|
apropos man posted:Either way it's convenience gone mad and it cannot be as safe as using a decent password manager. Lol. You don't know what you're talking about. Smart lock is unequivocally a good idea and most likely more secure than a password manager.
|
#
?
May 3, 2017 15:59
|
|
|
|
| # ? Apr 28, 2024 12:25 |
|
|
pr0zac posted:Lol. You don't know what you're talking about. Smart lock is unequivocally a good idea and most likely more secure than a password manager. Both can be implemented poorly and that's all it matters.
|
|
#
?
May 3, 2017 16:19
|
|
|
apseudonym posted:Why do you think that? The first thing that comes to mind is that the eBay app started attempting to retrieve my passwords without any warning or input from me. I don't knowingly have any passwords stored with Google, so this failed. If I did have passwords stored with Google then there's some kind of password retrieval protocol which could theoretically be hacked. On the other hand, I'm using keepass for my passwords and a popular keepass Android app to unlock my database. When I want to log into a site I manually copy my password into the clipboard on my phone and paste it into the site. The app clears my clipboard automatically after 30s. So there are two obvious angles of attack with my situation: My keepass Android client is somehow remotely hacked or I install an app containing a keylogger (my phone is not rooted). I can't quantify the angles of attack with the Google 'request password' protocol because I don't know enough about Infosec, but I'd imagine that someone could be potentially probing for vulnerabilities round the clock whether my phone is on/off/exists.
|
|
#
?
May 3, 2017 17:11
|
|
|
pr0zac posted:Lol. You don't know what you're talking about. Smart lock is unequivocally a good idea and most likely more secure than a password manager. What about securing your password manager with Smart Lock?
|
|
#
?
May 3, 2017 19:03
|
|
|
apropos man posted:imagine
|
|
#
?
May 3, 2017 19:25
|
|
|
apropos man posted:The first thing that comes to mind is that the eBay app started attempting to retrieve my passwords without any warning or input from me. I don't knowingly have any passwords stored with Google, so this failed. If I did have passwords stored with Google then there's some kind of password retrieval protocol which could theoretically be hacked. Smart lock is better, trust me 
apseudonym fucked around with this message at 21:22 on May 3, 2017 |
|
#
?
May 3, 2017 21:19
|
|
|
Speaking of third party auth... Everyone be SUPER CAREFUL of opening any share invites to view anything on google docs. A phishing attack is being discovered now that scrapes all your google contacts and has free reign over your gmail. From random names, but it always seems the first recipient is hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh[@]mailnator.com Here's a twitter post with a gif of what it looks like: https://twitter.com/zachlatta/status/859843151757955072 More info: https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam
|
|
#
?
May 3, 2017 21:23
|
|
|
Gotta love that Google allows email root access with a simple OAuth flow. OAuth is a user experience garbage fire. Let's use a innocent looking auth popup, that users see daily on their phones when they install flappy birds, that you must read in its entirety and know what the fine-grained permissions mean to understand what's reasonable access and what's pwned access.
|
|
#
?
May 3, 2017 21:39
|
|
|
EVIL Gibson posted:Speaking of third party auth... I got one of these today from someone I've had email correspondence with. Of course I was suspicious, not least due to the hhhhhhh recipient. I marked it as spam, and gmail was kind enough to allow me to mark my correspondent as at risk of having been compromised, which presumably will warn him, as well.
|
|
#
?
May 4, 2017 02:08
|
|
|
For our SOC, we're looking for some kind of sandbox environment to run links/attachments. We have an HVD and lots of VMs, but corporate bureaucracy means that any request for those, or to take a snapshot/reset/etc, can take weeks. Are there any web-based options that you guys use?
|
|
#
?
May 4, 2017 13:36
|
|
|
Solaron posted:For our SOC, we're looking for some kind of sandbox environment to run links/attachments. We have an HVD and lots of VMs, but corporate bureaucracy means that any request for those, or to take a snapshot/reset/etc, can take weeks. Malwr Set up Cuckoo Sandbox and automate it.
|
|
#
?
May 4, 2017 13:39
|
|
|
Solaron posted:For our SOC, we're looking for some kind of sandbox environment to run links/attachments. We have an HVD and lots of VMs, but corporate bureaucracy means that any request for those, or to take a snapshot/reset/etc, can take weeks. Check out Joe Sandbox as well if you're looking for something a little beefier/more private than malwr.
|
|
#
?
May 4, 2017 23:01
|
|
|
Any guesses? https://twitter.com/taviso/status/860679110728622080
|
|
#
?
May 6, 2017 03:21
|
|
|
Shagger: the linux subsystem
|
|
#
?
May 6, 2017 03:30
|
|
|
And Lo, Tavis shall stride across the earth Leaving destruction trailing in his wake His hushed whisper will sound as trumpets Heralding Buffers under-run and Input unsanitized Titans will huddle and pray The his terrible gaze pass them by
|
|
#
?
May 6, 2017 03:37
|
|
|
ohgodwhat posted:Shagger: the linux subsystem LOL no. https://twitter.com/taviso/status/860681252034142208
|
|
#
?
May 6, 2017 04:11
|
|
|
|
|
#
?
May 6, 2017 04:14
|
|
|
Best case scenario is it's Remote Assistance. Slightly worse is NTLM because gently caress NTLM for still existing.
|
|
#
?
May 6, 2017 04:16
|
|
|
I'm so hard
|
|
#
?
May 6, 2017 04:27
|
|
|
uh oh
|
|
#
?
May 6, 2017 04:29
|
|
|
Double Punctuation posted:Best case scenario is it's Remote Assistance. Slightly worse is NTLM because gently caress NTLM for still existing. windows firewall
|
|
#
?
May 6, 2017 04:44
|
|
|
Rufus Ping posted:windows firewall windows defender
|
|
#
?
May 6, 2017 04:45
|
|
|
Rufus Ping posted:windows firewall 
|
|
#
?
May 6, 2017 04:46
|
|
|
Rufus Ping posted:windows firewall *allows tcp/445 in from everywhere while flailing and cumming*
|
|
#
?
May 6, 2017 05:07
|
|
|
Double Punctuation posted:windows defender windows
|
|
#
?
May 6, 2017 06:24
|
|
|
Comedy option, fonts.
|
|
#
?
May 6, 2017 06:58
|
|
|
vOv posted:Comedy option, fonts. You jest but it's happened before
|
|
#
?
May 6, 2017 06:58
|
|
|
CLAM DOWN posted:*allows tcp/445 in from everywhere while flailing and cumming* Same
|
|
#
?
May 6, 2017 10:55
|
|
|
So that Intel bug was worse. It's the AMT implementation which allows you to remotely log into Intel servers remotely. As an admin you could log in and do adminly things after putting in your password, which would be hashed, and then authenticate you Turns out any password works! Not only will any password work, but no password is perfectly okay as well!
|
|
#
?
May 6, 2017 17:41
|
|
|
EVIL Gibson posted:So that Intel bug was worse. That's not an accurate description of the bug. The bug was they were comparing only up to the attack supplied length. The truth is funnier.
|
|
#
?
May 6, 2017 17:47
|
|
|
apseudonym posted:That's not an accurate description of the bug. The bug was they were comparing only up to the attack supplied length. Gotcha.
|
|
#
?
May 6, 2017 18:06
|
|
|
OSI bean dip posted:Read Simon Singh's Code Book then pickup Applied Cryptography by Bruce Schneier. wanted to pop back in to say that I bought the Singh book and the updated version of Schneier's The Code Book is just an all around fascinating read that gives you the crypto basics and then Schneier supplies more concrete examples/uses of modern crypto. Thanks a lot, OSI!
|
|
#
?
May 6, 2017 20:06
|
|
|
EVIL Gibson posted:So that Intel bug was worse.
|
|
#
?
May 7, 2017 05:54
|
|
|
So the Trump thread in D&D of all places has been talking about U2F (in the context of one campaign/office issuing a $15 Yubikey to each staffer I think) and I figure I'd ask here about them: 1. Should I buy a $15 Yubikey? I already use 2FA on all websites I can use them on and 1Password to generate random passwords. I'm not an important person but if $15 can get me more security for minimal effort I don't see any harm in it. 2. How much of an effort is it going to be to use U2F from a USB stick? I have an iPhone so I don't think any NFC etc versions would work, and I don't think U2F works with 1Password on my iPhone. I would use it on three computers which unfortunately are Windows, Linux, and macOS, so the system needs to be compatible with all three. 3. I'm thinking in terms of "minimal effort"---I usually just drop my keys into a bowl by the door when I walk into my house. The number of times my keys are sitting with me next to my desk at home or next to me in bed on my laptop are literally never. If I went all-in on the U2F thing then I would need to change my habits here and just keep my keys with me or not attach my Yubikey to my keychain or is there a better way that I'm missing?
|
|
#
?
May 7, 2017 09:36
|
|
|
I don't know about your iPhone but what I do know is that the Yubikey works fine on Linux Mint and Windows 10 w/ Chrome natively. For Firefox there's an extension that works, until Mozilla gets their poo poo together and implement U2F natively. I use it to log on GitHub all the time. As for security, I would consider physical tokens safer than a software one time password generator - if only because your phone might get infected in the future so having the key generation process being separate can't be bad. I'm not sure how likely this is to happen but it might. It's also possible that the Yubikey have a yet-undiscovered vulnerability (I doubt it, and it's not probable but it's possible. Overall the Yubikey is nice because just touching it is faster/less inconvenient than having to grab your phone, unlock it, start the 2FA app, find the website on the list, and write it down. But it's also inconvenient because you have to have your key with you at all times and if you lose it you're hosed (you basically always need two keys - a main one and a backup one because you will lose the main one eventually). Some websites support multiple 2FA schemes so what I do is enable both the Yubikey and Google/Microsoft/Lastpass Authenticator (they are all U2F compatible). When I travel I use my phone, when I'm at home I use the key (which stays home). It's not perfect but good enough.
|
|
#
?
May 7, 2017 09:43
|
|
|
U2F is great in general, but requires a USB port. Phone number are simply not secure as 2FA. U2F currently doesn't work with Safari, but I can see that some dude made an extension I probably wouldn't install. Otherwise, it's great. LastPass also doesn't support U2F yet, far as I can tell. U2F is better than the rest, but support is still so-so. I program, so I'm happy to use it for the services where it works like GitHub, but check the list of services that do work with it. That said, having one for your Gmail alone is probably worth the price and effort of admission. Just remember to remove your phone as 2FA after you set up proper 2FA. I use Google Authenticator and Authy for phone-based authentication. I don't like using LastPass for both password management and 2FA in case it gets compromised, and they've had a few issues recently. If you program, kryptonite is an interesting 2FA approach to SSH that stores the private key on your phone only and uses your phone to verify each SSH session. They should probably purchase an audit before your recommend your company and social network to use it, though. ufarn fucked around with this message at 13:09 on May 7, 2017 |
|
#
?
May 7, 2017 13:04
|
|
|
Lastpass definitely supports Yubikeys but only if you have a Premium account.
|
|
#
?
May 7, 2017 19:54
|
|
|
Furism posted:Lastpass definitely supports Yubikeys but only if you have a Premium account.
|
|
#
?
May 7, 2017 20:08
|
|
|
Mr Chips posted:it's not quite like that, if you try manually logging into the admin account via the web interface with no password you won't get anywhere. You actually need to fiddle with the HTTP a bit, there's a synopsis from the guy who found it here: https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf Now this is interesting. Using an unsafe read to get past the auth part of the binary. Neat. I just remember finding an HP equiv weak auth where you could choose which kind of creds you wanted to use, either local or nt auth.
|
|
#
?
May 7, 2017 20:37
|
|
|
|
| # ? Apr 28, 2024 12:25 |
|
|
Are we not supposed to use a password manager anymore? Is that what the SmartLock thing was? Because my Keepass2Android is no longer finding the Keepass database file, despite the sync program finding it. Or is Keepass2Android broken now?
|
|
#
?
May 7, 2017 21:12
|
|
