Dr. Hax
d30ea98ea65e953f91ab93f6b30ea51eb33c506f87d49f600a139aef00aa9511
Cypherpunk. Infosec veteran of about 15 years (vulnerability research, exploit development and cryptography). Cypherpunks write code. :-) Signet maintainer. Self-custody your passwords... in hardware! https://hax0rbana.org/signet Want to see wider adoption so Bitcoin can be used as digital cash and not just an investment vehicle. XMR: 44RDkTFmTeSetwAprJXnfpRBNEJWKvA5dBH5ZVXA4DofgoZ9AgjyZdSa2fo7pMD3Qe3pdKga8X22y3Lyn1xYde5kPQPzVUu

A yubikey can only store one password, so you can't use it to log into accounts that take passwords, enter passwords to decrypt files and so forth. It does second factor auth, FIDO2 auth and things of that nature.

#Signet does store passwords (and other secrets like seed phrases, answers to security questions, and so forth).

The current firmware doesn't have the ability to sign nostr notes, but that could be added. Plus, it's open source so you don't need my permission to patch that feature in. 🙂

#Signet is an open source project, so we don't have a well funded marketing department. We have me, posting notes on nostr, trying to spread the good word that there are non-corporate, non-centralized, hardware based solutions to password management. ✊

I keep mine on my keychain and don't lose my keys for very long. It's also backed up on a hard drive in the safe. If it got lost, I could restore it to a new device and be good to go. Thanks for the feedback.

Yeah, even normal international shipping is pretty painful and expensive. Just shipping from the US to Canada can cost almost as much as the device.

I'd be happy to have someone in various regions to help with the shipping. It'd be great to ship a batch to Europe and only have to deal with customs, VAT and all that bureaucracy once.

KeepassXC really is great. KeepassDX too.

It's hard to say since I've never seen one go bad. I've had mine since 2019 and use it every day. The button is rated for 1,000,000 cycles. I tried to find something about the STM32 lifecycle from the data sheet, but couldn't find anything.

So all I can say for sure is at least 5 years.

It's just a password manager (although, with some firmware and client tweaks, it could be a signing device), and only $45.

I've never heard of moolti-pass before but it looks legit! The whole knocking on wood thing is weird, but they seem legit about being open source, as opposed to being like most companies that claim to be open source because one component is open source. I saw mooltipass has published kicad files.

Thanks for the feedback. I'm working on a model with USB-C now. 😀

One advantage over bitwarden is that the backup file can be stored offline and the device provides physical control of the passwords. Nothing has to be on an always online server.

I might add a comparison between bitwarden and Signet. I do like BitWarden and look forward to setting up a self-hosted version for an organization that I'm part of. That'll give me a deeper understanding of their internals so I can better compare and contrast.

I see the OnlyKey has software that runs on the computer, is that optional? How would you choose which password you want to have it type in without any software?

Replying to Dr. Hax

I'm about to put #Signet devices on #sale. Actually no, not sale, I'm just going to lower the price on my store, where people pay in #bitcoin. #Fiat prices will remain the same.

https://hax0rbana.org/signet to buy, but might as well wait until tomorrow when the price drops.

#security #infosec #cyber #cybersec #cybersecurity #OpenSource #hardware #privacy

For people who have NOT joined the #Signet project, nor bought a device. I want to hear from you.

Too expensive ($45)?

Don't feel it's more secure than pure software?

Don't feel you can trust it?

Don't use a password database?

Not enough time to help (provide feedback, report bugs, contribute code, etc.)?

What's holding you back and how can we fix it?

nostr:nevent1qqsghrl3tzvevjv0sm443knqaunr4xzxlv0laqm3yxl9mteqvqddxvqpzpmhxue69uhkummnw3ezumt0d5hsygxnp65cafj7j5ler2un76esafg7kv79qmu86j0kqzsnnthsp254zypsgqqqqqqs03jlt9

Was able to flash it successfully on the first try.

Had to rework it once to address a short with the button, but my guide on what component to look at for the specific problem (button doesn't work) made the rework 10x less frustrating, and faster too.

Now if there were more interest in the #Signet project, I think I'd be able to better keep up with demand.

nostr:nevent1qqs8zt8uzw2p7qfek77zzxwfkft540scwwj35g0hsnvlxe44wh5fwlgpzpmhxue69uhkummnw3ezumt0d5hsygxnp65cafj7j5ler2un76esafg7kv79qmu86j0kqzsnnthsp254zypsgqqqqqqsr99ulp

Working on another prototype for #Signet #Saturday

Pro tip: don't proactively add a droplet of flux to surface mount soldering. While it seems like a good idea, it will boil off and cause resistors and capacitors to go flying. Even a switch got misaligned and the CPU was jumping up and down in my case!

If you believe MasterCard, it's Recorded Future.

Personally, I feel like that's asking who has the best lead balloon. It's not that it's completely impossible to get value there, but it's misguided.

I feel it'd be better to look at the processes that cause vulnerabilities, the vulnerabilities themselves and defenses to immediately detect and respond to problems.

As compared to CTI, which focuses on the payload that was used to exploit them, at best, or at worst: surfing message boards looking for people bragging about hacks or selling information obtained.

It works by storing your passwords and any other data you put in there encrypted (aes256-cbc) on the persistent storage. The device does not contain the secret key and there is no secure element, by design.

The device password is used to generate the key to decrypt the storage. https://gitlab.hax0rbana.org/signet/signet-base/-/blob/trunk/firmware/commands.c#L411

The password is hashed by scrypt to generate the key. https://gitlab.hax0rbana.org/signet/signet-client/-/blob/trunk/client/signetapplication.cpp#L213

As for has it been audited, well, yes and no. If your definition of an audit is that someone who did not write the code reviewed it for security, and this reviewer was experienced in cryptographic audits, then yes. If you mean, were they paid for their work, and did they write up a report, then no.

Also, I am the person who did the audit, because I wasn't going to trust the device without doing a code review first. So there's some bias here in me saying it's audited, but I didn't design or implement the code. I'm merely the maintainer of all software and firmware and the builder of hardware.

By not having a secure element that stores some secret, it means there's no secure element that needs to be audited (which is good because they're difficult to audit and nearly impossible to get access to in order to do the audit). It also makes it easier to backup & restore the device. The trade-off here is that it means offline attacks are possible. If you choose a weak password, it'd be possible to brute force if someone got a backup of your device. So, yeah, a 6 digit PIN isn't going to cut it here.

"People who hate negative numbers will stop at nothing to avoid them."

Via: https://infosec.exchange/@catsalad/110983599919373020

Being at a worker coop conference got me thinking about some big problems.

Why do companies (esp big tech) keep screwing over customers and employees? Because they need to grow every year?

Why do they need this infinite growth? At a minimum, to keep up with inflation. If they made the same amount of dollars next year, that's less money in real terms.

Why don't we just get rid of inflation, which also drives a lot of the consumerism we see?

And there's the rub, in a single post.

Hint: it has to do with debt...


Spotted in #chicago. The best part about this sticker is that's the transunion building in the background.

Am I lying? Come check it out for yourself. South Clinton, between Monroe and Adams. #ProofOfWork

That album is beautifully followed up by the year zero remixes album. The remixes are better than the originals in that case!