PBS posted:Realistically, what separates lastpass from any other company that I have to place a fair amount of trust in to keep my money/information/etc secure? (If anything beyond the obvious that it stores my passwords for all other services) If PayPal or your bank get owned, they're going to eat the damages, not you. If LastPass gets owned you might get an apology email. (And as you say, the purpose of the basket is to hold all your eggs.)
# ? Jul 28, 2016 03:13

# ? May 10, 2024 01:36
Subjunctive posted:If PayPal or your bank get owned, they're going to eat the damages, not you. If LastPass gets owned you might get an apology email. (And as you say, the purpose of the basket is to hold all your eggs.) The bank doesn't eat anything. The sellers of whatever the unauthorized person bought eat them.
# ? Jul 28, 2016 03:22
Sickening posted:The bank doesn't eat anything. The sellers of whatever the unauthorized person bought eat them. If your bank is breached to the extent that there are customer losses, I'm pretty sure they and their insurers are going to write some cheques. But let's say they don't: does that somehow oppose the point I was making?
# ? Jul 28, 2016 03:25
OSI bean dip posted:Yes. Anyone who follows the same model like LastPass is likely to have the same problem. It seems like a significant convenience/feature loss to switch off, but I guess it wouldn't hurt to look at the alternatives a bit more.
# ? Jul 28, 2016 03:27
Nobody weighed in last time, but seems like a good time to ask again - what makes people happy to use third-party KeePass apps (and plugins I guess)? Obviously you have to trust the basic software, but what's to stop the maker of Keepass2Droid or whatever from harvesting your passwords, selling on to a company that will do it, etc? Why's the risk low enough to make it a good plan? It feels sketchy as a security thing, trusting something else in the middle, but lots of people with good opinions are happy to recommend it. It'd be nice to move myself and other people over to that setup (especially with 1password being an expensive recommendation), but I don't really get it. What's the deal?
# ? Jul 28, 2016 03:39
You can always MITM your iPhone traffic and see what the app is doing if you require some confirmation that your passwords aren't being sent to some botnet in China.
# ? Jul 28, 2016 07:46
baka kaba posted:what makes people happy to use third-party KeePass apps (and plugins I guess)? some men just want to watch the world not burn, mostly
# ? Jul 28, 2016 13:24
Thanks Ants posted:You can always MITM your iPhone traffic and see what the app is doing if you require some confirmation that your passwords aren't being sent to some botnet in China. As long as they're not trying to hide from that, which is not hard to do. Basically you have to reverse the binary if you want confidence.
# ? Jul 28, 2016 13:51
Subjunctive posted:As long as they're not trying to hide from that, which is not hard to do. Well the android app is open source anyway, so I could vet that and build it myself if I cared enough. I'll probably just install the store version anyway, I was just curious since trusting free third-party components with your main password and keystore seems like a risk. Not the same kind of risks as running Lastpass, but still a potential vulnerability - sort of like how people install Chrome extensions and find out later that they've been sold to shady companies who are now coming from inside your browser. Just seems like people who are serious about security are happy to use this, and I was curious why it's ok - or ok enough anyway.
# ? Jul 28, 2016 19:44
I say this as an outsider who doesn't know much, but it seems like you have to balance minimizing risk with butthole-tight/no compromises security with just getting on with your life.
# ? Jul 28, 2016 19:50
doctorfrog posted:I say this as an outsider who doesn't know much, but it seems like you have to balance minimizing risk with butthole-tight/no compromises security with just getting on with your life. That's a false dichotomy. Minimizing risk doesn't necessitate poor usability.
# ? Jul 28, 2016 20:15
doctorfrog posted:I say this as an outsider who doesn't know much, but it seems like you have to balance minimizing risk with butthole-tight/no compromises security with just getting on with your life. The problem with assessing risk is that it's not black and white like you think it is. If you're putting all of your financial-related account details into LastPass, who do you get to compensate you when there is an incident that is directly the fault of them? If LastPass suffers a heavy enough breach (similar in style to say Juniper's code injection) where it bankrupts LogMeIn, will your bank be of help? Can you sue LastPass if a vulnerability arises and you are directly affected by it in the same manner? These are questions that need to be answered before you even begin to assess the actual risk you take by using something like LastPass. It's the same reason why I am waiting for the day that a bank opts to not compensate someone because they got their PC infected--London's police chief seems to think that this should be the case. 1Password and KeePass are not overly complicated nor a "no compromise" method of security. Besides, I don't put my online banking details into my password manager and it's one of three that never will end up in there.
# ? Jul 28, 2016 21:02
OSI bean dip posted:1Password and KeePass are not overly complicated nor a "no compromise" method of security. wyoak fucked around with this message at 17:53 on Jul 29, 2016

# ? Jul 29, 2016 15:57
Today I learned that motherboard makers, in their never-ending quest to gently caress over my new builds in stupid ways, make TPMs an optional module now. Do I lose anything by doing BitLocker with PIN-only or PIN + smallest metal-clad flash drive I can find? The theoretical attack I'm picturing is a malicious boot loader that captures the PIN and transparently feeds it into the real BitLocker, which a TPM would prevent. Can someone please remind me if you can enable the TPM later after first setting up BitLocker to be PIN-only? Does that regenerate your key / recovery key? My laptop is my only working Windows machine right now and I don't want to experiment.
# ? Jul 30, 2016 06:07
Using bitlocker with a TPM means you're automatically using a 256-bit encryption key. You have the option to use a tpm pin or password to unlock the chip and access the keys at startup, or you can just rely on the hardware validation profile (no modifications to bios/uefi, option roms, bootloader, etc). Encryption without the TPM means the key strength is effectively defined by the strength of the password or pin you set and since it needs to be something you can easily remember, it's not going to be considerably weaker to brute force attacks. If you switch from password to tpm encryption at some point, you'll need to decrypt and then re-encrypt the drive with the new key that will be generated from the TPM. No point in using a key you know is weak. It will probably be faster to copy the data out and back in than wait for the decryption process with the mixed read/writes on the same drive.
# ? Jul 30, 2016 19:56
The drive I bought supports eDrive so I'm not worried about having to undo/redo the crypto as it uses key management on the flash controller. I could also use a PIN+USB scheme in the interim so it's down to a question of whether I want to use my new desktop this week. Also, my laptop is on TPM + PIN - that's 256-bit even with an 8-char random PIN, right?
# ? Jul 30, 2016 20:41
I think 'Don't Roll your Own Crypto' is likely counterproductive. You shouldn't implement your own crypto on projects that matter, but god if that one phrase hasn't raised a generation of programmers who know nothing about security.
# ? Jul 31, 2016 20:44
TimWinter posted:I think 'Don't Roll your Own Crypto' is likely counterproductive. You shouldn't implement your own crypto on projects that matter, but god if that one phrase hasn't raised a generation of programmers who know nothing about security. You know that has to do with using proprietary crypto algorithms and nothing to do with designing secure products that use crypto, right? I'm failing to see how encouraging a generation to use open and peer-reviewed algorithms leads to them knowing nothing about security.
# ? Jul 31, 2016 20:57
TimWinter posted:I think 'Wear A Helmet' is likely counterproductive. You should wear a helmet when riding on busy roads, but god if that one phrase hasn't raised a generation of bicyclists who know nothing about safety.
# ? Jul 31, 2016 22:02
flosofl posted:You know that has to do with using proprietary crypto algorithms and nothing to do with designing secure products that use crypto, right? I'm failing to see how encouraging a generation to use open and peer-reviewed algorithms leads to them knowing nothing about security. It's not just saying "don't design your own algorithms," it's also saying "don't write your own crypto code." The formerly-Matasano blog post "If You're Typing the Letters A-E-S Into Your Code, You're Doing It Wrong", while written in a bit of a wanktastic fashion, lays out the gist of the problem scope. There's tons of edge cases and attacks possible even on the standard, well-peer-reviewed primitives if you're not careful about your design choices and implementation, and since nobody's thrown together a standalone client test suite to attack implementations generically just yet, the only way to know that the code you're using doesn't have, for instance, a timing attack or a padding oracle right now is to use the commonly available, peer-reviewed implementations. Even then you're not 100% safe, but it's far more likely to be found in a way that lets you patch harmlessly than gently caress you both ways to Sunday if you're using an implementation everyone is looking at. That's why things like NaCl exist, so that the average programmer doesn't have to worry about loving up implementation details that it's almost impossible to hold in a single human's brain.
# ? Jul 31, 2016 22:44
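The timing-attack point above, as an added illustration that is not from the thread or from the Matasano post: the HMAC primitive here is the standard library's, and the only hand-rolled part is the tag check. The key and message are constructed sample values; the byte counter stands in for the response time an attacker would actually measure.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed demo key; real code would load it from a secret store.
KEY = b"constructed-demo-key"


def tag(msg: bytes) -> bytes:
    """HMAC-SHA256 from the library. The algorithm is fine; the bug
    demonstrated below lives in how the tag gets compared."""
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def naive_verify(msg: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Hand-rolled early-exit comparison, returning (ok, bytes_examined).

    The loop stops at the first mismatch, so the work done (and thus the
    response time) reveals how many leading bytes of the guess were right.
    That is the leak a remote timing attack recovers a tag from, byte by byte."""
    expected = tag(msg)
    if len(candidate) != len(expected):
        return False, 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def safe_verify(msg: bytes, candidate: bytes) -> bool:
    """Constant-time comparison from the standard library: it looks at every
    byte no matter where the first mismatch is, so no prefix length leaks."""
    return hmac.compare_digest(tag(msg), candidate)


def prefix_leak(msg: bytes, prefix_lengths: List[int]) -> List[int]:
    """For each k, build a wrong tag whose first k bytes match the real one and
    record how much work naive_verify does before rejecting it."""
    real = tag(msg)
    work = []
    for k in prefix_lengths:
        # Same length as the real tag; byte k is flipped so the guess is wrong.
        guess = real[:k] + bytes([real[k] ^ 0xFF]) + real[k + 1:]
        ok, examined = naive_verify(msg, guess)
        assert not ok and not safe_verify(msg, guess)
        work.append(examined)
    return work


if __name__ == "__main__":
    m = b"constructed sample message"
    # Work grows with the matching prefix: [1, 9, 17, 32]
    print(prefix_leak(m, [0, 8, 16, 31]))
    print(safe_verify(m, tag(m)))  # True
```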
Storysmith posted:It's not just saying "don't design your own algorithms," it's also saying "don't write your own crypto code." The formerly-Matasano blog post "If You're Typing the Letters A-E-S Into Your Code, You're Doing It Wrong", while written in a bit of a wanktastic fashion, lays out the gist of the problem scope. There's tons of edge cases and attacks possible even on the standard, well-peer-reviewed primitives if you're not careful about your design choices and implementation, and since nobody's thrown together a standalone client test suite to attack implementations generically just yet, the only way to know that the code you're using doesn't have, for instance, a timing attack or a padding oracle right now is to use the commonly available, peer-reviewed implementations. Even then you're not 100% safe, but it's far more likely to be found in a way that lets you patch harmlessly than gently caress you both ways to Sunday if you're using an implementation everyone is looking at. That's why things like NaCl exist, so that the average programmer doesn't have to worry about loving up implementation details that it's almost impossible to hold in a single human's brain. I thought it would be implied that a programmer should use a tried and tested library as opposed to actually building code from the algorithm specs, but OK, yes what you say is correct as well.
# ? Jul 31, 2016 22:54
flosofl posted:You know that has to do with using proprietary crypto algorithms and nothing to do with designing secure products that use crypto, right? I'm failing to see how encouraging a generation to use open and peer-reviewed algorithms leads to them knowing nothing about security. The previous generations also knew nothing about security. e: oops quoted the wrong person taqueso fucked around with this message at 23:04 on Aug 1, 2016

# ? Aug 1, 2016 19:28
taqueso posted:The previous generations also knew nothing about security. Companies like Oracle still know nothing about security (gently caress every product they make).
# ? Aug 1, 2016 22:46
So, Windows 10 just got updated, and Zero VGS posted:Also, the update uninstalls Classic Shell. Thanks fuckfaces! Guess what simultaneously happened to Classic Shell's hosting provider: Klyith posted:
Microsoft makes good decisions, guys. Really. Also, don't download anything from FossHub, if it wasn't obvious enough.
# ? Aug 3, 2016 05:24
That payload was written by some old-school virus/malware guys. Or maybe it's the era of the revival of boot sector viruses. Either way, that's pretty great. I mean, being hit by something like that sucks, but it's nostalgic as all hell.
# ? Aug 3, 2016 05:55
Kazinsal posted:That payload was written by some old-school virus/malware guys. Or maybe it's the era of the revival of boot sector viruses. Back when viruses were more about being clever and sheer dickishness, vs. today's 'I wonder how I could leverage this into a paycheck' type deals.
# ? Aug 3, 2016 11:25
An honest, if inflammatory question: Does Classic Shell have legitimate use scenarios beyond autists obstinately refusing to adopt modern UI? On the one hand I read "customization", which I don't necessarily object to; on the other, I saw "Classic IE" listed as one of its selling points and nearly spit out my drink. The kind of person who refuses to upgrade past Windows XP and IE8 for idiosyncratic reasons has to be the malware author's wet dream (though I imagine there's little profit in it).
# ? Aug 3, 2016 14:33
Cugel the Clever posted:An honest, if inflammatory question: Does Classic Shell have legitimate use scenarios beyond autists obstinately refusing to adopt modern UI? On the one hand I read "customization", which I don't necessarily object to; on the other, I saw "Classic IE" listed as one of its selling points and nearly spit out my drink. Classic Shell lets you customize the start menu with Classic Start but also has Classic Explorer and Classic IE as separate modules for windows explorer and IE. Most folks who use classic start probably don't use IE but it's still installed in Windows 10 since Edge is only sort of complete. Last time I used edge it had the option to open a web page in IE since a lot of things didn't work in Edge. Maybe it's better now but the last time I used a microsoft web browser was IE 4.
# ? Aug 3, 2016 16:22
Rexxed posted:Classic Shell lets you customize the start menu with Classic Start but also has Classic Explorer and Classic IE as separate modules for windows explorer and IE. Most folks who use classic start probably don't use IE but it's still installed in Windows 10 since Edge is only sort of complete. Last time I used edge it had the option to open a web page in IE since a lot of things didn't work in Edge. Maybe it's better now but the last time I used a microsoft web browser was IE 4.
# ? Aug 3, 2016 16:53
Cugel the Clever posted:An honest, if inflammatory question: Does Classic Shell have legitimate use scenarios beyond autists obstinately refusing to adopt modern UI? No
# ? Aug 3, 2016 17:02
wyoak posted:The 'open-in-IE' mode in Edge is for crappy intranet websites that don't work in any modern browser, Edge is pretty much the same as base Chrome or Firefox these days (there's 'edge' cases in all of them haha see what I did there). (they do have a non-Silverlight version hidden the gently caress away somewhere, but the fact that they don't just auto-load it if you are using a modern browser reeks of incompetence) Edge can handle basic web browsing just as well as FF/Chrome, but is still rather laggardly about implementing new stuff.
# ? Aug 3, 2016 17:12
dpbjinc posted:So, Windows 10 just got updated, and lol Why the hell don't people use secureboot?
# ? Aug 3, 2016 17:27
BangersInMyKnickers posted:lol Because then you wouldn't see the funny message and would instead get a cryptic error message from UEFI. SecureBoot doesn't stop you from wiping out the bootloader. Not running untrusted or unsigned applications as admin, staying up to date, and not doing stupid things to your partitions does. (This particular group didn't include a UEFI version because it was a waste of their time, but they could have done so trivially if they had the build environment set up.)
# ? Aug 3, 2016 17:34
Cugel the Clever posted:An honest, if inflammatory question: Does Classic Shell have legitimate use scenarios beyond autists obstinately refusing to adopt modern UI?
# ? Aug 3, 2016 23:12
Mr Chips posted:For Windows 8.1 users, having a start menu that doesn't take up the entire screen has a certain appeal This is about Windows 10 though, why would you still be on 8.1
# ? Aug 3, 2016 23:22
Oh hey, it gets better! Softpedia posted:On Twitter, the hacker said he compromised the entire website, including the administrator's email. He also revealed he didn't dump the site's database but claimed that "passwords weren't salted." But that's no problem, because the developers would obviously use completely different passwords for every service they use! What could possibly go wrong?
# ? Aug 4, 2016 00:21
Mr Chips posted:For Windows 8.1 users, having a start menu that doesn't take up the entire screen has a certain appeal
# ? Aug 4, 2016 02:52
Cugel the Clever posted:That's for Windows 8 users. 8.1 brought back a sane option a little more than a year later (maybe you need to toggle it in the options?). Did they actually ship that? I remember some news articles in 2014 about how they were going to ship it, but don't have any 8.1 installs to look at any more.
# ? Aug 4, 2016 05:31
I just read that PSExec transmits credentials in plaintext. Is that still a significant vulnerability if it's being used over a VPN, or does a VPN breach mean everything is hosed by the time you find it anyway?
# ? Aug 4, 2016 23:50
The issue isn't if you're on VPN or not. It's generally a poor practice to send anything plaintext, regardless of a secure connection, because unless you can see the entire wire run and all devices on the network, anyone can put a sniffer and still get your password. There's a pretty good SANS article about this that even includes some workarounds, but as it says in the article, you'd probably be better off with WMIC or WinRM through powershell instead.
# ? Aug 5, 2016 00:06