Tom -
Specifically what would an update do to make security worse?
Wouldn't an update fix any security issues which may exist on 2.2.3? Or is this a key so secure that no update is needed as it would break whatever security is in there? (A sign of questionable programming or "If it ain't broke, don't fix it").
Surely, you have seen where 25-GPU systems are cracking everyday Windows passwords (http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/), and people are no longer safe against 2-factor password authentication when given the right information (http://it.slashdot.org/story/11/12/06/0321250/scammers-work-around-two-factor-authentication-with-social-engineering).

Sure, we have the API tools and can authenticate against our own rolled-out RADIUS server, or yours, and that would help with this, but let's consider that maybe some of the things you 'fixed' in newer firmware were not made available to older keys (in my case, less than 1 year of ownership), and let's just say someone built a fantastic front end for those who have the newer keys, with an updated API taking advantage of newer features. (For example, some new firmware that calls home to Yubico to authenticate, but also authenticates against the user's RADIUS server to ensure that the key is real and not emulated AND that the server it is going to authenticate against is legitimate and not spoofed by a hacker.) When a user with an older key with outdated firmware tries to log in, they cannot log in because they don't have the extra 'call' in the firmware to authenticate, forcing the user to purchase a new key.
I really am trying not to be sarcastic about this or a jerk, but I never thought Yubico would just make a key and call it a risk to security if it were updated. Seems a bit odd to me.