
On Fri, Aug 28, 2020 at 11:15:00AM -0400, Christopher Browne via talk wrote:
Here's a cool thing I saw recently...
https://www.schneier.com/blog/archives/2020/08/dicekeys.html
The comments are certainly fun to read.
The intention of this parallels the various Bitcoin "Solid Steel Passphrase Wallet" items that were popular a year or so ago (see https://www.toughgadget.com/bitcoin-crypto-metal-recovery-seed-wallets/, https://www.buybitcoinworldwide.com/wallets/steel/).
It's a case for a set of 25 dice that looks like a Boggle game set; it will generate and "record" what ought to be a Sooper Seekrut key as would be used for things like:
- master key for password manager
- U2F key for 2 Factor Authentication
- Secret key for cryptocurrency wallet
By being a set of dice with a nice plastic box to hold them securely, this is not vulnerable to various threats common to electronic devices:
- EMP (for those highly worried about nuclear devices)
- Water damage
Of course, if all your disk drives get toasted, there might not be any data left to decrypt or systems to connect to. And plastic will melt away or burn when exposed to fire...
But it's pretty cool, I'm tempted to grab a set.
There's a web app: https://dicekeys.app/
It appears that this application, embedded in a single JavaScript file, runs locally, inside your browser, so that the usual criticisms about it being a giant security vulnerability of sharing your key with their web site seem like they mightn't apply. How to confirm in an authoritative way that nothing is *actually* shared seems like the fun security question.
I guess if you load the page, go offline, do the thing, close the browser, wipe any caches and other things from it, then maybe you could trust it? Or save a copy locally, read all the code and only run your verified local copy?

-- 
Len Sorensen
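
The "save a copy locally, read all the code and only run your verified local copy" idea can be made mechanical. The sketch below is an added example, not part of the original thread and not DiceKeys project code: a loopback-only server that serves a saved copy only while each file still matches the SHA-256 recorded after review, under a Content-Security-Policy that denies the page any fetch, XHR, WebSocket, beacon or form target. The file names, port 8000 and the command-line pin format are assumptions, as is a saved copy that loads its script as a separate same-origin file (inline scripts would be blocked by this policy).

```python
import hashlib
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

# Same-origin scripts and styles only; connect-src 'none' denies fetch, XHR,
# WebSocket and sendBeacon; form-action 'none' denies form posts.
CSP = ("default-src 'none'; script-src 'self'; style-src 'self'; "
       "img-src 'self' data:; connect-src 'none'; form-action 'none'; "
       "base-uri 'none'")
TYPES = {".html": "text/html; charset=utf-8", ".js": "text/javascript",
         ".css": "text/css"}

def respond(url_path, root, pins):
    """Return (status, headers, body); only pinned, unmodified files are served."""
    name = url_path.split("?", 1)[0].lstrip("/") or "index.html"
    target = Path(root) / name
    if name not in pins or not target.is_file():  # unpinned names never touch disk
        return 404, {}, b"not a pinned file\n"
    body = target.read_bytes()
    if hashlib.sha256(body).hexdigest() != pins[name]:
        return 500, {}, b"hash mismatch, refusing to serve\n"
    headers = {"Content-Type": TYPES.get(target.suffix, "application/octet-stream"),
               "Content-Security-Policy": CSP,
               "X-Content-Type-Options": "nosniff"}
    return 200, headers, body

def make_handler(root, pins):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, headers, body = respond(self.path, root, pins)
            self.send_response(status)
            for key, value in headers.items():
                self.send_header(key, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler

if __name__ == "__main__":
    # Usage (assumed): python3 serve_pinned.py DIR index.html=<sha256> app.js=<sha256>
    pins = dict(arg.split("=", 1) for arg in sys.argv[2:])
    HTTPServer(("127.0.0.1", 8000), make_handler(sys.argv[1], pins)).serve_forever()
```

CSP does not restrict top-level navigation, so this complements reading the code and working offline rather than replacing them.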