In a few weeks the Hackaday community offline password keeper will reach a crowdfunding platform. This is a necessary step, as only a high production volume will let us hit our $80 early bird perk target. We’ll therefore need you to spread the word.
Thanks to the Chromium development team, a few days ago the Mooltipass installation process became as simple as installing our app & extension. As you may remember, our device enumerates as a composite USB device: a proprietary HID interface plus a standard HID keyboard. This makes it completely driverless on all operating systems and enables standalone operation, as the Mooltipass can type logins and passwords selected through its own user interface. Management communications therefore go through the proprietary HID interface, which Chrome 38 now natively supports through its chrome.hid API. The simpler our installation process, the more likely end users are to appreciate the fruit of our hard labor.
As our last post mentioned, there’s still plenty of room for future contributors to implement new functionality. Our future crowdfunding campaign will allow us to find JavaScript developers for the remaining app & extension tasks and also to implement support for other browsers. Want to be notified of the Mooltipass launch date? Subscribe to our official Google Group!
$80 for a piece of acrylic and an atmega ??????? WTF ???
So ignorant.
Hey how about you make your own one for much less and show the world your capabilities.
Or are you just mouthing off?
Mine fits in your pocket, and is 45 usd before mass-production: https://www.youtube.com/watch?v=38ZvmFApGkM
doesn’t protect you from impersonation though
Our Bill of Materials can be found on the Github repository, along with the assembly instructions. If you can make it for cheaper, please enlighten us :)
It is pretty sad that chinese tablets are cheaper than this. Now it would be neat to repurpose them as they already have all the hardware + case.
Even if you were to buy the shields from China and recode the firmware,
ABS clear plastic case for PCDuino (with LCD window+ mounting hole) $9.44
Keypad + LCD shield: $ 10.14
Add Processor of your choice… May it be ARM with tons of memory and not needed additional FLASH or AVR… ~ $15
So $35 or so without the premium on bling-bling that doesn’t add to security.
don’t forget to add the assembly, shipping, functional test, distribution.
The prices already include “Free shipping” from China for the reseller (DX and others), so inventory / fulfilment / distribution is done. Return for DOA too for that price.
Since they are shield based, it is a matter of stacking them and assembling them into the plastic case on my list by the end user. I think someone in China is happy to pocket the difference to sell the final “assembled” product.
Having all the electronics exposed is also a problem.
Anyway, I agree with you that if you don’t mind having a not so pretty piece of hardware potted in resin your solution should do the trick.
That being said, I’m fairly sure they produced way more than 1k units to get these prices.
That’s why I have a $9.44 injection molded ABS plastic case specifically made for the *duinos + LCD + buttons already on my BOM in the $35. It wouldn’t be fair if what I show has dangling pieces of wire duct taped together. They now have a $5.5 injection molded RPi black case that looks professional.
You are not taking advantage of mass produced commodity for a small production run. (NIH strikes again.)
My new job has given me a very close look at chinese supply chains versus other nations on our product line, and if you go looking at the source materials in China, *THEY* shouldn’t be able to afford to buy the raw materials for many of the products I deal with, based on their end selling price. I can’t name names, but, those conspiracies about some Chinese companies being heavily subsidized by government, it’s the only way I can figure it out.
Is there any way to make the Android phone/tablet a HID device? It sure is tempting at ~40 USD/free for an android device, it could be worth it to make a custom ROM for this.
https://github.com/pelya/android-keyboard-gadget/blob/master/kernel-3.4.patch
https://play.google.com/store/apps/details?id=remote.hid.keyboard.client
So it seems to be possible
I’ll just put this in case: http://tech.slashdot.org/story/14/08/22/2042213/researchers-hack-gmail-with-92-percent-success-rate
Listen you have a great design, that doesn’t make an Android version less secure if designed in the same way.
“Moreover, our security chain has been checked by qualified individuals.”
Namely? (Just asking)
Believe it or not, these individuals don’t want their real names published but just their aliases.
No one wants the NSA to come visit them.
You’re making one large assumption there…
What makes them qualified? How do you know that they are? Why should anyone believe someone that is just an alias?
The work address they used to contact me privately mostly.
Fair enough.
I wish you all a successful product! It is apparently not for me, but oh well, you can’t please everyone.
“Mooltipass HID proprietary interface”? Isn’t the Mooltipass “an open-source platform” (from the Github page).
HID proprietary means in this context a standard HID communication channel
So…. (I’m just asking here) it needs to be plugged into the computer to work?
I’m thinking of the public accessible computers (banks, hospitals, public libraries) that have USB ports plugged or locked away. Or can it display a password on the screen when a USB port is unavailable.
It needs to be powered by a device through USB indeed.
In that scenario you may use your smartphone to do so. We’re still debating the idea of allowing passwords to be displayed in clear on the display.
Thanks!
You may find all our protocol here: https://github.com/limpkin/mooltipass/tree/master/source_code/src/USB
Thanks. I guess I misunderstood that sentence.
I was actually not sure how to phrase it!
Can’t wait to fund this already! Me wantee! In addition to the security upgrade it offers me I also want to encourage you to do more things like this. Maybe a had dev board? Or just upgraded parts to other products like 3d printers, cnc router, etc.? Have you guys thought of any possible future ideas?
Now…does it also have a “generate random” password thing ?!
So whenever someone or something asks me to sign up, I can just enter something and it does the rest?
I’m not up to speed with this project :(
It’s actually in our todo list:
“Use the 0x4B command to get 32 random bytes, use them to generate a random password when clicking “generate” on a detected password field”
Thank you!
What is this ‘0x4B command’ that provides random bytes? Do you have a link/doc as this would be useful for many projects and uses, as long as it is a mostly random bytes (RND on Arduino is difficult in my experiments)
AH I found it in protocol doc.. this command gets 32 bytes from the HOST OS right?
It’s actually the other way around… we’re using a TRNG on the MP side of things.
I’ve actually been running one Mooltipass for nearly 2 weeks now, dedicated to random number generation.
current entropy utility output:
Entropy = 7.999978 bits per byte.
Optimum compression would reduce the size
of this 8987840 byte file by 0 percent.
Chi square distribution for 8987840 samples is 272.59, and randomly
would exceed this value 21.45 percent of the times.
Arithmetic mean value of data bytes is 127.4850 (127.5 = random).
Monte Carlo value for Pi is 3.143586700 (error 0.06 percent).
Serial correlation coefficient is -0.000034 (totally uncorrelated = 0.0).
doc: https://github.com/limpkin/mooltipass/tree/master/source_code/src/USB
Yeah dude, I don’t have a single idea what you just said.
ELI5 please :(
Generating random numbers is more complex than it appears.
Many random number generators used actually are _pseudo_ random number generators, which are an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers. This sequence may however repeat in some way or another.
So most (if not all) security guys here will argue that we need a true source for RNG, even though we don’t need so many random numbers in our case.
We currently use the avr entropy library, which uses the watchdog timer jitter to generate random numbers. But as for every TRNG out there we need to make sure that our implementation is correct, which is why some of us are leaving our mooltipass connected to test the properties of the random numbers generated.
Would you mind running https://gist.github.com/amtal/26f91018e0e12911f6c7 on your data?
I’d be very curious in looking at the stream pre-whitening. There’s been some data collected by endolith (https://secure.flickr.com/photos/omegatron/7122501307/in/set-72157629934367149) with interesting cyclic patterns. What happens if you isolate the board from USB power supply noise?
Admittedly if each 16ms sample produces at least 1 bit of entropy, that’s 32 bits of entropy covered in the Jenkins hash input. So, this is all likely to be more interesting than useful.
Total samples: 2374680
Expected repeats: 1312.59301939
Actual repeats: 652
seems actual repeats is expected repeats/2…
Would love to hear your thoughts on it. I can send you the random file if you want as well (9.5MB)
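A worked version of the checks discussed in this thread (the figures the `ent` utility reports above, and the “actual vs. expected repeats” count), as an added example that is not part of the original post or the Mooltipass code base. It runs over a constructed byte stream (`os.urandom` standing in for the captured device output); the expected-repeats function is the standard birthday-problem estimate n(n-1)/(2·2^32), which for the 2374680 samples quoted above gives about 656.5.

```python
"""Added example, not part of the original post or the Mooltipass code base:
the TRNG sanity checks discussed in this thread, run over a constructed
byte stream (os.urandom standing in for the device's output)."""
import math
import os
import struct
from collections import Counter

SAMPLE = os.urandom(1 << 16)  # constructed stand-in for the captured stream

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram (ent's first line); 8.0 is ideal."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def arithmetic_mean(data: bytes) -> float:
    """Mean byte value; 127.5 for a uniform source."""
    return sum(data) / len(data)

def serial_correlation(data: bytes) -> float:
    """Pearson correlation of each byte with its successor, wrapping the last
    byte around to the first as ent does; 0.0 means uncorrelated."""
    xs = list(data)
    ys = xs[1:] + xs[:1]
    n, sx, sxx = len(xs), sum(xs), sum(x * x for x in xs)
    sxy = sum(x * y for x, y in zip(xs, ys))
    den = n * sxx - sx * sx  # the sums over ys equal those over xs (wrap)
    return (n * sxy - sx * sx) / den if den else 0.0

def words_of(data: bytes) -> tuple:
    """Split the stream into little-endian 32-bit words (the 'samples')."""
    count = len(data) // 4
    return struct.unpack(f"<{count}I", data[: count * 4])

def count_repeats(words) -> int:
    """Number of colliding pairs among the words ('actual repeats')."""
    return sum(c * (c - 1) // 2 for c in Counter(words).values())

def expected_repeats(n: int, bits: int = 32) -> float:
    """Birthday-problem expectation of colliding pairs: n(n-1) / (2 * 2**bits).
    For the 2374680 samples quoted in the thread this is about 656.5."""
    return n * (n - 1) / (2 * 2 ** bits)

if __name__ == "__main__":
    words = words_of(SAMPLE)
    print(f"Entropy = {entropy_bits_per_byte(SAMPLE):.6f} bits per byte")
    print(f"Arithmetic mean value of data bytes is {arithmetic_mean(SAMPLE):.4f}")
    print(f"Serial correlation coefficient is {serial_correlation(SAMPLE):.6f}")
    print(f"Repeats: {count_repeats(words)} actual, {expected_repeats(len(words)):.3f} expected")
```

To test a real capture, replace `SAMPLE` with the file contents; a count of repeats far from the birthday expectation (in either direction) is the signal worth investigating.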
Are you guys planning on developing a Firefox extension that has feature parity with the Chrome extension? I’m guessing this might be a bit of a challenge if Firefox doesn’t have a good HID API, but a full-featured Firefox extension would be great to have.
Oh yeah. A firefox extension is a must
I agree with you. Well as you can guess our current problem is limited resources.
I can understand that. I would be sure to add the cost of having one developed into the crowd funding goal to help guarantee success
that’s very kind, thanks!
Hi, it is nice! Does it support sites that require random characters from a password? My e-banking account required this form of password input from a secondary password.
it does :)
Lovely! How does it work in Mooltipass? My bank web site is also doing the same, asking random combination every time.. it’s very frustrating that even if you remembered the password, many a times the wrong key is entered..
If your bank does this, that means that IT DOES STORE THEM WITHOUT ANY HASHING!
Does this solve my problem, that mother wants me to call at least every 14 days?
‘This makes it completely driverless for all operating systems and enables standalone operation as the Mooltipass can type logins and passwords selected through its user interface.’
If the Mooltipass is typing the username/password, rather than directly setting them using the browser API (in this case chromium) — how would attacks using a keylogger be mitigated by the Mooltipass?
They can’t be. As the FAQ mentions our goal is to only reduce to a very minimum the number of attack vectors. Perfect security could only be achieved by sharing a secret with all services out there or by verifying in person a public key.
I’m voluntarily not mentioning chain of trusts given the numerous CAs that were compromised these last years.
> If the Mooltipass is typing the username/password, rather than directly setting them using the browser API (in this case chromium) — how would attacks using a keylogger be mitigated by the Mooltipass?
Then they’re exactly as secure as writing your passwords down on paper, and locking them in a series of perfectly secure matryoshka safes. You’ll eventually have to use a keyboard, right?
As a humorous comment… the MP isn’t susceptible to shoulder surfing when entering a password though; a keyboard is ;)
The mooltipass is not susceptible to keyloggers that target HID keyboard devices when it is used with the chrome plugin. The chrome plugin makes use of the RAW HID protocol for its communication, not the HID keyboard protocol.
Malware would need to log the RAW protocol to capture credentials sent in this manner.
The mooltipass also supports the HID keyboard method to enter credentials (to, for example, avoid the need to install a browser plugin). In this case it’s as safe as your keyboard.
I still don’t see any benefit of using this hardware over a software app like 1Password.
there’s a dedicated section in the readme that addresses your question.
What’s there to stop someone from creating a rogue login form in order to retrieve user/pass from the mooltipass? I’d be upset to find out that a dodgy web-page with a hidden iframe managed to extract all, or some, of my stored credentials…
I’ve not extensively read up on mooltipass yet so my question might already have been answered. If so, my bad.
The Mooltipass requests your confirmation before sending any credentials. You’ll therefore be able to check the domain.