Yubico snatched my login token vulnerability to claim a $5k Google bug bounty, says bloke

Yubico has apologized to a security vulnerability researcher who had complained the dongle peddler lifted his work to nab a $5,000 Google bug bounty. Over the weekend, Markus Vervier described how he and fellow infosec bod Michele Orru discovered flaws that could be exploited by miscreants to steal people's two-factor …

  1. Anonymous Coward
    WTF?

    Internal politics at Yubico involved? I have two keys myself, and not sure what to make of this.

    1. phuzz Silver badge

      From their reaction it sounds more like an honest fuck up, which is plausible, nay, expected, anywhere.

      After all, if this was malicious, what exactly were they expecting to get out of it, a $5000 bounty? If they're that hard up for cash then they'll be bankrupt by next week.

      More likely is a simple lack of communication between the person who read the bug report from the researchers, and the person who developed the PoC and thought "we should probably tell Google about this".

      You should always remember Hanlon's razor.

  2. YetAnotherJoeBlow

    Donate

    Donate the keys to Girls who code, and get two new keys from a different company. After all, Yubico wanted to learn from their mistake.

    1. Adam 52 Silver badge

      Re: Donate

      How about donating to Code Club or similar, rather than an organisation that is explicitly sexist.

      1. msknight

        Re: Donate

        The real question, Adam52, is why does such a group need to exist at all in this modern age of ours. Solve that problem, and then your statement gains some moral justification. But in today's world...

        1. wolfetone Silver badge

          Re: Donate

          "The real question, Adam52, is why does such a group need to exist at all in this modern age of ours. Solve that problem, and then your statement gains some moral justification. But in today's world..."

          You cannot agree with or justify segregation.

          They removed segregation from schools because it didn't benefit anyone. Yet, in this day and age, apparently segregation is good in order to encourage kids to take something up. How? Computing is inclusive and always has been inclusive. Maybe 40 years ago when women were pushed into occupations of either being a teacher or a nurse this would've had a place. But not now, and the continual acceptance of segregation does not ultimately lead to inclusion.

          It never has. And it never will.

          1. msknight

            Re: Donate

            Women are still being pushed into certain professions. It'll be at least another hundred years before we actually achieve anything approaching equal opportunities and society is properly deprogrammed from the Abrahamic misogyny.

            If this wasn't the case, then why is it only now that we have things like, "Hidden Figures" which are highlighting the women who were airbrushed out of history?

            1. jmch Silver badge

              Re: Donate

              "Women are still being pushed into certain professions."

              Studies have shown that in societies (eg Scandinavia) with more equality of opportunity, women tend to gravitate in higher numbers to jobs that involve people and men tend to gravitate in higher numbers to jobs that involve things. But apparently it is anathema to the radical left that there is any biological difference between men and women and/or that such difference can be reflected in different desires and therefore different career paths and different outcomes. Oh, no, they say, we need to force the same outcome on everybody, who cares if most women don't want to program, we're going to push them to it anyway!

              For what it's worth, I think there is value in encouraging girls to do coding, so that those who find it interesting and desirable can find a welcoming and non-sexist environment to code in. But segregating coders is just wrong.

              1. msknight

                Re: Donate

                There is a hostile environment out there. Plenty of cases where harassment is thrown around, and people don't generally give their best, or are put off entire careers, by harassment. What class teacher was ever able to keep track of all the bullying going on in the classroom, let alone the playground.

                I had a conversation with a colleague from a different company where she broke down recounting the harassment she got for being a woman in IT. And the rest of the men didn't speak up and tell the bully to wind his neck in.

                Solve that problem.... and you then solve the need for segregation.

            2. Anonymous Coward

              Re: Donate

              "Women are still being pushed into certain professions. It'll be at least another hundred years before we actually achieve anything approaching equal opportunities and society is properly deprogrammed from the Abrahamic misogyny."

              There are more female doctors, nurses and teachers. There are more male soldiers, workmen and sailors.

              Women are not being pushed into specific jobs, they are actively being encouraged to take up work, gain better qualifications and are better supported financially, emotionally, in health and social care in most developed countries than men.

              You do not see women going into sewage treatment, construction etc because those are hard, dirty jobs - so we might as well leave the boys to join those and have a vastly increased chance of dying on the job.

              Male privilege in the developed world includes bonuses like more likely to commit suicide, more likely to be homeless or die on the job. It's about time we stopped the feminist nonsense and started pushing for equality because that's NOT what feminism is about these days.

              1. msknight

                Re: Donate

                Male privilege doesn't exist. It is illegal. If people are exercising male privilege, then they are breaking the law.

                Women try and go into IT, and are hounded out of professions that men don't want them in. Can you blame them for not wanting to bother putting themselves in the firing line?

                How many more headlines must The Register carry about sexual harassment in IT, Uber, et al, before you acknowledge that there's a problem in our industry?

                1. msknight

                  Re: Donate

                  Yes, I did see the suicide bit about male privilege, and taking the discussion out of the IT realm, but we're dealing with an issue which is in men's hands as much as anyone's.

                  The pressure to "be a man" comes from society, which is primarily male driven. Each man has the ability to define themselves on their own terms, rather than try to live up to what society tells them to be (other men, usually, through workplace banter, etc.)

                  I'm a full supporter of men being part of the family, playing a proper part in their children's upbringing... I smile to myself whenever I see a man pushing a trolley around the supermarket, exchanging funny faces with their kids in the trolley... good on them, and great for the kids, who get to see their dad more often than a rushed breakfast in the morning, and already sleeping by the time he gets home from the commute... but it's going to take men to stand up for their own rights in the workplace rather than bowing to the social pressure. - https://www.bbc.co.uk/news/education-39869512

                  That's not an easy thing, I know... but the key is in your hands. If more women enter the work space, then the social dynamics will change, and that will make things easier for everyone. Men included. The only people who stand against this, in my eyes, are the people who don't actually want that dynamic to change.

                  So if you see a woman being bullied, do everyone a favour and support her.

                  1. Tom 38

                    Re: Donate

                    "The pressure to "be a man" comes from society, which is primarily male driven. Each man has the ability to define themselves on their own terms, rather than try to live up to what society tells them to be (other men, usually, through workplace banter, etc.)"

                    This "men's problems are men's fault, and so is everything else" attitude is not helping your argument, and then followed by this hideously sexist paragraph:

                    "I'm a full supporter of men being part of the family, playing a proper part in their children's upbringing... I smile to myself whenever I see a man pushing a trolley around the supermarket, exchanging funny faces with their kids in the trolley..."

                    GTFO. That's called parenting. It's as condescending to men as saying this about female developers:

                    "I'm a full supporter of women being part of the IT development team, playing a full role in the development of software... I smile to myself when I see a woman submitting a code review on github, exchanging comments with their peers...."

                    It's sexist when you take something that either gender can do, and make some aspect of it out of the ordinary for one of the sexes. The solution to sexism in the workplace is not more sexism.

                    "So if you see a woman being bullied, do everyone a favour and support her."

                    If you see someone being bullied, do everyone a favour and support them.

                    1. msknight

                      Re: Donate

                      @AC - so what, exactly, are you doing about those issues?

                      @Tom38 - you're right, anyone being bullied should be supported. However, the github thing is not a good analogy. The article about women posting on github as men having their code accepted demonstrates that. https://www.theguardian.com/technology/2016/feb/12/women-considered-better-coders-hide-gender-github ... and my point is that the solution to sexism in the workplace is less sexism, and more sexes.

                      (I was going to post that the solution to sexism in the workplace is more sex, but that would have gone down the wrong way.)

                2. Anonymous Coward

                  Re: Donate

                  "Male privilege doesn't exist. It is illegal. If people are exercising male privilege, then they are breaking the law.

                  Women try and go into IT, and are hounded out of professions that men don't want them in. Can you blame them for not wanting to bother putting themselves in the firing line?

                  How many more headlines must The Register carry about sexual harassment in IT, Uber, et al, before you acknowledge that there's a problem in our industry?"

                  Who's saying there isn't an issue? There is. But it's not confined to only women, men have plenty of issues in the industry too - being expected to work insane hours, cancel family holidays at short notice, do unpaid overtime etc. Those however are treated as generic "worker" issues and not attributed to men purely as men are "expected to man up".

                  You are generalising by saying "men don't want them in", which men? I don't care if the person I work with is a unicorn, as long as they can do their job. Stop blaming ALL MEN.

                  1. nevarre

                    Re: Donate

                    I work with a unicorn and it has to be the most annoying sentient being I've ever had to deal with. It's all "virgin this" and "enchanted forest that" all day long, and don't get me started on the "me so horny" jokes. I'd rather work with elves, the worst thing they do is try to kill me constantly. At least they're not bores.

          2. phuzz Silver badge

            Re: Donate

            "They removed segregation from schools because it didn't benefit anyone."

            Turns out sometimes kids learn better in single sex classrooms (but still within a mixed school). They tried it for some subjects at my brother's school and did see an increase in GCSE grades (and this was 20 years ago).

            I still feel that schools as a whole should be mixed though, after all academic subjects are only part of what you learn at school.

            1. jmch Silver badge
              Thumb Up

              Re: Donate

              "schools as a whole should be mixed though, after all academic subjects are only part of what you learn at school"

              It's a pity I can only upvote once because this deserves a thousand upvotes.

              Schools should be places where children learn how to interact with each other in a social context, get to know each other and treat each other with respect. If schools are churning out straight A students who are basically arseholes incapable of any empathy, or whizkids who are uncomfortable and unable to properly interact in a social environment, then they are failing big-time.

        2. Adam 52 Silver badge

          Re: Donate

          That's easy. It doesn't need to exist.

          No more than "black programmer club" or "proofs for Python" or "white 100m sprinters" or "straight male hairdresser club".

          Whenever society splits itself into factions that fight for resources - whether that's sunloungers on the beach, jobs, oil or food - then we all lose.

          You can argue that IT teaching in schools is poor and disenfranchises girls, but that's a reason to improve the school system so that girls and non-nerdy boys don't feel left out, not to discriminate in favour of the girls to the detriment of everyone else. Do we do special Rugby for Weedy Kids, no?

          Sexual, racial, religious or gender discrimination is bad. The ends do not justify the means.

          1. msknight

            Re: Donate

            We do rugby for all kids, when the kid with blue hair keeps getting vetoed off joining the team by the existing team who all have green hair.

            When the rugby team has enough people with different coloured hair on the team, then you can reliably take your foot off the throttle because there's no artificial "club" that the team is conforming to.

    2. Velv
      Coat

      Re: Donate

      It’s all Hitler's fault. (so many negative comments, we had to get here at some point, Godwin’s Law)

      But seriously. Saying “Women Who Code” is segregation is like saying “Alcoholics Anonymous” is segregation. Have they got bouncers on the door keeping teetotallers out? While WHC promote the industry to females they don’t exclude males specifically from their efforts. Some men just have a chip on their shoulder these days.

      1. Adam 52 Silver badge

        Re: Donate

        "While WHC promote the industry to females they don’t exclude males specifically from their efforts. "

        Yes they do. "Applaud Her" for example.

      2. tiggity Silver badge

        Re: Donate

        @ Velv AA do effectively exclude

        Try being an atheist and going to AA.

        Part of their 12-step stuff is all very mystical / religious, accepting a higher power guff - that if you are resolutely not into fairy stories means AA is not for you. So it's essentially discriminatory to the non-religious drink addicts.

        (full disclosure - never been to an AA meeting - know people who have who described their experience)

        1. David Nash Silver badge

          AA mystical / religious?

          Wow, is this true? I never heard this before.

          Never needed them and hope I never will, but that's very surprising.

          1. Anonymous Coward

            Re: AA mystical / religious?

            It is really religious (and doesn't work, but that's a different issue). Let's take a look at the original version of the 12 steps:

            1. We admitted we were powerless over alcohol—that our lives had become unmanageable.

            2. Came to believe that a Power greater than ourselves could restore us to sanity.

            3. Made a decision to turn our will and our lives over to the care of God as we understood Him.

            4. Made a searching and fearless moral inventory of ourselves.

            5. Admitted to God, to ourselves, and to another human being the exact nature of our wrongs.

            6. Were entirely ready to have God remove all these defects of character.

            7. Humbly asked Him to remove our shortcomings.

            8. Made a list of all persons we had harmed, and became willing to make amends to them all.

            9. Made direct amends to such people wherever possible, except when to do so would injure them or others.

            10. Continued to take personal inventory, and when we were wrong, promptly admitted it.

            11. Sought through prayer and meditation to improve our conscious contact with God as we understood Him, praying only for knowledge of His will for us and the power to carry that out.

            12. Having had a spiritual awakening as the result of these steps, we tried to carry this message to alcoholics, and to practice these principles in all our affairs.

  3. petethebloke

    Web Giant?

    When did Google stop being "Advertising giant"? Why has El Reg stopped saying it like it is?

  4. MiguelC Silver badge

    Yubico is sorry

    for having been caught.

  5. GarethWright.com

    Happens more than you'd think

    A number of years ago I contacted Apple and Facebook regarding a security flaw whereby tokens and passwords were accessible in plists.

    I didn't hear back from Apple and Facebook said it wasn't a flaw so I reported it to El Reg who published the article.

    A few weeks later a vast number of apps on the App Store had been updated to mitigate the flaw, iOS had been updated to prevent file-level access, and someone else wrote up the same exploit citing my work and got a bug bounty from Facebook.

    I guess Facebook were just pissed off they had egg on face.

  6. Omgwtfbbqtime

    No good deed goes unpunished

    'nuff said.

  7. Claverhouse Silver badge

    [ Giving to ] Charity Covers A Multitude Of Sins

    If I was responsible for a winning entry and some fucker gave my award to any charity --- even one I supported --- I would go spare.

    To have it go to a pompous, feel-good, virtue-signalling blowhard affair when there are plenty of women's shelters or homeless dogs, who could well use the money, would be mind-blowing.

  8. Anonymous Coward

    WebUSB

    WTF was Google thinking when they decided to introduce WebUSB into a web browser?

    Oh yeah, Slurrrrrrrp!
