Boo
Wednesday, 01 July 2009

I've found a great service with a very bad name: BOO. Boo is an audio / pic publishing service for the iPhone. Think of it as an audio Twitter / TwitPic thing.

I've been doing podcasts for some time. This will make quick podcasts simple.

Check out "Mark On The World" at http://audioboo.fm/profile/MarkOnTheWorld.

Enjoy

 

Last Updated ( Wednesday, 01 July 2009 )
 
Yubikey Replay Attack
Sunday, 08 February 2009

On January 29th (2009) I found a flaw in the Yubico authentication server used by owners of the Yubikey. It allowed reuse of one-time passwords (OTPs) generated by a Yubikey during the same insertion.

Yubico responded quickly, fixed the bug and released this statement: "The previous version (of the authentication server code) did not properly detect OTPs generated within that same session where the Yubikey remains inserted in the USB slot. If the Yubikey was removed and then reinserted again and a new OTP is generated (most common use case) then OTPs from previous session were invalidated correctly and detected as replay attacks. However, for OTPs that were generated while the key remained inserted then OTPs within that session could be replayed without detection until next removal and insertion of the Yubikey. The reason was that the Yubikey counter for “session use” was not checked by the server."

The bug was caused by the “session use” counter not being checked by the server. For firmware versions before 1.3.3, the validation server was checking the timestamp instead of the session counter, but this check was dropped due to incompatibility with firmware 1.3.3. The bug is fixed in the Yubico validation server source code as of 2009-02-07.

This flaw would have allowed a man-in-the-middle (MITM) attacker to reuse an OTP after more than one was generated, if the key was not reinserted. For example, if the user were to plug in the Yubikey and begin to log on to a group of SSH sessions without removing the key, the attacker could reuse the OTPs to log in to the servers or others the Yubikey was valid on, until the Yubikey was removed, reinserted and used again.

The only recommendation I have now that the bug has been fixed applies even if the bug had not been found. If you have any suspicion your Yubikey may have been "borrowed" and you are using it in OTP mode (not static password mode), use it immediately to invalidate generated OTPs.
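The replay check described above, as an added sketch that is not taken from the Yubico validation server source. It assumes the OTP has already been decrypted into its counters; the names `OtpFields`, `Validator`, `insert_counter` and `session_use` are hypothetical, and the OTP sequence is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OtpFields:
    """Counters from an already-decrypted OTP (field names are assumptions)."""
    key_id: str
    insert_counter: int  # increments each time the key is plugged in
    session_use: int     # increments per OTP while the key stays inserted


class Validator:
    """Remembers the highest counters seen per key and rejects replays."""

    def __init__(self, check_session_use: bool):
        self.check_session_use = check_session_use
        self.last_seen = {}  # key_id -> (insert_counter, session_use)

    def validate(self, otp: OtpFields) -> bool:
        current = (otp.insert_counter, otp.session_use)
        seen = self.last_seen.get(otp.key_id)
        if seen is not None:
            if self.check_session_use:
                # Fixed behaviour: the counter pair must strictly increase.
                if current <= seen:
                    return False
            elif otp.insert_counter < seen[0]:
                # Flawed behaviour: only OTPs from an older insertion fail.
                return False
            current = max(seen, current)
        self.last_seen[otp.key_id] = current
        return True


def run(check_session_use: bool) -> list:
    """Validate a constructed OTP sequence and return the accept/reject list."""
    server = Validator(check_session_use)
    sequence = [
        (5, 0), (5, 1), (5, 2),  # three OTPs from one insertion
        (5, 0),                  # replay from the same insertion
        (6, 0),                  # key removed, reinserted and used
        (5, 2),                  # replay from the previous insertion
    ]
    return [server.validate(OtpFields("key-1", i, s)) for i, s in sequence]


if __name__ == "__main__":
    print("session use ignored:", run(False))
    print("session use checked:", run(True))
```

The fourth entry is the case the bug covered: it is accepted when only the insertion counter is compared and rejected once the session use counter is part of the comparison.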

Last Updated ( Monday, 09 March 2009 )
 
Can we all just work together
Monday, 26 January 2009

I was reading an article by Boe Parrish entitled Layoff Employees Need Help…Survivors Need Hope and here are my thoughts.

He said "(Everyday) Another layoff is announced, and another significant percent of the workforce is being laid off.  ... Profits are declining, sales are off, and executives are left with no other choice than cutting expenses in order to remain competitive, or simply to survive."

This seems like a self-fulfilling prophecy. People out of work spend less. People who think they may soon be out of work spend less. People who are not out of work but are supporting other family members who are out of work spend less. Business people who are afraid customers will be buying less spend less.

I agree with Boe. Employees need Hope. I also believe employers need Faith. I understand companies have stock holders to support and growth numbers to meet. I also know it is easy to say "I have faith God will provide all my needs" when it comes to your own life but harder to say to unbelievers in a stock holders meeting.

Everyone recognizes and responds to success. I believe companies that keep faith and offer support, not just price cuts to their customers, will shine bright and quickly be recognized. Business partners will become excited to learn how successful companies are staying successful when others are cutting back and holding cash because of fear.

We don't just live in a consumer economy, it is also a sellers economy. If you can't sell your product because your customer can't sell his, offer help. Don't say, "I'll work with you." and then just cut your price, WORK with your customer. Go to their meetings and help bring new ideas for growth.

I think the only thing to fear is fear. I believe President Bush planted a seed of fear when he declared a financial crisis and started this tail spin. We need to reject fear and keep the faith.

Last Updated ( Monday, 26 January 2009 )
 