posted by azrael on Sunday November 09 2014, @11:08PM
from the shut-up-and-take-my-money dept.

A little less than a year ago HackADay featured the start of a world-wide collaboration around an open source offline password keeper, the Mooltipass. The device enumerates as a keyboard and uses a PIN-locked smartcard to read an AES-256 key required to decrypt its credentials database. All password-access operations must be approved on its physical user interface to prevent impersonation.

Now that its beta-testing phase is over, the Mooltipass crowdfunding campaign is live and has already reached 44% of its $100k goal in less than four days.

Related Stories

Swiss Crowdfund Pays for Signed PDFs in LibreOffice 13 comments

The European Union's interoperability page reports:

In just three days, the Swiss open source community Wilhelm Tux reached its crowdfunding target of 10,000 CHF (about 8000 euro) to add support for digital signatures in PDF documents. The feature will be added to LibreOffice, a free and open source suite of office productivity tools. The project is awarded to Collabora, an open source IT service provider, which will deliver the new functionality in April.

The Swiss open source group began raising funds on 13 October. The campaign will allow users of LibreOffice to create PDF documents with digital signatures conforming to PDF/A signature standards. This is a requirement for creating PDF documents that can be legally binding.

Electronically signed PDFs can be legally binding when the signature is accompanied by a timestamp, explains Markus Wernig, the group's chairman. The open source group hopes to be able to fund this as well, if further donations come in.

The idea for the crowdfunding campaign was conceived at the LibreOffice Conference, which took place in Bern in early September. The open source group writes that a discussion on the feature attracted a lot of interest at the conference. "Digital signatures are important for being able to verify the authenticity of a document."

[...] The past few years, Swiss, German, and French public administrations have paid for comparable software development projects to improve open source office productivity.

Have any Soylentils been involved in FOSS development work where there was a bounty?

Crowdfunding Patent-Free Cancer Drugs 9 comments

Chemist and “semi-recreational” codemonkey Isaac Yonemoto is running a crowdfunding campaign called Project Marilyn to create open sourced, patent-free cancer drugs.

Yonemoto proposes a $75,000 stretch goal to fund an experiment he hopes will prove we can use a compound sequenced from microscopic bug cultures to treat cancer.

It’s a plan that could liberate pharmaceuticals and dramatically lower the cost of anticancer medicine. The global market for these drugs surpassed $1 trillion this year. The average monthly cost of a brand-name cancer drug in the U.S. is about $10,000, according to the IMS Institute for Healthcare Informatics.

This discussion has been archived. No new comments can be posted.
  • (Score: 2) by frojack on Sunday November 09 2014, @11:40PM

    by frojack (1554) on Sunday November 09 2014, @11:40PM (#114369) Journal

    Yubico.com has several varieties with different capabilities that are a lot smaller. [yubico.com]

    They can be used in a variety of ways; the simplest is simply a totally offline one. They have other versions with more capabilities, but all support FIDO U2F (Universal Second Factor), which requires no on-line server.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 4, Informative) by Popeidol on Monday November 10 2014, @01:00AM

      by Popeidol (35) on Monday November 10 2014, @01:00AM (#114382) Journal

      I feel you may have misunderstood what it actually does. It's primarily a physical password storage tool: you plug it in, authenticate yourself, and then it acts as a keyboard to push your usernames and passwords. The Yubikey seems to fill a different niche.

      There may be similar products out there but I don't know anything that hits this balance of convenience vs security: two factor authentication, open source, cross-platform, and completely offline. If you can make that even vaguely user friendly there's a market for it.

      • (Score: 1, Troll) by Nerdfest on Monday November 10 2014, @02:19AM

        by Nerdfest (80) on Monday November 10 2014, @02:19AM (#114389)

        The Google 2 factor that is currently in the news is the same, but there's big value in an open-source tool. Because of the NSA, you really can't trust US companies. It's not really their fault, but unfortunately they are left responsible.

        • (Score: 0) by Anonymous Coward on Monday November 10 2014, @09:39AM

          by Anonymous Coward on Monday November 10 2014, @09:39AM (#114460)

          How exactly is the parent Troll?

      • (Score: 2) by frojack on Monday November 10 2014, @02:33AM

        by frojack (1554) on Monday November 10 2014, @02:33AM (#114391) Journal

        Well, it's equally possible you've mistaken how Google uses the Yubico key for the only way it can be used.

        I got the cheap one, which is fairly limited, but I've looked at the open-source code, and the more expensive ones can do a LOT of different protocols.
        Some are pretty cool, including One Time Password generation, so a different password is transmitted each time you log in.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 0) by Anonymous Coward on Monday November 10 2014, @09:20AM

          by Anonymous Coward on Monday November 10 2014, @09:20AM (#114451)

          And how exactly does the web application on the other end recognize that the one-time password is indeed yours?
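The question above (how the far end knows a one-time password is yours) is answered in the generic case by a shared secret plus a counter, as in HOTP (RFC 4226): the token and the server each hold the same secret, the token hashes a counter with it at every button press, and the server checks the code against the next few counter values and then moves past the one it accepted. The following is an added example illustrating that principle in Go; it is not Yubico's own OTP format, whose details this thread does not describe, and the `Verifier` type, its look-ahead `window` and the six-digit length are choices made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Digits is the code length; RFC 4226 test vectors use six digits.
const Digits = 6

// HOTP computes the RFC 4226 one-time code: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation, then reduction to Digits digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", Digits, code%mod)
}

// Verifier is the relying party's side (a hypothetical type for this example):
// it holds the secret the token was provisioned with and the lowest counter
// value it is still willing to accept.
type Verifier struct {
	secret []byte
	next   uint64 // lowest acceptable counter value
	window int    // how far ahead the token may be (presses that never reached the server)
}

// NewVerifier provisions the server side with the token's secret.
func NewVerifier(secret []byte, window int) *Verifier {
	return &Verifier{secret: secret, window: window}
}

// Verify accepts a code only if it matches one of the next `window` counter
// values. On success the counter moves past the match, so a captured code
// cannot be replayed: the same six digits are never valid twice.
func (v *Verifier) Verify(code string) bool {
	for i := 0; i < v.window; i++ {
		c := v.next + uint64(i)
		// hmac.Equal compares in constant time and rejects length mismatches.
		if hmac.Equal([]byte(HOTP(v.secret, c)), []byte(code)) {
			v.next = c + 1
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo using the RFC 4226 Appendix D test secret.
	secret := []byte("12345678901234567890")
	v := NewVerifier(secret, 3)
	first := HOTP(secret, 0)
	fmt.Println("token shows", first, "-> accepted:", v.Verify(first))
	fmt.Println("same code again (replay) -> accepted:", v.Verify(first))
}
```

The server can only do this because it shares the secret; the code alone proves nothing to a site that was never given it, which is why such tokens are tied to an account at enrolment time.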

  • (Score: 1) by jmorris on Sunday November 09 2014, @11:52PM

    by jmorris (4844) on Sunday November 09 2014, @11:52PM (#114370)

    We need something that could achieve widespread adoption and this can't. First clue is the word 'arduino'. Trying to work in an AVR MPU and that idiotic Arduino form factor just to check off a buzzword bingo box was probably required to attract the crowdfunding low-info tech types, but combined with the general over-engineering, again to appeal to the crowdfunders, it dooms any hope of widescale adoption.

    Forget the smartcard; just implement the whole thing in a single chip. The choice of an AVR is quite acceptable, as there are affordable units with USB, AES and enough security features to make cracking the key material about as difficult as attacking a smartcard. More importantly, they support touch as a native feature for simple buttons. So just a one-line LCD and ten-key for PIN entry. Do those things and it can get small and cheap. You would be limiting use to applications where a browser plugin or other auth helper could send a domain tag to the key, but a couple of responses could be worked into a one-line UI without it getting unusable.

    In quantity you need to be shooting for $15-$20; $70 isn't even in the ballpark.

    • (Score: 2) by fnj on Monday November 10 2014, @01:14AM

      by fnj (1654) on Monday November 10 2014, @01:14AM (#114383)

      We need something that could achieve widespread adoption

      Why? If this does the job, I couldn't care less if anybody else ever buys it.

      • (Score: 2) by frojack on Monday November 10 2014, @02:27AM

        by frojack (1554) on Monday November 10 2014, @02:27AM (#114390) Journal

        Too big. Too complex.

        My Yubico key fits on a keychain.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 1) by jmorris on Monday November 10 2014, @07:52AM

          by jmorris (4844) on Monday November 10 2014, @07:52AM (#114439)

          Slightly different problem space. Yubico only has a single button; it can confirm that the request that came over USB was expected, by a press by the user, but that is the extent of the validation possible. That gets you portable authentication on corporate workstations and the root key out of the user's normal storage where malware can harvest it, little more. The device under discussion here can store all of a user's passwords, getting all authentication out of the reach of malware... almost. Without also adding more than username/password, it can still all be harvested by longer-running malware. Adding OTP capability would of course be easy enough in theory. At the size of this thing, you might as well just develop it as an app and use a smartphone's touchscreen.

          My problem with it was it is over engineered and over buzzworded. See my other posts on that.

    • (Score: 2) by caseih on Monday November 10 2014, @05:11AM

      by caseih (2744) on Monday November 10 2014, @05:11AM (#114411)

      Why is the word "arduino" a clue that this can't be adopted widespread? Many people might not realize it, but "arduino" refers as much to the AVR programming framework and tools as it does to any particular board or chip. It's not just a 2-inch-square developer board that we've all heard about. Rather, it's an AVR programming framework and libraries that make development easy compared to plain C AVR programming, and can work with many chips with or without the arduino bootloader. I use arduino with many units, including the large arduino boards, the much smaller usb-stick-sized Teensy, and even the single-chip ATtiny. In fact, the Teensy boards are small enough to go in a USB stick (could be smaller except that they are prototype boards, so they have breakout pins) and they actually support USB keyboard natively, among other modes. So really arduino is just an environment to facilitate development. The software can then be flashed onto a miniature production device once debugging is complete. I'd say this is a common route. Use the breakout boards to prototype, then move to the real hardware. All without changing the software tools much.

      Also, the final hardware can be made in volume, and customized, and still run arduino-based code. So talking about the cost of arduino boards is irrelevant.

      • (Score: 1) by jmorris on Monday November 10 2014, @08:22AM

        by jmorris (4844) on Monday November 10 2014, @08:22AM (#114443)

        Why is the word "arduino" a clue that this can't be adopted widespread?

        Don't think I was as clear as I could have been. Using the 'Arduino' buzzword was a sign it was designed to appeal to the crowdfunding scene, which is almost entirely different than the mass-market product.

        Spare the pitch, I know exactly what Arduino is and isn't. It is three things:

        1. A hardware product. The happy 'mistake' that locked out every normal proto board and created a branded world of 'shields' that have to be custom designed 'for arduino'. Otherwise a totally bog standard reference board for an AVR device.

        2. A software product. Or, more accurately, a repackaging. As you note, ALL of the important parts existed years before anyone ever heard of 'Arduino': the compiler, the vast libraries, all of it. The only difference between a C program and a 'sketch' is a stub with main() in it. And instead of a proper build environment and IDE you get some Java foolishness. I certainly know I was playing with Atmel's AVR parts before I had ever heard the word.

        3. A branding campaign. This is the utter brilliance of the Arduino. For all of the vaunted 'rationality' in the nerd-o-sphere we appear no less susceptible to a slick marketing campaign than the masses when 'the powers that be' decide that Katy Perry is going to be a star.

        Use the breakout boards to prototype,

        Exactly. Breakout boards are required to work with most modern chips that are only available in SMT, but the basic Arduino is less useful than a breakout. It has non-standard pinout spacing, it has female plugs, and it is too wide for a breadboard. On the other hand, the basic AVR products are available in PDIP and can just plug into a breadboard. Add an Xtal and a pair of caps and light it up. When you have a working circuit, put it on a generic 0.1in-spacing blank board. None of that is all that difficult.

        • (Score: 2) by fnj on Monday November 10 2014, @03:10PM

          by fnj (1654) on Monday November 10 2014, @03:10PM (#114515)

          The only difference between a C program and a 'sketch' is a stub with main() in it.

          I am always nonplussed by the people who don't realize that their Arduino sketches are compiled by a C++ compiler, not a C compiler.

          • (Score: 2) by caseih on Monday November 10 2014, @03:53PM

            by caseih (2744) on Monday November 10 2014, @03:53PM (#114522)

            Sure, I know that my sketches are C++ too. But my point was that the Arduino framework and libraries make it very easy to develop embedded code, code which can run on nearly any AVR.

    • (Score: 1) by Daz on Monday November 10 2014, @05:13AM

      by Daz (2986) on Monday November 10 2014, @05:13AM (#114412)

      The mooltipass is not running Arduino code; it's straight AVR C code. The smart-card provides the AES key to ensure security for the credentials that are stored.

      The arduino support was added as an extra to support plug-in hardware modules to, for example, add NFC or bluetooth support.

  • (Score: 2) by cafebabe on Monday November 10 2014, @02:11AM

    by cafebabe (894) on Monday November 10 2014, @02:11AM (#114387) Journal

    I'll stick with paper. And if I may quote a film:-

    It's in that place where I put that thing that time.

    --
    1702845791×2
  • (Score: 2) by Snotnose on Monday November 10 2014, @04:11AM

    by Snotnose (1623) on Monday November 10 2014, @04:11AM (#114403)

    I've got a 22 char password (first letters of a phrase), mixture of upper/lower case, numbers, and characters (!@# etc). The file is on my laptop, my phone, my NAS, and a friend has a copy (and I've got a copy of hers).

    IMHO, the worst that can happen is I suffer a brain injury such that I don't remember the password; it isn't backed up anywhere.

    --
    When the dust settled America realized it was saved by a porn star.
    • (Score: 1) by Daz on Monday November 10 2014, @05:09AM

      by Daz (2986) on Monday November 10 2014, @05:09AM (#114410)

      I have about twenty sites with usernames and passwords that all differ. The mooltipass lets me have those credentials with me at home, at work, on the road.

      It may also support SSH keys, one-time pads and credit card details in the near future.

      • (Score: 2) by Snotnose on Monday November 10 2014, @05:26AM

        by Snotnose (1623) on Monday November 10 2014, @05:26AM (#114414)

        I've got about 20 sites, 3-4 I care about that have different logins/passwords, and the rest are like SN and /.. Wanna snarf my fark credentials? Knock yourself out. Wanna snarf my bank account? Good luck with that, it's got a modern username and password combo that gets updated regularly.

        --
        When the dust settled America realized it was saved by a porn star.
        • (Score: 0) by Anonymous Coward on Monday November 10 2014, @06:54AM

          by Anonymous Coward on Monday November 10 2014, @06:54AM (#114428)

          Why not have secure passwords for everything? With password management apps and this kind of thing there's no reason not to.

          • (Score: 4, Insightful) by stormwyrm on Monday November 10 2014, @07:40AM

            by stormwyrm (717) on Monday November 10 2014, @07:40AM (#114437) Journal

            This. You never know what kind of creative stuff miscreants can do using the credentials even for innocuous-looking sites. A hacked account here can be used to post spam, at the very least. Sites also tend to evolve and you never know in what ways they can become interdependent if they aren't so already. Back in 2006 I might have considered Facebook a throw-away site whose security was unimportant. Not so today, given how it's being used: the consequences of an account breach like that would be very high. If you use a password manager then why the hell not use strong passwords for everything? You don't need to remember the strong password yourself anyway, so cognitively it costs you more to use a weak password on some sites you consider throw-away: what happens if you forget the "weak" password? The whole point of using a password manager is so that you need only remember one password.

            --
            Numquam ponenda est pluralitas sine necessitate.
        • (Score: 0) by Anonymous Coward on Tuesday November 11 2014, @04:52PM

          by Anonymous Coward on Tuesday November 11 2014, @04:52PM (#114890)

          Someone replied to your AC.

    • (Score: 2) by stormwyrm on Monday November 10 2014, @05:43AM

      by stormwyrm (717) on Monday November 10 2014, @05:43AM (#114417) Journal

      That's not the worst that can happen. Malware could infect your system and in that way a trojan copy of keepass could be installed which sends a copy of your unencrypted password database to parts unknown when you unlock it. This attack is impossible with the mooltipass. There could still be malware which sniffs the USB HID for passwords you use though, but even if that happens they'll only compromise the passwords you actually use during the session. They won't get all your passwords, which they would if you just used keepass. Type in the passphrase to your keepass vault on such a system and voilà, all your passwords are belong to us.

      My main complaint with this device is that it's rather large. Judging from the pictures they have, it's about half the size of a typical slate-type smartphone. And it seems the only real reason why it's so big is apparently because they wanted to make an Arduino header available, which is to my mind a totally pointless feature for a device like this. I'm all for hackability, but this is supposed to be a dedicated password storage device, a security appliance, not something for you to play around on in ways that might compromise its security! Something more like the form factor of a 6th-gen iPod Nano [wikipedia.org] might have been more suitable. I'd shell out a hundred bucks or so for this but I am not sure that these people have their priorities straight.

      --
      Numquam ponenda est pluralitas sine necessitate.
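The story summary describes the device as a keyboard emulator whose AES-256 key is read from a PIN-locked smartcard and whose every password release must be approved on the device itself, and the comment above reasons about why that beats a software vault on an infected host: unlocking a software vault exposes every entry at once, while the device can only give up the entries the user approves during a session. The following is an added Go model of that architecture, not Mooltipass firmware or project code. It assumes AES-256-GCM as the database encryption mode (the page states only AES-256), a JSON-serialised credential list, a lockout after `MaxPINTries` wrong PINs, and the names `SmartCard`, `Seal`, `Unlock` and `TypePassword`; a card is provisioned by giving it a random 32-byte key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"errors"
)

// Credential is one login entry in the device's database.
type Credential struct{ Service, Login, Password string }

// MaxPINTries is how many wrong PINs the simulated card tolerates before it
// stops releasing its key (a value chosen for this example).
const MaxPINTries = 3

// SmartCard stands in for the PIN-locked card that holds the AES-256 key.
type SmartCard struct {
	pin, key []byte // key is 32 bytes: AES-256
	failures int
	Locked   bool
}

// ReleaseKey hands out the key only for the correct PIN (compared in constant
// time); once locked, the card never releases the key again.
func (c *SmartCard) ReleaseKey(pin string) ([]byte, error) {
	if c.Locked || subtle.ConstantTimeCompare(c.pin, []byte(pin)) != 1 {
		c.failures++
		c.Locked = c.failures >= MaxPINTries
		return nil, errors.New("wrong PIN or card locked")
	}
	c.failures = 0
	return c.key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the credential list with AES-256-GCM as nonce||ciphertext.
func Seal(key []byte, creds []Credential) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain, _ := json.Marshal(creds) // cannot fail for this plain struct
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Unlock asks the card for the key and decrypts the database into RAM: a wrong
// PIN releases no key, and a key from another card fails GCM authentication.
func Unlock(card *SmartCard, pin string, blob []byte) ([]Credential, error) {
	key, err := card.ReleaseKey(pin)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, err
	}
	var creds []Credential
	err = json.Unmarshal(plain, &creds)
	return creds, err
}

// TypePassword models the keyboard-emulation step: the password leaves the
// device only if approve (the physical button) returns true, so host malware
// sees at most the entries the user releases during one session.
func TypePassword(session []Credential, service string, approve func(Credential) bool) (string, error) {
	for _, c := range session {
		if c.Service != service {
			continue
		}
		if !approve(c) {
			return "", errors.New("request for " + service + " denied on device")
		}
		return c.Password, nil
	}
	return "", errors.New("no credential for " + service)
}
```

In this model the host never sees the key or the decrypted list: the blob at rest is useless without the card, the card is useless without the PIN, and a session hands out one password per approved request. The comment's caveat survives too: a host that logs HID input still captures each password the user chooses to type during that session.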
      • (Score: 3, Interesting) by VLM on Monday November 10 2014, @02:28PM

        by VLM (445) on Monday November 10 2014, @02:28PM (#114506)

        And it seems the only real reason why it's so big is apparently because they wanted to make an Arduino header available, which is to my mind a totally pointless feature for a device like this.

        My fitbit is always in my pocket. Often my phone is nearby me, but not all the time. I could see sticking a smart (not dumb) bluetooth sniffer on the arduino (if such a thing exists; no, I'm not talking about an exclusively RFCOMM-speaking serial cable replacer), then when my phone and my fitbit are in range I would be satisfied with a mere 4-digit PIN, whereas if both are out of range then I'm probably not nearby it, so go full-on security nut.

        Ditto games with a wifi shield. If I sniff my wifi SSID and two of my neighbors, I'm probably at home and PIN is good enough.

        A large part of a gadget like this is showing off security theater (it's inconvenient, it MUST be good security!), so making it easier to use is at cross purposes.

    • (Score: 0) by Anonymous Coward on Monday November 10 2014, @09:37AM

      by Anonymous Coward on Monday November 10 2014, @09:37AM (#114459)

      Keepass is in Mono and as such is slow, buggy and possibly loaded with backdoors / bugdoors. That's one difference.

  • (Score: 1) by Username on Monday November 10 2014, @06:23AM

    by Username (4557) on Monday November 10 2014, @06:23AM (#114424)

    And that is the password to my email account. Whenever I need to log in, I go through the "forgot password" generator and get a new one sent to me.