I then tried to google uberkey, then realised that it was actually spelted as yubikey instead of uberkey.

Yubikey is a usb keyboard that generates a 12 character yubi ID, and a 44 character OTP or 44 static characters long password on pressing the button found on the token. The concept was interesting, especially we don’t need to rememeber long cryptographically strong password anymore. The price pitch was rather attractive @ 25USD for a single unit, and @ 20 USD when the MOQ is 10.The yubikey support openID login through it’s yubiID and OTP authentication. However this like any other OTP systems, it requires an internet connection to verify the authenticity of the id and OTP. There are several API and source code available for the development of the yubi key.

I was thinking of how can i use the yubikey for multiple sites w/o compromising the key, one possible solution on using this on multiple website or login, could be to prepend the password with a password that you normally use and subsequently use the static password generated by the yubikey. Some issues i normally face while doing such things is that the website only allows password of length which are like 12 characters or so. What is wrong with these sites? Coming to this point, i usually do a md5 on my password(which depends on which site i visit), for example my google account password could be googPASSSWORD and yahoo could be yahoPASSWORD. [Psss i use vimperator to do a md5 hash on my password, by pressing "o md5 googPASSWORD". ] This is then entered as the password for my login, and some of them refused it as they only allow 12 characters. Sites that only allow 12 characters worry me, i have visited site and registered with site that stores my password in plaintext! First i assumed it is in plaintext, because when i request for a forget password, they return me the same password that i have entered. What is wrong with these sites, they should have a reset password function during “Forget password”. It is also unlikely that they have encrypted the password with a public key and subsequently decrypted it with their private key, this is way too much work compared to the reset password feature! So how do you remember all your password. Another way to avoid all these problem of password for websites, is to make use of www.bugmenot.com, they have pre-registered accounts that just works. This is very useful for sites that require log in before downloading, searching in forum, etc.

SSL certificates as talked about in Security Now 177, has been kinda of compromised. Only for md5 signed certs though. It seems that a group of researchers made use of 200 PS3[Yeah powerful PS3 SPU at it's best?]  to brute force a fake root CA certificate that is valid. This would then allow them subsequently create SSL certificates for any site! The podcast talks about how to fix this locally on your PC, by removing all the CA certs that are md5 signed. Do check the podcast out for more details on how to drop these certs from your OS.

Been busy these days, going to post more later on.

revision3.com/hak5/SessionHijackingAndVirtualizing/

Session hijacking. In short, by using tools available now, you can effectively
1. Use Jasager [www.digininja.org/jasager/index.php] to let people think that they are on their default wifi network. Meaning, i go to a starbucks, i turn on my wifi, and my laptop automatically tries to connect to wireless@SG. Jasager lets you log on to it, making you think that you have connected to the wireless@SG hotspot. You start surfing, thinking cool, free internet again
2. Prankster, hacker, kid, whatever who had setup the jasager, use ferret and hamster and tap into whatever you are surfing, using you session, your cookie, etc. erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
3. Game over, you find you have posted some things in facebook or started to poke people at the wrong place, started to mass mail your friends, etc.

From point 2, you can see that this is a very old post, so i hope that this post will bring about more awareness.
So how to prevent this from happening? You can’t really, you just have to be careful, you have to know the infrastructure of the network like what Hak5 said.
1. For example, if you are logged in to your home router ssid, but hey you are at macdonalds, that can be right? You better get your butt off from that network.
2. For example, if you are logged on to wireless@SG, it did’nt prompt you for the usual password? Something is wrong, even if it prompts you for your password, better check the SSL certs, etc to make sure you are on the right wifi network
3. Make use of SSH tunnelling, so that people won’t be able to see the packets and side jack you.

The video just blows me away, you got to watch it, to know how bad this is.