|
Jose Valasquez posted:How does 1Password's web access differ from LastPass? Up until just the other day the answer to this would have been: the web access is basically non-existent; a previous vault file format allowed for the use of an HTML page which you could view locally to access passwords. However, last week or the week before they introduced their new pricing plans, which provide some dropbox-like features, cloud storage, and web access for subscribers (the standalone purchase is still available but supports none of those cloud features). I haven't heard any thoughts on how secure the web access is, yet, so may be worth waiting a bit before you drop 3 bucks a month for the privilege. No, I don't want to argue about how subscription models are bad or that 1Password is too expensive.
|
#
?
Aug 22, 2016 01:37
|
|
|
|
| # ? May 17, 2024 22:34 |
|
|
1password just offers a way of syncing the password data-blob. This is much like sticking your keepass DB in dropbox. All it does it move the [encrypted] data around for you. Your client interacts with the data locally. Lastpass offers a plugin that interacts with your data which never leaves their servers. This means you have to assume their servers are not compromised, or they're not compromised in a way they will fail to mention. LP have fallen over to relatively middle of the pack attacks on their infrastructure, have hand-waved such breaches and poorly explained resolution steps, so the idea that an adversary could get onto their server and MITM every request for your database for 6 months before being detected is ever present.
|
|
#
?
Aug 22, 2016 03:13
|
|
|
Carbon dioxide posted:Can someone who knows more about this than me take a look and confirm/deny whether Unchecky is good? https://unchecky.com/ I've been using it for maybe the last year or so. It's been pretty good for me and my parent's computer. But we don't really do much installing of crap from the internet so I've only seen it in action a small handful of times (including one false positive from The Sims 3 Create a Pattern Tool). Things I like about the tool: It just sits in the systray and keeps itself up to date, unless you specifically tell it not to do so. It doesn't spam you with billions of popup messages like lovely AV clients do. You can turn off the icon in the systray and notifications so it's even more unobtrusive. Things I don't like about the tool: I got a single false positive with it once? E: As for how much of a load it is on your system: It's using 2.124 K of RAM right now on my computer and very sporadically 1% of CPU. I think a singular browser toolbar getting through would be a bigger load on your over-all system. Geemer fucked around with this message at 21:21 on Aug 22, 2016 |
|
#
?
Aug 22, 2016 21:16
|
|
|
Khablam posted:1password just offers a way of syncing the password data-blob. This is much like sticking your keepass DB in dropbox. All it does it move the [encrypted] data around for you. Your client interacts with the data locally. Lastpass claims to only do the encryption/decryption at the device level as well. I'm not seeing how 1password's web access solution would be an improvement upon Lastpass
|
|
#
?
Aug 24, 2016 00:21
|
|
|
Jose Valasquez posted:Lastpass claims to only do the encryption/decryption at the device level as well. Your assumptions about LastPass should be shared here. Thanks.
|
|
#
?
Aug 24, 2016 01:06
|
|
|
Any cool blogs about cybersecurity and such to worth to follow? I like grugq and Kryptia's posts about the hacking world and OPSEC case studies and stuff for some odd reason.
|
|
#
?
Aug 24, 2016 02:56
|
|
|
OSI bean dip posted:Your assumptions about LastPass should be shared here. Thanks. I don't really have assumptions about it, I'm not a security expert but I'm interested and I know this thread hates LastPass, that's why I asked the security thread if there is a difference between LastPass's quote:Local-Only Encryption and 1Password's new web option. If the 1Password web option is better, why?
|
|
#
?
Aug 24, 2016 02:57
|
|
|
Jose Valasquez posted:I'm not a security expert Thanks. How about you don't contribute to this thread and instead read it? We've had these threads derailed many, many times because people don't take the time to bother to read past discussions. To answer your questions, you can read this post I made last year: OSI bean dip posted:Now that we have established the things we know about KeePass, what can we say about LastPass? 1Password just passes a binary blob around in the same way that KeePass does when using a cloud storage service and does not rely on a remote server to decode the contents. It's very, very easy to set it up in LastPass much like how Juniper or Patreon were breached to have code injected and then cause problems. LastPass is garbage and any 'expert' that goes and tells you that it is fine is an outright idiot. Lain Iwakura fucked around with this message at 03:17 on Aug 24, 2016 |
|
#
?
Aug 24, 2016 03:15
|
|
|
OSI, according to your OP, 1Password is good. However, it's not open source. What's your opinion on this?
|
|
#
?
Aug 24, 2016 06:00
|
|
|
Carbon dioxide posted:OSI, according to your OP, 1Password is good. However, it's not open source. It not being open-source isn't really a concern overall--there are details on 1Password's cryptography implementation anyway. Ultimately I actually don't take exception to closed-source software and encryption, but the way 1Password and KeePass works fundamentally in contrast to a cloud-based utility like LastPass is the main reason why I recommend them.
|
|
#
?
Aug 24, 2016 06:11
|
|
|
OSI bean dip posted:Thanks. How about you don't contribute to this thread and instead read it? horse mans answer of "nobody really knows how secure the web access is yet" was really all I needed.
|
|
#
?
Aug 24, 2016 16:19
|
|
|
Jose Valasquez posted:I've read the previous discussions, but 1Password's web access is brand new and I don't think it's been discussed. I'm not trying to argue in any way that LastPass isn't bad, I was trying to determine if 1Password's new feature that seems very similar to LastPass is equally bad. Your question has been answered a couple of times already dude. 1Password moves around the encrypted blob. LP has you interact with an encrypted blob held on their server. Furthermore you don't need to use that function if you don't want to.
|
|
#
?
Aug 24, 2016 16:35
|
|
|
OSI bean dip posted:Thanks. How about you don't contribute to this thread and instead read it? Dude, he was asking a question. There's absolutely no need to act like an rear end on your responses. Your thread is really interesting, and I love what I've learned from it, but if you hate people asking questions perhaps this isn't the right format for you.
|
|
#
?
Aug 27, 2016 23:17
|
|
|
Non Serviam posted:Dude, he was asking a question. There's absolutely no need to act like an rear end on your responses. It's easier to get past the hostility if you picture him saying it in a nasal computer nerd voice I found.
|
|
#
?
Aug 27, 2016 23:49
|
|
|
BigFactory posted:It's easier to get past the hostility if you picture him saying it in a nasal computer nerd voice I found. It worked! Thanks!
|
|
#
?
Aug 28, 2016 06:53
|
|
|
Non Serviam posted:Your thread is really interesting, and I love what I've learned from it, but if you hate people asking questions perhaps this isn't the right format for you. OSI bean dip posted:If you want to offer help, please do but bear in mind at the same time that you may be called out on any bad advice. Please do not poo poo up the thread.
|
|
#
?
Aug 28, 2016 19:14
|
|
|
https://www.grc.com/dns/benchmark.htm This is pretty cool for checking for fast good dns alternatives, Google's tool is outdated. https://patchmypc.net/download I'm probably the guy who said patchmypc is better. https://m.reddit.com/r/TronScript/ That reddit tronscript seems legit. Deep cleans to almost clean install, can also debloat. http://snailsuite.com/ Driver snail free updates drivers, I have driver genius (paid) and it catches more, faster, but snail gets it eventually, also my bank thought the purchase was sketch, it kind of was. This one may only be casually related to security, but http://www.geekuninstaller.com/ makes sure things cleanly uninstall, it might catch some crap ware and prevent winrot Quaint Quail Quilt fucked around with this message at 02:37 on Aug 29, 2016 |
|
#
?
Aug 29, 2016 02:31
|
|
|
galahan posted:This one may only be casually related to security, but http://www.geekuninstaller.com/ makes sure things cleanly uninstall, it might catch some crap ware and prevent winrot Does this do anything different/better than Revo Uninstaller? That's what I've been using for a while and it seems to work pretty well. Checks the registry and installation folder(s) for stuff left over by the program's native installer.
|
|
#
?
Aug 29, 2016 02:51
|
|
|
galahan posted:http://snailsuite.com/ I'd be more inclined to treat a 3rd party driver installer tool as a security threat than anything else.
|
|
#
?
Aug 29, 2016 03:49
|
|
|
galahan posted:bunch of irrelevant tools I don't think that these tools are appropriate for the thread. I also would not advise people to use third party driver resources and I also have a hard time taking GRC seriously.
|
|
#
?
Aug 29, 2016 03:54
|
|
|
OSI bean dip posted:I don't think that these tools are appropriate for the thread. I also would not advise people to use third party driver resources and I also have a hard time taking GRC seriously. He's still making SpinRite? Why is he still making SpinRight? And...apparently processor virtualization support is a state-of-the-art security feature? Why is he still using the Geocities template creation toolkit? 
|
|
#
?
Aug 29, 2016 04:15
|
|
|
Arsten posted:He's still making SpinRite? Why is he still making SpinRight? Probably because people keep paying for it.
|
|
#
?
Aug 29, 2016 04:36
|
|
|
Doesn't that just bring me back. Not at all security related, but I once made use of both Wizmo (https://www.grc.com/wizmo/wizmo.htm) and Trouble In Paradise (https://www.grc.com/tip/clickdeath.htm). The latter was regarding Zip drives and the infamous "click of death."
|
|
#
?
Aug 29, 2016 07:02
|
|
|
This thread is neat and I've enjoyed reading it. It's also gotten me to tighten up some stuff. I have a few questions; OpenDNS seems to be widely recommended, but I've been using something called Simple DNSCrypt. Have you ever heard of it and is it worth using over OpenDNS? It encrypts your DNS traffic, which seems like it would help prevent MITM attacks, and hasn't had any noticeable downsides for me other than occasionally changing the server when things stop loading. It also amuses me that all this time I've been feeling slightly nervous not having anything more than Malwarebytes to protect my computer I've actually been more secure not having an AV and simply browsing smart.
|
|
#
?
Sep 2, 2016 11:17
|
|
|
Squeegy posted:This thread is neat and I've enjoyed reading it. It's also gotten me to tighten up some stuff. I have a few questions; OpenDNS seems to be widely recommended, but I've been using something called Simple DNSCrypt. Have you ever heard of it and is it worth using over OpenDNS? It encrypts your DNS traffic, which seems like it would help prevent MITM attacks, and hasn't had any noticeable downsides for me other than occasionally changing the server when things stop loading. Encrypting the connection from your client to the DNS server may make MITM more difficult however most malware simply just tampers with your DNS client settings or edits your host file. Edit: to actually provide some advice, if you have a firewall then block all outbound udp/53 except for DNS servers that you trust. Pile Of Garbage fucked around with this message at 11:50 on Sep 2, 2016 |
|
#
?
Sep 2, 2016 11:43
|
|
|
Squeegy posted:This thread is neat and I've enjoyed reading it. It's also gotten me to tighten up some stuff. I have a few questions; OpenDNS seems to be widely recommended, but I've been using something called Simple DNSCrypt. Have you ever heard of it and is it worth using over OpenDNS? It encrypts your DNS traffic, which seems like it would help prevent MITM attacks, and hasn't had any noticeable downsides for me other than occasionally changing the server when things stop loading. Unless your subsequent connections are over TLS DNS being secure doesn't really do anything. If they are over TLS then the security of DNS doesn't really matter short of a DoS.
|
|
#
?
Sep 2, 2016 16:50
|
|
|
apseudonym posted:Unless your subsequent connections are over TLS DNS being secure doesn't really do anything. If they are over TLS then the security of DNS doesn't really matter short of a DoS. I use HTTPS Everywhere, if that's any help.
|
|
#
?
Sep 2, 2016 16:55
|
|
|
Squeegy posted:I use HTTPS Everywhere, if that's any help. More https is always good but that doesn't do anything for sites that still in tyool 2016 support support TLS  Plus there's a lot of traffic coming off your device that isn't from your browser.
|
|
#
?
Sep 2, 2016 22:42
|
|
|
When I had a Mac, I used an app called "little snitch," and which allowed me to monitor and/or kill any outbound connection. So far my search for a windows alternative has been fruitless. Do you guys know of something like this, or whether it's even useful?
|
|
#
?
Sep 3, 2016 00:03
|
|
|
Wireshark or netlimiter will show connections and if there's any activity, but no idea if you can straight out kill them with wireshark. And... it's probably not useful at all.
|
|
#
?
Sep 3, 2016 00:07
|
|
|
Non Serviam posted:When I had a Mac, I used an app called "little snitch," and which allowed me to monitor and/or kill any outbound connection. So far my search for a windows alternative has been fruitless. The understanding I have from posts in this and other threads is that it's not useful because malware will be injecting into processes that normally have network activity, allowing them to fly under the radar disguised as those legit services.
|
|
#
?
Sep 3, 2016 01:40
|
|
|
Non Serviam posted:When I had a Mac, I used an app called "little snitch," and which allowed me to monitor and/or kill any outbound connection. So far my search for a windows alternative has been fruitless. Netlimiter https://www.netlimiter.com/ Glasswire https://www.glasswire.com/ Windows10 FirewallControl http://www.sphinx-soft.com/Vista/order.html Regarding usefulness, I personally find running one constantly annoying as hell and just results in security warning fatigue where you just click allow blindly every time it pops a notification. That said I have up to date licenses for Little Snitch and Netlimiter cause I find them really useful for tracking down weird network behavior. The latest example was a buggy Adobe updater that burned my fiancée's entire month of data in three days downloading the same file over and over.
|
|
#
?
Sep 3, 2016 02:34
|
|
|
Squeegy posted:The understanding I have from posts in this and other threads is that it's not useful because malware will be injecting into processes that normally have network activity, allowing them to fly under the radar disguised as those legit services. Even if there's no injection generally by the time you try to kill it it's already done everything it wanted to do. It doesn't take long to set up a connection and exfil data. But you might learn interesting things looking at all the apps and services sending data, so it's useful in that regard.
|
|
#
?
Sep 3, 2016 05:06
|
|
|
It won't stop malware but it's useful to control software with callbacks.
|
|
#
?
Sep 3, 2016 13:48
|
|
|
Looks like I'll be dealing with my own momputer situation. She only uses Apple products, but when visiting her this year I found out that she's been sending spam emails to all her contacts for the past six months or so. She only knows because one of her friends told her and she's been getting Undelivered Mail notifications because it's trying to send them to noreply emails. The websites linked in the spam are registered to some Indian guy named Harish Coorg through GoDaddy. I'm guessing she's been rolled into some kind of botnet, and she said she's been changing her password so I assume her iPad is infected with malware. I'm not sure what to do other than proverbially raze it to the ground, and reset the iPad to factory default, maybe along with the rest of her devices (because I don't know for certain it's her iPad that's infected and not, say, her phone). She's amenable to the idea of a password manager, so I'm thinking I'll set her up with 1Password with a good master password and make sure it's configured to protect her; password reuse may also be a source of her woes. Apple devices are encrypted by default, I think, so no problems there. Any other advice you guys may have? I know OSI mentioned recommending people with poor computer security get iPads so I'd like to hear his thoughts on dealing with a potentially compromised iPad; I just don't see any other way they could be spamming from her email through password resets.
|
|
#
?
Sep 4, 2016 06:39
|
|
|
100:1 it's a spoofed email header to make it look like it comes from a contact. These are common, iOS malware isn't.
|
|
#
?
Sep 4, 2016 13:14
|
|
|
I agree. If her iPad was actually part of a botnet it would be too valuable to send spam using her address and trace it to the source. All the spam would have someone else as the sender that has nothing to with your mom. The only cause for concern is that her friends have also received these spams. But I would suspect that is because she has joined some contact stealing service like Twoo.com. You should probabaly go through the apps in her iPad, especially those that have access to her contacts. It would also be good if you can contact one of these friends that have received the spam emails. They should be savvy enough with computers to be able to find the full headers of the email and send them to you. You can use those to figure out where it originated from.
|
|
#
?
Sep 4, 2016 13:49
|
|
|
I imagine it's probably a lovely app because the spammer has access to her contacts. The undelivered mail is Cc'ed to several people on her contacts list. I don't see anything with access to her contacts list in her iPad besides Endomondo which seems to be a Fitbit app and probably safe (I revoked it just to be sure.) e: Here's the header of the undelivered mail. code:Cup Runneth Over fucked around with this message at 18:57 on Sep 4, 2016 |
|
#
?
Sep 4, 2016 18:09
|
|
|
Unless your dear mom is taking trips to Korea that's a spoofed header. e: There's 1001 ways to get an IT novice to give up contact details. It may not have been your mom at all. Any of those scenarios are more likely than a iOS botnet.
|
|
#
?
Sep 4, 2016 20:23
|
|
|
|
| # ? May 17, 2024 22:34 |
|
|
Aye, I realize that now. So what should I do?
|
|
#
?
Sep 4, 2016 21:29
|
|