ElCondemn
Aug 7, 2005


wolrah posted:

ID10T IPA - A 10%er to wash away the dumb
PEBCAK Porter
Tripel DES

Triple DES could already be one!


ElCondemn
Aug 7, 2005


The guys at work are speculating that AWS has already patched everything taking advantage of live migrations. I’ve been using AWS long enough to know that AWS takes your poo poo down when they do disruptive maintenance like this. Anyone know what the status of the mitigation on AWS hosts is? So far they’ve only announced that they’ve patched their Linux AMIs.

ElCondemn
Aug 7, 2005


Lain Iwakura posted:

Here are CPUs that are safe:

- Pentium P5s or 80486 and earlier (enjoy your FDIV bug)
- PowerPC 604 (not 604e) and earlier
- Alpha EV5 and earlier

Enjoy.

Apparently the AMD Epyc is also not vulnerable, presumably they found the problem a while ago and fixed it since their security changes seem to target exactly this kind of issue.

ElCondemn
Aug 7, 2005


Powered Descent posted:

Got into a fun discussion today that this thread might enjoy pondering.

Let's say that, for bullshit legal reasons, you want to encrypt something and NOT keep the password in your memory or anywhere in your possession. So for the password, you use the hash signature of a particular file, and then you don't keep a copy of that file yourself, anywhere. Whenever the time comes to decrypt -- and it will likely be many years in the future -- you'll have your encrypted data, and the software to do the decryption, but not the file whose hash is the key. You'll have to trust in your ability to track down another copy of that same file. Remember, it has to be bit-for-bit identical or it won't work.

Put aside the question of whether the legal trick would work (spoiler: no) and just go with the premise. What file do you choose? What are you confident you'll still be able to find in the future, let's say 25 years from now?

We kicked this around and arrived at what I think is a great answer: The ROM of a reasonably popular old video game cartridge. You aren't depending on a single source (which might go out of business or something), there isn't going to be a new edition of it (at least not one that would displace the original version), and it's not the sort of thing that would be casually altered (like an image or sound file being re-encoded in a new file format). Someone out there will still be preserving these things as a hobby. And hell, if it came right down to it, you could even try to track down original hardware and re-rip the data yourself.

Other ideas?

You're just asking us "if you could use a file as your password what file would it be?"

I would say, don't use a password that is public, it isn't any more secure than using a random string of characters that you write down somewhere public.

ElCondemn
Aug 7, 2005


Proteus Jones posted:

Lastpass is a garbage fire, but what's wrong with 1Password? Or Keepass?

I don’t understand the issue people have with LastPass, sure they were hacked but my understanding is that they encrypt using your “master key”. So all you’d have to do to remain secure is not share your private key. Certainly it would be good to keep your vault secret too but it’s as safe as your keepass database would be if say your Dropbox was hacked...

ElCondemn
Aug 7, 2005


Wiggly Wayne DDS posted:

here's an audit publicised nov 15:

in there is a 2fa bypass and multiple ways of obtaining the vault key. in the june 2015 breach (note that i have to specify the date...)
https://blog.lastpass.com/2015/06/lastpass-security-notice.html/


i want you to try and tie together that statement and knowledge after the fact of how abusable their system was. sure the master password itself wasn't, but you could get the vault and key for it, which is technically different.

in response to that rough audit they had the following to say:

that's 2015, it's not improved since.

So reading through your links the only really concerning bit is the custom_js stuff. I think most browser-integrated password managers would have similar client-side exploits. If your goal is perfect security then using anything that isn’t self-hosted and air-gapped is going to fall short of that. I think the trade-off is probably worth it, at least for average users.

Enabling MFA in addition to using a password manager will mitigate most security concerns.

ElCondemn
Aug 7, 2005


Thermopyle posted:

Again, the problem isn't just that they were exploited but that they didn't handle the exploits well.

With some of these exploits it's just embarrassing that a security company had them.

Also, you're kind of artificially constraining the space here...you don't have to use a "browser integrated" password manager. You could use KeePass.

I used to only use keepass, when I got off Dropbox and started self-hosting my file sync that became a non-starter. Also the fact that my family isn't as tech savvy has made browser integrated password managers the only option for me. Believe me if every website supported OIDC I'd use that in a heartbeat but the options are limited. I haven't seen anything that makes me want to immediately drop Lastpass since there hasn't been a remote or server-side exploit that doesn't require a compromised client. But sure I'm just a shill who works for Amazon (what?) that wants everyone to be insecure... for reasons...

ElCondemn
Aug 7, 2005


Wiggly Wayne DDS posted:

ah so you just weren't reading anything, gotcha

also my post wasn't directed at you at all, there's more than one conversation happening.

I did read what was posted in the post I quoted, as I said the custom_js stuff is concerning. The remote code execution is also concerning but it seems they dealt with the issue pretty quickly. Again browsers are inherently insecure, anyone could exploit any number of browser extensions to do the same thing. It's unfortunate that a security company had an exploit like that but it happens and the best any company can do is push fixes when those kinds of exploits are found. If I had to drop every company that had exploitable software/systems I'd have very few options.

ElCondemn
Aug 7, 2005


Trabisnikof posted:

What would it take for you to stop using lastpass? An RCE they balk at patching?

Yeah, that seems like a reasonable limit to me.

Y'all keep more up to date with the industry than I do so I'm definitely open to suggestions for alternatives, I just have specific usability requirements that normal rational people have. 1password was my other option but at the time only Lastpass had Brave integration (not sure if that's changed), also I'm not sure that requiring a separate client install for desktop is great for my family but I can help them get past that step if necessary.

ElCondemn fucked around with this message at 19:57 on Feb 16, 2018

ElCondemn
Aug 7, 2005


Wiggly Wayne DDS posted:

of course you use brave


of course

Instead of being a lovely nerd about it maybe you could explain the problem?

ElCondemn
Aug 7, 2005


Thanks Ants posted:

I've just skimmed the last few posts but it looks like they have tried to do that

The problem with Brave?

ElCondemn
Aug 7, 2005


Wiggly Wayne DDS posted:

what advantages does it bring you? it's downstream of chromium so you'll be waiting longer for security patches, and its unique selling point is adblocking by default... except for brave payments that's just an indirect way of selling the same marketing information but of a specific demographic that thinks they've opted out of tracking

I use Brave because adblocking and password manager integration aren't features that chrome supports on mobile. I use chrome on desktop.

ElCondemn
Aug 7, 2005


CLAM DOWN posted:

That's incorrect. Android 8.0 and newer has a password autofill API that apps like Keepass2Android utilize very nicely, so password manager integration on mobile Chrome works perfectly.

I'm on iOS

ElCondemn
Aug 7, 2005


EssOEss posted:

I am not entirely sure how this matches with the rest of your reply where you indicate that some elaborate workflow should be set up.

For sure, I appreciate and approve of the need to lock down the private keys because devs are dumb. But I want my automated builds to produce me a new signed copy of my app on every commit, even if that happens every 5 minutes, without any user interaction.

As far as I can tell, this is not possible with the mainstream code signing certificates, which require a dongle with a password that needs manual entering or a physical button that needs pressing. Can you link me to any code signing certificate service that can just install a certificate onto a server (I am fine with it being in a hardware dongle or TPM) that does not need a human to take action to sign code?

You can definitely just get a signing cert without any dongles or passwords. But you’re the exact reason these out-of-band signing practices exist, talk to your ops/security team to set this up. You should store your signing keys in an encrypted, audited way using something like Vault. During your build pipeline you’d grab the private key from your key store and sign your code.

But I’m a bit wary of this method, how often are you releasing builds to the public? Only your GA public releases should be signed, you shouldn’t automatically sign every build that comes from your build pipeline.

ElCondemn
Aug 7, 2005


Rufus Ping posted:

This is exactly right, which is why you should use a password manager that identifies the website you are visiting automatically, using the address bar rather than the page title, without any need for third party plugins or any thought on your part: 1Password

I was just dogpiled last week for asking about password managers with browser integration... is 1password the suggested option or are people going to call me an idiot again for wanting something that my mother can use?

Saukkis posted:

One option is to do your emailing and suspect browsing inside a virtual machine and store your Keepass on the host computer.

I don't know if you're being serious...

AlternateAccount posted:

I am not sure of the details, but our entire security team seems to be very confused and think that visibility = security.

They're very big into buying tool after tool that watches this or that and generates piles and piles of logs and reports.

Let me put it to you this way: I manage just about everything in terms of endpoints, and never at any point in my years here has anyone from our security team thought to sit down and go over our general security posture for those endpoints. Ever.

Auditing is a critical piece of threat detection and mitigation. But yeah just having a bunch of reports doesn't do much if you don't set standards and use tools to enforce those standards.

Thermopyle posted:

No, you see they type soooo faaaast!

Solid strategy as long as you use a browser without CSS support!

ElCondemn fucked around with this message at 20:59 on Feb 24, 2018

ElCondemn
Aug 7, 2005


EssOEss posted:

Can you link to a specific provider? Because Section 16.3 of some relatively ontopic industry specifications say that's not kosher these days.

Look man, you asked if it was possible and it is and there are CAs that will give you certs to do just that (https://www.instantssl.com/code-signing-certificate.html). If you disagree with the "industry specification" that prevents you from using these signing certs that's your own issue to deal with.

EssOEss posted:

Granted, I do not particularly care about the level of security - I can deal with plain certs with no protection or I can deal with well-protected certs (TPM/HSM style) but what I do not want at all is some certs that require a human to sit in my server rack, so to speak.

As far as I know there is no signing technology that requires anyone to sit anywhere physically, they just need access to the token and the code you're signing.

EssOEss posted:

Why not? Signing proves that the builds come from me. My builds all come from me, even those I choose not to publish to a wide audience. Therefore it makes perfect sense to sign them. What makes you say I should not?

It's just my preference (and I think a lot of other professionals would agree) but signed code indicates that it "came from you" but also that it's safe to run on any host that has a valid root CA cert to authenticate the trust against. If you're building test code and self-sign these with your own private CA you get the same guarantees without any of the danger. The potential impact of a signed malicious release making it out into the public is way worse than having to manually type in a number when you want to do a public release. But again, if you don't like that you can just get a cert and sign your code however you drat well please, nobody except your auditors is going to care.

Thermopyle posted:

Reading the url in the address bar is not the same thing as using an extension to type your passwords.

Sure... I'm not really part of that conversation, I'm just confused about the 1password recommendation considering people were down my throat for using a browser extension password manager last week. Is 1password the recommendation or are we going to pretend like it's reasonable to spin up a VM every time my mom wants to log into Netflix?
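The signing model argued for in the two code-signing replies above (keys held in a key store, CI builds signed under a private CA, only GA releases under a publicly trusted one), as an added example that is not from any poster in the thread. It issues a private "dev" root and a code-signing leaf, signs a constructed artifact in the pipeline, and shows that the signature chains on hosts that installed the dev root but not on hosts that trust only public roots; the CA names, "ci-builder" and the artifact bytes are all constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair and certificate for name: with isCA a self-signed
// private root, otherwise a leaf issued by parent and restricted to code signing.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; a real CA tracks serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signArtifact is the pipeline step: sign the SHA-256 digest of a build
// artifact with the key fetched from the audited key store.
func signArtifact(key *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyArtifact is the host-side check: the signature must match the bytes AND
// the signer's certificate must chain to a root this host trusts, with the code-signing EKU.
func verifyArtifact(artifact, sig []byte, leaf *x509.Certificate, roots *x509.CertPool) error {
	digest := sha256.Sum256(artifact)
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match artifact")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// Demo signs a CI build under the private dev CA and reports whether hosts with
// the dev root installed, and hosts trusting only public roots, would accept it.
func Demo() (devHostOK, publicHostOK bool, err error) {
	devRoot, devRootKey, err := issue("Example Dev CA", true, nil, nil)
	if err != nil {
		return
	}
	ciCert, ciKey, err := issue("ci-builder", false, devRoot, devRootKey)
	if err != nil {
		return
	}
	artifact := []byte("constructed sample build output") // stands in for a binary
	sig, err := signArtifact(ciKey, artifact)
	if err != nil {
		return
	}
	devHosts := x509.NewCertPool() // test hosts that installed the private dev root
	devHosts.AddCert(devRoot)
	publicHosts := x509.NewCertPool() // public roots only: the dev root is absent
	devHostOK = verifyArtifact(artifact, sig, ciCert, devHosts) == nil
	publicHostOK = verifyArtifact(artifact, sig, ciCert, publicHosts) == nil
	return
}
func main() { fmt.Println(Demo()) }
```

A GA release would be signed by a separate leaf chaining to the publicly trusted CA, so the same verifier accepts it everywhere while CI builds stay confined to hosts that opted into the dev root.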

ElCondemn
Aug 7, 2005


Klyith posted:

you got dogpiled for your insistence about a lovely browser-integrated password manager, and further dogpiled from there on the convoluted string of choices that led you to insist on that password manager.

I was asking for a recommendation, I told everyone I was currently using LastPass and what my decidedly NOT CONVOLUTED REQUIREMENTS were (password sharing and browser/phone integration) and what I got was a bunch of responses pointing out "red flags" and links to articles that didn't indicate to me a problem with that specific provider. Maybe if the articles that were linked showed a comparison of 1password, dashlane or whoever and how they mitigate those issues compared to LastPass...

I'm not tied to any specific password manager, I've seen the reports I just don't want to re-do all this poo poo if there's no alternative that isn't vulnerable in the same ways.

EssOEss posted:

My problem is more with the "person" side, not specifically about where they sit. I want my workflow to be automated.

Thanks for the link. Comodo sounds like it might potentially offer what I need, indeed!

Automating your signing process is fine, you just have to create a network of trust. I wouldn't trust your process since it seems that you just want to dump your private keys on some build server and pump out signed code.

ElCondemn
Aug 7, 2005


So again I'm asking, what is the preferred solution?

ElCondemn
Aug 7, 2005


Proteus Jones posted:

Right now, 1Password has the edge for me. I’ve used them for years, my group at work uses it. The development team actively engages its customer base and is quick to respond and disclose bugs. Hell, as seen earlier in the day, they already rolled in an update to their subscription based client to use the secure password check API with Have I Been Pwned. They’ve also stated they will roll this into the Watchtower service for non subscription customers in a future update.

Thanks, that's what I'm looking for a recommendation.

ElCondemn
Aug 7, 2005


anthonypants posted:

Just in case it comes up in the future, how many times does someone need to tell you something before it sticks?

Not sure, maybe if people weren't accusing me of being an idiot for asking legitimate questions it would happen pretty quickly. But I guess that's how y'all like to interact, it's an odd strategy to treat people like idiots to prove how smart you are.

ElCondemn
Aug 7, 2005


anthonypants posted:

Here was your dogshit interpretation of the problem:


Maybe you have those people blocked but it was only after that point when people started calling you an idiot.

Please tell me what I’m saying that's dogshit or where I’m defending lastpass?

Sorry that I wasn’t explicit but I was trying to determine what made 1password or other options more secure. I’ve read the articles about lastpass but I wasn’t seeing any argument or article that showed why other options were immune or better than lastpass in those scenarios.

This isn’t D&D maybe you could afford to be less of an rear end in a top hat.

ElCondemn
Aug 7, 2005


Boris Galerkin posted:

So from my point of view you asked about password managers like LastPass and if you look at anthonypants's post you'll see that people gave you reasons for why LastPass was poo poo. Then you proceeded to stick your fingers in your ears and go lalalalala and assert that it wasn't poo poo because of reasons, which prompted someone else to say to you "looks like you're already invested in LastPass and nothing we say will matter."

I think it’s clear that people have strong opinions about lastpass, but nothing I said was ignoring the links or comments people posted, other than the insults and accusations that I’m a lastpass fan who’s a ”danger” to people.

I still think it’s fair to say that the client side issues are probably going to be common among browser integrated password managers. The server side stuff like the custom_js issue is very concerning and I’m definitely moving away from lastpass for that (among other) reason. However the core encryption model is still solid but the implementation and their response to issues seems to be a pretty big problem.

Nothing I’ve said is controversial, unless you’re a huge rear end in a top hat who thinks they’re a genius for making GBS threads on others.

Regardless of all of that, if your goal is to get people to move to another option feel free to point out the flaws in lastpass but then maybe describe how an alternative does it better. making GBS threads on my original choice doesn’t do anything to fix the problem.

apseudonym posted:

This thread has LastPass PTSD

Clearly

ElCondemn fucked around with this message at 19:06 on Feb 25, 2018

ElCondemn
Aug 7, 2005


apseudonym posted:

This is line of thinking that sets people off in this thread with LastPass. The client side issues are only common if the people building it are incompetent, and you probably don't want to run a password manager written by incompetent engineers.

I don’t know about that, there are lots of common patterns in software design that turn out to be terrible. The good companies know this and update their software regularly to keep ahead of these problems. For example Meltdown, Heartbleed, this recent CSS issue, these things happen. It’s useful to know which companies deal with these issues properly and which don’t.

That’s not to say lastpass is following good modern design principles in the first place.

apseudonym posted:

I just use the built in chrome password manager/generation because lol.

I was using chrome previously but then everyone got a phone and wanted to share passwords with each other.

ElCondemn
Aug 7, 2005


Wiggly Wayne DDS posted:

i did mention them being repeatedly breached and ignoring that the attackers had far more access and capabilities than pr said right

Maybe I missed it in the articles that were linked but other than the custom_js issue they seem to have quickly resolved the server side issues (which again I said is one of the major reasons I'm moving away from them). The client side issues I believe are endemic to that security model, at the very least the client side issues didn't seem to be simple poo poo like checking the page title over the URI and required a compromised client to do things like intercept the master key. I can think of plenty of ways most other password managers could be compromised in the ways that the articles you linked have done, I haven't seen anyone post articles showing how other options are immune to these types of attacks (unless you count the run a VM to browse your email model as a valid solution).

ElCondemn fucked around with this message at 19:31 on Feb 25, 2018

ElCondemn
Aug 7, 2005


Wiggly Wayne DDS posted:

you earlier acknowledged they were hacked but only seem to think that custom_js is the issue. all those statements just above that section on what lastpass could hypothetically do? those are what attackers on lastpass' infrastructure can do

I'm reading what you posted, you're just too stupid to understand what I'm saying about it. Honestly you really are an idiot who doesn't understand the difference between a client side exploit and a server side exploit.

Wiggly Wayne DDS posted:

which client side issues are endemic to the security model? you seem to enjoy convincing yourself that you're the only sane one here. once again there is no requirement for compromising the client to intercept the master key. you are completely misunderstanding what is happening and are not willing to explain your side at all. if you can "think of plenty of ways most other password managers could be compromised" then please do tell, we'd be lost without your wisdom in the matter.

Web based authentication strategies are "secured" by the addition of SSL/TLS, it's trivial to hijack a session if you can MITM the session/cookie data. If your client is compromised you can do the same thing over a secure channel because one end is compromised. You can argue that they're doing stupid things (like keeping a local hash of a recovery key) but there are lots of companies that do this kind of thing and I'd guess some of them might be other password managers that I might use... which brings me to the next point

Wiggly Wayne DDS posted:

can you elaborate on the requiring articles to explain why different password managers are immune to vague types of attacks? what is your concern in that area so it can be explained to you why that documentation doesn't exist, or why it does but you've just not used the correct wording to find it

I don't require poo poo, I'm saying if you are die hard against LastPass and want people to move off it going on and on about how lovely it is isn't going to help someone make a better decision. I was hoping to find other articles explaining how an exploit that's possible through LastPass is mitigated by 1password/whoever. Because as I see it right now if nobody has spent the time to audit these other providers why should I assume they're doing the right thing? I didn't find any articles that did that kind of security comparison with my google searches.

cheese-cube posted:

Unless you're being paid by Lastass things will surely get to a point where you have to take a step back and think "Wow, OK I'm sure stretching definitions and garbage to meet those pre-described sales points, is that even my responsibility anymore?"

Good point, no reason to discuss security in a thread about security...

apseudonym posted:

These aren't good examples for defending poor software engineering practices, especially in their own product, it's just name dropping some bugs that got press lately. The CSS thing isn't even a bug.

It's not a bug, but lots of people were implementing software that didn't take into account the possibility of a CSS element modifying the DOM dynamically as a security concern. I'm also not defending poor software engineering practices, I'm just saying that poo poo comes up and often it's pointless to blame a company for not being able to predict the future.


apseudonym posted:

Updates are a necessary but not remotely sufficient component for having a secure product. If your product repeatedly has P0 security issues updating quickly doesn't forgive you not addressing the issues that let them happen in the first place. Doubly so if you're claiming to be a security critical product.

Repeatedly having the same class of vulns without trying to address the problem is irresponsible. You should expect your password manager to be proactively designed to be secure, which LastPass doesn't seem to be.

This is just silly, look at all the CVEs that Cisco puts out, it's always the same type of poo poo and sometimes it's super critical. I'm not saying Cisco is the security standard we should aspire to, I'm just saying it happens and one way of determining whether you should jump ship or not is in how the company responds to the security concerns.

ElCondemn fucked around with this message at 20:21 on Feb 25, 2018

ElCondemn
Aug 7, 2005


Absurd Alhazred posted:

Yes, everybody else is stupid and you're a genius. Just install LastPass and :toxx: on your passwords never getting exposed.

Totally what I'm saying...

ElCondemn
Aug 7, 2005


Trabisnikof posted:

This attitude of “well I’m going to keep promoting insecure software because I demand you prove a negative first” is what makes much of this industry poo poo.

Who's got that attitude? who's defending LastPass? I'm asking questions to make a decision about which other password managers I should be using.

ElCondemn
Aug 7, 2005


Trabisnikof posted:

“Just asking questions” and then ignoring the answers so you can smugly tell us all that no one will answer your questions correctly.

Really? Because I said I'm moving to 1password, not because everyone overwhelmingly agreed on it, but because maybe one or two people mentioned it and nobody went nuts over the suggestion.

ElCondemn
Aug 7, 2005


Thanks Ants posted:

You're not genuinely after a discussion, you're sealioning

You caught me! I'm just a LastPass shill and hoping to wear y'all down!

ElCondemn
Aug 7, 2005


Inept posted:

Lazy DB admin Developer that didn't feel like working with anyone to generate some fake data so they just said gently caress it and copied it from production.

ElCondemn
Aug 7, 2005


22 Eargesplitten posted:

But the police do it, and look how well that works!

Seems to work fine for them, pensions, job security, and if you gently caress up at work and ruin lives you get a free vacation... hold a sec while I talk to management about a reorg.

ElCondemn
Aug 7, 2005


What do y'all think about Wireguard? We're considering replacing some of our GRE+IPsec tunneling at work with Wireguard, we only use it for cross-VPC traffic in AWS to support tunneling to a remote VPN endpoint for one of our customers. Right now we're using some VyOS routers to tunnel and encrypt between VPCs (using local AWS routing won't work since the network we're routing doesn't actually exist in AWS).


ElCondemn
Aug 7, 2005


Dylan16807 posted:

https://lwn.net/Articles/761939/ As far as I know people are pretty favorable of the overall plan, even with the new crypto system.

I’m not sure this article represents the majority of users of the crypto API in the kernel. There are tons of companies that rely on hardware offload, it’s a pretty important layer that maybe desktop Linux users don’t care about but would have serious implications for hardware manufacturers and embedded software developers.
