Home Tags NFC

Tag: NFC

10% off Bose SoundSport Pulse Wireless Headphones With Heartrate Monitor –...

Take your workout to the next level with Bose SoundSport Pulse wireless headphones.

A built-in heart rate sensor makes it easy to track your performance without missing a beat of your music.

The sensor measures your heart rate directly from your ear, delivering a highly accurate reading without interfering with your workout.

And while yoursquo;re on the move, SoundSport Pulse wireless headphones stay secure.

The StayHear+ Pulse tips are designed for stability even during intense workouts.

Connect to your device easily with Bluetooth and NFC pairing.

The Bose SoundSport Pulse headphones average 4 out of 5 stars from over 1,900 people on Amazon (read recent reviews here), where their typical list price of $199 has been reduced to $179.
See this deal on Amazon.To read this article in full or to leave a comment, please click here

OnePlus 5 review—The best sub-$500 phone you can buy

Snapdragon 835, 6GB of RAM, and near-stock Android for $479? Sign us up.

74% off Omaker M4 Portable Bluetooth Shower and Outdoor Speaker with...

The M4 speaker from Omakernbsp;isnbsp;IP54 rated, so its rugged splash, shock and dustproof design makes it ideal for shower and outdoor use.

The latest Bluetooth 4.0 technology helps it pair quickly with your device (tap-to-pair with NFC capable devices) and maintain a long 33-foot connection range.

Crystal clear sound quality and robust bass is realized through a 3W audio driver and passive subwoofer.

The M4 is capable of producingnbsp;12 hours of music at 80% volume, up to three times longer than similar-sized portable speakers.
It  fully recharges in just 3 hours using an included Micro USB cable.

The unit averages 4.5 out of 5 stars from over 5,000 people on Amazon (read reviews), many of which report sound quality that rivals more expensive speakers.

Amazon indicates that its list price has been reduced significantly to just $22.99.
See the discounted Omaker M4 speaker now on Amazon.To read this article in full or to leave a comment, please click here

LG G6 review: LG’s “personal best” still can’t compare to Samsung

Recommending the G6 is hard when Samsung is building a better version of the same phone.

Huawei Watch 2 hands on—This feels like a last-gen smartwatch

With a small, ugly screen and no digital crown, the Huawei Watch 2 feels old.

No key, no login: G Suite admins can now make FIDO...

Forget 6-digit 2FA codes, just plug in a USB stick!

It’s Android Wear 2.0 launch day—here’s what’s getting updated

Google announces new hardware and updates with the new smartwatch OS.

LG Watch Sport review: Google’s bulky watch breaks free from the...

First Android Wear 2.0 device takes the smartwatch platform in a new direction.

69% off Omaker M4 Portable Bluetooth Shower and Outdoor Speaker with...

The M4 speaker from Omaker is IP54 rated, so its rugged splash, shock and dustproof design makes it ideal for shower and outdoor use.

The latest Bluetooth 4.0 technology helps it pair quickly with your device (tap-to-pair with NFC capable devices) and maintain a long 33-foot connection range.

Crystal clear sound quality and robust bass is realized through a 3W audio driver and passive subwoofer.

The M4 is capable of producing 12 hours of music at 80% volume, up to three times longer than similar-sized portable speakers.
It  fully recharges in just 3 hours using an included Micro USB cable.

The unit averages 4.5 out of 5 stars from over 4,800 people on Amazon (read reviews), many of which report sound quality that rivals more expensive speakers.

Amazon indicates that its list price has been reduced significantly to just $27.99.
See the discounted Omaker M4 speaker now on Amazon.To read this article in full or to leave a comment, please click here

Better authentication: Go get 'em, FIDO

Only a handful of industry associations accomplish what they set out to do.
In the security realm, I’ve always been a huge fan of the Trusted Computing Group.
It’s one of the few vendor organizations that truly makes computers more secure in a holistic manner. The Fast Identity Online (FIDO) Alliance is another group with lots of vendor participation that’s making headway in computer security.

Formed in 2012, FIDO focuses on strong authentication, moving the online world past less secure password logons and emphasizing safer browsers and security devices when accessing websites, web services, and cloud offerings.
Its mission statement includes the words “open standards,” “interoperable,” and “scalable” — and the organization is actually doing it.

Better, FIDO wants to do this in a way that’s so easy, users actually want to use the methods and devices. All FIDO authentication methods use public/private key cryptography, which makes them highly resistant to credential phishing and man-in-the-middle attacks.

Currently, FIDO has two authentication-specification mechanisms: Universal Authentication Framework (UAF), a “passwordless” method, and Universal Second Factor (U2F), a two-factor authentication (2FA) method.

The last method may involve a password, which can be noncomplex, because the additional factor ensures the overall strength.

FIDO authentication must be supported by your device or browser, along with the authenticating site or service. With UAF, the user registers their device with the participating site or service and chooses to implement an authentication factor, such as PIN or biometric ID. When connecting to the site or service, or conducting a transaction that requires strong authentication, the device performs local authentication (verifying the PIN or biometric identity) and passes along the success or failure to the remote site or service. With U2F, an additional security device (a cellphone, USB dongle, or so on) is used as the second factor after the password or PIN has been provided. The public/private key cryptography used behind the scenes is very reminiscent of TLS negotiations.

Both the server and the client have a private/public key pair, and they only share the public key with each other to facilitate authentication over a protected transmission method. The web server’s public key is used to send randomly created “challenge” information back and forth between the server and client.

The client’s private key never leaves the client device and can be used only when the user physically interacts with the device. FIDO authentication goes much further than traditional TLS.
It links “registered” devices to their users and those devices to the eventual websites or services.

Traditional TLS only guarantees server authentication to the client. One authentication device can be linked to many (or all) websites and services.

A nice graphical overview of the FIDO authentication process can be found here. Google Security Keys Google recently touted the success of its physical, FIDO-enabled “Security Keys” in a new whitepaper.

Google’s Security Keys are supported in the Chrome browser (using JavaScript APIs) and by Google’s online services. Several vendors make the physical, tamperproof Security Keys.

The versions touted in the paper are small, USB-enabled dongles with touch-sensitive capacitors that act as the second factor.

Each dongle has a unique device ID, which is registered to the user on each participating website.

The public cryptography is Elliptical Curve Cryptography (ECC), with 256-bit keys (aka ECDSA_P256) and SHA-256 for signing. Google tested its Security Keys by giving them to more than 50,000 employees and made them an option for Google online service customers.

Google’s results? Zero successful phishing, faster authentication, and lower support costs—can’t beat that.

The only negative was the one-time purchase cost of the devices, although Google says consumers should be able to buy Security Key devices for as little as $6 each.

That’s not bad for greater peace of mind. FIDO updates FIDO recently announced the 1.1 version of its specification.
It includes support for Bluetooth Low Energy, smartcards, and near-field communications (NFC).

FIDO authentication can already be used by more than 1.5 billion user accounts, including through Dropbox, GitHub, PayPal, Bank of America, NTT DoCoMo, and Salesforce.
Six of the top 10 mobile handset vendors already support FIDO, at least on some devices; mobile wallet vendors say they will participate as well. The 2.0 version of the FIDO specification is already in the works.

FIDO 2.0 is partitioned into two parts: the Web Authentication Spec, which is now in the W3C Web Authentication working group; and the remaining parts, including remote device authentication—which should allow you, for example, to unlock your workstation with your cellphone. Reducing the use of stolen credentials takes a big bite out of online crime.
I can only hope that the web continues to adopt the FIDO authentication standards as fast as possible.

After years of previous attempts at similar initiatives, this one looks posed for broad success.

Op-ed: Why I’m not giving up on PGP

Aurich Lawson / Thinkstockreader comments 25 Share this story Neal H. Walfield is a hacker at g10code working on GnuPG.

This op-ed was written for Ars Technica by Walfield, in response to Filippo Valsorda's "I'm giving up on PGP" story that was published on Ars last week. Every once in a while, a prominent member of the security community publishes an article about how horrible OpenPGP is. Matthew Green wrote one in 2014 and Moxie Marlinspike wrote one in 2015.

The most recent was written by Filippo Valsorda, here on the pages of Ars Technica, which Matthew Green says "sums up the main reason I think PGP is so bad and dangerous." In this article I want to respond to the points that Filippo raises.
In short, Filippo is right about some of the details, but wrong about the big picture.

For the record, I work on GnuPG, the most popular OpenPGP implementation. Forward secrecy isn't always desirable Filippo's main complaint has to do with OpenPGP's use of long-term keys.
Specifically, he notes that due to the lack of forward secrecy, the older a key is, the more communication will be exposed by its compromise.

Further, he observes that OpenPGP's trust model includes incentives to not replace long-term keys. First, it's true that OpenPGP doesn't implement forward secrecy (or future secrecy).

But, OpenPGP could be changed to support this. Matthew Green and Ian Miers recently proposed puncturable forward secure encryption, which is a technique to add forward secrecy to OpenPGP-like systems.

But, in reality, approximating forward secrecy has been possible since OpenPGP adopted subkeys decades ago. (An OpenPGP key is actually a collection of keys: a primary key that acts as a long-term, stable identifier, and subkeys that are cryptographically bound to the primary key and are used for encryption, signing, and authentication.) Guidelines on how to approximate forward secrecy were published in 2001 by Ian Brown, Adam Back, and Ben Laurie.

Although their proposal is only for an approximation of forward secrecy, it is significantly simpler than Green and Miers' approach, and it works in practice. As far as I know, Brown et al.'s proposal is not often used. One reason for this is that forward secrecy is not always desired.

For instance, if you encrypt a backup using GnuPG, then your intent is to be able to decrypt it in the future.
If you use forward secrecy, then, by definition, that is not possible; you've thrown away the old decryption key.
In the recent past, I've spoken with a number of GnuPG users including 2U and 1010data.

These two companies told me that they use GnuPG to protect client data.

Again, to access the data in the future, the encryption keys need to be retained, which precludes forward secrecy. This doesn't excuse the lack of forward secrecy when using GnuPG to protect e-mail, which is the use case that Filippo concentrates on.

The reason that forward secrecy hasn't been widely deployed here is that e-mail is usually left on the mail server in order to support multi-device access.
Since mail servers are not usually trusted, the mail needs to be kept encrypted.

The easiest way to accomplish this is to just not strip the encryption layer.
So, again, forward secrecy would render old messages inaccessible, which is often not desired. But, let's assume that you really want something like forward secrecy.

Then following Brown et al.'s approach, you just need to periodically rotate your encryption subkey.
Since your key is identified by the primary key and not the subkey, creating a new subkey does not change your fingerprint or invalidate any signatures, as Filippo states.

And, as long as your communication partners periodically refresh your key, rotating subkeys is completely transparent. Ideally, you'll want to store your primary key on a separate computer or smartcard so that if your computer is compromised, then only the subkeys are compromised.

But, even if you don't use an offline computer, and an attacker also compromises your primary key, this approach provides a degree of future secrecy: your attacker will be able to create new subkeys (since she has your primary key), and sign other keys, but she'll probably have to publish them to use them, which you'll eventually notice, and she won't be able to guess any new subkeys using the existing keys. Enlarge / Circuit Benders and more at the 2011 Doo Dah Parade. Sheyneinlalaland Physical attacks vs. cyber attacks So, given that forward secrecy is possible, why isn't it enabled by default? We know from Snowden that when properly implemented, "encryption … really is one of the few things that we can rely on." In other words, when nation states crack encryption, they aren't breaking the actual encryption, they are circumventing it.

That is, they are exploiting vulnerabilities or using national security letters (NSLs) to break into your accounts and devices.

As such, if you really care about protecting your communication, you are much better off storing your encryption keys on a smartcard then storing them on your computer. Given this, it's not clear that forward secrecy is that big of a gain, since smartcards won't export private keys.
So, when Filippo says that he is scared of an evil maid attack and is worried that someone opened his safe with his offline keys while he was away, he's implicitly stating that his threat model includes a physical, targeted attack.

But, while moving to the encrypted messaging app Signal gets him forward secrecy, it means he can't use a smartcard to protect his keys and makes him more vulnerable to a cyber attack, which is significantly easier to conduct than a physical attack. Another problem that Filippo mentions is that key discovery is hard.
Specifically, he says that key server listings are hard to use.

This is true.

But, key servers are in no way authenticated and should not be treated as authoritative.
Instead, if you need to find someone's key, you should ask that person for their key's fingerprint. Unfortunately, our research suggests that for many GnuPG users, picking up the phone is too difficult. So, after our successful donation campaign two years ago, we used some of the money to develop a new key discovery technique called the Web Key Directory (WKD).

Basically, the WKD provides a canonical way to find a key given an e-mail address via HTTPS.

This is not as good as checking the fingerprint, but since only the mail provider and the user can change the key, it is a significant improvement over the de facto status quo. WKD has already been deployed by Posteo, and other mail providers are in the process of integrating it (consider asking your mail provider to support it). Other people have identified the key discovery issue, too. Micah Lee, for instance, recently published GPG Sync, and the INBOME group and the pretty Easy privacy (p≡p) project are working on opportunistically transferring keys via e-mail. Signal isn't our saviour Filippo also mentions the multi-device problem.
It's true that using keys on multiple devices is not easy. Part of the problem is that OpenPGP is not a closed ecosystem like Signal, which makes standardising a secret key exchange protocol much more difficult. Nevertheless, Tankred Hase did some work on private key synchronisation while at whiteout.io.

But, if you are worried about targeted attacks as Filippo is, then keeping your keys on a computer, never mind multiple computers, is not for you.
Instead, you want to keep your keys on a smartcard.
In this case, using your keys from multiple computers is easy: just plug the token in (or use NFC)! This assumes that there is an OpenPGP-capable mail client on your platform of choice.

This is the case for all of the major desktop environments, and there is also an excellent plug-in for K9 on Android called OpenKeychain. (There are also some solutions available for iOS, but I haven't evaluated them.) Even if you are using Signal, the multi-device problem is not completely solved.

Currently, it is possible to use Signal from a desktop and a smartphone or a tablet, but it is not possible to use multiple smartphones or tablets. One essential consideration that Filippo doesn't adequately address is that contacting someone on Signal requires knowing their mobile phone number. Many people don't want to make this information public.
I was recently chatting with Jason Reich, who is the head of OPSEC at BuzzFeed, and he told me that he spends a lot of time teaching reporters how to deal with the death and rape threats that they regularly receive via e-mail.

Based on this, I suspect that many reporters would opt to not publish their phone number even though it would mean missing some stories.
Similarly, while talking to Alex Abdo, a lawyer from the ACLU, I learned that he receives dozens of encrypted e-mails every day, and he is certain that some of those people would not have contacted him or the ACLU if they couldn't remain completely anonymous. Another point that Filippo doesn't cover is the importance of integrity; he focused primarily on confidentiality (i.e., encryption).
I love the fact that messages that I receive from DHL are signed (albeit using S/MIME and not OpenPGP).

This makes detecting phishing attempts trivial.
I wish more businesses would do this. Of course, Signal also provides integrity protection, but I definitely don't want to give all businesses my phone number given their record of protecting my e-mail address. Moreover, most of this type of communication is done using e-mail, not Signal. I want to be absolutely clear that I like Signal. When people ask me how they can secure their communication, I often recommend it.

But, I view Signal as complementary to OpenPGP.

First, e-mail is unlikely to go away any time soon.
Second, Signal doesn't allow transferring arbitrary data including documents.

And, importantly, Signal has its own problems.
In particular, the main Signal network is centralised, not federated like e-mail, the developers actively discourage third-party clients, and you can't choose your own identity.

These decisions are a rejection of a free and open Internet, and pseudononymous communication. In conclusion, Filippo has raised a number of important points.

But, with respect to long-term OpenPGP keys being fatally flawed and forward secrecy being essential, I think he is wrong and disagree with his compromises in light of his stated threat model.
I agree with him that key discovery is a serious issue.

But, this is something that we've been working to address. Most importantly, Signal cannot replace OpenPGP for many people who use it on a daily basis, and the developers' decision to make Signal a walled garden is problematic.
Signal does complement OpenPGP, though, and I'm glad that it's there. Neal H. Walfield is a hacker at g10code working on GnuPG. His current project is implementing TOFU for GnuPG.

To avoid conflict of interests, GnuPG maintenance and development is funded primary by donations. You can find him on Twitter @nwalfield.
E-mail: neal@gnupg.org OpenPGP: 8F17 7771 18A3 3DDA 9BA4 8E62 AACB 3243 6300 52D9 This post originated on Ars Technica UK

FIDO Authentication Standards Provide Security Efficiency for Google

Google researchers publish a study based on two-years of Security Keys usage and determine that improved security, reliability and lower costs are the result. In a new two-year research study, Google researchers have concluded that the use of the FIDO ...