|
FeloniousDrunk posted:I was going to say that this was the worst possible post to make, considering. But since no-one has ripped you apart in a couple of days, I gotta say that's a good choice of name. Just make sure your project doesn't get confused with mine I think his thing is kinda dumb because it has the same big downside of a standard password manager*, extra restrictions that would be annoying in use**, and no upside that I can see. But it should be secure against anything but someone owning his machine. *must-have backups of a file or your passwords are 100% gone **no flexibility in password output if a site is retarded about requiring or rejecting characters, only way to change a password is to change your mnemonic "account name" or master password The other difference is that he put his thing on github with a disclaimer that people shouldn't use it and probably hasn't told anyone to use it. The thread should maybe be "don't roll your own crypto if anyone is gonna use it besides your dumb self" but that won't fit in a title.
|
#
¿
Sep 21, 2016 11:01
|
|
|
|
| # ¿ Apr 26, 2024 03:29 |
|
|
https://twitter.com/le_keksec/status/826474519795732482 quote:HTTP server that listens to 0.0.0.0 with an undocumented API that...isn't very well coded.
|
|
#
¿
Feb 4, 2017 00:25
|
|
|
Do chromebooks support 7zip? That uses AES-256 when encrypted. Dump the passwords for stuff that is relevant to the chromebook to plain text, secure that with the strong password you have memorized for keepass. Still kinda a pain compared to automatic entry, but way easier than copying from the phone by eye.
|
|
#
¿
Jun 3, 2017 21:03
|
|
|
Last Chance posted:But doesn't that article actually imply that 7zip's using decent encryption? that's why you have to use good passwords, there's a ready-made brute force attack available. plus nobody's subjected 7zip to a fine-comb review for flaws. I'd use it to protect my own poo poo, like the passwords question earlier. But above that, it would depend. 7zip is an ok compromise for the original question -- encryption, no admin or OS privileges, easy to use for non-technical people. Hopefully that means they're not dealing with medical or financial records, just the secret powerpoints for next year's juicero. A better question would be why are employees who need to send secure, encrypted data: a) disallowed from admin access so they're locked out of bitlocker and presumably therefore not using full-disk encryption, making giant risks if someone's laptop gets stolen? b) sending USB sticks through the mail like a bunch of cavemen? But I guess those questions belong in one of the stupid IT stories threads.
|
|
#
¿
Jun 8, 2017 20:12
|
|
|
D. Ebdrup posted:How is a failure not a bug? Bug report: I smashed my computer with a hammer, systemd no longer boots Not that I think this qualifies under that example. Mainly, if systemd is supposed to be "init for the future" it should be aiming to go beyond posix standard usernames. For one thing, everybody outside the anglosphere wants characters other than a-z in usernames. So if you're working to have robust support for non-posix usernames, you might as well make sure they don't start things root as well.
|
|
#
¿
Jul 2, 2017 09:03
|
|
|
Thanks Ants posted:For some reason I'm shocked that @fart does Serious Work oh, I was wondering why http://www.smashmouth.com got a zero on their CSTAR score
|
|
#
¿
Aug 20, 2017 19:13
|
|
|
Furism posted:I understand that the USA are really full throttle in favor of free-market, weak state, strong companies, etc.. How does one keep thinking like this when they see what you quoted? Is anybody, anybody who doesn't have a direct stake that is, in agreement that class actions are bad, etc. ? This is a genuine question from a dirty left-wing European who cannot wrap his head around this. Send me my PM if you prefer (this not being D&D).  (pretend I edited the tv to show the Fox logo)
|
|
#
¿
Sep 27, 2017 22:31
|
|
|
orange sky posted:So the future probably belongs to small companies that can actually keep their poo poo together and adjust operations on a weekly basis, right? Cause I can't see any behemoth in any country being able to keep all their infrastructure safe as things are right now Small companies can't keep their poo poo safe either, they're just not as big of targets & not newsworthy when they get owned. The future belongs to the giant megacorps and the hackers that rob and extort them. It's the cyberpunk future except 90% less cool and 100% less sexy.
|
|
#
¿
Sep 29, 2017 19:18
|
|
|
This is nice because level3 recently started doing automatic redirects to a lovely search & ads page, and they were my 2nd slot after google. e: also I'm writing a DNS benchmark that runs on java, node.js, and a electron-based frontend Klyith fucked around with this message at 21:46 on Nov 17, 2017 |
|
#
¿
Nov 17, 2017 21:43
|
|
|
ChubbyThePhat posted:Generally consumer devices are class 1 and don't do too well beyond... 10 meters I think? Maybe a little less? https://www.defcon.org/html/links/dc_press/archives/12/esato_bluetoothcracking.htm definitely set all your bluetooth stuff to only pair manually
|
|
#
¿
Dec 7, 2017 19:44
|
|
|
"Attacker can gently caress with your BIOS" seems like a big enough prerequisite that any exploit following up on that is just icing on the cake.  Is Rutkowska so focused on Management Engine stuff because it has potential to undo the entire foundation of her Qubes system? I could see how that would piss someone off. Build an entire OS around the concept of compartmentalized distrust, then Intel comes along and fucks the whole thing by making something that breaks VM isolation, can't be turned off, and can't be trusted.
|
|
#
¿
Dec 9, 2017 12:36
|
|
|
I am one of the biggest critics of MS's "content delivery" and appx in general, and I'm not even sure what infosec taylor swift is talking about. They disabled some group policies that could prevent the ads from showing up, but a) that was in 2016, Redstone 2 was the spring 2017 update b) those settings were never really effective because major updates are fresh installs and fresh installs of win10 have those junk apps no matter what policies or settings you try to use on them. poo poo comes back every 6 months no matter what.
|
|
#
¿
Jan 1, 2018 05:20
|
|
|
Grassy Knowles posted:You could beat them by installing offline, deleting the stub files for the apps, then connecting. Perhaps that's no longer possible? which is kinda more work than just right clicking a bunch of dumb ad tiles and selecting uninstall But since this is the infosec thread, how do people here feel about appx in general? The driving force behind it seems to be security (also microsoft realizing they're the only company not making a 30% cut of every app sold on their platform). But I've just had terrible luck with it, it seems too secure for it's own good. Right now I have some of the standard OS apps that are totally broken with Event 69 errors, which as far as I can tell mean that the permissions have gotten hosed up so they can't launch. (They also can't update, and I'm pretty sure the only thing that will fix it is an in-place reinstall. Which I can't be bothered to do so I'm just waiting for the spring update.) My calculator doesn't work because its security is busted. That, IMHO, is a sign that your poo poo has gone off the rails.
|
|
#
¿
Jan 1, 2018 07:22
|
|
|
code:Klyith fucked around with this message at 08:01 on Jan 3, 2018 |
|
#
¿
Jan 3, 2018 07:13
|
|
|
The Fool posted:Lol, so much for amd being immune They're different bugs, the AMD one is much less severe security-wise. From what I can tell on AMD the malicious user process will hard crash the host machine, including from inside a VM. which is unfortunate but not as bad. Seems that linux at least is applying the the fix globally to all x86 cpus, no matter what. So AMD is gonna get hit by the performance slowdown as well on linux systems. Who knows what the MS patch will do, MS may have been able to target better. Working on a secret embargoed bug in open source is probably a lot harder than having a team of employees who can do the work quietly and behind closed doors.
|
|
#
¿
Jan 3, 2018 08:38
|
|
|
apropos man posted:Would it be possible to have two verions of the kernel: one for Vee-Emming and one for plain desktop/laptop use? I don't wanna lose up to 30% performance. I mean if you control those VMs yourself and know there's nothing bad running in them, it's not a big deal and just use the one? Anyways there's a kernel switch nopti to boot without FUCKWIT, so you just add a new line to your bootloader to avoid it. edit: on linux that is, maybe you're talking about windows.
|
|
#
¿
Jan 3, 2018 15:40
|
|
|
deimos posted:This affects non VMs as well, theoretically a Javascript payload could install a rootkit. That's how hosed this is. are you positive? the writing about this made it seem to me like the bug can only read kernel memory. and that to turn it into an attack you'd need to actually use that information -- either as a target for a second vulnerability, or just stealing the leaked data itself. which is why VMs are brought up all the time. but if I'm totally misunderstanding it and you can use it to write to arbitrary memory as well then count me in on the holy poo poo bandwagon.
|
|
#
¿
Jan 3, 2018 20:18
|
|
|
The Fool posted:Doesn't make it any less of a 'holy poo poo' situation though. yeah alright, but holy poo poo in a holy poo poo OSes need to do extensive rewrites of memory management type way not a holy poo poo the world is ending way
|
|
#
¿
Jan 3, 2018 20:50
|
|
|
Proteus Jones posted:Pretty much this. Spectre mitigation is looking more and more like a complete rearchitecting of some fundamentals in modern CPUs. Which means likely 4 to 5 years out for something to hit production. The question is, are you required to prevent it, or is it good enough just to catch it? The attacks are not subtle, you have to blindly scan through memory to find the bits that are meaningful and dangerous. I think the answer to some of these hardware brute-force attacks like spectre and rowhammer isn't to throw out everything and go back to 1980s hardware. It's good enough to have things, in hardware OS or both, that raises flags when a process starts issuing lots of instructions that get blocked as trying to load non-process memory. OS terminates that process, informs user, possibly quarantines the program. Kinda like DEP? also, I would like to revise my previous estimate: Klyith posted:holy poo poo the world is ending
|
|
#
¿
Jan 4, 2018 07:38
|
|
|
OneEightHundred posted:Spectre is much more complicated because it's not doing loads across a privilege boundary, it's doing speculative loads of valid memory in the same address space. That's bad for a lot of reasons: For one thing, even if the contents of that address space are restricted, it'll still allow accesses that should be forbidden by language semantics. For another, what I'm saying is that Spectre's characteristics are so simple that there is probably a ton of code that accidentally supplies the necessary functionality. The example it gives is basically "is this index lower than this amount? If so, load this address offset by the index shifted up a few bits." That's basically every bounds-checked array lookup, hardly a suspicious pattern. But in that case: quote:Also just in general, more because of rowhammer than this, I think x86 vendors should start taking some time to think about what code should be able to execute the CLFLUSH instruction in the first place. On one of the writeups I read about this there was a mention that all of these attacks can be blocked by setting a process to be run in-order only. Might that be a way to block them, by forcing instructions that precede a cache flush to be done in-order?
|
|
#
¿
Jan 4, 2018 10:16
|
|
|
Mystic Stylez posted:I always read that deleting all your cookies every time is good quote:Another question: this basically turns keepass from a secure password vault into a fancy "passwords.txt" program. anyone who has full access to your computer, whether remote or local, can potentially yoink all your passwords. not that a text file is the absolute worst level of password security. at the very least it implies that you're using different passwords for every site. it's still pretty bad though. a piece of paper in your desk drawer is more secure -- at least with that someone actually needs to break into your house. using keepass with a plaintext master password in plaintext is like having big fancy lock on your front door and a key under the mat
|
|
#
¿
Jan 15, 2018 05:49
|
|
|
B-Nasty posted:To be fair, it's a little better than just a text file. The master p/w in the batch file is encrypted using Window's DPAPI, which is locked to a user account. The DPAPI key, though stored on disk, is encrypted with the login credentials, so an active user session would be necessary. oh, I get it. the blog post was not at all clear in what is actually happening there. that completely changes my opinion, it's pretty much just as secure as normal password entry for a home desktop. if someone can scoop the vault & password from that, they could keylog when you're typing the master password as well. as long as it's on a desktop, not a laptop where someone walking off with it is a risk.
|
|
#
¿
Jan 15, 2018 19:08
|
|
|
this is to UI design what spaceballs is to security
|
|
#
¿
Jan 16, 2018 20:52
|
|
|
everyone replying to that could have just stopped with the part where he says "NOT keep the password in your memory" and then talks about remembering a thing. that's asinine whether the thing is a loving game ROM or digits 69 through 420 of pi. the only way to keep an encrypted file that you can't be persuaded to decrypt, legally or by rubber hose, would be to have someone else choose the password and not tell you what it is. and that person should probably live in a different country, and have been told not to reveal the password until you see them in person. no matter how desperate you sound on the phone. and now you're dealing with the consequences, legally or rubber hose wise, of carrying an encrypted file that the Opposition claims is CP or NSA secrets or the mafia's bitcoin address or whatever the gently caress else, and you can't decrypt it. so whatever you're carrying better be worse / more important than anything you have a chance of being accused of.
|
|
#
¿
Jan 20, 2018 18:53
|
|
|
Jeoh posted:goatman is my password my gape is my passport, verify me
|
|
#
¿
Jan 20, 2018 22:41
|
|
|
Martytoof posted:if you have an iPhone X they'll just point it at your face lol pwned Ha! that's where you're wrong, feds! I've secretly trained my iphone X to unlock only when pointed at my balls
|
|
#
¿
Jan 21, 2018 00:08
|
|
|
The Fool posted:Setup an online service that you do a key exchange with, so that this service has to be online and respond properly in order to unlock your file, ala media drm. judge doesn't believe you can't decrypt your files, jails you for contempt of court. you finally break and plead guilty, end up serving several extra years because they add a destroyed evidence charge and the DA has no reason to make a deal with you. plus the judge is annoyed enough to reject any time served discount for your contempt stay. you dorks are just inventing more and more elaborate ways to own yourself if you are a criminal in the US, or a dissident in a nasty dictatorship, your best bet is security through obscurity. the only way They can't force you to decrypt your poo poo is if they can't even find the storage media in the first place. a 128gb microsd card is the size of your fingernail, buy one of those and hide it somewhere clever. i suggest up your rear end.
|
|
#
¿
Jan 24, 2018 04:15
|
|
|
Trabisnikof posted:up you rear end is one of the first places they look oh gently caress really? looks like i need a new spot to hide my collection of secret nsa dox and embarrassing hentai!
|
|
#
¿
Jan 24, 2018 04:23
|
|
|
it's really all hentai but it's in a folder named "nsa dox" so i can pretend i'm jason loving bourne like the rest of the thread
|
|
#
¿
Jan 24, 2018 04:25
|
|
|
Jose Valasquez posted:This discussion is like when the gun nuts fantasize about how they're gonna save the day during a mass shooting. I remember in like 1999-2001 days when the thermite deadmans switch for HD destruction was a frequent topic on slashdot nerds just want to pretend they're james bond or something. gently caress, next you'll tell me they have hentai-sniffing dogs and my Important Secret Data will never be safe!
|
|
#
¿
Jan 25, 2018 00:40
|
|
|
that bit in cryptonomicon was horseshit at the time it was written and has only gotten moreso. the magnetic field needed to erase / write the magnetic media of any hard drive post 90s is really high. a standard refrigerator magnet can't do it even if you put it right against the platter. a nb magnet will do it, you need a big chunky one and you need to take the lid off. an sufficiently strong electromagnet coil in a doorframe would be kinda obvious because it would violently yank the pc from your arms and anything else ferromagnetic off your body and throw it violently across the room. then it would burn your house down because you used copper wires and they melted. we're talking about ~1/3rd the magnetic power of a MRI machine, those use superconductors. in that case how do hard drive heads manage to write data at all? they're very small, focused, and very close to the platter. (micrometers in 90s, nanometers today.) magnetic fields are a cube law, they're hard to make big.
|
|
#
¿
Jan 25, 2018 11:19
|
|
|
Absurd Alhazred posted:If you were wondering what happened to TrueCrypt... what the fuuuuuuuuuuuuuuuuuuuuck this is some Kaiser Soze poo poo, except he's briefly disguising himself as Bruce Schneider instead of Verbal Kent
|
|
#
¿
Jan 27, 2018 01:11
|
|
|
Docjowles posted:I admit to being a total dipshit in the security realm. And yeah this is something 99% of us won’t ever have to worry about. Just posting it because a) the attack itself is fascinating. And b) remember that time the NSA was caught intercepting hardware and installing backdoors? Maybe that airgapped computer wasn’t as secure as you thought. it's interesting, but more as a demonstration of how much a cpu or whatnot can be coaxed into doing really crazy stuff. As for real security, until someone comes up with a way to use some component on an airgapped pc to receive data, all of these exotic methods to send data out of the air gap are kinda academic. Installing malware on an airgapped machine is demonstrably possible. But if your goal is exfiltrating data, you can just do that the same way your malware got into the target machine in the first place (the USB keys or custom trojan hardware). If stuxnet had been aiming to steal "iranian agents.xls" instead of wreck centrifuges, the CIA would have made it save that data back to the USB key or whatever. But since the data you want to steal probably isn't an excell sheet saved on the desktop, you're probably going to need multiple rounds of passing information back and forth across the airgap to find the thing you want. And while these magnetic flippers or radio generators or led flashers would shorten one leg of the process, it's no magic bullet. At best they're a shortcut -- but since they also require physically placing a bug nearby, even that is questionable.
|
|
#
¿
Feb 10, 2018 20:04
|
|
|
astral posted:The beauty of those were that they spread on other people's USB drives though. exactly. but if you wanted to steal data, instead of the centrifuge-destroyer payload you'd have a data theft module that, when it recognizes the target airgapped machine, searches and writes your secret dox to the USB drive (encrypted of course). then you'd have an "exfiltration" module that was on every infected machine that passes the hot data along until you can upload to ftp.cia.gov from some tech's home pc. of course now if you have an airgapped computer with the Mission Impossible NOC List you are expoying all the USB ports and stuff because the cat is out of the bag. e VVV stuxnet was infecting 60% of the computers in Iran before they discovered it. the data can propagate out just as fast as the original infection, and jump any gap via sneakernet Klyith fucked around with this message at 23:34 on Feb 10, 2018 |
|
#
¿
Feb 10, 2018 21:03
|
|
|
Double Punctuation posted:This is why most password complexity requirements are bullshit. It’s a lot better to let users pick a long (20 characters absolute minimum) passphrase that’s easy to remember than it is to require symbols and stuff. All you should be doing with complexity requirements is setting a minimum character count and prohibiting repeated or keyboard sequences like 1234567890 or qwertyuiop. Alpha Mayo posted:I think the only solution is to move toward passphrases. The statistical analysis that has been done on all the billions of leaked passwords combined with the rise of GPU compute has made cracking most passwords trivial. MD5 is broken but that isn't why the passwords were so easy to crack, but because humans suck at coming up with passwords. The attack methods these days are extremely clever and look at passwords as a statistical heat map rather than something that should be brute forced. password complexity requirements are bullshit, but "everyone should use passphrases" is also bullshit. passphrases are: 1) not easy to remember if you're using a different passphrase for every site. reuse of passwords is bad. 2) crackable by the same methods as the pseudoramdom passwords people use now. grammar has rules, and you're probably using a phrase with common words and not something from a medical textbook. a safe phrase against hash attacks isn't 4 words, it's like 6-10. 3) people are not random, the world where everyone uses passphrases will still have 100 super-common ones like "roses are red violets are blue" or the opening line from 50 shades of gray.
|
|
#
¿
Feb 13, 2018 18:00
|
|
|
AlternateAccount posted:Can you explain this better? Don't blindly trust entropy calculators. They will sometimes give you "bonus entropy" for things that are actually non-random, common patterns. They need specific functions to detect a keyboard-walk pattern, because keyboards are not an inherent feature of mathematics. And the reason they need to write code to detect non-random patterns is because lots of people do them. If you're using a non-random pattern that they don't yet have code for, you will get a better score than you deserve. For example, your second phrase gets a much higher score than the first one because it includes characters that aren't letters. But spaces between words aren't random, and for anyone cracking hashes trying with both spaces and no-spaces only doubles the search space. That's a no-brainer. I'd call that a flaw in the calculator, to add that much entropy for words with spaces between them. Let's look at the formula that gets used to calculate "bits of entropy". It is: code:Looking for both spaces and no-spaces only doubles the number of possibilities: log2(1000*2000*2000*7000*2). That's 45 bits -- each bit equals twice as long to search. So now we look at the third example. Which is much better, but does it really have 103 bits of entropy? You have '+'s between the words. How many symbols are likely choices to be used between words in a passphrase? Well '_', '-', '+', and '.' are gonna be by far the most common. But you're using the same symbol each time. So that really only adds 4 new possibilities, plus the 2 of space & no-space. log2(1000*2000*2000*7000) = 44 log2(1000*2000*2000*7000*6) = 47 Then we need to add the "87#". This is the tricky one, and it does add a lot of entropy. How many extra characters is someone going to use? What patterns are most likely? At the start or at the end? Just looking for 3 extra numbers or symbols, at either the front or back will be: log2(1000*2000*2000*7000*6*42^3*2) = 64.4 bits, too much for any hacker (but not for the NSA). But tacking on the "extra randomness" at the end is by far the most popular choice. And one thing that people love is their birth year, so 2-digit numbers is a common test. So lets try 2 digits, plus any numeral or symbol, at the end... log2(1000*2000*2000*7000*6*100*42) = 59 bits, which is just verging into the possible. Someone with quad 1080s could find that if it was a bad website that used MD5 hashes and they ran it for a month. So you see how different assumptions come up with different results for entropy. I am totally cheating because I know I'm looking for a 4 word passphrase -- but if the whole world was using passphrases those could be good assumptions to make. Klyith fucked around with this message at 21:25 on Feb 14, 2018 |
|
#
¿
Feb 14, 2018 21:02
|
|
|
Kerning Chameleon posted:Cheetah Outrunning Security Theory. And now let's use this to talk about the follow up. I'd call it the "I don't have to be faster than the bear, I only have to be faster than the average guy" theory of password security. And it's wrong, even if you're not being specifically targeted. You still can't reuse passwords. Password reuse is feeding yourself to the bear. It doesn't matter how many bits of entropy your password has if some website stores it in plaintext or something. Now your legs are broken, and the bear eats everyone that reused passwords. The passphrase should+lonely+folks+leaf87# is a great password, and right now is pretty secure against anyone that isn't cheating like I was to artificially narrow the possible combinations. But can you also need to memorize code:GPU hashrate doubles every 2-4 years. The bear gets faster. I might have been cheating, but all of those ideas to reduce the possible combinations to brute force your password are real ideas. People really do have consistent patterns in how they make "random" passwords. As hashing power advances, it costs less and less time to try out more rulesets. I don't expect the 4word+3symbols passphrase to be broken today, because even the right ruleset guess would take weeks to hit. But it gets cheaper all the time. You still have to change passwords when someone gets their hash database stolen. The bear never forgets. Once those hashes get out in the world, the bad guys will have them forever. If you don't change your password based on the assumption that "my password is too strong to crack" then you will eventually be proven wrong by future bears. So yes, AlternateAccount posted:ideally, a proper difficult to crack password would be used on 1Password
|
|
#
¿
Feb 14, 2018 21:56
|
|
|
ElCondemn posted:I was just dogpiled last week for asking about password managers with browser integration... is 1password the suggested option or are people going to call me an idiot again for wanting something that my mother can use? you got dogpiled for your insistence about a lovely browser-integrated password manager, and further dogpiled from there on the convoluted string of choices that led you to insist on that password manager. e: and the fact that what you took from all of that was "all browser integrated password managers are bad" is some  cognitive dissonance
Klyith fucked around with this message at 00:08 on Feb 25, 2018 |
|
#
¿
Feb 25, 2018 00:01
|
|
|
ElCondemn posted:So again I'm asking, what is the preferred solution? 1password, Keepass ..... iCloud keychain Klyith fucked around with this message at 01:36 on Feb 25, 2018 |
|
#
¿
Feb 25, 2018 00:42
|
|
|
|
| # ¿ Apr 26, 2024 03:29 |
|
|
Potato Salad posted:Has icloud keychain come up itt before? everyone has bugs, it's about how you respond to them. apple patched it promptly when a researcher disclosed it to them. lastpass has a history of balking. (also FWIW the apple flaw was way less braindead than lastpass's mistakes. "sophisticated attacker MITMs you while your device is actively communicating to the mothership" versus "anyone visiting a website while using their extension gets owned".) keechain is all about ease of use for non-technical people which makes it weaker by default than lastpass or keepass, but aside from that it's fine. the real problem is it doesn't make sense unless you live 100% in the apple ecosystem. edit: oh yeah, and don't use anything from apple, google, or microsoft if you live in china and are afraid of your government, because they all bend over for the PRC waloo posted:How does this change, if at all, for somebody using a chromebook a lot? Klyith fucked around with this message at 01:40 on Feb 25, 2018 |
|
#
¿
Feb 25, 2018 01:34
|
|