Beeftweeter
Jun 28, 2005

dpkg chopra posted:

you guys *snort* I just told the intern to go to the CEO and tell him he has to use MFA from now on

...guys, the CEO says he lost his yubikey and i locked myself out of the AD console. guys?

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

CommieGIR posted:

How did you get my IP?!

Uh, your computer has been broadcasting it all day, genius.

KirbyKhan
Mar 20, 2009

Soiled Meat

ate shit on live tv
Feb 15, 2004

by Azathoth

Volmarias posted:

Uh, your computer has been broadcasting it all day, genius.

I don't broadcast my IP, because I run IPv6 :haw:

ate shit on live tv
Feb 15, 2004

by Azathoth

lol

Beeftweeter
Jun 28, 2005

ate poo poo on live tv posted:

I don't broadcast my IP, because I run IPv6 :haw:

aha!

::1, owned, op

sb hermit
Dec 13, 2016

Beeftweeter posted:

...guys, the CEO says he lost his yubikey and i locked myself out of the AD console. guys?

As long as you have physical access to the computer, you can change anything.

Wait, you were being serious about the AD being Azure?

Seriously, though, this is the time to break out the disaster plans. You ... did ... make disaster plans, right? And you tested them?

mystes
May 31, 2006

sb hermit posted:

Real talk. All the NFC usb stuff that's good for desktops is like $100, maybe $50 for sketchy stuff. Does anyone have a recommendation from a reputable vendor? Or are all the $20 readers only available on aliexpress or something?

I would be very mad if there was just a cheap hp or dell or microsoft thing that everyone uses but I somehow overlook.

EDIT: I'm just talking about something that can read NFC on a yubikey or an NFC tag or something, nothing too complicated.

What you want is a piv card and reader, but they're not going to be cheaper than fido2 tokens unless you buy them in bulk

sb hermit
Dec 13, 2016

why is there always a dave in an infosec group of sufficient size?

sb hermit
Dec 13, 2016

mystes posted:

What you want is a piv card and reader

I want something that users can just tap. Something on a keychain would be preferable. Or maybe even let users use their phone if they want.

If they have to insert anything then might as well just do usb security keys.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

sb hermit posted:

I want something that users can just tap. Something on a keychain would be preferable. Or maybe even let users use their phone if they want.

If they have to insert anything then might as well just do usb security keys.

Ok, but where does this reader live? Are you inserting it into everyone's computers? Will people with laptops have to carry it with them? If users potentially just leave their security key in the device at the end of the day, what's the specific concerns and how do you remediate them? What makes this better than using the device itself for authentication?

It really does seem like you're reinventing smart cards and I think we're all trying to figure out what exactly you're going for here. What makes this better than a security key that lives on a lanyard?

sb hermit
Dec 13, 2016

Volmarias posted:

Ok, but where does this reader live? Are you inserting it into everyone's computers? Will people with laptops have to carry it with them? If users potentially just leave their security key in the device at the end of the day, what's the specific concerns and how do you remediate them? What makes this better than using the device itself for authentication?

It really does seem like you're reinventing smart cards and I think we're all trying to figure out what exactly you're going for here. What makes this better than a security key that lives on a lanyard?

I just asked for cheap nfc readers to test out new mfa scenarios. This is initially for personal use so that I can get a feel for how easy it is to use. If I were pricing something out for a larger userbase, I certainly wouldn't be asking YOSPOS; I would be getting a buyer to do that research.

I know that smartcards exist (I have about a half dozen, I think). I know that security keys exist, and I talk a lot about yubico keys in yospos. I also know that NFCs in phones are getting more prevalent and NFCs in laptops are not uncommon. I'm simply trying to get ahead of the curve. Smartcards are nice but they don't really work well with phones if you have to get an external reader.

The fact of the matter is that I just want to try out NFCs for the desktop. It probably has limitations and whatnot, and I won't know how much they matter in a practical sense until I actually get hands on.

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
speaking of bad security. how brute-forceable are bitlocker pins?

like, if a random thief picks up an encrypted drive can they just start going to town on the drive and eventually crack anything that isn't 15+ characters with special characters and numbers?

Perplx
Jun 26, 2004


Best viewed on Orgasma Plasma
Lipstick Apathy
if you are using a tpm it should be rate limited and impossible to brute force, in theory

spankmeister
Jun 15, 2008

I'm not familiar with the details of bitlocker but I do believe that the PIN feature relies on the TPM so an attacker can't just do an offline bruteforce, which would indeed be trivial if the pin is short.

Beeftweeter
Jun 28, 2005

speaking of shorting pins, can't you just (in theory) force the tpm to reset to bypass the rate limiting though?

e: i guess what i'm asking, since i'm also unfamiliar with bitlocker, is basically "is that seriously the only limitation?"

Beeftweeter fucked around with this message at 21:56 on May 10, 2022

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
can't you just take out the drive and put it in a new machine to bypass the TPM restrictions? I thought the TPM was part of the CPU.

haveblue
Aug 15, 2005

Toilet Rascal
if they’ve done it right the drive is associated with one specific cpu/tpm and it cannot be unlocked while plugged into another one

spankmeister
Jun 15, 2008

dpkg chopra posted:

can't you just take out the drive and put it in a new machine to bypass the TPM restrictions? I thought the TPM was part of the CPU.

no, a key is stored inside the TPM and without it the drive is useless

Dylan16807
May 12, 2010

Beeftweeter posted:

speaking of shorting pins, can't you just (in theory) force the tpm to reset to bypass the rate limiting though?

e: i guess what i'm asking, since i'm also unfamiliar with bitlocker, is basically "is that seriously the only limitation?"

a reasonable design would keep a counter in flash and when you restart your countdown to the next attempt starts all over again

Beeftweeter
Jun 28, 2005

Dylan16807 posted:

a reasonable design would keep a counter in flash and when you restart your countdown to the next attempt starts all over again

yeah but we're talking about a ms technology from the age of ballmer, reason doesn't really work here

Dylan16807
May 12, 2010

Beeftweeter posted:

yeah but we're talking about a ms technology from the age of ballmer, reason doesn't really work here

the TPM code is on your motherboard maker

which might be worse

Phone
Jul 30, 2005

親子丼をほしい。
huh, the $20 tpm module for my motherboard has been out of stock for the last 4 years? weird.

sb hermit
Dec 13, 2016

Beeftweeter posted:

speaking of shorting pins, can't you just (in theory) force the tpm to reset to bypass the rate limiting though?

e: i guess what i'm asking, since i'm also unfamiliar with bitlocker, is basically "is that seriously the only limitation?"

Resetting the TPM will clear its registers, making it unable to provide the correct values needed to unlock the PC. At which point, you'll need a bitlocker recovery key. However, you could potentially set up LUKS or other encryption systems to be less stringent about how much tpm deviation is acceptable.

Dylan16807 posted:

the TPM code is on your motherboard maker

which might be worse

I've seen motherboard bioses that let you disable the onboard TPM so that you can use a different TPM chip.
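
The TPM behaviour the posts above describe (a key that never leaves the chip, sealed to PCR values that change when the boot chain changes or the chip is reset, and a failed-try counter that survives power cycles so resetting buys an attacker nothing) as an added Python model. This is example code written for this page, not BitLocker's, LUKS's or any TPM vendor's code. Only the PCR extend step (SHA-256 of the old value concatenated with the hash of the measurement) follows the TPM 2.0 definition; the single PCR, the three-try limit, the HMAC-based sealing, the boot measurements, the disk key and the PIN are constructed assumptions chosen to keep the model small. A real TPM 2.0 lockout also decays over a recovery time and can be cleared with the lockout authorization, which the model leaves out.

```python
import hashlib
import hmac
import os


class TpmError(Exception): pass
class PolicyMismatch(TpmError): pass   # PCRs differ from those at seal time
class BadPin(TpmError): pass           # wrong PIN; counted against the lockout
class LockedOut(TpmError): pass        # too many failures; recovery key needed


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 PCR extend: new = SHA-256(old || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


class ToyTPM:
    """Model of one PCR, a chip-bound seed and a non-volatile try counter."""

    MAX_FAILED_TRIES = 3  # assumption; real chips make the limit configurable

    def __init__(self) -> None:
        self._seed = os.urandom(32)  # per-chip secret, never leaves the chip
        self.pcr = bytes(32)         # zero at power-on
        self.nv_failed_tries = 0     # kept in NV memory: survives resets

    def extend(self, measurement: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, measurement)

    def power_cycle(self) -> None:
        """Resetting the TPM clears the PCR but not the NV counter."""
        self.pcr = bytes(32)

    def _key(self, policy: bytes, pin: str) -> bytes:
        return hmac.new(self._seed, policy + pin.encode(), "sha256").digest()

    def seal(self, secret: bytes, pin: str) -> bytes:
        """Bind a 32-byte secret to the current PCR value and a PIN."""
        policy = hashlib.sha256(self.pcr).digest()
        key = self._key(policy, pin)
        ct = bytes(a ^ b for a, b in zip(secret, key))
        tag = hmac.new(key, ct, "sha256").digest()
        return policy + ct + tag

    def unseal(self, blob: bytes, pin: str) -> bytes:
        policy, ct, tag = blob[:32], blob[32:64], blob[64:]
        if not hmac.compare_digest(policy, hashlib.sha256(self.pcr).digest()):
            raise PolicyMismatch()          # PCR failures are not PIN guesses
        if self.nv_failed_tries >= self.MAX_FAILED_TRIES:
            raise LockedOut()
        key = self._key(policy, pin)
        if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
            self.nv_failed_tries += 1
            raise BadPin()
        return bytes(a ^ b for a, b in zip(ct, key))


# Constructed sample data for the scenarios below.
BOOT_CHAIN = [b"firmware v1", b"bootloader", b"kernel"]
DISK_KEY = os.urandom(32)
PIN = "4821"


def boot(tpm: ToyTPM, chain) -> None:
    """Power cycle, then measure each boot component into the PCR."""
    tpm.power_cycle()
    for component in chain:
        tpm.extend(component)


def provision():
    tpm = ToyTPM()
    boot(tpm, BOOT_CHAIN)
    return tpm, tpm.seal(DISK_KEY, PIN)


def attempt(tpm: ToyTPM, blob: bytes, pin: str) -> str:
    try:
        tpm.unseal(blob, pin)
        return "ok"
    except TpmError as err:
        return type(err).__name__


def normal_boot(tpm, blob) -> bytes:
    boot(tpm, BOOT_CHAIN)
    return tpm.unseal(blob, PIN)


def tampered_boot(tpm, blob) -> str:
    boot(tpm, [b"firmware v1", b"evil bootloader", b"kernel"])
    return attempt(tpm, blob, PIN)      # correct PIN, wrong PCR


def drive_in_other_machine(blob) -> str:
    other = ToyTPM()                    # same boot chain, different chip seed
    boot(other, BOOT_CHAIN)
    return attempt(other, blob, PIN)    # the key cannot be derived without the seed


def brute_force_with_resets(tpm, blob, guesses) -> list:
    results = []
    for guess in guesses:
        boot(tpm, BOOT_CHAIN)           # "reset trick": PCRs match again, counter does not move
        results.append(attempt(tpm, blob, guess))
    return results


if __name__ == "__main__":
    tpm, blob = provision()
    print(normal_boot(tpm, blob) == DISK_KEY)
    print(tampered_boot(tpm, blob), drive_in_other_machine(blob))
    print(brute_force_with_resets(tpm, blob, ["0000", "1111", "2222", PIN]))
```

The last scenario is the one the thread circles around: the attacker resets the chip between guesses and lets the genuine boot chain re-measure so the PCR policy is satisfied, but the counter lives in the chip's non-volatile storage, so by the time the right PIN is tried the chip refuses to evaluate it and only the recovery key gets the volume back.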

Hed
Mar 31, 2004

Fun Shoe
If you really really care about your BitLocker PIN getting nation stated then use it with a USB Key or USB Key + PIN

Beeftweeter
Jun 28, 2005

sb hermit posted:

Resetting the TPM will clear its registers, making it unable to provide the correct values needed to unlock the PC. at which point, you'll need a bitlocker recovery key. However, you could potentially setup LUKS or other encryption systems to be less stringent about how much tpm deviation is acceptable.

I've seen motherboard bioses that let you disable the onboard TPM so that you can use a different TPM chip.

ah okay, for some reason i thought the tpm's registers were static until purged forcefully via bios or efi or what have you

ate shit on live tv
Feb 15, 2004

by Azathoth

spankmeister posted:

I'm not familiar with the details of bitlocker but I do believe that the PIN feature relies on the TPM so an attacker can't just do an offline bruteforce, which would indeed be trivial if the pin is short.

A properly implemented Bitlocker/TPM combo means if you have just the drive it's impossible to unlock, you need the laptop too. When you have both, you are basically forced to attack the TPM which may or may not be trivial. More recent ones are pretty drat good akin to brute forcing the Apple secure enclave.

That said, in most implementations of bitlocker they didn't do it properly so you can probably just use the default encryption password for the drive.

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
https://twitter.com/lrvick/status/1523787247706951680?s=21&t=Eazn4CHXYX-jOXuH0HhiWQ

Beeftweeter
Jun 28, 2005

lol js

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
No Package Maintainer

Kazinsal
Dec 13, 2011

dpkg chopra posted:

No Package Maintainer

Midjack
Dec 24, 2007

dpkg chopra posted:

No Package Maintainer

thanks foreacharound

Shaggar
Apr 26, 2006

dpkg chopra posted:

No Package Maintainer

Methanar
Sep 26, 2013

by the sex ghost
lol just lol if your company uses javascript

BattleMaster
Aug 14, 2000

I've never seen a node package that was longer than like 4 lines and not trivial to implement yourself in a few minutes

doesn't seem worth opening yourself to several dozen attack vectors per program imo

Zamujasa
Oct 27, 2010

Bread Liar

dpkg chopra posted:

No Package Maintainer


Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang

dpkg chopra posted:

No Package Maintainer

BlankSystemDaemon
Mar 13, 2009

Dylan16807 posted:

the TPM code is on your motherboard maker

which might be worse

fTPM is embedded in the motherboard firmware so is written by one of three companies: American Megatrends, Phoenix Technologies, or Insyde.

Phone posted:

huh, the $20 tpm module for my motherboard has been out of stock for the last 4 years? weird.

What do you mean the TPM is out of stock? They all use the Port 80 header, so you should be able to use any TPM you want.

ate poo poo on live tv posted:

A properly implemented Bitlocker/TPM combo means if you have just the drive it's impossible to unlock, you need the laptop too. When you have both, you are basically forced to attack the TPM which may or may not be trivial. More recent ones are pretty drat good akin to brute forcing the Apple secure enclave.

That said, in most implementations of bitlocker they didn't do it properly so you can probably just use the default encryption password for the drive.

Bitlocker itself, aside from communicating over the bus in plaintext, doesn't help you if your threat modeling doesn't disable ACPI S3 (or its equivalent, whereas ACPI S4 doesn't work for obvious reasons).

Sure, lol js, but this is a real supply chain attack.

I wonder how many projects are subject to it, because it needs a fair bit of infrastructure and thought to prevent it.
For example, in order to commit to FreeBSD Ports (or any FreeBSD repo), you need to have a private+public SSH key pair and not just the email of the maintainer.
If someone, somehow, gains access to that, they'd still need to authenticate themselves with the PGP or SSH keys that're on file for them, or they won't get access unless they can show up to a FreeBSD developer summit or can contact a FreeBSD developer that already knows them and who'll vouch for them.

BlankSystemDaemon fucked around with this message at 11:22 on May 11, 2022

Shame Boy
Mar 2, 2010

BlankSystemDaemon posted:

What do you mean the TPM is out of stock? They all use the Port 80 header, so you should be able to use any TPM you want.

i had no idea that header was a standard, now i feel silly for carefully tracking down the "specific" one for my motherboard. or is it a "standard" in that everyone agrees on what the pins are, but whether or not your motherboard will actually talk and play nice with it is another matter?

Phone
Jul 30, 2005

親子丼をほしい。
my comment was more along the lines of them being difficult to find and the literature on them sucks (surprise! your cpu can probably do it)
