Fashionable Jorts
Jan 18, 2010

Maybe if I'm busy it could keep me from you



If the government wants to get you, they'll get you.

Flipperwaldt
Nov 11, 2011

Won't somebody think of the starving hamsters in China?



Lambert posted:

Yeah, but I assume the government would be more interested in your emails, or chat messages than your rear end collection.
They are fools.

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Lambert posted:

Yeah, but I assume the government would be more interested in your emails, or chat messages than your rear end collection.

That's what ProtonMail and Signal are for. :ninja:

e: And Veracrypt to keep your butts in. :butt:

Powered Descent fucked around with this message at 22:22 on Jan 9, 2020

Ola
Jul 19, 2004

Klyith posted:

This is not how rainbow attacks work, a rainbow table doesn't have every combination of random characters. All combinations of just 9 random alphanumeric characters is 62^9 entries long. If every entry of key + hashes is just 100 bytes, your rainbow table is (62^9*100)/(1024^6) = 1.17 exabytes. (Uncompressed text though, put it in a zip file and it'll only be a couple dozen petabytes or so. Have fun torrenting that!)


Say it was something off the common password lists then. Main point is, a password database without salts is vulnerable to rainbow attacks and the entire thing is attackable at once, since you can look up all the identical hashes.

endlessmonotony posted:

This is a scenario that doesn't exist. I wouldn't worry about problems that aren't going to exist.


It does exist. Adobe did it and probably many more.

quote:

Researchers have revealed, and Adobe has confirmed, that the millions passwords stolen during the breach in October were not originally stored according to industry best practices. Instead of being hashed, the passwords were encrypted, which could make things a little easier for those looking to crack them.

https://www.csoonline.com/article/2134124/adobe-confirms-stolen-passwords-were-encrypted-not-hashed.html

endlessmonotony posted:

This is exactly why I said that. By the time you're dealing with state actors it's absolutely not your password manager that's the target or a meaningful component of your data leaving your possession.

"Normal internet criminals" is a sufficient threat, and a password manager is a good protection tool that is simple to use for most people. And nation state isn't all Jack Bauer and NSA stuff, it's also random hoodlums paid by rear end in a top hat governments to steal bitcoin and spam Killary memes from hacked social media accounts.

D. Ebdrup posted:

Dictionary attacks are the exact reason why words should be avoided.

Adding to what Klyith's said, there are also generated dictionaries based on common patterns (e.g. sports team + late 20th or early 21st century birth year), machine learning trained on big leaks which provide probabilities on how they are shaped etc. People are very similar. Capitalized sports team + late 20th or early 21st century birth year + exclamation mark looks very secure if you look at the math of the whole character space. https://howsecureismypassword.net/ says it will take a computer 7 quadrillion years to crack "DallasCowboys1987!". But a clever dictionary attack can find it.

So in that sense, words or common patterns should be avoided and the easiest way is to get the manager to generate 15-20 characters of gibberish for you. If you want to check if a site is truncating your input, you can try logging on with the first or last character missing. That should actually be possible for password managers to do automatically.

endlessmonotony
Nov 4, 2009

by Fritz the Horse

Do you even read what you post, or what other people post for that matter?

Adobe's security got compromised because they were clownshoes, and as a result people figured out their password storage was clownshoes. No poo poo Sherlock it's goddamn Adobe.

And I don't get where you got the idea anyone at all, least of all me, is saying not to use password managers. :psyduck:

And I doubly don't get why you think it matters how the bruteforce time of any online password matters in any shape way or form. Why would you bruteforce the passwords of a service you have already compromised are these some loving Wacky Races cybervillains who crib their business model from the Brotherhood of Dada or something?

Ola
Jul 19, 2004

endlessmonotony posted:


And I doubly don't get why you think it matters how the bruteforce time of any online password matters in any shape way or form. Why would you bruteforce the passwords of a service you have already compromised are these some loving Wacky Races cybervillains who crib their business model from the Brotherhood of Dada or something?

It's meant to illustrate the relative efficiency of an attack. Just because a password db is stolen doesn't mean it's usable for nefarious purposes or that they have full access to anything else. A service being "compromised" doesn't mean Tom Cruise has ziplined into the mainframe and can do what he wants.

Klyith
Aug 3, 2007

GBS Pledge Week

Ola posted:

Say it was something off the common password lists then. Main point is, a password database without salts is vulnerable to rainbow attacks and the entire thing is attackable at once, since you can look up all the identical hashes.

Ok, it's kinda a trivial distinction. But I don't think crackers actually use rainbow tables anymore, because an unsalted database can also be cracked by GPU attacks very effectively. Each GPU guess works against the whole corpus. Why keep a 100GB file sitting around when a GPU can regenerate the math that created that file in an hour? A GPU rig can chew through all possibilities of 8 characters alphanum in a couple days. That would be a 20 petabyte rainbow table. GPUs are more powerful than rainbow tables.


But all that is beside the point. Unsalted password databases are about as common as ones where the passwords are stored plaintext. That is, both can be found if you look around. Who cares about which flavor of security fuckup was responsible for your passwords getting stolen? The problem isn't rainbow tables. The problem is that any time you send in a password, the people you're telling it to might be complete morons. And that's why password reuse is bad, no matter what complexity of password you choose.


endlessmonotony posted:

And I doubly don't get why you think it matters how the bruteforce time of any online password matters in any shape way or form. Why would you bruteforce the passwords of a service you have already compromised are these some loving Wacky Races cybervillains who crib their business model from the Brotherhood of Dada or something?

It matters because online services frequently are compromised in ways where the attacker has limited control over only one part of the whole. Password databases are frequent targets for quick hits because they're easily identifiable and potentially useful even if the attacker doesn't care about the service itself. Also they tend to live on the outer layer of a complex web service. Meanwhile, installing a CC-scraping script on a service is more complicated and tends to be noticed faster.

High-entropy passwords that are immune to current and future attack even after years of predicted hardware advancement are good because a compromised site doesn't always know (or report) that it's been hacked.


Ola posted:

So in that sense, words or common patterns should be avoided and the easiest way is to get the manager to generate 15-20 characters of gibberish for you.

:hai:
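The salted-versus-unsalted point argued in the posts above, as an added example that is not part of the thread: it audits a constructed credential table both ways and counts the hash computations each audit needs. The account names, the stand-in word list, and the choice of SHA-256 and PBKDF2 with 100,000 rounds are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; two users deliberately share a password.
ACCOUNTS = {
    "alice": "DallasCowboys1987!",
    "bob": "DallasCowboys1987!",
    "carol": "k3Vq9ZtLw0pXhR7uYb2N",
    "dave": "letmein",
}
# Constructed stand-in for a common-password list.
COMMON = ["letmein", "password", "DallasCowboys1987!"]
PBKDF2_ROUNDS = 100_000  # assumed work factor for this demo


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def store_unsalted(accounts):
    """One fast hash per password, no salt: user -> hex digest."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in accounts.items()}


def store_salted(accounts):
    """Random 16-byte salt per user plus a slow KDF: user -> (salt, digest)."""
    table = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        table[user] = (salt, _kdf(password, salt))
    return table


def shared_digest_groups(digests):
    """Groups of users whose stored digests are identical (user -> digest)."""
    groups = defaultdict(list)
    for user, digest in digests.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def audit_unsalted(table, wordlist):
    """Flag users of listed passwords. Each word is hashed once for all users."""
    by_digest = defaultdict(list)
    for user, digest in table.items():
        by_digest[digest].append(user)
    flagged, hashes = set(), 0
    for word in wordlist:
        hashes += 1
        digest = hashlib.sha256(word.encode()).hexdigest()
        flagged.update(by_digest.get(digest, []))
    return sorted(flagged), hashes


def audit_salted(table, wordlist):
    """Same audit, but every word must be re-derived under each user's salt."""
    flagged, hashes = set(), 0
    for user, (salt, digest) in table.items():
        for word in wordlist:
            hashes += 1
            if hmac.compare_digest(_kdf(word, salt), digest):
                flagged.add(user)
    return sorted(flagged), hashes


if __name__ == "__main__":
    unsalted, salted = store_unsalted(ACCOUNTS), store_salted(ACCOUNTS)
    print("identical digests, unsalted:", shared_digest_groups(unsalted))
    print("identical digests, salted:  ",
          shared_digest_groups({u: d for u, (_, d) in salted.items()}))
    print("unsalted audit (flagged, hashes):", audit_unsalted(unsalted, COMMON))
    print("salted audit (flagged, hashes):  ", audit_salted(salted, COMMON))
```

Both audits flag the same weak accounts; the salt only changes the cost, from one hash per word to one slow derivation per word per user, and it hides which accounts share a password.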

Ola
Jul 19, 2004

Artelier posted:

I've been considering getting a password manager, but then went into a weird hellhole of research over the last few days and now I am more uncertain than ever. I just don't know what to choose! Never had one before so I'm probably experiencing information overload.


Hope everything is very clear and simple now. :o:

BlankSystemDaemon
Mar 13, 2009



I suppose all of us could also be talking out of our asses if someone were to reveal a quantum computer, that can handle more than a handful of qubits, tomorrow.

Although I still don't think any of us would be the first targets to be attacked. There's a pretty good chance we're just too boring for that.

Ola
Jul 19, 2004

D. Ebdrup posted:

I suppose all of us could also be talking out of our asses if someone were to reveal a quantum computer, that can handle more than a handful of qubits, tomorrow.

Although I still don't think any of us would be the first targets to be attacked. There's a pretty good chance we're just too boring for that.

What if they have been invented already, by someone who gets better use of them quietly reading everyone's secrets :tinfoil:

My girlfriend works for a company that researches post quantum crypto, algorithms that are meant to be usable now but resist future quantum attacks. Fascinating, but pretty incomprehensible for mere mortals.

Truga
May 4, 2014
Lipstick Apathy
IIRC, EC encryption is supposed to be quantum computing resistant. Which is seeing pretty widespread use already.

FRINGE
May 23, 2003
title stolen for lf posting

Ola posted:

My girlfriend

Ban.

Megillah Gorilla
Sep 22, 2003

If only all of life's problems could be solved by smoking a professor of ancient evil texts.



Bread Liar
Upgraded and this time it only broke two out of my three major CSS changes. Not bad.

Folders are back to that dreary grey colour, but no big deal. I can live with one less cosmetic change.

And, naturally, multirow tabs are broken again. Because, of course they are.

Time to hunt for a solution. Again.


Please Mozilla, just let me have my multirow tabs. At this point it's about all that's left stopping me from using Chrome :argh:


EDIT: Okay, turns out it was three for three. My dark-scrollbar script got disabled too. However, the new Firefox scrollbar which changes colour depending on the site actually works.

But I managed to fix the folder colour, so that was nice.


Also, I've finally bitten the bullet and gone with Tree Style Tabs. gently caress it, I love my tabs at the top, but I'm sick of beating the CSS into submission every time there's an update.

Megillah Gorilla fucked around with this message at 16:25 on Jan 11, 2020

Fashionable Jorts
Jan 18, 2010

Maybe if I'm busy it could keep me from you



Can anyone tell me where firefox moved the ability to save my shipping address to autofill immediately when I open up the 'enter your address' part of a website?

All of the online guides tell me to go Options>Privacy>Autofill>Saved Addresses, but that doesn't exist.



Did they remove it or just move it? Or is there an extension that exists now that does it automatically?

Mr.Radar
Nov 5, 2005

You guys aren't going to believe this, but that guy is our games teacher.
It's there for me in 72 on Windows 10. :shrug:

Qtotonibudinibudet
Nov 7, 2011



Omich poluyobok, skazhi ty narkoman? ya prosto tozhe gde to tam zhivu, mogli by vmeste uyobyvat' narkotiki

Truga posted:

IIRC, EC encryption is supposed to be quantum computing resistant. Which is seeing pretty widespread use already.

Bad news, it isn't: https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm

NSA dragged vendors kicking and screaming into implementing EC poo poo and then said "oops, guess we were wrong on that. hope you like doing a huge post-quantum rework when we're ready with recs for that!"

Applebees
Jul 23, 2013

yospos

Fashionable Jorts posted:

Can anyone tell me where firefox moved the ability to save my shipping address to autofill immediately when I open up the 'enter your address' part of a website?

All of the online guides tell me to go Options>Privacy>Autofill>Saved Addresses, but that doesn't exist.



Did they remove it or just move it? Or is there an extension that exists now that does it automatically?

Did you change locales? In the release version of Firefox it is only enabled for en-US by default.

You can set extensions.formautofill.available = on to make it available if you are using a different locale.

Fashionable Jorts
Jan 18, 2010

Maybe if I'm busy it could keep me from you



Oh fun, now whenever I open firefox it doesn't keep me logged into anything. The gently caress is going on here.

Edit: somehow I managed to check the box that says Delete cookies and site data when Firefox is closed.

Fashionable Jorts fucked around with this message at 19:24 on Jan 11, 2020

excellent bird guy
Jan 1, 2020

by Cyrano4747
I learned a lot about HTML/CSS just using the Inspector tools. Very useful imo.

excellent bird guy fucked around with this message at 19:15 on Jan 14, 2020

SMILLENNIALSMILLEN
Jun 26, 2009



in firefox im having an issue with the forums when i click on links to a quoted post like this


the loading images and tweets push the page down and the post off the screen. is there some way i can fix this?

e: actually it does it when going to last read post in a thread as well

SMILLENNIALSMILLEN fucked around with this message at 08:02 on Jan 19, 2020

BlankSystemDaemon
Mar 13, 2009



SMILLENNIALSMILLEN posted:

in firefox im having an issue with the forums when i click on links to a quoted post like this


the loading images and tweets push the page down and the post off the screen. is there some way i can fix this?

e: actually it does it when going to last read post in a thread as well

Well, scroll anchoring was supposed to have fixed it, but it evidently hasn't since it still happens all the loving time on every webpage. :shrug:

Nalin
Sep 29, 2007

Hair Elf

SMILLENNIALSMILLEN posted:

in firefox im having an issue with the forums when i click on links to a quoted post like this


the loading images and tweets push the page down and the post off the screen. is there some way i can fix this?

e: actually it does it when going to last read post in a thread as well

SALR can help. You can also try to convince an admin to fix the website CSS to make Firefox's half finished scroll anchoring work.

karoshi
Nov 4, 2008

"Can somebody mspaint eyes on the steaming packages? TIA" yeah well fuck you too buddy, this is the best you're gonna get. Is this even "work-safe"? Let's find out!
I enabled ~webrender~ back in 71 and it's great. I was having some issues with 1440p60 YouTubes and that fixed it. Also now everything is much faster, it's like the future is here. Sometimes everything gets slower and it's time to restart Firefox (or kill the GPU process, the one that's using 6GBytes, easy to find).

TraderStav
May 19, 2006

It feels like I was standing my entire life and I just sat down
Hello all, on Windows 10 using Google Sheets, if I scroll my mouse wheel it scrolls a page and a half of rows (~100) rather than just a few. This insane scrolling doesn't occur on any other sites. How can I address this? I want to see the next few rows and then those aren't even on the screen after the scroll finishes.

Thanks in advance!

wooger
Apr 16, 2005

YOU RESENT?

TraderStav posted:

Hello all, on Windows 10 using Google Sheets, if I scroll my mouse wheel it scrolls a page and a half of rows (~100) rather than just a few. This insane scrolling doesn't occur on any other sites. How can I address this? I want to see the next few rows and then those aren't even on the screen after the scroll finishes.

Thanks in advance!

Don’t have this issue, same setup.

What mouse do you have? Any special driver software installed?

Does the issue happen with a fresh profile (launch with Firefox.exe -p)?
What extensions do you have installed, and does the issue happen with them all disabled?

TraderStav
May 19, 2006

It feels like I was standing my entire life and I just sat down

wooger posted:

Don’t have this issue, same setup.

What mouse do you have? Any special driver software installed?

Does the issue happen with a fresh profile (launch with Firefox.exe -p)?
What extensions do you have installed, and does the issue happen with them all disabled?


Logitech Trackball MX ERGO. No special drivers other than the manufacturer.

Nothing too crazy from an extension standpoint, I'll go through and disable them later to see if it makes an impact but here they are:

- 1password Extension
- Auto tab discard
- Enhancer for Youtube
- Facebook Container
- SALR


e: Just confirmed, disabling extensions doesn't resolve it.
e2: Disabling smooth scrolling in my logitech options fixed it!

TraderStav fucked around with this message at 16:30 on Jan 20, 2020

Fashionable Jorts
Jan 18, 2010

Maybe if I'm busy it could keep me from you



SMILLENNIALSMILLEN posted:

in firefox im having an issue with the forums when i click on links to a quoted post like this


the loading images and tweets push the page down and the post off the screen. is there some way i can fix this?

e: actually it does it when going to last read post in a thread as well

I just kind of assumed that's how these forums worked, since they're a hundred years old and held together by duct tape and a prayer.

wooger
Apr 16, 2005

YOU RESENT?

TraderStav posted:

Logitech Trackball MX ERGO. No special drivers other than the manufacturer.

Nothing too crazy from an extension standpoint, I'll go through and disable them later to see if it makes an impact but here they are:

- 1password Extension
- Auto tab discard
- Enhancer for Youtube
- Facebook Container
- SALR


e: Just confirmed, disabling extensions doesn't resolve it.
e2: Disabling smooth scrolling in my logitech options fixed it!

Glad it’s fixed. Anything you have to install is “special drivers” in my book, and might break somewhere.

To be fair only usually in poo poo screen sharing apps.

Nalin
Sep 29, 2007

Hair Elf

Fashionable Jorts posted:

I just kind of assumed that's how these forums worked, since they're a hundred years old and held together by duct tape and a prayer.

No, that's how most sites work if you follow links with anchor tags. Firefox added scroll anchoring in an attempt to fix the problem, but the SA CSS stylesheet does a stupid thing that prevents that Firefox feature from working. Chrome doesn't have this issue because it can select an anchor point from within a scrollable frame while Firefox cannot; the feature was never implemented that far. They just got the basics working and decided to do something else and come back to it never.

biznatchio
Mar 31, 2001


Buglord
Scroll anchoring was one of the reasons I first made SALR way back when. Everything is so loving infuriating without it.

Fashionable Jorts
Jan 18, 2010

Maybe if I'm busy it could keep me from you



biznatchio posted:

Scroll anchoring was one of the reasons I first made SALR way back when. Everything is so loving infuriating without it.

Is there a trick to installing SALR on newer versions of Firefox? All I get is this error:

Megillah Gorilla
Sep 22, 2003

If only all of life's problems could be solved by smoking a professor of ancient evil texts.



Bread Liar
Pop over to the SALR thread, it should be in the first couple of posts.

Butt Savage
Aug 23, 2007
So after the recently patched giant security vulnerability in Firefox, my trust in the browser has taken a pretty big hit. I know all software is theoretically vulnerable to those types of security holes but for some reason I’m a bit shaken up by this one in particular.

I’m not a terribly advanced tech user but I try to be careful with which websites I visit (and use uBlock). Even so it’s scary to think that even the most trustworthy websites could be compromised under such an exploit and suddenly my computer is in someone else’s control.

I’ve read that such an exploit could be avoided in chrome because of how each tab is its own process and is sandboxed. Meanwhile Firefox still hasn’t fully caught up to that feature.

I don’t want to go back to chrome because I dislike google’s aggressive user data mining and emerging anti ad blocking campaign. On windows that leaves me with Firefox or edge and on Mac with safari + whatever ad blocker available for it.

Am I overreacting?

Lambert
Apr 15, 2018

by Fluffdaddy
Fallen Rib
Vivaldi is another good option. There's also Opera.

endlessmonotony
Nov 4, 2009

by Fritz the Horse

Butt Savage posted:

Am I overreacting?

Absolutely.

No browser will be better. You can go with Firefox, Chrome or Worse.

jink
May 8, 2002

Drop it like it's Hot.
Taco Defender

Butt Savage posted:

Am I overreacting?

All software has vulnerabilities. It is unfortunate that bad actors exist to exploit these vulnerabilities. I wouldn't rid yourself of Firefox due to vulnerabilities that are patched quickly... Chrome has had plenty of vulnerabilities (oh, look, one from November!) and Windows 10 just had a vulnerability announcement from the NSA; it is THAT bad (SSL certificates can be 'faked' removing the circle of trust, CVE-2020-0601).

Stay vigilant and keep software updated. Computers aren't immune from attacks.

FRINGE
May 23, 2003
title stolen for lf posting

Butt Savage posted:

So after the recently patched giant security vulnerability in Firefox, my trust in the browser has taken a pretty big hit.

...

I’ve read that such an exploit could be avoided in chrome because

So a little less than a year ago:

https://www.forbes.com/sites/daveywinder/2019/03/07/google-confirms-serious-chrome-security-problem-heres-how-to-fix-it/

quote:

Google Chrome's security lead and engineering director, Justin Schuh, has warned that users of the most popular web browser should update "like right this minute." Why the urgency? Simply put, there is a zero-day vulnerability for Chrome that the Google Threat Analysis Group has determined is being actively exploited in the wild.

...

Although information regarding CVE-2019-5786 remains scarce currently, Satnam Narang, a senior research engineer at Tenable, says it is a "Use-After-Free (UAF) vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user's computer." The 'use-after-free' vulnerability is a memory corruption flaw that carries the risk of escalated privileges on a machine where a threat actor has modified data in memory through exploiting it. That's why Google has issued the urgent update warning, as the potential is there for exploits to be crafted that could enable an attacker to remotely run arbitrary code (a remote code execution attack) whilst escaping the browser's built-in sandbox protection.

A couple months back:

https://www.scmagazine.com/home/security-news/network-security/google-chrome-update-amends-37-vulnerabilities/

quote:

Google last Thursday issued an update to its Chrome browser for Windows, Mac and Linux desktop environments, fixing two high-level vulnerabilities, including one that mysterious attackers have been exploiting as a zero day to deliver malware.

quote:

The latest patches to Chrome came just a mere nine days after the official introduction of Chrome version 78 had fixed another 37 security flaws. The three most pressing vulnerabilities to be addressed in that Oct. 22 release were CVE-2019-13699, a use-after-free condition in media; CVE-2019-13700, a buffer overrun in Blink; and CVE-2019-13701, a URL spoof bug in navigation.

Chrome is marketing and propaganda wrapped around a giant convoluted piece of spyware.

Use what you want, but nothing is actually secure. If you want to be as safe as possible you will need to inconvenience yourself. (Noscript, etc.)

nielsm
Jun 1, 2009



jink posted:

and Windows 10 just had a vulnerability announcement from the NSA; it is THAT bad (SSL certificates can be 'faked' removing the circle of trust, CVE-2020-0601).

On that note, as far as I know, Chrome uses Windows' certificate store and crypto API to verify certificates, while Firefox uses Mozilla's own certificate store and certificate API/library. This should mean that Firefox users are not impacted by Windows crypto API vulnerabilities, as long as they stay within Firefox. (On the other hand, downloaded files where something else would be verifying a signature could still be vulnerable, even if the file was downloaded with Firefox.)

isndl
May 2, 2012
I WON A CONTEST IN TG AND ALL I GOT WAS THIS CUSTOM TITLE
PIP is pretty great but I'd definitely like to have a way to kick it into fullscreen without clicking back into the original video tab. Right now it also stays in PIP mode if I fullscreen the original video frame without closing the PIP. :v:

BlankSystemDaemon
Mar 13, 2009



Butt Savage posted:

Am I overreacting?

As others have said, absolutely. The only useful thing that you can learn from security announcements is how well the people involved handle it - and in that area, Firefox could do a lot worse (and probably a bit better).

Here's a fun thing to consider: One of the very first things anyone learns to write, helloworld, can lead to system exploits because on most systems it issues +65 syscalls and it only takes a few bugs in the kernel to suddenly lead to privilege escalation - although it's mostly theoretical, even if there's quite a few avenues.

And in the only-slightly-less-simple-than-helloworld case, there was once a remote code execution attack with privilege escalation against fingerd (and that exploit is not why nobody uses it anymore).

Even things that some people reckon are "safer" have issues.

BlankSystemDaemon fucked around with this message at 16:12 on Jan 23, 2020
