Wiggly Wayne DDS
Sep 11, 2010



i'm always impressed with what software people manage to find for a more or less solved problem

seriously can you guys make a list somewhere? these weird recommendations people make on forums for 'security software anyone should have' that no one in security's heard of is legitimately impressive. it's a massive blind spot in auditing as, as a general rule, security researchers tend to only audit apps they've heard of or use, causing this wide divide


Volguus
Mar 3, 2009
If nobody is reinventing the wheel most of us will be unemployed. We definitely do not want that.

CLAM DOWN
Feb 13, 2007




Volguus posted:

If nobody is reinventing the wheel most of us will be unemployed. We definitely do not want that.

Reinventing the wheel for sake of reinventing the wheel isn't the right way, though.

BlankSystemDaemon
Mar 13, 2009



CLAM DOWN posted:

Reinventing the wheel for sake of reinventing the wheel isn't the right way, though.
Just look at Linux containers; FreeBSD jails are getting on 20 years old and namespaces+cgroups still don't do anything for isolation - you either have to pay, or pray that you do it right.
People also still think chroot is for isolation - even some OpenBSD people, who should know better by now.

Trabisnikof
Dec 24, 2005

Volguus posted:

If nobody is reinventing the wheel most of us will be unemployed. We definitely do not want that.

Tired: reinventing the wheel
Wired: bikeshedding

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Proteus Jones posted:

Oh Android, you keep being you.

quote:

Most of the Infected devices Are Android Smart Phones or TV Box with ADB Debugging Interface Opened

Yawn.

This is analogous to a router that had a public facing telnet with admin:admin exposed by the OEM for development, lol Linux is insecure. The default behavior in Android is for ADB to be disabled; the user has to enter a hidden menu in device settings and enter their password again to explicitly enable it. On newer versions of Android you also have to explicitly approve every device that connects to ADB just in case someone tries a fast one on your dev device.

Thanks Ants
May 21, 2004

#essereFerrari


So this is people rooting their own devices to watch pirated football streams and then taking a terrible approach to network security, as well as poo poo-tier OEMs shipping things with debuggers enabled.

Zaepho
Oct 31, 2013

Siochain posted:

That segues nicely into my question - corporate password management. Aka - what would you all recommend for our small IT team to track all of our various systems/passwords?

Currently we're just using Keepass, and I'm okay with that, but if there's something better (that's appropriate for a corporate setting), fire me some recommendations.

Personally, I like SecretServer. There is a Free version that gets you in the door and then there's pay versions with all the big boy features.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Volmarias posted:

Yawn.

This is analogous to a router that had a public facing telnet with admin:admin exposed by the OEM for development, lol Linux is insecure. The default behavior in Android is for ADB to be disabled; the user has to enter a hidden menu in device settings and enter their password again to explicitly enable it. On newer versions of Android you also have to explicitly approve every device that connects to ADB just in case someone tries a fast one on your dev device.
It's "lol android is insecure", which is true because a vendor can "accidentally" leave adb running, open to the internet. Defending Android with the "but newer versions..." is an extremely poor excuse, because over half of all Android devices are on somewhere between 5.0 (2014) and 6.0 (2015) and I am absolutely positive Google's reporting doesn't include AOSP IoT garbage, which is exactly what was affected here.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

anthonypants posted:

It's "lol android is insecure", which is true because a vendor can "accidentally" leave adb running, open to the internet.

I'm not sure if I do or don't agree with you here.

Is it not possible for a vendor to accidentally leave most operating systems in an insecure state on their devices?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

I don’t believe it’s possible with iOS of any vintage, because each connecting device needs to be authorized.

stevewm
May 10, 2005
The bigger question is.. are people connecting these things directly to the internet? Are they port forwarding 5555?

Also, you can actually disable the ADB auth mechanism with a setting in default.prop. You can bet many of these cheap lovely boxes have it disabled. If it is disabled, ADB on the device will just accept any connection to it.
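As an added example (not from the thread or any vendor's code), a small audit of the kind of default.prop stevewm describes. The property names are AOSP's own ADB-related properties; the two sample files are constructed, and a missing ro.adb.secure is reported as a finding because adbd reads that flag as a boolean defaulting to off.

```python
import math  # unused here; kept out of the audit logic

# Constructed sample .prop files (not from any real device) showing the two
# configurations the thread contrasts: a box shipped with ADB authentication
# off and adbd listening on TCP, and a production-style configuration.
INSECURE_PROP = """\
# constructed example of a shipped default.prop
ro.secure=0
ro.adb.secure=0
ro.debuggable=1
persist.service.adb.enable=1
service.adb.tcp.port=5555
"""

SECURE_PROP = """\
# constructed example of a production-style default.prop
ro.secure=1
ro.adb.secure=1
ro.debuggable=0
"""

def parse_props(text):
    """Parse key=value lines of an Android .prop file into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_adb(props):
    """Return (property, explanation) pairs for settings that weaken ADB."""
    findings = []
    # adbd treats ro.adb.secure as a boolean that defaults to false, so a
    # missing property is as bad as an explicit 0: no RSA key prompt at all.
    if props.get("ro.adb.secure", "0") != "1":
        findings.append(("ro.adb.secure",
                         "missing or 0: any client is accepted without key authorization"))
    if props.get("ro.secure", "1") == "0":
        findings.append(("ro.secure",
                         "0: adbd keeps root instead of dropping to the shell user"))
    if props.get("ro.debuggable") == "1":
        findings.append(("ro.debuggable",
                         "1: debug build, 'adb root' is permitted"))
    if props.get("persist.service.adb.enable") == "1":
        findings.append(("persist.service.adb.enable",
                         "1: adbd starts at boot without the user enabling USB debugging"))
    port = props.get("service.adb.tcp.port", "")
    if port.isdigit() and int(port) > 0:
        findings.append(("service.adb.tcp.port",
                         f"{port}: adbd listens on TCP, reachable from the network"))
    return findings

if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_PROP), ("secure", SECURE_PROP)):
        print(f"{name}:")
        for key, why in audit_adb(parse_props(text)) or [("(none)", "no ADB weaknesses")]:
            print(f"  {key} {why}")
```

Run against a pulled default.prop or build.prop, the output lists exactly which of the "multiple tiers" of bad choices a given box has made.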

evil_bunnY
Apr 2, 2003

Thermopyle posted:

I'm not sure if I do or don't agree with you here.

Is it not possible for a vendor to accidentally leave most operating systems in an insecure state on their devices?
That's the #1 issue with android: OEMs have no loving clue what they're doing, and after a couple years no incentive to fix anything at all.

stevewm
May 10, 2005

evil_bunnY posted:

That's the #1 issue with android: OEMs have no loving clue what they're doing, and after a couple years no incentive to fix anything at all.

That is being generous.. Many are lucky to fix or update anything after the product's first release. What, an updated OS? Buy our updated product!

BlankSystemDaemon
Mar 13, 2009



MeltrePrime: Meltre harder.

BlankSystemDaemon fucked around with this message at 23:56 on Feb 13, 2018

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

Proteus Jones posted:

Yeah, I'm not a fan of autofill AT ALL. Fortunately, 1Password allows you to temporarily copy fields manually to the clipboard, including OTPs. I imagine Keepass is similar given all the recommendations for it.

I don't like using clipboard for passwords even momentarily, I prefer Keepass autotype or manual typing. I would think keylogging should be at least significantly harder than reading clipboard. I wouldn't be surprised if there was some way for website javascript to read clipboard.

The last straw for me was when I was using a Ubuntu VM meant for server management at work, and I tried to paste a string and I got a string from home. It had leaked through a separate Win7 VM with an RDP to it. So I had copied a string at my home computer, Remote Desktop Connection dutifully sent the clipboard to the Win7 VM, and even though the local console was locked, Virtualbox copied that to the host desktop and from there to the Ubuntu VM, and presumably every other VM I had running. After that I cut the clipboard sharing for the management VM.


Double Punctuation posted:

This is why most password complexity requirements are bullshit. It’s a lot better to let users pick a long (20 characters absolute minimum) passphrase that’s easy to remember than it is to require symbols and stuff. All you should be doing with complexity requirements is setting a minimum character count and prohibiting repeated or keyboard sequences like 1234567890 or qwertyuiop.

Klyith posted:

password complexity requirements are bullshit, but "everyone should use passphrases" is also bullshit. passphrases are:

Yeah, a 20 letter passphrase doesn't help much when the owner uses it on every website and it's stolen from some hobbyist forum run by one dude. Brute forcing can be technically limited by restricting the failed online login attempts and increasing the password hashing complexity, but services are pretty much powerless against reuse. The only method I can think of is to require the password to include a specific, short, random string. If every website did that then all passwords would have to be at least partially unique. But that would be even more draconian than usual password requirements.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

anthonypants posted:

It's "lol android is insecure", which is true because a vendor can "accidentally" leave adb running, open to the internet. Defending Android with the "but newer versions..." is an extremely poor excuse, because over half of all Android devices are on somewhere between 5.0 (2014) and 6.0 (2015) and I am absolutely positive Google's reporting doesn't include AOSP IoT garbage, which is exactly what was affected here.

You have to actively work to leave it in an insecure state, though. How is this any different from a vendor that leaves telnet open to the world on a device because it's easier for development then ships it that way?

Proteus Jones
Feb 28, 2013



Volmarias posted:

You have to actively work to leave it in an insecure state, though. How is this any different from a vendor that leaves telnet open to the world on a device because it's easier for development then ships it that way?

It’s not? Both are terrible.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
Both are terrible, but the major difference between a telnet session and an ADB session is that you don't know what shell you'll get over telnet, and you don't know what level of permissions you'll get. You can't guarantee it'll be some sort of root user, or even that you'll be allowed to execute code without further exploits. ADB is designed to be a "debug" "bridge" for "android", so it's explicitly operating at the highest level of privilege in order to allow you to configure whatever you want or sideload an apk or upload firmware, and since it's pretty well-documented there's an extremely low barrier to entry for exploits.

apseudonym
Feb 25, 2011

anthonypants posted:

Both are terrible, but the major difference between a telnet session and an ADB session is that you don't know what shell you'll get over telnet, and you don't know what level of permissions you'll get. You can't guarantee it'll be some sort of root user, or even that you'll be allowed to execute code without further exploits. ADB is designed to be a "debug" "bridge" for "android", so it's explicitly operating at the highest level of privilege in order to allow you to configure whatever you want or sideload an apk or upload firmware, and since it's pretty well-documented there's an extremely low barrier to entry for exploits.

ADB is not the highest privilege level.

Volmarias posted:

You have to actively work to leave it in an insecure state, though. How is this any different from a vendor that leaves telnet open to the world on a device because it's easier for development then ships it that way?
You actively have to screw up to enable it by default, https://source.android.com/compatibility/8.1/android-8.1-cdd#6_1_developer_tools

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!

DACK FAYDEN posted:

Finally, we've found a new economic model for porn sites to replace banner ads.

Replace? Why not buttcoins and banner ads?

doctorfrog
Mar 14, 2007

Great.

Boris Galerkin posted:

Replace? Why not buttcoins and banner ads?
One brave company is letting you choose either.
https://arstechnica.com/information-technology/2018/02/salon-to-ad-blockers-can-we-use-your-browser-to-mine-cryptocurrency/

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Saukkis posted:

The only method I can think of is to require the password to include a specific, short, random string. If every website did that then all passwords would have to be at least partially unique. But that would be even more draconian than usual password requirements.

I proposed this at FB a few times, but even getting the explanatory text to be clear was pretty much impossible.

wolrah
May 8, 2006
what?

apseudonym posted:

ADB is not the highest privilege level.
Yeah, ADB-over-TCP is pretty much comparable to a specialized SSH session. You can get a shell, transfer files, and do a few other things but nothing beyond the privileges of the user sitting in front of the device. You don't get root unless the device has been rooted, and most of the modern root tools treat ADB as yet another application you must explicitly grant permission to operate as root.

Any devices that are exposing a root-capable ADB interface to the internet have gone through multiple tiers of actively stupid actions by the user and/or device vendor. Blaming Android for this is like blaming Windows for Lenovo's preinstalled spyware.

DACK FAYDEN
Feb 25, 2013

Bear Witness

Boris Galerkin posted:

Replace? Why not buttcoins and banner ads?
I meant "replace" as in "replace as an income stream" not as in they're getting rid of banner ads. I don't have that much faith in humanity :(

F4rt5
May 20, 2006

CLAM DOWN posted:

Just curious, do you protect these with a passphrase or something?

Yes.

AlternateAccount
Apr 25, 2005
FYGM

Trabisnikof posted:

Those are only meaningfully different for the most trivial of adversaries.

Can you explain this better?

A list of words alone can be attacked via a simple dictionary of common words, ok.

A list of words separated by a random character with a few others thrown in increases the entropy massively.

So for example, using a passphrase generator, I picked: "should lonely folks leaf"

password: shouldlonelyfolksleaf
entropy: 44.38

password: should lonely folks leaf
entropy: 67.228

password: should+lonely+folks+leaf87#
entropy: 83.764


Are you considering that a dictionary that contains all single characters AND common words could crack it as technically a password with only 10 actual "characters"? Does it not matter that you're running it against thousands of possible characters instead of just an alphabet?

Kerning Chameleon
Apr 8, 2015

by Cyrano4747
This is my Scare Em Straight video whenever I need to beat into people's heads why they need to be using password managers, yesterday:

https://www.youtube.com/watch?v=7U-RbOKanYs

With this as a followup:

https://www.youtube.com/watch?v=3NjQ9b3pgIg

Kerning Chameleon fucked around with this message at 18:33 on Feb 14, 2018

Volguus
Mar 3, 2009

Kerning Chameleon posted:

This is my Scare Em Straight video whenever I need to beat into people's heads why they need to be using password managers, yesterday:

https://www.youtube.com/watch?v=7U-RbOKanYs

With this as a followup:

https://www.youtube.com/watch?v=3NjQ9b3pgIg

And then they go and pick lastpass or 1password or whatever some other lovely password manager service.

an actual dog
Nov 18, 2014

1password is good

Kerning Chameleon
Apr 8, 2015

by Cyrano4747

Volguus posted:

And then they go and pick lastpass or 1password or whatever some other lovely password manager service.

I still consider that an improvement over, say, "michaeldavis1". Much in the same way I consider turning on SMS 2FA an improvement over no 2FA on at all, because it at least forces an additional step on the adversaries. Cheetah Outrunning Security Theory.

Remember Cheetah Outrunning Security is useless if you are being specifically targeted rather than generally.

Proteus Jones
Feb 28, 2013



Volguus posted:

And then they go and pick lastpass or 1password or whatever some other lovely password manager service.

Lastpass is a garbage fire, but what's wrong with 1Password? Or Keepass?

apseudonym
Feb 25, 2011

Kerning Chameleon posted:

I still consider that an improvement over, say, "michaeldavis1". Much in the same way I consider turning on SMS 2FA an improvement over no 2FA on at all, because it at least forces an additional step on the adversaries. Cheetah Outrunning Security Theory.

Remember Cheetah Outrunning Security is useless if you are being specifically targeted rather than generally.

False sense of security is a real danger

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Proteus Jones posted:

Lastpass is a garbage fire, but what's wrong with 1Password? Or Keepass?
Can you buy a non-cloud 1password account these days?

Proteus Jones
Feb 28, 2013



anthonypants posted:

Can you buy a non-cloud 1password account these days?

Oh, yeah didn't think about that. I've owned it since I could use Dropbox, local wireless sync, and at some point they added iCloud Keychain. They're still rolling out updates, so I just assumed it was still an option. A quick look at their site and subscription/cloud based seems the only option now.

If they ever stop updating the non subscription version, I'll probably have to look for a replacement.

EDIT: However their KB/FAQ has this:

quote:

What’s the best way to sync my data?
The simplest way is to sign up for a 1Password account. Everything is stored in your account. Just sign in from a browser or use the 1Password apps.
If you prefer, you can sync it yourself with iCloud, Dropbox, or your local network.

Can 1Password sync with iCloud on my Windows PCs?
1Password can only sync with iCloud on Mac, iPhone, and iPad.

So I don't know. They offer to download the app without signing up for the sub service, but I don't see any indication if they offer a one-time license after the trial ends or how much it costs.

Proteus Jones fucked around with this message at 20:07 on Feb 14, 2018

astral
Apr 26, 2004

anthonypants posted:

Can you buy a non-cloud 1password account these days?

1password 7 is in alpha with the return of standalone vaults.

an actual dog
Nov 18, 2014

They never got rid of standalone vaults in the Mac version, the issue is with the Windows one that is just way behind in general. But yea standalone vaults are coming back.

I really like 1password cloud though, I think letting agilebits handle sync security makes way more sense than dropbox or trusting myself to do it, and keeping it cloud synced in a few places means I'm less likely to lose it. There's also a few extra layers other than just the master password. They also are testing a big update to their browser extension that will work without a separate app, and it's really good.

Trabisnikof
Dec 24, 2005

AlternateAccount posted:

Can you explain this better?

A list of words alone can be attacked via a simple dictionary of common words, ok.

A list of words separated by a random character with a few others thrown in increases the entropy massively.

So for example, using a passphrase generator, I picked: "should lonely folks leaf"

password: shouldlonelyfolksleaf
entropy: 44.38

password: should lonely folks leaf
entropy: 67.228

password: should+lonely+folks+leaf87#
entropy: 83.764


Are you considering that a dictionary that contains all single characters AND common words could crack it as technically a password with only 10 actual "characters"? Does it not matter that you're running it against thousands of possible characters instead of just an alphabet?


How many password attempts can an attacker achieve per hour?

If this is some unfiltered system with unlimited attempts, say like attacking hashes, then it’s only a marginal increase in effort to try my dictionary with different symbols between the words or with a short alphanumeric suffix or prefix. Might help make someone else a lower hanging fruit to crack, but if you’re targeted, the additional resources needed are a small increase in costs compared to the alternative.

If your attacker is limited in the number of attempts in any reasonable way, then a dictionary attack will fail regardless of swapping spaces with a different symbol.
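An added worked example (not from either poster) putting numbers on the two models in this exchange: the character-level estimate a generator reports, versus what is left once an attacker assumes "four dictionary words, one separator, short suffix". The naive model here is a plain len × log2(alphabet) stand-in, not the calculator AlternateAccount used, and the word list size, separator and symbol counts, and the two guess rates are assumptions.

```python
import math

# The three candidates from the post above, with the pattern each follows.
# alphabet = size of the character set a naive calculator would assume.
CANDIDATES = {
    "shouldlonelyfolksleaf":       dict(alphabet=26, separators=1,  digits=0, symbols=0),
    "should lonely folks leaf":    dict(alphabet=27, separators=1,  digits=0, symbols=0),
    "should+lonely+folks+leaf87#": dict(alphabet=68, separators=33, digits=2, symbols=1),
}

WORDS = 4
WORDLIST_SIZE = 7776      # assumption: diceware-sized list the attacker also has
DIGIT_CHOICES = 10
SYMBOL_CHOICES = 32       # assumption: ASCII punctuation
ONLINE_RATE = 10          # assumption: throttled login endpoint, guesses/second
OFFLINE_RATE = 1e9        # assumption: leaked fast-hash dump on a GPU rig

def naive_bits(password, alphabet):
    """What a character-level calculator reports: length * log2(alphabet)."""
    return len(password) * math.log2(alphabet)

def structural_bits(separators=1, digits=0, symbols=0):
    """Bits left once the attacker knows the pattern: WORDS dictionary words,
    one separator reused between them, then an optional digit/symbol suffix."""
    bits = WORDS * math.log2(WORDLIST_SIZE)
    bits += math.log2(separators)
    bits += digits * math.log2(DIGIT_CHOICES)
    bits += symbols * math.log2(SYMBOL_CHOICES)
    return bits

def years_to_exhaust(bits, guesses_per_second):
    """Time to walk the entire space at a given guess rate, in years."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)

def compare(password):
    """Both estimates plus exhaustive-search time under each attacker."""
    p = CANDIDATES[password]
    naive = naive_bits(password, p["alphabet"])
    real = structural_bits(p["separators"], p["digits"], p["symbols"])
    return {
        "naive_bits": round(naive, 2),
        "structural_bits": round(real, 2),
        "online_years": years_to_exhaust(real, ONLINE_RATE),
        "offline_years": years_to_exhaust(real, OFFLINE_RATE),
    }

if __name__ == "__main__":
    for pw in CANDIDATES:
        r = compare(pw)
        print(f"{pw!r}: naive {r['naive_bits']} bits, attacker model "
              f"{r['structural_bits']} bits, online {r['online_years']:.2e} y, "
              f"offline {r['offline_years']:.2e} y")
```

Under the throttled attacker all three survive for millions of years; the spread only matters against an offline hash dump, where the bare four-word phrase falls in weeks and the suffix buys the extra bits, far fewer than the alphabet-based figures suggest.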

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

an actual dog posted:

I think letting agilebits handle sync security makes way more sense than dropbox or trusting myself to do it,

Is this right?

It feels like if the encryption of your data is working correctly the "cloud" portion of this could be an open FTP server. Dropbox or agilebits or onedrive are not involved in "sync security".


an actual dog
Nov 18, 2014

Thermopyle posted:

Is this right?

It feels like if the encryption of your data is working correctly the "cloud" portion of this could be an open FTP server. Dropbox or agilebits or onedrive are not involved in "sync security".

This isn't wrong, but even if it's encrypted correctly I wouldn't be happy if someone hacked my dropbox and downloaded my vault files. Like I can think of several ways that could go wrong.

There's also a few cool features that they added cause they control the servers now, like one that removes passwords from your phone for when you're crossing a border.
