tuebor's comments

tuebor | 14 years ago | on: Detroit Startup List

Over 100 companies have presented at the Ann Arbor New Tech Meetup (mostly from Ann Arbor, but we try to have some representation from the greater Detroit metro area): http://a2newtech.org

There've been several exits (AtD bought by Automattic, Mobiata bought by Expedia, GiftZip bought by SVM, etc.), many venture deals (Livio Radio, Duo Security, Benzinga, Life Magnetics, Shepard Intelligent Systems, Deep Field Networks, Scoutforce, Own, Zferral, Are You A Human, etc.), and maybe a smaller deadpool than you'd expect for the amount of activity here.

Join the meetup, and check out the 2-3 events held by any of 60+ geek groups in Ann Arbor every day: http://a2geeks.org http://www.a2techevents.com

Also, all are welcome to join us Oct 28 for the Halloween edition of our weekly http://TechBrewery.org Beer:30 startup social hour (wear a costume)! We'll have food, drinks, and music sponsored by LanguageMate, who recently arrived here. :-)

tuebor | 15 years ago | on: Facebook introduces Two Factor Authentication

Google, PayPal, World of Warcraft, Mailchimp, etc. have all implemented user-facing two-factor auth also. It's the easiest way for them to protect against endpoint insecurity when attackers are going after user credentials en masse.

For any other site looking to implement this, check out our open-source web SDKs and service at Duo Security:

http://www.duosecurity.com https://github.com/duosecurity

At the very least, we highly recommend folks use it to protect their own cloud/datacenter infrastructure, and have made it free to do so (assuming you have 10 or fewer admins):

http://blog.duosecurity.com/2011/04/ssh-keys-that-call-you-b...

We support callback, SMS, mobile apps for 7 platforms, as well as traditional hardware tokens for online and offline use...

tuebor | 15 years ago | on: Announcing Duo’s two-factor authentication for Unix

The service was designed to isolate trust to only secondary login verification via a user-enrolled device. If any part of the system (including the user's phone) were to be compromised or disabled, an attacker would still need to have stolen your primary credentials to log in.

The choice of being locked out or not on Duo failure is a configuration option ("failmode"), with a fail-safe default.

In any usable system, security is never absolute, but a calculated abatement of risk (you still use HTTPS anyway, right? ;-). Two-factor auth protects against the most common path to account takeover today (credential theft), and Duo's approach intends to make it actually usable and deployable.

tuebor | 15 years ago | on: Announcing Duo’s two-factor authentication for Unix

Yes, users can set up Duo by themselves. If 10 users use their own Duo accounts on the same host, they're replicating the work to manage their own Duo configurations, is all (and there's no centralized management of those users' credentials by the system administrator).

Currently, duo_unix does not have a non-service option to use manually-configured local secrets. It's something that could be added easily, but at the expense of centralized management, logging, audit, enrollment, etc.

Folks who only want to use one-time credentials they need to manually provision for each account are probably better off using OPIE or Google Authenticator for now.

tuebor | 15 years ago | on: Announcing Duo’s two-factor authentication for Unix

For strictly secondary authentication, it's much more likely that an admin will lock themselves out through local misconfiguration than an attacker will find the mechanism disabled.

It's also a one-line configuration change.

tuebor | 15 years ago | on: Ask HN: Who Is Hiring? (October 2010 Edition)

Ann Arbor, MI: proud home of the University of Michigan, techbrewery.org, a2newtech.org, a2geeks.org, ARBSEC.org, etc. And Zingerman's (accurately described by tptacek as a culinary "force of nature")!

Scio Security is solving the most important problem in computer security today - the explosion in online account theft and transaction fraud driven by phishing and crimeware.

We're an Ann Arbor startup founded by Arbor Networks [1], Barracuda Networks [2], and Zattoo [3] founders and alumni, backed by True Ventures [4]. Other stuff we'll take blame for: public breaks of the world's leading firewall, IDS, anti-virus, virtualization, and state censorship (!) products; Google's first Android remote kill; dsniff; Linux NFSv4; OpenSSH (man ssh :-); returning tptacek to the Midwest in '01 :-)

Right now it's just three of us with $1M to pit against the international cybercrime syndicates of the world. We're looking for a frontend hacker with web/mobile UI/UX chops and deep design/brand thinking to be our fourth, and always happy to meet excellent app and backend folks.

We'd love to hear from you at [email protected] - or ping dugsong or jonoberheide on freenode/Twitter/FB...

[1] $100M+ revenue before we sold it this year :-)

[2] biggest content security appliance vendor by volume, with airport ads out the wazoo

[3] 0.5 -> 5M+ subscribers in 18 months

[4] 3rd top-ranked on TheFunded, investors in WordPress, Urban Airship, Puppet Labs, Meebo, etc.

tuebor | 15 years ago | on: Ask HN: Who Is Hiring? (October 2010 Edition)

Ann Arbor, proud home of the University of Michigan, techbrewery.org, a2newtech.org, a2geeks.org, ARBSEC.org, etc. And Zingerman's (accurately described by tptacek as a culinary "force of nature")!

Scio Security is solving the most important problem in computer security today - the explosion in online account theft and transaction fraud driven by phishing and crimeware.

We're an Ann Arbor startup founded by Arbor Networks [1], Barracuda Networks [2], and Zattoo [3] founders and alumni, backed by True Ventures [4]. Other stuff we'll take blame for: Google's first Android remote kill, dsniff, Linux NFSv4, OpenSSH (man ssh :-), public breaks of the world's leading firewall, IDS, anti-virus, virtualization, and state censorship (!) products, returning tptacek to the Midwest in '01 :-)

Right now it's just three of us with $1M to pit against the international cybercrime syndicates of the world. We're looking for a frontend hacker with web/mobile UI/UX chops and deep design/brand thinking to be our fourth, and always happy to meet excellent app and backend folks.

We'd love to hear from you at [email protected] - or ping dugsong or jonoberheide on freenode/Twitter/FB...

[1] $100M+ revenue before we sold it this year :-)

[2] biggest content security appliance vendor by volume, with airport ads out the wazoo

[3] 0.5 -> 5M+ subscribers in 18 months

[4] 3rd top-ranked on TheFunded, investors in WordPress, Urban Airship, Puppet Labs, Meebo, etc.
