YubiKeys demystified

When I saw the Bloodhound developer use his YubiKey at Black Hat to access GitHub (in front of hundreds of people), I knew then I had to get a YubiKey of my own!

This article documents some of the initial “hands-on” experience – with accompanying comments and conclusions.


LastPass, Duo, Google “Push” for 2FA

Came back from Black Hat / Defcon all fired up about 2FA (“Two-Factor Authentication”).

I was particularly impressed when the Bloodhound developer used his YubiKey to access GitHub in front of all the hackers, er, security people.

So decided to take a quick look at LastPass, Duo, as well as Google’s new Push 2FA. The result is this 3-part series.

LastPass (or is it LostPass?)

LastPass has a great password management function. But would a better name have been “LostPass”? This article takes a quick look.

Duo: Here-a-Push, There-a-Push, Everywhere a Push-Push

Duo innovated with their 2FA (“Two-factor Authentication”) using mobile Push notification.

Although Duo’s primary focus is corporate, they have a great “freemium” version that is useful for SMBs as well as individual users.

This article takes Duo out for a test drive and takes a technical dive into Duo SSH configuration.


Black Hat USA 2016 and defcon 24 - The Last Word

This year's BH and Defcon were historic. Nothing less.

It was truly "The Rise of the Machines".

defcon 24 - Notes for Friday 2016-8-06

Defcon sure has changed since the last time I was there.
This blog post has my notes from defcon 24 Friday 2016-8-06.


defcon 24 - Notes for Saturday 2016-8-06

Here are my notes from Defcon 24 for Saturday 2016-8-07.

You should check out the new Bloodhound graph tool for analyzing MS AD architecture. From the Empire folks. Wow! See my notes below for more details and the link.