dpkg chopra posted:you guys *snort* I just told the intern to go to the CEO and tell him he has to use MFA from now on ...guys, the CEO says he lost his yubikey and i locked myself out of the AD console. guys?
|
# ? May 10, 2022 20:28 |
|
|
CommieGIR posted:How did you get my IP?! Uh, your computer has been broadcasting it all day, genius.
|
# ? May 10, 2022 20:48 |
|
|
# ? May 10, 2022 20:54 |
|
Volmarias posted:Uh, your computer has been broadcasting it all day, genius. I don't broadcast my IP, because I run IPv6
|
# ? May 10, 2022 20:54 |
|
lol
|
# ? May 10, 2022 20:55 |
|
ate poo poo on live tv posted:I don't broadcast my IP, because I run IPv6 aha! ::1, owned, op
|
# ? May 10, 2022 20:55 |
|
Beeftweeter posted:...guys, the CEO says he lost his yubikey and i locked myself out of the AD console. guys? As long as you have physical access to the computer, you can change anything. Wait, you were being serious about the AD being Azure? Seriously, though, this is the time to break out the disaster plans. You ... did ... make disaster plans, right? And you tested them?
|
# ? May 10, 2022 20:57 |
|
sb hermit posted:Real talk. All the NFC usb stuff that's good for desktops is like $100, maybe $50 for sketchy stuff. Does anyone have a recommendation from a reputable vendor? Or are all the $20 readers only available on aliexpress or something?
|
# ? May 10, 2022 20:57 |
|
why is there always a dave in an infosec group of sufficient size?
|
# ? May 10, 2022 20:58 |
|
mystes posted:What you want is a piv card and reader I want something that users can just tap. Something on a keychain would be preferable. Or maybe even let users use their phone if they want. If they have to insert anything then might as well just do usb security keys.
|
# ? May 10, 2022 21:03 |
|
sb hermit posted:I want something that users can just tap. Something on a keychain would be preferable. Or maybe even let users use their phone if they want. Ok, but where does this reader live? Are you inserting it into everyone's computers? Will people with laptops have to carry it with them? If users potentially just leave their security key in the device at the end of the day, what are the specific concerns and how do you remediate them? What makes this better than using the device itself for authentication? It really does seem like you're reinventing smart cards and I think we're all trying to figure out what exactly you're going for here. What makes this better than a security key that lives on a lanyard?
|
# ? May 10, 2022 21:07 |
|
Volmarias posted:Ok, but where does this reader live? Are you inserting it into everyone's computers? Will people with laptops have to carry it with them? If users potentially just leave their security key in the device at the end of the day, what are the specific concerns and how do you remediate them? What makes this better than using the device itself for authentication? I just asked for cheap nfc readers to test out new mfa scenarios. This is initially for personal use so that I can get a feel for how easy it is to use. If I was pricing something out for a larger userbase, I certainly won't be asking YOSPOS, I would be getting a buyer to do that research. I know that smartcards exist (I have about a half dozen, I think). I know that security keys exist, and I talk a lot about yubico keys in yospos. I also know that NFCs in phones are getting more prevalent and NFCs in laptops are not uncommon. I'm simply trying to get ahead of the curve. Smartcards are nice but they don't really work well with phones if you have to get an external reader. The fact of the matter is that I just want to try out NFCs for the desktop. It probably has limitations and whatnot, and I won't know how much they matter in a practical sense until I actually get hands on.
|
# ? May 10, 2022 21:22 |
|
speaking of bad security. how brute-forceable are bitlocker pins? like, if a random thief picks up an encrypted drive can they just start going to town on the drive and eventually crack anything that isn't 15+ characters with special characters and numbers?
|
# ? May 10, 2022 21:38 |
|
if you are using a tpm it should be rate limited and impossible to brute force, in theory
|
# ? May 10, 2022 21:45 |
|
I'm not familiar with the details of bitlocker but I do believe that the PIN feature relies on the TPM so an attacker can't just do an offline bruteforce, which would indeed be trivial if the pin is short.
|
# ? May 10, 2022 21:51 |
|
speaking of shorting pins, can't you just (in theory) force the tpm to reset to bypass the rate limiting though? e: i guess what i'm asking, since i'm also unfamiliar with bitlocker, is basically "is that seriously the only limitation?" Beeftweeter fucked around with this message at 21:56 on May 10, 2022 |
# ? May 10, 2022 21:53 |
|
can't you just take out the drive and put it in a new machine to bypass the TPM restrictions? I thought the TPM was part of the CPU.
|
# ? May 10, 2022 21:55 |
|
if theyve done it right the drive is associated with one specific cpu/tpm and it cannot be unlocked while plugged into another one
|
# ? May 10, 2022 21:57 |
|
dpkg chopra posted:can't you just take out the drive and put it in a new machine to bypass the TPM restrictions? I thought the TPM was part of the CPU. no, a key is stored inside the TPM and without it the drive is useless
|
# ? May 10, 2022 22:07 |
|
Beeftweeter posted:speaking of shorting pins, can't you just (in theory) force the tpm to reset to bypass the rate limiting though? a reasonable design would keep a counter in flash and when you restart your countdown to the next attempt starts all over again
|
# ? May 10, 2022 22:16 |
|
Dylan16807 posted:a reasonable design would keep a counter in flash and when you restart your countdown to the next attempt starts all over again yeah but we're talking about a ms technology from the age of ballmer, reason doesn't really work here
|
# ? May 10, 2022 22:17 |
|
Beeftweeter posted:yeah but we're talking about a ms technology from the age of ballmer, reason doesn't really work here the TPM code is on your motherboard maker which might be worse
|
# ? May 10, 2022 22:28 |
|
huh, the $20 tpm module for my motherboard has been out of stock for the last 4 years? weird.
|
# ? May 10, 2022 22:35 |
|
Beeftweeter posted:speaking of shorting pins, can't you just (in theory) force the tpm to reset to bypass the rate limiting though? Resetting the TPM will clear its registers, making it unable to provide the correct values needed to unlock the PC. At which point, you'll need a bitlocker recovery key. However, you could potentially set up LUKS or other encryption systems to be less stringent about how much tpm deviation is acceptable. Dylan16807 posted:the TPM code is on your motherboard maker I've seen motherboard BIOSes that let you disable the onboard TPM so that you can use a different TPM chip.
|
# ? May 10, 2022 22:39 |
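To make the last few posts concrete (a PIN-protected key sealed to PCR values, a failure counter kept in non-volatile storage so a reset does not restart the guess budget, and a reset wiping the PCRs so only the recovery key gets you in), here is a toy Python model written for this thread. It is not BitLocker's or any real TPM's code; the PCR count, lockout threshold, boot measurements and volume key are all constructed.

```python
import hashlib
import hmac
PCR_COUNT, MAX_FAILURES = 8, 3   # constructed: real TPM 2.0 parts have 24 PCRs; lockout is policy

def _kdf(pin, policy):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), policy, 10_000)

class ModelTpm:
    """Toy TPM: a reset wipes the PCRs; the failure counter in NV flash survives it."""
    def __init__(self):
        self.nv_failures = 0   # non-volatile, so reset() does not touch it
        self.reset()
    def reset(self):
        self.pcrs = [bytes(32) for _ in range(PCR_COUNT)]
    def extend(self, index, measurement):
        # PCR[i] = H(PCR[i] || H(m)): the final value depends on the whole boot chain
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + hashlib.sha256(measurement).digest()).digest()
    def policy_digest(self, pcr_indexes):
        return hashlib.sha256(b"".join(self.pcrs[i] for i in pcr_indexes)).digest()
    def seal(self, secret, pcr_indexes, pin):   # secret is 32 bytes, e.g. a volume master key
        policy = self.policy_digest(pcr_indexes)
        kek = _kdf(pin, policy)
        blob = bytes(a ^ b for a, b in zip(secret, kek))
        return {"pcrs": pcr_indexes, "policy": policy, "blob": blob,
                "tag": hmac.new(kek, blob, "sha256").digest()}
    def unseal(self, sealed, pin):
        if self.nv_failures >= MAX_FAILURES:
            return "locked out"
        if self.policy_digest(sealed["pcrs"]) != sealed["policy"]:
            return "PCR mismatch: recovery key required"   # no PIN attempt is consumed
        kek = _kdf(pin, sealed["policy"])
        if not hmac.compare_digest(hmac.new(kek, sealed["blob"], "sha256").digest(), sealed["tag"]):
            self.nv_failures += 1
            return "wrong PIN"
        self.nv_failures = 0
        return bytes(a ^ b for a, b in zip(sealed["blob"], kek))

def walkthrough():
    boot = [(0, b"firmware-v1"), (1, b"bootloader-v1")]   # constructed measurements
    tpm, vmk = ModelTpm(), hashlib.sha256(b"constructed volume master key").digest()
    for i, m in boot: tpm.extend(i, m)
    sealed = tpm.seal(vmk, [0, 1], "1234")
    out = {"good_pin": tpm.unseal(sealed, "1234") == vmk}
    out["after_guesses"] = [tpm.unseal(sealed, g) for g in ("0000", "1111", "2222", "3333")]
    tpm.reset()                                           # "just reset the TPM"
    out["after_reset"] = tpm.unseal(sealed, "1234")       # counter in flash still says locked
    tpm.nv_failures = 0                                   # model the lockout eventually expiring
    out["after_reset_no_replay"] = tpm.unseal(sealed, "1234")   # PCRs are zero now
    for i, m in boot: tpm.extend(i, m)                    # a normal reboot replays the same chain
    out["normal_reboot"] = tpm.unseal(sealed, "1234") == vmk
    return out
```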
|
If you really really care about your BitLocker PIN getting nation stated then use it with a USB Key or USB Key + PIN
|
# ? May 10, 2022 23:05 |
|
sb hermit posted:Resetting the TPM will clear its registers, making it unable to provide the correct values needed to unlock the PC. at which point, you'll need a bitlocker recovery key. However, you could potentially setup LUKS or other encryption systems to be less stringent about how much tpm deviation is acceptable. ah okay, for some reason i thought the tpm's registers were static until purged forcefully via bios or efi or what have you
|
# ? May 10, 2022 23:17 |
|
spankmeister posted:I'm not familiar with the details of bitlocker but I do believe that the PIN feature relies on the TPM so an attacker can't just do an offline bruteforce, which would indeed be trivial if the pin is short. A properly implemented Bitlocker/TPM combo means if you have just the drive it's impossible to unlock, you need the laptop too. When you have both, you are basically forced to attack the TPM which may or may not be trivial. More recent ones are pretty drat good akin to brute forcing the Apple secure enclave. That said, in most implementations of bitlocker they didn't do it properly so you can probably just use the default encryption password for the drive.
|
# ? May 11, 2022 00:15 |
|
https://twitter.com/lrvick/status/1523787247706951680?s=21&t=Eazn4CHXYX-jOXuH0HhiWQ
|
# ? May 11, 2022 00:18 |
|
dpkg chopra posted:https://twitter.com/lrvick/status/1523787247706951680?s=21&t=Eazn4CHXYX-jOXuH0HhiWQ lol js
|
# ? May 11, 2022 00:28 |
|
No Package Maintainer
|
# ? May 11, 2022 00:38 |
|
dpkg chopra posted:No Package Maintainer
|
# ? May 11, 2022 00:44 |
|
dpkg chopra posted:No Package Maintainer thanks foreacharound
|
# ? May 11, 2022 00:49 |
|
dpkg chopra posted:No Package Maintainer
|
# ? May 11, 2022 01:10 |
|
lol just lol if your company uses javascript
|
# ? May 11, 2022 01:20 |
|
I've never seen a node package that was longer than like 4 lines and not trivial to implement yourself in a few minutes. Doesn't seem worth opening yourself to several dozen attack vectors per program imo
|
# ? May 11, 2022 05:40 |
|
dpkg chopra posted:No Package Maintainer Beeftweeter posted:lol js
|
# ? May 11, 2022 06:50 |
|
dpkg chopra posted:No Package Maintainer
|
# ? May 11, 2022 08:55 |
Dylan16807 posted:the TPM code is on your motherboard maker Phone posted:huh, the $20 tpm module for my motherboard has been out of stock for the last 4 years? weird. ate poo poo on live tv posted:A properly implemented Bitlocker/TPM combo means if you have just the drive it's impossible to unlock, you need the laptop too. When you have both, you are basically forced to attack the TPM which may or may not be trivial. More recent ones are pretty drat good akin to brute forcing the Apple secure enclave. Beeftweeter posted:lol js I wonder how many projects are subject to it, because it needs a fair bit of infrastructure and thought to prevent it. For example, in order to commit to FreeBSD Ports (or any FreeBSD repo), you need to have a private+public SSH key pair and not just the email of the maintainer. If someone, somehow, gains access to that, they'd still need to authenticate themselves with the PGP or SSH keys that're on file for them, or they won't get access unless they can show up to a FreeBSD developer summit or can contact a FreeBSD developer that already knows them and who'll vouch for them. BlankSystemDaemon fucked around with this message at 11:22 on May 11, 2022 |
|
# ? May 11, 2022 11:16 |
|
BlankSystemDaemon posted:What do you mean the TPM is out of stock? They all use the Port 80 header, so you should be able to use any TPM you want. i had no idea that header was a standard, now i feel silly for carefully tracking down the "specific" one for my motherboard. or is it a "standard" in that everyone agrees on what the pins are, but whether or not your motherboard will actually talk and play nice with it is another matter?
|
# ? May 11, 2022 13:51 |
|
my comment was more along the lines of them being difficult to find and the literature on them sucks (surprise! your cpu can probably do it)
|
# ? May 11, 2022 14:02 |