|
Crack posted: First of all, please don't use chrome because gently caress google.

What specifically do you feel is wrong with chrome? Giving them the finger for their relationship with In-Q-Tel doesn't count. If you have a proper reason, what browser would you suggest instead?

Crack posted: Noscript is great!

What are you trying to prevent by disabling js? v8 is sandboxed and there hasn't been an RCE vuln reported in it since 2009

Crack posted: turn your phone off when you aren't using it [...] stingray

This isn't how stingrays work - are you thinking of OTA baseband exploits? Not that you can avoid those

Crack posted: get RedPhone, TextSecure, Signal

yes

Crack posted: Related to that, don't trust SSL (padlock) as implemented right now.

This isn't helpful advice and it's not clear what you mean

Crack posted: And pgp isn't great.

Please elaborate on this

Crack posted: If your housemates are idiots it might be a good idea to disable all incoming / outgoing connections on your router because if you are reading this thread you quite possibly already have malware and aren't the best educated on it

What are you talking about
|
# ¿ Jun 3, 2015 02:26 |
|
|
# ¿ Apr 28, 2024 19:41 |
|
general browser advice for security and privacy:
- disable 3rd party cookies
- set plugins to 'click to play'
- install ublock
- install https everywhere + privacy badger

general windows advice:
- UAC on max
- DEP set to opt-out
- install EMET
- configure the windows firewall properly using the MMC snap-in
|
# ¿ Jun 3, 2015 02:40 |
|
Crack posted: fixed.

You're just coming across as a loudmouth idiot with all this stereotypical smartass "IT guy" hurrrrr micro$haft bluster

Crack posted: Tabnabbing for one? Still works in latest ff and chrome as far as I can tell.

So your concern is that a malicious or compromised site could switch to a phishing page while you aren't looking. Why are you logging into websites manually to begin with? This problem is solved completely by using a password manager. Disabling JS to prevent phishing is like trying to kill a fly with a mallet and suggests you have bigger problems.
|
# ¿ Jun 4, 2015 04:29 |
|
I use 1Password, it has windows/osx/android/ios clients and plays nicely with various Dropbox-like syncing programs. Bit expensive but you can sometimes find a coupon online or they do educational discounts.
|
# ¿ Jun 5, 2015 23:36 |
|
OSI bean dip posted: To be honest, in your situation, just install any AV and hope that she never gets the machine compromised.

I agree about getting her an iPad out of preference. However if she's using a full computer, I think there are easy additional precautions you should take beyond the ones OSI Bean Dip mentions. The greatest risks she faces are probably:
- clicking poo poo in spam email
- malware from ad networks: both those clicked on manually and those delivered by exploits
- getting phished

To that end, in addition to AV (MSE is fine):
- Replace IE with Chrome; install uBlock; make plugins click-to-play if you think she can handle that
- Remove the JRE and adobe reader; make PDFs open in Chrome
- Install EMET
- Use a password manager

I got my parents a copy of 1Password a couple of years ago and it was a great decision. Not just because they don't have to remember tons of credentials any more, but because they will never get phished because they always log into sites using the browser extension. If you make it automatically save all credentials she submits to websites, you can then go back a couple of weeks later and change all the passwords to unique ones. By far my #1 momputing tip.
|
# ¿ Aug 12, 2015 18:42 |
|
ISP-run DNS tends to go down more, and they have been known to replace what should be NXDOMAIN responses with adverts, or to deliberately return wrong A records in an attempt to block sites. You also don't know whether they collect your DNS queries or what they do with them. ISPs are generally complete scum
|
# ¿ Oct 17, 2015 15:53 |
|
22 Eargesplitten posted: What's the best way to keep Keepass synchronized between my devices (three computers, one phone)? Someone suggested putting the database on SpiderOak, but I want to make sure that isn't a bad idea. The key for the database itself is unique and over 130 entropy bits, so hopefully that would be enough.

SpiderOak is fine

I quite like BitTorrent Sync because the Android app is nicer than SpiderOak's
|
# ¿ Oct 17, 2015 21:00 |
|
Geemer posted: You're extrapolating your experiences with the US' ridiculous ISPs to the rest of the world.

Geemer posted: Over here in The Netherlands I've only had issues with my ISP's DNS three times in the last 10 years.

Geemer posted: Also, you also don't know whether the non-ISP DNS collects your queries or what they do with them, so why even consider that?
|
# ¿ Oct 17, 2015 23:16 |
|
You're right though. Between Phorm and the Verizon header injections, ISPs have shown they can't be trusted not to gently caress with either HTTP requests, or HTTP responses. There's no reason to believe they're above loving with DNS responses from third party resolvers either.
|
# ¿ Oct 17, 2015 23:25 |
|
Khablam posted: Changing your DNS to Google's with the expectation that this will decrease any data-mining occurring is remarkably stupid. The only uses in "intercepting" your name lookups at large is almost entirely stats based, and you better believe Google will do this. Their DNS is also usually slow.

Personally I change it so the responses I receive accurately reflect the RRs published by the authoritative DNS, but don't let me stop you trying to blacklist "bad ad domains" using the equivalent of a hosts file
|
# ¿ Oct 17, 2015 23:42 |
|
Khablam posted: Their DNS is also usually slow.

17ms here, but the speed-up might be due to PeerGuardian
|
# ¿ Oct 17, 2015 23:45 |
|
Khablam posted: It's the equivalent of a dynamically updating hosts file that can't readily be overwritten, so that's a lot better than nothing. Their focus is on blocking malware from phoning home / stopping botnet control and they have reasonable success at that.

We're getting off-topic here, but letting your ISP sinkhole any hostname their three-letter-agency pals tell them is "malware" isn't the same as my carefully vetted blacklist shared over a tahoe-lafs hidden service. Grow up.

Khablam posted: Differences in performance is less ping time (since all are within milliseconds of one another), and more one of reliability; Google's DNS has gone through several rocky patches where it would create considerable lag from making your enquiries retry or fallback due to non-response. Not sure if this is still such an issue.

Clearly this is why you should be running unbound which automatically removes resolvers from the pool if they become unreliable
|
# ¿ Oct 18, 2015 02:37 |
|
22 Eargesplitten posted: Okay, thanks.

this is the problem with keepass relying on so many third party programs and plugins and apps, you don't know

imo buy 1password instead. At least it's all made by one company
|
# ¿ Oct 18, 2015 05:45 |
|
Grog posted: I never manually ran the executable.

Then you're no worse off than you were before unless it exploited your AV engine or eg the PE parser bit of windows (realistically it probably didn't)
|
# ¿ Oct 29, 2015 16:56 |
|
If you're trying to identify locally initiated outbound connections (without resorting to looking at the origin port) you could use conntrack
|
# ¿ Nov 4, 2015 23:45 |
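
A sketch of the conntrack approach mentioned above, as an added example that is not part of the thread: in `conntrack -L` output the first src/dst tuple of each entry is the original direction, so its `src` is the host that opened the flow, whatever the port numbers are. The sample entries, the 192.168.1.0/24 LAN and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed `conntrack -L` entries from a NAT router (LAN 192.168.1.0/24,
# WAN address 198.51.100.7); not taken from the thread.
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=203.0.113.77 dst=198.51.100.7 sport=40000 dport=22 src=192.168.1.20 dst=203.0.113.77 sport=22 dport=40000 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.11 dst=8.8.8.8 sport=53124 dport=53 src=8.8.8.8 dst=198.51.100.7 sport=53 dport=53124 mark=0 use=1
"""

def original_tuple(line):
    """Return (proto, fields) for the original-direction tuple of one entry."""
    proto = line.split()[0]
    orig = {}
    for key, value in re.findall(r"\b(src|dst|sport|dport)=(\S+)", line):
        if key in orig:  # a repeated key starts the reply-direction tuple
            break
        orig[key] = value
    return proto, orig

def locally_initiated(text, local_net):
    """List flows whose initiator (original-direction src) is inside local_net."""
    net = ipaddress.ip_network(local_net)
    found = []
    for line in text.splitlines():
        if "src=" not in line:
            continue  # skip blank lines and the summary conntrack prints
        proto, orig = original_tuple(line)
        if ipaddress.ip_address(orig["src"]) in net:
            # dport is absent for protocols without ports (e.g. ICMP)
            found.append((proto, orig["src"], orig["dst"], orig.get("dport")))
    return found

if __name__ == "__main__":
    for flow in locally_initiated(SAMPLE, "192.168.1.0/24"):
        print(flow)
```

The second sample entry is an inbound SSH connection that was port-forwarded to a LAN host, so it is correctly left out even though a LAN address appears in its reply tuple.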
|
Yeah use 1Password instead. It has proper browser extensions that don't rely on magic involving window titles, don't blindly auto-type, and don't require you to construct some Rube Goldberg contraption out of third-party software in an attempt to work around it being poo poo
|
# ¿ Nov 5, 2015 02:31 |
|
Loving Africa Chaps posted: Can you use a yubikey with 1password?

yes you could use a yubikey to enter your master password if that's what you mean (any of the normal yubikeys, not the cheap u2f-only one that doesn't support static passwords)
|
# ¿ Nov 6, 2015 20:23 |
|
spankmeister posted: does it support u2fa as the second factor though? Like password + yubikey?

no - and iiuc 2fa doesn't make sense here because you're essentially decrypting a file on disk, not running an authentication protocol with another party
|
# ¿ Nov 6, 2015 21:24 |
|
Fruit Smoothies posted: Depends if you're looking, or searching / manipulating. I use whichever browser is default. Firefox, Chrome and Edge can all open PDFs, and they're all kept up-to-date more often than anything Adobe shits out.

Re Firefox PDF.js: https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/

OP should use chrome's because it's sandboxed
|
# ¿ Nov 18, 2015 16:55 |
|
univbee posted: If you must use Adobe Reader (Canadian government), you should disable the auto-approval of Javascript, as well as the trust of external links

Also you should be running EMET (not that it can't be circumvented)
|
# ¿ Nov 18, 2015 16:57 |
|
Just buy the Windows version and run it under Wine, it's $40 with the coupon code "MacPowerUsers" and works great
|
# ¿ Feb 26, 2016 23:02 |
|
Yeah I store my SSH keys (and my PGP keys, for what little use they get) on an OpenPGP smartcard, it's pretty convenient
|
# ¿ Apr 3, 2016 23:44 |
|
Disable third party cookies and, fwiw, enable DNT
|
# ¿ Jun 5, 2016 16:01 |
|
Avocados posted: As far as browsers go, what are add ons I can use that increase the safety of my browsing (Safari on my Macbook, Firefox on desktop PC)? I have uBlock installed on both. Not sure what else to do. NoScript/NoJavaScript any good?

- set plugins to 'ask to activate'
- disable third party cookies
- enable DNT, not that any sites actually pay attention to it
- HTTPS Everywhere
- Privacy Badger
- RefControl
|
# ¿ Jul 18, 2016 23:13 |
|
Squeegy posted: To spin this into a somewhat interesting topic, why do you think email encryption has not caught on like SSL encryption has lately?

It kinda has, motivated by Gmail's TLS shaming icon they introduced a while back
|
# ¿ Sep 6, 2016 19:25 |
|
Professor Shark posted: I got one of those pop ups last night that "locks" your browser (This one told me they were Windows and to call them), I alt-cntrl-del'd out and ran Malwarebytes and AVG, then scanned with Emisoft this morning, this is what Emi came up with:

yes - how it happened in the first place? What OS and browser are you using? Do you have Flash or Java installed? An ad blocker?

Also get rid of your third-party antivirus software, all of which have a poor record of security and actually increase your attack surface area.
|
# ¿ Oct 7, 2016 13:23 |
|
Uninstall Flash. If you actually got infected with something, this is almost certainly how it happened. Also
|
# ¿ Oct 7, 2016 14:42 |
|
The free Windows 10 upgrade is still available here if you missed the deadline
|
# ¿ Oct 7, 2016 14:45 |
|
yeah Chrome currently still has a built in version of Flash that it will fall back to
|
# ¿ Oct 7, 2016 15:58 |
|
Professor Shark posted: Installing now

it gives you 10 days to roll back
|
# ¿ Oct 7, 2016 16:00 |
|
Samizdata posted: You know, most of EMET is baked into 10, albeit without the granular controls.

I mentioned EMET explicitly in case he disregarded or was forced to stay on windows 7

Samizdata posted: Also, how do you justify "DEATH TO THIRD PARTY AV, but not THAT third-party AV!"?

Samizdata posted: (As Defender was originally from Giant Software if I remember correctly)
|
# ¿ Oct 7, 2016 21:59 |
|
I think he means it will likely have password-based SSH enabled, a root password of "pi", and no firewall
|
# ¿ Feb 3, 2017 00:35 |
|
hooah posted: I feel like I've read about putting OpenVPN on a router, but that seems counterintuitive to me - how can a VPN be on the same side of the modem as me?

hooah posted: The other option I'm aware of would be paying for a service, but I have no idea which companies are reputable, nor how to choose among them even if I did know that.
|
# ¿ Mar 29, 2017 04:12 |
|
Khablam posted: Is there actually anything to suggest the paid ones with provably no logging are actively bad?

Would this be the same PrivateInternetAccess who use the same single shared secret to encrypt every customer's traffic?
|
# ¿ Mar 29, 2017 18:27 |
|
Seaside Loafer posted: One of the things I recommended to her mum was to buy Windows 7, I can't remember the exact spec of the box but it's not in the i3/5/7 series, it's the generation before that so I don't know if that's capable of windows 10.

buying a core 2 duo (?) and a retail windows 7 license in 2017

this is almost certainly not the best use of your money
|
# ¿ May 31, 2017 18:28 |
|
You don't mention running adblock. It doesn't sound like the cause of your problem but you should be using it anyway. Also check your router's DNS settings haven't been hijacked. You should be using a reputable public resolver (Google's are 8.8.8.8 and 8.8.4.4) rather than your ISP's regardless.
|
# ¿ Sep 24, 2017 17:03 |
|
not sure I'd recommend running whatever piece of poo poo version of openvpn/strongswan someone managed to get running on openwrt on an internet facing IP
Rufus Ping fucked around with this message at 00:27 on Jan 2, 2018 |
# ¿ Jan 2, 2018 00:24 |
|
Your best bet is probably to get a $5/mo VPS from digitalocean and install Algo on it
|
# ¿ Jan 2, 2018 00:33 |
|
22 Eargesplitten posted: I'm reading you can set up Algo on a Ubiquiti Edgerouter Lite.

I don't have any experience with Algo's IPSec mode but I do run wireguard on an ER-X using this build, which you might want to check out

22 Eargesplitten posted: What would that potentially do to throughput?

I don't see any real impact on throughput but my internet is fairly slow to begin with (11mbps). At much higher pps the CPU may become the limiting factor (although the ER-L is slightly faster than the ER-X). How fast is your internet connection?

22 Eargesplitten posted: Would it be really stupid to run traffic to/from Steam, YouTube, Netflix, or whatever outside of the VPN to avoid any speed hit?

You can do this pretty easily on EdgeOS using policy based routing ("modify table" rules) based on destination cidr and/or port. You might want to do it with Steam to reduce latency perhaps? (I guess - I'm not a gamer) Not sure there's much point for streaming video
|
# ¿ Jun 27, 2018 19:50 |
|
22 Eargesplitten posted: Thanks, I’ll take a look. I’m on gigabit fiber.

At that speed you will quite possibly run up against the limits of the hardware

The ER-L supports hardware accelerated IPSec for specific ciphers but Algo doesn't use those ones by default. So if both the default Algo IPSec settings and wireguard are too slow, consider changing the cipher suite

22 Eargesplitten posted: It occurred to me that Steam would be one to be careful about since once in a blue moon I buy a game, and payment data is what needs to be protected more than my anime streams

Payment data goes over TLS regardless so it doesn't make a difference
|
# ¿ Jun 27, 2018 21:27 |