hooah
Feb 6, 2006
WTF?
How would I use either the keyfile or the Yubikey on my phone?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

hooah posted:

How would I use either the keyfile or the Yubikey on my phone?

Good point. At least for the keyfile you'd just copy it on to there--I am not sure how this works in iOS land but in Android it's just a matter of dumping it via MTP or whatever.

Loving Africa Chaps
Dec 3, 2007


We had not left it yet, but when I would wake in the night, I would lie, listening, homesick for it already.

hooah posted:

How would I use either the keyfile or the Yubikey on my phone?

NFC yubikey?

Khablam
Mar 29, 2012
RIGHT OR WRONG, I CAN’T HELP BUT EXPRESS MYSELF LIKE A BRATTY CHILD. DON’T LISTEN TO ME.
Minikeepass (iOS) lets you pull a file from dropbox to use as a keyfile, or sideload using iTunes / document storage.

DeaconBlues
Nov 9, 2011
What's a good method of integrating KeepassX with Linux? I've had a go at installing KeeFox: it required mono, so I did that and then it seemed unable to detect my KeepassX 2 instance. I've looked at PassIFox but it's incompatible with Firefox Sync, which is something I don't want to give up.

My KeepassX 2.0 vault is set up and imported from Lastpass, it's only the clunkiness that keeps me using Lastpass until I find a better alternative. I'm pretty annoyed at Lastpass for what they've done with the UI in version 4.0 and want to show my disgust by cancelling but I'm yet to find something as easy as Lastpass v3. They stated that being bought out by LogMeIn wouldn't change the service and already they're forcing an awful UI which doesn't work but looks "nicer".

hooah
Feb 6, 2006
WTF?
Out of curiosity, what did you find didn't work about the new UI? Granted, I only used the password feature so I didn't interact with LastPass much, but it seemed innocuous enough to me.

DeaconBlues
Nov 9, 2011
1. It takes about 15 seconds to load on login (i5 laptop with SSD), possibly due to small thumbnails for each site having to load to make it look cuter.
2. Click on secure notes and then click again to see the list of secure notes=wasted click.
3. Generate secure password dialog displays with the bottom part obscured and no scrollbar to see the full range of options, making password generation only partially usable.

Top of my head, there.

Khablam
Mar 29, 2012
RIGHT OR WRONG, I CAN’T HELP BUT EXPRESS MYSELF LIKE A BRATTY CHILD. DON’T LISTEN TO ME.

DeaconBlues posted:

What's a good method of integrating KeepassX with Linux? I've had a go at installing KeeFox: it required mono, so I did that and then it seemed unable to detect my KeepassX 2 instance. I've looked at PassIFox but it's incompatible with Firefox Sync, which is something I don't want to give up.

My KeepassX 2.0 vault is set up and imported from Lastpass, it's only the clunkiness that keeps me using Lastpass until I find a better alternative. I'm pretty annoyed at Lastpass for what they've done with the UI in version 4.0 and want to show my disgust by cancelling but I'm yet to find something as easy as Lastpass v3. They stated that being bought out by LogMeIn wouldn't change the service and already they're forcing an awful UI which doesn't work but looks "nicer".

Did you have any luck using this to install regular KeePass under mono? That should leave you with the ported version of 2.x - from there you can try to install Keepasshttp and get a plugin working, or just use the auto-type to fill in forms.
PassIFox does work with sync, you just need to install it and import the keys before you enable sync.

NFX
Jun 2, 2008

Fun Shoe

Melian Dialogue posted:

What are your guys' thoughts on the whole Blackphone thing? Is it overhyped as some uber-security phone or is it actually not bad for what it's selling? I think they are coming out with a tablet soon too.

Poul-Henning Kamp (the FreeBSD developer) did a three part review (one, two and three). Yeah, it's crap.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

NFX posted:

Poul-Henning Kamp (the FreeBSD developer) did a three part review (one, two and three). Yeah, it's crap.

Really the thing to keep in mind about any phone that claims to be built with privacy and security in mind is that unless they're designing the baseband radio too, it's crap. I tried to look it up because it got me wondering but they're very hesitant to release those specific details (although if I had to guess it might be Qualcomm).

Until one can write a non-blackboxed radio chipset for LTE/UMTS/GSM, anyone who claims to have a "secure" mobile phone can go gently caress off.

Lain Iwakura fucked around with this message at 21:49 on Feb 26, 2016

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!

OSI bean dip posted:

I haven't seen much else but there is this:
http://www.lucianofiandesio.com/1password-in-linux

It's kind of janky so your mileage will vary and as a result I cannot really recommend it either.

This seems to work only if I'm using Dropbox for syncing :(

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano
Just buy the Windows version and run it under Wine, it's $40 with the coupon code "MacPowerUsers" and works great

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

Boris Galerkin posted:

This seems to work only if I'm using Dropbox for syncing :(

I don't think so, he was just personally using Dropbox for syncing the keychain file so he instructed how to use it. The software is designed so the keychain is stored as ~/1Password/1Password.agilekeychain and you just symlink that to wherever your sync client stores the actual file.

Melian Dialogue
Jan 9, 2015

NOT A RACIST
So if the Blackphone is a dud what options are there where you can still have decent functionality with say Android apps, but still have some semblance of security on mobile? Why does my Camera need access to "Modify settings" and why does a Sudoku app need permissions for Geotagged locations?? Do you pretty much have to be a hermit and not use any mobile tech?

apseudonym
Feb 25, 2011

Melian Dialogue posted:

So if the Blackphone is a dud what options are there where you can still have decent functionality with say Android apps, but still have some semblance of security on mobile? Why does my Camera need access to "Modify settings" and why does a Sudoku app need permissions for Geotagged locations?? Do you pretty much have to be a hermit and not use any mobile tech?

Get a phone running M and revoke permissions as you see fit? :shrug:

e: And don't sideload apps and you're fine, easily better off than your desktop. hth.

apseudonym fucked around with this message at 02:39 on Feb 27, 2016

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Melian Dialogue posted:

So if the Blackphone is a dud what options are there where you can still have decent functionality with say Android apps, but still have some semblance of security on mobile? Why does my Camera need access to "Modify settings" and why does a Sudoku app need permissions for Geotagged locations?? Do you pretty much have to be a hermit and not use any mobile tech?

Yes.

The real question is "who is your adversary?" Are you concerned about random malware? Are you concerned about spear phishing? Are you concerned about three letter agencies specializing in SIGINT?

If it's the latter, rotate your flip-phone burners and prepaid SIM cards daily, that's the only real solution at the moment to Nation State level attacks.

Otherwise, pick up a newer Nexus phone since Google is committed to pushing firmware updates with security fixes on a regular cadence, and isn't beholden to carrier QA approval.

Only download software from Play. Only download software which isn't ad supported. Only download software with sensible permissions. Use Baksmali to inspect apps which you really, really care enough about to reverse engineer. Hope that whoever's app you're using supports tokenization for credentials.

Use Work Profiles if you're concerned about keeping your work data segregated from your personal data.

For God's sake, do not get some sort of "Antivirus" software for your phone.

Remember that zero days will always exist in any platform.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
Overall, mobile phones really suck for security.

apseudonym
Feb 25, 2011

OSI bean dip posted:

Overall, mobile phones really suck for security.

Nah, not really.

uPen
Jan 25, 2010

Zu Rodina!

apseudonym posted:

Nah, not really.

Marshmallow was released going on 5 months ago and 1% of Android phones are running it. iOS 9 came out a few weeks prior and 77% of iPhones are running it.

Midjack
Dec 24, 2007



apseudonym posted:

Nah, not really.

yeah really

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

uPen posted:

Marshmallow was released going on 5 months ago and 1% of Android phones are running it. iOS 9 came out a few weeks prior and 77% of iPhones are running it.

This, unfortunately. For Android, the current structure of carriers and OEMs heavily disincentivizes patching anything at all. If you're lucky, you'll get one OTA update, ever. Apple, being the sole manufacturer AND the OS vendor, AND having the ability to flip off carriers and their requirements, means that they can patch as much as they want, and it's not a gigantic poo poo show of hacks.

As I said, the Nexus phones can generally do that too (if bought from Google) but Google doesn't seem to support them as long as Apple does.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Volmarias posted:

This, unfortunately. For Android, the current structure of carriers and OEMs heavily disincentivizes patching anything at all. If you're lucky, you'll get one OTA update, ever. Apple, being the sole manufacturer AND the OS vendor, AND having the ability to flip off carriers and their requirements, means that they can patch as much as they want, and it's not a gigantic poo poo show of hacks.

As I said, the Nexus phones can generally do that too (if bought from Google) but Google doesn't seem to support them as long as Apple does.

Add the fact there is what I said:

OSI bean dip posted:

Really the thing to keep in mind about any phone that claims to be built with privacy and security in mind is that unless they're designing the baseband radio too, it's crap. I tried to look it up because it got me wondering but they're very hesitant to release those specific details (although if I had to guess it might be Qualcomm).

Until one can write a non-blackboxed radio chipset for LTE/UMTS/GSM, anyone who claims to have a "secure" mobile phone can go gently caress off.

Your baseband radio has so much outside control without the OS' knowledge.

apseudonym
Feb 25, 2011

OSI bean dip posted:

Add the fact there is what I said:


Your baseband radio has so much outside control without the OS' knowledge.

If your threat model is NSA spookiness there's lots of easier things to do to non-mobile devices and far less integrity protection, though radios are a nice place to try and drop persistent code for sure depending on the hardware layout of the specific device.

That's not really a realistic threat model for probably everyone browsing SA though, we're not worth that kind of attention. If your threat model is realistically the NSA your hardware all got shipped to you owned in ways you'll never detect.

The threat model for most of SA users is just the usual random poo poo on the internet combined with idiotic views on how security actually works leading to shooting themselves in the foot.

In actual practical security for your average person mobile is far better than older OSs simply because we've learned from a lot of mistakes in older OSs' designs. The malware numbers for mobile are ridiculously small compared to desktop OSs.

DeaconBlues
Nov 9, 2011

Khablam posted:

Did you have any luck using this to install regular KeePass under mono? That should leave you with the ported version of 2.x - from there you can try to install Keepasshttp and get a plugin working, or just use the auto-type to fill in forms.
PassIFox does work with sync, you just need to install it and import the keys before you enable sync.

Thanks for suggesting using Keepass rather than KeepassX. I'm having much more luck with regular Keepass running with mono in Fedora, using both plugins (Keepasshttp and PassIfox).

I just disconnected Firefox sync before installation and then reconnected once Keepass was set up. It's a pretty neat way of handling passwords, actually. Everything seems to be held in Keepass but Firefox thinks it is using its native password filler. Firefox is only being fed each password as and when it's required by whichever webpage I'm logging into. This can be checked by going to Firefox Preferences>Security>Saved Logins>Show Passwords. All of my passwords simply say "Stored in Keepass", so although Firefox thinks it has a couple of hundred passwords in there it actually has nothing until one is needed and then it's piped through from Keepass encrypted with AES. Logging into a site feels just like Firefox is doing it, because it essentially is!

I'll play around like this for a few days to see if there are any drawbacks but at the moment it looks like bye bye Lastpass.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

apseudonym posted:

If your threat model is NSA spookiness there's lots of easier things to do to non-mobile devices and far less integrity protection, though radios are a nice place to try and drop persistent code for sure depending on the hardware layout of the specific device.

That's not really a realistic threat model for probably everyone browsing SA though, we're not worth that kind of attention. If your threat model is realistically the NSA your hardware all got shipped to you owned in ways you'll never detect.

The threat model for most of SA users is just the usual random poo poo on the internet combined with idiotic views on how security actually works leading to shooting themselves in the foot.

In actual practical security for your average person mobile is far better than older OSs simply because we've learned from a lot of mistakes in older OSs' designs. The malware numbers for mobile are ridiculously small compared to desktop OSs.

Yeah. But my remark is whether or not you can secure a phone and the answer is "not really". Also suggesting that the NSA is my concern is incorrect.

https://www.youtube.com/watch?v=DuaGt83ZCiw

This isn't NSA-level stuff and can be done with hardware that's less than $400 USD. The baseband is a serious concern.

apseudonym
Feb 25, 2011

OSI bean dip posted:

Yeah. But my remark is whether or not you can secure a phone and the answer is "not really". Also suggesting that the NSA is my concern is incorrect.

https://www.youtube.com/watch?v=DuaGt83ZCiw

This isn't NSA-level stuff and can be done with hardware that's less than $400 USD. The baseband is a serious concern.

Oh, you're coming at this with regards to bugs and exploiting. Sorry when people talk about the baseband it's usually very :tinfoil: NSA stuff.

Yes, bugs in the components of a device that touch the network are fun, but keep in mind WiFi drivers and hardware have similar bugs all too often, it's an area of work across a lot more than mobile.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

apseudonym posted:

Oh, you're coming at this with regards to bugs and exploiting. Sorry when people talk about the baseband it's usually very :tinfoil: NSA stuff.

Yes, bugs in the components of a device that touch the network are fun, but keep in mind WiFi drivers and hardware have similar bugs all too often, it's an area of work across a lot more than mobile.

quote:

The attack takes advantage of the machine-to-machine (M2M) interface used by carriers to do remote provisioning of the phone when it’s purchased and to push out communications updates. The interface is part of the baseband configuration of the phones—it leverages the baseband processor, which is the system-on-chip that handles the connection to cellular networks. On some devices, the baseband chip can access local storage and memory used by the smart phone’s operating system and be used to gain root-level access.

At Def Con, Ars talked with Jon Callas and Dan Ford about the baseband question. Callas said that the baseband processor in the Blackphone, which is made by Nvidia, has no such access to the memory and storage used by PrivatOS. “It’s completely segregated,” Callas said. Blackphone is looking at ways to provide an audit of the phone’s baseband code to assure users that the cellular modem can’t be made into what amounts to a hostile router, “but we assume that it’s a hostile router in the way we developed PrivatOS,” Callas added.

It’s clear that there are a number of issues left to be fixed with Blackphone. There’s an app store in the works that will provide a curated set of pre-audited Android applications, and there have been requests from some customers for a physical switch to turn off the phone’s camera and microphone. There have also been complaints about the phone’s LTE support.

But for a company of about 100 people just a month into its first product’s lifecycle, SGP has already shown how serious it is about security. Ford said that the Blackphone team turned around the patch to one already-discovered issue and shipped it out as an over-the-air update “in less than 48 hours.”

http://arstechnica.com/security/2014/08/blackphone-goes-to-def-con-and-gets-hacked-sort-of/

The last sentence had me kind of giggling. But yeah, I don't really trust mobile phones and it's really hard to write a proper guide these days because removing the battery is pretty difficult--airplane mode is a joke.

The problem is that details on the radios are kept very close to the manufacturers' chests. Nobody can really do an audit outside of their own drivers.

apseudonym
Feb 25, 2011

OSI bean dip posted:

http://arstechnica.com/security/2014/08/blackphone-goes-to-def-con-and-gets-hacked-sort-of/

The last sentence had me kind of giggling. But yeah, I don't really trust mobile phones and it's really hard to write a proper guide these days because removing the battery is pretty difficult--airplane mode is a joke.
48 hours is actually quite good for taking a patch, making a new build of the OS, QAing it (hopefully, but in that time I doubt it), and starting a rollout.

If you don't trust the hardware that's fine, but there's a certain level of trusting trust here, the advice of "pull out the battery" or "airplane mode if you're not using it" is just making it secure by making it useless. You can use a dumb phone if you want but then what's the point, who even uses phone calls anymore.

quote:

The problem is that details on the radios are kept very close to the manufacturers' chests. Nobody can really do an audit outside of their own drivers.
This is equally true for most hardware in any device, the NIC and wireless radio in your laptop is probably just as difficult to audit and probably worse than the baseband in quality because security people don't pay near as much attention to those.

BigFactory
Sep 17, 2002
This is all crazy person talk, right?

doctorfrog
Mar 14, 2007

Great.

Speaking of crazy persons: http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2

Is there anything to this alarming/alarmist piece? Even if you didn't know John McAfee wrote it?

apseudonym
Feb 25, 2011

doctorfrog posted:

Speaking of crazy persons: http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2

Is there anything to this alarming/alarmist piece? Even if you didn't know John McAfee wrote it?

There were two backdoors, one which anyone could exploit (and was very amateurish) and one that with the knowledge of a private key would allow the decryption of traffic secured by that device. That second one is a dead ringer for the kinds of things intelligence agencies want, traffic decryption and most importantly nobody but us capability.

quote:

So, while the NSA was monitoring our perceived Middle Eastern enemies, the Chinese and Russians, and god knows who else, were making off with every important secret in the US, courtesy of the NSA’s back door.

Is poo poo, tbh. I'm sure some fun happened due to the first backdoor, but calling that the NSA backdoor is disingenuous.


Also they go on a lot about it being a programmer 'planted' by the NSA, there is no evidence to support that whatsoever.


I will give it some points for only using 'cyber' once, but it's otherwise garbage.

turbomoose
Nov 29, 2008
Playing the banjo can be a relaxing activity and create lifelong friendships!
\
:backtowork:
Recently when browsing SA and some other websites (usually news articles) my screen will go blank and then come back at the top of the webpage. So if it's a long webpage it will be scrolled to the top. I want to stress that the page has not been refreshed due to this, just changed how far down I have scrolled.

I have a screenshot of the blank screen and it has an interesting address at the bottom in hovertext.



it's something to the effect of vindicosuite.com which after googling sounds like it's a problem with a site plugin for counting users but this has been happening on multiple sites so I can't help but feel like it's a problem on my end.

pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

turbomoose posted:

Recently when browsing SA and some other websites (usually news articles) my screen will go blank and then come back at the top of the webpage. So if it's a long webpage it will be scrolled to the top. I want to stress that the page has not been refreshed due to this, just changed how far down I have scrolled.

I have a screenshot of the blank screen and it has an interesting address at the bottom in hovertext.



it's something to the effect of vindicosuite.com which after googling sounds like it's a problem with a site plugin for counting users but this has been happening on multiple sites so I can't help but feel like it's a problem on my end.

This isn't really the correct thread for tech support but good lord update to Windows 10 already.

froward
Jun 2, 2014

by Azathoth

Volmarias posted:

Yes.

The real question is "who is your adversary?" Are you concerned about random malware? Are you concerned about spear phishing? Are you concerned about three letter agencies specializing in SIGINT?

If it's the latter, rotate your flip-phone burners and prepaid SIM cards daily, that's the only real solution at the moment to Nation State level attacks.

Otherwise, pick up a newer Nexus phone since Google is committed to pushing firmware updates with security fixes on a regular cadence, and isn't beholden to carrier QA approval.

Only download software from Play. Only download software which isn't ad supported. Only download software with sensible permissions. Use Baksmali to inspect apps which you really, really care enough about to reverse engineer. Hope that whoever's app you're using supports tokenization for credentials.

Use Work Profiles if you're concerned about keeping your work data segregated from your personal data.

For God's sake, do not get some sort of "Antivirus" software for your phone.

Remember that zero days will always exist in any platform.

thank you for this useful post with actionable items instead of castigation of current reality.

--

looking forward to the NSA giving the FBI some of its tech and this eventually trickling down to police departments with barely educated thugs with a moral code of "take what you can and burn the rest"

Fuschia tude
Dec 26, 2004

THUNDERDOME LOSER 2019

pr0zac posted:

This isn't really the correct thread for tech support but good lord update to Windows 10 already.

Is it stable enough to be worth trusting yet?

Rexxed
May 1, 2010

Dis is amazing!
I gotta try dis!

Fuschia tude posted:

Is it stable enough to be worth trusting yet?

Sometimes. When it works it's fine. When it breaks it breaks really badly. It's better than 8 and worse than 7 but not that much worse I guess.

Szmitten
Apr 26, 2008

Fuschia tude posted:

Is it stable enough to be worth trusting yet?

Rexxed posted:

Sometimes.
Welp. Not touching that then.

BigFactory
Sep 17, 2002
I had Windows 10 BSOD which I don't think I ever had with 7.

turbomoose
Nov 29, 2008
Playing the banjo can be a relaxing activity and create lifelong friendships!
\
:backtowork:

pr0zac posted:

This isn't really the correct thread for tech support but good lord update to Windows 10 already.

Sorry! Is there a general tech support questions thread or should I just make a new one with my specific issue?

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Fuschia tude posted:

Is it stable enough to be worth trusting yet?

Hah, the first page of this forum has 7 posts with Windows 10 in the title (including one of mine) so no, I'm not sure if it's there yet.
