Rufus Ping posted: I'm in Europe

Changing your DNS to Google's with the expectation that this will decrease any data-mining occurring is remarkably stupid. The only uses of "intercepting" your name lookups at large are almost entirely stats based, and you better believe Google will do this. Their DNS is also usually slow. Your ISP has 1001 other, better and less intensive ways of monitoring you if they wanted to. You change your DNS because there are better DNS resolvers that filter your results against known malware sites / bad ad domains and, in some cases, attempts by malware to phone home.

# Oct 17, 2015 23:26

Rufus Ping posted: Personally I change it so the responses I receive accurately reflect the RRs published by the authoritative DNS, but don't let me stop you trying to blacklist "bad ad domains" using the equivalent of a hosts file

It's the equivalent of a dynamically updating hosts file that can't readily be overwritten, so that's a lot better than nothing. Their focus is on blocking malware from phoning home / stopping botnet control and they have reasonable success at that. Much more effective, say, than the success rate you'd achieve trying to block anti-piracy groups with an open filter list, which you feel is worth your time. Differences in performance are less about ping time (since all are within milliseconds of one another) and more about reliability; Google's DNS has gone through several rocky patches where it would create considerable lag by making your enquiries retry or fall back due to non-response. Not sure if this is still such an issue.

# Oct 18, 2015 01:08

Applebees posted: Does Google Public DNS offer any advantages over OpenDNS?

It supports DNSSEC and should theoretically be immune to DNS spoofing. The list of such incidents is vanishingly small, however, and most DNS servers do their own sanity checking to ensure they're not being fed lies. Past (successful) attacks have been against ISP DNS servers, so switching to either is very likely to be equivalent protection from it. OpenDNS filtering owns, and if you need any other reason to use it, it makes graphs of your requests.

# Oct 18, 2015 12:34

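The filtering the two DNS posts above describe, as an added example that is not code from the thread or from any resolver vendor: the queried name and each of its parent domains are checked against a blocklist and, on a hit, a sinkhole answer is synthesized instead of forwarding the query upstream. The blocklist entries, the 0.0.0.0 sinkhole address and the query bytes are all constructed for this example.

```python
import struct

# Constructed blocklist for the example (not a real feed). A filtering resolver
# refreshes this from its provider, which is what makes it a "dynamically
# updating hosts file"; matching parent domains is what a literal hosts file can't do.
BLOCKLIST = {"malware.example", "ads.example"}
SINKHOLE_IP = "0.0.0.0"   # assumed sinkhole address returned for blocked A queries


def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name itself or any parent domain is on the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_packet(packet):
    """Decode the 12-byte header and the single question of a DNS message.

    Returns (txid, flags, ancount, qname, qtype, qclass, question_bytes, rest),
    where rest is whatever follows the question section (answer RRs, if any).
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:   # compression pointers are not valid in a query name
            raise ValueError("compressed QNAME in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, flags, ancount, ".".join(labels), qtype, qclass, packet[12:pos], packet[pos:]


def build_query(txid, name, qtype=1):
    """Encode a standard recursive query (RD set); used here to construct test input."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def filter_query(packet, blocklist=BLOCKLIST, ttl=60):
    """Return a synthesized response if the queried name is blocked, else None
    (None means: forward the packet to the upstream resolver unchanged)."""
    txid, flags, _, qname, qtype, qclass, question, _ = parse_packet(packet)
    if flags & 0x8000:
        raise ValueError("not a query")
    if not is_blocked(qname, blocklist):
        return None
    if qtype != 1 or qclass != 1:
        # Blocked, but not an A/IN question: answer NOERROR with no records.
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    # Flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0. One answer RR whose
    # name is a compression pointer (0xC00C) to the question name at offset 12.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def answered_address(packet):
    """Read the A record out of a one-answer response such as filter_query builds."""
    _, flags, ancount, _, _, _, _, rest = parse_packet(packet)
    if not flags & 0x8000 or ancount != 1 or len(rest) < 16:
        return None
    _, rtype, rclass, _, rdlen = struct.unpack("!HHHIH", rest[:12])
    if (rtype, rclass, rdlen) != (1, 1, 4):
        return None
    return ".".join(str(b) for b in rest[12:16])


if __name__ == "__main__":
    blocked = filter_query(build_query(0x1234, "cdn.malware.example"))
    print(answered_address(blocked))                              # 0.0.0.0
    print(filter_query(build_query(0x1235, "www.example.com")))   # None
```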
doctorfrog posted: Any opinions on the encryption implementation in 7zip?

The easiest way of achieving this is also the most secure. You can create a Truecrypt* volume within your Dropbox and simply shove your files there. Dropbox chunks the container like any large file and just uploads the sections that have changed. You can also give yourself plausible deniability (hide the encryption) so that, if someone steals the USB / hacks Dropbox and AES is broken in 5 years, they can't go back and open it up. Or at least, they'd have no reason to suspect they could.** TC uses a slightly more secure implementation of AES, and can also chain encryption methods with no appreciable performance issues, so a complete break in one algorithm won't break the encryption. The only risk to your data is 7-Zip having a backdoor (intentionally or not) or a tragic error in its implementation. TC has been examined to death for a vulnerability and one has never been found that could lead to easier brute force attacks. Has 7-Zip been so intensely scrutinised? Almost certainly not. Whether you consider that a valid threat is your own exercise though.

*Truecrypt forked and largely died as a project as of 7.2. 7.1a was a full proper release by the original team, and as of Feb this year was audited to ensure there are no backdoors (etc) in the code.

**You can determine something is a TC volume with a little effort; your goal is to create something that looks like it is meant to be random-looking data and be passed over. Video files are a good choice - most players will launch and simply say the file is missing a codec or similar.

# Oct 31, 2015 22:58

Grim posted: I've been using KeePass to store my password for ages but I decided the other day to start using it properly with a YubiKey + auto-typing / etc; some of the poo poo I login to for work just has the page title "Login" which fucks with the auto-type (goon autism won't allow me to just choose the correct entry off a list) and so I was thinking about installing a chrome extension to add the site url to the tab title as an elegant solution

Why is any of this better than just using one of the approved chrome keepass extensions?

# Nov 5, 2015 21:25

hackbunny posted:
I took the original 'warning' as blowing smoke at the ex project, and some general advice that there will one day be published vulnerabilities, which won't be touched. There are now such vulnerabilities published (vs just existing in theory) so having it installed certainly offers some extra attack surface. I'm not rushing to replace my portable TC vaults, but there's also now no compelling reason to use it going into it fresh.

# Nov 7, 2015 20:27

doctorfrog posted: Grumble time, since MS started its "let's make it difficult not to upgrade to 10" campaign, I find that I now have to check each new patch they roll out to make sure it isn't installing something I didn't ask for and don't want. So I'm checking ghacks.net and windowssecrets.com every patch Tuesday. I don't think I've read a tech blog since the early aughts. I've been using WSUS Offline to install patches in the hopes that their administrative focus steers them away from this kind of nonsense. (edit: yes I am a cane-waving luddite running Win7)

Your worst-case scenario is you get a taskbar icon saying you are compatible. There are no forced updates. A small number of people auto-updated on launch day who had reserved their copy, but this was a bug. Maybe this is enough to make your ludditeness rage you out but there's no real cause for concern. I hit the button to upgrade a couple of weeks ago. It's markedly quicker than Win 7 at booting and resuming, and there are no compatibility issues, even on the one machine where it says it isn't. Synthetic benchmarks put it on par with 7 in nearly all things, better in others, give it a slight edge in gaming performance, and it is generally quicker at disk access. Windows 10 is the new Windows 7 in the "it's just quick and works" factor.

# Nov 14, 2015 13:47

Carbon dioxide posted: I'm glad they're putting the Windows 10 upgrade to a more important update level. This is their way of preventing the thing that happened with Windows XP, where millions of computers were still running on this old system, even after support completely dropped, leading to security problems everywhere. And they're doing it for free too. While their Windows 10 data-grabbing from computers is concerning, an 'enforced' upgrade will in the long run be helpful for all those people who don't understand computer security at all.

Right, and this is the heart of the reason for the push. Supporting 6-year-old software, twice superseded, is a drain on resources keenly felt by a company struggling to bring their books back to where they want them to be, and 99% of the issue is people simply not wanting to for *reasons*. People who could put the same effort they're putting into avoiding the update (being active in it is just bizarre) into researching their current compatibility would end up with something that was a win-win for all. My desktop upgraded in about 25 minutes with zero issues. I've had Java patches take longer. This is the most seamless upgrade of an OS I've seen. To their credit, MS have largely seen the problem with optional, paid, effort-laden upgrades, and have adopted the "buy once, keep forever" model. Win 10 might then kill OS luddites, but sadly not soon, as 7 goes EOL in 2020.

# Nov 14, 2015 23:05

Melian Dialogue posted: I bought a new laptop recently, but never bothered to migrate old files off of my old one. I'm interested in using some type of Remote desktop software or something so that I basically use my old laptop like an external HD (i.e. just go into Explorer, open up the folders and such from the other laptop and control it from my new laptop).

Migrate the files.

# Nov 18, 2015 21:43

Melian Dialogue posted: There's too many. I have an SSD on my new laptop that while is much faster, doesn't have a lot of storage. Do I need to just bite the bullet and buy an External HD? It just feels like an unnecessary expense given that my old laptop is just acting like an external HD right now, collecting dust.

You have lovely transfer speed and have to power a whole laptop just to run it as a HDD; it's also an ageing 2.5" which isn't a great bedrock of reliability. How much storage do you need? External drives are cheap. All storage basically is.

# Nov 18, 2015 23:32

Fuschia tude posted: I've tried to upgrade my laptop twice, waited 8+ hours and got nowhere.

Not to get too sidetracked (there's a Win thread) but clean installs now work from USB using the Windows 7 CD keys. It should fix the few people who fail the restart-upgrade.

# Nov 19, 2015 02:00

So with SSL fuckery (thanks Dell) and manufacturers doing MITM attacks on their own customers, bad AVs self-signing your requests (breaking EV), should we talk about SSL security? The GRC page probably best outlines the basics and offers a way of testing your results: https://www.grc.com/fingerprints.htm The Perspectives project is available for Firefox and seeks to do the same on the fly - http://perspectives-project.org/ There also seem to be a few tools to check your existing stores - http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/ Does anyone know of a better means of verifying a system's SSL integrity?

# Nov 25, 2015 13:26

There are funnier pictures of him to use, but thanks for the 10 carebux spent. And yes I'm specifically talking about the certificate stores. As more of the web transitions to HTTPS it seems more likely some ad-supported software is going to start loving around with trying to read that traffic by installing their own.

# Nov 26, 2015 00:57

Largely speaking, all the scary terms bloggers like to throw up relate to Cortana. Using Cortana means all your enquiries are uploaded to MS. This shouldn't really be a surprise to anyone since Siri & Google Now do precisely the same thing, but I guess that doesn't make clicks. (i.e. this is literally just how it functions outside of any and all "pulling" they may or may not do). Besides that, there's a lot of misunderstanding of how anonymised usage stats work, and you would be hard-pressed to find any well supported software that doesn't do this on some level, end-user side or server-side. Look at this bullshit which is being passed around - https://bgr.com/2016/01/05/microsoft-windows-10-spying-2015-user-data/ Of their list of "spying" data, 4 out of 7 are pulled server-side based on access, and one other could be extrapolated from their server data. There's a lot of hysteria over not much of an issue, but it's fair to say opt-in is pretty lovely, and MS are predictably demonstrating their PR team is still the worst in the industry. Data is money, but data is also user feedback that can't be tainted by user bias as strongly as feedback questionnaires, or any other method. Since the internet became popular you will forever find a loud screaming mass of people complaining about any and all changes, even if it directly benefits them. Asking users what they want has lost a lot of value since every minority interest can get whipped into a frenzy whilst the majority silently just use it.

# Jan 7, 2016 01:10

Melian Dialogue posted: Windows 8.1. I'd like to have it autoboot to a honeypot OS if it's preconfigured upon shutdown/hibernate.

Back when TrueCrypt was a darling of open source, I achieved this by using its hidden OS / plausible deniability boot. Basic concept - one password boots one OS instance, a second password boots a different one. You could obfuscate that this was happening by changing the displayed text, e.g. on boot it would display 'Press space and enter to continue'. If you typed the actual password, it would boot normally into your OS. If you pressed space and enter (i.e. you were using a single space as a password) it would boot the hidden OS. Anyone stealing the laptop who was dumb enough to use it would then get the version which phoned home. The problem with achieving the same in TYOOL 2016 is TrueCrypt is discontinued, and insecure. The main fork VeraCrypt has fixed all notarized flaws in TrueCrypt, but hasn't itself had an extensive audit. If you generally trust well-used open source software to be secure this might be an option, but if you'd rather someone rubber-stamp it, then it's lacking that. Cryptographically it has no flaws in either version.

# Feb 9, 2016 21:35

Minikeepass (iOS) lets you pull a file from dropbox to use as a keyfile, or sideload using iTunes / document storage.

# Feb 25, 2016 23:23

DeaconBlues posted: What's a good method of integrating KeepassX with Linux? I've had a go at installing KeeFox: it required mono, so I did that and then it seemed unable to detect my KeepassX 2 instance. I've looked at PassIFox but it's incompatible with Firefox Sync, which is something I don't want to give up.

Did you have any luck using this to install regular KeePass under mono? That should leave you with the ported version of 2.x - from there you can try to install Keepasshttp and get a plugin working, or just use the auto-type to fill in forms. PassIFox does work with sync, you just need to install it and import the keys before you enable sync.

# Feb 26, 2016 20:52

Scaramouche posted: Hah, the first page of this forum has 7 posts with Windows 10 in the title (including one of mine) so no, I'm not sure if it's there yet.

I hope you don't really consider users blaming the first thing they can think of that's different as the real reason for their problem.

# Apr 3, 2016 11:41

Three-Phase posted: Anything that is actually sensitive I've moved into secure containers on my Mac that has FileVault2. There was just so much stuff on that old computer that I'd like to make sure everything is crypted.

Until the end of July you can grab a Win7 Pro OEM key off eBay for about the price of a coffee and muffin, and use it to give yourself a digital entitlement to Windows 10 Pro. This will give you BitLocker which is much neater than TC/VC. Or, just use 7 Pro v0v

Three-Phase posted: It's worth noting there is a delay on password entry in the MBR and I think that's done as an anti-brute force addition that makes that kind of attack take hundreds of thousands of times longer.

# May 30, 2016 12:31

Rooney McNibnug posted: - set Flash browser settings to "click-to-play". Better yet, straight up uninstall Flash

Just remove flash (or turn it off in chrome). If you set it to click-to-play websites still try to use flash because they're lovely. If you remove it the site "falls

Google are soon (or just have, idk) reversing the above behaviour so that'll be a strong push against flash; very soon it will stop being a thing.

Loving Africa Chaps posted: - I was about to move from lastpass to keypass but wondering if I should spring for 1password or just stay with last pass given keypass don't want to use https

Note that the app does NOT have an auto-updater; it simply checks for one.

e: The above is meant to read as "don't use lastpass because of this non-issue" - lastpass has very real issues.

Khablam fucked around with this message at 11:15 on Jun 6, 2016
# Jun 6, 2016 11:11

Generator -> Advanced -> 'Character must appear at most once'

# Jul 12, 2016 23:47

Avocados posted: I've had a hell of a time lately with various accounts of mine getting broken into. Over the span of a month, my spotify account was accessed twice. My Playstation Network account was accessed and the person locked me out of it. I lost my Blizzard account the same way. In the span of an hour, Dropbox emailed me six times for password reset links. Today, Facebook emailed me a password reset link as well.

The reset links imply they have access to one or more of your email accounts and are trying to intercept the reset links (ditto for changing details on you), or someone is just loving with you. You should be using 2FA on everything you mention above. If you don't use it on LP that's a very, very bad idea and possibly the source of your woes. You need to just start eliminating vectors:
- compromised email account
- compromised PC (flatten and reinstall, don't just scan for issues)
- compromised LP (use keepass/1pass) - change master, enable 2FA
- some credentials are in a breach somewhere - change them
- compromised network (e.g. bad actor on a corporate network using SSL interception - rare)
- compromised user (you!)
  - you were possibly phished
  - you were possibly skimmed entering credentials on a machine you don't control
  - you may ignore security cert issues
  - you share credentials around partners or practice no practical security around a partner that doesn't trust you

# Jul 16, 2016 10:54

2FA over SMS is fine, but google auth is easier and works on most (all?) phones made in the last 3-4 years. Why did you nuke the machine a month ago, roughly the time you report the issues starting? How did you do it? You didn't happen to an ISO? With the level of issues you are having I would start from the ground floor with 1password/keepass on a clean system and keep a tight eye on what you are installing from where. Both of these offer safe and secure ways to use them on machines that you don't own, though neither are completely immune to keyloggers. They will however not be as vulnerable as lastpass, whose whole core design will forever be vulnerable to clever phishing attacks; something similar to this could be left on public browsers to devastating effect. Their mitigations won't be of much help in these cases, as you would be expecting to authorise a new machine. Until you have a handle on what's happening you can always do your banking on a Live CD.

# Jul 17, 2016 02:15

Probably posted elsewhere, but Tavis took a 'quick look' at lastpass and it's deeply problematic: https://twitter.com/taviso/status/758074702589853696 This on top of some amateur-hour bugs in how the plugin works: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/ (yes that's really making garbage URLs you can post anywhere be seen as valid for LP's auto-type, goddamn) Trusting any passwords to lastpass would be a very poor decision at this juncture.

# Jul 27, 2016 16:55

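The auto-fill URL bug described above comes down to deciding whether a stored login belongs to the page asking for it. As an added example that is neither LastPass's code nor anything posted in the thread, this is the exact-origin comparison a password manager should apply before offering an entry; the vault entries and URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed vault entries (not real credentials). Each records the exact
# origin at which the login was saved, which is the only place it may be filled.
VAULT = [
    {"name": "Example Mail", "url": "https://mail.example.com/login", "user": "alice"},
    {"name": "Example Bank", "url": "https://bank.example.net:8443/", "user": "alice"},
]

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin, as the browser's
    same-origin rule does. Returns None for anything that is not a clean
    http(s) URL, so malformed or unusual input can never match an entry."""
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            return None
        host = parts.hostname                # lowercased, without port/userinfo
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:                       # e.g. a port that is not a number
        return None
    if not host or "@" in parts.netloc:
        # Refuse userinfo outright: "https://mail.example.com@attacker.example"
        # must never be treated as mail.example.com.
        return None
    return scheme, host, port


def entries_for(page_url, vault=VAULT):
    """Names of vault entries whose stored origin equals the page origin exactly.
    Subdomains, lookalike hosts, fragments, userinfo tricks and http downgrades
    all fail to match."""
    page = origin_of(page_url)
    if page is None:
        return []
    return [e["name"] for e in vault if origin_of(e["url"]) == page]


if __name__ == "__main__":
    for url in ("https://mail.example.com/inbox",
                "https://mail.example.com.attacker.example/",
                "http://mail.example.com/"):
        print(url, "->", entries_for(url))
```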
1password just offers a way of syncing the password data-blob. This is much like sticking your keepass DB in dropbox. All it does is move the [encrypted] data around for you. Your client interacts with the data locally. Lastpass offers a plugin that interacts with your data which never leaves their servers. This means you have to assume their servers are not compromised, or they're not compromised in a way they will fail to mention. LP have fallen over to relatively middle of the pack attacks on their infrastructure, have hand-waved such breaches and poorly explained resolution steps, so the idea that an adversary could get onto their server and MITM every request for your database for 6 months before being detected is ever present.

# Aug 22, 2016 03:13

Jose Valasquez posted: I've read the previous discussions, but 1Password's web access is brand new and I don't think it's been discussed. I'm not trying to argue in any way that LastPass isn't bad, I was trying to determine if 1Password's new feature that seems very similar to LastPass is equally bad.

Your question has been answered a couple of times already dude. 1Password moves around the encrypted blob. LP has you interact with an encrypted blob held on their server. Furthermore you don't need to use that function if you don't want to.

# Aug 24, 2016 16:35

100:1 it's a spoofed email header to make it look like it comes from a contact. These are common, iOS malware isn't.

# Sep 4, 2016 13:14

Unless your dear mom is taking trips to Korea that's a spoofed header. e: There's 1001 ways to get an IT novice to give up contact details. It may not have been your mom at all. Any of those scenarios are more likely than an iOS botnet.

# Sep 4, 2016 20:23

Professor Shark posted: HBO says I need it

Go to chrome://plugins/ (in Chrome, obviously) and disable flash. You'll find the majority of sites that were telling you to enable flash now silently roll over to HTML5. If you for-real need flash, you can simply turn it on.

# Oct 7, 2016 16:43

Segmentation Fault posted: Actually, click-to-play might be the smarter choice. In Chrome, go to Settings, click "Show advanced settings...", and scroll down a bit until you see the Privacy section. Click on "Content settings..." From there, scroll down until you see the Plugins section. You'll have the option to "Let me choose when to run plugin content." Here, you'll get the best of both worlds: Flash will never run unless you explicitly tell it to, and you'll still have it for when you run into a site that requires it, and even then you can enable Flash on a per-app basis (e.g. you can enable a video player without enabling an ad).

The problem with going click-to-play is that every site that can be flash or HTML5 will prompt you to use flash. If you just disable it, the vast, vast majority of all those sites you were going click-to-play on will just use HTML5 instead. I haven't needed to turn the plugin back on in weeks.

# Oct 7, 2016 19:08

MS' own literature suggests EMET is useful for older applications that haven't been recompiled for Win10 specifically.

Samizdata posted: How's this from last year?

Even if you assume this is 100% true, which it isn't, 3rd party AV introduces more problems than it solves. From those test sites:
- Industry average slowdown for web: 21% (AVG 33%)
- Industry average slowdown for common programs performance: 6%
- Industry average slowdown for common program launch: 15%
- Industry average slowdown for file access: 13%
- Industry average slowdown for installation: 30-50%
- Number of 3rd party AVs without major root-level access exploits in the last 12 months: 0

The whole free-AV industry has been repeatedly broiled in controversy after being caught doing MITM attacks on your browser, and selling browsing data to third parties. Now if you were to define a program that worsened system performance by 15-50% per scenario, opened backdoors to exploits, reduced browser security and sold your data, would I be talking about an AV or the malware it's designed to stop?

# Oct 8, 2016 13:34

Plenty of those top-scoring AVs on VT will just flag almost any unsigned exe as a virus. So not surprising they catch most.

# Oct 26, 2016 10:25

Clint Howard posted: How often do people here change passwords for sensitive sites and data? KeePass has the option of setting an expiry time for a password. Depending on the sensitivity of the data the password is protecting, I set expiry times of varying lengths. For my most sensitive information (e.g., banking sites), I change my passwords every week. For somewhat less sensitive, but still important stuff (email, dropbox), I change passwords every month. Things like forum account passwords and Amazon get changed every 3 months. I change my KeePass master password every month. My WPA2 and router passwords also get changed every month. I use 2FA on everything I can.

The only virtue in changing passwords is so the password in any given dump-made-public isn't your current password. Most of these that hit the web broadly tend to be months to years old. Even rarer are they plaintext; high-entropy passwords aren't going to be reversed quickly, if ever. It's kinda up to you whether you think it's a waste of time or not? As for KeePass, rotating that password achieves nothing. If someone was attacking the vault they'd presumably already have their own copy of your kdbx and changing the password on your version doesn't alter theirs. Bruteforcing KeePass/WPA2 just isn't feasible. It's not "probably not in my lifetime" but rather "certainly not in the lifetime of the Sun". Worry less about rotating passwords weekly and instead activate 2FA, and especially secure KeePass with a YubiKey or similar.

# Feb 25, 2017 03:28

Have you paid your bill? Some comically bad ISPs will just block port 80. You don't mention if this is only Chrome specifically. Another likely option is someone had hijacked your browser, is trying to redirect every non-secure page and their resource is down.

# Mar 17, 2017 17:36

anthonypants posted: But, like rufo says, they're all bad in one way or another. You absolutely can't trust any of the free ones, because they'll either sell your info or inject ads/malware. You can't necessarily trust any of the pay ones. You could host your own, but what endpoint do you trust? Can you use a VPN at work? Can you trust AWS/Azure/DigitalOcean?

Is there actually anything to suggest the paid ones with provably no logging are actively bad? Sure they could be compromised, but ISPs have a pretty poor record of holding onto customer data.

# Mar 29, 2017 16:53

Rufus Ping posted: Would this be the same PrivateInternetAccess who use the same single shared secret to encrypt every customer's traffic? I'm going to agree with other posters and say a VPS is better.

The issues discussed there don't affect people using the bundled OpenVPN clients though; just using L2TP. Not sure about other vendors but PIA did discuss this after people misattributed that article to their client. That said the article there (and common sense) suggests if you're just trying to cloak your data from your ISP, it's a workable solution. No one is recommending it against oppressive regimes (inb4 lol trump) or using it to hide whistle-blowers.

# Mar 30, 2017 16:46

I tried to do this about a year ago using an Ubuntu stick (it had persistence making it a decent choice). Few to no public computers around anymore will boot off a USB, or connect to the internet if they did. Maybe if you're looking at a shared PC in a hostel it might work, but it will not work most times in anything resembling an internet cafe / library. YMMV of course. What do you need a desktop for when you're travelling, that wouldn't be served by a lightweight tablet / your smartphone?

# Apr 30, 2017 11:50

Ophcrack will recover the password.

Seaside Loafer posted: I did have her on an update schedule so up until the recent worm nastiness she is probably ok

XP support is discontinued. There are some workarounds to make it get essential updates but it is STILL not secure and I doubt you have been doing this. Install any supported OS.

# May 31, 2017 17:13

1password doesn't add a lot to the iOS experience, because iOS itself is locked down, preventing tight integration. Keepass does it well enough; you will be copy-pasting either way. KP (Minikeepass) loads the DB from the dropbox app so getting your PWs onto iOS is pretty simple.

# Jul 14, 2017 13:53

Oysters Autobio posted: So Android Pay is now available in Canada.

In the US, either *pay is probably your most secure method of payment. Additionally, since either also notifies you of any payments within a few seconds of them happening, you get a few advantages:
- you show the payment cleared on your side. Believe me, this is rarely useful but amazing when it is
- if you were, somehow, cloned, any transaction you didn't do yourself would immediately show in your notifications, so you can instantly stop the card

# Aug 28, 2017 11:22