On Tue, May 26, 2009 at 13:11, Seth Vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
> On Tue, 26 May 2009, Till Maas wrote:
>
>> Why is this? Even an attacker that got access to your desktop without
>> specifically targeting a Fedora infrastructure team member can afterwards
>> compromise your phone, once he noticed that you use it to login to Fedora.
>> The browser cache or e-mails may indicate that you login to Fedora and some
>> config files for phone synchronization can show the attacker, how the phone
>> can be compromised.
>
> Doesn't this same argument stand if you plug the yubikey into the machine?
> Ie: sniff the incoming usb traffic and grab the "password" that the yubikey
> has just inputted?
>
> -sv

Yubikey uses a one-time password (OTP) so sniffing the output of the device would yield the key for that particular time and wouldn't be able to be used at a later time.

Eric "Sparks"