I was about to ask for his password when I noticed the only spots not covered in ashes on his keyboard were the W, S, C, B, U, N, and I keys. Knowing he was a die-hard Chicago Cubs fan, it took me one try to guess the password: cubswin.
It was a nasty job but he was a good friend so I got his machine all straightened out for him without judgement.
The things I do for beer...
https://news.ycombinator.com/item?id=17416298 says "no Windex, as tempting as it might be!"
Wouldn't it be easier to just set up a regular video camera, which can be the size of a jacket button?
Many people have expressed this sentiment. By all means we should be using two-factor authentication everywhere. But what, besides a password, has the critical property of residing entirely within your mind and not being obtainable without your cooperation (barring issues like this)?
Physical tokens can be stolen. Biometrics can be obtained and forged, or physically coerced. Authenticating via a secondary device (such as a phone) just moves the problem to "how do you authenticate to that device".
On the other hand, if you ever type in your password in a place where someone can record you, someone could figure out your password, or at least get enough information to make it easier to brute-force your password.
Short of a challenge-response scheme that you can compute entirely within your mind without scratch materials, what could we use that would address both problems? Something that can't simply be stolen or used without your cooperation, but that also isn't potentially disclosed in reusable form every time you use it?
(Nope. My Nexus 5X unlocks no matter the orientation of my finger)
and references this 2011 UCSD paper
Heat of the moment: characterizing the efficacy of thermal camera-based attacks
So not sure what the Thermanator folks are adding here...
EDIT: Thermanator paper cites the UCSD research, focuses on qwerty keyboards, updated technology for thermal cameras, comparisons to other attack vectors for public password entry (when you are at coffee shop, airport, ATM etc.).
Are our jobs really this dull that we have to give our projects stupid Hollywood names?
What if you could say "Yeah boss, Thermanator is complete and ready to be unleashed." and mean it?
I spent thirty years turning in shit like "PrimitiveSpoofAttackDHCP" and "TCPThreadPoolFlooder", but now I'm realizing I could've been writing Bond villain superweapons all this time.
Nothing but noise to a thermal camera...
Sorry, it sounds like a really good idea, but it just doesn't work very well in practice.
The user's fingers don't sit on the keys long enough to transfer enough heat to last. Just use a standard video camera if this is your thing.
now please enter your non-SMS two-factor authentication code
I wonder what other security issues / lessons I internalized from that game...
There is also thermochromic ink, e.g. a grey ink that changes to colourless at 15C. http://www.smarol.com/Ultraviolet-Fluorescent-Powder.html
At this point, I don't think it is viable to pretend that long lifetime secrets, like your bank PIN, are safe if entered into hundreds of different keypads in insecure settings.
That paper is actually cited in this work. They don't discuss the novelty of their approach compared to this though. Just a bigger search space due to more keys?
I doubt it's much use on computers, but imagine someone rigging a candid infrared camera across the street from an ATM. You'd block the camera's view while typing, but then you leave and it's game over.
same thing goes, but they're rarely made of metal
and then a dozen different iterations since then.
In that (highly contrived) situation, this attack is useful, since all you'd need is a quick thermal pic, no longer recording needed.
With that in mind, a TOTP solution probably won't help: most systems that use 2FA will allow two adjacent codes to be considered valid to cope with "minor" clock drift. If you're already using the computer 1 minute after the real owner has left, it is possible you could reuse any valid code, if you captured it.
In general you should store the most recently accepted counter (or epoch timestamp) and never allow travel back in time. That allows for clock drift, if the time between authentication attempts is less than the otherwise accepted drift.
I don't see this. Note that it's not about rate limiting unsuccessful attempts (which obviously should be done to some extent) but about not allowing the valid OTP to be used twice. In the worst case, once the user logged in he can't log in from another device for 60s. Not a huge limitation. Also, AFAIK 30s rotation of the OTP is more common/standard.
An attacker could just stick a camera into a dark corner of a room and have it run perpetually. Video exfiltration might be an issue but certainly not insurmountable.
RE: your second point: that's true, but the point of TOTPs is that they expire before they can realistically be guessed (assuming rate limiting on the TOTP server).
It implies the ability to, with enough prep time ahead of the actual physical access, inject malware through a physical interface (USB flash drive, rogue peripheral/HID, directly interfacing with an existing HID device), among others.
Edit: and in this case it includes planting cameras and other recording devices which can be assumed to have effectively limitless video/audio resolution.
Edit: my bad, IR doesn't go through most glass material. Still, laptops are commonly used in public, and through lenses or otherwise, your password can be leaked. That's worrying enough to stop the "physical access means total access" adage in this thread.
Basically double that of high end SLR lenses.
I always figured this could be an attack someday. But didn't know the tech was cheap enough/sensitive enough yet. I need to start being more paranoid.
It's a hygiene and security best practice.
(I have worked for over 10 years with thermal cameras and know the limits)