Thursday, March 19, 2009

YubiKing Contest is over

Well, Yubico has announced the winners of the YubiKing 2009 contest, and they were: Idoneus's Maventa, Collective Software's AuthLite, and KeyGenius, written by Dain Nilsson.

Congratulations to those three!

Obviously Enano didn't win, but we did get mentioned in the Security Now! podcast (episode 188, for future reference), so maybe more people will be aware of the Enano CMS project.

More details on the now completed contest are available at the Yubico wiki.

Monday, March 09, 2009

LinuxJournal's contest - Prize: Free 1yr subscription!

If you follow the Linux world, then you will be aware of a few of the magazines out there dedicated to Linux enthusiasts. Linux Journal is the oldest magazine dedicated to the Linux system and to open source related to Linux. Its very first article was an interview with Linus Torvalds in 1994.

Now, on to the good stuff! This week, they are running a contest. Watch the daily "TechTip" videos this week and collect the secret letters that the hosts announce in each video. On Friday, unscramble the letters to reveal the secret word(s), respond with what you believe to be the answer by 11:59:59 PM US Central Standard Time, and see if you win! Those who guess right will get a free one-year subscription to Linux Journal magazine!

More information is available here.

Wednesday, March 04, 2009

The Linux Action Show! is BACK, and better than ever before!

Alright! The Linux Action Show! has returned! This is a great podcast. If you have never seen or heard of the Linux Action Show! before, let me give you a rundown of the awesomeness of it!

Bryan Lunduke and Chris Fisher are the hosts of the show. They cover the news of the week/month/etc. since the previous episode, and comment on it. They give advice, they review software, and they also take questions from listeners/viewers and respond to them in the show. It is funny, informative, and a great quality podcast. 

Linux Action Show! is different because they are full of awesome! They are quite upbeat. Although they are a bit childish, the childishness helps make the show better, because really, who wants to listen to something that is dull and completely adult-sounding (like a board meeting)? Jokes are flung left and right, with a bit of seriousness speckled in among the jokes. Bryan is often prone to rants that are surprisingly informative, while Chris is good at analyzing the news he reads off the docket. Both of them are quite friendly, and I would definitely recommend this show to anyone!

Monday, March 02, 2009

Yubikeys and Enano?

Enano CMS, a project that I am involved in, has recently announced Yubikey support through a plugin in the latest development versions. Now, most, if not all, people who read this blog may not have a clue about why Yubikey support is so special. After all, it's just another authentication method, right? Wrong!

Let me start this off with a little history on Enano CMS for those who don't know what it is. Enano CMS is a CMS that was started by Dan Fuhry to replace the antiquated web page setup on the Experience UI project. Well, he was also spurred on by me; I joined him later because I had some bad experiences with Drupal and phpBB Fully Modded. Each of these projects had good and bad things, though.

Drupal is incredibly modular, but it had a rather clumsy UI at the time. I am told that the UI has been improved since then, but I digress. phpBB Fully Modded was chock full of features. Too many, in fact. However, it was the only truly reliable way of getting all the features needed working together. 

phpBB Fully Modded inherits all the security issues of phpBB, as well as some of its architecture faults. For example, in most web systems, people can write plugins that hook into the main software package to provide additional features. This is a limiting factor, but it is modular, allowing for easy removal and installation for testing purposes. phpBB does not have a plugin system. Developers of phpBB depend on a MOD extension system, which is quite literally what it says: modifying phpBB itself to add these features. Essentially, they were patches to phpBB. Dan and I saw a huge issue with this, especially after my phpBB site was literally destroyed by crackers over Thanksgiving Day in 2006.

Enano CMS was Dan's solution to these problems. He saw phpBB's poor handling of security as quite damning, but it was really the best supported solution out there as far as forums went. So, when he designed Enano, back then called Midget CMS (it was changed to Enano when it was discovered that another CMS package with that name already existed), he designed it with modularity and security in mind. Originally, it used regular old hash signatures, but it did not sanction actual code modification to extend functionality. An incredibly flexible plugin API was added to it for this purpose. Over time, the API was extended, and Enano's core was modified to increase security. For 1.0RC1, Enano's security was truly new. It used 192-bit industrial strength AES cryptography to secure logins. Diffie-Hellman was later added in 1.1.x development, and finally HMAC-SHA1. Both Diffie-Hellman and HMAC-SHA1 are currently in use in Enano CMS.

Also, after the first rewrite of Enano, the administration panel was heavily cleaned up and redone several times to make it simpler and much more intuitive for the new user. The resulting admin panel is quite easy for a new user to dive right into and use. Concepts from WordPress and phpBB were borrowed for the design of the admin panel, which is evident in its style. I got more involved with the project around the time of 1.0RC1 and started helping Dan figure out aspects of theming and UI to make sure that it was aesthetically pleasing as well as highly usable. The result was a quite nicely done system that additionally doubled as a wiki that could be secured using ACLs or numerous management shortcuts in the page tools.

Where does the Yubikey come into play here? Unsurprisingly, the security systems employed in Enano CMS make the Yubikey a rather good fit. Yubico, the company that developed and is marketing the Yubikey, designed the Yubikey system around HMAC, which Enano also uses. The result? Enano can take advantage of some of the more powerful features of the Yubikey One Time Password (OTP) system. Dan, the developer, fell in love with the idea of the Yubikey and the OTP system. I pushed him to implement support for the Yubikey in Enano's own authentication system. The end result? The smoothest and quite possibly the most secure way to log into a web system is available to anyone who uses Enano and owns a Yubikey. Enano, being as flexible as it is, can function as a blog, a podcast publishing site, a wiki, and a traditional CMS, among other things.

The Yubikey is special because it is a one time password system that does not require ANY special software on the local machine. It acts like a USB HID keyboard that simply types the OTP into the login form. Since it is, to a certain extent, merely a validation tool, the OTP system could be used for numerous things. The most popular use is for logins, but it could be a good replacement for CAPTCHAs on a company site where access for everyone is not necessary. The sky is the limit with a Yubikey!
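To show what the server side of that "validation tool" actually has to check once the OTP has been typed in, here is an added Python example (not Enano's plugin nor Yubico's code). It uses Yubico's published OTP format (modhex alphabet, 16-byte token layout, CRC residue 0xf0b8) and assumes the 16-byte ciphertext has already been decrypted with the key's AES-128 secret; the constructed `build_token` stands in for that decryption step.

```python
import struct

MODHEX = "cbdefghijklnrtuv"   # Yubico's keyboard-layout-independent hex alphabet (c=0 ... v=15)


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string (two chars per byte) into raw bytes."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex")
    return bytes(MODHEX.index(s[i]) * 16 + MODHEX.index(s[i + 1]) for i in range(0, len(s), 2))


def split_otp(otp: str):
    """A 44-char OTP = 12 modhex chars of public ID + 32 chars (16 bytes) of AES-128 ciphertext."""
    if len(otp) != 44:
        raise ValueError("unexpected OTP length")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])


def crc16(data: bytes) -> int:
    """CRC-16 (ISO 13239, reflected poly 0x8408, init 0xffff); a valid token leaves residue 0xf0b8."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            low = crc & 1
            crc >>= 1
            if low:
                crc ^= 0x8408
    return crc


def build_token(uid: bytes, power_up_ctr: int, session_use: int, rnd: int = 0x1234) -> bytes:
    """Constructed decrypted token (what AES decryption of a real OTP yields):
    uid(6) | power-up counter(2, LE) | timestamp(3) | use-in-session(1) | random(2) | crc(2, LE)."""
    body = uid + struct.pack("<HHBBH", power_up_ctr, 0, 0, session_use, rnd)
    return body + struct.pack("<H", (~crc16(body)) & 0xFFFF)


def validate_token(token: bytes, expected_uid: bytes, last_seen: dict, public_id: bytes) -> str:
    """Check a decrypted token: CRC residue, private ID, then counter monotonicity against replay."""
    if len(token) != 16 or crc16(token) != 0xF0B8:
        return "bad-crc"                      # corrupted, or decrypted with the wrong AES key
    power_up, _tlo, _thi, use, _rnd, _crc = struct.unpack("<HHBBHH", token[6:])
    if token[:6] != expected_uid:
        return "bad-uid"                      # private ID does not match the enrolled key
    power_up &= 0x7FFF                        # counter is 15 bits; the high bit is reserved
    if (power_up, use) <= last_seen.get(public_id, (-1, -1)):
        return "replayed"                     # same or older OTP than one already accepted
    last_seen[public_id] = (power_up, use)    # persist the high-water mark per key
    return "ok"
```

The replay check is what makes a captured OTP worthless: once a (power-up counter, use) pair has been accepted, anything at or below it is rejected for that public ID.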

More information here.