apseudonym
Feb 25, 2011

Subjunctive posted:

Sort of a big ask.

Stop using ask


EMILY BLUNTS
Jan 1, 2005

Shroom King posted:

Windows 7. After Microsoft seeded my computer with 5GB of Windows 10 installation files without my consent, I decided not to upgrade. I actually cloned my aging HDD to an SSD in order to keep Windows 7 longer.

Noted about what phishing actually is.

Good news! Your machine/license is already activated for a Windows 10 install. You can still make the correct decision and do a clean reinstall right now! :)

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


apseudonym posted:

Stop using ask

It's the only search engine that understands me!

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

apseudonym posted:

Stop using ask

Let's circle back on that later.

African AIDS cum
Feb 29, 2012


Welcome back, welcome back, welcome baaaack
My PC was recently hacked or infected with a trojan or something, not sure as no scanner picked anything up, but someone was able to get into my email/Amazon/banking etc., even bypassing 2 factor authentication. Also noticed a ton of bandwidth being used by tcpsvcs.exe to some random Brazilian IP address. I am very careful about what I allow to run, so I really have no idea what happened.

I did a clean install of Windows 7 on a new SSD. I am wondering if using Linux in a VM for all email, banking etc. would be safe, since dual booting would be a pain. Or maybe I should just go back to Mac.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

African AIDS cum posted:

My PC was recently hacked or infected with a trojan or something, not sure as no scanner picked anything up, but someone was able to get into my email/Amazon/banking etc., even bypassing 2 factor authentication. Also noticed a ton of bandwidth being used by tcpsvcs.exe to some random Brazilian IP address. I am very careful about what I allow to run, so I really have no idea what happened.

I did a clean install of Windows 7 on a new SSD. I am wondering if using Linux in a VM for all email, banking etc. would be safe, since dual booting would be a pain. Or maybe I should just go back to Mac.

Using a VM to do your banking isn't a terrible idea. Some people I know have a small laptop they keep solely to do their financials. Nothing is really fool-proof but using a Mac or running Linux does change your attack surface and at the moment it is towards the better.

Pile Of Garbage
May 28, 2007



African AIDS cum posted:

My PC was recently hacked or infected with a trojan or something, not sure as no scanner picked anything up, but someone was able to get into my email/Amazon/banking etc., even bypassing 2 factor authentication. Also noticed a ton of bandwidth being used by tcpsvcs.exe to some random Brazilian IP address. I am very careful about what I allow to run, so I really have no idea what happened.

I did a clean install of Windows 7 on a new SSD. I am wondering if using Linux in a VM for all email, banking etc. would be safe, since dual booting would be a pain. Or maybe I should just go back to Mac.

Doing your banking, etc. in a VM will only be "safer" if you already assume and expect your PC to be compromised. If your PC has been compromised then they would have probably owned your accounts anyway. In addition things like phishing attacks rely on exploiting the user more than the computer so if you aren't being careful you can be owned regardless.

Upgrade to Windows 10, keep your OS and software (Browsers, etc.) up-to-date, enable click-to-play for all browser plug-ins (Flash, Java, etc.) or if you don't need them uninstall completely, get an ad-block extension for your browser (For FF/Chrome: uBlock Origin), get a password manager and set different passwords for all your accounts online, enable app-based 2FA for everything and be more careful online.

African AIDS cum
Feb 29, 2012


Welcome back, welcome back, welcome baaaack
I already do all that besides having Windows 10. I'm thinking whatever got me is very new and unknown. Is Windows 10 really more secure?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
There is no reason to be running Windows 7 unless work forces you to.

RFC2324
Jun 7, 2012

http 418

African AIDS cum posted:

I already do all that besides having Windows 10. I'm thinking whatever got me is very new and unknown. Is Windows 10 really more secure?

Yes, if only because it's the focus for security updates

Dylan16807
May 12, 2010

EMILY BLUNTS posted:

Good news! Your machine/license is already activated for a Windows 10 install. You can still make the correct decision and do a clean reinstall right now! :)

That does not fit my understanding of Windows 10 activation.

keseph
Oct 21, 2010

beep bawk boop bawk

OSI bean dip posted:

Using a VM to do your banking isn't a terrible idea. Some people I know have a small laptop they keep solely to do their financials.

Those two scenarios aren't as comparable as this wording suggests. The VM doesn't provide any meaningful protection if the host is compromised, while the separate laptop has no outer host to be compromised. Keyloggers in the host will capture a password typed into the VM and something like a rootkit is theoretically easier to install from the host because of its control over the VM's boot chain.

Doing banking in a VM is only a strong measure if you're doing all your other browsing (and email, and other high-risk activities) in a different, isolated VM. At that point, containing the banking browser is really just reinforcing your trust in the host, because if your host is getting owned directly by the bank's uncontained website then you're up poo poo creek and the only real answer is to sever. However, for most personal machines, that rabbit hole goes pretty deep with lots of sharp edges: There are many embedded browsers like the one in Steam, which means you'd have to quarantine them too, and you're not going to have a good time trying to project some fancy dx11 game through RDP.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

keseph posted:

Those two scenarios aren't as comparable as this wording suggests. The VM doesn't provide any meaningful protection if the host is compromised, while the separate laptop has no outer host to be compromised. Keyloggers in the host will capture a password typed into the VM and something like a rootkit is theoretically easier to install from the host because of its control over the VM's boot chain.

Doing banking in a VM is only a strong measure if you're doing all your other browsing (and email, and other high-risk activities) in a different, isolated VM. At that point, containing the banking browser is really just reinforcing your trust in the host, because if your host is getting owned directly by the bank's uncontained website then you're up poo poo creek and the only real answer is to sever. However, for most personal machines, that rabbit hole goes pretty deep with lots of sharp edges: There are many embedded browsers like the one in Steam, which means you'd have to quarantine them too, and you're not going to have a good time trying to project some fancy dx11 game through RDP.

This is a good response.

African AIDS cum
Feb 29, 2012


Welcome back, welcome back, welcome baaaack
Speaking of RDP, is it safe to use, or is there a good way to lock it down? I did upgrade to Windows 10 now and read through this entire thread which has been very informative

Samizdata
May 14, 2007

African AIDS cum posted:

Speaking of RDP, is it safe to use, or is there a good way to lock it down? I did upgrade to Windows 10 now and read through this entire thread which has been very informative

I personally prefer TeamViewer. Easy to use, multiplatform, bandwidth friendly and requires 2FA when needed.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Samizdata posted:

I personally prefer TeamViewer. Easy to use, multiplatform, bandwidth friendly and requires 2FA when needed.

TeamViewer is a terrible piece of software to suggest. By installing the application you're allowing a third-party server to control access to your PC and the 2FA is only good enough in verifying that the access is being done by you and not someone else using the same credentials. This however does not protect you from attacks via vulnerabilities and whatnot found within their infrastructure. There is a lot of speculation that TeamViewer wasn't forthcoming on how people got breached.

If you really want to access your PC remotely, set up something you can SSH into, create an SSH tunnel to that device that creates a local socket for you to RDP into, and then use that to connect to your desktop via that. RDP should not be exposed to the Internet.

African AIDS cum
Feb 29, 2012


Welcome back, welcome back, welcome baaaack

OSI bean dip posted:


If you really want to access your PC remotely, set up something you can SSH into, create an SSH tunnel to that device that creates a local socket for you to RDP into, and then use that to connect to your desktop via that. RDP should not be exposed to the Internet.

Thanks, would a Raspberry Pi be good for this?

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

African AIDS cum posted:

Thanks, would a Raspberry Pi be good for this?

Yeah, but depending on which distro you put on it, it might not come with safe enough defaults for sticking on the internet.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

anthonypants posted:

Yeah, but depending on which distro you put on it, it might not come with safe enough defaults for sticking on the internet.

SSH is still lightyears better than RDP even with its defaults enabled.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano
I think he means it will likely have password-based SSH enabled, a root password of "pi", and no firewall

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Rufus Ping posted:

I think he means it will likely have password-based SSH enabled, a root password of "pi", and no firewall

Well yeah. Don't expose it like that to the Internet.

If someone wants to write a sane guide to setting up a Raspberry Pi to allow for remote access, please do.
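Added example, not part of any post in this thread: a check of an `sshd_config` for the password and root-login defaults raised above, plus the loopback-only SSH tunnel for RDP suggested earlier. The host names, local port 13389 and the no-root-login policy are assumptions of this example; it does not check the firewall or the account password.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the global section of an
# sshd_config for the weak defaults named above, then builds the RDP tunnel.

# sshd_setting FILE KEYWORD DEFAULT: print the global value, or DEFAULT if unset.
# sshd keeps the first value it reads; lines after "Match" are conditional.
sshd_setting() {
    awk -F '[ \t=]+' -v key="$2" -v def="$3" '
        { sub(/^[ \t]+/, "") }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per finding; return 1 if any.
audit_sshd_config() {
    cfg=$1
    rc=0
    if [ "$(sshd_setting "$cfg" PasswordAuthentication yes)" != no ]; then
        echo "FAIL PasswordAuthentication: password logins accepted, use keys only"
        rc=1
    fi
    # Keyboard-interactive can still ask for a password through PAM.
    # ChallengeResponseAuthentication is the deprecated alias of the keyword.
    kbd=$(sshd_setting "$cfg" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(sshd_setting "$cfg" ChallengeResponseAuthentication yes)
    if [ "$kbd" != no ]; then
        echo "FAIL KbdInteractiveAuthentication: interactive password prompts allowed"
        rc=1
    fi
    # Policy choice of this example: no direct root login at all.
    if [ "$(sshd_setting "$cfg" PermitRootLogin prohibit-password)" != no ]; then
        echo "FAIL PermitRootLogin: root can log in directly"
        rc=1
    fi
    if [ "$(sshd_setting "$cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "FAIL PubkeyAuthentication: key logins are disabled"
        rc=1
    fi
    if [ "$(sshd_setting "$cfg" PermitEmptyPasswords no)" != no ]; then
        echo "FAIL PermitEmptyPasswords: empty passwords accepted"
        rc=1
    fi
    return "$rc"
}

# rdp_tunnel_cmd USER@SSH_HOST DESKTOP_LAN_IP [LOCAL_PORT]
# Client-side command: a loopback-only local port forwarded to the desktop's
# RDP port (3389) through the SSH host, so only sshd faces the Internet.
rdp_tunnel_cmd() {
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:${3:-13389}:$2:3389 $1"
}

# Constructed sample configs (hypothetical, not taken from a real device).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/weak.conf" <<'EOF'
# nothing relevant is set, so the OpenSSH defaults apply
#PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes
EOF
cat > "$SAMPLES/hardened.conf" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF

audit_sshd_config "$SAMPLES/weak.conf" || echo "weak.conf: do not expose this host"
audit_sshd_config "$SAMPLES/hardened.conf" && echo "hardened.conf: no findings"
# Hypothetical names: remoteuser, pi.example.net, desktop at 192.168.1.20.
rdp_tunnel_cmd remoteuser@pi.example.net 192.168.1.20
```

On a live host the file parser misses `Include` files, so save the output of `sshd -T` (run as root), which prints the effective configuration, and pass that file to `audit_sshd_config` instead. With the tunnel up, the RDP client connects to 127.0.0.1:13389.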

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

OSI bean dip posted:

SSH is still lightyears better than RDP even with its defaults enabled.

No, I think SSH is good, and iptables is good, but without doing any research I'm just going to assume that your standard off-the-shelf IoT distro will have like, X open to the world running as root and iptables set to allow any/any.

OtherworldlyInvader
Feb 10, 2005

The X-COM project did not deliver the universe's ultimate cup of coffee. You have failed to save the Earth.


So I read through the thread, I've got a few questions:

1. I've been using KeePass for years, but have not been using a key file for ease of use and fear of locking myself out if I lose it. Was this a smart trade-off? If not, what steps should I take to back up/protect my key file? I was thinking of uploading a copy of the key file to a cloud storage account separate from the Dropbox where I keep the database/other files, and then keeping another backup on some physical media (is a random flash drive reliable for backup?) some place safe, basically just duplicating what I do with the database file in separate locations.

I saw a mention of using a YubiKey with KeePass, I assume this is using the OtpKeyProv plugin to support OATH-HOTP. Yubico's site says I can associate multiple YubiKeys with one account for a backup, but this would not allow any option for an online backup right? Where would I maintain an off-site backup, a safety deposit box or something? If I lose a YubiKey, should I still switch to a new set of credentials for the KeePass database? Is this actually worth it?

2. I've enabled FDE on my Android phone and am looking at doing so on my desktop and laptops as well. I've read the recommendation for BitLocker, and the warnings about TrueCrypt/VeraCrypt/etc. My desktop PC runs Windows 10 Pro so BitLocker is included, however the laptops are running Windows 10 Home and they're the ones I really want FDE on. It looks like upgrading from Home to Pro costs $99 each which is pretty nuts, I can't really afford to drop $200 upgrading them. Are there any worthwhile alternatives not mentioned?

3. I was thinking about setting up a VPN for my phone and laptops for when I'm on random Wi-Fi networks/mobile data. Is this a good idea? It seems like there are 10 million VPN service providers and I have no idea which ones are good or trustworthy, so I was looking at trying to set up OpenVPN on an Amazon or Digital Ocean virtual server or something. Again, is this actually a good idea?

Thanks.

Samizdata
May 14, 2007

OSI bean dip posted:

TeamViewer is a terrible piece of software to suggest. By installing the application you're allowing a third-party server to control access to your PC and the 2FA is only good enough in verifying that the access is being done by you and not someone else using the same credentials. This however does not protect you from attacks via vulnerabilities and whatnot found within their infrastructure. There is a lot of speculation that TeamViewer wasn't forthcoming on how people got breached.

If you really want to access your PC remotely, set up something you can SSH into, create an SSH tunnel to that device that creates a local socket for you to RDP into, and then use that to connect to your desktop via that. RDP should not be exposed to the Internet.

You seem pretty determined you know everything, so I wonder why you even started the thread.

FWIW, I have been using it for several years on several OSes and have yet to have a problem. Also, apparently you did not know it can work on only LAN connections. And TeamViewer was forthcoming. It was password reuse issues from other breaches. And they only had the 2FA as a response to the hack.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Samizdata posted:

You seem pretty determined you know everything, so I wonder why you even started the thread.

I suppose you didn't bother to read the OP:

OSI bean dip posted:

Welcome to the "Your Operating System has Poor Operational Security" thread. This is a guide written by those who have a clue about computer security for those who may not. However, we don't want to sugar coat things here and you must bear in mind that there are certain realities to the problems you face.

Stuff in this thread has been contributed by people who actually know what they're talking about. You seem pretty determined to indicate that you don't know everything so why are you even trying to offer advice?

Samizdata posted:

FWIW, I have been using it for several years on several OSes and have yet to have a problem. Also, apparently you did not know it can work on only LAN connections. And TeamViewer was forthcoming. It was password reuse issues from other breaches. And they only had the 2FA as a response to the hack.

Fantastic. If you keep pissing in the sink in public bathrooms you can possibly get away with it for years without anyone catching you.

Also, the 2FA you talk about was not a response to the late-spring 2016 attack that I linked to. Here's a video from 2013 that shows it being available:

https://www.youtube.com/watch?v=DicWF3WIiCg

Besides, it does not matter if you have 2FA enabled or not, it won't matter if somehow TeamViewer's own infrastructure is breached. What does the 2FA do for you when either the software is compromised or someone takes hold of one of their systems and then starts to go hog wild?

It does nothing.

Anyway, please don't come in this thread and poo poo it up further if you want to debate this. If you really want to make your point, go post in this thread where people will be happy to point out why you're wrong.

Lain Iwakura fucked around with this message at 07:06 on Feb 3, 2017

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Samizdata posted:

You seem pretty determined you know everything, so I wonder why you even started the thread.

FWIW, I have been using it for several years on several OSes and have yet to have a problem. Also, apparently you did not know it can work on only LAN connections. And TeamViewer was forthcoming. It was password reuse issues from other breaches. And they only had the 2FA as a response to the hack.

People typically start threads about topics with which they are very familiar, sometimes as a way to teach other people. They do this so that they can correct extremely stupid opinions, such as, "TeamViewer is actually good, from a security standpoint, because I have never personally experienced any problems, and also because the company who sells this product says there aren't any problems."

Samizdata
May 14, 2007

anthonypants posted:

People typically start threads about topics with which they are very familiar, sometimes as a way to teach other people. They do this so that they can correct extremely stupid opinions, such as, "TeamViewer is actually good, from a security standpoint, because I have never personally experienced any problems, and also because the company who sells this product says there aren't any problems."

Well, it shouldn't matter then, as we will have no computers with no OSes to need remote access for, as it is all buggy as gently caress poo poo we shouldn't use then.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Samizdata posted:

Well, it shouldn't matter then, as we will have no computers with no OSes to need remote access for, as it is all buggy as gently caress poo poo we shouldn't use then.

OSI bean dip posted:

Anyway, please don't come in this thread and poo poo it up further if you want to debate this. If you really want to make your point, go post in this thread where people will be happy to point out why you're wrong.

Coxswain Balls
Jun 4, 2001

OtherworldlyInvader posted:

3. I was thinking about setting up a VPN for my phone and laptops for when I'm on random Wi-Fi networks/mobile data. Is this a good idea? It seems like there are 10 million VPN service providers and I have no idea which ones are good or trustworthy, so I was looking at trying to set up OpenVPN on an Amazon or Digital Ocean virtual server or something. Again, is this actually a good idea?

If you don't care about the traffic appearing from your home connection, setting up your own OpenVPN server is always a good idea for when you're out and about. It's also handy for being able to access files and do RDP sessions without opening that stuff up to the internet.

Wiggly Wayne DDS
Sep 11, 2010



stick to configuring your own vpn on a home server or vps rather than touching the poo poo paid ones

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Wiggly Wayne DDS posted:

stick to configuring your own vpn on a home server or vps rather than touching the poo poo paid ones

Isn't this similar to rolling your own crypto?

Wiggly Wayne DDS
Sep 11, 2010



...............

no.

run openvpn and configure it. paid services will use outdated libraries, pre-shared keys and as much garbage as possible

BobHoward
Feb 13, 2012

The only thing white people deserve is a bullet to their empty skull
A question on Safari adblockers. I've been using Wipr for a while, but it kind of sucks (among other things, there is no whitelist feature, and the developer has posted that he refuses to implement one). So I installed uBlock Origin, but I'm a little put off by:

Safari posted:

"uBlock Origin" can read, modify, and transmit content from all webpages. This could include sensitive information like passwords, phone numbers, and credit cards.

Although Wipr lacks a feature I want, Safari claims that it "does not have permission to read or transmit content from any webpages". I like this. If Apple has managed to make Safari extension APIs that permit blocking ads without the extension being permitted to see private data, I am 100% in favor of adblockers using that interface. Even if they're open source and nobody has identified a malicious use of this data.

So really my question is: How truthful is Apple's claim that an extension like Wipr can't see sensitive data? If it's nonsense I might as well switch to uBlock.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

BobHoward posted:

A question on Safari adblockers. I've been using Wipr for a while, but it kind of sucks (among other things, there is no whitelist feature, and the developer has posted that he refuses to implement one). So I installed uBlock Origin, but I'm a little put off by:


Although Wipr lacks a feature I want, Safari claims that it "does not have permission to read or transmit content from any webpages". I like this. If Apple has managed to make Safari extension APIs that permit blocking ads without the extension being permitted to see private data, I am 100% in favor of adblockers using that interface. Even if they're open source and nobody has identified a malicious use of this data.

So really my question is: How truthful is Apple's claim that an extension like Wipr can't see sensitive data? If it's nonsense I might as well switch to uBlock.

uBlock needs to read content and make modifications--you can tell it to block entire elements. I don't know what Wipr is doing but it sounds like it is less effective and probably blocks content at a URL level and nothing more--if someone is more familiar with it and can offer a positive PoV I'll rescind my thoughts.

Proteus Jones
Feb 28, 2013



BobHoward posted:

quote:

"uBlock Origin" can read, modify, and transmit content from all webpages. This could include sensitive information like passwords, phone numbers, and credit cards.

Although Wipr lacks a feature I want, Safari claims that it "does not have permission to read or transmit content from any webpages".

I guess I don't understand how any content blocker could work if it can't a) read the content and b) modify said content to remove certain elements for safari to present to you. So "read and modify" are expected behaviors for content blockers.

By "transmission" do they mean that uBlock actually offloads analysis to some centralized location? That would be pretty concerning, but I like to think there would be some hue and cry about that for how long it's been out in general.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

flosofl posted:

I guess I don't understand how any content blocker could work if it can't a) read the content and b) modify said content to remove certain elements for safari to present to you. So "read and modify" are expected behaviors for content blockers.

Content blockers can just be policy functions. They get called by Safari with the URL of the script/image/iframe and then Safari acts on the answer. The content blocker never gets a reference to the document itself.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
uBlock Origin (like any other extension that can inject scripts into a page) can essentially rewrite the page at its whim. It actually only uses that power to remove ads, but it's not possible for Safari to enforce that that's the only thing it's doing. It shows the warning because those are all things that the extension could totally do if it was written by a malicious person who wanted it to do those things, and it's up to you whether you trust it to be benign.

Kassad
Nov 12, 2005

It's about time.

flosofl posted:

By "transmission" do they mean that uBlock actually offloads analysis to some centralized location? That would be pretty concerning, but I like to think there would be some hue and cry about that for how long it's been out in general.

That's just what the permission would let it do. It doesn't mean it's actually doing that. It'd be very obvious if it did since the source code is up on Github.

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

flosofl posted:

I guess I don't understand how any content blocker could work if it can't a) read the content and b) modify said content to remove certain elements for safari to present to you. So "read and modify" are expected behaviors for content blockers.

By "transmission" do they mean that uBlock actually offloads analysis to some centralized location? That would be pretty concerning, but I like to think there would be some hue and cry about that for how long it's been out in general.

I'd expect that "transmission" is just a reminder from Safari that any extension with full access to the DOM can inject its own scripts, and use them to fire off AJAX requests with arbitrary data to parts unknown.


Proteus Jones
Feb 28, 2013



Thanks, these replies all make sense to me. I haven't really looked into the extension framework for Safari.
