|
Quote: "CubeiTz does not use ANY of this underlying technology... " Underneath mentioning vulnerabilities in C. Impressive that they've written a whole secure OS that doesn't use anything from the Windows/NT stack, Linux kernel OR Mac kernel! Way to go, guys.
|
#
¿
Sep 8, 2016 00:08
|
|
|
|
| # ¿ Apr 27, 2024 00:40 |
|
|
The fallout of the recent hack of the DNC by Russia (widely believed to be Russia) is fascinating. Does this house think that we should all be wary Russian hackers now, or is it a case of high profile targets attracting the most determined and expert attention? If the Russian's are feeding Assange, then what do his tweets that look like hashes mean?
|
|
#
¿
Oct 19, 2016 10:17
|
|
|
How dangerous would something like PoisonTap be, if inserted into an office computer in a corporate building? https://www.youtube.com/watch?v=Aatp5gCskvk
|
|
#
¿
Nov 21, 2016 18:45
|
|
|
Squibbles posted:... When I tried to log in to the new system it failed so I got in touch with support and they informed me that my password was too long so they truncated it for me so I should be able to log in now with the last two characters of my password lopped off. I decided to increase the security of my PayPal account last week. I tried to use a 40 character one generated by KeePass. PayPal wouldn't accept it but allowed a shorter one. One of the biggest payment processors in the world, there. I looked at their 2FA options, hoping that I could augment my lovely short password with something like Google auth but they have rolled their own system that sends you a text message. I didn't trust them to implement it properly if the best they can do is <30 character passwords, so I left it inactive. PayPal. One of the biggest payment processors in the world.
|
|
#
¿
Dec 3, 2016 14:47
|
|
|
Visions of trying to log into PayPal and waiting for a text message that never comes.
|
|
#
¿
Dec 3, 2016 15:56
|
|
|
vOv posted:I remember working around this on I think it was battle.net by popping open the element inspector and doing $0.value = "password". Except my autogenerated password was like 20 characters and the max was 16. So they silently truncated it before storing it, which meant that my password didn't actually work. This is what happened with me. It was up to me to work out why my newly generated ~40 character password wasn't working, before realising they'd truncated it to 20 characters. If you count the dots in the input box when pasting you can see that there are only 20 of them there, but really. If they can't even get decent length password entry working in a browser why should I trust them to send me a text message promptly to my phone when I'm out and about and see a good deal I want? Or if I feel that my account's become compromised and I need to log in and do something about it quickly? Why should I trust them not to gently caress that up? [facetious]What's the most secure 20 digit password?[/facetious]
|
|
#
¿
Dec 4, 2016 11:14
|
|
|
I'm about to start trying out CryFS with a Dropbox account for keeping a backup of ID scans, banking pdf's, payslips etc. https://www.cryfs.org/ It's a fork of EncFs which is more suited to cloud storage. Does anyone find anything that looks bad about it? Seems pretty nifty IMHO.
|
|
#
¿
Dec 25, 2016 21:54
|
|
|
Powered Descent posted:That does sound neat, thanks for the link. But unfortunately it doesn't appear to have my favorite feature of EncFS: reverse mode. That allows you to mount an encrypted view of unencrypted files, on the fly and with no extra disk space used up. I've been using it for years for my own backups. I'm not quite paranoid enough (yet) to keep my stuff encrypted on my local machine, but I want it scrambled before it goes off to the cloud. So my backup script just mounts the encrypted view and then rsyncs that. Works great. Hmm. That does sound like a cool way of doing it. Kind of like using Dropbox (or whatever) for an encrypted snapshot, rather than constantly looking for file changes. I was gonna use EncFS but read somewhere that the way the files are encrypted it's possible to reverse engineer the encryption key under certain circumstances. I think it was in relation to versioning, thus: Say you have a text file that you modify by adding a sentence to the end, then decide to edit again and remove that sentence. Dropbox (or whomever) now has two versions of the file and can use the differences generated by EncFS to calculate your symmetric key. See here: http://security.stackexchange.com/questions/83292/is-encfs-secure-for-encrypting-dropbox I guess it would be trivial for a big company like Dropbox to watch user accounts that seem to be encrypted with EncFS and run a bot to check file versions for when this scenario appears. If they wanted to. apropos man fucked around with this message at 22:57 on Dec 25, 2016 |
|
#
¿
Dec 25, 2016 22:43
|
|
|
Ah, OK. I'm no expert in these things, which is why I asked here to see if anyone thought CryFS has any obvious problems. I dunno what a stream cipher is, and how it would differ from transforming a whole file with a symmetric key. I've got CryFS set up to unlock a directory on boot by piping my passphrase through stdin and using the -c (--config) flag, so that I could move the cryfs.config file out of the directory to be uploaded. I'm keeping cryfs.config somewhere safe, since it's a bit like a luks header in that it contains the encryption key wrapped in further encryption. I realise that my local files are boned if someone has a look around and sees my config file passphrase, but if someone gains that kind of access I would have worse problems to care about. Seems good so far.
|
|
#
¿
Dec 26, 2016 09:24
|
|
|
Dylan16807 posted:With a stream cipher you don't directly encrypt the data. You generate a block of noise the same size as your data, and XOR them. This is appropriate in some circumstances. It is not appropriate when a key will be used more than once. Ah, right. I can kind of visualise what you mean. So the file is padded out to n*blocklength.
|
|
#
¿
Dec 26, 2016 11:56
|
|
|
Harik posted:In terms of security, I don't think it's anywhere near as secure as they think it is. Taken at rest, you can't gather much information. Taking the streaming update log that a cloud provider has, you can trivially identify the root directory blocks, other directories and individual files with a size granularity of 32k. You can see what files the user is working on with frequency, and as they grow you capture the additional blocks. You can tell exactly what directory they are in as well. This is all the stuff their scheme was supposed to prevent. I've got the cryfs.conf file stored inside my keepass database file, since keepass allows you to store attachments there. I have the same file regularly synced across three different hard disks and my mobile, so I don't think all of those are gonna break at the same time. As for the encryption, thanks for checking it out to a degree I couldn't understand. I've been tinkering with it most of today and even set up an AWS S3 storage "bucket" to sync the encrypted shards in my CryFS directory to S3 from the command line. I also set up a cron job to sync automatically every hour. I thought I had it all sorted but obviously this CryFS poo poo needs to go. I don't want to use an overall encryption container because I'll get bummed for bandwidth money by Amazon and also it'll slow my home net and connection down, since every time a file is altered in the container the whole container checksum changes. I'd like some automated file by file encryption that does the job properly. Ho hum.
|
|
#
¿
Dec 27, 2016 22:19
|
|
|
I think I'll switch over to EncFS. It'll be a trivial job tomorrow to copy the decrypted files to a new directory for EncFS, and then point my sync script to the new location. If Amazon want to check my encrypted blocks for file changes then have at it! Like you say, the important thing here is that I have a reliable backup that I know I can reassemble. Cheers! Edit: I'll also look at the best setup options for running EncFS.
|
|
#
¿
Dec 27, 2016 23:59
|
|
|
CaladSigilon posted:You want borgbackup. The only reason to use EncFS is if you need online access to it; if all you need is "batch" (aka backup) access, you want a deduplicating encrypted backup. Ooh. Thanks for mentioning that. I've had a look at a couple of reviews now that I know what to search for. This page (http://changelog.complete.org/archives/9353-roundup-of-remote-encrypted-deduplicated-backups-in-linux) is pretty informative and suggests to use Obnam instead of Attic (which borgbackup is a fork of). Since I'm not uploading a large amount like the guy in that article I'm gonna give borg a try.They may also have improved on the remote index problem that existed in Attic, since that article is almost two years old. I've gotta go out for a couple of hours, then I'll mess around with borg and maybe Obnam to compare.
|
|
#
¿
Dec 28, 2016 09:58
|
|
|
CaladSigilon posted:rsync.net has an awesome special price for people using attic/borg. Ridiculously, insultingly cheap, and they're incredible. No support, though; that only comes with the not-crazily-discounted plans. (Even the real plans aren't that expensive though.) A bit out of my league, there. You can't pay for less than 100GB and I'm lucky if I will hit 3GB for just personal documents and stuff. Looks good and cheap for those with big data. I'm gonna run S3 for a couple of months and see how it averages out. If it's more than $5, which I very much doubt, then I'll consider it.
|
|
#
¿
Dec 28, 2016 13:28
|
|
|
Rufus Ping posted:If you need backup (rather than syncing) just use tarsnap. It's backed by s3 Thanks for that. I've been playing with borgbackup for 24 hours and I like the versioning control I can do with it. I'm running it with crontab, so I can easily adjust time between archival operations. I've also got a second local borgbackup for my mozilla dotfiles, which used to occupy multiple tarballs but are now in one borg repo. I've been extracting different local and remote snapshots this morning and checking with diff to prove the integrity of my snapshots and it's all working out fine. I really like borgbackup. If Amazon start billing me too much for my borg syncs I'll have another look at tarsnap. Cheers!
|
|
#
¿
Dec 29, 2016 10:18
|
|
|
doctorfrog posted:Mediafire, IIRC, lets you set a password and temporary share links for files. Or (maybe) it did last time I used it years ago. I've been using a paid Dropbox account that lets you do time-limited public links (free account doesn't). Mega.nz also does this, and also splits the URI for your download link into two parts, seen here in black and red.  If you want you can just share the first part of the link publicly. This gives a prompt for the decryption key, which is the red half of the URI. The whole thing joined up allows you to download the file or directory. Dunno how great the encryption is but it could be handy to keep the link in two halves. You might also be helping Kim DotCom with some hits to pay his solicitors fees.
|
|
#
¿
Jan 1, 2017 02:03
|
|
|
Powered Descent posted:For gently caress's sake, just pick up a usb drive, they sell them at drugstores for five bucks. Hell, they're so cheap these days you can often find them lying round in car parks.
|
|
#
¿
Jan 1, 2017 10:24
|
|
|
unknown posted:Back to infosec... Just noticed in Amazon reviews that it's a rebadged Feitian K5 token. Just in case anyone can find one of those even cheaper than the cheapness that is the one you posted.
|
|
#
¿
Jan 2, 2017 20:50
|
|
gets you a usb U2F/Fido security key from amazon. (
|
I think either would be good. Just thought I'd mention the alternative brand in case anyone finds them local or something. I had a little read up about how Fido/U2F works this morning and tbh I'm still slightly bewitched by it, but if these things are only performing a public key encryption calculation on the details being sent to them before spitting it back then I can't see that there's much to go wrong apart from the keyring clip breaking. One site I read seemed to suggest that a master private key was stored in the fido device and another site suggested that private keys were server-side. Then I gave up reading 
|
|
#
¿
Jan 2, 2017 23:02
|
|
|
Authy is on the list. I use Authy but always via the Android app and not over HTTP. Do I need to regenerate my master key thingy again?
|
|
#
¿
Feb 24, 2017 21:31
|
|
|
Cool. Cheers folks.
|
|
#
¿
Feb 24, 2017 21:40
|
|
|
So I just spent the last couple of hours changing passwords due to cloudbleed. I even changed some that weren't on the vulnerable list just because. I noticed that ebay have disabled copy and paste in the browser, which is more likely to force people to choose a simple password over a random, complicated one that can be generated and pasted by keepass or whatever. Great thinking, ebay.
|
|
#
¿
Feb 25, 2017 09:10
|
|
|
Mr Chips posted:Have they? I was just able to log into ebay by pasting the password, with Chrome on Win10x64 I can copy and paste to login. It's changing the password that requires typing every character. Even with Ublock disabled.
|
|
#
¿
Feb 25, 2017 09:34
|
|
|
skull mask mcgee posted:Did you by chance tweet at twitter support about this because I literally just read a twitter thread about this exact issue. Nope. I stopped tweeting a coupla years ago.
|
|
#
¿
Feb 26, 2017 02:58
|
|
|
I use this app on my phone to sync my Keepass db: https://play.google.com/store/apps/details?id=com.bv.wifisync I have a cron job set on it every two hours to sync from my home server's samba share and force overwrite the latest version of my kdbx file on to the phone. It takes less than a second to sync. It will only try to sync if it's connected to a specific ssid. The main drawback is that if I'm out of the house and I want to sign up for something I just make a note of the password and enter it into my keepass db manually on my laptop. I have a cron job on my laptop to rsync the latest copy of my kdbx to the server every hour. Secondary drawback is that if I join a site on my laptop and save the new creds then it can take a couple of hours before the latest kdbx is on my phone, but I rarely join something so critical that I need portable access immediately. Main positive from this set up is not relying on a third party to handle my db.
|
|
#
¿
Mar 27, 2017 20:55
|
|
|
Yeah, I know it's convoluted. I quite like it, though.
|
|
#
¿
Mar 27, 2017 21:37
|
|
|
Last Chance posted:Except for the Android app that hasn't been updated in almost two years? Maybe it's perfect.
|
|
#
¿
Mar 28, 2017 06:30
|
|
|
So I just installed the eBay app on my Android phone after a factory reset. On first start it says "signing in with smart lock..." together with animated 'doing something' graphic for a few seconds, before realising that it can't pull creds from anywhere. I check out what "smart lock" is, where pertaining to password auth: https://support.google.com/accounts/answer/6197437 For fucks sake. You only ever have to log into the eBay app once, when you first run it. I'm not sure exactly what I'm getting annoyed at here. It's either that users are now ushered toward saving all their passwords with their Google account, or it's the fact that the eBay app tries to pull creds without even asking you if you want it to do so. Either way it's convenience gone mad and it cannot be as safe as using a decent password manager.
|
|
#
¿
May 2, 2017 14:14
|
|
|
apseudonym posted:Why do you think that? The first thing that comes to mind is that the eBay app started attempting to retrieve my passwords without any warning or input from me. I don't knowingly have any passwords stored with Google, so this failed. If I did have passwords stored with Google then there's some kind of password retrieval protocol which could theoretically be hacked. On the other hand, I'm using keepass for my passwords and a popular keepass Android app to unlock my database. When I want to log into a site I manually copy my password into the clipboard on my phone and paste it into the site. The app clears my clipboard automatically after 30s. So there are two obvious angles of attack with my situation: My keepass Android client is somehow remotely hacked or I install an app containing a keylogger (my phone is not rooted). I can't quantify the angles of attack with the Google 'request password' protocol because I don't know enough about Infosec, but I'd imagine that someone could be potentially probing for vulnerabilities round the clock whether my phone is on/off/exists.
|
|
#
¿
May 3, 2017 17:11
|
|
|
Meanwhile, our UK news is surveying the aftermath of the NHS computers that were held to ransom: "This was an attack that was unprecedented in scale..." Nope. It wasn't the size of the attack. The computer program will only attack where it can get through. If anything, the size of your holes were "unprecedented".
|
|
#
¿
May 15, 2017 06:10
|
|
|
What does this mean, which is the advice given by WhatsApp when backing up to Google Drive: "Important: Media and messages you back up are not protected by WhatsApp end-to-end encryption while in Google Drive." Also found on this page: https://faq.whatsapp.com/en/android/28000019 Does it mean that WhatsApp are simply no longer in control of the encrypted message archive that Google now holds, or does it mean that Google now has an archive of the messages in plaintext? EDIT: --- apropos man fucked around with this message at 10:48 on Jul 1, 2017 |
|
#
¿
Jul 1, 2017 10:43
|
|
|
Loving Africa Chaps posted:Messages are backed up in plain text iirc Heh. Really? Kind of nerfs secure comms with WhatsApp unless whoever you're talking to has told you they aren't using Drive backup. I mean, from a zero-knowledge perspective.
|
|
#
¿
Jul 1, 2017 11:40
|
|
|
Furism posted:... Well it's mainstream, massive userbase stuff, but here in the UK our government have been recently calling for stuff like WhatsApp to be back-doored to them. Makes me wonder if they know that they can simply ask Google for the conversations for some of their intelligence targets. I mean, there must be a few terrorists out there with Google Drive backup turned on, oblivious.
|
|
#
¿
Jul 1, 2017 18:15
|
|
|
In what way can your Intel PC be controlled, though? Even if you've got some kind of outward-facing RDP/VNC/SSH setup it ultimately falls down to the security of that, doesn't it? I guess it comes down to being extra vigilant with whatever software you tell your PC to run?
|
|
#
¿
Nov 22, 2017 15:51
|
|
|
|
|
#
¿
Nov 22, 2017 16:08
|
|
|
Would it be possible to have two verions of the kernel: one for Vee-Emming and one for plain desktop/laptop use? I don't wanna lose up to 30% performance. This is probably a bad idea, but fuckit: hit post.
|
|
#
¿
Jan 3, 2018 14:55
|
|
|
Klyith posted:I mean if you control those VMs yourself and know there's nothing bad running in them, it's not a big deal and just use the one? I was talking about Linux. Thanks for the advice about that kernel parameter. I suppose I've got nothing majorly exposed to the outside world on my server VM's, so it aint a problem. It's the performance drop in desktop use that's really got the potential to piss me off. I just spent £1150 on a brand new Thinkpad and I'm running Fedora on it. I got an i5 because I think an i5 is 'plenty' for Linux. That thought might turn out to bite me. This thing is literally a week old.
|
|
#
¿
Jan 3, 2018 15:52
|
|
|
Wtf is that supposed to mean? I'd be better off with Win10 on it? Chortle.
|
|
#
¿
Jan 3, 2018 17:17
|
|
|
Ages ago I got my mother to start using Lastpass. Her password strategy was terrible. She didn't like Lastpass, didn't see the benefit in the concept of having randomised passwords and was afraid of losing them. Even though I stressed to her she only had to remember one password. She's just old and doesn't even understand the basic concept of how a database works, I think. Since we gave up on Lastpass I changed all her passwords to some new randomised ones, popped them in an Excel table, printed it out and deleted the Excel file from her PC (I have an encrypted version of it). She laminated the printed out Excel version and I went round there the other day to set up a new phone she'd bought and the password for Amazon didn't work, so either she's changed it or gently caress knows. I'm tired of nannying her password strategy and I just noticed on the Chrome Blog that Chrome now generates and handles randomised password for you. Does this look like something a 67 year old woman can actually use? And will it retrieve historical passwords if she fucks something up? I sure as hell aren't using Google to store my passwords, but it looks like it might be OK for the clueless.
|
|
#
¿
Sep 5, 2018 15:06
|
|
|
|
| # ¿ Apr 27, 2024 00:40 |
|
|
Thanks Ants posted:I'd trust Google with my passwords before I trusted Lastpass Aye, perhaps I got a bit pointlessly emotive toward the end of my post. I think I'll get her into using this upgraded Google doohickey. She already uses Chrome, so this one might actually work for her.
|
|
#
¿
Sep 5, 2018 17:10
|
|