Tom,

Thank you for sharing the information about Minuet. I’ve lamented for years that high-level programming languages and “sloppy” coding have made operating systems expand to consume all the resources our screaming fast machines have available. No matter how fast hardware gets, the user experience seems to remain tedious. This includes embedded systems that I work with, which operate via a command line.

Minuet gives me hope that we can start seeing this trend invert and user interfaces in the operating system gain some serious optimization. I would have never found out about this project if I hadn’t listened to your show. Please keep bringing us news of these clever, elegant, and awesome things like Minuet.

Regarding the new exploit for SecurID tokens: there has been an exploit in the wild regarding this product for over a decade. It affects less than 2% of the tokens, but it allows an attacker who sees the pseudo-random code on the keyfob once to recreate the seed code and therefore be able to create a software duplicate at any time in the future. The attacker also needs to get a time stamp along with seeing the code.

Most security guys I’ve worked with don’t worry about this, because it also requires the user’s login and password in order to successfully hack the user’s account. But if an attacker gets one look at a keyfob and then a second one at a later time, he can validate whether or not the user’s SecurID token is vulnerable to the attack. If it is, then he can concentrate his efforts on hacking that specific user now that the linchpin of the security system, SecurID, is known to be compromised.

This specific attack, as described, actually doesn’t worry me that much. All the SecurID systems I’ve worked on have only allowed a specific code to work once for authentication. Unless the attacker’s code can get authenticated before the user’s login attempt, that specific code will be useless. However, if you combine it with the vulnerability I describe above, then you no longer need to look at the token; you can just try out the attack and see if the user’s token is one of the less than 2% that are vulnerable. If they are, you already have all the credentials and can impersonate that user to the system any time you like.

Keep up the excellent work,

-Paul Fischer
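The single-use rule Paul describes in his last paragraph, as an added example that is not from the letter and is not RSA's proprietary SecurID algorithm: a TOTP-style verifier (RFC 6238 HMAC derivation, an assumed 60 s step and a one-step skew window) that records the highest time-step counter already accepted for each user and refuses any code at or below it, so a code that has been used once cannot be replayed.

```python
import hmac
import hashlib
import struct

# Added example, not the letter's or RSA's code. The derivation is RFC 6238
# style (HMAC-SHA1 over a time-step counter); the 60 s step is an assumption.
STEP = 60      # seconds per code
DIGITS = 6
DRIFT = 1      # accept codes from +/- one step of clock skew


def code_for(seed: bytes, counter: int) -> str:
    """Derive a DIGITS-long decimal code from a seed and a time-step counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class Verifier:
    """Server side: one seed per user plus the last counter consumed per user."""

    def __init__(self, seeds):
        self.seeds = seeds          # user -> seed (the server's copy)
        self.last_counter = {}      # user -> highest counter already accepted

    def verify(self, user: str, code: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = now // STEP
        for counter in range(current - DRIFT, current + DRIFT + 1):
            if hmac.compare_digest(code_for(seed, counter), code):
                # Replay guard: a code whose step is at or before the last one
                # accepted is refused, even though it is still inside the window.
                if counter <= self.last_counter.get(user, -1):
                    return False
                self.last_counter[user] = counter
                return True
        return False
```

Because acceptance advances the stored counter, a second presentation of the same code in the same step fails, which is the property that makes a single observed code "useless" once the legitimate user has logged in.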