• 0 Posts
  • 21 Comments
Joined 1 year ago
cake
Cake day: July 23rd, 2023

help-circle











  • Probably not. It looks like it’s setting the fake address before reading the tunnel parameters, where the real address is stored. Probably a kludge in case the connection address is undefined so the program doesn’t crash. So check whether the address is included there.

    Also check the function that establishes the connection. 10.1.1.1 is not a public subnet, so unless there is a VPN device listening at the local address, the tunnel should fail to establish and throw an error, triggering the exception clause in that code. Again, you’ll want to confirm that in the code.





  • Manually keying in the pin is only needed when plugging in the device. Challenges for TOTP, FIDO2, etc. are a configuration option, and are only 3 digits if enabled (press any button if disabled).

    As for “excessive amount of security”, security as an absolute measure isn’t a great way to think about it. Use case and threat model are more apt.

    For use case, I’ll point out it’s also a PGP and SSH device, where there is no third party server applying the first factor (something you know) and needs to apply both factors on device.

    For threat model, I’ll give the example of an activist who is arrested. If their e-mail provider is in the country, they can compel the provider to give them access, allowing them to reset passwords on other more secure services hosted outside the country. The police now have the second factor (something you have), but can’t use it because it’s locked.