Maybe because he didn’t want to wait for the Mooltipass to be produced, [davidhend] built his own offline password keeper, named Lynx.
It is based around an Arduino Pro 328, a 2.8″ TFT touch screen, an RFID card reader, an FTDI basic breakout and finally a li-ion battery. Lynx is therefore self-powered and uses an RFID card to later read the XOR-encrypted passwords stored on an SD card. A USB serial connection is used to send the passwords to the computer, and also charges the battery. The current BoM cost is around $220, but we’re quite sure it can be made for much less when not using pre-made boards. Looking at the official GitHub repository tells us that the XOR key is stored inside the microcontroller and that Lynx checks the RFID card code before allowing encryption/decryption.
On a side note, we recently published a FAQ on the official Mooltipass GitHub. You’re welcome to let us know what questions we may have forgotten.
neat project, but should probably replace the XOR encryption with something a bit more secure
double rot13 FTW :)
Double rot13 is very inefficient. I propose rot26.
Yes, something more secure than XOR would be good. However, if XOR is going to be used then it would be a good idea to really stress the fact that the XOR key needs to be changed, nay that it should be made mandatory not to use the one on GitHub. Anyone with a little common sense and initiative could easily get the passwords from the device (or SD card).
Moreover, a key of “D T H” is not secure … assuming that this is the XOR key from: https://github.com/davidhend/Lynx/blob/master/lynx/functions.ino : line 68
ahahaha glad you noticed that :)
I must admit I still fail to see the utility in these devices.
There isn’t any, it is just an excuse for people to justify working on an Arduino. They’re all designed and implemented so poorly that they really do little to nothing to improve security. For Christ’s sake, this thing at $220 is held together with electrical tape; that should tell you all you need to know about how much effort went into this.
Password keepers can be handy. I find myself having to remember so many passwords that I start reusing without realizing it (all of my passwords are long phrases). I am kind of interested in the Mooltipass, but only if it demonstrates real security features, i.e. 3-factor authentication, good encryption, etc. As Matt says, this particular device is less than stellar, and is just an excuse to make something. Kudos on making the thing, now work on improving it in pretty much every way.
Everyone has gotta start somewhere.
And just buy one of the secure ones…
http://www.mandylionlabs.com/
Works great, is tough enough to live on my keychain for 3 years now, and is secure enough to self destroy the contents after 3 attempts to turn it on incorrectly
They don’t offer any substantial documentation, and their website is essentially nothing more than a listing of American regulations without stating how exactly this device helps you to comply with them. How the hell do you even enter the PIN for this device, by pressing a directional pad god knows how many times? Well, considering that their e-store page is offline, and their website hasn’t been updated since 2006, that ought to tell you all you need to know about how successful this product is. If you really want a password keeper which will lock you out after so many successful attempts, go buy an old BlackBerry, enable encryption and lock-out attempts, and store your passwords on it. That product has at least been analyzed by lots of people, unlike anything you’ll see on HaD or that Mandylion device.
Papyrus! But perhaps that’s the joke of this thing?
LULZ, it’s like I would name my project coca cola
Why not just use KeePass or any other portable password keeper software on a thumb drive? More secure and less cost.
sounds yummy enough for bitcoin ;)
How about an old Palm M100 with any number of password apps at http://www.mobyware.net/
lynx? Might want to consider a different name … lest someone thinks this is related to the ncurses browser.
I was thinking more of the handheld game system by Atari. That’s what I thought this was a rebuild of.
“xor” and “encryption” do not belong in the same sentence unless the words “is not” are between them.
Technically xor operations are used heavily in encryption algorithms. But yeah you’re right, when it is the only operation present, “is not” ought to be used.
Just as a rubber tire is not a dump truck, XOR is not encryption. Things can be composed into other things, but that does not mean they are a replacement for the entirety of what they compose.
Conflating the two by saying that it might be in some circumstances an encryption method only further enables people to use it as an encryption method.
Look through any encryption algorithm and then re-read both my and anon’s posts. Virtually all modern encryption algorithms use XOR operations, as I stated.
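To make the thread’s point concrete, here is an added example (not code from the Lynx repository) showing what a fixed, repeating XOR key gives away, using the “DTH” key a commenter above read out of functions.ino. The password strings and the record layout are constructed for illustration; Lynx’s real SD card format is not reproduced.

```python
from itertools import cycle

# Constructed sample: three stored passwords, each XORed with the same
# 3-byte key. The RFID check in the firmware gates access to the key, but
# the confidentiality of the stored bytes rests on the key alone.
KEY = b"DTH"
STORED_PLAINTEXTS = [b"wifi:correct horse", b"mail:S3cret!pass", b"bank:correct horse"]


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. It is self-inverse: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# What would sit on the SD card (constructed).
RECORDS = [xor_repeat(p, KEY) for p in STORED_PLAINTEXTS]


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """C = P ^ K implies C ^ P = K: one known entry reveals every key byte it covers."""
    return xor_repeat(ciphertext[: len(known_plaintext)], known_plaintext)


def smallest_period(keystream: bytes) -> int:
    """Key length = shortest period of the recovered keystream."""
    for p in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i % p] for i in range(len(keystream))):
            return p
    return len(keystream)


def recover_key(records, known_index: int, known_plaintext: bytes) -> bytes:
    """Knowing a single stored value (e.g. one of your own passwords) yields the whole key."""
    ks = recover_keystream(records[known_index], known_plaintext)
    return ks[: smallest_period(ks)]


def equal_positions(c1: bytes, c2: bytes) -> list:
    """Without the key at all: because both records were XORed with the same key at
    the same offsets, ciphertext bytes match exactly where the plaintexts match."""
    return [i for i, (x, y) in enumerate(zip(c1, c2)) if x == y]


if __name__ == "__main__":
    key = recover_key(RECORDS, 1, STORED_PLAINTEXTS[1])
    print("recovered key:", key)
    print("all records:", [xor_repeat(c, key) for c in RECORDS])
    print("records 0 and 2 agree at:", equal_positions(RECORDS[0], RECORDS[2]))
```

A proper design would derive a per-device key from the card secret and use an authenticated cipher, so that neither a known entry nor two similar entries leak anything about the others.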
I have a free one of these, it’s called my brain. Definitely not going to spend $220 on something like this.
Lynx is the name of the public transport in the Orlando, Florida area … any copyright infringement going on here?
As for the browser Lynx, don’t think I have heard of it.
You can look here for info on the browser: http://en.wikipedia.org/wiki/Lynx_(web_browser)
This article in a nutshell: “oh look at this project that’s similar to ours…it sucks though so ours is better.” If you want to both cover projects fairly and develop your own as well you might want to set up some ethical boundaries.
+1
Nice to see objective coverage.
between what i want to write, what i write, what is reviewed, what you read and what you want to read…