|
Powered Descent posted:From everything I've read (and tried), ChromeOS is actually a VERY tough nut to crack from a security point of view. Its biggest drawback is its biggest strength -- it's basically just a web browser and not much else. That's a pain in the butt if you want to color outside that line at all (like running a local password manager), but it also reduces the attack surface to about as small as it can get. I never had a chromebook and I don't really have a clue what they can and cannot do, so please forgive my stupid question: Do they not have a way to access a storage device? Because, if they do have some kind of means of accessing a storage device, then maybe one could save the password database there and copy on the same drive a copy of keepass compiled for arm (or whatever cpu they have) and run it from there? Sure, it wouldn't be synchronized with the android one, but how often do you change the database?
|
Jun 3, 2017 17:47 |
|
Volguus posted:I never had a chromebook and I don't really have a clue what they can and cannot do, so please forgive my stupid question: Do they not have a way to access a storage device? Because, if they do have some kind of means of accessing a storage device, then maybe one could save the password database there and copy on the same drive a copy of keepass compiled for arm (or whatever cpu they have) and run it from there? Sure, it wouldn't be synchronized with the android one, but how often do you change the database? They do have local storage, and if it has the hardware, you can plug in a USB drive or SD card to access your stuff. But it won't allow you to execute random files, at least not without jumping through various developer-mode hoops like Crouton. It does also have a basic but functional ssh client, so I suppose you could set up a CLI password manager on a trusted remote server somewhere.
|
Jun 3, 2017 17:55 |
|
Furism posted:Why would you want a Chromebook over a Linux laptop? Genuinely interested to understand the use case. The other posts have answered a lot of this, but what pushes it over the top for me is that over the years, more and more of my computing has been in the browser exclusively. When I'm at my desktop 95% of my usage is covered by IDEs, text editors, games, and Chrome. I can't stand programming without multiple monitors so I'm not going to need the IDEs or text editors on a laptop. Ditto for gaming. That leaves Chrome as the vast majority of what I use on a laptop. It has word processors, spreadsheets, instant messaging, and all the rest of the web. Couple that with the other stuff mentioned like basically zero janitoring and it was a no-brainer for me.
|
Jun 3, 2017 18:52 |
|
Furism posted:Why would you want a Chromebook over a Linux laptop? Genuinely interested to understand the use case. ChromeOS is Linux.
|
Jun 3, 2017 19:52 |
|
Do chromebooks support 7zip? That uses AES-256 when encrypted. Dump the passwords for stuff that is relevant to the chromebook to plain text, secure that with the strong password you have memorized for keepass. Still kinda a pain compared to automatic entry, but way easier than copying from the phone by eye.
|
Jun 3, 2017 21:03 |
|
Klyith posted:Do chromebooks support 7zip? That uses AES-256 when encrypted. Dump the passwords for stuff that is relevant to the chromebook to plain text, secure that with the strong password you have memorized for keepass. Still kinda a pain compared to automatic entry, but way easier than copying from the phone by eye. The only things ChromeOS can run out of the box come from the Chrome store. There's also an extremely limited CLI, which 99% of users will never even see. But you can get a vastly improved, bash-like shell just by putting the thing into developer mode. Once there, you can do any command line tricks you like for do-it-yourself compression and/or encryption of files.
|
Jun 3, 2017 21:18 |
|
Powered Descent posted:The only things ChromeOS can run out of the box come from the Chrome store. There's also an extremely limited CLI, which 99% of users will never even see. But you can get a vastly improved, bash-like shell just by putting the thing into developer mode. Once there, you can do any command line tricks you like for do-it-yourself compression and/or encryption of files. You can just install one of the apps from the Chrome store that unzip 7zip files.
|
Jun 3, 2017 21:55 |
|
Thermopyle posted:You can just install one of the apps from the Chrome store that unzip 7zip files. I'll admit it, this gave me a little chill.
|
Jun 3, 2017 22:06 |
|
The chrome extensions to open keepass DBs didn't work on my chromebook, but I was able to force the android-app feature on and get convenient access that way. While I can use desktop linux on it, the chrome stuff is fine, and it was good and cheap.
|
Jun 4, 2017 00:40 |
|
https://twitter.com/rygorous/status/871234463165931524 https://twitter.com/rygorous/status/871240324655398913/ Absurd Alhazred fucked around with this message at 06:51 on Jun 4, 2017 |
Jun 4, 2017 06:48 |
|
hobbesmaster posted:ChromeOS is Linux. Don't be a rear end, you know what I meant.
|
Jun 4, 2017 08:03 |
|
Good lord, that may as well read "under complex micro-architectural conditions, processor may not work when processing data".
|
Jun 4, 2017 08:06 |
|
Is this worse than the Pentium floating-point problem?
|
Jun 4, 2017 13:49 |
|
Kazinsal posted:Good lord, that may as well read "under complex micro-architectural conditions, processor may not work when processing data". That one is pretty ridiculous, by my reading. When working on a JIT, we would occasionally get suggestions from Intel to change code generation in ways that didn't have detectable effect on performance, but would "work better across a range of processors". I wonder how much of it was avoiding nonsense like this.
|
Jun 4, 2017 16:58 |
|
Subjunctive posted:That one is pretty ridiculous, by my reading. Could it be related to the pipeline prediction? Were they telling you to maybe hit those registers as much to give the processor time to do all the branches?
|
Jun 4, 2017 22:34 |
|
EVIL Gibson posted:Could it be related to the pipeline prediction? We're they telling you to maybe hit those registers as much to give the processor time to do all the branches? We did lots of work on pipelining and tracking perf counters for dispatch and stalls, but this stuff didn't come with performance justification. Like the NSA designing S-boxes maybe!
|
Jun 4, 2017 22:43 |
|
Absurd Alhazred posted:https://twitter.com/rygorous/status/871234463165931524 Is TSX just cursed in general? It was broken and needed to be disabled in microcode updates in Haswell. It was broken in Broadwell...but a year after they shipped the microcode on Haswell my quad-core Broadwell laptop had it broken and needed a microcode update to boot most Linux distributions by disabling it. Now it's broken in Skylake. Just... wow. EDIT: The completely other frustrating thing is the needed microcode for the Broadwell quad core laptop issue was only released as part of an MSI BIOS update for several months. Cue people writing tools to scrape it and put it in their Linux initramfs. gourdcaptain fucked around with this message at 01:27 on Jun 5, 2017 |
Jun 5, 2017 01:22 |
|
gourdcaptain posted:Is TSX just cursed in general? It was broken and needed to be disabled in microcode updates in Haswell. It was broken in Broadwell...but a year after they shipped the microcode on Haswell my quad-core Broadwell laptop had it broken and needed a microcode update to boot most Linux distributions by disabling it. Now it's broken in Skylake. Just... wow. Spooky Transaction at a Distance.
|
Jun 5, 2017 01:35 |
|
What's a good free program to use to encrypt USB sticks being sent through the mail? Security is paramount, but something relatively easy for non-techies to use would be a huge plus.
|
Jun 8, 2017 16:20 |
|
Avenging_Mikon posted:What's a good free program to use to encrypt USB sticks being sent through the mail? Security is paramount, but something relatively easy for non-techies to use would be a huge plus. Bitlocker.
|
Jun 8, 2017 16:25 |
|
The Fool posted:Bitlocker. We don't give out local admin, so the non-techies wouldn't be able to enable it.
|
Jun 8, 2017 16:46 |
|
PGP?
|
Jun 8, 2017 16:55 |
|
Avenging_Mikon posted:We don't give out local admin, so the non-techies wouldn't be able to enable it. Could you install 7zip?
|
Jun 8, 2017 17:03 |
|
Loving Africa Chaps posted:Could you install 7zip? Oh wow, I didn't realize 7zip did encryption. That's actually perfect then. Thanks!
|
Jun 8, 2017 17:04 |
|
Make sure you're using good passwords. I think the default settings don't encrypt metadata. Also: there are crack utilities out there. (I haven't used it, just spent a few seconds on Google.)
|
Jun 8, 2017 17:27 |
|
Evis posted:Make sure you're using good passwords. I think the default settings don't encrypt metadata. Also: there are crack utilities out there. (I haven't used it, just spent a few seconds on Google.) But doesn't that article actually imply that 7zip's using decent encryption? quote:At least from version 3.x, 7-Zip has been using a strong AES algorithm, which doesn't allow any attacks more effective than the brute force. Besides, the key derivation function is very similar to RAR one, and uses more than 130000 SHA-256 transformations and brute force rate on modern CPU is very low, only several hundreds of passwords per second. This carries inference that 7-Zip password encryption is one of the strongest between popular encryption systems in the context of brute force rate. quote:Please bear in mind you have quite no chance to crack unknown password (longer than 6-7 symbols) if you have no additional info about it.
|
Jun 8, 2017 18:16 |
|
It does, but I haven't done any technical work to back that up or verify the claim.
|
Jun 8, 2017 20:04 |
|
Last Chance posted:But doesn't that article actually imply that 7zip's using decent encryption? that's why you have to use good passwords, there's a ready-made brute force attack available. plus nobody's subjected 7zip to a fine-comb review for flaws. I'd use it to protect my own poo poo, like the passwords question earlier. But above that, it would depend. 7zip is an ok compromise for the original question -- encryption, no admin or OS privileges, easy to use for non-technical people. Hopefully that means they're not dealing with medical or financial records, just the secret powerpoints for next year's juicero. A better question would be why are employees who need to send secure, encrypted data: a) disallowed from admin access so they're locked out of bitlocker and presumably therefore not using full-disk encryption, making giant risks if someone's laptop gets stolen? b) sending USB sticks through the mail like a bunch of cavemen? But I guess those questions belong in one of the stupid IT stories threads.
|
Jun 8, 2017 20:12 |
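The key-derivation step that the article quoted a few posts up is describing, and that makes the "ready-made brute force" Klyith mentions so slow, as an added Python example that is not part of this thread and not 7-Zip's own code. It re-implements the scheme as I understand it from 7-Zip's 7zAes source: one SHA-256 is fed (salt || password as UTF-16LE || 8-byte little-endian round counter) once per round, for 2^NumCyclesPower rounds. The round layout and the assumed default of 2^19 rounds are my assumptions, not something the thread states (the quoted article's "more than 130000" would correspond to 2^17). The timing helper then turns the measured per-core derivation rate into the time needed to exhaust a password space, which is the number a defender actually wants when deciding how long the archive password has to be.

```python
import hashlib
import time

# Added example, not code from the thread or from 7-Zip itself. The round layout
# and the default round count are my understanding of 7-Zip's 7zAes code and are
# stated here as assumptions: a single SHA-256 is fed
#   salt || password_utf16le || counter (8-byte little-endian, starting at 0)
# once per round, and the digest of that whole stream is the AES-256 key.
DEFAULT_NUM_CYCLES_POWER = 19  # assumed 7-Zip default: 2**19 = 524288 rounds


def sevenzip_derive_key(password: str, salt: bytes = b"",
                        num_cycles_power: int = DEFAULT_NUM_CYCLES_POWER) -> bytes:
    """Return the 32-byte AES-256 key derived from password and salt.

    num_cycles_power is log2 of the round count; 7-Zip stores it in the archive
    next to the salt. The special value 0x3F ("no hashing") is rejected here.
    """
    if not 0 <= num_cycles_power < 0x3F:
        raise ValueError("num_cycles_power must be in the range 0..62")
    block = salt + password.encode("utf-16-le")
    h = hashlib.sha256()
    for counter in range(1 << num_cycles_power):
        h.update(block + counter.to_bytes(8, "little"))
    return h.digest()


def derivations_per_second(num_cycles_power: int = DEFAULT_NUM_CYCLES_POWER,
                           samples: int = 3) -> float:
    """Measure single-threaded key derivations per second on this machine.

    A password guess costs exactly one derivation, so this rate (times the
    attacker's core count and any native/GPU speed-up) bounds the guessing rate
    that the chosen password length has to beat.
    """
    start = time.perf_counter()
    for i in range(samples):
        # Constructed benchmark inputs, not values from any real archive.
        sevenzip_derive_key(f"bench-{i}", b"\x00" * 16, num_cycles_power)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Years to try every password of `length` symbols from a `charset_size`
    alphabet at `rate` guesses per second (full search; expected time is half)."""
    return charset_size ** length / rate / (365 * 24 * 3600)


def report(rate: float, charset_size: int = 62, lengths=(6, 8, 10, 12)) -> dict:
    """Map password length -> years to exhaust at the given guessing rate."""
    return {n: years_to_exhaust(charset_size, n, rate) for n in lengths}


if __name__ == "__main__":
    # Constructed sample salt and password, not taken from any real archive.
    key = sevenzip_derive_key("correct horse battery staple", bytes(range(16)))
    print("derived key:", key.hex())
    rate = derivations_per_second()
    print(f"~{rate:.1f} derivations/s, pure Python, one core, "
          f"2**{DEFAULT_NUM_CYCLES_POWER} rounds")
    for n, years in report(rate).items():
        print(f"{n:2d}-char alphanumeric password: {years:.3g} years to exhaust")
```

Pure Python with hashlib manages a few derivations per second per core at 2^19 rounds; a native cracker on a GPU does far better, so scale the printed rate up by a few orders of magnitude before trusting the years column. The point that survives any such scaling is the one Klyith makes: the KDF only buys time, and a 6-character password is exhausted quickly no matter how many SHA-256 rounds sit in front of it.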
|
In regards to point a, bitlocker fde can be enabled and managed via GPO and/or MBAM with no need for the end user to have any input at all. edit: That being said, I just confirmed on my workstation that using bitlocker on removable devices does not require admin.
|
Jun 8, 2017 20:15 |
|
Klyith posted:A better question would be why are employees who need to send secure, encrypted data: A) No one gets admin except IT. At all. Ever. We provide network drives for people to store things on, so FDE isn't required because none of that information is local. B) Because it's a file from the municipal government, and their guideline is "No emailing our files, or we'll sue you. Yes you can mail them." The issue arose because the first USB sent out was an encrypted USB, so everything was just on it, but the recipient entered the wrong password enough that the data was wiped. There was no second USB laying around, and no one wanted to drive the hour there and back to pick one up.
|
Jun 8, 2017 20:24 |
|
Kazinsal posted:Good lord, that may as well read "under complex micro-architectural conditions, processor may not work when processing data". It's not quite that bad. You have to be using the H registers, which access the next-to-lowest 8 bits of the full register value. Probably uncommon, and easy to avoid.
|
Jun 8, 2017 20:29 |
|
Avenging_Mikon posted:A) No one gets admin except IT. At all. Ever. We provide network drives for people to store things on, so FDE isn't required because none of that information is local. I take it you aren't concerned about attackers with local access?
|
Jun 8, 2017 20:36 |
|
The Fool posted:In regards to point a, bitlocker fde can be enabled and managed via GPO and/or MBAM with no need for the end user to have any input at all. Bitlocker on a removable volume is likely going to be the only way you can enforce a password strength standard. 7-zip or whatever other archive format is going to be on the honor system that the users don't subvert it.
|
Jun 8, 2017 21:09 |
|
BangersInMyKnickers posted:Bitlocker on a removable volume is likely going to be the only way you can enforce a password strength standard. 7-zip or whatever other archive format is going to be on the honor system that the users don't subvert it. This is a prescient point, but I think the person requesting the info was the one that was going to be doing the encrypting. I used VeraCrypt in the past with cert based keys to ship encrypted volumes internationally. Encrypting and then decrypting the volume on the remote side took quite a while, but I documented the process well enough that an office manager for whom English was not their first language was able to repeat the process after I walked them through it twice.
|
Jun 8, 2017 22:35 |
|
Evis posted:I take it you aren't concerned about attackers with local access? Not particularly. First they'd need to grab someone's account credentials, and then they'd only have access to what that person's permissions give them, and we have Windows' Previous Versions going @ 7am and noon, so a delete rampage isn't terribly effective, and so the only thing they could really do is exfiltrate data, and the only data we have that's worth exfiltrating is students' personal info such as address or grades, and that's in a web-based program that doesn't have a mass export option. Is it possible something could happen? Yes, absolutely. Is it likely? No, not really. Is it something we've worked to mitigate anyway? You betcha. But with our users, FDE would likely cause more issues than it solves.
|
Jun 8, 2017 22:50 |
|
Dylan16807 posted:It's not quite that bad. You have to be using the H registers, which access the next-to-lowest 8 bits of the full register value. Probably uncommon, and easy to avoid. Yes, I know. I can think of at least three functions in one of my hobby projects that are susceptible to this bug. I just haven't had a Kaby Lake box to test on yet. Time to rewrite those loops...
|
Jun 8, 2017 23:09 |
|
Talking about Veracrypt... Is it just me or is it less stable than TrueCrypt? I've had crashes, volumes that don't mount until a reboot, or the GUI sometimes getting stuck (not hanging, just not being able to minimize it away) and I could swear it takes a bit longer than TC to mount a drive. I realize it's been audited so I use it but I'm tempted to just go back to the second-to-last release of TC.
|
Jun 9, 2017 08:20 |
|
I'm looking at how to let our helpdesk accept UAC prompts when using remote assistance, and it looks like the only way is by enabling the UIAccess policy. UIAccess only works if the "User Account Control: Switch to the secure desktop when prompting for elevation" policy is disabled. It seems to me disabling secure desktop would reduce the effectiveness of UAC, am I right about that? One of the helpdesk guys came to me this morning asking that we set UAC to be disabled by default, so that they don't have to walk people through clicking on prompts while using remote assistance. This is the 6th or 7th time I've explained to him why that's a bad idea, and why we should never do that.
|
Jun 9, 2017 16:28 |
|
The way that UAC presents its elevation prompt in the secure desktop is to prevent a normal application from spoofing the elevation prompt and stealing credentials. This is assuming a savvy enough user base to tell the difference in the first place. It's the default for a reason but can be disabled for your explicit use case so I would say doing so is appropriate.
|
Jun 9, 2017 16:35 |
|
Get a better remote access solution. Teamviewer is able to interact with UAC dialogs just fine, I do it all the time. From what I've seen GoToMyPC/GoToAssist and Join.me both seem to be able to as well. Do not disable or weaken UAC and if you have any influence over the idiot who suggested to turn it off make sure he learns why that's a colossally dumb idea.
|
Jun 9, 2017 19:36 |