libreboot and trisquel

Last month I saw somebody on the fsfe mailing list talk about an OpenMoko phone. As I had one of those collecting dust in the drawer, I asked if anybody was interested. Promptly I got an offer to exchange it for a Lenovo X60 notebook with libreboot. I didn’t need another notebook, but libreboot seemed interesting enough, so I agreed. It came preinstalled with trisquel gnu linux, and with a docking station. I’m not sure if I had heard about that distribution before. It is based on ubuntu, but includes only the free open libre stuff. The default desktop is gnome3. Since it’s a good fit with libreboot, I kept trisquel. The first impression was that it runs extremely well for such an old device. I was also amazed how rounded and complete a full-on libre distro can be these days. Gone are the days where the compromises you had to make for freedom were hard to justify. The first thing friends ask about is flash. But I don’t miss it at all, I mean html5 has been around for a while. At first, I started to install games for the kids. They run a lot better than on my old Atom netbook. As it’s my first device with a fingerprint reader, I had a little play installing this option for logging in, fully aware that it’s not that secure. The only two things that are not so optimal are sound and heat. Neither the speakers nor the headphones give any sign of life, even though the operating system seems to have recognized the sound card. This is not such a big deal, as the bluetooth headphones still work perfectly. The other issue is that it heats up a lot under full load. And when the core temperature hits 100°C it just switches off. This happened a couple of times when the BitCoin BlockChain synchronized. And it still happens once every second day.

Then, my XPS13 was stolen, and I needed something to fill the gap until I have a proper replacement. I must say it does the job well. I miss the XPS13 a lot, but at least I have something I can work on. And who knows how long it takes before I have an XPS13 again. They recently announced a new version with tiny bezels around the screen, bigger SSD and newer processors. But the new developer edition is not available yet, and the old version is not available any more. When it becomes available, I want to pay for it with BitCoin, which also is not available yet. Dell accepts BitCoin payments in the US, Canada and the UK. I hope they will soon roll out worldwide, or at least to the rest of Europe. Once I can order on my terms, I will still have to wait about a month for delivery.

Categories: BitCoin, Software

xapo debit card backed by BitCoin

It will take a while until we can pay with BitCoin at most merchants. For the time being xapo introduced a visa debit card that debits your expenses directly from your BitCoin online wallet at xapo. Since it runs over the visa network, and since there are currency conversions involved, it can’t be as cheap and frictionless as BitCoin directly, but it is an interesting option nonetheless. Since I’m planning on cancelling my regular credit card, this could be an interesting intermediary solution. I found a couple of articles that more or less describe the card, but they all left some uncertainty. It appears that they only recently expanded their offer to Europe. But only cards with USD, EUR or GBP as nominal currency are available. That means for me that an additional conversion from CHF to EUR will be required, adding to the transaction costs.

So, first you create an account with xapo, which is as easy as with any other online service. Then you find an option to pre-order a debit card, which will require you to allow them to hijack your twitter and facebook accounts. I have neither of the two, so I was stuck for a moment. There is a support chat easily accessible, and they respond quickly. European customers just need to send some money from their regular bank account to the xapo wallet where it is converted to BitCoin. After that, you receive a debit card automatically.

I received mine last week. To enable it and get the pin code, I had to call a number in the UK with a fully automated computer system. On the web you will find different information about the card. The third party issuer seems to have prohibitive fees, which xapo promised to absorb. So, I’m a bit curious about the business model behind it. But this post is about its usage. Since I planned it as a replacement for my regular Visa credit card, I tried it for online purchases first. I always thought Visa is Visa, after all Visa debit cards are uncommon around here. Turns out most online merchants only accept Visa credit cards, and won’t go with debit cards. I have no idea why this is. Today it should be easy to verify a payment with the bank where the customer’s account is. That was not the case twenty years ago, but nowadays ….?

Then I used the card to buy some chewing gum and a train ticket. That worked like a charm. When I calculated the cost with the current CHF price that the android BitCoin wallet displayed, it was about CHF 5.99, which would be even less than the fees indicated. But as we all know BitCoin is very volatile, and so this calculation is difficult to carry out exactly. But I think it’s safe to say that the fees with the two currency conversions are not as prohibitive as I feared. I don’t know if the merchants pay equally high fees as with credit cards, but I guess it’s for sure higher than with the Maestro debit cards that all local banks hand out to their customers.

To sum it up, it’s great that there is now a way to indirectly spend BitCoin for everyday purchases. Even if BitCoin is used in the background, this particular use case seems to add more friction than just using the Maestro card from my local bank. The minus that bugs me most is that I can’t use it for online purchases.

(Image: Coop sbb xapo-card)
Categories: BitCoin

missing or lost -> stolen

When we went to our ski holiday last week, we had a lot of luggage. So we had to hurry when leaving or switching the train. It always worked out well, even when we had to run, or walk a stairway twice. When we left the train on the way back in our home town, I grabbed the heavy stuff as usual, but somehow missed my messenger bag with the notebook. Just outside the train I realized that it was missing, and asked my wife if she had it. She usually checks the seats before leaving. But she didn’t have my bag. We assumed we just overlooked it on the seat. Immediately we called the train company, and had to pay CHF 50 for somebody in the train to go search my bag. Nothing was found, but they told me that sometimes lost items are brought to a train station the days after. I was full of hope to see my stuff again. A couple of days later, my optimism faded. Even more so after I read articles about how much stuff is stolen in Swiss trains. We both noticed two black guys walking suspiciously back and forth in the train. At first I couldn’t imagine that they could grab the bag without us realizing. But after reading those stories, and especially since we really habitually check the seats before we leave, I start to think they might have taken it.

It’s just material, but still the loss hurts. We like to believe that these things happen somewhere else, but not here. We like to tell the stories of our parents who didn’t lock the door, and left the keys in the car. That just makes it more bitter when reality hits us. There are a couple of things that are difficult or even impossible to replace. The bag itself was from the Paragliding World Cup in Korea. I worked hard in the competitions for almost five years to make it into the World Cup. And this bag was one of the souvenirs. The notebook was by far the best computer I ever had. It’s a Dell XPS13 developer edition with Ubuntu pre-loaded. I didn’t allow it to get a single scratch in the 15 months I had it. If I have to order a new one, given I manage to allocate the funds for such a great device, I have to wait at least a month for delivery. The Trezor was a “first edition” given out only to the backers of the crowdfunding campaign. The Prada sunglasses were from the outlet store. Just to get there would cost more than I saved on the regular price.
So, if you see somebody by chance with a brand new looking Dell XPS13 ultrabook that doesn’t seem to belong to him, or a FlyGin messenger bag that has a Paragliding World Cup print, or with a red-black Mammut GoreTex Paclite jacket, then please report.

Categories: Family, Travel

Winter wonderland

I picked a marvellous day to go speedflying in Andermatt. See for yourself:

Categories: Paragliding

Code coverage for C++

Ever since I started writing automated tests, I wondered how complete the coverage was. Of course you have a feeling which parts are better covered than others. For some legacy code you might prefer not to know at all. But I thought test coverage was something easy to do with a language running on a VM such as Java, but hard with C++. Some things are not as hard as you think, once you give it a try.

The thing that triggered my interest was the coveralls badge on the readme page of vexcl. By following it through, I learned that coveralls is just for presenting the results that are generated by gcov. Some more research showed what compiler and linker flags I need to use. In addition I found out that lcov’s genhtml can generate nice human-readable html reports, while gcovr writes machine-readable xml reports. So the following is really all that needs to be added to your CMakeLists.txt:

OPTION(CODE_COVERAGE "Generate code coverage reports using gcov" OFF)

IF(CODE_COVERAGE)
    # instrument every compilation unit and the final link for gcov
    SET(CMAKE_C_FLAGS          "${CMAKE_C_FLAGS} -fprofile-arcs -ftest-coverage")
    SET(CMAKE_CXX_FLAGS        "${CMAKE_CXX_FLAGS} -fprofile-arcs -ftest-coverage")
    SET(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fprofile-arcs -ftest-coverage")

    # write a shell script that resets the counters, runs the tests and produces
    # the reports; each command is one line and the \n belongs inside the quotes
    FILE(WRITE  ${PROJECT_BINARY_DIR}/coverage.sh "#! /bin/sh\n")
    FILE(APPEND ${PROJECT_BINARY_DIR}/coverage.sh "lcov --zerocounters --directory . --base-directory ${MyApp_MAIN_DIR}\n")
    # baseline with every instrumented line at zero, so files no test touches still show up
    FILE(APPEND ${PROJECT_BINARY_DIR}/coverage.sh "lcov --capture --initial --directory . --base-directory ${MyApp_MAIN_DIR} --no-external --output-file MyAppCoverage_base.info\n")
    FILE(APPEND ${PROJECT_BINARY_DIR}/coverage.sh "make test\n")
    FILE(APPEND ${PROJECT_BINARY_DIR}/coverage.sh "lcov --no-checksum --directory . --base-directory ${MyApp_MAIN_DIR} --no-external --capture --output-file MyAppCoverage_test.info\n")
    FILE(APPEND ${PROJECT_BINARY_DIR}/coverage.sh "lcov -a MyAppCoverage_base.info -a MyAppCoverage_test.info -o MyAppCoverage.info\n")
    # drop the unit tests and the modassert directory from the report
    FILE(APPEND ${PROJECT_BINARY_DIR}/coverage.sh "lcov --remove MyAppCoverage.info '*/UnitTests/*' '*/modassert/*' -o MyAppCoverage_filtered.info\n")
    FILE(APPEND ${PROJECT_BINARY_DIR}/coverage.sh "genhtml MyAppCoverage_filtered.info\n")

    # machine readable summary (Cobertura xml) for the build server
    FILE(APPEND ${PROJECT_BINARY_DIR}/coverage.sh "gcovr -o coverage_summary.xml -r ${MyApp_MAIN_DIR} -e '/usr.*' -e '.*/UnitTests/.*' -e '.*/modassert/.*' -x --xml-pretty\n")

    ADD_CUSTOM_TARGET(CODE_COVERAGE bash ${PROJECT_BINARY_DIR}/coverage.sh
                      WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
                      COMMENT "run the unit tests with code coverage and produce an index.html report"
                      SOURCES ${PROJECT_BINARY_DIR}/coverage.sh)
    SET_TARGET_PROPERTIES(CODE_COVERAGE PROPERTIES FOLDER "Testing")

ENDIF(CODE_COVERAGE)

The resulting html page is very detailed and shows you the untested lines in your source files in red.
From the produced xml file it’s easy to extract, for example, the overall percentage. You could use this figure to fail your nightly builds when it’s decreasing.
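As an added example (not from the post), a Python gate that reads the Cobertura xml that gcovr -x writes and fails the build when the overall line rate drops below a stored baseline, or when any single file falls under a floor that a healthy overall number would hide. The sample xml is constructed, and the baseline file name is an assumption.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the Cobertura format that "gcovr -x" writes; the real
# input is the coverage_summary.xml produced by the CODE_COVERAGE target.
SAMPLE_XML = """<?xml version="1.0" ?>
<coverage line-rate="0.8125" branch-rate="0.5" version="gcovr 3.2" timestamp="0">
  <packages>
    <package name="src" line-rate="0.8125" branch-rate="0.5">
      <classes>
        <class name="parser.cpp" filename="src/parser.cpp" line-rate="0.9" branch-rate="0.5"/>
        <class name="crypto.cpp" filename="src/crypto.cpp" line-rate="0.6" branch-rate="0.5"/>
      </classes>
    </package>
  </packages>
</coverage>
"""


def parse_coverage(xml_text):
    """Return (overall line rate, {filename: line rate}) from a Cobertura report."""
    root = ET.fromstring(xml_text)
    overall = float(root.get("line-rate"))
    per_file = {c.get("filename"): float(c.get("line-rate")) for c in root.iter("class")}
    return overall, per_file


def check_coverage(xml_text, baseline, min_file_rate=0.0, tolerance=0.0):
    """Gate a build: fail when the overall rate drops below the baseline (minus a
    tolerance for noise) or when any single file falls under min_file_rate."""
    overall, per_file = parse_coverage(xml_text)
    problems = []
    if overall < baseline - tolerance:
        problems.append(f"overall line coverage {overall:.1%} below baseline {baseline:.1%}")
    for path, rate in sorted(per_file.items()):
        if rate < min_file_rate:
            problems.append(f"{path}: {rate:.1%} below floor {min_file_rate:.1%}")
    return not problems, overall, problems


def main(argv):
    # usage: coverage_gate.py coverage_summary.xml baseline_file [min_file_rate]
    # the baseline file (an assumed name) holds the overall rate of the last good build
    xml_path, baseline_path = argv[1], argv[2]
    min_file_rate = float(argv[3]) if len(argv) > 3 else 0.0
    with open(xml_path) as f:
        xml_text = f.read()
    try:
        with open(baseline_path) as f:
            baseline = float(f.read().strip())
    except FileNotFoundError:
        baseline = 0.0   # first run: anything passes and becomes the baseline
    ok, overall, problems = check_coverage(xml_text, baseline, min_file_rate)
    for p in problems:
        print("FAIL:", p)
    if ok:
        with open(baseline_path, "w") as f:
            f.write(f"{overall:.4f}\n")   # ratchet the baseline upwards only
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the last step of the CODE_COVERAGE target on the build server; a non-zero exit code fails the nightly build.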

Categories: Software

prevent or react

At the beginning of this year, there was a very tragic event prominently present in all newspapers across Switzerland. The whole thing was so tragic that I won’t add a link here. But there is one aspect that kept me thinking for the last two weeks. Today’s blog post by Bruce Schneier triggered me to write about it. There was a father who fed his family by selling smart phones on online auction sites without delivering anything. Apparently he did that for years. They couldn’t get hold of him because he moved house every couple of months. In contrast to places like Nigeria, I didn’t think this was even possible here in Switzerland.

First of all, I don’t think that’s the profession he imagined for himself. Something must have gone terribly wrong long before. I think one has to be very desperate to become a professional cheater. Most measures our society has in place against such behaviour are reactive. Bad behaviour is punished, and the prospect of the punishment should keep the hesitant from misbehaving.

In certain areas of commerce it’s easier. In a brick and mortar store, you get the goods and pay directly. If you take the goods and run out of the store, chances are somebody will follow or somebody will stop you. This kind of theft is also easier for the police to pursue. But there are other areas where you need to bring a certain trust. That’s for example if you order something online and pay upfront. If it is a big name store, you may know its reputation. If they wouldn’t deliver, you’d tell your friends. This in turn could influence the reputation of the shop. With sites like ebay that have more participants than any individual could keep track of, it doesn’t work as easily. That’s why they have reputation systems built in. There are certain ways how you could trick them. I have no idea how well that would work out, but the only way to prevent that would be to require for example a social security number instead of just an email address to register. Other countries issued electronic passports for a while which could be used for identification in such cases. Whether this is desired is another question.

Ebay and ricardo do offer some sort of escrow service. But nobody seems to make use of it. Certainly not the victims of the above mentioned iphone scammer. Some may already know where I’m heading. That’s an area where BitCoin can shine. With its built-in, (soon) easy-to-use multi-signature escrow system, certain types of fraud almost disappear overnight. If the system doesn’t allow cheating, there is no need for punishment after somebody was ripped off, or threats against such behaviour. So which is better, prevention or reaction paired with menace?

Categories: BitCoin

decentralized social communication

When you think about social networks, do you even realize how centralized and compartmentalized the prevalent systems are? Neither centralization nor artificial borders are inherent traits of a network though. Imagine you could only talk to customers of the same phone company you use. Or you could exchange emails only with customers of the same service provider. Wouldn’t that be ridiculous? And yet this lack of interoperability is the reality with most social networks today.

Blogging -> wordpress

Blogging is about the only category here that is fairly decentralized. You can host your own blog without any problem. Even though wordpress seems to have the lion’s share of feeds, rss and atom are open standards. And indeed lots of products and platforms offer that functionality. And most important: you can freely choose the software that fetches all the news for you. The same system is also used for podcasts, videocasts and various other content you can subscribe to. Lately, wordpress is even used increasingly to build regular websites. It is also what powers the blog you’re currently reading.

Microblogging -> twister

Everybody knows twitter. People who use it say it was great before they had to start pleasing their share holders. It was used for communicating in the North African revolutions. Sounds ironic, given its centralized nature. It’s easy to revoke free speech with centralized systems. Nobody is astonished when it happens in Turkey. Lately I read that even in the UK they think about blocking twitter when things are going out of control.

There was a more open alternative called identica, but I don’t know if it’s still used a lot. I saw twister mentioned a while ago, and thought that’s something I should have a closer look at. Only last week I installed it and started playing with it. It triggered new interest in the whole topic. It is based on BitCoin and torrent systems, thus completely decentralized. A blockchain is used to register users, and torrents to distribute the content. Installing is as simple as adding a ppa (personal package archive from launchpad.net) and apt-get installing it. As I don’t use twitter, I don’t know for sure, but I think the user experience should be similar except for ads. And while twitter provided rss feeds a long time ago but stopped due to monetization, that is no problem with twister. While they say it’s in alpha stage, I had no issues, and the experience is better than with many commercial programs. One downside it currently has is that a lot of handles for big company names or celebrity names were reserved early on by who knows whom. There is no mechanism to transfer a handle other than sharing the secret key. Maybe an expiration model such as with namecoin would be appropriate here. My handle is @ulrichard, if you want to follow me.

Social networks -> diaspora or gnu social?

I never really got it why I should be on facebook. You could describe their business model as a man in the middle attack. You chat with friends and there is always someone nearby who listens in and takes notes. Then he sells the information he gathered. And if he so pleases, he can even block you from chatting with your friends altogether. Sounds over the top? Think about it.

I do have a google+ account, but I actually never used it. It was forced on me to be able to keep uploading videos to youtube. The same criticism as for facebook also applies to google+. But the worst thing is that they are not interoperable. Why do people have to be on the same platform to interact? That is a huge step backwards.

Diaspora was touted as an alternative for a long time. I wanted to give it a try, and I routinely check the packaging status. Usually I only use software that I can apt-get install, and thus is automatically updated, cleanly uninstalled, and I can check what files belong to it and where they go. If it is written in a language and environment that I’m familiar with, I might compile it to give it a try. I’m not familiar with ruby at all. Apart from that, I make very few exceptions to my apt-get rule. So, I’m still waiting for the diaspora packages.

Then I recently learned about gnusocial. It also looks viable, but again, no deb package. So I’m waiting here as well.

Messengers and Video calls -> Tox

Skype used to be great before it was sold to Microsoft. We used it a lot to phone home on our South America trip in 2007. Then GoogleTalk used to be even better until they terminated xmpp federation, and subsequently even switched to a proprietary protocol.

For text messages, xmpp is still perfect, but for voice calls it was difficult for a while. I once tried mumble, but can’t remember at the moment, what I didn’t like about it. My SIP VoIP experiments didn’t lead anywhere. And all the proprietary apps like WhatsApp really don’t cut it for me.

Only through twister I learned about tox. It’s still a mystery to me why I didn’t know about it sooner. It is easy to apt-get install from a ppa, and just works. They say it’s at an early stage and can be buggy. I had no issues so far. Nothing more to say… other than my tox id: 75A6B5F621BF142FA836E58A96023EE8F51AE0446FD85B2FBAFB378F4034E265EFF16B919A7A

Chat -> IRC, BitMessage, TorChat

I almost forgot to mention chat. IRC has been there forever. In my early chat experiences in the nineties I didn’t know about the technology behind, but in retrospect I assume it was powered by IRC. I still use IRC regularly, mainly on freenode to discuss about OpenSource software.

There is BitMessage which uses some ideas from BitCoin to run a fully anonymous stealth communication network. I like the idea and the concept, but getting a message through can sometimes take its time.

And recently I learned about TorChat. It worked fine the one time I used it. It makes use of the tor onion router to hide the communication, but apart from that it’s not associated with the tor project.


Categories: Software

wake up to a clean state

I used to have problems when my ultrabook woke up from sleeping mode. Nothing serious, but annoying. One thing was that the empathy messenger application fully occupied one CPU core, effectively transforming the power out of the battery into heat. I grew tired of manually terminating it every time. So I did some research, and put the following lines into /etc/pm/sleep.d/20_empathy_cpu_hog:

#! /bin/sh
# pm-utils hook: $1 is the power event; on resume (from suspend) or thaw
# (from hibernate), kill the XMPP connection manager that empathy leaves spinning
case "${1}" in
    resume|thaw)
        killall empathy-gabble
        ;;
esac

The other problem was the ssh connection that I keep to my server. After waking up from sleep it took a while to time out. Now, I terminate it right after wakeup, so that it can be automatically re-established. To accomplish this, I wrote the following lines into /etc/pm/sleep.d/30_ssh_ulrichard:

#! /bin/bash
# pm-utils hook: on resume/thaw, kill the stale ssh session to the server so that
# it gets re-established right away instead of waiting for the TCP timeout
case "${1}" in
    resume|thaw)
        # "grep -v grep" drops the grep process itself from the match; awk picks the PID
        kill $(ps aux | grep ssh | grep user@server.ch | grep -v grep | awk '{print $2}')
        ;;
esac

I love linux, where problems are rare, every problem can be solved, and the solution is just a few lines away…

Categories: Software

Paying online without a credit card

I can still remember the times when travelling without a credit card could be really inconvenient. But since Maestro and Cirrus cards work around the globe, it’s fine without. The time where shopping on the internet without a credit card was inconvenient to impossible was not so long ago. In a recent post, I announced that I don’t plan to renew my credit card. So here are some hints on how to get by without. BitCoin is the tool of choice as it has so many advantages.

On christmas we usually play a game with the family of my wife. Everybody gets assigned a random person to make a gift for. Beforehand we distribute our wish lists. My stuff is usually from online sites. The problem is, I’m the only one with a credit card in this circle. So what looks easy to me might be difficult to order for the others. But the democratization of money, which BitCoin is about, is going to make online commerce a lot easier. Soon anybody with a computer or a phone will be allowed to participate.

Businesses that directly accept BitCoin

Even though there are thousands of businesses listed in the directories to accept BitCoin worldwide, only a few of them are in Switzerland. Most of them are in niche areas, selling goods that most people rarely need. And usually you search for goods rather than places where you can spend your money. Some of the American giants like dell, overstock, tigerdirect, newegg or adafruit deliver abroad at prohibitive costs, not at all, or only allow BitCoin payments for domestic clients. But sometimes you stumble across a site that accepts BitCoin by pure coincidence like for example nitrokey, spycoins or reelhouse.

Movies

Call me old school, but I don’t like subscriptions to watch movies. Yes NetFlix is a lot cheaper than the other options we have in Switzerland, but I just don’t like subscriptions that renew automatically, cost you when you don’t use it, and have notice periods when you want to terminate. Instead I want to select the movie I want to watch, and pay for it. Basta. Why is that so difficult? No wonder movies get pirated all the time. If it were so easy to pay for what you want, and the prices were reasonable, there would be no incentive to download movies from torrents or p2p. The music industry struggled for a while with the same problem. But nowadays you can download music at reasonable prices and it’s not even crippled with DRM anymore. When will the movie industry learn that making interesting offers is better than trying to break the internet? When I bought the movie “The rise and rise of BitCoin” on vimeo, I could pay with BitCoin and download the movie without DRM. The experience was so good, that I started exploring the video on demand section on vimeo. But when I wanted to buy the next movie, there was no BitCoin option, as with the previous one it ran through a voucher code. So I wanted to pay it with PayPal. But it kept failing and asking for a credit card. It just wouldn’t use my balance. It didn’t state it clearly, but somehow vimeo requested the address information associated with a credit card. Why that? Probably because of some area restriction which is almost as stupid as DRM itself. And this type of restriction clearly didn’t apply to the movie I was about to buy. Luckily somebody from “The flying Frenchies” told me that their video is also available from reelhouse. They natively support BitCoin. You can choose to rent and watch in the browser with flash, or buy and download DRM free. That’s exactly how it should be. I found my movie platform, and hope their selection will expand quickly.

Amazon and buy by proxy with discount

No, they still don’t accept BitCoin directly. But you can either buy gift cards from gyft.com or egifter.com, or even better let someone else place the order on your behalf and pay him in BitCoin. That is how purse.io and brawker work. Purse.io is exclusively geared towards amazon. You create a new wish list with amazon, configure your shipping address and populate it. Then you copy the URL of your wish list into purse and select your desired discount. People who want to buy your bitcoins make offers with differing discounts, usually in the range of 7%. You send your coins into escrow and select an offer. Once the goods are delivered, you release the coins from escrow and the buyer gets them. As it is geared towards amazon there are fewer variables, and thus it runs very smoothly. If your item is listed with amazon, but delivered by a 3rd party seller, purse might have problems processing. That’s when I tried brawker. Here you populate one or more edit fields with URLs containing direct links to the products you want. They can be on any site. That’s why you also see strange things listed. But the process is otherwise the same as with purse. One thing I noticed is that the escrow BitCoin address is actually a P2SH multisig address. But to release, I didn’t have to sign the transaction with my BitCoin refund address. Thus I don’t really know what this is about. Finally, I should mention snapcard and bitspend. They offered similar services where they executed the orders and charged in BitCoin. BitSpend closed long ago, and SnapCard changed their business model.

Donations

I used to do donations for Mozilla and SeaShepherd through SnapCard, but these days I do direct BitCoin donations only. And in fact many non profit organisations accept direct donations: Apache, Mozilla, LibreOffice, GnuPG (through the Wau Holland foundation), Electronic Frontier Foundation, digitale-nchhaltigkeit.ch, Wikipedia, Gliding Everest, Ebola fighters, Koptimism, BitCoinFoundation, to name just a few.

Auctions

There used to be an auction site that ran on BitCoin. It was called BitMit and was very cool. For some reason they closed a while ago. I don’t know of a good alternative at the moment, but there are better things to come. The most prominent being OpenBazaar. The great thing about it is that it’s not just another centralized service, but completely decentralized.

Food

In some areas you find lots of restaurants where you can pay with BitCoin. In Switzerland, I know only of Kafi Schoffel in Zürich. But this post is about the internet. You can order food for BitCoin on lieferservice.ch, which for sure has something in your area.

Categories: BitCoin

fido universal 2nd factor authentication

In the time since my rant about passwords, more and more sites adopt OAuth. I don’t like this development. Usually they offer login with facebook, sometimes with google or twitter and rarely with linkedin. The problem with OAuth is that the site operator decides what providers are supported. With OpenID on the other hand, I can host my own OpenID provider and secure it with whatever 2nd factor authentication I choose. It’s sad to see that OpenID lost traction, and is actually removed in many places. One concern about OAuth is that exactly the companies that track you the most get this extra information about where you log in and when. And on top of that you usually have to grant the site you log into the permission to tweet or post on your behalf. But what bothers me most is that you grant your id provider more power than you are probably ready to admit. Say for example you use google as your id provider for every site you can, because it is just so convenient. Then one day google decides for whatever reason to block your account. As a result you are locked out not just from all google services, but out of most of the sites you care about. And it does happen that google blocks accounts for no good reason.

Most BitCoin exchanges these days offer some sort of 2nd factor authentication. Some use YubiKeys, some use GoogleAuthenticator and some send you text messages. They are somewhat similar as they all use something called “one time passwords”. Only how the user gets them is different. Text messages seem like an ugly hack, and phones are known to be insecure. That’s also why I don’t like the Google Authenticator, as it is just software running on the regular processor of your smart phone. The YubiKey is clearly the best option out of these, but it also has its weakness. If you use it for different purposes, an OTP generated for one site could be reused for a different site. As it emulates a keyboard it’s a one-way track and it has no way of knowing where it is used. This is why the now defunct MtGox distributed dedicated YubiKeys. At least some parts they did right. But there is something in the works to solve all of this…

Last week I received a new USB security token. It’s a PlugUp fido u2fa device. It has exactly the same form factor as the HW1 BitCoin hardware wallet. And that is actually how I paid for it. Not directly, but through Brawker. The device implements the new FIDO universal 2nd factor authenticator standard. Finally a conglomerate of big name companies got together to solve the password authentication problem.

When I first read up on it, I found lots of marketing speech and an overly detailed specification, but not the kind of technical overview I was looking for. But it seemed interesting enough to give it a try. So far, there are USB devices available from only two vendors: Yubico and PlugUp. Even though I love the YubiKey NEO, the price was too high just to give it a try. The PlugUp device is much cheaper but also less sturdy. Also there are not a lot of places where you can use it so far. But looking at all the companies that form the alliance, that is hopefully going to change. The only place I could use it was to log into my google account, and only with the Chromium browser. My browser of choice is Firefox, but it doesn’t look as if fido support is imminent. I did like what I saw so far. You can register multiple devices per account. And you can use the same device for multiple accounts. There were no technical hiccups. It just worked.

But still, I thought I would prefer a solution based on OpenPGP Card with EnigForm. With GPG, I can manage my identity myself, how I want it. Of course this is great for power users, but not something regular users want or can do. FIDO is targeted at regular users, and I think they found a good compromise. It appeared that from the security standpoint they should be similar, in that both work in a challenge response scheme. The server knows the public key, and lets the device sign something.

Then I found the technical information I was looking for on this blog. Now that looks promising. The device generates a new set of keys for every site. That is perfect for authentication, i.e. making sure it’s the same user as last time. If you want to compartmentalize your identity, you don’t even have to do it by hand. But it doesn’t help with identification. GPG would be better in that regard. So while GPG would be enough to identify a user, with fido the user will still have to fill in some required information. But most important, with both approaches fido and GPG/EnigForm, you don’t need a central service like with OpenID or OAuth that can track you.
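As an added example (not from the post, nor code from the FIDO alliance), a Python model of the flow described above: the token derives a distinct key pair for every site, signs the appId hash together with a user-presence byte, a counter and the challenge, and the server holds nothing but public keys and the last counter. The sample origins, the key handle layout and the Schnorr signature over a Mersenne-prime group standing in for ECDSA P-256 are assumptions of this model.

```python
import hashlib
import hmac
import os
import struct

# Toy signature group: Z_p* for the Mersenne prime p = 2^127 - 1 with generator 3.
# Assumption: a Schnorr signature here stands in for the ECDSA P-256 signature of a
# real U2F token; everything else follows the U2F message flow.
P = 2**127 - 1
G = 3
N = P - 1   # exponent modulus: g^(p-1) == 1 for every g in Z_p* (Fermat)

def _int(b):
    return int.from_bytes(b, "big")

def schnorr_sign(x, msg):
    # nonce derived deterministically from private key and message (RFC 6979 style)
    k = _int(hmac.new(x.to_bytes(16, "big"), msg, hashlib.sha256).digest()) % N or 1
    r = pow(G, k, P)
    e = _int(hashlib.sha256(r.to_bytes(16, "big") + msg).digest()) % N
    return e, (k - e * x) % N

def schnorr_verify(y, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P   # equals g^k when y == g^x
    return e == _int(hashlib.sha256(r.to_bytes(16, "big") + msg).digest()) % N

def signature_base(app_param, presence, counter, challenge_param):
    # what a U2F token signs: appParam || userPresence || counter (4 bytes BE) || challengeParam
    return app_param + presence + struct.pack(">I", counter) + challenge_param

class Token:
    """Simulated U2F token: one master secret, a distinct key pair per registration."""
    def __init__(self, master=None):
        self.master = master or os.urandom(32)   # never leaves the device
        self.counter = 0                         # global counter, signed with every assertion

    def _private_key(self, app_param, nonce):
        # per-site key from master secret, appId hash and a fresh nonce: the token stores
        # nothing per site, the key handle carries the nonce back to it
        return _int(hmac.new(self.master, app_param + nonce, hashlib.sha256).digest()) % N

    def register(self, app_param):
        nonce = os.urandom(32)
        tag = hmac.new(self.master, b"handle" + app_param + nonce, hashlib.sha256).digest()
        public_key = pow(G, self._private_key(app_param, nonce), P)
        return nonce + tag, public_key   # the key handle is opaque to the server

    def authenticate(self, app_param, key_handle, challenge_param):
        nonce, tag = key_handle[:32], key_handle[32:]
        expected = hmac.new(self.master, b"handle" + app_param + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("key handle was not registered for this appId")
        self.counter += 1
        presence = b"\x01"   # the user touched the button
        msg = signature_base(app_param, presence, self.counter, challenge_param)
        return presence, self.counter, schnorr_sign(self._private_key(app_param, nonce), msg)

class RelyingParty:
    """Server side: keeps only public keys and the last counter seen per key handle."""
    def __init__(self, app_id):
        self.app_id = app_id
        self.app_param = hashlib.sha256(app_id.encode()).digest()
        self.registrations = {}   # key_handle -> [public_key, last_counter]

    def enroll(self, token):
        key_handle, public_key = token.register(self.app_param)
        self.registrations[key_handle] = [public_key, 0]
        return key_handle

    def login(self, token, key_handle):
        challenge = os.urandom(32)
        # the browser hashes the challenge together with the origin it is really talking to
        client_data = b'{"challenge":"%s","origin":"%s"}' % (challenge.hex().encode(), self.app_id.encode())
        challenge_param = hashlib.sha256(client_data).digest()
        presence, counter, sig = token.authenticate(self.app_param, key_handle, challenge_param)
        public_key, last_counter = self.registrations[key_handle]
        msg = signature_base(self.app_param, presence, counter, challenge_param)
        if presence != b"\x01" or not schnorr_verify(public_key, msg, sig):
            return False
        if counter <= last_counter:
            return False   # replayed assertion, or a cloned token that fell behind
        self.registrations[key_handle][1] = counter
        return True

def demo():
    """Returns (normal logins ok, cross-origin handle accepted, cloned token accepted)."""
    token = Token()
    bank = RelyingParty("https://bank.example")   # constructed sample origins
    mail = RelyingParty("https://mail.example")
    h_bank, h_mail = bank.enroll(token), mail.enroll(token)
    distinct = bank.registrations[h_bank][0] != mail.registrations[h_mail][0]
    logins_ok = distinct and bank.login(token, h_bank) and mail.login(token, h_mail)
    try:   # a site holding the bank's key handle cannot use it: the token refuses
        cross_origin = mail.login(token, h_bank)
    except ValueError:
        cross_origin = False
    clone = Token(token.master)   # same secrets, but its counter starts again at zero
    return logins_ok, cross_origin, bank.login(clone, h_bank)
```

The counter is what lets the server notice a cloned token: the clone verifies fine cryptographically but presents a counter the server has already seen.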

Once fido gains more traction, the new YubiKey NEO will be perfect, as it combines fido u2fa with an OpenPGP applet. In the meantime, you can check which sites offer what type of 2nd factor auth at dongleauth.info.

Categories: Software