve's answer was "Then don't authorize it."
    That seemed to be an open door for a scammer, especially when
    our muscle memory would instinctively click right away - BEFORE
    we even realize that we clicked on a bogus sqrl:// link to
    authorize or register with a site for the first time.

    So I think his comment is right - and here's why:

    When the SQRL client "starts" the authentication process (so either by scanning
    a QR code, or by intercepting a sqrl:// link) - it first asks you to start the authentication and it presents the URL to you that it will use.

    So, my BBS is ansitex.bbs.leenooks.net - if I presented a QR code (that you obviously can't read), but it had the URL of scammer.org (because a hacker intercepted it) - the client will be asking you to start authentication to "scammer.org". Naturally as the end user you should see the difference and question it.

    But let's say the URL is ansitex.bbs.leen00ks.net (and you didn't notice that the
    double O is now double zero). Even if you started and completed the authentication against that URL - it is still useless to the scammer - because:

    * The scammer doesn't get your private key as part of the authentication - it gets a public key, which is useless. It cannot use this portion of your key to authenticate to the real server and pretend to be you.

    * The public key the scammer gets is different to the public key the real server gets. So the scammer can't identify you as you would appear on the real server. (The beauty of this innovation is that I can give you the authentication database (full of public keys and no passwords) - you cannot use
    it effectively in any way, nor identify a specific person from it.)

    * And lastly the public key mapping to the real user and authentication completion is done "internally" on the target server/network - so it needs to be compromised to complete the login process AND redirect that session to another connection. And I guess the assumption is, if the target is compromised, the hacker is already in, and doesn't need me to authenticate.

    I can even tell you how I'm doing passwords on the BBS with SQRL. Since Synchronet only has a 25 char "user name" and a "40 char" password (and the public keys are 43 chars when base64 encoded), when SQRL gives me your public key I chop off at 24 chars and prefix an "S" to use as the username and 40 chars to use as the password.

    Now you might think OK, if I find out your public key, you could login to the BBS as me (by using the first 24 chars and 40 chars respectively). But also I implement that this username can only be presented by SQRL - so if you type it at the "login prompt", you'll still get an access denied (and actually the client can control that).

    (I know this is overkill for a BBS - but I'm just playing with it to see what it can do, and to validate that it stacks up as a secure authentication mechanism...)

    ... Children are a comfort in old age, and they will even help you reach it.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
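An added worked example for the three bullet points and the user-name/password mapping in alterego's post above; it is not alterego's implementation nor code from the SQRL project. It follows the per-site key derivation SQRL documents (HMAC-SHA256 of the identity master key with the site's domain seeds an Ed25519 key pair) using only Go's standard library. The master key and the server nonce are constructed test values, the BBS site names are the two from the post, and the 24/40-character truncation is the one described there.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Site names from the post; the second is the look-alike with zeros for "oo".
const (
	realSite = "ansitex.bbs.leenooks.net"
	fakeSite = "ansitex.bbs.leen00ks.net"
)

// constructedIMK returns a fixed 32-byte "identity master key" for the demo.
// A real SQRL client generates this randomly and keeps it encrypted at rest;
// this one is a constructed test value, not a real key.
func constructedIMK() []byte {
	sum := sha256.Sum256([]byte("constructed demo identity, not a real key"))
	return sum[:]
}

// siteKeyPair derives the per-site key pair the way the SQRL spec describes:
// HMAC-SHA256(IMK, domain) seeds an Ed25519 key. Because the domain is part of
// the derivation, scammer.org or leen00ks.net gets a key pair unrelated to the
// one the real site sees, and nothing about the IMK is recoverable from either.
func siteKeyPair(imk []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, imk)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// encodePub gives the unpadded base64url form of the public key, which is the
// 43-character string the server stores and sees.
func encodePub(pub ed25519.PublicKey) string {
	return base64.RawURLEncoding.EncodeToString(pub)
}

// bbsCredentials maps that string onto Synchronet's limits as the post describes:
// "S" + first 24 chars as the (25-char) user name, first 40 chars as the password.
func bbsCredentials(pubB64 string) (user, pass string) {
	return "S" + pubB64[:24], pubB64[:40]
}

// respond is the client's half of the exchange: sign the server's nonce (the
// challenge carried in the QR code / sqrl:// URL) with the per-site private key.
// Only the signature and the public key leave the device.
func respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// verify is the server's half: check the signature with the stored public key.
// The server holds no secret, so a dump of its user table cannot be replayed.
func verify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(pub, nonce, sig)
}

func main() {
	imk := constructedIMK()
	pubReal, privReal := siteKeyPair(imk, realSite)
	pubFake, privFake := siteKeyPair(imk, fakeSite)

	fmt.Println("key at", realSite, "=", encodePub(pubReal))
	fmt.Println("key at", fakeSite, "=", encodePub(pubFake))
	user, pass := bbsCredentials(encodePub(pubReal))
	fmt.Printf("BBS user name %q, password %q\n", user, pass)

	nonce := []byte("constructed server nonce") // constructed; real ones are random per session
	fmt.Println("genuine login verifies at the real site:     ", verify(pubReal, nonce, respond(privReal, nonce)))
	fmt.Println("response captured by look-alike, replayed:   ", verify(pubReal, nonce, respond(privFake, nonce)))
	fmt.Println("genuine signature over a different nonce:    ", verify(pubReal, []byte("another nonce"), respond(privReal, nonce)))
}
```

The two keys printed for leenooks.net and leen00ks.net share nothing, which is the second bullet point in code form: whatever the look-alike site collects neither identifies the user at the real BBS nor lets it pass the real BBS's signature check, and the real BBS's own table holds only the public key plus the derived user name and password, neither of which is a secret the server could leak.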